3. Agenda
• Overview of Azure Services
• Most common Azure Services that will be attacked
• Azure Penetration Testing Tools
• Guidelines for Azure Penetration Testing
• Demo
5. How Microsoft’s Azure Penetration Testing Works
Blue Team
• Collect all evidence regarding the incident
• Notify all operations and engineering teams
• Classify the threat to decide whether it requires further investigation
• Create a plan to alleviate the threat
• Execute the plan and recover the affected systems
Blue and Red Team
• Timing of the breach
• Mechanism of the breach
• Compromised systems and assets
• Whether the Blue team was able to mitigate the attack
• Whether recovery was successful and effective
6. Azure Penetration Testing Policies
Prohibited
• Scanning or conducting tests on other Azure customers’ assets
• Accessing data that is not completely self-owned
• Conducting any DDoS attacks
• Conducting any intensive network fuzzing against Azure virtual machines
• Any tests that generate a huge amount of traffic through automated testing methods
• Attempting phishing or any social engineering attacks against Microsoft’s employees
• Utilizing any services in a way that violates the acceptable usage policies set out in the online usage terms
Encouraged
• Creating multiple test or trial accounts to test for cross-account access vulnerabilities. Using these test accounts to access other customers’ data is still prohibited.
• Running vulnerability scanning tools, port scans, or fuzzing against your own virtual machines.
• Testing your account by generating traffic that matches expected regular working periods, which may include surge capacity.
• Trying to break out of Azure services to access other customers’ assets. If any such vulnerability is found, inform Microsoft and cease any further tests.
• Testing Microsoft Intune to ensure all restrictions function as expected.
7. Overview of Azure Services
• Host applications
• Store data for applications
• Create applications
• Enhance applications
• Monitor or manage applications
8. Most common Azure Services that will be attacked
• App Services
• Storage Accounts
• Automation Accounts
• Virtual Machines
• Key Vaults
• Azure SQL
• Azure Container Registry / Azure Container Instances
9. Azure Penetration Testing Tools
Windows or Linux administration tools
• jq, httpie, wget, curl, unzip, and PowerShell
General Penetration testing tools
• Gobuster, nmap, dnscan, and hydra
Azure-specific penetration testing tools
• MicroBurst, Lava, Koboko, PowerZure, Stormspotter, and BloodHound
11. Steps to follow while conducting Azure Pentest
• Identifying attack surfaces
• Data collection for security reviews (using Azure Security Center)
• Vulnerability scanning with automated tools such as Nessus, OpenVAS or Nexpose. These tools produce a list of possible weaknesses along with suggestions for fixing them.
• Thereafter, run manual vulnerability analysis using traditional methods such as fuzzing, or web application vulnerability scanners such as Astra Pentest or Acunetix WP scan, as required by the criticality of the identified issues.
• Perform external pentesting for your Azure environment.
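As an added example (not code from the slides), the following Python helper supports the first step above together with the scoping rules of slide 6: it builds an allowlist of the tester’s own public IPs and App Service hostnames from an inventory and rejects scan targets, including CIDR ranges, that fall outside it. The inventory JSON is a constructed sample; its field names (`ipAddress`, `defaultHostName`) mirror what `az network public-ip list -o json` and `az webapp list -o json` return, but the script does not call the CLI itself.

```python
"""Scope filter for an Azure pentest: only self-owned assets may be tested.

Added example, not code from the slides. The inventory below is a constructed
sample whose field names mirror the az CLI JSON for public IPs and web apps.
"""
import ipaddress
import json

# Constructed inventory of the tester's OWN subscription.
INVENTORY = json.dumps({
    "public_ips": [
        {"name": "vm1-ip", "ipAddress": "20.51.1.10"},
        {"name": "lb-ip", "ipAddress": "20.51.1.11"},
        {"name": "unassigned-ip", "ipAddress": None},  # dynamic IP not yet allocated
    ],
    "webapps": [
        {"name": "acme-portal", "defaultHostName": "acme-portal.azurewebsites.net"},
    ],
})


def build_scope(inventory_json):
    """Return (owned_ips, owned_hosts) sets built from the inventory document."""
    inv = json.loads(inventory_json)
    owned_ips = {ipaddress.ip_address(p["ipAddress"])
                 for p in inv["public_ips"] if p.get("ipAddress")}
    owned_hosts = {w["defaultHostName"].lower() for w in inv["webapps"]}
    return owned_ips, owned_hosts


def check_targets(targets, owned_ips, owned_hosts):
    """Split candidate scan targets into (allowed, rejected).

    A CIDR block is allowed only if every address in it is owned: a range such
    as 20.51.1.0/24 would otherwise sweep other customers' addresses, which the
    Azure pentest rules prohibit. Hostnames must match an owned App Service
    default hostname exactly.
    """
    allowed, rejected = [], []
    for target in targets:
        try:
            net = ipaddress.ip_network(target, strict=False)
            # A block with more addresses than we own cannot be fully owned; skip iterating it.
            ok = net.num_addresses <= len(owned_ips) and all(a in owned_ips for a in net)
        except ValueError:
            ok = target.lower() in owned_hosts  # not an IP or CIDR, so treat as a hostname
        (allowed if ok else rejected).append(target)
    return allowed, rejected
```

Feed the rejected list back to the operator before any scanner runs; a single /24 typed into nmap is the easiest way to breach the "other customers’ assets" rule.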
27. Reference
• Penetration Testing Azure for Ethical Hackers: Develop practical skills to perform pentesting and risk assessment of Microsoft Azure environments