From 18c656f75655971975654c5a5120512fc15a1413 Mon Sep 17 00:00:00 2001
From: CravateRouge
Date: Fri, 4 Nov 2022 15:09:39 +0100
Subject: [PATCH] Add AzureHound examples

---
 .../Cloud - Azure Pentest.md | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md
index 08800ad..d6721d2 100644
--- a/Methodology and Resources/Cloud - Azure Pentest.md
+++ b/Methodology and Resources/Cloud - Azure Pentest.md
@@ -90,11 +90,27 @@
 ```
 * [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
 ```powershell
+ # First, retrieve a refresh token (-r) if username/password isn't supported.
+ # An access token (-j) isn't recommended because it can expire before the end of azurehound execution
+ Install-Module AADInternals -Scope CurrentUser
+ Import-Module AADInternals
+ $rt = (Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -PRTToken (Get-AADIntUserPRTToken) -IncludeRefreshToken $true)[1]
+
+ # Second, launch azurehound collector
+ ## Connects on your Azure account using the refresh token provided and the tenant of the account
+ ## and collects every possible objects in contoso.microsoft.com. Results are stored in json
+ ./azurehound -r $rt --tenant "contoso.onmicrosoft.com" list -o azurehound-scan.json --tenant "contoso.microsoft.com"
+ ## Sets configuration file with connection variables and other things (not required)
 ./azurehound configure
+ ## Collects every objects on all accessible tenants using username/password and prints it to stdout
 ./azurehound -u "MattNelson@contoso.onmicrosoft.com" -p "MyVerySecurePassword123" --tenant "contoso.onmicrosoft.com" list
+ ## Collects every objects on a specific tenant using username/password and stores it in json
 ./azurehound -u "phisheduser@contoso.onmicrosoft.com" -p "Password1" list -o initial-scan.json --tenant "contoso.onmicrosoft.com"
+ ## Collects every objects on all tenants accessible using Service Principal secret
 ./azurehound -a "6b5adee8-..." -s "" --tenant "contoso.onmicrosoft.com" list
+ ## Collects AzureAD info (all except AzureRM info) using JWT access token
 ./azurehound -j "ey..." --tenant "contoso.onmicrosoft.com" list az-ad
+ ## Collects every users using refresh token
 ./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list users
 
 # List of collections
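Review bot: The added refresh-token example passes `--tenant` twice with different values, `"contoso.onmicrosoft.com"` before `list` and `"contoso.microsoft.com"` after `-o azurehound-scan.json`, and the comment above it uses the second spelling; that second value looks like a typo for the `onmicrosoft.com` domain used on every other line, so I would keep a single `--tenant "contoso.onmicrosoft.com"` and correct the comment to match. The comment `## Collects every objects on all accessible tenants ...` sits above a command that also passes `--tenant`, so the "all accessible tenants" versus "specific tenant" wording does not match the visible flags and should be reworded. Because these examples put passwords, a service-principal secret and tokens on the command line, a caveat is worth adding next to them, e.g. `## Secrets passed as arguments are recorded in shell history and visible in process listings; prefer the file written by "azurehound configure"`, which the page describes as holding the connection variables. The powershell fence continues past the end of this hunk.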
@@ -1137,4 +1153,4 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
 * [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
 * [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
 * [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
-* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)
\ No newline at end of file
+* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)