Azure Penetration Testing

Azure Penetration Testing

Azure Penetration Testing is the practice of simulating cyber attacks against an Azure environment where security experts attempt to find and exploit vulnerabilities. It is a proactive approach to identify, analyse, and address cyber-security vulnerabilities within an Azure cloud environment. This process is crucial due to Azure's complex infrastructure, which features extensive inter connectivity, diverse service offerings, and broad third-party integrations.

Scope and Objectives of Azure Penetration Testing

The scope of Azure penetration testing is broadly defined by the nature of the Azure environment and the specific requirements of the organisation.

Typical objectives include:

• Identifying security vulnerabilities: Detecting existing flaws in the system that could potentially be exploited.
• Assessing the effectiveness of security measures: Evaluating the robustness of current security protocols and configurations.
• Testing incident response capabilities: Analysing how well the system and its operators can detect, respond to, and recover from security breaches.

Why Choose ProCheckUp for Your Penetration Testing?

Choosing ProCheckUp means partnering with a proven leader with over 25 years experience. Our CREST approval and NCSC endorsements reflect our commitment to delivering top-tier cyber services across various sectors. We offer flexible, cost-effective solutions tailored to meet the diverse needs and budgets of our clients, ensuring continuous improvement..

Legal and Preparatory Requirements for Azure Penetration Testing

Before initiating any penetration testing activities in an Azure environment, it is crucial to ensure all legal and preparatory steps are thoroughly addressed. This not only guarantees compliance with laws and Microsoft Azure policies but also sets the stage for a successful and ethical penetration testing process. We outline below, the essential legal and preparatory requirements..

Legal Compliance and Permissions

• Client Authorisation: We obtain written authorisation from the entity that owns the Azure environment. This documentation should clearly outline the scope of the penetration test, the systems to be tested, and the methodologies that will be employed.
• Service Agreements: We ensure that there is a formal agreement, such as a Statement of Work (SOW) in a Job Schedule Form or a more formal Professional Services Agreement (PSA) for larger clients, that details the engagement's goals, scope, limitations, and responsibilities of each party involved in the testing process.
• Regulatory Compliance: Both client stakeholders and ProCheckUp should be aware of and comply with all applicable local, national, and international laws regarding cyber-security and data protection. This may require consultations with legal experts to ensure that the testing activities do not violate any regulations.

Azure Policies and Notifications

• Adherence to Azure Testing Guidelines: Microsoft Azure has specific guidelines that must be followed when conducting penetration tests against its services. Review the Azure Penetration Testing Rules of Engagement. to understand what is permitted and what actions need prior approval.
• Notification: The customer must notify Microsoft of the penetration testing activities through the Azure Security Center to ensure the penetration test actions are recognised as authorised tests and not actual attacks This ensures Microsoft  is aware of the penetration test and does not mistakenly identify it as a real attack, which could lead to unnecessary incident response measures.
• Scope of Testing: Working with the customer we clearly define what Azure resources are included in the testing scope. The Azure Penetration Testing Rules of Engagement may limit testing to specific resource types or configurations, so it’s crucial to align the testing scope with these guidelines.

Pre-Test Preparation

Technical Preparation

• Access Requirements: We determine the types of access required for the test, such as specific user roles, user accounts with administrative privileges or accounts using MFA.
• Tool Configuration: We setup and configure penetration testing tools to respect the boundaries of the testing scope and Azure's policies. Tools are configured to minimise disruption to any production environments, though it is best to use cloned non production environments.

Stakeholder Engagement

• Communication Plan: We establish a communication plan with all stakeholders, including security teams, IT management, and any operational personnel to align on the test objectives and procedures.
• Incident Response Coordination: We coordinate with the stakeholders incident response team to prepare for any potential discoveries of active security incidents during the test.

Customer Safety Processes

• Backup Systems: When testing production systems customer stakeholders should ensure that backups are available for all critical data and configurations in case the test inadvertently affects system stability or data integrity.
• Impact Analysis: Customer stakeholders should conduct a risk assessment to identify potential impacts of the test on the system and operations, preparing mitigation strategies for identified risks.

Documentation and Record-Keeping

• Test Plan Documentation: We maintain detailed documentation of the test plan, methodologies, tools, and any customer procedures used during the penetration test. This should include the rationale for choosing specific testing methods and the expected test outcomes.

Stages of Azure Penetration Testing

Planning and Reconnaissance

The "Planning and Reconnaissance" phase is the foundation of our successful Azure Penetration Testing methodology. This initial stage is critical as it sets the scope and objectives for the penetration test and gathers essential information that will guide all subsequent activities. Below we list the key steps involved in this phase.

