The Best Azure Penetration Testing Tools

Microsoft Azure is a virtual server service that also provides services, such as databases. While Azure maintains the services that it supplies, account security and the integrity of the software that you install are your responsibility.

There are a number of tools that you can use to perform automated sweeps of your Azure resources and others that you can use to support your own penetration testing exercises.

Here is our list of the eight best Azure penetration testing tools:

Invicti EDITOR’S CHOICE A package of testing systems that can be used for automated procedures during penetration testing, as a vulnerability manager, or as a continuous testing tool in a CI/CD pipeline. This system is available as a SaaS package or as software for installation on Windows.
Acunetix This vulnerability scanner for Web applications and networks can be used as a penetration testing tool and it is able to scan a range of systems, including Azure. Available as a SaaS platform or for installation on Windows, macOS, and Linux.
Azucar A free PowerShell utility that runs on Windows but probes the statuses of Azure services, particularly Azure AD and databases.
BloodHound Offered in free and paid versions, this tool focuses on attack strategies that can hit Active Directory implementations, including Azure AD. It runs on Windows, macOS, and Linux.
PowerZure This free PowerShell utility is built to assess the security of Azure services with permission. It runs within your Azure account.
ROADtools A free explorer that examines Azure AD structures and assesses them for security weaknesses. It installs on your Azure account.
Stormspotter An attack surface grapher that identifies weaknesses in Azure and Azure AD. It runs over Docker.
Burp Suite Available in both free and paid versions, this proxy-based system offers a range of penetration tools and can be run on Azure.

You can read more about each of these tools in the following sections.

Penetration testing is a manual process. Automated security tools are called vulnerability managers. There are some tools that fall between these two categories. These are able to perform repetitive tasks, such as brute force password guessing but they don’t sequence through a full series of vulnerability checks. Some packages can be set to operate as vulnerability managers or as penetration testing tools.

Azure penetration testing ground rules

Microsoft expects customers of Azure to test the system for security weaknesses and even invites account holders to report discovered weaknesses that require system fixes to resolve.

There are just a few rules that you need to stick to when performing penetration testing on Azure. If you break these rules, you could get your Azure account shut down or even get sued.

The rules you need to follow are:

Don’t try to break into the accounts of other Azure customers – stick to your own account.
Don’t try to capture or alter the data of other Azure customers.
Don’t attempt phishing, doxing, or social engineering on Azure technicians.
Don’t perform a DDoS attack.
Don’t use automated testing utilities that generate a high volume of traffic in a short space of time.
Don’t break the Microsoft Online Subscription Agreement.

For more information, see the Azure guidance on penetration testing.

The rules that Microsoft imposes on testing for Azure accounts might tie the hands of many white hat hackers, who are willing to try any of the techniques used by hackers in order to test the security of a system.

It could be said that you won’t get a full assessment of your Azure account’s resilience to hacker attack if your penetration testing tool is tied by the rules laid down for the use of an Azure account.

Some independent penetration testing services might prefer to break the rules. You might think that contracting a consultancy to break into your Azure account gets around the restrictions imposed by Microsoft. However, they don’t because the service argues that you should specify the parameters of an investigation when you agree to a contract with the penetration testing service so that banned activities are prevented.

Best Azure Penetration Testing Tools

Although penetration testing is a specialized niche in IT security management, there is a surprisingly wide definition of what constitutes a penetration testing tool. Many commonly-used network management utilities that are built into the operating system can be used for system research. Ping, for example, is often used to probe networks both by network administrators and by hackers.

This means that this guide will present a range of tools that include system probes and attack utilities.

Our methodology for selecting Azure penetration testing tools: 

We reviewed the market for Azure penetration testing packages and analyzed tools based on the following criteria:

A probe or a hacking utility that can examine an Azure resource from an external location.
A degree of automation
A tool that can speed up checks for the OWASP Top 10
Systems that can run on Linux or Windows
Cloud-based options
A free tool or a free trial period to assess the tool without paying
Value for money from a useful utility or a free tool that is worth getting to know

As penetration testing models the behavior of hackers, tools for the job don’t need you to log into the system first. This also means that these penetration testing systems are versatile and not limited to probing one specific system. They can usually test on-site systems and a range of cloud platforms, such as Azure and AWS.

This list includes both free and paid tools. You should expect to get a better interface and more capabilities from the paid tools than from the free systems. However, you can put together your own penetration toolset by selecting a number of these recommended utilities.

1. Invicti

Invicti

Invicti is a web application vulnerability scanner. It runs from an external viewpoint, so it is able to test applications no matter where they are hosted because the scanner focuses on individual packages rather than hosting systems.

The scanner can be of use to penetration testers because it gives an automated assessment of an application. The package has three modes, enabling it to be run on-demand, on a schedule, or continuously as part of a CI/CD pipeline.

Key Features:

Deployment options
External attack assessment
Run as a penetration tool or as a continuous tester
On-demand or scheduled
Azure Boards integration

When used for automated testing, the Invicti environment can be set up to report findings through to Azure Boards. This enables the use of the test to quickly check through an application, flag issues through Azure Boards, and automatically route those issues through to a pen tester for further investigation.

As well as checking for standard exploits, the Invicti system uses AI to identify potential run conditions that could compromise the security of an application. It can also spot combinations of events that would create a security loophole.

Pros:

Useful for an initial scan in a pen testing scenario
Flags issues for investigation
Speeds up penetration testing
Reduces penetration testing team size
Integrates with team and project management tools and bug trackers

Cons:

More of a vulnerability manager than a penetration testing tool

Invicti is offered as a SaaS platform and also for installation on Windows and Windows Server. It can be assessed by accessing a demo system.

