mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Azure Tools Update
This commit is contained in:
parent
6dd5c18b45
commit
f7a74feaf7
@ -1,4 +1,4 @@
|
||||
# AWS
|
||||
# Cloud - AWS
|
||||
|
||||
> Amazon Web Services offers reliable, scalable, and inexpensive cloud computing services.
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Azure Active Directory
|
||||
# Cloud - Azure
|
||||
|
||||
## Summary
|
||||
|
||||
@ -59,7 +59,7 @@
|
||||
|
||||
## Azure Recon Tools
|
||||
|
||||
* **ROADTool**
|
||||
* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
|
||||
```powershell
|
||||
pipenv shell
|
||||
roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
|
||||
@ -68,10 +68,8 @@
|
||||
roadrecon gather
|
||||
roadrecon gui
|
||||
```
|
||||
* **StormSpotter**
|
||||
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects
|
||||
```powershell
|
||||
# https://github.com/Azure/Stormspotter
|
||||
|
||||
# session 1 - backend
|
||||
pipenv shell
|
||||
python ssbackend.pyz
|
||||
@ -90,44 +88,45 @@
|
||||
Password: BloodHound
|
||||
Server: bolt://localhost:7687
|
||||
```
|
||||
* **Azure Hound**
|
||||
* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
|
||||
```powershell
|
||||
# https://github.com/BloodHoundAD/AzureHound
|
||||
|
||||
. C:\Tools\AzureHound\AzureHound.ps1
|
||||
Invoke-AzureHound -Verbose
|
||||
./azurehound configure
|
||||
./azurehound -u "MattNelson@contoso.onmicrosoft.com" -p "MyVerySecurePassword123" --tenant "contoso.onmicrosoft.com" list
|
||||
./azurehound -u "phisheduser@contoso.onmicrosoft.com" -p "Password1" list -o initial-scan.json --tenant "contoso.onmicrosoft.com"
|
||||
./azurehound -a "6b5adee8-..." -s "<secret>" --tenant "contoso.onmicrosoft.com" list
|
||||
./azurehound -j "ey..." --tenant "contoso.onmicrosoft.com" list az-ad
|
||||
./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list
|
||||
|
||||
# GUI access
|
||||
bolt://localhost:7687
|
||||
Username: neo4j
|
||||
Password: BloodHound
|
||||
|
||||
# Cypher query example:
|
||||
MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
|
||||
|
||||
# Change object ID's to names in Bloodhound
|
||||
MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
|
||||
|
||||
# Custom Queries : https://hausec.com/2020/11/23/azurehound-cypher-cheatsheet/
|
||||
# Cypher query examples:
|
||||
MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
|
||||
MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
|
||||
```
|
||||
* List of Microsoft portals: https://msportals.io/
|
||||
* **Azucar** : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
|
||||
* [BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
|
||||
```ps1
|
||||
. .\BARK.ps1
|
||||
$MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
|
||||
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
|
||||
$MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
|
||||
```
|
||||
* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
|
||||
* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
|
||||
```powershell
|
||||
# You should use an account with at least read-permission on the assets you want to access
|
||||
git clone https://github.com/nccgroup/azucar.git
|
||||
PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File
|
||||
|
||||
PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT
|
||||
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
|
||||
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
|
||||
|
||||
# resolve the TenantID for an specific username
|
||||
PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
|
||||
```
|
||||
* **Azurite Explorer** and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
|
||||
* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
|
||||
```powershell
|
||||
git clone https://github.com/mwrlabs/Azurite.git
|
||||
git clone https://github.com/FSecureLABS/Azurite
|
||||
git submodule init
|
||||
git submodule update
|
||||
PS> Import-Module AzureRM
|
||||
@ -135,33 +134,27 @@
|
||||
PS> Review-AzureRmSubscription
|
||||
PS> Review-CustomAzureRmSubscription
|
||||
```
|
||||
* **MicroBurst** - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
|
||||
* [**NetSPI/MicroBurst**](https://github.com/NetSPI/MicroBurst) - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
|
||||
```powershell
|
||||
$ git clone https://github.com/NetSPI/MicroBurst
|
||||
PS C:> Import-Module .\MicroBurst.psm1
|
||||
PS C:> Import-Module .\Get-AzureDomainInfo.ps1
|
||||
PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
|
||||
```
|
||||
* **SkyArk** - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.
|
||||
* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.
|
||||
Require:
|
||||
- Read-Only permissions over Azure Directory (Tenant)
|
||||
- Read-Only permissions over Subscription
|
||||
- Require AZ and AzureAD module or administrator right
|
||||
|
||||
```powershell
|
||||
$ git clone https://github.com/cyberark/SkyArk
|
||||
$ powershell -ExecutionPolicy Bypass -NoProfile
|
||||
PS C> Import-Module .\SkyArk.ps1 -force
|
||||
PS C> Start-AzureStealth
|
||||
|
||||
or in the Cloud Console
|
||||
|
||||
PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
|
||||
PS C> Scan-AzureAdmins
|
||||
* **PowerZure** -
|
||||
* [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security
|
||||
```powershell
|
||||
require az module !
|
||||
$ git clone https://github.com/hausec/PowerZure
|
||||
# Require az module !
|
||||
$ ipmo .\PowerZure
|
||||
$ Set-Subscription -Id [idgoeshere]
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user