Az - Unauthenticated Enum & Initial Entry

Support HackTricks

Azure tenant

Tenant enumeration

Some public Azure APIs can be queried with nothing more than a tenant's domain name, and they return further information about that tenant. You can query the APIs directly or use the PowerShell library AADInternals:

| API | Information | AADInternals function |
|---|---|---|
| login.microsoftonline.com/<domain>/.well-known/openid-configuration | Login information, including the tenant ID | Get-AADIntTenantID -Domain <domain> |
| autodiscover-s.outlook.com/autodiscover/autodiscover.svc | All domains of the tenant | Get-AADIntTenantDomains -Domain <domain> |
| login.microsoftonline.com/GetUserRealm.srf?login=<UserName> | Login information of the tenant, including the tenant name and the domain authentication type. If NameSpaceType is Managed, Azure AD is in use | Get-AADIntLoginInformation -UserName <UserName> |
| login.microsoftonline.com/common/GetCredentialType | Login information, including Desktop SSO information | Get-AADIntLoginInformation -UserName <UserName> |
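The following is an added example (not code from the page or from AADInternals) that builds the public endpoint URLs from the table above and interprets the JSON they return. The sample bodies are constructed: the field names (token_endpoint, NameSpaceType, DomainName, FederationBrandName, AuthURL) follow the shape of the two public responses, the tenant ID is the one from the page's sample output, and every other value is made up.

```python
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Added example, not part of the page or of AADInternals. Sample bodies are
# CONSTRUCTED; the field names follow the public endpoint responses, the values
# (apart from the page's example tenant id) are made up.

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

OPENID_CONFIG_SAMPLE = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/1937e3ab-38de-a735-a830-3075ea7e5b39/oauth2/token",
    "issuer": "https://sts.windows.net/1937e3ab-38de-a735-a830-3075ea7e5b39/",
    "tenant_region_scope": "EU",
})

USER_REALM_FEDERATED_SAMPLE = json.dumps({
    "Login": "user@company.com",
    "NameSpaceType": "Federated",
    "DomainName": "company.com",
    "FederationBrandName": "Company Ltd",
    "AuthURL": "https://sts.company.com/adfs/ls/?username=user%40company.com&wa=wsignin1.0",
})

USER_REALM_MANAGED_SAMPLE = json.dumps({
    "Login": "user@company.onmicrosoft.com",
    "NameSpaceType": "Managed",
    "DomainName": "company.onmicrosoft.com",
})


def openid_config_url(domain: str) -> str:
    """OpenID configuration document of a domain (first row of the table)."""
    return f"https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"


def user_realm_url(username: str) -> str:
    """GetUserRealm.srf endpoint for a user name (third row of the table)."""
    return f"https://login.microsoftonline.com/GetUserRealm.srf?login={username}"


def tenant_id_from_openid_config(body: str) -> Optional[str]:
    """The document embeds the tenant id as a GUID in its endpoint URLs
    (e.g. .../<tenant-id>/oauth2/token); pull it out of the first URL that has one."""
    data = json.loads(body)
    for key in ("token_endpoint", "authorization_endpoint", "issuer"):
        match = GUID_RE.search(data.get(key, ""))
        if match:
            return match.group(0)
    return None


def classify_user_realm(body: str) -> dict:
    """Summarise a GetUserRealm.srf response: Managed means Azure AD authenticates
    the domain itself, Federated means an external IdP (often ADFS) whose host
    is the AuthURL host."""
    data = json.loads(body)
    ns_type = data.get("NameSpaceType", "Unknown")
    auth_url = data.get("AuthURL")
    idp_host = urlparse(auth_url).hostname if ns_type == "Federated" and auth_url else None
    return {
        "domain": data.get("DomainName"),
        "namespace_type": ns_type,
        "federation_brand": data.get("FederationBrandName"),
        "idp_host": idp_host,
        "azure_ad_managed": ns_type == "Managed",
    }


if __name__ == "__main__":
    print(openid_config_url("company.com"))
    print(tenant_id_from_openid_config(OPENID_CONFIG_SAMPLE))
    print(classify_user_realm(USER_REALM_FEDERATED_SAMPLE))
```

Both endpoints answer without authentication, so everything these functions extract (tenant ID, federation status, IdP host) should be treated as public: a defender reviewing exposure cannot hide it, only make sure the federation endpoint it points to is hardened and monitored.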

You can query all of this information about an Azure tenant with a single AADInternals command:

Invoke-AADIntReconAsOutsider -DomainName corp.onmicrosoft.com | Format-Table

Example output of the Azure tenant information:

Tenant brand:       Company Ltd
Tenant name:        company
Tenant id:          1937e3ab-38de-a735-a830-3075ea7e5b39
DesktopSSO enabled: True

Name                           DNS   MX    SPF  Type      STS
----                           ---   --    ---  ----      ---
company.com                   True  True  True  Federated sts.company.com
company.mail.onmicrosoft.com  True  True  True  Managed
company.onmicrosoft.com       True  True  True  Managed
int.company.com              False False False  Managed

The output shows the tenant's name, ID and "brand" name. It also shows the status of Desktop SSO, also known as Seamless SSO; when this feature is enabled, it can be used to determine whether a particular user exists in the target organization (enumeration).

The output also lists all verified domains associated with the target tenant, together with their identity type. For federated domains, the fully qualified domain name (FQDN) of the identity provider in use, typically an ADFS server, is disclosed as well. The "MX" column indicates whether email is routed to Exchange Online, and the "SPF" column whether Exchange Online is listed as an allowed email sender. Note that the current recon function does not resolve "include" statements in SPF records, which may lead to false positives.

User enumeration

It is possible to check whether a username exists within a tenant. This includes guest users, whose username has the format:

<email>#EXT#@<tenant name>.onmicrosoft.com

where email is the user's email address with the "@" replaced by an underscore "_".

With AADInternals you can easily check whether a user exists:

# Check whether the user exists
Invoke-AADIntUserEnumerationAsOutsider -UserName "user@company.com"


UserName         Exists
--------         ------
user@company.com True

You can also use a text file containing one email address per line:

user@company.com
user2@company.com
admin@company.com
admin2@company.com
external.user_gmail.com#EXT#@company.onmicrosoft.com
external.user_outlook.com#EXT#@company.onmicrosoft.com
# Invoke user enumeration
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal

Three different enumeration methods are available:

| Method | Description |
|---|---|
| Normal | Refers to the GetCredentialType API mentioned above. The default method. |
| Login | Tries to log in as the user. Note: the queries are logged in the sign-in log. |
| Autologon | Tries to log in as the user via the autologon endpoint. The queries are not logged in the sign-in log! Therefore this method is also suitable for password spraying and brute-force attacks. |
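As an added example (not code from the page or from AADInternals), the block below builds the guest UPN form from the "User enumeration" section, reads a users.txt-style list like the one above, and interprets a GetCredentialType response of the kind the Normal method relies on. The IfExistsResult meanings and the ThrottleStatus and EstsProperties.DesktopSsoEnabled fields are my assumptions about the public response, not something the page states; the sample response is constructed.

```python
import json

# Added example, not part of the page or of AADInternals. The meaning of the
# IfExistsResult codes below is an ASSUMPTION about the public GetCredentialType
# response (0 = exists, 1 = does not exist, 5/6 = exists, federated variants);
# anything else is reported as unknown rather than guessed.
EXISTS_CODES = {
    0: "exists",
    1: "does not exist",
    5: "exists (different identity provider)",
    6: "exists (both managed and federated)",
}

# CONSTRUCTED sample response; field names are assumed, values are made up.
CREDENTIAL_TYPE_SAMPLE = json.dumps({
    "Username": "user@company.com",
    "IfExistsResult": 0,
    "ThrottleStatus": 0,
    "EstsProperties": {"DesktopSsoEnabled": True},
})

USERS_TXT_SAMPLE = """user@company.com
# comment lines are skipped
admin@company.com

external.user_gmail.com#EXT#@company.onmicrosoft.com
"""


def guest_upn(external_email: str, tenant_name: str) -> str:
    """Guest UPN as described above: '@' becomes '_', then '#EXT#@<tenant>.onmicrosoft.com'."""
    return f"{external_email.replace('@', '_')}#EXT#@{tenant_name}.onmicrosoft.com"


def load_user_list(text: str) -> list:
    """One address per line; blank lines and lines starting with '#' are skipped.
    Guest UPNs contain '#EXT#' in the middle, so they are kept."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def interpret_credential_type(body: str) -> dict:
    """Translate a GetCredentialType response into a small summary."""
    data = json.loads(body)
    code = data.get("IfExistsResult")
    return {
        "username": data.get("Username"),
        "result": EXISTS_CODES.get(code, f"unknown ({code})"),
        "throttled": data.get("ThrottleStatus") == 1,  # assumption: 1 = rate-limited
        "desktop_sso": bool(data.get("EstsProperties", {}).get("DesktopSsoEnabled", False)),
    }


if __name__ == "__main__":
    print(guest_upn("external.user@gmail.com", "company"))
    print(load_user_list(USERS_TXT_SAMPLE))
    print(interpret_credential_type(CREDENTIAL_TYPE_SAMPLE))
```

From the defender's side the table above is the important part: only the Login method leaves entries in the sign-in log (as failed sign-ins for the probed accounts), so enumeration through the Normal or Autologon paths will not be visible there and has to be caught elsewhere, for example by watching for large numbers of guest-style UPNs being probed.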

Once a valid username has been found, you can obtain information about the user with:

Get-AADIntLoginInformation -UserName root@corp.onmicrosoft.com

The script o365creeper also lets you discover whether an email address is valid:

# Put in emails.txt emails such as:
# - root@corp.onmicrosoft.com
python.exe .\o365creeper\o365creeper.py -f .\emails.txt -o validemails.txt

User enumeration via Microsoft Teams

Another source of information is Microsoft Teams.

The Microsoft Teams API allows searching for users. In particular, the "user search" endpoint externalsearchv3searchUsers can be used to request general information about registered Teams user accounts.

Depending on the API response, it is possible to distinguish between non-existent users and existing users with a valid Teams subscription.

The script TeamsEnum can be used to verify whether a given set of usernames exists in the Teams API.

python3 TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json


[-] user1@domain - Target user not found. Either the user does not exist, is not Teams-enrolled or is configured to not appear in search results (personal accounts only)
[+] user2@domain - User2 | Company (Away, Mobile)
[+] user3@domain - User3 | Company (Available, Desktop)

In addition, the availability information of existing users can be enumerated, such as:

  • Available

  • Away

  • Do not disturb

  • Busy

  • Offline

If an out-of-office message is configured, it can also be retrieved with TeamsEnum. If an output file is specified, the out-of-office messages are automatically stored in the JSON file:

jq . teamsenum-output.json


{
  "email": "user2@domain",
  "exists": true,
  "info": [
    {
      "tenantId": "[REDACTED]",
      "isShortProfile": false,
      "accountEnabled": true,
      "featureSettings": {
        "coExistenceMode": "TeamsOnly"
      },
      "userPrincipalName": "user2@domain",
      "givenName": "user2@domain",
      "surname": "",
      "email": "user2@domain",
      "tenantName": "Company",
      "displayName": "User2",
      "type": "Federated",
      "mri": "8:orgid:[REDACTED]",
      "objectId": "[REDACTED]"
    }
  ],
  "presence": [
    {
      "mri": "8:orgid:[REDACTED]",
      "presence": {
        "sourceNetwork": "Federated",
        "calendarData": {
          "outOfOfficeNote": {
            "message": "Dear sender. I am out of the office until March 23rd with limited access to my email. I will respond after my return.Kind regards, User2",
            "publishTime": "2023-03-15T21:44:42.0649385Z",
            "expiry": "2023-04-05T14:00:00Z"
          },
          "isOutOfOffice": true
        },
        "capabilities": [
          "Audio",
          "Video"
        ],
        "availability": "Away",
        "activity": "Away",
        "deviceType": "Mobile"
      },
      "etagMatch": false,
      "etag": "[REDACTED]",
      "status": 20000
    }
  ]
}
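The block below is an added example (not code from the page or from TeamsEnum) that reads a teamsenum-output.json file of the shape shown above and reduces each record to what is being disclosed: whether the address resolved to a Teams user, the presence state and device, and any out-of-office note. The embedded sample is constructed to mirror the record above, with placeholder values where the page shows [REDACTED].

```python
import json

# Added example, not part of the page or of TeamsEnum. TEAMSENUM_SAMPLE is
# CONSTRUCTED to mirror the record shown above; ids are placeholders.
TEAMSENUM_SAMPLE = json.dumps([
    {
        "email": "user2@domain",
        "exists": True,
        "info": [{"tenantId": "PLACEHOLDER", "accountEnabled": True, "tenantName": "Company",
                  "displayName": "User2", "type": "Federated", "mri": "8:orgid:PLACEHOLDER"}],
        "presence": [{
            "mri": "8:orgid:PLACEHOLDER",
            "presence": {
                "sourceNetwork": "Federated",
                "calendarData": {
                    "outOfOfficeNote": {"message": "Out of the office until March 23rd.",
                                        "expiry": "2023-04-05T14:00:00Z"},
                    "isOutOfOffice": True,
                },
                "availability": "Away",
                "activity": "Away",
                "deviceType": "Mobile",
            },
        }],
    },
    {"email": "user1@domain", "exists": False},
])


def summarize_entry(entry: dict) -> dict:
    """Flatten one TeamsEnum record; missing sections (non-existent user) give None."""
    info = (entry.get("info") or [{}])[0]
    presence_list = entry.get("presence") or []
    presence = presence_list[0].get("presence", {}) if presence_list else {}
    calendar = presence.get("calendarData") or {}
    ooo = calendar.get("outOfOfficeNote") or {}
    return {
        "email": entry.get("email"),
        "exists": bool(entry.get("exists")),
        "display_name": info.get("displayName"),
        "tenant": info.get("tenantName"),
        "availability": presence.get("availability"),
        "device": presence.get("deviceType"),
        "out_of_office": bool(calendar.get("isOutOfOffice")),
        "ooo_message": ooo.get("message"),
        "ooo_expiry": ooo.get("expiry"),
    }


def summarize_output(text: str) -> list:
    """Accepts either a list of records or the single record `jq .` shows above."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = [data]
    return [summarize_entry(e) for e in data]


def exposure_report(text: str) -> dict:
    """Counts a defender would want: how many queried addresses resolved to a
    Teams user, and how many of those disclose presence or an out-of-office note."""
    rows = summarize_output(text)
    existing = [r for r in rows if r["exists"]]
    return {
        "queried": len(rows),
        "existing": len(existing),
        "with_presence": sum(1 for r in existing if r["availability"]),
        "with_ooo_note": sum(1 for r in existing if r["out_of_office"] and r["ooo_message"]),
    }


if __name__ == "__main__":
    for row in summarize_output(TEAMSENUM_SAMPLE):
        print(row)
    print(exposure_report(TEAMSENUM_SAMPLE))
```

The report is the useful output when assessing your own tenant: presence and out-of-office notes are exactly the details (absence dates, device in use) that feed targeted phishing, so the share of accounts exposing them is worth tracking.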

Azure services

Once you know the domains the Azure tenant is using, it's time to try to find exposed Azure services.

You can use a function from MicroBurst for this. It searches several Azure service domains for the base domain name (plus some permutations).

Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose

Open storage

You can use a tool such as Invoke-EnumerateAzureBlobs.ps1, which generates permutations (very simple ones) from the file Microburst/Misc/permutations.txt to try to find open storage accounts.

Import-Module .\MicroBurst\MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base corp
[...]
https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
[...]

# Access https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
# Check: <Name>ssh_info.json</Name>
# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json

SAS URLs

A Shared Access Signature (SAS) URL is a URL that grants access to a certain part of a storage account (a whole container, a single file...) with specific permissions (read, write...). If you find such a URL leaked, you may be able to access sensitive information. They look like this (this one grants access to a container; if access is granted only to a file, the URL path also contains that file):

https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D
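As an added example (not code from the page), the block below triages a SAS URL of the form shown above: which account, container and blob it points at, which permissions it grants, whether it is restricted to HTTPS, and whether it is still within its validity window. The query parameter meanings (sp = permissions, sr = resource type, st/se = start and expiry, spr = protocol, sv = service version, sig = signature) are the documented Azure Storage SAS fields; the sample URL is the page's example with the constructed account name corpcommon in place of the placeholder.

```python
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Added example, not part of the page. SAMPLE_SAS_URL is the page's example URL
# with a CONSTRUCTED account name; the signature value is copied unchanged.
SAMPLE_SAS_URL = (
    "https://corpcommon.blob.core.windows.net/newcontainer"
    "?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08"
    "&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D"
)

# Permission letters carried by `sp` and resource letters carried by `sr`.
PERMISSIONS = {"r": "read", "a": "add", "c": "create", "w": "write", "d": "delete", "l": "list"}
RESOURCES = {"b": "blob", "c": "container", "d": "directory"}


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    """SAS timestamps are UTC ISO 8601, with or without seconds / fractions."""
    if not value:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_sas_url(url: str, now: Optional[datetime] = None) -> dict:
    """Break a SAS URL into what it grants and whether it is currently usable."""
    now = now or datetime.now(timezone.utc)
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    container, _, blob = parsed.path.strip("/").partition("/")
    perms = params.get("sp", "")
    start, expiry = _parse_time(params.get("st")), _parse_time(params.get("se"))
    return {
        "account": (parsed.hostname or "").split(".")[0],
        "container": container,
        "blob": blob or None,
        "resource": RESOURCES.get(params.get("sr", ""), params.get("sr")),
        "permissions": [PERMISSIONS.get(c, c) for c in perms],
        "writable": any(c in perms for c in "acwd"),
        "https_only": params.get("spr") == "https",
        "signed": bool(params.get("sig")),
        "start": start,
        "expiry": expiry,
        "not_yet_valid": start is not None and now < start,
        "expired": expiry is not None and now > expiry,
    }


def sas_is_usable_at(url: str, when: str) -> bool:
    """True if the token's validity window contains the given UTC timestamp."""
    result = parse_sas_url(url, now=_parse_time(when))
    return not result["expired"] and not result["not_yet_valid"]


if __name__ == "__main__":
    for key, value in parse_sas_url(SAMPLE_SAS_URL).items():
        print(f"{key:14} {value}")
```

Two caveats matter when one of these URLs turns up in a repository or a log: the expiry date is the only thing limiting it, and an individual SAS token cannot be revoked by itself. It becomes invalid when the storage account key it was signed with is rotated or, if it references a stored access policy, when that policy is changed or deleted, so a leaked token with a distant `se` date is a key-rotation event rather than something to wait out.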

Use Storage Explorer to access the data.

Compromising credentials

Phishing

Password spraying / Brute force

Az - Password Spraying

References
