Azure DevOps Services Attack Toolkit – ADOKit is a toolkit that can be used to attack Azure DevOps Services by taking advantage of the available REST API. The tool allows the user to specify an attack module, along with specifying valid credentials (API key or stolen authentication cookie) for the respective Azure DevOps Services instance. The attack modules supported include reconnaissance, privilege escalation and persistence. ADOKit was built in a modular approach, so that new modules can be added in the future by the information security community.
Full details on the techniques used by ADOKit are in the X-Force Red whitepaper.
The below 3rd party libraries are used in this project.
Take the below steps to setup Visual Studio in order to compile the project yourself. This requires two .NET libraries that can be installed from the NuGet package manager.
https://api.nuget.org/v3/index.json
Install-Package Costura.Fody -Version 3.3.3
Install-Package Newtonsoft.Json
Below are the authentication options you have with ADOKit when authenticating to an Azure DevOps instance.
UserAuthentication
cookie on a user’s machine for the .dev.azure.com
domain. /credential:UserAuthentication=ABC123
/credential:apiToken
The below table shows the permissions required for each module.
Attack Scenario | Module | Special Permissions? | Notes |
---|---|---|---|
Recon | check | No | |
Recon | whoami | No | |
Recon | listrepo | No | |
Recon | searchrepo | No | |
Recon | listproject | No | |
Recon | searchproject | No | |
Recon | searchcode | No | |
Recon | searchfile | No | |
Recon | listuser | No | |
Recon | searchuser | No | |
Recon | listgroup | No | |
Recon | searchgroup | No | |
Recon | getgroupmembers | No | |
Recon | getpermissions | No | |
Persistence | createpat | No | |
Persistence | listpat | No | |
Persistence | removepat | No | |
Persistence | createsshkey | No | |
Persistence | listsshkey | No | |
Persistence | removesshkey | No | |
Privilege Escalation | addprojectadmin | Yes – Project Administrator , Project Collection Administrator or Project Collection Service Accounts | |
Privilege Escalation | removeprojectadmin | Yes – Project Administrator , Project Collection Administrator or Project Collection Service Accounts | |
Privilege Escalation | addbuildadmin | Yes – Project Administrator , Project Collection Administrator or Project Collection Service Accounts | |
Privilege Escalation | removebuildadmin | Yes – Project Administrator , Project Collection Administrator or Project Collection Service Accounts | |
Privilege Escalation | addcollectionadmin | Yes – Project Collection Administrator or Project Collection Service Accounts | |
Privilege Escalation | removecollectionadmin | Yes – Project Collection Administrator or Project Collection Service Accounts | |
Privilege Escalation | addcollectionbuildadmin | Yes – Project Collection Administrator or Project Collection Service Accounts | |
Privilege Escalation | removecollectionbuildadmin | Yes – Project Collection Administrator or Project Collection Service Accounts | |
Privilege Escalation | addcollectionbuildsvc | Yes – Project Collection Administrator , Project Colection Build Administrators or Project Collection Service Accounts | |
Privilege Escalation | removecollectionbuildsvc | Yes – Project Collection Administrator , Project Colection Build Administrators or Project Collection Service Accounts | |
Privilege Escalation | addcollectionsvc | Yes – Project Collection Administrator or Project Collection Service Accounts | |
Privilege Escalation | removecollectionsvc | Yes – Project Collection Administrator or Project Collection Service Accounts | |
Privilege Escalation | getpipelinevars | Yes – Contributors or Readers or Build Administrators or Project Administrators or Project Team Member or Project Collection Test Service Accounts or Project Collection Build Service Accounts or Project Collection Build Administrators or Project Collection Service Accounts or Project Collection Administrators | |
Privilege Escalation | getpipelinesecrets | Yes – Contributors or Readers or Build Administrators or Project Administrators or Project Team Member or Project Collection Test Service Accounts or Project Collection Build Service Accounts or Project Collection Build Administrators or Project Collection Service Accounts or Project Collection Administrators | |
Privilege Escalation | getserviceconnections | Yes – Project Administrator , Project Collection Administrator or Project Collection Service Accounts |
Perform authentication check to ensure that organization is using Azure DevOps and that provided credentials are valid.
Provide the check
module, along with any relevant authentication information and URL. This will output whether the organization provided is using Azure DevOps, and if so, will attempt to validate the credentials provided.
ADOKit.exe check /credential:apiKey /url:https://dev.azure.com/organizationName
ADOKit.exe check /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName
C:\>ADOKit.exe check /credential:apiKey /url:https://dev.azure.com/YourOrganization
==================================================
Module: check
Auth Type: API Key
Search Term:
Target URL: https://dev.azure.com/YourOrganization
Timestamp: 3/28/2023 3:33:01 PM
==================================================
[*] INFO: Checking if organization provided uses Azure DevOps
[+] SUCCESS: Organization provided exists in Azure DevOps
[*] INFO: Checking credentials provided
[+] SUCCESS: Credentials provided are VALID.
3/28/23 19:33:02 Finished execution of check
For more click here.
Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
If you are working with Linux or writing bash scripts, one of the most common…
What is a bash case statement? A bash case statement is a way to control…
Why Do We Check Files in Bash? When writing a Bash script, you often work…