SlideShare uma empresa Scribd logo

Azure Penetration Testing

Cheah Eng Soon
Cheah Eng Soon

Azure Penetration Testing

Tecnologia
1 de 27
Baixar para ler offline
Azure Penetration Testing Eng Soon Cheah Microsoft MVP
Agenda • Overview of Azure Services • Most common Azure Services that will be attacked • Azure Penetration Testing Tools • Guidelines for Azure Penetration Testing • Demo
Why Azure Penetration Testing is Important?
How Microsoft’s Azure Penetration Testing Works Blue Team • Collect all evidence regarding the incident • Notify all operations and engineering teams • Classify the threat to decide whether it requires further investigation • Create a plan to alleviate the threat • Execute the plan and recover the affected systems Blue and Red Team • Timing of the breach • Mechanism of the breach • Compromised systems and assets • If the Blue team was able to mitigate the attack • Whether recovery was successful and effective
Azure Penetration Testing Policies Prohibited • Scanning or conducting tests on other Azure customer assets • Accessing data that is not completely self-owned • Conducting any DDoS attacks • Conducting any intensive network fuzzing against Azure virtual machines • Any tests that generate a huge amount of traffic through automated testing methods • Attempt phishing or any social engineering attacks on Microsoft’s employees • Utilizing any services that violate the acceptable usage policies as mentioned in the online usage terms Encouraged • Create multiple test or trial accounts to test cross- account access vulnerabilities. However, using these test accounts to access other customer’s data is prohibited. • Running vulnerability scanning tools, port scan, or fuzz on your virtual machine. • Testing your account by generating traffic which is expected to match regular working periods and can also include surge capacity. • Try to break out of Azure services to access other customer assets. If any such vulnerability is found, you should inform Microsoft and cease any further tests. • Test Microsoft Intune to ensure all restrictions function as expected.
Overview of Azure Services Host applications Store data for applications Create applications Enhance applications Monitor or manage application
Most common Azure Services that will be attacked App Services Storage Accounts Automation Accounts Virtual Machines Key Vaults Azure SQL Azure Container Registry/ Azure Container Instances
Azure Penetration Testing Tools Windows or Linux administration tools • JQ,httpie,wget,curl,unzip , and PowerShell General Penetration testing tools • Gobuster,nmap,dnscan,and hydra Azure-specific penetration testing tools • Microbust,Lava,Koboko,PowerZure,Stormspotter nd BloodHound
Azure Penetration Testing Scopes Anonymous external testing Read-only configuration review Internal network testing Architecture review
Steps to follow while conducting Azure Pentest • Identifying attack surfaces • Data collection for security reviews (using Azure Security Center) • Vulnerability scanning through automated tools like Nessus, OpenVAS or Nexpose etc. Using these tools you will get a list of all possible weaknesses along with suggestions to fix them. • Thereafter run manual vulnerability analysis using traditional methods such as fuzzing or web application vulnerability scanners like Astra Pentest or Acunetix WP scan respectively if required depending upon the criticality of identified issues. • Perform external pentesting for your Azure environment.
Azure Penetration Testing Steps Accessing Azure cloud services Securing the database Encryption
Accessing Azure cloud services
Securing the database
Encryption
Demo Test at your own risk
Identifying vulnerabilities in public-facing services MicroBurst Virtual Machine with WSL
Add the following names to the Notepad file. Save the file and close it: Scripts Templates Archieve 2020 2019 2018
Conclusion
Reference • Penetration Testing Azure for Ethical Hackers: Develop practical skills to perform pentesting and risk assessment of Microsoft Azure environments

Recomendados

Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
Cheah Eng Soon
 
Penetration Testing Azure for Ethical Hackers
Penetration Testing Azure for Ethical HackersPenetration Testing Azure for Ethical Hackers
Penetration Testing Azure for Ethical Hackers
Cheah Eng Soon
 
Deep Dive into AWS SAM
Deep Dive into AWS SAMDeep Dive into AWS SAM
Deep Dive into AWS SAM
Amazon Web Services
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
Katy Anton
 
A Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptxA Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptx
saurabhpandey251355
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
Simon Bennetts
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 

Recomendados

Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
Cheah Eng Soon
 
Penetration Testing Azure for Ethical Hackers
Penetration Testing Azure for Ethical HackersPenetration Testing Azure for Ethical Hackers
Penetration Testing Azure for Ethical Hackers
Cheah Eng Soon
 
Deep Dive into AWS SAM
Deep Dive into AWS SAMDeep Dive into AWS SAM
Deep Dive into AWS SAM
Amazon Web Services
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
Katy Anton
 
A Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptxA Guide to AWS Penetration Testing.pptx
A Guide to AWS Penetration Testing.pptx
saurabhpandey251355
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
Simon Bennetts
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
José Haro Peralta
 
Azure WAF
Azure WAFAzure WAF
Azure WAF
Cheah Eng Soon
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure
Cheah Eng Soon
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm ÖnerileriDNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
BGA Cyber Security
 
Microservice With Spring Boot and Spring Cloud
Microservice With Spring Boot and Spring CloudMicroservice With Spring Boot and Spring Cloud
Microservice With Spring Boot and Spring Cloud
Eberhard Wolff
 
Container Security
Container SecurityContainer Security
Container Security
Amazon Web Services
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
Penetration Testing AWS
Penetration Testing AWSPenetration Testing AWS
Penetration Testing AWS
Sanjeev Kumar Jaiswal
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
PencilData
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
Touhami Kasbaoui
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
BGA Cyber Security
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
Mohammed Fazuluddin
 
Debunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust SecurityDebunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust Security
Centrify Corporation
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
Adam Shostack
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Spv Reddy
 
1,2,3 … Testing : Is this thing on(line)? with Mike Martin
1,2,3 … Testing : Is this thing on(line)? with Mike Martin1,2,3 … Testing : Is this thing on(line)? with Mike Martin
1,2,3 … Testing : Is this thing on(line)? with Mike Martin
NETUserGroupBern
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Azure WAF
Azure WAFAzure WAF
Azure WAF
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure20 common security vulnerabilities and misconfiguration in Azure
20 common security vulnerabilities and misconfiguration in Azure
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm ÖnerileriDNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
DNS Protokolüne Yönelik Güncel Saldırı Teknikleri & Çözüm Önerileri
 
Microservice With Spring Boot and Spring Cloud
Microservice With Spring Boot and Spring CloudMicroservice With Spring Boot and Spring Cloud
Microservice With Spring Boot and Spring Cloud
 
Container Security
Container SecurityContainer Security
Container Security
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
Penetration Testing AWS
Penetration Testing AWSPenetration Testing AWS
Penetration Testing AWS
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Security testing
Security testingSecurity testing
Security testing
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API Security
 
Debunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust SecurityDebunked: 5 Myths About Zero Trust Security
Debunked: 5 Myths About Zero Trust Security
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 

Semelhante a Azure Penetration Testing

AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Karl Ots
 
Acunetix Training and ScanAssist
Acunetix Training and ScanAssistAcunetix Training and ScanAssist
Acunetix Training and ScanAssist
Bryan Ferrario
 

Semelhante a Azure Penetration Testing (20)

1,2,3 … Testing : Is this thing on(line)? with Mike Martin
1,2,3 … Testing : Is this thing on(line)? with Mike Martin1,2,3 … Testing : Is this thing on(line)? with Mike Martin
1,2,3 … Testing : Is this thing on(line)? with Mike Martin
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
 
Devops architecture
Devops architectureDevops architecture
Devops architecture
 
Serverless Application Development with Azure
Serverless Application Development with AzureServerless Application Development with Azure
Serverless Application Development with Azure
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps Infrastructure
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
DevSum - Top Azure security fails and how to avoid them
DevSum - Top Azure security fails and how to avoid themDevSum - Top Azure security fails and how to avoid them
DevSum - Top Azure security fails and how to avoid them
 
