This article is for educational purposes only, though Microsoft Azure encourages customers to pentest their applications on the Azure platform without any notification process. DoS and DDoS attack simulations are not allowed; if, as a customer, you want to simulate a DoS or DDoS attack on your application in Azure, use BreakingPoint Cloud.
Stage: Recon
Use Case: As a cloud pentester, you want to find out whether a particular target company is using Azure AD.
https://login.microsoftonline.com/getuserrealm.srf?login=username@COMPANYNAME.onmicrosoft.com&xml=1
Replace COMPANYNAME with the target company's name and open the URL in a browser. If NameSpaceType in the XML output shows Managed, the company is using Azure AD.
Example of a company not using Azure AD.
Example of a company using Azure AD.
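The check described above, as an added example that is not code from the original article: it builds the lookup URL and reads NameSpaceType from the XML response, run here offline on constructed sample responses. The function names, the sample XML and every element name other than NameSpaceType are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

ENDPOINT = "https://login.microsoftonline.com/getuserrealm.srf"

def realm_url(company: str, user: str = "username") -> str:
    """Build the article's lookup URL for COMPANYNAME.onmicrosoft.com."""
    # Assumption: limit the name to letters, digits and hyphens so nothing
    # unexpected ends up in the query string.
    if not re.fullmatch(r"[A-Za-z0-9-]+", company):
        raise ValueError(f"unexpected company name: {company!r}")
    query = urlencode({"login": f"{user}@{company}.onmicrosoft.com", "xml": "1"})
    return f"{ENDPOINT}?{query}"

def parse_realm(xml_text: str) -> dict:
    """Return NameSpaceType and the article's verdict for one XML response."""
    # Refuse DTD/entity declarations before handing remote XML to the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("refusing XML with DTD/entity declarations")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    ns_type = (root.findtext("NameSpaceType") or "").strip()
    if not ns_type:
        raise ValueError("response has no NameSpaceType element")
    return {
        "namespace_type": ns_type,
        "domain": (root.findtext("DomainName") or "").strip(),
        "uses_azure_ad": ns_type == "Managed",  # the article's criterion
    }

# Constructed sample responses (not captured from a real tenant).
SAMPLE_MANAGED = """<RealmInfo Success="true">
  <Login>username@contoso-example.onmicrosoft.com</Login>
  <NameSpaceType>Managed</NameSpaceType>
  <DomainName>contoso-example.onmicrosoft.com</DomainName>
</RealmInfo>"""
SAMPLE_OTHER = """<RealmInfo Success="true">
  <Login>username@no-such-tenant.onmicrosoft.com</Login>
  <NameSpaceType>Unknown</NameSpaceType>
</RealmInfo>"""

if __name__ == "__main__":
    print(realm_url("contoso-example"))
    for sample in (SAMPLE_MANAGED, SAMPLE_OTHER):
        print(parse_realm(sample))
```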
Azure Pentesting Stages:
1. Defining Scope of your Pentest
2. Build Attacker and Target VMs
3. Enumeration – Listing all the resources running in a target Azure Subscription
4. Information Gathering – Document all your Pentests with information gathered
5. Lateral Movement
6. Exploitation
7. Documentation
Attacker VM
Build an Ubuntu VM as the Attacker VM. This virtual machine will be used to install the enumeration, information gathering and exploitation tools required to attack the target VM and environment.
Install the Kali Linux components on this VM.
Enumeration Tools
CloudBrute – Tool to find a company's cloud infrastructure on the top cloud providers. It's built in Go and is easy to install and run scans with against various targets across Azure, AWS, GCP, Digital Ocean etc. However, you need an IPINFO API key to set up CloudBrute.
Scenario: You are acting as an external pentester and you want to enumerate/recon which cloud service providers (CSPs) your target company is using. This is where CloudBrute can help: it is a cloud detection tool that makes this simple.
cloud_enum - Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud
A Python program for multi-cloud enumeration. It helps to enumerate AWS, Azure and Google Cloud resources. A simple but very powerful tool.
Screenshot showing docker.com AWS checks and Protected AWS S3 Buckets for example:
Azucar - Security auditing tool for Azure environments
CrowdStrike Reporting Tool for Azure (CRT) - Query Azure AD/O365 tenants for hard-to-find permissions and configuration settings
ScoutSuite - Multi-cloud security auditing tool. Security posture assessment of different cloud environments.
BlobHunter - A tool for scanning Azure blob storage accounts for publicly opened blobs
Information Gathering
o365recon - Information gathering with valid credentials to Azure
Get-MsolRolesAndMembers.ps1 - Retrieve list of roles and associated role members
PowerZure - PowerShell framework to assess Azure security
Azurite - Enumeration and reconnaissance activities in the Microsoft Azure Cloud
Sparrow.ps1 - Helps to detect possible compromised accounts and applications in the Azure/M365 environment
Hawk - PowerShell based tool for gathering information related to O365 intrusions and potential breaches
Lateral Movement
Stormspotter - Azure Red Team tool for graphing Azure and Azure Active Directory objects
AzureADLateralMovement - Lateral Movement graph for Azure Active Directory
SkyArk - Discover, assess and secure the most privileged entities in Azure and AWS
Exploitation
MicroBurst - A collection of scripts for assessing Microsoft Azure security