gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-06-12 19:11:44 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
28650f17b49211ce0a53f972132e5fd2f1dea3c6
hacktricks-cloud/src/pentesting-cloud/azure-security/az-enumeration-tools.md
T

30 KiB
Raw Blame History

Az - Enumeration Tools

{{#include ../../banners/hacktricks-training.md}}

Install PowerShell in Linux

Tip

In linux you will need to install PowerShell Core:

sudo apt-get update
sudo apt-get install -y wget apt-transport-https software-properties-common

# Ubuntu 20.04
wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb

# Update repos
sudo apt-get update
sudo add-apt-repository universe

# Install & start powershell
sudo apt-get install -y powershell
pwsh

# Az cli
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Install PowerShell in MacOS

Instructions from the documentation:

  1. Install brew if not installed yet:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  1. Install the latest stable release of PowerShell:
brew install powershell/tap/powershell
  1. Run PowerShell:
pwsh
  1. Update:
brew update
brew upgrade powershell

Main Enumeration Tools

az cli

Azure Command-Line Interface (CLI) is a cross-platform tool written in Python for managing and administering (most) Azure and Entra ID resources. It connects to Azure and executes administrative commands via the command line or scripts.

Follow this link for the installation instructions¡.

Commands in Azure CLI are structured using a pattern of: az <service> <action> <parameters>

Debug | MitM az cli

Using the parameter --debug it's possible to see all the requests the tool az is sending:

az account management-group list --output table --debug

In order to do a MitM to the tool and check all the requests it's sending manually you can do:

{{#tabs }} {{#tab name="Bash" }}

export ADAL_PYTHON_SSL_NO_VERIFY=1
export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
export HTTPS_PROXY="http://127.0.0.1:8080"
export HTTP_PROXY="http://127.0.0.1:8080"

# If this is not enough
# Download the certificate from Burp and convert it into .pem format
# And export the following env variable
openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem

{{#endtab }}

{{#tab name="CMD" }}

set ADAL_PYTHON_SSL_NO_VERIFY=1
set AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
set HTTPS_PROXY="http://127.0.0.1:8080"
set HTTP_PROXY="http://127.0.0.1:8080"

# If this is not enough
# Download the certificate from Burp and convert it into .pem format
# And export the following env variable
openssl x509 -in cacert.der -inform DER -out cacert.pem -outform PEM
set REQUESTS_CA_BUNDLE=C:\Users\user\Downloads\cacert.pem

{{#endtab }}

{{#tab name="PS" }}

$env:ADAL_PYTHON_SSL_NO_VERIFY=1
$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
$env:HTTPS_PROXY="http://127.0.0.1:8080"
$env:HTTP_PROXY="http://127.0.0.1:8080"

{{#endtab }} {{#endtabs }}

Fixing “CA cert does not include key usage extension”

Why the error happens

When Azure CLI authenticates, it makes HTTPS requests (via MSAL → Requests → OpenSSL). If youre intercepting TLS with Burp, Burp generates “on the fly” certificates for sites like login.microsoftonline.com and signs them with Burps CA.

On newer stacks (Python 3.13 + OpenSSL 3), CA validation is stricter:

  • A CA certificate must include Basic Constraints: CA:TRUE and a Key Usage extension permitting certificate signing (keyCertSign, and typically cRLSign).

Burps default CA (PortSwigger CA) is old and typically lacks the Key Usage extension, so OpenSSL rejects it even if you “trust it”.

That produces errors like:

  • CA cert does not include key usage extension
  • CERTIFICATE_VERIFY_FAILED
  • self-signed certificate in certificate chain

So you must:

  1. Create a modern CA (with proper Key Usage).
  2. Make Burp use it to sign intercepted certs.
  3. Trust that CA in macOS.
  4. Point Azure CLI / Requests to that CA bundle.

Step-by-step: working configuration

0) Prereqs

  • Burp running locally (proxy at 127.0.0.1:8080)
  • Azure CLI installed (Homebrew)
  • You can sudo (to trust the CA in the system keychain)

1) Create a standards-compliant Burp CA (PEM + KEY)

Create an OpenSSL config file that explicitly sets CA extensions:

mkdir -p ~/burp-ca && cd ~/burp-ca

cat > burp-ca.cnf <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
C  = US
O  = Burp Custom CA
CN = Burp Custom Root CA

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF

Generate the CA certificate + private key:

openssl req -x509 -new -nodes \
  -days 3650 \
  -keyout burp-ca.key \
  -out burp-ca.pem \
  -config burp-ca.cnf

Sanity check (you MUST see Key Usage):

openssl x509 -in burp-ca.pem -noout -text | egrep -A3 "Basic Constraints|Key Usage"

Expected to include something like:

  • CA:TRUE
  • Key Usage: ... Certificate Sign, CRL Sign

2) Convert to PKCS#12 (Burp import format)

Burp needs certificate + private key, easiest as PKCS#12:

openssl pkcs12 -export \
  -out burp-ca.p12 \
  -inkey burp-ca.key \
  -in burp-ca.pem \
  -name "Burp Custom Root CA"

Youll be prompted for an export password (set one; Burp will ask for it).

