Microsoft Azure Subdomain Scanner / Enumerator

`*Background:*  
  
Microsoft makes use of a number of different domains and subdomains for  
each of their Azure services. From SQL databases to SharePoint drives, each  
service maps to its respective domain/subdomain, and with the proper  
toolset, these can be identified through DNS enumeration to yield  
information about the target domain's infrastructure.  
enum_azuresubdomains.rb is a Metasploit module for enumerating public Azure  
services by validating legitimate subdomains through various DNS record  
queries. This cloud reconnaissance module rapidly identifies API services,  
storage accounts, key vaults, databases, and more! Expedite your cloud  
reconnaissance phases with enum_azuresubdomains.rb.  
  
*Code:*  
  
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::DNS::Enumeration  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Azure Subdomain Scanner and Enumerator',  
'Description' => 'This module can be used for enumerating public  
Azure services by locating valid subdomains through various DNS queries.',  
'Author' => ['RoseSecurity <RoseSecurityConsulting[at]protonmail.me  
>'],  
'References' => ['  
www.netspi.com/blog/technical/cloud-penetration-testing/enumerating-azure-services'  
],  
'License' => MSF_LICENSE  
)  
)  
register_options(  
[  
OptString.new('DOMAIN', [true, 'The target domain without TLD (Ex:  
victim rather than victim.org)']),  
OptBool.new('PERMUTATIONS',  
[false,  
'Prepend and append permutated keywords to domain',  
false]),  
OptBool.new('ENUM_A', [true, 'Enumerate DNS A record', true]),  
OptBool.new('ENUM_CNAME', [true, 'Enumerate DNS CNAME record',  
true]),  
OptBool.new('ENUM_MX', [true, 'Enumerate DNS MX record', true]),  
OptBool.new('ENUM_NS', [true, 'Enumerate DNS NS record', true]),  
OptBool.new('ENUM_SOA', [true, 'Enumerate DNS SOA record', true]),  
OptBool.new('ENUM_TXT', [true, 'Enumerate DNS TXT record', true])  
]  
)  
end  
  
def dns_enum(target_domains)  
target_domains.each do |domain|  
next unless dns_get_a(domain)  
  
print_good("Discovered Target Domain: #{domain} \n")  
dns_get_a(domain) if datastore['ENUM_A']  
dns_get_cname(domain) if datastore['ENUM_CNAME']  
dns_get_ns(domain) if datastore['ENUM_NS']  
dns_get_mx(domain) if datastore['ENUM_MX']  
dns_get_soa(domain) if datastore['ENUM_SOA']  
dns_get_txt(domain) if datastore['ENUM_TXT']  
end  
end  
  
def run  
# Array of subdomains to enumerate  
domain = datastore['DOMAIN']  
subdomains = [  
'.onmicrosoft.com',  
'.scm.azurewebsites.net',  
'.azurewebsites.net',  
'.p.azurewebsites.net',  
'.cloudapp.net',  
'.file.core.windows.net',  
'.blob.core.windows.net',  
'.queue.core.windows.net',  
'.table.core.windows.net',  
'.mail.protection.outlook.com',  
'.sharepoint.com',  
'.redis.cache.windows.net',  
'.documents.azure.com',  
'.database.windows.net',  
'.vault.azure.net',  
'.azureedge.net',  
'.search.windows.net',  
'.azure-api.net',  
'.azurecr.io'  
]  
  
# Array of keywords to prepend and append  
permutations = %w[  
root  
web  
api  
azure  
azure-logs  
data  
database  
data-private  
data-public  
dev  
development  
demo  
files  
filestorage  
internal  
keys  
logs  
private  
prod  
production  
public  
service  
services  
splunk  
sql  
staging  
storage  
storageaccount  
test  
useast  
useast2  
centralus  
northcentralus  
westcentralus  
westus  
westus2  
]  
  
# Create permutated array of keywords and target domain  
if datastore['PERMUTATIONS']  
permutated_domains = []  
permutations.each do |keywords|  
permutated_domains.append("#{domain}-#{keywords}")  
permutated_domains.append("#{keywords}-#{domain}")  
end  
# Permutated and Normal list of subdomains  
target_domains = []  
subdomains.each do |tld|  
target_domains.append(domain + tld)  
permutated_domains.each do |_subdomain|  
target_domains.append(domain + tld)  
end  
end  
# Query DNS records of permutated and normal target subdomains  
else  
# Query DNS records of normal target subdomains  
target_domains = []  
subdomains.each do |tld|  
target_domains.append(domain + tld)  
end  
end  
dns_enum(target_domains)  
end  
end  
`