VitthalS.github.io

View on GitHub

Azure Storage Security: Attacking & Auditing

Hello Guys,

So, in my last blog, I showed you guys how to get started with cloud storage security & check misconfiguration related to AWS Cloud storage.This will be a multipart blog series where I will be demonstrating how to check for different misconfigurations & vulnerabilities that might be present in cloud storage. In this blog, I will be covering Azure storage attacks.

I have also released a tool to attack azure cloud storages : Az-Blob-Attacker, you can check it out.

Before moving further, we will understand what Azure storage is and how to create one.

What is Azure Storage Service?

Azure Storage is Microsoft’s cloud storage solution for modern data storage scenarios. Azure Storage offers a massively scalable object store for data objects, a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store.

We will now explore & understand different azure storage types:

info

Blob storage offers three types of resources:

The following diagram shows the relationship between these resources.

blob1

For the following URL

https://testmystorage101.blob.core.windows.net/testcontainer101/secret.txt

We can say

Storage Account Name: testmystorage101
Container Name : testcontainer101
Blob Name : secret.txt

Now, we know the basics let’s explore how to create one

  1. Navigate to azure portal and click on Storage accounts

    create

  2. Click on the ‘+Add’ button and fill in the relevant fields and click on Review+Create.

    create1

  3. Now click on ‘+Container’ to create & fill all the relevant fields and click on create.

    create2

  4. Navigate to the container we created and click on the ‘Upload’ button & upload a blob and click on upload.

    create3

Note that this is not a secure way to create a container. Our main motto is to get the basic understanding to move on further. Before moving to check azure storage security, we will configure AZ CLI, which can be used later to explore the blobs.

To install AZ CLI, you can refer to the official website.

  1. Now to configure the AZ CLI, Open the console and execute the below command

    az login

    configure

  2. Navigate to the URL and login into your account.

    configure1

  3. You are now logged in.

    configure2

  4. Navigate to the Console and observe you are logged in and information related to your account.

    configure3

We will use AZ CLI in the later section. Let’s check out different methods to find the misconfigured containers.

Enumeration

The azure container is in the following format

https://<storage-account-name>.blob.core.windows.net/<container-name>/

A container name must be a valid DNS name, conforming to the following naming rules:

Dorks

site:github.com web.config "StorageConnectionString" "DefaultEndpointsProtocol"
site:http://blob.core.windows.net

dork

Also, you can use the below projects to find leaks in the GitHub repo.

Shodan

hostname:"core.windows.net"

shodan

Bruteforce

Usually, companies tend to use patterns in naming, such as [company-name]-dev or [company-name]-test. If you are targetting to find a particular company’s container, you can brute-force the name of the container using such patterns. There are a couple of open-source tools available to automate this process. Let’s find a container that we have created earlier using tool cloud_enum which is a Multi-cloud OSINT tool to enumerate public resources in AWS, Azure, and Google Cloud.

Let’s say you were researching “somecompany” whose website is “somecompany.io” You could run the tool like this:

cloudenum.py -k payatu -k payatu.com

cloud_enum

We have found our previously created container and blobs stored in it.

cloud_enum1

You can also use tools like Microburst or CloudScraper to brute-force the azure storage and containers.

microburst

grayhatwarfare.com

This is a searchable database of open buckets. grayhat

We have covered almost all the methods to identify Azure Containers. Let’s try to exploit the misconfigured storage.

Exploitation

Manual

Navigate to the below URL to find out valid blob names.

`https://<storage-account-name>.blob.core.windows.net/<container-name>?restype=container&comp=list`

blobbrute

Add blob name into URL to see contents of blob.

https://<storage-account-name>.blob.core.windows.net/<container-name>/<blob-name>

exploit

Let’s assume you have found a leaked storage account name and key.

Automation

We can automate this whole process using tools. We are going to open-source the tool Az-Blob-Attacker which performs all the operations stated above.

logo

Let’s explore this tool

  1. Run the tool by executing the below command in the console.

    python az-blob-attacker.py

  2. To get the container names associated with the storage account, enter number 1.

    az-blob-attacker

  3. To get the blob names associated with the storage account & container, enter number 2.

    az-blob-attacker1

  4. To Download all the blobs associated with the storage account & container, enter number 3.

    az-blob-attacker2

  5. To upload a blob to the container, enter number 4 and specify the path to the file.

    az-blob-attacker3

  6. To delete a blob from a specified container, enter number 5

    deleteblob

Auditing & Configuration review

Till now, we have covered the offensive part. Let’s check how to audit and check misconfiguration of the container.

Manual

In this section, we will be talking about common storage misconfiguration & how to check them.

  1. Disable anonymous public read access to containers and blobs

    Anonymous public read access to a container and its blobs grants read-only access to those resources to any client. Avoid enabling public read access unless your scenario requires it

    Steps to check :

    1. List all storage accounts

      ` az storage account list –query ‘[*].name’`

      anony

    2. List all containers in a specific storage account

      az storage container list --account-name <XXXX> --query '[*].name'

      anony1

    3. Check for the public access

      az storage container show --account-name <XXXX> --name <XXXX>

      anony2

      You can observe that publicAccess is set to container it means anonymous read access for containers and blobs.

  2. Limit shared access signature (SAS) tokens to HTTPS connections only

    Requiring HTTPS when a client uses a SAS token to access blob data helps to minimize the risk of eavesdropping.

    Steps to Check :

    1. Locate the Shared Access Signature (SAS) token defined within the SAS URL provided to your storage account clients. The SAS token starts with a question mark, followed by a set of various parameters.

