Gathering Subscription access information with PowerZure
Eng Soon Cheah
Posted on March 31, 2022
*Test at your own risk
1. In an Az PowerShell module-authenticated PowerShell session on your machine, download PowerZure using the following commands:
PS C:\> cd C:\Users\$env:USERNAME
PS C:\> git clone https://github.com/hausec/PowerZure.git
2. Import the PowerZure module into your PowerShell session with the following commands. If prompted to install the Azure AD module, type Y and press Enter. Close and re-open the PowerShell console:
3. If you installed the Azure AD module, open a new PowerShell session and use the following commands to re-import PowerZure into the PowerShell console:
PS C:\> cd C:\Users\$env:USERNAME\PowerZure
PS C:\> Import-Module .\PowerZure.ps1
After the module is imported, it lists your current role (Reader) and the available subscriptions. This is useful reconnaissance information:
- AADRoles: Shows the role that the current user is assigned in Azure AD
- AzureRoles: Shows the Azure RBAC role assignments and scopes for the user.
- Available Subscriptions: Shows the subscriptions that the user has some level of permission to. This information is useful to see whether there are opportunities to move laterally to other subscriptions using this user account.
4. To see a list of all the available functions in PowerZure, run the following command.
5. Part of enumerating the attack surface is determining the actual access that a credential has and its level of access (read/write/execute). PowerZure has a function called Get-AzureTargets that we can use for this purpose. This function compares the user's role assignments against the Azure scopes they apply to in order to make this determination. You can run the function using the following command.
While the Get-AzureTargets function of PowerZure is a great way to understand the scope of access that a user has and the resources they have access to, MicroBurst also collects this information into flat files for the review of an entire subscription. Each tool has its own benefits, and different situations will call for different tools.
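The same role-versus-scope comparison can be reproduced with plain Az PowerShell cmdlets, which is handy when reviewing what a given account can actually do or when reconciling a PowerZure or MicroBurst report against live role assignments. This is an added example, not code from the post or from PowerZure; it assumes an existing Connect-AzAccount session for a user identity (the function name Get-PrincipalAccessSummary is hypothetical).

```powershell
# Added example (not part of the original post or of PowerZure): enumerate the
# role assignments held by the signed-in identity in every visible subscription
# and classify each as read-only or write/execute, similar to Get-AzureTargets.
# Assumes: Az.Accounts and Az.Resources are installed and Connect-AzAccount
# has already been run for a user account (Account.Id is the sign-in name).
function Get-PrincipalAccessSummary {
    $ctx = Get-AzContext
    if (-not $ctx) { throw "No Az session found. Run Connect-AzAccount first." }
    $signIn = $ctx.Account.Id

    $rows = foreach ($sub in Get-AzSubscription) {
        # Scope the assignment query to this subscription
        $null = Set-AzContext -SubscriptionId $sub.Id

        # -ExpandPrincipalGroups includes roles inherited via group membership
        $assignments = Get-AzRoleAssignment -SignInName $signIn -ExpandPrincipalGroups
        foreach ($a in $assignments) {
            $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId

            # Anything beyond */read counts as write/execute: a wildcard,
            # a provider wildcard, or an explicit write/delete/action permission
            $writeActions = @($def.Actions | Where-Object {
                $_ -eq '*' -or $_ -match '/\*$' -or $_ -match '/(write|delete|action)$'
            })
            $access = if ($writeActions.Count -gt 0) { 'write/execute' } else { 'read' }

            [pscustomobject]@{
                Subscription = $sub.Name
                Scope        = $a.Scope
                Role         = $a.RoleDefinitionName
                Access       = $access
                ViaGroup     = ($a.SignInName -ne $signIn)
            }
        }
    }
    $rows
}

# Usage: list every assignment, then highlight the write-capable scopes
$summary = Get-PrincipalAccessSummary
$summary | Sort-Object Subscription, Scope | Format-Table -AutoSize
$summary | Where-Object Access -eq 'write/execute' |
    Select-Object Subscription, Scope, Role | Format-Table -AutoSize
```

The write/execute heuristic is deliberately conservative: any role whose Actions list reaches past read-only operations is flagged, so custom roles with a single */action entry show up alongside Contributor.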
Reference:
https://github.com/PacktPublishing/Penetration-Testing-Azure-for-Ethical-Hackers