Home
If you haven't read it yet, please check out this blog post:
https://www.trustedsec.com/blog/onedrive-to-enum-them-all/
- Users must have a license to be enumerated.
- Periods are translated to underscores ('.' -> '_') in the OneDrive personal-site path, and by default all underscores in a hit are converted back to periods. This may result in john.smith being reported when the real username is john_smith. When in doubt, verify the email address format from public sources, or try both:

  ```bash
  cat usernames_john.smith.txt | tr '.' '_' > usernames_john_smith.txt
  ```

- This will only enumerate the UPN, not any aliases etc.
- Grab a copy of statistically-likely-usernames
https://github.com/insidetrust/statistically-likely-usernames
This is still a good starting point, especially the top-formats.txt, for identifying which formats are in use.
- Run the generate_usernames_f17.sh shell script, using USERNAMES/firstnames.1990.txt and USERNAMES/lastnames.1990.txt (from 1990 US Census data). These word lists are much more comprehensive (and take a lot longer to run).
You'll see a big warning message on your screen, and after a 10 second countdown, it will begin.
** THIS WILL TAKE A LONG TIME TO RUN AND CAN USE UP SOME DISK SPACE - < 10GB **
```console
nyxgeek:onedrive_user_enum $ ./generate_usernames_f17.sh USERNAMES/firstnames.1990.txt USERNAMES/lastnames.1990.txt

******************************************************************************************
HEY! THIS IS GOING TO TAKE A LONG LONG TIME, AND WILL TAKE UP LIKE 10GB of DISK SPACE!!!
******************************************************************************************
******************************************************************************************
HEY! THIS IS GOING TO TAKE A LONG LONG TIME, AND WILL TAKE UP LIKE 10GB of DISK SPACE!!!
******************************************************************************************
******************************************************************************************
HEY! THIS IS GOING TO TAKE A LONG LONG TIME, AND WILL TAKE UP LIKE 10GB of DISK SPACE!!!
******************************************************************************************

(you still have time to CTRL-C for about 10 seconds)

Starting username generation...
Generating jsmith

real    22m11.420s
user    3m13.487s
sys     6m32.887s

Generating j.smith
...
```
And so on. You can see that on my M1 MacBook it took 22 minutes just to make the jsmith wordlist. Grab a coffee or three and come back later.
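The format-generation step above, as an added example that is not the repo's generate_usernames_f17.sh: it builds one candidate list per username format from first/last name lists, de-duplicates (jsmith and Jane Smith both collapse to jsmith), and carries the period/underscore caveat from the notes by emitting both separator variants. The two-name sample lists and the format names are constructed here; the real run uses the USERNAMES/*.1990.txt files.

```python
"""Build per-format username candidate lists from first/last name lists.

Added example for the onedrive_user_enum wiki; not the project's own script.
FIRST/LAST are constructed sample input standing in for
USERNAMES/firstnames.1990.txt and USERNAMES/lastnames.1990.txt.
"""
import os

FIRST = ["John", "Jane"]
LAST = ["Smith", "Doe"]

# Format keys follow the statistically-likely-usernames naming
# (jsmith, j.smith, smithj, john.smith, ...). Each builder gets (first, last).
FORMATS = {
    "jsmith": lambda f, l: f[0] + l,
    "j.smith": lambda f, l: f"{f[0]}.{l}",
    "j_smith": lambda f, l: f"{f[0]}_{l}",
    "smithj": lambda f, l: l + f[0],
    "john.smith": lambda f, l: f"{f}.{l}",
    "john_smith": lambda f, l: f"{f}_{l}",
    "johnsmith": lambda f, l: f + l,
    "smith.john": lambda f, l: f"{l}.{f}",
}


def generate(fmt, firsts, lasts):
    """Lowercase, de-duplicated candidates for one format, in generation order."""
    make = FORMATS[fmt]
    seen, out = set(), []
    for f in firsts:
        for l in lasts:
            u = make(f.strip().lower(), l.strip().lower())
            if u and u not in seen:
                seen.add(u)
                out.append(u)
    return out


def build_all(firsts, lasts, formats=None):
    """One list per format, ready to be written as usernames_<fmt>.txt."""
    return {fmt: generate(fmt, firsts, lasts) for fmt in (formats or FORMATS)}


def both_separators(users):
    """The 'try both' advice: for every name containing '.' or '_', also emit
    the other separator, because the OneDrive path cannot tell them apart."""
    seen, out = set(), []
    for u in users:
        for v in (u, u.replace(".", "_"), u.replace("_", ".")):
            if v not in seen:
                seen.add(v)
                out.append(v)
    return out


def write_lists(outdir, lists):
    """Write usernames_<fmt>.txt files the enumerator can consume."""
    os.makedirs(outdir, exist_ok=True)
    for fmt, users in lists.items():
        with open(os.path.join(outdir, f"usernames_{fmt}.txt"), "w") as fh:
            fh.write("\n".join(users) + "\n")


if __name__ == "__main__":
    lists = build_all(FIRST, LAST)
    for fmt, users in lists.items():
        print(f"{fmt:11} -> {users}")
    print(both_separators(lists["john.smith"]))
```

The census lists make this a cross product of roughly thousands by tens of thousands of names per format, which is why the real script takes as long as the transcript shows; the de-duplication matters most for the initial-based formats, where many names collapse onto the same string.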
Let's assume we are going to enumerate users at acmecomputercompany.com. To begin, we let the auto-lookup do its work and supply only a DOMAIN NAME, running with the tool's default general wordlist so that we can identify which username format is in use:
```console
$ ./onedrive_enum.py -T 150 -d acmecomputercompany.com

[ASCII-art banner omitted]
                                                  +-------------------------------------------------+
                                                  | OneDrive Enumerator                             |
                                                  | 2023 @nyxgeek - TrustedSec                      |
                                                  | version 2.00                                    |
                                                  | https://github.com/nyxgeek/onedrive_user_enum   |
                                                  +-------------------------------------------------+

Tenants Identified:
---------------------
acmecomputercompany

OneDrive hosts found:
---------------------
acmecomputercompany-my.sharepoint.com

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Beginning enumeration of https://acmecomputercompany-my.sharepoint.com/personal/USER_acmecomputercompany_com/
--------------------------------------------------------------------------------------------------------
[-] [401] VALID USERNAME FOR acmecomputercompany,acmecomputercompany.com - wayneb, username:wayneb@acmecomputercompany.com
[-] [401] VALID USERNAME FOR acmecomputercompany,acmecomputercompany.com - parkerp, username:parkerp@acmecomputercompany.com
28407 / 961735 tested, 2 valid, 0 errors
```
After running for a while we detect two accounts, both in smithj (last name plus first initial) format. At this point we kill the first run with CTRL-C and switch to a dedicated smithj wordlist for the rest of the engagement.
... More to come ...
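What the run above is doing under the hood, as an added example (not onedrive_enum.py itself): build the personal-site URL the tool reports ("Beginning enumeration of https://acmecomputercompany-my.sharepoint.com/personal/USER_acmecomputercompany_com/"), classify the status code (the page shows 401 reported as VALID USERNAME), and probe a candidate list. It goes beyond the single-tenant run shown by sweeping every tenant x domain pair, which is what you need when more than one tenant is identified. Mapping 404 to "invalid" and anything else to "unknown" is this example's assumption, and fake_fetch is a constructed stand-in for the SharePoint host so the code runs offline.

```python
"""Build the OneDrive personal-site URL the enumerator probes, classify the
response, and sweep candidates across tenant/domain pairs.

Added example for the onedrive_user_enum wiki; not the project's code.
Assumptions: 404 means no personal site (invalid user); every status other
than 401/404 is left undecided. fake_fetch is a constructed offline responder.
"""
from collections import namedtuple
from itertools import product
import re

Hit = namedtuple("Hit", "tenant domain username upn url verdict")


def personal_path(upn):
    """'wayneb@acmecomputercompany.com' -> 'wayneb_acmecomputercompany_com'.

    Every '.' and '@' collapses to '_', which is why a hit on john_smith
    cannot be told apart from john.smith (see the notes above)."""
    return re.sub(r"[.@]", "_", upn.strip().lower())


def personal_url(tenant, upn):
    """The path shown in the run above, with USER_<domain> filled in."""
    return f"https://{tenant}-my.sharepoint.com/personal/{personal_path(upn)}/"


def classify(status):
    """401: the personal site exists, so the UPN is valid (as the tool reports).
    404: no such site (assumed). Anything else, e.g. throttling, stays undecided
    and should be re-tested rather than counted either way."""
    if status == 401:
        return "valid"
    if status == 404:
        return "invalid"
    return "unknown"


def sweep(tenants, domains, candidates, fetch):
    """Probe every candidate against every tenant x domain combination.
    fetch(url) must return the HTTP status code of a GET for url."""
    hits = []
    for tenant, domain in product(tenants, domains):
        for name in candidates:
            upn = f"{name}@{domain}"
            url = personal_url(tenant, upn)
            hits.append(Hit(tenant, domain, name, upn, url, classify(fetch(url))))
    return hits


def valid_upns(hits):
    return [h.upn for h in hits if h.verdict == "valid"]


# Constructed offline responder: the two users found in the run above answer
# 401, every other personal site answers 404.
KNOWN_SITES = {
    personal_url("acmecomputercompany", "wayneb@acmecomputercompany.com"),
    personal_url("acmecomputercompany", "parkerp@acmecomputercompany.com"),
}


def fake_fetch(url):
    return 401 if url in KNOWN_SITES else 404


if __name__ == "__main__":
    hits = sweep(["acmecomputercompany"], ["acmecomputercompany.com"],
                 ["wayneb", "parkerp", "smithj"], fake_fetch)
    for h in hits:
        print(f"[{h.verdict}] {h.tenant},{h.domain} - {h.username} -> {h.url}")
    print(valid_upns(hits))
```

Against a live tenant the fetch callable would be something like `lambda u: requests.get(u, allow_redirects=False).status_code` with a thread pool sized like the tool's -T option; keep the "unknown" bucket separate so a burst of throttling does not silently become a list of "invalid" users.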
- Are you multi-tenant? If so, iterate through all combinations of tenants and domains. Often, when there are multiple tenants, you will find users in each of them. If the tenants are split by geographic region (acmecomputersEurope, acmecomputersAsia, etc.), try both the primary domain(s) and any country-suffix domains associated with those regions. YOU CAN FIND THE SAME DOMAIN ENDING IN MULTIPLE TENANTS. Example:

  AcmeComputersEurope,[email protected]
  AcmeComputersAsia,[email protected]

  Be sure to check all tenants for users.
- Have you tried all the domains? Do some googling for the organization's email address format. Often enough it will differ from their main web domain. This is especially true for long domain names.
- Maybe the users aren't being assigned to a custom domain, and are instead set up with their onmicrosoft.com domain. Instead of passing the custom domain to -d, use their onmicrosoft domain. This will be tenant.onmicrosoft.com. There may be more than one of these (rare). The username format would look like 'user@tenant.onmicrosoft.com'.
- Odd username formats -- numeric IDs, especially with prefixes, can be hard to find initially. Example: ZY123456. Try finding PDF or DOCX metadata on Google, and look for screenshots and hints in documentation online. For an initial survey of a numeric range, I recommend using seq and shuf to take a random sub-sample rather than walking the whole range:

  ```bash
  seq 100000 999999 | shuf | head -n 150000 > seq_100k_999k_shuf150k.txt
  ```
- Users just aren't there. Sometimes orgs don't sync all their users. Sometimes their Azure environment is standalone from on-prem. Try other enumeration methods -- Graph or Teams are great.
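The numeric-ID survey from the bullets above, as an added example (not part of onedrive_user_enum): take one real ID recovered from document metadata (the page's ZY123456), infer the prefix and digit width, and draw a seeded random sub-sample of the whole range. The seeded sample replaces the seq | shuf | head pipeline so that a later, larger pass can be reproduced and de-duplicated against the first. Prefix handling and the leading-zero option are this example's additions; the example IDs are constructed.

```python
"""Candidate generation for numeric / prefixed employee-ID usernames.

Added example for the onedrive_user_enum wiki; not the project's code.
Assumes IDs look like <letters><digits> (e.g. ZY123456). Sample IDs are constructed.
"""
import random
import re


def infer_pattern(example):
    """'ZY123456' -> ('ZY', 6); '123456' -> ('', 6); anything else -> None."""
    m = re.fullmatch(r"([A-Za-z]*)(\d+)", example.strip())
    if not m:
        return None
    return m.group(1).upper(), len(m.group(2))


def full_range(width):
    """Same bounds as 'seq 100000 999999' for width 6 (no leading zeros)."""
    return 10 ** (width - 1), 10 ** width - 1


def sample_ids(prefix, width, count, seed=0, lo=None, hi=None):
    """Return `count` distinct candidates such as ZY483920, in random order.

    Pass lo=0 to include zero-padded IDs (ZY000017). The seed makes the
    sub-sample reproducible so a follow-up pass can skip what was tested."""
    if lo is None or hi is None:
        lo, hi = full_range(width)
    population = hi - lo + 1
    if count > population:
        raise ValueError(f"asked for {count} ids but only {population} exist")
    rng = random.Random(seed)
    return [f"{prefix}{n:0{width}d}" for n in rng.sample(range(lo, hi + 1), count)]


def candidates_from_example(example, count, seed=0):
    """Whole flow: one observed ID -> a sample wordlist for an initial survey."""
    pat = infer_pattern(example)
    if pat is None:
        raise ValueError(f"{example!r} does not look like a numeric id")
    prefix, width = pat
    return sample_ids(prefix, width, count, seed)


if __name__ == "__main__":
    # Write the list to stdout so it can be redirected into a -U wordlist file.
    for candidate in candidates_from_example("ZY123456", 150000):
        print(candidate)
```

If the initial survey gets hits, note the numeric spread of the valid IDs before committing to the full 900k range: employee numbers are usually issued sequentially, so the hits will cluster and the remaining range can be narrowed with lo/hi instead of being walked end to end.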