3) Import the CA into Burp and restart Burp

In Burp:

  • Proxy → Options
  • Find Import / export CA certificate
  • Click Import CA certificate
  • Choose PKCS#12
  • Select burp-ca.p12
  • Enter the password
  • Restart Burp completely (important)

Why restart? Burp may keep using the old CA until restart.

4) Trust the new CA in macOS system keychain

This allows system apps and many TLS stacks to trust the CA.

sudo security add-trusted-cert \
  -d -r trustRoot \
  -k /Library/Keychains/System.keychain \
  ~/burp-ca/burp-ca.pem

(If you prefer GUI: Keychain Access → System → Certificates → import → set “Always Trust”.)

5) Configure proxy env vars

export HTTPS_PROXY="http://127.0.0.1:8080"
export HTTP_PROXY="http://127.0.0.1:8080"

6) Configure Requests/Azure CLI to trust your Burp CA

Azure CLI uses Python Requests internally; set both of these:

export REQUESTS_CA_BUNDLE="$HOME/burp-ca/burp-ca.pem"
export SSL_CERT_FILE="$HOME/burp-ca/burp-ca.pem"

Notes:

  • REQUESTS_CA_BUNDLE is used by Requests.
  • SSL_CERT_FILE helps for other TLS consumers and edge cases.
  • You typically do not need the old ADAL_PYTHON_SSL_NO_VERIFY / AZURE_CLI_DISABLE_CONNECTION_VERIFICATION once the CA is correct.

7) Verify Burp is actually signing with your new CA (critical check)

This confirms your interception chain is correct:

openssl s_client -connect login.microsoftonline.com:443 \
  -proxy 127.0.0.1:8080 </dev/null 2>/dev/null \
  | openssl x509 -noout -issuer

Expected issuer contains your CA name, e.g.:

O=Burp Custom CA, CN=Burp Custom Root CA

If you still see PortSwigger CA, Burp is not using your imported CA → re-check import and restart.

8) Verify Python Requests works through Burp

python3 - <<'EOF'
import requests
requests.get("https://login.microsoftonline.com")
print("OK")
EOF

Expected: OK

9) Azure CLI test

az account get-access-token --resource=https://management.azure.com/

If youre already logged in, it should return JSON with an accessToken.

Az PowerShell

Azure PowerShell is a module with cmdlets for managing Azure resources directly from the PowerShell command line.

Follow this link for the installation instructions.

Commands in Azure PowerShell AZ Module are structured like: <Action>-Az<Service> <parameters>

Debug | MitM Az PowerShell

Using the parameter -Debug it's possible to see all the requests the tool is sending:

Get-AzResourceGroup -Debug

In order to do a MitM to the tool and check all the requests it's sending manually you can set the env variables HTTPS_PROXY and HTTP_PROXY according to the docs.

Microsoft Graph PowerShell

Microsoft Graph PowerShell is a cross-platform SDK that enables access to all Microsoft Graph APIs, including services like SharePoint, Exchange, and Outlook, using a single endpoint. It supports PowerShell 7+, modern authentication via MSAL, external identities, and advanced queries. With a focus on least privilege access, it ensures secure operations and receives regular updates to align with the latest Microsoft Graph API features.

Follow this link for the installation instructions.

Commands in Microsoft Graph PowerShell are structured like: <Action>-Mg<Service> <parameters>

Debug Microsoft Graph PowerShell

Using the parameter -Debug it's possible to see all the requests the tool is sending:

Get-MgUser -Debug

AzureAD Powershell

The Azure Active Directory (AD) module, now deprecated, is part of Azure PowerShell for managing Azure AD resources. It provides cmdlets for tasks like managing users, groups, and application registrations in Entra ID.

Tip

This is replaced by Microsoft Graph PowerShell

Follow this link for the installation instructions.

Automated Recon & Compliance Tools

turbot azure plugins

Turbot with steampipe and powerpipe allows to gather information from Azure and Entra ID and perform compliance checks and find misconfigurations. The currently most recommended Azure modules to run are:

# Install
brew install turbot/tap/powerpipe
brew install turbot/tap/steampipe
steampipe plugin install azure
steampipe plugin install azuread

# Config creds via env vars or az cli default creds will be used
export AZURE_ENVIRONMENT="AZUREPUBLICCLOUD"
export AZURE_TENANT_ID="<tenant-id>"
export AZURE_SUBSCRIPTION_ID="<subscription-id>"
export AZURE_CLIENT_ID="<client-id>"
export AZURE_CLIENT_SECRET="<secret>"

# Run steampipe-mod-azure-insights
cd /tmp
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-insights
steampipe service start
powerpipe server
# Go to http://localhost:9033 in a browser

Prowler

Prowler is an Open Source security tool to perform AWS, Azure, Google Cloud and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.

