Andy Robbins
Aug 8, 6 tweets, 2 min read
Problem: you want to collect data with AzureHound but you can't use simple username/password because your user:

❌ - Requires MFA
❌ - Can't auth due to a CAP
❌ - Is a guest/federated user in the target tenant

Solution: refresh tokens! Sounds scary and new? They're EASY: 🧵
There are MANY ways to get your hands on a refresh token, but I think by far the simplest is by using the OAuth 2.0 device code flow.

Sounds complicated but it's a very easy three-step process:
Step 1: initialize a device code authentication flow with this very simple POST request.

Note the "user_code" and "verification_url" we get back:
Step 2: Open a browser where your user is already logged in to an Azure service (the portal, for example). Navigate to the above URL in that browser.

Enter the code from above when asked for it. Follow the prompts until you see this screen:
Step 3: You're ready to get your refresh token! Go back to your PowerShell prompt and perform this very easy POST request.

You now have a refresh token!
Now you can feed this refresh token to AzureHound and do your data collection without being affected by MFA, CAPs, or guest/federated user issues.
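The three steps above, scripted end to end as an added example (this is not code from the thread or from the BloodHound project). It targets the Azure AD v1 endpoints, whose response fields (user_code, verification_url) are the ones the thread names, and it polls the token endpoint the way RFC 8628 describes instead of waiting for you to come back and paste a second request. The client ID is a placeholder you must fill in with a public client that is allowed to use the device code flow, and the resource (Microsoft Graph) is an assumption.

```powershell
# Added example: OAuth 2.0 device code flow against Azure AD v1 endpoints.
# Assumptions (not stated in the thread): $ClientId is a placeholder for a public
# client registered for the device code flow; $Resource is the API the token is for.
$ClientId  = "<public-client-id>"            # placeholder, fill in your own
$Resource  = "https://graph.microsoft.com"   # assumption: Microsoft Graph
$Authority = "https://login.microsoftonline.com/common"

# Step 1: start the flow. The response carries user_code, device_code,
# verification_url, expires_in (seconds) and the polling interval.
$start = Invoke-RestMethod -Method Post -Uri "$Authority/oauth2/devicecode" -Body @{
    client_id = $ClientId
    resource  = $Resource
}
Write-Host "Open $($start.verification_url) in a browser that is already signed in"
Write-Host "and enter the code $($start.user_code) when asked."

# Step 2 happens in the browser. Meanwhile we poll the token endpoint (step 3).
# Until the browser step completes it answers HTTP 400 with error=authorization_pending;
# Invoke-RestMethod turns that into an exception, so the body is read from ErrorDetails.
$deadline = (Get-Date).AddSeconds([int]$start.expires_in)
$interval = [int]$start.interval
$tokens   = $null
while (-not $tokens -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $interval
    try {
        $tokens = Invoke-RestMethod -Method Post -Uri "$Authority/oauth2/token" -Body @{
            grant_type = "urn:ietf:params:oauth:grant-type:device_code"
            client_id  = $ClientId
            code       = $start.device_code
        }
    } catch {
        $err = $null
        try { $err = ($_.ErrorDetails.Message | ConvertFrom-Json).error } catch {}
        if ($err -eq "authorization_pending") {
            # user has not finished signing in yet, keep polling
        } elseif ($err -eq "slow_down") {
            # server asks us to back off; RFC 8628 says add 5 seconds to the interval
            $interval += 5
        } else {
            throw "Device code flow failed: $err $($_.Exception.Message)"
        }
    }
}
if (-not $tokens) { throw "Device code expired before the sign-in completed." }

# Step 3 result: keep the refresh token in a variable rather than echoing it to the
# console, where it would land in the transcript and command history.
$RefreshToken = $tokens.refresh_token
Write-Host "Got a refresh token for $($tokens.resource) (expires_in=$($tokens.expires_in)s)."
```

The token endpoint also returns an access token and the resource it is scoped to; the refresh token is the one that AzureHound needs. On the defender's side, a sign-in completed this way is recorded in the Azure AD sign-in logs with the device code authentication protocol, which is the field to filter on when you want to see how often this flow is used in your tenant.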

This page in the #BloodHound documentation has all the above info and commands for easy copy/pasting: bloodhound.readthedocs.io/en/latest/data…


