
External Information Gathering

Collection of tools, techniques, and payloads for external information gathering when performing an external security assessment.

  1. Subdomain Discovery & Enumeration
  2. Outlook Web Access (OWA)
  3. SSO Services
  4. Azure AD Brute Forcing
  5. Generic Email Accounts
  6. Other


Subdomain Discovery & Enumeration

Find Certificates

DNS Data

Subdomain Fuzzing

This list can be used when attempting to discover subdomains of a given domain. Append the target domain to each entry, then perform DNS resolution on the resulting name.


Outlook Web Access (OWA)

You can find the OWA portal for a target domain by going to the following link:

https://outlook.office365.com/CLIENT_DOMAIN


SSO Services

You may be able to find additional single sign-on (SSO) services by visiting the following links:

https://CLIENT_DOMAIN/adfs/ls/idpinitiatedsignon.aspx
https://CLIENT_OWA_DOMAIN/adfs/ls/idpinitiatedsignon.aspx
  • The endpoint path is the same for both links; only the domain differs.


Azure AD Brute Forcing


Generic Email Accounts

This list can be used when attempting to fuzz accounts for user enumeration, password spraying attacks, or phishing.


Other

This post is licensed under CC BY 4.0 by the author.