Az - Unauthenticated Enum & Initial Entry
Azure Tenant
Tenant Enumeration
There are public Azure APIs that an attacker can query, knowing nothing more than the tenant's domain, to gather information about it. You can query the APIs directly or use the AADInternals PowerShell library.
A single AADInternals command (Invoke-AADIntReconAsOutsider) collects all of this tenant information at once.
The output of this recon shows the tenant name, the tenant ID and the "brand" name. It also shows whether Desktop Single Sign-On (SSO), also known as Seamless SSO, is enabled; when it is, that feature makes it easier to determine whether a specific user exists in the target organization (user enumeration).
The output also lists all verified domains associated with the target tenant together with their identity type. For federated domains the fully qualified domain name (FQDN) of the identity provider in use, typically an ADFS server, is disclosed as well. The "MX" column states whether email is routed to Exchange Online, and the "SPF" column whether Exchange Online is listed as a permitted sender. Note that the recon function does not parse "include" statements inside SPF records, which can produce false negatives.
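The following is an added example, not AADInternals code, showing how two of those public endpoints yield the tenant ID, the managed/federated status, the brand name and the federation IdP without any credentials. It assumes the documented behaviour of `/<domain>/.well-known/openid-configuration` (tenant GUID in the issuer URL) and `GetUserRealm.srf` (NameSpaceType, FederationBrandName, AuthURL). The sample responses at the bottom are constructed so the demo runs offline; the GUID, domain and brand in them are made up.

```python
"""Outsider tenant recon against two public login endpoints (added example, not
AADInternals code). Assumed unauthenticated behaviour:
  GET https://login.microsoftonline.com/<domain>/.well-known/openid-configuration
  GET https://login.microsoftonline.com/GetUserRealm.srf?login=<user>@<domain>
Sample responses at the bottom are constructed; pass a domain on the command line
to query the live endpoints instead."""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
GUID_IN_PATH = re.compile(r"/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/")


def fetch_json(url):
    """Unauthenticated GET; a non-2xx body is still returned (the error JSON is informative)."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-example"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return json.loads(r.read().decode())
    except urllib.error.HTTPError as e:
        return json.loads(e.read().decode() or "{}")


def tenant_id_from_openid(doc):
    """The tenant GUID appears in the issuer / endpoint URLs of the OpenID metadata."""
    for key in ("issuer", "token_endpoint", "authorization_endpoint"):
        m = GUID_IN_PATH.search(doc.get(key, ""))
        if m:
            return m.group(1)
    return None  # unknown domain: the endpoint answers with an error document instead


def parse_user_realm(realm):
    """Managed vs. federated, brand name and, for federated domains, the IdP host."""
    ns = realm.get("NameSpaceType", "Unknown")
    info = {
        "domain": realm.get("DomainName"),
        "namespace_type": ns,  # Managed | Federated | Unknown
        "brand": realm.get("FederationBrandName"),
        "idp_host": None,
    }
    if ns == "Federated":
        # AuthURL points at the customer's IdP, typically an ADFS server
        info["idp_host"] = urllib.parse.urlsplit(realm.get("AuthURL", "")).hostname
    return info


def recon_as_outsider(domain, fetch=fetch_json):
    """One tenant summary built from both endpoints; no credentials involved."""
    openid = fetch(f"{LOGIN}/{domain}/.well-known/openid-configuration")
    probe = urllib.parse.quote(f"nonexistent@{domain}")  # any UPN in the domain works
    realm = fetch(f"{LOGIN}/GetUserRealm.srf?login={probe}")
    result = {"tenant_id": tenant_id_from_openid(openid),
              "region_scope": openid.get("tenant_region_scope")}
    result.update(parse_user_realm(realm))
    return result


# --- constructed sample responses (shape only; every value is made up) -----------------
SAMPLE_OPENID = {
    "issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "tenant_region_scope": "EU",
}
SAMPLE_REALM = {
    "NameSpaceType": "Federated",
    "DomainName": "corp.example",
    "FederationBrandName": "Corp Example",
    "AuthURL": "https://adfs.corp.example/adfs/ls/?client-request-id=x",
}


def sample_fetch(url):
    """Offline stand-in for fetch_json."""
    return SAMPLE_OPENID if "openid-configuration" in url else SAMPLE_REALM


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(recon_as_outsider(sys.argv[1]), indent=2))
    else:
        print(json.dumps(recon_as_outsider("corp.example", fetch=sample_fetch), indent=2))
```

A domain that is not registered in any tenant makes the OpenID endpoint answer with an error document instead of metadata, so `tenant_id` comes back as `None`; that alone already tells you the domain is not onboarded to Azure AD.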
User Enumeration
It's possible to check whether a username exists inside a tenant. This includes guest users, whose username has the format <email>#EXT#@<tenant name>.onmicrosoft.com, where <email> is the user's email address with the "@" replaced by an underscore "_".
With AADInternals (Invoke-AADIntUserEnumerationAsOutsider) you can easily check whether a user exists or not.
You can also feed it a text file containing one email address per line.
There are three enumeration methods to choose from: Normal (queries the GetCredentialType API and works against every tenant), Login (tries to log the user in through the Autologon endpoint, which generates sign-in log events in the target tenant) and Autologon (queries the Autologon endpoint without generating sign-in events).
After discovering valid usernames you can retrieve the login information of a user (authentication type, federation endpoint) with Get-AADIntLoginInformation.
The o365creeper script also lets you check whether an email address is valid.
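As an added example (not AADInternals or o365creeper code), here is the "Normal" method written out: an unauthenticated POST to the GetCredentialType endpoint for each candidate, with the response's `IfExistsResult` mapped to a verdict (0 exists, 1 not found, 5 exists at another IdP, 6 exists in both), `ThrottleStatus` honoured so a throttled answer is never mistaken for "not found", and `EstsProperties.DesktopSsoEnabled` reported for the Seamless SSO check mentioned above. The guest username format from the text is built by `guest_upn`. The responses at the bottom are constructed so the demo runs offline.

```python
"""User enumeration as an outsider through GetCredentialType (added example, not
AADInternals or o365creeper code). Assumed endpoint behaviour:
  POST https://login.microsoftonline.com/common/GetCredentialType  {"Username": "<upn>"}
  IfExistsResult: 0 exists, 1 not found, 5 exists at other IdP, 6 exists in both
  ThrottleStatus: 1 means throttled (the existence code is then meaningless)
  EstsProperties.DesktopSsoEnabled: Seamless SSO flag for that user's tenant
Responses at the bottom are constructed; pass a file of addresses to query live."""
import json
import sys
import urllib.request

ENDPOINT = "https://login.microsoftonline.com/common/GetCredentialType"
IF_EXISTS = {0: "exists", 1: "not found", 5: "exists (other IdP)", 6: "exists (both)"}


def guest_upn(email, tenant):
    """Guest (B2B) username inside a tenant: '@' -> '_' plus '#EXT#@<tenant>.onmicrosoft.com'."""
    return email.replace("@", "_") + f"#EXT#@{tenant}.onmicrosoft.com"


def query_credential_type(username):
    """Live query; one POST per candidate username."""
    body = json.dumps({"Username": username, "isOtherIdpSupported": True}).encode()
    req = urllib.request.Request(ENDPOINT, data=body, method="POST",
                                 headers={"Content-Type": "application/json",
                                          "User-Agent": "enum-example"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.loads(r.read().decode())


def classify(response):
    """Verdict for one response; throttling overrides the existence code."""
    if response.get("ThrottleStatus") == 1:
        return "throttled"
    return IF_EXISTS.get(response.get("IfExistsResult"), "unknown")


def enumerate_users(usernames, query=query_credential_type):
    """Check each username and report whether Desktop/Seamless SSO is on for it."""
    results = {}
    for name in usernames:
        resp = query(name)
        results[name] = {
            "verdict": classify(resp),
            "desktop_sso": resp.get("EstsProperties", {}).get("DesktopSsoEnabled"),
        }
    return results


# --- constructed responses (shape only; names and values are made up) ------------------
SAMPLE_RESPONSES = {
    "alice@corp.example": {"IfExistsResult": 0, "ThrottleStatus": 0,
                           "EstsProperties": {"DesktopSsoEnabled": True}},
    "nobody@corp.example": {"IfExistsResult": 1, "ThrottleStatus": 0},
    guest_upn("bob@partner.example", "corp"): {"IfExistsResult": 0, "ThrottleStatus": 0},
    "carol@corp.example": {"IfExistsResult": 0, "ThrottleStatus": 1},
}


def sample_query(username):
    """Offline stand-in for query_credential_type."""
    return SAMPLE_RESPONSES.get(username, {"IfExistsResult": 1, "ThrottleStatus": 0})


if __name__ == "__main__":
    # one address per line from a file on argv, otherwise the constructed samples
    live = len(sys.argv) > 1
    names = [l.strip() for l in open(sys.argv[1]) if l.strip()] if live else list(SAMPLE_RESPONSES)
    for user, info in enumerate_users(names, query=query_credential_type if live else sample_query).items():
        print(f"{info['verdict']:20} sso={info['desktop_sso']}  {user}")
```

Treat "throttled" as "retry later", never as "not found"; tools that ignore `ThrottleStatus` silently drop valid users once the endpoint starts rate-limiting a batch.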
User Enumeration via Microsoft Teams
Another good source of information is Microsoft Teams.
The Microsoft Teams API allows searching for users. In particular the "user search" endpoints externalsearchv3 and searchUsers can be used to request general information about user accounts registered to Teams.
Depending on the API response it's possible to distinguish between non-existent users and existing users that have a valid Teams subscription.
The TeamsEnum script can be used to validate a given set of usernames against the Teams API.
Furthermore, it is possible to enumerate the availability (presence) of existing users, which is one of:
Available
Away
DoNotDisturb
Busy
Offline
If an out-of-office message is set, TeamsEnum can also retrieve it. If an output file was specified, the out-of-office messages are stored automatically in the JSON file.
Azure Services
Knowing the domains the Azure tenant uses, it's time to look for exposed Azure services.
You can use MicroBurst (Invoke-EnumerateAzureSubDomains) for this. The function looks up the base domain name (and a few permutations of it) under the Azure service domains.
Open Storage
You can discover open storage with a tool such as Invoke-EnumerateAzureBlobs.ps1 from MicroBurst, which uses the file Microburst/Misc/permutations.txt to generate (very simple) permutations of the base name and tries to find open storage accounts and containers.
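The two steps above (service subdomain permutation and open-container discovery) share the same permutation logic, so here is one added example for both, not MicroBurst code. The DNS suffixes are Azure's public service domains; `PERMUTATIONS` is a small constructed list standing in for MicroBurst's permutations file. The resolver and HTTP fetcher are injectable, and the `FAKE_DNS` set and `FAKE_LISTING` XML at the bottom are constructed so the demo runs offline; the account `corpdata` and container `backups` are made up.

```python
"""Permutation-based discovery of Azure service hostnames and anonymously listable blob
containers (added example, not MicroBurst code). SERVICE_SUFFIXES are Azure public DNS
suffixes; PERMUTATIONS is a constructed stand-in for MicroBurst's permutations file.
Resolver and fetcher are injectable so the offline demo at the bottom runs without network."""
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE_SUFFIXES = {
    "blob.core.windows.net": "Storage account (blob)",
    "file.core.windows.net": "Storage account (file)",
    "azurewebsites.net": "App Service",
    "database.windows.net": "SQL Database",
    "vault.azure.net": "Key Vault",
    "azurecr.io": "Container Registry",
    "documents.azure.com": "Cosmos DB",
    "servicebus.windows.net": "Service Bus",
    "onmicrosoft.com": "Azure AD tenant",
}
PERMUTATIONS = ["dev", "test", "prod", "backup", "data", "files", "public"]  # constructed


def candidates(base, perms=PERMUTATIONS):
    """base plus base+perm / perm+base, with and without a hyphen."""
    names = {base}
    for p in perms:
        names.update({f"{base}{p}", f"{p}{base}", f"{base}-{p}", f"{p}-{base}"})
    return sorted(names)


def dns_resolves(host):
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def enumerate_subdomains(base, resolver=dns_resolves, perms=PERMUTATIONS):
    """(hostname, service) pairs that resolve. Storage account names cannot contain
    hyphens, so hyphenated candidates are skipped for the core.windows.net suffixes."""
    found = []
    for name in candidates(base, perms):
        for suffix, service in SERVICE_SUFFIXES.items():
            if suffix.endswith("core.windows.net") and "-" in name:
                continue
            host = f"{name}.{suffix}"
            if resolver(host):
                found.append((host, service))
    return found


def http_get(url):
    """Anonymous GET returning (status, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def list_public_container(account, container, fetch=http_get):
    """Anonymous List Blobs call. Works only when the container's public access level
    is 'Container'; the 'Blob' level allows reading known names but not listing."""
    url = f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"
    status, body = fetch(url)
    if status != 200:
        return None  # 404 no such container; 403/409 listing not public
    root = ET.fromstring(body)
    return [b.findtext("Name") for b in root.iter("Blob")]


# --- constructed offline demo data ------------------------------------------------------
FAKE_DNS = {"corpdata.blob.core.windows.net", "corp-dev.azurewebsites.net", "corp.onmicrosoft.com"}
FAKE_LISTING = """<EnumerationResults ServiceEndpoint="https://corpdata.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>db-2021-09.bak</Name></Blob>
    <Blob><Name>secrets.env</Name></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


def fake_fetch(url):
    """Offline stand-in for http_get: only corpdata/backups is publicly listable."""
    public = url.startswith("https://corpdata.blob.core.windows.net/backups?")
    return (200, FAKE_LISTING) if public else (404, "")


if __name__ == "__main__":
    for host, svc in enumerate_subdomains("corp", resolver=FAKE_DNS.__contains__):
        print(f"{host:45} {svc}")
    print(list_public_container("corpdata", "backups", fetch=fake_fetch))
```

Real listings are paged: a non-empty `NextMarker` means more blobs exist and must be fetched with `&marker=<value>`; the sample stops at one page to keep the example short.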
SAS URLs
A shared access signature (SAS) URL grants access to a specific part of a Storage account (a whole container, a single file...) with specific permissions (read, write...) over that resource. If you find a leaked one you may be able to reach sensitive information. They look like this (this one grants access to a container; if it only granted access to a file, the URL path would also include that file):
https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D
Use Storage Explorer to access the data.
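Before pasting a leaked SAS URL into Storage Explorer it is worth decoding it, since the query string already tells you what you would get. The added example below (not code from the page) splits the URL into account, service, container/object, permissions (`sp`), resource type (`sr`, or `srt` for an account SAS), validity window (`st`/`se`), protocol restriction (`spr`) and stored policy (`si`), and reports whether the token is currently valid. The parameter meanings follow the Azure Storage SAS format; the sample is the URL from the text with the account placeholder replaced by the constructed name `corpdata`.

```python
"""Decode a leaked SAS URL: what it grants, on what, and whether it is still valid
(added example, not code from the page). Query parameter meanings follow the Azure
Storage SAS format; SAMPLE_URL is the text's example with a constructed account name."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list", "a": "add",
               "c": "create", "u": "update", "p": "process", "t": "tags",
               "x": "delete-version", "y": "permanent-delete", "i": "set-immutability",
               "e": "execute", "m": "move", "f": "filter", "o": "ownership"}
RESOURCES = {"c": "container", "b": "blob", "bv": "blob version", "bs": "blob snapshot",
             "d": "directory", "s": "share", "f": "file"}
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas_time(value):
    """SAS times are UTC; the time part and the seconds are optional."""
    if not value:
        return None
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS time: {value}")


def parse_sas_url(url, now=None):
    """Summarise a SAS URL; 'now' is injectable so validity can be checked for any instant."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    labels = parts.hostname.split(".")
    path = [p for p in parts.path.split("/") if p]
    sp = q.get("sp", "")
    info = {
        "account": labels[0],
        "service": labels[1],  # blob, file, queue, table or dfs
        "container": path[0] if path else None,
        "object": "/".join(path[1:]) or None,  # blob or file under the container
        "kind": "account SAS" if "srt" in q else "service SAS" if "sr" in q else "unknown",
        "resource": RESOURCES.get(q.get("sr"), q.get("sr")),
        "permissions": [PERMISSIONS.get(ch, ch) for ch in sp],
        "can_list": "l" in sp,  # 'r' alone reads known names only; listing needs 'l'
        "https_only": q.get("spr") == "https",
        "api_version": q.get("sv"),
        "stored_policy": q.get("si"),  # a policy may carry expiry/permissions instead
        "signed": bool(q.get("sig")),
    }
    start, end = parse_sas_time(q.get("st")), parse_sas_time(q.get("se"))
    info["valid_from"], info["valid_until"] = start, end
    if end is None:
        info["status"] = "expiry set by stored policy" if info["stored_policy"] else "malformed (no se)"
    elif now > end:
        info["status"] = "expired"
    elif start is not None and now < start:
        info["status"] = "not yet valid"
    else:
        info["status"] = "valid"
    return info


# the text's example URL with the account placeholder replaced by a constructed name
SAMPLE_URL = ("https://corpdata.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z"
              "&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c"
              "&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D")

if __name__ == "__main__":
    for key, value in parse_sas_url(SAMPLE_URL).items():
        print(f"{key:14} {value}")
```

The page's example carries `sp=r` on `sr=c`, so it allows reading any blob in the container whose name you already know, but not listing the container: for that the token would need `l`. Validity is checked against the URL's own window only; a SAS bound to a stored access policy (`si`) can be revoked server-side at any time, so a "valid" verdict still has to be confirmed with a request.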
Compromise Credentials
Phishing
Common phishing (for credentials, or for an OAuth app: Illicit Consent Grant Attack)
Password Spraying / Brute-Force