Azure Pentesting

EK BOU NOG STEEDS DIE AZURE METODOLOGIE

Basiese Inligting

Azure Pentester/Red Team Metodologie

Om 'n AZURE-omgewing te oudit, is dit baie belangrik om te weet: watter diensse word gebruik, wat blootgestel word, wie het toegang tot wat, en hoe is interne Azure-diensse en eksterne diensse gekoppel.

Vanuit 'n Red Team-oogpunt is die eerste stap om 'n Azure-omgewing te kompromitteer om te slaag om sekere geldeenhede vir Azure AD te verkry. Hier het jy 'n paar idees oor hoe om dit te doen:

• Lekke in github (of soortgelyk) - OSINT

• Sosiale Ingenieurswese

• Wagwoord hergebruik (wagwoordlek)

• Kwesbaarhede in Azure-gehoste Aansoeke

• Bedienerkant Aanvraagvervalsing met toegang tot meta-data-eindpunt

• Plaaslike Lêes van Lêers

• /home/USERNAME/.azure

• C:\Users\USERNAME\.azure

• Die lêer accessTokens.json in az cli voor 2.30 - Jan2022 - het toegangsgeldeenhede in die teks gestoor

• Die lêer azureProfile.json bevat inligting oor die aangemelde gebruiker.

• az logout verwyder die geldeenheid.

• Ouer weergawes van Az PowerShell het toegangsgeldeenhede in teks in TokenCache.dat gestoor. Dit stoor ook ServicePrincipalSecret in teks in AzureRmContext.json. Die cmdlet Save-AzContext kan gebruik word om geldeenhede te stoor. Gebruik Disconnect-AzAccount om hulle te verwyder.

• 3de partye geskend

• Interne Werknemer

• Gewone Hengel (geldeenhede of Oauth-toep)

• Toestelkoderingshengel

• Azure Wagwoord Spuit

Selfs as jy geen gebruiker binne die Azure-huurder wat jy aanval, gekompromitteer het nie, kan jy steeds inligting daaroor versamel:

Basiese Opname

SSRF

As jy 'n SSRF in 'n masjien binne Azure gevind het, kyk na hierdie bladsy vir truuks:

Deur Aanmeldingsvoorwaardes

In gevalle waar jy enkele geldige geldeenhede het, maar nie kan aanmeld nie, is hierdie algemene beskermingsmaatreëls wat van toepassing kan wees:

• IP-witlysing -- Jy moet 'n geldige IP kompromitteer

• Geo-beperkings -- Vind uit waar die gebruiker woon of waar die maatskappy se kantore is en kry 'n IP van dieselfde stad (of ten minste dieselfde land)

• Blaaier -- Miskien is slegs 'n blaaier van 'n sekere bedryfstelsel (Windows, Linux, Mac, Android, iOS) toegelaat. Vind uit watter bedryfstelsel die slagoffer/maatskappy gebruik.

• Jy kan ook probeer om Service Principal-geldeenhede te kompromitteer aangesien hulle gewoonlik minder beperk is en hul aanmelding minder hersien word

Nadat jy dit omseil het, kan jy dalk terugkeer na jou aanvanklike opstelling en steeds toegang hê.

Subdomein-oorneem

• https://godiego.co/posts/STO-Azure/

Wie is ek

Een van die eerste dinge wat jy moet weet, is wie jy is (in watter omgewing jy is):

az account list
az account tenant list # Current tenant info
az account subscription list # Current subscription info
az ad signed-in-user show # Current signed-in user
az ad signed-in-user list-owned-objects # Get owned objects by current user
az account management-group list #Not allowed by default

AzureAD

Identifying Azure AD Users

To identify Azure AD users, you can use various techniques such as:

• Enumerating users through the Azure AD Graph API

• Extracting user information from leaked documents or databases

• Harvesting email addresses from public sources or company websites

Enumerating Azure AD Groups

To enumerate Azure AD groups, you can:

• Use the Azure AD Graph API to list all groups

• Extract group information from leaked data or documents

• Search for group names on public platforms or forums

Exploiting Azure AD Misconfigurations

Common misconfigurations in Azure AD that can be exploited include:

• Weak or default passwords for user accounts

• Improperly configured group permissions

• Lack of multi-factor authentication for sensitive accounts

Attacking Azure AD Connect

Azure AD Connect can be targeted by:

• Exploiting vulnerabilities in the synchronization process

• Gaining access to the Azure AD Connect server

• Manipulating synchronization rules to achieve unauthorized access

Bypassing Azure AD Security Controls

To bypass Azure AD security controls, attackers may:

• Use password spraying or brute force attacks

• Exploit weaknesses in conditional access policies

• Abuse privileged roles or misconfigured permissions

Escalating Privileges in Azure AD

Privilege escalation in Azure AD can be achieved by:

• Exploiting vulnerabilities in Azure AD roles and permissions

• Abusing administrative roles to gain higher privileges

• Leveraging misconfigurations to escalate privileges within Azure AD

Maintaining Access in Azure AD

To maintain access in Azure AD, attackers can:

• Create backdoors using compromised credentials

• Establish persistence through scheduled tasks or service principals

• Monitor Azure AD logs for detection evasion

Covering Tracks in Azure AD

To cover tracks in Azure AD, attackers may:

• Delete logs or audit trails to hide malicious activities

• Modify timestamps to conceal unauthorized access

• Use anti-forensic techniques to avoid detection

#Get the current session state
Get-AzureADCurrentSessionInfo
#Get details of the current tenant
Get-AzureADTenantDetail

Az PowerShell

Hierdie gids bevat inligting oor hoe om Az PowerShell te gebruik vir die outomatisering van sekuriteitsverwante take in Azure. Dit sluit in die installering van die Az PowerShell-module, die instelling van verbindings met Azure, en die uitvoering van sekuriteitsopdragte deur middel van Az PowerShell-opdraggolwe.

