ATTACKING AZURE ENVIRONMENTS WITH POWERSHELL
KARL FOSAAEN
2 Confidential & Proprietary
WHO AM I
Karl Fosaaen
 Pen Tester
 Password Cracker
 Social Engineer
 Blogger
 Cloud Enthusiast
 Homebrewer
https://github.com/netspi
https://blog.netspi.com/
Twitter - @kfosaaen
TALK OVERVIEW
 Outline
 Intro to Dumping Azure Data
− Why/How
 Azure Services Covered
− AzureAD Users and Groups
− Storage Accounts
− AzureSQL
− Passwords
 Demos/Questions
− Sample Escalation Process
DUMPING AZURE DATA
DUMPING AZURE DATA
 Why do we want to dump data from Azure?
 We frequently get Azure creds during assessments
− Integrated AD (DCSync) + Fall2018 = Azure Access
 Regular domain users can usually list info about Azure
− Not regularly locked down
 Azure infrastructure audits
 Why can we do this?
 Azure management is available over the internet
 Frequently without MFA
 Why do we want to automate this?
 Doing a million PS commands by hand is annoying
DUMPING AZURE DATA
 MicroBurst
 GitHub Link - https://github.com/NetSPI/MicroBurst
 Current Functions:
▪ Invoke-EnumerateAzureBlobs
▪ Invoke-EnumerateAzureSubDomains
▪ Get-AzurePasswords
▪ Get-AzureDomainInfo
▪ Get-MSOLDomainInfo
 Module Dependencies:
− Azure
− AzureRM
− MSOnline
AZURE PERMISSIONS
 Permissions
 Three Important Levels
− Owner
− Contributor
− Reader
 Additional Roles
− Different Administrative/Reader Roles
− Not hugely important here
DUMPING AZURE DATA
 Ways to dump data from Azure
 Azure Portal
− Pros – Graphical interface, easy to look at for review
− Cons – Not great at scale
 REST APIs
− Pros – Structured, JSON return data
− Cons – Authentication pain points, JSON data formatting
 PowerShell Cmdlets
− Pros
− Integrated Auth
− Data returned as pipeline-able objects
− Easier output
− Can handle data at scale
− Cons
− Limited threading options
DUMPING AZURE DATA
 PowerShell Cmdlet Modules
 Azure Service Management (ASM)
− Older style of Azure Administration
 AzureRM
− Newer option for Resource Management
 AZ
− Latest option, currently in preview
− Will eventually replace AzureRM
 MSOnline
− Office 365 Administration
− When you don’t have rights to run the others
DUMPING AZURE DATA
 Existing Tools
− Azucar - https://github.com/nccgroup/azucar/
− Didn’t quite fit my use cases
− Didn’t work well with several of the environments I tried
− AzuriteExplorer - https://github.com/mwrlabs/Azurite
− Similar functionality
− Doesn’t appear to be actively maintained (broken AzureRM cmdlets)
DUMPING AZURE DATA
 Required Reading
 Pentesting Azure Applications - Matt Burrough
− https://nostarch.com/azure
 Clearly outlines testing process
 Explains why you should be doing this
 Good example scripts
AZURE SERVICES
AZURE SERVICES
 Here are some of the services that we’ll cover in this talk
 MicroBurst dumps more data than this, but we don’t have time to cover everything
− Authenticated
− AzureAD Users and Groups
− Storage Accounts
− App Services
− AzureSQL
− NSG/Firewall Rules
− RBAC Roles
− Passwords
− Unauthenticated
− Azure Blob Storage Enumeration
− General Azure Services Enumeration
AZURE SERVICES
 AzureAD
 Users and Groups
− Additional Recon Info
− Phone Numbers
− Enrolled Devices
− Third Party Apps (SSO Integration)
− Guest Users
 Practical Examples
− Password Guessing Attacks
− Phishing
− Accessing third party apps (AWS, WebEx, HR/Expense systems)
− Office365
AZURE SERVICES
 Storage Accounts
 Naming Structure - netspiazure.*Service*.core.windows.net
 Data Types
− Blobs (blob)
− File Services (file)
− Data Tables (table)
− Queues (queue)
AZURE SERVICES
 Anonymous Blob Enumeration
 Enumerate Storage Accounts
− DNS lookups on keywords
− Bing Searches to expand the scope
 Enumerate Public Folders
− Azure REST APIs
 Practical Examples
− Config files
− VHD files
− PII/Passwords
− Hosting Payloads
 Blog Post - https://blog.netspi.com/anonymously-enumerating-azure-file-resources/
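Defender-side counterpart to the anonymous enumeration above, added here as an example that is not MicroBurst code or code from the talk: it walks the storage accounts in the current subscription with the AzureRM and Azure.Storage cmdlets the talk depends on and reports every container whose access level is not Off (Blob allows anonymous reads of known blob names; Container allows anonymous listing, which is the case the enumeration finds). It assumes Login-AzureRmAccount has already been run with an account that can list storage account keys; the commented remediation call is there for use after a human has reviewed the report.

```powershell
# Added example, not part of MicroBurst or the talk.
# Assumes Login-AzureRmAccount has been run and the AzureRM + Azure.Storage modules are loaded.

function Get-PublicContainerReport {
    [CmdletBinding()]
    param()

    foreach ($account in Get-AzureRmStorageAccount) {
        # PSStorageAccount already carries a storage context built from the account keys,
        # so no separate New-AzureStorageContext call is needed.
        $ctx = $account.Context
        try {
            $containers = Get-AzureStorageContainer -Context $ctx -ErrorAction Stop
        } catch {
            Write-Warning ("Could not list containers for {0}: {1}" -f $account.StorageAccountName, $_.Exception.Message)
            continue
        }

        foreach ($c in $containers) {
            # PublicAccess is Off, Blob or Container; anything other than Off is reachable without auth.
            if ($c.PublicAccess -ne 'Off') {
                [pscustomobject]@{
                    StorageAccount = $account.StorageAccountName
                    ResourceGroup  = $account.ResourceGroupName
                    Container      = $c.Name
                    PublicAccess   = $c.PublicAccess
                    Endpoint       = $account.PrimaryEndpoints.Blob
                    LastModified   = $c.LastModified
                }
            }
        }
    }
}

# Report every public container in the subscription as pipeline-able objects.
$report = Get-PublicContainerReport
$report | Sort-Object PublicAccess, StorageAccount | Format-Table -AutoSize

# Remediation, only after confirming the container is not meant to be public:
# $report | Where-Object PublicAccess -eq 'Container' | ForEach-Object {
#     $ctx = (Get-AzureRmStorageAccount -ResourceGroupName $_.ResourceGroup -Name $_.StorageAccount).Context
#     Set-AzureStorageContainerAcl -Name $_.Container -Permission Off -Context $ctx
# }
```

The report only covers the subscription the session is currently selected into; loop over Get-AzureRmSubscription with Select-AzureRmSubscription to cover a whole tenant.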
AZURE SERVICES
 Azure SQL
 Microsoft SQL – In the Cloud
 Data Access
− Firewall rules requirements
− SQL Management Studio
− Direct Portal Access
 Azure SQL as a C2
 Practical Examples
− Dev ENV
− Open FW rules
− Weak SA Password
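An audit for the "open FW rules" case on the slide above, added here as an example that is not from the talk or MicroBurst: it lists every Azure SQL server in the current subscription with the AzureRM SQL cmdlets and flags firewall rules that span the whole internet, that use the special 0.0.0.0-0.0.0.0 "allow Azure services" rule (which admits any Azure tenant's resources, not just your own), or that are wider than a threshold you choose. It assumes Login-AzureRmAccount has been run with Reader on the subscription; the 256-address default threshold is an assumption to tune.

```powershell
# Added example, not part of MicroBurst or the talk. Assumes Login-AzureRmAccount has been run.

function ConvertTo-IPv4Number {
    # Turn a dotted IPv4 string into an integer so rule widths can be compared.
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
}

function Get-OpenSqlFirewallRules {
    [CmdletBinding()]
    param(
        # Assumed threshold: any rule admitting more than a /24 worth of addresses is reported.
        [uint64]$MaxAddresses = 256
    )

    foreach ($server in Get-AzureRmSqlServer) {
        $rules = Get-AzureRmSqlServerFirewallRule -ResourceGroupName $server.ResourceGroupName `
                                                   -ServerName $server.ServerName
        foreach ($rule in $rules) {
            $count = (ConvertTo-IPv4Number $rule.EndIpAddress) - (ConvertTo-IPv4Number $rule.StartIpAddress) + 1
            $finding = $null

            if ($rule.StartIpAddress -eq '0.0.0.0' -and $rule.EndIpAddress -eq '0.0.0.0') {
                # Portal's "Allow access to Azure services" toggle: every Azure tenant, not only yours.
                $finding = 'AllowAllAzureServices'
            } elseif ($rule.StartIpAddress -eq '0.0.0.0' -and $rule.EndIpAddress -eq '255.255.255.255') {
                $finding = 'OpenToInternet'
            } elseif ($count -gt $MaxAddresses) {
                $finding = 'WideRange'
            }

            if ($finding) {
                [pscustomobject]@{
                    Server        = $server.ServerName
                    ResourceGroup = $server.ResourceGroupName
                    Rule          = $rule.FirewallRuleName
                    Start         = $rule.StartIpAddress
                    End           = $rule.EndIpAddress
                    Addresses     = $count
                    Finding       = $finding
                }
            }
        }
    }
}

# Worst findings first; OpenToInternet plus a weak SA password is the combination the slide describes.
Get-OpenSqlFirewallRules | Sort-Object Finding, Server | Format-Table -AutoSize
```

Fixing a flagged rule is Remove-AzureRmSqlServerFirewallRule followed by New-AzureRmSqlServerFirewallRule with the actual client range; database-level firewall rules (set inside the database with sp_set_database_firewall_rule) are not visible to these cmdlets and need a separate check.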
AZURE SERVICES
 Passwords
 Key Vaults
− Keys
− Certs
− Passwords
 App Services Configurations
− Deployment Credentials
− Database Connection Strings
 Automation Accounts
− Credentials for Azure Automation accounts
 Blog Post - https://blog.netspi.com/get-azurepasswords/
AZURE SERVICES
 Passwords
 Automation Accounts
− Credentials for Azure Automation accounts
− Process:
− Create Automation Script
− Import Automation Script
− Run Automation Script
− Get Automation Script Output
− Delete Automation Script
 Blog Post - https://blog.netspi.com/get-azurepasswords/
MICROBURST USAGE
 MicroBurst
 How to Run the Tools
− Import the Module
− Import-Module C:\MicroBurst\MicroBurst.psm1 -Verbose
 CMD Examples
− Invoke-EnumerateAzureBlobs -Base microburst
− Invoke-EnumerateAzureSubDomains -Base microburst -Verbose
− Get-AzurePasswords -Verbose | Out-GridView
− Get-AzureDomainInfo -folder MicroBurst -Verbose
− Get-MSOLDomainInfo -folder MicroBurst -Verbose
DEMO
DEMO
 Sample Escalation
 Anonymously enumerate a public blob storage container (Invoke-EnumerateAzureBlobs)
− List files
− Download VHD
− Parse credentials from VHD file
− Crack hashes for Local Creds and Cached Creds
− Run VHD locally
− Login to VM (via RDP)
− Login to Azure with the cracked domain creds
 Connect as domain user and dump domain info (Get-AzureDomainInfo)
− List out users/services/etc.
 Dump remaining domain passwords for Azure subscription (Get-AzurePasswords)
− Get VPN access, pivot to internal domain/network
 Execute Commands on all Azure VMs (as nt authority\SYSTEM)
CRACKING LOCAL ADMIN
LOCAL ADMIN -> LOAD VHD IN HYPER-V
LOCAL ADMIN -> RDP -> MIMIKATZ
*Ideal Situation
ktest also happens to be a DA
RDP is open to everywhere
GRABBING CACHED CREDENTIALS
*Slightly more realistic situation
RDP is not open
But the system is domain joined
CRACKING CACHED CREDENTIALS
*Slightly more realistic situation
RDP is not open
But the system is domain joined
DEMO - CODE EXECUTION
 Execute Commands on all Azure VMs (as nt authority\SYSTEM)
− Invoke-AzureRmVMRunCommand
− Requires “Contributor” rights
 Practical Uses
− Mimikatz everything
− Task C2 agents
− Search for data
 Not Practical Uses
− Botnets
− Crypto miners
− Delete everything
 Mileage may vary depending on VM/Region
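Detection for both execution paths in the talk, the VM Run Command on this slide and the create/import/run/delete runbook process on the Automation Accounts slide, added here as an example that is not from the talk or MicroBurst: it pulls the subscription's Activity Log with Get-AzureRmLog, keeps the operations that record those actions, then groups Run Command events by caller so a single identity fanning out across many VMs stands out, and lists Automation runbook/job writes and deletes in caller order so a short-lived runbook is visible. It assumes Login-AzureRmAccount has been run with Reader on the subscription; the operation names are the ones the Activity Log records for these resource types, and the "3 or more VMs" threshold is an assumption to tune.

```powershell
# Added example, not part of MicroBurst or the talk. Assumes Login-AzureRmAccount has been run.
# Get-AzureRmLog only reaches back 90 days and pages results, so run it per subscription
# and narrow -Days before trusting a "nothing found" result.

# Operation names as recorded in the Activity Log for the two execution paths.
$watchedOperations = @(
    'Microsoft.Compute/virtualMachines/runCommand/action',      # Invoke-AzureRmVMRunCommand
    'Microsoft.Automation/automationAccounts/runbooks/write',   # create/import runbook
    'Microsoft.Automation/automationAccounts/jobs/write',       # run runbook
    'Microsoft.Automation/automationAccounts/runbooks/delete'   # delete runbook
)

function ConvertTo-PlainString {
    # Older Insights cmdlets return LocalizableString objects for OperationName/Status,
    # newer ones return plain strings; normalise both.
    param($Value)
    if ($Value -is [string]) { return $Value }
    if ($null -ne $Value -and $Value.PSObject.Properties['Value']) { return [string]$Value.Value }
    return [string]$Value
}

function Get-ExecutionEvents {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        [string[]]$Operations = $watchedOperations
    )
    Get-AzureRmLog -StartTime (Get-Date).AddDays(-$Days) |
        Where-Object { $Operations -contains (ConvertTo-PlainString $_.OperationName) } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.EventTimestamp
                Caller    = $_.Caller                        # UPN or application id
                Operation = ConvertTo-PlainString $_.OperationName
                Status    = ConvertTo-PlainString $_.Status
                Resource  = $_.ResourceId
                CallerIp  = $_.HttpRequest.ClientIpAddress
            }
        }
}

$events = Get-ExecutionEvents -Days 7

# One caller running commands on many distinct VMs in the window is the
# "execute on all Azure VMs" pattern; assumed threshold of 3 VMs.
$events |
    Where-Object Operation -like '*/runCommand/action' |
    Group-Object Caller |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Caller    = $_.Name
            VMs       = @($_.Group.Resource | Sort-Object -Unique).Count
            FirstSeen = $ordered[0].Time
            LastSeen  = $ordered[-1].Time
            SourceIps = (@($_.Group.CallerIp | Sort-Object -Unique) -join ',')
        }
    } |
    Where-Object VMs -ge 3 |
    Format-Table -AutoSize

# Runbook write, job write and runbook delete from the same caller within minutes
# is the temporary-runbook pattern from the Automation Accounts slide.
$events |
    Where-Object Operation -like 'Microsoft.Automation/*' |
    Sort-Object Caller, Time |
    Format-Table Time, Caller, Operation, Status, Resource -AutoSize
```

For continuous coverage, route the Activity Log to a Log Analytics workspace or Event Hub and alert on the same operation names there instead of polling with Get-AzureRmLog.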
DEMO - CODE EXECUTION
FIXES/CONCLUSIONS
FIXES / CONCLUSIONS
 Fixes
 Limit Azure Management access for non-admin users
 Watch out for misconfigurations in your Azure environment
 Try to get users to stop using Fall2018 as a password
 Set up MFA for all users with Azure access
 Conclusions
 The cloud is complicated, misconfigurations will happen
 But there are options for mitigating the risks
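Scripts for the first and last fixes above (limit management access for non-admins, MFA for everyone with Azure access), building on the Owner/Contributor/Reader levels from the Azure Permissions slide, added here as an example that is not from the talk or MicroBurst: the first function lists Owner, Contributor and User Access Administrator assignments across every subscription and marks the subscription-wide ones, the second lists directory users that have never had per-user MFA enabled or enforced, and the cross-reference at the end shows the privileged users without MFA, which are the accounts to fix first. It assumes Login-AzureRmAccount and Connect-MsolService have both been run with an account able to read role assignments and directory users.

```powershell
# Added example, not part of MicroBurst or the talk.
# Assumes Login-AzureRmAccount and Connect-MsolService have been run.

function Get-PrivilegedRoleAssignmentReport {
    [CmdletBinding()]
    param(
        # Owner and Contributor can both run commands on VMs and read Automation/App Service
        # secrets; User Access Administrator can grant itself either of them.
        [string[]]$Roles = @('Owner', 'Contributor', 'User Access Administrator')
    )
    foreach ($sub in Get-AzureRmSubscription) {
        Select-AzureRmSubscription -SubscriptionId $sub.Id | Out-Null
        Get-AzureRmRoleAssignment |
            Where-Object { $Roles -contains $_.RoleDefinitionName } |
            ForEach-Object {
                [pscustomobject]@{
                    Subscription     = $sub.Name
                    Principal        = $_.DisplayName
                    SignInName       = $_.SignInName
                    ObjectType       = $_.ObjectType          # User, Group or ServicePrincipal
                    Role             = $_.RoleDefinitionName
                    Scope            = $_.Scope
                    # Subscription-wide assignments are the ones to question first.
                    SubscriptionWide = ($_.Scope -eq "/subscriptions/$($sub.Id)")
                }
            }
    }
}

function Get-UsersWithoutMfa {
    [CmdletBinding()]
    param()
    # StrongAuthenticationRequirements is empty when per-user MFA was never enabled or
    # enforced. Conditional-access MFA policies are not reflected here, so check those separately.
    Get-MsolUser -All |
        Where-Object {
            -not $_.BlockCredential -and
            (@($_.StrongAuthenticationRequirements) | Measure-Object).Count -eq 0
        } |
        Select-Object UserPrincipalName, DisplayName, IsLicensed, LastPasswordChangeTimestamp
}

$privileged = Get-PrivilegedRoleAssignmentReport
$privileged | Sort-Object Subscription, Role | Format-Table -AutoSize

# Privileged users with no MFA: the accounts a password-guessing attack would hit hardest.
$noMfa = Get-UsersWithoutMfa
$privileged |
    Where-Object { $_.ObjectType -eq 'User' -and $noMfa.UserPrincipalName -contains $_.SignInName } |
    Format-Table Subscription, SignInName, Role, Scope -AutoSize

# The "regular domain users can list info" problem: this tenant setting controls whether
# non-admin users can read other users' directory attributes through the MSOL/Graph APIs.
(Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
# To restrict it (affects every non-admin user, so test the impact on apps first):
# Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
```

Group assignments are reported once per group; expand them with Get-AzureRmADGroupMember to see which users actually inherit the role, and include guest accounts (UserType of Guest in Get-MsolUser) in the MFA review since they show up in the AzureAD dump too.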
QUESTIONS
Thanks!
NetSPI co-workers for the QA/Testing/Ideas
All of you who came to a Saturday afternoon talk
And all of you watching this on YouTube
ADDITIONAL INFO
 MicroBurst GitHub - https://github.com/NetSPI/MicroBurst
 NetSPI Blog - https://blog.netspi.com
 MicroBurst Specific Blogs:
 https://blog.netspi.com/get-azurepasswords/
 https://blog.netspi.com/anonymously-enumerating-azure-file-resources/
 https://blog.netspi.com/enumerating-azure-services/
 Twitter - @kfosaaen
 SlideShare - http://www.slideshare.net/kfosaaen
MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS
https://www.netspi.com
https://www.facebook.com/netspi
@NetSPI
https://www.slideshare.net/NetSPI

BSides Portland - Attacking Azure Environments with PowerShell