improvements

Author: carlospolop

src/pentesting-cloud/azure-security/README.md

@@ -16,53 +16,47 @@ In order to audit an AZURE environment it's very important to know: which **serv
 
 From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **foothold**.
 
-### Initial Access
+### External enum & Initial Access
 
-Here you can find the most common ways to get initial access to an Azure/Entra ID environment:
+The first step is of course to enumerate information about the tenant you are attacking and try to get a foothold.
 
-- **OSINT**: Check for **leaks** in Github or any other open source platform that could contain **credentials** or interesting information.
-  - 
-- **Social** Engineering
-- **Password** reuse, leaks or [password spraying](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
-- Vulnerabilities in Azure-Hosted Applications
-  - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint
-  - **Local File Read**
-    - `/home/USERNAME/.azure`
-    - `C:\Users\USERNAME\.azure`
-    - The file **`accessTokens.json`** in `az cli` before 2.30 - Jan2022 - stored **access tokens in clear text**
-    - The file **`azureProfile.json`** contains **info** about logged user.
-    - **`az logout`** removes the token.
-    - Older versions of **`Az PowerShell`** stored **access tokens** in **clear** text in **`TokenCache.dat`**. It also stores **ServicePrincipalSecret** in **clear**-text in **`AzureRmContext.json`**. The cmdlet **`Save-AzContext`** can be used to **store** **tokens**.\
-      Use `Disconnect-AzAccount` to remove them.
-- 3rd parties **breached**
-- **Internal** Employee
-- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or Oauth App)
-  - [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
+Based on the domain name it's possible to know **if the company if using Azure**, get the **tenant ID**, get other **valid domains** in the same tenant (if more) and get **relevant information** like if SSO is enabled, mail configurations, valid user emails...
 
-Even if you **haven't compromised any user** inside the Azure tenant you are attacking, you can **gather some information** from it:
+Check the folloeing page to learn how to perform the **external enumeration**:
 
 {{#ref}}
 az-unauthenticated-enum-and-initial-entry/
 {{#endref}}
 
-> [!NOTE]
-> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration:
+With this information the most common ways to try to get a foothold are:
+- **OSINT**: Check for **leaks** in Github or any other open source platform that could contain **credentials** or interesting information.
+- **Password** reuse, leaks or [password spraying](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
+  - Buy credentials to an employee
+- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or Oauth App)
+  - [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
+- 3rd parties **breached**
+- Vulnerabilities in Azure-Hosted Applications
+  - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint
+  - **Subdomain takeovers** like in [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/)
+- If some developer laptop is compromised ([WinPEAS and LinPEAS](https://github.com/peass-ng/PEASS-ng) can find this info):
+  - Inside **`<HOME>/.Azure`**
+    - **`azureProfile.json`** contains info about logged in users from the past
+    - **`clouds.config contains`** info about subscriptions
+    - **`service_principal_entries.json`** contains applications credentials (tenant id, clients and secret). Only in Linux & macOS
+    - **`msal_token_cache.json`** contains contains access tokens and refresh tokens. Only in Linux & macOS 
+    - **`service_principal_entries.bin`** and msal_token_cache.bin are used in Windows and are encrypted with DPAPI
+    - **`msal_http_cache.bin`** is a cache of HTTP request
+      - Load it: `with open("msal_http_cache.bin", 'rb') as f: pickle.load(f)`
+    - **`AzureRmContext.json`** contains information about previous logins using Az PowerShell (but no credentials)
+  - Inside **`C:\Users\<username>\AppData\Local\Microsoft\IdentityCache\*`** are several `.bin` files with **access tokens**, ID tokens and account information encrypted with the users DPAPI.
+  - It’s possible to find more **access tokens** in the `.tbres` files inside **`C:\Users\<username>\AppData\Local\Microsoft\TokenBroken\Cache\`** which contain a base64 encrypted with DPAPI with access tokens.
+  - In Linux and macOS you can get **access tokens, refresh tokens and id tokens** from Az PowerShell (if used) running `pwsh -Command "Save-AzContext -Path /tmp/az-context.json"`
+    - In Windows this just generates id tokens.
+    - Possible to see if Az PowerShell was used in Linux and macSO checking is `$HOME/.local/share/.IdentityService/` exists (although the contained files are empty and useless)
 
-## Basic Enumeration
 
 > [!NOTE]
-> Remember that the **noisiest** part of the enumeration is the **login**, not the enumeration itself.
-
-### SSRF
-
-If you found a SSRF in a server inside Azure check this page for tricks:
-
-{{#ref}}
-https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure{{#endref}}
-
-### Subdomain Takeover
-
-- [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/)
+> Remember that usually the **noisiest** part of the enumeration is the **login**, not the enumeration itself.
 
 ### Azure & Entra ID tooling
 
@@ -108,18 +102,7 @@ az account management-group list #Not allowed by default
 
 {{#endtab }}
 
-{{#tab name="AzureAD" }}
-
-```bash
-#Get the current session state
-Get-AzureADCurrentSessionInfo
-#Get details of the current tenant
-Get-AzureADTenantDetail
-```
-
-{{#endtab }}
-
-{{#tab name="Az PowerShell" }}
+{{#tab name="Az" }}
 
 ```bash
 # Get the information about the current context (Account, Tenant, Subscription etc.)
@@ -130,22 +113,33 @@ Get-AzContext -ListAvailable
 Get-AzSubscription
 #Get Resource group
 Get-AzResourceGroup
-# Enumerate all resources visible to the current user
-Get-AzResource
-# Enumerate all Azure RBAC role assignments
-Get-AzRoleAssignment # For all users
-Get-AzRoleAssignment -SignInName [email protected] # For current user
+```
+
+{{#endtab }}
+
+{{#tab name="Mg" }}
+
+```bash
+#Get the current session
+Get-MgContext
+```
+
+{{#endtab }}
+
+{{#tab name="AzureAD" }}
+
+```bash
+#Get the current session state
+Get-AzureADCurrentSessionInfo
+#Get details of the current tenant
+Get-AzureADTenantDetail
 ```
 
