Az - Entra ID (formerly AzureAD - AAD) & IAM
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Azure Active Directory (Azure AD) inatumika kama huduma ya Microsoft ya msingi ya wingu kwa usimamizi wa utambulisho na ufikiaji. Ni muhimu katika kuwezesha wafanyakazi kuingia na kupata rasilimali, ndani na nje ya shirika, ikiwa ni pamoja na Microsoft 365, lango la Azure, na maombi mengine mengi ya SaaS. Muundo wa Azure AD unalenga kutoa huduma muhimu za utambulisho, ikiwa ni pamoja na uthibitishaji, ruhusa, na usimamizi wa watumiaji.
Vipengele muhimu vya Azure AD vinajumuisha uthibitishaji wa hatua nyingi na ufikiaji wa masharti, pamoja na uunganisho usio na mshono na huduma nyingine za usalama za Microsoft. Vipengele hivi vinainua usalama wa utambulisho wa watumiaji na kuweza kuwezesha mashirika kutekeleza na kutekeleza sera zao za ufikiaji kwa ufanisi. Kama sehemu ya msingi ya mfumo wa huduma za wingu za Microsoft, Azure AD ni muhimu kwa usimamizi wa utambulisho wa watumiaji kwa msingi wa wingu.
az login #This will open the browser (if not use --use-device-code)
az login -u <username> -p <password> #Specify user and password
az login --identity #Use the current machine managed identity (metadata)
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity
# Login as service principal
## With password
az login --service-principal -u <application ID> -p VerySecret --tenant contoso.onmicrosoft.com # Tenant can also be the tenant UUID
## With cert
az login --service-principal -u <application ID> -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com
# Request access token (ARM)
az account get-access-token
# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
az account get-access-token --resource-type aad-graph
# If you want to configure some defaults
az configure
# Get user logged-in already
az ad signed-in-user show
# Help
az find "vm" # Find vm commands
az vm -h # Get subdomains
az ad user list --query-examples # Get examples
# Login Open browser
Connect-MgGraph
# Login with service principal secret
## App ID and Tenant ID of your Azure AD App Registration
$appId = "<appId>"
$tenantId = "<tenantId>"
$clientSecret = "<clientSecret>"
## Convert the client secret to a SecureString
$secureSecret = ConvertTo-SecureString -String $clientSecret -AsPlainText -Force
## Create a PSCredential object
$credential = New-Object System.Management.Automation.PSCredential ($appId, $secureSecret)
## Connect using client credentials
Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $credential
# Login with token
$token = (az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv)
$secureToken = ConvertTo-SecureString $token -AsPlainText -Force
Connect-MgGraph -AccessToken $secureToken
# Find commands
Find-MgGraphCommand -command *Mg*
Connect-AzAccount #Open browser
# Using credentials
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@corp.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
# Get Access Token
(Get-AzAccessToken).Token
# Request access token to other endpoints: AadGraph, AnalysisServices, Arm, Attestation, Batch, DataLake, KeyVault, MSGraph, OperationalInsights, ResourceManager, Storage, Synapse
(Get-AzAccessToken -ResourceTypeName MSGraph).Token
(Get-AzAccessToken -Resource "https://graph.microsoft.com").Token
# Connect with access token
Connect-AzAccount -AccountId test@corp.onmicrosoft.com -AccessToken $token
Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId <ACCOUNT-ID>
## The -AccessToken is from management.azure.com
# Connect with Service principal/enterprise app secret
$password = ConvertTo-SecureString 'KWEFNOIRFIPMWL.--DWPNVFI._EDWWEF_ADF~SODNFBWRBIF' -AsPlainText -Force
$creds = New-Object
System.Management.Automation.PSCredential('2923847f-fca2-a420-df10-a01928bec653', $password)
Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant 29sd87e56-a192-a934-bca3-0398471ab4e7d
#All the Azure AD cmdlets have the format *-AzAD*
Get-Command *azad*
#Cmdlets for other Azure resources have the format *Az*
Get-Command *az*
#Using management
$Token = 'eyJ0eXAi..'
