Breaching Azure+ Intro
Introduction to Azure
Breaching SolarDrops
Breaching Bogus Bank
Threat Hunting using Microsoft Sentinel
Breaching Azure+ Challenges

BA 04 – Anonymous Azure Services Enumeration

Azure Enumeration

Azure enumeration is the systematic process of gathering information about the Azure resources, configuration, permissions and Entra ID (ex Azure AD) tenant for a specific Azure environment. There are two ways to enumerate Azure services: either as an authenticated Azure user or anonymously (without authentication). This section will primarily focus on external (anonymous) reconnaissance techniques. By analyzing this information, you can assess the security posture of Azure environments and identify potential entry points for further exploitation.

Below is a list of Azure services and their associated subdomain:

Microsoft has allocated a unique subdomain for each Azure service. Upon setting up a new service a new unique domain will be created, therefore it is possible to discover the kind of services they use by guessing/brute forcing  their name conventions. 

Anonymous Azure Storage

Anonymous Azure Storage refers to an unsecured configuration within Microsoft Azure that allows public access to storage resources without the need for authentication or proper access controls. This misconfiguration can occur when storage accounts are set to allow anonymous access, making data and resources openly accessible to anyone on the internet. Essentially, it means that the storage containers and blobs can be retrieved without requiring valid credentials, leading to a significant security risk.

In this configuration state, a potential attacker can abuse Anonymous Azure Storage by exploiting the misconfigured settings to exfiltrate sensitive data, upload malicious files, or even disrupt services. The lack of proper authentication mechanisms allows unauthorized individuals to read, modify, or delete data stored in the affected Azure Storage accounts. Attackers might leverage automated tools to scan for and identify such misconfigurations, leading to unauthorized access and potential data breaches. Proper security measures, such as enforcing access controls and making the storage private, are essential to mitigate the risks associated with Anonymous Azure Storage and ensure a robust defense against potential threats.

To identify exposed Azure Storage accounts, leverage popular search engines like Google or specialized tools such as Shodan. The following Google Dorks can aid in your search:

Locate GitHub repositories containing “StorageConnectionString” with the specified default endpoints protocol:

site:github.com "StorageConnectionString" "DefaultEndpointsProtocol"

Identify Azure Storage accounts using the following Google Dork:

site:http://blob.core.windows.net

Enhance your reconnaissance with open-source tools like Microburst , CloudScraper and Grayhatwarfare are designed for effective subdomain enumeration and Cloud asset discovery.

Additional Reading: