Azure - Penetration Test Report

Microsoft Confidential – Subject to Non-Disclosure Agreement
FedRAMP Penetration Test

Prepared for:
22 February 2016
Prepared by:
Kratos Technology and Training Solutions, Inc.
Bridge Pointe Corporate Centre
4820 Eastgate Mall
San Diego, CA 92121
Offered through its dedicated team of cybersecurity experts:

Kratos SecureInfo
4511 Daly Drive, Suite A
888.677.9351
Chantilly, VA 20151
Microsoft Corporation Non-Disclosure Agreement for Compliance Materials
READ THIS! THIS IS A LEGAL AGREEMENT BETWEEN MICROSOFT CORPORATION ("MICROSOFT") AND THE RECIPIENT OF THESE MATERIALS,
WHETHER AN INDIVIDUAL OR A CORPORATION OR OTHER ENTITY ("YOU"). BY CLICKING "I ACCEPT", DOWNLOADING OR USING THE MATERIALS,
YOU AGREE TO THESE TERMS. IF THIS AGREEMENT IS ATTACHED TO MATERIALS, BY ACCESSING OR USING THE ATTACHED MATERIALS, YOU AGREE
TO THESE TERMS.
1. For good and valuable consideration, the receipt and sufficiency of which are acknowledged, You and Microsoft agree as follows:
(a) If You are an authorized representative of a corporation or other entity ("Company"), and such Company has executed a Microsoft Corporation
Non-Disclosure Agreement that is not limited to a specific subject matter or event ("Microsoft NDA"), You represent that You have authority to act on
behalf of Company and agree that the Confidential Information, as defined in the Microsoft NDA, is subject to the terms and conditions of the
Microsoft NDA and that Company will treat the Confidential Information accordingly;
(b) If You are an individual, and have executed a Microsoft NDA, You agree that the Confidential Information, as defined in the Microsoft NDA, is
subject to the terms and conditions of the Microsoft NDA and that You will treat the Confidential Information accordingly; or
(c) If a Microsoft NDA has not been executed, You (if You are an individual), or Company (if You are an authorized representative of Company), as
applicable, agrees: (a) to refrain from disclosing or distributing the Confidential Information to any third party for five (5) years from the date of
disclosure of the Confidential Information by Microsoft to Company/You; (b) to refrain from reproducing or summarizing the Confidential Information;
and (c) to take reasonable security precautions, at least as great as the precautions it takes to protect its own confidential information, but no less than
reasonable care, to keep confidential the Confidential Information. You/Company, however, may disclose Confidential Information in accordance with a
judicial or other governmental order, provided You/Company either (i) gives Microsoft reasonable notice prior to such disclosure and to allow
Microsoft a reasonable opportunity to seek a protective order or equivalent, or (ii) obtains written assurance from the applicable judicial or
governmental entity that it will afford the Confidential Information the highest level of protection afforded under applicable law or regulation.
Confidential Information shall not include any information, however designated, that: (i) is or subsequently becomes publicly available without
Your/Company’s breach of any obligation owed to Microsoft; (ii) became known to You/Company prior to Microsoft’s disclosure of such information to
You/Company pursuant to the terms of this Agreement; (iii) became known to You/Company from a source other than Microsoft other than by the
breach of an obligation of confidentiality owed to Microsoft; or (iv) is independently developed by You/Company. For purposes of this paragraph,
"Confidential Information" means nonpublic information that Microsoft designates as being confidential or which, under the circumstances
surrounding disclosure ought to be treated as confidential by Recipient. "Confidential Information" includes, without limitation, information in tangible
or intangible form relating to and/or including released or unreleased Microsoft software or hardware products, the marketing or promotion of any
Microsoft product, Microsoft's business policies or practices, and information received from others that Microsoft is obligated to treat as confidential.
2. You may review these Materials only (a) as a reference to validate the platform and assist you in evaluating the referenced product(s) for purchase
and use. All other rights are retained by Microsoft; this agreement does not give You rights under any Microsoft patents. You may not (i) duplicate any
part of these Materials, (ii) remove this agreement or any notices from these Materials, or (iii) give any part of these Materials, or assign or otherwise
provide Your rights under this agreement, to anyone else.
3. If You are an entity and (a) merge into another entity or (b) a controlling ownership interest in You changes, Your right to use these Materials
automatically terminates and You must destroy them.
4. Monetary damages may not sufficiently compensate a breach of these terms. Microsoft may seek court orders to stop the disclosure of Confidential
Information in breach of these terms without the obligation of posting a bond.
5. This agreement is governed by the laws of the State of Washington. Any dispute involving it must be brought in the federal or state superior courts
located in King County, Washington, and You waive any defenses allowing the dispute to be litigated elsewhere. If there is litigation, the losing party
must pay the other party’s reasonable attorneys’ fees, costs and other expenses. If any part of this agreement is unenforceable, it will be considered
modified to the extent necessary to make it enforceable, and the remainder shall continue in effect. This agreement is the entire agreement between
You and Microsoft concerning these Materials; it may be changed only by a written document signed by both You and Microsoft.
FedRAMP Penetration Test Report
Microsoft Azure Public
Microsoft Confidential – Subject to Non-Disclosure Agreement Document Version: 1.1
Executive Summary
Kratos SecureInfo was contracted by Microsoft to complete a FedRAMP Penetration Test on the Azure
Public environment. This report provides the results of the activities performed during the test and
provides a permanent record of all security tests conducted. The testing was performed remotely from
the Kratos SecureInfo Technical Services Center (TSC) in San Antonio, from August 10, 2015 through
November 6, 2015. The test procedures included automated and manual system vulnerability testing
and were designed to obtain an accurate representation of the security posture of the selected targets.
Kratos SecureInfo analyzed the security of Azure Public from multiple vectors. The chart below
illustrates the vulnerability level of the Azure Public systems in scope, as determined by the
vulnerability identification phase of this penetration test and via manual testing..
There were no critical risk vulnerabilities detected. Fourteen (14) high, nineteen (19) moderate and four
(4) low risk vulnerabilities remain open after analysis by Microsoft and Kratos SecureInfo.
Vulnerability Finding
Distribution
14 19
4
High Moderate Low
ii
Table of Contents
Executive Summary .......................................................................................................................................... ii
Introduction................................................................................................................................................... 5
1.1. Overview ................................................................................................................................................ 5
1.2. Scope....................................................................................................................................................... 5
1.3. Constraints ............................................................................................................................................. 5
1.4. Objectives .............................................................................................................................................. 6
1.4.1 Application Security ......................................................................................................................... 6
1.4.2 Network Security.............................................................................................................................. 6
1.4.3 Configuration Management ............................................................................................................ 6
1.4.4 Security Principles ............................................................................................................................ 6
Methodology ................................................................................................................................................. 7
FedRAMP Penetration Testing Vector Analysis......................................................................................... 7
External to Corporate ................................................................................................................................... 7
4.1. Social Engineering.................................................................................................................................. 7
4.1.1 Scope Overview ................................................................................................................................ 7
4.1.2 Threat Model..................................................................................................................................... 7
4.1.3 Information Gathering ..................................................................................................................... 8
4.1.4 Campaign Creation ........................................................................................................................ 10
4.1.5 Statistics Collection Method .......................................................................................................... 12
4.1.6 Exploitation ..................................................................................................................................... 14
4.1.7 Results ............................................................................................................................................. 14
External to Target System........................................................................................................................... 14
5.1. Network and Platform Layers............................................................................................................. 14
5.1.1 Scope Overview .............................................................................................................................. 14
5.1.2 Threat Model................................................................................................................................... 15
5.1.3 Reconnaissance ............................................................................................................................... 15
5.1.4 Vulnerability Assessment .............................................................................................................. 16
5.1.5 Exploitation ..................................................................................................................................... 16
5.2. Application Layer ................................................................................................................................ 16
5.2.1 Scope Overview .............................................................................................................................. 16
5.2.2 Threat Model................................................................................................................................... 18
5.2.3 Application: https://account.activedirectory.windowsazure.com .............................................. 18
5.2.4 Application: https://REDACTEDwindows.net ............................................................................ 21
5.2.5 Application: https://acis-beta.engineering.core.windows.net ..................................................... 23
5.2.6 Application: https://acis.engineering.core.windows.net ............................................................. 24
5.2.7 Application: https://admin.core.windows.net .............................................................................. 25
5.2.8 Application: https://fabriclogs.cloudapp.net ................................................................................ 26
5.2.9 Application: https://global.sts.msft.net ......................................................................................... 27
5.2.10 Application: https://icm.ad.msft.net............................................................................................ 28
5.2.11 Application: https://login.microsoftonline.com ......................................................................... 29
iii
5.2.12 Application: https://manage.windowsazure.com ...................................................................... 31

