Azure Commands
Before you can use the Azure commands, you need to:
- Download the latest CloudFox binary from our releases page
NOTE: if the latest pre-compiled binary doesn't have all functionality present in this guide, please download from one of our dev branches and build from source.
- Install Azure CLI
- Authenticate with the client:
# az login
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code [REDACTED] to authenticate.
[
{
"cloudName": "AzureCloud",
"homeTenantId": "[REDACTED]",
"id": "[REDACTED]",
"isDefault": true,
"managedByTenants": [],
"name": "[REDACTED]",
"state": "Enabled",
"tenantId": "[REDACTED]",
"user": {
"name": "[REDACTED]",
"type": "user"
}
},
...omitted for brevity...
To list Azure commands:
./cloudfox azure -h
For help with a specific subcommand:
./cloudfox azure [command_name] -h
CloudFox offers a --wrap flag for all subcommands that adjusts the table output to fit the terminal screen. This flag has no effect on output files.
The whoami command displays information on the current tenant, subscriptions and resource groups available to your current Azure CLI session. This provides situational awareness of which tenant and subscription IDs to use with the other subcommands.
./cloudfox azure whoami
[🦊 cloudfox DEV 🦊 ][whoami] Enumerating Azure CLI sessions...
╭──────────────────────────────────┬──────────────────────────────────┬───────────────────┬─────────────────┬────────┬─────────────────╮
│ Tenant ID │ Subscription ID │ Subscription Name │ RG Name │ Region │ Domain │
├──────────────────────────────────┼──────────────────────────────────┼───────────────────┼─────────────────┼────────┼─────────────────┤
│ 11111111-1111-1111-1111-11111111 │ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ SubscriptionA │ ResourceGroupA1 │ eastus │ cloudfox1.local │
│ 11111111-1111-1111-1111-11111111 │ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ SubscriptionA │ ResourceGroupA2 │ eastus │ cloudfox1.local │
│ 11111111-1111-1111-1111-11111111 │ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │ SubscriptionB │ ResourceGroupB1 │ eastus │ cloudfox1.local │
│ 11111111-1111-1111-1111-11111111 │ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │ SubscriptionB │ ResourceGroupB2 │ eastus │ cloudfox1.local │
│ 22222222-2222-2222-2222-22222222 │ CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCC │ SubscriptionC │ ResourceGroupC1 │ eastus │ cloudfox2.local │
│ 22222222-2222-2222-2222-22222222 │ CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCC │ SubscriptionC │ ResourceGroupC2 │ eastus │ cloudfox2.local │
╰──────────────────────────────────┴──────────────────────────────────┴───────────────────┴─────────────────┴────────┴─────────────────╯
The vms command enumerates useful information about Compute instances at the subscription or tenant level.
Example 1: enumerating instances for a specific tenant
./cloudfox azure vms --tenant 11111111-1111-1111-1111-11111111
[🦊 cloudfox DEV 🦊 ][vms] Enumerating VMs for tenant 11111111-1111-1111-1111-11111111
╭──────────────────────────────────┬──────────┬─────────────┬─────────────┬─────────────┬────────────────┬─────────────────────╮
│ Subscription ID │ VM Name │ VM Location │ Private IPs │ Public IPs │ Admin Username │ Resource Group Name │
├──────────────────────────────────┼──────────┼─────────────┼─────────────┼─────────────┼────────────────┼─────────────────────┤
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-1 │ us-east-1 │ 192.168.0.1 │ 72.88.100.1 │ admin │ ResourceGroupA1 │
│ │ │ │ 192.168.0.2 │ 72.88.100.2 │ │ │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-3 │ us-east-2 │ 192.168.0.5 │ 72.88.100.5 │ admin │ ResourceGroupA1 │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-2 │ us-west-2 │ 192.168.0.3 │ 72.88.100.3 │ admin │ ResourceGroupA2 │
│ │ │ │ 192.168.0.4 │ 72.88.100.4 │ │ │
╰──────────────────────────────────┴──────────┴─────────────┴─────────────┴─────────────┴────────────────┴─────────────────────╯
[instances] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-11111111/table/vms.txt]
[instances] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-11111111/csv/vms.csv]
Example 2: enumerating instances for a specific subscription
./cloudfox azure vms --subscription AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA
[🦊 cloudfox DEV 🦊 ][vms] Enumerating VMs for subscription AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA
╭──────────────────────────────────┬──────────┬─────────────┬─────────────┬─────────────┬────────────────┬─────────────────────╮
│ Subscription ID │ VM Name │ VM Location │ Private IPs │ Public IPs │ Admin Username │ Resource Group Name │
├──────────────────────────────────┼──────────┼─────────────┼─────────────┼─────────────┼────────────────┼─────────────────────┤
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-1 │ us-east-1 │ 192.168.0.1 │ 72.88.100.1 │ admin │ ResourceGroupA1 │
│ │ │ │ 192.168.0.2 │ 72.88.100.2 │ │ │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-3 │ us-east-2 │ 192.168.0.5 │ 72.88.100.5 │ admin │ ResourceGroupA1 │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-2 │ us-west-2 │ 192.168.0.3 │ 72.88.100.3 │ admin │ ResourceGroupA2 │
│ │ │ │ 192.168.0.4 │ 72.88.100.4 │ │ │
╰──────────────────────────────────┴──────────┴─────────────┴─────────────┴─────────────┴────────────────┴─────────────────────╯
[instances] Output written to [cloudfox-output/azure/subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA/table/vms.txt]
[instances] Output written to [cloudfox-output/azure/subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA/csv/vms.csv]
The rbac command maps the Azure RBAC role assignments at the subscription or tenant level.
Example 1: enumerating Azure RBAC role assignment at subscription level
./cloudfox azure rbac --subscription AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA
[🦊 cloudfox DEV 🦊 ][rbac] Enumerating RBAC permissions for subscription AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA
╭───────────┬─────────────┬─────────────────────────────────────────────────╮
│ User Name │ Role Name │ Role Scope │
├───────────┼─────────────┼─────────────────────────────────────────────────┤
│ User 1 │ Reader │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 2 │ Contributor │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
╰───────────┴─────────────┴─────────────────────────────────────────────────╯
[rbac] Output written to [cloudfox-output/azure/subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA/table/rbac.txt]
[rbac] Output written to [cloudfox-output/azure/subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA/csv/rbac.csv]
Example 2: enumerating Azure RBAC role assignment at tenant level
./cloudfox azure rbac --tenant 11111111-1111-1111-1111-11111111
[🦊 cloudfox DEV 🦊 ][rbac] Enumerating RBAC permissions for tenant 11111111-1111-1111-1111-11111111
╭───────────┬─────────────────────────┬─────────────────────────────────────────────────╮
│ User Name │ Role Name │ Role Scope │
├───────────┼─────────────────────────┼─────────────────────────────────────────────────┤
│ User 1 │ Reader │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 2 │ Contributor │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 1 │ Data Labeling - Labeler │ /subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │
│ User 3 │ Data Labeling - Labeler │ /subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │
│ User 1 │ Reader │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 2 │ Contributor │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 1 │ Data Labeling - Labeler │ /subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │
│ User 3 │ Data Labeling - Labeler │ /subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │
╰───────────┴─────────────────────────┴─────────────────────────────────────────────────╯
[rbac] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-11111111/table/rbac.txt]
[rbac] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-11111111/csv/rbac.csv]
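For access reviews, the rbac table can be reduced to the role assignments that matter most. The following is an added example, not part of CloudFox: it assumes the table file holds the same box-drawn table printed above, and the `PRIVILEGED_ROLES` set and function names are choices made for this example.

```python
from collections import defaultdict

# Built-in Azure roles that can change resources or role assignments.
# Which roles count as "privileged" is this example's assumption; adjust to policy.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample in the layout of the rbac table above (one duplicate row included).
SAMPLE_TABLE = """\
╭───────────┬─────────────────────────┬─────────────────────────────────────────────────╮
│ User Name │ Role Name               │ Role Scope                                      │
├───────────┼─────────────────────────┼─────────────────────────────────────────────────┤
│ User 1    │ Reader                  │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 2    │ Contributor             │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 3    │ Data Labeling - Labeler │ /subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │
│ User 2    │ Contributor             │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
╰───────────┴─────────────────────────┴─────────────────────────────────────────────────╯
"""


def parse_table(text):
    """Turn a box-drawn table into a list of dicts keyed by the header row."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("│"):
            continue  # borders, banner lines, "Output written to" lines
        rows.append([cell.strip() for cell in line.strip("│").split("│")])
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]


def privileged_assignments(rows):
    """Return {scope: sorted [(user, role)]} for privileged roles, deduplicated."""
    found = defaultdict(set)
    for r in rows:
        if r["Role Name"] in PRIVILEGED_ROLES:
            found[r["Role Scope"]].add((r["User Name"], r["Role Name"]))
    return {scope: sorted(pairs) for scope, pairs in found.items()}


if __name__ == "__main__":
    result = privileged_assignments(parse_table(SAMPLE_TABLE))
    for scope, pairs in result.items():
        for user, role in pairs:
            print(f"{scope}: {user} holds {role}")
```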
The storage command lists the storage containers in a tenant or subscription, and for the containers that have public blobs it parses their public URLs and writes them to a loot file.
Example 1: enumerating storage accounts at tenant level
./cloudfox az storage --tenant 11111111-1111-1111-1111-11111111
[🦊 cloudfox DEV 🦊 ][storage] Enumerating storage accounts for tenant 11111111-1111-1111-1111-11111111
╭──────────────────────────────────────┬──────────────────────┬─────────────────────┬───────────────╮
│ Subscription ID │ Storage Account Name │ Container Name │ Access Status │
├──────────────────────────────────────┼──────────────────────┼─────────────────────┼───────────────┤
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA │ storageo8mpi8ly68 │ container0ud33jox9x │ private │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA │ storageo8mpi8ly68 │ containerbghlpn3f96 │ public │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA │ storageo8mpi8ly68 │ containerto6e4m5qrq │ private │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA │ storageo8mpi8ly68 │ containerx7mib885sz │ private │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA │ storaget24glzw6uv │ container3vsww2t0fi │ public │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv │ container9osxp02mza │ public │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv │ containerefnkpiaibh │ private │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv │ container2768ebzuf0 │ private │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv │ container2vx3qx3kth │ public │
╰──────────────────────────────────────┴──────────────────────┴─────────────────────┴───────────────╯
[storage][tenant-11111111-1111-1111-1111-111111111111] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-111111111111/table/storage.txt]
[storage][tenant-11111111-1111-1111-1111-111111111111] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-111111111111/csv/storage.csv]
[storage][tenant-11111111-1111-1111-1111-111111111111] Loot file written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-111111111111/loot/public-blob-urls.txt]
Example 2: enumerating storage accounts at subscription level
./cloudfox az storage --subscription BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB
[🦊 cloudfox DEV 🦊 ][storage] Enumerating storage accounts for subscription BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB
╭──────────────────────────────────────┬──────────────────────┬─────────────────────┬───────────────╮
│ Subscription ID │ Storage Account Name │ Container Name │ Access Status │
├──────────────────────────────────────┼──────────────────────┼─────────────────────┼───────────────┤
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv │ container9osxp02mza │ public │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv │ containerefnkpiaibh │ private │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv │ container2768ebzuf0 │ private │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv │ container2vx3qx3kth │ public │
╰──────────────────────────────────────┴──────────────────────┴─────────────────────┴───────────────╯
[storage][subscription-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB] Output written to [cloudfox-output/azure/subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB/table/storage.txt]
[storage][subscription-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB] Output written to [cloudfox-output/azure/subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB/csv/storage.csv]
[storage][subscription-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB] Loot file written to [cloudfox-output/azure/subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB/loot/public-blob-urls.txt]
The storage command also creates a file in the loot folder containing the public object URLs, so they are easy to access:
$ cat ./cloudfox-output/azure/subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB/loot/public-blob-urls.txt
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/test1.txt
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/test2.txt
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/test3.txt
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/test4.txt
...omitted for brevity...
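To turn the loot file into a remediation list, the URLs can be grouped by storage account and container. The following is an added example, not part of CloudFox: the sample lines are constructed in the format shown above, the function names are this example's own, and the generated `az storage container set-permission` commands assume the Azure CLI session has rights to change the container's access level.

```python
import shlex
from collections import defaultdict
from urllib.parse import urlsplit

BLOB_SUFFIX = ".blob.core.windows.net"

# Constructed sample in the format of public-blob-urls.txt shown above.
SAMPLE_LOOT = """\
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/test1.txt
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/reports/test2.txt
https://storaget24glzw6uv.blob.core.windows.net/container9osxp02mza/test3.txt
...omitted for brevity...
"""


def group_public_blobs(text):
    """Map (account, container) -> sorted blob paths; also return unparsed lines."""
    grouped, skipped = defaultdict(list), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = urlsplit(line)
        host = (parts.hostname or "").lower()
        # The first path segment is the container; the rest is the blob name.
        container, _, blob = parts.path.lstrip("/").partition("/")
        ok = parts.scheme == "https" and host.endswith(BLOB_SUFFIX)
        if not ok or not container or not blob:
            skipped.append(line)  # truncation markers, other hosts, bare containers
            continue
        account = host[: -len(BLOB_SUFFIX)]
        grouped[(account, container)].append(blob)
    return {key: sorted(blobs) for key, blobs in grouped.items()}, skipped


def remediation_commands(grouped):
    """One Azure CLI command per exposed container that disables anonymous access."""
    return [
        "az storage container set-permission"
        f" --account-name {shlex.quote(account)} --name {shlex.quote(container)}"
        " --public-access off"
        for account, container in sorted(grouped)
    ]


if __name__ == "__main__":
    groups, unparsed = group_public_blobs(SAMPLE_LOOT)
    print("\n".join(remediation_commands(groups)))
```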