From 95e989f5a1925bc5ad7243f77e200200fe4f64d2 Mon Sep 17 00:00:00 2001
From: CravateRouge
Date: Mon, 7 Nov 2022 11:47:47 +0100
Subject: [PATCH] Add application endpoint enumeration
---
 Methodology and Resources/Cloud - Azure Pentest.md | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md
index d6721d2..1c1ad9f 100644
--- a/Methodology and Resources/Cloud - Azure Pentest.md
+++ b/Methodology and Resources/Cloud - Azure Pentest.md
@@ -948,12 +948,19 @@ cat | Select-String password
 ```powershell
 # Enumerate application that have Proxy
-PS C:\Tools> Get-AzureADApplication | %{try{GetAzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}}
+PS C:\Tools> Get-AzureADApplication -All $true | %{try{GetAzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}}
 PS C:\Tools> Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Finance Management System"}
 PS C:\Tools> . C:\Tools\GetApplicationProxyAssignedUsersAndGroups.ps1
 PS C:\Tools> Get-ApplicationProxyAssignedUsersAndGroups -ObjectId
 ```
- 
+
+## Application Endpoint
+```powershell
+# Enumerate possible endpoints for applications starting/ending with PREFIX
+PS C:\Tools> Get-AzureADServicePrincipal -All $true -Filter "startswith(displayName,'PREFIX')" | % {$_.ReplyUrls}
+PS C:\Tools> Get-AzureADApplication -All $true -Filter "endswith(displayName,'PREFIX')" | Select-Object ReplyUrls,WwwHomePage,HomePage
+```
+
 ## Conditional Access
 * Bypassing conditional access by copying User-Agent (Chrome Dev Tool > Select iPad Pro, etc)