5.2.13 Application: https://mats.cloudapp.net ...................................................................................... 32
5.2.14 Application: https://monitoring.windows.net ............................................................................ 33
5.2.15 Application: https://portal.aadrm.com ....................................................................................... 34
5.2.16 Application: https://portal.azurerms.com................................................................................... 35
5.2.17 Application: https://production.billing.monitoring.core.windows.net .................................... 36
5.2.18 Application: https://production.diagnostics.monitoring.core.windows.net ............................ 37
5.2.19 Application: https://production.runners.monitoring.core.windows.net.................................. 38
5.2.20 Application: https://rma.trafficmanager.net ............................................................................... 39
5.2.21 Application: https://wanetmon.cloudapp.net ............................................................................ 40
Tenant to Target System ............................................................................................................................. 41
6.1.1 Scope Overview .............................................................................................................................. 41
6.1.2 Threat Model................................................................................................................................... 41
6.1.3 Reconnaissance ............................................................................................................................... 41
6.1.5 Exploitation ..................................................................................................................................... 42
6.2.1 Scope Overview .............................................................................................................................. 42
6.2.2 Threat Model................................................................................................................................... 42
6.2.3 Application: https://manage.windowsazure.com ........................................................................ 42
6.2.4 Application: https://login.microsoftonline.com ........................................................................... 49
Tenant to Tenant ......................................................................................................................................... 54
7.1.1 Scope Overview .............................................................................................................................. 54
7.1.2 Threat Model................................................................................................................................... 54
7.1.3 Application: https://manage.windowsazure.com ........................................................................ 55
7.1.4 Application: https://login.microsoftonline.com ........................................................................... 55
Corporate to Azure Public Management System ..................................................................................... 56
8.1.1 Scope Overview .............................................................................................................................. 56
8.1.2 Threat Model................................................................................................................................... 56
8.1.3 Information Gathering ................................................................................................................... 56
8.1.5 Exploitation ..................................................................................................................................... 60
8.2.1 Scope Overview .............................................................................................................................. 63
Vulnerability Summary .............................................................................................................................. 64
Conclusion ................................................................................................................................................. 65
iv
Appendix A – Phishing Artifacts ............................................................................................................. 67

Appendix B – External to Target Artifacts .............................................................................................. 67
Appendix C – Tenant to Target Artifacts ................................................................................................ 68
Appendix D – Simulated Internal Artifacts ............................................................................................ 68
Introduction
1.1. Overview
Kratos SecureInfo was contracted by Microsoft to complete a FedRAMP penetration test on the Microsoft
Azure Public systems. The objective of this engagement was to identify vulnerable targets and penetrate
the environment. The Kratos SecureInfo testing team also attempted to identify areas of Microsoft Azure
Public platforms that could be leveraged to disclose information or gain access to sensitive data. The
following sections describe the systems reviewed during this assessment, the constraints, and
methodology.
1.2. Scope
The Azure Public platform is a major applications operated as a cloud service by Microsoft and the target
of this assessment.
In order to execute the penetration test in accordance with FedRAMP penetration testing guidance, this test
was broken into multiple sub-tests based upon perspectives of the required vectors. Each vector was
assigned an identified set of primary targets that should be visible to the simulated attacker. Further detail
on the scope of primary targets for a given vector is described in the respective Scope Overview section.
Upon successful compromise of a primary target in a vector, the assessor was authorized to pivot further
into the environment if possible. The scope of this phase of each vector included the full FedRAMP
accreditation boundary for Azure Public unless explicitly unauthorized in the Azure Penetration Testing
Rules of Engagement (RoE) document.
The overall scope of the FedRAMP penetration test included all devices and applications in the Azure
Public accreditation boundary as either a primary or secondary target unless unauthorized.
1.3. Constraints
During the engagement, Kratos SecureInfo did not perform any tests that would knowingly result in a
denial of service to networks, servers, or telephone systems.
v
Document Version: 1.1
1.4. Objectives
Kratos SecureInfo attempted to identify and exploit vulnerabilities to demonstrate security weaknesses in
the target environment. Kratos SecureInfo performed tests that would reveal weaknesses in the following
areas of security.
1.4.1 Application Security

Application security is arguably the most heavily exploited security area. Applications are in continual
need of updates to fix the various security issues discovered during the application’s lifetime. Kratos
SecureInfo attempted to identify vulnerabilities in the applications deployed throughout the organization.
 Strong authentication is used by the application

 Proper input validation
 Security enforcement occurs on the server side.
1.4.2 Network Security

Once an intruder has gained access to a host, the next major barrier is the network’s security.
Compartmentalized network architectures can often contain an intruder and prevent infiltrator access to
other systems on the network. The protocols in use will be evaluated to ensure they are resistant to various
attacks against design flaws.
 No unnecessary ports and network services are accessible

 Strong authentication is used where possible
 Data is encrypted in transit where necessary
 The network has sufficient segregation
 Unauthorized services
1.4.3 Configuration Management

Continual security processes should be streamlined and easily managed. Before new systems are added to
the network, they should undergo a configuration process which includes the removal of unnecessary
functionality, configuration of security settings, and an overall configuration tuned and implemented
relative to their function and environment.
 Default passwords changed

 Default accounts removed or renamed
 Additional security options are specified
 Secure configurations are effective
1.4.4 Security Principles

The assessment will reveal how effective security principles have been implemented throughout the
system. Adherence to these principles can return significant long-term security benefits.
 Least privileged
6
 Segregation
 Default Deny
 Layered Security
Methodology
The purpose of the Kratos SecureInfo penetration testing methodology is to identify and exploit relevant
vulnerabilities and suggest countermeasures to reduce the system’s overall risk. Testing for this penetration
test followed the Kratos SecureInfo FedRAMP Penetration Testing Methodology included in the Microsoft
Azure Penetration Testing RoE.
FedRAMP Penetration Testing Vector Analysis

Kratos SecureInfo determined that the following vectors were applicable:
 External to Corporate
 External to Target System
 Tenant to Target System
 Tenant to Tenant
 Corporate to CSP Management System
Kratos SecureInfo determined that the Physical Penetration Testing vector was not applicable. The Azure
Public platforms reside in Microsoft Global Foundation Services (GFS) managed datacenters. Microsoft
GFS maintains a current FedRAMP PATO and provides security mechanisms to the Azure environments
as a service. Physical penetration testing for GFS datacenters was performed within the past 365 days.
Kratos SecureInfo also determined that the ‘Mobile Application’ vector was not applicable. The Azure
Public environment has no mobile phone related applications, services, or connections in scope for the
FedRAMP accreditation.
External to Corporate
4.1. Social Engineering
4.1.1 Scope Overview
A spear phishing exercise was designed and conducted as the social engineering test for Microsoft Azure.
The possible scope of the Microsoft Azure phishing reconnaissance included selected Azure operations
personnel with administrative access to environments in the accreditation boundary in addition to
Microsoft designated “vendor” accounts. The actual scope of the exercise was determined during the
Microsoft Azure RoE creation, which included an agreed upon sample of accounts provided by Microsoft.
4.1.2 Threat Model

This vector simulated an attack by external untrusted entity against internal untrusted Microsoft Azure
and Microsoft designated “vendor” accounts.
7
4.1.3 Information Gathering

The assessor began the information gathering phase by attempting to discover key words and phrases
related to the business conducted by Microsoft Azure. The assessor conducted Bing and Google searches
for “Microsoft Azure” as the first step in gathering publicly available keywords related to employees
working with the target system. From these searches, the assessor discovered keywords like “architect”,
“engineer”, “storage”, “security”, “active directory”, “application”, etc.
The assessor determined that the LinkedIn platform would offer the best mechanism to gather potential
phishing victims. Large organizations like Microsoft have many employees with duties unrelated to the
target system. LinkedIn allowed for relatively accurate determination of a profile’s employer and offered a
freeform “title” field, which was used to target specific areas of an organization. This justified the use of
LinkedIn as the primary source of phishing targets.
The assessor was able to discover several highly networked LinkedIn profiles by using both the Bing and
Google search engines combined with the key words and phrases discovered previously. The following
searches were executed and resulted in usable profiles:
 Google/Bing results for "inurl:linkedin" "microsoft" "azure" "architect"

o https://www.linkedin.com/REDACTED
 Google/Bing results for "inurl:linkedin" "microsoft" "azure" "seattle"

 Google/Bing results for "inurl:linkedin" "microsoft" "azure" "storage"

o https://www.linkedin.com/REDACTED -> no findings
 Google/Bing results for "inurl:linkedin" "microsoft" "azure" "security"

8
 Google/Bing results for "inurl:linkedin" "microsoft" "active directory" "seattle"

 Google/Bing results for "inurl:linkedin" "microsoft" "sql"

 Google/Bing results for "inurl:linkedin" "microsoft" "application"

The LinkedIn profiles discovered previously were used to seed a LinkedIn crawling module of the recon-
ng tool to gather real names of potential targets networked to these seed profiles that also reported
“Microsoft” or “Microsoft Azure” as their employer. A total of ~3 hours of crawling time were expended
between the two seeded profiles. This resulted in a total of 1522 Microsoft profiles scraped from LinkedIn.
The scraping of LinkedIn resulted in the collection of names, titles, regions, and corporate email addresses.
The assessor observed that, in general, Microsoft corporate email addresses were of the form <First
Initial><Last Name>@microsoft.com with a soft maximum of 7 characters for the last name. The recon-ng
module ‘mangle’ was used, along with manual editing, to generate guesses at each users correct corporate
email address.
Finally, the recon-ng database was queried for potential victims whose titles contained keywords specific
to Microsoft Azure.
 recon-ng][webex] > query select first_name,last_name,email,title,region,module from contacts
where title like "%Azure%"
The following table summarizes results of the reconnaissance after accuracy analysis by Microsoft.
9
Metric Result
Total Azure Employees with Correct Email Alias 11

Total Azure Employees with Incorrect Email Alias 0
Total Microsoft Employees not associated with 24
Microsoft Azure
Total Contacts Submitted for Evaluation 35
It was determined that the eleven (11) Azure employees with correct email aliases (above) were below the
acceptable threshold for the phishing campaign, therefore Microsoft supplied an additional 29 vendor
accounts of which fourteen (14) more random Azure accounts were to be selected. The total number of
approved accounts thus added up to 25 for the Microsoft phishing campaign.
4.1.4 Campaign Creation

A click based spear-phishing campaign was chosen as the exploit for the social engineering vector. Kratos
SecureInfo collaborated with the Azure Security team to design an acceptable email campaign based on
corporate alerts commonly delivered to Azure administrators. A legitimate phishing email was constructed
and an example is pictured below.
10
REDACTED
Figure 1 - Azure Phishing Email
A sample phishing mail delivered to the assessors own account for testing is shown below. There are
several easily recognizable anomalies to the phishing email such as:
11
 Non-Microsoft sending domain (azure-security.com)

 Hyperlink to a non-Microsoft domain
 Modified report structure
4.1.5 Statistics Collection Method

In order to identify/track individual users, each victim received a unique hyperlink embedded in the
message. A SHA-256 hash of the victim’s email address was truncated and combined with the phishing
domain to create the unique hyperlink, as shown below.
REDACTED
Figure 2 - Azure Phishing Execution
Lastly, a webserver in the Kratos SecureInfo lab was configured to serve bogus, yet realistic, content to
phishing victims. When the user clicks the phishing email hyperlink, a custom URL with the hashed
identifier such as https://www.azure-security.com/?u=0e3e88b5 redirects a browser to the azure-
security.com phishing website as shown below.
12
Figure 3 - Azure Phishing Page
Access logs from the webserver are then used to monitor for successful phishing clicks. A sample log entry
generated during testing of the campaign is provided below.
Figure 4 - Azure Phishing SSL Logs
13
4.1.6 Exploitation
The Microsoft Azure phishing exercise was launched from the Kratos SecureInfo lab on Wednesday,
November 4, 2015 at 22:13 UTC. A total of 25 potential victims were targeted during the exercise. The
assessor was able to observe victim interaction with the scam during the same day. Phishing ended
November 6, 2015 at 22:08hrs.
4.1.7 Results
In total, zero (0) unique Azure Public users were observed interacting with the phishing webserver. One
hundred percent (100%) of the victims resisted phishing successfully. A full listing of victims, emails, and
raw logs can be found in Appendix A. Kratos SecureInfo recommends refresher security awareness
training to reduce the likelihood of a successful phishing campaign, especially for Microsoft-designated
vendors.
Phishing Attack Results Summary
Victims from Kratos Contact Set
Victims from Microsoft Contact

Set, Vendors
Victims from Microsoft Contact
Set, Microsoft Employees
Resisted Phishing
A full listing of victims, emails, and raw logs can be found in Appendix A.
External to Target System

5.1. Network and Platform Layers
The scope of the network layer testing for this vector is described in the Azure Penetration Testing Rules of
Engagement document section 4.2.1.1. This selection covers Azure Public devices that are internet facing as
the primary targets, but includes the Azure Public inventory as possible post exploitation targets.
14
5.1.2 Threat Model

This vector simulated an attack by external untrusted entity against edge devices of Azure Public at the
network layer.
5.1.3 Reconnaissance
5.1.3.1. Information Gathering
The assessor attempted web searches (internet) for Azure Public-related vulnerabilities that are public
knowledge or have been published to the internet. No vulnerability data was uncovered.
5.1.3.2. Network Endpoint Enumeration

The targets in scope were scanned with the integrated port scanner from Nessus to detect live systems and
running services that may be exposed. The following table provides a summary of the scans.
Time of Scan Port Scan Targets and Configuration
2015/9/16 21:15 Port range : 1-65535
5.1.3.3. Network Service Enumeration and Fingerprinting

As part of the scans described above, the Nessus tool was used to fingerprint live host operating system
versions and network service versions. The following table summarizes the open ports and service
fingerprints discovered during the scan.
Port and Protocol Nmap Service Fingerprinting Results
53/TCP TCPwrapped
80/TCP HTTP
443/TCP SSL/TLSv1
1025/TCP Unknown
2601/TCP Zebra
2602/TCP Zebra
4567/TCP HTTP
7676/TCP Unknown
37215/TCP Unknown
37443/TCP Unknown
61023/TCP telnet
61080/TCP HTTP
61081/TCP HTTP
15
5.1.4 Vulnerability Assessment

Kratos SecureInfo uses the Tenable Nessus tool as the network service vulnerability scanner of choice. A
Nessus scanner located in the Kratos SecureInfo lab was tuned using network port scanning results
completed in section 5.1.3. The following table summarizes the network service vulnerabilities discovered
by Nessus.
Nessus Severity Vulnerability Instances
Moderate Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key 1
Moderate SSL Medium Strength Cipher Suites Supported 2
Moderate SSL RC4 Cipher Suites Supported 4
Moderate SSL Version 2 and 3 Protocol Detection 1
Moderate Unencrypted Telnet Server 1
5.1.5 Exploitation
5.1.5.1. Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key
The assessor verified the finding however no additional access was gained.
5.1.5.2. SSL Related Vulnerabilities

All SSL related vulnerabilities described in section 5.1.4 were not exploited for additional access to
sensitive information. Exploitation of these vulnerabilities requires an advantageous network position with
access to an active connection containing sensitive information. Since no access to a connection was
obtained with this vector, no exploitation could be accomplished.
5.1.5.3. Unencrypted Telnet Server

The Unencrypted Telnet Server vulnerability described in section 5.1.4 was not exploited for additional
access to sensitive information. Exploitation of this vulnerability requires an advantageous network
position with access to an active connection containing sensitive information. Since no access to a
connection was obtained with this vector, no exploitation could be accomplished.
5.2. Application Layer

