
Azure cloud penetration testing involves identifying vulnerabilities in Azure's network and system configurations.
Azure's vast network infrastructure makes it a complex target for penetration testing.
To begin, familiarize yourself with Azure's architecture and services, including Azure Active Directory, Azure Storage, and Azure Virtual Network.
With a solid understanding of Azure's components, you can start identifying potential entry points for an attacker.
Public IP addresses and misconfigured network security groups are among the most frequently exploited entry points.
Azure Security Vulnerabilities
Azure Security Vulnerabilities are a real concern, and it's essential to understand the risks. Azure has been vulnerable to authentication bypass attacks, allowing attackers to access resources without proper authentication.
Azure's OAuth 2.0 implementation has been criticized for its lack of proper validation, making it vulnerable to token tampering attacks. This can lead to unauthorized access to sensitive data.
A well-known vulnerability in Azure's Active Directory (AD) module allowed attackers to bypass multi-factor authentication, making it easier to gain unauthorized access. The vulnerability, known as the "Azure AD bypass vulnerability", was patched in 2020.
Azure Active Directory (AD) is also exposed to phishing attacks, which can trick users into revealing sensitive information. This can lead to account compromise and unauthorized access to resources.
Azure's cloud infrastructure is designed to be scalable and flexible, but this also makes it vulnerable to lateral movement attacks, where attackers move laterally within the cloud environment to reach sensitive data.
Cloud Penetration Testing
Cloud penetration testing is a crucial aspect of securing Azure environments. To audit an Azure environment, you need to know which services are in use, what is exposed, who has access to what, and how internal Azure services and external services are connected.
Answering those questions is what lets you identify potential vulnerabilities.
To compromise an Azure environment, a Red Team's first step is to obtain some Azure AD credentials. Here are some common ways to do that:
- Leaks in GitHub or similar platforms (OSINT)
- Social Engineering
- Password reuse (password leaks)
- Vulnerabilities in Azure-Hosted Applications
- 3rd parties breached
- Internal Employee
- Common Phishing (credentials or OAuth App)
- Azure Password Spraying
Once you have credentials, you need to know who they belong to and what they have access to. This requires basic enumeration, which can be noisy, especially the login process.
The Azure Threat Research Matrix is an excellent resource to get familiar with Tactics, Techniques, and Procedures (TTPs) during each phase of a cloud penetration test. It's a great starting point for anyone looking to learn more about cloud penetration testing.
To perform pentesting and red team exercises in Azure, it's recommended to start with sysadmin and blue team operations before diving into cloud penetration testing. This will help you understand the concepts better and absorb the material faster.
Pentester/Red Team Methodology
Even before compromising any user inside the Azure tenant, you can gather information about it while trying to obtain credentials.
Here are some ways to enumerate an Azure environment:
- The Kudu console, to log in to an App Service 'container'
Azure Security Controls
Azure Security Controls are designed to protect your data and applications from unauthorized access. This includes features like Azure Active Directory (Azure AD) which can be integrated with your existing identity systems.
Azure AD provides multi-factor authentication to add an extra layer of security. This can be required for all users, or only for certain actions like accessing sensitive data.
Azure Monitor can track potential security threats and alert you to any suspicious activity. This can help you respond quickly to potential security breaches.
Azure Security Center continuously monitors your Azure resources for potential security vulnerabilities. It can also provide recommendations for remediation to help strengthen your security posture.
Azure Policy can enforce security, compliance, and governance rules across your Azure resources. This can help ensure that your resources are configured consistently and securely.
Azure Storage has features like encryption at rest and in transit to protect your data. This includes options for customer-managed keys and Azure-managed keys.
Azure Network Security Groups (NSGs) control traffic flow to and from your Azure resources. This includes source IP address filtering and protocol-based blocking.
Azure Attack Vectors
Azure exposes several attack vectors. One is User Data abuse: user data is a mechanism for injecting scripts or data into a VM at provisioning time or later. It is intended for initial configuration tasks, but it is a lucrative target for threat actors because it is stored unencrypted and often holds sensitive information.
User Data is inserted into an Azure virtual machine at provision time and is then persisted and accessible on the VM through the Instance Metadata Service (IMDS). With local access to a target Azure VM, an attacker can hunt for credentials or other sensitive information by querying the IMDS.
Azure VM Run Commands allow PowerShell scripts or shell commands to be executed remotely on an Azure VM as SYSTEM, without logging in to the VM and without even having network access to it. Given compromised credentials with sufficient permissions, this feature can be abused to gain a foothold, escalate privileges, or move laterally within an environment.
Here are some ways to bypass Conditional Access:
- Bypassing access conditions: hackers can validate initial conditions and bypass them using techniques such as editing the user-agent string to fit the required condition.
- Bypassing access controls: hackers can use man-in-the-middle attacks, social engineering, or "MFA bombing" to bypass MFA controls.
SSRF in Azure-hosted applications can be exploited to gain access to sensitive information. The Azure Serial Console can also serve penetration testers as a clandestine entry point, offering a text-based interface to virtual machines (VMs) and virtual machine scale set instances, whether Linux or Windows.
SSRF
SSRF is a serious vulnerability that can be found in machines inside Azure. If you've stumbled upon one, the referenced page offers some useful tricks to help you navigate it.
SSRF stands for Server-Side Request Forgery: an attacker tricks a server into making requests to another server on their behalf, potentially exposing sensitive data. This is a significant concern in Azure environments.
To mitigate SSRF, validate and sanitize user-supplied input so that attackers cannot control the destination of server-side requests, rejecting any suspicious or malicious input that could be used to exploit the vulnerability.
MitM Attack via CLI
One way to launch a MitM attack via the CLI is to run the az tool with the --debug parameter, which prints every request the tool sends.
Reviewing that output is a simple yet effective way to see, intercept, and manipulate the requests; to check them manually, run the az tool with --debug.
Conditional Access Bypass
Conditional Access is a security feature in Azure that controls access to resources based on conditions such as location, device, and user behavior. However, hackers can bypass Conditional Access using various techniques.
Hackers can analyze error messages sent by the system to the user in the event of a failure to connect, which can provide insight into which policy is preventing the successful login.
Exclusion groups are often not maintained properly, leaving users in groups that don't require privilege, or users who have left the company, creating potential vulnerabilities.
Poorly defined block policies can also make it easier for hackers to bypass Conditional Access. Block policies should be set up correctly to prevent unauthorized access.
Here are some common ways hackers bypass Conditional Access:
- Bypassing access controls such as multi-factor authentication (MFA) using techniques like man-in-the-middle attacks, social engineering, or MFA bombing.
- Executing the attack on-prem, since the device then only needs to be recognized as valid by the local domain servers.
Azure Network Security
Azure Network Security can be bypassed using the Serial Console, which provides a text-based interface for virtual machines (VMs) and virtual machine scale set instances.
This connection establishes a direct link to the ttyS0 or COM1 serial port of the VM or virtual machine scale set instance, regardless of network restrictions placed on the VM.
A Network Security Group (NSG) can explicitly deny access to common remote management services like RDP or WinRM, but the serial console can still be used to connect to the target machine.
The Azure serial console is also useful for bypassing Just-in-Time (JIT) admin access controls implemented by Microsoft Defender for Cloud.
To use this functionality, a compromised user requires the Microsoft.SerialConsole/serialPorts/connect/action permission.
Threat Actors such as UNC3944 have been observed leveraging this technique in the wild, as documented by Mandiant's reputable research.
Azure Serial Console offers various capabilities in unauthenticated SAC console mode, including:
- cmd = create a command prompt channel
- d = dump the current kernel log
- l = list all IP network numbers and their IP addresses, and set IP info
- t = display the task list
- livedump = create a live kernel dump, which allows us to exfiltrate secrets from the dump
Credentials can also be exposed through boot diagnostics serial logs when administrators run commands that include sensitive information, such as plaintext credentials, directly in the Serial Console.
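Because both the Serial Console and Run Command paths depend on who holds the corresponding RBAC actions, a defender's first check is which role definitions grant them, wildcards and NotActions included. The Python below is an added example, not code from the page or any of its sources; the role definitions are constructed, and Microsoft.Compute/virtualMachines/runCommand/action is the ARM operation name for VM Run Commands.

```python
"""Audit Azure RBAC role definitions for actions that grant out-of-band VM
access: Serial Console connect (from the page) and VM Run Command.
Added example; the role definitions below are constructed, not real."""
import fnmatch
import json

SENSITIVE_ACTIONS = [
    "Microsoft.SerialConsole/serialPorts/connect/action",
    "Microsoft.Compute/virtualMachines/runCommand/action",
]

# Constructed sample in the shape of ARM roleDefinitions (properties.permissions).
SAMPLE_ROLE_DEFINITIONS = json.loads("""
[
 {"name": "r1", "properties": {"roleName": "VM Operator (wide)",
   "permissions": [{"actions": ["Microsoft.Compute/*", "Microsoft.SerialConsole/*"],
                    "notActions": []}]}},
 {"name": "r2", "properties": {"roleName": "VM Reader",
   "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read"],
                    "notActions": []}]}},
 {"name": "r3", "properties": {"roleName": "Almost Everything",
   "permissions": [{"actions": ["*"],
                    "notActions": ["Microsoft.SerialConsole/serialPorts/connect/action"]}]}}
]
""")

def action_matches(pattern, action):
    """RBAC action strings are case-insensitive; '*' spans path segments."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def effective_actions(permission, candidates):
    """Candidates granted by one permission block: matched by an entry in
    'actions' and not excluded by an entry in 'notActions'."""
    granted = set()
    for action in candidates:
        allowed = any(action_matches(p, action) for p in permission.get("actions", []))
        denied = any(action_matches(p, action) for p in permission.get("notActions", []))
        if allowed and not denied:
            granted.add(action)
    return granted

def find_risky_roles(role_definitions, candidates=SENSITIVE_ACTIONS):
    """Map role name -> sorted sensitive actions the role effectively grants."""
    findings = {}
    for role in role_definitions:
        props = role["properties"]
        granted = set()
        for perm in props.get("permissions", []):
            granted |= effective_actions(perm, candidates)
        if granted:
            findings[props["roleName"]] = sorted(granted)
    return findings

if __name__ == "__main__":
    for role, actions in find_risky_roles(SAMPLE_ROLE_DEFINITIONS).items():
        print(f"{role}: {', '.join(actions)}")
```

This inspects definitions only; a full review also has to consider the scope of each role assignment and any deny assignments.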
Azure Lateral Movement
Azure Lateral Movement is a type of attack where an attacker gains access to a compromised Azure account and uses it to move laterally within the organization's Azure environment.
To achieve this, attackers often rely on misconfigured Azure resources, such as storage accounts or virtual machines, that have been left exposed to the internet.
Attackers can use these misconfigured resources to gain a foothold in the Azure environment and then move laterally to other resources.
Entra ID Enumeration
In Azure environments, any user has default AzureAD permissions to enumerate entities such as users, groups, roles, and service principals.
Because this enumeration reveals which services are in use in the environment, it is a good starting point for lateral movement, and reviewing the default AzureAD permissions is a crucial step.
To gain more insight into the environment, the referenced guide covers credentials and detection methods.
Understanding VM Abuse
Azure Virtual Machines provide a powerful infrastructure for hosting applications and services in the cloud.
To simulate real-world attacks and uncover security gaps, you can leverage the features and capabilities of Azure VMs.
By exploiting VM capabilities, you can identify potential attack vectors and improve your security posture.
VM extensions allow you to run custom scripts and execute commands on the VMs.
You can connect to Azure VMs using offensive tooling like Evil-WinRM.
Initiating a Command Prompt Session from the Special Administration Console (SAC) requires using the command cmd.
The SAC interface seamlessly transitions users to a fully interactive command prompt session, enabling them to execute commands directly within the VM operating system.
This process involves triggering the execution of sacsess.exe, which initiates cmd.exe within the virtual machine environment.
To execute commands within the VM through the REST API, you can use the Invoke-RestMethod cmdlet in PowerShell, building the request body as a hashtable and converting it to a JSON string with the ConvertTo-Json cmdlet.
The Azure REST API accepts PUT requests against the VM resource, allowing you to update the VM's properties.
The URL specifies the API version, subscription ID, resource group name, and VM name.
The PUT request carries a JSON body with the updated properties, such as the location and user data.
The user data is Base64-encoded in the request body; this is an encoding for transport, not encryption, so anything placed there remains readable from inside the VM through the Instance Metadata Service.
The Invoke-RestMethod cmdlet sends the PUT request and returns the response.
To authenticate the request, obtain an access token with the Get-AzAccessToken cmdlet and place it in the Authorization header.
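User data, whether set at provisioning or through the PUT request described above, is stored unencrypted and readable from inside the VM via IMDS, so it should be audited for secrets before deployment. The Python below is an added example, not from the page or its sources; the VM resource JSON is constructed, and the secret patterns are illustrative rather than exhaustive.

```python
"""Audit VM user data for embedded secrets. Added example, not from the page:
decodes the Base64 userData field of constructed VM resource JSON (the shape
the Compute REST API returns) and flags common credential patterns."""
import base64
import json
import re

SECRET_PATTERNS = {
    "password assignment": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*\S+"),
    "storage account key": re.compile(r"AccountKey=[A-Za-z0-9+/=]{40,}"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "SAS or bearer token": re.compile(r"(?i)([?&]sig=|Bearer\s+)[A-Za-z0-9%+/=._-]{20,}"),
}

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample resources; userData is Base64 of what the deployer supplied.
SAMPLE_VMS = [
    {"name": "web01", "properties": {"userData": b64(
        "#!/bin/bash\nexport DB_PASSWORD=Sup3rSecret!\n"
        "export STORAGE_CONN='DefaultEndpointsProtocol=https;AccountName=acct;"
        "AccountKey=" + "A" * 88 + "'\n")}},
    {"name": "web02", "properties": {"userData": b64(
        "#!/bin/bash\napt-get update && apt-get install -y nginx\n")}},
    {"name": "web03", "properties": {}},   # no user data at all
]

def decode_user_data(vm):
    """Return the decoded user data text, or '' if absent or not valid Base64."""
    raw = vm.get("properties", {}).get("userData")
    if not raw:
        return ""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", errors="replace")
    except ValueError:   # binascii.Error is a ValueError subclass
        return ""

def scan_user_data(text):
    """Sorted labels of every secret pattern found in the text."""
    return sorted(label for label, rx in SECRET_PATTERNS.items() if rx.search(text))

def audit_vms(vms):
    """Map VM name -> findings, only for VMs whose user data contains secrets."""
    findings = {}
    for vm in vms:
        hits = scan_user_data(decode_user_data(vm))
        if hits:
            findings[vm["name"]] = hits
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_vms(SAMPLE_VMS), indent=2))
```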
Move Laterally via Impersonation
Conditional Access can be bypassed, allowing hackers to gain access to a system. Access conditions are a first filter, and hackers can satisfy these initial conditions.
Access conditions based on the device's operating system are easy to bypass since they're based on a browser string that can be easily edited. Conditional Access interprets the user-agent string to determine the operating system, but a hacker could edit this string and fit the required condition.
Hackers can use a VPN to bypass IP address restrictions, allowing them to connect from a different location. If the condition is a restriction to certain specific IP addresses, hackers will have to find a way to go through one of the addresses, by having a foothold on the network for example.
Multi-factor authentication (MFA) can be bypassed by hackers, but it's an excellent policy to adopt. MFA adds a layer of protection by requiring a second authentication through an alternative channel, such as a push notification on a mobile device or a one-time code received via text message.
Step 3: Bypassing Access Controls
Bypassing access controls is a crucial step in Azure lateral movement. Hackers can use various techniques to bypass these controls, making it essential to understand how they work.
One way to bypass access controls is through man-in-the-middle attacks using tools like Evilginx. This tool mimics a login page, replicating the user's actions, including typing a one-time code, to steal the user's MFA session tokens.
Hackers can also use social engineering to obtain one-time codes sent via text message. This can be done by convincing the user to share the code or by intercepting the code through a phishing attack.
Another technique used to bypass access controls is "MFA bombing." This involves sending a large number of MFA notifications to the user, along with a message from the hackers posing as the IT team, asking the user to approve the notifications. This ultimately enables the hackers to access the user's account.
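A detection-side counterpart to the MFA bombing pattern described above, added here and not part of the original page: the Python below raises an alert when a user approves an MFA prompt shortly after a burst of rejected or timed-out prompts. The sign-in events are constructed, and the MFA result wording is an assumption modelled loosely on Entra ID sign-in logs.

```python
"""Detect MFA fatigue ('MFA bombing') in sign-in records: several rejected or
timed-out MFA challenges for one user, then an approval within a short window.
Added example; events are constructed and the MFA result wording is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back before the approval
MIN_REJECTIONS = 4               # rejections in the window that raise an alert
DENIED = "MFA denied; user declined the authentication"
TIMEOUT = "MFA denied; authentication in progress timed out"
OK = "MFA successfully completed"

def ev(user, time, mfa):
    return {"user": user, "time": time, "mfa": mfa}

SAMPLE_SIGNINS = [   # constructed sample events
    # alice: five pushes rejected within three minutes, then one approved
    ev("alice@example.com", "2024-03-01T08:00:05Z", DENIED),
    ev("alice@example.com", "2024-03-01T08:00:40Z", DENIED),
    ev("alice@example.com", "2024-03-01T08:01:10Z", TIMEOUT),
    ev("alice@example.com", "2024-03-01T08:01:55Z", DENIED),
    ev("alice@example.com", "2024-03-01T08:02:30Z", DENIED),
    ev("alice@example.com", "2024-03-01T08:03:00Z", OK),
    # bob: one declined push, then approval (benign retry)
    ev("bob@example.com", "2024-03-01T09:10:00Z", DENIED),
    ev("bob@example.com", "2024-03-01T09:10:30Z", OK),
    # carol: four rejections spread across the day, then an approval
    ev("carol@example.com", "2024-03-01T07:00:00Z", TIMEOUT),
    ev("carol@example.com", "2024-03-01T10:00:00Z", DENIED),
    ev("carol@example.com", "2024-03-01T13:00:00Z", DENIED),
    ev("carol@example.com", "2024-03-01T16:00:00Z", DENIED),
    ev("carol@example.com", "2024-03-01T16:05:00Z", OK),
]

def classify(mfa_result):
    """Map free-text MFA result to 'rejected', 'approved' or 'other'."""
    r = mfa_result.lower()
    if "denied" in r or "timed out" in r:
        return "rejected"
    return "approved" if ("completed" in r or "approved" in r) else "other"

def detect_mfa_fatigue(events, window=WINDOW, min_rejections=MIN_REJECTIONS):
    """One alert per approval preceded, within the window, by at least
    min_rejections rejected challenges for the same user."""
    by_user = defaultdict(list)
    for e in events:
        t = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        by_user[e["user"]].append((t, classify(e["mfa"])))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        for i, (t, outcome) in enumerate(evs):
            if outcome != "approved":
                continue
            recent = [t2 for t2, o in evs[:i] if o == "rejected" and t - t2 <= window]
            if len(recent) >= min_rejections:
                alerts.append({"user": user, "approved_at": t.isoformat(),
                               "rejections_before": len(recent)})
    return alerts
```

Only alice trips the default thresholds; bob's single retry and carol's rejections spread over hours do not, which is the distinction a tuned alert needs to make.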
Here are some common access controls and the tactics hackers use to bypass them:
These tactics highlight the importance of implementing robust access controls and monitoring user behavior to prevent lateral movement. By understanding how hackers bypass access controls, organizations can take steps to strengthen their security posture and prevent these types of attacks.
Sources
- https://cloud.hacktricks.xyz/pentesting-cloud/azure-security
- https://rootsecdev.medium.com/becoming-an-azure-cloud-ethical-hacker-2022-edition-49de0836e7f1
- https://notsosecure.com/identifying-exploiting-leaked-azure-storage-keys
- https://www.mantra.ms/blog/how-hackers-bypass-microsoft-azure-ad-conditional-access
- https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors