Home
AzDevRecon is a web-based Azure DevOps enumeration tool designed for offensive security professionals, red teamers, and penetration testers. It helps identify misconfigurations, exposed secrets, and security gaps by leveraging Personal Access Tokens (PATs) and Access Tokens (with aud=499b84ac-1321-427f-aa17-267ca6975798, also obtainable via Managed Identity) for reconnaissance and data extraction.
- Token-Based Enumeration – Supports enumeration using Azure DevOps Personal Access Tokens (PATs) and Access Tokens from Managed Identity authentication.
- Project & Repository Discovery – Identify accessible projects and repositories that may contain sensitive data.
- Pipeline & Build Analysis – Analyze Azure Pipelines and Build artifacts for security flaws and misconfigurations.
- Secrets & Credential Hunting – Detect hardcoded secrets, API keys, and exposed tokens that could lead to privilege escalation.
- User & Permission Analysis – Map roles, permissions, and potential privilege escalation paths to assess security risks.
- Web-Based UI – Intuitive interface for efficient and streamlined enumeration.
By leveraging discovered tokens, AzDevRecon allows security teams to enumerate and analyze Azure DevOps instances, helping organizations proactively identify and mitigate security risks before attackers can exploit them.
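For defenders triaging a token found in a repository, log or pipeline variable, the audience value quoted above shows whether the token is scoped to Azure DevOps and its `exp` claim shows whether it is still within its lifetime. The following is an added example, not part of AzDevRecon; the function names are hypothetical and the sample token is constructed.

```python
import base64
import json
import time

# Audience value the page gives for Azure DevOps access tokens.
AZDO_AUDIENCE = "499b84ac-1321-427f-aa17-267ca6975798"


def constructed_token(claims):
    """Build an unsigned, constructed JWT-shaped string for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


def triage_token(token, now=None):
    """Classify a bearer token found in a repo, log or pipeline variable.

    The signature is not verified: this is triage of a leaked credential,
    not authentication, so the claims are only a hint about exposure.
    """
    now = time.time() if now is None else now
    result = {"jwt": False, "azdo": False, "expired": None}
    parts = token.strip().split(".")
    if len(parts) != 3:
        return result
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return result
    if not isinstance(claims, dict):
        return result
    result["jwt"] = True
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # Match on the GUID so a list-valued or URI-wrapped audience is also caught.
    result["azdo"] = any(AZDO_AUDIENCE in str(a).lower() for a in audiences)
    exp = claims.get("exp")
    if isinstance(exp, (int, float)):
        result["expired"] = exp <= now
    return result


if __name__ == "__main__":
    sample = constructed_token({"aud": AZDO_AUDIENCE, "exp": 4102444800})
    print(triage_token(sample))
    print(triage_token("not-a-jwt"))
```

A result with `azdo` true and `expired` false marks a credential to rotate at its source and to follow up in the organization's Azure DevOps audit log.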
AzDevRecon provides a web-based UI for easy authentication and management. The first step is to register and log in to access its functionalities.
Registration Page
- Navigate to the AzDevRecon web interface.
- Fill in the required details.
- Click Register to create an account.
Login Page
- Once registered, enter your username and password to log in.
- Click Login to access the main dashboard.
Once logged in, you will be redirected to the dashboard, where you can start the enumeration process.

When you click View, you will see the list of projects and the list of users within the organization.

Now click View on the desired project.

To list the repos, click Files.

Repo Branches

Pipelines YAML

Pipeline Variables

Project Permissions
