GITBOOK-707: No subject

SUMMARY.md

@@ -392,6 +392,7 @@
     * [AWS - S3 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md)
 * [Azure Pentesting](pentesting-cloud/azure-security/README.md)
   * [Az - Basic Information](pentesting-cloud/azure-security/az-basic-information.md)
+  * [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md)
   * [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md)
     * [Az - Illicit Consent Grant](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-illicit-consent-grant.md)
     * [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)

pentesting-cloud/azure-security/README.md

@@ -15,8 +15,6 @@ Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt
 </details>
 {% endhint %}
 
-## I'M STILL BUILDING THE AZURE METHODOLOGY
-
 ## Basic Information
 
 {% content-ref url="az-basic-information.md" %}
@@ -90,7 +88,7 @@ After bypassing it, you might be able to get back to your initial setup and you
 ### Whoami
 
 {% hint style="danger" %}
-Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - AzureAD**](az-azuread/) section.
+Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - Entra ID**](az-azuread/) section.
 {% endhint %}
 
 One of the first things you need to know is **who you are** (in which environment you are):
@@ -141,7 +139,7 @@ Oone of the most important commands to enumerate Azure is **`Get-AzResource`** f
 You can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources"
 {% endhint %}
 
-### AzureAD Enumeration
+### ENtra ID Enumeration
 
 By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information.md#default-user-permissions)).\
 You can find here a guide:
@@ -155,12 +153,6 @@ Now that you **have some information about your credentials** (and if you are a
 In the following section you can check some ways to **enumerate some common services.**
 {% endhint %}
 
-## Service Principal and Access Policy
-
-An Azure service can have a System Identity (of the service itself) or use a User Assigned Managed Identity. This Identity can have Access Policy to, for example, a KeyVault to read secrets. These Access Policies should be restricted (least privilege principle), but might have more permissions than required. Typically an App Service would use KeyVault to retrieve secrets and certificates.
-
-So it is useful to explore these identities.
-
 ## App Service SCM
 
