Azure Tools Update

This commit is contained in:
Swissky 2022-10-12 18:03:49 +02:00
parent 6dd5c18b45
commit f7a74feaf7
2 changed files with 28 additions and 35 deletions

View File

@ -1,4 +1,4 @@
# AWS
# Cloud - AWS
> Amazon Web Services offers reliable, scalable, and inexpensive cloud computing services.

View File

@ -1,4 +1,4 @@
# Azure Active Directory
# Cloud - Azure
## Summary
@ -59,7 +59,7 @@
## Azure Recon Tools
* **ROADTool**
* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
```powershell
pipenv shell
roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
@ -68,10 +68,8 @@
roadrecon gather
roadrecon gui
```
* **StormSpotter**
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects
```powershell
# https://github.com/Azure/Stormspotter
# session 1 - backend
pipenv shell
python ssbackend.pyz
@ -90,44 +88,45 @@
Password: BloodHound
Server: bolt://localhost:7687
```
* **Azure Hound**
* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
```powershell
# https://github.com/BloodHoundAD/AzureHound
. C:\Tools\AzureHound\AzureHound.ps1
Invoke-AzureHound -Verbose
./azurehound configure
./azurehound -u "MattNelson@contoso.onmicrosoft.com" -p "MyVerySecurePassword123" --tenant "contoso.onmicrosoft.com" list
./azurehound -u "phisheduser@contoso.onmicrosoft.com" -p "Password1" list -o initial-scan.json --tenant "contoso.onmicrosoft.com"
./azurehound -a "6b5adee8-..." -s "<secret>" --tenant "contoso.onmicrosoft.com" list
./azurehound -j "ey..." --tenant "contoso.onmicrosoft.com" list az-ad
./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list
# GUI access
bolt://localhost:7687
Username: neo4j
Password: BloodHound
# Cypher query example:
MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
# Change object ID's to names in Bloodhound
MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
# Custom Queries : https://hausec.com/2020/11/23/azurehound-cypher-cheatsheet/
# Cypher query examples:
MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
```
* List of Microsoft portals: https://msportals.io/
* **Azucar** : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
* [BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
```ps1
. .\BARK.ps1
$MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
$MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
```
* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
```powershell
# You should use an account with at least read-permission on the assets you want to access
git clone https://github.com/nccgroup/azucar.git
PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File
PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
# resolve the TenantID for an specific username
PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
```
* **Azurite Explorer** and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
```powershell
git clone https://github.com/mwrlabs/Azurite.git
git clone https://github.com/FSecureLABS/Azurite
git submodule init
git submodule update
PS> Import-Module AzureRM
@ -135,33 +134,27 @@
PS> Review-AzureRmSubscription
PS> Review-CustomAzureRmSubscription
```
* **MicroBurst** - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
* [**NetSPI/MicroBurst**](https://github.com/NetSPI/MicroBurst) - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
```powershell
$ git clone https://github.com/NetSPI/MicroBurst
PS C:> Import-Module .\MicroBurst.psm1
PS C:> Import-Module .\Get-AzureDomainInfo.ps1
PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
```
* **SkyArk** - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.
* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.
Require:
- Read-Only permissions over Azure Directory (Tenant)
- Read-Only permissions over Subscription
- Require AZ and AzureAD module or administrator right
```powershell
$ git clone https://github.com/cyberark/SkyArk
$ powershell -ExecutionPolicy Bypass -NoProfile
PS C> Import-Module .\SkyArk.ps1 -force
PS C> Start-AzureStealth
or in the Cloud Console
PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
PS C> Scan-AzureAdmins
* **PowerZure** -
* [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security
```powershell
require az module !
$ git clone https://github.com/hausec/PowerZure
# Require az module !
$ ipmo .\PowerZure
$ Set-Subscription -Id [idgoeshere]