From 87c89d2f25fc9282d1c3dfa59b03781ff9018b33 Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 13 Dec 2024 01:31:02 +0100 Subject: [PATCH 1/6] Update README.md --- .../azure-security/az-services/vms/README.md | 151 +++++++++++++++++- 1 file changed, 150 insertions(+), 1 deletion(-) diff --git a/pentesting-cloud/azure-security/az-services/vms/README.md b/pentesting-cloud/azure-security/az-services/vms/README.md index 9ff2e58ba..e664d118d 100644 --- a/pentesting-cloud/azure-security/az-services/vms/README.md +++ b/pentesting-cloud/azure-security/az-services/vms/README.md @@ -66,6 +66,9 @@ Azure Virtual Machines (VMs) are flexible, on-demand **cloud-based servers that * It's possible to **generate a SAS URI** (of max 60days) to **export the disk**, which can be configured to require authentication or not * Same in snapshots +{% tabs %} +{% tab title="az cli" %} +{% code overflow="wrap" %} ```bash # List all disks az disk list --output table @@ -73,6 +76,21 @@ az disk list --output table # Get info about a disk az disk show --name --resource-group ``` +{% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List all disks +Get-AzDisk + +# Get info about a disk +Get-AzDisk -Name -ResourceGroupName +``` +{% endcode %} +{% endtab %} +{% endtabs %} + ## Images, Gallery Images & Restore points @@ -81,6 +99,9 @@ Images can be managed in the **Images section** of Azure or inside **Azure compu A **restore point** stores the VM configuration and **point-in-time** application-consistent **snapshots of all the managed disks** attached to the VM. It's related to the VM and its purpose is to be able to restore that VM to how it was in that specific point in it. +{% tabs %} +{% tab title="az cli" %} +{% code overflow="wrap" %} ```bash # Shared Image Galleries | Compute Galleries ## List all galleries and get info about one 
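Review bot: The PowerShell tab added to the Bastion section (`+Get-AzBastion`) drops the connect half of the az cli tab (`az network bastion rdp` and the ssh variant above it); Az PowerShell has no cmdlet that opens a Bastion tunnel, so either say that inside the tab or at least match the enumeration detail, e.g. `Get-AzBastion -Name <bastion> -ResourceGroupName <rg>` and its `IpConfigurations` to find the `AzureBastionSubnet` and public IP it fronts. Also settle on one tab title: this patch introduces `az cli`, `Az Cli` and `PowerShell` while the existing tabs in the same file use `Az PS`.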
@@ -112,6 +133,36 @@ az image list --output table az restore-point collection list-all --output table az restore-point collection show --collection-name --resource-group ``` +{% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +## List all galleries and get info about one +Get-AzGallery +Get-AzGallery -Name -ResourceGroupName + +## List all image definitions in a gallery and get info about one +Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName +Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName -Name + +## List all the versions of an image definition in a gallery +Get-AzGalleryImageVersion -GalleryImageDefinitionName -GalleryName -ResourceGroupName + +## List all VM applications inside a gallery +Get-AzGalleryApplication -GalleryName -ResourceGroupName + +# Images +# List all managed images in your subscription +Get-AzImage -Name -ResourceGroupName + +# Restore points +## List all restore points and get info about 1 +Get-AzRestorePointCollection -Name -ResourceGroupName +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Site Recovery @@ -125,6 +176,8 @@ The Bastion deploys a subnet called **`AzureBastionSubnet`** with a `/26` netmas To list all Azure Bastion Hosts in your subscription and connect to VMs through them, you can use the following commands: +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List bastions @@ -149,6 +202,16 @@ az network bastion rdp \ --password ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List bastions +Get-AzBastion +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Metadata @@ -302,7 +365,6 @@ az vm run-command list --output table ``` {% endcode %} {% endtab %} - {% tab title="Az PS" %} ```powershell # Get readable VMs 
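Review bot: In the PowerShell tab added for Images and Restore points the comments promise a listing but the cmdlets are pinned to one resource: under `# List all managed images in your subscription` the line `+Get-AzImage -Name -ResourceGroupName` should be a bare `Get-AzImage`, and under `## List all restore points and get info about 1` the line `+Get-AzRestorePointCollection -Name -ResourceGroupName` returns a single collection, not the restore points. List the collections with `Get-AzRestorePointCollection -ResourceGroupName <rg>` (no `-Name`) and read the points of one collection from its `RestorePoints` property, which is what the az cli `restore-point collection list-all` / `show` pair on the other tab gives.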
@@ -321,7 +383,79 @@ Get-AzVMExtension -ResourceGroupName -VMName Get-AzVM | select -ExpandProperty NetworkProfile # Get name of network connector of VM Get-AzNetworkInterface -Name # Get info of network connector (like IP) + +# Disks +## List all disks and get info about one +Get-AzDisk +Get-AzDisk -Name -ResourceGroupName + +# Snapshots +## List all galleries abd get info about one +Get-AzGallery +Get-AzGallery -Name -ResourceGroupName + +## List all snapshots and get info about one +Get-AzSnapshot +Get-AzSnapshot -Name -ResourceGroupName + +## List all image definitions in a gallery and get info about one +Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName +Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName -Name + +## List all the versions of an image definition in a gallery +Get-AzGalleryImageVersion -GalleryImageDefinitionName -GalleryName -ResourceGroupName + +## List all VM applications inside a gallery +Get-AzGalleryApplication -GalleryName -ResourceGroupName + +# Images +# List all managed images in your subscription +Get-AzImage -Name -ResourceGroupName + +# Restore points +## List all restore points and get info about 1 +Get-AzRestorePointCollection -Name -ResourceGroupName + +# Bastion +## List bastions +Get-AzBastion + +# Network +## List all VNets in your subscription +Get-AzVirtualNetwork + +## List VNet peering connections for a given VNet +(Get-AzVirtualNetwork -ResourceGroupName -Name ).VirtualNetworkPeerings + +## List Shared Resources (e.g., Azure Firewall) in the Hub +Get-AzFirewall + +## List VPN Gateways +Get-AzVirtualNetworkGateway -ResourceGroupName + +## List VPN Connections +Get-AzVirtualNetworkGatewayConnection -ResourceGroupName + +## List ExpressRoute Circuits +Get-AzExpressRouteCircuit + +# Misc +## List all virtual machine scale sets +Get-AzVmss + +## List all availability sets +Get-AzAvailabilitySet + +## List all load balancers +Get-AzLoadBalancer + +## List all storage accounts +Get-AzStorageAccount + +## List 
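Review bot: The block appended to the `Az PS` tab mislabels the gallery cmdlets: `+# Snapshots` / `+## List all galleries abd get info about one` is followed by `Get-AzGallery`, and the actual `Get-AzSnapshot` lines come after it; fix the heading and the `abd` typo. More importantly the whole appended list (disks, galleries, images, restore points, bastion, VNets, peerings, firewall, VPN gateways, ExpressRoute) duplicates the per-section PowerShell tabs that this same patch adds above in this file and that patch 2 adds to az-azure-network.md, so two copies of the same commands will drift; keep either the summary list or the per-section tabs, not both.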
all custom script extensions on a specific VM +Get-AzVMExtension -VMName -ResourceGroupName ``` +{% endcode %} {% endtab %} {% endtabs %} @@ -337,6 +471,9 @@ The required permission is **`Microsoft.Compute/virtualMachines/extensions/write It's possible to list all the available extensions with: +{% tabs %} +{% tab title="Az Cli" %} +{% code overflow="wrap" %} ```bash # It takes some mins to run az vm extension image list --output table @@ -344,6 +481,18 @@ az vm extension image list --output table # Get extensions by publisher az vm extension image list --publisher "Site24x7" --output table ``` +{% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# It takes some mins to run +Get-AzVMExtensionImage -Location -PublisherName -Type +``` +{% endcode %} +{% endtab %} +{% endtabs %} + It's possible to **run custom extensions that runs custom code**: From 509183b03007ae69105d5e46934788f53d99f81a Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 13 Dec 2024 01:32:10 +0100 Subject: [PATCH 2/6] Update az-azure-network.md --- .../az-services/vms/az-azure-network.md | 172 ++++++++++++++++++ 1 file changed, 172 insertions(+) diff --git a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md index daa687f26..83208cca7 100644 --- a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md +++ b/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md @@ -37,6 +37,8 @@ By default all subnets within the same Azure Virtual Network (VNet) **can commun To list all the VNets and subnets in an Azure account, you can use the Azure Command-Line Interface (CLI). Here are the steps: +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List VNets 
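Review bot: The `+{% endcode %}` added after the closing fence of the `Az PS` tab has no opener: the context shows that tab going straight from `{% tab title="Az PS" %}` to the ```powershell fence with no `{% code overflow="wrap" %}`, so either add the opener under the tab line or drop the endcode, otherwise the GitBook tags are unbalanced. Two smaller points in the same region: `+## List all custom script extensions on a specific VM` / `+Get-AzVMExtension -VMName -ResourceGroupName` returns every extension (and repeats the `Get-AzVMExtension -ResourceGroupName -VMName` line already at the top of the block); if the intent is custom script, filter with `Where-Object ExtensionType -in 'CustomScript','CustomScriptExtension'`. And in the extensions hunk `+Get-AzVMExtensionImage -Location -PublisherName -Type` is not a "list all" like `az vm extension image list`; all three parameters are required, so show the discovery chain `Get-AzVMImagePublisher -Location <loc>` then `Get-AzVMExtensionImageType -Location <loc> -PublisherName <pub>` before `Get-AzVMExtensionImage`, and drop the copied `# It takes some mins to run` comment, which only applies to the cli call.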
@@ -46,6 +48,21 @@ az network vnet list --query "[].{name:name, location:location, addressSpace:add az network vnet subnet list --resource-group --vnet-name --query "[].{name:name, addressPrefix:addressPrefix}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List VNets +Get-AzVirtualNetwork | Select-Object Name, Location, @{Name="AddressSpace"; Expression={$_.AddressSpace.AddressPrefixes}} + +# List subnets of a VNet +Get-AzVirtualNetwork -ResourceGroupName -Name | +Select-Object -ExpandProperty Subnets | +Select-Object Name, AddressPrefix +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Network Security Groups (NSG) @@ -60,6 +77,8 @@ NSGs can be associated to **subnets and NICs.** ### Enumeration +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List NSGs @@ -73,7 +92,23 @@ az network nsg rule list --nsg-name --resource-group -ResourceGroupName +# Get NSG rules +(Get-AzNetworkSecurityGroup -ResourceGroupName -Name ).SecurityRules + +# Get NICs and subnets using this NSG +(Get-AzNetworkSecurityGroup -Name -ResourceGroupName ).Subnets +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Firewall Azure Firewall is a **managed network security service** in Azure that protects cloud resources by inspecting and controlling traffic. It is a **stateful firewall** that filters traffic based on rules for Layers 3 to 7, supporting communication both **within Azure** (east-west traffic) and **to/from external networks** (north-south traffic). Deployed at the **Virtual Network (VNet) level**, it provides centralized protection for all subnets in the VNet. Azure Firewall automatically scales to handle traffic demands and ensures high availability without requiring manual setup. 
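Review bot: In the NSG PowerShell tab the comment `+# Get NICs and subnets using this NSG` is followed only by `(Get-AzNetworkSecurityGroup -Name -ResourceGroupName ).Subnets`, which returns subnets alone; NIC associations are in the `.NetworkInterfaces` property, so show both. Also `.SecurityRules` omits the default rules (`.DefaultSecurityRules`, e.g. AllowVnetInBound, AllowAzureLoadBalancerInBound), which matter when reading what traffic an NSG really permits; the az cli tab has the same blind spot with `az network nsg rule list` unless `--include-default` is passed.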
@@ -92,6 +127,8 @@ It is available in three SKUs—**Basic**, **Standard**, and **Premium**, each t ### Enumeration +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List Azure Firewalls @@ -107,6 +144,25 @@ az network firewall application-rule collection list --firewall-name --resource-group --query "[].{name:name, rules:rules}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List Azure Firewalls +Get-AzFirewall + +# Get network rules of a firewall +(Get-AzFirewall -Name -ResourceGroupName ).NetworkRuleCollections + +# Get application rules of a firewall +(Get-AzFirewall -Name -ResourceGroupName ).ApplicationRuleCollections + +# Get nat rules of a firewall +(Get-AzFirewall -Name -ResourceGroupName ).NatRuleCollections +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Route Tables @@ -116,6 +172,8 @@ Azure **Route Tables** are used to control the routing of network traffic within ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List Route Tables 
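Review bot: The three properties read in the Azure Firewall PowerShell tab (`+(Get-AzFirewall -Name -ResourceGroupName ).NetworkRuleCollections`, `.ApplicationRuleCollections`, `.NatRuleCollections`) only hold classic rules; a firewall attached to a Firewall Policy (mandatory for Premium and for hub deployments) returns them empty. Check `.FirewallPolicy.Id` and, when set, enumerate the rules with `Get-AzFirewallPolicy` and `Get-AzFirewallPolicyRuleCollectionGroup -ResourceGroupName <rg> -AzureFirewallPolicyName <policy> -Name <group>`; the az cli tab has the same gap (`az network firewall policy rule-collection-group list`).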
@@ -125,7 +183,19 @@ az network route-table list --query "[].{name:name, resourceGroup:resourceGroup, az network route-table route list --route-table-name --resource-group --query "[].{name:name, addressPrefix:addressPrefix, nextHopType:nextHopType, nextHopIpAddress:nextHopIpAddress}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List Route Tables +Get-AzRouteTable +# List routes for a table +(Get-AzRouteTable -Name -ResourceGroupName ).Routes +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Private Link Azure Private Link is a service in Azure that **enables private access to Azure services** by ensuring that **traffic between your Azure virtual network (VNet) and the service travels entirely within Microsoft's Azure backbone network**. It effectively brings the service into your VNet. This setup enhances security by not exposing the data to the public internet. @@ -142,6 +212,8 @@ Consider a scenario where you have an **Azure SQL Database that you want to acce ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List Private Link Services @@ -151,6 +223,19 @@ az network private-link-service list --query "[].{name:name, location:location, az network private-endpoint list --query "[].{name:name, location:location, resourceGroup:resourceGroup, privateLinkServiceConnections:privateLinkServiceConnections}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List Private Link Services +Get-AzPrivateLinkService | Select-Object Name, Location, ResourceGroupName + +# List Private Endpoints +Get-AzPrivateEndpoint | Select-Object Name, Location, ResourceGroupName, PrivateEndpointConnections +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Service Endpoints 
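Review bot: In the Private Link PowerShell tab, `+Get-AzPrivateEndpoint | Select-Object Name, Location, ResourceGroupName, PrivateEndpointConnections` will print an empty column: `PrivateEndpointConnections` is a property of the private link service object (`Get-AzPrivateLinkService`), while a private endpoint exposes `PrivateLinkServiceConnections` and `ManualPrivateLinkServiceConnections`. To show what each endpoint points at, which is the interesting part for enumeration, use something like `Select-Object Name, ResourceGroupName, @{n='Target';e={$_.PrivateLinkServiceConnections.PrivateLinkServiceId}}`.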
@@ -162,6 +247,8 @@ For instance, an **Azure Storage** account by default is accessible over the pub ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List Virtual Networks with Service Endpoints @@ -171,6 +258,19 @@ az network vnet list --query "[].{name:name, location:location, serviceEndpoints az network vnet subnet list --resource-group --vnet-name --query "[].{name:name, serviceEndpoints:serviceEndpoints}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List Virtual Networks with Service Endpoints +Get-AzVirtualNetwork + +# List Subnets with Service Endpoints +(Get-AzVirtualNetwork -ResourceGroupName -Name ).Subnets +``` +{% endcode %} +{% endtab %} +{% endtabs %} ### Differences Between Service Endpoints and Private Links @@ -208,6 +308,8 @@ Imagine you have a globally distributed application with users all around the wo ### Enumeration +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List Azure Front Door Instances @@ -217,6 +319,19 @@ az network front-door list --query "[].{name:name, resourceGroup:resourceGroup, az network front-door waf-policy list --query "[].{name:name, resourceGroup:resourceGroup, location:location}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List Azure Front Door Instances +Get-AzFrontDoor + +# List Front Door WAF Policies +Get-AzFrontDoorWafPolicy -Name -ResourceGroupName +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Application Gateway and Azure Application Gateway WAF 
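Review bot: The Service Endpoints PowerShell tab does not enumerate service endpoints: `+# List Virtual Networks with Service Endpoints` / `+Get-AzVirtualNetwork` returns every VNet, and endpoints live on subnets, so filter on the subnet's `ServiceEndpoints` property, e.g. `Get-AzVirtualNetwork | Select-Object -ExpandProperty Subnets | Where-Object { $_.ServiceEndpoints } | Select-Object Name, @{n='Services';e={$_.ServiceEndpoints.Service}}`. In the Front Door hunk, `+Get-AzFrontDoorWafPolicy -Name -ResourceGroupName` under `# List Front Door WAF Policies` fetches one policy; drop `-Name` to list the resource group. Note also that `Get-AzFrontDoor` only returns classic Front Door instances; Standard/Premium profiles are enumerated with `Get-AzFrontDoorCdnProfile` from Az.Cdn.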
@@ -229,12 +344,24 @@ And **protect your website from attacks using the WAF capabilities.** ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List the Web Application Firewall configurations for your Application Gateways az network application-gateway waf-config list --gateway-name --resource-group --query "[].{name:name, firewallMode:firewallMode, ruleSetType:ruleSetType, ruleSetVersion:ruleSetVersion}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List the Web Application Firewall configurations for your Application Gateways +(Get-AzApplicationGateway -Name -ResourceGroupName ).WebApplicationFirewallConfiguration +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure Hub, Spoke & VNet Peering @@ -253,6 +380,8 @@ Imagine a company with separate departments like Sales, HR, and Development, **e ### Enumeration +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List all VNets in your subscription @@ -265,6 +394,22 @@ az network vnet peering list --resource-group --vnet-name -Name ).VirtualNetworkPeerings + +# List Shared Resources (e.g., Azure Firewall) in the Hub +Get-AzFirewall +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Site-to-Site VPN @@ -276,6 +421,8 @@ A business with its main office located in New York has an on-premises data cent ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List VPN Gateways 
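Review bot: The Application Gateway tab reads `+(Get-AzApplicationGateway -Name -ResourceGroupName ).WebApplicationFirewallConfiguration`, which is the legacy inline WAF config; a gateway that uses a WAF policy returns null here and instead carries `.FirewallPolicy.Id`, so check that property and enumerate the policy with `Get-AzApplicationGatewayFirewallPolicy -Name <policy> -ResourceGroupName <rg>` (mode, managed rule set, exclusions and custom rules). In the hub and spoke hunk, the peering line repeats the VNet section; `Get-AzVirtualNetworkPeering -VirtualNetworkName <vnet> -ResourceGroupName <rg>` gives the same list with the `AllowForwardedTraffic`, `AllowGatewayTransit` and `UseRemoteGateways` flags that decide whether a spoke can reach on-prem or other spokes through the hub.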
@@ -285,6 +432,19 @@ az network vnet-gateway list --query "[].{name:name, location:location, resource az network vpn-connection list --gateway-name --resource-group --query "[].{name:name, connectionType:connectionType, connectionStatus:connectionStatus}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List VPN Gateways +Get-AzVirtualNetworkGateway -ResourceGroupName + +# List VPN Connections +Get-AzVirtualNetworkGatewayConnection -ResourceGroupName +``` +{% endcode %} +{% endtab %} +{% endtabs %} ## Azure ExpressRoute @@ -296,12 +456,24 @@ A multinational corporation requires a **consistent and reliable connection to i ### **Enumeration** +{% tabs %} +{% tab title="az cli" %} {% code overflow="wrap" %} ```bash # List ExpressRoute Circuits az network express-route list --query "[].{name:name, location:location, resourceGroup:resourceGroup, serviceProviderName:serviceProviderName, peeringLocation:peeringLocation}" -o table ``` {% endcode %} +{% endtab %} +{% tab title="PowerShell" %} +{% code overflow="wrap" %} +```powershell +# List ExpressRoute Circuits +Get-AzExpressRouteCircuit +``` +{% endcode %} +{% endtab %} +{% endtabs %} {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ From b860fa520cc11d0f705b15585db381de45407a72 Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 13 Dec 2024 01:33:44 +0100 Subject: [PATCH 3/6] Update az-storage-privesc.md --- .../az-privilege-escalation/az-storage-privesc.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md index ed82ec637..3f3fba06b 100644 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md 
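Review bot: The VPN PowerShell tab is narrower than its az cli counterpart: `az network vnet-gateway list` is subscription wide, whereas `+Get-AzVirtualNetworkGateway -ResourceGroupName` needs a resource group, so mention `Get-AzResource -ResourceType Microsoft.Network/virtualNetworkGateways` to locate gateways first. For parity with the cli query, project `Get-AzVirtualNetworkGatewayConnection -ResourceGroupName <rg> | Select-Object Name, ConnectionType, ConnectionStatus`; and since this is an attacker enumeration page, the cmdlet that reads the tunnel pre-shared key, `Get-AzVirtualNetworkGatewayConnectionSharedKey -Name <conn> -ResourceGroupName <rg>`, belongs next to it.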
+++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md @@ -150,6 +150,18 @@ az storage blob undelete \ ``` {% endcode %} +### Microsoft.Storage/storageAccounts/fileServices/shares/restore/action && Microsoft.Storage/storageAccounts/read + +With these permissions, an attacker can restore a deleted Azure file share by specifying its deleted version ID. This privilege escalation could allow an attacker to recover sensitive data that was meant to be permanently deleted, potentially leading to unauthorized access. + +{% code overflow="wrap" %} +```bash +az storage share-rm restore \ + --storage-account \ + --name \ + --deleted-version +``` +{% endcode %} ## Other interesting looking permissions (TODO) From 08bb01e0931ee6dadfca3ef36f12859f1ea15430 Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 13 Dec 2024 01:34:19 +0100 Subject: [PATCH 4/6] Update az-file-shares.md --- .../az-services/az-file-shares.md | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/pentesting-cloud/azure-security/az-services/az-file-shares.md b/pentesting-cloud/azure-security/az-services/az-file-shares.md index 400d3a0e4..5ca733e45 100644 --- a/pentesting-cloud/azure-security/az-services/az-file-shares.md +++ b/pentesting-cloud/azure-security/az-services/az-file-shares.md @@ -43,6 +43,9 @@ Learn & practice GCP Hacking: +az storage share-rm list --storage-account # To see the deleted ones too --include-deleted # Get dirs/files inside the share az storage file list --account-name --share-name ## If type is "dir", you can continue enumerating files inside of it 
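Review bot: The new `shares/restore/action` section should state its precondition: `az storage share-rm restore` only works when soft delete is enabled on the file service and the share is still inside the retention window, otherwise there is nothing to restore. It also needs a way to obtain the `--deleted-version` value, which the listed permissions do not cover: discovering deleted shares is `az storage share-rm list --storage-account <acc> --include-deleted` (added in patch 4) and requires `Microsoft.Storage/storageAccounts/fileServices/shares/read`, not just `storageAccounts/read`. Finally, the heading uses `&&` while the other permission headings in this file are joined with plain text; keep one style.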
@@ -65,6 +69,33 @@ az storage file list --account-name --share-name --snapshot az storage file download-batch -d . --account-name --source --snapshot ``` {% endcode %} +{% endtab %} + +{% tab title="Az PowerShell" %} +{% code overflow="wrap" %} +```powershell +Get-AzStorageAccount + +# List File Shares +Get-AzStorageShare -Context (Get-AzStorageAccount -ResourceGroupName "" -Name "").Context + +# Get Directories/Files Inside the Share +Get-AzStorageFile -ShareName "" -Context (Get-AzStorageAccount -ResourceGroupName "" -Name "").Context +Get-AzStorageFile -ShareName "" -Path "" -Context (Get-AzStorageAccount -ResourceGroupName "" -Name "").Context + +# Download a Complete Share +Get-AzStorageFileContent -ShareName "" -Destination "C:\Download" -Path "" -Context (Get-AzStorageAccount -ResourceGroupName "" -Name "").Context + +# Get Snapshots/Backups +Get-AzStorageShare -Context (Get-AzStorageAccount -ResourceGroupName "" -Name "").Context | Where-Object { $_.SnapshotTime -ne $null } + +# List Contents of a Snapshot/Backup +Get-AzStorageFile -ShareName "" -Context (New-AzStorageContext -StorageAccountName "" -StorageAccountKey (Get-AzStorageAccountKey -ResourceGroupName "" -Name "" | Select-Object -ExpandProperty Value) -SnapshotTime "") + +``` +{% endcode %} +{% endtab %} +{% endtabs %} {% hint style="info" %} By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login --enable-file-backup-request-intent`. From 7a372d9414027d51228bd6ba9c13f2d45a3914b5 Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 13 Dec 2024 01:36:31 +0100 Subject: [PATCH 5/6] Update az-table-storage-post-exploitation.md --- .../az-post-exploitation/az-table-storage-post-exploitation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
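Review bot: The snapshot listing at the end of the `Az PowerShell` tab builds a broken context: `Get-AzStorageAccountKey ... | Select-Object -ExpandProperty Value` yields both account keys as an array, so `-StorageAccountKey` receives two values; use `(Get-AzStorageAccountKey -ResourceGroupName "" -Name "")[0].Value`. Two related gaps: `+# Download a Complete Share` is followed by `Get-AzStorageFileContent ... -Path ""`, which downloads one file, so either recurse over `Get-AzStorageFile` results or drop the comment; and the tab has no equivalent of the cli `--include-deleted` listing added in the same patch, which in PowerShell is `Get-AzRmStorageShare -ResourceGroupName <rg> -StorageAccountName <acc> -IncludeDeleted` (`-IncludeSnapshot` covers the snapshot case more directly than the `SnapshotTime -ne $null` filter). For the Entra ID note below the tabs, the PowerShell counterpart of `--auth-mode login --enable-file-backup-request-intent` is `New-AzStorageContext -StorageAccountName <acc> -UseConnectedAccount -EnableFileBackupRequestIntent`.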
diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md index 50e25c217..0eb9a3592 100644 --- a/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md +++ b/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: -ResourceGroupName ).Context +``` +{% endcode %} +{% endtab %} +{% endtabs %} {% hint style="info" %} By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login`.
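Review bot: The PowerShell tab closed here obtains its context from `(Get-AzStorageAccount -Name -ResourceGroupName ).Context`, which is built from the account keys and therefore needs `listKeys` on the account, while the hint right after the tabs only explains Entra ID auth for the cli (`--auth-mode login`). Add the PowerShell counterpart, `New-AzStorageContext -StorageAccountName <acc> -UseConnectedAccount`, either in the tab or in the hint, so a reader with only a data-plane role (for tables, Storage Table Data Reader/Contributor) knows the cmdlets still work without the keys.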