Last active
September 8, 2025 14:11
Gist: iknowjason/ac3afb89a51e38603650b21f91626643
Revisions
iknowjason revised this gist
Apr 15, 2024. 1 changed file with 8 additions and 4 deletions.
@@ -33,10 +33,14 @@ curl -s https:///login.microsoftonline.com/$DOMAIN/v2.0/.well-known/openid-confi curl -s -X POST https:///login.microsoftonline.com/common/GetCredentialType --data '{"Username":"[email protected]"}' | jq '.IfExistsResult' # Note: Checking the user: [email protected] # Response Codes #-1 An unknown error #0 The account exists, and uses that domain for authentication #1 The account doesn’t exist #2 The response is being throttled #4 Some server error #5 The account exists, but is set up to authenticate with a different identity provider. This could indicate the account is only used as a personal account #6 The account exists, and is set up to use both the domain and a different identity provider # ADFS Recon Google Dorks
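Review bot: the expanded response-code table now documents non-answer states (-1 unknown error, 2 throttled, 4 server error), but the command still prints the raw `jq '.IfExistsResult'` value, so a 2 returned under throttling is easy to mistake for a definitive answer about the account; consider wrapping the call so that any value other than 0, 1, 5 or 6 is reported as "no result" and the check is retried later. The new comment lines also drop the space after `#` (`#-1`, `#0`, ...), which is inconsistent with the `# 1 -` style used elsewhere in the file.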
iknowjason revised this gist
Jul 11, 2023. 1 changed file with 1 addition and 1 deletion.
@@ -1,6 +1,6 @@ # Start with a DNS domain as seed, and do some recon to check if domain is M365 / Azure tenant hosted # Insert your domain environment variable below DOMAIN="microsoft.com" # Check the getuserrealm.srf endpoint for domain information
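Review bot: with the spaces removed, `DOMAIN="microsoft.com"` is now a valid shell assignment and the `$DOMAIN` references further down will expand as intended. The comment above it still calls this an environment variable; it is a plain shell variable unless exported, which is fine for a script run in one shell but worth wording accurately.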
iknowjason revised this gist
Jul 11, 2023. 1 changed file with 1 addition and 1 deletion.
@@ -1,6 +1,6 @@ # Start with a DNS domain as seed, and do some recon to check if domain is M365 / Azure tenant hosted # Insert your domain environment variable below DOMAIN = "microsoft.com" # Check the getuserrealm.srf endpoint for domain information
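Review bot: `DOMAIN = "microsoft.com"` is not an assignment in sh/bash; with spaces around `=` the shell tries to run a command named `DOMAIN` with the arguments `=` and `microsoft.com`, so `$DOMAIN` stays empty and every URL and `host` lookup below it is built with an empty domain. Drop the spaces: `DOMAIN="microsoft.com"`.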
iknowjason revised this gist
Jan 19, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -27,7 +27,7 @@ curl -s https:///login.microsoftonline.com/$DOMAIN/v2.0/.well-known/openid-confi # Check GetCredentialType endpoint for username enumeration # Once on a managed domain, check individual users # Credit and props to Brian Thomas for helping to validate this. Thanks Brian! # Verify that the getuserrealm.srf returns a "Managed" value for NameSpaceType # If it does, the 0 or 1 below is correct. IF it doesn't, unmanaged domains can return 0, leading to false positives curl -s -X POST https:///login.microsoftonline.com/common/GetCredentialType --data '{"Username":"[email protected]"}' | jq '.IfExistsResult'
iknowjason revised this gist
Jan 19, 2022. 1 changed file with 5 additions and 2 deletions.
@@ -27,11 +27,14 @@ curl -s https:///login.microsoftonline.com/$DOMAIN/v2.0/.well-known/openid-confi # Check GetCredentialType endpoint for username enumeration # Once on a managed domain, check individual users # Credit and propse to Brian Thomas for helping to validate this # Verify that the getuserrealm.srf returns a "Managed" value for NameSpaceType # If it does, the 0 or 1 below is correct. IF it doesn't, unmanaged domains can return 0, leading to false positives curl -s -X POST https:///login.microsoftonline.com/common/GetCredentialType --data '{"Username":"[email protected]"}' | jq '.IfExistsResult' # Note: Checking the user: [email protected] # Response Codes # 1 - User Does Not Exist on Azure as Identity Provider # 0 - Account exists for domain using Azure as Identity Provider # 5 - Account exists but uses different IdP other than Microsoft # 6 - Account exists and is setup to use the domain and an IdP other than Microsoft
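Review bot: the new comment correctly states that the 0/1 result is only meaningful when getuserrealm.srf reports NameSpaceType `Managed`, but the script leaves enforcing that precondition to the reader. Since the value is already extracted earlier in the file with `jq -r '.NameSpaceType'`, capture it in a variable and only issue the GetCredentialType request when it equals `Managed`; otherwise the false positive the comment documents for unmanaged domains will still be printed as a 0 and read as "account exists".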
iknowjason revised this gist
Jan 7, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -30,7 +30,7 @@ curl -s https:///login.microsoftonline.com/$DOMAIN/v2.0/.well-known/openid-confi curl -s -X POST https:///login.microsoftonline.com/common/GetCredentialType --data '{"Username":"[email protected]"}' | jq '.IfExistsResult' # Note: Checking the user: [email protected] # Response Codes # 1 - User Does Not Exist # 0 - Account exists for that domain for auth # 5 - Account exists but uses different IdP other than Microsoft # 6 - Account exists and is setup to use the domain and an IdP other than Microsoft
iknowjason revised this gist
Aug 10, 2021. 1 changed file with 1 addition and 1 deletion.
@@ -12,7 +12,7 @@ host autodiscover.$DOMAIN curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\json\=1 # Note: Look for NameSpaceType # Return NameSpaceType - either "Unknown", "Managed", or "Federated" curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\json\=1 | jq -r '.NameSpaceType' # Check for federation on the domain
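Review bot: the comment now matches the 'Unknown', 'Federated', or 'Managed' wording at the top of the file, but the two adjacent `curl` calls fetch the same getuserrealm.srf JSON twice; fetch it once into a variable and pipe that to `jq` for both the raw view and the NameSpaceType extraction. Also, `\&\json\=1` escapes the `j` for no reason (`\j` is just `j` to the shell); `\&json\=1` is the intended form.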
iknowjason revised this gist
Jul 23, 2021. 1 changed file with 7 additions and 1 deletion.
@@ -33,4 +33,10 @@ curl -s -X POST https:///login.microsoftonline.com/common/GetCredentialType --da # 1 - User Doesnt' Exist # 0 - Account exists for that domain for auth # 5 - Account exists but uses different IdP other than Microsoft # 6 - Account exists and is setup to use the domain and an IdP other than Microsoft # ADFS Recon Google Dorks inurl://adfs/ls/idpinitiatedsignon inurl://adfs/oauth2/authorize
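Review bot: the two `inurl:` lines added at the end are search-engine queries, not shell commands, and unlike the surrounding notes they are not commented out; if the file is run or sourced as a script the shell will try to execute `inurl://adfs/ls/idpinitiatedsignon` and fail with "command not found". Prefix them with `#` like the rest of the notes, or keep them in a separate notes file.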
iknowjason created this gist
Jul 22, 2021.
@@ -0,0 +1,36 @@ # Start with a DNS domain as seed, and do some recon to check if domain is M365 / Azure tenant hosted # Insert your domain environment variable below $DOMAIN = "microsoft.com" # Check the getuserrealm.srf endpoint for domain information # Check autodiscover.$DOMAIN DNS entry host autodiscover.$DOMAIN # Note: Checks autodiscover forward lookup ~ you should see a CNAME record for autodiscover.$DOMAIN pointing to autodiscover.otulook.com # Test if domain is managed or not. Check if it's a Azure/M365 tenant. Returns 'Unknown', 'Federated', or 'Managed' curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\json\=1 # Note: Look for NameSpaceType # Return NameSpaceType - either "Unkown" or "Managed" curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\json\=1 | jq -r '.NameSpaceType' # Check for federation on the domain curl -s https:///login.microsoftonline.com/getuserrealm.srf\?login\=$DOMAIN\&\xml\=1 # Note: Look at <NameSpaceType> and <IsFederated> # Get the TenantID for a managed domain curl -s https:///login.microsoftonline.com/$DOMAIN/v2.0/.well-known/openid-configuration # Note: Look for the token endpoint. Example response: # "token_endpoint":"https://login.microsoftonline.com/9d9817d9-f209-4430-8f4f-cc03332848cb/oauth2/v2.0/token # '9d9817d9-f209-4430-8f4f-cc03332848cb' is the TenantId # Check GetCredentialType endpoint for username enumeration # Once on a managed domain, check individual users curl -s -X POST https:///login.microsoftonline.com/common/GetCredentialType --data '{"Username":"[email protected]"}' | jq '.IfExistsResult' # Note: Checking the user: [email protected] # Response Codes # 1 - User Doesnt' Exist # 0 - Account exists for that domain for auth # 5 - Account exists but uses different IdP other than Microsoft # 6 - Account exists and is setup to use the domain and an IdP other than Microsoft
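Review bot: `$DOMAIN = "microsoft.com"` near the top of the new file is not a shell assignment; the leading `$` expands an unset variable and the spaces turn the remainder into an invocation of a command named `=`, so `$DOMAIN` stays empty and `host autodiscover.$DOMAIN` and every `login.microsoftonline.com` URL below it are built with an empty domain. It should read `DOMAIN="microsoft.com"`. Two smaller items: every endpoint URL is written with a triple slash (`https:///login.microsoftonline.com/...`), which should be `https://` unless it is intentional, and the comments carry typos (`autodiscover.otulook.com`, presumably outlook.com; `Unkown`; `Doesnt'`). The comment "Returns 'Unknown', 'Federated', or 'Managed'" also disagrees with the later "either "Unkown" or "Managed"" line in the same file; the two should list the same set of values.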