gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-09 11:44:59 -08:00
Code Issues Packages Projects Releases Wiki Activity

more azure stuff

Browse Source
This commit is contained in:
Carlos Polop
2025-01-23 00:03:36 +01:00
parent 250329b9aa
commit 6736e6d5c8
7 changed files with 158 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md
View File

@@ -7,24 +7,23 @@
### Tenant Enumeration
There are some **public Azure APIs** that just knowing the **domain of the tenant** an attacker could query to gather more info about it.\
You can query directly the API or use the PowerShell library [**AADInternals**](https://github.com/Gerenios/AADInternals)**:**
You can query directly the API or use the PowerShell library [**AADInternals**](https://github.com/Gerenios/AADInternals) (`Install-Module AADInternals`):
| API | Information | AADInternals function |
| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
| login.microsoftonline.com/\<domain>/.well-known/openid-configuration | **Login information**, including tenant ID | `Get-AADIntTenantID -Domain <domain>` |
| autodiscover-s.outlook.com/autodiscover/autodiscover.svc | **All domains** of the tenant | `Get-AADIntTenantDomains -Domain <domain>` |
| login.microsoftonline.com/GetUserRealm.srf?login=\<UserName> | <p><strong>Login information</strong> of the tenant, including tenant Name and domain <strong>authentication type.</strong><br>If <code>NameSpaceType</code> is <strong><code>Managed</code></strong>, it means <strong>AzureAD</strong> is used.</p> | `Get-AADIntLoginInformation -UserName <UserName>` |
| login.microsoftonline.com/common/GetCredentialType | Login information, including **Desktop SSO information** | `Get-AADIntLoginInformation -UserName <UserName>` |
- **Login information including tenant ID**
- `Get-AADIntTenantID -Domain <domain>` (main API `login.microsoftonline.com/<domain>/.well-known/openid-configuration`)
- **All valid doimains in the tenant**
- `Get-AADIntTenantDomains -Domain <domain>` (main API `autodiscover-s.outlook.com/autodiscover/autodiscover.svc`)
- **Login information of the user**. If `NameSpaceType` is `Managed`, it means EntraID is used
- `Get-AADIntLoginInformation -UserName <UserName>` (main API `login.microsoftonline.com/GetUserRealm.srf?login=<UserName>`)
You can query all the information of an Azure tenant with **just one command of the** [**AADInternals**](https://github.com/Gerenios/AADInternals) **library**:
You can query all the information of an Azure tenant with **just one command from** [**AADInternals**](https://github.com/Gerenios/AADInternals):
```bash
# Doesn't work in macos because 'Resolve-DnsName' doesn't exist
Invoke-AADIntReconAsOutsider -DomainName corp.onmicrosoft.com | Format-Table
```
Output Example of the Azure tenant info:
## Output Example of the Azure tenant info:
```
Tenant brand: Company Ltd
Tenant name: company
Tenant id: 1937e3ab-38de-a735-a830-3075ea7e5b39
@@ -44,6 +43,9 @@ Moreover, the output presents the names of all verified domains associated with
### User Enumeration
> [!TIP]
> Note that even if a tenant is using several emails for the same user, the **username is unique**. This means that it'll noly work with the domain the user has associated and not with the other domains.
It's possible to **check if a username exists** inside a tenant. This includes also **guest users**, whose username is in the format:
```
@@ -83,13 +85,16 @@ external.user_outlook.com#EXT#@company.onmicrosoft.com
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
```
There are **three different enumeration methods** to choose from:
Currenlty there are **4 different enumeration methods** to choose from. You can find information in `Get-Help Invoke-AADIntUserEnumerationAsOutsider`:
It supports following enumeration methods: Normal, Login, Autologon, and RST2.
- The **Normal** method seems currently work with all tenants. Previously it required Desktop SSO (aka Seamless SSO) to be enabled for at least one domain.
- The **Login** method works with any tenant, but enumeration queries will be logged to Azure AD sign-in log as failed login events!
- The **Autologon** method doesn't seem to work with all tenants anymore. Probably requires that DesktopSSO or directory sync is enabled.
| Method | Description |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Normal | This refers to the GetCredentialType API mentioned above. The default method. |
| Login | <p>This method tries to log in as the user.<br><strong>Note:</strong> queries will be logged to sign-ins log.</p> |
| Autologon | <p>This method tries to log in as the user via autologon endpoint.<br><strong>Queries are not logged</strong> to sign-ins log! As such, works well also for password spray and brute-force attacks.</p> |
After discovering the valid usernames you can get **info about a user** with:
@@ -97,12 +102,17 @@ After discovering the valid usernames you can get **info about a user** with:
Get-AADIntLoginInformation -UserName root@corp.onmicrosoft.com
```
