Az - Enumeration Tools

Tip

学习和实践 AWS 黑客技术:HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术:HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

Install PowerShell in Linux

Tip

在 linux 上,您需要安装 PowerShell Core:

sudo apt-get update
sudo apt-get install -y wget apt-transport-https software-properties-common

# Ubuntu 20.04
wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb

# Update repos
sudo apt-get update
sudo add-apt-repository universe

# Install & start powershell
sudo apt-get install -y powershell
pwsh

# Az cli
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

在 MacOS 上安装 PowerShell

说明来自 documentation:

  1. 如果尚未安装 brew,请安装:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  1. 安装 PowerShell 的最新稳定版本:
brew install powershell/tap/powershell
  1. 运行 PowerShell:
pwsh
  1. 更新:
brew update
brew upgrade powershell

主要枚举工具

az cli

Azure Command-Line Interface (CLI) 是一个用 Python 编写的跨平台工具,用于管理和维护(大多数)Azure 和 Entra ID 资源。它连接到 Azure,并通过命令行或脚本执行管理命令。

Follow this link for the installation instructions¡.

Commands in Azure CLI are structured using a pattern of: az <service> <action> <parameters>

调试 | MitM az cli

使用参数 --debug 可以看到工具 az 发送的所有请求:

az account management-group list --output table --debug

为了对该工具进行一次 MitM 并手动 检查它发送的所有请求,你可以执行:

export ADAL_PYTHON_SSL_NO_VERIFY=1
export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
export HTTPS_PROXY="http://127.0.0.1:8080"
export HTTP_PROXY="http://127.0.0.1:8080"

# If this is not enough
# Download the certificate from Burp and convert it into .pem format
# And export the following env variable
openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem

Az PowerShell

Azure PowerShell 是一个模块,包含用于从 PowerShell 命令行直接管理 Azure 资源的 cmdlets。

有关安装说明,请参阅此链接 installation instructions.

Azure PowerShell AZ Module 中的命令结构如下:<Action>-Az<Service> <parameters>

Debug | MitM Az PowerShell

使用参数 -Debug 可以看到工具发送的所有请求:

Get-AzResourceGroup -Debug

为了对该工具进行 MitM手动检查其发送的所有请求,你可以根据 docs 设置环境变量 HTTPS_PROXYHTTP_PROXY

Microsoft Graph PowerShell

Microsoft Graph PowerShell 是一个跨平台 SDK,允许通过单一端点访问所有 Microsoft Graph APIs,包括 SharePoint、Exchange 和 Outlook 等服务。它支持 PowerShell 7+、通过 MSAL 的现代身份验证、外部身份和高级查询。其重点是最小权限访问,确保操作安全,并定期更新以与最新的 Microsoft Graph API 功能保持一致。

有关安装,请参阅此链接 installation instructions

Microsoft Graph PowerShell 中的命令格式如下:<Action>-Mg<Service> <parameters>

Debug Microsoft Graph PowerShell

使用参数 -Debug 可以查看工具发送的所有请求:

Get-MgUser -Debug

AzureAD Powershell

Azure Active Directory (AD) 模块现在已弃用,是 Azure PowerShell 的一部分,用于管理 Azure AD 资源。它提供 cmdlets 来执行诸如管理用户、组以及在 Entra ID 中注册应用程序等任务。

Tip

这已被 Microsoft Graph PowerShell 取代

请参阅此链接获取 installation instructions

自动化 Recon & 合规 工具

turbot azure plugins

Turbot 与 steampipe 和 powerpipe 结合,可以从 Azure 和 Entra ID 收集信息,执行合规检查并发现错误配置。当前推荐运行的 Azure 模块包括:

# Install
brew install turbot/tap/powerpipe
brew install turbot/tap/steampipe
steampipe plugin install azure
steampipe plugin install azuread

# Config creds via env vars or az cli default creds will be used
export AZURE_ENVIRONMENT="AZUREPUBLICCLOUD"
export AZURE_TENANT_ID="<tenant-id>"
export AZURE_SUBSCRIPTION_ID="<subscription-id>"
export AZURE_CLIENT_ID="<client-id>"
export AZURE_CLIENT_SECRET="<secret>"

# Run steampipe-mod-azure-insights
cd /tmp
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-insights
steampipe service start
powerpipe server
# Go to http://localhost:9033 in a browser

Prowler

Prowler 是一个开源的安全工具,用于执行 AWS、Azure、Google Cloud 和 Kubernetes 的安全最佳实践评估、审计、事件响应、持续监控、加固 和 取证准备。