It basically would allow us to run hundreds of checks against an Azure environment to find security misconfigurations and gather the results in json (and other text format) or check them in the web.

# Create a application with Reader role and set the tenant ID, client ID and secret in prowler so it access the app

# Launch web with docker-compose
export DOCKER_DEFAULT_PLATFORM=linux/amd64
curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/docker-compose.yml
curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/.env
## If using an old docker-compose version, change the "env_file" params to: env_file: ".env"
docker compose up -d
# Access the web and configure the access to run a scan from it

# Prowler cli
python3 -m pip install prowler --break-system-packages
docker run --rm toniblyx/prowler:v4-latest azure --list-checks
docker run --rm toniblyx/prowler:v4-latest azure --list-services
docker run --rm toniblyx/prowler:v4-latest azure --list-compliance
docker run --rm -e "AZURE_CLIENT_ID=<client-id>" -e "AZURE_TENANT_ID=<tenant-id>" -e "AZURE_CLIENT_SECRET=<secret>" toniblyx/prowler:v4-latest azure --sp-env-auth
## It also support other authentication types, check: prowler azure --help

Monkey365

It allows to perform Azure subscriptions and Microsoft Entra ID security configuration reviews automatically.

The HTML reports are stored inside the ./monkey-reports directory inside the github repository folder.

git clone https://github.com/silverhack/monkey365
Get-ChildItem -Recurse monkey365 | Unblock-File
cd monkey365
Import-Module ./monkey365
mkdir /tmp/monkey365-scan
cd /tmp/monkey365-scan

Get-Help Invoke-Monkey365
Get-Help Invoke-Monkey365 -Detailed

# Scan with user creds (browser will be run)
Invoke-Monkey365 -TenantId <tenant-id> -Instance Azure -Collect All -ExportTo HTML              

# Scan with App creds
$SecureClientSecret = ConvertTo-SecureString "<secret>" -AsPlainText -Force     
Invoke-Monkey365 -TenantId <tenant-id> -ClientId <client-id> -ClientSecret $SecureClientSecret -Instance Azure -Collect All -ExportTo HTML

ScoutSuite

Scout Suite gathers configuration data for manual inspection and highlights risk areas. It's a multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.

virtualenv -p python3 venv
source venv/bin/activate
pip install scoutsuite
scout --help

# Use --cli flag to use az cli credentials
# Use --user-account to have scout prompt for user credentials
# Use --user-account-browser to launch a browser to login
# Use --service-principal to have scout prompt for app credentials

python scout.py azure --cli

Azure-MG-Sub-Governance-Reporting

It's a powershell script that helps you to visualize all the resources and permissions inside a Management Group and the Entra ID tenant and find security misconfigurations.

It works using the Az PowerShell module, so any authentication supported by this tool is supported by the tool.

import-module Az
.\AzGovVizParallel.ps1 -ManagementGroupId <management-group-id> [-SubscriptionIdWhitelist <subscription-id>]

Automated Post-Exploitation tools

ROADtools / ROADrecon / ROADtx

ROADtools is one of the main open-source frameworks for Entra ID offensive research. The most relevant components are:

  • roadrecon: tenant discovery and local dataset generation (users, groups, roles, devices, service principals, applications, directory settings).
  • roadtx: token acquisition/exchange, refresh-token reuse, device registration, and PRT workflows.
  • roadlib: lower-level auth/API library used by the other modules.

The collected data is stored in a local SQLite database and can be explored in the ROADrecon web UI, which is useful to map privileged users, role assignments, devices, service principals, and application relationships before planning persistence or lateral movement.

ROADrecon collection

cd ROADTools
pipenv shell
# Login with user creds
roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!"
# Login with app creds
roadrecon auth --as-app --client "<client-id>" --password "<secret>" --tenant "<tenant-id>"
roadrecon gather
roadrecon gui

ROADrecon originally targeted Azure AD Graph. As of May 22, 2026, the official repository still keeps Microsoft Graph support in the msgraph branch, and community forks such as Tom2Byrne/ROADtools continue updating Graph-based collection. In Graph-capable builds, ROADrecon adds the -mg switch to enumerate endpoints such as /users, /groups, /devices, /servicePrincipals, and /applications.

