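<#
.SYNOPSIS
Enumerates the domains associated with a Microsoft 365 tenant via Exchange federation metadata.
.DESCRIPTION
Queries the Exchange Online GetFederationInformation SOAP endpoint to retrieve all domains
associated with a tenant. This is an unauthenticated OSINT technique that uses the
Exchange AutoDiscover service.
Reported to Microsoft in July 2018; they confirmed this is by-design behavior, not a
security vulnerability.
.PARAMETER Domain
A domain known to belong to the target Microsoft 365 tenant. Accepts pipeline input;
each piped value is queried separately.
.OUTPUTS
System.String. The domain names returned by the service, sorted. Nothing is emitted
(a warning is written instead) when the request fails or the response contains no domains.
.EXAMPLE
. .\Get-ExODomains.ps1
Get-ExODomains -Domain example.com
.EXAMPLE
'example.com', 'example.net' | Get-ExODomains
.NOTES
Author: Mike Crowley
https://mikecrowley.us
Related:
https://github.com/Mike-Crowley/Public-Scripts/blob/main/Exchange/Get-AlternateMailboxes.ps1
.LINK
https://learn.microsoft.com/en-us/exchange/client-developer/web-service-reference/getfederationinformation-operation-soap
#>
function Get-ExODomains {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Domain
    )

    begin {
        # Endpoint and SOAP action are fixed by the Autodiscover contract; build them once per pipeline.
        # https://learn.microsoft.com/en-us/exchange/client-developer/web-service-reference/getfederationinformation-operation-soap
        $uri = 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc'
        $action = 'http://schemas.microsoft.com/exchange/2010/Autodiscover/Autodiscover/GetFederationInformation'
        $headers = @{
            # The service expects the SOAPAction header value wrapped in double quotes.
            'SOAPAction' = "`"$action`""
        }
    }

    # A process block is required so that every pipeline item is handled; without it only
    # the last value piped in would be queried.
    process {
        # Escape the caller-supplied value before embedding it in the XML body so that a
        # stray '<', '&' or quote cannot break or alter the request structure.
        $escapedDomain = [System.Security.SecurityElement]::Escape($Domain)

        $body = @"
<soap:Envelope xmlns:exm="http://schemas.microsoft.com/exchange/services/2006/messages"
    xmlns:ext="http://schemas.microsoft.com/exchange/services/2006/types"
    xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Header>
    <a:Action soap:mustUnderstand="1">$action</a:Action>
    <a:To soap:mustUnderstand="1">$uri</a:To>
  </soap:Header>
  <soap:Body>
    <GetFederationInformationRequestMessage xmlns="http://schemas.microsoft.com/exchange/2010/Autodiscover">
      <Request>
        <Domain>$escapedDomain</Domain>
      </Request>
    </GetFederationInformationRequestMessage>
  </soap:Body>
</soap:Envelope>
"@

        try {
            # -ErrorAction Stop turns a non-success HTTP status into a terminating error we can catch.
            $response = Invoke-RestMethod -Method Post -Uri $uri -Body $body -Headers $headers `
                -UserAgent 'AutodiscoverClient' -ContentType 'text/xml; charset=utf-8' -ErrorAction Stop
        }
        catch {
            # Note the space before ':' — "$Domain:" would be parsed as a scope/drive qualifier.
            Write-Warning "Failed to retrieve federation information for $Domain : $($_.Exception.Message)"
            return
        }

        # Invoke-RestMethod parses text/xml into an XmlDocument; walk the SOAP envelope to the Domain elements.
        $domains = $response.Envelope.body.GetFederationInformationResponseMessage.response.Domains.Domain
        if (-not $domains) {
            # An empty or unexpected envelope would otherwise silently produce no output.
            Write-Warning "No domains were returned for $Domain."
            return
        }

        $domains | Sort-Object
    }
}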
# Get-ExODomains -Domain example.com