# List subscriptions
$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value
# Using graph
Invoke-WebRequest -Uri "https://graph.windows.net/myorganization/users?api-version=1.6" -Headers @{Authorization="Bearer {0}" -f $Token}
# Request tokens to access endpoints
# ARM
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
# Vault
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
Connect-AzureAD #Open browser
# Using credentials
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("test@corp.onmicrosoft.com", $passwd)
Connect-AzureAD -Credential $creds
# Using tokens
## AzureAD cannot request tokens, but can use AADGraph and MSGraph tokens to connect
Connect-AzureAD -AccountId test@corp.onmicrosoft.com -AadAccessToken $token
Wakati unapo ingia kupitia CLI kwenye Azure na programu yoyote, unatumia Programu ya Azure kutoka tenant inayomilikiwa na Microsoft. Programu hizi, kama zile unazoweza kuunda kwenye akaunti yako, zina kitambulisho cha mteja. Hutaweza kuona zote katika orodha za programu zilizoruhusiwa unazoweza kuona kwenye console, lakini zinaruhusiwa kwa default.
Kwa mfano, script ya powershell inayofanya uthibitisho inatumia programu yenye kitambulisho cha mteja 1950a258-227b-4e31-a9cf-717495945fc2
. Hata kama programu hiyo haitappear kwenye console, sysadmin anaweza kuzuia programu hiyo ili watumiaji wasiweze kufikia kwa kutumia zana zinazounganisha kupitia programu hiyo.
Hata hivyo, kuna vitambulisho vingine vya mteja vya programu ambavyo vitakuruhusu kuungana na Azure:
# The important part is the ClientId, which identifies the application to login inside Azure
$token = Invoke-Authorize -Credential $credential `
-ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d' `
-Scope 'Files.Read.All openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "https://graphtryit-staging.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue
$token = Invoke-Authorize -Credential $credential `
-ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9' `
-Scope 'openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah" `
-Verbose -Debug `
-InformationAction Continue
$token = Invoke-Authorize -Credential $credential `
-ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095' `
-Scope 'openid' `
-Redirect_Uri "https://graphexplorer.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue
# List tenants
az account tenant list
Kwa maelezo zaidi kuhusu watumiaji wa Entra ID angalia:
# Enumerate users
az ad user list --output table
az ad user list --query "[].userPrincipalName"
# Get info of 1 user
az ad user show --id "test@corp.onmicrosoft.com"
# Search "admin" users
az ad user list --query "[].displayName" | findstr /i "admin"
az ad user list --query "[?contains(displayName,'admin')].displayName"
# Search attributes containing the word "password"
az ad user list | findstr /i "password" | findstr /v "null,"
# All users from Entra ID
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"
az ad user list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All users synced from on-prem
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"
az ad user list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get groups where the user is a member
az ad user get-member-groups --id <email>
# Get roles assigned to the user in Azure (NOT in Entra ID)
az role assignment list --include-inherited --include-groups --include-classic-administrators true --assignee <email>
# Get ALL roles assigned in Azure in the current subscription (NOT in Entra ID)
az role assignment list --include-inherited --include-groups --include-classic-administrators true --all
# Get EntraID roles assigned to a user
## Get Token
export TOKEN=$(az account get-access-token --resource https://graph.microsoft.com/ --query accessToken -o tsv)
## Get users
curl -X GET "https://graph.microsoft.com/v1.0/users" \
-H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" | jq
## Get EntraID roles assigned to an user
curl -X GET "https://graph.microsoft.com/beta/rolemanagement/directory/transitiveRoleAssignments?\$count=true&\$filter=principalId%20eq%20'86b10631-ff01-4e73-a031-29e505565caa'" \