# Graph-capable ROADrecon builds
roadrecon auth -u test@corp.onmicrosoft.com -p "Welcome2022!"
roadrecon gather -mg
roadrecon gui

ROADtx high-value use cases

If you already have valid credentials, a refresh token, or a PRT-derived session, ROADtx is commonly used to:

  • Register a rogue Entra ID device against urn:ms-drs:enterpriseregistration.windows.net to obtain device keys/certificates and create durable device-backed access.
  • Exchange/reuse refresh tokens to get fresh Microsoft Graph or other resource tokens without repeating interactive sign-in.
  • Abuse PRT workflows to silently mint new access tokens in the background.

A useful hunting clue is that default roadtx device values have historically been:

  • OS: Windows
  • OS version: 10.0.19041.928
  • Name: DESKTOP-<RANDOM 8 DIGITS>

These values are easy to change, so treat them as weak indicators. They are still useful when correlated with unusual device registration events, non-corporate naming patterns, suspicious source IPs/geos/ASNs, or scripted user agents.

ROADtools opsec / hunting notes

Because ROADtools uses legitimate Microsoft identity APIs, defenders should hunt for the combination of token activity, enumeration patterns, and user-agent anomalies instead of expecting malware-like signatures. Useful signals include:

  • Device registration audit operations such as Add device, Add registered owner to device, Add registered user to device, and Register device
  • Requests or sign-ins tied to Device Registration Service
  • Script-like user agents such as python-requests, urllib, or curl
  • Bursty Microsoft Graph reads against discovery-heavy endpoints like /users, /groups, /devices, /servicePrincipals, and /applications
  • Powerful OAuth scopes appearing in audit data, especially Directory.ReadWrite.All, Device.ReadWrite.All, Application.ReadWrite.All, AuditLog.ReadWrite.All, and Policy.ReadWrite.All

AzureHound

AzureHound is the BloodHound collector for Microsoft Entra ID and Azure. It is a single static Go binary for Windows/Linux/macOS that talks directly to:

  • Microsoft Graph (Entra ID directory, M365) and
  • Azure Resource Manager (ARM) control plane (subscriptions, resource groups, compute, storage, key vault, app services, AKS, etc.)

Key traits

  • Runs from anywhere on the public internet against tenant APIs (no internal network access required)
  • Outputs JSON for BloodHound CE ingestion to visualize attack paths across identities and cloud resources
  • Default User-Agent observed: azurehound/v2.x.x

Authentication options

  • Username + password: -u -p
  • Refresh token: --refresh-token
  • JSON Web Token (access token): --jwt
  • Service principal secret: -a -s
  • Service principal certificate: -a --cert <cert.pem> --key <key.pem> [--keypass ]

Examples

# Full tenant collection to file using different auth flows
## User creds
azurehound list -u "<user>@<tenant>" -p "<pass>" -t "<tenant-id|domain>" -o ./output.json

## Use an access token (JWT) from az cli for Graph
JWT=$(az account get-access-token --resource https://graph.microsoft.com -o tsv --query accessToken)
azurehound list --jwt "$JWT" -t "<tenant-id>" -o ./output.json

## Use a refresh token (e.g., from device code flow)
azurehound list --refresh-token "<refresh_token>" -t "<tenant-id>" -o ./output.json

## Service principal secret
azurehound list -a "<client-id>" -s "<secret>" -t "<tenant-id>" -o ./output.json

## Service principal certificate
azurehound list -a "<client-id>" --cert "/path/cert.pem" --key "/path/key.pem" -t "<tenant-id>" -o ./output.json

# Targeted discovery
azurehound list users -t "<tenant-id>" -o users.json
azurehound list groups -t "<tenant-id>" -o groups.json
azurehound list roles -t "<tenant-id>" -o roles.json
azurehound list role-assignments -t "<tenant-id>" -o role-assignments.json

# Azure resources via ARM
azurehound list subscriptions -t "<tenant-id>" -o subs.json
azurehound list resource-groups -t "<tenant-id>" -o rgs.json
azurehound list virtual-machines -t "<tenant-id>" -o vms.json
azurehound list key-vaults -t "<tenant-id>" -o kv.json
azurehound list storage-accounts -t "<tenant-id>" -o sa.json
azurehound list storage-containers -t "<tenant-id>" -o containers.json
azurehound list web-apps -t "<tenant-id>" -o webapps.json
azurehound list function-apps -t "<tenant-id>" -o funcapps.json

What gets queried

  • Graph endpoints (examples):
    • /v1.0/organization, /v1.0/users, /v1.0/groups, /v1.0/roleManagement/directory/roleDefinitions, directoryRoles, owners/members
  • ARM endpoints (examples):
    • management.azure.com/subscriptions/.../providers/Microsoft.Storage/storageAccounts
    • .../Microsoft.KeyVault/vaults, .../Microsoft.Compute/virtualMachines, .../Microsoft.Web/sites, .../Microsoft.ContainerService/managedClusters

Preflight behavior and endpoints

  • Each azurehound list
Reference in New Issue View Git Blame Copy Permalink