As an obsolute defender we would be required to observe the organization in the lens of the attacker.

To start with what would be the key objectives of the attacker while he start with the engagenent

Objectives of Recon

Tools

---

Recon Tools

• Recon-NG

  • https://github.com/lanmaster53/recon-ng

• OWASP Amass

  • https://github.com/OWASP/Amass

• Spiderfoot

  • https://www.spiderfoot.net/

• Gobuster

  • https://github.com/OJ/gobuster

• Sublist3r

  • https://github.com/aboul3la/Sublist3r

---

Additional Tool Recommendations (optional):

To further enhance the toolkit, consider adding these popular recon tools:

• Shodan (https://www.shodan.io/): Identify Internet-exposed assets.

• Censys (https://search.censys.io/): Asset inventory and discovery.

• Assetfinder (https://github.com/tomnomnom/assetfinder): Quickly find domains and subdomains.

• theHarvester (https://github.com/laramies/theHarvester): Collect email addresses and domains from public sources.

---

Use search engines

• Bing and Google are good places to start

Example search query:

site:targetdomain.com -site:www.targetdomain.com

• Baidu

• DuckDuckGo

---

Additional Recommendations (Optional):

• Yandex: Effective for broader global coverage, particularly in regions outside typical Google indexing.

• Custom Google Dorks: Tailored search queries to identify sensitive files, configuration data, or subdomains.

• Internet Archive (Wayback Machine): Discover historical snapshots of websites, revealing past configurations or exposures.

Recon: Certificate Transparency

---

• Monitors and logs digital certs

• Creates a public, searchable log

• Can help discover additional subdomains

• More importantly, you can potentially find more Top-Level Domains (TLDs)!

• Single cert can be scoped for multiple domains

---

Additional Notes (Optional):

• Utilize tools such as crt.sh or CertSpotter to search these certificate transparency logs effectively.

• Useful in identifying shadow IT, development or test environments, or forgotten infrastructure.

Recon: Internet-Wide Scans

• Shodan.io and Censys.io

• Perform internet-wide portscans

• Enable certificate searches

• Useful for identifying exposed services, misconfigurations, and cloud assets

Shodan Query Examples:

• org:"Target Name" – Search by organization name

• net:"CIDR Range" – Filter by network block

• port:"443" – Focus on specific services like HTTPS

---

Optional Additions:

• ZoomEye – Another internet-wide scan engine useful in certain regions

• Shodan Filters – Use additional filters like ssl.cert.subject.CN, country, or product to refine searches

• Automation – Combine with Python’s shodan module or Censys APIs for scripted asset discovery workflows

---

Recon: DNS Brute Forcing

• Perform lookups on a list of potential subdomains

• Make sure to use quality lists

Recommended Wordlists:

• SecLists

  https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS

• Common strategy:

  If you find common patterns in discovered subdomains, try iterating names (e.g., dev1, dev2, dev3, or us-west, us-east, etc.)

---

Optional Additions:

• Tools like dnsx, MassDNS, or Fierce can speed up large-scale brute force attempts.

• Combine with wildcard DNS detection to filter false positives.

---

Recon: MX Records

• MX Records can help us identify cloud services in use

Common Identifiers:

• O365 → target-domain.mail.protection.outlook.com

• Google Workspace → google.com or googlemail.com

• Proofpoint → pphosted.com

---

Additional Tip:

• SPF records (TXT) often reinforce the MX record findings by including domains like spf.protection.outlook.com or spf.google.com.

This can be used in recon to infer the email service provider used by the target, which helps tailor phishing or email-based intrusion techniques.

---

Recon: Other Recon Resources

Other Services:

• HackerTarget

  🔗 https://hackertarget.com/

• ThreatCrowd

  🔗 https://www.threatcrowd.org/

• DNSDumpster

  🔗 https://dnsdumpster.com/

• ARIN Searches

  🔗 https://whois.arin.net/ui/

  • Search bar accepts wildcards

  • Great for finding other netblocks owned by the same organization

---

Optional Enhancements:

• SecurityTrails and ViewDNS.info: Great for domain history and passive DNS

• Robtex: Combines DNS, BGP, and geolocation views for infrastructure mapping

• BinaryEdge: Alternative to Shodan/Censys for internet asset scanning and banner grabbing

• Google BigQuery + Censys datasets: For large-scale correlation and automation

These services are especially useful in surfacing otherwise hidden relationships between domains, subnets, malware infrastructure, and exposed services.

Recon: Cloud Netblocks

• Now resolve all the domains you obtained and compare them to cloud service netblock ranges

Azure Netblocks:

• Public:

  https://www.microsoft.com/en-us/download/details.aspx?id=56519

• US Gov:

  http://www.microsoft.com/en-us/download/details.aspx?id=57063

• Germany:

  http://www.microsoft.com/en-us/download/details.aspx?id=57064

• China:

  http://www.microsoft.com/en-us/download/details.aspx?id=57062

AWS Netblocks:

• https://ip-ranges.amazonaws.com/ip-ranges.json

GCP Netblocks:

• https://www.gstatic.com/ipranges/cloud.json

---

Additional Notes:

• These JSON files can be integrated into automated recon workflows to tag discovered assets with cloud provider context.

