Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

This commit is contained in:
Translator
2024-12-31 20:29:08 +00:00
parent 2753c75e8b
commit 396dbafaf2
245 changed files with 9878 additions and 12609 deletions


@@ -2,86 +2,85 @@
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
{{#ref}}
az-basic-information/
{{#endref}}
## Azure Pentester/Red Team Methodology
## Azure Pentester/Red Team Metodologie
In order to audit an AZURE environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal Azure services and **external services** connected.
Om 'n AZURE omgewing te oudit, is dit baie belangrik om te weet: watter **dienste gebruik word**, wat is **blootgestel**, wie het **toegang** tot wat, en hoe is interne Azure dienste en **eksterne dienste** gekoppel.
From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **credentials** for Azure AD. Here you have some ideas on how to do that:
Vanuit 'n Red Team perspektief, is die **eerste stap om 'n Azure omgewing te kompromitteer** om daarin te slaag om 'n paar **bewyse** vir Azure AD te verkry. Hier is 'n paar idees oor hoe om dit te doen:
- **Leaks** in github (or similar) - OSINT
- **Social** Engineering
- **Password** reuse (password leaks)
- Vulnerabilities in Azure-Hosted Applications
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
- **Local File Read**
- `/home/USERNAME/.azure`
- `C:\Users\USERNAME\.azure`
- The file **`accessTokens.json`** in `az cli` before 2.30 - Jan2022 - stored **access tokens in clear text**
- The file **`azureProfile.json`** contains **info** about logged user.
- **`az logout`** removes the token.
- Older versions of **`Az PowerShell`** stored **access tokens** in **clear** text in **`TokenCache.dat`**. It also stores **ServicePrincipalSecret** in **clear**-text in **`AzureRmContext.json`**. The cmdlet **`Save-AzContext`** can be used to **store** **tokens**.\
Use `Disconnect-AzAccount` to remove them.
- 3rd parties **breached**
- **Internal** Employee
- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App)
- [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
- [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
- **Lekke** in github (of soortgelyk) - OSINT
- **Sosiale** Ingenieurswese
- **Wagwoord** hergebruik (wagwoordlekke)
- Kwesbaarhede in Azure-gehoste toepassings
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) met toegang tot metadata-eindpunt
- **Plaaslike Lêer Lees**
- `/home/USERNAME/.azure`
- `C:\Users\USERNAME\.azure`
- Die lêer **`accessTokens.json`** in `az cli` voor 2.30 - Jan2022 - gestoor **toegangstokens in duidelike teks**
- Die lêer **`azureProfile.json`** bevat **inligting** oor die ingelogde gebruiker.
- **`az logout`** verwyder die token.
- Ou weergawe van **`Az PowerShell`** het **toegangstokens** in **duidelike** teks in **`TokenCache.dat`** gestoor. Dit stoor ook **ServicePrincipalSecret** in **duidelike** teks in **`AzureRmContext.json`**. Die cmdlet **`Save-AzContext`** kan gebruik word om **tokens** te **stoor**.\
Gebruik `Disconnect-AzAccount` om hulle te verwyder.
- 3de partye **gekompromitteer**
- **Interne** Werknemer
- [**Algemene Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (bewyse of Oauth App)
- [Toestelkode Verifikasie Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
- [Azure **Wagwoord Spuit**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
Even if you **haven't compromised any user** inside the Azure tenant you are attacking, you can **gather some information** from it:
Selfs as jy **nie enige gebruiker** binne die Azure tenant wat jy aanval, gecompromitteer het nie, kan jy **'n paar inligting** daaruit versamel:
{{#ref}}
az-unauthenticated-enum-and-initial-entry/
{{#endref}}
> [!NOTE]
> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration:
> Nadat jy daarin geslaag het om bewese te verkry, moet jy weet **aan wie behoort daardie bewese**, en **waartoe hulle toegang het**, so jy moet 'n paar basiese enumerasie uitvoer:
## Basic Enumeration
## Basiese Enumerasie
> [!NOTE]
> Remember that the **noisiest** part of the enumeration is the **login**, not the enumeration itself.
> Onthou dat die **luidste** deel van die enumerasie die **inlog** is, nie die enumerasie self nie.
### SSRF
If you found a SSRF in a machine inside Azure check this page for tricks:
As jy 'n SSRF in 'n masjien binne Azure gevind het, kyk hierdie bladsy vir truuks:
{{#ref}}
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
{{#endref}}
### Bypass Login Conditions
### Bypass Inlog Voorwaardes
<figure><img src="../../images/image (268).png" alt=""><figcaption></figcaption></figure>
In cases where you have some valid credentials but you cannot login, these are some common protections that could be in place:
In gevalle waar jy 'n paar geldige bewese het maar jy kan nie inlog nie, is dit 'n paar algemene beskermings wat in plek kan wees:
- **IP whitelisting** -- You need to compromise a valid IP
- **Geo restrictions** -- Find where the user lives or where are the offices of the company and get a IP from the same city (or contry at least)
- **Browser** -- Maybe only a browser from certain OS (Windows, Linux, Mac, Android, iOS) is allowed. Find out which OS the victim/company uses.
- You can also try to **compromise Service Principal credentials** as they usually are less limited and its login is less reviewed
- **IP witlys** -- Jy moet 'n geldige IP kompromitteer
- **Geo beperkings** -- Vind waar die gebruiker woon of waar die kantore van die maatskappy is en kry 'n IP van dieselfde stad (of land ten minste)
- **Blaaier** -- Miskien is slegs 'n blaaier van sekere OS (Windows, Linux, Mac, Android, iOS) toegelaat. Vind uit watter OS die slagoffer/maatskappy gebruik.
- Jy kan ook probeer om **Service Principal bewese** te kompromitteer aangesien hulle gewoonlik minder beperk is en hul inlog minder nagegaan word.
After bypassing it, you might be able to get back to your initial setup and you will still have access.
Nadat jy dit omseil het, mag jy in staat wees om terug te keer na jou aanvanklike opstelling en jy sal steeds toegang hê.
### Subdomain Takeover
### Subdomein Oorname
- [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/)
### Whoami
> [!CAUTION]
> Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - Entra ID**](az-services/az-azuread.md) section.
> Leer **hoe om** az cli, AzureAD en Az PowerShell in die [**Az - Entra ID**](az-services/az-azuread.md) afdeling te installeer.
One of the first things you need to know is **who you are** (in which environment you are):
Een van die eerste dinge wat jy moet weet is **wie jy is** (in watter omgewing jy is):
{{#tabs }}
{{#tab name="az cli" }}
```bash
az account list
az account tenant list # Current tenant info
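Review bot: the translated lines use two spellings for the same term, `bewyse` (the "Vanuit 'n Red Team perspektief" paragraph) and `bewese` (the NOTE block and the "Bypass Inlog Voorwaardes" bullets), and likewise `kompromitteer` next to `gecompromitteer`; settle on one form for "credentials" and one for "compromise" throughout the file. In the `accessTokens.json` bullet the verb is misplaced: "voor 2.30 - Jan2022 - gestoor **toegangstokens in duidelike teks**" should read "het voor 2.30 - Jan2022 - **toegangstokens in duidelike teks** gestoor", and "Ou weergawe van Az PowerShell" is singular where the English has "Older versions".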
@@ -90,22 +89,18 @@ az ad signed-in-user show # Current signed-in user
az ad signed-in-user list-owned-objects # Get owned objects by current user
az account management-group list #Not allowed by default
```
{{#endtab }}
{{#tab name="AzureAD" }}
```powershell
#Get the current session state
Get-AzureADCurrentSessionInfo
#Get details of the current tenant
Get-AzureADTenantDetail
```
{{#endtab }}
{{#tab name="Az PowerShell" }}
```powershell
# Get the information about the current context (Account, Tenant, Subscription etc.)
Get-AzContext
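Review bot: the header reports 22 lines becoming 18, yet every visible line in this hunk is unchanged context, so the four dropped lines are blank lines between `{{#endtab }}`, `{{#tab ...}}` and the code fences; confirm the mdBook tabs preprocessor still renders the tab block correctly without them, since the same pattern repeats in the hunks below.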
@@ -121,53 +116,49 @@ Get-AzResource
Get-AzRoleAssignment # For all users
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com # For current user
```
{{#endtab }}
{{#endtabs }}
> [!CAUTION]
> Oone of the most important commands to enumerate Azure is **`Get-AzResource`** from Az PowerShell as it lets you **know the resources your current user has visibility over**.
> Een van die belangrikste opdragte om Azure te enumerate is **`Get-AzResource`** van Az PowerShell, aangesien dit jou **inligting gee oor die hulpbronne wat jou huidige gebruiker kan sien**.
>
> You can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources"
> Jy kan dieselfde inligting in die **webkonsol** kry deur na [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) te gaan of te soek na "Alle hulpbronne"
### ENtra ID Enumeration
By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/#default-user-permissions)).\
You can find here a guide:
Standaard behoort enige gebruiker **voldoende regte te hê om** dinge soos gebruikers, groepe, rolle, diensprincipals... te enumerate (kyk [standaard AzureAD regte](az-basic-information/#default-user-permissions)).\
Jy kan hier 'n gids vind:
{{#ref}}
az-services/az-azuread.md
{{#endref}}
> [!NOTE]
> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
> In the following section you can check some ways to **enumerate some common services.**
> Nou dat jy **'n bietjie inligting oor jou akrediteerings het** (en as jy 'n rooi span is, hoop ek jy **is nie opgespoor nie**). Dit is tyd om uit te vind watter dienste in die omgewing gebruik word.\
> In die volgende afdeling kan jy 'n paar maniere kyk om **'n paar algemene dienste te enumerate.**
## App Service SCM
Kudu console to log in to the App Service 'container'.
Kudu-konsol om in te log in die App Service 'houer'.
## Webshell
Use portal.azure.com and select the shell, or use shell.azure.com, for a bash or powershell. The 'disk' of this shell are stored as an image file in a storage-account.
Gebruik portal.azure.com en kies die shell, of gebruik shell.azure.com, vir 'n bash of powershell. Die 'skyf' van hierdie shell word as 'n beeldlêer in 'n stoorrekening gestoor.
## Azure DevOps
Azure DevOps is separate from Azure. It has repositories, pipelines (yaml or release), boards, wiki, and more. Variable Groups are used to store variable values and secrets.
Azure DevOps is apart van Azure. Dit het repositories, pipelines (yaml of release), borde, wiki, en meer. Veranderlike Groepe word gebruik om veranderlike waardes en geheime te stoor.
## Debug | MitM az cli
Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending:
Deur die parameter **`--debug`** te gebruik, is dit moontlik om al die versoeke wat die hulpmiddel **`az`** stuur, te sien:
```bash
az account management-group list --output table --debug
```
In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do:
Om 'n **MitM** na die hulpmiddel te doen en **al die versoeke** wat dit handmatig stuur te kontroleer, kan jy doen:
{{#tabs }}
{{#tab name="Bash" }}
```bash
export ADAL_PYTHON_SSL_NO_VERIFY=1
export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
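Review bot: section headings are translated inconsistently in this hunk: `### Subdomain Takeover` gets an Afrikaans twin, but `### ENtra ID Enumeration`, `## App Service SCM`, `## Webshell`, `## Azure DevOps` and `## Debug | MitM az cli` have none, and `ENtra` should be `Entra`. In the MitM sentence the adverb has moved: "al die versoeke wat dit handmatig stuur te kontroleer" says the tool sends requests manually, whereas the English "check all the requests it's sending manually" means the checking is manual; "al die versoeke wat dit stuur handmatig te kontroleer" keeps the meaning. The English verb "enumerate" is also left untranslated inside the Afrikaans lines ("om Azure te enumerate", "te enumerate"), where "enumereer" would fit.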
@@ -180,25 +171,21 @@ export HTTP_PROXY="http://127.0.0.1:8080"
openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
```
{{#endtab }}
{{#tab name="PS" }}
```bash
$env:ADAL_PYTHON_SSL_NO_VERIFY=1
$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
$env:HTTPS_PROXY="http://127.0.0.1:8080"
$env:HTTP_PROXY="http://127.0.0.1:8080"
```
{{#endtab }}
{{#endtabs }}
## Automated Recon Tools
## Geoutomatiseerde Verkenning Gereedskap
### [**ROADRecon**](https://github.com/dirkjanm/ROADtools)
```powershell
cd ROADTools
pipenv shell
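Review bot: the `PS` tab's fence is tagged `bash` although its lines are PowerShell (`$env:...`); tag it `powershell`. That tab also omits the Bash tab's CA-bundle step (`openssl x509 ... -out ~/Downloads/cacert.pem` and `REQUESTS_CA_BUNDLE=...`), so it works only because `ADAL_PYTHON_SSL_NO_VERIFY` and `AZURE_CLI_DISABLE_CONNECTION_VERIFICATION` switch certificate checking off; the text should state that these two variables disable TLS verification for every `az` call in that session and should be unset once the proxy capture is done. The Bash tab also mixes `~/Downloads` with the literal `/Users/user/Downloads`, which only matches one user.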
@@ -206,9 +193,7 @@ roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!"
roadrecon gather
roadrecon gui
```
### [Monkey365](https://github.com/silverhack/monkey365)
```powershell
Import-Module monkey365
Get-Help Invoke-Monkey365
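Review bot: the fence is tagged `powershell` but `cd ROADTools`, `pipenv shell` and the `roadrecon` commands are shell-neutral, and the repository in the heading's URL is `ROADtools` (lower-case t), so `cd ROADTools` fails on a case-sensitive filesystem. `roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!"` also writes the password into shell history; the text could say the inline `-p` is for illustration and that reading it from a prompt or variable avoids that.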
@@ -216,9 +201,7 @@ Get-Help Invoke-Monkey365 -Detailed
Invoke-Monkey365 -IncludeEntraID -ExportTo HTML -Verbose -Debug -InformationAction Continue
Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML
```
### [**Stormspotter**](https://github.com/Azure/Stormspotter)
```powershell
# Start Backend
cd stormspotter\backend\
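Review bot: `Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML` has a space between the dash and `Instance`, so PowerShell will not parse it as the `-Instance` parameter and the call fails; it should read `Invoke-Monkey365 -Instance Azure -Analysis All -ExportTo HTML`.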
@@ -236,9 +219,7 @@ az login -u test@corp.onmicrosoft.com -p Welcome2022!
python stormspotter\stormcollector\sscollector.pyz cli
# This will generate a .zip file to upload in the frontend (127.0.0.1:9091)
```
### [**AzureHound**](https://github.com/BloodHoundAD/AzureHound)
```powershell
# You need to use the Az PowerShell and Azure AD modules:
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
@@ -294,9 +275,7 @@ MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContribu
## All Azure AD Groups that are synchronized with On-Premise AD
MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n
```
### [Azucar](https://github.com/nccgroup/azucar)
```bash
# You should use an account with at least read-permission on the assets you want to access
git clone https://github.com/nccgroup/azucar.git
@@ -309,17 +288,13 @@ PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials
# resolve the TenantID for an specific username
PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
```
### [**MicroBurst**](https://github.com/NetSPI/MicroBurst)
```
Import-Module .\MicroBurst.psm1
Import-Module .\Get-AzureDomainInfo.ps1
Get-AzureDomainInfo -folder MicroBurst -Verbose
```
### [**PowerZure**](https://github.com/hausec/PowerZure)
```powershell
Connect-AzAccount
ipmo C:\Path\To\Powerzure.psd1
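Review bot: the Azucar fence is tagged `bash` yet its lines carry `PS>` prompts and run a `.ps1` script, and the MicroBurst fence a few lines below has no language tag at all; tag both `powershell` and drop the `PS>` prefixes so the lines paste cleanly like the other tool blocks. Also "an specific username" should be "a specific username".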
@@ -340,9 +315,7 @@ $ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest
# Administrator
$ Create-Backdoor, Execute-Backdoor
```
### [**GraphRunner**](https://github.com/dafthack/GraphRunner/wiki/Invoke%E2%80%90GraphRunner)
```powershell
#Get-GraphTokens
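Review bot: the `$ ` prefixes on `$ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest` and `$ Create-Backdoor, Execute-Backdoor` are shell prompts left in a `powershell` block whose other lines have none; in PowerShell a leading `$` begins a variable name, so these lines fail if pasted. Remove the prefixes.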
@@ -398,9 +371,4 @@ Get-TenantID -Domain
#Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams.
Invoke-GraphRunner -Tokens $tokens
```
{{#include ../../banners/hacktricks-training.md}}