
Microsoft Azure Subdomain Scanner / Enumerator

Posted Aug 14, 2023
Authored by RoseSecurity | Site metasploit.com

This is a Metasploit module for enumerating public Azure services by validating legitimate subdomains through various DNS record queries. This cloud reconnaissance module rapidly identifies API services, storage accounts, key vaults, databases, and more!

tags | exploit
SHA-256 | ccd5eff55c0f2d978fd9aeb246beff5116650ca8cf92390516addb006dcf5583

*Background:*

Microsoft makes use of a number of different domains and subdomains for
each of their Azure services. From SQL databases to SharePoint drives, each
service maps to its respective domain/subdomain, and with the proper
toolset, these can be identified through DNS enumeration to yield
information about the target domain's infrastructure.

enum_azuresubdomains.rb is a Metasploit module for enumerating public Azure
services by validating legitimate subdomains through various DNS record
queries. This cloud reconnaissance module rapidly identifies API services,
storage accounts, key vaults, databases, and more! Expedite your cloud
reconnaissance phases with enum_azuresubdomains.rb.

*Code:*

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DNS::Enumeration

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Azure Subdomain Scanner and Enumerator',
        'Description' => 'This module can be used for enumerating public Azure services by locating valid subdomains through various DNS queries.',
        'Author' => ['RoseSecurity <RoseSecurityConsulting[at]protonmail.me>'],
        'References' => [
          ['URL', 'https://www.netspi.com/blog/technical/cloud-penetration-testing/enumerating-azure-services']
        ],
        'License' => MSF_LICENSE
      )
    )
    register_options(
      [
        OptString.new('DOMAIN', [true, 'The target domain without TLD (Ex: victim rather than victim.org)']),
        OptBool.new('PERMUTATIONS', [false, 'Prepend and append permutated keywords to domain', false]),
        OptBool.new('ENUM_A', [true, 'Enumerate DNS A record', true]),
        OptBool.new('ENUM_CNAME', [true, 'Enumerate DNS CNAME record', true]),
        OptBool.new('ENUM_MX', [true, 'Enumerate DNS MX record', true]),
        OptBool.new('ENUM_NS', [true, 'Enumerate DNS NS record', true]),
        OptBool.new('ENUM_SOA', [true, 'Enumerate DNS SOA record', true]),
        OptBool.new('ENUM_TXT', [true, 'Enumerate DNS TXT record', true])
      ]
    )
  end

  def dns_enum(target_domains)
    target_domains.each do |domain|
      # A name counts as discovered only if it has an A record; all other
      # record types are queried for discovered names only
      next unless dns_get_a(domain)

      print_good("Discovered Target Domain: #{domain} \n")
      dns_get_a(domain) if datastore['ENUM_A']
      dns_get_cname(domain) if datastore['ENUM_CNAME']
      dns_get_ns(domain) if datastore['ENUM_NS']
      dns_get_mx(domain) if datastore['ENUM_MX']
      dns_get_soa(domain) if datastore['ENUM_SOA']
      dns_get_txt(domain) if datastore['ENUM_TXT']
    end
  end

  def run
    # Array of subdomains to enumerate
    domain = datastore['DOMAIN']
    subdomains = [
      '.onmicrosoft.com',
      '.scm.azurewebsites.net',
      '.azurewebsites.net',
      '.p.azurewebsites.net',
      '.cloudapp.net',
      '.file.core.windows.net',
      '.blob.core.windows.net',
      '.queue.core.windows.net',
      '.table.core.windows.net',
      '.mail.protection.outlook.com',
      '.sharepoint.com',
      '.redis.cache.windows.net',
      '.documents.azure.com',
      '.database.windows.net',
      '.vault.azure.net',
      '.azureedge.net',
      '.search.windows.net',
      '.azure-api.net',
      '.azurecr.io'
    ]

    # Array of keywords to prepend and append
    permutations = %w[
      root
      web
      api
      azure
      azure-logs
      data
      database
      data-private
      data-public
      dev
      development
      demo
      files
      filestorage
      internal
      keys
      logs
      private
      prod
      production
      public
      service
      services
      splunk
      sql
      staging
      storage
      storageaccount
      test
      useast
      useast2
      centralus
      northcentralus
      westcentralus
      westus
      westus2
    ]

    # Create permutated array of keywords and target domain
    if datastore['PERMUTATIONS']
      permutated_domains = []
      permutations.each do |keywords|
        permutated_domains.append("#{domain}-#{keywords}")
        permutated_domains.append("#{keywords}-#{domain}")
      end
      # Permutated and normal list of subdomains
      target_domains = []
      subdomains.each do |tld|
        target_domains.append(domain + tld)
        # Each permutated name is paired with every service suffix
        permutated_domains.each do |subdomain|
          target_domains.append(subdomain + tld)
        end
      end
    else
      # Normal list of target subdomains only
      target_domains = []
      subdomains.each do |tld|
        target_domains.append(domain + tld)
      end
    end
    # Query DNS records of the assembled target list
    dns_enum(target_domains)
  end
end
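
*Added example (not part of the original post or the module):* a defender-side check that takes an inventory of your own Azure hostnames and reports which ones the module's naming scheme would generate from the organisation name. The suffix and keyword lists are copied from the module; the service labels, the helper names, the organisation name `examplecorp` and the inventory are assumptions constructed for illustration. No DNS queries are made.

```ruby
# Added example, not part of the module. Suffixes and keywords are copied from
# the module; service labels, org name and inventory are constructed.
SERVICES = {
  '.onmicrosoft.com' => 'Tenant domain', '.sharepoint.com' => 'SharePoint Online',
  '.scm.azurewebsites.net' => 'App Service (Kudu/SCM)',
  '.azurewebsites.net' => 'App Service', '.p.azurewebsites.net' => 'App Service',
  '.cloudapp.net' => 'Cloud Services', '.azureedge.net' => 'CDN',
  '.file.core.windows.net' => 'Storage (Files)', '.blob.core.windows.net' => 'Storage (Blob)',
  '.queue.core.windows.net' => 'Storage (Queue)', '.table.core.windows.net' => 'Storage (Table)',
  '.mail.protection.outlook.com' => 'Exchange Online Protection',
  '.redis.cache.windows.net' => 'Cache for Redis', '.documents.azure.com' => 'Cosmos DB',
  '.database.windows.net' => 'SQL Database', '.vault.azure.net' => 'Key Vault',
  '.search.windows.net' => 'Search', '.azure-api.net' => 'API Management',
  '.azurecr.io' => 'Container Registry'
}.freeze
KEYWORDS = %w[
  root web api azure azure-logs data database data-private data-public dev
  development demo files filestorage internal keys logs private prod production
  public service services splunk sql staging storage storageaccount test useast
  useast2 centralus northcentralus westcentralus westus westus2
].freeze

# Labels the module would try: the bare name plus both hyphenated forms.
def candidate_labels(org)
  [org] + KEYWORDS.flat_map { |k| ["#{org}-#{k}", "#{k}-#{org}"] }
end

# Longest suffix first, so .scm.azurewebsites.net wins over .azurewebsites.net.
def classify(hostname, org)
  host = hostname.downcase.chomp('.')
  suffix = SERVICES.keys.sort_by { |s| -s.length }.find { |s| host.end_with?(s) }
  return { host: host, service: nil, guessable: false } unless suffix
  { host: host, service: SERVICES[suffix],
    guessable: candidate_labels(org).include?(host.delete_suffix(suffix)) }
end

def guessable_hosts(inventory, org)
  inventory.map { |h| classify(h, org) }.select { |r| r[:guessable] }
end

INVENTORY = %w[
  examplecorp.blob.core.windows.net examplecorp-prod.vault.azure.net
  api-examplecorp.azure-api.net examplecorp-dev.scm.azurewebsites.net
  examplecorpdev.blob.core.windows.net kv-7f3a9c.vault.azure.net
].freeze
guessable_hosts(INVENTORY, 'examplecorp').each { |r| puts "#{r[:host]}  #{r[:service]}" }
```

Storage account names cannot contain hyphens, so the module's hyphenated permutations only ever match the other services; `examplecorpdev` in the sample is outside this wordlist for that reason.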