• Tools like ipwhois, pyasn, or iprange modules can be used to compare resolved IPs against these netblocks.

Recon: Cloud Asset Discovery

• Script to compare a list of IP addresses against Azure, AWS, GCP netblocks and more:

  🔗 https://github.com/oldrho/ip2provider

• How to use it:

  • Create a list of IP addresses, one per line.

  • Run the following command:

      cat iplist.txt | python ip2provider.py
    

• Additional resource:

  🔗 https://github.com/g0ldencybersec/CloudRecon

---

Optional Enhancement:

• Automate this in Python with additional tagging (e.g., provider, region, ASN).

• Combine outputs with tools like ipwhois for enriched cloud attribution.

---

Recon: Microsoft 365 / Entra ID Usage

Identifying whether an organization uses Microsoft 365 (formerly Office 365) or Microsoft Entra ID (formerly Azure AD) can help an attacker or security analyst understand authentication mechanisms, cloud adoption maturity, and potential identity-based attack surfaces.

1. Determine if the Domain is a Microsoft-Managed Tenant

Use the following URL to query the tenant realm associated with a specific domain:

<https://login.microsoftonline.com/getuserrealm.srf?login=username@targetdomain.com&xml=1>

• This reveals whether the domain uses managed or federated authentication.

• Helpful attributes include:

  • NameSpaceType: Managed or Federated

  • CloudInstanceName: Typically microsoftonline.com

  • FederationBrandName: Identity provider branding

name space type is important stuff to note .. federated means active directory services. Credential will be sent to the federated provider to get the token.

2. Retrieve the Microsoft Entra Tenant ID

To extract the tenant ID associated with a domain, query the well-known OpenID configuration endpoint:

<https://login.microsoftonline.com/><targetdomain>/v2.0/.well-known/openid-configuration

• This JSON document includes the issuer URL, from which you can parse the tenant ID (a GUID).

• Useful for enumeration, multi-tenant recon, or linking domains under the same tenant

similarly replace the target-domain in the url with your target to get the tenant id of the target organization

In aws side equalant is account id.

It is use full for attacker, what is required for service principal to authenticate, service principal cant be authenticate using client id and secret. It will also require service principal. Its a low severity sensitive information which will be exposed for all cloud service clients

For google it has to be unique user name to validate the client or target is using google service.

Recon: AWS Usage

🔍 Identifying S3 Bucket Usage

Many web apps pull static resources (e.g., images, scripts, configs) directly from Amazon S3 buckets. Misconfigured buckets can expose sensitive content or become entry points.

• What to look for:

  Use browser dev tools or interceptors to see if assets are being loaded from:

  • https://[bucketname].s3.amazonaws.com

  • https://s3-[region].amazonaws.com/[OrgName]

• Brute-forcing Buckets (Later Lab):

  Once you recognize a pattern, you can attempt brute-force discovery of other buckets tied to the organization using known prefixes, tools like:

  • Bucket Finder

  • S3Scanner

  • AWSBucketDump

---

🛠 Using Burp Suite

• Method:

  Interact with the app normally through Burp Suite and review the request logs to spot outbound traffic to AWS S3 endpoints. This reveals:

  • Bucket names

  • Region usage

  • Possible organization naming conventions

---

🔗 Example Reference:

• In the illustrated scenario, a web client visits http://example.com, which internally fetches content from:

    example.s3-website-us-west-2.amazonaws.com
  

This confirms S3 is in use and reveals the region (us-west-2), which can be useful for regional scoping or compliance mapping.

🔗 Notes

Majority of the targets do not tie up the aws services to certain email domain

Inspect every website using burpsuite because you will see s3 bucket is using static content

Recon: Employees

🎯 Why it Matters:

Identifying employees of a target organization is essential for enabling phishing, password spraying, and credential stuffing attacks.

---

🛠 Build a User List:

• Use breach data (from HaveIBeenPwned, etc.)

• Leverage LinkedIn, company press releases, and corporate blogs

---

📂 Discover Username Schemas via Metadata:

• Many public documents (PDF, DOCX, XLSX) contain metadata with author or creator fields.

