a

src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md

@@ -208,6 +208,26 @@ microsoft_office_bearer_tokens_for_graph_api = (
 pprint(microsoft_office_bearer_tokens_for_graph_api)
 ```
 
+## Where to find tokens
+
+From an attackers perspective it's very interesting to know where is it possible to find access and refresh tokens when for example the PC of a victim is compromised:
+
+- Inside **`<HOME>/.Azure`**
+  - **`azureProfile.json`** contains info about logged in users from the past
+  - **`clouds.config contains`** info about subscriptions
+  - **`service_principal_entries.json`** contains applications credentials (tenant id, clients and secret). Only in Linux & macOS
+  - **`msal_token_cache.json`** contains contains access tokens and refresh tokens. Only in Linux & macOS 
+  - **`service_principal_entries.bin`** and msal_token_cache.bin are used in Windows and are encrypted with DPAPI
+  - **`msal_http_cache.bin`** is a cache of HTTP request
+    - Load it: `with open("msal_http_cache.bin", 'rb') as f: pickle.load(f)`
+  - **`AzureRmContext.json`** contains information about previous logins using Az PowerShell (but no credentials)
+- Inside **`C:\Users\<username>\AppData\Local\Microsoft\IdentityCache\*`** are several `.bin` files with **access tokens**, ID tokens and account information encrypted with the users DPAPI.
+- It’s possible to find more **access tokens** in the `.tbres` files inside **`C:\Users\<username>\AppData\Local\Microsoft\TokenBroken\Cache\`** which contain a base64 encrypted with DPAPI with access tokens.
+- In Linux and macOS you can get **access tokens, refresh tokens and id tokens** from Az PowerShell (if used) running `pwsh -Command "Save-AzContext -Path /tmp/az-context.json"`
+  - In Windows this just generates id tokens.
+  - Possible to see if Az PowerShell was used in Linux and macSO checking is `$HOME/.local/share/.IdentityService/` exists (although the contained files are empty and useless)
+- If the user is **logged inside Azure with the browser**, according to this [**post**](https://www.infosecnoodle.com/p/obtaining-microsoft-entra-refresh?r=357m16&utm_campaign=post&utm_medium=web) it's possible to start the authentication flow with a **redirect to localhost**, make the browser automatically authorize the login, and receive the resh token. Note that there are only a few FOCI applications that allow redicet to localhost (like az cli or the powershell module), so these applications must be allowed.
+
 ## References
 
 - [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research)

src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md

@@ -127,6 +127,7 @@ If you managed to **escape from the container** there are some interesting thing
     - `/var/lib/kubelet/config.yaml`
     - `/var/lib/kubelet/kubeadm-flags.env`
     - `/etc/kubernetes/kubelet-kubeconfig`
+    - `/etc/kubernetes/admin.conf` --> `kubectl --kubeconfig /etc/kubernetes/admin.conf get all -n kube-system`
   - Other **kubernetes common files**:
     - `$HOME/.kube/config` - **User Config**
     - `/etc/kubernetes/kubelet.conf`- **Regular Config**

src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md

@@ -36,6 +36,10 @@ curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh
 kubescape scan --verbose
 ```
 
+### [**Popeye**](https://github.com/derailed/popeye)
+
+[**Popeye**](https://github.com/derailed/popeye) is a utility that scans live Kubernetes cluster and **reports potential issues with deployed resources and configurations**. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive \_over_load one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity.
+
 ### [**Kube-bench**](https://github.com/aquasecurity/kube-bench)
 
 The tool [**kube-bench**](https://github.com/aquasecurity/kube-bench) is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [**CIS Kubernetes Benchmark**](https://www.cisecurity.org/benchmark/kubernetes/).\
@@ -97,10 +101,6 @@ kube-hunter --remote some.node.com
 
 ## **Audit IaC Code**
 
-### [**Popeye**](https://github.com/derailed/popeye)
-
-[**Popeye**](https://github.com/derailed/popeye) is a utility that scans live Kubernetes cluster and **reports potential issues with deployed resources and configurations**. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive \_over_load one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity.
-
 ### [**KICS**](https://github.com/Checkmarx/kics)
 
 [**KICS**](https://github.com/Checkmarx/kics) finds **security vulnerabilities**, compliance issues, and infrastructure misconfigurations in the following **Infrastructure as Code solutions**: Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, Helm, Microsoft ARM, and OpenAPI 3.0 specifications
@@ -208,6 +208,13 @@ You should update your Kubernetes environment as frequently as necessary to have
   - cloud controller manager, if you use one.
 - Upgrade the Worker Node components such as kube-proxy, kubelet.
 
+## Kubernetes monitoring & security:
+
+- Kyverno Policy Engine
+- Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
+- Network Security Policies
+- Falco - Runtime security monitoring & detection
+
 {{#include ../../../banners/hacktricks-training.md}}
 
 

src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md

@@ -2,6 +2,7 @@
 
 **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196)
 
+
 ## Abusing policies misconfiguration
 
 ### Enumerate rules
@@ -59,5 +60,7 @@ Another way to bypass policies is to focus on the ValidatingWebhookConfiguration
 ../kubernetes-validatingwebhookconfiguration.md
 {{#endref}}
 
+## More info
 
+For more info check [https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/](https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/)