diff --git a/src/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md b/src/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md index 168c17892d..55d7d92ae2 100644 --- a/src/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md +++ b/src/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md @@ -76,7 +76,7 @@ az network nsg show --name az network nsg rule list --nsg-name --resource-group --query "[].{name:name, priority:priority, direction:direction, access:access, protocol:protocol, sourceAddressPrefix:sourceAddressPrefix, destinationAddressPrefix:destinationAddressPrefix, sourcePortRange:sourcePortRange, destinationPortRange:destinationPortRange}" -o table # Get NICs and subnets using this NSG -az network nsg show --name MyLowCostVM-nsg --resource-group Resource_Group_1 --query "{subnets: subnets, networkInterfaces: networkInterfaces}" +az network nsg show --name --resource-group --query "{subnets: subnets, networkInterfaces: networkInterfaces}" ``` {{#endtab }} @@ -85,13 +85,15 @@ az network nsg show --name MyLowCostVM-nsg --resource-group Resource_Group_1 --q ```bash # List NSGs Get-AzNetworkSecurityGroup | Select-Object Name, Location -Get-AzNetworkSecurityGroup -Name -ResourceGroupName # Get NSG rules -(Get-AzNetworkSecurityGroup -ResourceGroupName -Name ).SecurityRules +Get-AzNetworkSecurityGroup -Name -ResourceGroupName | +Select-Object -ExpandProperty SecurityRules | +Select-Object Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationAddressPrefix, SourcePortRange, DestinationPortRange # Get NICs and subnets using this NSG (Get-AzNetworkSecurityGroup -Name -ResourceGroupName ).Subnets +(Get-AzNetworkSecurityGroup -Name -ResourceGroupName ).NetworkInterfaces ``` {{#endtab }} 
@@ -99,9 +101,9 @@ Get-AzNetworkSecurityGroup -Name -ResourceGroupName Routes apply at the subnet level; all VMs in that subnet follow the table. + +**Example:** + +- For internet-bound traffic, use the default `0.0.0.0/0` with **Internet** as next hop. +- To inspect outbound traffic, route `0.0.0.0/0` to a Network Virtual Appliance (NVA) IP. ### **Enumeration** @@ -169,7 +176,7 @@ Azure **Route Tables** are used to control the routing of network traffic within az network route-table list --query "[].{name:name, resourceGroup:resourceGroup, location:location}" -o table # List routes for a table -az network route-table route list --route-table-name --resource-group --query "[].{name:name, addressPrefix:addressPrefix, nextHopType:nextHopType, nextHopIpAddress:nextHopIpAddress}" -o table +az network route-table route list --resource-group --route-table-name ``` {{#endtab }} 
@@ -226,13 +233,65 @@ Get-AzPrivateEndpoint | Select-Object Name, Location, ResourceGroupName, Private {{#endtab }} {{#endtabs }} +### DNS OverDoS via service Private DNS zone links + +When a VNet has a **Virtual Network Link** to a **service Private DNS zone** (e.g., `privatelink.blob.core.windows.net`), Azure **forces hostname resolution** for Private Link registered resources of that service type through the zone. If the zone **lacks the required `A` record** for a resource that workloads still access via its public endpoint, DNS resolution returns **NXDOMAIN** and clients never reach the public IP, causing an **availability DoS** without touching the resource itself. + +**Abuse flow (control-plane DoS):** + +1. Gain RBAC that allows creating **Private Endpoints** or modifying **Private DNS zone links**. +2. Create a Private Endpoint for the same service type in another VNet (Azure auto-creates the service Private DNS zone and links it to that VNet). +3. Link that **service Private DNS zone** to the victim VNet. +4. Because the victim VNet now **forces resolution via the Private DNS zone** and no `A` record exists for the target resource in that zone, name resolution fails and the workload cannot reach the (still-public) endpoint. This applies to any Private Link–supported service (storage, Key Vault, ACR, Cosmos DB, Function Apps, OpenAI, etc.). 
+ +**Discovery at scale (Azure Resource Graph):** + +- VNETs linked to the blob Private DNS zone (forced resolution for PL-registered blob endpoints): + +```kusto +resources +| where type == "microsoft.network/privatednszones/virtualnetworklinks" +| extend + zone = tostring(split(id, "/virtualNetworkLinks")[0]), + vnetId = tostring(properties.virtualNetwork.id) +| join kind=inner ( + resources + | where type == "microsoft.network/privatednszones" + | where name == "privatelink.blob.core.windows.net" + | project zoneId = id +) on $left.zone == $right.zoneId +| project vnetId +``` + +- Storage accounts reachable over public endpoint but **without** Private Endpoint connections (likely to break if above link is added): + +```kusto +Resources +| where type == "microsoft.storage/storageaccounts" +| extend publicNetworkAccess = properties.publicNetworkAccess +| extend defaultAction = properties.networkAcls.defaultAction +| extend vnetRules = properties.networkAcls.virtualNetworkRules +| extend ipRules = properties.networkAcls.ipRules +| extend privateEndpoints = properties.privateEndpointConnections +| where publicNetworkAccess == "Enabled" +| where defaultAction == "Deny" +| where (isnull(privateEndpoints) or array_length(privateEndpoints) == 0) +| extend allowedVnets = iif(isnull(vnetRules), 0, array_length(vnetRules)) +| extend allowedIps = iif(isnull(ipRules), 0, array_length(ipRules)) +| where allowedVnets > 0 or allowedIps > 0 +| project id, name, vnetRules, ipRules +``` + + ## Azure Service Endpoints -Azure Service Endpoints extend your virtual network private address space and the identity of your VNet to Azure services over a direct connection. By enabling service endpoints, **resources in your VNet can securely connect to Azure services**, like Azure Storage and Azure SQL Database, using Azure's backbone network. This ensures that the **traffic from the VNet to the Azure service stays within the Azure network**, providing a more secure and reliable path. 
+Azure Service Endpoints extend your virtual network private address space and the identity of your VNet to Azure services over a direct connection. By enabling service endpoints, **resources in your VNet can securely connect to Azure services**, like Azure Storage and Azure SQL Database, over the Azure backbone network. This is particularly useful when combined with Network Security Groups (NSGs) for granular traffic control. **Example:** -For instance, an **Azure Storage** account by default is accessible over the public internet. By enabling a **service endpoint for Azure Storage within your VNet**, you can ensure that only traffic from your VNet can access the storage account. The storage account firewall can then be configured to accept traffic only from your VNet. +- With **Storage** Account and Service Endpoint **enabled** in a VNET, it's possible to allow inbound traffic **only from a VNET in the storage account firewall**, forcing a **secure connection** without needing public IP access for the storage service. + +Service Endpoints **do not require private IP addresses** for the services and instead rely on the Azure backbone for secure connectivity. They're **easier to set up** compared to Private Links but **do not provide the same level of isolation and granularity** as Private Links. ### **Enumeration** 
@@ -240,20 +299,17 @@ For instance, an **Azure Storage** account by default is accessible over the pub {{#tab name="az cli" }} ```bash -# List Virtual Networks with Service Endpoints -az network vnet list --query "[].{name:name, location:location, serviceEndpoints:serviceEndpoints}" -o table - # List Subnets with Service Endpoints -az network vnet subnet list --resource-group --vnet-name --query "[].{name:name, serviceEndpoints:serviceEndpoints}" -o table +az network vnet subnet list --resource-group --vnet-name --query "[].{name:name, serviceEndpoints:serviceEndpoints}" + +# List Service Endpoints for a Subnet +az network vnet subnet show --resource-group --vnet-name --name --query "serviceEndpoints" ``` {{#endtab }} {{#tab name="PowerShell" }} ```bash -# List Virtual Networks with Service Endpoints -Get-AzVirtualNetwork - # List Subnets with Service Endpoints (Get-AzVirtualNetwork -ResourceGroupName -Name ).Subnets ``` 
@@ -287,112 +343,72 @@ In summary, while both Service Endpoints and Private Links provide secure connec ## Azure Front Door (AFD) & AFD WAF -**Azure Front Door** is a scalable and secure entry point for **fast delivery** of your global web applications. It **combines** various services like global **load balancing, site acceleration, SSL offloading, and Web Application Firewall (WAF)** capabilities into a single service. Azure Front Door provides intelligent routing based on the **closest edge location to the user**, ensuring optimal performance and reliability. Additionally, it offers URL-based routing, multiple-site hosting, session affinity, and application layer security. +**Azure Front Door** is a scalable and secure entry point for **fast delivery** of your global web applications. It **combines** various services like **application acceleration, SSL offloading, and application layer security** (through Web Application Firewall - WAF). It's built on the concept of edge POP (Point of Presence) locations around the world to bring your applications closer to your users. -**Azure Front Door WAF** is designed to **protect web applications from web-based attacks** without modification to back-end code. It includes custom rules and managed rule sets to protect against threats such as SQL injection, cross-site scripting, and other common attacks. +> Azure Front Door provides a globally distributed network of edge locations to **route and accelerate** incoming traffic to your web applications (in Azure or elsewhere), improve performance, and enhance security. **Example:** -Imagine you have a globally distributed application with users all around the world. You can use Azure Front Door to **route user requests to the nearest regional data center** hosting your application, thus reducing latency, improving user experience and **defending it from web attacks with the WAF capabilities**. 
If a particular region experiences downtime, Azure Front Door can automatically reroute traffic to the next best location, ensuring high availability. +- For a global e-commerce platform with users worldwide, **Azure Front Door can cache static content at edge locations** and offer **SSL offloading**, reducing latency and providing a more responsive user experience. Additionally, it provides **WAF** to protect your applications from common web vulnerabilities (like SQL injection or XSS). -### Enumeration +Azure Front Door also offers **smart load balancing** by routing traffic to the nearest available backend based on health probes and latency, ensuring consistent performance and availability. By integrating **WAF**, it helps protect against common web threats. + +### **Enumeration** {{#tabs }} {{#tab name="az cli" }} ```bash -# List Azure Front Door Instances -az network front-door list --query "[].{name:name, resourceGroup:resourceGroup, location:location}" -o table +# List Azure Front Door profiles +az afd profile list --query "[].{name:name, location:location, resourceGroup:resourceGroup}" -o table -# List Front Door WAF Policies -az network front-door waf-policy list --query "[].{name:name, resourceGroup:resourceGroup, location:location}" -o table +# List AFD endpoints +az afd endpoint list --profile-name --resource-group --query "[].{name:name, hostName:hostName, state:resourceState}" -o table ``` {{#endtab }} {{#tab name="PowerShell" }} ```bash -# List Azure Front Door Instances -Get-AzFrontDoor +# List Azure Front Door profiles +Get-AzFrontDoorCdnProfile | Select-Object Name, Location, ResourceGroupName -# List Front Door WAF Policies -Get-AzFrontDoorWafPolicy -Name -ResourceGroupName +# List AFD endpoints +Get-AzFrontDoorCdnEndpoint -ProfileName -ResourceGroupName | Select-Object Name, HostName, ResourceState ``` {{#endtab }} {{#endtabs }} -## Azure Application Gateway and Azure Application Gateway WAF +## VNet Peering & HUB and Spoke topologies -Azure 
Application Gateway is a **web traffic load balancer** that enables you to manage traffic to your **web** applications. It offers **Layer 7 load balancing, SSL termination, and web application firewall (WAF) capabilities** in the Application Delivery Controller (ADC) as a service. Key features include URL-based routing, cookie-based session affinity, and secure sockets layer (SSL) offloading, which are crucial for applications that require complex load-balancing capabilities like global routing and path-based routing. +### VNet Peering -**Example:** - -Consider a scenario where you have an e-commerce website that includes multiple subdomains for different functions, such as user accounts and payment processing. Azure Application Gateway can **route traffic to the appropriate web servers based on the URL path**. For example, traffic to `example.com/accounts` could be directed to the user accounts service, and traffic to `example.com/pay` could be directed to the payment processing service.\ -And **protect your website from attacks using the WAF capabilities.** - -### **Enumeration** - -{{#tabs }} -{{#tab name="az cli" }} - -```bash -# List the Web Application Firewall configurations for your Application Gateways -az network application-gateway waf-config list --gateway-name --resource-group --query "[].{name:name, firewallMode:firewallMode, ruleSetType:ruleSetType, ruleSetVersion:ruleSetVersion}" -o table -``` - -{{#endtab }} -{{#tab name="PowerShell" }} - -```bash -# List the Web Application Firewall configurations for your Application Gateways -(Get-AzApplicationGateway -Name -ResourceGroupName ).WebApplicationFirewallConfiguration -``` - -{{#endtab }} -{{#endtabs }} - -## Azure Hub, Spoke & VNet Peering - -**VNet Peering** is a networking feature in Azure that **allows different Virtual Networks (VNets) to be connected directly and seamlessly**. 
Through VNet peering, resources in one VNet can communicate with resources in another VNet using private IP addresses, **as if they were in the same network**.\ +**VNet Peering** is a feature in Azure that **allows different Virtual Networks (VNets) to be connected directly and seamlessly**. Through VNet peering, resources in one VNet can communicate with resources in another VNet using private IP addresses, **as if they were in the same network**.\ **VNet Peering can also used with a on-prem networks** by setting up a site-to-site VPN or Azure ExpressRoute. -**Azure Hub and Spoke** is a network topology used in Azure to manage and organize network traffic. **The "hub" is a central point that controls and routes traffic between different "spokes"**. The hub typically contains shared services such as network virtual appliances (NVAs), Azure VPN Gateway, Azure Firewall, or Azure Bastion. The **"spokes" are VNets that host workloads and connect to the hub using VNet peering**, allowing them to leverage the shared services within the hub. This model promotes clean network layout, reducing complexity by centralizing common services that multiple workloads across different VNets can use. - -> [!CAUTION] > **VNET pairing is non-transitive in Azure**, which means that if spoke 1 is connected to spoke 2 and spoke 2 is connected to spoke 3 then spoke 1 cannot talk directly to spoke 3. +**Azure Hub and Spoke** is a network architecture that leverages VNet peering to create a central **Hub VNet** which connects to multiple **Spoke VNets**. The hub typically contains shared services (such as firewalls, DNS, or Active Directory) while spokes host application workloads. This design simplifies management, enhances security through centralized controls, and reduces redundancy. **Example:** -Imagine a company with separate departments like Sales, HR, and Development, **each with its own VNet (the spokes)**. 
These VNets **require access to shared resources** like a central database, a firewall, and an internet gateway, which are all located in **another VNet (the hub)**. By using the Hub and Spoke model, each department can **securely connect to the shared resources through the hub VNet without exposing those resources to the public internet** or creating a complex network structure with numerous connections. +A large enterprise with multiple departments (Finance, HR, IT) can create a **Hub VNet with shared services** like firewalls and DNS servers. Each department can have its own Spoke VNet that connects to the Hub via peering. This allows departments to securely communicate and use shared services without exposing their resources to the public internet. -### Enumeration +### **Enumeration** {{#tabs }} {{#tab name="az cli" }} ```bash -# List all VNets in your subscription -az network vnet list --query "[].{name:name, location:location, addressSpace:addressSpace}" -o table - -# List VNet peering connections for a given VNet -az network vnet peering list --resource-group --vnet-name --query "[].{name:name, peeringState:peeringState, remoteVnetId:remoteVnetId}" -o table - -# List Shared Resources (e.g., Azure Firewall) in the Hub -az network firewall list --query "[].{name:name, location:location, resourceGroup:resourceGroup}" -o table +# List VNet Peerings +az network vnet peering list --resource-group --vnet-name --query "[].{name:name, remoteVnetId:remoteVirtualNetwork.id, allowForwardedTraffic:allowForwardedTraffic, allowGatewayTransit:allowGatewayTransit}" ``` {{#endtab }} {{#tab name="PowerShell" }} ```bash -# List all VNets in your subscription -Get-AzVirtualNetwork - -# List VNet peering connections for a given VNet -(Get-AzVirtualNetwork -ResourceGroupName -Name ).VirtualNetworkPeerings - -# List Shared Resources (e.g., Azure Firewall) in the Hub -Get-AzFirewall +# List VNet Peerings +Get-AzVirtualNetworkPeering -ResourceGroupName -VirtualNetworkName ``` 
{{#endtab }} @@ -400,7 +416,7 @@ Get-AzFirewall ## Site-to-Site VPN -A Site-to-Site VPN in Azure allows you to **connect your on-premises network to your Azure Virtual Network (VNet)**, enabling resources such as VMs within Azure to appear as if they are on your local network. This connection is established through a **VPN gateway that encrypts traffic** between the two networks. +A **Site-to-Site VPN** in Azure establishes a secure and **persistent connection from your on-premises network to your Azure Virtual Network (VNet)**, enabling resources such as VMs within Azure to appear as if they are on your local network. This connection is established through a **VPN gateway that encrypts traffic** between the two networks. **Example:** @@ -462,7 +478,10 @@ Get-AzExpressRouteCircuit {{#endtab }} {{#endtabs }} -{{#include ../../../../banners/hacktricks-training.md}} - +## References +- [DNS OverDoS: Are Private Endpoints Too Private?](https://unit42.paloaltonetworks.com/dos-attacks-and-azure-private-endpoint/) +- [Azure Private Endpoint DNS configuration](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) +- [Private DNS fallback to internet](https://learn.microsoft.com/en-us/azure/dns/private-dns-fallback) +{{#include ../../../../banners/hacktricks-training.md}}
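Review bot: in hunk `@@ -85,13 +85,15`, the new `Select-Object -ExpandProperty SecurityRules` pipeline lists only the custom rules, while `Get-AzNetworkSecurityGroup` also returns `DefaultSecurityRules` (the built-in AllowVnetInBound / AllowAzureLoadBalancerInBound / DenyAllInBound set and the outbound counterparts), and those defaults are what decide reachability when no custom rule matches; add a second line that expands `DefaultSecurityRules` with the same projection so the effective ruleset is visible. Also, rules that use several prefixes or an ASG populate `SourceAddressPrefixes` / `SourceApplicationSecurityGroups` instead of `SourceAddressPrefix`, so this projection will print blanks for them; include the plural properties or note the gap.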
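Review bot: in hunk `@@ -99,9 +101,9`, the added example "route `0.0.0.0/0` to a Network Virtual Appliance (NVA) IP" should state that the NVA's NIC must have IP forwarding enabled (`az network nic update --ip-forwarding true`) or the redirected packets are dropped, and the first bullet reads as if `0.0.0.0/0` with next hop Internet is something to configure, when it is the existing system route that a UDR overrides. Suggested wording: "the system route already sends `0.0.0.0/0` to the Internet next hop; a UDR for the same prefix with next hop type VirtualAppliance overrides it and forces egress through the NVA".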
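Review bot: in hunk `@@ -169,7 +176,7`, the rewritten `az network route-table route list --resource-group --route-table-name` drops the `--query` projection and `-o table`, so `nextHopType` and `nextHopIpAddress` (the two fields that expose a UDR steering traffic to an NVA or blackholing it with next hop `None`) end up buried in raw JSON. Keep the removed projection `--query "[].{name:name, addressPrefix:addressPrefix, nextHopType:nextHopType, nextHopIpAddress:nextHopIpAddress}" -o table`; reordering the two arguments is fine on its own.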
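Review bot: in hunk `@@ -226,13 +233,65`, step 1 of the abuse flow understates the permission that matters: linking a Private DNS zone to the victim VNet requires `Microsoft.Network/virtualNetworks/join/action` on that VNet in addition to `Microsoft.Network/privateDnsZones/virtualNetworkLinks/write` on the zone, and that join action is what a defender has to audit, so name it. Three more things in the same hunk: the NXDOMAIN outcome only applies to workloads that resolve through Azure DNS (168.63.129.16) or a forwarder ending there, and the link-level `resolutionPolicy` set to `NxDomainRedirect` (the "Private DNS fallback to internet" page already listed under References) is the mitigation, so state both next to the attack rather than leaving the reference orphaned; in the first ARG query, `$left.zone == $right.zoneId` is a case-sensitive join on resource IDs whose segment casing (`resourceGroups` vs `resourcegroups`) is not guaranteed to match between link and zone records, so wrap both sides in `tolower()` and use `=~` for the zone name; and in the second query, `defaultAction == "Deny"` together with `allowedVnets > 0 or allowedIps > 0` excludes accounts with `defaultAction == "Allow"`, which suffer the same NXDOMAIN, so either drop those filters or retitle the query as "accounts that rely on VNet/IP firewall rules".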
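Review bot: in hunk `@@ -240,20 +299,17`, removing the VNet-level listing is correct (`serviceEndpoints` is a subnet property, not a VNet one), but the PowerShell side still stops at `.Subnets`, whose default view does not print which services are enabled; expand it to mirror the az cli projection, e.g. `| Select-Object Name, @{n='ServiceEndpoints';e={$_.ServiceEndpoints.Service -join ','}}`.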
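Review bot: hunk `@@ -287,112 +343,72` deletes two security-relevant items that should stay: the `[!CAUTION]` that VNet peering is non-transitive (spoke 1 peered to spoke 2 peered to spoke 3 gives spoke 1 no path to spoke 3 unless traffic is routed through the hub), which is still true and is exactly the constraint a pentester needs when planning lateral movement, and all WAF enumeration (`az network front-door waf-policy list`, `Get-AzFrontDoorWafPolicy`, plus the whole Application Gateway section). The new `az afd profile list` / `az afd endpoint list` pair only covers Standard/Premium profiles, so if classic Front Door is intentionally dropped, say so, and add `az afd security-policy list --profile-name --resource-group` so WAF attachments remain enumerable; for Application Gateway, restore the section with `az network application-gateway waf-policy list` or `az network application-gateway waf-config show --gateway-name --resource-group` rather than the removed `waf-config list`, which is not a valid subcommand.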