Pentesting Notes
  • Home
  • 🌐Web pentesting
    • Content Discovery
    • Subdomain Enumeration
    • Authentication bypass
    • IDOR (Insecure Direct Object Reference)
    • Git repository
    • XSS
    • SSRF
    • CSRF
    • Injection
      • SQL Injection
      • Cypher injection
      • Command injection
      • Server Side Template Injection
      • NoSQL injection
      • XXE
    • FI (File Inclusion)
    • File upload
    • OAuth
    • JWT
    • CORS
    • Prototype pollution
    • Request Smuggling
  • Windows Pentesting
    • Enumerating users (No credentials)
    • Privilege Escalation
    • Post-Exploitation
    • Cross-domain enumeration
    • LDAP port (389, 636, 3268, 3269)
    • SMB port (139,445)
    • MSSQL port (1433)
    • Certificate Authority (CA)
    • Delegation attacks
    • Attacking Kerberos
    • Relay attacks
    • Bypassing Security
    • File Transfer
    • GPO (Group Policy Object)
    • Tools
      • Mimikatz
      • NetExec
      • Crackmapexec (CME)
      • Powerview
      • Bloodhound
      • Impacket
      • BloodyAD
      • Sliver C2
  • 🐧Linux Pentesting
    • Linux Privilege Esclation
    • Escape docker
    • Ansible
  • 🕊️Cross platform pivoting
    • Pivoting
  • 🔁Reversing
    • Windows executables and DLL's
    • Linux binaries
    • Java applications
    • Android APK
  • 🛜Wireless networks
    • WPA/WPA2
    • WPS
    • WEP
    • Capative portal bypass
    • Setting up a Rogue Access Point
    • WPA Enterpise (WPA-MGT)
  • ☁️Cloud
    • Kubernetes
    • Azure
      • Architecture
        • RBAC & ABAC roles
        • Entra ID roles
        • Entra ID - Authentication with OAuth and API's
        • Consent and Permissions
      • Service Discovery, Recon, Enumeration and Initial Access Attacks
        • Unauthenticated Recon
        • Password Spraying
        • Azure App Service
        • Azure Blob Storage
      • Authenticated Enumeration
        • ROADTools
        • BloodHound & AzureHound
      • Privilege Escalation
        • Illicit Consent Grant
        • Macro enabled Word-files (Revshell)
        • Add secrets to app
        • Automation Accounts
        • Execute commands on VM
        • Key Vault
  • ⭐Tips and tricks
    • Tips and tricks
Powered by GitBook
On this page
  1. Cloud

Azure

PreviousKubernetesNextArchitecture

Last updated 4 days ago

Introduction

Entra ID is the new name for what was previously known as Azure Active Directory (Azure AD), Microsoft's cloud-based identity and access management service. It is part of the Microsoft Entra product family, which focuses on securing and managing access across various digital environments, such as cloud, on-premises, and hybrid setups.

Microsoft Entra ID empowers organizations to manage and secure identities so people can access the applications and services they need. Microsoft Entra ID provides an identity solution that integrates broadly, from on-premises legacy apps to thousands of top software-as-a-service (SaaS) applications.

Azure Kill Chain

  • Reconnaissance Attackers gather information about the Azure environment, such as public-facing applications, IP addresses, Azure AD configuration, and exposed APIs. Tools like Azure CLI, PowerShell, or third-party scanners may be used to probe for vulnerabilities.

  • Initial Access Attackers gain a foothold in the Azure tenant. This could involve exploiting weak credentials, phishing attacks to steal Azure AD credentials, exploiting exposed APIs, or compromising an application hosted in Azure.

  • Enumeration Enumeration involves attackers actively probing and listing resources, configurations, and users in the Azure environment to identify potential vulnerabilities or misconfigurations that they can exploit. This is a deeper, more targeted activity than reconnaissance, which is often passive.

  • Privilege Escalation After gaining access, attackers aim to elevate privileges to obtain broader control over the Azure tenant. They may exploit misconfigured role-based access control (RBAC), manipulate Azure AD permissions, or exploit vulnerabilities in virtual machines or containers.

  • Persistence Attackers establish mechanisms to maintain long-term access. In Azure, this might involve creating malicious service principals, altering configurations for continuous access, or deploying backdoors in virtual machines or serverless functions.

  • Lateral Movement Attackers navigate the Azure environment to find and access additional resources. This could involve moving between subscriptions, accessing storage accounts, databases, or other resources linked to Azure services.

☁️
  • Introduction
  • Azure Kill Chain