Getting Started in Pentesting the Cloud: Azure

© Black Hills Information Security
@BHInfoSecurity
Getting
Started in
Pentesting the
Cloud: Azure

@BHInfoSecurity
Beau Bullock
@dafthack
• Pentester / Red Team at Black Hills Information Security
• Author / Instructor of Breaching the Cloud Training
• Certs: OSCP
, OSWP
, GXPN, GPEN, GWAPT, GCIH, GCIA,
GCFA, GSEC
• Speaker: WWHF, DerbyCon, Black Hat Arsenal, BSides,
Hack Miami, RVASec
• Tool Developer: MailSniper, PowerMeta,
DomainPasswordSpray, MSOLSpray, HostRecon, Check-
LocalAdminHash, MFASweep
• Cyberpunk Synthwave Metal Producer (NOBANDWIDTH)
2
@BHInfoSecurity

@BHInfoSecurity
Roadmap
• Identifying Attack Surface
• Recon & External Attacks
• Authentication
• Post-Compromise
• Azure Subscription Hierarchy
• Resource-Specific Issues
• Leveraging Scanning Tools
3
@BHInfoSecurity

@BHInfoSecurity
Why Azure?
• Extremely popular for productivity
and compute resources
• Hybrid environments make cloud to
on-prem pivoting possible
• Publicly accessible authentication
• More SharePoint usage facilitates
accessibility to sensitive data
• Azure Pentesting techniques apply to
multiple different types of
engagements (Red Team, External,
Assumed Compromise, WebApps,
etc.)

@BHInfoSecurity
Identifying Attack Surface
5

@BHInfoSecurity
Identifying
Attack
Surface
• External
• Unauthenticated
• Attacking public resources
• Internal (Resource access)
• Testing internal cloud resources from
another resource such as a VM
• Internal (API access)
• Authenticated
• Identify vulnerabilities via API calls &
configuration analysis

@BHInfoSecurity
Azure RM
vs
Microsoft 365
• Azure Resource Manager
• Subscriptions and Resources
• VMs
• Databases
• Storage
• Serverless
• Many more…
• Microsoft 365
• Productivity
• Outlook
• SharePoint
• Teams

@BHInfoSecurity
Recon & External Attacks
8

@BHInfoSecurity
Recon: Cloud Asset Discovery
• Identify Microsoft 365 Usage
• https://login.microsoftonline.com/getuserrealm.srf?login=username@a
cmecomputercompany.com&xml=1
• https://login.microsoftonline.com/<target domain>/v2.0/.well-
known/openid-configuration
9

@BHInfoSecurity
Recon: User Enumeration
• User enumeration on Azure can be performed at
https://login.Microsoft.com/common/oauth2/token
• This endpoint tells you if a user exists or not
• Detect invalid users while password spraying with:
• https://github.com/dafthack/MSOLSpray
• May be able to enumerate users via OneDrive
• https://github.com/nyxgeek/onedrive_user_enum
10

@BHInfoSecurity
Data in Public Azure Blobs
• Microsoft Azure Storage is like Amazon S3
• Blob storage is for unstructured data
• Containers and blobs can be publicly
accessible via access policies
• Predictable URL’s at core.windows.net
• storage-acct-name.blob.core.windows.net
• storage-acct-name.file.core.windows.net
• storage-acct-name.table.core.windows.net
• storage-acct-name.queue.core.windows.net
11

@BHInfoSecurity
Data in Public Azure Blobs
• The “Blob” access policy means
anyone can anonymously read
blobs, but can’t list the blobs in
the container
• The “Container” access policy
allows for listing containers and
blobs
12

@BHInfoSecurity
Cloud_enum
• Cloud_enum from Chris Moberly (@initstring)
• https://github.com/initstring/cloud_enum
• Awesome tool for scanning Azure, AWS, & GCP for buckets and more
• Enumerates:
• GCP open and protected buckets as well as Google App Engine sites
• Azure storage accounts, blob containers, hosted DBs, VMs, and WebApps
• AWS open and protected buckets
13

@BHInfoSecurity
Password Attacks
• Password Spraying
• Trying one password for every
user at an org to avoid account
lockouts
• Most systems have some sort of
lockout policy
• Example: 5 attempts in 30 mins = lockout
• If we attempt to auth as each
individual username one time
every 30 mins we lockout
nobody
14

@BHInfoSecurity
Password Attacks
• Can use MSOLSpray to spray Azure users
• The script logs:
• If a user cred is valid
• If MFA is enabled on the account
• If a tenant doesn't exist
• If a user doesn't exist
• If the account is locked
• If the account is disabled
• If the password is expired
15

@BHInfoSecurity
Password
Protection &
Smart
Lockout
• Azure Password Protection
• Prevents users from picking passwords
with certain words like seasons, company
name, etc.
• Azure Smart Lockout
• Locks out auth attempts whenever brute
force or spray attempts are detected
• Can be bypassed with FireProx +
MSOLSpray
• https://github.com/ustayready/fireprox
16

