In the first part of this introductory guide to pen testing Azure, we discussed the approaches under different cloud environments, industry best practices, and activities allowed and prohibited by Microsoft. In this second part, we’ll review the benefits of penetration testing in Azure. We’ll also cover the most popular tools for penetration testing in Azure.
Benefits of Cloud Penetration Testing
Cloud penetration testing, especially for Azure, is beneficial for many reasons. Let’s run through some of them.
- To identify unknown Vulnerabilities and Prevent Risks in advance
Identifying vulnerabilities in apps, services, and cloud infrastructure is perhaps the most obvious reason why organizations must conduct penetration testing. This allows the penetration tester to recommend remediation measures that ensure the organization takes proactive steps to resolve the problems before malicious actors exploit them.
- Get an Objective Assessment
Penetration Testers offer an unbiased perspective. Their objective analysis uncovers vulnerabilities that internal users or security assessment teams might miss or underestimate, necessitating deeper exploration.
This could be because external experts prioritize identifying potential exploits within Azure systems and software rather than fixating on the specifics of the deployment environment.
- Meet Data Security Compliance and Demonstrate Due Diligence
Regulatory laws are changing and becoming more stringent daily, specifically for highly regulated industries like healthcare, financial services, and the public sector. Compliance regulations like the HIPAA, GDPR, and the PCI DSS make it crucial for enterprises to be proactive with their security assessments.
As your organization is under increased scrutiny to protect customer data, cloud pen testing efforts demonstrate to stakeholders and customers that you take data security seriously and conduct due diligence proactively.
- Improve Enterprise Security Posture and Enhance Cyber Resilience
Conducting regular penetration testing is crucial to enhance the organization’s overall security posture and enhance cyber resilience. It empowers your enterprise to fine-tune security measures, configurations, and policies specific to your cloud infrastructure, reducing the chances of security incidents and data breaches.
Popular Azure Pentesting Tools
There are many pen testing tools for Azure platforms. Depending on the stages of penetration testing and security assessments, here are some popular and powerful tools to use:
Tools for Azure Information Gathering
After gaining access to the target organization’s Azure AD, the first intent should be to gather as much information as possible. This includes users, groups, roles, permissions, resources, configurations, policies, and other relevant data. The following tools can help with information gathering in Azure:
- BloodHound’s Azure Hound: The Azure Hound is a powerful tool for surveillance and information gathering in Azure environments, specifically for privilege escalation paths and potential attack vectors. After using Azure Hound to collect the data, you can then feed it into the BloodHound database for security analysis. Azure Hound visualizes the Azure AD environment in graph format, helping you highlight relationships between users, groups, roles, and resources.
- ROADTools: This framework uses tools to interact with Azure AD when pen testing. It includes tools for reconnaissance (ROADrecon), enumeration, privilege escalation (ROADtx), and exploitation in Azure.
- o365recon: This is a powerful tool that red teams and pen testers use for initial access and information gathering when valid credentials are available. It helps gather data like users, accounts, groups, permissions, configurations, Azure AD settings, and other necessary information in Microsoft 365 (M365) environments, such as Azure AD.
- Azure Logic Apps Scanner: If you’re using Logic Apps in your environment, you might want to consider using Azure Logic Apps Scanner. It can help find security weaknesses and misconfigurations within your Logic App workflows.
- SCuBA M365 Security Baseline Assessment Tool: The Security Configuration and Usage Baseline Analyzer, or SCuBA Gear, assesses security configurations and checks if they adhere to CISA’s security baseline for M365. These baselines offer policy configuration recommendations that are easy to adopt and align with each organization's specific requirements and risk tolerance levels. The detailed reports highlight gaps and non-compliance, allowing organizations to prioritize and address them quickly.
- Get-MsolRolesAndMembers.ps1: This is a PowerShell script that helps manage role-based access control (RBAC) and permissions. When conducting Azure pen testing, this script can help retrieve a list of roles and associated role members.
Other tools like Sparrow.ps1, Hawk, Azurite, Cloud Katana (serverless computing platforms), and PowerZure are also great for information gathering in the Azure/M365 environment.
Tools for Azure Enumeration
Enumeration can provide deeper insights into Azure resources, services, endpoints, privilege relationships, and potential attack surfaces in an Active Directory or Azure environment. It can help identify Azure VMs, storage accounts, network configurations, databases, and other components.
