azure automatic tools

src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md

@@ -48,7 +48,7 @@ optional arguments:
 
 <summary>Code to perform Role Juggling from PowerShell</summary>
 
-```powershell
+```bash
 # PowerShell script to check for role juggling possibilities using AWS CLI
 
 # Check for AWS CLI installation

src/pentesting-cloud/azure-security/README.md

@@ -95,7 +95,7 @@ az account management-group list #Not allowed by default
 
 {{#tab name="AzureAD" }}
 
-```powershell
+```bash
 #Get the current session state
 Get-AzureADCurrentSessionInfo
 #Get details of the current tenant
@@ -106,7 +106,7 @@ Get-AzureADTenantDetail
 
 {{#tab name="Az PowerShell" }}
 
-```powershell
+```bash
 # Get the information about the current context (Account, Tenant, Subscription etc.)
 Get-AzContext
 # List all available contexts
@@ -130,7 +130,7 @@ Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com # For current user
 >
 > You can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources"
 
-### ENtra ID Enumeration
+### Entra ID Enumeration
 
 By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/index.html#default-user-permissions)).\
 You can find here a guide:
@@ -155,250 +155,6 @@ Use portal.azure.com and select the shell, or use shell.azure.com, for a bash or
 
 Azure DevOps is separate from Azure. It has repositories, pipelines (yaml or release), boards, wiki, and more. Variable Groups are used to store variable values and secrets.
 
