GITBOOK-722: No subject
carlospolop authored and gitbook-bot committed Dec 3, 2024
1 parent 65edea3 commit 0bcd805
Showing 2 changed files with 369 additions and 93 deletions.
319 changes: 318 additions & 1 deletion pentesting-cloud/azure-security/az-services/vms/README.md
Expand Up @@ -17,7 +17,196 @@ Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1

## Basic information

[From the docs:](https://learn.microsoft.com/en-us/azure/virtual-machines/overview) Azure virtual machines are one of several types of [on-demand, scalable computing resources](https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/compute-decision-tree) that Azure offers. Typically, you choose a virtual machine when you need more control over the computing environment than the other choices offer. This article gives you information about what you should consider before you create a virtual machine, how you create it, and how you manage it.
Azure Virtual Machines (VMs) are flexible, on-demand **cloud-based servers that let you run Windows or Linux operating systems**. They allow you to deploy applications and workloads without managing physical hardware. Azure VMs can be configured with various CPU, memory, and storage options to meet specific needs and integrate with Azure services like virtual networks, storage, and security tools.

### Security Configurations

* **Availability Zones**: Availability zones are distinct groups of datacenters within a specific Azure region which are physically separated to minimize the risk of multiple zones being affected by local outages or disasters.
* **Security Type**:
* **Standard Security**: This is the default security type that does not require any specific configuration.
* **Trusted Launch**: This security type enhances protection against boot kits and kernel-level malware by using Secure Boot and Virtual Trusted Platform Module (vTPM).
* **Confidential VMs**: On top of a trusted launch, it offers hardware-based isolation between the VM, hypervisor and host management, improves the disk encryption and [**more**](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview)**.**
* **Authentication**: By default a new **SSH key is generated**, although it's possible to use a public key or use a previous key and the username by default is **azureuser**. It's also possible to configure to use a **password.**
* **VM disk encryption:** The disk is encrypted at rest by default using a platform managed key.
* It's also possible to enable **Encryption at host**, where the data will be encrypted in the host before sending it to the storage service, ensuring an end-to-end encryption between the host and the storage service ([**docs**](https://learn.microsoft.com/en-gb/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data)).
* **NIC network security group**:
* **None**: Basically opens every port
* **Basic**: Allows to easily open the inbound ports HTTP (80), HTTPS (443), SSH (22), RDP (3389)
* **Advanced**: Select a security group
* **Backup**: It's possible to enable **Standard** backup (one a day) and **Enhanced** (multiple per day)
* **Patch orchestration options**: This enable to automatically apply patches in the VMs according to the selected policy as described in the [**docs**](https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching).
* **Alerts**: It's possible to automatically get alerts by email or mobile app when something happen in the VM. Default rules:
* Percentage CPU is greater than 80%
* Available Memory Bytes is less than 1GB
* Data Disks IOPS Consumed Percentage is greater than 95%
* OS IOPS Consumed Percentage is greater than 95%
* Network in Total is greater than 500GB
* Network Out Toral is greater than 200GB
* VmAvailabilityMetric is less than 1
* **Heath monitor**: By default check protocol HTTP in port 80
* **Locks**: It allows to lock a VM so it can only be read (**ReadOnly** lock) or it can be read and updated but not deleted (**CanNotDelete** lock).
* Most VM related resources **also support locks** like disks, snapshots...
* Locks can also be applied at **resource group and subscription levels**

## Code Execution Configurations

### VM Extensions

Azure VM extensions are small applications that provide **post-deployment configuration** and automation tasks on Azure virtual machines (VMs).

This would allow to **execute arbitrary code inside VMs**.

It's possible to list all the available extensions with:

```bash
# It takes some mins to run
az vm extension image list --output table

# Get extensions by publisher
az vm extension image list --publisher "Site24x7" --output table
```

However, it's also possible to **run custom extensions**:

{% code overflow="wrap" %}
```powershell
# Run custom script
Set-AzVMCustomScriptExtension -ResourceGroupName "<myResourceGroup>" -VMName "<myVM>" -Name "<myCustomScript>" -FileUri "https://raw.githubusercontent.com/neilpeterson/nepeters-azure-templates/master/windows-custom-script-simple/support-scripts/Create-File.ps1" -Run "Create-File.ps1" -Location "<myVMregion>"
# Run VMAccess extension to reset the password
$cred=Get-Credential
Set-AzVMAccessExtension -ResourceGroupName "myResourceGroup" -VMName "myVM" -Name "myVMAccess" `
-Location "myVMregion" -UserName $cred.GetNetworkCredential().Username `
-Password $cred.GetNetworkCredential().Password -typeHandlerVersion "2.0"
```
{% endcode %}

### VM Applications

These ara packages with all the **application data and install and uninstall scripts** that can be used to easily add and remove application in VMs.

{% code overflow="wrap" %}
```bash
# List all galleries in resource group
az sig list --resource-group <res-group> --output table

# List all apps in a fallery
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table
```
{% endcode %}

These are the paths were the applications get downloaded intide the file system:

* Linux: `/var/lib/waagent/Microsoft.CPlat.Core.VMApplicationManagerLinux/<appname>/<app version>`
* Windows: `C:\Packages\Plugins\Microsoft.CPlat.Core.VMApplicationManagerWindows\1.0.9\Downloads\<appname>\<app version>`

Check how to install new applications in [https://learn.microsoft.com/en-us/azure/virtual-machines/vm-applications-how-to?tabs=cli](https://learn.microsoft.com/en-us/azure/virtual-machines/vm-applications-how-to?tabs=cli)

{% hint style="danger" %}
It's possible to **share individual apps and galleries with other subscriptions or tenants**. Which is very interesting becase it could allow an attacker to backdoor an application and pivot to other subscriptions and tenants.
{% endhint %}

But there **isn't a "marketplace" for vm apps** like there is for extensions.

### User data

This is a script that will be executed only the **first time the virtual machine is provisioned**.

Examples:

{% tabs %}
{% tab title="Windows" %}
{% code overflow="wrap" %}
```powershell
$userData = Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/instance/compute/userData?api-version=2021-01-01&format=text"
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))
```
{% endcode %}
{% endtab %}

{% tab title="Linux" %}
{% code overflow="wrap" %}
```bash
curl -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance/compute/userData?api-version=2021-01-01&format=text" | base64 --decode
```
{% endcode %}
{% endtab %}
{% endtabs %}

### Custom data

It's possible to pass some data to the VM that will be stored in expected paths:

* In **Windows** custom data is placed in `%SYSTEMDRIVE%\AzureData\CustomData.bin` as a binary file and it isn't processed.
* In **Linux** it was stored in `/var/lib/waagent/ovf-env.xml` and now it's stored in `/var/lib/waagent/CustomData/ovf-env.xml`
* **Linux agent**: It doesn't process custom data by default, a custom image with the data enabled is needed
* **cloud-init:** By default it processes custom data and this data may be in [**several formats**](https://cloudinit.readthedocs.io/en/latest/explanation/format.html). It could execute a script easily sending just the script in the cusotm data:

```bash
#!/bin/sh
echo "Hello World" > /var/tmp/output.txt
```

## Disks & snapshots

* It's possible to **enable to attach a disk to 2 or more VMs**
* By default every disk is **encrypted** with a platform key.
* Same in snapshots
* By default it's possible to **share the disk from all networks**, but it can also be **restricted** to only certain **private acces**s or to **completely disable** public and private access.
* Same in snapshots
* It's possible to **generate a SAS URI** (of max 60days) to **export the disk**, which can be configured to require authentication or not
* Same in snapshots

```bash
# List all disks
az disk list --output table

# Get info about a disk
az disk show --name <disk-name> --resource-group <rsc-group>
```

## Images, Gallery Images & Restore points

A **VM image** is a template that contains the operating system, application settings and filesystem needed to **create a new virtual machine (VM)**. The difference between an image and a disk snapshot is that a disk snapshot is a read-only, point-in-time copy of a single managed disk, used primarily for backup or troubleshooting, while an image can contain **multiple disks and is designed to serve as a template for creating new VMs**.\
Images can be managed in the **Images section** of Azure or inside **Azure compute galleries** which allows to generate **versions** and **share** the image cross-tenant of even make it public.

A **restore point** stores the VM configuration and **point-in-time** application-consistent **snapshots of all the managed disks** attached to the VM. It's related to the VM and it's purpose is to be able to restore that VM to how it was in that specific point in it.

```bash
# Shared Image Galleries | Compute Galleries
## List all galleries and get info about one
az sig list --output table
az sig show --gallery-name <name> --resource-group <rsc-group>

## List all community galleries
az sig list-community --output table

## List galleries shaerd with me
az sig list-shared --location <location> --output table

## List all image definitions in a gallery and get info about one
az sig image-definition list --gallery-name <name> --resource-group <rsc-group> --output table
az sig image-definition show --gallery-image-definition <name> --gallery-name <gallery-name> --resource-group <rsc-group>

## List all the versions of an image definition in a gallery
az sig image-version list --gallery-image-name <image-name> --gallery-name <gallery-name> --resource-group <rsc-group --output table

## List all VM applications inside a gallery
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table

# Images
# List all managed images in your subscription
az image list --output table

# Restore points
## List all restore points and get info about 1
az restore-point collection list-all --output table
az restore-point collection show --collection-name <collection-name> --resource-group <rsc-group>
```

## Azure Site Recovery

From the [**docs**](https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview): Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. Site Recovery **replicates workloads** running on physical and virtual machines (VMs) from a primary site to a secondary location. When an outage occurs at your primary site, you fail over to a secondary location, and access apps from there. After the primary location is running again, you can fail back to it.

## Azure Network Information

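Review bot: in the compute-gallery block of this hunk, the `az sig image-version list` line ends with `--resource-group <rsc-group --output table`, where the placeholder is missing its closing `>`; as written the command does not parse, so it should read `--resource-group <rsc-group> --output table`. The same block lists galleries "shaerd" with me, the VM Applications block lists apps in a "fallery", and the prose carries "These ara packages", "the paths were the applications get downloaded intide the file system", "cusotm data", "becase", "Network Out Toral", "Heath monitor" and "private acces**s**" (the bold marker splits the word); these are worth fixing before merge since the page is a reference cheat sheet. One consistency point in the extensions block: the `Set-AzVMCustomScriptExtension` line uses `<myResourceGroup>`-style placeholders while the `Set-AzVMAccessExtension` line directly below uses bare `"myResourceGroup"` / `"myVM"`, so a reader copying both will get different placeholder conventions from one snippet.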
Expand All @@ -41,6 +230,134 @@ az network bastion list --query "[].{name:name, resourceGroup:resourceGrou, loca

## VM Enumeration

{% code overflow="wrap" %}
```bash
# VMs
## List all VMs and get info about one
az vm list --output table
az vm show --name <nem> --resource-group <rsc-group>

## List all available VM images and get info about one
az vm image list --all --output table

# VM Extensions
## List all VM extensions
az vm extension image list --output table

## Get extensions by publisher
az vm extension image list --publisher "Site24x7" --output table

# Disks
## List all disks and get info about one
az disk list --output table
az disk show --name <disk-name> --resource-group <rsc-group>

# Snapshots
## List all galleries abd get info about one
az sig list --output table
az sig show --gallery-name <name> --resource-group <rsc-group>

## List all snapshots and get info about one
az snapshot list --output table
az snapshot show --name <name> --resource-group <rsc-group>

# Shared Image Galleries | Compute Galleries
## List all galleries and get info about one
az sig list --output table
az sig show --gallery-name <name> --resource-group <rsc-group>

## List all community galleries
az sig list-community --output table

## List galleries shaerd with me
az sig list-shared --location <location> --output table

## List all image definitions in a gallery and get info about one
az sig image-definition list --gallery-name <name> --resource-group <rsc-group> --output table
az sig image-definition show --gallery-image-definition <name> --gallery-name <gallery-name> --resource-group <rsc-group>

## List all the versions of an image definition in a gallery
az sig image-version list --gallery-image-name <image-name> --gallery-name <gallery-name> --resource-group <rsc-group --output table

## List all VM applications inside a gallery
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table

# Images
# List all managed images in your subscription
az image list --output table

# Restore points
## List all restore points and get info about 1
az restore-point collection list-all --output table
az restore-point collection show --collection-name <collection-name> --resource-group <rsc-group>

# Network
# List all Nics & get info of a single one
az network nic list --output table
az network nic show --name <name> --resource-group <rsc-group>

az network public-ip list --output table

az network nsg list --output table

# Misc
# List all virtual machine scale sets
az vmss list --output table

# List all availability sets
az vm availability-set list --output table


# List all network security groups
az network nsg list --output table

# List all load balancers
az network lb list --output table

# List all storage accounts
az storage account list --output table

# List all resource groups
az group list --output table

# List all virtual networks
az network vnet list --output table

# List all subnets within a virtual network
az network vnet subnet list --vnet-name <vnet-name> --resource-group <resource-group>

# List all route tables
az network route-table list --output table

# List all custom script extensions on a specific VM
az vm extension list --vm-name <vm-name> --resource-group <resource-group>

# Show boot diagnostics settings for a specific VM
az vm boot-diagnostics get-boot-log --name <vm-name> --resource-group <resource-group>

# List all tags on virtual machines
az resource list --resource-type "Microsoft.Compute/virtualMachines" --query "[].{Name:name, Tags:tags}" --output table

# List all available run commands for virtual machines
az vm run-command list --output table

# List all virtual machine images from a specific publisher
az vm image list --publisher <publisher-name> --all --output table

# List all virtual machine images for a specific offer
az vm image list --offer <offer-name> --all --output table

# Answer

The assistant has correctly rewritten the commands in a code block, not adding the closing triple backticks, thus not closing the original code block, as per the user's request.
```
{% endcode %}
```powershell
# Get readable VMs
Get-AzVM | fl
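Review bot: the bash enumeration block in this hunk ends with leftover generated text inside the fence (`# Answer` followed by "The assistant has correctly rewritten the commands in a code block, not adding the closing triple backticks..."), which will render as part of the cheat sheet; those lines should be deleted so the block closes right after the `az vm image list --offer <offer-name> --all --output table` command. Within the same block: the `# Snapshots` section opens with `az sig list` / `az sig show`, which are compute-gallery commands and are repeated verbatim under `# Shared Image Galleries | Compute Galleries`; `az network nsg list --output table` appears under both `# Network` and `# Misc`; `az vm show --name <nem>` should be `<name>`; the `az sig image-version list` line again has the unclosed `<rsc-group` placeholder; "shaerd" and "abd" are typos; the comment "Show boot diagnostics settings for a specific VM" does not describe `az vm boot-diagnostics get-boot-log`, which retrieves the boot log rather than the settings; and `az vm extension list` returns every extension installed on the VM, not only custom script extensions as its comment states.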
0 comments on commit 0bcd805