Commit

GITBOOK-713: No subject

carlospolop authored and gitbook-bot committed Nov 26, 2024
1 parent 3acfd79 commit c90ca6f
Showing 12 changed files with 358 additions and 124 deletions.
Binary file added .gitbook/assets/image (350).png
Binary file added .gitbook/assets/image (351).png
Binary file added .gitbook/assets/image (352).png
Binary file added .gitbook/assets/image (353).png
5 changes: 3 additions & 2 deletions SUMMARY.md
@@ -391,7 +391,8 @@
* [AWS - SNS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md)
* [AWS - S3 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md)
* [Azure Pentesting](pentesting-cloud/azure-security/README.md)
* [Az - Basic Information](pentesting-cloud/azure-security/az-basic-information.md)
* [Az - Basic Information](pentesting-cloud/azure-security/az-basic-information/README.md)
* [Az - Tokens & Public Applications](pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md)
* [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md)
* [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md)
* [Az - Illicit Consent Grant](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-illicit-consent-grant.md)
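Review bot: the two new entries point at `pentesting-cloud/azure-security/az-basic-information/README.md` and `.../az-basic-information/az-tokens-and-public-applications.md`, but neither file appears among the changes rendered on this page (only 9 of the 12 changed files are displayed). Confirm that the old `az-basic-information.md` was actually moved to `az-basic-information/README.md` and that the new tokens page is part of this commit; otherwise these summary entries and every `content-ref` updated further down will point at a file that does not exist in the built book.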
@@ -445,7 +446,7 @@
* [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md)
* [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md)
* [Az - Entra ID (formerly AzureAD - AAD)](pentesting-cloud/azure-security/az-azuread/README.md)
* [Az - Conditional Access Policies / MFA Bypass](pentesting-cloud/azure-security/az-azuread/az-conditional-access-policies-mfa-bypass.md)
* [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-azuread/az-conditional-access-policies-mfa-bypass.md)
* [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-azuread/dynamic-groups.md)
* [Digital Ocean Pentesting](pentesting-cloud/digital-ocean-pentesting/README.md)
* [DO - Basic Information](pentesting-cloud/digital-ocean-pentesting/do-basic-information.md)
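Review bot: the title change from `/` to `&` in the Conditional Access entry leaves the file path `az-conditional-access-policies-mfa-bypass.md` untouched, so existing deep links keep working, and the H1 of that page is renamed the same way in this commit, which keeps SUMMARY.md and the page heading consistent. Check that no other page embeds the old title ("Conditional Access Policies / MFA Bypass") in a `content-ref` or link text.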
6 changes: 3 additions & 3 deletions pentesting-cloud/azure-security/README.md
@@ -17,8 +17,8 @@ Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt

## Basic Information

{% content-ref url="az-basic-information.md" %}
[az-basic-information.md](az-basic-information.md)
{% content-ref url="az-basic-information/" %}
[az-basic-information](az-basic-information/)
{% endcontent-ref %}

## Azure Pentester/Red Team Methodology
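Review bot: `{% content-ref url="az-basic-information/" %}` with the trailing slash is the correct form for a GitBook directory page, but the visible link text `[az-basic-information](az-basic-information/)` is now a bare folder name rather than a file name; consider using the page title from SUMMARY.md ("Az - Basic Information") as the link text so the card reads naturally if the title lookup falls back to the text.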
@@ -141,7 +141,7 @@ You can get the same info in the **web console** going to [https://portal.azure.

### ENtra ID Enumeration

By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information.md#default-user-permissions)).\
By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/#default-user-permissions)).\
You can find here a guide:

{% content-ref url="az-azuread/" %}
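Review bot: the rewritten line carries over two typos from the line it replaces: "such us, users, groups" should be "such as users, groups", and the heading two lines above, "### ENtra ID Enumeration", has a stray capital N ("Entra ID Enumeration"). Since this paragraph is being touched anyway, fix both here rather than in a follow-up commit.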
28 changes: 14 additions & 14 deletions pentesting-cloud/azure-security/az-azuread/README.md
@@ -214,8 +214,8 @@ az account tenant list

For more information about Entra ID users check:

{% content-ref url="../az-basic-information.md" %}
[az-basic-information.md](../az-basic-information.md)
{% content-ref url="../az-basic-information/" %}
[az-basic-information](../az-basic-information/)
{% endcontent-ref %}

{% tabs %}
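Review bot: this is the first of seven identical `../az-basic-information.md` to `../az-basic-information/` substitutions in this file, all mechanical and consistent. Once the page move is in, grep the whole repository for any remaining `az-basic-information.md` reference, including the anchored form `az-basic-information.md#default-user-permissions` used in `azure-security/README.md`, so no link is left pointing at the removed file.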
@@ -337,8 +337,8 @@ It's highly recommended to add MFA to every user, however, some companies won't

For more information about Entra ID groups check:

{% content-ref url="../az-basic-information.md" %}
[az-basic-information.md](../az-basic-information.md)
{% content-ref url="../az-basic-information/" %}
[az-basic-information](../az-basic-information/)
{% endcontent-ref %}

{% tabs %}
@@ -439,8 +439,8 @@ Check how to abuse dynamic groups in the following page:

For more information about Entra ID service principals check:

{% content-ref url="../az-basic-information.md" %}
[az-basic-information.md](../az-basic-information.md)
{% content-ref url="../az-basic-information/" %}
[az-basic-information](../az-basic-information/)
{% endcontent-ref %}

{% tabs %}
@@ -630,8 +630,8 @@ Function Add-AzADAppSecret

For more information about Applications check:

{% content-ref url="../az-basic-information.md" %}
[az-basic-information.md](../az-basic-information.md)
{% content-ref url="../az-basic-information/" %}
[az-basic-information](../az-basic-information/)
{% endcontent-ref %}

When an App is generated 2 types of permissions are given:
@@ -704,8 +704,8 @@ It's possible to find a list of the App IDs that belongs to Microsoft in [https:

For more information about Managed Identities check:

{% content-ref url="../az-basic-information.md" %}
[az-basic-information.md](../az-basic-information.md)
{% content-ref url="../az-basic-information/" %}
[az-basic-information](../az-basic-information/)
{% endcontent-ref %}

{% tabs %}
@@ -722,8 +722,8 @@ az identity list --output table

For more information about Azure and Entra ID roles check:

{% content-ref url="../az-basic-information.md" %}
[az-basic-information.md](../az-basic-information.md)
{% content-ref url="../az-basic-information/" %}
[az-basic-information](../az-basic-information/)
{% endcontent-ref %}

{% tabs %}
@@ -833,8 +833,8 @@ Moreover, if the logged user is **Owner** of the device, he is going to be **loc

For more information about administrative units check:

{% content-ref url="../az-basic-information.md" %}
[az-basic-information.md](../az-basic-information.md)
{% content-ref url="../az-basic-information/" %}
[az-basic-information](../az-basic-information/)
{% endcontent-ref %}

{% tabs %}
pentesting-cloud/azure-security/az-azuread/az-conditional-access-policies-mfa-bypass.md
@@ -1,4 +1,4 @@
# Az - Conditional Access Policies / MFA Bypass
# Az - Conditional Access Policies & MFA Bypass

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">\
@@ -29,50 +29,64 @@ Here are a couple of examples:

It's possible that a conditional access policy is **checking some information that can be easily tampered allowing a bypass of the policy**. And if for example the policy was configuring MFA, the attacker will be able to bypass it.

When configuring a conditional access policy it's needed to indicate the **users** affected and **target resources** (like all cloud apps).

It's also needed to configure the **conditions** that will **trigger** the policy:

* **Network**: Ip, IP ranges and geographical locations
* Can be bypassed using a VPN or Proxy to connect to a country or managing to login from an allowed IP address
* **Microsoft risks**: User risk, Sign-in risk, Insider risk
* **Device platforms**: Any device or select Android, iOS, Windows phone, Windows, macOS, Linux
* If “Any device” is not selected but all the other options are selected it’s possible to bypass it using a random user-agent not related to those platforms
* **Client apps**: Option are “Browser”, “Mobiles apps and desktop clients”, “Exchange ActiveSync clients” and Other clients”
* To bypass login with a not selected option
* **Filter for devices**: It’s possible to generate a rule related the used device
* A**uthentication flows**: Options are “Device code flow” and “Authentication transfer”
* This won’t affect an attacker unless he is trying to abuse any of those protocols in a phishing attempt to access the victims account

The possible **results** are: Block or Grant access with potential conditions like require MFA, device to be compliant…

### Device Platforms - Device Condition

It's possible to set a condition based on the **device platform** (Android, iOS, Windows, macOS), however, this is based on the **user-agent** so it's pretty easy to bypass. Even **making all the options enforce MFA**, if you use a **user-agent that it doesn't recognize** you will be able to bypass the mFA.
It's possible to set a condition based on the **device platform** (Android, iOS, Windows, macOS...), however, this is based on the **user-agent** so it's easy to bypass. Even **making all the options enforce MFA**, if you use a **user-agent that it isn't recognized,** you will be able to bypass the MFA or block:

### Locations: Countries, IP ranges - Device Condition
<figure><img src="../../../.gitbook/assets/image (352).png" alt=""><figcaption></figcaption></figure>

Of course if this is set in the conditional policy, an attacker could just use a **VPN** in the **allowed country** or try to find a way to access from an **allowed IP address** to bypass these conditions.
Just making the browser **send an unknown user-agent** (like `Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) UCBrowser/10.1.0.563 Mobile`) is enough to not trigger this condition.\
You can change the user agent **manually** in the developer tools:

### Office365 Client Apps
<figure><img src="../../../.gitbook/assets/image (351).png" alt="" width="375"><figcaption></figcaption></figure>

You could indicate that if clients **access Office 365 apps from the browser they need MFA**:
&#x20;Or use a [browser extension like this one](https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg?hl=en).

<figure><img src="../../../.gitbook/assets/image (318).png" alt=""><figcaption></figcaption></figure>
### Locations: Countries, IP ranges - Device Condition

To bypass this, it's possible to pretend you log-in into an app from a desktop application (like to Microsoft Teams in the following example) which will bypass the protection:
If this is set in the conditional policy, an attacker could just use a **VPN** in the **allowed country** or try to find a way to access from an **allowed IP address** to bypass these conditions.

```bash
roadrecon auth -u user@email.com -r https://outlook.office.com/ -c 1fec8e78-bce4-4aaf-ab1b-5451cc387264 --tokrns-stdout
### Cloud Apps

<token>
```
It's possible to configure **conditional access policies to block or force** for example MFA when a user tries to access **specific app**:

As Microsoft Teams app has a lot of permissions, you will be able to use that access.
<figure><img src="../../../.gitbook/assets/image (353).png" alt=""><figcaption></figcaption></figure>

{% hint style="success" %}
You can find the I**D of more public applications** with predefined Office365 permissions in the database of roadtools:
To try to bypass this protection you should see if you can **only into any application**.\
The tool [**AzureAppsSweep**](https://github.com/carlospolop/AzureAppsSweep) has **tens of application IDs hardcoded** and will try to login into them and let you know and even give you the token if successful.

In order to **test specific application IDs in specific resources** you could also use a tool such as:

{% code overflow="wrap" %}
```sql
SELECT appId, displayName FROM ApplicationRefs WHERE publicCLient = 1 ORDER BY displayName ASC
```bash
roadrecon auth -u user@email.com -r https://outlook.office.com/ -c 1fec8e78-bce4-4aaf-ab1b-5451cc387264 --tokens-stdout

<token>
```
{% endcode %}
{% endhint %}

This attack is specially interesting because by default public Office365 applications will have permissions to access some data.
Moreover, it's also possible to protect the login method (e.g. if you are trying to login from the browser or from a desktop application). The tool [**Invoke-MFASweep**](az-conditional-access-policies-mfa-bypass.md#invoke-mfasweep) perform some checks to try to bypass this protections also.

### Other apps
The tool [**donkeytoken**](az-conditional-access-policies-mfa-bypass.md#donkeytoken) could also be used to similar purposes although it looks unmantained.

By default, other apps created by users won't have permissions and could be private.\
However, users could also create **public** **apps** granting them some **permissions.**

A potential scenario where a policy is set to **require MFA to access an application** when the user is using a **browser** (maybe because it's a web application and therefore it will be the only way), if there is a **proxy application** -an application allowed to **interact to other apps on behalf of users**-, the user could **login in the proxy application** and then through this proxy application **login into the initially MFA protected app**.

Check the [**Invoke-MFASweep**](az-conditional-access-policies-mfa-bypass.md#invoke-mfasweep) and the [**donkeytoken**](az-conditional-access-policies-mfa-bypass.md#donkeytoken) techniques.
The tool [**ROPCI**](https://github.com/wunderwuzzi23/ropci) can also be used to test this protections and see if it's possible to bypass MFAs or blocks, but this tool works from a **whitebox** perspective. You first need to download the list of Apps allowed in the tenant and then it will try to login into them.

## Other Az MFA Bypasses

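Review bot: the `{% hint style="success" %}` opener that wrapped the old roadtools SQL tip is removed, but `{% endhint %}` still follows `{% endcode %}` at the end of the new roadrecon block; if that closer is not removed too, the page is left with an unmatched `endhint` and GitBook will fail to build it. Smaller fixes to make while here: "you should see if you can **only into any application**" is missing its verb ("log in into any application"); "a **user-agent that it isn't recognized,**" should read "a user-agent that isn't recognized"; the stray `&#x20;` entity at the start of the "Or use a browser extension" line should be dropped; "The tool Invoke-MFASweep perform some checks to try to bypass this protections also" needs "performs" and "these protections"; "used to similar purposes although it looks unmantained" should be "used for similar purposes, although it looks unmaintained"; and "test this protections" in the ROPCI paragraph should be "these protections". The `--tokrns-stdout` to `--tokens-stdout` correction in the roadrecon command is right; the old flag name would have been rejected.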
@@ -108,6 +122,12 @@ Find more information about this kind of attack in the following page:

## Tooling

### [**AzureAppsSweep**](https://github.com/carlospolop/AzureAppsSweep)

This script get some user credentials and check if it can login in some applications.

This is useful to see if you **aren't required MFA to login in some applications** that you might later abuse to **escalate pvivileges**.

### [roadrecon](https://github.com/dirkjanm/ROADtools)

Get all the policies
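Review bot: the new AzureAppsSweep description has agreement and spelling problems: "This script get some user credentials and check if it can login in some applications" should be "This script takes a set of user credentials and checks whether it can log in to some applications", "escalate pvivileges" should be "escalate privileges", and "see if you **aren't required MFA to login in some applications**" reads better as "see whether MFA is not required to log in to some applications".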
@@ -121,21 +141,40 @@ roadrecon plugin policies
MFASweep is a PowerShell script that attempts to **log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled**. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor. It also has an additional check for ADFS configurations and can attempt to log in to the on-prem ADFS server if detected.

```bash
Invoke-Expression (Invoke-WebRequest -Uri "https://raw.githubusercontent.com/dafthack/MFASweep/master/MFASweep.ps1").Content
Invoke-MFASweep -Username <username> -Password <pass>
```

### [ROPCI](https://github.com/wunderwuzzi23/ropci)

This tool has helped identify MFA bypasses and then abuse APIs in multiple production AAD tenants, where AAD customers believed they had MFA enforced, but ROPC based authentication succeeded.

{% hint style="success" %}
You need to have permissions to list all the applications to be able to generate the list of the apps to brute-force.
{% endhint %}

```bash
./ropci configure
./ropci apps list --all --format json -o apps.json
./ropci apps list --all --format json | jq -r '.value[] | [.displayName,.appId] | @csv' > apps.csv
./ropci auth bulk -i apps.csv -o results.json
```

### [donkeytoken](https://github.com/silverhack/donkeytoken)

Donkey token is a set of functions which aim to help security consultants who need to validate Conditional Access Policies, tests for 2FA-enabled Microsoft portals, etc..

```powershell
Import-Module 'C:\Users\Administrador\Desktop\Azure\Modulos ps1\donkeytoken' -Force
```
<pre class="language-powershell"><code class="lang-powershell"><strong>git clone https://github.com/silverhack/donkeytoken.git
</strong><strong>Import-Module '.\donkeytoken' -Force
</strong></code></pre>

**Test each portal** if it's possible to **login without MFA**:

```powershell
Test-MFA -credential $cred -Verbose -Debug -InformationAction Continue
$username = "conditional-access-app-user@azure.training.hacktricks.xyz"
$password = ConvertTo-SecureString "Poehurgi78633" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($username, $password)
Invoke-MFATest -credential $cred -Verbose -Debug -InformationAction Continue
```

Because the **Azure** **portal** is **not constrained** it's possible to **gather a token from the portal endpoint to access any service detected** by the previous execution. In this case Sharepoint was identified, and a token to access it is requested:
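Review bot: the new `Invoke-MFATest` example commits a username and password (`conditional-access-app-user@azure.training.hacktricks.xyz` / `Poehurgi78633`) to a public repository. Even for a throwaway training tenant, committed credentials get scraped and replayed; replace them with placeholders (`<username>` / `<password>`) as the MFASweep snippet above already does, and rotate the exposed password. Two style points: the clone and import commands are wrapped in raw `<pre class="language-powershell"><code>...<strong>` HTML while every other snippet on the page uses a ```powershell fence, so switch to the fence for consistency; and "etc.." in the donkeytoken description has a double period. Defining `$cred` before the call (the old snippet used it undefined) and correcting the cmdlet name to `Invoke-MFATest` are welcome fixes.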
42 changes: 21 additions & 21 deletions pentesting-cloud/azure-security/az-azuread/dynamic-groups.md
@@ -27,35 +27,35 @@ This feature requires Azure AD premium P1 license.

Note that by default any user can invite guests in Azure AD, so, If a dynamic group **rule** gives **permissions** to users based on **attributes** that can be **set** in a new **guest**, it's possible to **create a guest** with this attributes and **escalate privileges**. It's also possible for a guest to manage his own profile and change these attributes.

Get groups that allow Dynamic membership: `Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}`
Get groups that allow Dynamic membership: **`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`**

### Example

* **Rule example**: `(user.otherMails -any (_ -contains "tester")) -and (user.userType -eq "guest")`
* **Rule description**: Any Guest user with a secondary email with the string 'tester' will be added to the group
* **Rule example**: `(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")`
* **Rule description**: Any Guest user with a secondary email with the string 'security' will be added to the group

1. Go to **Azure Active Directory** -> **Users** and **click** on `Want to switch back to the legacy users list experience? Click here to leave the preview`
2. Click on **`New guest user`** and **invite** an email
3. The **user's profile** will be **added** to the Azure AD as soon as the invite is sent. Open the user's profile and **click on (manage) under Invitation accepted**.
* ![](<../../../.gitbook/assets/image (281).png>)
4. Change **`Resend invite?`** to **Yes** and you will get an invitation URL:
* ![](<../../../.gitbook/assets/image (205).png>)
5. Copy the **URL** and **open** it, **login** as the invited user and **accept** the invitation
6. **Login** in the cli as the user and set the secondary email
For the Guest user email, accept the invitation and check the current settings of **that user** in [https://entra.microsoft.com/#view/Microsoft\_AAD\_IAM/TenantOverview.ReactView](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView).\
Unfortunately the page doesn't allow to modify the attribute values so we need to use the API:

{% code overflow="wrap" %}
````
```powershell
# Login
$password = ConvertTo-SecureString 'password' - AsPlainText -Force
$creds = New-Object
System.Management.Automation.PSCredential('externaltester@somedomain.onmicrosoft.com', $Password)
Connect-AzureAD -Credential $creds -TenantId <tenant_id_of_attacked_domain>
# Chnage OtherMails setting
Set-AzureADUser -ObjectId <OBJECT-ID> -OtherMails <Username>@<TENANT_NAME>.onmicrosoft.com -Verbose
# Login with the gust user
az login --allow-no-subscriptions
# Get user object ID
az ad signed-in-user show
# Update otherMails
az rest --method PATCH \
--url "https://graph.microsoft.com/v1.0/users/<user-object-id>" \
--headers 'Content-Type=application/json' \
--body '{"otherMails": ["newemail@example.com", "anotheremail@example.com"]}'
# Verify the update
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/users/<user-object-id>" \
--query "otherMails"
```
````
{% endcode %}

## References
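Review bot: the fence still says ```powershell but the new contents are Azure CLI (`az login`, `az ad signed-in-user show`, `az rest`) typed into a shell, so tag it ```bash; the outer four-backtick ```` wrapper is also unnecessary now that there is a single inner block. The sample `otherMails` values in the PATCH body (`newemail@example.com`, `anotheremail@example.com`) do not contain the substring "security" that the example rule two paragraphs above matches on, so the worked example is inconsistent with the rule it is meant to illustrate; either use an address that satisfies the stated rule or say explicitly that the value must match it. Also, "the page doesn't allow to modify the attribute values" should read "doesn't allow modifying the attribute values".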