ADVENTURES IN AZURE PRIVILEGE ESCALATION - Karl Fosaaen - PowerPoint PPT Presentation


  1. ADVENTURES IN AZURE PRIVILEGE ESCALATION
     Karl Fosaaen

  2. WHO AM I
     - Karl Fosaaen
     - Pen Tester
     - Password Cracker
     - Social Engineer
     - Blogger
     - Cloud Enthusiast
     - Private Pilot
     - https://github.com/netspi
     - https://blog.netspi.com/
     - Twitter - @kfosaaen
     2 Confidential & Proprietary

  3. INTRODUCTION
     - Everyone is moving to the cloud
       - Developers
       - Sys Admins
       - Pen Testers
     - Azure Benefits
       - AzureAD - Integrated AD users/groups
       - One-stop licensing
       - Easy to integrate

  4. INTRODUCTION
     - For the folks at home, this will assume some level of Azure knowledge; feel free to pause here, watch the following talks, and come back when you're done
     - Primer Talks:
       - You Moved to O365, Now What? - https://www.youtube.com/watch?v=1loGEPn_n7U
       - Attacking & Defending the Microsoft Cloud - https://adsecurity.org/?p=4179
       - I'm in your cloud... - https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Dirk-jan-Mollema-Im-in-your-cloud-pwning-your-azure-environment.pdf
       - Attacking Azure w/PowerShell - https://www.youtube.com/watch?v=IdORwgxDpkw

  5. INITIAL ENTRY POINTS
     - How to get credentials in the first place
       - This talk is about privilege escalation, but first we need access
     - Gathered Credentials
       - GitHub/PasteBin/etc.
     - Guessed Creds
       - Summer2019
     - How to access Azure
       - Azure Portal - portal.azure.com
       - Azure CLI
       - PowerShell - AzureRM / AZ CLI / MSOnline

  6. AZURE PERMISSIONS MODEL
     - Tenant Level
       - Global Admin
     - Subscription Level
       - Owner
       - Contributor
       - Reader
     - Special/Custom Roles
       - Multi-Level
       - Service Specific
       - Application Specific
     - Application of Roles
       - Subscription/Resource Group/Asset Level

  7. PRIVILEGE ESCALATION
     - How to Access/List Your Permissions
     - AZ CLI
       - List Roles: az role assignment list
       - List your roles: az role assignment list --assignee YOUR_USERNAME
       - List the Readers: az role assignment list --role reader
       - List the Contributors: az role assignment list --role contributor
       - List the Owners: az role assignment list --role owner
     - Azure Portal - Search->Subscriptions
       - Review subscription IAM
     - Azure Portal - Search->Azure Active Directory
       - Roles and Administrators
       - Built-in Roles, Global Admins, etc.

  8. PRIVILEGE ESCALATION
     - General Privilege Overview
       - Tenant/Global Admin
       - Owner
       - Contributor/Some Contributor Rights
       - Reader
       - No Azure Access

  9. PRIVILEGE ESCALATION - NO ACCESS
     - No Azure Access
       - Portal is available, but there's nothing there...
       - Common for users without a Subscription
     - Positives
       - You have valid credentials and can pivot to other services
         - Office365 - Outlook/SharePoint/Teams/etc.
         - Single Factor Auth Interfaces - https://myapps.microsoft.com
     - Negatives
       - Not that much valuable information available from Azure

  10. PRIVILEGE ESCALATION - READER
     - Reader Level Access
       - AzureAD Password Guessing with a full list of users
         - Summer2019, Company1, Password2, etc.

  11. PRIVILEGE ESCALATION - READER
     - Reading Deployment Parameters
       - All Resource Groups, All Deployments
       - Looking for config templates with Cleartext Credentials/Keys/Etc.
       - Get-AzureRmResourceGroup | Get-AzureRmResourceGroupDeployment >> ".\Deployments.txt"
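Added example, not from the talk: a small Python audit that reads deployment output of the shape returned by `az deployment group list` (the same Parameters data the Get-AzureRmResourceGroupDeployment one-liner above dumps) and flags parameters whose values any Reader can see because they were declared as String instead of SecureString. The sample deployments and the field names are constructed assumptions.

```python
import json
import re

# Constructed sample shaped like `az deployment group list` JSON (assumed
# field names); the AzureRM cmdlet in the slide returns the same Parameters.
SAMPLE_DEPLOYMENTS = json.dumps([
    {"name": "vm-deploy-01", "resourceGroup": "rg-prod",
     "properties": {"parameters": {
         "adminUsername": {"type": "String", "value": "localadmin"},
         # declared as String, so a Reader sees the value in cleartext
         "adminPassword": {"type": "String", "value": "Summer2019!"},
         "vmSize": {"type": "String", "value": "Standard_B2s"}}}},
    {"name": "sql-deploy-02", "resourceGroup": "rg-prod",
     "properties": {"parameters": {
         # SecureString parameters come back without a value
         "sqlAdminPassword": {"type": "SecureString"},
         "connString": {"type": "String", "value":
             "Server=tcp:db.database.windows.net;Password=Pa55w0rd;"}}}},
])

SECRET_NAME = re.compile(r"password|pwd|secret|key|token|conn(ection)?string", re.I)
SECRET_VALUE = re.compile(r"(password|pwd|accountkey|sharedaccesskey)\s*=", re.I)

def find_cleartext_parameters(deployments_json):
    """Return (deployment, parameter) pairs that are readable and look like secrets."""
    findings = []
    for dep in json.loads(deployments_json):
        params = dep.get("properties", {}).get("parameters") or {}
        for name, spec in params.items():
            if spec.get("type", "").lower() == "securestring":
                continue  # value is never returned, nothing to read
            value = spec.get("value")
            if value is None:
                continue
            if SECRET_NAME.search(name) or SECRET_VALUE.search(str(value)):
                findings.append((dep["name"], name))
    return findings

if __name__ == "__main__":
    for dep, param in find_cleartext_parameters(SAMPLE_DEPLOYMENTS):
        print(f"{dep}: '{param}' readable in cleartext; declare it as secureString")
```

The fix on the template side is to declare such parameters as secureString, which keeps their values out of the deployment history the Reader role can list.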

  12. PRIVILEGE ESCALATION - READER
     - Reading App Services Configurations
       - Not enabled for default Reader access
         - Often granted to Developers with Reader access
       - Connection Strings for Azure SQL
       - Pivot into SQL DB
         - AzureSQL - Data Access Only
         - MSSQL on VM/Server - See PowerUpSQL

  13. PRIVILEGE ESCALATION - READER
     - Reading App Services Configurations
       - Credentials for Deploying Applications
         - Backdoor applications, access source code, etc.

  14. PRIVILEGE ESCALATION - READER
     - Reader Level Example
       - Guessed external credentials
       - User has Subscription Reader rights
       - Deployment parameters expose local admin credential for domain joined virtual machine
       - RDP to VM exposed to available external network
       - Mimikatz Contributor account from Azure VM machine

  15. PRIVILEGE ESCALATION - CONTRIBUTOR
     Contributor Access

  16. PRIVILEGE ESCALATION - CONTRIBUTOR
     - Your user has some level of contributor access
       - Subscription Level - Great!
       - Individual Resource Groups - Not bad
       - Single Resources/Services - We'll see...

  17. PRIVILEGE ESCALATION - CONTRIBUTOR
     - Contributor Level Access on Virtual Machines
       - NT Authority\SYSTEM command execution on VMs
     - Next Steps
       - Use PowerShell commands or the Portal to get data/shells/etc. from the VMs, pivot from there
     - Related Blog: https://blog.netspi.com/running-powershell-scripts-on-azure-vms/

  18. PRIVILEGE ESCALATION - CONTRIBUTOR
     - Contributor Level Access on Storage Accounts
       - List out all of the Containers and Files
       - Look for config files, passwords, keys
     - Next Steps
       - Copy off files
       - Backdoor office documents

  19. PRIVILEGE ESCALATION - CONTRIBUTOR
     - Contributor Level Access on Virtual Disks
       - Ability to copy a disk off to another Azure VM
       - Read the disk - Hashes, files, etc.
       - See cloudcopy AWS attack (@_StaticFlow_)
         - https://medium.com/@_StaticFlow_/cloudcopy-stealing-hashes-from-domain-controllers-in-the-cloud-c55747f0913
         - https://github.com/Static-Flow/CloudCopy

  20. PRIVILEGE ESCALATION - CONTRIBUTOR
     - Contributor Level Access to: Key Vaults/App Services/Automation Accounts
     - Get-AzurePasswords
       - Dump Key Vault Entries
       - App Services (See Reader Slides)
       - Automation Accounts
         - Frequently set up to run as Contributor Service accounts
         - Sometimes configured with higher level credentials
         - Cleartext credentials can be recovered for stored account "RunAs" creds
         - Automation Account certificate authentication "exportable" via runbooks

  21. PRIVILEGE ESCALATION - CONTRIBUTOR
     - Contributor Level Access to Automation Accounts
       - Runbooks = Funbooks
     - Accessing Key Vaults
       - New runbook to export all key vault entries
       - Automation account may have access that you don't
     - Escalating Privileges
       - New runbook to operate as the privileged user
       - Privilege Escalation - Owner and/or Tenant Admin
       - Add additional owner or admin rights to your account
     - Related Blog: https://blog.netspi.com/azure-automation-accounts-key-stores/

  22. PRIVILEGE ESCALATION - CONTRIBUTOR
     - Reader Level Example (Continued)
       - Guessed external credentials
       - User has Subscription Reader rights
       - Deployment parameters expose local admin credential for domain joined virtual machine
       - RDP to VM exposed to available (internal/external) network
       - Mimikatz Contributor account from Azure VM machine
       - Login to Azure with New Account
       - Contributor Access to Automation Accounts
       - Get-AzurePasswords used to dump Owner Account Credential from Automation Accounts stored credentials

  23. PRIVILEGE ESCALATION - OWNER
     Owner Access

  24. PRIVILEGE ESCALATION - OWNER
     - Owner Level Access
       - Escalating up to Global Admin/Tenant Admin
     - Frequently Owner Accounts are configured with multiple subscriptions
       - Global admins are kept on their own island (Think Enterprise Admins)
     - Pivot to another subscription
       - Lather/Rinse/Repeat until you've accessed/"Owned" all subscriptions (effective Tenant Admin)
     - Listing available subscriptions
       - az account list --output table
     - Switching subscriptions
       - az account set --subscription "My Demos"

  25. PRIVILEGE ESCALATION - TENANT ADMIN
     Tenant Admin and Persistence

  26. PRIVILEGE ESCALATION - TENANT ADMIN
     - Tenant Admin Access
       - You have global admin, now what?
     - Burn it all down...
     - Pivot internally
       - Find your way to the internal network
       - Via Azure or other channels
     - Persist Access

  27. PERSISTENCE
     - Adding Azure AD accounts
       - Global Admins and User Admins are usually limited groups
         - Additions to these groups can be noisy
     - Slightly quieter... Similar username to company (kfosaaen/karl.fosaaen)
       - Add as a Contributor or Owner for all (important) subscriptions
       - Mimic account attributes of other admins
       - List Subscriptions: az account list | ConvertFrom-Json | ForEach-Object {$_.id}
       - Pipe those IDs into this command: az role assignment create --role Owner --assignee USERNAME_HERE --scope /subscriptions/$id

  28. PERSISTENCE
     - Guest access to Tenant
       - Using a look-alike email domain (netspi.cloud)
       - Using vendor email domain (comcast.net)
         - ISP customer email could be perceived as legit vendor domain
     - Add appropriate IAM assignments as needed
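Added detection example, not from the talk, for the Contributor-level Run Command on VMs (slide 17), new runbooks in Automation Accounts (slide 21) and the subscription-scope Owner and guest role assignments used for persistence (slides 27 and 28): a Python triage over constructed, simplified Activity Log records. The flat record shape is an assumption; a real `az monitor activity-log list` export nests these fields and carries the role as a roleDefinitionId, which is why the well-known built-in Owner and Contributor role definition GUIDs are used here rather than role names.

```python
import re

# Constructed, simplified Activity Log records (assumed field names; a real
# export nests operationName.value, caller, status.value and properties).
SAMPLE_EVENTS = [
    {"operation": "Microsoft.Authorization/roleAssignments/write",
     "caller": "jane@contoso.com",
     "scope": "/subscriptions/sub-a/resourceGroups/rg-dev",
     "role": "b24988ac-6180-42a0-ab88-20f7382dd24c",  # built-in Contributor
     "principal": "dev-sp@contoso.com"},
    {"operation": "Microsoft.Authorization/roleAssignments/write",
     "caller": "ops-admin@contoso.com",
     "scope": "/subscriptions/sub-a",
     "role": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",  # built-in Owner
     "principal": "kfosaaen_netspi.cloud#EXT#@contoso.onmicrosoft.com"},
    {"operation": "Microsoft.Compute/virtualMachines/runCommand/action",
     "caller": "contrib@contoso.com",
     "scope": "/subscriptions/sub-a/resourceGroups/rg-prod/providers/"
              "Microsoft.Compute/virtualMachines/dc01"},
    {"operation": "Microsoft.Automation/automationAccounts/runbooks/write",
     "caller": "contrib@contoso.com",
     "scope": "/subscriptions/sub-a/resourceGroups/rg-ops/providers/"
              "Microsoft.Automation/automationAccounts/aa01/runbooks/rb1"},
]

OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$")  # no RG or resource

def classify(event):
    """Return (severity, reason) for one record, or None when it is routine."""
    op = event["operation"]
    if op == "Microsoft.Authorization/roleAssignments/write":
        broad = bool(SUBSCRIPTION_SCOPE.match(event.get("scope", "")))
        guest = "#EXT#" in event.get("principal", "")  # B2B guest UPN form
        if event.get("role") == OWNER_ROLE_ID and broad:
            return ("high" if guest else "medium",
                    "Owner assigned at subscription scope" + (" to a guest" if guest else ""))
        return ("medium", "role assigned to a guest principal") if guest else None
    if op == "Microsoft.Compute/virtualMachines/runCommand/action":
        return "medium", "Run Command executed on a VM (runs as SYSTEM)"
    if op == "Microsoft.Automation/automationAccounts/runbooks/write":
        return "medium", "runbook created or changed in an Automation Account"
    return None

def triage(events):
    """Return (caller, severity, reason) for every record worth a look."""
    return [(e["caller"], *hit) for e in events if (hit := classify(e))]
```

Routine resource-group-scoped Contributor grants (the first record) are deliberately not reported, so the output stays short enough to review by hand.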