Manage your devices with Azure IoT...and more
Manage your devices with Azure IoT...and moreManage your devices with Azure IoT...and more
Manage your devices with Azure IoT...and more
 
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public Cloud
 
Continuous delivery by sergey seletsky
Continuous delivery by sergey seletskyContinuous delivery by sergey seletsky
Continuous delivery by sergey seletsky
 
CNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and TestingCNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and Testing
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and Testing
 
Acunetix Training and ScanAssist
Acunetix Training and ScanAssistAcunetix Training and ScanAssist
Acunetix Training and ScanAssist
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Managed Threat Detection and Response
Managed Threat Detection and ResponseManaged Threat Detection and Response
Managed Threat Detection and Response
 

Mais de Cheah Eng Soon

Mais de Cheah Eng Soon (20)

Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for Endpoint
 
Azure Active Directory - Secure and Govern
Azure Active Directory - Secure and GovernAzure Active Directory - Secure and Govern
Azure Active Directory - Secure and Govern
 
Microsoft Zero Trust
Microsoft Zero TrustMicrosoft Zero Trust
Microsoft Zero Trust
 
MEM for OnPrem Environments
MEM for OnPrem EnvironmentsMEM for OnPrem Environments
MEM for OnPrem Environments
 
Microsoft Threat Protection Automated Incident Response
Microsoft Threat Protection Automated Incident Response Microsoft Threat Protection Automated Incident Response
Microsoft Threat Protection Automated Incident Response
 
Microsoft Threat Protection Automated Incident Response Demo
Microsoft Threat Protection Automated Incident Response DemoMicrosoft Threat Protection Automated Incident Response Demo
Microsoft Threat Protection Automated Incident Response Demo
 
Microsoft Secure Score Demo
Microsoft Secure Score DemoMicrosoft Secure Score Demo
Microsoft Secure Score Demo
 
Microsoft Cloud App Security Demo
Microsoft Cloud App Security DemoMicrosoft Cloud App Security Demo
Microsoft Cloud App Security Demo
 
M365 Attack Simulation Demo
M365 Attack Simulation DemoM365 Attack Simulation Demo
M365 Attack Simulation Demo
 
Cloud Security Demo
Cloud Security DemoCloud Security Demo
Cloud Security Demo
 
Azure Active Directory - External Identities Demo
Azure Active Directory - External Identities Demo Azure Active Directory - External Identities Demo
Azure Active Directory - External Identities Demo
 
Azure Weekend 2020 Build Malaysia Bus Uncle Chatbot
Azure Weekend 2020 Build Malaysia Bus Uncle ChatbotAzure Weekend 2020 Build Malaysia Bus Uncle Chatbot
Azure Weekend 2020 Build Malaysia Bus Uncle Chatbot
 
Microsoft Azure的20大常见安全漏洞与配置错误
Microsoft Azure的20大常见安全漏洞与配置错误Microsoft Azure的20大常见安全漏洞与配置错误
Microsoft Azure的20大常见安全漏洞与配置错误
 
Integrate Microsoft Graph with Azure Bot Services
Integrate Microsoft Graph with Azure Bot ServicesIntegrate Microsoft Graph with Azure Bot Services
Integrate Microsoft Graph with Azure Bot Services
 
Azure Sentinel with Office 365
Azure Sentinel with Office 365Azure Sentinel with Office 365
Azure Sentinel with Office 365
 
3 Steps Integrate Microsoft Graph with Azure Bot Services
3 Steps Integrate Microsoft Graph with Azure Bot Services3 Steps Integrate Microsoft Graph with Azure Bot Services
3 Steps Integrate Microsoft Graph with Azure Bot Services
 
Data Science - The Most Profitable Movie Characteristic
Data Science - The Most Profitable Movie CharacteristicData Science - The Most Profitable Movie Characteristic
Data Science - The Most Profitable Movie Characteristic
 
Modernize your Security Operations with Azure Sentinel
Modernize your Security Operations with Azure SentinelModernize your Security Operations with Azure Sentinel
Modernize your Security Operations with Azure Sentinel
 
Azure Sentinel
Azure SentinelAzure Sentinel
Azure Sentinel
 
Start Building Machine Learning Models Faster Than You Think
Start Building Machine Learning Models Faster Than You ThinkStart Building Machine Learning Models Faster Than You Think
Start Building Machine Learning Models Faster Than You Think
 

Último

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Último (20)

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Azure Penetration Testing

  • 1.
  • 2. Azure Penetration Testing Eng Soon Cheah Microsoft MVP
  • 3. Agenda • Overview of Azure Services • Most common Azure Services that will be attacked • Azure Penetration Testing Tools • Guidelines for Azure Penetration Testing • Demo
  • 5. How Microsoft’s Azure Penetration Testing Works Blue Team • Collect all evidence regarding the incident • Notify all operations and engineering teams • Classify the threat to decide whether it requires further investigation • Create a plan to alleviate the threat • Execute the plan and recover the affected systems Blue and Red Team • Timing of the breach • Mechanism of the breach • Compromised systems and assets • If the Blue team was able to mitigate the attack • Whether recovery was successful and effective
  • 6. Azure Penetration Testing Policies Prohibited • Scanning or conducting tests on other Azure customer assets • Accessing data that is not completely self-owned • Conducting any DDoS attacks • Conducting any intensive network fuzzing against Azure virtual machines • Any tests that generate a huge amount of traffic through automated testing methods • Attempt phishing or any social engineering attacks on Microsoft’s employees • Utilizing any services that violate the acceptable usage policies as mentioned in the online usage terms Encouraged • Create multiple test or trial accounts to test cross- account access vulnerabilities. However, using these test accounts to access other customer’s data is prohibited. • Running vulnerability scanning tools, port scan, or fuzz on your virtual machine. • Testing your account by generating traffic which is expected to match regular working periods and can also include surge capacity. • Try to break out of Azure services to access other customer assets. If any such vulnerability is found, you should inform Microsoft and cease any further tests. • Test Microsoft Intune to ensure all restrictions function as expected.
  • 7. Overview of Azure Services Host applications Store data for applications Create applications Enhance applications Monitor or manage application
  • 8. Most common Azure Services that will be attacked App Services Storage Accounts Automation Accounts Virtual Machines Key Vaults Azure SQL Azure Container Registry/ Azure Container Instances
  • 9. Azure Penetration Testing Tools Windows or Linux administration tools • JQ,httpie,wget,curl,unzip , and PowerShell General Penetration testing tools • Gobuster,nmap,dnscan,and hydra Azure-specific penetration testing tools • Microbust,Lava,Koboko,PowerZure,Stormspotter nd BloodHound
  • 10. Azure Penetration Testing Scopes Anonymous external testing Read-only configuration review Internal network testing Architecture review
  • 11. Steps to follow while conducting Azure Pentest • Identifying attack surfaces • Data collection for security reviews (using Azure Security Center) • Vulnerability scanning through automated tools like Nessus, OpenVAS or Nexpose etc. Using these tools you will get a list of all possible weaknesses along with suggestions to fix them. • Thereafter run manual vulnerability analysis using traditional methods such as fuzzing or web application vulnerability scanners like Astra Pentest or Acunetix WP scan respectively if required depending upon the criticality of identified issues. • Perform external pentesting for your Azure environment.
  • 12. Azure Penetration Testing Steps Accessing Azure cloud services Securing the database Encryption
  • 16.
  • 17. Demo Test at your own risk
  • 18. Identifying vulnerabilities in public-facing services MicroBurst Virtual Machine with WSL
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24. Add the following names to the Notepad file. Save the file and close it: Scripts Templates Archieve 2020 2019 2018
  • 25.
  • 27. Reference • Penetration Testing Azure for Ethical Hackers: Develop practical skills to perform pentesting and risk assessment of Microsoft Azure environments