
AzureRT – A Powershell Module Implementing Various Azure Red Team Tactics

June 5, 2022

A PowerShell module implementing various cmdlets to interact with Azure and Azure AD from an offensive perspective.

It includes helper utilities for access-token-based authentication, for switching between the Az, AzureAD and az cli interfaces, easy-to-use pre-made attacks such as Runbook-based command execution, and more.

The Most Valuable Cmdlets

This toolkit provides a large number of cmdlets. This section highlights the most important and useful ones.

A typical Red Team / audit workflow starting with stolen credentials can be summarised as follows:

Credentials Stolen -> Authenticate to Azure/AzureAD -> find whether they're valid -> find out what you can do with them

The below cmdlets are precisely suited to help you follow this sequence:

  1. Connect-ART – Offers various means to authenticate to Azure – credentials, PSCredential, token

  2. Connect-ARTAD – Offers various means to authenticate to Azure AD – credentials, PSCredential, token

  3. Get-ARTWhoami – Once authenticated, run this to check who you are and validate your access

  4. Get-ARTAccess – Then, when you know you have access – find out what you can do & what’s possible by performing Azure situational awareness

  5. Get-ARTADAccess – Similarly you can find out what you can do scoped to Azure AD.

Use Cases

The cmdlets implemented in this module have proved helpful in the following use and attack scenarios:

  • Juggling with access tokens from Az to AzureAD and back again.
  • Nicely print authentication context (aka whoami) in Az, AzureAD, Microsoft.Graph and az cli at the same time
  • Display available permissions granted to the user on a target Azure VM
  • Display accessible Azure Resources along with permissions we have against them
  • Easily read all accessible Azure Key Vault secrets
  • Authenticate as a Service Principal to leverage Privileged Role Administrator role assigned to that Service Principal
  • Execute attack against Azure Automation via malicious Runbook

Installation

This module depends on the PowerShell Az and AzureAD modules being pre-installed. Microsoft.Graph and az cli are optional but nonetheless really useful. Before working with Azure, the following commands may be used to prepare one’s offensive environment:

Install-Module Az -Force -Confirm -AllowClobber -Scope CurrentUser
Install-Module AzureAD -Force -Confirm -AllowClobber -Scope CurrentUser
Install-Module Microsoft.Graph -Force -Confirm -AllowClobber -Scope CurrentUser # OPTIONAL
Install-Module MSOnline -Force -Confirm -AllowClobber -Scope CurrentUser # OPTIONAL
Install-Module AzureADPreview -Force -Confirm -AllowClobber -Scope CurrentUser # OPTIONAL
Install-Module AADInternals -Force -Confirm -AllowClobber -Scope CurrentUser # OPTIONAL

Import-Module Az
Import-Module AzureAD

Even though only the first two modules are required by AzureRT, it’s good to have the others pre-installed too.

Then, to load this module, simply type:

PS> . .\AzureRT.ps1

And you’re good to go.

Or you can let AzureRT install and import all the dependencies:

PS> . .\AzureRT.ps1
PS> Import-ARTModules

Batteries Included

The module will gradually receive further tools and utilities, categorised by kill chain phase.

Every cmdlet has a help message detailing its parameters, description and example usage:

PS C:\> Get-Help Connect-ART

Currently, the following utilities are included:

Authentication & Token mechanics

  • Get-ARTWhoami – Displays and validates our authentication context on Azure, AzureAD, Microsoft.Graph and on AZ CLI interfaces.

  • Connect-ART – Invokes Connect-AzAccount to authenticate current session to the Azure Portal via provided Access Token or credentials. Skips the burden of providing Tenant ID and Account ID by automatically extracting those from provided Token.

  • Connect-ARTAD – Invokes Connect-AzureAD (and optionally Connect-MgGraph) to authenticate current session to the Azure Active Directory via provided Access Token or credentials. Skips the burden of providing Tenant ID and Account ID by automatically extracting those from provided Token.

  • Connect-ARTADServicePrincipal – Invokes Connect-AzAccount to authenticate current session to the Azure Portal via provided Access Token or credentials. Skips the burden of providing Tenant ID and Account ID by automatically extracting those from provided Token. Then it creates a self-signed PFX certificate and associates it with the Service Principal for authentication. Afterwards, it authenticates as that Service Principal to AzureAD and disassociates that certificate to clean up.

  • Get-ARTAccessTokenAzCli – Acquires access token from az cli, via az account get-access-token

  • Get-ARTAccessTokenAz – Acquires access token from Az module, via Get-AzAccessToken.

  • Get-ARTAccessTokenAzureAD – Gets an access token from Azure Active Directory. Authored by Simon Wahlin, @SimonWahlin

  • Get-ARTAccessTokenAzureADCached – Attempts to retrieve locally cached AzureAD access token (https://graph.microsoft.com), stored after Connect-AzureAD occurred.

  • Remove-ARTServicePrincipalKey – Performs cleanup actions after running Connect-ARTADServicePrincipal

Recon & Situational Awareness

  • Get-ARTAccess – Performs Azure Situational Awareness.

  • Get-ARTADAccess – Performs Azure AD Situational Awareness.

  • Get-ARTTenants – List Tenants available for the currently authenticated user (or the one based on supplied Access Token)

  • Get-ARTDangerousPermissions – Analyzes accessible Azure Resources and the permissions the user has on them to find all the dangerous ones that could be abused by an attacker.

  • Get-ARTResource – Authenticates to https://management.azure.com using the provided Access Token and pulls accessible resources and the permissions the token owner has on them.

  • Get-ARTRoleAssignment – Displays an easier-to-read representation of the Azure RBAC roles assigned to the currently used Principal.

  • Get-ARTADRoleAssignment – Displays Azure AD Role assignments on a current user or on all Azure AD users.

  • Get-ARTADScopedRoleAssignment – Displays Azure AD Scoped Role assignments on a current user or on all Azure AD users, associated with Administrative Units

  • Get-ARTRolePermissions – Displays all granted permissions on a specified Azure RBAC role.

  • Get-ARTADRolePermissions – Displays all granted permissions on a specified Azure AD role.

  • Get-ARTADDynamicGroups – Displays Azure AD Dynamic Groups along with their user Membership Rules, members count and current user membership status

  • Get-ARTApplication – Lists Azure AD Enterprise Applications that current user is owner of (or all existing when -All used) along with their owners and Service Principals

  • Get-ARTApplicationProxy – Lists Azure AD Enterprise Applications that have Application Proxy setup.

  • Get-ARTApplicationProxyPrincipals – Displays users and groups assigned to the specified Application Proxy application.

  • Get-ARTStorageAccountKeys – Displays all the available Storage Account keys.

  • Get-ARTKeyVaultSecrets – Lists all available Azure Key Vault secrets. This cmdlet assumes that requesting user connected to the Azure AD with KeyVaultAccessToken (scoped to https://vault.azure.net) and has “Key Vault Secrets User” role assigned (or equivalent).

  • Get-ARTAutomationCredentials – Lists all available Azure Automation Account credentials and attempts to pull their values (unable to pull values!).

  • Get-ARTAutomationRunbookCode – Invokes REST API method to pull specified Runbook’s source code.

  • Get-ARTAzVMPublicIP – Retrieves Azure VM Public IP address

  • Get-ARTResourceGroupDeploymentTemplate – Displays Resource Group Deployment Template JSON based on input parameters, or pulls all of them at once.

  • Get-ARTAzVMUserDataFromInside – Retrieves Azure VM User Data from inside of a VM by reaching to Instance Metadata endpoint.

Privilege Escalation

  • Add-ARTADGuestUser – Sends an Azure AD Guest user invitation e-mail, allowing an external attacker to expand access to the AAD tenant, and returns the Invite Redeem URL used to easily accept the invitation.

  • Set-ARTADUserPassword – Abuses Authentication Administrator Role Assignment to reset other non-admin users’ passwords.

  • Add-ARTUserToGroup – Adds a specified Azure AD User to the specified Azure AD Group.

  • Add-ARTUserToRole – Adds a specified Azure AD User to the specified Azure AD Role.

  • Add-ARTADAppSecret – Adds a client secret to Azure AD Applications. Authored by Nikhil Mittal, @nikhil_mitt

Lateral Movement

  • Invoke-ARTAutomationRunbook – Creates an Automation Runbook under specified Automation Account and against selected Worker Group. That Runbook will contain Powershell commands to be executed on all the affected Azure VMs.

  • Invoke-ARTRunCommand – Abuses virtualMachines/runCommand permission against a specified Azure VM to run custom Powershell command.

  • Update-ARTAzVMUserData – Modifies Azure VM User Data script through a direct API invocation.

  • Invoke-ARTCustomScriptExtension – Creates new or modifies Azure VM Custom Script Extension leading to remote code execution.
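
For hardening reviews, the check below flags role definitions that grant the management-plane operations these four cmdlets depend on, honouring wildcards and NotActions. It is an added example, not AzureRT code; the function names, the mapping of operations to techniques and the sample roles are assumptions made here.

```powershell
# Added example (not part of AzureRT). Operation names are Azure resource
# provider operations; the mapping to the cmdlets above is this example's own.
$RiskyActions = [ordered]@{
    'Microsoft.Compute/virtualMachines/runCommand/action'    = 'Run Command on a VM'
    'Microsoft.Compute/virtualMachines/extensions/write'     = 'Custom Script Extension'
    'Microsoft.Compute/virtualMachines/write'                = 'VM properties, including User Data'
    'Microsoft.Automation/automationAccounts/runbooks/write' = 'Automation Runbook'
}

function Test-ActionGranted {
    param([string] $Action, [string[]] $Actions, [string[]] $NotActions)
    # RBAC semantics: granted if any Actions pattern matches and no NotActions
    # pattern matches. -like is case-insensitive and understands '*'.
    $allowed  = @($Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $excluded = @($NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    $allowed -and -not $excluded
}

function Find-RiskyRoleAction {
    param([Parameter(Mandatory)] $RoleDefinition)
    foreach ($role in $RoleDefinition) {
        foreach ($action in $RiskyActions.Keys) {
            if (Test-ActionGranted $action $role.Actions $role.NotActions) {
                [pscustomobject]@{
                    Role    = $role.Name
                    Action  = $action
                    Enables = $RiskyActions[$action]
                }
            }
        }
    }
}

# Constructed sample role definitions, shaped like Get-AzRoleDefinition output.
$roles = @'
[
  {"Name":"VM Operator (custom)",
   "Actions":["Microsoft.Compute/virtualMachines/*"],
   "NotActions":["Microsoft.Compute/virtualMachines/runCommand/action"]},
  {"Name":"Reader-like (custom)", "Actions":["*/read"], "NotActions":[]}
]
'@ | ConvertFrom-Json

Find-RiskyRoleAction -RoleDefinition $roles | Format-Table -AutoSize
```

In a live tenant the same function can be fed the output of Get-AzRoleDefinition instead of the constructed JSON.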

Misc

  • Get-ARTTenantID – Retrieves Current user’s Tenant ID or Tenant ID based on Domain name supplied.

  • Get-ARTPRTToken – Retrieves Current user’s PRT (Primary Refresh Token) value using Dirk-Jan Mollema’s ROADtoken

  • Get-ARTPRTNonce – Retrieves Current user’s PRT (Primary Refresh Token) nonce value

  • Get-ARTUserId – Acquires current user or user specified in parameter ObjectId via Az module

  • Get-ARTSubscriptionId – Helper that collects current Subscription ID.

  • Parse-JWTtokenRT – Parses input JWT token and prints it out nicely.

  • Invoke-ARTGETRequest – Takes Access Token and invokes GET REST method API request against a specified URI. It also verifies whether provided token has required audience set.

  • Import-ARTModules – Installs & Imports required & optional Powershell modules for Azure Red Team activities
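
Several cmdlets above read claims out of an access token: Connect-ART and Connect-ARTAD extract the Tenant ID and Account ID, and Invoke-ARTGETRequest checks the audience. The added example below (not AzureRT's own code) shows that kind of claim inspection, which is equally useful when triaging a leaked token; the function names, the choice of the tid, upn/oid, aud and exp claims, and the sample token are assumptions made here.

```powershell
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string] $Text)
    # JWT segments use the URL-safe alphabet with padding stripped.
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-TokenClaims {
    param([Parameter(Mandatory)][string] $Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected three dot-separated JWT parts' }
    # Decoding only: the signature is NOT verified, so treat claims as untrusted.
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-TokenForResource {
    param(
        [Parameter(Mandatory)][string] $Token,
        [Parameter(Mandatory)][string] $Audience
    )
    $c = Get-TokenClaims $Token
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp)
    [pscustomobject]@{
        TenantId   = $c.tid
        Account    = if ($c.upn) { $c.upn } else { $c.oid }
        Audience   = $c.aud
        AudienceOk = ($c.aud.TrimEnd('/') -eq $Audience.TrimEnd('/'))
        Expired    = ($expires -lt [DateTimeOffset]::UtcNow)
    }
}

# Constructed sample token: placeholder tenant, user and signature.
function ConvertTo-Base64Url([string] $Json) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$body   = ConvertTo-Base64Url '{"aud":"https://management.azure.com/","tid":"00000000-0000-0000-0000-000000000000","upn":"user@example.com","exp":1654387200}'
$sample = "$header.$body.constructed-signature"

Test-TokenForResource -Token $sample -Audience 'https://management.azure.com'
Test-TokenForResource -Token $sample -Audience 'https://graph.microsoft.com'
```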

Show Support

This and other projects are the outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, consider buying me a coffee (or better, a beer) just to say thank you!



Mariusz Banach / mgeeky, (@mariuszbit)
<mb [at] binary-offensive.com>