Mastering Modern Red Teaming Infrastructure Part 4: Advanced OSINT Techniques, Credential Harvesting, and Azure AD Password Spraying Tactics
In this part of the series, we focus on Open-Source Intelligence (OSINT) techniques to collect victim emails, validate identities, and perform external password spraying. The goal is to leverage public sources, dark web leaks, and enumeration techniques to build a target list and assess exposed credentials. The testing is carried out against the sud0root.com and megabigtech.com domains while maintaining OPSEC.
After collecting the emails, we will perform password spraying against:
✅ Microsoft Azure Entra ID (formerly Azure AD).
✅ Other external Identity Providers (IdPs) such as ADFS, Okta, and PingFederate.
Table of Contents
- Automated Tools: theHarvester & Intelligence Gathering Sources
- LinkedIn: Mining Employee Data for Phishing & Password Spraying
- Corporate Contact Sites
- Dark Web & Credential Leaks: Past Breaches as an Attack Vector
- Validating Emails: Microsoft Teams & Azure AD (Microsoft Entra ID) & Hunter.io
- Final Step: External Password Spraying on Microsoft Entra ID & Other IdPs
1. Automated Tools: theHarvester & Intelligence Gathering Sources
1.1 To start gathering emails, we will use theHarvester on megabigtech.com:
theHarvester -d megabigtech.com -l 300 -b all

1.2 Hunter.io & Snov.io — web-based services to find corporate emails and verify validity


2. LinkedIn: Mining Employee Data for Phishing & Password Spraying
LinkedIn is a goldmine for gathering corporate employee details. The OPSEC strategy involves:
🔹 Using a VPN and a fake LinkedIn profile to avoid detection.
🔹 Searching for employees of the target organization.
🔹 Extracting names, titles, departments, and locations to derive the email naming format.
2.1 Manual Search on LinkedIn by target organization name

Based on OSINT findings, we can generate an email permutation file:
<lastname><first_initial><second_initial>@domain.com
<first_name>.<last_name>@domain.com
<first_name>@domain.com
Example:
If we find an employee named Faris Faisall, possible email formats include:
[email protected]
[email protected]
[email protected]
2.2 Automated
Tools like BridgeKeeper can scrape employee names from LinkedIn profiles and other sources and convert them into potential usernames; it can also convert an already generated list of names to usernames.
Gather employee names for a company, Example Ltd., and convert each name into a ‘flast’-formatted email:
bridgekeeper.py --company "Example, Ltd." --format {f}{last}@example.com --depth 10 --output example-employees
Gather employee names and email addresses from search engines and Hunter.io:
bridgekeeper.py --company "Example, Ltd." --domain example.com --api {API_KEY} --depth 10 --output example-employees
Convert an already generated list of names to usernames:
bridgekeeper.py --names names.txt --format {f}{last}@example.com --output example-employees
3. Corporate Contact Sites
Many companies have public contact directories listing employee names, emails, and roles. These can be found on:
🔹 Company “About Us” pages
🔹 Press releases & blogs
🔹 Job postings (which may list internal email formats)
For example, Hunter.io identified [email protected] from corporate contact sites.

4. Dark Web & Credential Leaks: Past Breaches as an Attack Vector
Compromised emails and passwords from past breaches often reveal corporate credentials.
4.1 First, check whether the emails appeared in past breaches using the sources below:
✅ https://haveibeenpwned.com/, https://intelx.io and https://leakcheck.io/
These sources tell me whether the email has been breached and in which breach. If it has, I search Pastebin or the dark web for the breach data by breach name.

4.2 Pastebin & Telegram — often used to dump credentials.
In recent times, platforms like Pastebin and Telegram have become repositories for data leaked from various breaches. For instance, the email address [email protected], found earlier during OSINT and associated with the megabigtech.com demo lab, was found in a breach disclosed on Pastebin.

4.3 Dark Web forums — marketplaces for compromised credentials.
Caution: When accessing dark web platforms, ensure you do so responsibly and in strict adherence to all applicable laws and regulations. Unauthorized activities or misuse can result in severe legal consequences, so always align your actions with established legal and ethical standards.
First open the VPN, then start the Tor service, then open torbrowser-launcher.

Due to the frequent takedowns of hidden services and .onion sites by authorities, I’m using the site below to search for new onion sites, leaked data and compromised credentials during red teaming.
http://tor66sewebgixwhcqfnp5inzp5x5uohhdy3kvtnyfxc2e5mxiuh34iid.onion/search?q=leak+data

Some dark web leaked-credential sites I’m using and have found useful:
http://darkleakyqmv62eweqwy4dnhaijg4m4dkburo73pzuqfdumcntqdokyd.onion/
http://7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion/
http://hackeoyrzjy3ob4cdr2q56bgp7cpatruphcxvgbfsiw6zeqcc36e4ryd.onion/
http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/
http://5odv4qjwkhpv3obbtqlgjsk3xfcr6llfvu6dfn6u4e5umhjd3flikgid.onion/
http://ux7z5awxtjr45bxtbuegyrwprndt5jigchlothsjparbj5jypz56wcid.onion/
http://craf75ymkprmhrb5j42n2oluyteejneibffuz6zgfr3mzw4obk2f3oyd.onion/
http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/

Additionally, there are advanced dark web monitoring services and tools that require a subscription; they can efficiently and automatically perform all of the tasks mentioned above.
💡 If we find an employee’s reused password from a past breach, we can perform a credential stuffing attack or attempt authentication against:
- Microsoft 365 (Entra ID)
- Okta, PingFederate, or ADFS
- VPN, OWA, or other externally exposed services
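The defensive counterpart to this section is to find out whether a password is already circulating in breach corpora before an attacker reuses it. The example below is an added illustration, not code from the original post: it implements the public Have I Been Pwned Pwned Passwords range lookup (SHA-1 the password, send only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and match the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines). The response body embedded here is constructed for offline use, so the counts in it are made up; the real service returns hundreds of lines per prefix.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the body returned by
# GET https://api.pwnedpasswords.com/range/5BAA6 (sample data, not a real capture).
# Each line is "<35-hex-char hash suffix>:<number of times seen in breaches>".
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E2D2B7F1E6C3E8E4A9D1C0B5A6F7E8D9C0:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"   # suffix of SHA-1("password")
        "1F5A3C8D2E7B4A6F9C1D0E3B5A7F8C9D2E1:1\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse the SUFFIX:COUNT lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue                    # skip blank or malformed lines
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Fetcher used for the offline demonstration: serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real lookup against the Pwned Passwords API (needs network access)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Return how many times the password appears in the breach corpus (0 if never).
    Only the hash prefix leaves the machine; the full hash is never transmitted."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-Example!"):
        print(f"{pw!r}: seen {breach_count(pw)} times")
```

Wire `breach_count(candidate, live_fetch)` into a password-change hook or a periodic audit of recovered hashes and reject anything with a non-zero count; because the lookup is k-anonymous, the check can run from inside the organisation without disclosing which password was tested.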
5. Validating Emails: Microsoft Teams & Azure AD (Microsoft Entra ID) & Hunter.io
To verify which emails are valid and active, we can:
5.1 Use Hunter.io’s email verification API.
Click on “Verify email address”.

It then reports that the address is verified and valid.

5.2 Check Microsoft Teams “External Access” to see if an email exists.
Microsoft Teams Validation: Open Microsoft Teams and try adding an external contact. If the email is valid, Teams will auto-complete the name. If not, Teams returns an error.


🚀 Key Insight: If Teams auto-completes, the email is valid and in use — making it a prime candidate for password spraying or phishing.
5.3 Using the AADInternals module to confirm whether the user exists in Azure (and hence whether the email is valid)

6. Final Step: External Password Spraying on Microsoft Entra ID & Other IdPs
Many organizations utilize Azure AD and Microsoft 365 to leverage integrated tools like Teams and Office applications, which enhance collaboration and productivity.
6.1 Confirm Target using Azure AD: To determine whether a client is using Azure Entra ID (formerly Azure Active Directory) or other Identity Providers (IdPs), we will use the AADInternals PowerShell module. This tool allows you to query the client’s domain to ascertain whether it is configured as ‘Managed’ or ‘Federated’. A ‘Managed’ domain indicates that Azure AD handles authentication directly, while a ‘Federated’ domain signifies that authentication is managed by an external IdP, such as Active Directory Federation Services (ADFS), Okta, or PingFederate.
Install AADInternals Module on PowerShell
Install-Module -Name AADInternals -Force -AllowClobber
Import-Module AADInternals
Get-Command -Module AADInternals
Below, sud0root.com and megabigtech.com are using managed authentication, which means Azure AD handles authentication for them directly.

We can also use a manual method to enumerate the tenant and confirm that the target uses Azure AD by visiting this endpoint:
https://login.microsoftonline.com/getuserrealm.srf?login=sud0root.com

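The getuserrealm endpoint above answers the ‘Managed’ vs ‘Federated’ question without authentication, so the same check is worth running against your own domains to see exactly what an outsider learns. The script below is an added example, not code from the post or from AADInternals: it parses the JSON form of the response (`getuserrealm.srf?login=<user@domain>&json=1`) and reports the `NameSpaceType` and, for federated domains, the STS host taken from `AuthURL`. The three response bodies embedded in it are constructed samples with only the fields the script uses; real responses carry additional fields.

```python
import json
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed sample responses (not real captures) in the shape returned by
# https://login.microsoftonline.com/getuserrealm.srf?login=<user@domain>&json=1
SAMPLE_RESPONSES: Dict[str, str] = {
    "managed.example": json.dumps({
        "Login": "someone@managed.example",
        "NameSpaceType": "Managed",
        "DomainName": "managed.example",
    }),
    "federated.example": json.dumps({
        "Login": "someone@federated.example",
        "NameSpaceType": "Federated",
        "DomainName": "federated.example",
        "FederationBrandName": "Example Corp",
        "AuthURL": "https://sts.federated.example/adfs/ls/?username=someone%40federated.example"
                   "&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline",
    }),
    "unknown.example": json.dumps({
        "Login": "someone@unknown.example",
        "NameSpaceType": "Unknown",
    }),
}


def classify_realm(raw_json: str) -> Dict[str, Optional[str]]:
    """Summarise a getuserrealm JSON body: which domain, whether Entra ID or an
    external IdP handles passwords, and (if federated) the STS host."""
    data = json.loads(raw_json)
    ns_type = data.get("NameSpaceType", "Unknown")
    domain = data.get("DomainName") or data.get("Login", "").rsplit("@", 1)[-1]
    summary: Dict[str, Optional[str]] = {
        "domain": domain,
        "namespace_type": ns_type,
        "auth_handled_by": None,
        "idp_host": None,
    }
    if ns_type == "Managed":
        summary["auth_handled_by"] = "Entra ID (cloud-native password authentication)"
    elif ns_type == "Federated":
        # AuthURL is the federation endpoint the user is redirected to.
        summary["idp_host"] = urlparse(data.get("AuthURL", "")).hostname
        summary["auth_handled_by"] = data.get("FederationBrandName") or "external IdP"
    else:
        summary["auth_handled_by"] = "no Entra ID tenant found for this domain"
    return summary


def lookup_realm(domain: str) -> Dict[str, Optional[str]]:
    """Live query (needs network); probes a placeholder mailbox name at the domain."""
    import urllib.request
    url = f"https://login.microsoftonline.com/getuserrealm.srf?login=someone@{domain}&json=1"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return classify_realm(resp.read().decode("utf-8"))


if __name__ == "__main__":
    for domain, body in SAMPLE_RESPONSES.items():
        print(domain, classify_realm(body))
```

For a federated domain the `idp_host` value is the system whose authentication logs (ADFS, Okta, PingFederate) must be watched for spray patterns, since failed attempts against it never appear as Entra ID sign-in failures.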
6.2 For ‘Managed’ domains (likely indicating a native cloud setup): you can employ tools like Go365 to perform password spraying attacks. Go365 is designed to conduct user enumeration and password guessing attacks on organizations utilizing Office 365.
Password spray on megabigtech.com: Go365 reports whether each user is valid and also identifies valid username and password pairs.
[email protected] with the password MegaDev79$ is valid.

6.3 For ‘Federated’ domains (a strong indicator of a hybrid setup): the approach will depend on the specific IdP in use. Each IdP may have unique endpoints and authentication mechanisms, necessitating tailored strategies for password spraying. It’s crucial to research and understand the specific IdP’s authentication flow to effectively conduct such assessments.
In a recent engagement, I encountered a client utilizing federated authentication for their Office 365 services. Instead of authenticating directly through Azure Entra ID (formerly Azure Active Directory), their authentication requests were redirected to a different endpoint, as specified in the Security Token Service (STS) configuration.
To assess the security of this setup, I employed Burp Suite’s Intruder tool to perform a password spraying attack. By crafting a custom script to simulate standard web authentication requests, I was able to analyze the responses and identify valid credentials based on specific indicators in the server’s replies. So you can use Burp Intruder or write a custom script.
I removed the full STS link from the screenshot because it is sensitive information.

6.4 My OPSEC during password spray (Rotating Source IP using AWS API Gateway)
To enhance operational security (OPSEC) during password spraying assessments, one effective method I use involves utilizing AWS API Gateway to obscure the origin of the traffic. By setting up an API Gateway in AWS to route authentication requests to the target service, such as Microsoft’s authentication API, each request appears to originate from a dynamic IP address within AWS’s IP range. This approach not only conceals the true source of the password spraying activity but also diminishes the likelihood of detection by the target’s security mechanisms, as the traffic blends in with legitimate AWS-originated requests.
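The source-IP rotation just described defeats any detection that counts failures per IP, which is why the detection a defender wants keys on the shape of the attempts rather than on where they come from. The script below is an added example, not code from the post: it buckets Entra ID sign-in records into fixed time windows and raises an alert when many distinct accounts each fail only once or twice with error 50126 (the Entra ID code for an invalid username or password), however many source addresses were used. The sign-in records are constructed sample data using documentation IP ranges; the field subset, threshold values and function names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

ERR_INVALID_CREDENTIALS = "50126"   # Entra ID sign-in error: invalid username or password
SUCCESS = "0"

# Constructed sign-in records: (UTC timestamp, user, source IP, result code).
# Eight accounts each fail once from a different address inside three minutes,
# then one real user mistypes their password three times and gets in.
SAMPLE_SIGNINS: List[Tuple[str, str, str, str]] = [
    ("2024-05-01T09:00:05Z", "alice@megabigtech.com", "198.51.100.11", ERR_INVALID_CREDENTIALS),
    ("2024-05-01T09:00:21Z", "carol@megabigtech.com", "198.51.100.12", ERR_INVALID_CREDENTIALS),
    ("2024-05-01T09:00:44Z", "dave@megabigtech.com",  "198.51.100.13", ERR_INVALID_CREDENTIALS),
    ("2024-05-01T09:01:02Z", "erin@megabigtech.com",  "198.51.100.14", ERR_INVALID_CREDENTIALS),
    ("2024-05-01T09:01:19Z", "frank@megabigtech.com", "198.51.100.15", ERR_INVALID_CREDENTIALS),
    ("2024-05-01T09:01:40Z", "grace@megabigtech.com", "198.51.100.16", ERR_INVALID_CREDENTIALS),
    ("2024-05-01T09:02:03Z", "heidi@megabigtech.com", "198.51.100.17", ERR_INVALID_CREDENTIALS),
    ("2024-05-01T09:02:27Z", "ivan@megabigtech.com",  "198.51.100.18", ERR_INVALID_CREDENTIALS),
    ("2024-05-01T09:03:10Z", "bob@megabigtech.com",   "203.0.113.7",   ERR_INVALID_CREDENTIALS),
    ("2024-05-01T09:03:25Z", "bob@megabigtech.com",   "203.0.113.7",   ERR_INVALID_CREDENTIALS),
    ("2024-05-01T09:03:41Z", "bob@megabigtech.com",   "203.0.113.7",   ERR_INVALID_CREDENTIALS),
    ("2024-05-01T09:03:58Z", "bob@megabigtech.com",   "203.0.113.7",   SUCCESS),
    ("2024-05-01T09:25:00Z", "alice@megabigtech.com", "203.0.113.9",   SUCCESS),
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_spray_buckets(records, window_minutes: int = 10,
                       min_users: int = 5, max_attempts_per_user: int = 2) -> List[Dict]:
    """Return one alert per time bucket in which at least `min_users` distinct
    accounts failed with bad credentials no more than `max_attempts_per_user`
    times and never succeeded. Source IP is reported but never used as a key,
    so rotating addresses does not split the signal."""
    buckets = defaultdict(list)
    for ts, user, ip, code in records:
        t = parse_ts(ts)
        start = t.replace(minute=t.minute - t.minute % window_minutes, second=0, microsecond=0)
        buckets[start].append((user, ip, code))

    alerts = []
    for start in sorted(buckets):
        failures = defaultdict(int)          # user -> bad-credential attempts
        per_ip = defaultdict(int)            # ip   -> bad-credential attempts
        ips_by_user = defaultdict(set)
        succeeded = set()
        for user, ip, code in buckets[start]:
            if code == ERR_INVALID_CREDENTIALS:
                failures[user] += 1
                per_ip[ip] += 1
                ips_by_user[user].add(ip)
            elif code == SUCCESS:
                succeeded.add(user)
        # Low-and-slow victims: few failures each and no successful sign-in.
        sprayed = sorted(u for u, n in failures.items()
                         if n <= max_attempts_per_user and u not in succeeded)
        if len(sprayed) >= min_users:
            source_ips = set().union(*(ips_by_user[u] for u in sprayed))
            alerts.append({
                "window_start": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "distinct_users": len(sprayed),
                "users": sprayed,
                "distinct_source_ips": len(source_ips),
                # Shows why a per-IP threshold misses this: the busiest single
                # address in the window is the legitimate user's, not the sprayer's.
                "max_failures_from_one_ip": max(per_ip.values()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_spray_buckets(SAMPLE_SIGNINS):
        print(alert)
```

The same grouping works on ADFS or other IdP logs once their failure events are mapped onto the bad-credential code; tune `min_users` to the tenant size, and keep a per-IP rule alongside this one rather than instead of it, since the two catch different attacker behaviours.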
Next: Stay sharp — we’re moving from OSINT, credential harvesting, and password spray to Payload Development and Hardening to Evade Detection (no chain no gain) in Part 5.
If you find this blog useful, don’t forget to hit the clap button and follow the blog.
Certifications:
OSEC3, CRTL, CRTO, OSCP, OSEP, OSWE, OSED, eMAPT … Others
Follow me on LinkedIn & Twitter(X) to stay updated and to know new things.
Bye Bye, Take Care.