它基本上允许我们针对 Azure 环境运行数百项检查,以发现安全配置错误,并将结果以 json(和其他文本格式)收集,或在 web 上查看。

# Create a application with Reader role and set the tenant ID, client ID and secret in prowler so it access the app

# Launch web with docker-compose
export DOCKER_DEFAULT_PLATFORM=linux/amd64
curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/docker-compose.yml
curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/.env
## If using an old docker-compose version, change the "env_file" params to: env_file: ".env"
docker compose up -d
# Access the web and configure the access to run a scan from it

# Prowler cli
python3 -m pip install prowler --break-system-packages
docker run --rm toniblyx/prowler:v4-latest azure --list-checks
docker run --rm toniblyx/prowler:v4-latest azure --list-services
docker run --rm toniblyx/prowler:v4-latest azure --list-compliance
docker run --rm -e "AZURE_CLIENT_ID=<client-id>" -e "AZURE_TENANT_ID=<tenant-id>" -e "AZURE_CLIENT_SECRET=<secret>" toniblyx/prowler:v4-latest azure --sp-env-auth
## It also support other authentication types, check: prowler azure --help

Monkey365

它可自动对 Azure subscriptions 和 Microsoft Entra ID 的安全配置进行审查。

HTML 报告存储在 github 仓库文件夹内的 ./monkey-reports 目录中。

git clone https://github.com/silverhack/monkey365
Get-ChildItem -Recurse monkey365 | Unblock-File
cd monkey365
Import-Module ./monkey365
mkdir /tmp/monkey365-scan
cd /tmp/monkey365-scan

Get-Help Invoke-Monkey365
Get-Help Invoke-Monkey365 -Detailed

# Scan with user creds (browser will be run)
Invoke-Monkey365 -TenantId <tenant-id> -Instance Azure -Collect All -ExportTo HTML

# Scan with App creds
$SecureClientSecret = ConvertTo-SecureString "<secret>" -AsPlainText -Force
Invoke-Monkey365 -TenantId <tenant-id> -ClientId <client-id> -ClientSecret $SecureClientSecret -Instance Azure -Collect All -ExportTo HTML

ScoutSuite

ScoutSuite 收集配置数据以供人工检查,并标出风险区域。它是一个多云的安全审计工具,可用于评估云环境的安全态势。

virtualenv -p python3 venv
source venv/bin/activate
pip install scoutsuite
scout --help

# Use --cli flag to use az cli credentials
# Use --user-account to have scout prompt for user credentials
# Use --user-account-browser to launch a browser to login
# Use --service-principal to have scout prompt for app credentials

python scout.py azure --cli

Azure-MG-Sub-Governance-Reporting

这是一个 powershell 脚本,帮助你 可视化 Management Group 和 Entra ID 租户中所有资源和权限,并发现安全配置错误。

它使用 Az PowerShell module,因此任何由该模块支持的身份验证方式都可用。

import-module Az
.\AzGovVizParallel.ps1 -ManagementGroupId <management-group-id> [-SubscriptionIdWhitelist <subscription-id>]

自动化 Post-Exploitation 工具

ROADRecon

ROADRecon 的枚举提供关于 Entra ID 配置的信息,例如用户、组、角色、条件访问策略…

cd ROADTools
pipenv shell
# Login with user creds
roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!"
# Login with app creds
roadrecon auth --as-app --client "<client-id>" --password "<secret>" --tenant "<tenant-id>"
roadrecon gather
roadrecon gui

AzureHound

AzureHound 是用于 Microsoft Entra ID 和 Azure 的 BloodHound 采集器。它是一个单一静态的 Go 二进制文件,可在 Windows/Linux/macOS 上运行,直接与以下服务通信:

  • Microsoft Graph (Entra ID directory, M365) and
  • Azure Resource Manager (ARM) 控制平面 (subscriptions, resource groups, compute, storage, key vault, app services, AKS, etc.)

主要特性

  • 可从公共互联网的任何位置针对租户 APIs 运行(不需要内部网络访问)
  • 输出 JSON 以供 BloodHound CE 摄取,用于可视化跨身份和云资源的攻击路径
  • 观察到的默认 User-Agent:azurehound/v2.x.x

认证选项

  • 用户名 + 密码: -u -p
  • 刷新令牌: –refresh-token
  • JSON Web Token(访问令牌): –jwt
  • 服务主体 密钥: -a -s
  • 服务主体 证书: -a –cert <cert.pem> –key <key.pem> [–keypass ]

示例

# Full tenant collection to file using different auth flows
## User creds
azurehound list -u "<user>@<tenant>" -p "<pass>" -t "<tenant-id|domain>" -o ./output.json

