Az - Storage Unauth

Reading time: 2 minutes

Storage Unauth

For more information about storage check:

Az - Storage Accounts & Blobs

Open Storage

You could discover open storage with a tool such as InvokeEnumerateAzureBlobs.ps1 which will use the file Microburst/Misc/permutations.txt to generate permutations (very simple) to try to find open storage accounts.

Import-Module .\MicroBurst\MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base corp
[...]
https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
[...]

# Access https://corpcommon.blob.core.windows.net/secrets?restype=container&comp=list
# Check: <Name>ssh_info.json</Name>
# Access then https://corpcommon.blob.core.windows.net/secrets/ssh_info.json

You can also use a method from MicroBust for such goal. This function will search the base domain name (and a few permutations) in several azure domains (including storage domains):

Import-Module .\MicroBurst\MicroBurst.psm1 -Verbose
Invoke-EnumerateAzureSubDomains -Base corp -Verbose

SAS URLs

A shared access signature (SAS) URL is an URL that provides access to certain part of a Storage account (could be a full container, a file...) with some specific permissions (read, write...) over the resources. If you find one leaked you could be able to access sensitive information, they look like this (this is to access a container, if it was just granting access to a file the path of the URL will also contain that file):

https://<storage_account_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D

Use Storage Explorer to access the data