Define The Test Objectives And Scope

• Objective Setting
• Working with customer stakeholders we clearly define what the penetration test aims to achieve. Common objectives include identifying exploitable vulnerabilities, evaluating the effectiveness of existing security measures, and testing the response capabilities of the security team.
• Scope
  In-scope Resources: Working with the customer stakeholders we then determine which Azure resources, services and data are included in the test. This includes specifying environments (production or non-production), types of data, and Azure services like VMs, databases, and storage accounts. Clearly defining the scope helps prevent unauthorised access to sensitive areas and ensures compliance with both organisational policies and external regulations.
  Limitations: Clear boundaries are set to avoid any impact on production systems or data. This includes time frames for testing to minimise disruption to normal business operations.
• Compliance and Regulations
• We ensure that the testing activities align with relevant legal, regulatory, and Azure policy guidelines.

Pre-Flight Checks

• Stakeholder Briefing (optional dependent on the customer): We hold a meeting with all relevant stakeholders to review the test plan, confirm scope, and discuss any potential concerns or limitations.
• Logistical Arrangements: We ensure all necessary tools, access credentials, and resources are in place before the testing begins. This includes setting up secure channels for data collection and reporting.
• Legal and Ethical Compliance: As part of the pre-flight checks we re-confirm that all testing activities are authorised and documented, with special attention to ethical considerations and data protection laws.

Information Gathering

• Public Data Collection
• We use Open-Source Intelligence (OSINT) techniques to collect data about the target organisation. This could include details from public databases, social media, and corporate websites which can reveal useful information about the organisational structure and the Azure technology stack.
• Network And Asset Mapping
• We use Azure tools and external scanning tools to map out the network and understand the architecture of the Azure environment. This includes identifying resource groups, Azure services in use, and the configuration of virtual networks.
• Security Policy Review (optional)
• We analyse the security policies applied across the Azure environment to understand the controls in place. This review can help identify potential misconfigurations or overly permissive settings that could be exploited.

Initial Vulnerability Identification

• DNS and Service Enumeration: We employ tools to scan for DNS records and visible services that can be accessed. Tools like Azure Network Watcher (if allowed) or third-party scanners can provide insights into the services exposed to the internet.
• Identifying Entry Points: We determine potential entry points for attacks, using public records of SSL certificates issued to identify publicly exposed APIs, web applications, and management interfaces that could provide initial access to the environment.

Scanning and Enumeration

The "Scanning and Enumeration" phase of our Azure Penetration Testing methodology, following the initial planning and reconnaissance phase. This phase  involves actively probing the Azure environment to identify live systems, open ports, running services, and existing vulnerabilities that could be exploited. Here’s how this phase is structured:

Detailed Steps for Scanning and Enumeration

IP/URL identification  and Asset Discovery

• IP and URL Identification: We use the collected public data and Azure account information to determine the applicable IP addresses and URL's for the penetration test. This includes SSL certificate information that has been made public.
• Asset Inventory: We utilise third-party tools to list all assets within the scope, categorizing them by type (e.g., Azure VMs, containers, and other networked devices.).

Port and Service Enumeration

• Network Scanning: We use network scanning tools to identify open ports and services. Tools like Nmap, Masscan or Azure specific scanners to scan IP addresses and URL's associated with the Azure environment to find entry points and detect open ports that could indicate running services.
• Service Detection: For each open port, we determine the service type including web servers, database services, and cloud-specific services like Azure Blob Storage or Azure SQL Database.
• Configuration Review: We examine the configuration of these services to identify weak security practices such as default settings, unnecessary services, or deprecated protocols to ensure that data transmitted over the Internet is securely encrypted.

Vulnerability Scanning

• Automated Scanning: Once the open ports are identified, we further enumerate the types of services running on those ports using tools like Nessus Professional, Qualys or Microsoft's own Azure Security Center scanning (if given access) that are configured for Azure environments and can detect common misconfigurations and known security flaws.
• Custom Scripts and Tools:  We deploy scripts designed to uncover Azure-specific misconfigurations or inadequacies, especially those not typically identified by generic scanning tools.
• Simulate Network Attacks: Use tools like Metasploit to test the effectiveness of network controls against simulated attacks.
• Web Application Scanning: We then use web application scanners like Burp Suite professional and Qualys Web Application scanning to discover and catalog web applications, APIs, and their endpoints that are hosted within the Azure environment. And to identify vulnerabilities, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
• API Testing: We test exposed APIs for security issues related to authentication, authorisation, and data validation, which are critical in cloud environments.