The scope of the application layer testing for this vector is described in the Azure Penetration RoE
document section 4.2.2. This selection covers Azure Public applications that are externally available. The
following table describes the name and function of Azure Public web applications and services in scope for
this vector.
16
Azure External
Endpoints - Microsoft Azure Penetration Testing ROE.xlsx
The following applications produced little or no interaction during assessment:
 https://global.sts.msft.net/adfs/ls
 https://vault.azure.net
 https://ch1prdstr05b.stamp-diagnostics.store.core.windows.net/cws/
 BL2PrdApp01-t1-dsts.dsts.core.windows.net
 BN1PrdApp02-t1-dsts.dsts.core.windows.net
 BY1PrdApp06-t1-dsts.dsts.core.windows.net
 CH1PrdApp10-t1-dsts.dsts.core.windows.net
17
 CH3PrdApp09-T1-dsts.dsts.core.windows.net
 DM1PrdApp02-t1-dsts.dsts.core.windows.net
 SN2PrdApp01-t1-dsts.dsts.core.windows.net
 SN3PrdApp11-T1-dsts.dsts.core.windows.net
 SN3PrdApp12-T1-dsts.dsts.core.windows.net
 https://login.microsoftonline-p.net
 https://admin.core.windows.net
 https://ch1prdstr05b.stamp-diagnostics.store.core.windows.net/sds/
 https://production.secretstore.core.windows.net
 https://passwordreset.microsoftonline.com/
 https://ch1prdstr05b.stamp-diagnostics.store.core.windows.net/
 https://location.core.windows.net
 https://storageaccount.core.windows.net
 https://xlocationsn3prod.location-diagnostics.store.core.windows.net/
5.2.2 Threat Model

This vector simulated an attack by external untrusted entity against internal Azure Public applications at
the application layer.
5.2.3 Application: https://account.activedirectory.windowsazure.com

The assessor performed internet searches for documentation, cached pages, vulnerability information
about the account.activedirectory.windowsazure.com application.
18
Search engine results from the Bing and Google engines provided cached pages, however no interesting
site versions were discovered.
Similarly, internet archiving projects, such as https://archive.org/web, did contain cached versions of the
application’s content dated as early January 12, 2015. No additional information was discovered through
the browsing of old application cached pages.
5.2.3.2. Reconnaissance
5.2.3.2.1. Application Architecture

The assessor leveraged the scripting tool ‘whatweb’ in order to perform fingerprinting of additional
middleware, frameworks, or technologies in use at the application layer. Whatweb uncovered the use of
Microsoft-IIS 8.0 and ASP.NET, but was unable to fingerprint further technologies.
5.2.3.2.2. Account Roles and Authorization

No accounts were provided for this external vector.
5.2.3.2.3. Application Mapping

The assessor completed application mapping using a combination of manual browsing and automated
spidering with the Burp Suite Pro attack proxy.
A summary report of the automated and manual application mapping is provided below.
account.activedirectory.windowsazure.com_analyze.html
5.2.3.3. Vulnerability Assessment

Dynamic pages identified in Section 5.2.3.2.3 were selected for scanning using the Burp Suite Pro web
application scanner with full vulnerability checks selected. One (1) moderate finding and one (1) low
finding was discovered.
BurpSuite Vulnerability Instances

Severity
Moderate SSL Cookie without Secure Flag Set 2

Low Cookie without HttpOnly Flag Set 2
The assessor reviewed the false positive finding reported by the scanner.
BurpSuite False Positive Vulnerability Justification Instances

Severity
19
High XPath Injection The assessor reviewed all instanced of XPath 30

injection. Burp Suite incorrectly concluded
strings of characters in the response body of
the form “XPathEvaluator” an XPath error
message. Upon further review values
identified by BurpSuite appear to be
JavaScript. This is evidenced by the string
“var f=new XPathEvaluator” observed in the
application communications.
Moderate Cross-site Request Forgery The assessor reviewed all instanced of 1
CSRF. Burp Suite incorrectly concluded
there were no anti-CSRF tokens on this page
however a VIEWSTATE is observable in the
application communications.
Low Open Redirection (DOM-based) The assessor reviewed all instanced of open 3
redirects. Only POST requests were
generated and the assessor was unable to
incite an open redirect.
Low Source Code Disclosure The assessor reviewed all instanced of open 4
redirects. Code disclosed appears to be
JavaScript intended to be delivered to the
browser.
5.2.3.4. Exploitation
5.2.3.4.1. Authentication and Session Management

Two issues were identified related to Authentication and Session Management. Further exploitation of the
“SSL Cookie without Secure Flag Set” and “Cookie without HttpOnly Flag Set” vulnerabilities would have required
attacking authenticated users outside the scope of this assessment. Observing the properties of the cookies set by the
application was sufficient to confirm the absence of these attributes on the application cookies.
5.2.3.4.2. Authorization
No issues with authorization were discovered by the automated vulnerability scanner. The scan results
returned no findings for directory traversal or sensitive URL disclosure.
The assessor also attempted to forcibly browse potentially sensitive URLs using the ‘Discover Content’
engagement tool provided within Burp Suite Pro. No additional “admin” pages or similar were
discovered.
5.2.3.4.3. Application Logic

No issues with application logic were discovered by the automated vulnerability scanner. Interaction with
the services provided by the application produced the expected results.
5.2.3.4.4. Input Validation

No issues with authorization were discovered by the automated vulnerability scanner.
20
5.2.4 Application: https://<REDACTED>windows.net

about the REDACTEDwindows.net application. Search engine results from the Bing and Google engines
provided cached pages of “Federation Metadata” under the URL “/FederationMetadata/2007-
06/FederationMetadata.xml” A screenshot of sample results is provided below.
21
REDACTED
Figure 5 - Sample OSINT Results
Similarly, internet archiving projects, such as https://archive.org/web, contained only a single snapshot of
content from this application dated January 23, 2015. No interesting information was observed.
22

whatweb-accounts.accesscontrol.windows.net.txt


accounts.accesscontrol.windows.net_analyze.html

application scanner with full vulnerability checks selected. No vulnerabilities were discovered.
Since no vulnerabilities were uncovered during Vulnerability Assessment, no exploitation activities were
performed.
5.2.5 Application: https://acis-beta.engineering.core.windows.net

about the acis-beta.engineering.core.windows.net application. Search engine results from the Bing and
Google engines provided no cached pages. Similarly, internet archiving projects, such as
https://archive.org/web/, did not contain cached versions of the application’s content.
23

whatweb-acis-beta.engineering.core.windows.net.txt


acis-beta.engineering.core.windows.net._analyze.html

performed.
5.2.6 Application: https://acis.engineering.core.windows.net

about the acis.engineering.core.windows.net application.
Search engine results from the Google engine provided only a cached login page.
Archiving projects, such as https://archive.org/web/, did not contain cached versions of the application’s
content.
24

whatweb-acis.engineering.core.windows.net.txt


acis.engineering.core.windows.net._analyze.html

performed.
5.2.7 Application: https://admin.core.windows.net

about the acis.engineering.core.windows.net application.
Search engine results from the Google and Bing search engines contained no results.
content.
25

middleware, frameworks, or technologies in use at the application layer. Whatweb was unable to
fingerprint technologies.
whatweb-admin.core.windows.net.txt


admin.core.windows.net_analyze.html

performed.
5.2.8 Application: https://fabriclogs.cloudapp.net

about the fabriclogs.cloudapp.net.
content.
26

Microsoft-IIS 7.5 and ASP.NET 4.0.30319, but was unable to fingerprint further technologies.
whatweb-fabriclogs.cloudapp.net.txt


fabriclogs.cloudapp.net_analyze.html

performed.
5.2.9 Application: https://global.sts.msft.net

about the global.sts.msft.net applications.
content.
27

middleware, frameworks, or technologies in use at the application layer. Whatweb was unable to
fingerprint technologies.
whatweb-global.sts.msft.net.txt


fabriclogs.cloudapp.net_analyze.html

performed.
5.2.10 Application: https://icm.ad.msft.net

about the icm.ad.msft.net applications.
content.
28

whatweb-icm.ad.msft.net.txt


icm.ad.msft.net_analyze.html

performed.
5.2.11 Application: https://login.microsoftonline.com

about the login.microsoftonline.com application.
Search engine results from the Google and Bing search engines contained cached versions of the login page
in various languages.
Archiving projects, such as https://archive.org/web/, contained 1025 snapshots of the application’s content
dated November 25, 2010 through current.
29

whatweb-login.microsoftonline.com.txt


login.microsoftonline.com_analyze.html

application scanner with full vulnerability checks selected. One (1) moderate finding was discovered.

