Black Lantern Security (BLSOPS)

Products and Tools

Introducing Offensive-Azure

A Toolkit Written in Python Aiming to Decouple the Relationship Between PowerShell and Offensive Azure tooling

Cody Martin
Mar 30, 2022

During typical red team operations, interacting with Azure products has become a growing issue. As time progresses, many corporations are moving large segments of their infrastructure to cloud-based providers, namely Microsoft Azure. As a red team operator, this requires you to at least have a Windows virtual machine available to use the existing tooling that targets Azure, because that tooling is written largely in PowerShell. At BLS, we enjoy using Python whenever possible since it is cross-platform and massively supported within the community.

[Image: Offensive-Azure logo]

This brings us to the Offensive-Azure toolkit. Our aim is to create or re-create tooling that is beneficial to the red team professional in a way that is platform agnostic. One of the main goals of this project is to keep the tools as open and loose as possible. We are publishing the toolkit in its infancy, and will continue to develop and release more tools under this umbrella project. In this initial release, we are releasing two tools:

  • device-code-easy-mode.py

  • token-juggle.py

The inspiration for these tools comes directly from the work done on AADInternals and TokenTactics. They are amazing tools that deserve recognition.

device-code-easy-mode.py

The original inspiration comes directly from Dr. Azure AD and his AADInternals project. He developed a PowerShell workflow for the device code flow authentication process that required you to stand up and supply an SMTP server for the cmdlet to interact with.

The workflow present in AADInternals didn't fit with BLS operations, so we decided to make a simpler tool that requests the device code for you, presents it to you, and polls the endpoint for any authentication events. It is up to you to stand up your own email infrastructure and conduct this phish in a successful way. Like the cmdlet in AADInternals, we use the application ID for Microsoft Office. Presenting the victim with an authentication request for "Microsoft Office" helps reassure the victim that they are interacting with a legitimate process.

You have the option to set the targeted resource within the script; just choose from the URIs presented. For AzureAD usage, you'll want to use graph. The graph resource is expected to go away sometime in April 2022 in favor of ms-graph.

For use with all of the Az cmdlets, you'll need both graph and azure_management tokens. To request the other necessary tokens, you'll need to use our other new tool, token-juggle.py, with your refresh token to request additional tokens once the device code flow authentication is completed.

Usage

python3 ./device-code-easy-mode.py
  • Send your phish with the code you are presented with as well as the devicelogin endpoint shown

  • Wait for the target to perform the required steps

    • The device code authentication flow expires after 15 minutes. Note that social engineering may help you prep your target

Installation

git clone https://github.com/blacklanternsecurity/offensive-azure.git

cd ./offensive-azure/Device-Code/

pipenv shell

pip install -r requirements.txt

token-juggle.py

Inspiration for token-juggle.py comes directly from rvrsh3ll and his project TokenTactics. token-juggle.py requests a new access token for a Microsoft/Azure resource using a refresh token.

This script will attempt to load a refresh token from a REFRESH_TOKEN environment variable if none is passed with -r or -R.

After a successful refresh to a new access and refresh token pair, the response output will be saved to where you specify with -o|--outfile. If you do not specify an outfile, then it will be saved to ./YYYY-mm-DD_HH-MM-SS_<resource>_token.json. These can be passed back to the script for further use.

Usage

Using the environment variable:

export REFRESH_TOKEN=<refresh-token>
python3 token-juggle.py teams

Using a refresh token as input:

python3 token-juggle.py outlook -r <refresh-token>

Using an already saved token response from this script:

python3 token-juggle.py ms_graph -R <path-to-refresh-token.json>
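As an added example from the defender's side (not code from the Offensive-Azure project), the following Python flags the pattern the two tools above leave in Azure AD sign-in logs: an interactive device-code sign-in, followed by non-interactive refresh-token use for further resources, often from a different IP than the one that completed the device code. Field names follow the Microsoft Graph signIn resource; the users, IPs, timestamps and resource names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(t, user, ip, resource, proto=None, interactive=False):
    """Constructed sign-in record in the shape of the Microsoft Graph signIn resource."""
    return {"createdDateTime": t, "userPrincipalName": user, "ipAddress": ip,
            "resourceDisplayName": resource, "authenticationProtocol": proto,
            "isInteractive": interactive, "appDisplayName": "Microsoft Office"}

# Constructed sample data, not real tenant logs.
SAMPLE_SIGNINS = [
    # alice: device code completed from her IP, then tokens for several resources from another IP
    _rec("2022-03-30T14:02:11Z", "alice@example.com", "203.0.113.10", "Windows Azure Active Directory", "deviceCode", True),
    _rec("2022-03-30T14:05:40Z", "alice@example.com", "198.51.100.7", "Microsoft Teams Services"),
    _rec("2022-03-30T14:06:02Z", "alice@example.com", "198.51.100.7", "Office 365 Exchange Online"),
    _rec("2022-03-30T14:08:19Z", "alice@example.com", "198.51.100.7", "Microsoft Graph"),
    # bob: ordinary interactive browser sign-in, no device code involved
    _rec("2022-03-30T14:03:00Z", "bob@example.com", "203.0.113.22", "Microsoft Graph", "oAuth2", True),
    # carol: device code and the follow-up token request both from her own IP (e.g. a CLI login)
    _rec("2022-03-30T15:10:00Z", "carol@example.com", "203.0.113.31", "Windows Azure Active Directory", "deviceCode", True),
    _rec("2022-03-30T15:12:00Z", "carol@example.com", "203.0.113.31", "Microsoft Graph"),
]

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def device_code_alerts(signins, window=timedelta(minutes=60), min_resources=2):
    """One alert per device-code sign-in. Severity becomes "high" when the user's later
    non-interactive token requests inside `window` come from an IP other than the one that
    completed the device code, or fan out to at least `min_resources` distinct resources."""
    by_user = defaultdict(list)
    for rec in signins:
        by_user[rec["userPrincipalName"]].append(rec)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=_ts)
        for i, rec in enumerate(recs):
            if rec.get("authenticationProtocol") != "deviceCode":
                continue
            start = _ts(rec)
            later = [x for x in recs[i + 1:]
                     if not x.get("isInteractive", True) and _ts(x) - start <= window]
            resources = sorted({x["resourceDisplayName"] for x in later})
            other_ips = sorted({x["ipAddress"] for x in later} - {rec["ipAddress"]})
            alerts.append({"user": user, "at": rec["createdDateTime"], "device_code_ip": rec["ipAddress"],
                           "resources": resources, "other_ips": other_ips,
                           "severity": "high" if other_ips or len(resources) >= min_resources else "medium"})
    return alerts
```

Legitimate device-code logins (a CLI on the user's own machine) still produce a medium alert, so tune `window` and `min_resources` to the tenant rather than suppressing the protocol match entirely.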

Installation

git clone https://github.com/blacklanternsecurity/offensive-azure.git

cd ./offensive-azure/Access-Tokens/

pipenv shell

pip install -r requirements.txt

The Next Steps

We encourage everyone to watch the Offensive-Azure repository as we will be adding many more scripts in the near future that will include Azure Active Directory enumeration as well as scripts that will target the other major Microsoft applications.

© 2023 Black Lantern Security (BLSOPS)