Enumerate valid OneDrive users
For a full rundown of the enumeration technique and OneDrive enum, check out the blog here:
https://www.trustedsec.com/blog/onedrive-to-enum-them-all/
If you are looking for the old, non-database version of OneDrive Enum, you can find it here: https://github.com/nyxgeek/simple_scanners
- Remote MySQL DB logging option -- log to a remote database
- PAUSEFILE -- if pausefile is present (/tmp/PAUSEFILE), pause enumeration
- Truncate userlist to x characters -- johnsmith -> johnsmi
- Local Database (sqlite3)
- Auto-lookup of tenants (thanks @DrAzureAD and @thetechr0mancer)
- Read in file OR folder of files
- Append -- easily create 'jsmith1' 'jsmith2' sprays
- Skip-Tried (de-dupe) -- remove previously tried usernames
- Kill-After -- cancel a userlist if no usernames identified within 'x' attempts
OneDrive users have a file share URL with a known location:
In this instance, the username is 'lightmand' and the domain is 'acmecomputercompany.com'. If a user has logged into OneDrive, this path will exist and return a 403 status code; if they have not, or the user is invalid, it will return a 404.
The results may vary depending on how widely used OneDrive is within an org. Currently it is the most reliable user-enumeration method that I'm aware of (office365userenum no longer works, and the others like UhOh365 are unreliable). Further, it does not attempt a login and is much more passive, and should be undetectable to the target org. Microsoft will see the hits, but the target org won't.
```
# ./onedrive_enum.py -h
*********************************************************************************************************
  [ASCII-art logo]                              +-------------------------------------------------+
                                                | OneDrive Enumerator                             |
                                                | 2023 @nyxgeek - TrustedSec                      |
                                                | version 2.10                                    |
                                                | https://github.com/nyxgeek/onedrive_user_enum   |
                                                +-------------------------------------------------+
*********************************************************************************************************
usage: onedrive_enum.py [-h] -d [-t] [-e] [-u] [-U] [-p] [-a] [-tr] [-T] [-r] [-x] [-n] [-m] [-o] [-k] [-v] [-D]

options:
  -h, --help          show this help message and exit
  -d , --domain       target domain name (required)
  -t , --tenant       tenant name
  -e , --environment  Azure environment to target [commercial (default), chinese, gov]
  -u , --username     user to target
  -U , --userfile     file containing usernames (wordlists) -- will also take a directory
  -p , --playlist     file containing list of paths to user lists (wordlists) to try
  -a , --append       mutator: append a number, character, or string to a username
  -tr , --truncate    truncate to x characters
  -T , --threads      total number of threads (defaut: 100)
  -r, --rerun         force re-run of previously tested tenant/domain/wordlist combination
  -x, --skip-tried    dedupe. skip any usernames from previous runs
  -n, --no-db         disable logging to db
  -m , --mysql        file containing mysql data (db.conf)
  -o , --output       file to append found users to
  -k , --killafter    kill off non-productive jobs after x tries with no success
  -v, --verbose       enable verbose output
  -D, --debug         enable debug output
```
```
# ./onedrive_enum.py -t microsoft -d microsoft.com -U USERNAMES/statistically-likely/jsmith.txt
*********************************************************************************************************
*********************************************************************************************************
Beginning enumeration of https://microsoft-my.sharepoint.com/personal/USER_microsoft_com/
--------------------------------------------------------------------------------------------------------
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user1, username:user1@microsoft.com
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user2, username:user2@microsoft.com
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user3, username:user3@microsoft.com
```
```
# ./onedrive_enum.py -t microsoft -d microsoft.com -U USERNAMES/statistically-likely/jsmith.txt -m db.conf
*********************************************************************************************************
*********************************************************************************************************
Test connection to mysql db was successful!
Beginning enumeration of https://microsoft-my.sharepoint.com/personal/USER_microsoft_com/
--------------------------------------------------------------------------------------------------------
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user1, username:user1@microsoft.com
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user2, username:user2@microsoft.com
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user3, username:user3@microsoft.com
```
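As an added example (not part of the project's code), the personal-site URL construction and 403/404 interpretation described earlier, plus a parser that turns the result lines shown in the sessions above into de-duplicated records for a report. It assumes the tenant name equals the `-my.sharepoint.com` host prefix, as in the page's own `microsoft` sample; the output lines it parses are constructed to match that sample.

```python
import re

# Regex for the result lines the enumerator prints (format taken from the sample
# sessions above); everything after "username:" is the full UPN.
RESULT_RE = re.compile(
    r"^\[-\] \[(?P<status>\d{3})\] VALID USERNAME FOR "
    r"(?P<tenant>[^,]+),(?P<domain>\S+) - (?P<user>\S+), username:(?P<upn>\S+)$"
)


def personal_site_url(tenant: str, username: str, domain: str) -> str:
    """Build the OneDrive personal-site path: the tenant's '-my.sharepoint.com'
    host, then /personal/<user>_<domain> with every '.' in the UPN turned into '_'.
    Assumes the tenant name is the host prefix (true for the page's sample)."""
    upn_path = f"{username}_{domain}".replace(".", "_")
    return f"https://{tenant}-my.sharepoint.com/personal/{upn_path}/"


def classify(status: int) -> str:
    """403 -> a personal site exists (the user has signed into OneDrive);
    404 -> no site (never signed in, or not a valid user)."""
    return {403: "valid", 404: "absent"}.get(status, "unknown")


def parse_results(text: str) -> list[dict]:
    """Parse enumerator output into structured records, de-duplicated by UPN."""
    seen, records = set(), []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m or m["upn"].lower() in seen:
            continue  # not a result line, or a UPN we already recorded
        seen.add(m["upn"].lower())
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["verdict"] = classify(rec["status"])
        rec["url"] = personal_site_url(rec["tenant"], rec["user"], rec["domain"])
        records.append(rec)
    return records


# Constructed sample output (same shape as the session above), including a
# non-result line and a duplicate result line that the parser must skip.
SAMPLE_OUTPUT = """\
Beginning enumeration of https://microsoft-my.sharepoint.com/personal/USER_microsoft_com/
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user1, username:user1@microsoft.com
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user2, username:user2@microsoft.com
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user1, username:user1@microsoft.com
"""

if __name__ == "__main__":
    for r in parse_results(SAMPLE_OUTPUT):
        print(r["upn"], r["verdict"], r["url"])
```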
- https://github.com/Gerenios/AADInternals/
- https://github.com/blacklanternsecurity/TREVORspray
- https://github.com/nil0x42/duplicut
- https://patorjk.com/ -- ascii art generator
Thanks to @DrAzureAD, @thetechr0mancer, @rootsecdev, @Oddvarmoe, @HackingLZ