The script [**o365creeper**](https://github.com/LMGsec/o365creeper) also allows you to discover **if an email is valid**.
The script [**o365spray**](https://github.com/0xZDH/o365spray) also allows you to discover **if an email is valid**.
```bash
# Put in emails.txt emails such as:
# - root@corp.onmicrosoft.com
python.exe .\o365creeper\o365creeper.py -f .\emails.txt -o validemails.txt
git clone https://github.com/0xZDH/o365spray
cd o365spray
python3 -m pip install -r requirements.txt
# Check 1 email
python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -u carlos
# Check a list of emails
python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -U /tmp/users.txt
```
**User Enumeration via Microsoft Teams**
@@ -113,10 +123,16 @@ The API of Microsoft Teams allows to search for users. In particular the "user s
Depending on the API response it is possible to distinguish between non-existing users and existing users that have a valid Teams subscription.
The script [**TeamsEnum**](https://github.com/sse-secure-systems/TeamsEnum) could be used to validate a given set of usernames against the Teams API.
The script [**TeamsEnum**](https://github.com/sse-secure-systems/TeamsEnum) could be used to validate a given set of usernames against the Teams API but you need access to a user with Teams access to use it.
```bash
python3 TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json
# Install
git clone https://github.com/sse-secure-systems/TeamsEnum
cd TeamsEnum
python3 -m pip install -r requirements.txt
# Login and ask for password
python3 ./TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json
```
Output:
@@ -192,58 +208,54 @@ Output:
}
```
## Azure Services
Know that we know the **domains the Azure tenant** is using is time to try to find **Azure services exposed**.
You can use a method from [**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure service domains:**
```bash
Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose
```
## Open Storage
You could discover open storage with a tool such as [**InvokeEnumerateAzureBlobs.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Invoke-EnumerateAzureBlobs.ps1) which will use the file **`Microburst/Misc/permitations.txt`** to generate permutations (very simple) to try to **find open storage accounts**.
```bash
Import-Module .\MicroBurst\MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base corp
[...]
https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
[...]
# Access https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
# Check: <Name>ssh_info.json</Name>
# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json
```
### SAS URLs
A _**shared access signature**_ (SAS) URL is an URL that **provides access** to certain part of a Storage account (could be a full container, a file...) with some specific permissions (read, write...) over the resources. If you find one leaked you could be able to access sensitive information, they look like this (this is to access a container, if it was just granting access to a file the path of the URL will also contain that file):
`https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D`
Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-explorer/) to access the data
## Compromise Credentials
### Phishing
- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-)
- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md)
### Password Spraying / Brute-Force
{{#ref}}
az-password-spraying.md
{{#endref}}
## Azure Services using domains
It's also possible to try to find **Azure services exposed** in common azure subdomains like the ones documented in this [post:
](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/)
- App Services: `azurewebsites.net`
- App Services Management: `scm.azurewebsites.net`
- App Services: `p.azurewebsites.net`
- App Services: `cloudapp.net`
- Storage Accounts-Files: `file.core.windows.net`
- Storage Accounts-Blobs: `blob.core.windows.net`
- Storage Accounts-Queues: `queue.core.windows.net`
- Storage Accounts-Tables: `table.core.windows.net`
- Databases-Redis: `redis.cache.windows.net`
- Databases-Cosmos DB: `documents.azure.com`
- Databases-MSSQL: `database.windows.net`
- Key Vaults: `vault.azure.net`
- Microsoft Hosted Domain: `onmicrosoft.com`
- Email: `mail.protection.outlook.com`
- SharePoint: `sharepoint.com`
- CDN: `azureedge.net`
- Search Appliance: `search.windows.net`
- API Services: `azure-api.net`
You can use a method from [**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure domains:**
```bash
Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose
```
## Phishing
- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) for credentials or via [OAuth Apps](az-oauth-apps-phishing.md)
- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md)
## References
- [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/)
- [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/)
- [https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/)
{{#include ../../../banners/hacktricks-training.md}}