Az - AzureAD (AAD)
Basic Information
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It lets employees sign in to and access resources both inside and outside the organization, including Microsoft 365, the Azure portal and many other SaaS applications. Azure AD is designed around providing the core identity services: authentication, authorization and user management.
Key Azure AD features include multi-factor authentication and Conditional Access, with seamless integration into Microsoft's other security services. These features considerably strengthen the security of user identities and help organizations implement and enforce access policies effectively. As a foundational component of Microsoft's cloud service ecosystem, Azure AD is essential to cloud-based management of user identities.
Entities
Enumeration
For this enumeration you can use the az cli tool, the PowerShell module AzureAD (or AzureAD Preview), and the Az PowerShell module.
On Linux you need to install PowerShell Core:
Differences between the modules
AzureAD is Microsoft's PowerShell module for managing Azure AD. It does not expose every property of Azure AD objects and cannot be used to access Azure resource information.
Az PowerShell is the module for managing Azure resources from the PowerShell command line.
Connection
When you log in to Azure with a CLI, you are using an Azure application that belongs to a Microsoft-owned tenant. Just like the applications you can create in your own account, these applications have a client ID. Not all of them appear in the list of allowed applications you can see in the console, but they are allowed by default.
For example, the application that the PowerShell scripts use to authenticate has the client ID 1950a258-227b-4e31-a9cf-717495945fc2. Even though it does not show up in the console, a sysadmin can block that application so that users cannot connect with tools that rely on it.
However, there are other applications with other client IDs that can be used to connect to Azure:
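To see which of these applications a session is actually using, decode the access token the CLI obtained and read its `appid` (or `azp`) claim. The script below is an added example, not code from the original page; it assumes the Az.Accounts module is installed and Connect-AzAccount has already been run, and handles both the plain-string and the SecureString form of the token that different Az.Accounts versions return.

```powershell
# Added example: inspect the access tokens of the current Az session to learn which
# client application (appid/azp), tenant, user and scopes they carry.
# Assumes: Az.Accounts installed, Connect-AzAccount already done, PowerShell 7+.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT' }
    # JWT payload is base64url without padding: swap alphabet, then restore '='
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Get-PlainToken {
    # Newer Az.Accounts versions return the token as a SecureString
    param($TokenObject)
    if ($TokenObject.Token -is [securestring]) {
        return ConvertFrom-SecureString -SecureString $TokenObject.Token -AsPlainText
    }
    return $TokenObject.Token
}

function Get-AzSessionAppInfo {
    foreach ($resource in 'Arm', 'MSGraph') {
        $claims = ConvertFrom-JwtPayload (Get-PlainToken (Get-AzAccessToken -ResourceTypeName $resource))
        # v1 tokens carry the client in 'appid', v2 tokens in 'azp'
        $clientApp = if ($claims.appid) { $claims.appid } else { $claims.azp }
        $user      = if ($claims.upn)   { $claims.upn }   else { $claims.unique_name }
        [pscustomobject]@{
            Resource  = $resource
            Audience  = $claims.aud
            ClientApp = $clientApp
            Tenant    = $claims.tid
            User      = $user
            Scopes    = $claims.scp
            ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
        }
    }
}

Get-AzSessionAppInfo | Format-Table -AutoSize
```

If ClientApp shows 1950a258-227b-4e31-a9cf-717495945fc2 the session is going through the Azure PowerShell first-party application; when a tenant blocks that application the login fails and another client ID (or another tool) has to be used. The same decoder works on any Azure AD JWT you come across, for example a token found in a log or a configuration file.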
Users
Azure AD Enumeration
User Enumeration
With a valid account, Azure AD users can be enumerated through the directory API (Microsoft Graph, or the legacy Azure AD Graph API, which Microsoft has deprecated). Requests to the API return information about the users in the directory such as user principal names, display names, email addresses and other attributes. By default any member user can read this information about every other user in the tenant.
Tools
Azure AD Explorer: A tool for exploring Azure AD data using the Azure AD Graph API.
Group Enumeration
Similar to user enumeration, groups can be enumerated through the same API. This lets an attacker discover group names, descriptions, owners and memberships, and in particular which groups grant privileged roles or access to resources.
Tools
Azure AD Explorer: Can also be used for exploring Azure AD groups.
Application Enumeration
Applications (app registrations) and their service principals can be enumerated through the same API. This lets an attacker identify the applications registered in the directory along with details such as the application name, app ID, owners and the API permissions that have been granted to them.
Tools
Azure AD Explorer: Supports enumerating Azure AD applications.
Tenant Enumeration
Tenant enumeration gathers information about the tenant itself: tenant ID, registered domains, whether each domain is managed or federated, and similar details. Much of this is available without any credentials from the public login endpoints, so it is usually the first step when assessing a target.
Tools
Manual enumeration using the Azure portal, PowerShell commands, or unauthenticated requests to login.microsoftonline.com.
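The unauthenticated part of tenant enumeration can be done with two public endpoints: the OpenID configuration document of the domain (which embeds the tenant ID in its endpoint URLs) and the getuserrealm.srf endpoint (which reports whether the domain is Managed, Federated or unknown to Azure AD). The function below is an added example, not the page's own code; contoso.com is a placeholder domain and the probe user name is arbitrary, since the realm endpoint answers per domain, not per user.

```powershell
# Added example: unauthenticated tenant reconnaissance via the public login endpoints.
# No credentials needed; only the target domain name. Requires outbound HTTPS.
function Get-AadTenantInfo {
    param([Parameter(Mandatory)][string]$Domain)

    # 1) OpenID configuration: fails with HTTP 400 if the domain is not in any tenant
    try {
        $oidc = Invoke-RestMethod "https://login.microsoftonline.com/$Domain/.well-known/openid-configuration"
    } catch {
        return [pscustomobject]@{ Domain = $Domain; TenantId = $null; Note = 'domain not registered in Azure AD' }
    }
    # token_endpoint looks like https://login.microsoftonline.com/<tenant-id>/oauth2/token
    $tenantId = ([uri]$oidc.token_endpoint).Segments[1].TrimEnd('/')

    # 2) User realm: Managed = cloud passwords (sprayable), Federated = redirected to ADFS etc.
    $realm = Invoke-RestMethod "https://login.microsoftonline.com/getuserrealm.srf?login=probe@$Domain&xml=0"

    [pscustomobject]@{
        Domain          = $Domain
        TenantId        = $tenantId
        Issuer          = $oidc.issuer
        NameSpaceType   = $realm.NameSpaceType        # Managed / Federated / Unknown
        FederationBrand = $realm.FederationBrandName
        FederatedAuthUrl = $realm.AuthURL             # only set for federated domains
    }
}

# contoso.com is a placeholder; substitute the target's domain
Get-AadTenantInfo -Domain 'contoso.com' | Format-List
```

Knowing whether the domain is Managed or Federated decides the next step: password spraying hits Azure AD directly for managed domains, whereas federated domains forward authentication to the customer's own identity provider, which has its own lockout and logging behaviour.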
Azure AD Exploitation
Password Spraying
Password spraying attacks can be run against the Azure AD login endpoints to gain access to user accounts. By trying a few common passwords across many accounts, rather than many passwords against one account, an attacker may find a valid password while staying under the per-account lockout threshold. Keep in mind that Azure AD Smart Lockout locks an account after 10 failed attempts by default, that the error codes returned (invalid password, account locked, account disabled, MFA required) reveal the state of each account, and that a correct password may still be blocked by Conditional Access or MFA.
Tools
Manual spraying against the login endpoints, or tools written for Azure AD such as MSOLSpray or o365spray (CrackMapExec targets on-prem SMB/LDAP and does not spray Azure AD).
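From the defender's side the same technique is visible in the sign-in logs as one source IP producing a single failure against many different accounts in a short window. The script below is an added example, not from the original page: the sign-in records are constructed for it but use the field names of the Microsoft Graph signIn resource, and the detection thresholds are arbitrary starting points to tune.

```powershell
# Added example: detect a password-spray pattern in Azure AD sign-in records.
# Records below are constructed; field names follow the Graph signIn resource
# (createdDateTime, userPrincipalName, ipAddress, status.errorCode).
# errorCode 50126 = invalid username or password, 0 = success.
$signIns = @'
[
 {"createdDateTime":"2024-05-01T10:00:01Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.5","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T10:00:40Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.5","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T10:01:15Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.5","status":{"errorCode":0}},
 {"createdDateTime":"2024-05-01T11:00:00Z","userPrincipalName":"bob@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T11:00:09Z","userPrincipalName":"carol@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T11:00:17Z","userPrincipalName":"dave@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T11:00:26Z","userPrincipalName":"erin@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T11:00:35Z","userPrincipalName":"frank@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T11:00:44Z","userPrincipalName":"grace@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":0}}
]
'@ | ConvertFrom-Json

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [int]$MinDistinctUsers   = 5,   # one IP touching at least this many accounts...
        [int]$MaxFailuresPerUser = 2,   # ...with only a couple of failures each...
        [int]$WindowMinutes      = 30   # ...inside this time window
    )
    $failures = $SignIns | Where-Object { $_.status.errorCode -eq 50126 }
    foreach ($byIp in ($failures | Group-Object ipAddress)) {
        $perUser    = @($byIp.Group | Group-Object userPrincipalName)
        $lowAndSlow = @($perUser | Where-Object { $_.Count -le $MaxFailuresPerUser }).Count
        $times      = @($byIp.Group | ForEach-Object { [datetime]$_.createdDateTime } | Sort-Object)
        $span       = ($times[-1] - $times[0]).TotalMinutes
        if ($lowAndSlow -ge $MinDistinctUsers -and $span -le $WindowMinutes) {
            # A success from the same IP during/after the spray is the real alarm
            $hits = @($SignIns | Where-Object { $_.ipAddress -eq $byIp.Name -and $_.status.errorCode -eq 0 })
            [pscustomobject]@{
                SourceIp        = $byIp.Name
                DistinctUsers   = $perUser.Count
                Failures        = $byIp.Count
                WindowMinutes   = [math]::Round($span, 1)
                SuccessfulUsers = ($hits.userPrincipalName -join ', ')
            }
        }
    }
}

# Flags 198.51.100.7 (5 accounts, 1 failure each, then a success for grace);
# alice's three attempts from 203.0.113.5 are a single user and are not flagged.
Find-PasswordSpray -SignIns $signIns | Format-Table -AutoSize
```

Real records can be pulled with Get-MgAuditLogSignIn from the Microsoft.Graph module or queried in Log Analytics; the grouping logic is the same. Attackers who know this rotate source IPs, so grouping by user agent or by the spread of attempts over time is a useful second pass.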
Phishing Attacks
Phishing attacks targeting Azure AD users can be used to steal credentials or deliver malware. Attackers may send fake login pages or emails to trick users into providing their credentials, which can then be used to access Azure AD accounts. Two Azure AD specific variants are worth knowing: reverse-proxy phishing, which captures the session cookie after MFA has been completed, and device-code or consent phishing, where the victim is tricked into approving a sign-in or granting an OAuth application permissions on their account, so no password is ever typed into the attacker's page.
Tools
Various phishing tools and frameworks can be used to create and launch campaigns against Azure AD users (for example Evilginx for reverse-proxy credential and session capture).
Token Impersonation
By obtaining a user's access or refresh token (or a device's Primary Refresh Token), an attacker can act as that user and access resources on their behalf. Tokens are bearer credentials: whoever holds one can use it without the password, and a stolen token carries the MFA claim of the session it came from, so it bypasses the interactive authentication step. Access tokens expire after roughly an hour, but a refresh token can be exchanged for new access tokens, also for other resources, until it expires or is revoked.
Tools
Tools such as TokenTactics, ROADtools or AADInternals to request, exchange and use stolen tokens (Impacket targets on-prem Windows protocols, not Azure AD tokens).
Privilege Escalation
Once access to an Azure AD account is obtained, privilege escalation techniques can be used to elevate permissions and gain further access within the Azure environment. The typical paths are misconfigurations rather than software bugs: ownership of an application or service principal that holds privileged permissions, dynamic group rules based on user-editable attributes, over-permissive role assignments, and credentials stored in resources the account can read.
Tools
Manual enumeration and exploitation (the commands in the next section), plus AzureHound/BloodHound to map attack paths through Azure AD roles, groups and application ownership.
Azure AD Enumeration
Enumerate Azure AD Users
To list all users in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Groups
To list all groups in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Applications
To list all applications in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Service Principals
To list all service principals in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Devices
To list all devices in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Domains
To list all domains in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Directory Roles
To list all directory roles in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Directory Role Members
To list all members of a specific directory role in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Directory Role Templates
To list all directory role templates in Azure AD, you can use the following PowerShell command:
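As an added example (not the page's own code), one script that runs the AzureAD-module cmdlets for every object type listed above and keeps the results together for offline review. It assumes the AzureAD module is installed and Connect-AzureAD has already opened a session.

```powershell
# Added example: inventory the main Azure AD object types with the AzureAD module.
# Assumes Install-Module AzureAD and Connect-AzureAD are done; -All $true pages
# past the default result limit.
function Get-AadInventory {
    $inv = [ordered]@{}
    $inv.Users             = Get-AzureADUser -All $true |
        Select-Object UserPrincipalName, DisplayName, UserType, AccountEnabled
    $inv.Groups            = Get-AzureADGroup -All $true |
        Select-Object DisplayName, ObjectId, SecurityEnabled, MailEnabled
    $inv.Applications      = Get-AzureADApplication -All $true |
        Select-Object DisplayName, AppId, ObjectId
    $inv.ServicePrincipals = Get-AzureADServicePrincipal -All $true |
        Select-Object DisplayName, AppId, ServicePrincipalType, AccountEnabled
    $inv.Devices           = Get-AzureADDevice -All $true |
        Select-Object DisplayName, DeviceOSType, DeviceTrustType, AccountEnabled
    $inv.Domains           = Get-AzureADDomain |
        Select-Object Name, IsVerified, IsDefault, AuthenticationType
    # Role templates are every role that exists; Get-AzureADDirectoryRole only returns
    # roles already activated in this tenant, and those are the ones with members.
    $inv.RoleTemplates     = Get-AzureADDirectoryRoleTemplate | Select-Object DisplayName, ObjectId
    $inv.RoleMembers = foreach ($role in Get-AzureADDirectoryRole) {
        foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            $name = if ($m.UserPrincipalName) { $m.UserPrincipalName } else { $m.DisplayName }
            [pscustomobject]@{ Role = $role.DisplayName; Member = $name; ObjectType = $m.ObjectType }
        }
    }
    return $inv
}

$inventory = Get-AadInventory

# Quick overview: object counts per type
$inventory.GetEnumerator() | ForEach-Object { '{0,-18} {1,6}' -f $_.Key, @($_.Value).Count }

# Who holds the most sensitive roles?
$inventory.RoleMembers |
    Where-Object { $_.Role -in @('Global Administrator', 'Privileged Role Administrator', 'Application Administrator') } |
    Format-Table -AutoSize

# Keep everything for offline review
$inventory | ConvertTo-Json -Depth 4 | Set-Content -Path .\aad-inventory.json
```

Service principals whose members are other service principals (ObjectType ServicePrincipal in RoleMembers) deserve a second look: anyone who can add credentials to such an application inherits the role.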
Changing a user's password
MFA & Conditional Access Policies
Adding MFA for every user is strongly recommended, but some companies do not set it up, or configure it through Conditional Access so that MFA is only required when logging in from certain locations, browsers or under some other condition. If these policies are not configured correctly they are at risk of being bypassed. Check the following:
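A quick way to find such gaps is to enumerate the policies and flag anything that narrows their scope. The function below is an added example, not the page's own code; it assumes the AzureADPreview module (which provides Get-AzureADMSConditionalAccessPolicy), an open Connect-AzureAD session and a role allowed to read policies (for example Security Reader or Global Reader). Property names follow the Microsoft Graph conditionalAccessPolicy schema.

```powershell
# Added example: list Conditional Access policies and flag the gaps an attacker looks
# for (disabled/report-only state, user/group/role exclusions, location or platform
# exclusions, policies that do not cover all apps or all client app types).
function Get-CaPolicyGaps {
    foreach ($p in Get-AzureADMSConditionalAccessPolicy) {
        $c    = $p.Conditions
        $gaps = @()
        if ($p.State -ne 'enabled') { $gaps += "state=$($p.State)" }           # disabled or report-only
        if ($c.Users.IncludeUsers -notcontains 'All') { $gaps += 'not scoped to all users' }
        if ($c.Users.ExcludeUsers)  { $gaps += "$(@($c.Users.ExcludeUsers).Count) excluded user(s)" }
        if ($c.Users.ExcludeGroups) { $gaps += "$(@($c.Users.ExcludeGroups).Count) excluded group(s)" }
        if ($c.Users.ExcludeRoles)  { $gaps += "$(@($c.Users.ExcludeRoles).Count) excluded role(s)" }
        if ($c.Locations -and $c.Locations.ExcludeLocations) {
            $gaps += "excluded locations: $($c.Locations.ExcludeLocations -join ',')"
        }
        if ($c.Applications.IncludeApplications -notcontains 'All') {
            $gaps += "covers only $(@($c.Applications.IncludeApplications).Count) app(s)"
        }
        if ($c.ClientAppTypes -and $c.ClientAppTypes -notcontains 'all') {
            $gaps += "client apps: $($c.ClientAppTypes -join ',')"              # legacy auth may be uncovered
        }
        if ($c.Platforms -and $c.Platforms.ExcludePlatforms) {
            $gaps += "excluded platforms: $($c.Platforms.ExcludePlatforms -join ',')"
        }
        [pscustomobject]@{
            Policy      = $p.DisplayName
            State       = $p.State
            RequiresMfa = [bool]($p.GrantControls.BuiltInControls -contains 'mfa')
            Gaps        = ($gaps -join '; ')
        }
    }
}

$report = Get-CaPolicyGaps
$report | Format-Table -AutoSize -Wrap

# If no enabled, exclusion-free policy requires MFA everywhere, a valid password alone is enough
if (-not ($report | Where-Object { $_.RequiresMfa -and $_.State -eq 'enabled' -and -not $_.Gaps })) {
    Write-Warning 'No enabled, exclusion-free policy requires MFA for all users and apps.'
}
```

The excluded entries are object IDs; resolve them with Get-AzureADObjectByObjectId -ObjectIds to see which accounts and groups they are. Excluding one or two break-glass accounts is normal practice, but an excluded group that ordinary users can join (or that a group owner can add them to) is a direct MFA bypass.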
Az - Conditional Access Policies / MFA Bypass
Groups
Azure AD Enumeration
User, Group and Contact Enumeration
Users, groups and contacts in Azure AD can be enumerated with tools such as Azure AD Recon, or by examining the data held by an Azure AD Connect (sync) server if you have access to one.
Using Azure AD Recon
Install: download the tool onto your machine.
Run: launch it with the tenant's domain name and valid credentials.
Enumerate: the tool exports the users, groups, contacts and other objects the account is allowed to read, which you can then review offline.
Using an Azure AD Connect server
Azure AD Connect synchronizes on-prem Active Directory objects into Azure AD; it is not an enumeration tool, but a compromised sync server is a very valuable source. Its local database holds a copy of the synchronized users, groups and contacts, and the server also stores the credentials of the highly privileged sync accounts (the on-prem AD connector account and the Azure AD synchronization account), so access to it usually yields far more than enumeration.
Summary
Azure AD enumeration involves gathering information about the users, groups and contacts present in the tenant. Tools such as Azure AD Recon, or the data on an Azure AD Connect server, give pentesters the inventory they need to look for privileged group members, stale or unusual accounts and other potential weaknesses.
Adding users to groups
The owner of a group can add new users to it.
Groups can also be dynamic, which basically means that a user is added to the group automatically when they meet certain conditions. Of course, if those conditions are based on attributes the user can control, this feature can be abused to get into other groups. Check how to abuse dynamic groups on the following page:
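To find candidate groups, list the dynamic ones and check whether their membership rule references attributes a user might be able to edit. The script below is an added example, not the page's own code; it assumes the AzureAD module (Get-AzureADMSGroup) and an open session. Which attributes are self-editable depends on the tenant's settings, so the attribute list is an assumption to verify against your own account, not a fixed rule.

```powershell
# Added example: find dynamic groups whose membership rule depends on attributes a
# user may be able to change about themselves. The attribute list is an assumption;
# verify self-service editability in the target tenant before relying on it.
$userControlledAttributes = @(
    'user.otherMails', 'user.mobile', 'user.displayName', 'user.jobTitle',
    'user.department', 'user.city', 'user.country', 'user.usageLocation'
)

function Get-DynamicGroupRisks {
    $dynamic = Get-AzureADMSGroup -All $true |
        Where-Object { $_.GroupTypes -contains 'DynamicMembership' }
    foreach ($g in $dynamic) {
        $rule = $g.MembershipRule
        # Case-insensitive match on the attribute name as it appears in the rule text
        $hits = $userControlledAttributes | Where-Object { $rule -match [regex]::Escape($_) }
        [pscustomobject]@{
            Group               = $g.DisplayName
            Id                  = $g.Id
            RuleActive          = ($g.MembershipRuleProcessingState -eq 'On')
            Rule                = $rule
            UserControlledAttrs = ($hits -join ', ')
        }
    }
}

$risks = Get-DynamicGroupRisks
# Only groups whose rule touches a possibly user-controlled attribute are interesting
$risks | Where-Object { $_.RuleActive -and $_.UserControlledAttrs } |
    Format-Table Group, UserControlledAttrs, Rule -Wrap
```

A rule such as (user.department -eq "IT") is only exploitable if you can actually set your own department; test that with Set-AzureADUser on your own object ID before assuming the group is reachable. Once in the group, check what it grants (role assignments, app access, Conditional Access exclusions) with the group's ObjectId.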
Service Principals / Enterprise Applications
What PowerShell terminology calls a Service Principal is called an Enterprise Application in the Azure portal (web).
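An owner of a service principal can add a credential to it and then sign in as the application, inheriting whatever permissions it holds, so ownership is worth enumerating together with the credentials already present. The function below is an added example, not the page's own code; it assumes an open Connect-AzureAD session and reads the current user's UPN from Get-AzureADCurrentSessionInfo.

```powershell
# Added example: list the service principals (Enterprise Applications) registered in
# this tenant with their owners and credentials, and flag the ones the current user owns.
function Get-ServicePrincipalExposure {
    $tenantId = (Get-AzureADTenantDetail).ObjectId
    $myUpn    = (Get-AzureADCurrentSessionInfo).Account.Id
    # Only apps registered in this tenant: Microsoft's first-party service principals
    # (thousands of them) cannot be owned or modified by tenant users.
    $sps = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppOwnerTenantId -eq $tenantId }
    foreach ($sp in $sps) {
        $owners = @(Get-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId)
        $keys   = @(Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId)
        $pwds   = @(Get-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId)
        $ownerNames = $owners | ForEach-Object {
            if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
        }
        [pscustomobject]@{
            DisplayName = $sp.DisplayName
            AppId       = $sp.AppId
            Type        = $sp.ServicePrincipalType      # Application, ManagedIdentity, ...
            Owners      = ($ownerNames -join ', ')
            OwnedByMe   = [bool]($owners | Where-Object { $_.UserPrincipalName -eq $myUpn })
            Credentials = $keys.Count + $pwds.Count     # certificates + client secrets
            AppRoles    = @($sp.AppRoles).Count
        }
    }
}

$exposure = Get-ServicePrincipalExposure
$exposure | Sort-Object Credentials -Descending | Format-Table -AutoSize
# Service principals the current user could add a credential to
$exposure | Where-Object OwnedByMe | Format-Table DisplayName, AppId, Owners, Credentials
```

Owning the app registration (Get-AzureADApplicationOwner) gives the same power as owning the service principal. To judge what an owned principal is worth, look at its granted API permissions with Get-AzureADServicePrincipalOAuth2PermissionGrant and its app role assignments with Get-AzureADServiceAppRoleAssignment; a principal holding Directory.ReadWrite.All or a directory role is effectively an admin account with a password you can set yourself.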
Azure AD
Enumeration
Azure AD enumeration can be performed using techniques such as:
User Enumeration: enumerating users through Microsoft Graph (or the deprecated Azure AD Graph API).
Group Enumeration: enumerating groups to discover privileged groups or potential targets.
Application Enumeration: identifying applications and service principals registered in Azure AD that may be misconfigured (for example over-privileged API permissions, or credentials that a low-privileged owner is able to add).
Exploitation
Exploiting Azure AD may involve techniques like:
Password Spraying: attempting to authenticate with a few common passwords against many Azure AD accounts.
Brute Force Attacks: trying many passwords against a single account; against Azure AD this is rarely practical because Smart Lockout blocks the account after a small number of failures (10 by default), which is why spraying is preferred.
OAuth Token Abuse: exploiting misconfigured OAuth and application settings (over-privileged or illicit consent grants, stolen refresh tokens) to gain unauthorized access to resources.
Post-Exploitation
After gaining access to Azure AD, an attacker may perform actions like:
User Impersonation: using the compromised identity or its tokens to access that user's resources and perform unauthorized actions.
Data Exfiltration: extracting sensitive directory data (user lists, group memberships, application details) and the Microsoft 365 or Azure data the compromised identity can read. Note that Azure AD does not expose password hashes.
Persistence: establishing persistence, for example by adding credentials to an application or service principal, registering an extra MFA method or device, or creating rogue accounts for future access.
Pentesting Azure AD
Azure AD is the authentication and access management service of Microsoft Azure. Pentesting it is important for assessing an organization's security posture and identifying potential vulnerabilities. The assessment should cover a range of aspects: user authentication, access permissions, role configuration, multi-factor authentication and so on.