Hi!
Yesterday, I had the privilege to give a talk about an introduction of Azure Pentesting.
Slides (in English)
En cours de chargement…
Recharger le document 
Ouvrir dans un nouvel onglet Video (in French)
Maxime.
En cours de chargement…
Catégorie : Azure (Page 22 of 112)
En cours de chargement…
Hi!
In this article, I will show you how you can exploit a virtual machine associated with a Managed Identity. To leverage this attack, we will use the LAVA – Azure Exploitation framework.
In the first step, we will execute a command to list all the machines hosted in the Azure subscription. The goal of this action is to identity which machine is configured with a Managed Identity. In the example below, we can see the virtual machine max01 configured with a Managed Identity (SystemAssigned).
In the second step, we can see the virtual machine max01 associated with a privilege role. In this example, the privileged role associated with the identity of the max01 virtual machine is owner of the Azure subscription!
In the third step, we will leverage the « Run Command » feature, to execute a call to the metadata endpoint and retrieve the access token used by the Managed Identity feature. By default all the commands executed with the « Run Command » feature are executed as root!
In the last step of this article, we will use the token retrieved during the third step and usurp the identity of the virtual machine max01 to run a command to list the subscriptions or the ressource groups. With the owner role associated to the managed identity, a malicious attacker could leverage this attack to create, modify or delete any resources hosted in this Azure Subscription.
Maxime.
Hi!
In this article, I will show you how you can leverage the MicroBurst tool to anonymously enumerating Azure Services.
Please find below a list of DNS suffixes associated with the Azure Services:
| DNS Suffix | Associated Azure Service |
| file.core.windows.net | Storage Accounts – Files |
| blob.core.windows.net | Storage Accounts – Blobs |
| queue.core.windows.net | Storage Accounts – Queues |
| table.core.windows.net | Storage Accounts – Tables |
| azurewebsites.net | App Services and Function app |
| scm.azurewebsites.net | App Services – Management |
| database.windows.net | Databases – MSSQL |
| documents.azure.com | Databases – Cosmos DB |
| azurecontainer.io | Container Instances |
| azurecr.io | Container Registry |
| redis.cache.windows.net | Redis |
| azureedge.net | CDN |
| search.windows.net | Search Appliance |
| azure-api.net | API Services |
| cloudapp.azure.com | Customer-assigned public IP DNS |
| vault.azure.net | Key Vault |
To conduct this enumeration, we will use the MicroBurst tool.
git clone https://github.com/NetSPI/MicroBurst.git
Import-Module .\MicroBurst.psm1
Invoke-EnumerateAzureSubDomains -Base yourkeyword (you can also add a list of permutations with the parameter -Permutations ".\permutations.txt")
Maxime.