From 626155bec125216ce55904c4366e1f42f0729db5 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Sun, 26 Jan 2025 16:06:53 +0100 Subject: [PATCH] small fixes --- src/pentesting-cloud/azure-security/README.md | 14 +++++++++----- .../azure-security/az-persistence/README.md | 4 ++-- .../azure-security/az-services/az-azuread.md | 4 ++-- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/src/pentesting-cloud/azure-security/README.md b/src/pentesting-cloud/azure-security/README.md index ad01e10c1..f53909e7b 100644 --- a/src/pentesting-cloud/azure-security/README.md +++ b/src/pentesting-cloud/azure-security/README.md @@ -22,7 +22,7 @@ The first step is of course to enumerate information about the tenant you are at Based on the domain name it's possible to know **if the company if using Azure**, get the **tenant ID**, get other **valid domains** in the same tenant (if more) and get **relevant information** like if SSO is enabled, mail configurations, valid user emails... -Check the folloeing page to learn how to perform the **external enumeration**: +Check the following page to learn how to perform the **external enumeration**: {{#ref}} az-unauthenticated-enum-and-initial-entry/ @@ -72,7 +72,7 @@ The following tools will be super useful to enumerate both Entra ID tenants and az-enumeration-tools.md {{#endref}} -### Bypass Login Conditions +### Bypass Access Policies
@@ -85,7 +85,11 @@ In cases where you have some valid credentials but you cannot login, these are s After bypassing it, you might be able to get back to your initial setup and you will still have access. +Check: +{{#ref}} +az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md +{{#endref}} ### Whoami @@ -145,7 +149,7 @@ Get-AzureADTenantDetail {{#endtabs }} -### Entra ID Enumeration & Privilege Escalation +### Entra ID Enumeration & Privesc By default, any user should have **enough permissions to enumerate** things such as users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/index.html#default-user-permissions)).\ You can find here a guide: @@ -161,7 +165,7 @@ az-enumeration-tools.md#automated-post-exploitation-tools {{#endref}} -### Enumerate Azure Services +### Azure Enumeration Once you know who you are, you can start enumerating the **Azure services you have access to**. @@ -196,7 +200,7 @@ In the following section you can find **information about the most common Azure az-services/ {{#endref}} -### Privilege Escalation, Post-Exploitation & Persistence in Azure Services +### Privilege Escalation, Post-Exploitation & Persistence Once you know how is the Azure environment structured and what services are being used, you can start looking for ways to **escalate privileges, move laterally, perform other post-exploitation attacks and maintain persistence**. diff --git a/src/pentesting-cloud/azure-security/az-persistence/README.md b/src/pentesting-cloud/azure-security/az-persistence/README.md index 55c6251fb..48a83293d 100644 --- a/src/pentesting-cloud/azure-security/az-persistence/README.md +++ b/src/pentesting-cloud/azure-security/az-persistence/README.md 
@@ -2,9 +2,9 @@ {{#include ../../../banners/hacktricks-training.md}} -### Illicit Consent Grant +### OAuth Application -By default, any user can register an application in Azure AD. So you can register an application (only for the target tenant) that needs high impact permissions with admin consent (an approve it if you are the admin) - like sending mail on a user's behalf, role management etc.T his will allow us to **execute phishing attacks** that would be very **fruitful** in case of success. +By default, any user can register an application in Entra ID. So you can register an application (only for the target tenant) that needs high impact permissions with admin consent (an approve it if you are the admin) - like sending mail on a user's behalf, role management etc.T his will allow us to **execute phishing attacks** that would be very **fruitful** in case of success. Moreover, you could also accept that application with your user as a way to maintain access over it. diff --git a/src/pentesting-cloud/azure-security/az-services/az-azuread.md b/src/pentesting-cloud/azure-security/az-services/az-azuread.md index cc04587c4..12cbd91aa 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-azuread.md +++ b/src/pentesting-cloud/azure-security/az-services/az-azuread.md @@ -1001,7 +1001,7 @@ When PIM is enabled it's possible to configure each role with certain requiremen - Max time to expire the elegible assignments - A lot more configuration on when and who to send notifications when certain actions happen with that role -### Conditional Access Policies +### Conditional Access Policies Check: @@ -1009,7 +1009,7 @@ Check: ../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md {{#endref}} -### Entra Identity Protection +### Entra Identity Protection Entra Identity Protection is a security service that allows to **detect when a user or a sign-in is too risky** to be accepted, allowing to **block** the user or the sig-in attempt.
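Review bot: in src/pentesting-cloud/azure-security/README.md, hunk @@ -22,7 corrects "folloeing" but leaves the typo in the context line directly above it, which still reads "if the company if using Azure". Since the commit is already fixing spelling in this paragraph, change that to "is using Azure" in the same hunk.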
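Review bot: in README.md hunk @@ -72,7, renaming "### Bypass Login Conditions" to "### Bypass Access Policies" changes the fragment that the heading generates, and this book does link by fragment (the @@ -161,7 context shows `az-enumeration-tools.md#automated-post-exploitation-tools`). Search the repository for links that use the fragment derived from the old heading text and update them in this commit. The same check applies to the other headings this patch renames.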
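Review bot: in README.md hunk @@ -85,7, the added "+Check:" lead-in does not tell the reader what the linked page covers. The target file name, az-conditional-access-policies-mfa-bypass.md, indicates conditional access policies and MFA, so name that topic in the sentence instead of a bare "Check:", so a reader knows why to follow the reference from this section.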
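Review bot: in README.md hunk @@ -145,7, the new heading "### Entra ID Enumeration & Privesc" abbreviates the term, while hunk @@ -196,7 of the same file keeps it spelled out in "### Privilege Escalation, Post-Exploitation & Persistence". Use one form for both headings; the spelled-out form is easier to search for.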
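Review bot: in src/pentesting-cloud/azure-security/az-persistence/README.md, hunk @@ -2,9, the rewritten "+" line only swaps "Azure AD" for "Entra ID" and carries over two typos from the removed line: "(an approve it if you are the admin)" should be "and approve it", and "etc.T his will" should be "etc. This will". Fix both while the line is being edited. The heading change from "Illicit Consent Grant" to "OAuth Application" also removes the only mention of that technique name from the section, so consider keeping the term in the first sentence for readers who search for it.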
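Review bot: in src/pentesting-cloud/azure-security/az-services/az-azuread.md, hunk @@ -1001,7, the removed and added lines both read "### Conditional Access Policies", so the change is presumably whitespace only. The subject "small fixes" does not say so; mention the whitespace cleanup in the commit message so the hunk does not look like a no-op. The context line "Max time to expire the elegible assignments" is also worth correcting to "eligible" here.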
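Review bot: in az-azuread.md hunk @@ -1009,7, the heading "### Entra Identity Protection" is re-added with no visible change, and the sentence right below it still ends with "block the user or the sig-in attempt". Correct "sig-in" to "sign-in" in this hunk, since the heading line above it is already being touched.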