Pentesting Notes
  • Home
  • 🌐Web pentesting
    • Content Discovery
    • Subdomain Enumeration
    • Authentication bypass
    • IDOR (Insecure Direct Object Reference)
    • Git repository
    • XSS
    • SSRF
    • CSRF
    • Injection
      • SQL Injection
      • Cypher injection
      • Command injection
      • Server Side Template Injection
      • NoSQL injection
      • XXE
    • FI (File Inclusion)
    • File upload
    • OAuth
    • JWT
    • CORS
    • Prototype pollution
    • Request Smuggling
  • Windows Pentesting
    • Enumerating users (No credentials)
    • Privilege Escalation
    • Post-Exploitation
    • Cross-domain enumeration
    • LDAP port (389, 636, 3268, 3269)
    • SMB port (139,445)
    • MSSQL port (1433)
    • Certificate Authority (CA)
    • Delegation attacks
    • Attacking Kerberos
    • Relay attacks
    • Bypassing Security
    • File Transfer
    • GPO (Group Policy Object)
    • Tools
      • Mimikatz
      • NetExec
      • Crackmapexec (CME)
      • Powerview
      • Bloodhound
      • Impacket
      • BloodyAD
      • Sliver C2
  • 🐧Linux Pentesting
    • Linux Privilege Esclation
    • Escape docker
    • Ansible
  • 🕊️Cross platform pivoting
    • Pivoting
  • ☁️Cloud
    • Kubernetes
    • Azure
      • Architecture
        • RBAC & ABAC roles
        • Entra ID roles
        • Entra ID - Authentication with OAuth and API's
        • Consent and Permissions
      • Service Discovery, Recon, Enumeration and Initial Access Attacks
        • Unauthenticated Recon
        • Password Spraying
        • Azure App Service
        • Azure Blob Storage
        • Phishing with Evilginx
        • Conditional Access
      • Authenticated Enumeration
        • ROADTools
        • BloodHound & AzureHound
        • Storage Accounts (database)
      • Privilege Escalation
        • Illicit Consent Grant
        • Macro enabled Word-files (Revshell)
        • Add secrets to app
        • Automation Accounts & Function Apps
        • Virtual Machines
        • Key Vault
        • ARM Deployment History
        • Enterprise Application / Service Principal
      • Lateral Movement
        • Entra ID Devices & Primary Refresh Tokens
        • Dynamic Groups
        • Application Proxy
        • Hybrid Identity
  • 🔁Reversing
    • Windows executables and DLL's
    • Linux binaries
    • Java applications
    • Android APK
  • 🛜Wireless networks
    • WPA/WPA2
    • WPS
    • WEP
    • Capative portal bypass
    • Setting up a Rogue Access Point
    • WPA Enterpise (WPA-MGT)
  • ⭐Tips and tricks
    • Tips and tricks
Powered by GitBook
On this page
  1. Cloud
  2. Azure
  3. Lateral Movement

Application Proxy

PreviousDynamic GroupsNextHybrid Identity

Last updated 6 days ago

Application Proxies allow access to on-prem web applications after sign-in to Entra ID. They have the following components:

  • Endpoint; external URL that the users browse to access the on-prem application. External users must authenticate to AAD

  • Application proxy service. This service runs in the cloud and passes the token provided by Entra ID to the on-prem connector

  • Application Proxy Connector - Agent that runs on the on-prem infra and acts as a communication agent between the cloud proxy service and on-prem app.

Enumerate Application Proxies

. .\Get-MgApplicationProxyApplication.ps1
[+] Access token retrieved successfully.
Retrieving applications from Microsoft Graph...
[+] Successfully retrieved applications.

Application Proxy used by application: 'Finance Management System'
External URL: https://fms-defcorphq.msappproxy.net/
Internal URL: http://deffin-appproxy/
External Authentication Type: aadPreAuthentication

Script:

Get-MgApplicationProxyApplication.ps1
# This script is a part of Attacking and Defending Azure - Beginner's Edition course by Altered Security
# https://www.alteredsecurity.com/azureadlab

$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/").Token

if (-not $token) {
    Write-Host "[+] Failed to retrieve access token." -ForegroundColor Red
    exit
} else {
    Write-Host "[+] Access token retrieved successfully." -ForegroundColor Green
}

$applicationsUrl = "https://graph.microsoft.com/beta/applications"

Write-Host "Retrieving applications from Microsoft Graph..." -ForegroundColor Cyan
$applications = Invoke-RestMethod -Uri $applicationsUrl -Headers @{ Authorization = "Bearer $token" }

if (-not $applications) {
	Write-Host "[-] No applications found or failed to retrieve applications." -ForegroundColor Red
    exit
} else {
    Write-Host "[+] Successfully retrieved applications." -ForegroundColor Green
}

foreach ($application in $applications.value) {
    $objectId = $application.id
    $displayName = $application.displayName

    try {
        $proxyUrl = "$applicationsUrl/$objectId/onPremisesPublishing"

        $proxyDetail = Invoke-RestMethod -Uri $proxyUrl -Method Get -Headers @{ Authorization = "Bearer $token" }

        if ($proxyDetail) {
			Write-Host ""
            Write-Host "Application Proxy used by application: '$displayName'" -ForegroundColor White
            Write-Host "External URL: $($proxyDetail.externalUrl)" -ForegroundColor White
            Write-Host "Internal URL: $($proxyDetail.internalUrl)" -ForegroundColor White
            Write-Host "External Authentication Type: $($proxyDetail.externalAuthenticationType)" -ForegroundColor White
        } else {
        }
    } catch {
    }
}

Vulnerabilities

Most applications behind a proxy are most-likely old or important applications. Web vulnerabilities do not magically go away, so if there is such a vulnerability in the web-app, it may be exploited.

☁️
  • Enumerate Application Proxies
  • Vulnerabilities