Severity
Low Password field with autocomplete enabled 1

Severity
High SQL Injection The assessor reviewed all instanced of SQL 1
injection. Burp Suite incorrectly concluded
that dynamic nonce values returned in the
application response were caused by the SQL
injection attempt.
Moderate Session Token in URL The assessor reviewed all instanced of 1
Session Token in URL. Burp Suite
30
incorrectly concluded a nonce value in the

URL string contained session data.

One issue as identified related to Authentication and Session Management. Further exploitation of the and
“Password field with autocomplete enabled” vulnerability would have required attacking authenticated users outside
the scope of this assessment. Observing the properties of the field set by the application was sufficient to confirm the
absence of these attributes on the field.
discovered.


5.2.12 Application: https://manage.windowsazure.com

about the manage.windowsazure.com application.
Search engine results from the Google and Bing search engines contained cached login pages.
content.

31
whatweb-manage.windowsazure.com.txt


manage.windowsazure.com_analyze.html

performed.
5.2.13 Application: https://mats.cloudapp.net

about the mats.cloudapp.net application.
Search engine results from the Google and Bing search engines contained cached login pages.
content.

32
whatweb-mats.cloudapp.net.txt


mats.cloudapp.net_analyze.html

performed.
5.2.14 Application: https://monitoring.windows.net

about the monitoring.windows.net application.
content.

Microsoft-HTTPAPI/2.0, but was unable to fingerprint further technologies.
33


monitoring.windows.net_analyze.html

performed.
5.2.15 Application: https://portal.aadrm.com

about the portal.aadrm.com application.
Search engine results from the Google and Bing search engines contained cached pages of the login portal
and legal notices.
Archiving projects, such as https://archive.org/web/, did contained cached versions of the application’s
content dated September 4, 2013 through current.

Microsoft-IIS 8.0 and ASP.NET 4.0.30319 MVC4.0, but was unable to fingerprint further technologies.
whatweb-portal.aadrm.com.txt
34


portal.aadrm.com_analyze.html

performed.
5.2.16 Application: https://portal.azurerms.com

about the portal.azurerms.com application.
and home page.
content.

whatweb-portal.azurerms.com.txt
35


portal.azurerms.com_analyze.html

performed.
5.2.17 Application: https://production.billing.monitoring.core.windows.net

about the production.billing.monitoring.core.windows.net application.
and home page.
content.

whatweb-production.billing.monitoring.core.windows.net.txt
36


production.billing.monitoring.core.windows.net_analyze.html

performed.
5.2.18 Application: https://production.diagnostics.monitoring.core.windows.net

about the production.diagnostics.monitoring.core.windows.net application.
Search engine results from the Google and Bing search engines contained cached pages of the login portal.
content.

whatweb-production.diagnostics.monitoring.core.windows.net.txt
37


production.diagnostics.monitoring.core.windows.net_analyze.html

performed.
5.2.19 Application: https://production.runners.monitoring.core.windows.net

about the production.runners.monitoring.core.windows.net application.
Search engine results from the Google and Bing search engines contained no cached pages of the
application.
content.

whatweb-production.runners.monitoring.core.windows.net.txt
38


production.runners.monitoring.core.windows.net_analyze.html

performed.
5.2.20 Application: https://rma.trafficmanager.net

about the rma.trafficmanager.net application.
Search engine results from the Google and Bing search engines contained cached login pages of the
application.
content.

whatweb-rma.trafficmanager.net.txt
39


rma.trafficmanager.net_analyze.html

performed.
5.2.21 Application: https://wanetmon.cloudapp.net

about the wanetmon.cloudapp.net application.
Search engine results from the Google and Bing search engines contained no cached pages of the
application.
content.

whatweb-wanetmon.cloudapp.net.txt
40


wanetmon.cloudapp.net_analyze.html

performed.
Tenant to Target System

Engagement document section 4.2.1.1. This selection covers Azure Public devices that are tenant facing as
the primary targets, but includes the Azure Public inventory as possible post exploitation targets. Devices
that provide an access path for Azure Public administrators were also targeted. Testing was performed
from a virtual machine, created by an Azure Public tenant, against the Azure Public management stack.
6.1.2 Threat Model

This vector simulated an attack by external trusted entity against edge devices of Azure Public at the
network layer.
6.1.3 Reconnaissance
The assessor attempted web searches (internet) for Azure Public-related vulnerabilities that are public
knowledge or have been published to the internet. No vulnerability data was uncovered.
41

The targets in scope were scanned with the nmap tool to detect live systems and running services that may
be exposed. The following table provides a summary of the scans.
Tue Oct 27 17:27:23 2015 nmap -T5 -PN -oN APFT-output.txt -iL
All hosts targeted in this scan failed to resolve for further investigation.

Since no targets were resolved during the endpoint mapping phase, no service enumeration or
fingerprinting could be accomplished. The nmap scans referenced in section 6.1.3.2 show all hosts timed
out.

Since no targets were resolved during the endpoint mapping phase, no vulnerability assessment could be
accomplished.
6.1.5 Exploitation
Since no targets were resolved during the endpoint mapping phase, no exploitation could be
accomplished.

The scope of the application layer testing for this vector is all services available in the Azure Public
management portal for the tenant accounts described in the Azure Penetration RoE document section 4.2.2.
This selection covers Azure Public applications that are available from a tenant perspective. The following
table describes the name and function of Azure Public web applications and services in scope for this
vector.
6.2.2 Threat Model

This vector simulated an attack by external trusted entity against the Azure Public application at the
application layer.

about the msasset application. Search engine results from the Bing and Google engines provided no cached
pages. Similarly, internet archiving projects, such as https://archive.org/web/ , did not contain cached
versions of the application’s content.
42
The assessor was able to review user documentation about the Microsoft Azure service via the official
location at https://azure.microsoft.com/en-us/documentation/

Based upon the information gathering conducted in 6.2.3.1, the assessor was able to determine that the
fabric layer of Windows Azure is built using a custom operating system called Microsoft Azure. A custom
version of Microsoft’s virtualization solution Hyper-V, known as the Microsoft Azure Hypervisor,
provides the hypervisor layer.
Microsoft-IIS 8.5, but was unable to fingerprint further technologies.
whatweb-manage.windowsazure.com.txt

The assessor was able to review the use of a role-based access control scheme for segregating users within
the same subscription during the documentation review in section 6.2.3.1. Azure Active Directory provides
a familiar Active Directory service to managing authorization.
The assessor was provisioned a customer administrator account upon creation of each trial tenant
environment.

spidering with the Burpsuite Pro attack proxy.
The Azure Public dashboard provides the main mechanism for customers to manage services offered by
the system. Instances of individual services can be launched through the management portal by navigating
to the appropriate section and selecting “create new.”
A sample portal screenshot from in-progress testing is provided below for reference.
43
REDACTED
Figure 6 - Sample Azure Portal Screenshot
The assessor instantiated all services readily available to the tenant to observe the interaction between the
tenant administrator’s browser and Azure management portal. Some services required additional
infrastructure or resources which made thorough testing untenable. Services available for the tenants are
listed in the following table.
Azure Public Tenant Services
Web Apps CDN

Virtual Machines Automation
Mobile Services Scheduler
Cloud Services API Management
Batch Services Machine Learning
SQL Databases Steam Analysis
Storage Operational Insights
HDInsight Networks
Media Services Traffic Manager
44
Mobile Engagement Remote App

Visual Studio Online Management Services
Cache Active Directory
Biztalk Services Marketplace
Recovery Services StorSimple
manage.windowsazure.com_analyze.html

Dynamic pages identified in Section 6.2.3.2 were selected for scanning using the Burp Suite Pro web
application scanner with full vulnerability checks selected. Two (2) high findings were discovered.