Most of the tools above for information gathering, such as BloodHound, also work here. However, here are some more specific tools to use for Azure enumeration:
- o365creeper: This tool is useful for enumerating valid email addresses within the M365 environment. As such, it can help identify active email accounts for targeted attacks or pen testing purposes.
- BlobHunter: BlobHunter scans Azure Blob Storage accounts for publicly accessible containers and blobs. This can help identify potential security risks caused by misconfigurations that expose sensitive data to the public. An alternative tool is Grayhat Warfare, which can also be used to scan AWS buckets.
- CloudBrute: Although not specifically designed for Azure, it is still a good tool for checking an organization’s cloud foodprint. It can search for the company’s cloud infrastructure resources across various cloud providers.
- Azucar: It assesses Azure security configurations, permissions, and potential vulnerabilities.
- ScoutSuite: Like CloudBrute, this multi-cloud security auditing tool assesses security posture in different cloud environments.
Other tools for enumeration in Azure environments include CloudFox, Monkey365, and Prowler. Using the Azure-Access Permissions, a PowerShell script, is a good idea to enumerate access permissions and audit access controls in Azure AD.
Tools for Azure Lateral Movement
After gaining access to Azure AD, an attack vector will typically try to access different resources with the access token information of the user it compromised. This lateral movement is usually in a bid to get the access token information of a superior user. Here are tools to help you perform lateral movement in Azure.
- StormSpotter: As a Penetration Tester, StormSpotter can help run automated scans and checks against Azure Configurations, ARM templates, NSGs, Azure Policies, etc. It can pinpoint open ports, exposed services, and outdated software versions. Additionally, it is great for helping you stay compliant.
- AzureADLateralMovement: This is an effective tool for creating a lateral movement graph for the Azure Active Directory. It provides insights into potential paths and possible techniques that attackers could use to move laterally within a tenant’s Azure AD environment.
- SkyArk: Helps to discover, assess, and secure high-privileged accounts, roles, and resources that are critical targets for lateral movement and privilege escalation attacks.
- Omigood (OM I GOOD?): A vulnerability scanner that helps to identify and remediate vulnerabilities in Azure VMs that could be exploited for lateral movement.
- Rubeus: This tool can be used for lateral movement and privilege escalation in Azure environments. You can perform pass-the-ticket attacks, create Kerberos tickets, extract ticket-granting tickets (TGTs), and other techniques to move laterally and escalate privileges within Azure Active Directory. It should be worth mentioning that Rubeus’ functionality might be limited depending on the specific Azure AD configuration.
It’s worth mentioning that BloodHound and PowerZure, which I mentioned earlier, have tools and scripts for lateral movement and post-exploitation in Azure.
Tools for Azure Exploitation
This step involves exploiting the vulnerabilities identified during earlier stages. Some exploitation tools for Azure environments include:
- BlueMap: This is an effective network reconnaissance and interactive exploitation tool. It can help save complex operational security and overhead. Note that BlueMap can also be useful in the enumeration stage, helping you automate some tedious tasks.
- Microsoft-Teams-GIFShell: This tool can be used to identify Remote Code Execution (ROE), which allows an attacker to execute code on a victim's machine using GIFs sent through Teams messages. As a Pen Tester, you can use it to check if such vulnerabilities exist and exploit them to assess the potential impact.
- Mimikatz: This is particularly popular for post-exploitation, where you can harvest credentials, perform pass-the-hash attacks, and escalate privileges within Azure environments.
In addition, you can use the azuread_decrypt_msol_v2.ps1 script to extract and decrypt sensitive credentials related to Azure AD Msol service accounts, which can then facilitate further exploitation opportunities.
Conclusion
Azure pen testing is not only great for identifying vulnerabilities but also helps you demonstrate compliance, enhance cyber resilience, and prepare your team to respond proactively to real-world threats.
At WebSec, our team of Penetration Testers and Ethical Hackers help you unearth unknown vulnerabilities in your Azure systems and applications. We provide detailed remediation reports that ensure you fix any weaknesses before malicious actors capitalize on them. This facilitates business continuity by ensuring your customers' sensitive data is always safe and you remain compliant.
Ready to fortify your security posture, or do you have questions about our working methods? We're always happy to help. Contact us today.