 Kudu console to log in to the App Service 'container'.
@@ -190,6 +182,12 @@ export ADAL_PYTHON_SSL_NO_VERIFY=1
 export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
 export HTTPS_PROXY="http://127.0.0.1:8080"
 export HTTP_PROXY="http://127.0.0.1:8080"
+
+# If this is not enough
+# Download the certificate from Burp and convert it into .pem format
+# And export the following env variable
+openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
+export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
 ```
 {% endtab %}
 

pentesting-cloud/azure-security/az-azuread/README.md

@@ -21,39 +21,9 @@ Azure Active Directory (Azure AD) serves as Microsoft's cloud-based service for
 
 Key features of Azure AD involve **multi-factor authentication** and **conditional access**, alongside seamless integration with other Microsoft security services. These features significantly elevate the security of user identities and empower organizations to effectively implement and enforce their access policies. As a fundamental component of Microsoft's cloud services ecosystem, Azure AD is pivotal for the cloud-based management of user identities.
 
-## Entities
-
-### Enumeration
-
-For this enumeration you can use the [**az cli tool**](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)**,** the **PowerShell module** [**AzureAD**](https://www.powershellgallery.com/packages/AzureAD/) (or [**AzureAD Preview**](https://www.powershellgallery.com/packages/AzureADPreview)) and the [**Az PowerShell**](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps) module.
-
-{% hint style="success" %}
-In linux you will need to install PowerShell Core:
-
-```bash
-sudo apt-get update
-sudo apt-get install -y wget apt-transport-https software-properties-common
-
-# Ubuntu 20.04
-wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb
+###
 
-# Update repos
-sudo apt-get update
-sudo add-apt-repository universe
-
-# Install & start powershell
-sudo apt-get install -y powershell
-pwsh
-
-# Az cli
-curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
-```
-{% endhint %}
-
-#### **Modules differences**
-
-* **AzureAD** is a PowerShell module from Microsoft for **managing Azure AD. It doesnt' show all the properties of Azure AD objects and cannot be used to access Azure resources info**.
-* **Az PowerShell** is a module for **managing Azure resource**s from the PowerShell command line.
+## Entities
 
 ### **Connection**
 
@@ -700,6 +670,8 @@ The **owner** of the **application** can **add a password** to it (so he can imp
 Logins as these service principals are **not marked as risky** and they **won't have MFA.**
 {% endhint %}
 
+It's possible to find a list of the App IDs that belongs to Microsoft in [https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications](https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications)
+
 ### Managed Identities
 
 For more information about Managed Identities check:

pentesting-cloud/azure-security/az-basic-information.md

@@ -398,25 +398,45 @@ Privileged Identity Management (PIM) in Azure is a tool that **manages, controls
 
 There are **three types of tokens** used in OIDC:
 
-* [**Access Tokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** The client presents this token to the resource server to **access resources**. It can be used only for a specific combination of user, client, and resource and **cannot be revoked** until expiry - that is 1 hour by default. Detection is low using this.
+* [**Access Tokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** The client presents this token to the resource server to **access resources**. It can be used only for a specific combination of user, client, and resource and **cannot be revoked** until expiry - that is 1 hour by default.
 * **ID Tokens**: The client receives this **token from the authorization server**. It contains basic information about the user. It is **bound to a specific combination of user and client**.
 * **Refresh Tokens**: Provided to the client with access token. Used to **get new access and ID tokens**. It is bound to a specific combination of user and client and can be revoked. Default expiry is **90 days** for inactive refresh tokens and **no expiry for active tokens**.
 
 {% hint style="warning" %}
 Information for **conditional access** is **stored** inside the **JWT**. So, if you request the **token from an allowed IP address**, that **IP** will be **stored** in the token and then you can use that token from a **non-allowed IP to access the resources**.
 {% endhint %}
 
+### Access Tokens "aud"
+
+Depending on the action you want to perform the "**aud**" of the access token must be authorized to contact the API URL you will contact.
+
+The command `az account get-access-token --resource-type [...]` supports the following types and each of them will add a specific "aud" in the resulting access token:
+
+{% hint style="danger" %}
+Note that the following are just the APIs supported by `az account get-access-token` but there are more.
+{% endhint %}
+
+* **aad-graph (Azure Active Directory Graph API)**: Used to access the legacy Azure AD Graph API (deprecated), which allows applications to read and write directory data in Azure Active Directory (Azure AD).
+  * `https://graph.windows.net/`
+* **arm (Azure Resource Manager)**: Used to manage Azure resources through the Azure Resource Manager API. This includes operations like creating, updating, and deleting resources such as virtual machines, storage accounts, and more.
+  * `https://management.core.windows.net/ or https://management.azure.com/`
+* **batch (Azure Batch Services)**: Used to access Azure Batch, a service that enables large-scale parallel and high-performance computing applications efficiently in the cloud.
+  * `https://batch.core.windows.net/`
+* **data-lake (Azure Data Lake Storage)**: Used to interact with Azure Data Lake Storage Gen1, which is a scalable data storage and analytics service.
+  * `https://datalake.azure.net/`
+* **media (Azure Media Services)**: Used to access Azure Media Services, which provide cloud-based media processing and delivery services for video and audio content.
+  * `https://rest.media.azure.net`
+* **ms-graph (Microsoft Graph API)**: Used to access the Microsoft Graph API, the unified endpoint for Microsoft 365 services data. It allows you to access data and insights from services like Azure AD, Office 365, Enterprise Mobility, and Security services.
+  * `https://graph.microsoft.com`
+* **oss-rdbms (Azure Open Source Relational Databases)**: Used to access Azure Database services for open-source relational database engines like MySQL, PostgreSQL, and MariaDB.
+  * `https://ossrdbms-aad.database.windows.net`
+
 Check the following page to learn different ways to **request access tokens** and login with them:
 
 {% content-ref url="az-azuread/" %}
 [az-azuread](az-azuread/)
 {% endcontent-ref %}
 
-The most common API endpoints are:
-
-* **Azure Resource Manager** (ARM): management.azure.com
-* **Microsoft Graph**: graph.microsoft.com (Azure AD Graph which is deprecated is graph.windows.net)
-
 ## References
 
 * [https://learn.microsoft.com/en-us/azure/governance/management-groups/overview](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview)

pentesting-cloud/azure-security/az-enumeration-tools.md

@@ -0,0 +1,97 @@
+# Az - Enumeration Tools
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}
+
+## Install PowerShell in Linux
+
+{% hint style="success" %}
+In linux you will need to install PowerShell Core:
+
+```bash
+sudo apt-get update
+sudo apt-get install -y wget apt-transport-https software-properties-common
+
+# Ubuntu 20.04
+wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb
+
+# Update repos
+sudo apt-get update
+sudo add-apt-repository universe
+
+# Install & start powershell
+sudo apt-get install -y powershell
+pwsh
+
+# Az cli
+curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+```
+{% endhint %}
+
+## Install PowerShell in MacOS
+
+Instructions from the [**documentation**](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.4):
+
+1. Install `brew` if not installed yet:
+
+```bash
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
+```
+
+2. Install the latest stable release of PowerShell:
+
+```sh
+brew install powershell/tap/powershell
+```
+
+3. Run PowerShell:
+
+```sh
+pwsh
+```
+
+4. Update:
+
+```sh
+brew update
+brew upgrade powershell
+```
+
+## Main Enumeration Tools
+
+### az cli
+
+[**Azure Command-Line Interface (CLI)**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) is a cross-platform tool written in Python for managing and administering (most) Azure and Entra ID resources. It connects to Azure and executes administrative commands via the command line or scripts.
+
+Follow this link for the [**installation information**](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli#install).
+
+Commands in Azure CLI are structured using a pattern of: `az <service> <action> <parameters>`
+
+### Az PowerShell
+
+Azure PowerShell is a module with cmdlets for managing Azure resources directly from the PowerShell command line.
+
+Follow this link for the [**installation information**](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell).
+
+Commands in Azure PowerShell AZ Module are structured like: `<Action>-Az<Service> <parameters>`
+
+### **PowerShell module** [**AzureAD**](https://www.powershellgallery.com/packages/AzureAD/)
+
+###
+
+#### **Modules differences**
+
+* **AzureAD** is a PowerShell module from Microsoft for **managing Azure AD. It doesn't' show all the properties of Azure AD objects and cannot be used to access Azure resources info**.
+* **Az PowerShell** is a module for **managing Azure resource**s from the PowerShell command line.