From 6d88cb548f45a8b18f1e22cb0fc69aea5f6c1697 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Tue, 4 Mar 2025 23:07:33 +0100 Subject: [PATCH] impr --- src/pentesting-cloud/azure-security/README.md | 29 +++++++++++++++---- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/src/pentesting-cloud/azure-security/README.md b/src/pentesting-cloud/azure-security/README.md index 0becd06b1..05228483d 100644 --- a/src/pentesting-cloud/azure-security/README.md +++ b/src/pentesting-cloud/azure-security/README.md @@ -173,6 +173,9 @@ You should start finding out the **permissions you have** over the resources. Fo 1. **Find the resource you have some acecss to**: +> [!TIP] +> This doesn't require any special permission. + The Az PoswerShell command **`Get-AzResource`** lets you **know the resources your current user has visibility over**. Moreover, you can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" or executing: 
@@ -180,11 +183,26 @@ Moreover, you can get the same info in the **web console** going to [https://por az rest --method GET --url "https://management.azure.com/subscriptions//resources?api-version=2021-04-01" ``` -2. **Find the permissions you have over the resources you have access to and find the roles assigned to you**: +2. **Find the permissions you have over the resources you can see**: -Note that you need the permission **`Microsoft.Authorization/roleAssignments/read`** to execute this action. +> [!TIP] +> This doesn't require any special permission. -Furthermore, with enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in: +Talking to the API **`https://management.azure.com/{resource_id}/providers/Microsoft.Authorization/permissions?api-version=2022-04-01`** you can get the permissions you have over the specified resource in the **`resource_id`**. + +Therefore, **checking each of the resources you have access to**, you can get the permissions you have over them. + +> [!WARNING] +> You can automate this enumeration using the tool **[Find_My_Az_Management_Permissions](https://github.com/carlospolop/Find_My_Az_Management_Permissions)**. + + +
+Enumerate permissions with **`Microsoft.Authorization/roleAssignments/read`** + +> [!TIP] +> Note that you need the permission **`Microsoft.Authorization/roleAssignments/read`** to execute this action. + +- With enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in: ```bash Get-AzRoleAssignment -Scope /subscriptions//resourceGroups/Resource_Group_1/providers/Microsoft.RecoveryServices/vaults/vault-m3ww8ut4 ``` @@ -200,7 +218,7 @@ like in: az rest --method GET --uri "https://management.azure.com//subscriptions//resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/vault-m3ww8ut4/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" | jq ".value" ``` -Another option is to get the roles attached to you in azure with: +- Another option is to **get the roles attached to you in azure**. This also requires the permission **`Microsoft.Authorization/roleAssignments/read`**: ```bash az role assignment list --assignee "" --all --output table @@ -213,7 +231,7 @@ az rest --method GET --uri 'https://management.azure.com/subscriptions/").Actions`**. @@ -223,6 +241,7 @@ Or call the API directly with az rest --method GET --uri "https://management.azure.com//subscriptions//providers/Microsoft.Authorization/roleDefinitions/?api-version=2022-04-01" | jq ".properties" ``` +
In the following section you can find **information about the most common Azure services and how to enumerate them**:
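Review bot: the TIP added above `Get-AzResource` in the first hunk ("This doesn't require any special permission") is imprecise: the very next sentence says the cmdlet only lists resources the user "has visibility over", so a principal with no role assignment at all gets an empty result. Reword to something like "needs no permission beyond the read access that makes a resource visible", and while touching this block fix "acecss" and "PoswerShell" in the surrounding lines.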
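Review bot: the rewritten step 2 describes the `.../providers/Microsoft.Authorization/permissions?api-version=2022-04-01` endpoint in prose only, while every other step shows the exact command; add the invocation, e.g. `az rest --method GET --url "https://management.azure.com/{resource_id}/providers/Microsoft.Authorization/permissions?api-version=2022-04-01"`, and state that `{resource_id}` is the full ARM resource id as returned by step 1. The second "This doesn't require any special permission" TIP repeats the first verbatim; since this hunk deletes the sentence about `roleAssignments/read`, say instead what the endpoint does: it returns the caller's own effective permissions on that scope. In the same hunk, `Get-AzRoleAssignment` is a cmdlet, not a "role", and "indicatig" should be "indicating".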
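Review bot: the new bullet "get the roles attached to you in azure" should capitalise "Azure", and the `az role assignment list --assignee "" --all` it introduces only reports direct assignments within the current subscription; assignments granted via group membership or inherited from a management group are missed unless `--include-groups` and `--include-inherited` are added, which matters for a step whose purpose is to find every role the caller holds.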
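Review bot: the section opened as "Enumerate permissions with `Microsoft.Authorization/roleAssignments/read`" is closed by the last hunk only after the `roleDefinitions/?api-version=2022-04-01` `az rest` call, but reading a role definition is gated by `Microsoft.Authorization/roleDefinitions/read`, not `roleAssignments/read`; either retitle the section to name both permissions or close it before the role-definition lookup so the heading stays accurate.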