 {{#endtab }}
 {{#endtabs }}
 
-> [!CAUTION]
-> Oone of the most important commands to enumerate Azure is **`Get-AzResource`** from Az PowerShell as it lets you **know the resources your current user has visibility over**.
->
-> You can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources"
 
-### Entra ID Enumeration
+### Entra ID Enumeration & Privilege Escalation
 
 By default, any user should have **enough permissions to enumerate** things such as users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/index.html#default-user-permissions)).\
 You can find here a guide:
@@ -154,11 +148,50 @@ You can find here a guide:
 az-services/az-azuread.md
 {{#endref}}
 
-> [!NOTE]
-> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
-> In the following section you can check some ways to **enumerate some common services.**
+Check the **Post-Exploitation tools** to find tools to escalate privileges in Entra ID like **AzureHound:**
+
+{{#ref}}
+az-enumeration-tools.md#automated-post-exploitation-tools
+{{#endref}}
+
+
+### Enumerate Azure Services
+
+Once you know who you are, you can start enumerating the **Azure services you have access to**.
+
+The Az PoswerShell command **`Get-AzResource`** lets you **know the resources your current user has visibility over**.
 
-### 
+Moreover, you can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" or executing: `az rest --method GET --url "https://management.azure.com/subscriptions/<subscription-id>/resources?api-version=2021-04-01"`
+
+Furthermore, with enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in: **`Get-AzRoleAssignment -Scope /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.RecoveryServices/vaults/vault-m3ww8ut4`**
+
+In the following section you can find information about the most common Azure services and how to enumerate them:
+
+{{#ref}}
+az-services/
+{{#endref}}
+
+### Privilege Escalation, Post-Exploitation & Persistence in Azure Services
+
+Once you know how is the Azure environment structured and what services are being used, you can start looking for ways to **escalate privileges, move laterally, perform other post-exploitation attacks and maintain persistence**.
+
+In the following section you can find information about how to escalate privileges in the most common Azure services:
+
+{{#ref}}
+az-privilege-escalation/
+{{#endref}}
+
+In the following one you can find information about how to perform post-exploitation attacks in the most common Azure services:
+
+{{#ref}}
+az-post-exploitation/
+{{#endref}}
+
+In the following one you can find information about how to maintain persistence in the most common Azure services:
+
+{{#ref}}
+az-persistence/
+{{#endref}}
 
 {{#include ../../banners/hacktricks-training.md}}
 

src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md

@@ -146,6 +146,19 @@ new_azure_cli_bearer_tokens_for_graph_api = (
 pprint(new_azure_cli_bearer_tokens_for_graph_api)
 ```
 
+### Other access token fields
+
+- **appid**: Application ID used to generate the token
+- **appidacr**: The Application Authentication Context Class Reference indicates how the client was authenticated, for a public client the value is 0, and if a client secret is used the value is 1
+- **acr**: The Authentication Context Class Reference claim is "0" when the end-user authentication did not meet the requirements of ISO/IEC 29115.
+- **amr**: The Authentication method indicates how the token was authenticated. A value of “pwd” indicates that a password was used.
+- **groups**: Indicates the groups where the principal is a member.
+- **iss**: The issues identifies the security token service (STS) that generated the token. e.g. https://sts.windows.net/fdd066e1-ee37-49bc-b08f-d0e152119b04/ (the uuid is the tenant ID)
+- **oid**: The object ID of the principal
+- **tid**: Tenant ID
+- **iat, nbf, exp**: Issued at (when it was issued), Not before (cannot be used before this time, usually same value as iat), Expiration time.
+
+
 ## FOCI Tokens Privilege Escalation
 
 Previously it was mentioned that refresh tokens should be tied to the **scopes** it was generated with, to the **application** and **tenant** it was generated to. If any of these boundaries is broken, it's possible to escalate privileges as it will be possible to generate access tokens to other resources and tenants the user has access to and with more scopes than it was originally intended.
@@ -198,6 +211,7 @@ pprint(microsoft_office_bearer_tokens_for_graph_api)
 ## References
 
 - [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research)
+- [https://github.com/Huachao/azure-content/blob/master/articles/active-directory/active-directory-token-and-claims.md](https://github.com/Huachao/azure-content/blob/master/articles/active-directory/active-directory-token-and-claims.md)
 
 {{#include ../../../banners/hacktricks-training.md}}
 

src/pentesting-cloud/azure-security/az-enumeration-tools.md

@@ -93,6 +93,23 @@ export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
 
 {{#endtab }}
 
+{{#tab name="CMD" }}
+
+```bash
+set ADAL_PYTHON_SSL_NO_VERIFY=1
+set AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
+set HTTPS_PROXY="http://127.0.0.1:8080"
+set HTTP_PROXY="http://127.0.0.1:8080"
+
+# If this is not enough
+# Download the certificate from Burp and convert it into .pem format
+# And export the following env variable
+openssl x509 -in cacert.der -inform DER -out cacert.pem -outform PEM
+set REQUESTS_CA_BUNDLE=C:\Users\user\Downloads\cacert.pem
+```
+
+{{#endtab }}
+
 {{#tab name="PS" }}
 
 ```bash