Planned: combine the two scripts into one and add an option to choose which enumeration mode to run, "Full" or "User".
The Azure AD RedTeam Full Enumeration Script queries all aspects of your target Azure tenant, focusing on the Azure Active Directory (AD) component, using four common modules to interact with Azure AD from PowerShell. The script saves the output of every enumeration task into a folder, separating the output files into appropriate subfolders for later analysis. This script saved me a lot of time on the enumeration portion of the Pentester Academy CARTP exam and will be extremely useful for any Azure AD pentesting engagement. The script contains more information within it to help you enumerate discovered resources further, so make sure you read the commented-out portions!
The following four modules are used (install commands are in the installation section below): AzureAD (or AzureADPreview), Az, the Azure CLI, and AADInternals.
The script is also designed to run other popular scripts and modules (AzureHound and MicroBurst, see below) to get the most information out of your target Azure AD tenant. Look into those projects to understand the tools' full capabilities beyond the small tasks performed within this script.
These scripts require valid credentials in order to execute correctly. All tokens that are needed are acquired by the script itself when required.
- Download the repo and rename the folder 'Tools' (or whatever you choose). The repo already includes the modules you need.
If you want to install them manually:
- As an administrator, install the following on your system to interact with Azure from PowerShell:
  - AzureAD module: `Install-Module AzureAD` (GA) or `Install-Module AzureADPreview` (public preview). Get the public preview one for these scripts. Note that Microsoft has deprecated the AzureAD and AzureADPreview modules in favour of Microsoft Graph PowerShell, so expect them to stop working at some point.
  - Az PowerShell module: `Install-Module Az -Force`
  - Azure Command-Line Interface (CLI): `Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi`
  - AADInternals: `Install-Module AADInternals`
- You can also edit the script to do all of the above for you!
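If you do want the installation automated, the following is an added example (it is not the project's own code and not part of the original README) that checks for each of the four dependencies listed above and installs whatever is missing. Module names and the Azure CLI installer URL are the ones from this README; the `-Preview` switch is an assumption added for illustration.

```powershell
# Added example, not the project's own code: check for the four dependencies the
# scripts use and install whatever is missing. Run from an elevated PowerShell
# session. The -Preview switch is an assumption added for illustration.
param(
    # Install AzureADPreview instead of AzureAD; the two cannot be loaded side by side.
    [switch]$Preview
)

$ErrorActionPreference = 'Stop'

$aadModule = if ($Preview) { 'AzureADPreview' } else { 'AzureAD' }
$modules   = @($aadModule, 'Az', 'AADInternals')

foreach ($m in $modules) {
    if (Get-Module -ListAvailable -Name $m) {
        Write-Host "[+] $m is already installed"
        continue
    }
    Write-Host "[*] Installing $m ..."
    # -Force suppresses the untrusted-repository prompt (the README uses it for Az).
    Install-Module -Name $m -Force
}

# The Azure CLI is an MSI, not a PowerShell module, so detect it via the az command.
if (Get-Command az -ErrorAction SilentlyContinue) {
    $ver = (az version | ConvertFrom-Json).'azure-cli'
    Write-Host "[+] Azure CLI $ver is already installed"
} else {
    Write-Host "[*] Installing Azure CLI ..."
    $msi = Join-Path $env:TEMP 'AzureCLI.msi'
    Invoke-WebRequest -Uri 'https://aka.ms/installazurecliwindows' -OutFile $msi
    Start-Process msiexec.exe -Wait -ArgumentList "/I `"$msi`" /quiet"
    Remove-Item $msi
    # The installer updates the machine PATH; refresh this session so az resolves now.
    $env:Path = [Environment]::GetEnvironmentVariable('Path', 'Machine') + ';' +
                [Environment]::GetEnvironmentVariable('Path', 'User')
}

# Verify everything loads. AzureAD/AzureADPreview are Windows PowerShell 5.1 modules;
# under PowerShell 7 they only load through the Windows PowerShell compatibility layer.
foreach ($m in $modules) {
    if ($PSVersionTable.PSVersion.Major -ge 7 -and $m -like 'AzureAD*') {
        Import-Module $m -UseWindowsPowerShell -WarningAction SilentlyContinue
    } else {
        Import-Module $m
    }
    Write-Host "[+] $m imports OK"
}
if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
    throw 'az is still not on PATH; open a new shell and re-run.'
}
```

Run it once as `.\Install-Prereqs.ps1` (the file name is your choice) or with `-Preview` when the scripts need AzureADPreview; the final import loop is what tells you whether the AzureAD module is usable in the shell you are actually going to run the enumeration from.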
- Download the AzureHound and MicroBurst repos.
- Put both repos and the two enumeration scripts into a folder called `Tools` (or whatever you chose above).
- Run the full enumeration script first: `.\AzRedTeamEnumScript.ps1`
- You can also use the User enumeration script when you find credentials for another user in the same tenant and want to query what that new user and/or service principal has access to, without running the full enumeration script again. To run it: `.\AzureUserAccessEnumScript.ps1`
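To make the shape of both runs concrete, here is an added minimal scaffold (not the project's own code and not part of the original README) in the form the two scripts follow: one set of credentials signs in to every module up front, each enumeration task writes into its own subfolder, and a failed query is logged rather than aborting the run. The cmdlets and CLI commands are the real ones from AzureAD, Az, AADInternals and the Azure CLI; the folder layout, the task list and the `-Mode` switch (Full vs User, as planned at the top of this README) are assumptions.

```powershell
# Added example, not the project's own code: scaffold of an enumeration run.
# Folder layout, task list and the -Mode switch are assumptions for illustration.
param(
    [Parameter(Mandatory)] [pscredential]$Credential,
    [ValidateSet('Full', 'User')] [string]$Mode = 'Full',
    [string]$OutRoot = (Join-Path $PWD ('Enum_' + (Get-Date -Format 'yyyyMMdd_HHmmss')))
)
$ErrorActionPreference = 'Stop'

# One subfolder per tool so the results can be triaged later.
$dir = @{}
foreach ($name in 'AzureAD', 'Az', 'AzCLI', 'AADInternals') {
    $dir[$name] = (New-Item -ItemType Directory -Path (Join-Path $OutRoot $name) -Force).FullName
}
$errLog = Join-Path $OutRoot 'errors.log'

function Invoke-Task {
    # Runs one enumeration step. A permission error is itself a finding, so record it and carry on.
    param([string]$Name, [scriptblock]$Task)
    try {
        $global:LASTEXITCODE = 0                     # native commands (az) set this instead of throwing
        & $Task
        if ($LASTEXITCODE) { throw "az exited with code $LASTEXITCODE" }
        Write-Host "[+] $Name"
    } catch {
        "$Name : $($_.Exception.Message)" | Add-Content -Path $errLog
        Write-Warning "[-] $Name failed, see $errLog"
    }
}

# --- Sign in to every tool once. -Credential sign-in only works for accounts without MFA;
# --- otherwise drop the parameter and complete the interactive prompt instead.
# --- Passing the password to az login exposes it in the process command line: fine in a lab, not on a shared host.
$user = $Credential.UserName
$pass = $Credential.GetNetworkCredential().Password
Invoke-Task 'Connect AzureAD'      { Connect-AzureAD -Credential $Credential | Out-Null }
Invoke-Task 'Connect Az'           { Connect-AzAccount -Credential $Credential | Out-Null }
Invoke-Task 'Connect az CLI'       { az login -u $user -p $pass --allow-no-subscriptions --output none }
Invoke-Task 'Connect AADInternals' { Get-AADIntAccessTokenForAADGraph -Credentials $Credential -SaveToCache | Out-Null }

# --- Tasks that matter in both modes: what does this identity hold and own?
Invoke-Task 'Current session'  { Get-AzureADCurrentSessionInfo | Export-Csv (Join-Path $dir.AzureAD 'session.csv') -NoTypeInformation }
Invoke-Task 'Current user'     { Get-AzureADUser -ObjectId $user | Export-Csv (Join-Path $dir.AzureAD 'current_user.csv') -NoTypeInformation }
Invoke-Task 'Role assignments' { Get-AzRoleAssignment | Export-Csv (Join-Path $dir.Az 'role_assignments.csv') -NoTypeInformation }
Invoke-Task 'Owned objects'    { az ad signed-in-user list-owned-objects --output json | Set-Content (Join-Path $dir.AzCLI 'owned_objects.json') }

if ($Mode -eq 'Full') {
    # Tenant-wide enumeration; User mode skips it so a run for a second identity stays short.
    Invoke-Task 'Users'              { Get-AzureADUser -All $true | Export-Csv (Join-Path $dir.AzureAD 'users.csv') -NoTypeInformation }
    Invoke-Task 'Groups'             { Get-AzureADGroup -All $true | Export-Csv (Join-Path $dir.AzureAD 'groups.csv') -NoTypeInformation }
    Invoke-Task 'Service principals' { Get-AzureADServicePrincipal -All $true | Export-Csv (Join-Path $dir.AzureAD 'service_principals.csv') -NoTypeInformation }
    Invoke-Task 'Devices'            { Get-AzureADDevice -All $true | Export-Csv (Join-Path $dir.AzureAD 'devices.csv') -NoTypeInformation }
    Invoke-Task 'Subscriptions'      { Get-AzSubscription | Export-Csv (Join-Path $dir.Az 'subscriptions.csv') -NoTypeInformation }
    Invoke-Task 'Resources'          { Get-AzResource | Export-Csv (Join-Path $dir.Az 'resources.csv') -NoTypeInformation }
    Invoke-Task 'App registrations'  { az ad app list --all --output json | Set-Content (Join-Path $dir.AzCLI 'app_registrations.json') }
    Invoke-Task 'Tenant details'     { Get-AADIntTenantDetails | Export-Csv (Join-Path $dir.AADInternals 'tenant_details.csv') -NoTypeInformation }
}
Write-Host "[+] Output written to $OutRoot"
```

Usage (file name is your choice): `.\Enum.ps1 -Credential (Get-Credential)` for a full run, then `.\Enum.ps1 -Credential (Get-Credential) -Mode User` for each further set of credentials you recover. Check `errors.log` after every run: a query that fails with an authorization error tells you what that identity cannot see, which is as useful during an engagement as the CSVs it could produce.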
- Author and researcher: @n3t1nv4d3 (https://github.com/n3t1nv4d3).