HackTricks-wiki
diff --git a/‎src/SUMMARY.md‎
Lines changed: 2 additions & 1 deletion b/‎src/SUMMARY.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/pentesting-cloud/azure-security/README.md‎
Lines changed: 25 additions & 20 deletions b/‎src/pentesting-cloud/azure-security/README.md‎
Lines changed: 25 additions & 20 deletions
diff --git a/‎src/pentesting-cloud/azure-security/az-basic-information/README.md‎
Lines changed: 1 addition & 1 deletion b/‎src/pentesting-cloud/azure-security/az-basic-information/README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md‎
Lines changed: 71 additions & 59 deletions b/‎src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md‎
Lines changed: 71 additions & 59 deletions
@@ -398,7 +398,8 @@
   - [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md)
   - [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md)
     - [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md)
-    - [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md)
+    - [Az - Storage Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md)
+    - [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md)
     - [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
     - [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
   - [Az - Services](pentesting-cloud/azure-security/az-services/README.md)
 
@@ -4,6 +4,8 @@
 
 ## Basic Information
 
+Learn the basics of Azure and Entra ID in the following page:
+
 {{#ref}}
 az-basic-information/
 {{#endref}}
@@ -12,11 +14,16 @@ az-basic-information/
 
 In order to audit an AZURE environment it's very important to know: which **services are being used**, what is **being exposed**, who has **access** to what, and how are internal Azure services and **external services** connected.
 
-From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **credentials** for Azure AD. Here you have some ideas on how to do that:
+From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **foothold**.
+
+### Initial Access
+
+Here you can find the most common ways to get initial access to an Azure/Entra ID environment:
 
-- **Leaks** in github (or similar) - OSINT
+- **OSINT**: Check for **leaks** in Github or any other open source platform that could contain **credentials** or interesting information.
+  - 
 - **Social** Engineering
-- **Password** reuse (password leaks)
+- **Password** reuse, leaks or [password spraying](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
 - Vulnerabilities in Azure-Hosted Applications
   - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint
   - **Local File Read**
@@ -31,7 +38,6 @@ From a Red Team point of view, the **first step to compromise an Azure environme
 - **Internal** Employee
 - [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or Oauth App)
   - [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
-- [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
 
 Even if you **haven't compromised any user** inside the Azure tenant you are attacking, you can **gather some information** from it:
 
@@ -49,10 +55,21 @@ az-unauthenticated-enum-and-initial-entry/
 
 ### SSRF
 
-If you found a SSRF in a machine inside Azure check this page for tricks:
+If you found a SSRF in a server inside Azure check this page for tricks:
+
+{{#ref}}
+https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure{{#endref}}
+
+### Subdomain Takeover
+
+- [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/)
+
+### Azure & Entra ID tooling
+
+The following tools will be super useful to enumerate both Entra ID tenants and Azure environments slowly (to avoid detection) or automatically (to save time):
 
 {{#ref}}
-https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html
+az-enumeration-tools.md
 {{#endref}}
 
 ### Bypass Login Conditions
@@ -68,9 +85,7 @@ In cases where you have some valid credentials but you cannot login, these are s
 
 After bypassing it, you might be able to get back to your initial setup and you will still have access.
 
-### Subdomain Takeover
 
-- [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/)
 
 ### Whoami
 
@@ -132,7 +147,7 @@ Get-AzRoleAssignment -SignInName [email protected] # For current user
 
 ### Entra ID Enumeration
 
-By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/index.html#default-user-permissions)).\
+By default, any user should have **enough permissions to enumerate** things such as users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/index.html#default-user-permissions)).\
 You can find here a guide:
 
 {{#ref}}
@@ -143,17 +158,7 @@ az-services/az-azuread.md
 > Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\
 > In the following section you can check some ways to **enumerate some common services.**
 
-## App Service SCM
-
-Kudu console to log in to the App Service 'container'.
-
-## Webshell
-
-Use portal.azure.com and select the shell, or use shell.azure.com, for a bash or powershell. The 'disk' of this shell are stored as an image file in a storage-account.
-
-## Azure DevOps
-
-Azure DevOps is separate from Azure. It has repositories, pipelines (yaml or release), boards, wiki, and more. Variable Groups are used to store variable values and secrets.
+### 
 
 {{#include ../../banners/hacktricks-training.md}}
 
 
@@ -32,7 +32,7 @@
 
 All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted.
 
