Hacking the Cloud: A Deep Dive into Azure Pentesting

Initially, we will be discussing the basics of how Azure assigns roles and how azure works.?

Azure is a cloud computing service operated by Microsoft for application management via Microsoft-managed data centers. It supports many languages, tools, and frameworks, including both Microsoft-specific and third-party software and systems.

Some Terminology Regarding Azure

• Tenant — An Instance of Azure AD and Representing a single Organization.
• Azure AD Directory — Each tenant has a dedicated Directory, This is used to perform identity and access management functions for resources.
• Subscriptions — It is used to pay for services. There can be multiple subscriptions in a directory.
• Core Domain — The initial domain name <tenant>.onmicrosoft.com is the core domain. It is possible to define custom domain names too.

Some Architecture regarding Azure.

Management Group

• Management Group is used to manage multiple subscriptions
• There is a single top-level management group — Root management group — for each active directory in azure

Subscriptions

• An Azure subscription is a billing and /or access control boundary in an Azure AD Directory
• An Azure AD Directory may have multiple subscriptions, but each subscription can only trust a single directory
• An Azure role applied at the subscription level applies to all the resources within the subscription

Resource Groups and Resources

• A resource is a deployable item in Azure like VMs, App Services, Storage Accounts etc.
• A resource group acts as a container for resources.
• A resource group has its own identity and access management settings for providing role based access. An Azure role applied to the resource group applied to all the resources in the group.

Azure RBAC Roles

• Azure RBAC roles (or simply Azure roles) provides access management for Azure resources using the authorization system of ARM
• There are over more than 120 built-in roles (more than 300 as per permissions.cloud) and we can define custom roles too.

Azure RBAC Assignment

• Security Principal — An Azure AD user, group, service principal or managed identity
• Role Definition — A collection of permission! This lists the actions a security principal can perform (or denied from performing) like read, write and delete.
• Scope-The resource where the role is applied to.

Azure AD Roles

• Azure AD roles are applicable on azure AD resources like users, groups, domain, licenses, etc
• There are many administrator roles in Azure AD. We can also define custom roles.
• Global administrator is the most well-known and all powerful administrator role.

You only know the domain name of a company that you will perform the penetration test, for example RetailCorp and Microsoft, based on this information, we can obtain some useful information from here. These are listed below;

• Tenant ID
• Tenant Name
• Domains
• Azure services (used by the organisation)
• Email IDs
• Valid/invalid Users
• Public Azure Blobs

Tenant Name

Tenant is represents an organization in Azure Active Directory and it’s an instance ID. You can query the validity of the user’s login information and tenant name on the following endpoint.

https://login.microsoftonline.com/[email protected]&xml=1

Tenant ID

https://login.microsoftonline.com/retailcorp.onmicrosoft.com/.well-known/openid-configuration

We can also use tools like AADInternals (https://github.com/Gerenios/AADInternals) for finding the above!
We can use MicroBuster to look for services used by RetailCorp.
Let us first find out the services used by the target tenant:

Domains

We can use the following commands to detect the subdomains of the domain on Azure.

Import-Module .\\AADInternals.psd1 -Verbose Get-AADIntTenantDomains -Domain microsoft.com

Email IDs

python.exe o365creeper.py -f emails.txt -o validemails.t

Azure services

Accessibility of which services using on Azure by Azure AD users must be checked. Depending on the determination of which services and memberships can be used, different attack surfaces can be created.

Import-Module MicroBurst-master\\Misc\\Invoke-EnumerateAzureSubDomains.ps1
Invoke-EnumerateAzureSubDomains -Base defcorphq -Verbose

Accessing to the Azure AD environment can be achieved in many ways. The main ones of them are given below

• Password Spraying / Brute Force Attack
• Web Application Vulnerabilities
• Public Azure Blobs
• Phishing Attacks

In this blog, we demonstrate how to gain initial access by leveraging publicly available Azure Blob storage.

Public Azure Blobs

• Blob storage is used to store unstructured data (like files, videos, audio etc.)
• There are three types of resources in blob storage;
• Storage account — Unique Namespace across Azure. Can be accessed over HTTP or HTTPS.
• Container in the storage account — ‘Folders’ in the storage account
• Blob in a container — Stores data . Three types of blobs — Block, Append and Page blobs.

• By default, Anonymous access is not allowed for storage accounts
• if ‘Allow Blob public access’ is allowed on the storage account , it is possible to configure anonymous/public read access to:
• Only the blobs inside containers. Listing of containers content is not allowed.
• Contents of container and blobs

Invoke-EnumerateAzureBlobs -Base retailcorp

This script will try to find the anonymous readable blobs/containers inside the domain.

There is a script available in a container called 'configuration'. Let's check out its contents!
The script seems to be a VM deployment script and it contains a username and password in clear-text in very first lines!

Stay tuned for the next part, where we'll dive into privilege escalation and lateral movement in Azure.