Severity
High External Service Interaction (DNS) 2

High External Service Interaction (HTTP) 2

No issues with authentication or session management were discovered by the automated vulnerability
scanner.
Authentication for testing accounts was handled by a redirection to the login.microsoftonline.com

application discussed in section 6.2.4 of this report.
Session tokens used by the application were analyzed for vulnerabilities. All cookies which appeared to
contain session information were marked with the ‘http-only’ and ‘secure’ attributes. This is similarly
confirmed by the Burp Suite Pro scanner results. The manage.windowsazure.com application set the
following cookie values after authentication.
45
Figure 7 - Application Cookies and Sample Value
The cookies listed above were manipulated in an attempt to access to a session belonging to one of the
‘victim’ tenants listed in the Azure Penetration Test RoE. No additional session access was gained.
discovered.
46


Two input validation issues were discovered by the Burp Suite Pro vulnerability scanning performed in
section 6.2.3.3, which are listed as External Service Interaction (DNS) and External Service Interaction (HTTP). In
both cases, portions of the manage.windowsazure.com application could be induced to interact with an
arbitrary external entity. Interaction was available via HTTP and DNS. The following URLs were abused to
generate HTTP requests for exploitation:
 https://manage.windowsazure.com/Alert/GetRulesAndStats [SubscriptionId JSON parameter]

 https://manage.windowsazure.com/BatchService/GetBatchServiceCreationStatus [locationUrl JSON
parameter]
The assessor chose the GetRulesAndStats instance as the primary vulnerability instance for further
investigation. Manual confirmation of the vulnerability against a Kratos SecureInfo lab asset was executed.
This was a blind interaction with the Kratos SecureInfo lab since the results are not viewable in the server
response. The following screenshot shows the request/response pair used to confirm the vulnerability.
REDACTED
Figure 8 - Burp Suite Exploit Request/Response
47
The following screenshot shows HTTP access logs from the Kratos SecureInfo asset indicating the Azure
Public service accessing an external service.
Figure 9 - External Service Interaction
Next, the assessor attempted to leverage this access to create a server side scanning mechanism for further
reconnaissance. The following screenshots show examples of attempting to access a Kratos SecureInfo asset
on ports 8000 and 8001. Port 8000, as above, had a simple HTTP server while port 8001 had no service
running.
Figure 10 - Exploit Timing Examples
Request times for ports without an active network service consistently completed close to 2100
milliseconds. Similarly, request times for ports with an active network service consistently completed close
to 1100 milliseconds. Via this timing channel, the assessor was able to determine if the target device was
listening on a particular port, regardless of the actual service.
A Burp Suite Pro Intruder attack was configured to issue requests with incrementing port numbers to a
particular target. In the case below, the attack is configured to issue HTTP requests to ports on the local
host from port 75 to port 85.
Figure 11 - Sample "Port Scanner" Configuration
48
Figure 12 - Configuring Exploit to scan Ports 75-85
In the attack results shown below, a significantly faster response time for port 80 can be observed. While
the total round trip is less than observed against the Kratos SecureInfo assets, this is to be expected due to
the network proximity.
Figure 13 - Sample Exploit Results
This test confirmed the use of if this vulnerability as a TCP connect scanner.
The assessor attempted to scan more of the internal network, however full port scans of the internal
environment proved to be too slow to accomplish at 1 port per second. No further access to Azure Public
hosts or networks was obtained.

about the login.microsoftonline.com application.
Search engine results from the Bing and Google engines provided cached pages, however no interesting
site versions were discovered.
Similarly, internet archiving projects, such as https://archive.org/web, did contain cached versions of the
application’s content dated as early as November 25, 2010. No additional information was discovered
through the browsing of old application cached pages.
49

Microsoft-IIS 8.5 and JQuery, but was unable to fingerprint further technologies.
whatweb-login.microsoftonline.com.txt

The login.microsoftonline.com application provides identity management for Microsoft online services.
The only account role and authorization available to the assessor was management of his/her own account
properties.
The assessor was provisioned an account upon creation of each trial tenant environment.

The login.microsoftonline.com application was identified the main mechanism for customers to manage
their identity and authenticate to Microsoft online services.
A sample portal screenshot from in-progress testing is provided below for reference.
50
Figure 14 - Sample Portal Page
login.microsoftonline.com_analyze.html

application scanner with full vulnerability checks selected. One (1) moderate finding and one (1) low
finding was discovered.

Severity
Moderate Cross Site Request Forgery (CSRF) 1
Low Password Field with Autocomplete Enabled 2

Severity
51
Moderate Session token in URL The assessor reviewed all instanced of 2

Session tokens in URLs. Burp Suite
incorrectly concluded strings of characters in
the URL of the form “cfbc834e-36d2-4a6c-
8bfe-799b9be70cb7” contained session state.
Upon further review, the dynamic values
identified by BurpSuite appear to be nonce
values and intended to change between
requests. This is evidenced by the parameter
name “nonce=” observed in the application
communications.
Low Open redirection (DOM-based) The assessor reviewed all instanced of Open 18
Redirection and was unable to execute a
redirect.

One issue with authentication was discovered by the automated vulnerability scanner. The vulnerability
related to “Cross Site Request Forgery (CSRF)” identified in Section 6.2.4.3 was explored as a proof of concept, but
further exploitation was not pursued.
The “/login.srf” endpoint was targeted by the scanning tool Burp Suite Pro. Burp attempts to submit two requests
differing in the “Referrer:” header in order to determine if the application changes behavior. Since the application
appears to perform the login function regardless of the specified Referrer, Burp determined this to be a CSRF
vulnerability.
Further exploitation of this vulnerability for additional access would have required targeting users outside the scope of
this engagement. No further access was attempted or gained using this vulnerability.
discovered.


52

Information gathering for this target was completed in the External to Target System vector in Section
5.2.3.1.

Information gathering for this target was completed in the External to Target System vector in Section
5.2.3.2.

The login.microsoftonline.com application provides identity management for Microsoft online services.
The only account role and authorization available to the assessor was management of his/her own account
properties.
The assessor was provisioned an account upon creation of each trial tenant environment.

The account.activedirectory.windowsazure.com application was identified as a passthrough for customers

to manage their identity and authenticate to Microsoft online services.
No GUI was available for this application.
account.activedirectory.windowsazure.com_analyze.html

application scanner with full vulnerability checks selected. No findings were discovered.

Severity
53
High XPath Injection The assessor reviewed all instanced of XPath 4

Ijections. Burp Suite incorrectly concluded
that strings of characters in the body of the
response were XPath related errors. Upon
further review, the strings identified by Burp
were all of the form “var f=new
XPathEvaluator” and delivered as a part of
the application JavaScript.

No issues with authentication or session management were discovered by the automated vulnerability
scanner.
discovered.


Tenant to Tenant
The scope of the application layer testing for this vector is described in the Azure Penetration RoE
document section 4.2.2. This selection covers Azure Public applications that are available to consumers of
the service.
7.1.2 Threat Model

This vector simulated an attack by external trusted customer against other consumers of the service.
54

The assessor reviewed vulnerability information generated from the External to Target System and Tenant
to Target system vectors specifically for use against a tenant of the Azure Public system.
The assessor performed reconnaissance activities for this application in section 6.2.3.

Vulnerabilities identified for this application were useful in attacking the Azure Public service itself, but
were not directly useful to attack or uncover an Azure Public tenant.
The assessor attempted to review interactions with the application to determine if a subscription ID could
be targeted. No vulnerabilities were discovered that would allow one tenant to manipulate services
deployed to another tenant.
Since no vulnerable conditions were observed, no exploitation activities were performed.


Vulnerabilities identified for this application were useful in attacking an authenticated user. The assessor
did not attempt to weaponized the CSRF vulnerability identified by automated scanning.

55

No vulnerabilities were uncovered by automated scanning.
Corporate to Azure Public Management System

This vector represents the “Simulated Internal Attack” vector described in the FedRAMP Penetration
Guidance v1.0.1. Microsoft provided a representative corporate image and laptop as well as access to the
Microsoft corporate network in Redmond, WA via Microsoft VPN.

Engagement document Appendix A. This selection covers Azure Public devices that are used for
environment access by Azure and Azure Government administrators as the primary targets, but includes
the Azure and Azure Government FedRAMP inventory as possible post-exploitation targets.
As part of the efforts to complete the Azure Public Rules of Engagement document, Kratos SecureInfo and
Microsoft identified devices used by Azure Public administrators to access their respective environments.
These devices are listed in section 2.1.1.1 of the Azure Simulated Internal Testing Appendix A document
included in the Rules of Engagement.
8.1.2 Threat Model

This vector simulated an attack from a compromised corporate asset by an internal untrusted entity against
edge devices of Azure and Azure Government at the network layer.
8.1.3 Information Gathering

The Microsoft corporate laptop issued to the assessor was looted for any residual sensitive information.
Applications installed by default on the device were normal productivity and corporate remote access
products.
56
The assessor was able to dump local passwords stored within Windows. Due to the Windows 10 operating
system installed on the corporate asset, normal password dumping utilities like Windows Credential
Editor or mimikatz were ineffective. The assessor used a PowerShell suite ‘Reveal Windows Memory
Credentials (RWMC)’ in order to perform the dump. Only credentials for the local Administrator account
used to log into the asset were discovered.