-<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfe8U30iP_vdZCvxX4g8nEPRLoo7v0kmCGkDn1frBPn3_GIoZ7VT2LkdsVQWCnrG_HSYNRRPM-1pSECUkbDAB-9YbUYLzpvKVLDETZS81CHWKYM4fDl3oMo5-yvTMnjdLTS2pz8U67xUTIzBhZ25MFMRkq5koKY=s2048?key=gSyKQr3HTyhvHa28Rf7LVA" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1</a></p></figcaption></figure>
+<figure><img src="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1</a></p></figcaption></figure>
 
 ### Azure Resource IDs
 
 
@@ -7,24 +7,23 @@
 ### Tenant Enumeration
 
 There are some **public Azure APIs** that just knowing the **domain of the tenant** an attacker could query to gather more info about it.\
-You can query directly the API or use the PowerShell library [**AADInternals**](https://github.com/Gerenios/AADInternals)**:**
+You can query directly the API or use the PowerShell library [**AADInternals**](https://github.com/Gerenios/AADInternals) (`Install-Module AADInternals`):
 
-| API                                                                  | Information                                                                                                                                                                                                                                           | AADInternals function                             |
-| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
-| login.microsoftonline.com/\<domain>/.well-known/openid-configuration | **Login information**, including tenant ID                                                                                                                                                                                                            | `Get-AADIntTenantID -Domain <domain>`             |
-| autodiscover-s.outlook.com/autodiscover/autodiscover.svc             | **All domains** of the tenant                                                                                                                                                                                                                         | `Get-AADIntTenantDomains -Domain <domain>`        |
-| login.microsoftonline.com/GetUserRealm.srf?login=\<UserName>         | <p><strong>Login information</strong> of the tenant, including tenant Name and domain <strong>authentication type.</strong><br>If <code>NameSpaceType</code> is <strong><code>Managed</code></strong>, it means <strong>AzureAD</strong> is used.</p> | `Get-AADIntLoginInformation -UserName <UserName>` |
-| login.microsoftonline.com/common/GetCredentialType                   | Login information, including **Desktop SSO information**                                                                                                                                                                                              | `Get-AADIntLoginInformation -UserName <UserName>` |
+- **Login information including tenant ID**
+  - `Get-AADIntTenantID -Domain <domain>` (main API `login.microsoftonline.com/<domain>/.well-known/openid-configuration`)
+- **All valid doimains in the tenant**
+  - `Get-AADIntTenantDomains -Domain <domain>` (main API `autodiscover-s.outlook.com/autodiscover/autodiscover.svc`)
+- **Login information of the user**. If `NameSpaceType` is `Managed`, it means EntraID is used
+  - `Get-AADIntLoginInformation -UserName <UserName>` (main API `login.microsoftonline.com/GetUserRealm.srf?login=<UserName>`)
 
-You can query all the information of an Azure tenant with **just one command of the** [**AADInternals**](https://github.com/Gerenios/AADInternals) **library**:
+You can query all the information of an Azure tenant with **just one command from** [**AADInternals**](https://github.com/Gerenios/AADInternals):
 
 ```bash
+# Doesn't work in macos because 'Resolve-DnsName' doesn't exist
 Invoke-AADIntReconAsOutsider -DomainName corp.onmicrosoft.com | Format-Table
-```
 
-Output Example of the Azure tenant info:
+## Output Example of the Azure tenant info:
 
-```
 Tenant brand:       Company Ltd
 Tenant name:        company
 Tenant id:          1937e3ab-38de-a735-a830-3075ea7e5b39
@@ -44,6 +43,9 @@ Moreover, the output presents the names of all verified domains associated with
 
 ### User Enumeration
 
+> [!TIP]
+> Note that even if a tenant is using several emails for the same user, the **username is unique**. This means that it'll noly work with the domain the user has associated and not with the other domains.
+
 It's possible to **check if a username exists** inside a tenant. This includes also **guest users**, whose username is in the format:
 
 ```
@@ -83,26 +85,34 @@ external.user_outlook.com#EXT#@company.onmicrosoft.com
 Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal
 ```
 
-There are **three different enumeration methods** to choose from:
+Currenlty there are **4 different enumeration methods** to choose from. You can find information in `Get-Help Invoke-AADIntUserEnumerationAsOutsider`:
+
+It supports following enumeration methods: Normal, Login, Autologon, and RST2.
+
+- The **Normal** method seems currently work with all tenants. Previously it required Desktop SSO (aka Seamless SSO) to be enabled for at least one domain. 
+    
+- The **Login** method works with any tenant, but enumeration queries will be logged to Azure AD sign-in log as failed login events!
+    
+- The **Autologon** method doesn't seem to work with all tenants anymore. Probably requires that DesktopSSO or directory sync is enabled.
 
-| Method    | Description                                                                                                                                                                                             |
-| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Normal    | This refers to the GetCredentialType API mentioned above. The default method.                                                                                                                           |
-| Login     | <p>This method tries to log in as the user.<br><strong>Note:</strong> queries will be logged to sign-ins log.</p>                                                                                       |
-| Autologon | <p>This method tries to log in as the user via autologon endpoint.<br><strong>Queries are not logged</strong> to sign-ins log! As such, works well also for password spray and brute-force attacks.</p> |
 
 After discovering the valid usernames you can get **info about a user** with:
 
 ```bash
 Get-AADIntLoginInformation -UserName [email protected]
 ```
 
-The script [**o365creeper**](https://github.com/LMGsec/o365creeper) also allows you to discover **if an email is valid**.
+The script [**o365spray**](https://github.com/0xZDH/o365spray) also allows you to discover **if an email is valid**.
 
