Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/nyxgeek/onedrive_user_enum
onedrive user enumeration - pentest tool to enumerate valid o365 users
https://github.com/nyxgeek/onedrive_user_enum
azure enumeration m365 o365 office365 onedrive onedrive-users osint pentest pentesting user-enumeration
Last synced: 27 days ago
JSON representation
onedrive user enumeration - pentest tool to enumerate valid o365 users
- Host: GitHub
- URL: https://github.com/nyxgeek/onedrive_user_enum
- Owner: nyxgeek
- License: gpl-3.0
- Created: 2019-03-05T08:54:38.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-02-20T03:07:12.000Z (5 months ago)
- Last Synced: 2024-02-28T14:34:17.569Z (4 months ago)
- Topics: azure, enumeration, m365, o365, office365, onedrive, onedrive-users, osint, pentest, pentesting, user-enumeration
- Language: Python
- Homepage:
- Size: 1.06 MB
- Stars: 534
- Watchers: 12
- Forks: 76
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Lists
- osint_stuff_tool_collection - Onedrive Enumeration Tool
README
# onedrive_user_enum v2.10
enumerate valid onedrive users
For a full rundown of the enumeration technique and OneDrive enum, check out the blog here:
https://www.trustedsec.com/blog/onedrive-to-enum-them-all/
If you are looking for the old, non-database vesion of OneDrive Enum, you can find it here: https://github.com/nyxgeek/simple_scanners
### New features in 2.10:
* Remote MySQL DB logging option -- log to a remote database
* PAUSEFILE -- if pausefile is present (/tmp/PAUSEFILE), pause enumeration
* Truncate userlist to x characters -- johnsmith -> johnsmi
### New features in 2.00:
* Local Database (sqlite3)
* Auto-lookup of tenants (thanks @DrAzureAD and @thetechr0mancer)
* Read in file OR folder of files
* Append -- easily create 'jsmith1' 'jsmith2' sprays
* Skip-Tried (de-dupe) -- remove previously tried usernames
* Kill-After -- cancel a userlist if no usernames identified within 'x' attempts
## OneDrive Enumeration overview:
OneDrive users have a file share URL with a known location:
https://acmecomputercompany-my.sharepoint.com/personal/lightmand_acmecomputercompany_com/_layouts/15/onedrive.aspx
In this instance, the username is 'lightmand' and the domain is 'acmecomputercompany.com'. If a user has logged into OneDrive, this path will exist and return a 403 status code. If they have not, or the user is invalid, it will return a 404.
The results may vary depending on how widely used OneDrive is within an org. Currently it is the most reliable user-enumeration method that I'm aware of (office365userenum no longer works, and the others like UhOh365 are unreliable). Further, it does not attempt a login and is much more passive, and should be undetectable to the target org. Microsoft will see the hits, but the target org won't.
## usage:
```
# ./onedrive_enum.py -h
*********************************************************************************************************
██████ ███
░░████ ░░░
██████ █████████ ███████ ████████ █████████ ████ █████ █████ ███████
███░░███ ░░███░░░███ ███░░░███ ███░░░███ ░░███░░░███ ░░███ ░░███ ░░███ ███░░░███
░███ ░███ ░███ ░███ ░████████ ░███ ░░███ ░███ ░░░ ░███ ░███ ░███ ░████████
░███ ░███ ░███ ░███ ░███░░░░ ░███ ░░███ ░███ ░███ ░░███ ███ ░███░░░
░░██████ ████ █████ ░░███████ ░░█████████ ██████ █████ ░░██████ ░░███████
░░░░░░ ░░░░ ░░░░░ ░░░░░░░ ░░░░░░░░░ ░░░░░░ ░░░░░ ░░░░░░ ░░░░░░░
██████ ████████ █████ ████ █████████████ +-------------------------------------------------+
███░░███░░███░░███ ░░███ ░███ ░░███░░███░░███ | OneDrive Enumerator |
░███████ ░███ ░███ ░███ ░███ ░███ ░███ ░███ | 2023 @nyxgeek - TrustedSec |
░███░░░ ░███ ░███ ░███ ░███ ░███ ░███ ░███ | version 2.10 |
░░██████ ████ █████ ░░████████ █████░███ █████ | https://github.com/nyxgeek/onedrive_user_enum |
░░░░░░ ░░░░ ░░░░░ ░░░░░░░░ ░░░░░ ░░░ ░░░░░ +-------------------------------------------------+
*********************************************************************************************************
usage: onedrive_enum.py [-h] -d [-t] [-u] [-a] [-U] [-p] [-o] [-T] [-e] [-r] [-x] [-n] [-k] [-v]
options:
-h, --help show this help message and exit
-d , --domain target domain name (required)
-t , --tenant tenant name
-u , --username user to target
-a , --append mutator: append a number, character, or string to a username
-U , --userfile file containing usernames (wordlists) -- will also take a directory
-p , --playlist file containing list of paths to user lists (wordlists) to try
