diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md
index 50e25c217..0eb9a3592 100644
--- a/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md
+++ b/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md
@@ -15,7 +15,7 @@ Learn & practice GCP Hacking:
\
+ --name \
+ --deleted-version
+```
+{% endcode %}
## Other interesting looking permissions (TODO)
diff --git a/pentesting-cloud/azure-security/az-services/az-file-shares.md b/pentesting-cloud/azure-security/az-services/az-file-shares.md
index 400d3a0e4..5ca733e45 100644
--- a/pentesting-cloud/azure-security/az-services/az-file-shares.md
+++ b/pentesting-cloud/azure-security/az-services/az-file-shares.md
@@ -43,6 +43,9 @@ Learn & practice GCP Hacking:
+az storage share-rm list --storage-account # To see the deleted ones too --include-deleted
# Get dirs/files inside the share
az storage file list --account-name --share-name
## If type is "dir", you can continue enumerating files inside of it
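Review bot: On the added `az storage share-rm list` line, `--include-deleted` sits inside the trailing comment, so anyone copying the command never sees soft-deleted shares, which is the point of the remark. Put the comment on its own line and follow it with the runnable command that has `--include-deleted` appended, matching the comment-then-command layout of the lines below it.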
@@ -65,6 +69,33 @@ az storage file list --account-name --share-name --snapshot
az storage file download-batch -d . --account-name --source --snapshot
```
{% endcode %}
+{% endtab %}
+
+{% tab title="Az PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+Get-AzStorageAccount
+
+# List File Shares
+Get-AzStorageShare -Context (Get-AzStorageAccount -ResourceGroupName "" -Name "").Context
+
+# Get Directories/Files Inside the Share
+Get-AzStorageFile -ShareName "" -Context (Get-AzStorageAccount -ResourceGroupName "" -Name "").Context
+Get-AzStorageFile -ShareName "" -Path "" -Context (Get-AzStorageAccount -ResourceGroupName "" -Name "").Context
+
+# Download a Complete Share
+Get-AzStorageFileContent -ShareName "" -Destination "C:\Download" -Path "" -Context (Get-AzStorageAccount -ResourceGroupName "" -Name "").Context
+
+# Get Snapshots/Backups
+Get-AzStorageShare -Context (Get-AzStorageAccount -ResourceGroupName "" -Name "").Context | Where-Object { $_.SnapshotTime -ne $null }
+
+# List Contents of a Snapshot/Backup
+Get-AzStorageFile -ShareName "" -Context (New-AzStorageContext -StorageAccountName "" -StorageAccountKey (Get-AzStorageAccountKey -ResourceGroupName "" -Name "" | Select-Object -ExpandProperty Value) -SnapshotTime "")
+
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
{% hint style="info" %}
By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login --enable-file-backup-request-intent`.
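Review bot: The `# Download a Complete Share` comment sits over a `Get-AzStorageFileContent ... -Path ""` call, which fetches the one path it is given rather than the whole share, while the az tab's counterpart is `download-batch`; relabel it as a single-file download or show the recursive form. In the snapshot line, `Get-AzStorageAccountKey ... | Select-Object -ExpandProperty Value` returns every key on the account, so `-StorageAccountKey` receives more than one value; select a single key. The same line places `-SnapshotTime` inside the `New-AzStorageContext` parentheses, so please confirm it is meant for the context cmdlet and not the outer call. Assigning the context to a variable once would also remove the repeated `(Get-AzStorageAccount ...).Context` lookups.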
diff --git a/pentesting-cloud/azure-security/az-services/az-table-storage.md b/pentesting-cloud/azure-security/az-services/az-table-storage.md
index 5290fdcde..1b7b3e923 100644
--- a/pentesting-cloud/azure-security/az-services/az-table-storage.md
+++ b/pentesting-cloud/azure-security/az-services/az-table-storage.md
@@ -41,6 +41,9 @@ There **isn't built-in backup mechanism** for table storage.
## Enumeration
+{% tabs %}
+{% tab title="az cli" %}
+{% code overflow="wrap" %}
```bash
# Get storage accounts
az storage account list
@@ -72,6 +75,20 @@ az storage entity merge \
--table-name mytable \
--entity PartitionKey=pk1 RowKey=rk1 Age=31
```
+{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# Get storage accounts
+Get-AzStorageAccount
+
+# List tables
+Get-AzStorageTable -Context (Get-AzStorageAccount -Name -ResourceGroupName ).Context
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
{% hint style="info" %}
By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login`.
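Review bot: The PowerShell tab stops at `Get-AzStorageTable`, while the az tab beside it goes on to entity operations (the `az storage entity merge` context at the top of this hunk), so the two tabs do not cover the same enumeration. Either add the entity-level step or state in the tab that only account and table listing is covered. The `info` hint after the tabs still speaks only of `az` and `--auth-mode login`; now that it follows both tabs, say how the `.Context` used in the PowerShell line authenticates.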
diff --git a/pentesting-cloud/azure-security/az-services/vms/README.md b/pentesting-cloud/azure-security/az-services/vms/README.md
index 9ff2e58ba..e664d118d 100644
--- a/pentesting-cloud/azure-security/az-services/vms/README.md
+++ b/pentesting-cloud/azure-security/az-services/vms/README.md
@@ -66,6 +66,9 @@ Azure Virtual Machines (VMs) are flexible, on-demand **cloud-based servers that
* It's possible to **generate a SAS URI** (of max 60days) to **export the disk**, which can be configured to require authentication or not
* Same in snapshots
+{% tabs %}
+{% tab title="az cli" %}
+{% code overflow="wrap" %}
```bash
# List all disks
az disk list --output table
@@ -73,6 +76,21 @@ az disk list --output table
# Get info about a disk
az disk show --name --resource-group
```
+{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# List all disks
+Get-AzDisk
+
+# Get info about a disk
+Get-AzDisk -Name -ResourceGroupName
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
+
## Images, Gallery Images & Restore points
@@ -81,6 +99,9 @@ Images can be managed in the **Images section** of Azure or inside **Azure compu
A **restore point** stores the VM configuration and **point-in-time** application-consistent **snapshots of all the managed disks** attached to the VM. It's related to the VM and its purpose is to be able to restore that VM to how it was in that specific point in it.
+{% tabs %}
+{% tab title="az cli" %}
+{% code overflow="wrap" %}
```bash
# Shared Image Galleries | Compute Galleries
## List all galleries and get info about one
@@ -112,6 +133,36 @@ az image list --output table
az restore-point collection list-all --output table
az restore-point collection show --collection-name --resource-group
```
+{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+## List all galleries and get info about one
+Get-AzGallery
+Get-AzGallery -Name -ResourceGroupName
+
+## List all image definitions in a gallery and get info about one
+Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName
+Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName -Name
+
+## List all the versions of an image definition in a gallery
+Get-AzGalleryImageVersion -GalleryImageDefinitionName -GalleryName -ResourceGroupName
+
+## List all VM applications inside a gallery
+Get-AzGalleryApplication -GalleryName -ResourceGroupName
+
+# Images
+# List all managed images in your subscription
+Get-AzImage -Name -ResourceGroupName
+
+# Restore points
+## List all restore points and get info about 1
+Get-AzRestorePointCollection -Name -ResourceGroupName
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
## Azure Site Recovery
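Review bot: Two comments in the PowerShell tab promise a listing that the command under them does not perform: `# List all managed images in your subscription` is followed by `Get-AzImage -Name -ResourceGroupName`, which targets one image, and `## List all restore points and get info about 1` has only a single scoped `Get-AzRestorePointCollection` call. Follow the gallery lines above them, which pair an unscoped call with a scoped one, or reword the comments. The tab also drops the `# Shared Image Galleries | Compute Galleries` heading that opens the az tab.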
@@ -125,6 +176,8 @@ The Bastion deploys a subnet called **`AzureBastionSubnet`** with a `/26` netmas
To list all Azure Bastion Hosts in your subscription and connect to VMs through them, you can use the following commands:
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List bastions
@@ -149,6 +202,16 @@ az network bastion rdp \
--password
```
{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# List bastions
+Get-AzBastion
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
## Metadata
@@ -302,7 +365,6 @@ az vm run-command list --output table
```
{% endcode %}
{% endtab %}
-
{% tab title="Az PS" %}
```powershell
# Get readable VMs
@@ -321,7 +383,79 @@ Get-AzVMExtension -ResourceGroupName -VMName
Get-AzVM | select -ExpandProperty NetworkProfile # Get name of network connector of VM
Get-AzNetworkInterface -Name # Get info of network connector (like IP)
+
+# Disks
+## List all disks and get info about one
+Get-AzDisk
+Get-AzDisk -Name -ResourceGroupName
+
+# Snapshots
+## List all galleries abd get info about one
+Get-AzGallery
+Get-AzGallery -Name -ResourceGroupName
+
+## List all snapshots and get info about one
+Get-AzSnapshot
+Get-AzSnapshot -Name -ResourceGroupName
+
+## List all image definitions in a gallery and get info about one
+Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName
+Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName -Name
+
+## List all the versions of an image definition in a gallery
+Get-AzGalleryImageVersion -GalleryImageDefinitionName -GalleryName -ResourceGroupName
+
+## List all VM applications inside a gallery
+Get-AzGalleryApplication -GalleryName -ResourceGroupName
+
+# Images
+# List all managed images in your subscription
+Get-AzImage -Name -ResourceGroupName
+
+# Restore points
+## List all restore points and get info about 1
+Get-AzRestorePointCollection -Name -ResourceGroupName
+
+# Bastion
+## List bastions
+Get-AzBastion
+
+# Network
+## List all VNets in your subscription
+Get-AzVirtualNetwork
+
+## List VNet peering connections for a given VNet
+(Get-AzVirtualNetwork -ResourceGroupName -Name ).VirtualNetworkPeerings
+
+## List Shared Resources (e.g., Azure Firewall) in the Hub
+Get-AzFirewall
+
+## List VPN Gateways
+Get-AzVirtualNetworkGateway -ResourceGroupName
+
+## List VPN Connections
+Get-AzVirtualNetworkGatewayConnection -ResourceGroupName
+
+## List ExpressRoute Circuits
+Get-AzExpressRouteCircuit
+
+# Misc
+## List all virtual machine scale sets
+Get-AzVmss
+
+## List all availability sets
+Get-AzAvailabilitySet
+
+## List all load balancers
+Get-AzLoadBalancer
+
+## List all storage accounts
+Get-AzStorageAccount
+
+## List all custom script extensions on a specific VM
+Get-AzVMExtension -VMName -ResourceGroupName
```
+{% endcode %}
{% endtab %}
{% endtabs %}
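Review bot: The added `{% endcode %}` before `{% endtab %}` has no opener: in the context of the previous hunk, `{% tab title="Az PS" %}` is followed directly by the powershell fence with no `{% code %}` line, so either add the opener there or drop this closer. Under `# Snapshots`, the first entry is `## List all galleries abd get info about one`: "abd" is a typo, and the gallery and image-definition commands belong under their own heading rather than under Snapshots. The Disks, gallery, restore-point and Bastion lines also repeat the dedicated PowerShell tabs added earlier in this file's diff, which leaves two copies to keep in sync.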
@@ -337,6 +471,9 @@ The required permission is **`Microsoft.Compute/virtualMachines/extensions/write
It's possible to list all the available extensions with:
+{% tabs %}
+{% tab title="Az Cli" %}
+{% code overflow="wrap" %}
```bash
# It takes some mins to run
az vm extension image list --output table
@@ -344,6 +481,18 @@ az vm extension image list --output table
# Get extensions by publisher
az vm extension image list --publisher "Site24x7" --output table
```
+{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# It takes some mins to run
+Get-AzVMExtensionImage -Location -PublisherName -Type
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
+
It's possible to **run custom extensions that runs custom code**:
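Review bot: The `# It takes some mins to run` comment was copied from the az tab, but `Get-AzVMExtensionImage -Location -PublisherName -Type` is scoped to one location, publisher and type, so it is not the full listing that the sentence before the tabs announces. Reword the comment to say what this call returns, and add the publisher-level step so the tab has a counterpart to `# Get extensions by publisher` in the az tab.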
diff --git a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
index daa687f26..83208cca7 100644
--- a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
+++ b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
@@ -37,6 +37,8 @@ By default all subnets within the same Azure Virtual Network (VNet) **can commun
To list all the VNets and subnets in an Azure account, you can use the Azure Command-Line Interface (CLI). Here are the steps:
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List VNets
@@ -46,6 +48,21 @@ az network vnet list --query "[].{name:name, location:location, addressSpace:add
az network vnet subnet list --resource-group --vnet-name --query "[].{name:name, addressPrefix:addressPrefix}" -o table
```
{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# List VNets
+Get-AzVirtualNetwork | Select-Object Name, Location, @{Name="AddressSpace"; Expression={$_.AddressSpace.AddressPrefixes}}
+
+# List subnets of a VNet
+Get-AzVirtualNetwork -ResourceGroupName -Name |
+Select-Object -ExpandProperty Subnets |
+Select-Object Name, AddressPrefix
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
## Network Security Groups (NSG)
@@ -60,6 +77,8 @@ NSGs can be associated to **subnets and NICs.**
### Enumeration
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List NSGs
@@ -73,7 +92,23 @@ az network nsg rule list --nsg-name --resource-group -ResourceGroupName
+# Get NSG rules
+(Get-AzNetworkSecurityGroup -ResourceGroupName -Name ).SecurityRules
+
+# Get NICs and subnets using this NSG
+(Get-AzNetworkSecurityGroup -Name -ResourceGroupName ).Subnets
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
## Azure Firewall
Azure Firewall is a **managed network security service** in Azure that protects cloud resources by inspecting and controlling traffic. It is a **stateful firewall** that filters traffic based on rules for Layers 3 to 7, supporting communication both **within Azure** (east-west traffic) and **to/from external networks** (north-south traffic). Deployed at the **Virtual Network (VNet) level**, it provides centralized protection for all subnets in the VNet. Azure Firewall automatically scales to handle traffic demands and ensures high availability without requiring manual setup.
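Review bot: `# Get NICs and subnets using this NSG` is followed by a line that reads only `.Subnets`, so NIC associations are never shown even though the surrounding text says NSGs attach to subnets and NICs. Add the matching `.NetworkInterfaces` read on the same object, or drop NICs from the comment.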
@@ -92,6 +127,8 @@ It is available in three SKUs—**Basic**, **Standard**, and **Premium**, each t
### Enumeration
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List Azure Firewalls
@@ -107,6 +144,25 @@ az network firewall application-rule collection list --firewall-name --resource-group --query "[].{name:name, rules:rules}" -o table
```
{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# List Azure Firewalls
+Get-AzFirewall
+
+# Get network rules of a firewall
+(Get-AzFirewall -Name -ResourceGroupName ).NetworkRuleCollections
+
+# Get application rules of a firewall
+(Get-AzFirewall -Name -ResourceGroupName ).ApplicationRuleCollections
+
+# Get nat rules of a firewall
+(Get-AzFirewall -Name -ResourceGroupName ).NatRuleCollections
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
## Azure Route Tables
@@ -116,6 +172,8 @@ Azure **Route Tables** are used to control the routing of network traffic within
### **Enumeration**
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List Route Tables
@@ -125,7 +183,19 @@ az network route-table list --query "[].{name:name, resourceGroup:resourceGroup,
az network route-table route list --route-table-name --resource-group --query "[].{name:name, addressPrefix:addressPrefix, nextHopType:nextHopType, nextHopIpAddress:nextHopIpAddress}" -o table
```
{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# List Route Tables
+Get-AzRouteTable
+# List routes for a table
+(Get-AzRouteTable -Name -ResourceGroupName ).Routes
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
## Azure Private Link
Azure Private Link is a service in Azure that **enables private access to Azure services** by ensuring that **traffic between your Azure virtual network (VNet) and the service travels entirely within Microsoft's Azure backbone network**. It effectively brings the service into your VNet. This setup enhances security by not exposing the data to the public internet.
@@ -142,6 +212,8 @@ Consider a scenario where you have an **Azure SQL Database that you want to acce
### **Enumeration**
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List Private Link Services
@@ -151,6 +223,19 @@ az network private-link-service list --query "[].{name:name, location:location,
az network private-endpoint list --query "[].{name:name, location:location, resourceGroup:resourceGroup, privateLinkServiceConnections:privateLinkServiceConnections}" -o table
```
{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# List Private Link Services
+Get-AzPrivateLinkService | Select-Object Name, Location, ResourceGroupName
+
+# List Private Endpoints
+Get-AzPrivateEndpoint | Select-Object Name, Location, ResourceGroupName, PrivateEndpointConnections
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
## Azure Service Endpoints
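Review bot: In the `# List Private Endpoints` line the PowerShell tab selects `PrivateEndpointConnections`, while the az query it mirrors projects `privateLinkServiceConnections`. If both tabs are meant to return the same data, select the same property here; as written the last column may not show which service each endpoint is connected to.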
@@ -162,6 +247,8 @@ For instance, an **Azure Storage** account by default is accessible over the pub
### **Enumeration**
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List Virtual Networks with Service Endpoints
@@ -171,6 +258,19 @@ az network vnet list --query "[].{name:name, location:location, serviceEndpoints
az network vnet subnet list --resource-group --vnet-name --query "[].{name:name, serviceEndpoints:serviceEndpoints}" -o table
```
{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# List Virtual Networks with Service Endpoints
+Get-AzVirtualNetwork
+
+# List Subnets with Service Endpoints
+(Get-AzVirtualNetwork -ResourceGroupName -Name ).Subnets
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
### Differences Between Service Endpoints and Private Links
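Review bot: Both PowerShell comments say "with Service Endpoints", but `Get-AzVirtualNetwork` and `.Subnets` return every VNet and subnet without surfacing that field, whereas the az queries project `serviceEndpoints` explicitly. Pipe the subnets through `Select-Object Name, ServiceEndpoints` (or filter on it) so the output answers the question the comment poses.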
@@ -208,6 +308,8 @@ Imagine you have a globally distributed application with users all around the wo
### Enumeration
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List Azure Front Door Instances
@@ -217,6 +319,19 @@ az network front-door list --query "[].{name:name, resourceGroup:resourceGroup,
az network front-door waf-policy list --query "[].{name:name, resourceGroup:resourceGroup, location:location}" -o table
```
{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# List Azure Front Door Instances
+Get-AzFrontDoor
+
+# List Front Door WAF Policies
+Get-AzFrontDoorWafPolicy -Name -ResourceGroupName
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
## Azure Application Gateway and Azure Application Gateway WAF
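Review bot: `# List Front Door WAF Policies` is followed by `Get-AzFrontDoorWafPolicy -Name -ResourceGroupName`, which asks for one named policy, while the az line above it lists them all. Drop `-Name` from the listing form, or change the comment to say it retrieves a single policy.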
@@ -229,12 +344,24 @@ And **protect your website from attacks using the WAF capabilities.**
### **Enumeration**
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List the Web Application Firewall configurations for your Application Gateways
az network application-gateway waf-config list --gateway-name --resource-group --query "[].{name:name, firewallMode:firewallMode, ruleSetType:ruleSetType, ruleSetVersion:ruleSetVersion}" -o table
```
{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# List the Web Application Firewall configurations for your Application Gateways
+(Get-AzApplicationGateway -Name -ResourceGroupName ).WebApplicationFirewallConfiguration
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
## Azure Hub, Spoke & VNet Peering
@@ -253,6 +380,8 @@ Imagine a company with separate departments like Sales, HR, and Development, **e
### Enumeration
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List all VNets in your subscription
@@ -265,6 +394,22 @@ az network vnet peering list --resource-group --vnet-name -Name ).VirtualNetworkPeerings
+
+# List Shared Resources (e.g., Azure Firewall) in the Hub
+Get-AzFirewall
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
## Site-to-Site VPN
@@ -276,6 +421,8 @@ A business with its main office located in New York has an on-premises data cent
### **Enumeration**
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List VPN Gateways
@@ -285,6 +432,19 @@ az network vnet-gateway list --query "[].{name:name, location:location, resource
az network vpn-connection list --gateway-name --resource-group --query "[].{name:name, connectionType:connectionType, connectionStatus:connectionStatus}" -o table
```
{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# List VPN Gateways
+Get-AzVirtualNetworkGateway -ResourceGroupName
+
+# List VPN Connections
+Get-AzVirtualNetworkGatewayConnection -ResourceGroupName
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
## Azure ExpressRoute
@@ -296,12 +456,24 @@ A multinational corporation requires a **consistent and reliable connection to i
### **Enumeration**
+{% tabs %}
+{% tab title="az cli" %}
{% code overflow="wrap" %}
```bash
# List ExpressRoute Circuits
az network express-route list --query "[].{name:name, location:location, resourceGroup:resourceGroup, serviceProviderName:serviceProviderName, peeringLocation:peeringLocation}" -o table
```
{% endcode %}
+{% endtab %}
+{% tab title="PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+# List ExpressRoute Circuits
+Get-AzExpressRouteCircuit
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}
{% hint style="success" %}
Learn & practice AWS Hacking:
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)
\