## Use an access token (JWT) from az cli for Graph
JWT=$(az account get-access-token --resource https://graph.microsoft.com -o tsv --query accessToken)
azurehound list --jwt "$JWT" -t "<tenant-id>" -o ./output.json

## Use a refresh token (e.g., from device code flow)
azurehound list --refresh-token "<refresh_token>" -t "<tenant-id>" -o ./output.json

## Service principal secret
azurehound list -a "<client-id>" -s "<secret>" -t "<tenant-id>" -o ./output.json

## Service principal certificate
azurehound list -a "<client-id>" --cert "/path/cert.pem" --key "/path/key.pem" -t "<tenant-id>" -o ./output.json

# Targeted discovery
azurehound list users -t "<tenant-id>" -o users.json
azurehound list groups -t "<tenant-id>" -o groups.json
azurehound list roles -t "<tenant-id>" -o roles.json
azurehound list role-assignments -t "<tenant-id>" -o role-assignments.json

# Azure resources via ARM
azurehound list subscriptions -t "<tenant-id>" -o subs.json
azurehound list resource-groups -t "<tenant-id>" -o rgs.json
azurehound list virtual-machines -t "<tenant-id>" -o vms.json
azurehound list key-vaults -t "<tenant-id>" -o kv.json
azurehound list storage-accounts -t "<tenant-id>" -o sa.json
azurehound list storage-containers -t "<tenant-id>" -o containers.json
azurehound list web-apps -t "<tenant-id>" -o webapps.json
azurehound list function-apps -t "<tenant-id>" -o funcapps.json

What gets queried

  • Graph endpoints (examples):
  • /v1.0/organization, /v1.0/users, /v1.0/groups, /v1.0/roleManagement/directory/roleDefinitions, directoryRoles, owners/members
  • ARM endpoints (examples):
  • management.azure.com/subscriptions/…/providers/Microsoft.Storage/storageAccounts
  • …/Microsoft.KeyVault/vaults, …/Microsoft.Compute/virtualMachines, …/Microsoft.Web/sites, …/Microsoft.ContainerService/managedClusters

Preflight behavior and endpoints

  • 每个 azurehound list 通常在枚举前执行这些测试调用:
  1. Identity platform: login.microsoftonline.com
  2. Graph: GET https://graph.microsoft.com/v1.0/organization
  3. ARM: GET https://management.azure.com/subscriptions?api-version=…
  • Cloud environment base URLs 在 Government/China/Germany 环境下有所不同。参见仓库中的 constants/environments.go。

ARM-heavy objects (less visible in Activity/Resource logs)

  • 以下目标主要使用 ARM control plane 读取:automation-accounts, container-registries, function-apps, key-vaults, logic-apps, managed-clusters, management-groups, resource-groups, storage-accounts, storage-containers, virtual-machines, vm-scale-sets, web-apps。
  • 这些 GET/list 操作通常不会写入 Activity Logs;数据平面读取(例如 *.blob.core.windows.net, *.vault.azure.net)由资源级别的 Diagnostic Settings 覆盖。

OPSEC and logging notes

  • Microsoft Graph Activity Logs 默认未启用;启用并导出到 SIEM 以便获得对 Graph 调用的可见性。预期的 Graph preflight GET /v1.0/organization 会带有 UA azurehound/v2.x.x。
  • Entra ID non-interactive sign-in logs 会记录 AzureHound 使用的 identity platform auth (login.microsoftonline.com)。
  • ARM control-plane 的 read/list 操作不会记录在 Activity Logs 中;许多 azurehound 针对资源的 list 操作不会显示在那里。只有数据平面日志(通过 Diagnostic Settings)会捕获对服务端点的读取。
  • Defender XDR GraphApiAuditEvents (preview) 可能会暴露 Graph 调用和 token 标识符,但可能缺少 UserAgent 且保留时间有限。

Tip: 在为权限路径进行枚举时,导出 users、groups、roles 和 role assignments,然后导入 BloodHound 并使用预置的 cypher queries 来显示 Global Administrator/Privileged Role Administrator 以及通过嵌套组和 RBAC 分配的传递式提升路径。

Launch the BloodHound web with curl -L https://ghst.ly/getbhce | docker compose -f - up and import the output.json file. Then, in the EXPLORE tab, in the CYPHER section you can see a folder icon that contains pre-built queries.