-H "Authorization: Bearer $TOKEN" \
-H "ConsistencyLevel: eventual" \
-H "Content-Type: application/json" | jq
## Get role details
curl -X GET "https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/cf1c38e5-3621-4004-a7cb-879624dced7c" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" | jq
# Enumerate Users
Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName
# Get info of 1 user
Get-AzureADUser -ObjectId test@corp.onmicrosoft.com | fl
# Search "admin" users
Get-AzureADUser -SearchString "admin" #Search admin at the begining of DisplayName or userPrincipalName
Get-AzureADUser -All $true |?{$_.Displayname -match "admin"} #Search "admin" word in DisplayName
# Get all attributes of a user
Get-AzureADUser -ObjectId test@defcorphq.onmicrosoft.com|%{$_.PSObject.Properties.Name}
# Search attributes containing the word "password"
Get-AzureADUser -All $true |%{$Properties = $_;$Properties.PSObject.Properties.Name | % {if ($Properties.$_ -match 'password') {"$($Properties.UserPrincipalName) - $_ - $($Properties.$_)"}}}
# All users from AzureAD# All users from AzureAD
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All users synced from on-prem
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Objects created by a/any user
Get-AzureADUser [-ObjectId <email>] | Get-AzureADUserCreatedObject
# Devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Objects owned by a specific user
Get-AzureADUserOwnedObject -ObjectId test@corp.onmicrosoft.com
# Get groups & roles where the user is a member
Get-AzureADUserMembership -ObjectId 'test@corp.onmicrosoft.com'
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get devices registered by a user
Get-AzureADUserRegisteredDevice -ObjectId test@defcorphq.onmicrosoft.com
# Apps where a user has a role (role not shown)
Get-AzureADUser -ObjectId roygcain@defcorphq.onmicrosoft.com | Get-AzureADUserAppRoleAssignment | fl *
# Get Administrative Units of a user
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where { $_.Id -eq $userObj.ObjectId } }
# Enumerate users
Get-AzADUser
# Get details of a user
Get-AzADUser -UserPrincipalName test@defcorphq.onmicrosoft.com
# Search user by string
Get-AzADUser -SearchString "admin" #Search at the beginnig of DisplayName
Get-AzADUser | ?{$_.Displayname -match "admin"}
# Get roles assigned to a user
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
$password = "ThisIsTheNewPassword.!123" | ConvertTo- SecureString -AsPlainText –Force
(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@corp.onmicrosoft.com"}).ObjectId | Set- AzureADUserPassword -Password $password –Verbose
Inapendekezwa sana kuongeza MFA kwa kila mtumiaji, hata hivyo, baadhi ya kampuni hazitaweka au zinaweza kuziweka kwa Upatikanaji wa Masharti: Mtumiaji atakuwa na hitaji la MFA ikiwa anaingia kutoka eneo fulani, kivinjari au hali fulani. Sera hizi, ikiwa hazijapangwa vizuri zinaweza kuwa na uwezekano wa kupitishwa. Angalia:
Kwa maelezo zaidi kuhusu makundi ya Entra ID angalia:
# Enumerate groups
az ad group list
az ad group list --query "[].[displayName]" -o table
# Get info of 1 group
az ad group show --group <group>
# Get "admin" groups
az ad group list --query "[].displayName" | findstr /i "admin"
az ad group list --query "[?contains(displayName,'admin')].displayName"
# All groups from Entra ID
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All groups synced from on-prem
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get members of group
az ad group member list --group <group> --query "[].userPrincipalName" -o table
# Check if member of group
az ad group member check --group "VM Admins" --member-id <id>
# Get which groups a group is member of
az ad group get-member-groups -g "VM Admins"
# Get roles assigned to the group in Azure (NOT in Entra ID)
az role assignment list --include-groups --include-classic-administrators true --assignee <group-id>
# To get Entra ID roles assigned check how it's done with users and use a group ID
# Enumerate Groups
Get-AzureADGroup -All $true