The targets in scope were scanned with the port scanner nmap to detect live systems and running services
that may be exposed. The following table provides a summary of the scans.
(Azure) Wed Oct 14 15:52:50 2015 nmap -vvv -n -Pn -sT -p- --version-all
--version-trace -sC -e ppp0
--max-retries 1 --max-rtt-timeout 400ms
--initial-rtt-timeout 400ms -T5

As part of the scans described above, the nmap tool was used to perform network service enumeration.
Please note that connection to Microsoft CorpNet is through a VPN point-to-point tunnel. It is not possible
to use certain nmap tactics such as creating raw UDP datagrams over PPP. This limitation was due to the
originating laptop Windows 10 operating system. As such, operating system fingerprinting and UDP
service scanning was not possible. The following table summarizes the open ports and service fingerprints
discovered during the scan.
Port and Protocol Nmap Service Fingerprinting Results
80/tcp http
82/tcp www
88/tcp kerberos-sec
135/tcp msrpc
139/tcp netbios-ssn
443/tcp https
445/tcp microsoft-ds
593/tcp http-rpc-epmap
1009/tcp www
1026/tcp dce-rpc
1027/tcp IIS
1102/tcp www
1556/tcp veritas_pbx
57
1801/tcp msmq
2103/tcp dce-rpc
2105/tcp dce-rpc
2107/tcp msmq-mgmt
2179/tcp vmrdp
2381/tcp www
3389/tcp msrdp
6667/tcp www
6699/tcp www
8300/tcp unknown
8400/tcp cvd
8402/tcp abarsd
13782/tcp netbackup
49153/tcp dce-rpc
49154/tcp dce-rpc
49154/tcp dce-rpc
49155/tcp dce-rpc
49156/tcp dce-rpc
49157/tcp unknown
49158/tcp unknown
49160/tcp unknown
49161/tcp unknown
49163/tcp dce-rpc
49167/tcp dce-rpc
55555/tcp unknown
64623/tcp unknown

Kratos SecureInfo uses the Tenable Nessus tool as the network service vulnerability scanner of choice. A
Nessus scanner located in the Kratos SecureInfo lab was tuned using network port scanning results
completed in section 5.1.3. The following table summarizes the network service vulnerabilities discovered
by Nessus.
58
Nessus Severity Vulnerability Instances
High HP System Management Homepage < 6.2 Multiple Vulnerabilities 1

High HP System Management Homepage < 7.1.1 Multiple Vulnerabilities 1
High HP System Management Homepage < 7.2.0.14 iprange Parameter Code
Execution 1
High HP System Management Homepage < 7.2.1.0 Multiple Vulnerabilities
(BEAST) 1
HP System Management Homepage < 7.2.4.1 / 7.3.3.1 OpenSSL Multiple
High
Vulnerabilities 1
HP System Management Homepage < 7.4.1 Single Sign On Buffer
High
Overflow RCE 1
HP System Management Homepage < 7.5.0 Multiple Vulnerabilities
High
(FREAK) 1
High HP System Management Homepage ginkgosnmp.inc Command Injection 1
High Microsoft Windows SMB Shares Unprivileged Access 5
Medium DNS Server Cache Snooping Remote Information Disclosure 1
Medium HP System Management Homepage < 7.3 Multiple Vulnerabilities 1
Medium Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle
Weakness 5
Medium SMB Signing Required 4
Medium SSL Certificate Cannot Be Trusted 363
Medium SSL Certificate Expiry 2
Medium SSL Certificate Signed Using Weak Hashing Algorithm 106
Medium SSL RC4 Cipher Suites Supported (Bar Mitzvah) 224
Medium SSL Self-Signed Certificate 355
Medium SSL Version 2 and 3 Protocol Detection 33
Medium SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability
(POODLE) 30
Medium Terminal Services Doesn't Use Network Level Authentication (NLA)
Only 5
59
Medium Terminal Services Encryption Level is Medium or Low 1

Low SSL Certificate Chain Contains RSA Keys Less Than 2048 bits 1
Low Terminal Services Encryption Level is not FIPS-140 Compliant 4
Three vulnerabilities reported by Nessus have instances which are false-positives. In all cases,
misidentification of the SSL certificates resulted in false positives traced back to initial Nessus Scanner
configuration. An Excel embedded pivot-chart is attached below depicting scanner results.
Nessus Severity False Positive Vulnerability Justification Instances
SSL Certificate with Wrong Nessus Scanner

Medium 330*
Hostname Misconfiguration
Nessus Scanner
Medium SSL Certificate Cannot Be Trusted 245*
Misconfiguration
Nessus Scanner
Medium SSL Self-Signed Certificate 243*
Misconfiguration
Microsoft Azure
Nessus Scan Results.xlsx
* Refer to attached pivot table for false-positive assignment
8.1.5 Exploitation
8.1.5.1. HP System Management Homepage Multiple Vulnerabilities
Host <REDACTED>.redmond.corp.microsoft.com (tcp/2381) has HP System Management Homepage
v6.1.0.102 installed. The installed version contains critical vulnerabilities applicable for penetration
exploitation. CVE-2011-1540 requires authentication and efforts were made to gain credentials in order to
verify the CVE; however no credentials were obtained. CVE-2011-1541 does not require authentication,
however no public exploit is available to the assessor. Vendor updates are available to mitigate these
vulnerabilities. These vulnerabilities are deemed high.
60
REDACTED
Figure 15 – HP Management Authentication Portal
8.1.5.2. Microsoft Windows SMB Shares Unprivileged Access

Several SMB shares were found to be publically accessible during the penetration test. In addition to the
Nessus vulnerability finding, a public writable user share was identified on <REDACTED> as shown in the
following figures. Remove directory read/write permissions for accounts not requiring access to shares.
This vulnerability is deemed high.
61
REDACTED
Figure 16 – Open Share
Figure 17 – Confirming Read/Write on Share
8.1.5.3. Gateway Remote Logon User Harvest

During the looting process of unauthenticated shares, host share <REDACTED> contained script file
\\<REDACTED> \TSGateWay\checkGatewayLogon.cmd parsing a text file named \\<REDACTED>
62
\TSGateWay\GatewayRemoteLogonUsers.txt . A screenshot of the text file shows the enumeration of user

account names. These accounts were further tested for logon via brute-force attacks. The brute force was
unsuccessful using generic password wordlists. To mitigate this finding, remove files associated with
enumeration of user account names as required. This vulnerability is deemed moderate.
REDACTED
Figure 18 – Accounts Scraped
8.1.5.4. SSL Related Vulnerabilities

All SSL related vulnerabilities described in section 6.1.4 were not exploited for additional access to
sensitive information. Exploitation of these vulnerabilities requires an advantageous network position with
access to an active connection containing sensitive information. Although access to the Microsoft corporate
network was obtained as part of the vector, insertion as a man-in-the-middle attacker would have required
attacking out of scope corporate assets and users. Since no access to a local connection was obtained with
this vector, no exploitation could be accomplished. To mitigate SSL vulnerabilities, apply encryption
levels as per NIST control requirements. The SSL vulnerabilities are deemed moderate.