 ```bash
-# Put in emails.txt emails such as:
-# - [email protected]
-python.exe .\o365creeper\o365creeper.py -f .\emails.txt -o validemails.txt
+git clone https://github.com/0xZDH/o365spray
+cd o365spray
+python3 -m pip install -r requirements.txt
+
+# Check 1 email
+python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -u carlos
+# Check a list of emails
+python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -U /tmp/users.txt
 ```
 
 **User Enumeration via Microsoft Teams**
@@ -113,10 +123,16 @@ The API of Microsoft Teams allows to search for users. In particular the "user s
 
 Depending on the API response it is possible to distinguish between non-existing users and existing users that have a valid Teams subscription.
 
-The script [**TeamsEnum**](https://github.com/sse-secure-systems/TeamsEnum) could be used to validate a given set of usernames against the Teams API.
+The script [**TeamsEnum**](https://github.com/sse-secure-systems/TeamsEnum) could be used to validate a given set of usernames against the Teams API but you need access to a user with Teams access to use it.
 
 ```bash
-python3 TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json
+# Install
+git clone https://github.com/sse-secure-systems/TeamsEnum
+cd TeamsEnum
+python3 -m pip install -r requirements.txt
+
+# Login and ask for password
+python3 ./TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json
 ```
 
 Output:
@@ -192,58 +208,54 @@ Output:
 }
 ```
 
-## Azure Services
+### Password Spraying / Brute-Force
 
-Know that we know the **domains the Azure tenant** is using is time to try to find **Azure services exposed**.
+{{#ref}}
+az-password-spraying.md
+{{#endref}}
 
-You can use a method from [**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure service domains:**
+## Azure Services using domains
+
+It's also possible to try to find **Azure services exposed** in common azure subdomains like the ones documented in this [post:
+](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/)
+
+- App Services: `azurewebsites.net`
+- App Services – Management: `scm.azurewebsites.net`
+- App Services: `p.azurewebsites.net`
+- App Services: `cloudapp.net`
+- Storage Accounts-Files: `file.core.windows.net`
+- Storage Accounts-Blobs: `blob.core.windows.net`
+- Storage Accounts-Queues: `queue.core.windows.net`
+- Storage Accounts-Tables: `table.core.windows.net`
+- Databases-Redis: `redis.cache.windows.net`
+- Databases-Cosmos DB: `documents.azure.com`
+- Databases-MSSQL: `database.windows.net`
+- Key Vaults: `vault.azure.net`
+- Microsoft Hosted Domain: `onmicrosoft.com`
+- Email: `mail.protection.outlook.com`
+- SharePoint: `sharepoint.com`
+- CDN: `azureedge.net`
+- Search Appliance: `search.windows.net`
+- API Services: `azure-api.net`
+
+You can use a method from [**MicroBust**](https://github.com/NetSPI/MicroBurst) for such goal. This function will search the base domain name (and a few permutations) in several **azure domains:**
 
 ```bash
 Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
 Invoke-EnumerateAzureSubDomains -Base corp -Verbose
 ```
 
-## Open Storage
-
-You could discover open storage with a tool such as [**InvokeEnumerateAzureBlobs.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Invoke-EnumerateAzureBlobs.ps1) which will use the file **`Microburst/Misc/permitations.txt`** to generate permutations (very simple) to try to **find open storage accounts**.
-
-```bash
-Import-Module .\MicroBurst\MicroBurst.psm1
-Invoke-EnumerateAzureBlobs -Base corp
-[...]
-https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
-[...]
-
-# Access https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
-# Check: <Name>ssh_info.json</Name>
-# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json
-```
-
-### SAS URLs
-
-A _**shared access signature**_ (SAS) URL is an URL that **provides access** to certain part of a Storage account (could be a full container, a file...) with some specific permissions (read, write...) over the resources. If you find one leaked you could be able to access sensitive information, they look like this (this is to access a container, if it was just granting access to a file the path of the URL will also contain that file):
-
-`https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D`
-
-Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-explorer/) to access the data
-
-## Compromise Credentials
 
-### Phishing
+## Phishing
 
-- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-)
+- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) for credentials or via [OAuth Apps](az-oauth-apps-phishing.md)
 - [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md)
 
-### Password Spraying / Brute-Force
-
-{{#ref}}
-az-password-spraying.md
-{{#endref}}
-
 ## References
 
 - [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/)
 - [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/)
+- [https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/](https://www.netspi.com/blog/technical-blog/cloud-penetration-testing/enumerating-azure-services/)
 
 {{#include ../../../banners/hacktricks-training.md}}