Share this page!

gatitohacs 😼 Profile picture
Twitter logo
Feb 28 β€’ 9 tweets β€’ 3 min read
So you wanna do some #azure #recon:

I give you a few pointers.
πŸ‘‡
Step 1: Say kiitos to @DrAzureAD then install AADInternals, set your phasers to stun and your POWAHSHELL to german to ensure MAXIMUM efficiency german powershell screenshot
To import the modul you might have to set your execution pawliciy 🐾.
For maximum fun we can set this to
Set-ExecutionPolicy unrestricted
on our managed company super safe devices. Do some privesc first if needed πŸ˜€
After importing this badboy you can check from an outsider perspective and get some infos, with no creds, on an org
with
Invoke-AADIntReconAsOutsider invoke recon on german maxi...
Or you can use creds to perform some insider recon with
Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache

Type in your creds and see results with

$results = Invoke-AADIntReconAsInsider
Or you can use ROADRecon which you can find here

github.com/dirkjanm/ROADt…
Or you can use AzureHound

github.com/BloodHoundAD/A…
Or you can do it manually by interacting with the apis, like e.g
login.microsoftonline.com/GetUserRealm.s…
provides login and auth-type infos. Also have a look at
microsoft.github.io/Azure-Threat-R…
@threadreaderapp unroll

β€’ β€’ β€’

Missing some Tweet in this thread? You can try to force a refresh
γ€€

Keep Current with gatitohacs 😼

gatitohacs 😼 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @rootcathacking

gatitohacs 😼 Profile picture
Mar 2
I pet a cat today and now my allergies are killing me, so obviously this calls for a follow up of, hey you found some #aws creds, what to do meow:

#cloud #hacking #Recon
πŸ‘‡
Step 1: First you gotta decide if this is more of a lazy space vibe kinda thing (A), or (B) calls for some illegal dirty acidcore and adjust your playlist accordingly:
A:
B: soundcloud.com/pitch1/i-can-h…
next drop the keys in your .aws creds file. I typically name the first set initial and work with the --profile tag in the cli, so I can keep track on were I am. Then check who you are first, with:
aws sts get-caller-identity --profile initial
Read 11 tweets
gatitohacs 😼 Profile picture
Mar 1
So you found #aws creds to an S3, lets do some #cloud #hacking #recon:

πŸ‘‡
First of all, S3 stands for serious summertime sadness
and allows the general operations of:

list
get
put
delete

An S3 is a bucket and within a bucket there are objects. Basically an object can be anyfile. Objects have keys assoziated
and a bucket nayme must be globally unique and not contain spaces or uppercase letters.
Example:
mrlee.s3.us-west-2.amazonaws.com/mafia/pizza.jpg

the bucket mrlee in the west region with an object pizza.jpg and a key of /mafia/pizza.jpg
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(