Achieving Passive User Enumeration with OneDrive
This post was written by @nyxgeek
Microsoft recently fixed a beloved user enumeration vulnerability in Office 365 that I routinely used to gain valid credentials for the last couple of years (https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/).
Microsoft still hasn't changed its official stance on user-enumeration-as-a-bug (they say it's NOT a problem), and the company opted to fix this latest example quietly without any announcement. One day in mid-November 2019, the user-enumeration "feature" just stopped working.
There are some other options for doing user enumeration via Office 365, but in my experience, these have proven unreliable. While they may work at first, after repeated attempts, false positives show up.
What I describe below is a simple, largely passive method of performing user enumeration via OneDrive. There is a caveat—the user must have logged into OneDrive. While this may lead to some loss of coverage, there should be no false positives. Until a better method comes along, this is a solid method to validate usernames.
Overview:
While using Office 365, I noticed that the OneDrive feature used a subdomain based off the Office 365 Tenant name, and a URL path that is distinct and predictable.
For example, let's examine the OneDrive URL for a user with the email address of [email protected]
https://acmecomputercompany-my.sharepoint.com/personal/lightmand_acmecomputercompany_com/_layouts/15/onedrive.aspx
Breaking this down, we can see that it is made with the following variables. Note that any periods in the username or domain are replaced with underscores (_).
https:// + <strong>TENANT NAME</strong> + -my.sharepoint.com/personal/+ <strong>USERNAME</strong> + <strong>DOMAIN</strong> + /_layouts/15/onedrive.aspx
Using a simple Python script, or even a Bash script, it's trivial to test for valid paths. If the user exists, it will return a 403 response code. If the user does not exist OR if they have never logged into OneDrive, then it will return a 404.
I have posted a script called onedrive_user_enum.py on
GitHub, available here:
https://github.com/nyxgeek/onedrive_user_enum
Usage:
Usage is as follows:
python onedrive_enum.py -d acmecomputercompany.com -U user_list.txt
If the domain name and Tenant ID are different, you can specify the tenant ID via the "-t" flag. Usernames should be sans domain, with only the first portion of the email address.
Below is an example of the output of the tool:
Obviously, the results will vary depending on how many users at the organization have accessed OneDrive. However, it is a reliable method of user enumeration, and should keep you off of the radar of defenders.