Az - Unauthenticated Enum & Initial Entry


Azure Tenant

Tenant Enumeration

There are public Azure APIs that an attacker can query, knowing only the tenant's domain, to gather more information about that tenant. You can query the APIs directly or use the AADInternals PowerShell library:

| API | Information | AADInternals function |
| --- | --- | --- |
| login.microsoftonline.com/<domain>/.well-known/openid-configuration | Login information, including the tenant ID | Get-AADIntTenantID -Domain <domain> |
| autodiscover-s.outlook.com/autodiscover/autodiscover.svc | All domains of the tenant | Get-AADIntTenantDomains -Domain <domain> |
| login.microsoftonline.com/GetUserRealm.srf?login=<UserName> | Login information of the tenant, including the tenant name and the domain authentication type. If NameSpaceType is Managed, Azure AD is used. | Get-AADIntLoginInformation -UserName <UserName> |
| login.microsoftonline.com/common/GetCredentialType | Login information, including Desktop SSO information | Get-AADIntLoginInformation -UserName <UserName> |

You can query all the information of an Azure tenant with a single command of the AADInternals library:

Invoke-AADIntReconAsOutsider -DomainName corp.onmicrosoft.com | Format-Table

Example of Azure tenant output:

Tenant brand:       Company Ltd
Tenant name:        company
Tenant id:          1937e3ab-38de-a735-a830-3075ea7e5b39
DesktopSSO enabled: True

Name                           DNS   MX    SPF  Type      STS
----                           ---   --    ---  ----      ---
company.com                   True  True  True  Federated sts.company.com
company.mail.onmicrosoft.com  True  True  True  Managed
company.onmicrosoft.com       True  True  True  Managed
int.company.com              False False False  Managed

It is possible to observe the tenant name, its ID and its "brand" name. Additionally, the status of Desktop Single Sign-On (SSO), also known as Seamless SSO, is displayed. When it is enabled, this feature makes it possible to determine the presence (enumeration) of a specific user within the target organization.

Furthermore, the output lists the names of all verified domains associated with the target tenant, along with their identity types. For federated domains, the Fully Qualified Domain Name (FQDN) of the identity provider in use, typically an ADFS server, is also disclosed. The "MX" column indicates whether emails are routed to Exchange Online, while the "SPF" column indicates whether Exchange Online is listed as an email sender. Note that the current recon function does not parse "include" statements within SPF records, which may result in false negatives.
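As an added example (it is not part of this page and not AADInternals code), the Python below parses constructed samples of two of the JSON replies listed in the table above, the openid-configuration document and the GetUserRealm.srf reply, and extracts the tenant ID, the NameSpaceType (Managed/Federated) and, for a federated domain, the identity-provider host that the recon output reports in the STS column. The field names follow the public endpoints; the sample bodies and the helper names are assumptions.

```python
import json
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample of login.microsoftonline.com/<domain>/.well-known/openid-configuration.
# The tenant GUID sits in the issuer URL (https://sts.windows.net/<tenant id>/).
OPENID_CONFIG = json.dumps({
    "issuer": "https://sts.windows.net/1937e3ab-38de-a735-a830-3075ea7e5b39/",
    "token_endpoint": "https://login.microsoftonline.com/"
                      "1937e3ab-38de-a735-a830-3075ea7e5b39/oauth2/token",
    "tenant_region_scope": "EU",
})

# Constructed samples of login.microsoftonline.com/GetUserRealm.srf?login=<UserName>
# for a federated domain (ADFS) and for a cloud-managed domain.
USER_REALM_FEDERATED = json.dumps({
    "State": 3, "UserState": 2, "Login": "user@company.com",
    "NameSpaceType": "Federated", "DomainName": "company.com",
    "FederationBrandName": "Company Ltd",
    "AuthURL": "https://sts.company.com/adfs/ls/?username=user%40company.com"
               "&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline",
    "CloudInstanceName": "microsoftonline.com",
})
USER_REALM_MANAGED = json.dumps({
    "State": 4, "UserState": 1, "Login": "user@company.onmicrosoft.com",
    "NameSpaceType": "Managed", "DomainName": "company.onmicrosoft.com",
    "FederationBrandName": "Company Ltd",
    "CloudInstanceName": "microsoftonline.com",
})

GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def tenant_id_from_openid(body: str) -> Optional[str]:
    """Return the tenant GUID embedded in the issuer URL, or None if absent."""
    issuer = json.loads(body).get("issuer", "")
    first_segment = urlparse(issuer).path.strip("/").split("/")[0]
    return first_segment if GUID_RE.match(first_segment) else None


def classify_realm(body: str) -> dict:
    """Summarise a GetUserRealm reply: domain, Managed/Federated/Unknown, IdP host."""
    data = json.loads(body)
    namespace = data.get("NameSpaceType", "Unknown")
    summary = {"domain": data.get("DomainName"), "type": namespace, "idp": None}
    if namespace == "Federated":
        # For federated domains AuthURL points at the on-premises STS (typically ADFS).
        summary["idp"] = urlparse(data.get("AuthURL", "")).hostname
    return summary
```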

User Enumeration

It is possible to check whether a username exists within a tenant. This includes guest users, whose usernames follow the format:

<email>#EXT#@<tenant name>.onmicrosoft.com

Here email is the user's email address with the "@" replaced by an underscore "_".

With AADInternals you can easily check whether a user exists or not:

# Check whether the user exists
Invoke-AADIntUserEnumerationAsOutsider -UserName "user@company.com"

UserName         Exists
--------         ------
user@company.com True

You can also use a text file containing one email address per line:

user@company.com
user2@company.com
admin@company.com
admin2@company.com
external.user_gmail.com#EXT#@company.onmicrosoft.com
external.user_outlook.com#EXT#@company.onmicrosoft.com
# Invoke user enumeration
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal

There are three different enumeration methods to choose from:

| Method | Description |
| --- | --- |
| Normal | Uses the GetCredentialType API mentioned above. The default method. |
| Login | Tries to log in as the user. Note: the queries will be logged in the sign-in logs. |
| Autologon | Tries to log in as the user via the autologon endpoint. Those queries are not logged in the sign-in logs! Therefore it also works well for password spraying and brute-force attacks. |

After discovering valid usernames you can get information about a user with:

Get-AADIntLoginInformation -UserName root@corp.onmicrosoft.com

The o365creeper script also lets you discover whether an email address is valid.

# Put in emails.txt emails such as:
# - root@corp.onmicrosoft.com
python.exe .\o365creeper\o365creeper.py -f .\emails.txt -o validemails.txt

User Enumeration via Microsoft Teams

Another good source of information is Microsoft Teams.

The Microsoft Teams API allows searching for users. In particular, the "user search" endpoints externalsearchv3 and searchUsers can be used to request general information about user accounts enrolled in Teams.

Depending on the API response, it is possible to distinguish between non-existent users and existing users who have a valid Teams subscription.

The TeamsEnum script can be used to validate a given set of usernames against the Teams API.

python3 TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json

[-] user1@domain - Target user not found. Either the user does not exist, is not Teams-enrolled or is configured to not appear in search results (personal accounts only)
[+] user2@domain - User2 | Company (Away, Mobile)
[+] user3@domain - User3 | Company (Available, Desktop)

Furthermore, it is possible to identify availability information about existing users, such as:

  • Available

  • Away

  • Do Not Disturb

  • Busy

  • Offline

If an out-of-office message is set, it is also possible to retrieve that message with TeamsEnum. If an output file was specified, the out-of-office message is stored directly in the JSON file:

jq . teamsenum-output.json

{
"email": "user2@domain",
"exists": true,
"info": [
{
"tenantId": "[REDACTED]",
"isShortProfile": false,
"accountEnabled": true,
"featureSettings": {
"coExistenceMode": "TeamsOnly"
},
"userPrincipalName": "user2@domain",
"givenName": "user2@domain",
"surname": "",
"email": "user2@domain",
"tenantName": "Company",
"displayName": "User2",
"type": "Federated",
"mri": "8:orgid:[REDACTED]",
"objectId": "[REDACTED]"
}
],
"presence": [
{
"mri": "8:orgid:[REDACTED]",
"presence": {
"sourceNetwork": "Federated",
"calendarData": {
"outOfOfficeNote": {
"message": "Dear sender. I am out of the office until March 23rd with limited access to my email. I will respond after my return.Kind regards, User2",
"publishTime": "2023-03-15T21:44:42.0649385Z",
"expiry": "2023-04-05T14:00:00Z"
},
"isOutOfOffice": true
},
"capabilities": [
"Audio",
"Video"
],
"availability": "Away",
"activity": "Away",
"deviceType": "Mobile"
},
"etagMatch": false,
"etag": "[REDACTED]",
"status": 20000
}
]
}

Azure Services

Knowing the domains the Azure tenant uses, it is time to try to find exposed Azure services.

You can use a function from MicroBurst for that purpose. It searches for the base domain name (and a few permutations) across the Azure service domains:

Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose

Open Storage

You can discover open storage with a tool such as InvokeEnumerateAzureBlobs.ps1, which uses the file Microburst/Misc/permitations.txt to generate (very simple) permutations in order to find open storage accounts.

Import-Module .\MicroBurst\MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base corp
[...]
https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
[...]

# Access https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
# Check: <Name>ssh_info.json</Name>
# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json

SAS URLs

A Shared access signature (SAS) URL is a URL that grants access to a certain part of a Storage account (a whole container, a single file...) with specific permissions (read, write...) over that resource. If you find a leaked one you may be able to access sensitive information. They look like the following (this one grants access to a container; if it only granted access to a file, the URL path would also include that file):

https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D

Use Storage Explorer to access the data.
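As an added example that is not from this page or from any tool it cites, the Python below decodes the query parameters of a SAS URL built on the pattern shown above (the account name "corpcommon" and the container are constructed; the 7-day review threshold is an assumption) so that a leaked URL can be triaged: which resource it exposes, what permissions it grants, whether it has already expired, and which properties a defender should flag before rotating the account key.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed from the pattern shown above: account name and container are made up.
SAMPLE_SAS_URL = (
    "https://corpcommon.blob.core.windows.net/newcontainer"
    "?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https"
    "&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D"
)
SAS_PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
                   "a": "add", "c": "create", "u": "update", "p": "process",
                   "t": "tag", "f": "filter", "x": "delete_version"}
SAS_RESOURCES = {"b": "blob", "c": "container", "d": "directory",
                 "f": "file", "s": "share"}
MAX_LIFETIME = timedelta(days=7)  # assumed review threshold, not an Azure limit


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used by the st/se parameters."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_sas_url(url: str, now: Optional[datetime] = None) -> dict:
    """Decode a SAS URL and list the properties a reviewer should flag."""
    now = now or datetime.now(timezone.utc)
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    perms = [SAS_PERMISSIONS.get(ch, ch) for ch in q.get("sp", "")]
    start = _ts(q["st"]) if "st" in q else None
    expiry = _ts(q["se"]) if "se" in q else None
    report = {
        "account": parsed.hostname.split(".")[0],
        "path": parsed.path.lstrip("/"),
        "resource": SAS_RESOURCES.get(q.get("sr", ""), q.get("sr")),
        "permissions": perms,
        "start": start, "expiry": expiry,
        "expired": bool(expiry and expiry < now),
        "sig": q.get("sig", "")[:4] + "...",  # never log the full signature
        "findings": [],
    }
    if {"write", "delete"} & set(perms):
        report["findings"].append("grants write/delete access")
    if start and expiry and expiry - start > MAX_LIFETIME:
        report["findings"].append(f"long-lived: {(expiry - start).days} days")
    if q.get("spr", "https") != "https":
        report["findings"].append("allows plain HTTP")
    if "sip" not in q:
        report["findings"].append("no source IP restriction")
    return report
```

The same check applies to a blob-level SAS (sr=b); the path then ends with the file name, as the text above notes.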

Compromise Credentials

Phishing

Password Spraying / Brute-Force

Az - Password Spraying
