Azure Commands
Before you can use the Azure commands, you need to:
- Download the latest CloudFox binary from our releases page
  NOTE: if the latest pre-compiled binary doesn't have all functionality present in this guide, please download from one of our dev branches and build from source.
- Install Azure CLI
- Authenticate with the client:
# az login
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code [REDACTED] to authenticate.
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "[REDACTED]",
    "id": "[REDACTED]",
    "isDefault": true,
    "managedByTenants": [],
    "name": "[REDACTED]",
    "state": "Enabled",
    "tenantId": "[REDACTED]",
    "user": {
      "name": "[REDACTED]",
      "type": "user"
    }
  },
...omitted for brevity...
To list Azure commands:
./cloudfox azure -h
For help with a specific subcommand:
./cloudfox azure [command_name] -h
CloudFox offers a --wrap flag for all subcommands that adjusts the table output to fit the terminal screen. This flag has no effect on output files.
The whoami command displays information on the current tenant, subscriptions and resource groups available to your current Azure CLI session. This provides situational awareness about which tenant and subscription IDs to use with the other subcommands.
./cloudfox azure whoami
[🦊 cloudfox DEV 🦊 ][whoami] Enumerating Azure CLI sessions...
╭──────────────────────────────────┬──────────────────────────────────┬───────────────────┬─────────────────┬────────┬─────────────────╮
│ Tenant ID                        │ Subscription ID                  │ Subscription Name │ RG Name         │ Region │ Domain          │
├──────────────────────────────────┼──────────────────────────────────┼───────────────────┼─────────────────┼────────┼─────────────────┤
│ 11111111-1111-1111-1111-11111111 │ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ SubscriptionA     │ ResourceGroupA1 │ eastus │ cloudfox1.local │
│ 11111111-1111-1111-1111-11111111 │ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ SubscriptionA     │ ResourceGroupA2 │ eastus │ cloudfox1.local │
│ 11111111-1111-1111-1111-11111111 │ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │ SubscriptionB     │ ResourceGroupB1 │ eastus │ cloudfox1.local │
│ 11111111-1111-1111-1111-11111111 │ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │ SubscriptionB     │ ResourceGroupB2 │ eastus │ cloudfox1.local │
│ 22222222-2222-2222-2222-22222222 │ CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCC │ SubscriptionC     │ ResourceGroupC1 │ eastus │ cloudfox2.local │
│ 22222222-2222-2222-2222-22222222 │ CCCCCCCC-CCCC-CCCC-CCCC-CCCCCCCC │ SubscriptionC     │ ResourceGroupC2 │ eastus │ cloudfox2.local │
╰──────────────────────────────────┴──────────────────────────────────┴───────────────────┴─────────────────┴────────┴─────────────────╯
The vms command enumerates useful information about compute instances at the subscription or tenant level.
Example 1: enumerating instances for a specific tenant
./cloudfox azure vms --tenant 11111111-1111-1111-1111-11111111
[🦊 cloudfox DEV 🦊 ][vms] Enumerating VMs for tenant 11111111-1111-1111-1111-11111111
╭──────────────────────────────────┬──────────┬─────────────┬─────────────┬─────────────┬────────────────┬─────────────────────╮
│ Subscription ID                  │ VM Name  │ VM Location │ Private IPs │ Public IPs  │ Admin Username │ Resource Group Name │
├──────────────────────────────────┼──────────┼─────────────┼─────────────┼─────────────┼────────────────┼─────────────────────┤
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-1 │ us-east-1   │ 192.168.0.1 │ 72.88.100.1 │ admin          │ ResourceGroupA1     │
│                                  │          │             │ 192.168.0.2 │ 72.88.100.2 │                │                     │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-3 │ us-east-2   │ 192.168.0.5 │ 72.88.100.5 │ admin          │ ResourceGroupA1     │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-2 │ us-west-2   │ 192.168.0.3 │ 72.88.100.3 │ admin          │ ResourceGroupA2     │
│                                  │          │             │ 192.168.0.4 │ 72.88.100.4 │                │                     │
╰──────────────────────────────────┴──────────┴─────────────┴─────────────┴─────────────┴────────────────┴─────────────────────╯
[instances] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-11111111/table/vms.txt]
[instances] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-11111111/csv/vms.csv]
Example 2: enumerating instances for a specific subscription
./cloudfox azure vms --subscription AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA
[🦊 cloudfox DEV 🦊 ][vms] Enumerating VMs for subscription AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA
╭──────────────────────────────────┬──────────┬─────────────┬─────────────┬─────────────┬────────────────┬─────────────────────╮
│ Subscription ID                  │ VM Name  │ VM Location │ Private IPs │ Public IPs  │ Admin Username │ Resource Group Name │
├──────────────────────────────────┼──────────┼─────────────┼─────────────┼─────────────┼────────────────┼─────────────────────┤
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-1 │ us-east-1   │ 192.168.0.1 │ 72.88.100.1 │ admin          │ ResourceGroupA1     │
│                                  │          │             │ 192.168.0.2 │ 72.88.100.2 │                │                     │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-3 │ us-east-2   │ 192.168.0.5 │ 72.88.100.5 │ admin          │ ResourceGroupA1     │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │ TestVM-2 │ us-west-2   │ 192.168.0.3 │ 72.88.100.3 │ admin          │ ResourceGroupA2     │
│                                  │          │             │ 192.168.0.4 │ 72.88.100.4 │                │                     │
╰──────────────────────────────────┴──────────┴─────────────┴─────────────┴─────────────┴────────────────┴─────────────────────╯
[instances] Output written to [cloudfox-output/azure/subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA/table/vms.txt]
[instances] Output written to [cloudfox-output/azure/subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA/csv/vms.csv]
The rbac command maps the Azure RBAC role assignments at the subscription or tenant level.
Example 1: enumerating Azure RBAC role assignment at subscription level
./cloudfox azure rbac --subscription AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA
[🦊 cloudfox DEV 🦊 ][rbac] Enumerating RBAC permissions for subscription AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA
╭───────────┬─────────────┬─────────────────────────────────────────────────╮
│ User Name │ Role Name   │ Role Scope                                      │
├───────────┼─────────────┼─────────────────────────────────────────────────┤
│ User 1    │ Reader      │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 2    │ Contributor │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
╰───────────┴─────────────┴─────────────────────────────────────────────────╯
[rbac] Output written to [cloudfox-output/azure/subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA/table/rbac.txt]
[rbac] Output written to [cloudfox-output/azure/subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA/csv/rbac.csv]
Example 2: enumerating Azure RBAC role assignment at tenant level
./cloudfox azure rbac --tenant 11111111-1111-1111-1111-11111111
[🦊 cloudfox DEV 🦊 ][rbac] Enumerating RBAC permissions for tenant 11111111-1111-1111-1111-11111111
╭───────────┬─────────────────────────┬─────────────────────────────────────────────────╮
│ User Name │ Role Name               │ Role Scope                                      │
├───────────┼─────────────────────────┼─────────────────────────────────────────────────┤
│ User 1    │ Reader                  │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 2    │ Contributor             │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 1    │ Data Labeling - Labeler │ /subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │
│ User 3    │ Data Labeling - Labeler │ /subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │
│ User 1    │ Reader                  │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 2    │ Contributor             │ /subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA │
│ User 1    │ Data Labeling - Labeler │ /subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │
│ User 3    │ Data Labeling - Labeler │ /subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB │
╰───────────┴─────────────────────────┴─────────────────────────────────────────────────╯
[rbac] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-11111111/table/rbac.txt]
[rbac] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-11111111/csv/rbac.csv]
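One way to triage rbac.csv for an access review, as an added example that is not part of CloudFox or the original page: it drops repeated rows like those in the tenant-level table above and groups write-capable built-in roles by scope level. It assumes the CSV header names match the table columns; the sample rows, including User 4, are constructed.

```python
import csv
import io
from collections import defaultdict

# Built-in roles that can modify resources or grant access; extend for custom roles.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
COLUMNS = ("User Name", "Role Name", "Role Scope")  # assumed CSV header names

# Constructed sample in the shape of the rbac table above.
SAMPLE_RBAC_CSV = """\
User Name,Role Name,Role Scope
User 1,Reader,/subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA
User 2,Contributor,/subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA
User 3,Data Labeling - Labeler,/subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB
User 2,Contributor,/subscriptions/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAA
User 4,Owner,/subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB/resourceGroups/ResourceGroupB1
"""

def scope_level(scope):
    """Classify an Azure RBAC scope string by how much it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/") if p]
    if not parts:
        return "root"
    if parts[0] == "providers" and "managementgroups" in parts:
        return "management group"
    if parts[0] == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2] == "resourcegroups":
            return "resource group"
        return "resource"
    return "unknown"

def load_assignments(csv_text):
    """Return unique (user, role, scope) tuples, preserving first-seen order."""
    rows = csv.DictReader(io.StringIO(csv_text))
    keys = (tuple(row[col].strip() for col in COLUMNS) for row in rows)
    return list(dict.fromkeys(keys))

def privileged_findings(assignments):
    """Group privileged assignments by scope level so the broadest are reviewed first."""
    findings = defaultdict(list)
    for user, role, scope in assignments:
        if role in PRIVILEGED_ROLES:
            findings[scope_level(scope)].append((user, role, scope))
    return dict(findings)

if __name__ == "__main__":
    print(privileged_findings(load_assignments(SAMPLE_RBAC_CSV)))
```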
The storage command lists the storage containers in a tenant or subscription. For containers that have public blobs, it parses their public URLs and writes them to a loot file.
Example 1: enumerating storage accounts at tenant level
./cloudfox az storage --tenant 11111111-1111-1111-1111-11111111
[🦊 cloudfox DEV 🦊 ][storage] Enumerating storage accounts for tenant 11111111-1111-1111-1111-11111111
╭──────────────────────────────────────┬──────────────────────┬─────────────────────┬───────────────╮
│ Subscription ID                      │ Storage Account Name │ Container Name      │ Access Status │
├──────────────────────────────────────┼──────────────────────┼─────────────────────┼───────────────┤
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA │ storageo8mpi8ly68    │ container0ud33jox9x │ private       │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA │ storageo8mpi8ly68    │ containerbghlpn3f96 │ public        │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA │ storageo8mpi8ly68    │ containerto6e4m5qrq │ private       │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA │ storageo8mpi8ly68    │ containerx7mib885sz │ private       │
│ AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA │ storaget24glzw6uv    │ container3vsww2t0fi │ public        │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv    │ container9osxp02mza │ public        │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv    │ containerefnkpiaibh │ private       │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv    │ container2768ebzuf0 │ private       │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv    │ container2vx3qx3kth │ public        │
╰──────────────────────────────────────┴──────────────────────┴─────────────────────┴───────────────╯
[storage][tenant-11111111-1111-1111-1111-111111111111] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-111111111111/table/storage.txt]
[storage][tenant-11111111-1111-1111-1111-111111111111] Output written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-111111111111/csv/storage.csv]
[storage][tenant-11111111-1111-1111-1111-111111111111] Loot file written to [cloudfox-output/azure/tenants/11111111-1111-1111-1111-111111111111/loot/public-blob-urls.txt]
Example 2: enumerating storage accounts at subscription level
./cloudfox az storage --subscription BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB
[🦊 cloudfox DEV 🦊 ][storage] Enumerating storage accounts for subscription BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBB
╭──────────────────────────────────────┬──────────────────────┬─────────────────────┬───────────────╮
│ Subscription ID                      │ Storage Account Name │ Container Name      │ Access Status │
├──────────────────────────────────────┼──────────────────────┼─────────────────────┼───────────────┤
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv    │ container9osxp02mza │ public        │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv    │ containerefnkpiaibh │ private       │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv    │ container2768ebzuf0 │ private       │
│ BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB │ storaget24glzw6uv    │ container2vx3qx3kth │ public        │
╰──────────────────────────────────────┴──────────────────────┴─────────────────────┴───────────────╯
[storage][subscription-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB] Output written to [cloudfox-output/azure/subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB/table/storage.txt]
[storage][subscription-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB] Output written to [cloudfox-output/azure/subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB/csv/storage.csv]
[storage][subscription-BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB] Loot file written to [cloudfox-output/azure/subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB/loot/public-blob-urls.txt]
The storage command also creates a file in the loot folder containing the public object URLs, so they are easy to access:
$ cat ./cloudfox-output/azure/subscriptions/BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB/loot/public-blob-urls.txt
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/test1.txt
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/test2.txt
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/test3.txt
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/test4.txt
...omitted for brevity...
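For remediation, the loot file can be reduced to a per-container worklist. This is an added example, not CloudFox code: it assumes the one-URL-per-line format shown above, validates each line before using it, and emits one Azure CLI command per exposed container; the function names and the third sample URL are constructed.

```python
import re
import shlex
from collections import defaultdict
from urllib.parse import urlsplit, unquote

BLOB_SUFFIX = ".blob.core.windows.net"
ACCOUNT_RE = re.compile(r"[a-z0-9]{3,24}")        # storage account naming rule
CONTAINER_RE = re.compile(r"\$?[a-z0-9-]{3,63}")  # also admits $web, $root, $logs

# Constructed sample in the loot-file format shown above (third URL is made up).
SAMPLE_LOOT = """\
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/test1.txt
https://storageo8mpi8ly68.blob.core.windows.net/containerbghlpn3f96/test2.txt
https://storaget24glzw6uv.blob.core.windows.net/container9osxp02mza/reports/q1.csv
...omitted for brevity...
http://example.invalid/not-a-blob
"""

def parse_blob_url(line):
    """Return (account, container, blob), or None if the line is not a blob URL."""
    parts = urlsplit(line.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host.endswith(BLOB_SUFFIX):
        return None
    account = host[: -len(BLOB_SUFFIX)]
    container, _, blob = parts.path.lstrip("/").partition("/")
    if not (ACCOUNT_RE.fullmatch(account) and CONTAINER_RE.fullmatch(container) and blob):
        return None
    return account, container, unquote(blob)

def group_public_blobs(text):
    """Map (account, container) -> sorted blob names, plus the lines that were skipped."""
    grouped, skipped = defaultdict(set), []
    for line in filter(None, map(str.strip, text.splitlines())):
        parsed = parse_blob_url(line)
        if parsed is None:
            skipped.append(line)
        else:
            grouped[parsed[:2]].add(parsed[2])
    return {key: sorted(blobs) for key, blobs in grouped.items()}, skipped

def remediation_commands(grouped):
    """One Azure CLI command per exposed container that turns anonymous access off."""
    cmd = "az storage container set-permission --account-name {} --name {} --public-access off"
    return [cmd.format(shlex.quote(a), shlex.quote(c)) for a, c in sorted(grouped)]

if __name__ == "__main__":
    print(*remediation_commands(group_public_blobs(SAMPLE_LOOT)[0]), sep="\n")
```

Lines that fail validation are returned in the skipped list rather than silently dropped, so a truncated or hand-edited loot file is visible in the result.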