All right. Hello. Welcome to Track the Planet. Today we're going to be talking a little bit about user enumeration in Azure, and I hope to demonstrate to you today (it's kicking up) a little bit about why user enumeration is a vulnerability and why it should be taken seriously. So with that, a little bit about me. I'm Nick Skiles. I'm over at TrustedSec, but this research is my own. This talk is about user enumeration, and there are no zero days being announced here. There's really no hotness here, really just taking advantage of things that already exist. Microsoft knows about all of this. There's nothing new being announced that's going to be a surprise to them. Well, maybe.

So first let's really just talk about user enumeration and why it matters. So what is it? User enumeration is the ability to determine if a user is valid on a system. There are various ways of doing it, especially in Azure, but some examples here: you can see verbose responses just saying if the username is invalid or not. There are time-based ones, or you might do one that's web-based: maybe it's a 404 if it doesn't exist and a 302 or a 401 if it does exist. So there are various ways of doing this. And it is a security flaw. We use it all the time in pen testing. It enables all of these different attacks, primarily password sprays, phishing, and then the occasional targeted RCE that can affect users if you have their email address. It's an unnecessary feature. It doesn't need to be here. It's purely cosmetic, and then it also allows the identification of targets, right? So we often use first dot last name. We use our identities in our email addresses. So when that's possible, it's possible then to not just identify a username, like a numeric username, but when it's John Smith, you know that person's identity. You can find them. So this is a dangerous thing because it allows all of these different attacks to happen, especially with password sprays.
I just want to mention on this real quick: it is enormous. If you're on a pen test and you can't do user enumeration, you're going to have a bad time. If you're looking at, for instance, the jsmith format, if you're using census data from 2010, that's 4.2 million lines. If you can reduce that to 2,000 lines or less, right? If you can find just the valid users, now all of a sudden you're not wasting a day doing password sprays. You can rotate every hour or as often as you can without triggering their lockout. So it's huge for that. It wouldn't really be possible if it wasn't for user enumeration. It would not be worth the time. And often, if you've ever dumped a domain controller, I'm sure that you know that there's always one or two bad passwords in there. I can count on one hand the number of times I've dumped a DC and not found anything that I was like, oh, yeah, that's... yeah. So instead of thinking about it like you're trying to guess the password when you're doing password sprays, assume that there's going to be one out of those hundred top passwords in there. Instead, focus on finding the users, because if you can get complete enumeration, you can almost always find a weak password. So think about it that way instead of thinking about it as trying to find the password. You're trying to find the user with that weak password that we assume exists somewhere.

So it really matters in Azure because everybody uses Azure. Not everybody, but nearly. So in the Fortune 500, for instance, 99% have Azure tenants, whether they use them or not, right? They might have just registered it. But out of those, 96% had SharePoint enabled, and I've identified valid usernames via OneDrive in 89% of the Fortune 500. So they are being used. It is widespread. If you look at state government adoption, every state government uses Azure. This is so widespread. Everyone is affected by things that come up in Azure, especially with user enumeration.
There are federal government agencies that use Azure. Everything has the same vulnerability built in there with OneDrive and other user enumeration methods. So who might not want to be enumerated, right? Who might want to stay kind of hidden from view? There are a number of areas where you think maybe we shouldn't allow them to make lists of potential cyber targets, right? People that might be targeted with phishing, password sprays, et cetera. And it's not new to think about user enumeration as a vulnerability. This has been recognized by many large organizations. It shouldn't be the case that Microsoft makes the argument that user enumeration isn't a vulnerability. And you can see that they don't take it seriously, because if you look back even to 2014, that's almost a decade ago. That's when I believe the first Exchange time-based user enumeration was identified. There are multiple ones after that you can see. And it's just persistent throughout all their products because they don't consider it a vulnerability. You can see this actually if you go look at their bounty page's out-of-scope submissions and vulnerabilities: these are not in scope for submission. So it's not surprising. I submitted the SharePoint OneDrive enumeration vulnerability to them. And you can actually see they gave us a really nice verbose response. So the parts that I want to point out are basically: we would not consider it a security vulnerability on its own, and it's similar to knowing a website's IP address. And that's something that's public, right? That's not something that's considered private information at all. So that is their stance on it. It's not a bug. It's a feature. It's built in.

So with that, we arrive at stage one, user enumeration. So knowing that OneDrive can enumerate users, and it can do so silently via HTTP. It's just a HEAD request. And you can tell if the user is valid or not. It's basically web scraping.
There's no authentication attempt, unlike Graph and other methods where you have to actually try to make a login, which is sketchy if you're going to try doing something on a large scale. But OneDrive doesn't have any of those problems. You can use this and nobody can see it, except for Microsoft. So there are a few different Azure enumeration methods. These are the popular ones that I'm aware of. The Graph one has a logon attempt made. It shows up in any logs. That's the normal one that people use to attack oftentimes. Oh, sorry. My bad. So the next one down, Seamless SSO, that's a quiet one. But you get false positives with it. There's the Teams presence one, but you need to have external access enabled. We'll be talking about that later. And so we have OneDrive. OneDrive has no rate limits, no false positives. It's simple. It's easy to script out because it's so easy. You can in fact use DirBuster if you really wanted to do the same type of enumeration.

Now, in order to enumerate a OneDrive user, there are a few things that you need to know. You need to know the domain name and you need to know the tenant name. But you don't always know what the tenant name is. Oftentimes it will match the domain name minus the TLD, but that's not always the case. And in fact, a good portion of the time, it's not the case. And so that's an important requirement to doing the OneDrive enumeration. And thankfully, DrAzureAD, who is amazing, identified a way to do this. He published it in AADInternals, and then TREVORspray added it into their tool, which is also amazing and you should check it out. And it identifies the tenant names using a Microsoft lookup service. So I implemented these into my own tool, onedrive_enum, and I started enumerating users. And I then added networking capabilities and just had basically a SQL back end and a bunch of VPSs. For this, I used Clue, which is not a codified likeness, but it's a cloud lookup utility.
And so that would just talk back to my Tron server and sync up word lists, et cetera, and then you could run your enumeration on there. And the original Clue crew was only a small squad, but after about six months or so of doing this, I decided to go a little bit harder and we upped it a little bit. At one time, I did reach 56, but that's too much. 40 was my running number. And over the course of a year and a half, I was able to enumerate 24 million users. So these are users at the largest organizations in the world. Not just limited to Fortune 500 and 1000, but I did specifically look at those. So for reference, 20 million users is kind of hard to imagine, but it's about the state of Florida, or Australia, or New York state. So it's a lot of users.

So let's take a look at some of the results of the user enumeration that I did. The total usernames that were found were 24 million. The unique were about 10 million. It took about 556 days and averaged around 40K or so a day. And this was with a small-scale operation. If somebody really wanted to do it, they could scale it up a lot. So the total operating budget for this, by the way, was about $5,000. So it's more than I wanted to spend, but it's something that proves it would be so cheap for anybody in the world to do this. Now, looking at username formats, when you're trying to identify... So, I don't know about this. Microsoft doesn't want this to happen. Okay, well, let's see what we can do here. So to identify username formats, I used a survey script. And in doing so, I would run a set of different usernames against that, and then you can get back the number of the matching formats. So for instance, here you can see jsmith was the top format. Let me just see if I can jiggle some stuff here. I might be able to get it going.
Well, so going through the different username formats, I actually sprayed this against all of the Fortune 1000 companies, and we can see overall what were the most prevalent username formats. We have John Smith as the top, followed by jsmith, etc. It's just kind of interesting to see. The one thing you have to realize, though, is that this is probably not really perfect. Obviously, there's more variation in John Smith username formats than there is in jsmith. So it's going to be a little bit skewed. John Smith is probably underrepresented in this survey here. One of the interesting things that I identified when I was doing this is that I had originally assumed that people would have one username format. That it would only be the single one. But that's not the case, right? Because you run out of username space eventually. If you're starting with jsmith, you have to do something when you get to that 2,000th user or so. You can do it a few ways. You can either go up in digits. You can add a format. You can switch over from jsmith to a different format, for instance, something like that. Or you truncate it. Those are the main areas that I saw organizations would move to as they were doing this. So I went through and I kind of did a catalog of that as well, looking at what combinations were used. You can see here that it's actually sorted also, limited by popularity on each level. So the third and fourth lines down, they're basically the same thing but flipped, right? So it's just kind of interesting to see the variations and how they fall out. So looking at Fortune 1000 companies, I just pulled these out specifically just so we'd be targeting large organizations and not picking on anybody really small. But just to show kind of what type of user enumeration is possible. And you'll notice here that a lot of these actually are over a hundred percent.
And the reason for that is, with OneDrive, the user's URL exists until you delete the user and then you empty your recycle bin. So if you have a long retention policy, that's going to keep them in there a long time. And/or if you have a high turnover, that would also super inflate your findings there. But at any rate, even for an attacker, that reduces it drastically. So it's still worthwhile. So in Azure, there are tenants, and then there are domains; your email address is associated with those tenants. There are some multi-tenant domains or organizations like Microsoft, where you can see they have their main Microsoft, but then they also have APC, Europe, etc. And this is just the breakdown of the users I found there. I got about 126K in Microsoft's main tenant on microsoft.com. You can see LinkedIn is in there. I had forgotten that they had acquired that. And then you can see actually there is a Microsoft APC or Microsoft Europe. Yeah, both are microsoft.com domains there. So you can see how they're actually split up. So if you're an attacker, you could actually target one of those specific geographic locations based on that tenant name.

So, got phase one done. Does anybody remember what phase two is? We're going to do some presence enumeration here. Stage two. So to do this, we're going to monitor Teams. Before we talk about that, I'm just going to give you a real brief timeline here about Teams, and prior to that Skype for Business, and prior to that Lync, and before that Office Communicator, I guess. But they're all really the same thing. They're just incarnations of it again. They label it new, but they all have the same problems. So here it started out with being called Open Federation, and that lets anybody from anywhere message people at your organization. That's back when it was Lync. I just want to point out here, in 2016, Karl Fosaaen spoke about PowerSkype and attacking federated Skype for Business at DerbyCon.
That was the first talk that I'm aware of where anybody discussed using presence enumeration, and he had a great tool for it there. They eventually did shut down the APIs that were on the back end, but it had a good run. And so this problem with presence enumeration is not new. I actually had a little side project here. I was going to release it, you know, how things happen. You don't end up getting around to releasing it. But I was trying to prove, you know, that this was a problem back then. And so I took a bunch of the CEOs from the biggest corporations in the world and I would, you know, monitor their online presence, so you could look at a website and see if they're online or not. You could message them directly because they have external access enabled. So that was just kind of a thing to prove out that this was an issue back then. So this is not a new thing at all. Right now it's called external access, and that's in Teams. And it's the default setting to have it enabled to let anybody speak with you. You can see it right there, and you might recognize it from Outlook if you ever see a green dot show up next to somebody's email and you have the Teams plugin installed. That's what that is. So again, it's not a bug. It's a feature.

So one day while I was playing with Graph Explorer, I noticed that there's a feature in there for presence lookups. So you can look up somebody's presence, and you're unauthenticated, you're on the outside, and somehow I was doing the presence lookup and I was like, wait, that's kind of weird, because you need to be licensed, you need to be logged in to do that. So I started playing with it in Burp, and it turns out there's a weird bearer token set. And if you're familiar with bearer tokens, that is not a normal bearer token. So I went digging around, and lo and behold, in the source code they have a bypass to make anonymous presence lookups. It's on GitHub even.
And so here you can actually see they're proxying the Graph request through graph.office.net. So with this, if you have the UUID, which is that last item there on the right, the long string of characters, if you have that for a user, you can check their presence via this lookup. So enter TeamFiltration. So this was released last year actually at DEF CON 30. And you can use it to enumerate Teams. Microsoft messed a little bit with the external access enumeration, but you can still do it if they have external access enabled. Prior to that, you could tell even if they didn't have external access enabled; you could still enumerate them via that. At any rate, what we're looking for are the GUIDs that they can look up for Teams, right? So we can now pull down a list of users' GUIDs, and using that previous trick, we can start looking up their presence without having to worry about any authentication. We're not using an actual account or anything. So you can do this purely anonymously. Now beware, there are limits on this, right? There are rate limits on this. And so keep that in mind. There will be a tool drop later. If you're looking for it right now, I'm sorry, it's not there. It will be later today. So keep your eye out for it. My Twitter handle will be out later. So check that.

Now, so what should we do with something like this, right? This is pretty cool, but what should we do? We should track a company. And who better than Microsoft, right? This is their feature. They have enabled it by default on everybody's. They have to know how it works. And if they don't, who can be expected to know how it works? So I don't really feel bad about doing this because it's their feature that I'm demonstrating. So I started doing some monitoring around April 28th. And I started graphing it out. And it's kind of neat, right? You can see their daily activity throughout the day, how many people are online. And it was great. I submitted to DEF CON. It's gonna be good.
And then a week later, this happened. I was so bummed out. I was like, okay, this will be way more complicated now. I'm gonna have to, you know, spin up an Azure tenant, blah, blah, blah. But I waited. And a month later, it came back. So I don't know what happened. But things are working again. And you can now do this. I'm actually not monitoring that anymore. So you guys are free to use this and not worry about the rate limits. Yeah, so here's something interesting that popped up one day. Any guesses on what this is? It's an all-hands meeting there for just a little bit, and you can actually see two of them, right? There's one for probably the Americas and probably one for overseas. You can actually see a Microsoft Build event there, where they announced that. And then the two days that they're actually out there and busy on those days. I just want to put this up here for a second while I take a drink of water. So you can also draw heat maps. You can find out what day people are active, how many available users are active on any given day. And you can actually see, I think, the Fourth of July this week being on a weekday, you know, I think that messed with people taking off. People were still checking their phones, you can see, on the holiday. They were more off on the weekend before. But yeah, it's kind of, on Fridays, of course, look on Fridays, summertime. So I took all their out-of-office messages; these are also all available through the presence lookup. So TeamFiltration will do this. Yeah, you could. So I've got all their out-of-office messages, and it's not very useful, but it's kind of neat. But so back to identities and emails being linked, right? So you can go on LinkedIn, right, and find members of the Microsoft security team. And then enumerate their email addresses and pull them up to make sure they're the right one, because Teams will tell you their display name.
So you can verify that that's actually who you're looking for and not just somebody else named J. Smith. So if an attacker were to do this, there are a few things that they might be interested in, right? Are they online right now? Who's on vacation? Who's out of office? Who should I call to talk to the person that's out of office? And then the other thing is, it doesn't even have to be an adversary. This could be, you know, some marketing person that wants to reach somebody when they're at their desk, just find out what their schedule is, and now I know that they're going to be there right now and I can email them. So the other thing is that even if the usernames were completely anonymous, right, you can still tell a lot about somebody based on their schedule. Like, when are their normal hours? Are they a night owl or are they up in the morning? What holidays are they taking off? Are they taking religious holidays, or are they taking holidays particular to one nation? Even if you use numeric usernames, you could still identify a lot about people by playing a game of 20 questions there, you know, figuring out this or that, this or that, and you can really narrow down who that could possibly be. So that was the end of that one.

Stage three is the really interesting part, guest enumeration. So just real quick, know that it is possible to enumerate guest users in Azure. So you should consider any guests that you have to be public information. Real quick, how it works, right: you invite somebody to your tenant in Azure. Beware. So, anything I'm going to show you here, these do not imply business relationships. Anybody can invite a guest user by default, even other guests. So if, you know, if you invite me to your tenant, I can then turn around and invite a random third party to your tenant, because that's a default setting there. And I don't know how many people actually go through and change that.
But I'm just telling you that's what it is by default. So there's a lot of ambiguity here about relationships if you're trying to infer them by looking at guest users at an organization. But on the other hand, if you see that there are maybe 30 or 100 guest users at an org, that might not be just a coincidence. So this is all out in plain sight too. So if you go log into the Azure portal and you go to a guest account and you pull it up, this is the user principal name you'll see. And it's not too hard to decipher what we need to change, you know, from the email address to get to that username. And because user enumeration isn't a vulnerability, it's a feature. So I have to say DrAzureAD is the first one to discover guest enumeration. I ran across this, and he actually found it four years ago. So this is not new at all, not new in the least. He didn't make a big deal about it. And it was kind of published midway down. And I also think that the other reason this hasn't received much attention yet is that this will not come up on a pen test. This is not in scope on a pen test, right? I can't try pivoting to another tenant there. So why would I even care if I can enumerate users there? But it's been possible this whole time. And so I'm rather certain that people are using this already. Why wouldn't they? You know, it's been out there. There are various ways of doing this. So why wouldn't people be doing this already? So keep that in mind while I show you these next ones.

So real quick though, I'll show you how it works, right? This is how simple it is. How simple. You can do it from a browser yourself if you know what the email address is. So on the left, that's an invalid one: `fakeuser_domain.com#EXT#@microsoft.onmicrosoft.com`. So that's Microsoft's tenant there, microsoft.onmicrosoft.com. You can see on the left side, I'm showing you some valid user. You get redirected to a sign-in page if it's a valid user.
So you can tell immediately; you don't even need to authenticate. You're simply entering that username there in that sign-in page. So, another tool drop that will be out. There's another method of doing this too that I identified, which is via Graph enumeration. So the same enumeration method that we use for other enumerations that are interactive. The same thing works there. There are a few differences though. Graph-based user enumeration is an authentication attempt against Graph. But you can't log in this way. So even if you have the valid password, it won't let you in. It won't tell you if it's a valid password or not. Nothing about it. It's not possible to log in via this avenue with that guest account. So it's not really a login attempt, but if you decide to use this method, just keep that in mind. In the tool, the password is set to a really long GUID, so there won't be any chance that somebody actually has that password. But you can't leave the field blank. So it has to be something; just be aware. It will show up in logs, and defenders, if you see this in your logs, where you see a failed logon for a guest #EXT# account, don't be alarmed. You can't get in that way, but do know that somebody's found out about that account.

Now, what can we do with this, right? If only we had a giant list of usernames from somewhere. Then we could do something interesting. We could try identifying some partnerships between companies. So I started by looking at, you know, going to Google, say, okay, so-and-so partners with blank. Who comes up? Let's look at that. So I took a few consultant companies and I got some hits back. Okay, this works for real. I can prove it out that it's actually an actionable attack in the real world. This is not just, you know, an idea. So this is what 30,000 guest connections between companies looks like. So these are a lot of big companies in America. Now, this one is color coded. I left Microsoft in there because, again, this is their feature.
But I'm going to show you here in just a slide or two. But we identified guest accounts among all these giant organizations, ones that maybe they don't want people knowing about, potentially, you know, right, because we don't know for sure if there's actually a business relationship there, but potentially there could be because of this guest relationship. Now, one more sip of water. Where was I? So let's look at Microsoft's guest relationships. I've taken out all the names. I'm sorry, it's not going to be that fun. But you can see the diversity of relationships there. Now, any of the blue ones are where Microsoft has guest access to. Any of the red ones are where that entity has guest access to Microsoft. Now, by default, you know, they might just have guest access and no actual group membership, et cetera, and no special privileges, but they are there. Any of the green that are interconnected are in between partners of Microsoft that also have a connection to Microsoft. So you can see between various entities there. And then the larger it is, the bigger, or the greater number of connections there are to that node. So that's what you're seeing here. Now, again, this is Microsoft's stance. This is pure user enumeration. Nothing about this is an attack. This is user enumeration. Pure. So, I want to focus on Microsoft, but to show the width of this and how it affects everybody, I'm just going to show you a few other large companies here. So for instance, here's Meta's. You can see we've got Tesla. Might be interesting. Again, I apologize, this is not more juicy, but. Here's a company, Palantir. I don't know if anybody's heard of that one. Remember that blue means that they have guest access to that tenant. So, looking at the most widespread companies, I'm just showing you a few of the top ones here that I found the most connections to organizations. And these are distinct hosts that they have connections to. You can see a bunch of consultancy companies there. Not too unusual.
But so, speaking again about users and identities and enumeration, with this type of information, we know the email address that's there, right? So we have their identity oftentimes. So, you can actually do some deeper digging and give it some more context with what years these guest relationships were active, because almost nobody cleans up guests. They almost always just leave them out there, and maybe they disable them or whatnot, but they almost always leave them there. So you can at least see when they were. The oldest one that I identified personally, that I verified, was like 2018. So that's a little ways to go. So, how does this matter, right, for attackers? If you're looking at these guest relationships, now all of a sudden, if you're trying to hit a hardened target, you might wanna say, hey, let's see what we can do around these peripherals. You know, can we compromise another tenant and see if we have any access? You know, it might be a fruitless effort, but it might be something. So I mean, this is providing a roadmap to allow attackers to identify their next steps. And this is pure user enumeration, right? Not a vulnerability. So, one of the last things I wanna say is that this is a US adversary's dream, right? You have nations that love to do data collection. Do you think that they're not doing something with this yet? Do you think that they're just letting this sit out there because it's not ethical to collect this? I mean, look at these different industries. All of America is tied up in this, right? State governments, federal, corporations, and if they don't take this seriously, they're not gonna fix this. They're gonna let this sit. And this isn't just like a short-term investment. This is a long-term investment. Names are durable, right? How many times do most people change their name in their life? A couple times, maybe a few, but most people don't change their names very often. So once you make these lists, they're valid for a long time, right?
They might switch organizations, but that person's name, you still have that. You can make permutations out of that and try those other places. So I mean, this isn't something that I think we should allow. Is this something that we want? You know, is this how we want to have our stuff run? I think that we should maybe recommend politely that they take this a little more seriously. I mean, so we've demonstrated that it's possible to get 24 million users out of Azure. We've demonstrated 100,000 users every 30 minutes. So twice a day, that's a huge number of requests. We're able to do that. We can monitor an entire company as big as Microsoft. We can select out users from there and monitor them exclusively if we wanted to, on an even finer rotation. Then we've shown that we can do guest enumeration, right, between different companies. This is all user enumeration. This isn't an exploit, at least not by Microsoft's stance. This is all just user enumeration. So I just want you to remember though, in closing, that I am just the messenger here. I'm just showing you what the logical conclusion of this is, right? I'm not anybody special. I'm just some dude; this is basically sysadmin 101, right? I made a SQL server. I stood up servers and I had them report back. I made a Python script. It's not hard stuff. And it only cost me about 5K, right? If you're a nation state or somebody who really wants to invest in this, you can do something much bigger than I did. This is just like a hobby that I did in my spare time to try to get Microsoft to fix this. And that is why I did this. I want Microsoft to fix this. I don't know how else to go about it. We've talked to Microsoft and they don't take it seriously as an issue. So at this point, I just wanted to share this with you. So at least we can all be on the same footing and know what's possible out there. So with that, some shout outs. DrAzureAD, Techromancer, Karl Fosaaen, he's awesome. RootSecDev, Flangvik.
And then everybody at TrustedSec, of course. These are some links to the different tools. The last two will be out later today. So just keep an eye on that. Follow me on Twitter. And thank you so much.
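The talk notes that the Graph-based guest check shows up in a tenant's sign-in logs as failed logons for guest (`#EXT#`) accounts, and that a defender who sees those should know the account has been discovered. The following is an added detection example written for this page; it is not the speaker's tool or any Microsoft code. It assumes a simplified record shape modelled on Entra ID sign-in log fields (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`, `userType`), uses constructed sample records with reserved documentation IP ranges, and the window and threshold values are assumptions to be tuned per tenant. It decodes the guest UPN form shown in the talk (`user_domain.com#EXT#@tenant.onmicrosoft.com`) back to the external address, then flags a source address that fails against many distinct guest accounts in a short window, which is the pattern an enumeration sweep leaves behind and a single mistyped password does not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, ip, upn, user_type="Guest", code=50126):
    """Build one simplified sign-in record (constructed test data)."""
    return {"createdDateTime": ts, "ipAddress": ip, "userPrincipalName": upn,
            "userType": user_type, "status": {"errorCode": code}}


# Constructed sample records, not real log data. 203.0.113.7 probes six
# different guest accounts within a few minutes; the other addresses show
# ordinary single failures that should not trigger an alert.
SAMPLE_SIGNINS = [
    _rec("2023-07-05T14:00:01Z", "203.0.113.7", "alice_partner-a.example#EXT#@contoso.onmicrosoft.com"),
    _rec("2023-07-05T14:00:09Z", "203.0.113.7", "bob_partner-a.example#EXT#@contoso.onmicrosoft.com"),
    _rec("2023-07-05T14:00:40Z", "203.0.113.7", "jane_doe_partner-b.example#EXT#@contoso.onmicrosoft.com"),
    _rec("2023-07-05T14:01:15Z", "203.0.113.7", "carol_partner-c.example#EXT#@contoso.onmicrosoft.com"),
    _rec("2023-07-05T14:02:02Z", "203.0.113.7", "dave_partner-c.example#EXT#@contoso.onmicrosoft.com"),
    _rec("2023-07-05T14:03:30Z", "203.0.113.7", "erin_partner-b.example#EXT#@contoso.onmicrosoft.com"),
    # successful guest sign-in from the same address: not a failure, ignored
    _rec("2023-07-05T14:04:00Z", "203.0.113.7", "frank_partner-a.example#EXT#@contoso.onmicrosoft.com", code=0),
    # one guest failure from a different address: below threshold
    _rec("2023-07-05T09:12:44Z", "192.0.2.9", "alice_partner-a.example#EXT#@contoso.onmicrosoft.com"),
    # a member (non-guest) failure: not a guest UPN, ignored by this detector
    _rec("2023-07-05T11:30:00Z", "198.51.100.4", "gina@contoso.com", user_type="Member"),
]

# Greedy local part so the LAST underscore separates user from domain
# (external local parts may themselves contain underscores).
GUEST_UPN_RE = re.compile(r"^(?P<local>.+)_(?P<domain>[^_#]+)#EXT#@(?P<tenant>.+)$", re.IGNORECASE)


def decode_guest_upn(upn):
    """Map 'user_domain.com#EXT#@tenant.onmicrosoft.com' back to 'user@domain.com'.

    Returns None when the UPN is not in the guest form.
    """
    m = GUEST_UPN_RE.match(upn)
    if not m:
        return None
    return f"{m['local']}@{m['domain']}"


def parse_ts(ts):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_guest_sweeps(records, window=timedelta(minutes=10), min_accounts=5):
    """Flag source addresses that fail against many distinct guest accounts in one window.

    Only failed sign-ins (errorCode != 0) against guest UPNs are considered.
    Thresholds are assumptions; tune them to the tenant's normal guest traffic.
    """
    failures_by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == 0:
            continue  # successful sign-in, not part of a sweep signature
        guest = decode_guest_upn(r["userPrincipalName"])
        if guest is None:
            continue  # member account, out of scope for this detector
        failures_by_ip[r["ipAddress"]].append((parse_ts(r["createdDateTime"]), guest))

    alerts = []
    for ip, events in failures_by_ip.items():
        events.sort()
        best, best_span = set(), None
        # Slide a window starting at each event and keep the densest one.
        for i, (t0, _) in enumerate(events):
            in_window = [(t, g) for t, g in events[i:] if t - t0 <= window]
            distinct = {g for _, g in in_window}
            if len(distinct) > len(best):
                best, best_span = distinct, (t0, in_window[-1][0])
        if len(best) >= min_accounts:
            alerts.append({
                "ip": ip,
                "accounts": sorted(best),
                "external_domains": sorted({g.split("@", 1)[1] for g in best}),
                "first_seen": best_span[0],
                "last_seen": best_span[1],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_guest_sweeps(SAMPLE_SIGNINS):
        print(f"{a['ip']}: {len(a['accounts'])} guest accounts probed "
              f"between {a['first_seen']} and {a['last_seen']}; "
              f"external domains {a['external_domains']}")
```

The `external_domains` field is the useful part for triage: it tells the defender which partner organisations' guests were being checked, which is the relationship information the talk shows an outsider can infer. Feeding real exports into this would mean mapping the tenant's actual log schema onto the simplified record shape assumed here.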