more azure stuff

This commit is contained in:
Carlos Polop
2025-01-23 00:03:36 +01:00
parent 250329b9aa
commit 6736e6d5c8
7 changed files with 158 additions and 90 deletions

View File

@@ -4,6 +4,8 @@
## Basic Information
Learn the basics of Azure and Entra ID in the following page:
{{#ref}}
az-basic-information/
{{#endref}}
@@ -12,11 +14,16 @@ az-basic-information/
In order to audit an AZURE environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal Azure services and **external services** connected.
From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **credentials** for Azure AD. Here you have some ideas on how to do that:
From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **foothold**.
- **Leaks** in github (or similar) - OSINT
### Initial Access
Here you can find the most common ways to get initial access to an Azure/Entra ID environment:
- **OSINT**: Check for **leaks** in Github or any other open source platform that could contain **credentials** or interesting information.
-
- **Social** Engineering
- **Password** reuse (password leaks)
- **Password** reuse, leaks or [password spraying](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
- Vulnerabilities in Azure-Hosted Applications
- [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint
- **Local File Read**
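Review bot: the rewritten intro now ends its sentence at `**foothold**.` while the ways to obtain one move under the new `### Initial Access` heading, so "obtain some **foothold**" should read "obtain a **foothold**"; the bare `-` left between the OSINT bullet and `- **Social** Engineering` renders as an empty list item and should be removed, and "Github" is spelled "GitHub".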
@@ -31,7 +38,6 @@ From a Red Team point of view, the **first step to compromise an Azure environme
- **Internal** Employee
- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or Oauth App)
- [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
- [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
Even if you **haven't compromised any user** inside the Azure tenant you are attacking, you can **gather some information** from it:
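Review bot: dropping the standalone `[Azure **Password Spraying**]` bullet is consistent with the link having been folded into the `**Password** reuse, leaks or password spraying` bullet in the previous hunk; while this list is being touched, `Oauth App` in the Common Phishing line should be `OAuth App`, matching the spelling used elsewhere in the commit.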
@@ -49,10 +55,21 @@ az-unauthenticated-enum-and-initial-entry/
### SSRF
If you found a SSRF in a machine inside Azure check this page for tricks:
If you found a SSRF in a server inside Azure check this page for tricks:
{{#ref}}
https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure{{#endref}}
### Subdomain Takeover
- [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/)
### Azure & Entra ID tooling
The following tools will be super useful to enumerate both Entra ID tenants and Azure environments slowly (to avoid detection) or automatically (to save time):
{{#ref}}
az-enumeration-tools.md
{{#endref}}
### Bypass Login Conditions
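Review bot: in the SSRF ref block `{{#endref}}` is fused onto the end of the URL (`...cloud-ssrf.html#azure{{#endref}}`); every other ref block in this commit puts it on its own line, and with it glued on the preprocessor may emit a link whose target ends in the literal `{{#endref}}`. Replacing the old phishing-methodology URL with the cloud-ssrf page is the right fix for a ref that pointed at the wrong topic. Also confirm that `az-enumeration-tools.md`, the target of the new tooling section, is part of this commit.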
@@ -68,9 +85,7 @@ In cases where you have some valid credentials but you cannot login, these are s
After bypassing it, you might be able to get back to your initial setup and you will still have access.
### Subdomain Takeover
- [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/)
### Whoami
@@ -132,7 +147,7 @@ Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com # For current user
### Entra ID Enumeration
By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/index.html#default-user-permissions)).\
By default, any user should have **enough permissions to enumerate** things such as users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/index.html#default-user-permissions)).\
You can find here a guide:
{{#ref}}
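Review bot: the typo fix ("such us" to "such as") is fine, but the link text "default AzureAD permissions" under a heading now called "Entra ID Enumeration" keeps the old product name; "default Entra ID permissions" would match the rename applied in the rest of this commit.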
@@ -143,17 +158,7 @@ az-services/az-azuread.md
> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
> In the following section you can check some ways to **enumerate some common services.**
## App Service SCM
Kudu console to log in to the App Service 'container'.
## Webshell
Use portal.azure.com and select the shell, or use shell.azure.com, for a bash or powershell. The 'disk' of this shell are stored as an image file in a storage-account.
## Azure DevOps
Azure DevOps is separate from Azure. It has repositories, pipelines (yaml or release), boards, wiki, and more. Variable Groups are used to store variable values and secrets.
###
{{#include ../../banners/hacktricks-training.md}}
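Review bot: removing the `## App Service SCM`, `## Webshell` and `## Azure DevOps` stubs (and the empty `###` heading) tidies this page, but the Kudu/SCM console, the shell.azure.com disk image stored in a storage account, and DevOps Variable Groups holding secrets are mentioned only here; check that this content is covered in the service-specific pages before deleting it, otherwise it is lost.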

View File

@@ -32,7 +32,7 @@
All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted.
<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfe8U30iP_vdZCvxX4g8nEPRLoo7v0kmCGkDn1frBPn3_GIoZ7VT2LkdsVQWCnrG_HSYNRRPM-1pSECUkbDAB-9YbUYLzpvKVLDETZS81CHWKYM4fDl3oMo5-yvTMnjdLTS2pz8U67xUTIzBhZ25MFMRkq5koKY=s2048?key=gSyKQr3HTyhvHa28Rf7LVA" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1</a></p></figcaption></figure>
<figure><img src="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1</a></p></figcaption></figure>
### Azure Resource IDs
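Review bot: swapping the `lh7-rt.googleusercontent.com/slidesz/...?key=...` src for the original `azuredays.com` URL is an improvement (the slides proxy link carries a `key` parameter and is not a stable reference), but the figure still hotlinks a third-party host that can change or vanish; consider committing the image to the repo and referencing it locally, and escape the `&` in the `src` and `href` attributes as `&amp;`.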

View File

@@ -7,24 +7,23 @@
### Tenant Enumeration
There are some **public Azure APIs** that just knowing the **domain of the tenant** an attacker could query to gather more info about it.\
You can query directly the API or use the PowerShell library [**AADInternals**](https://github.com/Gerenios/AADInternals)**:**
You can query directly the API or use the PowerShell library [**AADInternals**](https://github.com/Gerenios/AADInternals) (`Install-Module AADInternals`):
| API | Information | AADInternals function |
| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
| login.microsoftonline.com/\<domain>/.well-known/openid-configuration | **Login information**, including tenant ID | `Get-AADIntTenantID -Domain <domain>` |
| autodiscover-s.outlook.com/autodiscover/autodiscover.svc | **All domains** of the tenant | `Get-AADIntTenantDomains -Domain <domain>` |
| login.microsoftonline.com/GetUserRealm.srf?login=\<UserName> | <p><strong>Login information</strong> of the tenant, including tenant Name and domain <strong>authentication type.</strong><br>If <code>NameSpaceType</code> is <strong><code>Managed</code></strong>, it means <strong>AzureAD</strong> is used.</p> | `Get-AADIntLoginInformation -UserName <UserName>` |
| login.microsoftonline.com/common/GetCredentialType | Login information, including **Desktop SSO information** | `Get-AADIntLoginInformation -UserName <UserName>` |
- **Login information including tenant ID**
- `Get-AADIntTenantID -Domain <domain>` (main API `login.microsoftonline.com/<domain>/.well-known/openid-configuration`)
- **All valid doimains in the tenant**
- `Get-AADIntTenantDomains -Domain <domain>` (main API `autodiscover-s.outlook.com/autodiscover/autodiscover.svc`)
- **Login information of the user**. If `NameSpaceType` is `Managed`, it means EntraID is used
- `Get-AADIntLoginInformation -UserName <UserName>` (main API `login.microsoftonline.com/GetUserRealm.srf?login=<UserName>`)
You can query all the information of an Azure tenant with **just one command of the** [**AADInternals**](https://github.com/Gerenios/AADInternals) **library**:
You can query all the information of an Azure tenant with **just one command from** [**AADInternals**](https://github.com/Gerenios/AADInternals):
```bash
# Doesn't work in macos because 'Resolve-DnsName' doesn't exist
Invoke-AADIntReconAsOutsider -DomainName corp.onmicrosoft.com | Format-Table
```
Output Example of the Azure tenant info:
## Output Example of the Azure tenant info:
```
Tenant brand: Company Ltd
Tenant name: company
Tenant id: 1937e3ab-38de-a735-a830-3075ea7e5b39
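Review bot: the bullet list that replaces the table drops the `login.microsoftonline.com/common/GetCredentialType` row (login information including Desktop SSO) without replacement; keep that entry. "doimains" should be "domains", and `## Output Example of the Azure tenant info:` turns an inline label inside the `### Tenant Enumeration` section into a top-level heading, breaking the hierarchy; leave it as a plain line or use `####`. Adding `(Install-Module AADInternals)` to the AADInternals mention is a useful touch.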
@@ -44,6 +43,9 @@ Moreover, the output presents the names of all verified domains associated with
### User Enumeration
> [!TIP]
> Note that even if a tenant is using several emails for the same user, the **username is unique**. This means that it'll noly work with the domain the user has associated and not with the other domains.
It's possible to **check if a username exists** inside a tenant. This includes also **guest users**, whose username is in the format:
```
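Review bot: "noly" should be "only" in the new tip, and "it'll only work with the domain the user has associated" leaves "it" undefined; say what is meant, e.g. "enumeration only succeeds against the domain in the user's UPN, not against the tenant's other verified domains".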
@@ -83,13 +85,16 @@ external.user_outlook.com#EXT#@company.onmicrosoft.com
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
```
There are **three different enumeration methods** to choose from:
Currenlty there are **4 different enumeration methods** to choose from. You can find information in `Get-Help Invoke-AADIntUserEnumerationAsOutsider`:
It supports following enumeration methods: Normal, Login, Autologon, and RST2.
- The **Normal** method seems currently work with all tenants. Previously it required Desktop SSO (aka Seamless SSO) to be enabled for at least one domain.
- The **Login** method works with any tenant, but enumeration queries will be logged to Azure AD sign-in log as failed login events!
- The **Autologon** method doesn't seem to work with all tenants anymore. Probably requires that DesktopSSO or directory sync is enabled.
| Method | Description |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Normal | This refers to the GetCredentialType API mentioned above. The default method. |
| Login | <p>This method tries to log in as the user.<br><strong>Note:</strong> queries will be logged to sign-ins log.</p> |
| Autologon | <p>This method tries to log in as the user via autologon endpoint.<br><strong>Queries are not logged</strong> to sign-ins log! As such, works well also for password spray and brute-force attacks.</p> |
After discovering the valid usernames you can get **info about a user** with:
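Review bot: the new text says there are 4 enumeration methods and the `Get-Help` line lists Normal, Login, Autologon and RST2, but only three get a bullet; add one for RST2 or the count is wrong. "Currenlty" should be "Currently" and "seems currently work" should be "seems to currently work". Keeping the sentence that the Login method shows up in the Entra ID sign-in log as failed login events is right; that is the detection point defenders care about and the part of the removed table worth preserving.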
@@ -97,12 +102,17 @@ After discovering the valid usernames you can get **info about a user** with:
Get-AADIntLoginInformation -UserName root@corp.onmicrosoft.com
```
The script [**o365creeper**](https://github.com/LMGsec/o365creeper) also allows you to discover **if an email is valid**.
The script [**o365spray**](https://github.com/0xZDH/o365spray) also allows you to discover **if an email is valid**.
```bash
# Put in emails.txt emails such as:
# - root@corp.onmicrosoft.com
python.exe .\o365creeper\o365creeper.py -f .\emails.txt -o validemails.txt
git clone https://github.com/0xZDH/o365spray
cd o365spray
python3 -m pip install -r requirements.txt
# Check 1 email
python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -u carlos
# Check a list of emails
python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -U /tmp/users.txt
```
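Review bot: the new o365spray example uses `-d carloshacktricks.onmicrosoft.com -u carlos`, which looks like the author's own tenant, while the rest of the page uses the `corp.onmicrosoft.com` placeholder; use the placeholder so readers do not copy a real tenant name. The comment `# Check 1 email` also mismatches the argument, which is a bare username (`-u carlos`) rather than an email.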
**User Enumeration via Microsoft Teams**
@@ -113,10 +123,16 @@ The API of Microsoft Teams allows to search for users. In particular the "user s
Depending on the API response it is possible to distinguish between non-existing users and existing users that have a valid Teams subscription.
The script [**TeamsEnum**](https://github.com/sse-secure-systems/TeamsEnum) could be used to validate a given set of usernames against the Teams API.
The script [**TeamsEnum**](https://github.com/sse-secure-systems/TeamsEnum) could be used to validate a given set of usernames against the Teams API but you need access to a user with Teams access to use it.
```bash
python3 TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json
# Install
git clone https://github.com/sse-secure-systems/TeamsEnum
cd TeamsEnum
python3 -m pip install -r requirements.txt
# Login and ask for password
python3 ./TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json
```
Output:
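Review bot: the added clause "but you need access to a user with Teams access to use it" stacks "access" three times; suggest "but it requires valid credentials for an account with a Teams license". The install steps added before the command are helpful.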
@@ -192,58 +208,54 @@ Output:
}
```
## Azure Services
Know that we know the **domains the Azure tenant** is using is time to try to find **Azure services exposed**.
You can use a method from [**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure service domains:**
```bash
Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose
```
## Open Storage
You could discover open storage with a tool such as [**InvokeEnumerateAzureBlobs.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Invoke-EnumerateAzureBlobs.ps1) which will use the file **`Microburst/Misc/permitations.txt`** to generate permutations (very simple) to try to **find open storage accounts**.
```bash
Import-Module .\MicroBurst\MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base corp
[...]
https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
[...]
# Access https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
# Check: <Name>ssh_info.json</Name>
# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json
```
### SAS URLs
A _**shared access signature**_ (SAS) URL is an URL that **provides access** to certain part of a Storage account (could be a full container, a file...) with some specific permissions (read, write...) over the resources. If you find one leaked you could be able to access sensitive information, they look like this (this is to access a container, if it was just granting access to a file the path of the URL will also contain that file):
`https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D`
Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-explorer/) to access the data
## Compromise Credentials
### Phishing
- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-)
- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md)
### Password Spraying / Brute-Force
{{#ref}}
az-password-spraying.md
{{#endref}}
## Azure Services using domains
It's also possible to try to find **Azure services exposed** in common azure subdomains like the ones documented in this [post:
](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/)
- App Services: `azurewebsites.net`
- App Services Management: `scm.azurewebsites.net`
- App Services: `p.azurewebsites.net`
- App Services: `cloudapp.net`
- Storage Accounts-Files: `file.core.windows.net`
- Storage Accounts-Blobs: `blob.core.windows.net`
- Storage Accounts-Queues: `queue.core.windows.net`
- Storage Accounts-Tables: `table.core.windows.net`
- Databases-Redis: `redis.cache.windows.net`
- Databases-Cosmos DB: `documents.azure.com`
- Databases-MSSQL: `database.windows.net`
- Key Vaults: `vault.azure.net`
- Microsoft Hosted Domain: `onmicrosoft.com`
- Email: `mail.protection.outlook.com`
- SharePoint: `sharepoint.com`
- CDN: `azureedge.net`
- Search Appliance: `search.windows.net`
- API Services: `azure-api.net`
You can use a method from [**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure domains:**
```bash
Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose
```
## Phishing
- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) for credentials or via [OAuth Apps](az-oauth-apps-phishing.md)
- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md)
## References
- [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/)
- [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/)
- [https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/)
{{#include ../../../banners/hacktricks-training.md}}
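Review bot: the new link markup `[post:` followed by `](https://www.netspi.com/...)` on the next line splits the link text and URL with the colon inside the brackets, which renders as broken markdown; it should read `...documented in this [post](https://www.netspi.com/...):`. The `## Open Storage` and `### SAS URLs` sections removed here are re-added in the new `az-storage-unauth.md`, but nothing on this page links to that file any more; add a `{{#ref}}` to it (for example beside the `blob.core.windows.net` entry in the domain list) so the content stays reachable. Also "MicroBust" should be "MicroBurst", and the `Import-Module` / `Invoke-EnumerateAzureSubDomains` snippet is PowerShell but fenced as bash.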

View File

@@ -11,14 +11,15 @@ However, note that this technique is **very noisy** and Blue Team can **easily c
You can perform a password spray attack with [**MSOLSpray**](https://github.com/dafthack/MSOLSpray)
```bash
git clone https://github.com/dafthack/MSOLSpray
. .\MSOLSpray\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\validemails.txt -Password Welcome2022! -Verbose
Invoke-MSOLSpray -UserList .\validemails.txt -Password 'Winter2025! -Verbose
```
Or with [**o365spray**](https://github.com/0xZDH/o365spray)
```bash
python3 o365spray.py --spray -U validemails.txt -p 'Welcome2022!' --count 1 --lockout 1 --domain victim.com
python3 o365spray.py --spray -U validemails.txt -p ''Winter2025!' --domain victim.com
```
Or with [**MailSniper**](https://github.com/dafthack/MailSniper)
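Review bot: both replaced command lines have unbalanced quotes: `-Password 'Winter2025! -Verbose` never closes the single quote, so PowerShell either swallows `-Verbose` into the password string or errors at end of line, and `-p ''Winter2025!'` in bash opens and closes an empty string, leaves `Winter2025!` unquoted and then starts a quote that is never closed (a syntax error). They should be `-Password 'Winter2025!' -Verbose` and `-p 'Winter2025!'`. The o365spray line also silently drops the `--count 1 --lockout 1` options the old example had; keep them or state why they were removed, since they are what keeps an authorized test run from locking out real accounts.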

View File

@@ -0,0 +1,49 @@
# Az - Storage Unauth
{{#include ../../../banners/hacktricks-training.md}}
## Storage Unauth
For more information about storage check:
{{#ref}}
../az-services/az-storage.md
{{#endref}}
### Open Storage
You could discover open storage with a tool such as [**InvokeEnumerateAzureBlobs.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Invoke-EnumerateAzureBlobs.ps1) which will use the file **`Microburst/Misc/permutations.txt`** to generate permutations (very simple) to try to **find open storage accounts**.
```bash
Import-Module .\MicroBurst\MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base corp
[...]
https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
[...]
# Access https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
# Check: <Name>ssh_info.json</Name>
# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json
```
You can also use a method from [**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure domains** (including storage domains):
```bash
Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose
```
### SAS URLs
A _**shared access signature**_ (SAS) URL is an URL that **provides access** to certain part of a Storage account (could be a full container, a file...) with some specific permissions (read, write...) over the resources. If you find one leaked you could be able to access sensitive information, they look like this (this is to access a container, if it was just granting access to a file the path of the URL will also contain that file):
`https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D`
Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-explorer/) to access the data
{{#include ../../../banners/hacktricks-training.md}}
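Review bot: the `### SAS URLs` paragraph shows a sample SAS but never explains what its query string grants, which is exactly what someone assessing a leaked one needs: `sp=r` is the permission set (read only here), `st` and `se` are the validity start and expiry, `sr=c` means the token scopes a whole container (`b` would be a single blob), and `sig` is the HMAC over those fields computed with the storage account key, so a leaked SAS is bounded by its `sp` and `se` and a short expiry is what limits the damage of a leak. Also "is an URL" should be "is a URL", and the second half of that paragraph is a run-on that should be split at "they look like this". The two `Import-Module` snippets are PowerShell and should be fenced as `powershell` rather than `bash`; the "permitations" to "permutations" fix relative to the copy removed from the enumeration page is good.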