# Get info of 1 group
Get-AzADGroup -DisplayName <resource_group_name> | fl
# Get "admin" groups
Get-AzureADGroup -SearchString "admin" | fl #Groups starting by "admin"
Get-AzureADGroup -All $true |?{$_.Displayname -match "admin"} #Groups with the word "admin"
# Get groups allowing dynamic membership
Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}
# All groups that are from Azure AD
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All groups that are synced from on-prem (note that security groups are not synced)
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Get members of a group
Get-AzureADGroupMember -ObjectId <group_id>
# Get roles of group
Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators" #Get group id
Get-AzureADMSRoleAssignment -Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"
# Get Administrative Units of a group
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }
# Get Apps where a group has a role (role not shown)
Get-AzureADGroup -ObjectId <id> | Get-AzureADGroupAppRoleAssignment | fl *
# Get all groups
Get-AzADGroup
# Get details of a group
Get-AzADGroup -ObjectId <id>
# Search group by string
Get-AzADGroup -SearchString "admin" | fl * #Search at the beginnig of DisplayName
Get-AzADGroup |?{$_.Displayname -match "admin"}
# Get members of group
Get-AzADGroupMember -GroupDisplayName <resource_group_name>
# Get roles of group
Get-AzRoleAssignment -ResourceGroupName <resource_group_name>
Wamiliki wa kundi wanaweza kuongeza watumiaji wapya kwenye kundi
Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose
Makundi yanaweza kuwa ya kidinamik, ambayo kimsingi inamaanisha kwamba ikiwa mtumiaji atatimiza masharti fulani atajumuishwa katika kundi. Bila shaka, ikiwa masharti yanategemea sifa ambazo mtumiaji anaweza kudhibiti, anaweza kutumia kipengele hiki vibaya ili kuingia katika makundi mengine. Angalia jinsi ya kutumia vibaya makundi ya kidinamik katika ukurasa ufuatao:
Kwa maelezo zaidi kuhusu wawakilishi wa huduma za Entra ID angalia:
# Get Service Principals
az ad sp list --all
az ad sp list --all --query "[].[displayName,appId]" -o table
# Get details of one SP
az ad sp show --id 00000000-0000-0000-0000-000000000000
# Search SP by string
az ad sp list --all --query "[?contains(displayName,'app')].displayName"
# Get owner of service principal
az ad sp owner list --id <id> --query "[].[displayName]" -o table
# Get service principals owned by the current user
az ad sp list --show-mine
# Get SPs with generated secret or certificate
az ad sp list --query '[?length(keyCredentials) > `0` || length(passwordCredentials) > `0`].[displayName, appId, keyCredentials, passwordCredentials]' -o json
# Get Service Principals
Get-AzureADServicePrincipal -All $true
# Get details about a SP
Get-AzureADServicePrincipal -ObjectId <id> | fl *
# Get SP by string name or Id
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -match "app"} | fl
Get-AzureADServicePrincipal -All $true | ?{$_.AppId -match "103947652-1234-5834-103846517389"}
# Get owner of SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwner |fl *
# Get objects owned by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwnedObject
# Get objects created by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalCreatedObject
# Get groups where the SP is a member
Get-AzureADServicePrincipal | Get-AzureADServicePrincipalMembership
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalMembership |fl *
# Get SPs
Get-AzADServicePrincipal
# Get info of 1 SP
Get-AzADServicePrincipal -ObjectId <id>
# Search SP by string
Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
# Get roles of a SP
Get-AzRoleAssignment -ServicePrincipalName <String>
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value
Mmiliki wa Huduma Kuu anaweza kubadilisha nenosiri lake.
```powershell # Just call Add-AzADAppSecret Function Add-AzADAppSecret { <# .SYNOPSIS Add client secret to the applications.
.PARAMETER GraphToken Pass the Graph API Token
.EXAMPLE PS C:> Add-AzADAppSecret -GraphToken 'eyJ0eX..'
