diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md index df5a51a37..cd7e82a37 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md @@ -42,7 +42,7 @@ aws iam get-account-summary ## References -- https://aws.amazon.com/organizations/ +- [https://aws.amazon.com/organizations/](https://aws.amazon.com/organizations/) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md index 1da888587..0512dbf92 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md @@ -48,7 +48,7 @@ aws sqs send-message --queue-url --message-body ## References -- https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html +- [https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html](https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md b/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md index 53f4bc63a..e2d19d91e 100644 --- a/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md +++ b/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md 
@@ -24,9 +24,9 @@ az storage queue policy set --name --permissions rwd --expiry 2024- ## References -- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes +- [https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues](https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues) +- [https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api](https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api) +- [https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes](https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md index c84d73899..eae39951d 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md 
@@ -82,9 +82,9 @@ az storage queue policy set --name --permissions rwd --expiry 2024- ## References -- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes +- [https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues](https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues) +- [https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api](https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api) +- [https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes](https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md index 7dea64f6f..d71b7065d 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md 
@@ -42,15 +42,6 @@ An attacker with this permission can delete an Azure Service Bus subscription. T az servicebus topic subscription delete --resource-group --namespace-name --topic-name --name ``` -### Actions: `Microsoft.ServiceBus/namespaces/write` & `Microsoft.ServiceBus/namespaces/read` - -An attacker with permissions to create or modify Azure Service Bus namespaces can exploit this to disrupt operations, deploy unauthorized resources, or expose sensitive data. They can alter critical configurations such as enabling public network access, downgrading encryption settings, or changing SKUs to degrade performance or increase costs. Additionally, they could disable local authentication, manipulate replica locations, or adjust TLS versions to weaken security controls, making namespace misconfiguration a significant post-exploitation risk. - -```bash -az servicebus namespace create --resource-group --name --location -az servicebus namespace update --resource-group --name --tags -``` - ### Actions: `Microsoft.ServiceBus/namespaces/queues/write` (`Microsoft.ServiceBus/namespaces/queues/read`) An attacker with permissions to create or modify Azure Service Bus queues (to modiffy the queue you will also need the Action:`Microsoft.ServiceBus/namespaces/queues/read`) can exploit this to intercept data, disrupt workflows, or enable unauthorized access. They can alter critical configurations such as forwarding messages to malicious endpoints, adjusting message TTL to retain or delete data improperly, or enabling dead-lettering to interfere with error handling. Additionally, they could manipulate queue sizes, lock durations, or statuses to disrupt service functionality or evade detection, making this a significant post-exploitation risk. 
@@ -88,13 +79,13 @@ Take a look here: ## References -- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes -- https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless -- https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus -- https://learn.microsoft.com/en-us/cli/azure/servicebus/namespace?view=azure-cli-latest -- https://learn.microsoft.com/en-us/cli/azure/servicebus/queue?view=azure-cli-latest +- [https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues](https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues) +- [https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api](https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api) +- [https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes](https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes) +- [https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless) +- [https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus) +- [https://learn.microsoft.com/en-us/cli/azure/servicebus/namespace?view=azure-cli-latest](https://learn.microsoft.com/en-us/cli/azure/servicebus/namespace?view=azure-cli-latest) +- 
[https://learn.microsoft.com/en-us/cli/azure/servicebus/queue?view=azure-cli-latest](https://learn.microsoft.com/en-us/cli/azure/servicebus/queue?view=azure-cli-latest) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md index 2093cb494..e5a05257f 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md @@ -12,7 +12,7 @@ For more information about SQL Database check: ### `Microsoft.Sql/servers/databases/read`, `Microsoft.Sql/servers/read` && `Microsoft.Sql/servers/databases/write` -With these permissions, an attacker can create and update databases within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions. +With these permissions, an attacker can create and update databases within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions. ```bash # Create Database 
@@ -22,6 +22,18 @@ az sql db create --resource-group --server --name az sql db update --resource-group --server --name --max-size ``` +With this permissions (`Microsoft.Sql/servers/read` && `Microsoft.Sql/servers/databases/write`) you can restore a deleted database: + +```bash +az sql db restore \ + --dest-name \ + --name \ + --resource-group \ + --server \ + --deleted-time "" + +``` + ### `Microsoft.Sql/servers/elasticPools/write` && `Microsoft.Sql/servers/elasticPools/read` With these permissions, an attacker can create and update elasticPools within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions. 
@@ -99,6 +111,51 @@ az sql db import --admin-user \ --storage-uri `https://.blob.core.windows.net/bacpac-container/MyDatabase.bacpac` ``` +### `Microsoft.Sql/servers/connectionPolicies/write` && `Microsoft.Sql/servers/connectionPolicies/read` + +With this permissions, a user can modify and retrieve the connection policies of an Azure SQL server. These permissions allow someone to change how clients connect to the server—choosing between methods like redirect or proxy—which could be exploited to weaken security, redirect traffic, or intercept sensitive data if misconfigured. + +```bash +az sql server conn-policy update \ + --resource-group \ + --server \ + --connection-policy +``` + +### `Microsoft.Sql/servers/keys/write` && `Microsoft.Sql/servers/keys/read` + +With this permissions, a user can update and retrieve encryption keys associated with an Azure SQL Server. These keys are often used for securing sensitive data through encryption, so manipulating them could compromise data security by allowing unauthorized decryption or key rotation changes. + +```bash +az sql server key create \ + --resource-group MyResourceGroup \ + --server MyServer \ + --kid "https://mykeyvault.vault.azure.net/keys/mykey/1234567890abcdef +``` + +### `Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action`, `Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read`, `Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read` + +This permissions permission allows disabling Ledger Digest for an Azure SQL Database, which stops the periodic uploading of cryptographic digest records to Azure Blob Storage that verifies the integrity of data. 
+ +```bash +az sql db ledger-digest-uploads disable \ + --name ledgerDB \ + --resource-group myResourceGroup \ + --server my-sql-server +``` + +### `Microsoft.Sql/servers/databases/transparentDataEncryption/write`, `Microsoft.Sql/locations/transparentDataEncryptionAzureAsyncOperation/read`, `Microsoft.Sql/servers/databases/transparentDataEncryption/read` + +This permission allows an authorized user or attacker to enable, disable, or modify Transparent Data Encryption (TDE) settings on an Azure SQL database, potentially impacting data security by altering encryption configurations. + +```bash +az sql db tde set \ + --database \ + --resource-group \ + --server \ + --status +``` + {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md index 5adead1d1..841397a02 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md 
@@ -66,9 +66,9 @@ az storage queue policy set --name --permissions rwd --expiry 2024- ## References -- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes +- [https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues](https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues) +- [https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api](https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api) +- [https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes](https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md index 9c0822272..e73fd8cbb 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md 
@@ -99,134 +99,217 @@ az servicebus namespace update --disable-local-auth false -n -- ### Send Messages with keys (Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action OR Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action) -You can retrieve the `PrimaryConnectionString`, which acts as a credential for the Service Bus namespace. With this connection string, you can fully authenticate as the Service Bus namespace, enabling you to send messages to any queue or topic and potentially interact with the system in ways that could disrupt operations, impersonate valid users, or inject malicious data into the messaging workflow. +You can retrieve the `PrimaryConnectionString`, which acts as a credential for the Service Bus namespace. With this connection string, you can fully authenticate as the Service Bus namespace, enabling you to send messages to any queue or topic and potentially interact with the system in ways that could disrupt operations, impersonate valid users, or inject malicious data into the messaging workflow. This method works if `--disable-local-auth` is set to false. 
```python -#You need to install the following libraries -#pip install azure-servicebus -#pip install aiohttp -#pip install azure-identity - import asyncio from azure.servicebus.aio import ServiceBusClient from azure.servicebus import ServiceBusMessage -# Constants NAMESPACE_CONNECTION_STR = "" -TOPIC_NAME = "" +TOPIC_OR_QUEUE_NAME = "" -# Function to send a single message to a Service Bus topic -async def send_individual_message(publisher): - # Prepare a single message with updated content - single_message = ServiceBusMessage("Hacktricks-Training: Single Item") - # Send the message to the topic - await publisher.send_messages(single_message) - print("Sent a single message containing 'Hacktricks-Training'") +async def send_message(): + async with ServiceBusClient.from_connection_string(NAMESPACE_CONNECTION_STR) as client: + async with client.get_topic_sender(topic_name=TOPIC_OR_QUEUE_NAME) as sender: + await sender.send_messages(ServiceBusMessage("Hacktricks-Training: Single Item")) + print("Sent message") -# Function to send multiple messages to a Service Bus topic -async def send_multiple_messages(publisher): - # Generate a collection of messages with updated content - message_list = [ServiceBusMessage(f"Hacktricks-Training: Item {i+1} in list") for i in range(5)] - # Send the entire collection of messages to the topic - await publisher.send_messages(message_list) - print("Sent a list of 5 messages containing 'Hacktricks-Training'") +asyncio.run(send_message()) +``` -# Function to send a grouped batch of messages to a Service Bus topic -async def send_grouped_messages(publisher): - # Send a grouped batch of messages with updated content - async with publisher: - grouped_message_batch = await publisher.create_message_batch() - for i in range(10): - try: - # Append a message to the batch with updated content - grouped_message_batch.add_message(ServiceBusMessage(f"Hacktricks-Training: Item {i+1}")) - except ValueError: - # If batch reaches its size limit, handle by 
creating another batch - break - # Dispatch the batch of messages to the topic - await publisher.send_messages(grouped_message_batch) - print("Sent a batch of 10 messages containing 'Hacktricks-Training'") +Addtionally you can send messages with az rest, in this case you need to generate a sas token to use. -# Main function to execute all tasks -async def execute(): - # Instantiate the Service Bus client with the connection string - async with ServiceBusClient.from_connection_string( - conn_str=NAMESPACE_CONNECTION_STR, - logging_enable=True) as sb_client: - # Create a topic sender for dispatching messages to the topic - publisher = sb_client.get_topic_sender(topic_name=TOPIC_NAME) - async with publisher: - # Send a single message - await send_individual_message(publisher) - # Send multiple messages - await send_multiple_messages(publisher) - # Send a batch of messages - await send_grouped_messages(publisher) +```python +import time, urllib.parse, hmac, hashlib, base64 -# Run the asynchronous execution -asyncio.run(execute()) -print("Messages Sent") -print("----------------------------") +def generate_sas_token(uri, key_name, key, expiry_in_seconds=3600): + expiry = int(time.time() + expiry_in_seconds) + string_to_sign = urllib.parse.quote_plus(uri) + "\n" + str(expiry) + signed_hmac_sha256 = hmac.new(key.encode('utf-8'), string_to_sign.encode('utf-8'), hashlib.sha256).digest() + signature = urllib.parse.quote_plus(base64.b64encode(signed_hmac_sha256)) + token = f"SharedAccessSignature sr={urllib.parse.quote_plus(uri)}&sig={signature}&se={expiry}&skn={key_name}" + return token + +# Replace these with your actual values +resource_uri = "https://.servicebus.windows.net/" +key_name = "" +primary_key = "" + +sas_token = generate_sas_token(resource_uri, key_name, primary_key) +print(sas_token) +``` + +```bash +az rest --method post \ + --uri "https://.servicebus.windows.net//messages" \ + --headers "Content-Type=application/atom+xml;type=entry;charset=utf-8" 
"Authorization=SharedAccessSignature sr=https%3A%2F%2F.servicebus.windows.net%2F&sig=&se=&skn=" \ + --body "" ``` -### Recieve with keys (Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action OR Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action) +### Receive with keys (Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action OR Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action) -You can retrieve the PrimaryConnectionString, which serves as a credential for the Service Bus namespace. Using this connection string, you can receive messages from any queue or subscription within the namespace, allowing access to potentially sensitive or critical data, enabling data exfiltration, or interfering with message processing and application workflows. +You can retrieve the PrimaryConnectionString, which serves as a credential for the Service Bus namespace. Using this connection string, you can receive messages from any queue or subscription within the namespace, allowing access to potentially sensitive or critical data, enabling data exfiltration, or interfering with message processing and application workflows. This method works if `--disable-local-auth` is set to false. 
```python -#You need to install the following libraries -#pip install azure-servicebus -#pip install aiohttp -#pip install azure-identity - import asyncio from azure.servicebus.aio import ServiceBusClient -NAMESPACE_CONNECTION_STR = "" -TOPIC_NAME = "" -SUBSCRIPTION_NAME = "" #Topic Subscription +CONN_STR = "" +QUEUE = "" -# Function to receive and process messages from a Service Bus subscription -async def receive_and_process_messages(): - # Create a Service Bus client using the connection string - async with ServiceBusClient.from_connection_string( - conn_str=NAMESPACE_CONNECTION_STR, - logging_enable=True) as servicebus_client: +# For topics/subscriptions, you would use: +# TOPIC = "" +# SUBSCRIPTION = "" - # Get the Subscription Receiver object for the specified topic and subscription - receiver = servicebus_client.get_subscription_receiver( - topic_name=TOPIC_NAME, - subscription_name=SUBSCRIPTION_NAME, - max_wait_time=5 - ) - - async with receiver: - # Receive messages with a defined maximum wait time and count - received_msgs = await receiver.receive_messages( - max_wait_time=5, - max_message_count=20 - ) - for msg in received_msgs: - print("Received: " + str(msg)) - # Complete the message to remove it from the subscription +async def receive(): + async with ServiceBusClient.from_connection_string(CONN_STR) as client: + # For a queue receiver: + async with client.get_queue_receiver(queue_name=QUEUE, max_wait_time=5) as receiver: + msgs = await receiver.receive_messages(max_wait_time=5, max_message_count=20) + for msg in msgs: + print("Received:", msg) await receiver.complete_message(msg) + + # For a topic/subscription receiver (commented out): + # async with client.get_subscription_receiver(topic_name=TOPIC, subscription_name=SUBSCRIPTION, max_wait_time=5) as receiver: + # msgs = await receiver.receive_messages(max_wait_time=5, max_message_count=20) + # for msg in msgs: + # print("Received:", msg) + # await receiver.complete_message(msg) -# Run the 
asynchronous message processing function -asyncio.run(receive_and_process_messages()) -print("Message Receiving Completed") -print("----------------------------") +asyncio.run(receive()) +print("Done receiving messages") ``` +Addtionally you can send messages with az rest, in this case you need to generate a sas token to use. +```python +import time, urllib.parse, hmac, hashlib, base64 + +def generate_sas_token(uri, key_name, key, expiry_in_seconds=3600): + expiry = int(time.time() + expiry_in_seconds) + string_to_sign = urllib.parse.quote_plus(uri) + "\n" + str(expiry) + signature = urllib.parse.quote_plus(base64.b64encode( + hmac.new(key.encode('utf-8'), string_to_sign.encode('utf-8'), hashlib.sha256).digest() + )) + token = f"SharedAccessSignature sr={urllib.parse.quote_plus(uri)}&sig={signature}&se={expiry}&skn={key_name}" + return token + +# Example usage: +resource_uri = "https://.servicebus.windows.net/queue" # For queue +# resource_uri = "https://.servicebus.windows.net//subscriptions/" # For topic subscription +sas_token = generate_sas_token(resource_uri, "", "") +print(sas_token) + +``` + +For a queue you can get or peek the message (getting a messages would remove them, while peeking will not): +```bash +#Get a message +az rest --method post \ + --uri "https://.servicebus.windows.net//messages/head?timeout=60" \ + --headers "Content-Type=application/atom+xml;type=entry;charset=utf-8" "Authorization=SharedAccessSignature sr=&sig=&se=&skn=" + +#Peek a message +az rest --method get \ + --uri "https://.servicebus.windows.net//messages/head?peekonly=true&timeout=60" \ + --headers "Authorization=SharedAccessSignature sr=&sig=&se=&skn=" + +#You can select the meesage changing the field PreviousSequenceNumber +az rest --method get \ + --uri "https://.servicebus.windows.net//messages?timeout=60&PreviousSequenceNumber=&api-version=2017-04" \ + --headers "Authorization=SharedAccessSignature sr=&sig=&se=&skn=" +``` + +For a topic: +```bash +#Get a message +az rest 
--method post \ + --uri "https://.servicebus.windows.net//subscriptions//messages/head?timeout=60" \ + --headers "Content-Type=application/atom+xml;type=entry;charset=utf-8" "Authorization=SharedAccessSignature sr=&sig=&se=&skn=" + +#Peek a message +az rest --method get \ + --uri "https://.servicebus.windows.net//subscriptions//messages/head?timeout=60&api-version=2017-04" \ + --headers "Authorization=SharedAccessSignature sr=&sig=&se=&skn=" + +#You can select the meesage changing the field PreviousSequenceNumber +az rest --method get \ + --uri "https://.servicebus.windows.net//subscriptions//messages?timeout=60&PreviousSequenceNumber=&api-version=2017-04" \ + --headers "Authorization=SharedAccessSignature sr=&sig=&se=&skn=" +``` + +### Send Messages. DataActions: `Microsoft.ServiceBus/namespaces/messages/send/action` + +You can use this permissions to send messages, even if `--disable-local-auth` is set to true. + +```python +import asyncio +from azure.identity.aio import DefaultAzureCredential +from azure.servicebus.aio import ServiceBusClient +from azure.servicebus import ServiceBusMessage + +NS = ".servicebus.windows.net" # Your namespace +QUEUE_OR_TOPIC = "" # Your queue name + +async def run(): + credential = DefaultAzureCredential() + async with ServiceBusClient(fully_qualified_namespace=NS, credential=credential) as client: + async with client.get_queue_sender(queue_name=QUEUE) as sender: + await sender.send_messages(ServiceBusMessage("Single Message")) + print("Sent a single message") + await credential.close() + +if __name__ == "__main__": + asyncio.run(run()) +``` + +### Recieve Messages. DataActions: `Microsoft.ServiceBus/namespaces/messages/receive/action` + +You can use this permissions to receive messages, even if `--disable-local-auth` is set to true. 
+ +```python +import asyncio +from azure.identity.aio import DefaultAzureCredential +from azure.servicebus.aio import ServiceBusClient + +NS = ".servicebus.windows.net" +QUEUE = "" + +# For a topic subscription, uncomment and set these values: +# TOPIC = "" +# SUBSCRIPTION = "" + +async def run(): + credential = DefaultAzureCredential() + async with ServiceBusClient(fully_qualified_namespace=NS, credential=credential) as client: + # Receiving from a queue: + async with client.get_queue_receiver(queue_name=QUEUE, max_wait_time=5) as receiver: + async for msg in receiver: + print("Received from Queue:", msg) + await receiver.complete_message(msg) + + # To receive from a topic subscription, uncomment the code below and comment out the queue receiver above: + # async with client.get_subscription_receiver(topic_name=TOPIC, subscription_name=SUBSCRIPTION, max_wait_time=5) as receiver: + # async for msg in receiver: + # print("Received from Topic Subscription:", msg) + # await receiver.complete_message(msg) + + await credential.close() + +asyncio.run(run()) +print("Done receiving messages") +``` ## References -- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes -- https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless -- https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus +- [https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues](https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues) +- [https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api](https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api) +- 
[https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes](https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes) +- [https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless) +- [https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md index b1e4cd75e..f8d19620e 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md @@ -27,7 +27,7 @@ az sql server create \ --resource-group \ --location \ --admin-user \ - --admin-password + --admin-password ``` Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it: 
@@ -39,6 +39,32 @@ az sql server update \ --enable-public-network true ``` +Furthermore, with the permissions you can enalbe the assign identity, an opertate with the managed identity attached to the server. For example here with a managed identity that can access Azure Storage: + +```bash +az sql server update \ + --name \ + --resource-group \ + --assign_identity +``` +```sql +CREATE EXTERNAL DATA SOURCE ManagedIdentity +WITH ( + TYPE = BLOB_STORAGE, + LOCATION = 'https://.blob.core.windows.net/', + CREDENTIAL = ManagedIdentityCredential +); +GO + +SELECT * +FROM OPENROWSET( + BULK 'message.txt', + DATA_SOURCE = 'ManagedIdentity', + SINGLE_CLOB +) AS DataFile; +GO +``` + ### `Microsoft.Sql/servers/firewallRules/write` An attacker can manipulate firewall rules on Azure SQL servers to allow unauthorized access. This can be exploited to open up the server to specific IP addresses or entire IP ranges, including public IPs, enabling access for malicious actors. This post-exploitation activity can be used to bypass existing network security controls, establish persistence, or facilitate lateral movement within the environment by exposing sensitive resources. diff --git a/src/pentesting-cloud/azure-security/az-services/az-queue-enum.md b/src/pentesting-cloud/azure-security/az-services/az-queue-enum.md index 910ca794f..3fbcd8fbc 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-queue-enum.md +++ b/src/pentesting-cloud/azure-security/az-services/az-queue-enum.md 
@@ -88,9 +88,9 @@ $queueMessage.Value ## References -- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes +- [https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues](https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues) +- [https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api](https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api) +- [https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes](https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md b/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md index f70dd4bea..d81800ba2 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md +++ b/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md 
@@ -8,15 +8,21 @@ Azure Service Bus is a cloud-based **messaging service** designed to enable reli ### Key Concepts -1. **Queues:** its purpose is to store messages until the receiver is ready. +1. **Namespaces:** A namespace in messaging systems is a logical container that organizes and manages messaging components, queues and topics. It provides an isolated environment where applications can send, receive, and process messages. Queues and topics share the same infrastructure and configuration within a Service Bus namespace, but they operate independently without interacting with each other. +2. **Queues:** its purpose is to store messages until the receiver is ready. - Messages are ordered, timestamped, and durably stored. - Delivered in pull mode (on-demand retrieval). - Supports point-to-point communication. -2. **Topics:** Publish-subscribe messaging for broadcasting. +3. **Topics:** Publish-subscribe messaging for broadcasting. - Multiple independent subscriptions receive copies of messages. - Subscriptions can have rules/filters to control delivery or add metadata. - Supports many-to-many communication. -3. **Namespaces:** A container for all messaging components, queues and topics, is like your own slice of a powerful Azure cluster, providing dedicated capacity and optionally spanning across three availability zones. + +The service bus endpoint/connection string is: + +```bash +https://.servicebus.windows.net:443/ +``` ### Advance Features 
@@ -45,9 +51,14 @@ SAS Policies define the access permissions for Azure Service Bus entities namesp - **Primary and Secondary Connection Strings**: Pre-configured connection strings that include the endpoint and key for easy use in applications. - **SAS Policy ARM ID**: The Azure Resource Manager (ARM) path to the policy for programmatic identification. -### NameSpace +It’s important to note that a namespace has a single SAS policy that affects every entity within it, while queues and topics can have their own individual SAS policies for more granular control. -sku, authrorization rule, +### "--disable-local-auth" + +The --disable-local-auth parameter is used to control whether local authentication (i.e. using Shared Access Signature (SAS) keys) is enabled for your Service Bus namespace. Here’s what you need to know: + + - When set to true: Local authentication using SAS keys is disabled and azure Active Directory (Azure AD) authentication is allowed. + - When set to false:Both SAS (local) authentication and Azure AD authentication are available and you can use connection strings with SAS keys to access your Service Bus resources. ### Enumeration diff --git a/src/pentesting-cloud/azure-security/az-services/az-sql.md b/src/pentesting-cloud/azure-security/az-services/az-sql.md index 3c7d08d21..eb5301035 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-sql.md +++ b/src/pentesting-cloud/azure-security/az-services/az-sql.md 
@@ -6,28 +6,45 @@ Azure SQL is a family of managed, secure, and intelligent products that use the **SQL Server database engine in the Azure cloud**. This means you don't have to worry about the physical administration of your servers, and you can focus on managing your data. -Azure SQL consists of three main offerings: +Azure SQL consists of four main offerings: -1. **Azure SQL Database**: This is a **fully-managed database service**, which allows you to host individual databases in the Azure cloud. It offers built-in intelligence that learns your unique database patterns and provides customized recommendations and automatic tuning. -2. **Azure SQL Managed Instance**: This is for larger scale, entire SQL Server instance-scoped deployments. It provides near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, which provides a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers. -3. **Azure SQL Server on Azure VMs**: This is Infrastructure as a Service (IaaS) and is best for migrations where you want **control over the operating system and SQL Server instance**, like it was a server running on-premises. +1. **Azure SQL Server**: Azure SQL Server is a managed relational database service on that simplifies the deployment and management of SQL Server databases, with built-in security and performance features. +2. **Azure SQL Database**: This is a **fully-managed database service**, which allows you to host individual databases in the Azure cloud. It offers built-in intelligence that learns your unique database patterns and provides customized recommendations and automatic tuning. +3. **Azure SQL Managed Instance**: This is for larger scale, entire SQL Server instance-scoped deployments. 
It provides near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, which provides a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers. +4. **Azure SQL Server on Azure VMs**: This is Infrastructure as a Service (IaaS) and is best for migrations where you want **control over the operating system and SQL Server instance**, like it was a server running on-premises. -### Azure SQL Database +### Azure SQL Server -**Azure SQL Database** is a **fully managed database platform as a service (PaaS)** that provides scalable and secure relational database solutions. It's built on the latest SQL Server technologies and eliminates the need for infrastructure management, making it a popular choice for cloud-based applications. +Azure SQL Server is relational database management system (RDBMS) that uses Transact-SQL for data operations and is built to handle enterprise-level systems. It offers robust features for performance, security, scalability, and integration with various Microsoft applications. Azure SQL databases rely on this server, as these are built on this servers and it is the entrypoint for user to access the databases. -#### Key Features +#### Network -- **Always Up-to-Date**: Runs on the latest stable version of SQL Server and Receives new features and patches automatically. -- **PaaS Capabilities**: Built-in high availability, backups, and updates. -- **Data Flexibility**: Supports relational and non-relational data (e.g., graphs, JSON, spatial, and XML). +**Network Connectivity**: Choose whether to enable access via public endpoint or private endpoint. If you select No access, no endpoints are created until is configured manualy: + - No access: No endpoints are configured, blocking incoming connections until manually set up. 
+ - Public endpoint: Allows direct connections over the public internet, subject to firewall rules and other security configurations. + - Private endpoint: Restricts connectivity to a private network. -#### Purchasing Models / Service Tiers +**Connection Policy**: Define how clients communicate with the SQL database server: + - Default: Uses a Redirect policy for all client connections from inside Azure (except those using Private Endpoints) and a Proxy policy for connections from outside Azure. + - Proxy: Routes all client connections through the Azure SQL Database gateway. + - Redirect: Clients connect directly to the node hosting the database. -- **vCore-based**: Choose compute, memory, and storage independently. For General Purpose, Business Critical (with high resilience and performance for OLTP apps), and scales up to 128 TB storag -- **DTU-based**: Bundles compute, memory, and I/O into fixed tiers. Balanced resources for common tasks. - - Standard: Balanced resources for common tasks. - - Premium: High performance for demanding workloads. +#### Authentication Methods +Azure SQL supports various authentication methods to secure database access: + +- **Microsoft Entra-only authentication**: Uses Microsoft Entra (formerly Azure AD) for centralized identity management and single sign-on. +- **Both SQL and Microsoft Entra authentication**: Allows you to use traditional SQL authentication alongside Microsoft Entra. +- **SQL authentication**: Relies solely on SQL Server usernames and passwords. + +#### Security features + +SQL servers have **Managed Identities**. Managed identities allow your server to securely authenticate with other Azure services without storing credentials. It allow to access other services which would be System assigned managed identity and be accessed by other services with other identities which is User assigned managed identity. 
Some of the services that SQL can access are Azure Storage Account(V2), Azure Data Lake Storage Gen2, SQL Server, Oracle, Teradata, MongoDB or Cosmos DB API for MongoDB, Generic ODBC, Bulk Operations and S3-compatible object storage. + +Other security features that SQL server has are: + +- **Firewall Rules**: Firewall rules control access to your server by restricting or allowing traffic. This is a feature of the databases itself too. +- **Transparent Data Encryption (TDE)**: TDE encrypts your databases, backups, and logs at rest to protect your data even if the storage is compromised. It can be done with a service-managed key or a customer -managed key. +- **Microsoft Defender for SQL**: Microsoft Defender for SQL can be enabled offering vulnerability assessments and advanced threat protection for a server. #### Deployment Models 
@@ -40,6 +57,44 @@ Azure SQL Database supports flexible deployment options to suit various needs: - Allows multiple databases to share resources within a pool. - Cost-efficient for applications with fluctuating usage patterns across multiple databases. +### Azure SQL Database + +**Azure SQL Database** is a **fully managed database platform as a service (PaaS)** that provides scalable and secure relational database solutions. It's built on the latest SQL Server technologies and eliminates the need for infrastructure management, making it a popular choice for cloud-based applications. + +#### Key Features + +- **Always Up-to-Date**: Runs on the latest stable version of SQL Server and Receives new features and patches automatically. +- **PaaS Capabilities**: Built-in high availability, backups, and updates. +- **Data Flexibility**: Supports relational and non-relational data (e.g., graphs, JSON, spatial, and XML). + +#### Network + +**Network Connectivity**: Choose whether to enable access via public endpoint or private endpoint. If you select No access, no endpoints are created until is configured manualy: + - No access: No endpoints are configured, blocking incoming connections until manually set up. + - Public endpoint: Allows direct connections over the public internet, subject to firewall rules and other security configurations. + - Private endpoint: Restricts connectivity to a private network. + +**Connection Policy**: Define how clients communicate with the SQL database server: + - Default: Uses a Redirect policy for all client connections from inside Azure (except those using Private Endpoints) and a Proxy policy for connections from outside Azure. + - Proxy: Routes all client connections through the Azure SQL Database gateway. + - Redirect: Clients connect directly to the node hosting the database. + +#### Security Features + +- **Microsoft Defender for SQL**: can be enabled offering vulnerability assessments and advanced threat protection. 
+- **Ledger**: cryptographically verifies the integrity of data, ensuring that any tampering is detected. +- **Server Identity**: uses system-assigned and user-assigned managed identities to enable centralized access +- **Transparent Data Encryption Key Management**: encrypts databases, backups, and logs at rest without requiring any changes to the application. Encryption can be enabled on each database, and if configured at the database level, these settings override the server-level configuration. +- **Always Encrypted**: is a suite of advanced data protection features that separates data ownership from data management. This ensures that administrators or operators with high privileges cannot access sensitive data. + + +#### Purchasing Models / Service Tiers + +- **vCore-based**: Choose compute, memory, and storage independently. For General Purpose, Business Critical (with high resilience and performance for OLTP apps), and scales up to 128 TB storag +- **DTU-based**: Bundles compute, memory, and I/O into fixed tiers. Balanced resources for common tasks. + - Standard: Balanced resources for common tasks. + - Premium: High performance for demanding workloads. + #### Scalable performance and pools - **Single Databases**: Each database is isolated and has its own dedicated compute, memory, and storage resources. Resources can be scaled dynamically (up or down) without downtime (1–128 vCores, 32 GB–4 TB storage, and up to 128 TB). 
@@ -60,6 +115,7 @@ Azure SQL Database supports flexible deployment options to suit various needs: - **Geo-Redundancy** - **Failover Groups**: Simplifies disaster recovery by grouping databases for automatic failover across regions. + ### Azure SQL Managed Instance **Azure SQL Managed Instance** is a Platform as a Service (PaaS) database engine that offers near 100% compatibility with SQL Server and handles most management tasks (e.g., upgrading, patching, backups, monitoring) automatically. It provides a cloud solution for migrating on-premises SQL Server databases with minimal changes. @@ -71,9 +127,9 @@ Azure SQL Database supports flexible deployment options to suit various needs: #### Advanced Security Features - * **Threat Protection**: Advanced Threat Protection alerts for suspicious activities and SQL injection attacks. Auditing to track and log database events for compliance. - * **Access Control**: Microsoft Entra authentication for centralized identity management. Row-Level Security and Dynamic Data Masking for granular access control. - * **Backups**: Automated and manual backups with point-in-time restore capability. + * **Threat Protection**: Advanced Threat Protection alerts for suspicious activities and SQL injection attacks. Auditing to track and log database events for compliance. + * **Access Control**: Microsoft Entra authentication for centralized identity management. Row-Level Security and Dynamic Data Masking for granular access control. + * **Backups**: Automated and manual backups with point-in-time restore capability. ### Azure SQL Virtual Machines @@ -100,7 +156,7 @@ Azure SQL Database supports flexible deployment options to suit various needs: ```bash # List Servers -az sql server list # --output table +az sql server list # managed identities are enumerated here too ## List Server Usages az sql server list-usages --name --resource-group ## List Server Firewalls 
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md index 3b0309cc1..23e6cbb33 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md @@ -34,11 +34,11 @@ This service account has **Editor role over the whole project (high privileges). And the **default access scopes** are the following: - **https://www.googleapis.com/auth/devstorage.read\_only** -- Read access to buckets :) -- https://www.googleapis.com/auth/logging.write -- https://www.googleapis.com/auth/monitoring.write -- https://www.googleapis.com/auth/servicecontrol -- https://www.googleapis.com/auth/service.management.readonly -- https://www.googleapis.com/auth/trace.append +- [https://www.googleapis.com/auth/logging.write](https://www.googleapis.com/auth/logging.write) +- [https://www.googleapis.com/auth/monitoring.write](https://www.googleapis.com/auth/monitoring.write) +- [https://www.googleapis.com/auth/servicecontrol](https://www.googleapis.com/auth/servicecontrol) +- [https://www.googleapis.com/auth/service.management.readonly](https://www.googleapis.com/auth/service.management.readonly) +- [https://www.googleapis.com/auth/trace.append](https://www.googleapis.com/auth/trace.append) However, it's possible to **grant it `cloud-platform` with a click** or specify **custom ones**.
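Review bot: In the az-sql post-exploitation hunk, `--assign_identity` is not a valid Azure CLI parameter; `az sql server update` takes `--assign-identity` (short form `-i`), so the command as written fails with an unrecognized-argument error. The T-SQL that follows references `CREDENTIAL = ManagedIdentityCredential` without ever creating it; in Azure SQL Database the data source only resolves if the snippet first runs `CREATE DATABASE SCOPED CREDENTIAL ManagedIdentityCredential WITH IDENTITY = 'Managed Identity';` (which in turn needs a database master key to exist). `LOCATION = 'https://.blob.core.windows.net/'` has lost its storage account placeholder, and the lead sentence has two typos: "enalbe" should be "enable" and "an opertate" should be "and operate".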
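Review bot: In the Service Bus key-concepts hunk, the new block `https://.servicebus.windows.net:443/` is fenced as `bash` although it is a URL rather than a shell command, and the namespace placeholder in front of `.servicebus.windows.net` has been dropped; use a plain-text fence and restore the placeholder. The lead sentence `The service bus endpoint/connection string is:` also conflates two things: that URL is the endpoint, whereas a connection string, as the SAS policy bullets in the next hunk describe, bundles the endpoint together with a key name and key. Suggest "The Service Bus endpoint is:".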
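Review bot: In the `--disable-local-auth` hunk, the `When set to true` bullet says Azure AD authentication "is allowed", which understates the effect: once SAS authentication is disabled it is the only method that works, so the primary/secondary connection strings described just above stop being usable. Suggest "only Microsoft Entra ID (formerly Azure AD) authentication is accepted", and use the "Microsoft Entra" name here for consistency with the az-sql.md changes in this same PR. Formatting: the heading `### "--disable-local-auth"` should use backticks like the other parameter and permission headings (e.g. `### \`Microsoft.Sql/servers/firewallRules/write\``), `It’s` uses a curly apostrophe, and `When set to false:Both` is missing a space.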
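Review bot: In the az-sql.md `@@ -6,28 +6,45 @@` hunk the managed-identity paragraph misstates the system-assigned vs user-assigned distinction: both kinds are used by the server to authenticate to other services; the difference is lifecycle (a system-assigned identity is created and deleted with the server, a user-assigned identity is a standalone resource that can be attached to several servers). The sentence `be accessed by other services with other identities which is User assigned managed identity` reverses the direction and should be rewritten. Wording: `managed relational database service on that simplifies` has a dropped word, and `these are built on this servers and it is the entrypoint for user to access the databases` reads better as "databases are created under a logical server, which is the entry point clients connect to". Since that logical server is the container for Azure SQL Database rather than a separately purchased product, consider keeping "three main offerings" and introducing the server as part of the Database section. Minor: `until is configured manualy` should be "until one is configured manually", and `customer -managed key` has a stray space.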
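Review bot: In the `@@ -40,6 +57,44 @@` hunk, the `#### Network` block added under `### Azure SQL Database` (the `Network Connectivity` and `Connection Policy` bullets) duplicates, word for word and including the `until is configured manualy` typo, the block this same patch adds under `### Azure SQL Server`. These settings are configured on the logical server, so keep one copy there and point the database section at it. In the moved `Purchasing Models` bullet `128 TB storag` is truncated ("storage"), `Receives` in the Key Features bullet should be lowercase, and the `Server Identity` bullet lacks a terminating period.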
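Review bot: The `@@ -71,9 +127,9 @@` hunk only changes the indentation of the three `Advanced Security Features` bullets (`* **Threat Protection**`, `* **Access Control**`, `* **Backups**`) with no content change. If this is meant to fix list nesting, say so in the commit message; otherwise drop the whitespace-only churn so the diff stays reviewable.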
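Review bot: In the enumeration hunk, replacing the comment `# --output table` on `az sql server list` with `# managed identities are enumerated here too` loses a hint that is worth keeping alongside the new one: the server's `identity` property is a nested object that appears in the default JSON output but is dropped by `--output table`, so a reader using the table view would not see the identity the comment now points at. Suggest either stating that the identity is visible only in JSON output or adding a query that surfaces it, e.g. `az sql server list --query '[].{name:name,identity:identity.type}'`.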
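Review bot: In the GCP compute-instance hunk, five of the six default access scopes are wrapped in markdown links while the first, `- **https://www.googleapis.com/auth/devstorage.read\_only** -- Read access to buckets :)`, is left in the old bold form with an escaped underscore, so the list is now inconsistent. These scope strings are identifiers rather than browsable documentation pages, so either link all six or, preferably, leave them as plain code-formatted values.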