Pentesting Azure Applications

Pentesting Azure Applications

by Matt Burrough
Released July 2018
Publisher(s): No Starch Press
ISBN: 9781593278632

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

"Pentesting Azure Applications is a comprehensive guide to penetration testing cloud services deployed in Microsoft Azure, the popular cloud computing service provider used by numerous companies. You’ll start by learning how to approach a cloud-focused penetration test and how to obtain the proper permissions to execute it; then, you’ll learn to perform reconnaissance on an Azure subscription, gain access to Azure Storage accounts, and dig into Azure’s Infrastructure as a Service (IaaS).

You’ll also learn how to:

• Uncover weaknesses in virtual machine settings that enable you to acquire passwords, binaries, code, and settings files• Use PowerShell commands to find IP addresses, administrative users, and resource details• Find security issues related to multi-factor authentication and management certificates• Penetrate networks by enumerating firewall rules• Investigate specialized services like Azure Key Vault, Azure Web Apps, and Azure Automation• View logs and security events to find out when you’ve been caught

Packed with sample pentesting scripts, practical advice for completing security assessments, and tips that explain how companies can configure Azure to foil common attacks, Pentesting Azure Applications is a clear overview of how to effectively perform cloud-focused security tests and provide accurate findings and recommendations."

Table of contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. About the Author
  5. About the Technical Reviewer
  6. Dedication
  7. BRIEF CONTENTS
  8. CONTENTS IN DETAIL
  9. FOREWORD by Thomas W. Shinder, MD
  10. ACKNOWLEDGMENTS
  11. INTRODUCTION
    1. About Penetration Testing
    2. What This Book Is About
    3. How This Book Is Organized
    4. What You’ll Need to Run the Tools
  12. 1 PREPARATION
    1. A Hybrid Approach
    2. Getting Permission
    3. Summary
  13. 2 ACCESS METHODS
    1. Azure Deployment Models
    2. Obtaining Credentials
    3. Mimikatz
    4. Best Practices: Usernames and Passwords
    5. Usernames and Passwords
    6. Best Practices: Management Certificates
    7. Finding Management Certificates
    8. Best Practices: Protecting Privileged Accounts
    9. Encountering Two-Factor Authentication
    10. Summary
  14. 3 RECONNAISSANCE
    1. Installing PowerShell and the Azure PowerShell Module
    2. Service Models
    3. Best Practices: PowerShell Security
    4. Authenticating with the PowerShell Module and CLI
    5. Authenticating with Management Certificates
    6. Best Practices: Service Principals
    7. Authenticating with Service Principals
    8. Best Practices: Subscription Security
    9. Gathering Subscription Information
    10. Gathering Information on Networking
    11. Consolidated PowerShell Scripts
    12. Summary
  15. 4 EXAMINING STORAGE
    1. Best Practices: Storage Security
    2. Accessing Storage Accounts
    3. Where to Find Storage Credentials
    4. Accessing Storage Types
    5. Summary
  16. 5 TARGETING VIRTUAL MACHINES
    1. Best Practices: VM Security
    2. Virtual Hard Disk Theft and Analysis
    3. Exploring the VHD with Autopsy
    4. Cracking Password Hashes
    5. Password Hash Attack Tools
    6. Using a VHD’s Secrets Against a VM
    7. Resetting a Virtual Machine’s Credentials
    8. Summary
  17. 6 INVESTIGATING NETWORKS
    1. Best Practices: Network Security
    2. Avoiding Firewalls
    3. Cloud-to-Corporate Network Bridging
    4. Summary
  18. 7 OTHER AZURE SERVICES
    1. Best Practices: Key Vault
    2. Examining Azure Key Vault
    3. Targeting Web Apps
    4. Best Practices: Automation
    5. Leveraging Azure Automation
    6. Summary
  19. 8 MONITORING, LOGS, AND ALERTS
    1. Azure Security Center
    2. Operations Management Suite
    3. Secure DevOps Kit
    4. Custom Log Handling
    5. Summary
  20. GLOSSARY
  21. INDEX

Product information

  • Title: Pentesting Azure Applications
  • Author(s): Matt Burrough
  • Release date: July 2018
  • Publisher(s): No Starch Press
  • ISBN: 9781593278632