Categories
Cyber Security

PWK – NMAP

Bulk Scanning, Finding Victims

I am currently reading up on NMAP (Network Mapper) as I prepare for my Offensive Security Certified Professional (PWK OSCP). I will definitely be writing further blog posts on this subject, but I found this tidbit extremely useful.

Scan the entire subnet to find the DNS server. Once you have the DNS server, you can leverage it to get the hostnames on your scans as well:

nmap --top-ports 10 --open --dns-server 10.11.1.??? -oA nmap/top10_all_hosts  10.11.1.0/24

This will help you better understand some of the relationships between the machines. It’s also a great way of finding the hard boxes (the “big four”) right away in the OSCP exam.


Office365 & Azure Scanning

Frustrations

Nessus is capable of scanning Office 365 and Azure tenancies against a given known baseline. However, due to a lack of good documentation, setting up the credentials was tricky and resolving the below errors was even trickier.

"{
  \"error\": {
    \"code\": \"Authorization_RequestDenied\",
    \"message\": \"Insufficient privileges to complete the operation.\",
    \"innerError\": {
      \"request-id\": \"7b4216bf-329b-42b7-9b03-bb441697d814\",
      \"date\": \"2019-11-25T10:41:46\"
    }
  }
}"

Fortunately, the people over at Astrix have found the solution and written a great guide. To preserve this guide and update it as necessary, I have included it below:

Step 1 – Create Azure user Account

At https://portal.office.com/adminportal/home#/users, create a simple user account for Nessus. No administrative roles are required.

Make a note of the username and password.

Step 2 – Create an Azure Registered App

At https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps, select New registration → enter a name such as Nessus → select Register.

In Overview, make a note of the Application (client) ID.

Step 3 – Generate the Azure App Client Secret

In Certificates & secrets, select New client secret → enter a name such as Nessus - <hostname> → select Add.

Make a note of the value.

Step 4 – Grant Azure App Admin Roles

Using a Microsoft web browser (yes, really), browse to either https://outlook.office365.com/ecp/hybrid or https://cmdletpswmodule.blob.core.windows.net/exopsmodule/Microsoft.Online.CSE.PSModule.Client.application then install the Exchange Online PowerShell Module.

Once the Exchange Online PowerShell Module is installed, open it and execute the following commands:

Connect-MsolService;

$displayName = "<Azure registered app name>";

$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId;

$roleName_companyAdmin = "Company Administrator";

Add-MsolRoleMember -RoleName $roleName_companyAdmin -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId;

$roleName_userAdmin = "User Account Administrator";

Add-MsolRoleMember -RoleName $roleName_userAdmin -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId;

Step 5 – Configure the Scan

Create an Audit Cloud Infrastructure compliance scan and configure it with the Office 365 credentials that you generated in the previous steps.
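
A check to run between Step 4 and Step 5, added here as an example and not part of the original guide: it confirms that exactly one service principal carries the registered app's name and that both roles from Step 4 are assigned to it. It assumes the MSOnline cmdlets used in Step 4 and an account that can read directory roles; Test-ScanAppRoles is a hypothetical helper name.

```powershell
# Added example: verify the role assignments made in Step 4 before running the scan.
# Assumes the same MSOnline session as Step 4. Test-ScanAppRoles is a hypothetical
# helper name, not a cmdlet from any module.
function Test-ScanAppRoles {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string[]] $RoleNames = @('Company Administrator', 'User Account Administrator')
    )

    # -SearchString matches display names that START WITH the string, so a short
    # name such as "Nessus" can return several service principals. Step 4 would
    # then put an array in $objectId. Require one exact match instead.
    $candidates = @(Get-MsolServicePrincipal -SearchString $DisplayName |
                    Where-Object { $_.DisplayName -eq $DisplayName })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one service principal named '$DisplayName', found $($candidates.Count)."
    }
    $sp = $candidates[0]

    foreach ($roleName in $RoleNames) {
        $role = Get-MsolRole -RoleName $roleName
        if (-not $role) {
            throw "Role '$roleName' was not found in this tenant."
        }

        # List every member of the role and look for this service principal.
        $assigned = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
                      Where-Object { $_.ObjectId -eq $sp.ObjectId }).Count -gt 0

        [pscustomobject]@{
            ServicePrincipal = $sp.DisplayName
            AppPrincipalId   = $sp.AppPrincipalId   # should equal the Application (client) ID from Step 2
            Role             = $roleName
            Assigned         = $assigned
        }
    }
}

Connect-MsolService
Test-ScanAppRoles -DisplayName '<Azure registered app name>' | Format-Table -AutoSize
```

A row with Assigned set to False means that role was not applied to the app, which is one cause to rule out for the Authorization_RequestDenied response shown earlier. Company Administrator is the tenant's global administrator role, so the same Get-MsolRoleMember listing is worth reviewing to see which principals hold it.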