@puzzlepeaches
Created August 3, 2024 12:07
  1. puzzlepeaches created this gist Aug 3, 2024.
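--- a/combo.yaml
+++ b/combo.yaml
@@ -0,0 +1,83 @@
+id: o365-tenant-name-and-user-enum
+
+# Current use: nuclei -t combo.yaml -u acme.com
+# Intended use: nuclei -t combo.yaml -u acme.com -var userlist=jsmith.txt
+info:
+name: Office 365 Tenant Name Discovery and User Enumeration
+author: ed
+severity: info
+description: Discovers the tenant name for a given Office 365 domain and then enumerates users in the target tenant's OneDrive.
+
+# Pre-define the userlist for ideally modification via -var userlist=jsmith.txt when running nuclei [BROKEN]
+variables:
+userlist: usernames.txt
+
+flow: |
+http(1)
+if (template["tenant_name"]) {
+set("tenant_name", template["tenant_name"]);
+http(2)
+}
+http:
+- method: POST
+path:
+- "https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc"
+headers:
+Content-Type: text/xml; charset=utf-8
+SOAPAction: http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation
+User-Agent: AutodiscoverClient
+Accept-Encoding: identity
+body: |
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:exm="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:ext="http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+<soap:Header>
+<a:Action soap:mustUnderstand="1">http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation</a:Action>
+<a:To soap:mustUnderstand="1">https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc</a:To>
+<a:ReplyTo>
+<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
+</a:ReplyTo>
+</soap:Header>
+<soap:Body>
+<GetFederationInformationRequestMessage xmlns="http://schemas.microsoft.com/exchange/2010/Autodiscover">
+<Request>
+<Domain>{{Host}}</Domain>
+</Request>
+</GetFederationInformationRequestMessage>
+</soap:Body>
+</soap:Envelope>
+matchers-condition: and
+matchers:
+- type: status
+status:
+- 200
+extractors:
+- type: regex
+name: tenant_name
+part: body
+regex:
+- '(?i)<Domain>([^<>/.]+)\.onmicrosoft\.com</Domain>'
+internal: true
+group: 1
+
+- method: GET
+path:
+- "https://{{tenant_name}}-my.sharepoint.com/personal/{{replace(user, '.', '_')}}_{{replace(Host, '.', '_')}}/_layouts/15/onedrive.aspx"
+redirects: false
+
+attack: batteringram
+payloads:
+# BROKEN
+user: "{{userlist}}"
+
+headers:
+# Refuses to take anything but the curl user-agent???
+User-Agent: "curl/7.64.1"
+Accept: "*/*"
+Host: "{{tenant_name}}-my.sharepoint.com"
+matchers-condition: or
+matchers:
+- type: status
+status:
+- 401
+- 403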
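Review bot: The second request's matcher (the status list at the end of the hunk) reports every 401 or 403 as an existing user with no negative control, so a tenant that returns 403 for any personal-site path at all — for example under a conditional-access or geo block, or where OneDrive is not provisioned — will light up the entire wordlist as hits. As I understand the OneDrive enumeration technique this template automates, the discriminator is 404 for a non-existent user versus 401/403 for an existing one, so against a new tenant the first request should be a deliberately bogus username to confirm it yields 404; I would record that in the template, e.g. `# Sanity-check per tenant: a non-existent user must return 404 — if it returns 401/403 the tenant is blocking and every match below is a false positive`. Separately, the `tenant_name` extractor takes the first `<Domain>` ending in `.onmicrosoft.com`, and I believe GetFederationInformation can list more than one such domain for a tenant (e.g. after a rename), in which case the `-my.sharepoint.com` host may need the other value; a comment beside the regex noting this would save the next user a confusing run of 404s. The `user` payload marked BROKEN and the `-var userlist` override are the author's own open item, and I have not verified how nuclei treats a `{{...}}` expression used as a payload file path, so I leave that untouched.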