DEV Community

Eng Soon Cheah
Eng Soon Cheah

Posted on

Enumerating subscription information with MicroBurst

*Test at your own risk

1.In an authenticated Az module PowerShell session on your machine, import the MicroBurst module using the following commands. If you get a non-fatal error about MSOnline, you can ignore it as that module is not installed on the machine it is not used.



PS C:\> cd C:\Users\$env:USERNAME\MicroBurst
PS C:\> Import-Module .\MicrosBurst.psm1


Enter fullscreen mode Exit fullscreen mode

2.Create a folder to store the output of the function that we are about to run using the following command.



PS C:\> New-Item -Name "microburst-output" -ItemType "directory"


Enter fullscreen mode Exit fullscreen mode

3.Run the MicroBurst function to enumerate the Azure subscription using the following command. When a windows opens displaying the subscription, click OK to proceed.



PS C:\> Get-AzDomainInfo -Verboes -Folder microburst-output


Enter fullscreen mode Exit fullscreen mode

Image description
The function will output the enumerated results in CSV and the text files will be stored in the specified output folder.

4.Open the output folder using the following command. This will open the microburst-output folder in File Explorer.



PS C:\> explorer microburst-output


Enter fullscreen mode Exit fullscreen mode

You will see a single folder called Az in the opened view.
Image description

5.Review the contents of the files and folders specified as follows. The content contains the resource inventory collected by the function (you can open the CSV files with Visual Studio Code):

  • Az-> (in our case, our subscription is called Development, but this will be different for you)-> PublicIPs.csv
  • Az->->Resources
  • Az->-> Virtual Machine The information can be parsed to obtain external targets that are provisioned in the subscription (App Service applications ,storage accounts ,public IP addresses and domains). The information can then be used to target hosted services for vulnerability assessments or misconfigurations. Image description

6.Review the contents of the files specified as follows. The content contains the user list collected by the function:

Az->->Users.csv

Useful information such as usernames, email addresses, account type, and target credential guessing or phishing attacks.
Image description

7.Review the contents of the folder specified as follows. The content contains lists of privileged users collected by the function:

Az->-> RBAC

These users can be targeted for credential theft attacks to escalate privileges.

The MicroBurst function that we used -Get-AzDomainInfo- is a powerful authenticated enumeration tool. It does more than what we are able to review here.You can review the contents of Az directory to see other enumerated output results.

Reference:
https://github.com/cheahengsoon/Penetration-Testing-Azure-for-Ethical-Hackers

Top comments (0)