Enumeration

Unauthenticated Enumeration

- Cloud Mapping and Initial Info (OSINT)

Use OSINT for unauthenticated enumeration.

Use DNS enumeration and external identity provider discovery.

Enumerate publicly accessible cloud resources (AWS, Azure, GCP) with OSINT tools such as cloud_enum.py.

Search GitHub for leaked credentials (for example a service account JSON file).

- Public Web Apps

"Initial Access > Exploiting Web App" section include techniques for unauthenticated enumeration of Azure Instances.

- Federation and Tenant ID Info

Get Federation info for target domain:

https://login.microsoftonline.com/getuserrealm.srf?login=username@targetdomain.com&xml=1

Get Tenant ID for a target domain:

https://login.microsoftonline.com/<target domain>/v2.0/.well-known/openid-configuration

- Exchange Web Services (EWS) Endpoint

EWS endpoint is usually located at: https://your.target/EWS/Exchange.asmx

Try to enumerate Active Directory users through the exposed portal.

- Microsoft Defender for Identity (MDI) Enumeration

Autodiscover interrogation -> check_mdi.py (https://github.com/expl0itabl3/check_mdi)

The Autodiscover service in Microsoft Exchange is used to automatically configure client endpoints with the settings they need to communicate with the Exchange server.

The Autodiscover web API gives away a lot of information.

python3 check_mdi.py -d domain.com

To just figure out if a company runs Microsoft Defender for Identity: https://github.com/thalpius/Microsoft-Defender-for-Identity-Check-Instance

- AZ Subdomains and Public Blobs

git clone https://github.com/NetSPI/MicroBurst

Import-Module .\MicroBurst.psm1

Enumerate publicly available Azure services whose subdomains contain the base name:

Invoke-EnumerateAzureSubDomains -Base "example" -Verbose

Enumerate publicly accessible Azure Blob Storage accounts whose subdomains contain the base name:

Invoke-EnumerateAzureBlobs -Base "example"

Get the tenant ID of a target organization:

curl https://login.windows.net/example.com/.well-known/openid-configuration

Download information from publicly open blob:

Azure Storage Explorer > Storage Accounts > Connect to Azure Storage > Blob Container > Anonymously > Type obtained URL

Authenticated Enumeration

Authentication Methods

- Authenticate to Azure + Office 365 Management Portal

Portal:

  • Azure Resource Manager Portal

  • O365 / M365 Admin Center

  • O365 / M365 User Portal

Credentials:

  • Username + Password - Long Term Access:

    • Azure AD Users (Cloud Only)

    • Sync Users (On-Premise)

    • SSO Users (Federated Identity): SSO (Single Sign-On) allows users to log in once and gain access to multiple systems without needing to re-enter credentials.

    • External Users

- Authenticate to Azure Programmatically

CLI:

  • Az CLI [Cross Platform]

  • Az PowerShell [PowerShell Module]

  • Microsoft Graph PowerShell [MgGraph Module]

Credentials:

  • Username + Password - Long Term Access:

    • Az CLI: az login

    • Az PowerShell: Connect-AzAccount, Connect-AzureAD, Connect-MgGraph

    To potentially get around MFA:

    $credential = Get-Credential

    Connect-AzAccount -Credential $credential

    • MgGraph PowerShell: Connect-MgGraph -Scopes "Directory.Read.All"

    • MSOnline PowerShell: Connect-MsolService

    To potentially get around MFA:

    $credential = Get-Credential

    Connect-MsolService -Credential $credential

  • Service Principal (App ID + Password or Certificate) - Long Term Access:

    • Az CLI: az login --service-principal -u ApplicationID -p Password --tenant TenantID

    • Az PowerShell:

      • $cred = Get-Credential # Where, Username = Application ID & Password = Client Secret

      • Connect-AzAccount -ServicePrincipal -Tenant TenantID -Credential $cred

    • Access Token (Account ID + Access Token) - Short Term Access:

      • Az CLI: az account get-access-token --resource=https://management.azure.com

      • Az PowerShell:

        • $token = "AccessToken"

        • Connect-AzAccount -AccessToken $token -AccountId {SubscriptionID}

      • MgGraph PowerShell:

        • az account get-access-token --resource https://graph.microsoft.com

        • Connect-MgGraph -AccessToken {TOKEN}

Azure CLI Enumeration

- Authentication

To check if the target organization is using Entra ID as an IDP (Identity Provider):

https://login.microsoftonline.com/getuserrealm.srf?login={Username}@{DomainName}&xml=1
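
Parsing the two unauthenticated discovery responses (the getuserrealm.srf XML used here and the openid-configuration JSON from the Federation and Tenant ID Info section) so a defender can check exactly what their own domain discloses. This is an added example, not code from the original notes: the XML and JSON below are constructed samples shaped like the real responses, the tenant GUID is made up, and Get-TenantDiscovery is a hypothetical helper that fetches both endpoints for a domain you administer.

```powershell
# Added example: parse the unauthenticated discovery responses. Sample data is constructed.

function ConvertFrom-UserRealmXml {
    # Reads the XML returned by getuserrealm.srf?login=...&xml=1
    param([Parameter(Mandatory)][string]$Xml)
    $realm = ([xml]$Xml).RealmInfo
    [pscustomobject]@{
        Domain        = $realm.DomainName
        NameSpaceType = $realm.NameSpaceType              # Managed, Federated or Unknown
        Federated     = ($realm.NameSpaceType -eq 'Federated')
        AuthUrl       = $realm.AuthURL                     # on-premises IdP endpoint; only present when federated
        Brand         = $realm.FederationBrandName
    }
}

function ConvertFrom-OpenIdConfiguration {
    # Reads the JSON from /<domain>/v2.0/.well-known/openid-configuration
    param([Parameter(Mandatory)][string]$Json)
    $cfg = $Json | ConvertFrom-Json
    # The issuer has the form https://login.microsoftonline.com/<tenant-guid>/v2.0
    [pscustomobject]@{
        TenantId = ($cfg.issuer -split '/')[3]
        Issuer   = $cfg.issuer
        Region   = $cfg.tenant_region_scope
    }
}

function Get-TenantDiscovery {
    # Hypothetical helper (assumption): fetch both endpoints live for a domain you are authorised to assess
    param([Parameter(Mandatory)][string]$Domain)
    $realmUri = "https://login.microsoftonline.com/getuserrealm.srf?login=user@$Domain&xml=1"
    $oidcUri  = "https://login.microsoftonline.com/$Domain/v2.0/.well-known/openid-configuration"
    $realm = ConvertFrom-UserRealmXml -Xml (Invoke-WebRequest -Uri $realmUri -UseBasicParsing).Content
    $oidc  = ConvertFrom-OpenIdConfiguration -Json (Invoke-WebRequest -Uri $oidcUri -UseBasicParsing).Content
    [pscustomobject]@{
        Domain = $Domain; NameSpaceType = $realm.NameSpaceType; AuthUrl = $realm.AuthUrl
        TenantId = $oidc.TenantId; Region = $oidc.Region
    }
}

# Constructed sample responses: the shape matches the real endpoints, the values are made up
$sampleRealmXml = @'
<RealmInfo Success="true"><State>3</State><UserState>2</UserState><Login>user@example.com</Login><NameSpaceType>Federated</NameSpaceType><DomainName>example.com</DomainName><FederationBrandName>Example Corp</FederationBrandName><AuthURL>https://sts.example.com/adfs/ls/?username=user%40example.com&amp;wa=wsignin1.0</AuthURL><IsFederatedNS>true</IsFederatedNS></RealmInfo>
'@
$sampleOidcJson = @'
{ "issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/authorize",
  "tenant_region_scope": "EU" }
'@

ConvertFrom-UserRealmXml -Xml $sampleRealmXml
ConvertFrom-OpenIdConfiguration -Json $sampleOidcJson
```

A Federated namespace with an AuthURL means authentication is handed to an on-premises IdP, so lockout, MFA and logging policy must be checked there rather than only in Entra ID; a Managed namespace means those controls live entirely in the tenant identified by TenantId.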

- Account Info

Import a context file:

Import-AzContext -Profile 'C:\hola\Token.json'

Export a context file:

Save-AzContext -Path C:\hola\AzureAccessToken.json

To get currently logged-in session information:

Get-MgContext

Get-AzContext -ListAvailable

To get context details:

$context = Get-AzContext

$context.Name

$context.Account

To list Company Information:

Get-MSolCompanyInformation

- Directory Roles

To get a list of all directory roles:

Get-MgDirectoryRole | ConvertTo-Json

To get the current user's role assignment:

Get-AzRoleAssignment

To get role assignments for a specific principal:

Get-AzRoleAssignment -ObjectId {PrincipalID-ManagedIdentity}

To get a list of members of a directory role:

Get-MgDirectoryRoleMember -DirectoryRoleId {DirectoryRoleID} -All | ConvertTo-Json

- Users

To get a list of users in Entra ID:

Get-MgUser

Get-MSolUser -All

To get the User ID of a specific user:

Get-MgUser -Filter "startswith(displayName,'{DisplayName}')"

To list all user attributes:

Get-MSolUser -All | fl

One-liner to search all Azure AD user attributes for passwords:

$users = Get-MsolUser; foreach ($user in $users) { $props = @(); $user | Get-Member -MemberType Properties | foreach-object { $props += $_.Name }; foreach ($prop in $props) { if ($user.$prop -like "*password*") { Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + ": " + $user.$prop) } } }

To get a list of the groups that a user is a member of:

Get-MgUserMemberOf -UserId {UserID}

List of all objects owned by logged-in user:

Get-MgUserOwnedObject -UserId {UserID} | ConvertTo-Json

To retrieve the object ID of the specified user:

Get-AzureADUser -SearchString "{user we are}"

Lists memberships and permissions of a specified user object:

Get-AzureADUserMembership -ObjectId {user object ID} | ConvertTo-Json -Depth 3

List storage accounts:

Get-AzStorageAccount

- Groups

To list all groups in Entra ID:

Get-MgGroup

Get-MSolGroup -All

To get members of a group:

Get-MgGroupMember -GroupId {GroupID} | ConvertTo-Json

Get-MsolRole -RoleName "Group Name"

Get-MSolGroupMember -GroupObjectId $GUID

- Applications / Service Principals

Get the list of all applications:

Get-MgApplication

Get-AzureADApplication

To get an application object ID and app ID:

Get-MgApplication -Filter "startswith(displayName,'{example-app}')"

Get the details about a specific application:

Get-MgApplication -ApplicationId {ApplicationObjectID} | ConvertTo-Json

Get the detail about the owner of a specific application:

Get-MgApplicationOwner -ApplicationId {ApplicationObjectID} | ConvertTo-Json

Get the details about application permissions for an application:

$app= Get-MgApplication -ApplicationId {ApplicationObjectID}

$app.RequiredResourceAccess

Get the details of App Role for Microsoft Graph API:

$res=Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"

$res.AppRoles | Where-Object {$_.ID -eq '{AppRoleID}'} | ConvertTo-Json

Get the details about delegation permission for an application:

$app= Get-MgApplication -ApplicationId {ApplicationObjectID}

$app.Oauth2RequirePostResponse | ConvertTo-Json

As an app owner, create an application credential:

Add-MgApplicationPassword -ApplicationId "{AppObjectID}" | ConvertTo-Json

Check the directory role assigned to an application:

Get-MgDirectoryRoleMemberAsServicePrincipal -DirectoryRoleId {MgDirectoryRole output GUID} | ConvertTo-Json

Retrieve detailed information about a specific application:

$app = Get-AzureADApplication -ObjectId {app object ID}

$app.RequiredResourceAccess | ConvertTo-Json -Depth 3

To list Service Principals:

Get-MsolServicePrincipal

Lists service principals and retrieves roles associated with specified resource access:

$sp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '{ResourceAppId}'}

$sp.AppRoles | Where-Object {$_.Id -eq '{ResourceAccess > Id}'}
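
The permission lookup the steps above do by hand (take an application's RequiredResourceAccess, find the resource service principal, match each ResourceAccess Id against its AppRoles or Oauth2PermissionScopes) as one function that also marks tenant-wide application permissions for owner and consent review. This is an added example, not the notes' own code; the objects are constructed samples shaped like Get-MgApplication / Get-MgServicePrincipal output, the Microsoft Graph AppId is the real well-known value, the role and scope GUIDs are made up, and Resolve-AppPermission is a hypothetical helper name.

```powershell
# Added example (not the original notes' code): resolve RequiredResourceAccess IDs to permission names.

function Resolve-AppPermission {
    param(
        [Parameter(Mandatory)]$Application,        # object with .RequiredResourceAccess (as from Get-MgApplication)
        [Parameter(Mandatory)]$ServicePrincipals   # resource SPs with .AppId, .DisplayName, .AppRoles, .Oauth2PermissionScopes
    )
    foreach ($rra in $Application.RequiredResourceAccess) {
        $sp = $ServicePrincipals | Where-Object { $_.AppId -eq $rra.ResourceAppId }
        foreach ($access in $rra.ResourceAccess) {
            if ($access.Type -eq 'Role') {
                # 'Role' = application permission: acts without a signed-in user and needs admin consent
                $kind = 'Application'
                $def  = $sp.AppRoles | Where-Object { $_.Id -eq $access.Id }
            } else {
                # 'Scope' = delegated permission: bounded by the signed-in user's own rights
                $kind = 'Delegated'
                $def  = $sp.Oauth2PermissionScopes | Where-Object { $_.Id -eq $access.Id }
            }
            $name = if ($def) { $def.Value } else { "<unresolved $($access.Id)>" }
            [pscustomobject]@{
                Resource   = if ($sp) { $sp.DisplayName } else { $rra.ResourceAppId }
                Kind       = $kind
                Permission = $name
                # Tenant-wide write or role-management application permissions get an owner/consent review
                Review     = ($kind -eq 'Application' -and $name -match '(ReadWrite|Write)\.All$|^RoleManagement\.|^AppRoleAssignment\.')
            }
        }
    }
}

# Constructed sample objects. The Graph AppId is the real well-known value; role/scope GUIDs are made up.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$sampleApp = [pscustomobject]@{
    DisplayName            = 'Sample Automation App'
    RequiredResourceAccess = @(
        [pscustomobject]@{
            ResourceAppId  = $graphAppId
            ResourceAccess = @(
                [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000001'; Type = 'Role'  },
                [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000002'; Type = 'Role'  },
                [pscustomobject]@{ Id = 'bbbbbbbb-0000-0000-0000-000000000001'; Type = 'Scope' }
            )
        }
    )
}
$sampleSps = @(
    [pscustomobject]@{
        AppId                  = $graphAppId
        DisplayName            = 'Microsoft Graph'
        AppRoles               = @(
            [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000001'; Value = 'Directory.ReadWrite.All' },
            [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000002'; Value = 'User.Read.All' }
        )
        Oauth2PermissionScopes = @(
            [pscustomobject]@{ Id = 'bbbbbbbb-0000-0000-0000-000000000001'; Value = 'User.Read' }
        )
    }
)

Resolve-AppPermission -Application $sampleApp -ServicePrincipals $sampleSps | Format-Table -AutoSize
```

Against live data, pass the output of Get-MgApplication as -Application and `Get-MgServicePrincipal -All` as -ServicePrincipals. Rows with Kind Application and Review True are the ones where adding a credential (Add-MgApplicationPassword above) would hand out tenant-wide rights, which is why application ownership is worth auditing alongside the permissions themselves.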

- Azure Resource Manager

Get details about currently logged in session:

az account show

Get the list of all available subscriptions:

az account list

az account list --all

Get-AzSubscription

Get the details of a subscription:

az account show -s {Subscription-ID/Name}

Select-AzSubscription -SubscriptionID "SubscriptionID"

- Resource Groups

Get the list of available resource groups in the current subscription:

az group list

Get the list of available resource groups in a specified subscription:

az group list -s {Subscription-ID/Name}

- Azure Resources

Get-AzResource

Get-AzResourceGroup

Get the list of available resources in the current subscription:

az resource list

Get the list of available resources in a specified resource group:

az resource list --resource-group {ResourceGroupName}

- Function Apps

To list the hostnames of all Azure Function Apps:

Get-AzFunctionApp | ForEach-Object { $_.EnabledHostnames }

To extract specific configuration details from all Function Apps across all subscriptions:

# Retrieve all Azure subscriptions
$subs = Get-AzSubscription
$allfunctioninfo = @()

# Loop through each subscription
Foreach ($s in $subs) {
    $subscriptionid = $s.SubscriptionId
    Select-AzSubscription -Subscription $subscriptionid

    # Retrieve all Function Apps in the current subscription
    $functionapps = Get-AzFunctionApp

    # Loop through each Function App and collect the objects themselves
    # (piping to Format-List here would store formatting records, not data, in the array)
    foreach ($f in $functionapps) {
        $allfunctioninfo += $f.config | Select-Object AcrUseManagedIdentityCred, AcrUserManagedIdentityId, AppCommandLine, ConnectionString, CorsSupportCredentials, CustomActionParameter
        $allfunctioninfo += $f.SiteConfig
        $allfunctioninfo += $f.ApplicationSettings
        $allfunctioninfo += $f.IdentityUserAssignedIdentity.Keys
    }
}

# Output all collected information
$allfunctioninfo | Format-List

- Role Assignments

Lists of roles assigned in a specified subscription:

az role assignment list --subscription {Subscription-ID/Name}

Lists of roles assigned in the current subscription and inherited:

az role assignment list --all

List of all roles assigned to an identity (user, service principal, managed identity):

az role assignment list --assignee {ObjectID/Sign-InEmail/ServicePrincipal} --all

az role assignment list --assignee '{Email}' --all

- Role Definitions

Lists of roles with assigned permissions (Role Definition - For Built-in and Custom Roles):

az role definition list

Get the full information about a specified role:

az role definition list -n {RoleName}

Lists of custom roles with assigned permissions:

az role definition list --custom-role-only
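
A review pass over the JSON that the role assignment and role definition commands above produce: broad built-in roles (Owner, Contributor, User Access Administrator) at subscription scope or higher, and custom roles whose actions include a wildcard or anything under Microsoft.Authorization, which is what lets a holder widen their own access. This is an added example and not code from the original notes; the JSON is constructed to match the field names of `az role assignment list --all -o json` and `az role definition list --custom-role-only -o json`, the subscription GUID is made up, and Get-ScopeLevel, Find-BroadAssignment and Find-WildcardCustomRole are hypothetical helper names.

```powershell
# Added example: review az role assignment / definition JSON for broad privilege. Sample JSON is constructed.

function Get-ScopeLevel {
    # Classifies an ARM scope string; order matters because a resource scope also matches the resource-group pattern
    param([Parameter(Mandatory)][string]$Scope)
    switch -Regex ($Scope) {
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/' { return 'Resource' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$'           { return 'ResourceGroup' }
        '^/subscriptions/[^/]+$'                                { return 'Subscription' }
        '^/providers/Microsoft\.Management/managementGroups/'   { return 'ManagementGroup' }
        '^/$'                                                   { return 'Root' }
        default                                                 { return 'Other' }
    }
}

function Find-BroadAssignment {
    # Input: output of `az role assignment list --all -o json`
    param([Parameter(Mandatory)][string]$AssignmentJson)
    $broadRoles = 'Owner', 'Contributor', 'User Access Administrator'
    foreach ($a in ($AssignmentJson | ConvertFrom-Json)) {
        $level = Get-ScopeLevel -Scope $a.scope
        [pscustomobject]@{
            Principal = $a.principalName
            Type      = $a.principalType
            Role      = $a.roleDefinitionName
            Level     = $level
            # Broad built-in roles at subscription scope or above are the first review target
            Review    = ($broadRoles -contains $a.roleDefinitionName) -and ($level -in 'Subscription', 'ManagementGroup', 'Root')
        }
    }
}

function Find-WildcardCustomRole {
    # Input: output of `az role definition list --custom-role-only -o json`
    param([Parameter(Mandatory)][string]$DefinitionJson)
    foreach ($d in ($DefinitionJson | ConvertFrom-Json)) {
        $actions = @($d.permissions | ForEach-Object { $_.actions })
        # '*' or anything under Microsoft.Authorization lets the holder change role assignments themselves
        $risky = @($actions | Where-Object { $_ -eq '*' -or $_ -like 'Microsoft.Authorization/*' })
        [pscustomobject]@{
            Role            = $d.roleName
            AssignableScope = ($d.assignableScopes -join ', ')
            RiskyActions    = ($risky -join ', ')
            Review          = ($risky.Count -gt 0)
        }
    }
}

# Constructed samples (field names follow the az CLI output; values are made up)
$sampleAssignments = @'
[
  { "principalName": "svc-build@example.com", "principalType": "User", "roleDefinitionName": "Owner",
    "scope": "/subscriptions/11111111-2222-3333-4444-555555555555" },
  { "principalName": "web-mi", "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
    "scope": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-web" },
  { "principalName": "alice@example.com", "principalType": "User", "roleDefinitionName": "Reader",
    "scope": "/subscriptions/11111111-2222-3333-4444-555555555555" }
]
'@
$sampleDefinitions = @'
[
  { "roleName": "Ops Helper", "roleType": "CustomRole",
    "assignableScopes": ["/subscriptions/11111111-2222-3333-4444-555555555555"],
    "permissions": [ { "actions": ["Microsoft.Compute/virtualMachines/read", "Microsoft.Authorization/roleAssignments/write"], "notActions": [] } ] },
  { "roleName": "VM Viewer", "roleType": "CustomRole",
    "assignableScopes": ["/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-web"],
    "permissions": [ { "actions": ["Microsoft.Compute/virtualMachines/read"], "notActions": [] } ] }
]
'@

Find-BroadAssignment -AssignmentJson $sampleAssignments | Format-Table -AutoSize
Find-WildcardCustomRole -DefinitionJson $sampleDefinitions | Format-Table -AutoSize
```

To run it against a real tenant, capture `az role assignment list --all -o json` and `az role definition list --custom-role-only -o json` to strings and pass them in; the Review column is the shortlist for scoping roles down to the resource group or resource that actually needs them.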

- Virtual Machines

Get the list of available virtual machines:

az vm list

To list VMs and get OS details:

Get-AzVM

$vm = Get-AzVM -Name "VM Name"

$vm.OSProfile

Get the list of IP addresses for a specified virtual machine:

az vm list-ip-addresses --name {VM-Name} --resource-group {ResourceGroupName}

Script to extract VM UserData:

$subs = Get-AzSubscription
$fulllist = @()
Foreach($s in $subs) {
    $subscriptionid = $s.SubscriptionId
    Select-AzSubscription -Subscription $subscriptionid
    $vms = Get-AzVM
    $list = $vms.UserData
    $list
    $fulllist += $list
}
$fulllist

- Networking

List virtual networks:

Get-AzVirtualNetwork

List public IP addresses assigned to virtual NICs:

Get-AzPublicIpAddress

Get Azure ExpressRoute (VPN) Info:

Get-AzExpressRouteCircuit

Get Azure VPN Info:

Get-AzVpnConnection

- WebApps & SQL

List Azure web applications:

Get-AzAdApplication

Get-AzWebApp

List SQL servers:

Get-AzSQLServer

Individual databases can be listed with information retrieved from the previous command:

Get-AzSqlDatabase -ServerName $ServerName -ResourceGroupName $ResourceGroupName

List SQL Firewall rules:

Get-AzSqlServerFirewallRule -ServerName $ServerName -ResourceGroupName $ResourceGroupName

List SQL Server AD Admins:

Get-AzSqlServerActiveDirectoryAdministrator -ServerName $ServerName -ResourceGroupName $ResourceGroupName

- Runbooks

List Azure Runbooks

Get-AzAutomationAccount

Get-AzAutomationRunbook -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName>

To export a runbook:

Export-AzAutomationRunbook -AutomationAccountName $AccountName -ResourceGroupName $ResourceGroupName -Name $RunbookName -OutputFolder .\Desktop\

Script to export all runbooks from all subscriptions:

$subs = Get-AzSubscription
Foreach($s in $subs) {
    $subscriptionid = $s.SubscriptionId
    mkdir .\$subscriptionid\
    Select-AzSubscription -Subscription $subscriptionid
    $runbooks = @()
    $autoaccounts = Get-AzAutomationAccount | Select-Object AutomationAccountName, ResourceGroupName
    foreach ($i in $autoaccounts) {
        $runbooks += Get-AzAutomationRunbook -AutomationAccountName $i.AutomationAccountName -ResourceGroupName $i.ResourceGroupName | Select-Object AutomationAccountName, ResourceGroupName, Name
    }
    foreach($r in $runbooks) {
        Export-AzAutomationRunbook -AutomationAccountName $r.AutomationAccountName -ResourceGroupName $r.ResourceGroupName -Name $r.Name -OutputFolder .\$subscriptionid\
    }
}

Script to export all job outputs:

$subs = Get-AzSubscription
$jobout = @()
Foreach($s in $subs) {
    $subscriptionid = $s.SubscriptionId
    Select-AzSubscription -Subscription $subscriptionid
    $jobs = @()
    $autoaccounts = Get-AzAutomationAccount | Select-Object AutomationAccountName, ResourceGroupName
    foreach ($i in $autoaccounts) {
        $jobs += Get-AzAutomationJob -AutomationAccountName $i.AutomationAccountName -ResourceGroupName $i.ResourceGroupName | Select-Object AutomationAccountName, ResourceGroupName, JobId
    }
    foreach($r in $jobs) {
        $jobout += Get-AzAutomationJobOutput -AutomationAccountName $r.AutomationAccountName -ResourceGroupName $r.ResourceGroupName -JobId $r.JobId
    }
}
$jobout | Out-File -Encoding ascii joboutputs.txt
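
The Function App configuration dump, the VM UserData script and the runbook/job-output exports above all produce text that should not contain literal secrets: app settings should be Key Vault references, UserData should carry no credentials, and runbooks should pull credentials from Automation assets. The scanner below checks those three collections for the common plaintext patterns, decoding UserData from base64 first and reporting only a short prefix of each match. This is an added example, not code from the original notes: every input is a constructed sample, the regexes are a starting set rather than an exhaustive one, and Find-PlaintextSecret, Test-AppSetting, ConvertFrom-VmUserData and Test-RunbookFolder are hypothetical helper names.

```powershell
# Added example: scan collected configuration text for plaintext secrets. All inputs are constructed samples.

function Find-PlaintextSecret {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][AllowEmptyString()][AllowNull()][string]$Text
    )
    if (-not $Text) { return }
    $patterns = [ordered]@{
        'storage account key' = 'AccountKey=[A-Za-z0-9+/=]{20,}'
        'SAS token'           = '[?&]sig=[A-Za-z0-9%+/=]{20,}'
        'password assignment' = '(?i)\b(password|pwd)\s*[=:]\s*\S+'
        'private key block'   = '-----BEGIN [A-Z ]*PRIVATE KEY-----'
    }
    foreach ($name in $patterns.Keys) {
        foreach ($m in [regex]::Matches($Text, $patterns[$name])) {
            # Report a short prefix only, so the finding itself does not leak the secret
            $preview = $m.Value.Substring(0, [Math]::Min(14, $m.Value.Length)) + '...'
            [pscustomobject]@{ Source = $Source; Finding = $name; Preview = $preview }
        }
    }
}

function Test-AppSetting {
    # Function App settings: a Key Vault reference is fine, a literal secret is a finding
    param([Parameter(Mandatory)][hashtable]$Settings, [string]$Source = 'functionapp/appsettings')
    foreach ($key in $Settings.Keys) {
        $value = [string]$Settings[$key]
        if ($value -like '@Microsoft.KeyVault(*') { continue }
        Find-PlaintextSecret -Source "$Source/$key" -Text $value
    }
}

function ConvertFrom-VmUserData {
    # The UserData property collected by the VM script is base64; decode before scanning
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64))
}

function Test-RunbookFolder {
    # Scan the .ps1 files written by Export-AzAutomationRunbook
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -Filter *.ps1 -Recurse | ForEach-Object {
        Find-PlaintextSecret -Source $_.FullName -Text (Get-Content -Path $_.FullName -Raw)
    }
}

# Constructed samples: one Key Vault reference (clean), one literal connection string, one decoded UserData
# script with an exported password, one runbook with both a correct credential asset call and a literal
$sampleSettings = @{
    'AzureWebJobsStorage'      = 'DefaultEndpointsProtocol=https;AccountName=samplestore;AccountKey=c0nstructedKeyc0nstructedKeyc0nstructedKey==;EndpointSuffix=core.windows.net'
    'SqlPassword'              = '@Microsoft.KeyVault(SecretUri=https://kv-sample.vault.azure.net/secrets/sql/)'
    'FUNCTIONS_WORKER_RUNTIME' = 'powershell'
}
$sampleUserData = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("#!/bin/bash`nexport DB_PASSWORD=Summer2024!`n"))
$sampleRunbook = @'
$cred = Get-AutomationPSCredential -Name 'svc-backup'     # correct: credential comes from the Automation asset
$legacy = "Server=sql1;User Id=app;Password=Winter2020;"  # finding: literal credential in the runbook body
'@

Test-AppSetting -Settings $sampleSettings
Find-PlaintextSecret -Source 'vm/userdata' -Text (ConvertFrom-VmUserData -Base64 $sampleUserData)
Find-PlaintextSecret -Source 'runbook/sample.ps1' -Text $sampleRunbook
```

For live data, feed `$f.ApplicationSettings` from the Function App loop into Test-AppSetting (the Az.Functions module returns it as a hashtable), each entry of `$fulllist` from the VM script into ConvertFrom-VmUserData, and the per-subscription export folder into Test-RunbookFolder; joboutputs.txt can be passed straight to Find-PlaintextSecret. Each finding maps to a fix the platform already supports: Key Vault references for app settings, credential or variable assets for runbooks, and no secrets in UserData at all, since any reader of the VM resource can retrieve it.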

Azure Recon Tools

- MFASweep

https://github.com/dafthack/MFASweep

Tool to identify if MFA is enabled.

This script attempts to login to the provided account TEN (10) different times (11 if you include ADFS).

Import-Module MFASweep.ps1

Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020
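
The defender's counterpart to the sweep described above: MFASweep tries one credential against many different client apps and protocols in quick succession, so the Entra ID sign-in log shows a single user, from a single IP, hitting several distinct appDisplayName/clientAppUsed pairs within minutes, some stopping at the MFA challenge and some (legacy protocols) succeeding outright. The function below flags that pattern. This is an added detection example, not part of the original notes or of MFASweep: the sign-in records are constructed samples following the Graph signIn field names, the IP addresses are documentation ranges, and Find-MfaProbing is a hypothetical helper name.

```powershell
# Added example: detect MFASweep-style probing in Entra ID sign-in logs. Log records are constructed samples.

function Find-MfaProbing {
    # Input: sign-in records exported from the Entra sign-in log (Graph signIn shape)
    param(
        [Parameter(Mandatory)][string]$SignInJson,
        [int]$WindowMinutes = 10,
        [int]$MinDistinctClients = 4
    )
    $events = $SignInJson | ConvertFrom-Json
    $events | Group-Object -Property userPrincipalName, ipAddress | ForEach-Object {
        $g = @($_.Group | Sort-Object { [datetime]$_.createdDateTime })
        $first = [datetime]$g[0].createdDateTime
        $last  = [datetime]$g[-1].createdDateTime
        # One entry per distinct client app/protocol the credential was tried against
        $clients = @($g | ForEach-Object { "$($_.appDisplayName)/$($_.clientAppUsed)" } | Sort-Object -Unique)
        # 50074/50076: the sign-in stopped at the MFA challenge (credential was valid, MFA held)
        $mfaStops = @($g | Where-Object { $_.status.errorCode -in 50074, 50076 }).Count
        # errorCode 0 over a non-modern client: the credential worked and no MFA was asked for
        $legacyOk = @($g | Where-Object {
            $_.status.errorCode -eq 0 -and $_.clientAppUsed -notin 'Browser', 'Mobile Apps and Desktop clients'
        }).Count
        $spanMin = [math]::Round(($last - $first).TotalMinutes, 1)
        if ($clients.Count -ge $MinDistinctClients -and $spanMin -le $WindowMinutes) {
            [pscustomobject]@{
                User            = $g[0].userPrincipalName
                IpAddress       = $g[0].ipAddress
                DistinctClients = $clients.Count
                SpanMinutes     = $spanMin
                MfaChallenges   = $mfaStops
                LegacySuccess   = $legacyOk   # > 0 means the prober just confirmed an MFA gap
            }
        }
    }
}

# Constructed sample log: one user probed across five client/protocol combinations in 21 seconds,
# plus one ordinary portal sign-in by another user
$sampleSignIns = @'
[
 { "createdDateTime": "2024-05-01T09:00:05Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
   "appDisplayName": "Microsoft Graph", "clientAppUsed": "Mobile Apps and Desktop clients", "status": { "errorCode": 50076 } },
 { "createdDateTime": "2024-05-01T09:00:09Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
   "appDisplayName": "Azure Portal", "clientAppUsed": "Browser", "status": { "errorCode": 50076 } },
 { "createdDateTime": "2024-05-01T09:00:14Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
   "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync", "status": { "errorCode": 0 } },
 { "createdDateTime": "2024-05-01T09:00:20Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
   "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP", "status": { "errorCode": 0 } },
 { "createdDateTime": "2024-05-01T09:00:26Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
   "appDisplayName": "Windows Azure Service Management API", "clientAppUsed": "Mobile Apps and Desktop clients", "status": { "errorCode": 50076 } },
 { "createdDateTime": "2024-05-01T11:30:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.20",
   "appDisplayName": "Azure Portal", "clientAppUsed": "Browser", "status": { "errorCode": 0 } }
]
'@

Find-MfaProbing -SignInJson $sampleSignIns | Format-Table -AutoSize
```

Only the alice/198.51.100.7 group is reported: five distinct clients in well under ten minutes, three MFA challenges and two legacy-protocol successes. The LegacySuccess count is the actionable part for a defender, since it points at the protocols (here Exchange ActiveSync and authenticated SMTP) that a Conditional Access policy blocking legacy authentication would close.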

- ROADtools

https://github.com/dirkjanm/ROADtools

ROADrecon is a tool for exploring Azure AD environments.

- PowerZure

https://github.com/hausec/PowerZure

Framework to interact with Azure AD.

Information Gathering Functions: https://powerzure.readthedocs.io/en/latest/Functions/infogathering.html

Operational Functions: https://powerzure.readthedocs.io/en/latest/Functions/operational.html

- MicroBurst:

https://github.com/NetSPI/MicroBurst

MicroBurst includes functions and scripts that support Azure service discovery, weak configuration auditing, and post-exploitation actions such as credential dumping.

To look for open storage blobs:

Invoke-EnumerateAzureBlobs -Base $BaseName

Export SSL/TLS certs:

Get-AzPasswords -ExportCerts Y

Azure Container Registry dump:

Get-AzPasswords

Get-AzACR

- Stormspotter

https://github.com/Azure/Stormspotter

Tool for graphing Azure and Azure AD objects to visualize the attack surface and pivot opportunities within a tenant.

- AzureHound

https://github.com/BloodHoundAD/AzureHound

To run AzureHound with a refresh token:

./azurehound -r "0.ARwA6Wg..." list --tenant "tenant ID" -v 2 -o output.json
