feat: add azure subdomain enumeration

Author: RoseSecurity

Guides/Enum_AzureSubdomains/README.md

@@ -0,0 +1,73 @@
+# :cloud: Enum_AzureSubdomains: Anonymously Enumerating Azure Services
+
+<p align="center">
+  <img alt="AzureDoggo" src="https://user-images.githubusercontent.com/72598486/216847358-a72ce9e8-7d25-4b27-b386-f21d339580fa.png">
+</p>
+
+Microsoft makes use of a number of different domains and subdomains for each of their Azure services. From SQL databases to SharePoint drives, each service maps to its respective domain/subdomain, and with the proper toolset, these can be identified through DNS enumeration to yield information about the target domain's infrastructure. ```enum_azuresubdomains.rb``` is a Metasploit module for enumerating public Azure services by validating legitimate subdomains through various DNS record queries. This cloud reconnaissance module rapidly identifies API services, storage accounts, key vaults, databases, and more! Expedite your cloud reconnaissance phases with ```enum_azuresubdomains.rb```.
+
+## Domains and Associated Services:
+
+| Domain | Associated Service |
+| --- | --- |
+| azurewebsites.net | App Services |
+| scm.azurewebsites.net | App Services - Management |
+| p.azurewebsites.net | App Services |
+| cloudapp.net | App Services |
+| file.core.windows.net | Storage Accounts-Files |
+| blob.core.windows.net | Storage Accounts-Blobs |
+| queue.core.windows.net | Storage Accounts-Queues |
+| table.core.windows.net | Storage Accounts-Tables |
+| redis.cache.windows.net | Databases-Redis |
+| documents.azure.com | Databases-Cosmos DB |
+| database.windows.net | Databases-MSSQL |
+| vault.azure.net | Key Vaults |
+| onmicrosoft.com | Microsoft Hosted Domain |
+| mail.protection.outlook.com | Email |
+| sharepoint.com | SharePoint |
+| azureedge.net | CDN |
+| search.windows.net | Search Appliance |
+| azure-api.net | API Services |
+
+***NOTE: Enumerating existing Azure subdomains may be handy for anyone looking to conduct subdomain takeovers. Subdomain takeovers are typically done the other way around (finding a domain that’s no longer registered or in use), but by preemptively discovering the domains, and keeping tabs on them for later, you may be able to monitor for potential subdomain takeovers.***
+
+# Demo:
+
+https://user-images.githubusercontent.com/72598486/217250582-eada89ee-ac4a-41c3-8421-314aa8e75bca.mov
+
+# Install:
+
+Download repository:
+
+```
+$ mkdir Enum_AzureSubdomains
+$ cd Enum_AzureSubdomains/
+$ sudo git clone https://github.com/RoseSecurity/Enum_AzureSubdomains.git
+```
+
+Usage:
+
+To load the script into Metasploit:
+
+```
+# Create directory for module
+$ mkdir -p ~/.msf4/modules/auxiliary/gather
+# Move script into folder
+$ mv enum_azuresubdomains.rb ~/.msf4/modules/auxiliary/gather
+```
+
+Fire up Metasploit:
+
+```
+# Quietly start Metasploit and reload all modules
+$ msfconsole -q -x 'reload_all'
+# Use module
+msf6> use auxiliary/gather/enum_azuresubdomains
+```
+
+If you encounter any errors, check the following log:
+
+```
+$ tail ~/.msf4/logs/framework.log
+```
+

Guides/Enum_AzureSubdomains/enum_azuresubdomains.rb

@@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::DNS::Enumeration
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Azure Subdomain Scanner and Enumerator',
+        'Description' => 'This module enumerates public Azure services by locating valid subdomains through various DNS queries.',
+        'Author' => ['RoseSecurity <RoseSecurityResearch[at]protonmail.me>'],
+        'References' => ['www.netspi.com/blog/technical/cloud-penetration-testing/enumerating-azure-services'],
+        'License' => MSF_LICENSE
+      )
+    )
+    register_options(
+      [
+        OptString.new('DOMAIN', [true, 'The target domain without TLD (e.g., victim instead of victim.org)']),
+        OptBool.new('PERMUTATIONS', [false, 'Prepend and append permuted keywords to the domain', false]),
+        OptBool.new('ENUM_A', [true, 'Enumerate DNS A record', true]),
+        OptBool.new('ENUM_CNAME', [true, 'Enumerate DNS CNAME record', true]),
+        OptBool.new('ENUM_MX', [true, 'Enumerate DNS MX record', true]),
+        OptBool.new('ENUM_NS', [true, 'Enumerate DNS NS record', true]),
+        OptBool.new('ENUM_SOA', [true, 'Enumerate DNS SOA record', true]),
+        OptBool.new('ENUM_TXT', [true, 'Enumerate DNS TXT record', true])
+      ]
+    )
+  end
+
+  def dns_enum(target_domains)
+    target_domains.each do |domain|
+      if dns_get_a(domain)
+        print_good("Discovered Target Domain: #{domain}")
+        perform_dns_queries(domain)
+      end
+    end
+  end
+
+  def perform_dns_queries(domain)
+    dns_get_a(domain) if datastore['ENUM_A']
+    dns_get_cname(domain) if datastore['ENUM_CNAME']
+    dns_get_ns(domain) if datastore['ENUM_NS']
+    dns_get_mx(domain) if datastore['ENUM_MX']
+    dns_get_soa(domain) if datastore['ENUM_SOA']
+    dns_get_txt(domain) if datastore['ENUM_TXT']
+  end
+
+  def generate_target_domains(domain, subdomains)
+    if datastore['PERMUTATIONS']
+      permuted_domains = generate_permutations(domain)
+      (subdomains + permuted_domains).flat_map do |subdomain|
+        subdomains.map { |tld| domain + tld }
+      end
+    else
+      subdomains.map { |tld| domain + tld }
+    end
+  end
+
+  def generate_permutations(domain)
+    keywords = %w[
+      root web api azure azure-logs data database data-private data-public dev development
+      demo files filestorage internal keys logs private prod production public service services
+      splunk sql staging storage storageaccount test useast useast2 centralus northcentralus westcentralus
+      westus westus2
+    ]
+    keywords.flat_map do |keyword|
+      ["#{domain}-#{keyword}", "#{keyword}-#{domain}"]
+    end
+  end
+
+  def run
+    domain = datastore['DOMAIN']
+    subdomains = %w[
+      .onmicrosoft.com .scm.azurewebsites.net .azurewebsites.net .p.azurewebsites.net .cloudapp.net
+      .file.core.windows.net .blob.core.windows.net .queue.core.windows.net .table.core.windows.net
+      .mail.protection.outlook.com .sharepoint.com .redis.cache.windows.net .documents.azure.com
+      .database.windows.net .vault.azure.net .azureedge.net .search.windows.net .azure-api.net .azurecr.io
+    ]
+
+    target_domains = generate_target_domains(domain, subdomains)
+    dns_enum(target_domains)
+  end
+end

Guides/Enum_AzureSubdomains/msf.md

@@ -0,0 +1,83 @@
+## Introduction
+Microsoft makes use of a number of different domains and subdomains for each of their Azure services. From SQL databases to SharePoint drives, each service maps to its respective domain/subdomain, and these can be identified through DNS enumeration to yield information about the target domain's infrastructure. ```enum_azuresubdomains.rb``` is a Metasploit module for enumerating public Azure services by validating legitimate subdomains through various DNS record queries. This cloud reconnaissance module identifies API services, storage accounts, key vaults, and databases.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use auxiliary/gather/enum_azuresubdomains`
+  3. Do: `set DOMAIN <Target Domain>`
+  5. Do: `run`
+
+## Options
+
+  **DOMAIN**
+
+  The target domain to enumerate without the Top Level Domain (Example: victim.org would just be victim).
+
+  **PERMUTATIONS**
+
+  This appends and prepends permutated keywords to identify common domain name variations.
+
+
+## Scenarios
+
+Running the module against a real system (in this case, the University of Maryland's online Azure services):
+
+```
+msf6 > use auxiliary/gather/enum_azuresubdomains
+msf6 auxiliary(gather/enum_azuresubdomains) > show options
+
+Module options (auxiliary/gather/enum_azuresubdomains):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   DOMAIN                         yes       The target domain without TLD (Ex: victim rather than victim.org)
+   ENUM_A        true             yes       Enumerate DNS A record
+   ENUM_CNAME    true             yes       Enumerate DNS CNAME record
+   ENUM_MX       true             yes       Enumerate DNS MX record
+   ENUM_NS       true             yes       Enumerate DNS NS record
+   ENUM_SOA      true             yes       Enumerate DNS SOA record
+   ENUM_TXT      true             yes       Enumerate DNS TXT record
+   NS                             no        Specify the nameservers to use for queries, space separated
+   PERMUTATIONS  false            no        Prepend and append permutated keywords to domain (This option can take minutes to complete)
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RPORT         53               yes       The target port (TCP)
+   SEARCHLIST                     no        DNS domain search list, comma separated
+   THREADS       1                yes       Number of threads to use in threaded queries
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/enum_azuresubdomains) > set DOMAIN umuc365
+DOMAIN => umuc365
+msf6 auxiliary(gather/enum_azuresubdomains) > set PERMUTATIONS true
+PERMUTATIONS => true
+msf6 auxiliary(gather/enum_azuresubdomains) > run
+
+[*] Discovered Target Domain: umuc365.mail.protection.outlook.com
+
+[*] Querying DNS CNAME records for umuc365.mail.protection.outlook.com
+[*] Querying DNS NS records for umuc365.mail.protection.outlook.com
+[*] Querying DNS MX records for umuc365.mail.protection.outlook.com
+[*] Querying DNS SOA records for umuc365.mail.protection.outlook.com
+[*] Querying DNS TXT records for umuc365.mail.protection.outlook.com
+
+[*] Discovered Target Domain: umuc365.sharepoint.com
+
+[*] Querying DNS CNAME records for umuc365.sharepoint.com
+[+] umuc365.sharepoint.com CNAME: 2732-ipv4v6e.clump.dprodmgd105.aa-rt.sharepoint.com
+[*] Querying DNS NS records for umuc365.sharepoint.com
+[*] Querying DNS MX records for umuc365.sharepoint.com
+[*] Querying DNS SOA records for umuc365.sharepoint.com
+[*] Querying DNS TXT records for umuc365.sharepoint.com
+
+[*] Discovered Target Domain: umuc365-web.sharepoint.com
+
+[*] Querying DNS CNAME records for umuc365-web.sharepoint.com
+[+] umuc365-web.sharepoint.com CNAME: umuc365.sharepoint.com
+[*] Querying DNS NS records for umuc365-web.sharepoint.com
+[*] Querying DNS MX records for umuc365-web.sharepoint.com
+[*] Querying DNS SOA records for umuc365-web.sharepoint.com
+[*] Querying DNS TXT records for umuc365-web.sharepoint.com
+[*] Auxiliary module execution completed
+  ```