diff --git a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md index daa687f26..83208cca7 100644 --- a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md +++ b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md @@ -37,6 +37,8 @@ By default all subnets within the same Azure Virtual Network (VNet) **can commun To list all the VNets and subnets in an Azure account, you can use the Azure Command-Line Interface (CLI). Here are the steps: +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List VNets @@ -46,6 +48,21 @@ az network vnet list --query "[].{name:name, location:location, addressSpace:add az network vnet subnet list --resource-group --vnet-name --query "[].{name:name, addressPrefix:addressPrefix}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List VNets +Get-AzVirtualNetwork | Select-Object Name, Location, @{Name="AddressSpace"; Expression={$_.AddressSpace.AddressPrefixes}} + +# List subnets of a VNet +Get-AzVirtualNetwork -ResourceGroupName -Name | +Select-Object -ExpandProperty Subnets | +Select-Object Name, AddressPrefix +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Network Security Groups (NSG) @@ -60,6 +77,8 @@ NSGs can be associated to **subnets and NICs.** ### Enumeration +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List NSGs 
@@ -73,7 +92,23 @@ az network nsg rule list --nsg-name --resource-group -ResourceGroupName +# Get NSG rules +(Get-AzNetworkSecurityGroup -ResourceGroupName -Name ).SecurityRules + +# Get NICs and subnets using this NSG +(Get-AzNetworkSecurityGroup -Name -ResourceGroupName ).Subnets +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Firewall Azure Firewall is a **managed network security service** in Azure that protects cloud resources by inspecting and controlling traffic. It is a **stateful firewall** that filters traffic based on rules for Layers 3 to 7, supporting communication both **within Azure** (east-west traffic) and **to/from external networks** (north-south traffic). Deployed at the **Virtual Network (VNet) level**, it provides centralized protection for all subnets in the VNet. Azure Firewall automatically scales to handle traffic demands and ensures high availability without requiring manual setup. @@ -92,6 +127,8 @@ It is available in three SKUs—**Basic**, **Standard**, and **Premium**, each t ### Enumeration +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List Azure Firewalls @@ -107,6 +144,25 @@ az network firewall application-rule collection list --firewall-name --resource-group --query "[].{name:name, rules:rules}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List Azure Firewalls +Get-AzFirewall + +# Get network rules of a firewall +(Get-AzFirewall -Name -ResourceGroupName ).NetworkRuleCollections + +# Get application rules of a firewall +(Get-AzFirewall -Name -ResourceGroupName ).ApplicationRuleCollections + +# Get nat rules of a firewall +(Get-AzFirewall -Name -ResourceGroupName ).NatRuleCollections +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Route Tables 
@@ -116,6 +172,8 @@ Azure **Route Tables** are used to control the routing of network traffic within ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List Route Tables @@ -125,7 +183,19 @@ az network route-table list --query "[].{name:name, resourceGroup:resourceGroup, az network route-table route list --route-table-name --resource-group --query "[].{name:name, addressPrefix:addressPrefix, nextHopType:nextHopType, nextHopIpAddress:nextHopIpAddress}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List Route Tables +Get-AzRouteTable +# List routes for a table +(Get-AzRouteTable -Name -ResourceGroupName ).Routes +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Private Link Azure Private Link is a service in Azure that **enables private access to Azure services** by ensuring that **traffic between your Azure virtual network (VNet) and the service travels entirely within Microsoft's Azure backbone network**. It effectively brings the service into your VNet. This setup enhances security by not exposing the data to the public internet. @@ -142,6 +212,8 @@ Consider a scenario where you have an **Azure SQL Database that you want to acce ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List Private Link Services 
@@ -151,6 +223,19 @@ az network private-link-service list --query "[].{name:name, location:location, az network private-endpoint list --query "[].{name:name, location:location, resourceGroup:resourceGroup, privateLinkServiceConnections:privateLinkServiceConnections}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List Private Link Services +Get-AzPrivateLinkService | Select-Object Name, Location, ResourceGroupName + +# List Private Endpoints +Get-AzPrivateEndpoint | Select-Object Name, Location, ResourceGroupName, PrivateEndpointConnections +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Service Endpoints @@ -162,6 +247,8 @@ For instance, an **Azure Storage** account by default is accessible over the pub ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List Virtual Networks with Service Endpoints @@ -171,6 +258,19 @@ az network vnet list --query "[].{name:name, location:location, serviceEndpoints az network vnet subnet list --resource-group --vnet-name --query "[].{name:name, serviceEndpoints:serviceEndpoints}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List Virtual Networks with Service Endpoints +Get-AzVirtualNetwork + +# List Subnets with Service Endpoints +(Get-AzVirtualNetwork -ResourceGroupName -Name ).Subnets +``` +{% endcode %} +{% endtab %} +{% endtabs %} ### Differences Between Service Endpoints and Private Links @@ -208,6 +308,8 @@ Imagine you have a globally distributed application with users all around the wo ### Enumeration +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List Azure Front Door Instances 
@@ -217,6 +319,19 @@ az network front-door list --query "[].{name:name, resourceGroup:resourceGroup, az network front-door waf-policy list --query "[].{name:name, resourceGroup:resourceGroup, location:location}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List Azure Front Door Instances +Get-AzFrontDoor + +# List Front Door WAF Policies +Get-AzFrontDoorWafPolicy -Name -ResourceGroupName +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Application Gateway and Azure Application Gateway WAF @@ -229,12 +344,24 @@ And **protect your website from attacks using the WAF capabilities.** ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List the Web Application Firewall configurations for your Application Gateways az network application-gateway waf-config list --gateway-name --resource-group --query "[].{name:name, firewallMode:firewallMode, ruleSetType:ruleSetType, ruleSetVersion:ruleSetVersion}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List the Web Application Firewall configurations for your Application Gateways +(Get-AzApplicationGateway -Name -ResourceGroupName ).WebApplicationFirewallConfiguration +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Hub, Spoke & VNet Peering @@ -253,6 +380,8 @@ Imagine a company with separate departments like Sales, HR, and Development, **e ### Enumeration +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List all VNets in your subscription @@ -265,6 +394,22 @@ az network vnet peering list --resource-group --vnet-name -Name ).VirtualNetworkPeerings + +# List Shared Resources (e.g., Azure Firewall) in the Hub +Get-AzFirewall +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Site-to-Site VPN 
@@ -276,6 +421,8 @@ A business with its main office located in New York has an on-premises data cent ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List VPN Gateways @@ -285,6 +432,19 @@ az network vnet-gateway list --query "[].{name:name, location:location, resource az network vpn-connection list --gateway-name --resource-group --query "[].{name:name, connectionType:connectionType, connectionStatus:connectionStatus}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List VPN Gateways +Get-AzVirtualNetworkGateway -ResourceGroupName + +# List VPN Connections +Get-AzVirtualNetworkGatewayConnection -ResourceGroupName +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure ExpressRoute @@ -296,12 +456,24 @@ A multinational corporation requires a **consistent and reliable connection to i ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List ExpressRoute Circuits az network express-route list --query "[].{name:name, location:location, resourceGroup:resourceGroup, serviceProviderName:serviceProviderName, peeringLocation:peeringLocation}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List ExpressRoute Circuits +Get-AzExpressRouteCircuit +``` +{% endcode %} +{% endtab %} +{% endtabs %} {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
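Review bot: In hunk `@@ -46,6 +48,21 @@` the new PowerShell commands have empty parameter values (`Get-AzVirtualNetwork -ResourceGroupName -Name |`), and the same is true of the existing `az` context line `--resource-group --vnet-name`, which suggests angle-bracket placeholders were dropped from this view; confirm the source file actually carries placeholders such as `<resource-group>` and `<vnet-name>` in both tabs, since as shown the commands fail with a parameter binding error. Also consider a consistent tab title ("Azure CLI" or "az cli" vs "PowerShell") across all the `{% tab %}` blocks added in this patch.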
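Review bot: In hunk `@@ -73,7 +92,23 @@` the comment `# Get NICs and subnets using this NSG` is not matched by the command, which only reads `.Subnets`; the NSG object also exposes `.NetworkInterfaces`, so either narrow the comment or output both properties, e.g. `(Get-AzNetworkSecurityGroup -Name <nsg> -ResourceGroupName <rg>) | Select-Object Subnets, NetworkInterfaces`. For the rules line, `.SecurityRules` returns only custom rules; for a security review the built-in `DefaultSecurityRules` (the AllowVnetInBound / AllowAzureLoadBalancerInBound / DenyAllInBound set) also determine effective exposure, so it is worth listing them alongside.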
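Review bot: In hunk `@@ -107,6 +144,25 @@` the three collection properties (`.NetworkRuleCollections`, `.ApplicationRuleCollections`, `.NatRuleCollections`) are only populated for firewalls using classic rules; a firewall attached to a Firewall Policy returns empty collections here and its rules live in the policy instead. Add a line that checks `.FirewallPolicy` on the firewall object and, when set, enumerates the policy's rule collection groups with `Get-AzFirewallPolicyRuleCollectionGroup`, so the PowerShell tab does not silently report "no rules". Minor: "nat rules" should read "NAT rules" in the comment.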
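Review bot: In hunk `@@ -125,7 +183,19 @@` the PowerShell tab returns whole route objects, whereas the `az` tab in the same section projects `nextHopType` and `nextHopIpAddress`, which are the fields that reveal traffic steered to an NVA or firewall. Suggest `(Get-AzRouteTable -Name <rt> -ResourceGroupName <rg>).Routes | Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress` for parity, and a blank line between the two commands to match the layout of the other PowerShell tabs in this patch.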
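Review bot: In hunk `@@ -151,6 +223,19 @@` the line `Get-AzPrivateEndpoint | Select-Object Name, Location, ResourceGroupName, PrivateEndpointConnections` selects a property that belongs to the Private Link Service object, not the Private Endpoint object; on a private endpoint the connections are exposed as `PrivateLinkServiceConnections` (and `ManualPrivateLinkServiceConnections`), which also matches the `privateLinkServiceConnections` field used by the `az` line in the same hunk. `Select-Object` does not error on an unknown property, it just emits an empty column, so this would go unnoticed; please rename the property.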
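Review bot: In hunk `@@ -171,6 +258,19 @@` neither PowerShell command actually surfaces service endpoints: `Get-AzVirtualNetwork` lists every VNet regardless of endpoints, and `.Subnets` prints subnet objects without highlighting the `ServiceEndpoints` property that the `az` tab queries. Suggest something like `(Get-AzVirtualNetwork -ResourceGroupName <rg> -Name <vnet>).Subnets | Select-Object Name, @{N='ServiceEndpoints';E={$_.ServiceEndpoints.Service}}` so the output shows which subnets reach which services, and adjust the two comments to match what the commands return.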
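Review bot: In hunk `@@ -217,6 +319,19 @@` the comment says `# List Front Door WAF Policies` but `Get-AzFrontDoorWafPolicy -Name <name> -ResourceGroupName <rg>` fetches a single policy; dropping `-Name` and keeping `-ResourceGroupName` lists all policies in the group, which matches the `az network front-door waf-policy list` line in the CLI tab. Worth a caveat in the section too: `Get-AzFrontDoor` covers classic Front Door only, and Front Door Standard/Premium profiles are enumerated through the Az.Cdn cmdlets (`Get-AzFrontDoorCdnProfile`).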
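Review bot: In hunk `@@ -229,12 +344,24 @@` reading `.WebApplicationFirewallConfiguration` only covers the legacy inline WAF configuration; a WAF_v2 gateway that is associated with a WAF policy has this property empty and its rules live in the policy referenced by `.FirewallPolicy`. Suggest also checking that property and, when present, resolving it with `Get-AzApplicationGatewayFirewallPolicy`, otherwise the tab will report no WAF on gateways that are in fact protected (or report nothing on gateways that are not).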
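Review bot: In hunk `@@ -285,6 +432,19 @@` both cmdlets are scoped by `-ResourceGroupName`, so unlike the subscription-wide `az network vnet-gateway list` in the CLI tab they require knowing the resource group up front; a note, or a subscription-wide alternative such as `Get-AzResource -ResourceType Microsoft.Network/virtualNetworkGateways`, would keep the two tabs equivalent. The connections line would also benefit from `Select-Object Name, ConnectionType, ConnectionStatus` to mirror the fields the CLI query already extracts.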
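Review bot: In hunk `@@ -296,12 +456,24 @@` the bare `Get-AzExpressRouteCircuit` is fine functionally, but the CLI tab in the same hunk projects `serviceProviderName` and `peeringLocation`; on the PowerShell object those sit under `ServiceProviderProperties`, so `Select-Object Name, Location, ResourceGroupName, @{N='Provider';E={$_.ServiceProviderProperties.ServiceProviderName}}, @{N='PeeringLocation';E={$_.ServiceProviderProperties.PeeringLocation}}` would give the two tabs the same output.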