# Get the information about the current context (Account, Tenant, Subscription etc.)
Get-AzContext
# List all available contexts
Get-AzContext -ListAvailable
# Enumerate subscriptions accessible by the current user
Get-AzSubscription
#Get Resource group
Get-AzResourceGroup
# Enumerate all resources visible to the current user
Get-AzResource
# Enumerate all Azure RBAC role assignments
Get-AzRoleAssignment # For all users
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com # For current user

AzureAD Enumerasie

Standaard behoort enige gebruiker genoeg toestemmings te hê om dinge soos gebruikers, groepe, rolle, diensprinsipale te ontleed (kyk na standaard AzureAD-toestemmings). Jy kan hier 'n gids vind:

Diensprinsipaal en Toegangbeleid

'n Azure-diens kan 'n Stelselidentiteit hê (van die diens self) of 'n Gebruikerstoegewysde Bestuurde Identiteit gebruik. Hierdie Identiteit kan Toegangbeleid hê om byvoorbeeld 'n KeyVault te lees vir geheime. Hierdie Toegangbeleide behoort beperk te wees (minste bevoorregtingbeginsel), maar mag meer toestemmings hê as wat nodig is. Tipies sal 'n App-diens KeyVault gebruik om geheime en sertifikate te herwin.

Dit is dus nuttig om hierdie identiteite te verken.

App-diens SCM

Kudu-konsol om in te teken op die App-diens 'houer'.

Webshell

Gebruik portal.azure.com en kies die skul, of gebruik shell.azure.com, vir 'n bash of powershell. Die 'skyf' van hierdie skul word gestoor as 'n beeldlêer in 'n stoorrekening.

Azure DevOps

Azure DevOps is afsonderlik van Azure. Dit het bewaarplekke, pyplyne (yaml of vrystelling), borde, wiki, en meer. Veranderlike Groepe word gebruik om veranderlike waardes en geheime te stoor.

Geoutomatiseerde Verkenningstools

ROADRecon

cd ROADTools
pipenv shell
roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!"
roadrecon gather
roadrecon gui

Monkey365

Import-Module monkey365
Get-Help Invoke-Monkey365
Get-Help Invoke-Monkey365 -Detailed
Invoke-Monkey365 -IncludeAzureActiveDirectory -ExportTo HTML -Verbose -Debug -InformationAction Continue
Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML

Stormspotter

# Start Backend
cd stormspotter\backend\
pipenv shell
python ssbackend.pyz

# Start Front-end
cd stormspotter\frontend\dist\spa\
quasar.cmd serve -p 9091 --history

# Run Stormcollector
cd stormspotter\stormcollector\
pipenv shell
az login -u test@corp.onmicrosoft.com -p Welcome2022!
python stormspotter\stormcollector\sscollector.pyz cli
# This will generate a .zip file to upload in the frontend (127.0.0.1:9091)

AzureHound

# You need to use the Az PowerShell and Azure AD modules:
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("test@corp.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds

Import-Module AzureAD\AzureAD.psd1
Connect-AzureAD -Credential $creds

# Launch AzureHound
. AzureHound\AzureHound.ps1
Invoke-AzureHound -Verbose

# Simple queries
## All Azure Users
MATCH (n:AZUser) return n.name
## All Azure Applications
MATCH (n:AZApp) return n.objectid
## All Azure Devices
MATCH (n:AZDevice) return n.name
## All Azure Groups
MATCH (n:AZGroup) return n.name
## All Azure Key Vaults
MATCH (n:AZKeyVault) return n.name
## All Azure Resource Groups
MATCH (n:AZResourceGroup) return n.name
## All Azure Service Principals
MATCH (n:AZServicePrincipal) return n.objectid
## All Azure Virtual Machines
MATCH (n:AZVM) return n.name
## All Principals with the ‘Contributor’ role
MATCH p = (n)-[r:AZContributor]->(g) RETURN p

# Advanced queries
## Get Global Admins
MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p
## Owners of Azure Groups
MATCH p = (n)-[r:AZOwns]->(g:AZGroup) RETURN p
## All Azure Users and their Groups
MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p
## Privileged Service Principals
MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p
## Owners of Azure Applications
MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p
## Paths to VMs
MATCH p = (n)-[r]->(g: AZVM) RETURN p
## Paths to KeyVault
MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
## Paths to Azure Resource Group
MATCH p = (n)-[r]->(g:AZResourceGroup) RETURN p
## On-Prem users with edges to Azure
MATCH  p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p
## All Azure AD Groups that are synchronized with On-Premise AD
MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n

Azucar

# You should use an account with at least read-permission on the assets you want to access
git clone https://github.com/nccgroup/azucar.git
PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File

PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000

# resolve the TenantID for an specific username
PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com

MicroBurst

Import-Module .\MicroBurst.psm1
Import-Module .\Get-AzureDomainInfo.ps1
Get-AzureDomainInfo -folder MicroBurst -Verbose

PowerZure

Connect-AzAccount
ipmo C:\Path\To\Powerzure.psd1
Get-AzureTarget

# Reader
$ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails

# Contributor
$ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami"
$ Execute-MSBuild -VM Win10Test  -ResourceGroup Test-RG -File "build.xml"
$ Get-AllSecrets # AllAppSecrets, AllKeyVaultContents
$ Get-AvailableVMDisks, Get-VMDisk # Download a virtual machine's disk

# Owner
$ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest

# Administrator
$ Create-Backdoor, Execute-Backdoor