2. Acunetix

Acunetix is a vulnerability scanner that runs both internal and external checks. This automated tester can be used for an initial sweep of a system and it can also be launched on demand, focusing on specific strategies, making it a pen-testing tool..

The secret weapon of Acunetix is that it can integrate OpenVAS into its runs, including reports from that tool into its own assessments. This gives it a strong internal vulnerability report that can tell you what a hacker could do once he got inside your system.

Key Features:

External scans
Triage tool to speed up the investigation
Includes OpenVAS
Routes through project management tools

Acunetix can be triggered by project management tools and feed results through to bug trackers, letting you use the package to pre-scan a system and then automatically allocate investigation tasks to human pen-testers. This greatly cuts down the time that a penetration testing exercise can take and reduces the number of white hat hackers that you need on staff.

Pros:

Can be used in CI/CD pipelines
Manual option for trial-and-error probing
Cost cutter
Project management automation

Cons:

Doesn’t break into systems, just checks on the possibility

Acunetix is available as a SaaS platform or as a software package for Windows, macOS, and Linux. Assess Acunetix through its demo system.

3. Azucar

Azucar is a PowerShell utility that assesses Azure accounts to which it is given access. This package won’t try to break into your Azure security, it will explore it from the inside and let you know where potential problems lie.

If you want to perform a full red team exercise, you could run this tool first and then hand a list of issues to your hacker team to see if they can use them to break in.

Key Features:

Won’t break the rules of Azure
Assesses AD setup
Checks database security

The areas covered by this tool include general virtual server security, Azure AD, and the database services offered by the platform. Use this system for an initial research phase.

Pros:

Only operates on behalf of the Azure account owner
Extracts a report on Azure account settings
Fast scans

Cons:

Command line tool

Azucar is free to use and you can download it from GitHub. The utility runs on Windows through PowerShell.

4. BloodHound

BloodHound is a free tool that focuses on all implementations of Active Directory no matter what applications they govern, or where they are hosted, so it will work for Azure AD.

This system uses a graphing system to map through permissions in AD and identify weaknesses.

Key Features:

Reveals access attack paths
Nice front end
Useful for both red and blue teams

You can use BloodHound to proactively defend a system or to find a route for attack. It is able to spot very complicated attack paths that the human eye could not possibly assess.

Pros:

Easy to use
Good for attack and defense purposes
Free version available

Cons:

Results need to be interpreted

The paid version of this system is called BloodHound Enterprise and you can get a demo of it. There is a free version called BloodHound Open-Source, which can be downloaded from GitHub.

5. PowerZure

PowerZure is a free tool that is written in PowerShell. This package won’t help you break into an Azure account because you need to give it an access credentials token before it can extract data from your Azure resources.

Key Features:

Keeps within the Azure rules
Maps AD permissions
Identifies attack paths

The PowerZure package includes routines for mapping access rights that are extracted from Azure AD. This information can help your red team to plan an attack strategy or let your blue team see which permissions need to be tightened in order to defend the system.

Pros:

Exportable results
Detailed examination of permissions in AD
Useful for system administrators

Cons:

Doesn’t include attack utilities

PowerZure runs from within Azure or remotely from a device running Windows. Download the package from GitHub.

6. ROADtools

ROADtools is a library of procedures that can be used to assess Azure AD security issues. The package requires you to create a program of your own in order to run these processes. However, that doesn’t need to be much more than a basic script.

The processes extract AD data and put them into a database. You can then use a querying front end, provided with the library, to access the database’s entries. The system doesn’t break into the Azure account but as it is a set of procedures, you could add in functions from other sources to create an attack utility.

Key Features:

Built-it-yourself package
Creates a database
Focused on Active Directory analysis

The database that ROADtools creates isn’t just a copying over of Active Directory records. The entries in the database include a structure index, which shows you the relationships between records. The querying interface is also more than just a data viewer because it is able to reassemble the recorded structure into a hierarchy and identify security weaknesses in the configuration.

Pros:

Flexible set of processes
Use for research into access paths
Helps identify security weaknesses

Cons:

Not a complete facility

The ROADtools library is written in Python, so you can run the functions on any operating system that has Python installed on it – including on Azure. Download the package for free from GitHub.

7. Stormspotter

Stormspotter is a free utility that has a nice graphical front end and shows the relationship between records in Azure AD. It is also able to query Azure Resource Manager. This isn’t an attack system because it requires you to give it access credentials for your Azure account.

Pros:

Complies with Azure rules
Useful for investigations
Greats a visual map of access rights and permissions

Cons:

Not an attack tool

You would use Stormspotter for blue team defense rather than to attack Azure instances. This system runs over Docker and you can download it for free from GitHub.

8. Burp Suite

Burp Suite is available for free with a Community Edition. There is a paid version, called the Professional Edition. The free version offers penetration testing tools, while the paid system also has automated testing systems that can be used for vulnerability scanning. There is also a higher plan, called the Enterprise Edition, which is a full vulnerability scanner.

Key Features:

Use for research and for attack
Variables automatically copied between screens
Version for Azure

BurpSuite operates by launching a proxy and then using that as a launch pad for external attacks. This enables the system to act as an external attack tool even though it is hosted on the system that is being tested.

Pros:

Easy to use
Offers a range of attacks
Allows variables to be entered into a file for automatic cycling

Cons:

Don’t be drawn into the paid version’s vulnerability scanner

Burp Suite runs Windows, macOS, Linux, and also Azure. Download the Community edition for free or get a free trial of the Professional edition.

L’article The Best Azure Penetration Testing Tools est apparu en premier sur Comparitech.