The scope of the application layer testing for this vector is described in the Azure Public Penetration
Testing Rules of Engagement. This selection covers Azure Public applications that are used by Azure
Public administrators as the primary targets, but includes the Azure Public FedRAMP inventory as
possible post exploitation targets. The assessor determined that this target listing matches the same targets
defined for the External to Target application layer scope in Section 5.2 of this document. Since no
preference was given to application layer connections originating from the internal Microsoft corporate IP
space, results will not be repeated for this section. Please refer to Section 5.2 for testing of these targets.
63
Vulnerability Summary
The following vulnerability table provides a de-duplicated listing of all vulnerabilities across all vectors
and all types of testing.
Severity Vulnerability Instances
High External Service Interaction (DNS) 2

High External Service Interaction (HTTP) 2
HP System Management Homepage < 7.5.0 Multiple Vulnerabilities
High
(FREAK) 1
HP System Management Homepage ginkgosnmp.inc Command
High
Injection 1
High Microsoft Windows SMB Shares Unprivileged Access 5
High HP System Management Homepage < 7.1.1 Multiple Vulnerabilities 1
High HP System Management Homepage < 7.2.0.14 iprange Parameter
Code Execution 1
High HP System Management Homepage < 7.2.1.0 Multiple Vulnerabilities
(BEAST) 1
HP System Management Homepage < 7.2.4.1 / 7.3.3.1 OpenSSL
High
Multiple Vulnerabilities 1
HP System Management Homepage < 7.4.1 Single Sign On Buffer
High
Overflow RCE 1
Moderate DNS Server Cache Snooping Remote Information Disclosure 1
Moderate HP System Management Homepage < 7.3 Multiple Vulnerabilities 1
Moderate Microsoft Windows Remote Desktop Protocol Server Man-in-the-
Middle Weakness 5
Moderate SMB Signing Required 4
Moderate SSL Certificate Cannot Be Trusted 118
64
Moderate SSL Certificate Expiry 2

Moderate SSL Certificate Signed Using Weak Hashing Algorithm 106
Moderate SSL Certificate with Wrong Hostname 330
Moderate SSL RC4 Cipher Suites Supported (Bar Mitzvah) 228
Moderate SSL Self-Signed Certificate 112
Moderate SSL Version 2 and 3 Protocol Detection 34
Moderate SSLv3 Padding Oracle On Downgraded Legacy Encryption
Vulnerability (POODLE) 30
Moderate Terminal Services Doesn't Use Network Level Authentication (NLA)
Only 5
Moderate Terminal Services Encryption Level is Medium or Low 1
Moderate Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key 1
Moderate SSL Medium Strength Cipher Suites Supported 2
Moderate Cross Site Request Forgery (CSRF) 1

Moderate Unencrypted Telnet Server 1
Moderate SSL Cookie without Secure Flag Set 2

Low Cookie without HttpOnly Flag Set 2
Low Password field with autocomplete enabled 3
Low SSL Certificate Chain Contains RSA Keys Less Than 2048 bits 1
Low Terminal Services Encryption Level is not FIPS-140 Compliant 4
Conclusion
This report documents the network, system, and web application penetration testing performed by Kratos
SecureInfo for the Azure Public environment. Physical penetration testing was conducted on the hosting
IaaS, GFS. This testing is leveraged for the physical test vector as Azure inherits the physical and
environmental security controls from GFS. The security testing was designed to reveal and exploit
weaknesses in many aspects of Azure Public operation. The following summarizes the penetration testing
findings -
 One high severity issue was determined to allow internal and external port scanning from a
Microsoft host using a flaw in XML parsing of a crafted request.
 Moderate and low severity issues were discovered during internal and external testing; however
these vulnerabilities could not be leveraged for additional access.
65
Kratos SecureInfo recommends reviewing the configuration of XML parsing libraries used to process user
generated application traffic.
Kratos SecureInfo recommends conducting refresher security awareness training for Azure Public
administrators to reduce the likelihood of successful attack.
Kratos SecureInfo recommends reviewing and updating the configurations for devices implementing SSL
to ensure reliable transport security is always available.
Kratos SecureInfo finally recommends that vulnerability assessments and penetration tests continue to be
repeated at regular intervals to monitor the current level of risk. As always, continued vigilance in system
security is needed to help ensure future incidents do not occur.
66
Appendix A – Phishing Artifacts

For the phishing exercise, a collection of Microsoft admins for both Azure Public and Azure Government
environments were selected as targets. This does not indicate that any of these personnel have access to
both environments.
The results below detail the all-inclusive list of targets regardless of environment, the results of the
phishing, and the mechanism used for the phishing exercise. The key difference is that all targets that were
successfully phished were administrators for Azure Government. None of the Azure Public targets were
successfully phished.
Table A-1. Supplemental Files

Attachments
File Description
This template is the base for all spear phishing emails sent in this campaign.
azure-phish-template.html
This spreadsheet represents raw results generated by the spear phishing

campaign.
Azure Phishing Final

Results.xlsx
Appendix B – External to Target Artifacts

Table B-1. Supplemental Files
Attachments
File Description
This archive contains Nessus scans from the endpoint enumeration phase.
Azure_Public_External_discovery.zip
This archive contains Nessus scans from the service fingerprinting and
vulnerability assessment phases.1
Azure_Public_Nessus_raw.zip
This archive contains Burp Suite Pro results from all phases of the
application penetration testing.
Azure_Public_Application_Burp.zip
67
Appendix C – Tenant to Target Artifacts

Table C-1. Supplemental Files
Attachments
File Description
This archive contains nmapscans from the endpoint enumeration phase.
Azure_Public_Tenant_to_Target_nmap.zip
This archive contains Burp Suite Pro results from all phases of the
application penetration testing.
Azure_Public_Tenant_to_Target_Burp.zip
Appendix D – Simulated Internal Artifacts

Table D-1. Supplemental Files
Attachments
File Description
This archive contains nmapscans from the endpoint enumeration and service
fingerprinting phase.
Azure_Public_Sim_Internal_nmap.zip
This archive contains Nessus scans from the s vulnerability assessment

phase.
Azure_Public_Sim_Internal_Nessus.zip
68

Azure - Penetration Test Report

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Azure - Penetration Test Report

Uploaded by

Copyright:

Available Formats

Microsoft Confidential – Subject to Non-Disclosure Agreement

FedRAMP Penetration Test

Offered through its dedicated team of cybersecurity experts:

High Moderate Low

5.2.12 Application: https://manage.windowsazure.com ...................................................................... 31

Appendix A – Phishing Artifacts ............................................................................................................. 67

1.4.1 Application Security

 Strong authentication is used by the application

1.4.2 Network Security

 No unnecessary ports and network services are accessible

1.4.3 Configuration Management

 Default passwords changed

1.4.4 Security Principles

FedRAMP Penetration Testing Vector Analysis

4.1.2 Threat Model

4.1.3 Information Gathering

 Google/Bing results for "inurl:linkedin" "microsoft" "azure" "architect"

 Google/Bing results for "inurl:linkedin" "microsoft" "azure" "seattle"

 Google/Bing results for "inurl:linkedin" "microsoft" "azure" "storage"

 Google/Bing results for "inurl:linkedin" "microsoft" "azure" "security"

 Google/Bing results for "inurl:linkedin" "microsoft" "active directory" "seattle"

 Google/Bing results for "inurl:linkedin" "microsoft" "sql"

 Google/Bing results for "inurl:linkedin" "microsoft" "application"

Total Azure Employees with Correct Email Alias 11

4.1.4 Campaign Creation

Figure 1 - Azure Phishing Email

 Non-Microsoft sending domain (azure-security.com)

4.1.5 Statistics Collection Method

Figure 2 - Azure Phishing Execution

Figure 3 - Azure Phishing Page

Figure 4 - Azure Phishing SSL Logs

Phishing Attack Results Summary

Victims from Kratos Contact Set

Victims from Microsoft Contact

External to Target System

5.1.2 Threat Model

5.1.3.2. Network Endpoint Enumeration

Time of Scan Port Scan Targets and Configuration

2015/9/16 21:15 Port range : 1-65535

5.1.3.3. Network Service Enumeration and Fingerprinting

Port and Protocol Nmap Service Fingerprinting Results

5.1.4 Vulnerability Assessment

Nessus Severity Vulnerability Instances

Moderate SSL Medium Strength Cipher Suites Supported 2

Moderate SSL RC4 Cipher Suites Supported 4

Moderate SSL Version 2 and 3 Protocol Detection 1

Moderate Unencrypted Telnet Server 1

5.1.5.2. SSL Related Vulnerabilities

5.1.5.3. Unencrypted Telnet Server

5.2. Application Layer

The following applications produced little or no interaction during assessment:

5.2.2 Threat Model

5.2.3 Application: https://account.activedirectory.windowsazure.com

5.2.3.2.1. Application Architecture

5.2.3.2.2. Account Roles and Authorization

5.2.3.2.3. Application Mapping

5.2.3.3. Vulnerability Assessment

BurpSuite Vulnerability Instances

Moderate SSL Cookie without Secure Flag Set 2

BurpSuite False Positive Vulnerability Justification Instances

High XPath Injection The assessor reviewed all instanced of XPath 30

5.2.3.4.1. Authentication and Session Management