Azure Entra ID Pentest
The NodeZero Azure Entra ID Pentest is a grey-box style pentest that uses an Azure credential and a privileged Active Directory (AD) credential to enumerate and exploit attack paths leading to compromise of your Entra ID tenant. The Azure Entra ID Pentest runs from a Docker container within your private enterprise network.
Why should I run a NodeZero Azure Entra ID Pentest?
An Azure Entra ID pentest is a security test focused on determining misconfigurations within your Active Directory and Entra ID hybrid environment that could lead to a full tenant compromise.
The NodeZero Azure Entra ID Pentest is a grey-box style pentest requiring a privileged AD credential with DCSync permissions and an initial Entra user credential. The privileged AD credential allows NodeZero to simulate an internal domain compromise that could enable common attack techniques such as Entra Connect credential dumping and Azure Seamless SSO Silver Ticket attacks. By providing an initial Entra credential, NodeZero is able to simulate an initial credential compromise and enumerate the Entra ID environment. This initial collection also allows NodeZero to highlight possible privilege escalation misconfigurations affecting other users within the tenant.
How to Run an Azure Entra ID Pentest
From NodeZero's "Run Pentest" page, the Azure Entra ID Pentest can be found under the Identity Attack Surface category.
Scope
The Azure Entra ID Pentest requires a Domain Controller IP address. NodeZero will connect to the DC using the privileged domain credential (see below) to query AD via LDAP(S) and gather details about the domain's hybrid Entra ID setup, including the location of the Entra Connect application. Additionally, NodeZero will perform a DCSync attack against the DC to simulate a domain compromise and collect the credential for the AZUREADSSOACC$ machine account, if present. This credential will be used to perform Kerberos Silver Ticket attacks, if possible.
NOTE: The host running Entra Connect is automatically considered "In Scope" for the Azure Entra ID pentest once it is enumerated.
Privileged Domain Credential
The Azure Entra ID pentest requires a privileged domain credential with DCSync privileges, much like the NodeZero AD Password Audit. This allows NodeZero to simulate a domain compromise, enabling it to evaluate several common attack vectors and demonstrate how an on-premises compromise could allow an attacker to compromise your Entra ID tenant.
Azure Credential
An initial Azure Entra ID user credential is required for the Azure Entra ID pentest. As of October 2024, Microsoft has mandated the use of multifactor authentication for Azure services. NodeZero now uses the Device Code Flow (aka OAuth Device Authorization Grant) to request an initial credential for the Azure Entra ID Pentest. During configuration, users will be asked to provide their Entra tenant ID instead of a username/password. Once the pentest begins, users will receive an email notification that NodeZero is ready for them to return to the portal and complete the authentication and authorization steps required for NodeZero to access the tenant. Please see Injecting Azure MFA Credentials. This allows NodeZero to simulate an initial access vector into your Entra environment. Since Entra allows users to enumerate a significant portion of the tenant's configuration by default, this credential does not need to be privileged.
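The Device Code Flow described above, as an added example that is not NodeZero's code: a minimal RFC 8628 client run against a constructed stand-in for the identity provider, showing the device-code request and the `authorization_pending` / `slow_down` polling exchange that happens while the user completes sign-in and MFA in the browser. The endpoint URLs follow the Microsoft identity platform v2.0 pattern, and the tenant ID, client ID and token values are placeholders.

```python
import time

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
DEVICECODE_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/devicecode"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def run_device_code_flow(post, client_id, scope, sleep=time.sleep, max_polls=50):
    """Request a device code, then poll the token endpoint until the user approves.
    `post(url, data) -> dict` is injected so the same flow runs against a real
    endpoint or the constructed server below. Returns (token_response, final_interval)."""
    start = post(DEVICECODE_URL, {"client_id": client_id, "scope": scope})
    # The user_code is what the operator enters at the verification page.
    print(f"Visit {start['verification_uri']} and enter code {start['user_code']}")
    interval = start.get("interval", 5)
    for _ in range(max_polls):
        sleep(interval)
        resp = post(TOKEN_URL, {"grant_type": DEVICE_GRANT, "client_id": client_id,
                                "device_code": start["device_code"]})
        if "access_token" in resp:
            return resp, interval
        err = resp.get("error")
        if err == "authorization_pending":
            continue  # user has not approved yet; keep polling at the same rate
        if err == "slow_down":
            interval += 5  # RFC 8628 section 3.5: add 5 seconds to the polling interval
            continue
        raise RuntimeError(f"device code flow failed: {err}")  # expired_token / access_denied
    raise TimeoutError("user did not complete authorization in time")

class FakeAuthServer:
    """Constructed stand-in for the identity provider (not a real endpoint)."""
    def __init__(self, outcome=None):
        self.token_replies = iter([{"error": "authorization_pending"},
                                   {"error": "authorization_pending"},
                                   {"error": "slow_down"},
                                   outcome or {"access_token": "eyJ.constructed", "token_type": "Bearer"}])
    def post(self, url, data):
        if url.endswith("/devicecode"):
            return {"device_code": "DC-constructed", "user_code": "ABCD-EFGH",
                    "verification_uri": "https://microsoft.com/devicelogin",
                    "expires_in": 900, "interval": 5}
        assert data["grant_type"] == DEVICE_GRANT and data["device_code"] == "DC-constructed"
        return next(self.token_replies)

if __name__ == "__main__":
    token, final_interval = run_device_code_flow(FakeAuthServer().post, "client-id-placeholder",
                                                 "User.Read offline_access", sleep=lambda s: None)
    print(token["token_type"], "token received; final poll interval:", final_interval)
```

Against a real tenant, `post` would be an HTTP POST of form-encoded `data` returning the JSON body, and `sleep` would be left as `time.sleep`.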
Once NodeZero enumerates the environment using this credential, it will attempt to find and exploit a path to compromising the tenant with that credential as the starting point. Additionally, NodeZero will show any paths to full tenant compromise it enumerates from other users using AzureHound.