Presented at
DEF CON 31 (2023),
Aug. 11, 2023, 5:30 p.m.
(20 minutes).
Microsoft Azure is rife with user information disclosures. We are going to look at weaponizing these disclosures by performing data collection at a large scale against OneDrive, Teams, and Graph.
OneDrive and Teams present silent enumeration methods, requiring no logon attempts and creating no logs. This enables enumeration at a massive scale against the biggest corporations, educational institutes, and government entities in the world. Over the last 1.5 years I have enumerated over 20m users. We will explore the techniques used and the data that was collected, including Azure adoption rates and analysis of username formats.
Microsoft Teams suffers from information disclosure due to default settings allowing users to see the online presence of others. An undocumented, unauthenticated Microsoft Teams Presence lookup trick will be shared, which enables easy unauthenticated enumeration of the online Teams Presence of users at many organizations. To demonstrate this we will monitor approximately 100,000 Microsoft employees' online presence and any out-of-office messages that are stored.
Finally, Azure supports Guest users, allowing two companies to collaborate on a project. I will unveil a method of identifying Azure Guest users at other tenants. In this way, hidden corporate relationships can be revealed.
Related exploits identified include:
Microsoft Lync Time-Based User Enum (no CVE - 2016)
Microsoft Skype for Business 2016 XSS Injection - CVE-2017-8550
Microsoft Lync 2011 for Mac HTML Injection - CVE-2018-8474
Related Tools:
onedrive_user_enum
o365recon
lyncsmash
REFERENCES:
https://github.com/nyxgeek/onedrive_user_enum
https://github.com/Flangvik/TeamFiltration/
Presenters:
nyxgeek - Hacker at TrustedSec
nyxgeek is a hacker at TrustedSec. Interests include: user enumeration, password spraying, password cracking. Team Trontastic on the CMIYC leaderboard.