# Reconnaissance Tools

**ROADtools**

```
>pipenv shell
>roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
>roadrecon gather [-h] [-d DATABASE] [-f TOKENFILE] [--tokens-stdin] [--mfa]
>roadrecon auth -u test@<TENANT NAME>.onmicrosoft.com -p <PASSWORD>
>roadrecon gather
>roadrecon gui
```

**StormSpotter**

```
https://github.com/Azure/Stormspotter
```

**Azure Hound**

```
https://github.com/BloodHoundAD/AzureHound
>. C:\Tools\AzureHound\AzureHound.ps1
>Invoke-AzureHound -Verbose
GUI 
bolt://localhost:7687
Username: neo4j
Password: BloodHound
```

**Azucar**

```
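Azucar automatically gathers a variety of configuration data and analyzes all data related to a specific subscription
Use an account that has at least read permission on the assets to be accessed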
git clone https://github.com/nccgroup/azucar.git
PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File

PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000

Resolve the TenantID for a specific username
PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
```

**Azurite Explorer and Azurite Visualizer: enumeration and reconnaissance activities in the Microsoft Azure cloud**

```
>git clone https://github.com/mwrlabs/Azurite.git
>git clone https://github.com/FSecureLABS/Azurite
>git submodule init
>git submodule update
PS> Import-Module AzureRM
PS> Import-Module AzuriteExplorer.ps1
PS> Review-AzureRmSubscription
PS> Review-CustomAzureRmSubscription
```

**MicroBurst**

```
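Includes functions and scripts that support Azure service discovery, weak configuration auditing, and post-exploitation actions (such as credential dumping)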
>git clone https://github.com/NetSPI/MicroBurst
PS C:> Import-Module .\MicroBurst.psm1
PS C:> Import-Module .\Get-AzureDomainInfo.ps1
PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
```

**SkyArk**

```
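Discovers the most privileged users in the scanned Azure environment, including Azure shadow admins
Requirements:
Read-only permission on the Azure directory
Read-only permission on the subscription
Requires the AZ and AzureAD modules or administrator privileges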
$ git clone https://github.com/cyberark/SkyArk
$ powershell -ExecutionPolicy Bypass -NoProfile
PS C> Import-Module .\SkyArk.ps1 -force
PS C> Start-AzureStealth

or in the Cloud Console

PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')  
PS C> Scan-AzureAdmins  
```

**PowerZure**

```
>git clone https://github.com/hausec/PowerZure
>ipmo .\PowerZure
>Set-Subscription -Id [idgoeshere]

Reader
>Get-Runbook, Get-AllUsers, Get-Apps, Get-Resources, Get-WebApps, Get-WebAppDetails

Contributor
>Execute-Command -OS Windows -VM Win10Test -ResourceGroup Test-RG -Command "whoami"
>Execute-MSBuild -VM Win10Test  -ResourceGroup Test-RG -File "build.xml"
>Get-AllSecrets # AllAppSecrets, AllKeyVaultContents
>Get-AvailableVMDisks, Get-VMDisk # Download a virtual machine's disk

Owner
>Set-Role -Role Contributor -User test@contoso.com -Resource Win10VMTest

Administrator
>Create-Backdoor, Execute-Backdoor
```