@BHInfoSecurity
Authentication
17

@BHInfoSecurity
Azure
Authentication
• More ways to authenticate to cloud
providers than just username and
password
• API's, certificates, and more
• Multi-Factor settings might differ for things
like service accounts or those that
authenticate with certs
• Sometimes keys get posted publicly with
code to repos
• Finding authentication points is a key first
step

@BHInfoSecurity
Cloud Authentication Methods
• Forms of authentication to consider…
• Password Hash Synchronization
• Pass Through Authentication
• Active Directory Federation Services (ADFS)
• Certificate-based auth
• Conditional access policies
• Long-term access tokens
• Legacy authentication portals
19

@BHInfoSecurity
Password Hash Synchronization
• Azure AD Connect
• On-prem service
synchronizes hashed
user credentials to Azure
• User can authenticate
directly to Azure
services like O365 with
their internal domain
credential
20

@BHInfoSecurity
Pass-Through Authentication
• Credentials stored
only on-prem
• On-prem agent
validates
authentication
requests to Azure
AD
• Allows SSO to other
Azure apps without
creds stored in
cloud
21

@BHInfoSecurity
Active Directory
Federation Services
• Credentials stored only
on-prem
• Federated trust is setup
between Azure and on-
prem AD to validate auth
requests to the cloud
• For password attacks you
would have to auth to
the on-prem ADFS portal
instead of Azure
endpoints
22

@BHInfoSecurity
Conditional Access Policies &
MFA
23

@BHInfoSecurity
Microsoft
MFA
• Microsoft 365 and Azure have built-in MFA
options
• Free Microsoft accounts can use the MFA
features
• Microsoft MFA verification options:
• Microsoft Authenticator app
• OAUTH Hardware token
• SMS
• Voice call

@BHInfoSecurity
Security Defaults
• Security Defaults is an Azure AD setting that helps protect
accounts by:
• Requires all users register for MFA
• Blocks legacy auth protocols (EWS, IMAP
, etc.)
• Requires MFA during auth when necessary
• Protects privileged activities like access to Azure portal
• These are great settings to have but sometimes more granular
options are necessary.
• Conditional Access Policies are more advanced, but Security
Defaults must be disabled to use them.
25

@BHInfoSecurity
Conditional Access Policies
• Fine-grained controls for access to resources and when/where
MFA is applied
• Can be built around different scenarios such as:
• The user, location they are coming from, device they are using, their
“real-time risk” level, and more
26

@BHInfoSecurity
Legacy Auth
• Legacy Authentication – SMTP
, IMAP
, EAS,
EWS, POP3, etc.
• Sometimes employees need access to
legacy portals (ex. Outlook for Mac)
• These can be completely blocked with
conditional access policies
• Note that Exchange ActiveSync has its own
checkbox
• Legacy auth End of Life pushed back to 2nd
half of 2021
27

@BHInfoSecurity
Device Platforms
28

@BHInfoSecurity
Device Platforms
• Authentication without a mobile user agent and with
29

@BHInfoSecurity
MFASweep
• Tool to help find inconsistencies in
Microsoft MFA deployments
• Microsoft Graph API
• Azure Service Management API
• Microsoft 365 Exchange Web Services
• Microsoft 365 Web Portal
• Microsoft 365 Web Portal Using a Mobile User
Agent
• Microsoft 365 Active Sync
• ADFS
• https://github.com/dafthack/MFASweep
30

@BHInfoSecurity
MFASweep
• To run MFASweep all you need is a set of credentials you want to
test
• WARNING: This script attempts to log in to the provided account
SIX (6) different times (7 if you include ADFS). If you enter an
incorrect password, this may lock the account out.
• Import MFASweep into a PowerShell session
Import-Module MFASweep.ps1
• Run the Invoke-MFASweep module with the credentials
Invoke-MFASweep -Username targetuser@targetdomain.com -Password
Winter2020
31

@BHInfoSecurity
MFASweep
• Can also check ADFS
• For more information check out the blog post here:
https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/
32

@BHInfoSecurity
Post Compromise
33

@BHInfoSecurity
Post-
Compromise
Recon
• Who do we have access as?
• What roles do we have?
• Is MFA enabled?
• What can we access (webapps, storage,
etc.?)
• Who are the admins?
• How are we going to escalate to admin?
• Any security protections in place (ATP
,
GuardDuty, etc.)?

@BHInfoSecurity
Azure Portal
• Standard users can access Azure domain information and isn’t
usually locked down
• Authenticated users can go to portal.azure.com and click
Azure Active Directory
• O365 Global Address List has this info as well
• Even if portal is locked down PowerShell cmdlets will still likely
work
• There is a company-wide setting that locks down the entire
org from viewing Azure info via cmd line:
• Set-MsolCompanySettings –UsersPermissionToReadOtherUsersEnabled $false
35

@BHInfoSecurity
Command
Line Access
• PowerShell Modules
• Az
• AzureAD & MSOnline
• Azure Cross-platform CLI Tools (az cli)
• Linux and Windows clients
• CloudPentestCheatsheets
• https://github.com/dafthack/CloudPentes
tCheatsheets

