Mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git, synced 2026-01-10 12:13:17 -08:00
Translated ['src/pentesting-cloud/azure-security/az-services/az-azuread.
@@ -4,9 +4,9 @@
|
||||
|
||||
## Basic Information
|
||||
|
||||
Azure Active Directory (Azure AD) inatoa huduma ya Microsoft ya msingi ya wingu kwa usimamizi wa utambulisho na ufikiaji. Ni muhimu katika kuwezesha wafanyakazi kuingia na kupata rasilimali, ndani na nje ya shirika, ikiwa ni pamoja na Microsoft 365, lango la Azure, na maombi mengine mengi ya SaaS. Muundo wa Azure AD unalenga kutoa huduma muhimu za utambulisho, hasa ikiwa ni pamoja na **uthibitishaji, ruhusa, na usimamizi wa watumiaji**.
|
||||
Azure Active Directory (Azure AD) inatoa huduma ya Microsoft ya msingi ya wingu kwa usimamizi wa utambulisho na ufikiaji. Ni muhimu katika kuwezesha wafanyakazi kuingia na kupata rasilimali, ndani na nje ya shirika, ikiwa ni pamoja na Microsoft 365, lango la Azure, na maombi mengine mengi ya SaaS. Muundo wa Azure AD unalenga kutoa huduma muhimu za utambulisho, ikijumuisha **uthibitishaji, ruhusa, na usimamizi wa watumiaji**.
|
||||
|
||||
Vipengele muhimu vya Azure AD vinajumuisha **uthibitishaji wa hatua nyingi** na **ufikiaji wa masharti**, pamoja na uunganisho usio na mshono na huduma nyingine za usalama za Microsoft. Vipengele hivi vinainua kwa kiasi kikubwa usalama wa utambulisho wa watumiaji na kuweza kuwezesha mashirika kutekeleza na kutekeleza sera zao za ufikiaji kwa ufanisi. Kama sehemu ya msingi ya mfumo wa huduma za wingu za Microsoft, Azure AD ni muhimu kwa usimamizi wa utambulisho wa watumiaji kwa msingi wa wingu.
|
||||
Vipengele muhimu vya Azure AD vinajumuisha **uthibitishaji wa hatua nyingi** na **ufikiaji wa masharti**, pamoja na uunganisho usio na mshono na huduma nyingine za usalama za Microsoft. Vipengele hivi vinainua kwa kiasi kikubwa usalama wa utambulisho wa watumiaji na kuweza kwa mashirika kutekeleza na kutekeleza sera zao za ufikiaji kwa ufanisi. Kama sehemu ya msingi ya mfumo wa huduma za wingu za Microsoft, Azure AD ni muhimu kwa usimamizi wa utambulisho wa watumiaji kwa msingi wa wingu.
|
||||
|
||||
## Enumeration
|
||||
|
||||
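Review bot: the reworded L27 still renders the English "implement and enforce" as "kutekeleza na kutekeleza sera zao za ufikiaji", the same verb twice, so the clause reads as a duplication; use two distinct verbs, for example "kuweka na kutekeleza sera zao za ufikiaji". Both paragraphs also keep "Azure Active Directory (Azure AD)" while later hunks in this same diff use the current product name ("Entra ID Roles", "All users from Entra ID", "Get roles assigned to the user in Entra ID"); a one-time mention on first use that Azure AD is now Entra ID would keep the terminology consistent across the page.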
@@ -140,6 +140,34 @@ curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-
|
||||
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
|
||||
```
|
||||
{{#endtab }}
|
||||
{{#tab name="MS Graph" }}
|
||||
```bash
|
||||
Get-MgTenantRelationshipDelegatedAdminCustomer
|
||||
# Install the Microsoft Graph PowerShell module if not already installed
|
||||
Install-Module Microsoft.Graph -Scope CurrentUser
|
||||
|
||||
# Import the module
|
||||
Import-Module Microsoft.Graph
|
||||
|
||||
# Login to Microsoft Graph
|
||||
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "Directory.Read.All"
|
||||
|
||||
# Enumerate available commands in Microsoft Graph PowerShell
|
||||
Get-Command -Module Microsoft.Graph*
|
||||
|
||||
# Example: List users
|
||||
Get-MgUser -All
|
||||
|
||||
# Example: List groups
|
||||
Get-MgGroup -All
|
||||
|
||||
# Example: Get roles assigned to a user
|
||||
Get-MgUserAppRoleAssignment -UserId <UserId>
|
||||
|
||||
# Disconnect from Microsoft Graph
|
||||
Disconnect-MgGraph
|
||||
```
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="Azure AD" }}
|
||||
```bash
|
||||
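Review bot: the first line of the new MS Graph tab, `Get-MgTenantRelationshipDelegatedAdminCustomer`, runs before the module is installed, imported or connected, has no comment, and lists delegated-admin (partner) customer relationships rather than anything the tab sets up; move it under `Connect-MgGraph` with a comment saying what it enumerates, or drop it. The comment `# Example: Get roles assigned to a user` above `Get-MgUserAppRoleAssignment -UserId <UserId>` is misleading: that cmdlet returns app role assignments (application permissions the user holds on service principals), not Entra ID directory roles; directory role membership comes from `Get-MgUserMemberOf -UserId <UserId>`, where the role objects carry `@odata.type` `#microsoft.graph.directoryRole` in `AdditionalProperties`. Finally, the block is PowerShell but the fence is tagged bash; tag it powershell like the Graph cmdlets it contains so it highlights correctly.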
@@ -156,9 +184,9 @@ Connect-AzureAD -AccountId test@corp.onmicrosoft.com -AadAccessToken $token
|
||||
{{#endtab }}
|
||||
{{#endtabs }}
|
||||
|
||||
Wakati unapo **ingia** kupitia **CLI** kwenye Azure kwa programu yoyote, unatumia **Azure Application** kutoka **tenant** inayomilikiwa na **Microsoft**. Programu hizi, kama zile unazoweza kuunda kwenye akaunti yako, **zina client id**. **Hutaweza kuona zote** katika **orodha za programu zilizoruhusiwa** unazoweza kuona kwenye console, **lakini zinaruhusiwa kwa default**.
|
||||
Wakati unapo **ingia** kupitia **CLI** kwenye Azure kwa programu yoyote, unatumia **Azure Application** kutoka **tenant** inayomilikiwa na **Microsoft**. Programu hizi, kama zile unazoweza kuunda kwenye akaunti yako, **zina client id**. Hutaweza **kuona zote** katika **orodha za programu zilizoruhusiwa** unazoweza kuona kwenye console, **lakini zinaruhusiwa kwa default**.
|
||||
|
||||
Kwa mfano, **powershell script** inayofanya **uthibitisho** inatumia programu yenye client id **`1950a258-227b-4e31-a9cf-717495945fc2`**. Hata kama programu hiyo haitokei kwenye console, sysadmin anaweza **kuzuia programu hiyo** ili watumiaji wasiweze kufikia kwa kutumia zana zinazounganisha kupitia programu hiyo.
|
||||
Kwa mfano, **powershell script** inayofanya **uthibitisho** inatumia programu yenye client id **`1950a258-227b-4e31-a9cf-717495945fc2`**. Hata kama programu hiyo haionekani kwenye console, sysadmin anaweza **kuzuia programu hiyo** ili watumiaji wasiweze kufikia kwa kutumia zana zinazounganisha kupitia programu hiyo.
|
||||
|
||||
Hata hivyo, kuna **client-ids nyingine** za programu ambazo **zitakuruhusu kuungana na Azure**:
|
||||
```bash
|
||||
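Review bot: the client id `1950a258-227b-4e31-a9cf-717495945fc2` at L156 is given without saying which first-party application it is, so a reader cannot check the claim; it is the "Microsoft Azure PowerShell" application, and naming it (and pointing at the first-party application-ID list that this page already links further down) makes the example verifiable. The change at L148 only moves the bold boundary; "Hutaweza kuona zote" (you will not be able to see all of them) is the sentence's key claim, so keeping "Hutaweza" inside the bold, as L145 had it, preserves the emphasis of the English.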
@@ -248,6 +276,34 @@ curl -X GET "https://graph.microsoft.com/beta/roleManagement/directory/roleDefin
|
||||
```
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="MS Graph" }}
|
||||
```bash
|
||||
# Enumerate users using Microsoft Graph PowerShell
|
||||
Get-MgUser -All
|
||||
|
||||
# Get user details
|
||||
Get-MgUser -UserId "test@corp.onmicrosoft.com" | Format-List *
|
||||
|
||||
# Search "admin" users
|
||||
Get-MgUser -All | Where-Object { $_.DisplayName -like "*test*" } | Select-Object DisplayName
|
||||
|
||||
# Search attributes containing the word "password"
|
||||
Get-MgUser -All | Where-Object { $_.AdditionalProperties.PSObject.Properties.Name -contains "password" }
|
||||
|
||||
# All users from Entra ID
|
||||
Get-MgUser -Filter "startswith(userPrincipalName, 't')" -All | Select-Object DisplayName, UserPrincipalName
|
||||
|
||||
# Get groups where the user is a member
|
||||
Get-MgUserMemberOf -UserId <UserId>
|
||||
|
||||
# Get roles assigned to the user in Entra ID
|
||||
Get-MgUserAppRoleAssignment -UserId <UserId>
|
||||
|
||||
# List available commands in Microsoft Graph PowerShell
|
||||
Get-Command -Module Microsoft.Graph.Users
|
||||
```
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="Azure AD" }}
|
||||
```bash
|
||||
# Enumerate Users
|
||||
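Review bot: two comments in the new block do not match the commands under them: `# Search "admin" users` filters on `-like "*test*"` (should be "*admin*"), and `# All users from Entra ID` sits above `-Filter "startswith(userPrincipalName, 't')"`, which returns only UPNs starting with "t". The `# Search attributes containing the word "password"` line does not do what it says: `$_.AdditionalProperties.PSObject.Properties.Name` enumerates the properties of the dictionary object itself (Keys, Values, Count), not attribute names or values, so it never matches; to look for "password" in attribute values iterate the user's properties, e.g. `Get-MgUser -All | ForEach-Object { $u = $_; $u.PSObject.Properties | Where-Object { "$($_.Value)" -match 'password' } | Select-Object @{n='User';e={$u.UserPrincipalName}}, Name, Value }`, and add a note that Get-MgUser returns only a default subset of attributes unless more are requested with `-Property`. As in the previous hunk, `Get-MgUserAppRoleAssignment` lists app role assignments, not directory roles, and the fence should be tagged powershell rather than bash.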
@@ -301,15 +357,15 @@ Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
|
||||
{{#endtab }}
|
||||
{{#endtabs }}
|
||||
|
||||
#### Badilisha Nenosiri la Mtumiaji
|
||||
#### Badilisha Nywila ya Mtumiaji
|
||||
```bash
|
||||
$password = "ThisIsTheNewPassword.!123" | ConvertTo- SecureString -AsPlainText –Force
|
||||
|
||||
(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@corp.onmicrosoft.com"}).ObjectId | Set- AzureADUserPassword -Password $password –Verbose
|
||||
```
|
||||
### MFA & Sera za Upatikanaji wa Masharti
|
||||
### MFA & Sera za Ufikiaji wa Masharti
|
||||
|
||||
Inapendekezwa sana kuongeza MFA kwa kila mtumiaji, hata hivyo, baadhi ya kampuni hazitaweka au zinaweza kuziweka kwa Upatikanaji wa Masharti: Mtumiaji atakuwa **na hitaji la MFA ikiwa** atajiunga kutoka eneo maalum, kivinjari au **hali fulani**. Sera hizi, ikiwa hazijapangwa vizuri zinaweza kuwa na uwezekano wa **kuepukwa**. Angalia:
|
||||
Inapendekezwa sana kuongeza MFA kwa kila mtumiaji, hata hivyo, baadhi ya kampuni hazitaweka au zinaweza kuziweka kwa Ufikiaji wa Masharti: Mtumiaji atakuwa **na hitaji la MFA ikiwa** anaingia kutoka eneo fulani, kivinjari au **hali fulani**. Sera hizi, ikiwa hazijapangwa vizuri zinaweza kuwa na uwezekano wa **kuepukwa**. Angalia:
|
||||
|
||||
{{#ref}}
|
||||
../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md
|
||||
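Review bot: the rename from "Nenosiri" to "Nywila" at L277 is not carried through the page; the service-principal warning block later in this same diff ("ukipata **nenosiri** hili", "nenosiri hili linaonekana tu", "**kuongeza nenosiri**") still uses "nenosiri", so pick one term and use it throughout. While this section is being touched, the context lines `ConvertTo- SecureString -AsPlainText –Force` and `Set- AzureADUserPassword -Password $password –Verbose` carry a stray space inside each cmdlet name and an en dash instead of a hyphen before `Force` and `Verbose`; as written neither line runs, and the fix (`ConvertTo-SecureString`, `Set-AzureADUserPassword`, `-Force`, `-Verbose`) is one the English source needs as well.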
@@ -368,7 +424,33 @@ Get-AzADGroupMember -GroupDisplayName <resource_group_name>
|
||||
Get-AzRoleAssignment -ResourceGroupName <resource_group_name>
|
||||
```
|
||||
{{#endtab }}
|
||||
{{#tab name="MS Graph" }}
|
||||
```bash
|
||||
# Enumerate groups using Microsoft Graph PowerShell
|
||||
Get-MgGroup -All
|
||||
|
||||
# Get group details
|
||||
Get-MgGroup -GroupId <GroupId> | Format-List *
|
||||
|
||||
# Search "admin" groups
|
||||
Get-MgGroup -All | Where-Object { $_.DisplayName -like "*admin*" } | Select-Object DisplayName
|
||||
|
||||
# Get members of a group
|
||||
Get-MgGroupMember -GroupId <GroupId> -All
|
||||
|
||||
# Get groups a group is member of
|
||||
Get-MgGroupMemberOf -GroupId <GroupId>
|
||||
|
||||
# Get roles assigned to the group in Entra ID
|
||||
Get-MgGroupAppRoleAssignment -GroupId <GroupId>
|
||||
|
||||
# Get group owner
|
||||
Get-MgGroupOwner -GroupId <GroupId>
|
||||
|
||||
# List available commands in Microsoft Graph PowerShell
|
||||
Get-Command -Module Microsoft.Graph.Groups
|
||||
```
|
||||
{{#endtab }}
|
||||
{{#tab name="Azure AD" }}
|
||||
```bash
|
||||
# Enumerate Groups
|
||||
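Review bot: `# Get roles assigned to the group in Entra ID` above `Get-MgGroupAppRoleAssignment -GroupId <GroupId>` is wrong in the same way as the user block: that cmdlet lists app role assignments, while directory roles held by a role-assignable group show up in `Get-MgGroupMemberOf -GroupId <GroupId>` as objects with `@odata.type` `#microsoft.graph.directoryRole`. A comment is also due on `Get-MgGroupMember -GroupId <GroupId> -All`: it returns generic directory objects whose default output is just an Id column, so to see who the members are project from `AdditionalProperties`, e.g. `| Select-Object Id, @{n='Type';e={$_.AdditionalProperties['@odata.type']}}, @{n='Name';e={$_.AdditionalProperties.displayName}}`. The fence is tagged bash for PowerShell content here as well.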
@@ -405,8 +487,8 @@ Wamiliki wa kundi wanaweza kuongeza watumiaji wapya kwenye kundi
|
||||
Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose
|
||||
```
|
||||
> [!WARNING]
|
||||
> Makundi yanaweza kuwa ya kidinamik, ambayo kimsingi inamaanisha kwamba **ikiwa mtumiaji atatimiza masharti fulani ataongezwa kwenye kundi**. Bila shaka, ikiwa masharti yanategemea **sifa** ambazo **mtumiaji** anaweza **kudhibiti**, anaweza kutumia kipengele hiki vibaya ili **kuingia kwenye makundi mengine**.\
|
||||
> Angalia jinsi ya kutumia vibaya makundi ya kidinamik kwenye ukurasa ufuatao:
|
||||
> Makundi yanaweza kuwa ya dinamik, ambayo kimsingi inamaanisha kwamba **ikiwa mtumiaji atatimiza masharti fulani atajumuishwa katika kundi**. Bila shaka, ikiwa masharti yanategemea **sifa** ambazo **mtumiaji** anaweza **kudhibiti**, anaweza kutumia kipengele hiki vibaya ili **kuingia katika makundi mengine**.\
|
||||
> Angalia jinsi ya kutumia vibaya makundi ya dinamik katika ukurasa ufuatao:
|
||||
|
||||
{{#ref}}
|
||||
../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md
|
||||
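Review bot: "makundi ya dinamik" at L429 and L432 translates a feature name that the portal, the English page and the linked file (`dynamic-groups.md`) all call "dynamic groups"; keep the English term in parentheses on first use, for example "Makundi yanaweza kuwa ya dinamik (dynamic groups)", so readers can match it to the UI and the reference. The swap of "ataongezwa" (will be added) for "atajumuishwa" (will be included) at L429 moves away from the English "will be added to the group"; the earlier verb was the closer rendering.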
@@ -467,6 +549,30 @@ Headers = @{
|
||||
(Invoke-RestMethod @RequestParams).value
|
||||
```
|
||||
{{#endtab }}
|
||||
{{#tab name="MS Graph" }}
|
||||
```bash
|
||||
# Get Service Principals using Microsoft Graph PowerShell
|
||||
Get-MgServicePrincipal -All
|
||||
|
||||
# Get details of one Service Principal
|
||||
Get-MgServicePrincipal -ServicePrincipalId <ServicePrincipalId> | Format-List *
|
||||
|
||||
# Search SP by display name
|
||||
Get-MgServicePrincipal -All | Where-Object { $_.DisplayName -like "*app*" } | Select-Object DisplayName
|
||||
|
||||
# Get owner of Service Principal
|
||||
Get-MgServicePrincipalOwner -ServicePrincipalId <ServicePrincipalId>
|
||||
|
||||
# Get objects owned by a Service Principal
|
||||
Get-MgServicePrincipalOwnedObject -ServicePrincipalId <ServicePrincipalId>
|
||||
|
||||
# Get groups where the SP is a member
|
||||
Get-MgServicePrincipalMemberOf -ServicePrincipalId <ServicePrincipalId>
|
||||
|
||||
# List available commands in Microsoft Graph PowerShell
|
||||
Get-Command -Module Microsoft.Graph.ServicePrincipals
|
||||
```
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="Azure AD" }}
|
||||
```bash
|
||||
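Review bot: the `# Search SP by display name` line pulls every service principal with `-All` and filters client-side with `Where-Object`, whereas the application tab added in this same diff already uses a server-side `-Filter "startswith(displayName, 'app')"`; use the same form here (`Get-MgServicePrincipal -Filter "startswith(displayName,'app')"`), which is far cheaper on large tenants and keeps the two tabs consistent. The tab also lacks what a tester most wants from a service principal, its app roles and credentials, which the Az tab shows for applications with `Get-AzADAppCredential`: `Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <Id>` (roles this SP holds on other apps), `Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId <Id>` (who holds roles on this SP), and the `PasswordCredentials` and `KeyCredentials` properties of `Get-MgServicePrincipal` would round it out. The fence tag should be powershell.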
@@ -645,6 +751,25 @@ Get-AzADAppCredential
|
||||
```
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="MS Graph" }}
|
||||
```bash
|
||||
# List Applications using Microsoft Graph PowerShell
|
||||
Get-MgApplication -All
|
||||
|
||||
# Get application details
|
||||
Get-MgApplication -ApplicationId 7861f72f-ad49-4f8c-96a9-19e6950cffe1 | Format-List *
|
||||
|
||||
# Search App by display name
|
||||
Get-MgApplication -Filter "startswith(displayName, 'app')" | Select-Object DisplayName
|
||||
|
||||
# Get owner of an application
|
||||
Get-MgApplicationOwner -ApplicationId <ApplicationId>
|
||||
|
||||
# List available commands in Microsoft Graph PowerShell
|
||||
Get-Command -Module Microsoft.Graph.Applications
|
||||
```
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="Azure AD" }}
|
||||
```bash
|
||||
# List all registered applications
|
||||
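Review bot: `Get-MgApplication -ApplicationId 7861f72f-ad49-4f8c-96a9-19e6950cffe1` hardcodes a specific object id where every other line in the block uses a `<...>` placeholder; replace it with `<ApplicationId>`. The comment should also say which id that is: `-ApplicationId` takes the application's object id, not the client id (`appId`) that shows up in sign-in logs and `client_id` parameters, so add the client-id lookup form `Get-MgApplication -Filter "appId eq '<client_id>'"`. For parity with the Az tab's `Get-AzADAppCredential` in the context above, an example of reading credential metadata, `(Get-MgApplication -ApplicationId <ApplicationId>).PasswordCredentials` and `.KeyCredentials`, belongs here too (secret values are never returned, only display name, key id and expiry, which is what you use to spot stale or long-lived secrets). The fence tag should be powershell.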
@@ -668,7 +793,7 @@ Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *
|
||||
> Hivyo, ukipata **nenosiri** hili unaweza kufikia kama **service principal** **ndani** ya **tenant**.\
|
||||
> Kumbuka kwamba nenosiri hili linaonekana tu wakati linapotengenezwa (unaweza kulibadilisha lakini huwezi kulipata tena).\
|
||||
> **Mmiliki** wa **programu** anaweza **kuongeza nenosiri** kwake (ili aweze kujifanya kuwa yeye).\
|
||||
> Kuingia kama service principals hawa **hakutajwi kama hatari** na hawatakuwa na MFA.**
|
||||
> Kuingia kama hawa service principals **hakutajwi kuwa na hatari** na hawatakuwa na MFA.**
|
||||
|
||||
Inawezekana kupata orodha ya App IDs zinazotumika mara kwa mara zinazomilikiwa na Microsoft katika [https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications](https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications)
|
||||
|
||||
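Review bot: both the old L613 and the new L616 end with `na hawatakuwa na MFA.**` with no opening `**` earlier in the line, so the markdown renders a literal pair of asterisks; either bold the whole clause (`**hakutajwi kuwa na hatari** na **hawatakuwa na MFA**`) or drop the trailing `**`. The same hunk still says "nenosiri" at L604, L607 and L610 although this diff renames the term to "nywila" in the "Badilisha Nywila ya Mtumiaji" heading; align it with whichever term is kept.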
@@ -719,7 +844,27 @@ az role assignment list --all --query "[].{principalName:principalName,principal
|
||||
# Get all the roles assigned to a user
|
||||
az role assignment list --assignee "<email>" --all --output table
|
||||
# Get all the roles assigned to a user by filtering
|
||||
az role assignment list --all --query "[?principalName=='carlos@carloshacktricks.onmicrosoft.com']" --output table
|
||||
az role assignment list --all --query "[?principalName=='admin@organizationadmin.onmicrosoft.com']" --output table
|
||||
```
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="MS Graph" }}
|
||||
```bash
|
||||
|
||||
# List all available role templates using Microsoft Graph PowerShell
|
||||
Get-MgDirectoryRoleTemplate -All
|
||||
|
||||
# List enabled built-in Entra ID roles
|
||||
Get-MgDirectoryRole -All
|
||||
|
||||
# List all Entra ID roles with their permissions (including custom roles)
|
||||
Get-MgDirectoryRoleDefinition -All
|
||||
|
||||
# List members of a Entra ID role
|
||||
Get-MgDirectoryRoleMember -DirectoryRoleId <RoleId> -All
|
||||
|
||||
# List available commands in Microsoft Graph PowerShell
|
||||
Get-Command -Module Microsoft.Graph.Identity.DirectoryManagement
|
||||
```
|
||||
{{#endtab }}
|
||||
|
||||
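Review bot: the comment `# List members of a Entra ID role` above `Get-MgDirectoryRoleMember -DirectoryRoleId <RoleId>` should state which id is expected: the cmdlet wants the directoryRole object id returned by `Get-MgDirectoryRole`, not the `roleTemplateId` that `Get-MgDirectoryRoleTemplate` lists two commands above, and a role never activated in the tenant does not appear in `Get-MgDirectoryRole` at all. The block also only shows active memberships; on a privilege-escalation page PIM-eligible assignments matter at least as much, so `Get-MgRoleManagementDirectoryRoleAssignment -All` (active, with scope) and `Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All` (eligible) from Microsoft.Graph.Identity.Governance are worth adding. Minor: the block opens with an empty line right after the fence, "a Entra ID role" should be "an Entra ID role", and the fence tag should be powershell.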
@@ -752,9 +897,9 @@ Headers = @{
|
||||
{{#endtab }}
|
||||
{{#endtabs }}
|
||||
|
||||
### Entra ID Roles
|
||||
### Entra ID Majukumu
|
||||
|
||||
Kwa maelezo zaidi kuhusu Azure roles angalia:
|
||||
Kwa maelezo zaidi kuhusu majukumu ya Azure angalia:
|
||||
|
||||
{{#ref}}
|
||||
../az-basic-information/
|
||||
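Review bot: the new heading "### Entra ID Majukumu" at L720 keeps English word order; the body line in the same hunk uses "majukumu ya Azure", so the heading should read "### Majukumu ya Entra ID" for the same construction. Separately, a heading about Entra ID roles followed by "majukumu ya Azure" and a link to az-basic-information mixes Entra ID directory roles with Azure RBAC roles, which are different things; that wording comes from the English source, but the translated sentence could say "majukumu ya Entra ID" so it matches its own heading.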
@@ -833,6 +978,24 @@ Get-AzureADMSScopedRoleMembership -Id <id> | fl *
|
||||
# If you know how to do this send a PR!
|
||||
```
|
||||
{{#endtab }}
|
||||
{{#tab name="MS Graph" }}
|
||||
```bash
|
||||
# Enumerate devices using Microsoft Graph PowerShell
|
||||
Get-MgDevice -All
|
||||
|
||||
# Get device details
|
||||
Get-MgDevice -DeviceId <DeviceId> | Format-List *
|
||||
|
||||
# Get devices managed using Intune
|
||||
Get-MgDevice -Filter "isCompliant eq true" -All
|
||||
|
||||
# Get devices owned by a user
|
||||
Get-MgUserOwnedDevice -UserId test@corp.onmicrosoft.com
|
||||
|
||||
# List available commands in Microsoft Graph PowerShell
|
||||
Get-Command -Module Microsoft.Graph.Identity.DirectoryManagement
|
||||
```
|
||||
{{#endtab }}
|
||||
|
||||
{{#tab name="Azure AD" }}
|
||||
```bash
|
||||
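Review bot: `# Get devices managed using Intune` above `Get-MgDevice -Filter "isCompliant eq true"` mislabels the query: `isCompliant` is the compliance-policy result, while management by Intune is `isManaged eq true` (with `managementType` saying by what); use `-Filter "isManaged eq true"` or change the comment to "compliant devices". Also `Get-MgDevice -DeviceId <DeviceId>` takes the device's directory object id, not the `deviceId` GUID shown on the device and in sign-in logs, which is a common trip-up; a comment, plus the `Get-MgDevice -Filter "deviceId eq '<guid>'"` form for the other id, would help. The fence tag should be powershell.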
@@ -915,7 +1078,7 @@ Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members
|
||||
|
||||
Privileged Identity Management (PIM) katika Azure inasaidia **kuzuia mamlaka kupita kiasi** kutolewa kwa watumiaji bila sababu.
|
||||
|
||||
Moja ya sifa kuu zinazotolewa na PIM ni kwamba inaruhusu kutokutoa majukumu kwa wakuu ambao wako hai kila wakati, bali kuwafanya **kuwa na haki kwa kipindi fulani (mfano miezi 6)**. Kisha, kila wakati mtumiaji anapotaka kuanzisha jukumu hilo, anahitaji kuomba akionyesha muda anahitaji mamlaka (mfano masaa 3). Kisha **meneja anahitaji kuidhinisha** ombi hilo.\
|
||||
Moja ya sifa kuu zinazotolewa na PIM ni kwamba inaruhusu kutokutoa majukumu kwa wakuu ambao wako hai kila wakati, lakini kuwafanya **kuwa na haki kwa kipindi fulani (mfano miezi 6)**. Kisha, kila wakati mtumiaji anapotaka kuanzisha jukumu hilo, anahitaji kuomba akionyesha muda anahitaji mamlaka (mfano masaa 3). Kisha **meneja anahitaji kuidhinisha** ombi hilo.\
|
||||
Kumbuka kwamba mtumiaji pia atakuwa na uwezo wa kuomba **kupanua** muda.
|
||||
|
||||
Zaidi ya hayo, **PIM inatuma barua pepe** kila wakati jukumu lenye mamlaka linapopewa mtu.
|
||||
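Review bot: "wakuu" at L822 (kept from L819) is a mistranslation of "principals" in the IAM sense; it reads as chiefs or senior people, whereas the English means the users, groups and service principals that can hold a role, so keep the technical term ("principals") or spell it out as users and service principals. In the same sentence "always active" has attached to the principals ("wakuu ambao wako hai kila wakati"); in the English it is the role assignments that are permanently active and PIM replaces them with time-bound eligibility, so the qualifier belongs on the roles, not on the people.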
@@ -945,7 +1108,7 @@ Angalia:
|
||||
|
||||
Entra Identity Protection ni huduma ya usalama inayoruhusu **kubaini wakati mtumiaji au kuingia kuna hatari kubwa** ili kukubaliwa, ikiruhusu **kuzuia** mtumiaji au jaribio la kuingia.
|
||||
|
||||
Inaruhusu meneja kuiseti ili **kuzuia** majaribio wakati hatari ni "Chini na juu", "Kati na juu" au "Juu". Ingawa, kwa default ime **zimwa** kabisa:
|
||||
Inaruhusu meneja kuiseti ili **kuzuia** majaribio wakati hatari ni "Chini na juu", "Kati na juu" au "Juu". Ingawa, kwa kawaida ime **zimwa** kabisa:
|
||||
|
||||
<figure><img src="../../../images/image (356).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
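Review bot: the risk levels at L846, "Chini na juu", "Kati na juu" and "Juu", are the portal's own option strings ("Low and above", "Medium and above", "High"); keep the English values in parentheses so a reader can find the setting in the Identity Protection policy blade, which the screenshot that follows shows in English. The bold in "ime **zimwa** kabisa" splits a single verb form (imezimwa); "**imezimwa** kabisa" or "imezimwa **kabisa**" renders cleanly.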
@@ -957,9 +1120,9 @@ Inaruhusu meneja kuiseti ili **kuzuia** majaribio wakati hatari ni "Chini na juu
|
||||
Entra Password Protection ([https://portal.azure.com/index.html#view/Microsoft_AAD_ConditionalAccess/PasswordProtectionBlade](https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PasswordProtectionBlade)) ni kipengele cha usalama ambacho **kinasaidia kuzuia matumizi mabaya ya nywila dhaifu kwa kufunga akaunti wakati majaribio kadhaa yasiyofanikiwa ya kuingia yanapotokea**.\
|
||||
Inaruhusu pia **kufungia orodha ya nywila maalum** ambayo unahitaji kutoa.
|
||||
|
||||
Inaweza **kutumika kwa kiwango cha wingu na pia kwenye Active Directory ya ndani**.
|
||||
Inaweza **kutumika kwa kiwango cha wingu na kwenye Active Directory ya ndani**.
|
||||
|
||||
Njia ya default ni **Ukaguzi**:
|
||||
Njia ya kawaida ni **Audit**:
|
||||
|
||||
<figure><img src="../../../images/image (355).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
|
||||
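Review bot: L878 switches "Ukaguzi" to the untranslated "**Audit**" for the default mode, which fits since "Audit" and "Enforced" are the option names in the blade, but the same convention should then be applied to the Identity Protection levels earlier in this diff; give the Swahili gloss in parentheses, "**Audit** (ukaguzi)", so the term is searchable in both languages. On the context line, the description of Password Protection as locking accounts after repeated failed sign-ins refers to smart lockout, which lives on the same blade but is a separate control from the custom banned-password list the next sentence describes; that is an upstream English inaccuracy rather than a translation error, so it is better fixed in the source than reproduced here.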