Webinar Takeaway: Getting Started in Pentesting The Cloud – Azure

My key takeaways

• Hybrid environments make cloud to on-prem pivoting possible
• 3 attack surfaces
  • external: public buckets
  • internal resource access: internal to cloud
  • internal api access: identify vulns via API calls & configuration analysis
• Azure and O365 are not the same
  • Azure Resouce Manager : Subscriptions and Resources
  • Microsoft Office 365: Productivity
• O365 accounts get Azure AD accounts automatically
• Do the Cloud Asset Discovery for Recon
• Enum Users through OAuth endpoint, but it is loud
• Azure blobs and Amazon S3 buckets are sometimes exposed
  • some URL's are pretty predictable
• Azure has password protection (aka. blacklist) and smart lockout
• finding auth points is key
• Conditional access policies require to disable security defaults
  • security defaults are pretty good and enabled in any brand new Azure or M365 account
  • MFA is enabled in security defaults
• MFA might be circumvented by changing the user agent to a mobile client as some organization configure conditional access policies to disable MFA on mobile
• Use MFASweep to try to get over MFA
• Goto actions post compromise
  • try to get to the Azure Portal directly
• There are over 200 default service principals in an O365 tenant: a lot of surface
• You need permission from the customer to test their Azure cloud, not from M$

Env

• Provided by BHIS
• Presenter: Beau Bullock

additional links

• https://www.nobandwidth.io/
• https://github.com/dafthack
• A password spraying tool for Microsoft Online accounts
• enumerate valid onedrive users
• Find exposed data in Azure with this public blob scanner
• Multi-cloud OSINT tool
• https://github.com/dafthack/DomainPasswordSpray
• https://aws.amazon.com/training/
• https://docs.microsoft.com/en-us/learn/azure/
• Fireprox to avoid smart lockout
• searching through email in a Microsoft Exchange environment for specific terms
• A tool for checking if MFA is enabled on multiple Microsoft Services
• Cloud Pentest Cheat Sheet
• A collection of Microsoft 365 licensing diagrams
• Automated Attack Simulation in the Cloud
• Multi-Cloud Security Auditing Tool
• ROADTools - Azure AD exploration framework
• PowerZure - PowerShell framework to assess Azure security
• MicroBurst - scripts for assessing Microsoft Azure security
• Stormspotter - graphing Azure
• AzureHound