In this book review, I looked at the topic of pentesting cloud-based applications, specifically Microsoft’s Azure. While the focus of the book was for Azure, a lot of the information will be beneficial no matter the cloud environment. Even thought Cloud hosting has been around for several years, it is still a new technology and many senior security professionals are learning the do and don’ts of how to secure the infrastructure.
I found “Pentesting Azure Applications” to be informative and Matt does a great job of sharing links to additional information on topics that can help secure your Azure deployment(s). In this aspect, while this book is meant to be used for pentesting Azure, it is also a great resource in securing and locking down your subscription. Just by looking at and using the “Defender’s Tips” that Matt includes, you will definitely make your network and systems more secure.
The text consists of 8 chapters, each chapter stands by itself and there is no need to read chapters 1 thru 7, if you are looking to understand logging and alerting in chapter 8. Below is a breakdown of each chapter and what can be found in each. Since the book can be used for all levels of security testers, you may find that some chapters are more useful than others. A lot of large pentesting firms have a team that handles the preparation and legal aspects for multiple teams, and you may want to jump straight to reconnaissance or network investigations chapters.
Chapter 1 – Preparation
In this chapter, Matt Burrough covers what to me is the most important part of any type of pentesting, the scope and legal issues. Scope is an essential part of setting up the engagement rules, identifying the assets to be targeted and what, if anything, is out of bounds. When compared to normal assessments, it is even more important to firmly define the scope in any cloud environment. Matt makes sure to point out that assessments of this type involve three parties, the testing company, the tested organization and Microsoft, in the case of Azure. All legal aspects should be reviewed by the pentesting companies’ lawyers to ensure compliance with all local and national regulations. As with most endeavors, preparation is the framework for a successful, safe and legal penetration exercise.
Chapter 2 – Access Methods
Matt starts out by describing the two basic deployment models Azure Service Management (ASM – Legacy) and Azure Resource Manager (newer role-based system). He spends time going over the advantages and disadvantages of both models as well as defining the weaknesses that can be targeted. He details how certificate-based authentication works with in ASM and the difficulties of managing certificates. He points out that the limit of certificate and owner tracking can be a problem, as well as name reuse, certificate revocation lists, storage, and nonrepudiation. Matt recommends, as good security practice in Azure, that any legacy ASM model deployed should be migrated to ARM.
Matt details several tools that can be used at each phase, listing where to find them and how to use them to get the most out of each. Even though I have used Mimikatz in the past, I found that I picked up a new trick or two that I will definitely be using in the future. He covers some basic information gathering techniques, like looking for credentials in unencrypted documents or saved tokens. Additionally, he covers what to do if you run into systems that are using 2 Factor Authentication.
Chapter 3 – Reconnaissance
If you have done any work as pentester or defender, you will be familiar with the reconnaissance phase of pentesting, the knocks on the doors and the taps on the windows. Most are familiar with basic port scanning looking for open ports and services, but with cloud environments such as Azure you have additional web services that are now susceptible to reconnaissance and attack. As in chapter 2, Matt goes over several tools that will help in evaluating what services and networks are available for exploitation.
As with other Microsoft products, PowerShell is a key tool in managing your Azure deployment and as such is also a tool that can be used to perform reconnaissance. Keeping with providing Defender’s tips, Matt provides some great information on securing PowerShell. The step by step directions that are provided are really good to be able to just jump in and start mapping out the services.
Matt provides numerous basic commands that will get you started, including gathering information that will be essential as you move on from the reconnaissance phase. One key aspect that he points out about VM pricing tiers that can help in identifying what might be running on that system. Other information that can be found during this portion of the assessment, such as, IP addresses, Firewall rules, possible services will be of great benefit when you get to chapter 5.
Matt has links to a couple very useful PowerShell scripts, one for each access model that automates the manual command line processes that he discusses. This allows you to quickly gather the information and then review it at a later time.