• This data often includes:

  • Full names

  • Internal usernames (e.g., j.doe, john.d, jdoe)

---

🔧 Tools to Extract Metadata:

• PowerMeta

  • GitHub: https://github.com/daft-hack/PowerMeta

  • Performs Google/Bing dorking + metadata parsing

• FOCA

  • GitHub: https://github.com/ElevenPaths/FOCA

  • GUI-based, extracts metadata and maps infrastructure

🧰 PowerMeta: Harvesting Employee Metadata

✅ Step 1: Clone PowerMeta

git clone <https://github.com/daft-hack/PowerMeta.git>
cd PowerMeta

✅ Step 2: Run PowerMeta

Replace the domain with your target (e.g., acme.com):

Invoke-PowerMeta -TargetDomain "acme.com"

This command performs:

• Google/Bing dorking: Searches for site:acme.com filetype:pdf|docx|xlsx

• Download of public documents

• Extraction of metadata fields like:

  • Author

  • Creator

  • LastModifiedBy

Example Output Fields:

[*] Extracted metadata:
Author: John Doe
Creator: j.doe

💡 These values help you infer:

• Username patterns (jdoe, john.d, doej)

• Internal identity formats (useful for password spraying or targeted phishing)

🧪 Bonus: Custom Dorking Without PowerMeta

You can also manually gather documents via:

site:acme.com filetype:pdf
site:acme.com filetype:docx
site:acme.com filetype:xlsx

Then run exiftool or strings to extract metadata:

exiftool employee_report.pdf

🔎 Recon: User Enumeration (Azure AD / M365)

✅ Goal:

Identify whether specific email addresses or usernames are valid in a Microsoft Entra ID (formerly Azure AD) tenant — a crucial step before phishing or password spraying.

---

🔗 Primary Endpoint:

<https://login.microsoftonline.com/common/oauth2/token>

• If a user does not exist, the response contains:

    "error": "invalid_grant",
    "error_description": "The user account does not exist in the directory"
  

This lets you enumerate valid users by testing emails and watching for differences in error messages.

---

🧰 Tools to Automate Enumeration:

1. MSOLSpray

   • Detects invalid users during password spraying

   • GitHub: https://github.com/daft-hack/MSOLSpray

2. OneDrive User Enumerator

   • Leverages OneDrive's API to check for valid usernames

   • GitHub: https://github.com/nyxgeek/onedrive_user_enum

---

🧪 Bonus Recon Tactic:

• Use Microsoft login pages (login.microsoftonline.com) with getuserrealm.srf and openid-configuration endpoints to:

  • Confirm tenant existence

  • Check if a domain is federated or managed

  • Extract tenant ID for targeting

🛠️ MSOLSpray

MSOLSpray is a PowerShell script designed for password spraying against Microsoft Online accounts (Azure/O365).(GitHub)

Basic Usage:

Import-Module .\\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\\userlist.txt -Password Winter2020!

Parameters:

• UserList: Path to a file containing a list of usernames (one per line).

• Password: The password to spray against the user list.

This tool logs various outcomes, such as valid credentials, MFA requirements, non-existent users, and account statuses.(GitHub)

---

🛠️ OneDrive User Enumerator

This Python tool checks for the existence of OneDrive accounts to enumerate valid Office 365 users.(GitHub)

Basic Usage:

python onedrive_enum.py -d targetdomain.com -U userlist.txt

Parameters:

• d: Target domain name (required).

• U: File containing usernames to check (one per line)

Additional Options:

• t: Specify the tenant name if different from the domain.

• T: Set the number of threads (default is 100).

• o: Output results to a specified file.

• v: Enable verbose output.(vk9-sec.com, KitPloit - PenTest & Hacking Tools, Knowledge Base (KB))

The tool interprets HTTP response codes to determine user validity: a 403 indicates a valid user, while a 404 suggests the user does not exist or hasn't activated OneDrive.(TrustedSec)

---

🛠️ AADInternals

🧰 What Can You Do with AADInternals?

🔹 Recon & Enumeration (External / No Auth Required)

• Discover if a domain is part of Microsoft 365 / Entra ID

• Extract tenant ID, tenant brand, and identity federation details

• Determine if SSO is enabled, if the domain is managed or federated

• Enumerate valid users externally (no login required)

• Check MX, SPF, DMARC, and other DNS records

• Perform domain reconnaissance stealthily as an outsider

🔸 Post-Auth Capabilities (Requires Credentials)

• Token extraction (access/refresh tokens)

• Token replay

• MFA bypass scenarios

• Abuse of legacy auth

• Conditional access policy evaluation

---

🔧 Tool Setup

📦 Installation

Clone the repo:

git clone <https://github.com/Gerenios/AADInternals.git>

Then in PowerShell:

Import-Module ./AADInternals/AADInternals.psd1

---

🛠️ External Recon Syntax (No Authentication)

1. Domain/Tenant Recon

Invoke-AADIntReconAsOutsider -Domain "targetdomain.com"

⏎ Output includes:

• Tenant brand name

• Tenant ID (GUID)

• Whether DesktopSSO is enabled

• DNS and identity configuration

---

2. User Enumeration

Invoke-AADIntUserEnumerationAsOutsider -Domain "targetdomain.com"

⏎ It checks if usernames exist via smart response parsing from Microsoft login APIs.

---

📸 Example Output:

Shows domain info: testbeau.onmicrosoft.com, tenant ID, managed status, etc.

---

🔗 Official Links

• GitHub Repo:

  https://github.com/Gerenios/AADInternals

• Docs & Usage Guide:

  https://aadinternals.com/aadinternals