DEV Community

Eng Soon Cheah

Gathering Subscription access information with PowerZure

*Test at your own risk

1. In an Az PowerShell module-authenticated PowerShell session on your machine, download PowerZure with the following commands:

PS C:\> cd C:\Users\$env:USERNAME
PS C:\> git clone https://github.com/hausec/PowerZure.git

[Screenshot: output of the clone command]

2. Import the PowerZure module into your PowerShell session with the following commands. If prompted to install the Azure AD module, type Y and press Enter. Then close and re-open the PowerShell console:

[Screenshot: import commands]

3. If you installed the Azure AD module, open a new PowerShell session and use the following commands to re-import PowerZure into the console:

PS C:\> cd C:\Users\$env:USERNAME\PowerZure
PS C:\> Import-Module .\PowerZure.ps1

After the module is imported, it lists your current role (Reader) and the available subscriptions. This is useful reconnaissance information:

  • AADRoles: Shows the role that the current user is assigned in Azure AD.
  • AzureRoles: Shows the Azure RBAC role assignments and scopes for the user.
  • Available Subscriptions: Shows the subscriptions on which the user has some level of permission. This information is useful for seeing whether there are opportunities to move laterally to other subscriptions with this user account.

[Screenshot: role and subscription listing]

4. To see a list of all the available functions in PowerZure, run the following command:

[Screenshot: PowerZure function list]

5. Part of enumerating the attack surface is determining the actual access that a credential has and its level of access (read/write/execute). PowerZure has a function called Get-AzureTargets that we can use for this purpose. It compares the user's role to the Azure scope to make this determination. You can run the function using the following command:

[Screenshot: Get-AzureTargets output]

While the Get-AzureTargets function of PowerZure is a great way to understand the scope of access that a user has and the resources they have access to, MicroBurst also collects this information into flat files for the review of an entire subscription. Each tool has its own benefits, and different situations call for different tools.
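As an added example of the role-to-scope comparison described in step 5 (this is not PowerZure's or the post's own code), the following Az module script lists every role assignment the signed-in account holds across its subscriptions and tags each with a read/write/execute level derived from the role definition, which is the same check a subscription owner runs when reviewing a credential for least privilege. It assumes Az.Accounts and Az.Resources are installed, that Connect-AzAccount has already been run, and the classification rule in Get-AccessLevel is a simplification assumed here.

```powershell
# Added example, not part of PowerZure or the original post.
# Assumes the Az.Accounts and Az.Resources modules are installed and that
# Connect-AzAccount has already been run in this session.

function Get-AccessLevel {
    # Reduce a role definition to read / write / execute, in the spirit of the
    # role-to-scope comparison the post attributes to Get-AzureTargets.
    # Simplified rule (an assumption of this example): '*' or any write/delete
    # action counts as write, '/action' operations count as execute, and
    # everything else is read. NotActions are subtracted first.
    param([string[]]$Actions, [string[]]$NotActions)
    $effective = $Actions | Where-Object { $_ -notin $NotActions }
    if ($effective -contains '*' -or ($effective | Where-Object { $_ -match '/(write|delete)$' })) {
        return 'write'
    }
    if ($effective | Where-Object { $_ -match '/action$' }) { return 'execute' }
    return 'read'
}

function Get-CurrentPrincipalTargets {
    # Walk every subscription the signed-in account can see and list its
    # role assignments (including those inherited via group membership),
    # tagging each one with the access level derived from the role definition.
    $account = (Get-AzContext).Account.Id
    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null
        $assignments = Get-AzRoleAssignment -SignInName $account -ExpandPrincipalGroups
        foreach ($ra in $assignments) {
            $def = Get-AzRoleDefinition -Name $ra.RoleDefinitionName
            [pscustomobject]@{
                Subscription = $sub.Name
                Scope        = $ra.Scope
                Role         = $ra.RoleDefinitionName
                Access       = Get-AccessLevel -Actions $def.Actions -NotActions $def.NotActions
            }
        }
    }
}

# Anything other than 'read' at subscription scope deserves a second look
# when reviewing this credential for least privilege.
Get-CurrentPrincipalTargets | Sort-Object Access, Scope | Format-Table -AutoSize
```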

Reference:
https://github.com/PacktPublishing/Penetration-Testing-Azure-for-Ethical-Hackers
