
Penetration Testing Azure for Ethical Hackers

By: David Okeyode, Karl Fosaaen

Overview of this book

“If you’re looking for this book, you need it.” — 5* Amazon Review

Curious about how safe Azure really is? Put your knowledge to work with this practical guide to penetration testing. This book offers a no-faff, hands-on approach to exploring Azure penetration testing methodologies, which will get you up and running in no time with the help of real-world examples, scripts, and ready-to-use source code. As you learn about the Microsoft Azure platform and understand how hackers can attack resources hosted in the Azure cloud, you'll find out how to protect your environment by identifying vulnerabilities, along with extending your pentesting tools and capabilities. First, you’ll be taken through the prerequisites for pentesting Azure and shown how to set up a pentesting lab. You'll then simulate attacks on Azure assets such as web applications and virtual machines from anonymous and authenticated perspectives. In the later chapters, you'll learn about the opportunities for privilege escalation in Azure tenants and ways in which an attacker can create persistent access to an environment. By the end of this book, you'll be able to leverage your ethical hacking skills to identify and implement different tools and techniques to perform successful penetration tests on your own Azure infrastructure.

Accessing the Azure cloud

There are multiple ways to interact with an Azure tenant, and each method has specific advantages during a penetration test. The following list outlines the ways the Azure cloud can be accessed:

  • Azure portal
  • Azure CLI
  • Az PowerShell cmdlets
  • Azure REST APIs

In Chapter 2, Building Your Own Environment, we will discuss setting up your own environment, but if you already have access to an Azure environment, feel free to follow along with these access methods.

Azure portal

The Azure portal is a web-based console for accessing and managing Azure resources. The URL for the Azure public cloud platform is https://portal.azure.com. As noted at the start of the chapter, the address is different for other Azure clouds, such as those for the US government, China, and Germany.

A user has to first authenticate using an Azure AD user account to gain access to the portal. For those of you that are visual learners, the Azure portal will be the best starting point for understanding the resources in an Azure tenant.

Within the portal, there are blades on the left-hand side of the site for each Azure service, as illustrated in the following screenshot:

Figure 1.8 – Azure portal navigation


If the service you are looking for is not in one of the blades, you can use the search bar at the top of the site to find the service you're looking for, as illustrated in the following screenshot:

Figure 1.9 – Azure service search


There are a few specific blades/services that we will focus on later in the book, but for now, it will be important to become familiar with navigating through services and the subscriptions/tenants that are available for your user.

In the top-right corner of the portal, you can select your signed-in user and select Switch directory to see all of the available Azure AD directories for your user, as illustrated in the following screenshot:

Figure 1.10 – Azure user menu


Depending on the tenants that your account has access to, you may see more than one directory here. These are the different Azure AD tenants that you have (direct membership or guest) access to. Once a directory is selected, you can navigate to the Subscriptions blade to see the subscriptions that you have access to, as illustrated in the following screenshot:

Figure 1.11 – Azure subscriptions list


In the Subscriptions section, take note of the My role column, as this will let you know your current user's RBAC role in the subscription. Within the individual subscriptions, you can also use the IAM blade to see the rights of other users in the subscription.

Cloud Shell

Within the portal, there is a small PowerShell prompt >_ icon available to the right of the search bar. This icon activates the Azure Cloud Shell within the portal. This can also be accessed via https://shell.azure.com and is shown in the following screenshot:

Figure 1.12 – Azure Cloud Shell portal link


If a Cloud Shell has not already been set up for your account, this will require you to select a storage account to use for Cloud Shell storage. Once in the Cloud Shell, your prompt should look like this:

Figure 1.13 – Azure Cloud Shell


When setting up your Cloud Shell, you can choose a Bash or PowerShell environment. Both environments have their benefits and they both have the Az CLI ready to use in the shell.

While the Azure Cloud Shell is preloaded with all of the tools you need to manage an Azure environment, it also comes with some risks. We will see in later chapters how this service can be used for privilege escalation attacks.

Azure CLI

Another popular option for managing Azure environments is the Azure CLI. Installation of the CLI is simple for Windows systems. Keep in mind that we will be installing the CLI as part of the next chapter's exercises, but if you want to install the CLI on another system, you can download the Microsoft installer for the latest version here: https://aka.ms/installazurecliwindows.

Important note

Since the preceding link is for an executable, it's understandable if you're not immediately rushing to open it. As a general note, we will be using more of these links throughout the book to connect you with Microsoft resources.

The aka.ms links in the book should be safe to follow, as they are all managed by Microsoft's internal short-link service.

For those looking for more information on the CLI, along with options for installing on other operating systems, here is Microsoft's Azure CLI documentation page: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli.

Once installed, open a PowerShell session (powershell.exe) and run the following command:

PS C:\> az login
The default web browser has been opened at https://login.microsoftonline.com/common/oauth2/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
You have logged in. Now let us find all the subscriptions to which you have access...
[  {
    "cloudName": "AzureCloud",
    "homeTenantId": "40d5707e-b434-XXXX-YYYY-ZZZZZZZZZZZZ",
    "id": "204cce89-27de-4669-a48b-04c27255e05e",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Development",
    "state": "Enabled",
    "tenantId": "40d5707e-b434-XXXX-YYYY-ZZZZZZZZZZZZ",
    "user": {
      "name": "[email protected]",
      "type": "user"
    }
  }
]
PS C:\>

This will open a browser window to prompt you to authenticate to Azure. If you are already portal-authenticated in the browser, your username should be populated in the login screen. Log in with your account, and the CLI should be authenticated. This process will also list out all of your available subscriptions.

For starters, use the az command to list out the available options, as follows:

PS C:\> az
     /\
    /  \    _____   _ _  ___ _
   / /\ \  |_  / | | | \'__/ _\
  / ____ \  / /| |_| | | |  __/
 /_/    \_\/___|\__,_|_|  \___|
Welcome to the cool new Azure CLI!
Use `az --version` to display the current version.
Here are the base commands:
    account : Manage Azure subscription information.
    acr : Manage private registries with Azure Container Registries.
    ad : Manage Azure Active Directory Graph entities needed for Role Based Access Control.
    advisor : Manage Azure Advisor.
     [Truncated]

Typically, the commands that you will run in the CLI will be related to the service name (acr, appservice, vm), and then an action that you want to take.

For example, here's how you would list out resources in your default subscription:

PS C:\> az resource list

If you need ideas for options on the commands that you might be able to run, use the --help flag to list out your available options.

This is a powerful tool to use for managing Azure, and we will be using it for a few of the book examples in future chapters. That being said, most of our examples will be focused on the Azure PowerShell modules and on tools that utilize them. Before we dive into the specific modules, we want to make sure that we have a basic understanding of Microsoft's PowerShell programming language.

PowerShell

For subscriptions large and small, it is convenient to have access to the flexibility of PowerShell for parsing data. Azure subscriptions can contain large numbers of resources, and those can be quite difficult to parse by hand in the portal.

Here are some quick notes for those that are not as familiar with PowerShell:

  • PowerShell is a command shell, like cmd.exe.
  • When you are running PowerShell or the PowerShell Integrated Scripting Environment (ISE), we will refer to that as a session.
  • PowerShell is also a scripting language that has deep ties with the .NET runtimes and Windows APIs.
  • PowerShell modules are sets of functions that can be imported into a PowerShell session.
  • PowerShell modules can be imported directly from files or installed from external sources, such as the PowerShell Gallery (PSGallery: https://www.powershellgallery.com/). They can also be configured to be permanently imported for all new sessions.
  • PowerShell functions, or Cmdlets, are commands that can be used in a session.
  • Functions with parameters allow for tab-complete—type a dash and Tab (or Ctrl + space) to see the available parameters for the function.
  • PowerShell can have pipeline-able objects that allow you to use the output from one function for the input of other functions.
  • The PowerShell pipeline is very powerful, and we will make extensive use of it in our examples.

We will be using several PowerShell-based tools throughout the book, and while we will try to make commands as simple as possible, it would be a good idea to get a basic understanding of how to use PowerShell.

Important note

If you're looking for non-book PowerShell resources, Microsoft does provide some free learning resources for those learning about PowerShell. These resources are a great beginner's course and will give you a head start on the concepts covered in this book: https://docs.microsoft.com/en-us/powershell/scripting/learn/more-powershell-learning.

For starters, you will need to be able to enable PowerShell script execution on your system. Chances are good that you will have some PowerShell execution policy restrictions on your testing system. As noted in this blog post by one of this book's technical reviewers, Scott Sutherland, these execution restrictions are easily bypassed (see https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/).

For the installation of PowerShell modules, we will primarily use the PowerShell Gallery packages. The PSGallery (https://www.powershellgallery.com/) is a trusted, Microsoft-managed resource for package management. This is one of the easiest ways to install modules, and the Microsoft packages required for the toolkits will all be listed in the gallery.

Since we will walk through the installation of the Azure PowerShell modules in the second chapter of this book, the installation of these modules on your current system is not immediately needed.

The Az module

The Az PowerShell Cmdlets are functions that interact with Azure to allow for the administration of Azure services. These functions allow for listing, creating, destroying, and modifying Azure resources. While some Azure services are not supported by the functions, most services that you interact with will be supported.

  1. In an elevated (Run as Administrator) PowerShell session, run the Az module installation command, as follows:
    PS C:\> Install-Module -Name Az
  2. After installation, you will want to authenticate to your Azure tenant. You can do this by running the following code:
    PS C:\> Connect-AzAccount
  3. Much like the Azure CLI, this will prompt you to log in, but this time, an Azure AD Authentication Library (ADAL) authentication window will prompt you, instead of a web browser, as illustrated in the following screenshot:
Figure 1.14 – Az PowerShell authentication prompt


From here, any command that you will use will be based off of the Microsoft guidance for approved verbs for PowerShell functions (https://docs.microsoft.com/en-us/powershell/scripting/developer/cmdlet/approved-verbs-for-windows-powershell-commands).

Most of the verbs that we will use are Get or Invoke, but this would be a good opportunity to try out the PowerShell tab completion.

  1. If the module is not already imported into your PowerShell session, import the Az module, as follows:
    PS C:\> Import-Module Az
  2. Then, type Get-Az, as follows, and pause:
    PS C:\> Get-Az
  3. From here, you can use the Ctrl + space shortcut to expand your options, as follows:
    Figure 1.15 – Az PowerShell module command options


  4. If we do the same for a PowerShell function parameter, you will get all of the available parameters for the function, as follows:
    Figure 1.16 – Az PowerShell module parameter options


  5. To see the sub-modules within the Az module, we can use the following command:
    PS C:\> Get-Module -Name az*
    Figure 1.17 – Listing Az PowerShell sub-modules


  6. To get all of the commands available in a module, you can use the following command:
    PS C:\> Get-Command -Module Az.Accounts
Figure 1.18 – Listing Az.Accounts module commands


Many of the actions that we try to accomplish in the PowerShell cmdlets can easily be found through tab completing. When in doubt, start typing what you think the command might be, and you may be surprised with how easy it is to find the real command.

Modules – Az versus AzureRM

If you're searching around the internet for a specific Az PowerShell function to use, you may run into functions prefixed with Azure Resource Manager (AzureRM), as compared to Az. These functions are for the now-deprecated AzureRM module. This is one of the original PowerShell modules for Azure administration, so you may run into references to it.

For most AzureRM functions, you should be able to substitute Az for AzureRM to get the equivalent Az module command (Get-AzureRmVM versus Get-AzVM).

The AzureAD module

The AzureAD module covers specific functions for managing Azure AD tenants. From a penetration-testing perspective, we will primarily be using this to enumerate information about an Azure AD tenant, but there are some privileged commands that can be used to add or modify users. Much like the Az module, this module will be required for some of the tools mentioned in the book. We will also install this module in our testing VM in the following section but will cover basic usage of the module here:

  1. In an elevated (Run as Administrator) PowerShell session, run the AzureAD module installation command, as follows:
    PS C:\> Install-Module -Name AzureAD
  2. After installation, you will want to authenticate to your Azure tenant. You can do this by running the following code:
    PS C:\> Connect-AzureAD

Just as with the Az module, this will prompt you to log in with an authentication window, and you can use the same PowerShell commands as you did with the Az module to help navigate the available functions.

Azure REST APIs

The final method for accessing Azure is by using the REST APIs. APIs are one of the few ways that we can make use of stolen access tokens, and we will be seeing examples of this in attack scenarios that we will cover in later chapters. REST clients such as Postman or cURL can be used to interact with the APIs if a valid authorization token is provided. In the later examples, we will also be using the HTTPie command-line tool for interacting with the APIs.

We could potentially write an entire chapter on using the REST APIs to manage Azure, but for now, just know that these are very powerful APIs that can be used to execute many of the same actions that we would normally take with the CLI or PowerShell modules.

If you want to play around with the REST API basics, check out the tutorials on the Microsoft Azure REST API reference page, at https://docs.microsoft.com/en-us/rest/api/azure/.

Azure Resource Manager

Regardless of the tool or method that we are using to interact with the Azure platform and Azure resources, the communication happens through a single central endpoint called Azure Resource Manager (ARM). You can think of it as a centralized layer for resource management in Azure (see Figure 1.19). The advantage of this approach is that there is consistency regardless of the tool that we are using. Authentication and access are all handled the same way.

When we make a request for an operation to be performed, using any of the tools that we described earlier, Resource Manager will talk to "resource providers" that perform the action we've requested, as illustrated in the following diagram:

Figure 1.19 – ARM


Resource providers are services that provide different types of resources. For example, the network resource provider is responsible for network resources (virtual networks, network interfaces, and so on), while the compute resource provider is responsible for compute resources (VMs).
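
To tie the resource-provider description above back to the earlier az resource list and PowerShell pipeline passages, here is an added example (not code from the book) that groups a resource inventory by the provider namespace at the front of each resource's type. The JSON is constructed sample data in the shape of az resource list output, and Get-ResourceProviderSummary is a hypothetical helper name.

```powershell
# Constructed sample data in the shape of `az resource list` output.
# The subscription ID, resource groups and names are made up for this example.
$sub  = '/subscriptions/00000000-0000-0000-0000-000000000000'
$json = @"
[
  {"id": "$sub/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web01",
   "name": "vm-web01", "type": "Microsoft.Compute/virtualMachines"},
  {"id": "$sub/resourceGroups/rg-web/providers/Microsoft.Compute/disks/vm-web01-os",
   "name": "vm-web01-os", "type": "Microsoft.Compute/disks"},
  {"id": "$sub/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-core",
   "name": "vnet-core", "type": "Microsoft.Network/virtualNetworks"},
  {"id": "$sub/resourceGroups/rg-web/providers/Microsoft.Network/networkInterfaces/vm-web01-nic",
   "name": "vm-web01-nic", "type": "Microsoft.Network/networkInterfaces"},
  {"id": "$sub/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stlogs001",
   "name": "stlogs001", "type": "Microsoft.Storage/storageAccounts"}
]
"@

# Hypothetical helper: summarise resources per ARM resource provider.
function Get-ResourceProviderSummary {
    param([Parameter(Mandatory)][object[]]$Resource)

    $Resource |
        ForEach-Object {
            # type = "<provider namespace>/<resource type>[/<child type>...]"
            $namespace, $rest = $_.type -split '/', 2
            [pscustomobject]@{
                Provider      = $namespace
                ResourceType  = $rest
                # The resource ID embeds the resource group that holds the resource.
                ResourceGroup = if ($_.id -match '/resourceGroups/([^/]+)/') { $Matches[1] } else { $null }
                Name          = $_.name
            }
        } |
        Group-Object -Property Provider |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Provider       = $_.Name
                Count          = $_.Count
                Types          = ($_.Group.ResourceType | Sort-Object -Unique) -join ', '
                ResourceGroups = ($_.Group.ResourceGroup | Sort-Object -Unique) -join ', '
            }
        }
}

$resources = $json | ConvertFrom-Json
# Live equivalent (after `az login`): $resources = az resource list | ConvertFrom-Json
Get-ResourceProviderSummary -Resource $resources | Format-Table -AutoSize
```

On the sample data, the summary has one row each for Microsoft.Compute, Microsoft.Network and Microsoft.Storage, which makes it easy to see which providers a subscription actually uses before reviewing each one.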