-## Debug | MitM az cli
-
-Using the parameter **`--debug`** it's possible to see all the requests the tool **`az`** is sending:
-
-```bash
-az account management-group list --output table --debug
-```
-
-In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do:
-
-{{#tabs }}
-{{#tab name="Bash" }}
-
-```bash
-export ADAL_PYTHON_SSL_NO_VERIFY=1
-export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
-export HTTPS_PROXY="http://127.0.0.1:8080"
-export HTTP_PROXY="http://127.0.0.1:8080"
-
-# If this is not enough
-# Download the certificate from Burp and convert it into .pem format
-# And export the following env variable
-openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
-export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
-```
-
-{{#endtab }}
-
-{{#tab name="PS" }}
-
-```bash
-$env:ADAL_PYTHON_SSL_NO_VERIFY=1
-$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
-$env:HTTPS_PROXY="http://127.0.0.1:8080"
-$env:HTTP_PROXY="http://127.0.0.1:8080"
-```
-
-{{#endtab }}
-{{#endtabs }}
-
-## Automated Recon Tools
-
-### [**ROADRecon**](https://github.com/dirkjanm/ROADtools)
-
-```powershell
-cd ROADTools
-pipenv shell
-roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!"
-roadrecon gather
-roadrecon gui
-```
-
-### [Monkey365](https://github.com/silverhack/monkey365)
-
-```powershell
-Import-Module monkey365
-Get-Help Invoke-Monkey365
-Get-Help Invoke-Monkey365 -Detailed
-Invoke-Monkey365 -IncludeEntraID -ExportTo HTML -Verbose -Debug -InformationAction Continue
-Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML
-```
-
-### [**Stormspotter**](https://github.com/Azure/Stormspotter)
-
-```powershell
-# Start Backend
-cd stormspotter\backend\
-pipenv shell
-python ssbackend.pyz
-
-# Start Front-end
-cd stormspotter\frontend\dist\spa\
-quasar.cmd serve -p 9091 --history
-
-# Run Stormcollector
-cd stormspotter\stormcollector\
-pipenv shell
-az login -u test@corp.onmicrosoft.com -p Welcome2022!
-python stormspotter\stormcollector\sscollector.pyz cli
-# This will generate a .zip file to upload in the frontend (127.0.0.1:9091)
-```
-
-### [**AzureHound**](https://github.com/BloodHoundAD/AzureHound)
-
-```powershell
-# You need to use the Az PowerShell and Azure AD modules:
-$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
-$creds = New-Object System.Management.Automation.PSCredential ("test@corp.onmicrosoft.com", $passwd)
-Connect-AzAccount -Credential $creds
-
-Import-Module AzureAD\AzureAD.psd1
-Connect-AzureAD -Credential $creds
-
-# Launch AzureHound
-. AzureHound\AzureHound.ps1
-Invoke-AzureHound -Verbose
-
-# Simple queries
-## All Azure Users
-MATCH (n:AZUser) return n.name
-## All Azure Applications
-MATCH (n:AZApp) return n.objectid
-## All Azure Devices
-MATCH (n:AZDevice) return n.name
-## All Azure Groups
-MATCH (n:AZGroup) return n.name
-## All Azure Key Vaults
-MATCH (n:AZKeyVault) return n.name
-## All Azure Resource Groups
-MATCH (n:AZResourceGroup) return n.name
-## All Azure Service Principals
-MATCH (n:AZServicePrincipal) return n.objectid
-## All Azure Virtual Machines
-MATCH (n:AZVM) return n.name
-## All Principals with the ‘Contributor’ role
-MATCH p = (n)-[r:AZContributor]->(g) RETURN p
-
-# Advanced queries
-## Get Global Admins
-MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p
-## Owners of Azure Groups
-MATCH p = (n)-[r:AZOwns]->(g:AZGroup) RETURN p
-## All Azure Users and their Groups
-MATCH p=(m:AZUser)-[r:MemberOf]->(n) WHERE NOT m.objectid CONTAINS 'S-1-5' RETURN p
-## Privileged Service Principals
-MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p
-## Owners of Azure Applications
-MATCH p = (n)-[r:AZOwns]->(g:AZApp) RETURN p
-## Paths to VMs
-MATCH p = (n)-[r]->(g: AZVM) RETURN p
-## Paths to KeyVault
-MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
-## Paths to Azure Resource Group
-MATCH p = (n)-[r]->(g:AZResourceGroup) RETURN p
-## On-Prem users with edges to Azure
-MATCH  p=(m:User)-[r:AZResetPassword|AZOwns|AZUserAccessAdministrator|AZContributor|AZAddMembers|AZGlobalAdmin|AZVMContributor|AZOwnsAZAvereContributor]->(n) WHERE m.objectid CONTAINS 'S-1-5-21' RETURN p
-## All Azure AD Groups that are synchronized with On-Premise AD
-MATCH (n:Group) WHERE n.objectid CONTAINS 'S-1-5' AND n.azsyncid IS NOT NULL RETURN n
-```
-
-### [Azucar](https://github.com/nccgroup/azucar)
-
-```bash
-# You should use an account with at least read-permission on the assets you want to access
-git clone https://github.com/nccgroup/azucar.git
-PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File
-
-PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT
-PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
-PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
-
-# resolve the TenantID for an specific username
-PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
-```
-
-### [**MicroBurst**](https://github.com/NetSPI/MicroBurst)
-
-```
-Import-Module .\MicroBurst.psm1
-Import-Module .\Get-AzureDomainInfo.ps1
-Get-AzureDomainInfo -folder MicroBurst -Verbose
-```
-
-### [**PowerZure**](https://github.com/hausec/PowerZure)
-
-```powershell
-Connect-AzAccount
-ipmo C:\Path\To\Powerzure.psd1
-Get-AzureTarget
-
-# Reader
-$ Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails
-
-# Contributor
-$ Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami"
-$ Execute-MSBuild -VM Win10Test  -ResourceGroup Test-RG -File "build.xml"
-$ Get-AllSecrets # AllAppSecrets, AllKeyVaultContents
-$ Get-AvailableVMDisks, Get-VMDisk # Download a virtual machine's disk
-
-# Owner
-$ Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest
-
-# Administrator
-$ Create-Backdoor, Execute-Backdoor
-```
-
-### [**GraphRunner**](https://github.com/dafthack/GraphRunner/wiki/Invoke%E2%80%90GraphRunner)
-
-```powershell
-
-#Get-GraphTokens
-#A good place to start is to authenticate with the Get-GraphTokens module. This module will launch a device-code login, allowing you to authenticate the session from a browser session. Access and refresh tokens will be written to the global $tokens variable. To use them with other GraphRunner modules use the Tokens flag (Example. Invoke-DumpApps -Tokens $tokens)
-Import-Module .\GraphRunner.ps1
-Get-GraphTokens
-
-#Invoke-GraphRecon
-#This module gathers information about the tenant including the primary contact info, directory sync settings, and user settings such as if users have the ability to create apps, create groups, or consent to apps.
-Invoke-GraphRecon -Tokens $tokens -PermissionEnum
-
-#Invoke-DumpCAPS
-#A module to dump conditional access policies from a tenant.
-Invoke-GraphRecon -Tokens $tokens -PermissionEnum
-
-#Invoke-DumpCAPS
-#A module to dump conditional access policies from a tenant.
-Invoke-DumpCAPS -Tokens $tokens -ResolveGuids
-
-#Invoke-DumpApps
-#This module helps identify malicious app registrations. It will dump a list of Azure app registrations from the tenant including permission scopes and users that have consented to the apps. Additionally, it will list external apps that are not owned by the current tenant or by Microsoft's main app tenant. This is a good way to find third-party external apps that users may have consented to.
-Invoke-DumpApps -Tokens $tokens
-
-#Get-AzureADUsers
-#Gather the full list of users from the directory.
-Get-AzureADUsers -Tokens $tokens -OutFile users.txt
-
-#Get-SecurityGroups
-#Create a list of security groups along with their members.
-Get-SecurityGroups -AccessToken $tokens.access_token
-
-G#et-UpdatableGroups
-#Gets groups that may be able to be modified by the current user
-Get-UpdatableGroups -Tokens $tokens
-
-#Get-DynamicGroups
-#Finds dynamic groups and displays membership rules
-Get-DynamicGroups -Tokens $tokens
-
-#Get-SharePointSiteURLs
-#Gets a list of SharePoint site URLs visible to the current user
-Get-SharePointSiteURLs -Tokens $tokens
-
-#Invoke-GraphOpenInboxFinder
-#This module attempts to locate mailboxes in a tenant that have allowed other users to read them. By providing a userlist the module will attempt to access the inbox of each user and display if it was successful. The access token needs to be scoped to Mail.Read.Shared or Mail.ReadWrite.Shared for this to work.
-Invoke-GraphOpenInboxFinder -Tokens $tokens -Userlist users.txt
-
-#Get-TenantID
-#This module attempts to gather a tenant ID associated with a domain.
-Get-TenantID -Domain
-
-#Invoke-GraphRunner
-#Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams.
-Invoke-GraphRunner -Tokens $tokens
-```
-
 {{#include ../../banners/hacktricks-training.md}}