Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/daddycocoaman/azbelt
AAD related enumeration in Nim
azure credential-gathering nim sliver
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/daddycocoaman/azbelt
- Owner: daddycocoaman
- License: mit
- Created: 2023-01-20T00:10:23.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-09-07T16:05:45.000Z (over 1 year ago)
- Last Synced: 2024-11-01T00:51:25.498Z (3 months ago)
- Topics: azure, credential-gathering, nim, sliver
- Language: Nim
- Homepage:
- Size: 543 KB
- Stars: 128
- Watchers: 5
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# azbelt
Standalone DLL and sliver extension for enumerating Azure related credentials, primarily on AAD joined machines
## Modules
- `aadjoin` - Gets info about machine AAD status via `NetGetAadJoinInformation`
- `credman` - Gets credentials from Credential Manager
- `env` - Looks for Azure/AAD specific environment variables that may contain secrets
- `managed` - Calls IMDS endpoint to get info about machine with managed identity
- `msal` - Looks in various MSAL caches for tokens. Tokens are parsed to display scope and validity
- `sso` - If machine is AAD joined, get signed PRT cookie
- `tbres` - Gets tokens from Token Broker cache
- `all` - Runs all enumeration except SSO

## Building from source
A devcontainer is provided for easy development and building. The devcontainer base definition is located [here](https://github.com/daddycocoaman/devcontainers/blob/main/nim/.devcontainer/devcontainer.json).

To build, simply:
``nimble release``
This will drop the DLLs into the project folder. If you want the exe for testing the DLL, you can also build the DLL runner:
``nimble dllrun``
You can do both at the same time:
``nimble all``
### Special Thanks
- [@byt3bl33d3r](https://twitter.com/byt3bl33d3r) - [OffensiveNim](https://github.com/byt3bl33d3r/OffensiveNim)
- [@_xpn_](https://twitter.com/@_xpn_) - [TokenBroker Cache research](https://blog.xpnsec.com/wam-bam/)
- [@tifkin](https://twitter.com/tifkin_) - [AAD SSO Refresh Token research](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30)
- [@_dirkjan](https://twitter.com/_dirkjan) - [PRT research](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/)