top of page
Writer's picturesandeepseeram

Azure Pentesting

This article is for educational purposes only, though Microsoft Azure encourages customers to pentest applications on the azure platform without any notification process. DOS and DDOS attack simulations are not allowed – in case as a customer, you want to simulate a DOS, DDOS attack on your application in Azure use breakingpoint cloud.


Stage: Recon

Use Case: As a Cloud Pentester, if you want to find if a particular target company is using Azure AD


https://login.microsoftonline.com/getuserrealm.srflogin=username@COMPANYNAME.onmicrosoft.com&xml=1

Replace the COMPANYNAME with the target company and execute in a browser – if the xml output NameSpaceType shows as Managed – then the company is using Azure AD.


Example of a company not using Azure AD.


Example of a company using Azure AD.


Azure Pentesting Stages:

1. Defining Scope of your Pentest

2. Build an Attacker and Target VM’s

3. Enumeration – Listing all the resources running in a target Azure Subscription

4. Information Gathering – Document all your Pentests with information gathered

5. Lateral Movement

6. Exploitation

7. Documentation


Attacker VM

Build an Ubuntu VM as Attacker VM, this virtual machine will be used to install enumeration, information gathering, exploitation tools required to attack the target VM and environment.

Install the Kali Linux components on this VM



Enumeration Tools

  • CloudBrute – Tool to find a cloud infrastructure of a company on top Cloud providers. It’s built on Go and easy to install and run scans against various targets across Azure, AWS, GCP, Digital Ocean etc... But you need to get your IPINFO API key setup CloudBrute.

Scenario: You are acting as an External Pentester and you want to enumerate/recon on what cloud service providers (CSP) your target company is using, this is where cloudburst can help. Cloud Detection tool to make it simple.

  • cloud_enum - Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud

Python program multi-cloud enumeration. It helps to enumerate AWS, Azure and Google Cloud resources. Simple but very powerful tool.

Screenshot showing docker.com AWS checks and Protected AWS S3 Buckets for example:



  • Azucar - Security auditing tool for Azure environments

  • CrowdStrike Reporting Tool for Azure (CRT) - Query Azure AD/O365 tenants for hard-to-find permissions and configuration settings

  • ScoutSuite - Multi-cloud security auditing tool. Security posture assessment of different cloud environments.

  • BlobHunter - A tool for scanning Azure blob storage accounts for publicly opened blobs

Information Gathering

  • o365recon - Information gathering with valid credentials to Azure

  • Get-MsolRolesAndMembers.ps1 - Retrieve list of roles and associated role members

  • PowerZure - PowerShell framework to assess Azure security

  • Azurite - Enumeration and reconnaissance activities in the Microsoft Azure Cloud

  • Sparrow.ps1 - Helps to detect possible compromised accounts and applications in the Azure/M365 environment

  • Hawk - PowerShell based tool for gathering information related to O365 intrusions and potential breaches

Lateral Movement

  • Stormspotter - Azure Red Team tool for graphing Azure and Azure Active Directory objects

  • AzureADLateralMovement - Lateral Movement graph for Azure Active Directory

  • SkyArk - Discover, assess and secure the most privileged entities in Azure and AWS

Exploitation

  • MicroBurst - A collection of scripts for assessing Microsoft Azure security


860 views

Recent Posts

See All

Comments


Commenting has been turned off.
bottom of page