A Toolkit Written in Python Aiming to Decouple the Relationship Between PowerShell and Offensive Azure tooling
During the course of typical red team operations, interacting with Azure products has been a growing issue. As time progresses, many corporations are moving large segments of their infrastructure to cloud-based providers, namely Microsoft Azure. As a red team operator, this requires you to at least have a Windows virtual machine available to utilize the existing tooling that targets Azure, because that tooling is written largely in PowerShell. At BLS, we enjoy using Python whenever possible since it is cross-platform and widely supported by the community.
This brings us to the Offensive-Azure toolkit. Our aim is to create or re-create tooling that is beneficial to the red team professional in a way that is platform agnostic. One of the main goals of this project is to keep the tools as open and loose as possible. We are publishing the toolkit in its infancy, and will continue to develop and release more tools under this umbrella project. In this initial release, we are releasing two tools:
Original inspiration comes directly from Dr. Azure AD and his AADInternals project. He developed a workflow in PowerShell for the device code flow authentication process that required you to stand up and supply an SMTP server for the cmdlet to interact with.
The workflow present in AADInternals didn't fit with BLS operations, so we decided to make a simpler tool that requests the device code for you, presents it to you, and polls the endpoint for any authentication events. It is up to you to stand up your own email infrastructure and deliver this phish successfully. Like the cmdlet in AADInternals, we use the application ID for Microsoft Office. Presenting the victim with an authentication request for "Microsoft Office" helps reassure the victim that they are interacting with a legitimate process.
You have the option to set the targeted resource within the script; just choose from the URIs presented. For AzureAD usage, you'll want to use graph. This is supposed to be going away sometime in April 2022 in favor of
For use with all of the Az cmdlets, you'll need both azure_management tokens. To request the other necessary tokens, you'll need to use our other new tool, token-juggle.py, with your refresh token to request additional tokens once the device code flow authentication is completed.
Send your phish with the code you are presented with as well as the
Wait for the target to perform the required steps.
The device code authentication flow expires after 15 minutes. Note that social engineering may help you prep your target.
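The defender's counterpart to the procedure above is to notice when it succeeds. The following is an added example for defenders, not code from the Offensive-Azure toolkit or from AADInternals: it filters Microsoft Entra (Azure AD) sign-in log records for completed device code flow authentications and reports apps that several distinct users authorized inside one 15-minute code-validity window. It assumes the record shape of the Microsoft Graph signIns resource (in particular that the authenticationProtocol property reads "deviceCode" for this flow; map that to whatever your log pipeline emits), and the records it runs on are constructed sample data.

```python
"""Flag device code flow sign-ins in Microsoft Entra (Azure AD) sign-in logs.

Added example for defenders; it is not part of the Offensive-Azure toolkit.
It assumes the sign-in record shape returned by the Microsoft Graph signIns
resource, in particular that completed device code authentications carry
authenticationProtocol == "deviceCode" (treat the field name as an
assumption and map it to what your log pipeline emits). The records below
are constructed sample data, not real tenant logs.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records. A nonzero status.errorCode marks a
# failed sign-in; 50126 is used here simply as "some failure".
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2022-03-01T14:02:11Z",
     "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-03-01T14:05:40Z",
     "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "none",
     "ipAddress": "198.51.100.2", "status": {"errorCode": 0}},
    {"createdDateTime": "2022-03-01T14:09:03Z",
     "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
    {"createdDateTime": "2022-03-01T14:12:55Z",
     "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
])

DEVICE_CODE_TTL = timedelta(minutes=15)  # a device code is valid for 15 minutes


def load_signins(text):
    """Parse a JSON array of sign-in records."""
    return json.loads(text)


def _ts(record):
    """Parse the record's createdDateTime (UTC, second precision)."""
    return datetime.strptime(record["createdDateTime"],
                             "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_code_signins(records, successful_only=True):
    """Return the records that completed (or, if successful_only is False,
    attempted) authentication through the device code flow."""
    hits = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits.append(rec)
    return hits


def device_code_bursts(records, window=DEVICE_CODE_TTL, min_users=2):
    """Report apps for which at least min_users distinct users completed a
    device code sign-in within one code-validity window.

    A lone device code sign-in is routine (CLI tools, shared displays);
    several users authorizing the same app inside a 15-minute window is the
    shape a phishing campaign leaves behind. Returns {appDisplayName: [users]}.
    """
    hits = sorted(device_code_signins(records), key=_ts)
    bursts = {}
    for i, first in enumerate(hits):
        users = set()
        for rec in hits[i:]:
            if _ts(rec) - _ts(first) > window:
                break  # hits are time-ordered, so nothing later fits the window
            if rec["appDisplayName"] == first["appDisplayName"]:
                users.add(rec["userPrincipalName"])
        if len(users) >= min_users:
            bursts.setdefault(first["appDisplayName"], set()).update(users)
    return {app: sorted(u) for app, u in bursts.items()}


if __name__ == "__main__":
    recs = load_signins(SAMPLE_SIGNINS)
    for rec in device_code_signins(recs):
        print("device code sign-in:", rec["userPrincipalName"],
              rec["appDisplayName"], rec["ipAddress"])
    print("bursts:", device_code_bursts(recs))
```

On the sample data the burst detector returns Microsoft Office with alice and carol (bob's attempt failed and is dropped). Treat the "Microsoft Office" app name as a hint rather than a key: the page notes that this display name is chosen precisely because it looks legitimate, so the protocol field, not the app name, should drive the rule. Detection is the fallback; where users do not need the device code flow at all, restricting it with a Conditional Access authentication flows condition removes the attack surface instead of just observing it.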
git clone https://github.com/blacklanternsecurity/offensive-azure.git
cd ./offensive-azure/Device-Code/
pipenv shell
pip install -r requirements.txt
This script will attempt to load a refresh token from a REFRESH_TOKEN environment variable if none is passed with
After a successful refresh to a new access and refresh token pair, the response output will be saved to where you specify with -o|--outfile. If you do not specify an outfile, then it will be saved to ./YYYY-mm-DD_HH-MM-SS_<resource>_token.json. These can be passed back to the script for further use.
Using the environment variable:
export REFRESH_TOKEN=<refresh-token>
python3 token-juggle.py teams
Using a refresh token as input:
python3 token-juggle.py outlook -r <refresh-token>
Using an already saved token response from this script:
python3 token-juggle.py ms_graph -R <path-to-refresh-token.json>
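Saved token response files of the kind described above are exactly what an incident responder may recover from an operator's or attacker's host, and the first questions are which resource the access token was minted for, for which identity, whether it is still live, and whether a refresh token (which outlives the access token and can be exchanged for other resources) is present. The following is an added example, not code from the Offensive-Azure project, that answers those questions from the file alone. It assumes the saved file is a standard OAuth 2.0 token response from the Microsoft identity platform (access_token, refresh_token, expires_in, ...) and that the access token is a JWT; the claims are decoded without signature verification, which suffices for triage and for nothing else. The sample file, its unsigned JWT, the placeholder app ID and the timestamps are all constructed.

```python
"""Triage a saved token response file without using the tokens.

Added example, not code from the Offensive-Azure project. It assumes the
saved <timestamp>_<resource>_token.json file is a standard OAuth 2.0 token
response from the Microsoft identity platform (access_token, refresh_token,
expires_in, ...) and that the access token is a JWT. Claims are decoded
without signature verification, which is fine for answering "which resource,
which user, still valid?" about a recovered file, and for nothing else.
The sample file below is constructed: its JWT is unsigned (alg "none").
"""
import base64
import json
import time


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments drop the padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned JWT for the sample below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


SAMPLE_ISSUED = 1_646_143_200  # constructed issue time (Unix seconds)
SAMPLE_TOKEN_FILE = json.dumps({
    "token_type": "Bearer",
    "scope": "User.Read Mail.Read",
    "expires_in": 3599,
    "access_token": make_unsigned_jwt({
        "aud": "https://graph.microsoft.com",
        "upn": "alice@example.com",
        "appid": "00000000-0000-0000-0000-000000000000",  # placeholder app id
        "scp": "User.Read Mail.Read",
        "iat": SAMPLE_ISSUED,
        "exp": SAMPLE_ISSUED + 3599,
    }),
    # Entra refresh tokens are opaque to clients; only their presence matters here.
    "refresh_token": "0.constructed-refresh-token-placeholder",
})


def jwt_claims(token):
    """Decode the payload of a compact JWS without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def summarize_token_file(text, now=None):
    """Summarize a saved token response: resource, identity, scopes, lifetime."""
    response = json.loads(text)
    claims = jwt_claims(response["access_token"])
    now = time.time() if now is None else now
    remaining = int(claims["exp"] - now)
    return {
        "resource": claims.get("aud"),
        "user": claims.get("upn") or claims.get("unique_name"),
        "app_id": claims.get("appid"),
        "scopes": sorted(claims.get("scp", "").split()),
        "expired": remaining <= 0,
        "seconds_left": max(0, remaining),
        # A refresh token outlives the access token and can mint tokens for
        # other resources; its presence is what makes session revocation urgent.
        "has_refresh_token": bool(response.get("refresh_token")),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TOKEN_FILE
    print(json.dumps(summarize_token_file(text), indent=2))
```

Run it with the path to a recovered token file as the only argument, or with no argument to see the constructed sample. An expired access token with no refresh token is inert; a present refresh token means the identity's sessions should be revoked regardless of the access token's remaining lifetime, since that is the piece token-juggle.py uses to obtain tokens for further resources.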
git clone https://github.com/blacklanternsecurity/offensive-azure.git
cd ./offensive-azure/Access-Tokens/
pipenv shell
pip install -r requirements.txt
The Next Steps
We encourage everyone to watch the Offensive-Azure repository as we will be adding many more scripts in the near future that will include Azure Active Directory enumeration as well as scripts that will target the other major Microsoft applications.