onedrive_user_enum v2.00
enumerate valid onedrive users
For a full rundown of the enumeration technique and OneDrive enum, check out the blog here:
https://www.trustedsec.com/blog/onedrive-to-enum-them-all/
Now featuring:
- Local Database (sqlite3)
- Auto-lookup of tenants (thanks @DrAzureAD and @thetechr0mancer)
- Read in file OR folder of files
- Append -- easily create 'jsmith1' 'jsmith2' sprays
- Skip-Tried (de-dupe) -- remove previously tried usernames
- Kill-After -- cancel a userlist if no usernames identified within 'x' attempts
OneDrive Enumeration overview:
OneDrive users have a personal file-share URL at a known location, of the form https://TENANT-my.sharepoint.com/personal/USER_DOMAIN_COM/ (the example run below shows this for microsoft.com). In this instance, the username is 'lightmand' and the domain is 'acmecomputercompany.com', so the path is /personal/lightmand_acmecomputercompany_com/ under the tenant's -my.sharepoint.com host. If the user has signed in to OneDrive, this path exists and returns a 403 status code. If they have not, or the username is invalid, it returns a 404.
Results vary with how widely OneDrive is used within an org. Currently it is the most reliable user-enumeration method I'm aware of (office365userenum no longer works, and others such as UhOh365 are unreliable). Further, it does not attempt a login, so it is far more passive and should be undetectable to the target org: Microsoft will see the hits, but the target org won't.
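As an added example (not code from onedrive_user_enum or the TrustedSec blog), the following Python shows how the personal-site URL is derived from tenant, username and domain, and how the 403/404 responses described above are interpreted, so an administrator can confirm for an account in their own tenant whether this path is exposed and can see why the check never touches the org's own logs (the request goes to Microsoft's SharePoint Online endpoint). The page only shows the USER_microsoft_com form; the rule that dots inside the username are also replaced by underscores, the `probe_status` and `exposed_accounts` helpers, and the sample status map are assumptions of this example.

```python
"""Derive OneDrive personal-site URLs and interpret the 403/404 responses.

Added example for the enumeration overview above; not code from the
onedrive_user_enum project. Assumptions are marked in comments.
"""
import re
import urllib.error
import urllib.request


def personal_site_url(tenant: str, username: str, domain: str,
                      host: str = "sharepoint.com") -> str:
    """Return the personal-site URL for username@domain in the given tenant.

    The README's example run shows /personal/USER_microsoft_com/ for
    USER@microsoft.com, i.e. the UPN with '@' and '.' replaced by '_'.
    Assumption of this example: the same replacement applies to dots inside
    the username (john.smith -> john_smith). `host` defaults to the
    commercial cloud; other Azure environments use a different host.
    """
    upn = f"{username}@{domain}"
    segment = re.sub(r"[@.]", "_", upn)
    return f"https://{tenant}-my.{host}/personal/{segment}/"


def interpret_status(status: int) -> str:
    """Map the status code of a probe to what the README says it means."""
    if status == 403:
        return "valid user who has signed in to OneDrive (personal site exists)"
    if status == 404:
        return "no personal site: invalid user, or valid but never signed in"
    # Anything else (throttling, redirect, outage) says nothing about the user.
    return f"unexpected status {status}: draw no conclusion"


def probe_status(url: str, timeout: float = 10.0) -> int:
    """Send a single unauthenticated GET and return the HTTP status code.

    urllib raises HTTPError for 4xx responses, so the 403/404 the README
    relies on come back from the except branch. The request is answered by
    Microsoft's SharePoint Online endpoint, not by anything the target org
    operates, which is why the org's own logs do not record it.
    """
    req = urllib.request.Request(url)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def exposed_accounts(observed: dict) -> list:
    """Given {username: status} as returned by probe_status, return the
    usernames whose personal site exists (403), sorted for stable reporting."""
    return sorted(user for user, status in observed.items() if status == 403)


if __name__ == "__main__":
    # Constructed sample: statuses an admin might have recorded for three
    # accounts in their own tenant. No network request is made here.
    sample = {"user1": 403, "user2": 404, "user3": 403}
    for user, status in sample.items():
        url = personal_site_url("microsoft", user, "microsoft.com")
        print(f"[{status}] {url} -> {interpret_status(status)}")
    print("exposed:", exposed_accounts(sample))
```

To check one account you administer, call `probe_status(personal_site_url(tenant, user, domain))` and feed the result to `interpret_status`; a 404 is deliberately reported as ambiguous, because the README notes that valid users who have never signed in to OneDrive return it too.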
usage:
```
# ./onedrive_enum.py -h
*********************************************************************************************************
 [block-character logo not reproduced]                       +-----------------------------------------------+
                                                             | OneDrive Enumerator                           |
                                                             | 2023 @nyxgeek - TrustedSec                    |
                                                             | version 2.00                                  |
                                                             | https://github.com/nyxgeek/onedrive_user_enum |
                                                             +-----------------------------------------------+
*********************************************************************************************************

usage: onedrive_enum.py [-h] -d [-t] [-u] [-a] [-U] [-p] [-o] [-T] [-e] [-r] [-x] [-n] [-k] [-v]

options:
  -h, --help          show this help message and exit
  -d , --domain       target domain name (required)
  -t , --tenant       tenant name
  -u , --username     user to target
  -a , --append       mutator: append a number, character, or string to a username
  -U , --userfile     file containing usernames (wordlists) -- will also take a directory
  -p , --playlist     file containing list of paths to user lists (wordlists) to try
  -o , --output       file to write output to (default: output.log)
  -T , --threads      total number of threads (default: 100)
  -e , --environment  Azure environment to target [commercial (default), chinese, gov]
  -r, --rerun         force re-run of previously tested tenant/domain/wordlist combination
  -x, --skip-tried    dedupe. skip any usernames from previous runs
  -n, --no-db         disable logging to db
  -k , --killafter    kill off non-productive jobs after x tries with no success
  -v, --verbose       enable verbose output
```
example:
```
# ./onedrive_enum.py -t microsoft -d microsoft.com -U USERNAMES/statistically-likely/jsmith.txt
*********************************************************************************************************
 [banner as in the usage output above]
*********************************************************************************************************
Beginning enumeration of https://microsoft-my.sharepoint.com/personal/USER_microsoft_com/
--------------------------------------------------------------------------------------------------------
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user1, username:user1@microsoft.com
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user2, username:user2@microsoft.com
[-] [403] VALID USERNAME FOR microsoft,microsoft.com - user3, username:user3@microsoft.com
```
Note: users that are valid but have not yet signed in to OneDrive will also return a 404 Not Found, so a 404 on its own does not prove that a username is invalid.
sHoUtOuTz aNd GrEeTz
Thanks to @DrAzureAD, @thetechr0mancer, @rootsecdev, @HackingLZ