      Example SAS token : ?sv=2020-02-10&ss=b&srt=co&sp=rlx&se=2021-03-18T15:10:53Z&st=2021-03-18T07:10:53Z&spr=https,http&sig=<XXXX>%3D

    2. Identify the spr parameter, for example, spr=https,http.

      If it is set to http, it is not compliant.

  3. Shared Access Signature Tokens should be expired.

    If a SAS is compromised, you will want to revoke that SAS as soon as possible. To revoke a user delegation SAS, revoke the user delegation key to quickly invalidate all signatures associated with that key. To revoke a service SAS that is associated with a stored access policy, you can delete the stored access policy, rename the policy, or change its expiry time to a time that is in the past.

    Steps to Check :

    1. Locate the Shared Access Signature (SAS) token defined within the SAS URL provided to your storage account clients. The SAS token starts with a question mark, followed by a set of various parameters.

      Example SAS token : ?sv=2020-02-10&ss=b&srt=co&sp=rlx&se=2021-03-18T15:10:53Z&st=2021-03-18T07:10:53Z&spr=https,http&sig=<XXXX>%3D

    2. Identify the parameters se & st, It should expire within an hour from its creation.

  4. Turn on soft delete for blobs

    Soft delete for blobs enables you to recover blob data after it has been deleted.

    Steps to check :

    1. Run the below command

      az storage blob service-properties delete-policy show --account-name <XXXX>

      softdelete

    2. Observe that if enabled is set to false means soft delete is not enabled.

  5. Turn on soft delete for containers.

    Soft delete for containers protects your data from being accidentally or maliciously deleted. When container soft delete is enabled for a storage account, any deleted container and its contents are retained in Azure Storage for the period that you specify. During the retention period, you can restore previously deleted containers. Restoring a container restores any blobs within that container when it was deleted.

    Steps to check :

    1. Run the below command

      az feature show --namespace Microsoft.Storage --name ContainerSoftDelete

      containersoftdelete

    2. If the command returns the output in-state “NotRegistered”, it means the feature is not enabled.

  6. Enable Azure Resource lock.

    Apply an Azure Resource Manager lock to your storage account to protect the account from accidental or malicious deletion or configuration change. Locking a storage account does not prevent data within that account from being deleted. It only prevents the account itself from being deleted.

    Steps to check :

    1. Run the below command

      az lock list

      lock

    2. If the command returns empty output, it means that the Azure Resource lock is not enabled.

  7. Enable secure transfer (HTTPS) to the storage account

    When you require a secure transfer for a storage account, all requests to the storage account must be made over HTTPS. Any requests made over HTTP are rejected.

    Steps to check :

    1. Run the below command

      az storage account show --resource-group <XXXX> --name <XXXX> --query enableHttpsTrafficOnly

      httpsonly

    2. If the command returns false output, it means that secure transfer (HTTPS) to the storage account is not enabled.

  8. Grant limited access to Azure Storage resources using shared access signatures (SAS)

    A shared access signature (SAS) provides secure delegated access to resources in your storage account. With SAS, you have granular control over how a client can access your data.

    Steps to Check :

    1. Locate the Shared Access Signature (SAS) token defined within the SAS URL provided to your storage account clients. The SAS token starts with a question mark, followed by a set of various parameters.

      Example SAS token : ?sv=2020-02-10&ss=b&srt=co&sp=rwdlacx&se=2021-03-18T15:10:53Z&st=2021-03-18T07:10:53Z&spr=https,http&sig=<XXXX>%3D

    2. Identify the parameters sp which has rwdlacx, which means this token has Read, Write, Delete, List, Add, Create permission.

  9. Regenerate your account keys periodically

    Rotating the account keys periodically reduces the risk of exposing your data to malicious actors.

  10. Disallow Shared Key authorization

    When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Azure AD will succeed.

    Steps to check :

    1. Run the below command

      az storage account show --resource-group <XXXX> --name <XXXX> --query allowSharedKeyAccess

      sharedaccess

    2. If the command returns true output, it means that Shared Key authorization is not enabled.

  11. Enable firewall rules to access from IP.

    Configure firewall rules to limit access to your storage account to requests that originate from specified IP addresses.

    Steps to check :

    1. Run the below command

      az storage account show --resource-group <XXXX> --name <XXXX> --query networkRuleSet

      network

    2. If the command returns empty output, it means that Enable firewall rules to access from IP are not enabled.

  12. Limit network access to specific networks

    Limiting network access to networks hosting clients requiring access reduces the exposure of your resources to network attacks.

    Steps to check :

    1. Run the below command

      az storage account show --resource-group <XXXX> --name <XXXX> --query networkRuleSet

      network1

    2. If the command returns allow in “defaultAction” output, it means that network access to specific networks is not enabled and all networks, including the Internet, can access the selected Azure Storage account

  13. Use Customer-managed keys for Azure Storage encryption

    You can use your encryption key to protect the data in your storage account. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data.

    Steps to check :

    1. Run the below command

      az storage account show --resource-group <XXXX> --name <XXXX> --query encryption

      encryption

    2. If the “keyVaultProperties” is set to null then Customer-managed keys for Azure Storage encryption are not used.

Automation

For this, we will be using the Azucar tool & ScoutSuite.

Let’s explore how to check misconfiguration using this tool.

Let’s run the Azucar using the below command

azucar1

We can analyze the generated result in the following format.

azucar

Let’s run the Scoutsuite using the below command

scoutsuite

We can analyze the generated result in the following format.

scoutsuite1

We can analyze that running different automated tools will not cover all the test cases.

This concludes our blog. In the next blog, we will be exploring the cloud storage of another cloud service provider.

References