Pentesting Notes
  • Home
  • 🌐Web pentesting
    • Content Discovery
    • Subdomain Enumeration
    • Authentication bypass
    • IDOR (Insecure Direct Object Reference)
    • Git repository
    • XSS
    • SSRF
    • CSRF
    • Injection
      • SQL Injection
      • Cypher injection
      • Command injection
      • Server Side Template Injection
      • NoSQL injection
      • XXE
    • FI (File Inclusion)
    • File upload
    • OAuth
    • JWT
    • CORS
    • Prototype pollution
    • Request Smuggling
  • Windows Pentesting
    • Enumerating users (No credentials)
    • Privilege Escalation
    • Post-Exploitation
    • Cross-domain enumeration
    • LDAP port (389, 636, 3268, 3269)
    • SMB port (139,445)
    • MSSQL port (1433)
    • Certificate Authority (CA)
    • Delegation attacks
    • Attacking Kerberos
    • Relay attacks
    • Bypassing Security
    • File Transfer
    • GPO (Group Policy Object)
    • Tools
      • Mimikatz
      • NetExec
      • Crackmapexec (CME)
      • Powerview
      • Bloodhound
      • Impacket
      • BloodyAD
      • Sliver C2
  • 🐧Linux Pentesting
    • Linux Privilege Esclation
    • Escape docker
    • Ansible
  • 🕊️Cross platform pivoting
    • Pivoting
  • ☁️Cloud
    • Kubernetes
    • Azure
      • Architecture
        • RBAC & ABAC roles
        • Entra ID roles
        • Entra ID - Authentication with OAuth and API's
        • Consent and Permissions
      • Service Discovery, Recon, Enumeration and Initial Access Attacks
        • Unauthenticated Recon
        • Password Spraying
        • Azure App Service
        • Azure Blob Storage
        • Phishing with Evilginx
        • Conditional Access
      • Authenticated Enumeration
        • ROADTools
        • BloodHound & AzureHound
        • Storage Accounts (database)
      • Privilege Escalation
        • Illicit Consent Grant
        • Macro enabled Word-files (Revshell)
        • Add secrets to app
        • Automation Accounts & Function Apps
        • Virtual Machines
        • Key Vault
        • ARM Deployment History
        • Enterprise Application / Service Principal
      • Lateral Movement
        • Entra ID Devices & Primary Refresh Tokens
        • Dynamic Groups
        • Application Proxy
        • Hybrid Identity
  • 🔁Reversing
    • Windows executables and DLL's
    • Linux binaries
    • Java applications
    • Android APK
  • 🛜Wireless networks
    • WPA/WPA2
    • WPS
    • WEP
    • Capative portal bypass
    • Setting up a Rogue Access Point
    • WPA Enterpise (WPA-MGT)
  • ⭐Tips and tricks
    • Tips and tricks
Powered by GitBook
On this page
  1. Cloud
  2. Azure
  3. Lateral Movement

Application Proxy

PreviousDynamic GroupsNextHybrid Identity

Last updated 25 days ago

Application Proxies allow access to on-prem web applications after sign-in to Entra ID. They have the following components:

  • Endpoint; external URL that the users browse to access the on-prem application. External users must authenticate to AAD

  • Application proxy service. This service runs in the cloud and passes the token provided by Entra ID to the on-prem connector

  • Application Proxy Connector - Agent that runs on the on-prem infra and acts as a communication agent between the cloud proxy service and on-prem app.

Enumerate Application Proxies

. .\Get-MgApplicationProxyApplication.ps1
[+] Access token retrieved successfully.
Retrieving applications from Microsoft Graph...
[+] Successfully retrieved applications.

Application Proxy used by application: 'Finance Management System'
External URL: https://fms-defcorphq.msappproxy.net/
Internal URL: http://deffin-appproxy/
External Authentication Type: aadPreAuthentication

Script:

Get-MgApplicationProxyApplication.ps1
# This script is a part of Attacking and Defending Azure - Beginner's Edition course by Altered Security
# https://www.alteredsecurity.com/azureadlab

$token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/").Token

if (-not $token) {
    Write-Host "[+] Failed to retrieve access token." -ForegroundColor Red
    exit
} else {
    Write-Host "[+] Access token retrieved successfully." -ForegroundColor Green
}

$applicationsUrl = "https://graph.microsoft.com/beta/applications"

Write-Host "Retrieving applications from Microsoft Graph..." -ForegroundColor Cyan
$applications = Invoke-RestMethod -Uri $applicationsUrl -Headers @{ Authorization = "Bearer $token" }

if (-not $applications) {
	Write-Host "[-] No applications found or failed to retrieve applications." -ForegroundColor Red
    exit
} else {
    Write-Host "[+] Successfully retrieved applications." -ForegroundColor Green
}

foreach ($application in $applications.value) {
    $objectId = $application.id
    $displayName = $application.displayName

    try {
        $proxyUrl = "$applicationsUrl/$objectId/onPremisesPublishing"

        $proxyDetail = Invoke-RestMethod -Uri $proxyUrl -Method Get -Headers @{ Authorization = "Bearer $token" }

        if ($proxyDetail) {
			Write-Host ""
            Write-Host "Application Proxy used by application: '$displayName'" -ForegroundColor White
            Write-Host "External URL: $($proxyDetail.externalUrl)" -ForegroundColor White
            Write-Host "Internal URL: $($proxyDetail.internalUrl)" -ForegroundColor White
            Write-Host "External Authentication Type: $($proxyDetail.externalAuthenticationType)" -ForegroundColor White
        } else {
        }
    } catch {
    }
}

Vulnerabilities

Most applications behind a proxy are most-likely old or important applications. Web vulnerabilities do not magically go away, so if there is such a vulnerability in the web-app, it may be exploited.

☁️
  • Enumerate Application Proxies
  • Vulnerabilities