Pentesting Tips - Windows

A curated list of useful tools and resources for penetration testing and securing Microsoft Windows.

Enumeration

  • o365creeper - Enumerate valid email addresses
  • CloudBrute - Tool to find a company's cloud infrastructure on the top cloud providers
  • cloud_enum - Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud
  • Azucar - Security auditing tool for Azure environments
  • CrowdStrike Reporting Tool for Azure (CRT) - Query Azure AD/O365 tenants for hard-to-find permissions and configuration settings
  • ScoutSuite - Multi-cloud security auditing tool. Security posture assessment of different cloud environments.
  • BlobHunter - A tool for scanning Azure blob storage accounts for publicly open blobs
  • Grayhat Warfare - Open Azure blobs and AWS bucket search

Information Gathering

  • o365recon - Information gathering with valid credentials to Azure
  • Get-MsolRolesAndMembers.ps1 - Retrieve list of roles and associated role members
  • ROADtools - Framework to interact with Azure AD
  • PowerZure - PowerShell framework to assess Azure security
  • Azurite - Enumeration and reconnaissance activities in the Microsoft Azure Cloud
  • Sparrow.ps1 - Helps to detect possibly compromised accounts and applications in the Azure/M365 environment
  • Hawk - PowerShell-based tool for gathering information related to O365 intrusions and potential breaches
  • Microsoft Azure AD Assessment - Tooling for assessing an Azure AD tenant state and configuration
  • Cloud Katana - Unlocking Serverless Computing to Assess Security Controls

Lateral Movement

  • Stormspotter - Azure Red Team tool for graphing Azure and Azure Active Directory objects
  • AzureADLateralMovement - Lateral Movement graph for Azure Active Directory
  • SkyArk - Discover, assess and secure the most privileged entities in Azure and AWS

Exploitation

  • MicroBurst - A collection of scripts for assessing Microsoft Azure security
  • azuread_decrypt_msol_v2.ps1 - Decrypt Azure AD MSOL service account
  • winPEAS - Script that will search for all possible paths to escalate privileges on Windows hosts

Credential Attacks

  • MSOLSpray - A password spraying tool for Microsoft Online accounts (Azure/O365)
  • MFASweep - A tool for checking if MFA is enabled on multiple Microsoft services
  • adconnectdump - Dump Azure AD Connect credentials for Azure AD and Active Directory

Articles

Books

Lists and Cheat Sheets

Tips and Tricks