nyxgeek edited this page Jun 14, 2023 · 5 revisions

Welcome to the onedrive_user_enum wiki!

Intro

If you haven't read it yet, please check out this blog post:

https://www.trustedsec.com/blog/onedrive-to-enum-them-all/

Known Limitations

  1. Users must have a license to be enumerated
  2. Periods are translated to underscores ('.' -> '_') in the OneDrive personal-site path, and by default the tool converts every underscore in its results back to a period. This can report john.smith when the real username is john_smith. When in doubt, verify the email address format from public sources, or try both (cat usernames_john.smith.txt | tr '.' '_' > usernames_john_smith.txt).
  3. This only enumerates the UPN; aliases and other addresses on the account are not checked.
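The encoding behind limitation 2, as an added example (this is not code from onedrive_user_enum): a UPN becomes the personal-site path by replacing '@' and '.' with '_', so the reverse mapping is ambiguous for every underscore in the local part. The domain part is always recoverable because DNS labels never contain underscores. The tenant and domain names are the ones used elsewhere on this page; the function names are illustrative.

```python
# Added example (not code from onedrive_user_enum): the UPN <-> personal-site
# path encoding that causes Known Limitation 2.
import itertools
from typing import List


def upn_to_path(upn: str) -> str:
    """OneDrive personal sites live under /personal/<encoded UPN>/ where
    both '@' and '.' are replaced by '_':
    john.smith@acmecomputercompany.com -> john_smith_acmecomputercompany_com
    Note that john_smith@... encodes to exactly the same path."""
    local, at, domain = upn.partition("@")
    if not at or not domain:
        raise ValueError(f"not a UPN: {upn!r}")
    return f"{local}_{domain}".replace(".", "_")


def personal_url(tenant: str, upn: str) -> str:
    """Full personal-site URL for a tenant, as probed by the tool."""
    return f"https://{tenant}-my.sharepoint.com/personal/{upn_to_path(upn)}/"


def path_to_upns(path: str, domain: str) -> List[str]:
    """Invert the encoding. The domain is known (it was supplied with -d) and
    DNS labels never contain '_', so its encoded suffix strips off cleanly.
    Every '_' left in the local part could have been a '.' or a literal '_',
    so all 2^n readings are returned, the all-periods reading first (that is
    what the tool reports by default)."""
    suffix = "_" + domain.replace(".", "_")
    if not path.endswith(suffix):
        raise ValueError("path does not end with the encoded domain")
    pieces = path[: -len(suffix)].split("_")
    upns = []
    # product("._", repeat=0) yields one empty tuple, so a local part without
    # underscores (wayneb) gives exactly one candidate.
    for seps in itertools.product("._", repeat=len(pieces) - 1):
        local = pieces[0] + "".join(s + p for s, p in zip(seps, pieces[1:]))
        upns.append(f"{local}@{domain}")
    return upns


if __name__ == "__main__":
    # Constructed sample: a reported path and the domain we enumerated.
    for cand in path_to_upns("john_smith_acmecomputercompany_com", "acmecomputercompany.com"):
        print(cand, "->", personal_url("acmecomputercompany", cand))
```

When a hit comes back with underscores in the local part, feed each reading from path_to_upns to a source of truth (a public email address, a mailto: link in a PDF) before assuming the default period form.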

Starting Wordlists

  1. Grab a copy of statistically-likely-usernames

https://github.com/insidetrust/statistically-likely-usernames

This is still a good starting point, especially the top-formats.txt, for identifying which formats are in use.

  2. Run the generate_usernames_f17.sh shell script, using USERNAMES/firstnames.txt and USERNAMES/lastnames.txt (from 1990 US Census data). These word lists are much more comprehensive (and take a lot longer to run).

You'll see a big warning message on your screen, and after a 10-second countdown it will begin.

** THIS WILL TAKE A LONG TIME TO RUN AND CAN USE UP SOME DISK SPACE - < 10GB **

nyxgeek:onedrive_user_enum $ ./generate_usernames_f17.sh USERNAMES/firstnames.1990.txt USERNAMES/lastnames.1990.txt
******************************************************************************************
 HEY! THIS IS GOING TO TAKE A LONG LONG TIME, AND WILL TAKE UP LIKE 10GB of DISK SPACE!!!
******************************************************************************************

******************************************************************************************
 HEY! THIS IS GOING TO TAKE A LONG LONG TIME, AND WILL TAKE UP LIKE 10GB of DISK SPACE!!!
******************************************************************************************

******************************************************************************************
 HEY! THIS IS GOING TO TAKE A LONG LONG TIME, AND WILL TAKE UP LIKE 10GB of DISK SPACE!!!
******************************************************************************************

(you still have time to CTRL-C for about 10 seconds)

Starting username generation...
Generating jsmith

real	22m11.420s
user	3m13.487s
sys	6m32.887s

Generating j.smith
...

And so on -- you can see that on my M1 macbook, it took 22 minutes just to make the jsmith wordlist. Grab a coffee or three and come back later.
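The idea behind the per-format lists, as an added example (this is not the project's generate_usernames_f17.sh and the exact format set in that script is not reproduced here): render every first/last-name pair through a format template, ordered so that the pairs built from the most common names come first. That ordering matters because, as the Examples section shows, runs are usually stopped with CTRL-C long before the list is exhausted. The name lists below are constructed samples; the census files ship one name per line in frequency order, which load_ranked preserves as the rank.

```python
# Added example, not the project's generate_usernames_f17.sh: build per-format
# username lists from ranked first/last-name files, most likely pairs first.
import re
from typing import Dict, Iterable, List

# Format templates keyed by the name the wiki uses for each list.
# {first}/{last} are full names, {fi}/{li} are first/last initials.
FORMATS: Dict[str, str] = {
    "jsmith":     "{fi}{last}",
    "j.smith":    "{fi}.{last}",
    "john.smith": "{first}.{last}",
    "johnsmith":  "{first}{last}",
    "john_smith": "{first}_{last}",
    "johns":      "{first}{li}",
    "smithj":     "{last}{fi}",
}


def normalize(name: str) -> str:
    """Lowercase and drop characters that do not survive into a UPN local
    part (apostrophes, spaces, hyphens): O'Brien -> obrien."""
    return re.sub(r"[^a-z0-9]", "", name.strip().lower())


def load_ranked(lines: Iterable[str]) -> List[str]:
    """Census-style files list one name per line, most common first. Keep
    that order (it is the rank) and drop blanks and duplicates."""
    seen, out = set(), []
    for line in lines:
        n = normalize(line)
        if n and n not in seen:
            seen.add(n)
            out.append(n)
    return out


def generate(fmt: str, firsts: List[str], lasts: List[str]) -> List[str]:
    """Render every pair in FORMATS[fmt]. Pairs are ordered by the sum of
    the two ranks (ties: rarer surname last), so the top of the list is the
    most probable slice of the search space."""
    template = FORMATS[fmt]
    order = sorted((fi + li, li, fi)
                   for fi in range(len(firsts)) for li in range(len(lasts)))
    seen, out = set(), []
    for _, li, fi in order:
        fn, ln = firsts[fi], lasts[li]
        u = template.format(first=fn, last=ln, fi=fn[0], li=ln[0])
        if u not in seen:          # initial formats collide: james/john -> jsmith
            seen.add(u)
            out.append(u)
    return out


def generate_all(firsts: List[str], lasts: List[str]) -> Dict[str, List[str]]:
    return {fmt: generate(fmt, firsts, lasts) for fmt in FORMATS}


# Constructed sample lists in rank order (stand-ins for the census files).
FIRSTNAMES_SAMPLE = ["James", "John", "Robert", "Mary"]
LASTNAMES_SAMPLE = ["Smith", "Johnson", "Williams"]

if __name__ == "__main__":
    firsts = load_ranked(FIRSTNAMES_SAMPLE)
    lasts = load_ranked(LASTNAMES_SAMPLE)
    for fmt, users in generate_all(firsts, lasts).items():
        with open(f"usernames_{fmt}.txt", "w") as fh:
            fh.write("\n".join(users) + "\n")
        print(f"{fmt}: {len(users)} candidates, first three {users[:3]}")
```

To run it against the real lists, pass the open files: load_ranked(open("USERNAMES/firstnames.1990.txt")). With tens of thousands of names on each side the sort materialises every pair in memory, which is the price of the likelihood ordering; the shell script instead streams each format to disk, which is why it needs the disk space warned about above.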


Examples

Initial Runs - Identifying Format

Let's assume we are going to enumerate users at acmecomputercompany.com. To begin, we will let the auto-lookup do its work and supply only a DOMAIN NAME. We will also run it against a general (mixed-format) wordlist, so that we can identify which username format is in use:

./onedrive_enum.py -T 150 -d acmecomputercompany.com

*********************************************************************************************************

                                         ██████               ███
                                        ░░████               ░░░
   ██████    █████████     ███████    ████████   █████████   ████   █████  █████   ███████
  ███░░███  ░░███░░░███   ███░░░███  ███░░░███  ░░███░░░███ ░░███  ░░███  ░░███   ███░░░███
 ░███  ░███  ░███  ░███  ░████████  ░███ ░░███   ░███  ░░░   ░███   ░███   ░███  ░████████
 ░███  ░███  ░███  ░███  ░███░░░░   ░███ ░░███   ░███        ░███   ░░███  ███   ░███░░░
 ░░██████    ████  █████ ░░███████  ░░█████████  ██████      █████   ░░██████    ░░███████
  ░░░░░░    ░░░░  ░░░░░   ░░░░░░░    ░░░░░░░░░  ░░░░░░      ░░░░░     ░░░░░░      ░░░░░░░


   ██████  ████████   █████ ████ █████████████      +-------------------------------------------------+
  ███░░███░░███░░███ ░░███ ░███ ░░███░░███░░███     |               OneDrive Enumerator               |
 ░███████  ░███ ░███  ░███ ░███  ░███ ░███ ░███     |           2023 @nyxgeek - TrustedSec            |
 ░███░░░   ░███ ░███  ░███ ░███  ░███ ░███ ░███     |                 version 2.00                    |
 ░░██████  ████ █████ ░░████████ █████░███ █████    |  https://github.com/nyxgeek/onedrive_user_enum  |
  ░░░░░░  ░░░░ ░░░░░   ░░░░░░░░ ░░░░░ ░░░ ░░░░░     +-------------------------------------------------+

*********************************************************************************************************

Tenants Identified:
---------------------
acmecomputercompany

OneDrive hosts found:
---------------------
acmecomputercompany-my.sharepoint.com


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Beginning enumeration of https://acmecomputercompany-my.sharepoint.com/personal/USER_acmecomputercompany_com/
--------------------------------------------------------------------------------------------------------
[-] [401] VALID USERNAME FOR acmecomputercompany,acmecomputercompany.com - wayneb, username:wayneb@acmecomputercompany.com
[-] [401] VALID USERNAME FOR acmecomputercompany,acmecomputercompany.com - parkerp, username:parkerp@acmecomputercompany.com
        28407 / 961735 tested,  2 valid,  0 errors

After running for a while we detect two accounts, wayneb and parkerp, which tells us the organization uses the smithj format (last name followed by first initial).

At this point we kill the first run with CTRL-C and switch to a dedicated smithj wordlist for the rest of the enumeration.
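What the run above is doing line by line, as an added example (this is not the tool's own code): build the personal-site URL for each candidate, request it, and classify the status. The transport is a parameter, so the block runs offline against a constructed stand-in that answers 401 for wayneb and parkerp and 404 for everything else, matching the output above. Assumptions: a HEAD request is enough to get the status (the tool's own request method may differ), and a 403 should be treated like the 401 the wiki shows as VALID; confirm both against a known-good account before relying on them.

```python
# Added example, not the tool's own code: the probe/classify loop behind the
# "[401] VALID USERNAME" lines, with a swappable transport for offline use.
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable


def personal_url(tenant: str, domain: str, username: str) -> str:
    """https://<tenant>-my.sharepoint.com/personal/<user>_<domain, '.'->'_'>/"""
    encoded = f"{username}_{domain}".replace(".", "_")
    return f"https://{tenant}-my.sharepoint.com/personal/{encoded}/"


def classify(status: int) -> str:
    """401 is what the run above reports as VALID. Treating 403 the same way
    is an assumption to confirm against a known account. 404 means no
    personal site exists (unlicensed or non-existent user, see Known
    Limitations). Anything else (throttling, errors) is re-tested later."""
    if status in (401, 403):
        return "valid"
    if status == 404:
        return "invalid"
    return "unknown"


def http_status(url: str, timeout: float = 10.0) -> int:
    """Live transport: HTTP status of a HEAD request. urlopen raises on
    4xx/5xx and follows redirects, so a redirected response is reported
    with the final status."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0  # network failure, classified as "unknown"


def enumerate_users(tenant: str, domain: str, usernames: Iterable[str],
                    fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Map each candidate username to valid / invalid / unknown."""
    return {u: classify(fetch(personal_url(tenant, domain, u))) for u in usernames}


# Constructed stand-in for the live service, mirroring the run above:
# the two real accounts answer 401, every other path 404.
_FAKE_VALID = {
    personal_url("acmecomputercompany", "acmecomputercompany.com", u)
    for u in ("wayneb", "parkerp")
}


def fake_fetch(url: str) -> int:
    return 401 if url in _FAKE_VALID else 404


if __name__ == "__main__":
    found = enumerate_users("acmecomputercompany", "acmecomputercompany.com",
                            ["wayneb", "smithj", "parkerp"], fetch=fake_fetch)
    for user, verdict in found.items():
        print(f"[{verdict}] {user}@acmecomputercompany.com")
```

Swap fake_fetch for http_status (or a session with proxying and rate limiting) to run it for real; keep "unknown" results in a retry queue rather than discarding them, since a throttled probe says nothing about the user.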

... More to come ...


Troubleshooting - Why am I not finding users?

  1. Are you multi-tenant? If so, iterate through all combinations of tenants and domains. Often, if there are multiple tenants, you will find users in each of them. If they are broken up by geographic location (acmecomputersEurope, acmecomputersAsia, etc.), try both the primary domain(s) and any country-suffix domains associated with those regions.

YOU CAN FIND THE SAME DOMAIN ENDING IN MULTIPLE TENANTS. Example:

AcmeComputersEurope,user@acmecomputercompany.com
AcmeComputersAsia,user@acmecomputercompany.com

Be sure to check all tenants for users.

  2. Have you tried all the domains? Do some googling for the organization's email address format. Often enough it differs from their main web domain. This is especially true for long domain names.

  3. Maybe the users aren't assigned to a custom domain, and are instead set up with their onmicrosoft.com domain. Instead of passing the custom domain to -d, use their onmicrosoft domain, which is tenant.onmicrosoft.com. There may be more than one of these (rare). The username format would look like 'user@acmecomputercompany.onmicrosoft.com'.

  4. Odd username formats: numeric usernames, especially with a prefix (example: ZY123456), can be hard to find initially. Try finding PDF or DOCX metadata on Google, and look for screenshots or hints in documentation online. For an initial survey of a numeric range, use seq and shuf to take a sub-sample: seq 100000 999999 | shuf | head -n 150000 > seq_100k_999k_shuf150k.txt

  5. The users just aren't there. Sometimes orgs don't sync all their users, and sometimes their Azure environment is standalone from on-prem. Try other enumeration methods; Graph or Teams are great.
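Items 1 to 4 above amount to widening the search in two directions: more (tenant, domain) targets and odd username shapes. The following is an added example (not part of onedrive_user_enum) that expands a tenant list into every target combination, including each tenant's own onmicrosoft.com domain, prints the same URL template the tool shows in its "Beginning enumeration of" line, and takes a seeded random sub-sample of a prefixed numeric range without materialising the whole range the way seq | shuf does. Tenant names, the ZY prefix and the function names are illustrative; tenants and domains are lowercased because hostnames are case-insensitive.

```python
# Added example (not part of onedrive_user_enum): expand tenant/domain
# combinations from the troubleshooting list and sub-sample a prefixed
# numeric username range for a first survey.
import random
from typing import Iterable, List, Tuple


def target_matrix(tenants: Iterable[str], domains: Iterable[str]) -> List[Tuple[str, str]]:
    """Every (tenant, domain) pair, plus each tenant's own onmicrosoft.com
    domain (item 3), so a domain shared across tenants is tried in all of
    them (item 1). Lowercased: hostnames are case-insensitive."""
    tenants = [t.lower() for t in tenants]
    domains = [d.lower() for d in domains]
    out: List[Tuple[str, str]] = []
    for t in tenants:
        for d in domains + [f"{t}.onmicrosoft.com"]:
            out.append((t, d))
    return out


def url_template(tenant: str, domain: str) -> str:
    """Same shape as the 'Beginning enumeration of' line the tool prints;
    USER is the placeholder the candidate usernames are substituted into."""
    return f"https://{tenant}-my.sharepoint.com/personal/USER_{domain.replace('.', '_')}/"


def numeric_sample(prefix: str, low: int, high: int, count: int, seed: int = 0) -> List[str]:
    """Random sub-sample of prefix+number usernames (e.g. ZY123456), item 4.
    random.sample over a range() draws without replacement and without
    building the full list; the seed makes the sample reproducible so a
    second survey can be compared with, or extended from, the first."""
    if count > high - low + 1:
        raise ValueError("sample larger than range")
    width = len(str(high))
    rng = random.Random(seed)
    return [f"{prefix}{n:0{width}d}" for n in rng.sample(range(low, high + 1), count)]


if __name__ == "__main__":
    # Constructed example: two regional tenants sharing one mail domain.
    for tenant, domain in target_matrix(["AcmeComputersEurope", "AcmeComputersAsia"],
                                        ["acmecomputercompany.com", "acmecomputercompany.eu"]):
        print(f"{tenant},{domain}  ->  {url_template(tenant, domain)}")
    print(numeric_sample("ZY", 100000, 999999, 5, seed=7))
```

Each (tenant, domain) row is one separate run of the tool; a domain that yields nothing in one tenant may still hold users in another.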