External Information Gathering

Collection of tools, techniques, and payloads for external information gathering when performing an external security assessment.

1. Subdomain Discovery & Enumeration
   • Find Certificates
   • DNS Data
   • Subdomain Fuzzing
2. Outlook Web Access (OWA)
3. SSO Services
4. Azure AD Brute Forcing
5. Generic Email Accounts
6. Other

Subdomain Discovery & Enumeration

Find Certificates

• Certificate Search - crt.sh
• Censys

DNS Data

• DNS Dumpster
• Pentest Tools - Subdomain Finder

Subdomain Fuzzing

This list can be used when attempting to discover subdomains of a given domain. The target domain should be concatenated on the end and then DNS resolution should be performed.

Outlook Web Access (OWA)

You can find a the OWA portal for a target domain by going to the following link:

https://outlook.office365.com/CLIENT_DOMAIN

SSO Services

You may be able to find additional single sign-on (SSO) services by visiting the following links:

https://CLIENT_DOMAIN/adfs/ls/idpinitiatedsignon.aspx
https://CLIENT_OWA_DOMAIN/adfs/ls/idpinitiatedsignon.aspx

• The endpoints for both links are the same, however, the domain is different.

Azure AD Brute Forcing

• New Azure Active Directory password brute-forcing flaw has no fix

Generic Email Accounts

This list can be used when attempting to fuzz accounts for user enumeration, password spraying attacks, or phishing.

Other

• Fingerprinting Organizations with Collected Archives (FOCA)
• Search in a Search Engine "CLIENT_NAME" site:pastebin.com
• Search in a Search Engine "CLIENT_DOMAIN" site:pastebin.com