JJK96 · February 24, 2023 12:05
diff --git a/azure_enumeration.ps1 b/azure_enumeration.ps1
 # DO NOT RUN THIS SCRIPT BLINDLY!
 # This script provides functions to enumerate open ports and network security configurations (NSG) in Azure.
 # Copy and paste snippets of the script to perform the tasks you need.

 $ips = <local_ips>
 $subscription = <subscription_id>
 
 function IPInRange {
    # https://github.com/omniomi/PSMailTools/blob/v0.2.0/src/Private/spf/IPInRange.ps1
    [cmdletbinding()]
    [outputtype([System.Boolean])]
    param(
        # IP Address to find.
        [parameter(Mandatory,
                   Position=0)]
        [validatescript({
            ([System.Net.IPAddress]$_).AddressFamily -eq 'InterNetwork'
        })]
        [string]
        $IPAddress,
 
        # Range in which to search using CIDR notation. (ippaddr/bits)
        [parameter(Mandatory,
                   Position=1)]
        [validatescript({
            $IP   = ($_ -split '/')[0]
            $Bits = ($_ -split '/')[1]
 
            (([System.Net.IPAddress]($IP)).AddressFamily -eq 'InterNetwork')
 
            if (-not($Bits)) {
                throw 'Missing CIDR notiation.'
            } elseif (-not(0..32 -contains [int]$Bits)) {
                throw 'Invalid CIDR notation. The valid bit range is 0 to 32.'
            }
        })]
        [alias('CIDR')]
        [string]
        $Range
    )
 
    # Split range into the address and the CIDR notation
    [String]$CIDRAddress = $Range.Split('/')[0]
    [int]$CIDRBits       = $Range.Split('/')[1]
 
    # Address from range and the search address are converted to Int32 and the full mask is calculated from the CIDR notation.
    [int]$BaseAddress    = [System.BitConverter]::ToInt32((([System.Net.IPAddress]::Parse($CIDRAddress)).GetAddressBytes()), 0)
    [int]$Address        = [System.BitConverter]::ToInt32(([System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()), 0)
    [int]$Mask           = [System.Net.IPAddress]::HostToNetworkOrder(-1 -shl ( 32 - $CIDRBits))
 
    # Determine whether the address is in the range.
    if (($BaseAddress -band $Mask) -eq ($Address -band $Mask)) {
        $true
    } else {
        $false
    }
 }
 
 Set-AzContext -Subscription $subscription
 $resourcegroups = Get-AzResourceGroup
 $vms = $resourcegroups | foreach { Get-AzVM -ResourceGroupName $_.ResourceGroupName }
 $vms_with_nsg = $vms | Select Name, ResourceGroupName, `
   @{N='NIC';E={
        $_.NetworkProfile.NetworkInterfaces.ID.Split('/')[-1]}}, `
   @{N='NSG';E={
      $nic = $_.NetworkProfile.NetworkInterfaces.ID.Split('/')[-1]
      $nic = Get-AzNetworkInterface -Name $nic
      if ($nic.NetworkSecurityGroup) {
          $nic.NetworkSecurityGroup.Id.Split('/')[-1]
      } elseif ($nic.IpConfigurations.subnet) {
          $subnet = $nic.IpConfigurations.subnet.Id
          $network = Get-AzVirtualNetwork -Name $subnet.Split('/')[-3]
          $nsg = $network.Subnets | where {$_.Id -eq $subnet} | select -expand NetworkSecurityGroup
          $nsg.Id.split('/')[-1]
      }
   }}
 $vms_with_ports = $vms_with_nsg | Select *, `
    @{N='ports'; E={
        $nsg = Get-AzNetworkSecurityGroup -Name $_.NSG
        $nsg.SecurityRules | where {$_.Direction -eq 'Inbound'} | where {$_.Access -eq "Allow"}
    }}
 $vms_with_public_ports = $vms_with_ports | Select *, `
    @{N='public_ports'; E={
        $_.ports | where {$_.SourceAddressPrefix.Contains('*')}
    }} | where {$_.public_ports} | where {(Get-AzNetworkInterface -Name $_.NIC).IpConfigurations.PublicIpAddress}
 # $nsgs = $vms_with_nsg | select -expand NSG | sort | uniq | foreach {Get-AzNetworkSecurityGroup -Name $_}
 $nsgs = Get-AzNetworkSecurityGroup
 $inbound_rules = $nsgs | select -expand SecurityRules | where {$_.Direction -eq 'Inbound'} | where {$_.Access -eq "Allow"}
 # $public_rules = $inbound_rules | where {$_.SourceAddressPrefix.Contains('*')}   
 $ips = Get-AzPublicIpAddress | select IpAddress,@{N="config";E={$_.IpConfiguration.Id}}
 
