HackTricks CloudAz - File Shares
Reading time: 7 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Azure Files is a fully managed cloud file storage service that provides shared file storage accessible via standard SMB (Server Message Block) and NFS (Network File System) protocols. Although the main protocol used is SMB as NFS Azure file shares aren't supported for Windows (according to the docs). It allows you to create highly available network file shares that can be accessed simultaneously by multiple virtual machines (VMs) or on-premises systems, enabling seamless file sharing across environments.
Access Tiers
- Transaction Optimized: Optimized for transaction-heavy operations.
- Hot: Balanced between transactions and storage.
- Cool: Cost-effective for storage.
- Premium: High-performance file storage optimized for low-latency and IOPS-intensive workloads.
Backups
- Daily backup: A backup point is created each day at an indicated time (e.g. 19.30 UTC) and stored for from 1 to 200 days.
- Weekly backup: A backup point is created each week at an indicated day and time (Sunday at 19.30) and stored for from 1 to 200 weeks.
- Monthly backup: A backup point is created each month at an indicated day and time (e.g. first Sunday at 19.30) and stored for from 1 to 120 months.
- Yearly backup: A backup point is created each year at an indicated day and time (e.g. January first Sunday at 19.30) and stored for from 1 to 10 years.
- It's also possible to perform manual backups and snapshots at any time. Backups and snapshots are actually the same in this context.
Supported Authentications via SMB
- On-premises AD DS Authentication: It uses on-premises Active Directory credentials synced with Microsoft Entra ID for identity-based access. It requires network connectivity to on-premises AD DS.
- Microsoft Entra Domain Services Authentication: It leverages Microsoft Entra Domain Services (cloud-based AD) to provide access using Microsoft Entra credentials.
- Microsoft Entra Kerberos for Hybrid Identities: It enables Microsoft Entra users to authenticate Azure file shares over the internet using Kerberos. It supports hybrid Microsoft Entra joined or Microsoft Entra joined VMs without requiring connectivity to on-premises domain controllers. But it does not support cloud-only identities.
- AD Kerberos Authentication for Linux Clients: It allows Linux clients to use Kerberos for SMB authentication via on-premises AD DS or Microsoft Entra Domain Services.
Enumeration
# Get storage accounts
az storage account list #Get the account name from here
# List file shares
az storage share list --account-name <name>
az storage share-rm list --storage-account <name> # To see the deleted ones too --include-deleted
# Get dirs/files inside the share
az storage file list --account-name <name> --share-name <share-name>
## If type is "dir", you can continue enumerating files inside of it
az storage file list --account-name <name> --share-name <prev_dir/share-name>
# Download a complete share (with directories and files inside of them)
az storage file download-batch -d . --source <share-name> --account-name <name>
# Get snapshots/backups
az storage share list --account-name <name> --include-snapshots --query "[?snapshot != null]"
# List contents of a snapshot/backup
az storage file list --account-name <name> --share-name <share-name> --snapshot <snapshot-version> #e.g. "2024-11-25T11:26:59.0000000Z"
# Download snapshot/backup
az storage file download-batch -d . --account-name <name> --source <share-name> --snapshot <snapshot-version>
note
By default az cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters --auth-mode login --enable-file-backup-request-intent.
tip
Use the param --account-key to indicate the account key to use
Use the param --sas-token with the SAS token to access via a SAS token
Connection
These are the scripts proposed by Azure at the time of the writing to connect a File Share:
You need to replace the <STORAGE-ACCOUNT>, <ACCESS-KEY> and <FILE-SHARE-NAME> placeholders.
$connectTestResult = Test-NetConnection -ComputerName filescontainersrdtfgvhb.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
# Save the password so the drive will persist on reboot
cmd.exe /C "cmdkey /add:`"<STORAGE-ACCOUNT>.file.core.windows.net`" /user:`"localhost\<STORAGE-ACCOUNT>`" /pass:`"<ACCESS-KEY>`""
# Mount the drive
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<STORAGE-ACCOUNT>.file.core.windows.net\<FILE-SHARE-NAME>" -Persist
} else {
Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}
Regular storage enumeration (access keys, SAS...)
Privilege Escalation
Same as storage privesc:
Post Exploitation
Az - File Share Post Exploitation
Persistence
Same as storage persistence:
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.