-
Notifications
You must be signed in to change notification settings - Fork 88
Home
Welcome to the onedrive_user_enum wiki!
If you haven't read it yet, please check out this blog post:
https://www.trustedsec.com/blog/onedrive-to-enum-them-all/
- Users must have a license to be enumerated
- Periods are translated to underscores ('.' -> '_'), and by default all underscores are converted back to periods. This may result in incorrectly showing john.smith instead of john_smith. When in doubt, verify email address format from public sources, or try both (
cat usernames_john.smith.txt | tr '.' '_' > usernames_john_smith.txt) - This will only enumerate the UPN, not any aliases etc.
- Grab a copy of statistically-likely-usernames
https://github.com/insidetrust/statistically-likely-usernames
This is still a good starting point, especially the top-formats.txt, for identifying which formats are in use.
- Run the generate_f17.sh shell script, using USERNAMES/firstnames.txt and USERNAMES/lastnames.txt (from 1990 US Census data). These word lists are much more comprehensive (and take a lot longer to run).
./generate_f17.sh USERNAMES/firstnames.txt USERNAMES/lastnames.txt
***THIS WILL TAKE A LONG TIME TO RUN AND CAN USE UP SOME DISK SPACE - < 10GB ***
Let's assume we are going to enumerate users at acmecomputercompany.com. To begin, we will let the auto-lookup do it's work, and we will only supply a DOMAIN NAME. We will also give it a general wordlist, so that we can identify what username format is in use:
./onedrive_enum.py -T 150 -d acmecomputercompany.com
*********************************************************************************************************
██████ ███
░░████ ░░░
██████ █████████ ███████ ████████ █████████ ████ █████ █████ ███████
███░░███ ░░███░░░███ ███░░░███ ███░░░███ ░░███░░░███ ░░███ ░░███ ░░███ ███░░░███
░███ ░███ ░███ ░███ ░████████ ░███ ░░███ ░███ ░░░ ░███ ░███ ░███ ░████████
░███ ░███ ░███ ░███ ░███░░░░ ░███ ░░███ ░███ ░███ ░░███ ███ ░███░░░
░░██████ ████ █████ ░░███████ ░░█████████ ██████ █████ ░░██████ ░░███████
░░░░░░ ░░░░ ░░░░░ ░░░░░░░ ░░░░░░░░░ ░░░░░░ ░░░░░ ░░░░░░ ░░░░░░░
██████ ████████ █████ ████ █████████████ +-------------------------------------------------+
███░░███░░███░░███ ░░███ ░███ ░░███░░███░░███ | OneDrive Enumerator |
░███████ ░███ ░███ ░███ ░███ ░███ ░███ ░███ | 2023 @nyxgeek - TrustedSec |
░███░░░ ░███ ░███ ░███ ░███ ░███ ░███ ░███ | version 2.00 |
░░██████ ████ █████ ░░████████ █████░███ █████ | https://github.com/nyxgeek/onedrive_user_enum |
░░░░░░ ░░░░ ░░░░░ ░░░░░░░░ ░░░░░ ░░░ ░░░░░ +-------------------------------------------------+
*********************************************************************************************************
Tenants Identified:
---------------------
acmecomputercompany
OneDrive hosts found:
---------------------
acmecomputercompany-my.sharepoint.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Beginning enumeration of https://acmecomputercompany-my.sharepoint.com/personal/USER_acmecomputercompany_com/
--------------------------------------------------------------------------------------------------------
[-] [401] VALID USERNAME FOR acmecomputercompany,acmecomputercompany.com - wayneb, username:wayneb@acmecomputercompany.com
[-] [401] VALID USERNAME FOR acmecomputercompany,acmecomputercompany.com - parkerp, username:parkerp@acmecomputercompany.com
28407 / 961735 tested, 2 valid, 0 errors
After running for a while we manage to detect two accounts in smithj format.
At this point, we kill our first run with CTRL-C and are going to move to a dedicated wordlist.
... More to come ...