admin/PayloadsAllTHINGS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Device Code Phish

Browse Source
This commit is contained in:
Swissky
2021-10-24 20:07:46 +02:00
parent d484212de9
commit 1a3058f40c
3 changed files with 39 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
Methodology and Resources/Cloud - Azure Pentest.md
View File

@@ -13,6 +13,7 @@
* [Enumeration methodology](#enumeration-methodology)
* [Phishing with Evilginx2](#phishing-with-evilginx2)
* [Illicit Consent Grant](#illicit-consent-grant)
* [Device Code Phish](#device-code-phish)
* [Token from Managed Identity](#token-from-managed-identity)
* [Azure API via Powershell](#azure-api-via-powershell)
* [Azure API via Python Version](#azure-api-via-python-version)
@@ -427,6 +428,21 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
**Mitigation**: Enable `Do not allow user consent` for applications in the "Consent and permissions menu".
## Device Code Phish
Requirements:
* Azure AD / Office 365 E3 Subscription
Exploitation:
* Import TokenTactics: `PS C:\TokenTactics> Import-Module .\TokenTactics.psd1`
* Request a device code for the Azure Graph API using TokenTactics: `Get-AzureToken -Client Graph`
* Replace `<REPLACE-WITH-DEVCODE-FROM-TOKENTACTICS>` in the [phishing email](https://github.com/rvrsh3ll/TokenTactics/blob/main/resources/DeviceCodePhishingEmailTemplate.oft)
* Leave TokenTactics running in the PowerShell window and send the phishing email
* Targeted user will follow the link to https://microsoft.com/devicelogin and complete the Device Code form
* Enjoy your **Access Token** & **Refresh Token**
## Token from Managed Identity
> **MSI_ENDPOINT** is an alias for **IDENTITY_ENDPOINT**, and **MSI_SECRET** is an alias for **IDENTITY_HEADER**.
@@ -1090,4 +1106,5 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
* [Introducing ROADtools - The Azure AD exploration framework - Dirk-jan Mollema](https://dirkjanm.io/introducing-roadtools-and-roadrecon-azure-ad-exploration-framework/)
* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)