Risk Identification

• Threat Modeling (optional CSTAR approach) : If within the scope of the engagement, based on gathered data, we develop threat models that describe potential attack vectors specific to the organisation's Azure environment. Considering both external and insider threats.(Learn More)

Directory and Access Enumeration

• Azure Active Directory (AD) Scanning (optional configuration review) :
• If within the scope of the engagement, we enumerate Azure AD to gather information on user accounts, roles, and permissions. Tools like BloodHound or custom PowerShell scripts are employed to visualize privilege relationships and identify misconfigurations for vulnerabilities like overly permissive access, which could be exploited during later phases.(Learn More)
• Storage Access Evaluation: Check storage accounts and databases for improper permissions or exposed sensitive data.

Security Group and Network ACL Analysis

• Virtual Network Analysis (optional segmentation testing):
• If within the scope of the engagement, we assess the segmentation and isolation practices within the Azure Virtual Network to identify potential lateral movement pathways. for vulnerabilities like overly permissive access, which could be exploited during later phases.(Learn More)

• Review Azure Firewall and Network Controls (optional firewall review): If within the scope of the engagement, we analyse firewall rules that control inbound and outbound traffic to Azure resources to identify overly permissive settings or configuration errors.(Learn More)

Gaining Access

The "Gaining Access" phase of our Azure Penetration Testing methodology focuses on leveraging the identified vulnerabilities to achieve unauthorised and later authorised access to systems, services, or data within the Azure environment to gain access to restricted areas or information. This stage is critical as it demonstrates the practical impact of vulnerabilities and helps assess the real-world threats that an organisation may face.

Techniques

• Exploitation of Known Vulnerabilities: We utilise known exploits or develop custom exploits based on the vulnerabilities identified earlier in software, configurations, or Azure services. Tools such as Metasploit can be instrumental in this stage for deploying payloads that exploit these weaknesses.
• Use of Exploit Kits: Depending on the complexity and nature of the target environment, specialised exploit kits may be used to streamline the exploitation process.

Detailed Steps for Gaining Access

Session Hijacking and Man-in-the-Middle (MitM) Attacks

• Intercepting Traffic: We exploit any insecure network communication protocols to intercept and manipulate data being transmitted between users and Azure services, potentially hijacking active sessions.
• Token Theft: We capture authentication tokens in transit or from user machines to gain access to Azure services without needing a username and password using the later Pass-the-Hash/Token attacks.

Credential Exploitation

• Password Attacks: We utilise brute force, dictionary attacks, or credential stuffing on known user accounts to gain access using weak, default, or stolen credentials..
• Pass-the-Hash/Token: We utilise techniques to leverage compromised credentials without needing the plaintext password, especially effective in environments where single sign-on (SSO) or Active Directory Federation Services (ADFS) is configured..

Social Engineering and Phishing (optional)

If within the scope of the engagement, we use techniques like phishing to gain credentials or other sensitive information from legitimate users.

• Phishing Attacks: We conduct targeted phishing campaigns to deceive users into providing their credentials or executing malicious software that provides backdoor access.
• Spear Phishing: We use more personalized approaches in phishing to target specific individuals who have elevated privileges within the Azure environment.

Service and Application Exploits

• Application-Level Flaws: We target specific flaws in web applications hosted on Azure, such as SQL injection, XSS, or server-side request forgery (SSRF) to gain unauthorized access or execute arbitrary code on the server.
• Misconfigured Services: We exploit misconfigured Azure services such as improperly secured Azure Blob Storage or Azure Kubernetes Service (AKS) instances to gain access.

Exploiting Azure-specific Features and Misconfigurations

• Azure Logic Apps: We exploit misconfigurations in Azure Logic Apps to execute unauthorised actions or access sensitive data.
• Azure Resource Manager (ARM): We take advantage of overly permissive ARM policies to escalate privileges or manipulate Azure resource configurations.

Lateral Movement

• Session Hijacking: We utilise the initial foothold to explore further into the Azure network, accessing additional resources and escalating privileges where possible.
• Cross-Service Exploitation/Chained exploits: Utilising access obtained from one Azure service, we aim to compromise other interconnected services or applications, such as moving from Azure App Services to Azure SQL databases.

Data Encryption Verification

• Encryption at Rest: We confirm that sensitive data stored in Azure services like Blob Storage and Azure SQL Database is encrypted at rest, providing essential data protection against unauthorised access.
• Encryption in Transit: Ensure that data transmitted between services  (for example, from Azure Virtual Machines to Azure SQL Database) is adequately encrypted, preventing data interception during transmission.

