Reconnaissance tools

ROADtools

>pipenv shell
>roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
>roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
>roadrecon auth -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
>roadrecon gather
>roadrecon gui

StormSpotter

https://github.com/Azure/Stormspotter

AzureHound

https://github.com/BloodHoundAD/AzureHound
>. C:\Tools\AzureHound\AzureHound.ps1
>Invoke-AzureHound -Verbose
GUI 
bolt://localhost:7687
Username: neo4j
Password: BloodHound

Azucar

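Azucar automatically gathers a variety of configuration data and analyzes all data relating to a particular subscription
Use an account that has at least read permission on the assets you want to access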
git clone https://github.com/nccgroup/azucar.git
PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File

PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000

Resolve the TenantID for a specific username
PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com

Azurite Explorer and Azurite Visualizer: enumeration and reconnaissance activities in the Microsoft Azure cloud

>git clone https://github.com/mwrlabs/Azurite.git
>git clone https://github.com/FSecureLABS/Azurite
>git submodule init
>git submodule update
PS> Import-Module AzureRM
PS> Import-Module AzuriteExplorer.ps1
PS> Review-AzureRmSubscription
PS> Review-CustomAzureRmSubscription

MicroBurst

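Includes functions and scripts that support Azure service discovery, weak-configuration auditing, and post-exploitation actions (such as credential dumping)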
>git clone https://github.com/NetSPI/MicroBurst
PS C:> Import-Module .\MicroBurst.psm1
PS C:> Import-Module .\Get-AzureDomainInfo.ps1
PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose

SkyArk

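Discovers the most privileged users in the scanned Azure environment, including Azure shadow admins
Requirements:
Read-only permission on the Azure directory
Read-only permission on the subscription
Requires the AZ and AzureAD modules or administrator privileges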
$ git clone https://github.com/cyberark/SkyArk
$ powershell -ExecutionPolicy Bypass -NoProfile
PS C> Import-Module .\SkyArk.ps1 -force
PS C> Start-AzureStealth

or in the Cloud Console

PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')  
PS C> Scan-AzureAdmins

PowerZure

>git clone https://github.com/hausec/PowerZure
>ipmo .\PowerZure
>Set-Subscription -Id [idgoeshere]

Reader
>Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails

Contributor
>Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami"
>Execute-MSBuild -VM Win10Test  -ResourceGroup Test-RG -File "build.xml"
>Get-AllSecrets # AllAppSecrets, AllKeyVaultContents
>Get-AvailableVMDisks, Get-VMDisk # Download a virtual machine's disk

Owner
>Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest

Administrator
>Create-Backdoor, Execute-Backdoor