From f7a74feaf7ed6e89b806b709a86d2bc1b77a8720 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Wed, 12 Oct 2022 18:03:49 +0200
Subject: [PATCH] Azure Tools Update
---
 .../Cloud - AWS Pentest.md | 2 +-
 .../Cloud - Azure Pentest.md | 61 ++++++++-----------
 2 files changed, 28 insertions(+), 35 deletions(-)
diff --git a/Methodology and Resources/Cloud - AWS Pentest.md b/Methodology and Resources/Cloud - AWS Pentest.md
index 480bcced..b15d9f0f 100644
--- a/Methodology and Resources/Cloud - AWS Pentest.md
+++ b/Methodology and Resources/Cloud - AWS Pentest.md
@@ -1,4 +1,4 @@
-# AWS
+# Cloud - AWS
 > Amazon Web Services offers reliable, scalable, and inexpensive cloud computing services.
diff --git a/Methodology and Resources/Cloud - Azure Pentest.md b/Methodology and Resources/Cloud - Azure Pentest.md
index 54e598dc..7055f84f 100644
--- a/Methodology and Resources/Cloud - Azure Pentest.md
+++ b/Methodology and Resources/Cloud - Azure Pentest.md
@@ -1,4 +1,4 @@
-# Azure Active Directory
+# Cloud - Azure
 ## Summary
@@ -59,7 +59,7 @@
 ## Azure Recon Tools
-* **ROADTool**
+* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
 ```powershell
 pipenv shell
 roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
@@ -68,10 +68,8 @@ roadrecon gather roadrecon gui ``` -* **StormSpotter** +* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects ```powershell - # https://github.com/Azure/Stormspotter - # session 1 - backend pipenv shell python ssbackend.pyz 
@@ -90,44 +88,45 @@ Password: BloodHound Server: bolt://localhost:7687 ``` -* **Azure Hound** +* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound ```powershell - # https://github.com/BloodHoundAD/AzureHound - - . C:\Tools\AzureHound\AzureHound.ps1 - Invoke-AzureHound -Verbose + ./azurehound configure + ./azurehound -u "MattNelson@contoso.onmicrosoft.com" -p "MyVerySecurePassword123" --tenant "contoso.onmicrosoft.com" list + ./azurehound -u "phisheduser@contoso.onmicrosoft.com" -p "Password1" list -o initial-scan.json --tenant "contoso.onmicrosoft.com" + ./azurehound -a "6b5adee8-..." -s "" --tenant "contoso.onmicrosoft.com" list + ./azurehound -j "ey..." --tenant "contoso.onmicrosoft.com" list az-ad + ./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list # GUI access bolt://localhost:7687 Username: neo4j Password: BloodHound - # Cypher query example: - MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p - - # Change object ID's to names in Bloodhound - MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname - # Custom Queries : https://hausec.com/2020/11/23/azurehound-cypher-cheatsheet/ + # Cypher query examples: + MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p + MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname ``` -* List of Microsoft portals: https://msportals.io/ -* **Azucar** : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks. +* [BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit + ```ps1 + . 
.\BARK.ps1 + $MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com" + $MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com" + $MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress + ``` +* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites +* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks. ```powershell # You should use an account with at least read-permission on the assets you want to access - git clone https://github.com/nccgroup/azucar.git PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File - PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000 PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000 - # resolve the TenantID for an specific username PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com ``` -* **Azurite Explorer** and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud. +* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud. 
```powershell - git clone https://github.com/mwrlabs/Azurite.git - git clone https://github.com/FSecureLABS/Azurite git submodule init git submodule update PS> Import-Module AzureRM 
@@ -135,33 +134,27 @@ PS> Review-AzureRmSubscription PS> Review-CustomAzureRmSubscription ``` -* **MicroBurst** - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping +* [**NetSPI/MicroBurst**](https://github.com/NetSPI/MicroBurst) - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping ```powershell - $ git clone https://github.com/NetSPI/MicroBurst PS C:> Import-Module .\MicroBurst.psm1 PS C:> Import-Module .\Get-AzureDomainInfo.ps1 PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose ``` -* **SkyArk** - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins. +* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins. Require: - Read-Only permissions over Azure Directory (Tenant) - Read-Only permissions over Subscription - Require AZ and AzureAD module or administrator right ```powershell - $ git clone https://github.com/cyberark/SkyArk $ powershell -ExecutionPolicy Bypass -NoProfile PS C> Import-Module .\SkyArk.ps1 -force PS C> Start-AzureStealth - - or in the Cloud Console - PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1') PS C> Scan-AzureAdmins -* **PowerZure** - +* [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security ```powershell - require az module ! - $ git clone https://github.com/hausec/PowerZure + # Require az module ! $ ipmo .\PowerZure $ Set-Subscription -Id [idgoeshere]