.LINK https://docs.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http https://docs.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http #>
[CmdletBinding()] param( [Parameter(Mandatory=$True)] [String] $GraphToken = $null )
$AppList = $null $AppPassword = $null
$Params = @{ "URI" = "https://graph.microsoft.com/v1.0/applications" "Method" = "GET" "Headers" = @{ "Content-Type" = "application/json" "Authorization" = "Bearer $GraphToken" } }
try { $AppList = Invoke-RestMethod @Params -UseBasicParsing } catch { }
if($AppList -ne $null) { [System.Collections.ArrayList]$Details = @()
foreach($App in $AppList.value) { $ID = $App.ID $psobj = New-Object PSObject
$Params = @{ "URI" = "https://graph.microsoft.com/v1.0/applications/$ID/addPassword" "Method" = "POST" "Headers" = @{ "Content-Type" = "application/json" "Authorization" = "Bearer $GraphToken" } }
$Body = @{ "passwordCredential"= @{ "displayName" = "Password" } }
try { $AppPassword = Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json) Add-Member -InputObject $psobj -NotePropertyName "Object ID" -NotePropertyValue $ID Add-Member -InputObject $psobj -NotePropertyName "App ID" -NotePropertyValue $App.appId Add-Member -InputObject $psobj -NotePropertyName "App Name" -NotePropertyValue $App.displayName Add-Member -InputObject $psobj -NotePropertyName "Key ID" -NotePropertyValue $AppPassword.keyId Add-Member -InputObject $psobj -NotePropertyName "Secret" -NotePropertyValue $AppPassword.secretText $Details.Add($psobj) | Out-Null } catch { Write-Output "Failed to add new client secret to '$($App.displayName)' Application." } } if($Details -ne $null) { Write-Output "" Write-Output "Client secret added to : " Write-Output $Details | fl * } } else { Write-Output "Failed to Enumerate the Applications." } }
</details>
### Maombi
Kwa maelezo zaidi kuhusu Maombi angalia:
<div data-gb-custom-block data-tag="content-ref" data-url='../az-basic-information/'>
[az-basic-information](../az-basic-information/)
</div>
Wakati App inaundwa aina 2 za ruhusa zinatolewa:
* **Ruhusa** zinazotolewa kwa **Huduma Kuu**
* **Ruhusa** ambazo **app** inaweza kuwa nazo na kutumia kwa **niaba ya mtumiaji**.
<div data-gb-custom-block data-tag="tabs">
<div data-gb-custom-block data-tag="tab" data-title='az cli'>
```bash
# List Apps
az ad app list
az ad app list --query "[].[displayName,appId]" -o table
# Get info of 1 App
az ad app show --id 00000000-0000-0000-0000-000000000000
# Search App by string
az ad app list --query "[?contains(displayName,'app')].displayName"
# Get the owner of an application
az ad app owner list --id <id> --query "[].[displayName]" -o table
# Get SPs owned by current user
az ad app list --show-mine
# Get apps with generated secret or certificate
az ad app list --query '[?length(keyCredentials) > `0` || length(passwordCredentials) > `0`].[displayName, appId, keyCredentials, passwordCredentials]' -o json
# List all registered applications
Get-AzureADApplication -All $true
# Get details of an application
Get-AzureADApplication -ObjectId <id> | fl *
# List all the apps with an application password
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}
# Get owner of an application
Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *
# Get Apps
Get-AzADApplication
# Get details of one App
Get-AzADApplication -ObjectId <id>
# Get App searching by string
Get-AzADApplication | ?{$_.DisplayName -match "app"}
# Get Apps with password
Get-AzADAppCredential
App yenye ruhusa AppRoleAssignment.ReadWrite
inaweza kuinua hadhi hadi Global Admin kwa kujipatia nafasi hiyo.
Kwa maelezo zaidi angalia hii.
Mstari wa siri ambao programu inatumia kuthibitisha utambulisho wake wakati wa kuomba token ni nenosiri la programu. Hivyo, ukipata nenosiri hili unaweza kufikia kama service principal ndani ya tenant. Kumbuka kwamba nenosiri hili linaonekana tu wakati linapotengenezwa (unaweza kulibadilisha lakini huwezi kulipata tena). Mmiliki wa programu anaweza kuongeza nenosiri kwake (ili aweze kujifanya kuwa yeye). Kuingia kama service principals hawa hakutajwi kama hatari na hawatakuwa na MFA.