 $ips_and_ports = Get-AzLoadBalancer | foreach {
    $loadbalancer = $_
    $_.LoadBalancingRules | foreach {
        $ipconfig = Get-AzLoadBalancerFrontendIpConfig -Name $_.FrontendIpConfiguration.Id.split('/')[-1] -loadbalancer $loadbalancer
        if ($ipconfig.PublicIpAddress) {
            [pscustomobject]@{
                LoadBalancer = $loadbalancer
                Port = $_.FrontendPort
                IP = $ipconfig.PublicIpAddress.Id.split('/')[-1]
            }
        }
    }} | group IP | foreach {
        $PublicIpAddress = Get-AzPublicIpAddress -Name $_.Name
        [pscustomobject]@{
            IP = $PublicIpAddress.IpAddress
            Hostname = $PublicIpAddress.HostName
            Ports = $_.Group | select -exp Port
            LoadBalancer = $_.Group | select -exp LoadBalancer | uniq
        }
    }
 
 $ips_and_ports | foreach {
    $ports = $_.Ports | Join-String -Separator ','
    [string]::format("nmap -Pn -p {0} -sV -A {1}", $ports, $_.IP)
 }
 
 $accessible = $vms_with_ports | foreach {
   $new_ports = $_.Ports.Where({
        $_.SourceAddressPrefix.Where({
            $sourcecidr = $_
            if ($sourcecidr.Contains('/')) {
                $ips.Where({IPInRange $_ $sourcecidr}).Count -gt 0
            } else {
                $false
            }
        }).Count -gt 0
    })
    $_ | add-member -NotePropertyName "AccessiblePorts" -NotePropertyValue $new_ports
    if ($new_ports.Count -gt 0) {
        $_
    }
 }
 
 $accessible_with_ips = $accessible | select *,@{N="IP";E={
    $nic = Get-AzNetworkInterface -Name $_.NIC
    $nic.IpConfigurations[0].PrivateIpAddress
 }}
 
 $accessible_with_ips | foreach {
    $ports = $_.AccessiblePorts | select -exp DestinationPortRange | sort | uniq| Join-String -Separator ','
    [string]::format("nmap -Pn -p {0} -sV -A {1}", $ports, $_.IP)
 }
 
 #Storage accounts
 $accounts = Get-AzStorageAccount     
 
 # Keyvaults
 $keyvaults = Get-AzKeyVault | foreach {Get-AzKeyVault -VaultName $_.VaultName}
 $keyvaults | select -exp AccessPolicies | select -exp DisplayName | sort | uniq
	# DO NOT RUN THIS SCRIPT BLINDLY!
	# This script provides functions to enumerate open ports and network security configurations (NSG) in Azure.
	# Copy and paste snippets of the script to perform the tasks you need.

	$ips = <local_ips>
	$subscription = <subscription_id>

	function IPInRange {
	# https://github.com/omniomi/PSMailTools/blob/v0.2.0/src/Private/spf/IPInRange.ps1
	[cmdletbinding()]
	[outputtype([System.Boolean])]
	param(
	# IP Address to find.
	[parameter(Mandatory,
	Position=0)]
	[validatescript({
	([System.Net.IPAddress]$_).AddressFamily -eq 'InterNetwork'
	})]
	[string]
	$IPAddress,

	# Range in which to search using CIDR notation. (ippaddr/bits)
	[parameter(Mandatory,
	Position=1)]
	[validatescript({
	$IP = ($_ -split '/')[0]
	$Bits = ($_ -split '/')[1]

	(([System.Net.IPAddress]($IP)).AddressFamily -eq 'InterNetwork')

	if (-not($Bits)) {
	throw 'Missing CIDR notiation.'
	} elseif (-not(0..32 -contains [int]$Bits)) {
	throw 'Invalid CIDR notation. The valid bit range is 0 to 32.'
	}
	})]
	[alias('CIDR')]
	[string]
	$Range
	)

	# Split range into the address and the CIDR notation
	[String]$CIDRAddress = $Range.Split('/')[0]
	[int]$CIDRBits = $Range.Split('/')[1]

	# Address from range and the search address are converted to Int32 and the full mask is calculated from the CIDR notation.
	[int]$BaseAddress = [System.BitConverter]::ToInt32((([System.Net.IPAddress]::Parse($CIDRAddress)).GetAddressBytes()), 0)
	[int]$Address = [System.BitConverter]::ToInt32(([System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()), 0)
	[int]$Mask = [System.Net.IPAddress]::HostToNetworkOrder(-1 -shl ( 32 - $CIDRBits))

	# Determine whether the address is in the range.
	if (($BaseAddress -band $Mask) -eq ($Address -band $Mask)) {
	$true
	} else {
	$false
	}
	}

