MicroBurst: A collection of scripts for assessing Microsoft Azure security

by do son ·

MicroBurst

MicroBurst: A PowerShell Toolkit for Attacking Azure

MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping. It is intended to be used during penetration tests where Azure is in use.

MicroBurst

Functions Information

  • Get-AzurePasswords.ps1
    PS C:> Get-Help Get-AzurePasswords
    NAME: Get-AzurePasswords
    SYNOPSIS: Dumps all available credentials from an Azure subscription. Pipe to Out-Gridview or Export-CSV for easier parsing.
    SYNTAX: Get-AzurePasswords [[-Subscription] ] [[-ExportCerts] ] []
    DESCRIPTION: This function will look for any available credentials and certificates store in Key Vaults, App Services Configurations, and Automation accounts. If the Azure management account has permissions, it will read the values directly out of the Key Vaults and App Services Configs. A runbook will be spun up for dumping automation account credentials, so it will create a log entry in the automation jobs.
  • Invoke-EnumerateAzureBlobs.ps1PS C:> Import-Module .\Invoke-EnumerateAzureBlobs.ps1

    PS C:> Get-Help Invoke-EnumerateAzureBlobs

    NAME: Invoke-EnumerateAzureBlobs

    SYNOPSIS: PowerShell function for enumerating public Azure Blobs and Containers.

    SYNTAX: Invoke-EnumerateAzureBlobs [[-Base] ] [[-OutputFile] ] [[-Permutations] ] [[-Folders] ] [[-BingAPIKey] ] []

    DESCRIPTION: The function will check for valid .blob.core.windows.net hostnames via DNS. If a BingAPIKey is supplied, a Bing search will be made for the base word under the .blob.core.windows.net site. After completing storage account enumeration, the function then checks for valid containers via the Azure REST API methods. If a valid container has public files, the function will list them out.

  • Invoke-EnumerateAzureSubDomains.ps1PS C:> Import-Module .\Invoke-EnumerateAzureSubDomains.ps1

    PS C:> Get-Help Invoke-EnumerateAzureSubDomains

    NAME: Invoke-EnumerateAzureSubDomains

    SYNOPSIS: PowerShell function for enumerating public Azure services.

    SYNTAX: Invoke-EnumerateAzureSubDomains [-Base] [[-Permutations] ] []

    DESCRIPTION: The function will check for valid Azure subdomains, based off of a base word, via DNS.

  • Get-AzureDomainInfo.ps1PS C:> Import-Module .\Get-AzureDomainInfo.ps1

    PS C:> Get-Help Get-AzureDomainInfo

    NAME: Get-AzureDomainInfo

    SYNOPSIS: PowerShell function for dumping information from Azure subscriptions via authenticated ASM and ARM connections.

    SYNTAX: Get-AzureDomainInfo [[-folder] ] [[-Subscription] ] [[-ResourceGroup] ] [[-Users] ] [[-Groups] ] [[-StorageAccounts] ] [[-Resources] ] [[-VMs] ] [[-NetworkInfo] ] [[-RBAC] ] [[-LoginBypass] ] []

    DESCRIPTION: The function will dump available information for an Azure domain out to CSV and txt files in the -folder parameter directory.

  • Get-MSOLDomainInfo.ps1PS C:> Import-Module .\Get-MSOLDomainInfo.ps1

    PS C:> Get-Help Get-MSOLDomainInfo

    NAME: Get-MSOLDomainInfo

    SYNOPSIS: PowerShell function for dumping information from an Office365 domain via an authenticated MSOL connection.

    SYNTAX: Get-MSOLDomainInfo [[-folder] ] [[-Users] ] [[-Groups] ] []

    DESCRIPTION: The function will dump available information for an Office365 domain out to CSV and txt files in the -folder parameter directory.

Download

git clone https://github.com/NetSPI/MicroBurst.git
Import-Module .\MicroBurst.psm1

Copyright (c) 2018, NetSPI
All rights reserved.

Source: https://github.com/NetSPI/

Tags: MicroBurst