Inawezekana kupata orodha ya App IDs zinazotumika mara kwa mara ambazo ni za Microsoft katika https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications
Kwa maelezo zaidi kuhusu Identiti Zinazodhibitiwa angalia:
# List all manged identitiesaz identity list --output table# With the principal ID you can continue the enumeration in service principals
Kwa maelezo zaidi kuhusu majukumu ya Azure angalia:
# Get rolesaz role definition list# Get all assigned rolesaz role assignment list --all --query "[].roleDefinitionName"az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'# Get info of 1 roleaz role definition list --name "AzureML Registry User"# Get only custom rolesaz role definition list --custom-role-only# Get only roles assigned to the resource group indicatedaz role definition list --resource-group <resource_group># Get only roles assigned to the indicated scopeaz role definition list --scope <scope># Get all the principals a role is assigned toaz role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"# Get all the roles assigned to a useraz role assignment list --assignee "<email>" --all --output table# Get all the roles assigned to a user by filteringaz role assignment list --all --query "[?principalName=='carlos@carloshacktricks.onmicrosoft.com']" --output table# Get role assignments on the subscriptionGet-AzRoleDefinition# Get Role definitionGet-AzRoleDefinition -Name "Virtual Machine Command Executor"# Get roles of a user or resourceGet-AzRoleAssignment -SignInName test@corp.onmicrosoft.comGet-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name># Get permissions over a resource using ARM directly$Token = (Get-AzAccessToken).Token$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'$RequestParams = @{Method = 'GET'Uri = $URIHeaders = @{'Authorization' = "Bearer $Token"}}(Invoke-RestMethod @RequestParams).value
Kwa maelezo zaidi kuhusu Azure roles angalia:
# List template Entra ID rolesaz rest --method GET \--uri "https://graph.microsoft.com/v1.0/directoryRoleTemplates"# List enabled built-in Entra ID rolesaz rest --method GET \--uri "https://graph.microsoft.com/v1.0/directoryRoles"# List all Entra ID roles with their permissions (including custom roles)az rest --method GET \--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions"# List only custom Entra ID rolesaz rest --method GET \--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)'# List all assigned Entra ID rolesaz rest --method GET \--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"# List members of a Entra ID rolesaz rest --method GET \--uri "https://graph.microsoft.com/v1.0/directoryRoles/<role-id>/members"# List Entra ID roles assigned to a useraz rest --method GET \--uri "https://graph.microsoft.com/v1.0/users/<user-id>/memberOf/microsoft.graph.directoryRole" \--query "value[]" \--output json# List Entra ID roles assigned to a groupaz rest --method GET \--uri "https://graph.microsoft.com/v1.0/groups/$GROUP_ID/memberOf/microsoft.graph.directoryRole" \--query "value[]" \--output json# List Entra ID roles assigned to a service principalaz rest --method GET \--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$SP_ID/memberOf/microsoft.graph.directoryRole" \--query "value[]" \--output json# Get all available role templatesGet-AzureADDirectoryroleTemplate# Get enabled roles (Assigned roles)Get-AzureADDirectoryRoleGet-AzureADDirectoryRole -ObjectId <roleID> #Get info about the role# Get custom roles - use AzureAdPreviewGet-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName# Users assigned a role (Global Administrator)Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMemberGet-AzureADDirectoryRole -ObjectId <id> | fl# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)Get-AzureADMSScopedRoleMembership -Id <id> | fl *
# If you know how to do this send a PR!# Enumerate DevicesGet-AzureADDevice -All $true | fl *# List all the active devices (and not the stale devices)Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimeStamp -ne $null}# Get owners of all devicesGet-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwnerGet-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}# Registred users of all the devicesGet-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUserGet-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}# Get dives managed using IntuneGet-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}# Get devices owned by a userGet-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com# Get Administrative Units of a deviceGet-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $deviceObjId} }
Ikiwa kifaa (VM) kime unganishwa na AzureAD, watumiaji kutoka AzureAD wataweza kuingia. Zaidi ya hayo, ikiwa mtumiaji aliyeingia ni Mmiliki wa kifaa, atakuwa meneja wa ndani.
