From 6736e6d5c8d56258861cf8716e855fed95cc66fe Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Thu, 23 Jan 2025 00:03:36 +0100 Subject: [PATCH] more azure stuff --- src/SUMMARY.md | 3 +- src/pentesting-cloud/azure-security/README.md | 45 +++--- .../az-basic-information/README.md | 2 +- .../README.md | 142 ++++++++++-------- .../az-password-spraying.md | 5 +- .../az-storage-unauth.md | 49 ++++++ .../{az-vms-unath.md => az-vms-unauth.md} | 2 +- 7 files changed, 158 insertions(+), 90 deletions(-) create mode 100644 src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md rename src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/{az-vms-unath.md => az-vms-unauth.md} (98%) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 6172b28d3..d05776c71 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -398,7 +398,8 @@ - [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md) - [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md) - [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md) - - [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md) + - [Az - Storage Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md) + - [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md) - [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) - [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) - [Az - Services](pentesting-cloud/azure-security/az-services/README.md) 
diff --git a/src/pentesting-cloud/azure-security/README.md b/src/pentesting-cloud/azure-security/README.md index 0caa81da2..94a939282 100644 --- a/src/pentesting-cloud/azure-security/README.md +++ b/src/pentesting-cloud/azure-security/README.md @@ -4,6 +4,8 @@ ## Basic Information +Learn the basics of Azure and Entra ID in the following page: + {{#ref}} az-basic-information/ {{#endref}} @@ -12,11 +14,16 @@ az-basic-information/ In order to audit an AZURE environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal Azure services and **external services** connected. -From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **credentials** for Azure AD. Here you have some ideas on how to do that: +From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **foothold**. -- **Leaks** in github (or similar) - OSINT +### Initial Access + +Here you can find the most common ways to get initial access to an Azure/Entra ID environment: + +- **OSINT**: Check for **leaks** in Github or any other open source platform that could contain **credentials** or interesting information. + - - **Social** Engineering -- **Password** reuse (password leaks) +- **Password** reuse, leaks or [password spraying](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) - Vulnerabilities in Azure-Hosted Applications - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint - **Local File Read** 
@@ -31,7 +38,6 @@ From a Red Team point of view, the **first step to compromise an Azure environme - **Internal** Employee - [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or Oauth App) - [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) -- [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) Even if you **haven't compromised any user** inside the Azure tenant you are attacking, you can **gather some information** from it: @@ -49,10 +55,21 @@ az-unauthenticated-enum-and-initial-entry/ ### SSRF -If you found a SSRF in a machine inside Azure check this page for tricks: +If you found a SSRF in a server inside Azure check this page for tricks: {{#ref}} -https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure{{#endref}} + +### Subdomain Takeover + +- [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/) + +### Azure & Entra ID tooling + +The following tools will be super useful to enumerate both Entra ID tenants and Azure environments slowly (to avoid detection) or automatically (to save time): + +{{#ref}} +az-enumeration-tools.md {{#endref}} ### Bypass Login Conditions @@ -68,9 +85,7 @@ In cases where you have some valid credentials but you cannot login, these are s After bypassing it, you might be able to get back to your initial setup and you will still have access. -### Subdomain Takeover -- [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/) ### Whoami 
@@ -132,7 +147,7 @@ Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com # For current user ### Entra ID Enumeration -By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/index.html#default-user-permissions)).\ +By default, any user should have **enough permissions to enumerate** things such as users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/index.html#default-user-permissions)).\ You can find here a guide: {{#ref}} @@ -143,17 +158,7 @@ az-services/az-azuread.md > Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\ > In the following section you can check some ways to **enumerate some common services.** -## App Service SCM - -Kudu console to log in to the App Service 'container'. - -## Webshell - -Use portal.azure.com and select the shell, or use shell.azure.com, for a bash or powershell. The 'disk' of this shell are stored as an image file in a storage-account. - -## Azure DevOps - -Azure DevOps is separate from Azure. It has repositories, pipelines (yaml or release), boards, wiki, and more. Variable Groups are used to store variable values and secrets. +### {{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-basic-information/README.md b/src/pentesting-cloud/azure-security/az-basic-information/README.md index c2c398e2b..21f39b3eb 100644 --- a/src/pentesting-cloud/azure-security/az-basic-information/README.md +++ b/src/pentesting-cloud/azure-security/az-basic-information/README.md @@ -32,7 +32,7 @@ All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted. -

https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1

+

https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1

### Azure Resource IDs diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md index 025bc4e87..4b4587cc2 100644 --- a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md @@ -7,24 +7,23 @@ ### Tenant Enumeration There are some **public Azure APIs** that just knowing the **domain of the tenant** an attacker could query to gather more info about it.\ -You can query directly the API or use the PowerShell library [**AADInternals**](https://github.com/Gerenios/AADInternals)**:** +You can query directly the API or use the PowerShell library [**AADInternals**](https://github.com/Gerenios/AADInternals) (`Install-Module AADInternals`): -| API | Information | AADInternals function | -| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- | -| login.microsoftonline.com/\/.well-known/openid-configuration | **Login information**, including tenant ID | `Get-AADIntTenantID -Domain ` | -| autodiscover-s.outlook.com/autodiscover/autodiscover.svc | **All domains** of the tenant | `Get-AADIntTenantDomains -Domain ` | -| login.microsoftonline.com/GetUserRealm.srf?login=\ |

Login information of the tenant, including tenant Name and domain authentication type.
If NameSpaceType is Managed, it means AzureAD is used.

| `Get-AADIntLoginInformation -UserName ` | -| login.microsoftonline.com/common/GetCredentialType | Login information, including **Desktop SSO information** | `Get-AADIntLoginInformation -UserName ` | +- **Login information including tenant ID** + - `Get-AADIntTenantID -Domain ` (main API `login.microsoftonline.com//.well-known/openid-configuration`) +- **All valid doimains in the tenant** + - `Get-AADIntTenantDomains -Domain ` (main API `autodiscover-s.outlook.com/autodiscover/autodiscover.svc`) +- **Login information of the user**. If `NameSpaceType` is `Managed`, it means EntraID is used + - `Get-AADIntLoginInformation -UserName ` (main API `login.microsoftonline.com/GetUserRealm.srf?login=`) -You can query all the information of an Azure tenant with **just one command of the** [**AADInternals**](https://github.com/Gerenios/AADInternals) **library**: +You can query all the information of an Azure tenant with **just one command from** [**AADInternals**](https://github.com/Gerenios/AADInternals): ```bash +# Doesn't work in macos because 'Resolve-DnsName' doesn't exist Invoke-AADIntReconAsOutsider -DomainName corp.onmicrosoft.com | Format-Table -``` -Output Example of the Azure tenant info: +## Output Example of the Azure tenant info: -``` Tenant brand: Company Ltd Tenant name: company Tenant id: 1937e3ab-38de-a735-a830-3075ea7e5b39 @@ -44,6 +43,9 @@ Moreover, the output presents the names of all verified domains associated with ### User Enumeration +> [!TIP] +> Note that even if a tenant is using several emails for the same user, the **username is unique**. This means that it'll noly work with the domain the user has associated and not with the other domains. + It's possible to **check if a username exists** inside a tenant. This includes also **guest users**, whose username is in the format: ``` 
@@ -83,13 +85,16 @@ external.user_outlook.com#EXT#@company.onmicrosoft.com Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal ``` -There are **three different enumeration methods** to choose from: +Currenlty there are **4 different enumeration methods** to choose from. You can find information in `Get-Help Invoke-AADIntUserEnumerationAsOutsider`: + +It supports following enumeration methods: Normal, Login, Autologon, and RST2. + +- The **Normal** method seems currently work with all tenants. Previously it required Desktop SSO (aka Seamless SSO) to be enabled for at least one domain. + +- The **Login** method works with any tenant, but enumeration queries will be logged to Azure AD sign-in log as failed login events! + +- The **Autologon** method doesn't seem to work with all tenants anymore. Probably requires that DesktopSSO or directory sync is enabled. -| Method | Description | -| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Normal | This refers to the GetCredentialType API mentioned above. The default method. | -| Login |

This method tries to log in as the user.
Note: queries will be logged to sign-ins log.

| -| Autologon |

This method tries to log in as the user via autologon endpoint.
Queries are not logged to sign-ins log! As such, works well also for password spray and brute-force attacks.

| After discovering the valid usernames you can get **info about a user** with: @@ -97,12 +102,17 @@ After discovering the valid usernames you can get **info about a user** with: Get-AADIntLoginInformation -UserName root@corp.onmicrosoft.com ``` -The script [**o365creeper**](https://github.com/LMGsec/o365creeper) also allows you to discover **if an email is valid**. +The script [**o365spray**](https://github.com/0xZDH/o365spray) also allows you to discover **if an email is valid**. ```bash -# Put in emails.txt emails such as: -# - root@corp.onmicrosoft.com -python.exe .\o365creeper\o365creeper.py -f .\emails.txt -o validemails.txt +git clone https://github.com/0xZDH/o365spray +cd o365spray +python3 -m pip install -r requirements.txt + +# Check 1 email +python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -u carlos +# Check a list of emails +python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -U /tmp/users.txt ``` **User Enumeration via Microsoft Teams** @@ -113,10 +123,16 @@ The API of Microsoft Teams allows to search for users. In particular the "user s Depending on the API response it is possible to distinguish between non-existing users and existing users that have a valid Teams subscription. -The script [**TeamsEnum**](https://github.com/sse-secure-systems/TeamsEnum) could be used to validate a given set of usernames against the Teams API. +The script [**TeamsEnum**](https://github.com/sse-secure-systems/TeamsEnum) could be used to validate a given set of usernames against the Teams API but you need access to a user with Teams access to use it. ```bash -python3 TeamsEnum.py -a password -u -f inputlist.txt -o teamsenum-output.json +# Install +git clone https://github.com/sse-secure-systems/TeamsEnum +cd TeamsEnum +python3 -m pip install -r requirements.txt + +# Login and ask for password +python3 ./TeamsEnum.py -a password -u -f inputlist.txt -o teamsenum-output.json ``` Output: 
@@ -192,58 +208,54 @@ Output: } ``` -## Azure Services - -Know that we know the **domains the Azure tenant** is using is time to try to find **Azure services exposed**. - -You can use a method from [**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure service domains:** - -```bash -Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose -Invoke-EnumerateAzureSubDomains -Base corp -Verbose -``` - -## Open Storage - -You could discover open storage with a tool such as [**InvokeEnumerateAzureBlobs.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Invoke-EnumerateAzureBlobs.ps1) which will use the file **`Microburst/Misc/permitations.txt`** to generate permutations (very simple) to try to **find open storage accounts**. - -```bash -Import-Module .\MicroBurst\MicroBurst.psm1 -Invoke-EnumerateAzureBlobs -Base corp -[...] -https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list -[...] - -# Access https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list -# Check: ssh_info.json -# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json -``` - -### SAS URLs - -A _**shared access signature**_ (SAS) URL is an URL that **provides access** to certain part of a Storage account (could be a full container, a file...) with some specific permissions (read, write...) over the resources. 
If you find one leaked you could be able to access sensitive information, they look like this (this is to access a container, if it was just granting access to a file the path of the URL will also contain that file): - -`https://.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D` - -Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-explorer/) to access the data - -## Compromise Credentials - -### Phishing - -- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-) -- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md) - ### Password Spraying / Brute-Force {{#ref}} az-password-spraying.md {{#endref}} +## Azure Services using domains + +It's also possible to try to find **Azure services exposed** in common azure subdomains like the ones documented in this [post: +](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/) + +- App Services: `azurewebsites.net` +- App Services – Management: `scm.azurewebsites.net` +- App Services: `p.azurewebsites.net` +- App Services: `cloudapp.net` +- Storage Accounts-Files: `file.core.windows.net` +- Storage Accounts-Blobs: `blob.core.windows.net` +- Storage Accounts-Queues: `queue.core.windows.net` +- Storage Accounts-Tables: `table.core.windows.net` +- Databases-Redis: `redis.cache.windows.net` +- Databases-Cosmos DB: `documents.azure.com` +- Databases-MSSQL: `database.windows.net` +- Key Vaults: `vault.azure.net` +- Microsoft Hosted Domain: `onmicrosoft.com` +- Email: `mail.protection.outlook.com` +- SharePoint: `sharepoint.com` +- CDN: `azureedge.net` +- Search Appliance: `search.windows.net` +- API Services: `azure-api.net` + +You can use a method from 
[**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure domains:** + +```bash +Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose +Invoke-EnumerateAzureSubDomains -Base corp -Verbose +``` + + +## Phishing + +- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) for credentials or via [OAuth Apps](az-oauth-apps-phishing.md) +- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md) + ## References - [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/) - [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/) +- [https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md index fa08a5fef..191e8f367 100644 --- a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md 
@@ -11,14 +11,15 @@ However, note that this technique is **very noisy** and Blue Team can **easily c You can perform a password spray attack with [**MSOLSpray**](https://github.com/dafthack/MSOLSpray) ```bash +git clone https://github.com/dafthack/MSOLSpray . .\MSOLSpray\MSOLSpray.ps1 -Invoke-MSOLSpray -UserList .\validemails.txt -Password Welcome2022! -Verbose +Invoke-MSOLSpray -UserList .\validemails.txt -Password 'Winter2025! -Verbose ``` Or with [**o365spray**](https://github.com/0xZDH/o365spray) ```bash -python3 o365spray.py --spray -U validemails.txt -p 'Welcome2022!' --count 1 --lockout 1 --domain victim.com +python3 o365spray.py --spray -U validemails.txt -p ''Winter2025!' --domain victim.com ``` Or with [**MailSniper**](https://github.com/dafthack/MailSniper) diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md new file mode 100644 index 000000000..c0579d8c8 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md 
@@ -0,0 +1,49 @@ +# Az - Storage Unauth + +{{#include ../../../banners/hacktricks-training.md}} + +## Storage Unauth + +For more information about storage check: + +{{#ref}} +../az-services/az-storage.md +{{#endref}} + +### Open Storage + +You could discover open storage with a tool such as [**InvokeEnumerateAzureBlobs.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Invoke-EnumerateAzureBlobs.ps1) which will use the file **`Microburst/Misc/permutations.txt`** to generate permutations (very simple) to try to **find open storage accounts**. + +```bash +Import-Module .\MicroBurst\MicroBurst.psm1 +Invoke-EnumerateAzureBlobs -Base corp +[...] +https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list +[...] + +# Access https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list +# Check: ssh_info.json +# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json +``` + +You can also use a method from [**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure domains** (including storage domains): + +```bash +Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose +Invoke-EnumerateAzureSubDomains -Base corp -Verbose +``` + + +### SAS URLs + +A _**shared access signature**_ (SAS) URL is an URL that **provides access** to certain part of a Storage account (could be a full container, a file...) with some specific permissions (read, write...) over the resources. 
If you find one leaked you could be able to access sensitive information, they look like this (this is to access a container, if it was just granting access to a file the path of the URL will also contain that file): + +`https://.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D` + +Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-explorer/) to access the data + + +{{#include ../../../banners/hacktricks-training.md}} + + + diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md similarity index 98% rename from src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md rename to src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md index 553dcb03b..6560deaf7 100644 --- a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md @@ -1,4 +1,4 @@ -# Az - VMs Unath +# Az - VMs Unauth {{#include ../../../banners/hacktricks-training.md}}
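Review bot: the two new SUMMARY.md entries keep the misspelling in the link text, `Az - Storage Unath` and `Az - VMs Unath`, even though the paths were corrected to `az-storage-unauth.md` and `az-vms-unauth.md` and the VM page heading in the rename hunk now reads `# Az - VMs Unauth`. Change the titles to `- [Az - Storage Unauth](...)` and `- [Az - VMs Unauth](...)` so the sidebar matches the page headings.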
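Review bot: the Initial Access list in azure-security/README.md (hunk `@@ -12,11 +14,16`) gains an empty sub-bullet (`  - `) directly under the OSINT item, which renders as a blank bullet; either drop it or fill in the content that was meant to go there. In the same hunk, "obtain some **foothold**" should be "obtain a **foothold**", and "Password reuse, leaks or password spraying" reads as if leaks were a kind of reuse; "Password reuse, leaked passwords, or password spraying" is clearer.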
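Review bot: in the SSRF ref block of azure-security/README.md (hunk `@@ -49,10 +55,21`) the closing marker is appended to the URL line, `https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure{{#endref}}`, while every other ref block in the file puts `{{#endref}}` on its own line; the preprocessor may treat the marker as part of the link target, so move it to a new line like the `az-enumeration-tools.md` block added just below it.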
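Review bot: the `App Service SCM`, `Webshell` and `Azure DevOps` sections are deleted from azure-security/README.md (hunk `@@ -143,17 +158,7`) and replaced by an empty `### ` heading. If that content moved to another page, add a ref to it here (the Kudu/SCM console and Azure DevOps variable groups holding secrets are both things a reader of this overview expects to find); otherwise restore the three sections. In either case remove the dangling empty heading.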
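Review bot: converting the tenant-enumeration table to a list in az-unauthenticated-enum-and-initial-entry/README.md (hunk `@@ -7,24 +7,23`) silently drops the fourth row, `login.microsoftonline.com/common/GetCredentialType` (login information including Desktop SSO information, `Get-AADIntLoginInformation -UserName`); add it back as a fourth bullet. Same hunk: "doimains" should be "domains", and the fences around `Invoke-AADIntReconAsOutsider` are now broken: the closing ``` after the command and the opening ``` before the sample output are both removed and a `## Output Example of the Azure tenant info:` line is inserted inside the bash block, so the heading and the entire `Tenant brand: ...` output render as part of the command. Keep the closing fence, put the heading back as normal text (or a `###` subheading, since `##` would outrank the surrounding `### Tenant Enumeration`), and open a plain fence for the output.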
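Review bot: typo in the new tip under User Enumeration (hunk `@@ -44,6 +43,9`): "noly" should be "only". The sentence "it'll only work with the domain the user has associated" also leaves "it" undefined; say what only works, e.g. "enumeration only succeeds against the domain the username is registered under, not against the tenant's other verified domains".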
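Review bot: the enumeration-methods text (hunk `@@ -83,13 +85,16`) announces "4 different enumeration methods" and lists Normal, Login, Autologon and RST2, but only three get a bullet; add one for RST2. The removed table also carried the operationally important note that Autologon queries are not logged to the sign-ins log (the reason it was recommended for spraying and brute-force); the new Autologon bullet loses that, so keep it. Typos: "Currenlty" (Currently), "seems currently work" (seems to currently work), "It supports following" (It supports the following). The lines after "You can find information in `Get-Help Invoke-AADIntUserEnumerationAsOutsider`:" look pasted from the help output; either quote them as such or rephrase them in the page's own voice.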
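Review bot: the link to the NetSPI post in the new "Azure Services using domains" section (hunk `@@ -192,58 +208,54`) has a line break inside the link text (`[post:` on one line, `](https://www.netspi.com/...)` on the next), which most markdown renderers will not turn into a link; put it on one line. "MicroBust" should be "MicroBurst" to match the repository name in the URL. Structurally, `## Phishing` now sits at the bottom after the domain enumeration section while `### Password Spraying / Brute-Force` stayed under User Enumeration; both are initial-access techniques and read better grouped together.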
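Review bot: both updated spray commands in az-password-spraying.md have broken quoting. `-Password 'Winter2025! -Verbose` opens a single quote that is never closed, so PowerShell either waits for more input or treats ` -Verbose` as part of the password; `-p ''Winter2025!'` has a doubled opening quote, which in bash expands to an empty string followed by an unterminated `Winter2025!'`. Use `-Password 'Winter2025!' -Verbose` and `-p 'Winter2025!'`. The o365spray line also drops `--count 1 --lockout 1` without explanation; those flags bounded attempts per lockout window, and since the page itself warns the technique is very noisy and easy to detect, either keep them or state why they were removed.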
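Review bot: in the new az-storage-unauth.md, "MicroBust" should be "MicroBurst", the link text `InvokeEnumerateAzureBlobs.ps1` does not match the linked file name `Invoke-EnumerateAzureBlobs.ps1`, and "is an URL" should be "is a URL". The Open Storage section presents `Invoke-EnumerateAzureSubDomains` as a second way to find open storage, but as described it only searches the base name and permutations across Azure service domains, i.e. it finds candidate storage hostnames; only `Invoke-EnumerateAzureBlobs` actually tests for public container listing (`?restype=container&comp=list`). Say so, otherwise readers will expect the subdomain scan to report open containers. For the SAS URL example it is worth pointing out that `se=` is the expiry and `sp=` the granted permissions, since a leaked SAS is only useful while it is still valid.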