Enumeration Introduction

There is a wealth of blog posts and tools for enumerating domains. This is often the first step of an engagement, and it can allow things to play out like this:

Your target is lolware.net

You cannot find any vulnerabilities at https://lolware.net

There is a vulnerability waiting at https://ctadvisor.lolware.net, if only you knew the domain existed

Most of the automated tooling however is focused on subdomains.

Outside the Subdomain

Several notable write-ups have identified entirely separate domains through sheer luck. For example, browsing any facebook.com page will probably lead an attacker to discover the existence of fbcdn.net.

Enter Microsoft Exchange Federation

Microsoft Exchange includes a "Federation" feature. Microsoft document the feature here: https://technet.microsoft.com/en-us/library/dd335047(v=exchg.150).aspx

Although this is an optional feature for Exchange on-premises, the advantage we have is:

Workers are increasingly requesting this feature

It is enabled by default in Exchange Online

Federation Involves Telling the World What You Have

The crux of this article is the Get-FederationInformation cmdlet.

Simply connect to Exchange Online, or open the Exchange Management Shell on any on-premises Exchange server. (The Basic-authentication remote PowerShell endpoint shown below has since been retired by Microsoft; Connect-ExchangeOnline from the ExchangeOnlineManagement module is the current way in, and the cmdlet works the same once the session is established.)

PS > $UserCredential = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS > $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
PS > Import-PSSession $Session

And with that in place, let's run the command against a domain currently making front page news:

PS > $fedinfo = Get-FederationInformation -DomainName amp.com.au
PS > $fedinfo.DomainNames
mws-email.amp.com.au
amp.com.au
ampadvice.com.au
ampbanking.com.au
ampcapital.com
hillross.com.au
ipac.com.au

If you were pentesting AMP, that is a list of domains to point traditional subdomain enumeration tools at, right there.
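Each domain that comes back can itself be queried, and a related brand's federation record will often list domains the seed domain's record does not. The following is an added example (not code from the original post) that walks that graph breadth-first from one seed domain, deduplicates what it finds, and writes the result out for subdomain tooling. It assumes an Exchange session is already established as above; the function name, the -MaxDepth cap (large tenants make the cmdlet slow, so unbounded recursion is unwise) and the output file name are my own choices. The TargetAutodiscoverEpr property read here is a documented member of the object Get-FederationInformation returns, alongside DomainNames.

```powershell
# Added example: recursive expansion of Get-FederationInformation results.
# Assumes an Exchange Online or Exchange Management Shell session is already
# imported. Function and parameter names are hypothetical, not from the post.

function Get-FederatedDomainSet {
    param(
        [Parameter(Mandatory)][string]$SeedDomain,
        [int]$MaxDepth = 2   # assumed cap: each hop is one slow autodiscover lookup
    )

    # Case-insensitive set of domains already queried, so shared records
    # (e.g. amp.com.au listed by every AMP brand) are only looked up once.
    $seen  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Domain = $SeedDomain; Depth = 0 })

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if (-not $seen.Add($item.Domain)) { continue }

        try {
            $fed = Get-FederationInformation -DomainName $item.Domain -ErrorAction Stop
        } catch {
            # Domains with no federation trust, or no autodiscover, throw here.
            Write-Warning "No federation information for $($item.Domain): $($_.Exception.Message)"
            continue
        }

        # Emit one record per queried domain; DomainNames is the list we care about.
        [pscustomobject]@{
            Queried         = $item.Domain
            Depth           = $item.Depth
            AutodiscoverEpr = $fed.TargetAutodiscoverEpr
            DomainNames     = @($fed.DomainNames | ForEach-Object { "$_" })
        }

        if ($item.Depth -lt $MaxDepth) {
            foreach ($d in $fed.DomainNames) {
                $name = "$d"
                if (-not $seen.Contains($name)) {
                    $queue.Enqueue(@{ Domain = $name; Depth = $item.Depth + 1 })
                }
            }
        }
    }
}

# Usage: flatten every DomainNames list into one unique, sorted file that
# subdomain enumeration tools can take as input (file name is my choice).
$records = Get-FederatedDomainSet -SeedDomain 'amp.com.au'
$records |
    ForEach-Object { $_.DomainNames } |
    Sort-Object -Unique |
    Set-Content -Path .\federated-domains.txt
```

Raising -MaxDepth widens the net but multiplies the lookups, and each one is a live autodiscover round trip against the target's infrastructure, so keep the cap low on a first pass and only expand once you have seen how many distinct records come back.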

For a particularly interesting example, run the command against Microsoft's own domain - just be aware that it will tie up your session for a while.