May 27

Webinar Takeaway: Getting Started in Pentesting The Cloud – Azure


My key takeaways

  • Hybrid environments make cloud-to-on-prem pivoting possible
  • Three attack surfaces:
    • external: public buckets
    • internal resource access: reaching resources from inside the cloud
    • internal API access: identify vulnerabilities via API calls and configuration analysis
  • Azure and O365 are not the same
    • Azure Resource Manager: subscriptions and resources
    • Microsoft Office 365: productivity
  • O365 accounts get Azure AD accounts automatically
  • Do cloud asset discovery for recon
  • Enumerate users through the OAuth endpoint, but it is loud
  • Azure blobs and Amazon S3 buckets are sometimes exposed
    • some URLs are pretty predictable
  • Azure has password protection (a.k.a. a blacklist) and smart lockout
  • Finding auth points is key
  • Conditional access policies require disabling security defaults
    • security defaults are pretty good and are enabled in any brand-new Azure or M365 account
    • MFA is enabled in security defaults
  • MFA might be circumvented by changing the user agent to a mobile client, as some organizations configure conditional access policies to disable MFA on mobile
  • Use MFASweep to try to get over MFA
  • Go-to actions post-compromise
    • try to get to the Azure Portal directly
  • There are over 200 default service principals in an O365 tenant: a lot of surface
  • You need permission from the customer to test their Azure cloud, not from M$
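The mobile-client MFA gap in the takeaways above is visible from the defender's side in Azure AD sign-in logs. The following is an added example (not from the webinar or this post) that scans sign-in records in the shape of Microsoft Graph `signIn` objects and reports successful single-factor sign-ins from mobile user agents; the sample records and the mobile user-agent heuristic are constructed assumptions.

```python
import json
import re

# Constructed sample sign-in records in the shape of Microsoft Graph "signIn"
# objects (field names are the Graph ones; every value is made up for this example).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/96.0",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online",
     "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) Mobile/15E148",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure Portal",
     "userAgent": "Mozilla/5.0 (Linux; Android 12) Mobile Safari/537.36",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Azure Portal",
     "userAgent": "Mozilla/5.0 (Linux; Android 12) Mobile Safari/537.36",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
])

# Heuristic (an assumption, tune it to your estate): substrings that mark a mobile client.
MOBILE_UA = re.compile(r"iPhone|iPad|Android|Mobile", re.IGNORECASE)


def is_mobile_ua(user_agent):
    return bool(MOBILE_UA.search(user_agent or ""))


def find_mobile_mfa_gaps(signins_json):
    """Return successful sign-ins that completed with a single factor from a
    mobile user agent: the gap left by a conditional access policy that
    excludes mobile clients from MFA, or by no policy applying at all."""
    gaps = []
    for s in json.loads(signins_json):
        succeeded = s.get("status", {}).get("errorCode") == 0
        single_factor = s.get("authenticationRequirement") == "singleFactorAuthentication"
        if succeeded and single_factor and is_mobile_ua(s.get("userAgent")):
            gaps.append({
                "user": s["userPrincipalName"],
                "app": s["appDisplayName"],
                # "notApplied" means no conditional access policy matched the sign-in
                "conditionalAccess": s.get("conditionalAccessStatus"),
            })
    return gaps


if __name__ == "__main__":
    for gap in find_mobile_mfa_gaps(SAMPLE_SIGNINS):
        print(f"{gap['user']} -> {gap['app']}: single factor on mobile (CA: {gap['conditionalAccess']})")
```

Failed sign-ins are skipped on purpose; a lockout or a blocked request is a different signal than a policy that let a mobile client in without a second factor.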


Tags

azure, cloud security, red teaming