Serverless Architecture Security

• Azure Functions Security: We meticulously assess the security configurations of serverless architectures deployed within Azure, such as Azure Functions, ensuring they are devoid of vulnerabilities that attackers might exploit..

Maintaining Access and Lateral Movement (optional)

If within the scope of the engagement the "Maintaining Access and Lateral Movement" phase of our Azure Penetration Testing methodology involves establishing persistent access to the environment and explores ways to expand control over additional resources and data. By mimicking the behavior of Advanced Persistent Threats (APT), we assess the depth of any potential breach and understand how an attacker could embed themselves into the system. The lateral movement part of this phase uses techniques to navigate through the Azure environment, expanding access from the initial foothold to other systems and resources.

Techniques

Establishing Persistence

• Backdoors: We install back-doors on compromised systems to ensure continued access, even if the original entry point is closed or the user credentials are changed.
• Scheduled Tasks: We use Azure automation or native operating system features to create scheduled tasks or cron jobs that call back to the attacker’s control server or re-execute malware at regular intervals.
• Web Shells: We deploy web shells on web servers, which allow for persistent, remote administration over the web interface.

Network Analysis and Manipulation

• Sniffing and Traffic Analysis: We capture network traffic within Azure to extract credentials, session tokens, or other sensitive data.
• Man-in-the-Middle Attacks: We position ourselves between two communicating parties to intercept or manipulate data being exchanged, typically by exploiting weaknesses in network protocols.

Credential Harvesting and Reuse

• Extract Credentials: We use tools to extract credentials stored on compromised instances or intercepted during communication. The use software like hashcat using powerful GPU's to recover weak passwords.
• Role Switching: We exploit stolen Azure role credentials and Azure policies to grant broader access than initially available, including elevating privileges within Azure Active Directory or other Azure services.
• Exploiting System Vulnerabilities: We take advantage of system-level vulnerabilities or misconfigurations to escalate privileges from a lower-privileged user to an administrative user.

Lateral Movement Techniques

• Pass-the-Ticket/Pass-the-Hash Techniques: We use techniques to authenticate to other systems using stolen Kerberos tickets or NTLM hash values without knowing the actual passwords.
• Network Pivoting:  We utilise existing credentials or sessions to access other systems within the Azure environment, such as moving from one virtual machine to another within the same network. We also use  a compromised Azure VM as a pivot point to access internal networks or other virtual networks connected through peering.

Exploiting Trust Relationships

• Cross-Account Access: We leverage trust policies between Azure subscriptions to access additional resources.
• Service to Service Exploitation: We exploit connections or trust relationships between services, such as moving from a compromised web server to a connected database server. Or utilise permissions granted to one service (like Azure Functions) to access or manipulate other services (like Azure Blob Storage or Azure SQL).

Access to Key Assets

• Data Access: Locate and access databases, file servers, and other storage solutions within Azure to extract sensitive data.
• Critical Infrastructure Access: Gain control over critical infrastructure components like domain controllers, network infrastructure devices, or security solutions to deepen control over the environment.

Command and Control Channels

• Data Exfiltration Routes: We establish secure channels for data exfiltration to external servers or through DNS queries.
• Covert Channels: We set up covert channels using Azure services like Azure Event Hubs or Azure Service Bus to communicate between compromised assets without detection.

Monitoring and Evasion Techniques

• Log Manipulation: We modify or delete logs to erase traces of activity and evade detection by security monitoring tools.
• Security Group Manipulation: We adjust security group rules to facilitate movement while attempting to remain under the radar.

ProCheckUp's Reporting Transparent, Tangible 

Every engagement culminates in a detailed report, featuring both high-level overviews for management and detailed technical findings for IT professionals. 

Our reports include

• Executive Summary: Provides a high-level overview of the test objectives, methodology, key findings, and overall security posture.
• Detailed Findings: Each finding is detailed with evidence, impact analysis, and clear, actionable remediation steps.
• Technical Appendices: Includes raw data, logs, tool outputs, and detailed technical descriptions for deeper analysis by the IT team.

Reporting formats

• Delivery Formats: We can supply the report in multiple formats, such as PDF for executives or spreadsheets for technical teams.
• Review Meeting: A wash up meeting with all stakeholders to go through the findings, discussing the implications, and answer any questions.

Conclusion

Azure Penetration Testing is an essential component of a organisations comprehensive cloud security strategy. Through a systematic process of planning, scanning, gaining access, maintaining access, and then detailed analysis and reporting by ProCheckUp, customer organisations can uncover and better understand vulnerabilities within their Azure environments. Azure Penetration Testing not only identifies security weaknesses but also provides actionable insights and recommendations for strengthening their security posture.