Kwa maelezo zaidi kuhusu vitengo vya utawala angalia:
# List all administrative unitsaz rest --method GET --uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits"# Get AU infoaz rest --method GET --uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits/a76fd255-3e5e-405b-811b-da85c715ff53"# Get membersaz rest --method GET --uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits/a76fd255-3e5e-405b-811b-da85c715ff53/members"# Get principals with roles over the AUaz rest --method GET --uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits/a76fd255-3e5e-405b-811b-da85c715ff53/scopedRoleMembers"# Get Administrative UnitsGet-AzureADMSAdministrativeUnitGet-AzureADMSAdministrativeUnit -Id <id># Get ID of admin unit by string$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"# List the users, groups, and devices affected by the administrative unitGet-AzureADMSAdministrativeUnitMember -Id <id># Get the roles users have over the members of the AUGet-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members
Usimamizi wa Utambulisho wa Kipekee (PIM) katika Azure husaidia kuzuia mamlaka kupita kiasi kutolewa kwa watumiaji bila sababu.
Moja ya sifa kuu zinazotolewa na PIM ni kwamba inaruhusu kutokutoa majukumu kwa wakuu ambao wanafanya kazi kila wakati, bali kuwafanya kuwa na haki kwa kipindi fulani (mfano, miezi 6). Kisha, kila wakati mtumiaji anapotaka kuanzisha jukumu hilo, anahitaji kuomba akionyesha muda anahitaji mamlaka (mfano, masaa 3). Kisha meneja anahitaji kuidhinisha ombi hilo. Kumbuka kwamba mtumiaji pia atakuwa na uwezo wa kuomba kupanua muda.
Zaidi ya hayo, PIM inatuma barua pepe kila wakati jukumu la kipekee linapopewa mtu.
Wakati PIM imewezeshwa, inawezekana kusanidi kila jukumu na mahitaji fulani kama:
Muda wa juu (masaa) wa kuanzishwa
Hitaji la MFA wakati wa kuanzishwa
Hitaji la muktadha wa uthibitishaji wa Upatikanaji wa Masharti
Hitaji la sababu wakati wa kuanzishwa
Hitaji la taarifa za tiketi wakati wa kuanzishwa
Hitaji la idhini ili kuanzisha
Muda wa juu wa kuisha kwa ugawaji unaostahiki
Mengi zaidi ya usanidi kuhusu wakati na nani wa kutuma arifa wakati vitendo fulani vinapotokea na jukumu hilo
Angalia:
Ulinzi wa Utambulisho wa Entra ni huduma ya usalama inayoruhusu kubaini wakati mtumiaji au kuingia kuna hatari kubwa ili kukubaliwa, ikiruhusu kuzuia mtumiaji au jaribio la kuingia.
Inaruhusu meneja kuisakinisha ili kuzuia majaribio wakati hatari ni "Chini na juu", "Kati na juu" au "Juu". Ingawa, kwa kawaida ime zimwa kabisa:
Sasa inashauriwa kuongeza vizuizi hivi kupitia sera za Upatikanaji wa Masharti ambapo inawezekana kusanidi chaguzi sawa.
Ulinzi wa Nywila wa Entra (https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PasswordProtectionBlade) ni kipengele cha usalama ambacho husaidia kuzuia matumizi mabaya ya nywila dhaifu kwa kufunga akaunti wakati majaribio kadhaa yasiyofanikiwa ya kuingia yanapotokea. Inaruhusu pia kufungia orodha ya nywila maalum ambayo unahitaji kutoa.
Inaweza kutumika kwa kiwango cha wingu na pia kwenye Active Directory ya ndani.
Njia ya kawaida ni Ukaguzi:
Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)