	Set-AzContext -Subscription $subscription
	$resourcegroups = Get-AzResourceGroup
	$vms = $resourcegroups \| foreach { Get-AzVM -ResourceGroupName $_.ResourceGroupName }
	$vms_with_nsg = $vms \| Select Name, ResourceGroupName, `
	@{N='NIC';E={
	$_.NetworkProfile.NetworkInterfaces.ID.Split('/')[-1]}}, `
	@{N='NSG';E={
	$nic = $_.NetworkProfile.NetworkInterfaces.ID.Split('/')[-1]
	$nic = Get-AzNetworkInterface -Name $nic
	if ($nic.NetworkSecurityGroup) {
	$nic.NetworkSecurityGroup.Id.Split('/')[-1]
	} elseif ($nic.IpConfigurations.subnet) {
	$subnet = $nic.IpConfigurations.subnet.Id
	$network = Get-AzVirtualNetwork -Name $subnet.Split('/')[-3]
	$nsg = $network.Subnets \| where {$_.Id -eq $subnet} \| select -expand NetworkSecurityGroup
	$nsg.Id.split('/')[-1]
	}
	}}
	$vms_with_ports = $vms_with_nsg \| Select *, `
	@{N='ports'; E={
	$nsg = Get-AzNetworkSecurityGroup -Name $_.NSG
	$nsg.SecurityRules \| where {$_.Direction -eq 'Inbound'} \| where {$_.Access -eq "Allow"}
	}}
	$vms_with_public_ports = $vms_with_ports \| Select *, `
	@{N='public_ports'; E={
	$_.ports \| where {$_.SourceAddressPrefix.Contains('*')}
	}} \| where {$_.public_ports} \| where {(Get-AzNetworkInterface -Name $_.NIC).IpConfigurations.PublicIpAddress}
	# $nsgs = $vms_with_nsg \| select -expand NSG \| sort \| uniq \| foreach {Get-AzNetworkSecurityGroup -Name $_}
	$nsgs = Get-AzNetworkSecurityGroup
	$inbound_rules = $nsgs \| select -expand SecurityRules \| where {$_.Direction -eq 'Inbound'} \| where {$_.Access -eq "Allow"}
	# $public_rules = $inbound_rules \| where {$_.SourceAddressPrefix.Contains('*')}
	$ips = Get-AzPublicIpAddress \| select IpAddress,@{N="config";E={$_.IpConfiguration.Id}}

	$ips_and_ports = Get-AzLoadBalancer \| foreach {
	$loadbalancer = $_
	$_.LoadBalancingRules \| foreach {
	$ipconfig = Get-AzLoadBalancerFrontendIpConfig -Name $_.FrontendIpConfiguration.Id.split('/')[-1] -loadbalancer $loadbalancer
	if ($ipconfig.PublicIpAddress) {
	[pscustomobject]@{
	LoadBalancer = $loadbalancer
	Port = $_.FrontendPort
	IP = $ipconfig.PublicIpAddress.Id.split('/')[-1]
	}
	}
	}} \| group IP \| foreach {
	$PublicIpAddress = Get-AzPublicIpAddress -Name $_.Name
	[pscustomobject]@{
	IP = $PublicIpAddress.IpAddress
	Hostname = $PublicIpAddress.HostName
	Ports = $_.Group \| select -exp Port
	LoadBalancer = $_.Group \| select -exp LoadBalancer \| uniq
	}
	}

	$ips_and_ports \| foreach {
	$ports = $_.Ports \| Join-String -Separator ','
	[string]::format("nmap -Pn -p {0} -sV -A {1}", $ports, $_.IP)
	}

	$accessible = $vms_with_ports \| foreach {
	$new_ports = $_.Ports.Where({
	$_.SourceAddressPrefix.Where({
	$sourcecidr = $_
	if ($sourcecidr.Contains('/')) {
	$ips.Where({IPInRange $_ $sourcecidr}).Count -gt 0
	} else {
	$false
	}
	}).Count -gt 0
	})
	$_ \| add-member -NotePropertyName "AccessiblePorts" -NotePropertyValue $new_ports
	if ($new_ports.Count -gt 0) {
	$_
	}
	}

	$accessible_with_ips = $accessible \| select *,@{N="IP";E={
	$nic = Get-AzNetworkInterface -Name $_.NIC
	$nic.IpConfigurations[0].PrivateIpAddress
	}}

	$accessible_with_ips \| foreach {
	$ports = $_.AccessiblePorts \| select -exp DestinationPortRange \| sort \| uniq\| Join-String -Separator ','
	[string]::format("nmap -Pn -p {0} -sV -A {1}", $ports, $_.IP)
	}

	#Storage accounts
	$accounts = Get-AzStorageAccount

	# Keyvaults
	$keyvaults = Get-AzKeyVault \| foreach {Get-AzKeyVault -VaultName $_.VaultName}
	$keyvaults \| select -exp AccessPolicies \| select -exp DisplayName \| sort \| uniq