MicroBurst

MicroBurst 包含函数和脚本,支持 Azure Services 的发现、弱配置审计,以及 post exploitation 操作(例如 credential dumping)。它旨在在存在 Azure 的 penetration tests 期间使用。

Import-Module .\MicroBurst.psm1
Import-Module .\Get-AzureDomainInfo.ps1
Get-AzureDomainInfo -folder MicroBurst -Verbose

PowerZure

PowerZure 的出现源于对一个能够同时进行 reconnaissance 和 exploitation 的框架的需求,针对 Azure、EntraID 及其相关资源。

它使用 Az PowerShell 模块,因此任何该模块支持的 authentication 方法也被该工具支持。

# Login
Import-Module Az
Connect-AzAccount

# Clone and import PowerZure
git clone https://github.com/hausec/PowerZure
cd PowerZure
ipmo ./Powerzure.psd1
Invoke-Powerzure -h # Check all the options

# Info Gathering (read)
Get-AzureCurrentUser # Get current user
Get-AzureTarget # What can you access to
Get-AzureUser -All # Get all users
Get-AzureSQLDB -All # Get all SQL DBs
Get-AzureAppOwner # Owners of apps in Entra
Show-AzureStorageContent -All # List containers, shared and tables
Show-AzureKeyVaultContent -All # List all contents in key vaults


# Operational (write)
Set-AzureUserPassword -Password <password> -Username <username> # Change password
Set-AzureElevatedPrivileges # Get permissions from Global Administrator in EntraID to User Access Administrator in Azure RBAC.
New-AzureBackdoor -Username <username> -Password <password>
Invoke-AzureRunCommand -Command <command> -VMName <vmname>
[...]

GraphRunner

GraphRunner 是一个用于与 Microsoft Graph API 交互的 post-exploitation 工具集。它提供了各种工具,用于从 Microsoft Entra ID (Azure AD) 帐户执行 reconnaissance、persistence 和 pillaging of data。

#A good place to start is to authenticate with the Get-GraphTokens module. This module will launch a device-code login, allowing you to authenticate the session from a browser session. Access and refresh tokens will be written to the global $tokens variable. To use them with other GraphRunner modules use the Tokens flag (Example. Invoke-DumpApps -Tokens $tokens)
Import-Module .\GraphRunner.ps1
Get-GraphTokens

#This module gathers information about the tenant including the primary contact info, directory sync settings, and user settings such as if users have the ability to create apps, create groups, or consent to apps.
Invoke-GraphRecon -Tokens $tokens -PermissionEnum

#A module to dump conditional access policies from a tenant.
Invoke-GraphRecon -Tokens $tokens -PermissionEnum

#A module to dump conditional access policies from a tenant.
Invoke-DumpCAPS -Tokens $tokens -ResolveGuids

#This module helps identify malicious app registrations. It will dump a list of Azure app registrations from the tenant including permission scopes and users that have consented to the apps. Additionally, it will list external apps that are not owned by the current tenant or by Microsoft's main app tenant. This is a good way to find third-party external apps that users may have consented to.
Invoke-DumpApps -Tokens $tokens

#Gather the full list of users from the directory.
Get-AzureADUsers -Tokens $tokens -OutFile users.txt

#Create a list of security groups along with their members.
Get-SecurityGroups -AccessToken $tokens.access_token

#Gets groups that may be able to be modified by the current user
Get-UpdatableGroups -Tokens $tokens

#Finds dynamic groups and displays membership rules
Get-DynamicGroups -Tokens $tokens

#Gets a list of SharePoint site URLs visible to the current user
Get-SharePointSiteURLs -Tokens $tokens

#This module attempts to locate mailboxes in a tenant that have allowed other users to read them. By providing a userlist the module will attempt to access the inbox of each user and display if it was successful. The access token needs to be scoped to Mail.Read.Shared or Mail.ReadWrite.Shared for this to work.
Invoke-GraphOpenInboxFinder -Tokens $tokens -Userlist users.txt

#This module attempts to gather a tenant ID associated with a domain.
Get-TenantID -Domain

#Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams.
Invoke-GraphRunner -Tokens $tokens

Stormspotter

Stormspotter 为 Azure 订阅中的资源创建“攻击图”。

它使 red teams and pentesters 能可视化 tenant 中的攻击面和横向移动机会,并大幅提升你的防御者快速定位和优先排序事件响应工作的能力。

不幸的是,看起来已不再维护

# Start Backend
cd stormspotter\backend\
pipenv shell
python ssbackend.pyz

# Start Front-end
cd stormspotter\frontend\dist\spa\
quasar.cmd serve -p 9091 --history

# Run Stormcollector
cd stormspotter\stormcollector\
pipenv shell
az login -u test@corp.onmicrosoft.com -p Welcome2022!
python stormspotter\stormcollector\sscollector.pyz cli
# This will generate a .zip file to upload in the frontend (127.0.0.1:9091)

参考资料

Tip

学习和实践 AWS 黑客技术:HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术:HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks