BlueMap: An Interactive Exploitation Toolkit for Azure

BlueMap

BlueMap is an interactive tool for identifying IAM misconfigurations, information gathering, abusing managed identities, detecting user permissions, and much more. Everything runs in interactive mode without ANY third-party dependencies (such as the Az module or Azure PowerShell), so the tool leaves a minimal footprint on your customer's network.

BlueMap helps penetration testers and red teamers perform Azure auditing, discovery & enumeration, and exploitation in an interactive mode that saves the complex opsec and overhead that usually exist in Azure penetration testing engagements.

Features

  • Automatic token generation via the Az module (only if it is installed on the target machine) and a token parser
  • Automatic exploitation for reading vault secrets, misconfigured service principals, and Elevate Access, plus utilities supporting attack paths for Reader/Global Reader, Contributor, and Global Admin
  • Built-in interactive mode for most of the exploits (aka "modules" or "techniques")
  • Integrated permissions and privileges analysis aimed at detecting shadow admins and shadow permissions during the engagement
  • Minimal footprint on the network, as there are no third-party PowerShell module dependencies (except for the automatic token generation feature)
  • Data-gathering capabilities in different modules, via Runbooks, App Service deployments, ARM templates, users, and more

BlueMap uses two different interfaces:

  1. Non-Interactive
  2. Interactive Mode

The Non-Interactive mode is used for token manipulation and user-context evaluation (e.g. whoami commands), and it also covers the auto-exploit method: no user interaction is required, and the exploitation is done behind the scenes. The Interactive mode is mainly for running the different exploits; some of them execute automatically, while others ask for further details about the target (e.g. which resource the exploit should run against).

List of the available exploits:

| Type | Level | Exploit | Mode |
|------|-------|---------|------|
| Information Gathering | Reader, Global Reader | Reader/ListAllUsers | Non-Interactive |
| Information Gathering | Reader, Global Reader | Reader/ExposedAppServiceApps | Non-Interactive |
| Information Gathering | Reader, Global Reader | Reader/ListAllAzureContainerRegistry | Non-Interactive |
| Information Gathering | Reader, Global Reader | Reader/ListAutomationAccounts | Non-Interactive |
| Discovery | Reader, Global Reader | Reader/DumpAllRunBooks | Interactive |
| Information Gathering | Reader, Global Reader | Reader/ListAllRunBooks | Non-Interactive |
| Information Gathering | Reader, Global Reader | Reader/ListAllVaults | Non-Interactive |
| Information Gathering | Reader, Global Reader | Reader/ListAppServiceSites | Non-Interactive |
| Information Gathering | Reader, Global Reader | Reader/ListVirtualMachines | Non-Interactive |
| Information Gathering | Reader, Global Reader | Reader/ListAllStorageAccounts | Non-Interactive |
| Discovery | Reader, Global Reader | Reader/ARMTemplatesDisclosure | Non-Interactive |
| Information Gathering | Reader, Global Reader | Reader/ListServicePrincipal | Non-Interactive |
| Discovery | Reader, Global Reader | Reader/abuseServicePrincipals | Interactive |
| Information Gathering | Contributor | Contributor/ListACRCredentials | Non-Interactive |
| Discovery | Contributor | Contributor/ReadVaultSecret | Interactive |
| RCE | Contributor | Contributor/RunCommandVM | Interactive |
| Lateral Movement | Contributor | Contributor/VMExtensionResetPwd | Interactive |
| RCE | Contributor | Contributor/VMExtensionExecution | Interactive |
| Information Gathering | Contributor | Contributor/VMDiskExport | Interactive |
| Discovery | Contributor | Contributor/DumpWebAppPublishProfile | Non-Interactive |
| Lateral Movement | GlobalAdministrator | GlobalAdministrator/elevateAccess | Interactive |
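For defenders, the table above doubles as a detection checklist: each Contributor and Global Administrator technique corresponds to a control-plane operation that is recorded in the Azure Activity Log. The script below is an added example and is not part of BlueMap. It scans Activity Log records exported as JSON lines, maps the operations to the technique names in the table, and summarizes them per caller. The operation names and their mapping to BlueMap techniques are my assumptions and should be verified against your own tenant's logs; the sample records are constructed, with placeholder subscription and caller values.

```python
"""Added defender-side example (not part of BlueMap): map Azure Activity Log
records to the BlueMap technique names in the table above and summarize them
per caller. Operation names and the mapping are assumptions to verify."""
import json
from collections import defaultdict

# Assumed mapping: lower-cased ARM operationName -> (BlueMap technique, severity).
# Severity follows the table's Type column: RCE / Lateral Movement rank highest.
TECHNIQUE_BY_OPERATION = {
    "microsoft.compute/virtualmachines/runcommand/action":
        ("Contributor/RunCommandVM", "high"),
    "microsoft.compute/virtualmachines/extensions/write":
        ("Contributor/VMExtensionResetPwd|VMExtensionExecution", "high"),
    "microsoft.compute/disks/begingetaccess/action":
        ("Contributor/VMDiskExport", "medium"),
    "microsoft.containerregistry/registries/listcredentials/action":
        ("Contributor/ListACRCredentials", "medium"),
    "microsoft.web/sites/publishxml/action":
        ("Contributor/DumpWebAppPublishProfile", "medium"),
    "microsoft.authorization/elevateaccess/action":
        ("GlobalAdministrator/elevateAccess", "critical"),
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample records (JSON lines), not real tenant data; <sub-id> and the
# callers are placeholders. The second record uses the REST-API shape
# ({"value": ...}); the sixth is deliberately malformed.
SAMPLE_ACTIVITY_LOG = [
    '{"eventTimestamp":"2022-06-01T10:00:00Z","caller":"ops@contoso.example",'
    '"operationName":"Microsoft.Compute/virtualMachines/read","status":"Succeeded",'
    '"resourceId":"/subscriptions/<sub-id>/.../virtualMachines/vm-web01"}',
    '{"eventTimestamp":"2022-06-01T10:02:10Z","caller":"contractor@contoso.example",'
    '"operationName":{"value":"Microsoft.ContainerRegistry/registries/listCredentials/action"},'
    '"status":{"value":"Succeeded"},'
    '"resourceId":"/subscriptions/<sub-id>/.../registries/acrprod"}',
    '{"eventTimestamp":"2022-06-01T10:05:42Z","caller":"contractor@contoso.example",'
    '"operationName":"Microsoft.Compute/virtualMachines/runCommand/action","status":"Failed",'
    '"resourceId":"/subscriptions/<sub-id>/.../virtualMachines/vm-web01"}',
    '{"eventTimestamp":"2022-06-01T10:06:03Z","caller":"contractor@contoso.example",'
    '"operationName":"Microsoft.Compute/virtualMachines/runCommand/action","status":"Succeeded",'
    '"resourceId":"/subscriptions/<sub-id>/.../virtualMachines/vm-web01"}',
    '{"eventTimestamp":"2022-06-01T10:09:30Z","caller":"contractor@contoso.example",'
    '"operationName":"Microsoft.Authorization/elevateAccess/action","status":"Succeeded",'
    '"resourceId":"/providers/Microsoft.Authorization/elevateAccess"}',
    'this line is not JSON and must be skipped',
    '{"eventTimestamp":"2022-06-01T11:00:00Z","caller":"ops@contoso.example",'
    '"operationName":"Microsoft.Compute/virtualMachines/extensions/write","status":"Succeeded",'
    '"resourceId":"/subscriptions/<sub-id>/.../vm-web01/extensions/CustomScript"}',
]


def _field(record, name):
    """Activity Log exports differ: the REST API wraps operationName and status
    in {"value": ...}, while the AzureActivity table stores plain strings."""
    value = record.get(name)
    if isinstance(value, dict):
        value = value.get("value")
    return value or ""


def classify(record):
    """Return a finding dict if the record matches a mapped technique, else None."""
    operation = _field(record, "operationName").lower()
    hit = TECHNIQUE_BY_OPERATION.get(operation)
    if hit is None:
        return None
    technique, severity = hit
    return {
        "time": record.get("eventTimestamp", ""),
        "caller": record.get("caller", "<unknown>"),
        "resource": record.get("resourceId", ""),
        "technique": technique,
        "severity": severity,
        "succeeded": _field(record, "status").lower() == "succeeded",
    }


def detect(lines):
    """Parse JSON lines, skipping malformed ones, and collect findings."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # never let one bad export line abort the sweep
        finding = classify(record)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Group findings per caller: counts, distinct techniques, highest severity."""
    per_caller = defaultdict(lambda: {"events": 0, "succeeded": 0,
                                      "techniques": set(), "max_severity": "low"})
    for f in findings:
        entry = per_caller[f["caller"]]
        entry["events"] += 1
        entry["succeeded"] += int(f["succeeded"])
        entry["techniques"].add(f["technique"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["max_severity"]]:
            entry["max_severity"] = f["severity"]
    return dict(per_caller)


if __name__ == "__main__":
    for caller, entry in summarize(detect(SAMPLE_ACTIVITY_LOG)).items():
        print(f"{caller}: {entry['events']} events ({entry['succeeded']} succeeded), "
              f"max severity {entry['max_severity']}, techniques {sorted(entry['techniques'])}")
```

Two caveats when running this against real exports: the read-only Reader techniques (the List* rows) generally do not appear in the Activity Log, which records write and action operations, and Contributor/ReadVaultSecret is a Key Vault data-plane operation that surfaces in Key Vault diagnostic logs rather than the Activity Log, so neither is covered here. Failed attempts are still counted as findings because a burst of failures from one caller is itself a useful signal, and legitimate automation (the ops@ extension write in the sample) will match too, so baseline expected callers before alerting.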

Intrusive Actions

While most of BlueMap has no third-party dependencies, some exploits may be noisy on the network as they perform actions such as opening, reading, or modifying local files. Also, the automatic token generation method (Token/GenToken) uses the underlying Az module, which may lead to the tool being flagged.

List of the available intrusive commands:

| Type | Level | Exploit | Mode |
|------|-------|---------|------|
| Discovery | Reader, Global Reader | Reader/DumpAllRunBooks | Interactive |

Install & Use

Copyright (c) 2022 Maor Tal