-o , --output file to write output to (default: output.log)
-T , --threads total number of threads (defaut: 100)
-e , --environment Azure environment to target [commercial (default), chinese, gov]
-r, --rerun force re-run of previously tested tenant/domain/wordlist combination
-x, --skip-tried dedupe. skip any usernames from previous runs
-n, --no-db disable logging to db
-k , --killafter kill off non-productive jobs after x tries with no success
-v, --verbose enable verbose output
-tr --truncate truncate userlist at x characters
```
## example - basic usage:
```
# ./onedrive_enum.py -t microsoft -d microsoft.com -U USERNAMES/statistically-likely/jsmith.txt
*********************************************************************************************************
██████ ███
░░████ ░░░
██████ █████████ ███████ ████████ █████████ ████ █████ █████ ███████
███░░███ ░░███░░░███ ███░░░███ ███░░░███ ░░███░░░███ ░░███ ░░███ ░░███ ███░░░███
░███ ░███ ░███ ░███ ░████████ ░███ ░░███ ░███ ░░░ ░███ ░███ ░███ ░████████
░███ ░███ ░███ ░███ ░███░░░░ ░███ ░░███ ░███ ░███ ░░███ ███ ░███░░░
░░██████ ████ █████ ░░███████ ░░█████████ ██████ █████ ░░██████ ░░███████
░░░░░░ ░░░░ ░░░░░ ░░░░░░░ ░░░░░░░░░ ░░░░░░ ░░░░░ ░░░░░░ ░░░░░░░
██████ ████████ █████ ████ █████████████ +-------------------------------------------------+
███░░███░░███░░███ ░░███ ░███ ░░███░░███░░███ | OneDrive Enumerator |
░███████ ░███ ░███ ░███ ░███ ░███ ░███ ░███ | 2023 @nyxgeek - TrustedSec |
░███░░░ ░███ ░███ ░███ ░███ ░███ ░███ ░███ | version 2.10 |
░░██████ ████ █████ ░░████████ █████░███ █████ | https://github.com/nyxgeek/onedrive_user_enum |
░░░░░░ ░░░░ ░░░░░ ░░░░░░░░ ░░░░░ ░░░ ░░░░░ +-------------------------------------------------+
*********************************************************************************************************
Beginning enumeration of https://microsoft-my.sharepoint.com/personal/USER_microsoft_com/
--------------------------------------------------------------------------------------------------------
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user1, username:[email protected]
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user2, username:[email protected]
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user3, username:[email protected]
```
## example - mysql db logging:
```
# ./onedrive_enum.py -t microsoft -d microsoft.com -U USERNAMES/statistically-likely/jsmith.txt -m db.conf
*********************************************************************************************************
██████ ███
░░████ ░░░
██████ █████████ ███████ ████████ █████████ ████ █████ █████ ███████
███░░███ ░░███░░░███ ███░░░███ ███░░░███ ░░███░░░███ ░░███ ░░███ ░░███ ███░░░███
░███ ░███ ░███ ░███ ░████████ ░███ ░░███ ░███ ░░░ ░███ ░███ ░███ ░████████
░███ ░███ ░███ ░███ ░███░░░░ ░███ ░░███ ░███ ░███ ░░███ ███ ░███░░░
░░██████ ████ █████ ░░███████ ░░█████████ ██████ █████ ░░██████ ░░███████
░░░░░░ ░░░░ ░░░░░ ░░░░░░░ ░░░░░░░░░ ░░░░░░ ░░░░░ ░░░░░░ ░░░░░░░
██████ ████████ █████ ████ █████████████ +-------------------------------------------------+
███░░███░░███░░███ ░░███ ░███ ░░███░░███░░███ | OneDrive Enumerator |
░███████ ░███ ░███ ░███ ░███ ░███ ░███ ░███ | 2023 @nyxgeek - TrustedSec |
░███░░░ ░███ ░███ ░███ ░███ ░███ ░███ ░███ | version 2.10 |
░░██████ ████ █████ ░░████████ █████░███ █████ | https://github.com/nyxgeek/onedrive_user_enum |
░░░░░░ ░░░░ ░░░░░ ░░░░░░░░ ░░░░░ ░░░ ░░░░░ +-------------------------------------------------+
*********************************************************************************************************
Test connection to mysql db was successful!
Beginning enumeration of https://microsoft-my.sharepoint.com/personal/USER_microsoft_com/
--------------------------------------------------------------------------------------------------------
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user1, username:[email protected]
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user2, username:[email protected]
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user3, username:[email protected]
```
#### Note: Users that are valid but who have not yet signed into OneDrive will return a 404 not found.
## references
* https://github.com/Gerenios/AADInternals/
* https://github.com/blacklanternsecurity/TREVORspray
* https://github.com/nil0x42/duplicut
* https://patorjk.com/ -- ascii art generator
## sHoUtOuTz aNd GrEeTz
Thanks to @DrAzureAD, @thetechr0mancer, @rootsecdev, @Oddvarmoe, @HackingLZ