@BHInfoSecurity
Azure Subscription Hierachy
37

@BHInfoSecurity
Subscriptions
• Organizations can have multiple subscriptions
38

@BHInfoSecurity
Subscriptions
• A good first step is to determine what
subscription you are in
• The subscription name is usually
informative
• It might have “Prod”, or “Dev” in the title
• Multiple subscriptions can be under the
same Azure AD directory (tenant)
• Each subscription can have multiple
resource groups
39

@BHInfoSecurity
Roles
• Built-In Azure Subscription Roles
• Owner (full control over resource)
• Contributor (All rights except the ability to change permissions)
• Reader (can only read attributes)
• User Access Administrator (manage user access to Azure resources)
40

@BHInfoSecurity
Resource-Specific Issues
41

@BHInfoSecurity
Serverless
Environment
Variables
• Azure Functions – Serverless apps in Azure
• Secrets should be called from Key Vaults
• Sometimes plaintext values get added
as environment vars or within source
code as connection strings
• Reader level access to Functions allows
viewing

@BHInfoSecurity
Instance Metadata Service
• Cloud servers need a way to orient themselves because of how
dynamic they are
• A “Metadata” endpoint was created and hosted on a non-
routable IP address at 169.254.169.254
• Can contain access/secret keys to AWS and IAM credentials
• This should only be reachable from the localhost
• Server compromise or SSRF vulnerabilities might allow remote
attackers to reach it
43
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/

@BHInfoSecurity
Azure AD User Attributes
• User attributes and sensitive information
• Very often find credentials in description or comment fields
• Use this one-liner to search every Azure AD user field for
passwords
PS> $users = Get-MsolUser; foreach($user in $users){$props =
@();$user | Get-Member | foreach-object{$props+=$_.Name};
foreach($prop in $props){if($user.$prop -like "*password*"){Write-
Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " +
$user.$prop)}}}
44

@BHInfoSecurity
Service Principal Hijacking
• There are over 200 default service
principals in an O365 tenant
• None of them are listed in the Azure
GUI portal
• They all have varying levels of
permissions through Microsoft Graph
• An “Application Administrator” can
change passwords or certificates for
service principals… even the default
ones
45

@BHInfoSecurity
Key Vaults
• Azure Key Vault
• Vault for storing passwords and other secrets
• Other cloud apps and services can use these
• Easily store and manage SSL/TLS certs
• By default only the owner of the key vault can access the keys
• Contributors over key vault resources can give themselves access
46

@BHInfoSecurity
Microsoft 365 Compliance Search
• Microsoft 365 Compliance Search
• https://protection.office.com
• Must be a member of “eDiscovery Manager” role group in
Security & Compliance Center (Administrator, compliance officer,
or eDiscover manager)
• Search and report across all Microsoft 365 services
• Exchange Email
• Skype for Business
• Teams messages
• SharePoint Sites
• OneDrive Accounts
• And more…
47

@BHInfoSecurity
Leveraging Scanning Tools
48

@BHInfoSecurity
Leveraging
Scanning
Tools
• How can automation help?
• Manual inspection of cloud resources is likely a
good starting point to be less noisy but
scanning can help expedite vulnerability
discovery
• Quickly assess cloud environments for
common security issues
• IAM permissions
• Public accessibility of resources
• VM/Instance storage encryption
• Network ingress/egress rules
• Serverless
• VM metadata
• …and more

@BHInfoSecurity
Scanning with
ScoutSuite
• ScoutSuite by NCC Group - Multi-Cloud Auditing Tool
• https://github.com/nccgroup/ScoutSuite
• Support for the following cloud providers:
• Amazon Web Services
• Microsoft Azure
• Google Cloud Platform
• Alibaba Cloud (alpha)
• Oracle Cloud Infrastructure (alpha)
50

@BHInfoSecurity
Tools
• Additional tools to help automate post-
compromise
• ROADTools
• https://github.com/dirkjanm/ROADtools
• PowerZure
• https://github.com/hausec/PowerZure
• MicroBurst
• https://github.com/NetSPI/MicroBurst
• Stormspotter
• https://github.com/Azure/Stormspotter
• AzureHound
• https://github.com/BloodHoundAD/AzureHo
und

@BHInfoSecurity
Key Takeaways
1. Reconnaissance is key to understanding cloud asset usage
2. Cloud attack surface enables multiple ways to gain access
3. Configuration of cloud resources is a wild west and changes daily
4. Key methods for gaining a foothold include:
1. Key disclosure in repos
2. Password attacks
3. Phishing
4. Remote code execution
5. Situational awareness will help drive decisions post-compromise
52

@BHInfoSecurity
The End
• Follow me on Twitter
• Beau Bullock - @dafthack
• Breaching the Cloud Training
• https://wildwesthackinfest.com/training
/breaching-the-cloud-beau-bullock/
• Black Hills Information Security
• https://www.blackhillsinfosec.com
• @BHInfoSecurity
53

Getting Started in Pentesting the Cloud: Azure

More Related Content

What's hot (20)

Similar to Getting Started in Pentesting the Cloud: Azure (20)

More from Beau Bullock (13)

Recently uploaded (20)

Getting Started in Pentesting the Cloud: Azure