Azure AD - Collectors
parent b8bec59c3c
commit 0dd1cc6ac6
@ -1,152 +0,0 @@
## Azure Recon Tools

* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
```powershell
# First, retrieve a refresh token (-r) if username/password isn't supported.
# An access token (-j) isn't recommended because it can expire before the end of azurehound execution
Install-Module AADInternals -Scope CurrentUser
Import-Module AADInternals
$rt = (Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -PRTToken (Get-AADIntUserPRTToken) -IncludeRefreshToken $true)[1]

# Second, launch azurehound collector
./azurehound -r "0.AXMAMe..." list --tenant "753a0bc5-..." -o output.json

## Connects on your Azure account using the refresh token provided and the tenant of the account
## and collects every possible objects in contoso.microsoft.com. Results are stored in json
./azurehound -r $rt --tenant "contoso.onmicrosoft.com" list -o azurehound-scan.json --tenant "contoso.microsoft.com"
## Sets configuration file with connection variables and other things (not required)
./azurehound configure
## Collects every objects on all accessible tenants using username/password and prints it to stdout
./azurehound -u "MattNelson@contoso.onmicrosoft.com" -p "MyVerySecurePassword123" --tenant "contoso.onmicrosoft.com" list
## Collects every objects on a specific tenant using username/password and stores it in json
./azurehound -u "phisheduser@contoso.onmicrosoft.com" -p "Password1" list -o initial-scan.json --tenant "contoso.onmicrosoft.com"
## Collects every objects on all tenants accessible using Service Principal secret
./azurehound -a "6b5adee8-..." -s "<secret>" --tenant "contoso.onmicrosoft.com" list
## Collects AzureAD info (all except AzureRM info) using JWT access token
./azurehound -j "ey..." --tenant "contoso.onmicrosoft.com" list az-ad
## Collects every users using refresh token
./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list users

# List of collections
az-ad: Collect all information available at the AzureAD tenant level. In most tenants, all users have the ability to read all this information by default.
az-rm: Collect all information available at the AzureRM subscription level. Users do not by default have read access to any of this information.

apps: Collects AzureAD application registration objects.
devices: Collects AzureAD devices regardless of join type.
groups: Collects AzureAD security-enabled groups, both role eligible and non role eligible.
key-vaults: Collects AzureRM key vaults.
management-groups: Collects AzureRM management group objects
resource-groups: Collects AzureRM resource group objects
roles: Collects AzureAD admin role objects
service-principals: Collects AzureAD service principals
subscriptions: Collevts AzureRM subscriptions
tenants: Collevts AzureAD tenant objects
users: Collects AzureAD users, including any guest users in the target tenant.
virtual-machines: Collects AzureRM virtual machines

# GUI access
bolt://localhost:7687
Username: neo4j
Password: BloodHound

# Custom Queries : https://hausec.com/2020/11/23/azurehound-cypher-cheatsheet/
# Cypher query examples:
MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
```
* [**BloodHoundAD/BARK**](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
```ps1
. .\BARK.ps1
$MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
$MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
```
* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
```powershell
pipenv shell
roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
roadrecon auth -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
roadrecon gather
roadrecon gui
```
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects
```powershell
# session 1 - backend
pipenv shell
python ssbackend.pyz

# session 2 - frontend
cd C:\Tools\stormspotter\frontend\dist\spa\
quasar.cmd serve -p 9091 --history

# session 3 - collector
pipenv shell
az login -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
python C:\Tools\stormspotter\stormcollector\sscollector.pyz cli

# Web access on http://localhost:9091
Username: neo4j
Password: BloodHound
Server: bolt://localhost:7687
```
* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
```powershell
# You should use an account with at least read-permission on the assets you want to access
PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File
PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
# resolve the TenantID for an specific username
PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
```
* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
```powershell
git submodule init
git submodule update
PS> Import-Module AzureRM
PS> Import-Module AzuriteExplorer.ps1
PS> Review-AzureRmSubscription
PS> Review-CustomAzureRmSubscription
```
* [**NetSPI/MicroBurst**](https://github.com/NetSPI/MicroBurst) - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
```powershell
PS C:> Import-Module .\MicroBurst.psm1
PS C:> Import-Module .\Get-AzureDomainInfo.ps1
PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
```
* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.
Require:
- Read-Only permissions over Azure Directory (Tenant)
- Read-Only permissions over Subscription
- Require AZ and AzureAD module or administrator right

```powershell
$ powershell -ExecutionPolicy Bypass -NoProfile
PS C> Import-Module .\SkyArk.ps1 -force
PS C> Start-AzureStealth
PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
PS C> Scan-AzureAdmins
* [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security
```powershell
# Require az module !
$ ipmo .\PowerZure
$ Set-Subscription -Id [idgoeshere]

# Reader
$ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails

# Contributor
$ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami"
$ Execute-MSBuild -VM Win10Test -ResourceGroup Test-RG -File "build.xml"
$ Get-AllSecrets # AllAppSecrets, AllKeyVaultContents
$ Get-AvailableVMDisks, Get-VMDisk # Download a virtual machine's disk

# Owner
$ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest

# Administrator
$ Create-Backdoor, Execute-Backdoor
```
* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
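Review bot: Several items in this removed file are not re-added anywhere in the commit and are worth keeping: the AzureHound "List of collections" (az-ad, az-rm, apps, devices, groups, key-vaults, management-groups, resource-groups, roles, service-principals, subscriptions, tenants, users, virtual-machines), the comment that a `-j` access token can expire before azurehound finishes while a refresh token (`-r`) does not, the AADInternals refresh-token retrieval, the neo4j GUI access details, and the Cypher examples with the hausec cheat-sheet link. Consider moving them into the rewritten collectors section or a dedicated AzureHound page instead of dropping them. If any of it is restored, fix the defects it had here: the SkyArk ```powershell block is never closed before the PowerZure bullet, the `./azurehound -r $rt ...` line passes `--tenant` twice with different values ("contoso.onmicrosoft.com" and "contoso.microsoft.com"), and "Collevts" in the subscriptions and tenants entries should read "Collects".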
@ -2,16 +2,52 @@

## Azure AD - Collectors
## Azure AD - Collectors

* roadrecon
* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - A collection of Azure AD tools for offensive and defensive security purposes
```ps1
```ps1
roadrecon auth --access-token eyJ0eXA...
roadrecon auth --access-token eyJ0eXA...
roadrecon auth --prt-cookie <primary-refresh-token> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"
roadrecon auth --prt-cookie <primary-refresh-token> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"
roadrecon gather
roadrecon gather
roadrecon gui
```
```
* AzureHound
* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
```ps1
```ps1
./azurehound --refresh-token <refresh-token> list --tenant "<target-tenant-id>" -o output.json
./azurehound --refresh-token <refresh-token> list --tenant "<target-tenant-id>" -o output.json
./azurehound -u "<username>@contoso.onmicrosoft.com" -p "<password>" list groups --tenant "<tenant>.onmicrosoft.com"
./azurehound -j "<jwt>" list users --tenant "<tenant>.onmicrosoft.com"
```
```
* [**BloodHoundAD/BARK**](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
```ps1
. .\BARK.ps1
$MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
$MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
```
* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
```ps1
Invoke-GraphRecon -Tokens $tokens -PermissionEnum
Invoke-DumpCAPS -Tokens $tokens -ResolveGuids
Invoke-DumpApps -Tokens $tokens
Get-DynamicGroups -Tokens $tokens
```
* [**NetSPI/MicroBurst**](https://github.com/NetSPI/MicroBurst) - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
```powershell
PS C:> Import-Module .\MicroBurst.psm1
PS C:> Import-Module .\Get-AzureDomainInfo.ps1
PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
```
* [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security
```powershell
PS C:> Import-Module .\Powerzure.psd1
PS C:> Set-Subscription -Id [idgoeshere]
PS C:> Get-AzureTarget
PS C:> Get-AzureInTuneScript
PS C:> Show-AzureKeyVaultContent -All
```
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - :warning: This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) - :warning: This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) - :warning: This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - :warning: This repository has not been updated recently - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.


## Azure AD - User Enumeration
## Azure AD - User Enumeration
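Review bot: In the new ROADTool block, `roadrecon auth --prt-cookie <primary-refresh-token>` names the placeholder after the wrong input: `--prt-cookie` takes the PRT cookie value (the `x-ms-RefreshTokenCredential` cookie minted from a PRT), not the primary refresh token itself, so rename the placeholder to `<prt-cookie>` before a reader pastes a raw PRT there. Two smaller points in the same hunk: the AzureHound examples switch between `--tenant "<target-tenant-id>"` and `--tenant "<tenant>.onmicrosoft.com"`, so pick one placeholder style and keep the removed file's comment that a `-j` access token can expire before collection completes; and the GraphRunner block passes `$tokens` to every cmdlet without the line that populates it, so add that step or say where `$tokens` comes from.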