Chapter 4 – Examining Storage
Here Matt describes Azure cloud storage and how there are two keys that grant full control to the data contained within the storage. He starts off with some best practices, which also, if not implemented, points to some weaknesses that can be targeted. There are three types of access to storage accounts, account keys, user credentials and Share Access Signature (SAS) tokens. He goes into each of these types and details how they work and where they can be used. Next, he spends some time discussing where to find these keys, such as built in to source code, configuration files and storage utilities. If these methods don’t bare fruit, he covers several tools that can aid in getting access. Once you have access to a storage account, Matt lists the steps of identifying the storage types and provides a script that can automate the process.
Chapter 5 –Targeting Virtual Machines
Here the author spends a great deal of time explaining various techniques and methods that are used in generic pentesting activities of more traditional infrastructures. If you are able to obtain storage access as identified in chapter 4, Matt shows you how to take a snapshot of running VMs and then download them to work on them on your own hardware. Another useful tool, autopsy, a disk forensic tool, is discussed and shown how it can have advantages over other tools used to explore the virtual hard drive (VHD). Matt includes directions and several screenshots that allow even a novice to quickly start exploring the disk image. A review of how best to start working with a Windows or Linux system, including various ways to crack password for both. I have to admit it brought back some old memories when he was discussing Cain & Abel for password cracking.
Chapter 6 – Investigating Networks
This chapter starts with the available network options offered by Azure. On top of basic network configurations, there are system level firewalls that are included by Azure for their SQL servers and application services. Additionally, for web applications there is a paid Web Application Firewall (WAF) offering. Azure does also allow Next-Generation firewalls as a service to be offered to their clients, which can add another level of difficulty in your pentesting attempts. By understanding what is offered by Azure, a pentester can know what to expect and have the right tools and methods will work best.
Matt points out that there are several VPN connection options available for connecting corporate network to cloud networks. He provides a PowerShell scripts to export the details of VPN connections that are discovered, including ExpressRoute. ExpressRoute is a custom Microsoft offering that offers dedicated connections between your local and cloud networks.
Next, Matt covers the Service Bus, and how to gain details and how to look at messages for sensitive PII, code executions or SQL interactions. Lastly in this chapter, Matt discusses two ways of connecting non-Azure services to Azure.
Chapter 7 – Other Azure Services
In previous chapters, the focus was on Azure core offerings, in chapter 7, some of the newer or lesser known services are discussed. Matt takes a look at Azure Key Vault, Web Apps, and Automation and discusses the functionality, capabilities and vulnerable aspects of each. He points out that like most tools, these services if configured incorrectly can be both the issue and the solution.
Chapter 8 –Monitoring, Logs and Alerts
In the final chapter, Matt detours from the attacking nature of pentesting and shift his focus to how Azure can be useful in monitoring your cloud environment. Here he shows how system events and logs can be used to generated alerts that could help defect or at least detect the things he was teaching in chapters 2-7.
He covers the Azure Security Center (ASC), the Operations Management Suite (OMS) and the Secure DevOps Kit. ASC (paid subscription) has both detection and prevention components, it can alert on potentially malicious activity and also look at service configurations and make suggestions on increasing security of those services. In chapter 2, Matt discussed using the tool MimiKatz, well here in chapter 8 he shows how just using that program can generate an alert for that activity. If you don’t have a robust logging and monitoring platform, such as Splunk, the OMS offering can provide the same services for cloud and on-premise systems.
Lastly, Matt covers the Secure DevOps Kit, a collection of scripts, that when used will review your Azure subscription and test for numerous configuration issues and produce a report with results.
While this book serves those interested in pentesting Azure, it is also a good guide for pentesting in general and additionally offers a lot of information on securing your infrastructure. Being more of a defender, myself, I found useful advice throughout the book, but was particularly interested in chapter 8. The book is available online and can be purchased at the No Starch Press website here, as well as a link to scripts that were discussed in the book.