Az - Unauthenticated Enum & Initial Entry

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Azure Tenant

Tenant Enumeration

There are some public Azure APIs that, knowing only the tenant's domain, an attacker can query to gather more information about that tenant.
You can query the API directly or use the PowerShell library AADInternals (Install-Module AADInternals):

  • Login information, including the tenant ID
  • Get-AADIntTenantID -Domain <domain> (main API login.microsoftonline.com/<domain>/.well-known/openid-configuration)
  • All the verified domains of the tenant
  • Get-AADIntTenantDomains -Domain <domain> (main API autodiscover-s.outlook.com/autodiscover/autodiscover.svc)
  • Login information of a user. If NameSpaceType is Managed, it means Entra ID is used
  • Get-AADIntLoginInformation -UserName <UserName> (main API login.microsoftonline.com/GetUserRealm.srf?login=<UserName>)

You can query all the information about an Azure tenant with a single AADInternals command:

# Doesn't work in macos because 'Resolve-DnsName' doesn't exist
Invoke-AADIntReconAsOutsider -DomainName corp.onmicrosoft.com | Format-Table

## Output Example of the Azure tenant info:

Tenant brand:       Company Ltd
Tenant name:        company
Tenant id:          1937e3ab-38de-a735-a830-3075ea7e5b39
DesktopSSO enabled: True

Name                           DNS   MX    SPF  Type      STS
----                           ---   --    ---  ----      ---
company.com                   True  True  True  Federated sts.company.com
company.mail.onmicrosoft.com  True  True  True  Managed
company.onmicrosoft.com       True  True  True  Managed
int.company.com              False False False  Managed

It is possible to see details about the tenant name, ID and "brand" name. Additionally, the status of Desktop Single Sign-On (SSO), also known as Seamless SSO, is shown. When enabled, this feature makes it easier to determine whether a given user exists in the target organization (user enumeration).

Moreover, the output lists all verified domains associated with the target tenant, along with their identity types. For federated domains, the Fully Qualified Domain Name (FQDN) of the identity provider in use, typically an ADFS server, is also disclosed. The "MX" column indicates whether email is routed to Exchange Online, while the "SPF" column indicates whether Exchange Online is listed as an email sender. Note that the current reconnaissance function does not parse "include" statements inside SPF records, which can lead to false negatives.
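To see why the SPF column can be a false negative, the added example below (not part of the page or of AADInternals) resolves include:/redirect= chains over constructed TXT records; the domains, records and the lookup budget are assumptions, and only include/redirect terms are counted against it.

```python
import re

# Constructed TXT records standing in for live DNS lookups (not real data).
# company.com only reaches Exchange Online through a nested include, which a
# top-level-only check reports as "no Exchange Online in SPF".
TXT_RECORDS = {
    "company.com": ["v=spf1 include:_spf.company.com -all"],
    "_spf.company.com": ["v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com ~all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:40.92.0.0/15 -all"],
    "other.com": ["v=spf1 ip4:198.51.100.10 -all"],
    "loop.com": ["v=spf1 include:loop.com -all"],
}
EXO_SPF = "spf.protection.outlook.com"
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying terms at 10 per evaluation

def get_spf(domain, records):
    """Return the v=spf1 TXT record for a domain, or None if none is published."""
    for txt in records.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None

def naive_exo_check(domain, records=TXT_RECORDS):
    """Top-level-only test: what a non-recursive SPF column amounts to."""
    spf = get_spf(domain, records) or ""
    return EXO_SPF in spf.lower()

def spf_reaches(domain, target, records, seen=None, budget=None):
    """True if `target` is reachable from `domain` via include:/redirect= terms.
    `seen` cuts loops; `budget` enforces the lookup cap (a/mx/ptr/exists ignored)."""
    seen = set() if seen is None else seen
    budget = [MAX_LOOKUPS] if budget is None else budget
    if domain in seen or budget[0] <= 0:
        return False
    seen.add(domain)
    spf = get_spf(domain, records)
    if spf is None:
        return False
    for term in spf.split()[1:]:
        m = re.match(r"^[+\-~?]?(include:|redirect=)(.+)$", term, re.I)
        if not m:
            continue
        budget[0] -= 1
        nxt = m.group(2).lower()
        if nxt == target or spf_reaches(nxt, target, records, seen, budget):
            return True
    return False

def exo_in_spf(domain, records=TXT_RECORDS):
    """Recursive check that does not miss Exchange Online behind an include."""
    return spf_reaches(domain.lower(), EXO_SPF, records)
```

Running this on your own domain's real TXT records (swap TXT_RECORDS for a resolver) tells you whether the SPF column in the recon output is trustworthy for that domain.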

User Enumeration

Tip

Note that even if a tenant uses several email domains for a single user, the username is unique. This means enumeration only works with the domain the user is associated with, not with the other domains.

It is possible to check whether a username exists inside a tenant. This also includes guest users, whose username has the format:

<email>#EXT#@<tenant name>.onmicrosoft.com

The email is the user's address with the "@" replaced by "_".

With AADInternals you can easily check whether a user exists or not:

# Check does the user exist
Invoke-AADIntUserEnumerationAsOutsider -UserName "user@company.com"

UserName         Exists
--------         ------
user@company.com True

You can also use a text file with one email address per line:

user@company.com
user2@company.com
admin@company.com
admin2@company.com
external.user_gmail.com#EXT#@company.onmicrosoft.com
external.user_outlook.com#EXT#@company.onmicrosoft.com
# Invoke user enumeration
Get-Content .\users.txt | Invoke-AADIntUserEnumerationAsOutsider -Method Normal

There are currently 4 different enumeration methods to choose from. You can find details in Get-Help Invoke-AADIntUserEnumerationAsOutsider:

Supports the following enumeration methods: Normal, Login, Autologon and RST2.

  • The Normal method currently seems to work with all tenants. Previously it required Desktop SSO (aka Seamless SSO) to be enabled for at least one domain.

  • The Login method works with any tenant, but the enumeration queries are written to the Azure AD sign-in log as failed login events!

  • The Autologon method no longer seems to work with all tenants. It probably requires DesktopSSO or directory sync to be enabled.
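Because the Login method leaves failed sign-in events behind, a defender can spot it in the sign-in log. The added example below (not from the page or AADInternals) scans constructed records shaped like an Entra sign-in log export and flags a source that triggers AADSTS50034 (user account does not exist) for many distinct usernames inside a short window; the field names, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# AADSTS50034 = "user account does not exist in the directory". One source
# hitting it for many *different* usernames within minutes is enumeration, not
# a typo. 50126 (bad username or password) is a real-user failure and is ignored.
USER_NOT_FOUND = 50034

# Constructed sample events loosely shaped like an Entra sign-in log export
# (not real data; the field names are an assumption about the export format).
SAMPLE_LOG = [
    {"createdDateTime": f"2024-05-01T10:00:{i:02d}Z",
     "userPrincipalName": f"user{i}@company.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50034}}
    for i in range(6)
] + [
    # same source an hour later: outside the window, so it must not count
    {"createdDateTime": "2024-05-01T11:00:00Z", "userPrincipalName": "late@company.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50034}},
    # a single unknown user from another source: below threshold
    {"createdDateTime": "2024-05-01T10:01:00Z", "userPrincipalName": "bob@company.com",
     "ipAddress": "203.0.113.5", "status": {"errorCode": 50034}},
    # an existing user with a wrong password: different error code
    {"createdDateTime": "2024-05-01T10:01:30Z", "userPrincipalName": "alice@company.com",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
]

def detect_enumeration(records, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: max distinct unknown usernames seen within `window`} for each
    source that reached `threshold`; sources below it are omitted."""
    by_ip = defaultdict(list)
    for r in records:
        if r.get("status", {}).get("errorCode") != USER_NOT_FOUND:
            continue
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        by_ip[r["ipAddress"]].append((ts, r["userPrincipalName"].lower()))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({u for _, u in events[start:end + 1]})
            if distinct >= threshold:
                hits[ip] = max(hits.get(ip, 0), distinct)
    return hits
```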

Once you have discovered valid usernames, you can get information about a user with:

Get-AADIntLoginInformation -UserName root@corp.onmicrosoft.com

The o365spray script also lets you discover whether an email address is valid.

git clone https://github.com/0xZDH/o365spray
cd o365spray
python3 -m pip install -r requirements.txt

# Check 1 email
python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -u carlos
# Check a list of emails
python3 ./o365spray.py --enum -d carloshacktricks.onmicrosoft.com -U /tmp/users.txt

User Enumeration via Microsoft Teams

Another good source of information is Microsoft Teams.

The Microsoft Teams API allows searching for users. In particular, the "user search" endpoints externalsearchv3 and searchUsers can be used to request general information about user accounts enrolled in Teams.

Based on the API responses, it is possible to distinguish non-existent users from existing users who have a valid Teams subscription.

The TeamsEnum script can be used to validate a given set of usernames against the Teams API, but you need access to a user with Teams rights to use it.

# Install
git clone https://github.com/lucidra-security/TeamsEnum
cd TeamsEnum
python3 -m pip install -r requirements.txt

# Login and ask for password
python3 ./TeamsEnum.py -a password -u <username> -f inputlist.txt -o teamsenum-output.json

[-] user1@domain - Target user not found. Either the user does not exist, is not Teams-enrolled or is configured to not appear in search results (personal accounts only)
[+] user2@domain - User2 | Company (Away, Mobile)
[+] user3@domain - User3 | Company (Available, Desktop)

Additionally, it is possible to enumerate availability information about existing users, such as:

  • Available
  • Away
  • DoNotDisturb
  • Busy
  • Offline

If an out-of-office message is set, it is also possible to retrieve that message with TeamsEnum. If an output file was specified, the out-of-office messages are stored automatically in the JSON file:

jq . teamsenum-output.json

{
  "email": "user2@domain",
  "exists": true,
  "info": [
    {
      "tenantId": "[REDACTED]",
      "isShortProfile": false,
      "accountEnabled": true,
      "featureSettings": {
        "coExistenceMode": "TeamsOnly"
      },
      "userPrincipalName": "user2@domain",
      "givenName": "user2@domain",
      "surname": "",
      "email": "user2@domain",
      "tenantName": "Company",
      "displayName": "User2",
      "type": "Federated",
      "mri": "8:orgid:[REDACTED]",
      "objectId": "[REDACTED]"
    }
  ],
  "presence": [
    {
      "mri": "8:orgid:[REDACTED]",
      "presence": {
        "sourceNetwork": "Federated",
        "calendarData": {
          "outOfOfficeNote": {
            "message": "Dear sender. I am out of the office until March 23rd with limited access to my email. I will respond after my return.Kind regards, User2",
            "publishTime": "2023-03-15T21:44:42.0649385Z",
            "expiry": "2023-04-05T14:00:00Z"
          },
          "isOutOfOffice": true
        },
        "capabilities": ["Audio", "Video"],
        "availability": "Away",
        "activity": "Away",
        "deviceType": "Mobile"
      },
      "etagMatch": false,
      "etag": "[REDACTED]",
      "status": 20000
    }
  ]
}

Password Spraying / Brute-Force

Az - Password Spraying

Azure Services with Domains

It is also possible to look for Azure services exposed on common Azure subdomains, such as those listed in the post:

  • App Services: azurewebsites.net
  • App Services – Management: scm.azurewebsites.net
  • App Services: p.azurewebsites.net
  • App Services: cloudapp.net
  • Storage Accounts-Files: file.core.windows.net
  • Storage Accounts-Blobs: blob.core.windows.net
  • Storage Accounts-Queues: queue.core.windows.net
  • Storage Accounts-Tables: table.core.windows.net
  • Databases-Redis: redis.cache.windows.net
  • Databases-Cosmos DB: documents.azure.com
  • Databases-MSSQL: database.windows.net
  • Key Vaults: vault.azure.net
  • Microsoft Hosted Domain: onmicrosoft.com
  • Email: mail.protection.outlook.com
  • SharePoint: sharepoint.com
  • CDN: azureedge.net
  • Search Appliance: search.windows.net
  • API Services: azure-api.net

You can use the function from MicroBurst for that purpose. It searches for the base domain name (and a few permutations) across dozens of Azure domains:

Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose

Phishing

Filesystem Credentials

az cli stores a lot of interesting information in <HOME>/.Azure:

  • azureProfile.json contains information about previously logged-in users
  • clouds.config contains information about the subscriptions
  • service_principal_entries.json contains application credentials (tenant id, client id and secret)
  • msal_token_cache.json contains access tokens and refresh tokens

Note that on macOS and Linux these files are stored in clear text and unprotected.
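A quick way to confirm the exposure on a host is to audit the modes of those files. The added example below (not az cli's own code) builds a throwaway directory with constructed placeholder files carrying the names listed above and reports the ones readable by group or others; the directory path and modes are assumptions.

```python
import os
import stat
import tempfile

# File names az cli keeps under its profile directory, per the list above.
AZ_CLI_FILES = [
    "azureProfile.json",
    "clouds.config",
    "service_principal_entries.json",
    "msal_token_cache.json",
]

def audit_az_profile_dir(profile_dir):
    """Return {filename: octal_mode} for every az cli file in `profile_dir`
    that is readable by group or others, i.e. not restricted to the owner."""
    exposed = {}
    for name in AZ_CLI_FILES:
        path = os.path.join(profile_dir, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed[name] = oct(mode)
    return exposed

def demo():
    """Create constructed placeholder files (no real tokens) in a temp dir,
    give two of them loose modes, and return the audit result."""
    with tempfile.TemporaryDirectory() as d:
        for name in AZ_CLI_FILES:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("{}")  # constructed placeholder content
        os.chmod(os.path.join(d, "msal_token_cache.json"), 0o644)
        os.chmod(os.path.join(d, "service_principal_entries.json"), 0o644)
        os.chmod(os.path.join(d, "azureProfile.json"), 0o600)
        os.chmod(os.path.join(d, "clouds.config"), 0o600)
        return audit_az_profile_dir(d)
```

Point audit_az_profile_dir at the real profile directory to check a workstation; anything it returns is a token or secret store another local user can read.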
