Azure - Penetration Test Report
22 February 2016
Prepared by:
Kratos Technology and Training Solutions, Inc.
Bridge Pointe Corporate Centre
4820 Eastgate Mall
San Diego, CA 92121
READ THIS! THIS IS A LEGAL AGREEMENT BETWEEN MICROSOFT CORPORATION ("MICROSOFT") AND THE RECIPIENT OF THESE MATERIALS,
WHETHER AN INDIVIDUAL OR A CORPORATION OR OTHER ENTITY ("YOU"). BY CLICKING "I ACCEPT", DOWNLOADING OR USING THE MATERIALS,
YOU AGREE TO THESE TERMS. IF THIS AGREEMENT IS ATTACHED TO MATERIALS, BY ACCESSING OR USING THE ATTACHED MATERIALS, YOU AGREE
TO THESE TERMS.
1. For good and valuable consideration, the receipt and sufficiency of which are acknowledged, You and Microsoft agree as follows:
(a) If You are an authorized representative of a corporation or other entity ("Company"), and such Company has executed a Microsoft Corporation
Non-Disclosure Agreement that is not limited to a specific subject matter or event ("Microsoft NDA"), You represent that You have authority to act on
behalf of Company and agree that the Confidential Information, as defined in the Microsoft NDA, is subject to the terms and conditions of the
Microsoft NDA and that Company will treat the Confidential Information accordingly;
(b) If You are an individual, and have executed a Microsoft NDA, You agree that the Confidential Information, as defined in the Microsoft NDA, is
subject to the terms and conditions of the Microsoft NDA and that You will treat the Confidential Information accordingly; or
(c) If a Microsoft NDA has not been executed, You (if You are an individual), or Company (if You are an authorized representative of Company), as
applicable, agrees: (a) to refrain from disclosing or distributing the Confidential Information to any third party for five (5) years from the date of
disclosure of the Confidential Information by Microsoft to Company/You; (b) to refrain from reproducing or summarizing the Confidential Information;
and (c) to take reasonable security precautions, at least as great as the precautions it takes to protect its own confidential information, but no less than
reasonable care, to keep confidential the Confidential Information. You/Company, however, may disclose Confidential Information in accordance with a
judicial or other governmental order, provided You/Company either (i) gives Microsoft reasonable notice prior to such disclosure and to allow
Microsoft a reasonable opportunity to seek a protective order or equivalent, or (ii) obtains written assurance from the applicable judicial or
governmental entity that it will afford the Confidential Information the highest level of protection afforded under applicable law or regulation.
Confidential Information shall not include any information, however designated, that: (i) is or subsequently becomes publicly available without
Your/Company’s breach of any obligation owed to Microsoft; (ii) became known to You/Company prior to Microsoft’s disclosure of such information to
You/Company pursuant to the terms of this Agreement; (iii) became known to You/Company from a source other than Microsoft other than by the
breach of an obligation of confidentiality owed to Microsoft; or (iv) is independently developed by You/Company. For purposes of this paragraph,
"Confidential Information" means nonpublic information that Microsoft designates as being confidential or which, under the circumstances
surrounding disclosure ought to be treated as confidential by Recipient. "Confidential Information" includes, without limitation, information in tangible
or intangible form relating to and/or including released or unreleased Microsoft software or hardware products, the marketing or promotion of any
Microsoft product, Microsoft's business policies or practices, and information received from others that Microsoft is obligated to treat as confidential.
2. You may review these Materials only (a) as a reference to validate the platform and assist you in evaluating the referenced product(s) for purchase
and use. All other rights are retained by Microsoft; this agreement does not give You rights under any Microsoft patents. You may not (i) duplicate any
part of these Materials, (ii) remove this agreement or any notices from these Materials, or (iii) give any part of these Materials, or assign or otherwise
provide Your rights under this agreement, to anyone else.
3. If You are an entity and (a) merge into another entity or (b) a controlling ownership interest in You changes, Your right to use these Materials
automatically terminates and You must destroy them.
4. Monetary damages may not sufficiently compensate a breach of these terms. Microsoft may seek court orders to stop the disclosure of Confidential
Information in breach of these terms without the obligation of posting a bond.
5. This agreement is governed by the laws of the State of Washington. Any dispute involving it must be brought in the federal or state superior courts
located in King County, Washington, and You waive any defenses allowing the dispute to be litigated elsewhere. If there is litigation, the losing party
must pay the other party’s reasonable attorneys’ fees, costs and other expenses. If any part of this agreement is unenforceable, it will be considered
modified to the extent necessary to make it enforceable, and the remainder shall continue in effect. This agreement is the entire agreement between
You and Microsoft concerning these Materials; it may be changed only by a written document signed by both You and Microsoft.
FedRAMP Penetration Test Report
Microsoft Azure Public
Microsoft Confidential – Subject to Non-Disclosure Agreement Document Version: 1.1
Executive Summary
Kratos SecureInfo was contracted by Microsoft to complete a FedRAMP Penetration Test on the Azure
Public environment. This report provides the results of the activities performed during the test and
provides a permanent record of all security tests conducted. The testing was performed remotely from
the Kratos SecureInfo Technical Services Center (TSC) in San Antonio, from August 10, 2015 through
November 6, 2015. The test procedures included automated and manual system vulnerability testing
and were designed to obtain an accurate representation of the security posture of the selected targets.
Kratos SecureInfo analyzed the security of Azure Public from multiple vectors. The chart below
illustrates the vulnerability level of the Azure Public systems in scope, as determined by the
vulnerability identification phase of this penetration test and via manual testing.
There were no critical risk vulnerabilities detected. Fourteen (14) high, nineteen (19) moderate and four
(4) low risk vulnerabilities remain open after analysis by Microsoft and Kratos SecureInfo.
[Chart: Vulnerability Finding Distribution: 14 high, 19 moderate, 4 low]
Table of Contents
Executive Summary .......................................................................................................................................... ii
Introduction................................................................................................................................................... 5
1.1. Overview ................................................................................................................................................ 5
1.2. Scope....................................................................................................................................................... 5
1.3. Constraints ............................................................................................................................................. 5
1.4. Objectives .............................................................................................................................................. 6
1.4.1 Application Security ......................................................................................................................... 6
1.4.2 Network Security.............................................................................................................................. 6
1.4.3 Configuration Management ............................................................................................................ 6
1.4.4 Security Principles ............................................................................................................................ 6
Methodology ................................................................................................................................................. 7
FedRAMP Penetration Testing Vector Analysis......................................................................................... 7
External to Corporate ................................................................................................................................... 7
4.1. Social Engineering.................................................................................................................................. 7
4.1.1 Scope Overview ................................................................................................................................ 7
4.1.2 Threat Model..................................................................................................................................... 7
4.1.3 Information Gathering ..................................................................................................................... 8
4.1.4 Campaign Creation ........................................................................................................................ 10
4.1.5 Statistics Collection Method .......................................................................................................... 12
4.1.6 Exploitation ..................................................................................................................................... 14
4.1.7 Results ............................................................................................................................................. 14
External to Target System........................................................................................................................... 14
5.1. Network and Platform Layers............................................................................................................. 14
5.1.1 Scope Overview .............................................................................................................................. 14
5.1.2 Threat Model................................................................................................................................... 15
5.1.3 Reconnaissance ............................................................................................................................... 15
5.1.4 Vulnerability Assessment .............................................................................................................. 16
5.1.5 Exploitation ..................................................................................................................................... 16
5.2. Application Layer ................................................................................................................................ 16
5.2.1 Scope Overview .............................................................................................................................. 16
5.2.2 Threat Model................................................................................................................................... 18
5.2.3 Application: https://account.activedirectory.windowsazure.com .............................................. 18
5.2.4 Application: https://REDACTEDwindows.net ............................................................................ 21
5.2.5 Application: https://acis-beta.engineering.core.windows.net ..................................................... 23
5.2.6 Application: https://acis.engineering.core.windows.net ............................................................. 24
5.2.7 Application: https://admin.core.windows.net .............................................................................. 25
5.2.8 Application: https://fabriclogs.cloudapp.net ................................................................................ 26
5.2.9 Application: https://global.sts.msft.net ......................................................................................... 27
5.2.10 Application: https://icm.ad.msft.net............................................................................................ 28
5.2.11 Application: https://login.microsoftonline.com ......................................................................... 29
Introduction
1.1. Overview
Kratos SecureInfo was contracted by Microsoft to complete a FedRAMP penetration test on the Microsoft
Azure Public systems. The objective of this engagement was to identify vulnerable targets and penetrate
the environment. The Kratos SecureInfo testing team also attempted to identify areas of Microsoft Azure
Public platforms that could be leveraged to disclose information or gain access to sensitive data. The
following sections describe the systems reviewed during this assessment, the constraints, and
methodology.
1.2. Scope
The Azure Public platform is a major application operated as a cloud service by Microsoft and is the target
of this assessment.
In order to execute the penetration test in accordance with FedRAMP penetration testing guidance, this test
was broken into multiple sub-tests based upon perspectives of the required vectors. Each vector was
assigned an identified set of primary targets that should be visible to the simulated attacker. Further detail
on the scope of primary targets for a given vector is described in the respective Scope Overview section.
Upon successful compromise of a primary target in a vector, the assessor was authorized to pivot further
into the environment if possible. The scope of this phase of each vector included the full FedRAMP
accreditation boundary for Azure Public unless explicitly unauthorized in the Azure Penetration Testing
Rules of Engagement (RoE) document.
The overall scope of the FedRAMP penetration test included all devices and applications in the Azure
Public accreditation boundary as either a primary or secondary target unless unauthorized.
1.3. Constraints
During the engagement, Kratos SecureInfo did not perform any tests that would knowingly result in a
denial of service to networks, servers, or telephone systems.
1.4. Objectives
Kratos SecureInfo attempted to identify and exploit vulnerabilities to demonstrate security weaknesses in
the target environment. Kratos SecureInfo performed tests that would reveal weaknesses in the following
areas of security.
Least privilege
Segregation
Default Deny
Layered Security
Methodology
The purpose of the Kratos SecureInfo penetration testing methodology is to identify and exploit relevant
vulnerabilities and suggest countermeasures to reduce the system’s overall risk. Testing for this penetration
test followed the Kratos SecureInfo FedRAMP Penetration Testing Methodology included in the Microsoft
Azure Penetration Testing RoE.
Kratos SecureInfo determined that the Physical Penetration Testing vector was not applicable. The Azure
Public platforms reside in Microsoft Global Foundation Services (GFS) managed datacenters. Microsoft
GFS maintains a current FedRAMP PATO and provides security mechanisms to the Azure environments
as a service. Physical penetration testing for GFS datacenters was performed within the past 365 days.
Kratos SecureInfo also determined that the ‘Mobile Application’ vector was not applicable. The Azure
Public environment has no mobile phone related applications, services, or connections in scope for the
FedRAMP accreditation.
External to Corporate
4.1. Social Engineering
4.1.1 Scope Overview
A spear phishing exercise was designed and conducted as the social engineering test for Microsoft Azure.
The possible scope of the Microsoft Azure phishing reconnaissance included selected Azure operations
personnel with administrative access to environments in the accreditation boundary in addition to
Microsoft designated “vendor” accounts. The actual scope of the exercise was determined during the
Microsoft Azure RoE creation, which included an agreed upon sample of accounts provided by Microsoft.
The assessor determined that the LinkedIn platform would offer the best mechanism to gather potential
phishing victims. Large organizations like Microsoft have many employees with duties unrelated to the
target system. LinkedIn allowed for relatively accurate determination of a profile’s employer and offered a
freeform “title” field, which was used to target specific areas of an organization. This justified the use of
LinkedIn as the primary source of phishing targets.
The assessor was able to discover several highly networked LinkedIn profiles by using both the Bing and
Google search engines combined with the key words and phrases discovered previously. The following
searches were executed and resulted in usable profiles:
o https://www.linkedin.com/REDACTED
The LinkedIn profiles discovered previously were used to seed a LinkedIn crawling module of the recon-
ng tool to gather real names of potential targets networked to these seed profiles that also reported
“Microsoft” or “Microsoft Azure” as their employer. A total of ~3 hours of crawling time were expended
between the two seeded profiles. This resulted in a total of 1522 Microsoft profiles scraped from LinkedIn.
The scraping of LinkedIn resulted in the collection of names, titles, regions, and corporate email addresses.
The assessor observed that, in general, Microsoft corporate email addresses were of the form <First
Initial><Last Name>@microsoft.com with a soft maximum of 7 characters for the last name. The recon-ng
module ‘mangle’ was used, along with manual editing, to generate guesses at each user's correct corporate
email address.
Finally, the recon-ng database was queried for potential victims whose titles contained keywords specific
to Microsoft Azure.
[recon-ng][webex] > query select first_name,last_name,email,title,region,module from contacts where title like "%Azure%"
The following table summarizes results of the reconnaissance after accuracy analysis by Microsoft.
Metric Result
It was determined that the eleven (11) Azure employees with correct email aliases (above) were below the
acceptable threshold for the phishing campaign; therefore, Microsoft supplied an additional 29 vendor
accounts, from which fourteen (14) more random Azure accounts were to be selected. The total number of
approved accounts thus added up to 25 for the Microsoft phishing campaign.
REDACTED
A sample phishing mail delivered to the assessor's own account for testing is shown below. There are
several easily recognizable anomalies in the phishing email, such as:
REDACTED
Lastly, a webserver in the Kratos SecureInfo lab was configured to serve bogus, yet realistic, content to
phishing victims. When the user clicks the phishing email hyperlink, a custom URL carrying a hashed
identifier, such as https://www.azure-security.com/?u=0e3e88b5, redirects the browser to the
azure-security.com phishing website as shown below.
Access logs from the webserver are then used to monitor for successful phishing clicks. A sample log entry
generated during testing of the campaign is provided below.
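The statistics collection method described above (a per-recipient hashed identifier in the link, access logs checked for hits) can be turned into the reporting numbers the Results section uses: unique users who clicked, and the percentage who resisted. The following is an added example written for this page, not Kratos SecureInfo's tooling. It assumes a combined-format access log, constructed sample lines and recipient addresses, and an identifier derived from the first 8 hex digits of SHA-256 over the address; the report shows an 8-hex-digit value but does not state how it was produced. Requests carrying an identifier that maps to no recipient are counted separately so that mail-gateway link scanners or guessed identifiers do not inflate the click count.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed recipient list for the example (not the report's 25 targets).
RECIPIENTS = [
    "user01@example.com",
    "user02@example.com",
    "user03@example.com",
]


def tracking_id(email: str) -> str:
    # Assumption: id = first 8 hex digits of SHA-256 over the lower-cased address.
    # The report does not state its hashing scheme; this is illustrative only.
    return hashlib.sha256(email.lower().encode()).hexdigest()[:8]


# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed log lines: one real recipient click, one request with an id that
# maps to nobody (e.g. a link scanner), and one unrelated request.
SAMPLE_LOG = [
    f'203.0.113.5 - - [05/Nov/2015:14:02:11 +0000] "GET /?u={tracking_id("user02@example.com")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Nov/2015:14:03:40 +0000] "GET /?u=deadbeef HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    '203.0.113.9 - - [05/Nov/2015:14:03:41 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "curl/7.47.0"',
]


def parse_log(lines):
    """Yield one event per log line that carries a ?u= identifier."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ids = parse_qs(urlparse(m["path"]).query).get("u")
        if ids:
            yield {"ip": m["ip"], "ts": m["ts"], "id": ids[0], "ua": m["ua"]}


def campaign_stats(recipients, log_lines):
    """Attribute hits to recipients and compute the metrics reported in 4.1.7."""
    by_id = {tracking_id(r): r for r in recipients}
    hits = Counter()
    unknown = 0
    for ev in parse_log(log_lines):
        who = by_id.get(ev["id"])
        if who is None:
            unknown += 1          # scanner, preview fetch, or tampered id: not a victim
        else:
            hits[who] += 1
    clicked = len(hits)
    resisted = len(recipients) - clicked
    return {
        "targeted": len(recipients),
        "unique_clicked": clicked,
        "resisted": resisted,
        "resisted_pct": round(100.0 * resisted / len(recipients), 1) if recipients else 100.0,
        "hits": dict(hits),
        "unknown_ids": unknown,
    }


if __name__ == "__main__":
    for k, v in campaign_stats(RECIPIENTS, SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Counting unique recipients rather than raw requests matters: a single victim who opens the link several times, or a gateway that pre-fetches every link, would otherwise distort the "percent resisted" figure.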
4.1.6 Exploitation
The Microsoft Azure phishing exercise was launched from the Kratos SecureInfo lab on Wednesday,
November 4, 2015 at 22:13 UTC. A total of 25 potential victims were targeted during the exercise. The
assessor was able to observe victim interaction with the scam during the same day. Phishing ended
November 6, 2015 at 22:08 hrs.
4.1.7 Results
In total, zero (0) unique Azure Public users were observed interacting with the phishing webserver. One
hundred percent (100%) of the victims resisted phishing successfully. A full listing of victims, emails, and
raw logs can be found in Appendix A. Kratos SecureInfo recommends refresher security awareness
training to reduce the likelihood of a successful phishing campaign, especially for Microsoft-designated
vendors.
5.1.3 Reconnaissance
5.1.3.1. Information Gathering
The assessor attempted web searches (internet) for Azure Public-related vulnerabilities that are public
knowledge or have been published to the internet. No vulnerability data was uncovered.
Port/Protocol Service
53/TCP TCPwrapped
80/TCP HTTP
443/TCP SSL/TLSv1
1025/TCP Unknown
2601/TCP Zebra
2602/TCP Zebra
4567/TCP HTTP
7676/TCP Unknown
37215/TCP Unknown
37443/TCP Unknown
61023/TCP telnet
61080/TCP HTTP
61081/TCP HTTP
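A reviewer reading the port table above wants a repeatable way to separate the listeners that belong on an internet-facing endpoint from the ones that need a justification or a closure ticket. The block below is an added example, not part of the report or of any Kratos SecureInfo tooling; it parses the table exactly as printed, assumes that only 80/TCP and 443/TCP are expected on this edge (an assumption, not something the report states), and rates the remainder: cleartext administrative services (telnet, the Zebra/Quagga vty) as high, unidentified listeners and HTTP on non-standard ports as moderate, and access-controlled or legacy-TLS banners as low. The expected-port set and the severity rules are the reviewer's policy and should be adjusted per environment.

```python
from collections import Counter

# The port/service table from the report, as printed.
PORT_TABLE = """\
53/TCP TCPwrapped
80/TCP HTTP
443/TCP SSL/TLSv1
1025/TCP Unknown
2601/TCP Zebra
2602/TCP Zebra
4567/TCP HTTP
7676/TCP Unknown
37215/TCP Unknown
37443/TCP Unknown
61023/TCP telnet
61080/TCP HTTP
61081/TCP HTTP
"""

# Assumed allowlist for a public web endpoint (not stated by the report).
EXPECTED = {(80, "tcp"), (443, "tcp")}

# Cleartext or administrative protocols that should never face the internet.
PLAINTEXT_OR_ADMIN = {"telnet", "zebra", "ftp", "rsh", "rlogin"}


def parse_port_table(text):
    """Turn 'port/PROTO service' lines into (port, proto, service) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        port_proto, service = line.split(None, 1)
        port, proto = port_proto.split("/", 1)
        rows.append((int(port), proto.lower(), service.strip()))
    return rows


def review_exposure(rows, expected=EXPECTED):
    """Rate every listener that is not on the allowlist, plus weak banners on allowed ports."""
    findings = []
    for port, proto, service in rows:
        svc = service.lower()
        if (port, proto) in expected:
            # Allowed port, but a banner advertising only TLSv1 is still worth a note.
            if "tlsv1" in svc and "1.2" not in svc and "1.3" not in svc:
                findings.append(dict(port=port, proto=proto, service=service, severity="low",
                                     reason="banner reports TLSv1; verify protocol versions with a cipher scan"))
            continue
        if svc in PLAINTEXT_OR_ADMIN:
            sev, why = "high", f"{service} is a cleartext/administrative protocol"
        elif svc == "unknown":
            sev, why = "moderate", "unidentified listener; fingerprint and justify, or close"
        elif svc == "tcpwrapped":
            sev, why = "low", "access-controlled listener; confirm the allowed source is not 0.0.0.0/0"
        else:
            sev, why = "moderate", f"{service} on a non-standard port; confirm it is meant to be public"
        findings.append(dict(port=port, proto=proto, service=service, severity=sev, reason=why))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'moderate': 7, 'low': 2}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = review_exposure(parse_port_table(PORT_TABLE))
    for f in sorted(results, key=lambda f: ("high", "moderate", "low").index(f["severity"])):
        print(f"{f['severity']:<8} {f['port']}/{f['proto']}  {f['service']:<12} {f['reason']}")
    print(summarize(results))
```

Run against the table as printed, this yields three high findings (the two Zebra vty ports and telnet), seven moderate ones and two low ones; the point of the exercise is that every row ends with either an allowlist entry or an owner, not that the severity labels are final.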
Moderate Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key 1
5.1.5 Exploitation
5.1.5.1. Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key
The assessor verified the finding; however, no additional access was gained.
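The mitigation for this finding is a configuration change on the VPN gateway: with IKEv1 and a pre-shared key, aggressive mode has to be turned off (or the peer moved to IKEv2). The block below is an added example, not from the report and not tied to whatever gateway Microsoft actually runs; it assumes strongSwan's ipsec.conf syntax (conn sections with keyexchange, authby and aggressive settings, and conn %default inheritance), parses a constructed fragment, flags every connection that can still negotiate IKEv1 aggressive mode with PSK, and shows the corrected fragment beside it. It goes slightly beyond the single finding by treating keyexchange=ike as IKEv1-capable, because that default accepts IKEv1 as a responder.

```python
import re

# Constructed strongSwan-style ipsec.conf (not the assessed gateway's config).
# site-a inherits IKEv1 + PSK from %default and enables aggressive mode: weak.
# site-b also sets aggressive=yes but negotiates IKEv2 only, where it has no effect.
# site-c keeps main mode: fine.
WEAK_CONF = """\
config setup

conn %default
    keyexchange=ikev1
    authby=secret

conn site-a
    left=%any
    right=203.0.113.10
    aggressive=yes

conn site-b
    right=203.0.113.11
    keyexchange=ikev2
    aggressive=yes

conn site-c
    right=203.0.113.12
    aggressive=no
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' values merged into each conn."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[:1].isspace():                      # section header, e.g. 'conn site-a'
            m = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
            current = (m.group(1), m.group(2)) if m else None
            if current:
                sections.setdefault(current, {})
            continue
        if current and "=" in line:                    # indented key=value belongs to current section
            key, value = line.strip().split("=", 1)
            sections[current][key.strip().lower()] = value.strip().lower()
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), kv in sections.items():
        if kind == "conn" and name != "%default":
            merged = dict(default)
            merged.update(kv)
            conns[name] = merged
    return conns


def ike_aggressive_psk_findings(conns):
    """Names of conns that can negotiate IKEv1 aggressive mode with a pre-shared key."""
    findings = []
    for name, kv in conns.items():
        keyexchange = kv.get("keyexchange", "ike")     # strongSwan default: 'ike'
        aggressive = kv.get("aggressive", "no") == "yes"
        psk = kv.get("authby", "pubkey") in {"psk", "secret"}
        ikev1_possible = keyexchange in {"ikev1", "ike"}  # 'ike' still answers IKEv1 as responder
        if aggressive and psk and ikev1_possible:
            findings.append(name)
    return sorted(findings)


def harden(text):
    """Rewrite aggressive=yes to aggressive=no; main mode is the fix when IKEv1 PSK must remain."""
    return re.sub(r"(?m)^([ \t]*aggressive[ \t]*=[ \t]*)yes[ \t]*$", r"\1no", text)


if __name__ == "__main__":
    print("weak:   ", ike_aggressive_psk_findings(parse_ipsec_conf(WEAK_CONF)))
    print("fixed:  ", ike_aggressive_psk_findings(parse_ipsec_conf(harden(WEAK_CONF))))
    print(harden(WEAK_CONF))
```

Disabling aggressive mode removes the exposure that the finding describes (the PSK-derived hash leaving the gateway before any authentication). Where a remote peer genuinely needs aggressive mode, the stronger fix is moving that peer to IKEv2 or to certificate authentication rather than keeping aggressive mode and relying on PSK strength alone.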
Azure External
Endpoints - Microsoft Azure Penetration Testing ROE.xlsx
https://global.sts.msft.net/adfs/ls
https://vault.azure.net
https://ch1prdstr05b.stamp-diagnostics.store.core.windows.net/cws/
BL2PrdApp01-t1-dsts.dsts.core.windows.net
BL2PrdApp02-t1-dsts.dsts.core.windows.net
BL2PrdApp02-t2-dsts.dsts.core.windows.net
BL2PrdApp11-t1-dsts.dsts.core.windows.net
BL2PrdApp11-t2-dsts.dsts.core.windows.net
BL2PrdApp12-t1-dsts.dsts.core.windows.net
BL3PrdApp06-t1-dsts.dsts.core.windows.net
BL3PrdApp11-t1-dsts.dsts.core.windows.net
BL4PrdApp01-t1-dsts.dsts.core.windows.net
BN1PrdApp02-t1-dsts.dsts.core.windows.net
BN1PrdApp03-t1-dsts.dsts.core.windows.net
BN1PrdApp04-t1-dsts.dsts.core.windows.net
BN3PrdApp01-t1-dsts.dsts.core.windows.net
BN3PrdApp02-t1-dsts.dsts.core.windows.net
BN3PrdApp02-t2-dsts.dsts.core.windows.net
BN3PrdApp04-t1-dsts.dsts.core.windows.net
BN3PrdApp08-t1-dsts.dsts.core.windows.net
BY1PrdApp06-t1-dsts.dsts.core.windows.net
BY1PrdApp06-t2-dsts.dsts.core.windows.net
BY1PrdApp10-t1-dsts.dsts.core.windows.net
BY1PrdApp10-t2-dsts.dsts.core.windows.net
BY1PrdApp14-t1-dsts.dsts.core.windows.net
BY2PrdApp02-t1-dsts.dsts.core.windows.net
BY2PrdApp03-t1-dsts.dsts.core.windows.net
BY2PrdApp05-t1-dsts.dsts.core.windows.net
BY3PrdApp01-t1-dsts.dsts.core.windows.net
BY3PrdApp02-t1-dsts.dsts.core.windows.net
BY3PrdApp12-t1-dsts.dsts.core.windows.net
BY3PrdApp13-t1-dsts.dsts.core.windows.net
BY4PrdApp01-t1-dsts.dsts.core.windows.net
CH1PrdApp10-t1-dsts.dsts.core.windows.net
CH1PrdApp13-t1-dsts.dsts.core.windows.net
CH1PrdApp14-t1-dsts.dsts.core.windows.net
CH3PrdApp04-t1-dsts.dsts.core.windows.net
CH3PrdApp04-t2-dsts.dsts.core.windows.net
CH3PrdApp09-T1-dsts.dsts.core.windows.net
CH3PrdApp11-T1-dsts.dsts.core.windows.net
CH3PrdApp11-T2-dsts.dsts.core.windows.net
DM1PrdApp02-t1-dsts.dsts.core.windows.net
DM1PrdApp03-t1-dsts.dsts.core.windows.net
DM1PrdApp04-t1-dsts.dsts.core.windows.net
DM2PrdApp01-t1-dsts.dsts.core.windows.net
DM2PrdApp02-t1-dsts.dsts.core.windows.net
DM2PrdApp03-t1-dsts.dsts.core.windows.net
DM2PrdApp04-t1-dsts.dsts.core.windows.net
DM2PrdApp05-t1-dsts.dsts.core.windows.net
DM2PrdApp06-t1-dsts.dsts.core.windows.net
SN2PrdApp01-t1-dsts.dsts.core.windows.net
SN2PrdApp07-t1-dsts.dsts.core.windows.net
SN3PrdApp01-t1-dsts.dsts.core.windows.net
SN3PrdApp02-t1-dsts.dsts.core.windows.net
SN3PrdApp11-T1-dsts.dsts.core.windows.net
SN3PrdApp12-T1-dsts.dsts.core.windows.net
SN3PrdApp12-t2-dsts.dsts.core.windows.net
SN3PrdApp15-t1-dsts.dsts.core.windows.net
https://login.microsoftonline-p.net
https://admin.core.windows.net
https://ch1prdstr05b.stamp-diagnostics.store.core.windows.net/sds/
https://production.secretstore.core.windows.net
https://passwordreset.microsoftonline.com/
https://ch1prdstr05b.stamp-diagnostics.store.core.windows.net/
https://location.core.windows.net
https://storageaccount.core.windows.net
https://xlocationsn3prod.location-diagnostics.store.core.windows.net/
Search engine results from the Bing and Google engines provided cached pages, however no interesting
site versions were discovered.
Similarly, internet archiving projects, such as https://archive.org/web, did contain cached versions of the
application’s content dated as early as January 12, 2015. No additional information was discovered through
the browsing of old cached application pages.
5.2.3.2. Reconnaissance
A summary report of the automated and manual application mapping is provided below.
account.activedirectory.windowsazure.com_analyze.html
The assessor reviewed the false positive finding reported by the scanner.
5.2.3.4. Exploitation
5.2.3.4.2. Authorization
No issues with authorization were discovered by the automated vulnerability scanner. The scan results
returned no findings for directory traversal or sensitive URL disclosure.
The assessor also attempted to forcibly browse potentially sensitive URLs using the ‘Discover Content’
engagement tool provided within Burp Suite Pro. No additional “admin” pages or similar were
discovered.
REDACTED
Similarly, internet archiving projects, such as https://archive.org/web, contained only a single snapshot of
content from this application dated January 23, 2015. No interesting information was observed.
5.2.4.2. Reconnaissance
whatweb-accounts.accesscontrol.windows.net.txt
A summary report of the automated and manual application mapping is provided below.
accounts.accesscontrol.windows.net_analyze.html
5.2.4.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
5.2.5.2. Reconnaissance
whatweb-acis-beta.engineering.core.windows.net.txt
A summary report of the automated and manual application mapping is provided below.
acis-beta.engineering.core.windows.net._analyze.html
5.2.5.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google engine provided only a cached login page.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.6.2. Reconnaissance
whatweb-acis.engineering.core.windows.net.txt
A summary report of the automated and manual application mapping is provided below.
acis.engineering.core.windows.net._analyze.html
5.2.6.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained no results.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.7.2. Reconnaissance
whatweb-admin.core.windows.net.txt
A summary report of the automated and manual application mapping is provided below.
admin.core.windows.net_analyze.html
5.2.7.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained no results.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.8.2. Reconnaissance
whatweb-fabriclogs.cloudapp.net.txt
A summary report of the automated and manual application mapping is provided below.
fabriclogs.cloudapp.net_analyze.html
5.2.8.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained no results.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.9.2. Reconnaissance
whatweb-global.sts.msft.net.txt
A summary report of the automated and manual application mapping is provided below.
fabriclogs.cloudapp.net_analyze.html
5.2.9.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained no results.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.10.2. Reconnaissance
whatweb-icm.ad.msft.net.txt
A summary report of the automated and manual application mapping is provided below.
icm.ad.msft.net_analyze.html
5.2.10.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained cached versions of the login page
in various languages.
Archiving projects, such as https://archive.org/web/, contained 1025 snapshots of the application’s content
dated November 25, 2010 through current.
5.2.11.2. Reconnaissance
whatweb-login.microsoftonline.com.txt
A summary report of the automated and manual application mapping is provided below.
login.microsoftonline.com_analyze.html
The assessor reviewed the false positive finding reported by the scanner.
5.2.11.4. Exploitation
5.2.11.4.2. Authorization
No issues with authorization were discovered by the automated vulnerability scanner. The scan results
returned no findings for directory traversal or sensitive URL disclosure.
The assessor also attempted to forcibly browse potentially sensitive URLs using the ‘Discover Content’
engagement tool provided within Burp Suite Pro. No additional “admin” pages or similar were
discovered.
Search engine results from the Google and Bing search engines contained cached login pages.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.12.2. Reconnaissance
whatweb-manage.windowsazure.com.txt
A summary report of the automated and manual application mapping is provided below.
manage.windowsazure.com_analyze.html
5.2.12.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained cached login pages.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.13.2. Reconnaissance
whatweb-mats.cloudapp.net.txt
A summary report of the automated and manual application mapping is provided below.
mats.cloudapp.net_analyze.html
5.2.13.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained no results.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.14.2. Reconnaissance
A summary report of the automated and manual application mapping is provided below.
monitoring.windows.net_analyze.html
5.2.14.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained cached pages of the login portal
and legal notices.
Archiving projects, such as https://archive.org/web/, contained cached versions of the application’s
content dated September 4, 2013 through current.
5.2.15.2. Reconnaissance
whatweb-portal.aadrm.com.txt
A summary report of the automated and manual application mapping is provided below.
portal.aadrm.com_analyze.html
5.2.15.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained cached pages of the login portal
and home page.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.16.2. Reconnaissance
whatweb-portal.azurerms.com.txt
A summary report of the automated and manual application mapping is provided below.
portal.azurerms.com_analyze.html
5.2.16.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained cached pages of the login portal
and home page.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.17.2. Reconnaissance
whatweb-production.billing.monitoring.core.windows.net.txt
A summary report of the automated and manual application mapping is provided below.
production.billing.monitoring.core.windows.net_analyze.html
5.2.17.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained cached pages of the login portal.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.18.2. Reconnaissance
whatweb-production.diagnostics.monitoring.core.windows.net.txt
A summary report of the automated and manual application mapping is provided below.
production.diagnostics.monitoring.core.windows.net_analyze.html
5.2.18.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained no cached pages of the
application.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.19.2. Reconnaissance
whatweb-production.runners.monitoring.core.windows.net.txt
A summary report of the automated and manual application mapping is provided below.
production.runners.monitoring.core.windows.net_analyze.html
5.2.19.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained cached login pages of the
application.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.20.2. Reconnaissance
whatweb-rma.trafficmanager.net.txt
A summary report of the automated and manual application mapping is provided below.
rma.trafficmanager.net_analyze.html
5.2.20.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
Search engine results from the Google and Bing search engines contained no cached pages of the
application.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
5.2.21.2. Reconnaissance
whatweb-wanetmon.cloudapp.net.txt
A summary report of the automated and manual application mapping is provided below.
wanetmon.cloudapp.net_analyze.html
5.2.21.4. Exploitation
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
6.1.3 Reconnaissance
6.1.3.1. Information Gathering
The assessor attempted web searches (internet) for Azure Public-related vulnerabilities that are public
knowledge or have been published to the internet. No vulnerability data was uncovered.
Tue Oct 27 17:27:23 2015 nmap -T5 -PN -oN APFT-output.txt -iL
All hosts targeted in this scan failed to resolve for further investigation.
6.1.5 Exploitation
Since no targets were resolved during the endpoint mapping phase, no exploitation could be
accomplished.
The assessor was able to review user documentation about the Microsoft Azure service via the official
location at https://azure.microsoft.com/en-us/documentation/
6.2.3.2. Reconnaissance
The assessor leveraged the scripting tool ‘whatweb’ in order to perform fingerprinting of additional
middleware, frameworks, or technologies in use at the application layer. Whatweb uncovered the use of
Microsoft-IIS 8.5, but was unable to fingerprint further technologies.
whatweb-manage.windowsazure.com.txt
The assessor was provisioned a customer administrator account upon creation of each trial tenant
environment.
The Azure Public dashboard provides the main mechanism for customers to manage services offered by
the system. Instances of individual services can be launched through the management portal by navigating
to the appropriate section and selecting “create new.”
A sample portal screenshot from in-progress testing is provided below for reference.
REDACTED
The assessor instantiated all services readily available to the tenant to observe the interaction between the
tenant administrator’s browser and Azure management portal. Some services required additional
infrastructure or resources which made thorough testing untenable. Services available for the tenants are
listed in the following table.
A summary report of the automated and manual application mapping is provided below.
manage.windowsazure.com_analyze.html
6.2.3.4. Exploitation
Session tokens used by the application were analyzed for vulnerabilities. All cookies which appeared to
contain session information were marked with the ‘http-only’ and ‘secure’ attributes. This is similarly
confirmed by the Burp Suite Pro scanner results. The manage.windowsazure.com application set the
following cookie values after authentication.
The cookies listed above were manipulated in an attempt to access a session belonging to one of the
‘victim’ tenants listed in the Azure Penetration Test RoE. No additional session access was gained.
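The check described above, confirming that every session-bearing cookie carries the ‘Secure’ and ‘HttpOnly’ attributes, is easy to automate against captured response headers. The following is an added example written for this report, not tooling used by the assessor or part of the Azure service. The response headers and cookie names are constructed for the example, and the session-name heuristic (SESSION_HINTS) is a hypothetical list that should be tuned to the application under test.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Name fragments that usually mark a session or authentication cookie.
# Hypothetical heuristic for this example; tune it to the application under test.
SESSION_HINTS = ("sess", "auth", "token", "sid", "ticket")


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265); flag attributes such as
    Secure and HttpOnly carry no value and are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Record which transport and script-access protections the cookie lacks."""
    name, _, attrs = parse_set_cookie(header_value)
    secure = attrs.get("secure") is True
    httponly = attrs.get("httponly") is True
    samesite = attrs.get("samesite")
    audit = CookieAudit(name, secure, httponly,
                        samesite if isinstance(samesite, str) else None)
    if not secure:
        audit.missing.append("Secure")
    if not httponly:
        audit.missing.append("HttpOnly")
    return audit


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response_headers(raw_headers: str) -> Dict[str, List[str]]:
    """Map each session-looking cookie in a raw response header block to the
    attributes it is missing; cookies that carry both flags are not reported."""
    findings: Dict[str, List[str]] = {}
    for line in raw_headers.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() != "set-cookie":
            continue
        audit = audit_set_cookie(value.strip())
        if looks_like_session_cookie(audit.name) and audit.missing:
            findings[audit.name] = audit.missing
    return findings


# Constructed response headers for demonstration; not captured from any real service.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: ASP.NET_SessionId=c0nstructed1; Path=/; Secure; HttpOnly
Set-Cookie: auth_token=c0nstructed2; Path=/; HttpOnly; SameSite=Lax
Set-Cookie: ui_lang=en; Path=/
"""

if __name__ == "__main__":
    for cookie, missing in audit_response_headers(SAMPLE_RESPONSE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Run against the constructed headers it reports only `auth_token: missing Secure`; the `ui_lang` cookie is skipped because its name does not look like a session cookie, and the `ASP.NET_SessionId` cookie passes both checks. The SameSite value is recorded as well since a reviewer will usually want it alongside the two attributes the report checks.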
6.2.3.4.2. Authorization
No issues with authorization were discovered by the automated vulnerability scanner. The scan results
returned no findings for directory traversal or sensitive URL disclosure.
The assessor also attempted to forcibly browse potentially sensitive URLs using the ‘Discover Content’
engagement tool provided within Burp Suite Pro. No additional “admin” pages or similar were
discovered.
The assessor chose the GetRulesAndStats instance as the primary vulnerability instance for further
investigation. Manual confirmation of the vulnerability against a Kratos SecureInfo lab asset was executed.
This was a blind interaction with the Kratos SecureInfo lab since the results are not viewable in the server
response. The following screenshot shows the request/response pair used to confirm the vulnerability.
REDACTED
The following screenshot shows HTTP access logs from the Kratos SecureInfo asset indicating the Azure
Public service accessing an external service.
Next, the assessor attempted to leverage this access to create a server side scanning mechanism for further
reconnaissance. The following screenshots show examples of attempting to access a Kratos SecureInfo asset
on ports 8000 and 8001. Port 8000, as above, had a simple HTTP server while port 8001 had no service
running.
Request times for ports without an active network service consistently completed close to 2100
milliseconds. Similarly, request times for ports with an active network service consistently completed close
to 1100 milliseconds. Via this timing channel, the assessor was able to determine if the target device was
listening on a particular port, regardless of the actual service.
A Burp Suite Pro Intruder attack was configured to issue requests with incrementing port numbers to a
particular target. In the case below, the attack is configured to issue HTTP requests to ports on the local
host from port 75 to port 85.
In the attack results shown below, a significantly faster response time for port 80 can be observed. While
the total round trip is less than observed against the Kratos SecureInfo assets, this is to be expected due to
the network proximity.
This test confirmed the use of this vulnerability as a TCP connect scanner.
The assessor attempted to scan more of the internal network, however full port scans of the internal
environment proved to be too slow to accomplish at 1 port per second. No further access to Azure Public
hosts or networks was obtained.
Search engine results from the Bing and Google engines provided cached pages, however no interesting
site versions were discovered.
Similarly, internet archiving projects, such as https://archive.org/web, did contain cached versions of the
application’s content dated as early as November 25, 2010. No additional information was discovered
through the browsing of old application cached pages.
6.2.4.2. Reconnaissance
whatweb-login.microsoftonline.com.txt
The assessor was provisioned an account upon creation of each trial tenant environment.
The login.microsoftonline.com application was identified as the main mechanism for customers to manage
their identity and authenticate to Microsoft online services.
A sample portal screenshot from in-progress testing is provided below for reference.
A summary report of the automated and manual application mapping is provided below.
login.microsoftonline.com_analyze.html
The assessor reviewed the false positive finding reported by the scanner.
6.2.4.4. Exploitation
The “/login.srf” endpoint was targeted by the scanning tool Burp Suite Pro. Burp attempts to submit two requests
differing in the “Referer:” header in order to determine if the application changes behavior. Since the application
appears to perform the login function regardless of the specified Referer, Burp determined this to be a CSRF
vulnerability.
Further exploitation of this vulnerability for additional access would have required targeting users outside the scope of
this engagement. No further access was attempted or gained using this vulnerability.
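The scanner check described above looks for a login handler that ignores the request's origin. The usual server-side mitigation is to validate the Origin header (falling back to Referer) against an allow-list and to require a per-session anti-CSRF token. The following is an added example illustrating that pattern; it is not code from the service under test and does not describe how login.microsoftonline.com is implemented. The allowed origin, header dictionaries and token values are constructed for the example.

```python
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list for the example; a real deployment lists its own origins.
ALLOWED_ORIGINS = {"https://login.example.test"}


def origin_of(url: str) -> Optional[str]:
    """Reduce an absolute URL to its scheme://host[:port] origin, lower-cased."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def request_origin_allowed(headers: Dict[str, str],
                           allowed=ALLOWED_ORIGINS) -> Tuple[bool, str]:
    """Decide whether a state-changing request came from an allowed origin.

    Browsers send Origin on cross-site POSTs, so it is checked first; Referer is
    the fallback. A request carrying neither header is rejected (fail closed),
    which is the behaviour the scanner check above expects to see.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        if origin.lower() == "null":
            return False, "Origin: null"
        return origin.lower() in allowed, f"Origin {origin}"
    referer = lowered.get("referer")
    if referer is not None:
        ref_origin = origin_of(referer)
        return ref_origin in allowed, f"Referer origin {ref_origin}"
    return False, "no Origin or Referer header"


def csrf_token_valid(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """Constant-time comparison of the form token with the one bound to the session."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def accept_login_post(headers: Dict[str, str], form: Dict[str, str],
                      session: Dict[str, str]) -> Tuple[bool, str]:
    """Combine both checks; either failure rejects the login submission."""
    ok, why = request_origin_allowed(headers)
    if not ok:
        return False, why
    if not csrf_token_valid(session.get("csrf"), form.get("csrf")):
        return False, "csrf token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: one same-origin, one cross-site, one with no headers.
    session = {"csrf": "t0ken-c0nstructed"}
    print(accept_login_post({"Origin": "https://login.example.test"},
                            {"csrf": "t0ken-c0nstructed"}, session))
    print(accept_login_post({"Referer": "https://other.example.test/page"},
                            {"csrf": "t0ken-c0nstructed"}, session))
    print(accept_login_post({}, {"csrf": "t0ken-c0nstructed"}, session))
```

Failing closed when neither header is present does break clients that strip Referer for privacy, which is why the Origin check comes first and the token check is kept as an independent control: a cross-site form post cannot read the session-bound token even when the origin headers are absent.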
6.2.4.4.2. Authorization
No issues with authorization were discovered by the automated vulnerability scanner. The scan results
returned no findings for directory traversal or sensitive URL disclosure.
The assessor also attempted to forcibly browse potentially sensitive URLs using the ‘Discover Content’
engagement tool provided within Burp Suite Pro. No additional “admin” pages or similar were
discovered.
The assessor was provisioned an account upon creation of each trial tenant environment.
A summary report of the automated and manual application mapping is provided below.
account.activedirectory.windowsazure.com_analyze.html
The assessor reviewed the false positive finding reported by the scanner.
6.2.5.4. Exploitation
6.2.5.4.2. Authorization
No issues with authorization were discovered by the automated vulnerability scanner. The scan results
returned no findings for directory traversal or sensitive URL disclosure.
The assessor also attempted to forcibly browse potentially sensitive URLs using the ‘Discover Content’
engagement tool provided within Burp Suite Pro. No additional “admin” pages or similar were
discovered.
Tenant to Tenant
7.1. Application Layer
7.1.1 Scope Overview
The scope of the application layer testing for this vector is described in the Azure Penetration RoE
document section 4.2.2. This selection covers Azure Public applications that are available to consumers of
the service.
7.1.3.2. Reconnaissance
The assessor performed reconnaissance activities for this application in section 6.2.3.
The assessor attempted to review interactions with the application to determine if a subscription ID could
be targeted. No vulnerabilities were discovered that would allow one tenant to manipulate services
deployed to another tenant.
7.1.3.4. Exploitation
Since no vulnerable conditions were observed, no exploitation activities were performed.
7.1.4.2. Reconnaissance
The assessor performed reconnaissance activities for this application in section 6.2.4.
The assessor attempted to review interactions with the application to determine if a subscription ID could
be targeted. No vulnerabilities were discovered that would allow one tenant to manipulate services
deployed to another tenant.
7.1.4.4. Exploitation
Since no vulnerable conditions were observed, no exploitation activities were performed.
7.1.5.2. Reconnaissance
The assessor performed reconnaissance activities for this application in section 6.2.5.
The assessor attempted to review interactions with the application to determine if a subscription ID could
be targeted. No vulnerabilities were discovered that would allow one tenant to manipulate services
deployed to another tenant.
7.1.5.4. Exploitation
Since no vulnerable conditions were observed, no exploitation activities were performed.
As part of the efforts to complete the Azure Public Rules of Engagement document, Kratos SecureInfo and
Microsoft identified devices used by Azure Public administrators to access their respective environments.
These devices are listed in section 2.1.1.1 of the Azure Simulated Internal Testing Appendix A document
included in the Rules of Engagement.
The assessor was able to dump local passwords stored within Windows. Due to the Windows 10 operating
system installed on the corporate asset, normal password dumping utilities like Windows Credential
Editor or mimikatz were ineffective. The assessor used a PowerShell suite ‘Reveal Windows Memory
Credentials (RWMC)’ in order to perform the dump. Only credentials for the local Administrator account
used to log into the asset were discovered.
(Azure) Wed Oct 14 15:52:50 2015 nmap -vvv -n -Pn -sT -p- --version-all --version-trace -sC -e ppp0 --max-retries 1 --max-rtt-timeout 400ms --initial-rtt-timeout 400ms -T5
80/tcp http
82/tcp www
88/tcp kerberos-sec
135/tcp msrpc
139/tcp netbios-ssn
443/tcp https
445/tcp microsoft-ds
593/tcp http-rpc-epmap
1009/tcp www
1026/tcp dce-rpc
1027/tcp IIS
1102/tcp www
1556/tcp veritas_pbx
1801/tcp msmq
2103/tcp dce-rpc
2105/tcp dce-rpc
2107/tcp msmq-mgmt
2179/tcp vmrdp
2381/tcp www
3389/tcp msrdp
6667/tcp www
6699/tcp www
8300/tcp unknown
8400/tcp cvd
8402/tcp abarsd
13782/tcp netbackup
49153/tcp dce-rpc
49154/tcp dce-rpc
49154/tcp dce-rpc
49155/tcp dce-rpc
49156/tcp dce-rpc
49157/tcp unknown
49158/tcp unknown
49160/tcp unknown
49161/tcp unknown
49163/tcp dce-rpc
49167/tcp dce-rpc
55555/tcp unknown
64623/tcp unknown
Three vulnerabilities reported by Nessus have instances which are false-positives. In all cases,
misidentification of the SSL certificates resulted in false positives traced back to initial Nessus Scanner
configuration. An Excel embedded pivot-chart is attached below depicting scanner results.
Microsoft Azure
Nessus Scan Results.xlsx
* Refer to attached pivot table for false-positive assignment
8.1.5 Exploitation
8.1.5.1. HP System Management Homepage Multiple Vulnerabilities
Host <REDACTED>.redmond.corp.microsoft.com (tcp/2381) has HP System Management Homepage
v6.1.0.102 installed. The installed version contains critical vulnerabilities applicable for penetration
exploitation. CVE-2011-1540 requires authentication and efforts were made to gain credentials in order to
verify the CVE; however no credentials were obtained. CVE-2011-1541 does not require authentication,
however no public exploit is available to the assessor. Vendor updates are available to mitigate these
vulnerabilities. These vulnerabilities are deemed high.
REDACTED
REDACTED
REDACTED
Vulnerability Summary
The following vulnerability table provides a de-duplicated listing of all vulnerabilities across all vectors
and all types of testing.
Conclusion
This report documents the network, system, and web application penetration testing performed by Kratos
SecureInfo for the Azure Public environment. Physical penetration testing was conducted on the hosting
IaaS, GFS. This testing is leveraged for the physical test vector as Azure inherits the physical and
environmental security controls from GFS. The security testing was designed to reveal and exploit
weaknesses in many aspects of Azure Public operation. The following summarizes the penetration testing
findings:
One high severity issue was determined to allow internal and external port scanning from a
Microsoft host using a flaw in XML parsing of a crafted request.
Moderate and low severity issues were discovered during internal and external testing; however
these vulnerabilities could not be leveraged for additional access.
Kratos SecureInfo recommends reviewing the configuration of XML parsing libraries used to process user
generated application traffic.
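The high severity finding above (section 6.2.3.4) and this recommendation both concern an XML parser that resolved external references in user-supplied documents, which let the service be used as a timing-based TCP connect scanner. The following is an added example of the parser configuration review being recommended, written for this report rather than taken from the Azure code base; it uses Python's standard expat binding to refuse any DOCTYPE, entity declaration or external entity reference before a document is processed. The sample documents, element names and the RFC 5737 address in the rejected sample are constructed for the example.

```python
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when an untrusted document uses a DTD feature we refuse to process."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    # Untrusted input never needs a DTD; rejecting it blocks external entities,
    # external DTD subsets and entity-expansion (billion laughs) documents at once.
    raise UnsafeXml(f"DOCTYPE not allowed (root {name!r}, system id {system_id!r})")


def _reject_entity_decl(name, is_param, value, base, system_id, public_id, notation):
    raise UnsafeXml(f"entity declaration not allowed: {name!r}")


def _reject_external_ref(context, base, system_id, public_id):
    raise UnsafeXml(f"external entity reference not allowed: {system_id!r}")


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse user-supplied XML into a plain tree of dicts without ever
    resolving an entity or fetching a URL. Raises UnsafeXml or ExpatError."""
    parser = expat.ParserCreate()
    # Never load parameter entities or the external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity_decl      # defence in depth
    parser.ExternalEntityRefHandler = _reject_external_ref

    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start(name, attrs):
        node = {"tag": name, "attrs": dict(attrs), "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(name):
        stack.pop()

    def chars(text):
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    if not root["children"]:
        raise UnsafeXml("no root element")
    return root["children"][0]


def classify(data: bytes) -> str:
    """Return "ok" for an accepted document, otherwise the rejection reason."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXml as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"malformed: {exc}"
    return "ok"


# Constructed samples. The second declares an external entity pointing at an
# RFC 5737 documentation address; a hardened parser must refuse it unread.
BENIGN = b'<?xml version="1.0"?><rules><rule name="r1" enabled="true">count</rule></rules>'
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE rules [<!ENTITY ext SYSTEM "http://192.0.2.10:8001/">]>'
    b'<rules><rule name="r1">&ext;</rule></rules>'
)
MALFORMED = b"<rules><rule></rules>"

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("external entity", EXTERNAL_ENTITY),
                       ("malformed", MALFORMED)):
        print(f"{label}: {classify(doc)}")
```

The equivalent review for other stacks is the same question asked of each parser in the request path: is DTD processing disabled, and if not, are external entities, parameter entities and network access turned off (for lxml, `XMLParser(resolve_entities=False, no_network=True, load_dtd=False)`)? Rejecting the DOCTYPE outright is simplest to audit because the decision is made before any entity is even declared.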
Kratos SecureInfo recommends conducting refresher security awareness training for Azure Public
administrators to reduce the likelihood of successful attack.
Kratos SecureInfo recommends reviewing and updating the configurations for devices implementing SSL
to ensure reliable transport security is always available.
Kratos SecureInfo finally recommends that vulnerability assessments and penetration tests continue to be
repeated at regular intervals to monitor the current level of risk. As always, continued vigilance in system
security is needed to help ensure future incidents do not occur.
This template is the base for all spear phishing emails sent in this campaign.
azure-phish-template.html
Azure_Public_External_discovery.zip
This archive contains Nessus scans from the service fingerprinting and
vulnerability assessment phases.
Azure_Public_Nessus_raw.zip
This archive contains Burp Suite Pro results from all phases of the
application penetration testing.
Azure_Public_Application_Burp.zip
Azure_Public_Tenant_to_Target_nmap.zip
This archive contains Burp Suite Pro results from all phases of the
application penetration testing.
Azure_Public_Tenant_to_Target_Burp.zip
This archive contains nmap scans from the endpoint enumeration and service
fingerprinting phase.
Azure_Public_Sim_Internal_nmap.zip
Azure_Public_Sim_Internal_Nessus.zip