Azure

Last updated 3 months ago

Introduction

Entra ID is the new name for what was previously known as Azure Active Directory (Azure AD), Microsoft's cloud-based identity and access management service. It is part of the Microsoft Entra product family, which focuses on securing and managing access across various digital environments, such as cloud, on-premises, and hybrid setups.

Microsoft Entra ID empowers organizations to manage and secure identities so people can access the applications and services they need. Microsoft Entra ID provides an identity solution that integrates broadly, from on-premises legacy apps to thousands of top software-as-a-service (SaaS) applications.

Azure Kill Chain

  • Reconnaissance Attackers gather information about the target's Azure footprint, largely without credentials: public-facing applications and IP ranges, whether a domain belongs to an Entra ID (formerly Azure AD) tenant and whether that domain is managed or federated, and exposed APIs or storage endpoints. Azure CLI, PowerShell modules and third-party scanners are the usual tooling; the public login endpoints answer the tenant questions anonymously.

  • Initial Access Attackers gain a foothold in the tenant. Typical routes are weak or reused credentials found by password spraying, phishing for Entra ID credentials or tokens, exploiting an exposed API, or compromising an application hosted in Azure and using its managed identity.

  • Enumeration With a valid identity, attackers list the users, groups, applications, service principals, role assignments and resources in the tenant and subscriptions, looking for misconfigurations they can exploit. This is a deeper, more targeted activity than reconnaissance, which is mostly passive and unauthenticated.

  • Privilege Escalation Attackers elevate from the initial identity to broader control of the tenant or subscriptions. Common paths are misconfigured Azure RBAC assignments, Entra ID directory roles or application permissions that allow adding credentials to a privileged app, and secrets exposed in virtual machines, automation accounts, Key Vaults or deployment history.

  • Persistence Attackers establish mechanisms to keep long-term access, for example adding a secret or certificate to an existing application or service principal, creating new ones, altering Conditional Access or group membership, or deploying backdoors in virtual machines or serverless functions.

  • Lateral Movement Attackers move through the environment to reach additional resources: other subscriptions, storage accounts, databases, devices joined to Entra ID, and on-premises Active Directory through hybrid identity components.
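The reconnaissance step above can be started without any credentials. The following script is an added example (not part of the original notes) that queries the two public Microsoft login endpoints: the OpenID discovery document for a domain, whose issuer URL embeds the tenant ID (a 400 `invalid_tenant` answer means no tenant owns the domain), and `getuserrealm.srf`, which reports whether the domain is Managed or Federated and, if federated, the `AuthURL` users get redirected to. The `SAMPLE_*` dictionaries are constructed in the shape of the real responses so the parsing can be exercised offline; `example.com`, the all-zero tenant ID and the ADFS host are placeholders.

```python
"""Unauthenticated Entra ID recon: does a domain have a tenant, what is its
tenant ID and region, and is the domain Managed or Federated?
Added example; SAMPLE_* are constructed responses, not captured data."""
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def openid_config_url(domain: str) -> str:
    """OpenID discovery document; HTTP 400 'invalid_tenant' means no tenant owns the domain."""
    return f"{LOGIN}/{urllib.parse.quote(domain)}/.well-known/openid-configuration"


def user_realm_url(login: str) -> str:
    """GetUserRealm: Managed vs Federated for the login's domain (the user need not exist)."""
    return f"{LOGIN}/getuserrealm.srf?{urllib.parse.urlencode({'login': login, 'json': 1})}"


def parse_openid_config(cfg: dict) -> dict:
    """The tenant ID is embedded in the issuer: https://sts.windows.net/<tenant-id>/."""
    if "error" in cfg:                       # e.g. {"error": "invalid_tenant", ...}
        return {"tenant_exists": False, "tenant_id": None, "region": None}
    m = GUID_RE.search(cfg.get("issuer", ""))
    return {
        "tenant_exists": m is not None,
        "tenant_id": m.group(0).lower() if m else None,
        "region": cfg.get("tenant_region_scope"),   # e.g. "EU", "NA"
    }


def parse_user_realm(realm: dict) -> dict:
    """NameSpaceType is Managed (cloud auth), Federated (redirect to AuthURL) or Unknown."""
    ns = realm.get("NameSpaceType", "Unknown")
    return {
        "domain": realm.get("DomainName"),
        "namespace": ns,
        "federated": ns == "Federated",
        "auth_url": realm.get("AuthURL") if ns == "Federated" else None,
        "brand": realm.get("FederationBrandName"),
    }


def fetch_json(url: str, timeout: float = 10.0) -> dict:
    """GET a JSON document; error responses carry a JSON body too, so return it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return json.loads(r.read().decode())
    except urllib.error.HTTPError as e:
        body = e.read().decode(errors="replace")
        try:
            return json.loads(body)
        except json.JSONDecodeError:
            return {"error": f"http_{e.code}", "error_description": body[:200]}


def recon(domain: str) -> dict:
    """Live lookup for one domain (network required)."""
    tenant = parse_openid_config(fetch_json(openid_config_url(domain)))
    realm = parse_user_realm(fetch_json(user_realm_url(f"user@{domain}")))
    return {**tenant, **realm}


# Constructed sample responses: real field names, placeholder values.
SAMPLE_OPENID = {
    "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000001/",
    "token_endpoint": f"{LOGIN}/00000000-0000-0000-0000-000000000001/oauth2/token",
    "tenant_region_scope": "EU",
}
SAMPLE_REALM_FEDERATED = {
    "NameSpaceType": "Federated",
    "DomainName": "example.com",
    "FederationBrandName": "Example Corp",
    "AuthURL": "https://adfs.example.com/adfs/ls/?username=user%40example.com&wa=wsignin1.0",
}
SAMPLE_NO_TENANT = {"error": "invalid_tenant", "error_description": "Tenant not found."}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(recon(sys.argv[1]), indent=2))
    else:
        print(parse_openid_config(SAMPLE_OPENID))
        print(parse_user_realm(SAMPLE_REALM_FEDERATED))
        print(parse_openid_config(SAMPLE_NO_TENANT))
```

Run it with a domain as the first argument to do the live lookup. A federated answer is worth noting early: password spraying and phishing then target the federation server named in `AuthURL` rather than Entra ID itself, and the Conditional Access picture differs accordingly.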

Permissions for white/greybox pentest

To start a white-box hardening review of an Entra ID tenant, ask for the Global Reader directory role on each tenant in scope. To review Azure subscriptions as well, you need at least the Reader RBAC role on every subscription; a single Reader assignment at the tenant root group or a parent management group is inherited by all subscriptions underneath it, which is easier to request and to audit than one assignment per subscription.

If those roles are not enough to reach all the information you need (Key Vault secrets, for example, are gated by data-plane permissions that Reader does not grant), ask the client for a role with exactly the permissions required. Keep the set of non-read-only permissions you ask for as small as possible and document it in the scope.
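Before the engagement starts it is worth confirming that the granted Azure RBAC assignments actually cover every subscription in scope. The script below is an added example, not part of the original notes: it takes the JSON output of `az account list -o json` and `az role assignment list --all --assignee <upn> -o json`, reports subscriptions without a subscription-level Reader assignment, and lists any assignment that is not read-only so it can be questioned. It assumes that built-in roles whose name ends in "Reader" are read-only, treats a Reader assignment on the tenant root scope `/` as covering everything, and does not resolve management-group hierarchy (those assignments are reported separately). The Entra side (Global Reader) is a directory role, not an RBAC assignment, and is not checked here. Sample data is constructed.

```python
"""Check a tester's Azure RBAC assignments against the subscriptions in scope.
Added example; SAMPLE_* mimic `az account list` and `az role assignment list`
output with constructed values."""
import json
import sys
from typing import Optional


def is_read_only(role: str) -> bool:
    """Assumption: built-in roles named '... Reader' are read-only."""
    return role.endswith("Reader")


def scope_subscription(scope: str) -> Optional[str]:
    """Subscription ID of a scope like /subscriptions/<id>[/resourceGroups/...], else None."""
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None


def check_reader_coverage(subscriptions: list, assignments: list) -> dict:
    """Return subscriptions lacking Reader, non-read-only roles, and MG-scoped roles."""
    covered, root_reader = set(), False
    write_roles, mg_scoped = [], []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if not is_read_only(role):
            write_roles.append((role, scope))
        if scope == "/" and role == "Reader":        # tenant root: inherited everywhere
            root_reader = True
        elif "/managementGroups/" in scope:
            mg_scoped.append((role, scope))          # needs hierarchy lookup; not resolved
        elif role == "Reader":
            sub = scope_subscription(scope)
            # only a subscription-level Reader counts; a resource-group scope leaves gaps
            if sub and scope.strip("/").count("/") == 1:
                covered.add(sub)
    missing = [] if root_reader else [
        s["name"] for s in subscriptions if s["id"].lower() not in covered
    ]
    return {"missing_reader": missing, "write_roles": write_roles, "mg_scoped": mg_scoped}


# Constructed sample data (placeholder IDs and names).
SAMPLE_SUBS = [
    {"id": "11111111-1111-1111-1111-111111111111", "name": "prod"},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "dev"},
]
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
     "principalName": "pentester@example.com"},
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-app",
     "principalName": "pentester@example.com"},
]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            subs = json.load(f)
        with open(sys.argv[2]) as f:
            assigns = json.load(f)
    else:
        subs, assigns = SAMPLE_SUBS, SAMPLE_ASSIGNMENTS
    print(json.dumps(check_reader_coverage(subs, assigns), indent=2))
```

Usage: `python3 check_scope.py accounts.json assignments.json`. On the sample data the `dev` subscription is reported as missing Reader (Contributor on one resource group does not give read access to the rest of the subscription) and the Contributor assignment is flagged as a write role to discuss with the client.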
