# ARM-scoped token (audience https://management.azure.com) and Microsoft Graph-scoped token (audience https://graph.microsoft.com), via az cli
az account get-access-token --resource https://management.azure.com --tenant $TENANT_ID
az account get-access-token --resource https://graph.microsoft.com --tenant $TENANT_ID
# The same two tokens via the Az PowerShell module
Get-AzAccessToken -ResourceUrl "https://management.azure.com" -TenantId $TENANT_ID
Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com" -TenantId $TENANT_ID
With these two tokens AzureHound can be run correctly: the token passed with -j must be scoped to the API the sub-command queries, i.e. the Graph token for Entra ID (az-ad) and the ARM token for Azure resources (az-rm).
# List everything
./azurehound -j $ACCESS_TOKEN list -t $TENANT_ID -o output.json
# Use the Graph-scoped token to enumerate Entra ID
./azurehound -j $ACCESS_TOKEN list az-ad -t $TENANT_ID -o output.json
# Use the ARM-scoped token to enumerate AzureRM resources
./azurehound -j $ACCESS_TOKEN list az-rm -t $TENANT_ID -o output.json
Generating ARM tokens from a Cloud Shell session causes problems: the tenant cannot be specified and the audience (aud claim) of the token is overwritten, so AzureHound rejects it or collects nothing. Generate the token from a regular az cli login instead so that the audience is set correctly, and verify the aud and tid claims of the token before using it.
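The following script is an added example (not from the original page or the AzureHound project) that puts the procedure together: it fetches the ARM- and Graph-scoped tokens with az cli, decodes each JWT's payload and checks that the aud and tid claims match the requested resource and tenant (catching the Cloud Shell audience problem described above before anything is sent to AzureHound), and then hands each token to the matching azurehound sub-command. The output file names, the jwt_claim/check_token/get_token helper names and the TENANT_ID variable are assumptions for this example; azurehound is assumed to be in the current directory as on the page.

```bash
#!/usr/bin/env bash
# Added example: obtain ARM and Graph tokens, verify their audience and tenant,
# then run AzureHound with the correctly scoped token per sub-command.
set -eu

# Decode the base64url-encoded payload (second dot-separated part) of a JWT
# and print the string value of one claim. Usage: jwt_claim "$TOKEN" aud
jwt_claim() {
    local token="$1" claim="$2"
    local payload
    payload="$(printf '%s' "$token" | cut -d. -f2 | tr '_-' '/+')"
    # base64url drops the '=' padding; restore it to a multiple of 4 chars
    while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
    printf '%s' "$payload" | base64 -d 2>/dev/null \
        | sed -n "s/.*\"${claim}\":\"\([^\"]*\)\".*/\1/p"
}

# Return 0 if the token was issued for the expected audience and tenant.
# A trailing slash on aud is tolerated because ARM tokens carry
# "https://management.azure.com/" while az cli is given the URL without it.
check_token() {
    local token="$1" expected_aud="$2" expected_tid="$3"
    local aud tid
    aud="$(jwt_claim "$token" aud)"
    tid="$(jwt_claim "$token" tid)"
    [ "${aud%/}" = "${expected_aud%/}" ] && [ "$tid" = "$expected_tid" ]
}

# Fetch a token for one resource from a normal az cli login (not Cloud Shell)
# and print only the raw JWT. TENANT_ID is assumed to hold the tenant GUID.
get_token() {
    az account get-access-token --resource "$1" --tenant "$TENANT_ID" \
        --query accessToken -o tsv
}

main() {
    local arm_token graph_token
    arm_token="$(get_token https://management.azure.com)"
    graph_token="$(get_token https://graph.microsoft.com)"

    # Refuse to continue if either token has the wrong aud or tid, which is
    # exactly what happens with tokens minted inside Cloud Shell.
    check_token "$arm_token" https://management.azure.com "$TENANT_ID" \
        || { echo "ARM token has wrong aud/tid; re-login with az cli, not Cloud Shell" >&2; exit 1; }
    check_token "$graph_token" https://graph.microsoft.com "$TENANT_ID" \
        || { echo "Graph token has wrong aud/tid; re-login with az cli, not Cloud Shell" >&2; exit 1; }

    # Each sub-command gets the token scoped to the API it talks to
    # (assumed output file names).
    ./azurehound -j "$graph_token" list az-ad -t "$TENANT_ID" -o entraid.json
    ./azurehound -j "$arm_token"   list az-rm -t "$TENANT_ID" -o azurerm.json
}

# Only run the collection when a tenant is given, so the helper functions can
# also be sourced and reused on their own.
if [ -n "${TENANT_ID:-}" ]; then
    main "$@"
fi
```

Run it as `TENANT_ID=<tenant-guid> ./collect.sh` after `az login`; if a token fails the aud/tid check the script stops before calling azurehound, which is the quickest way to tell a mis-scoped Cloud Shell token apart from a genuine permissions problem.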