HackTricks CloudAz - Service Bus Enum
Reading time: 4 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Service Bus
Azure Service Bus is a cloud-based messaging service designed to enable reliable communication between different parts of an application or separate applications. It acts as a secure middleman, ensuring messages are safely delivered, even if the sender and receiver aren’t operating simultaneously. By decoupling systems, it allows applications to work independently while still exchanging data or instructions. It’s particularly useful for scenarios requiring load balancing across multiple workers, reliable message delivery, or complex coordination, such as processing tasks in order or securely managing access.
Key Concepts
- Queues: its purpose is to store messages until the receiver is ready.
- Messages are ordered, timestamped, and durably stored.
- Delivered in pull mode (on-demand retrieval).
- Supports point-to-point communication.
- Topics: Publish-subscribe messaging for broadcasting.
- Multiple independent subscriptions receive copies of messages.
- Subscriptions can have rules/filters to control delivery or add metadata.
- Supports many-to-many communication.
- Namespaces: A container for all messaging components, queues and topics, is like your own slice of a powerful Azure cluster, providing dedicated capacity and optionally spanning across three availability zones.
Advance Features
Some advance features are:
- Message Sessions: Ensures FIFO processing and supports request-response patterns.
- Auto-Forwarding: Transfers messages between queues or topics in the same namespace.
- Dead-Lettering: Captures undeliverable messages for review.
- Scheduled Delivery: Delays message processing for future tasks.
- Message Deferral: Postpones message retrieval until ready.
- Transactions: Groups operations into atomic execution.
- Filters & Actions: Applies rules to filter or annotate messages.
- Auto-Delete on Idle: Deletes queues after inactivity (min: 5 minutes).
- Duplicate Detection: Removes duplicate messages during resends.
- Batch Deletion: Bulk deletes expired or unnecessary messages.
Authorization-Rule / SAS Policy
SAS Policies define the access permissions for Azure Service Bus entities namespace (Most Important One), queues and topics. Each policy has the following components:
- Permissions: Checkboxes to specify access levels:
- Manage: Grants full control over the entity, including configuration and permissions management.
- Send: Allows sending messages to the entity.
- Listen: Allows receiving messages from the entity.
- Primary and Secondary Keys: These are cryptographic keys used to generate secure tokens for authenticating access.
- Primary and Secondary Connection Strings: Pre-configured connection strings that include the endpoint and key for easy use in applications.
- SAS Policy ARM ID: The Azure Resource Manager (ARM) path to the policy for programmatic identification.
NameSpace
sku, authrorization rule,
Enumeration
# Queue Enumeration
az servicebus queue list --resource-group <MyResourceGroup> --namespace-name <MyNamespace>
az servicebus queue show --resource-group <MyResourceGroup> --namespace-name <MyNamespace> --name <MyQueue>
# Topic Enumeration
az servicebus topic list --resource-group <MyResourceGroup> --namespace-name <MyNamespace>
az servicebus topic show --resource-group <MyResourceGroup> --namespace-name <MyNamespace> --name <MyTopic>
# Susbscription Enumeration
az servicebus topic subscription list --resource-group <MyResourceGroup> --namespace-name <MyNamespace> --topic-name <MyTopic>
az servicebus topic subscription show --resource-group <MyResourceGroup> --namespace-name <MyNamespace> --topic-name <MyTopic> --name <MySubscription>
# Namespace Enumeration
az servicebus namespace list
az servicebus namespace network-rule-set list --resource-group <MyResourceGroup> --namespace-name <MyNamespace>
az servicebus namespace show --resource-group <MyResourceGroup> --name <MyNamespace>
az servicebus namespace network-rule-set show --resource-group <MyResourceGroup> --namespace-name <MyNamespace>
az servicebus namespace private-endpoint-connection list --resource-group <MyResourceGroup> --namespace-name <MyNamespace>
az servicebus namespace exists --name ProposedNamespace
# Authorization Rule Enumeration
az servicebus namespace authorization-rule list --resource-group <MyResourceGroup> --namespace-name <MyNamespace>
az servicebus queue authorization-rule list --resource-group <MyResourceGroup> --namespace-name <MyNamespace> --queue-name <MyQueue>
az servicebus topic authorization-rule list --resource-group <MyResourceGroup> --namespace-name <MyNamespace> --topic-name <MyTopic>
az servicebus namespace authorization-rule keys list --resource-group <MyResourceGroup> --namespace-name <MyNamespace> --name <MyAuthRule>
Privilege Escalation
Post Exploitation
Az - Service Bus Post Exploitation
References
- https://learn.microsoft.com/en-us/powershell/module/az.servicebus/?view=azps-13.0.0
- https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview
- https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-quickstart-cli
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.