Az - Key Vault

Reading time: 7 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Basic Information

Azure Key Vault ni huduma ya wingu inayotolewa na Microsoft Azure kwa ajili ya kuhifadhi na kusimamia taarifa nyeti kama vile siri, funguo, vyeti, na nywila kwa usalama. Inafanya kazi kama hazina ya kati, ikitoa ufikiaji salama na udhibiti wa kina kwa kutumia Azure Active Directory (Azure AD). Kutoka kwa mtazamo wa usalama, Key Vault inatoa moduli ya usalama wa vifaa (HSM) kwa funguo za kificho, inahakikisha siri zinakuwa zimefichwa wakati wa kupumzika na wakati wa kusafirishwa, na inatoa usimamizi thabiti wa ufikiaji kupitia udhibiti wa ufikiaji kulingana na majukumu (RBAC) na sera. Pia ina kumbukumbu za ukaguzi, uunganisho na Azure Monitor kwa ajili ya kufuatilia ufikiaji, na mzunguko wa funguo wa kiotomatiki ili kupunguza hatari kutokana na kufichuliwa kwa funguo kwa muda mrefu.

Tazama Azure Key Vault REST API overview kwa maelezo kamili.

Kulingana na docs, Vaults zinasaidia kuhifadhi funguo za programu na funguo za HSM. Hifadhi za HSM zinazodhibitiwa zinasaidia tu funguo za HSM.

Muundo wa URL kwa vaults ni https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version} na kwa hifadhi za HSM zinazodhibitiwa ni: https://{hsm-name}.managedhsm.azure.net/{object-type}/{object-name}/{object-version}

Ambapo:

vault-name ni jina la kipekee duniani la vault ya funguo
object-type inaweza kuwa "funguo", "siri" au "vyeti"
object-name ni jina la kipekee la kitu ndani ya vault ya funguo
object-version inatengenezwa na mfumo na inaweza kutumika kwa hiari kuashiria toleo la kipekee la kitu.

Ili kupata ufikiaji wa siri zilizohifadhiwa katika vault, inawezekana kuchagua kati ya mifano 2 ya ruhusa wakati wa kuunda vault:

Sera ya ufikiaji wa vault
Azure RBAC (ya kawaida na inayopendekezwa)
Unaweza kupata ruhusa zote za kina zinazosaidiwa katika https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault

Access Control

Ufikiaji wa rasilimali ya Key Vault unadhibitiwa na ndege mbili:

ndege ya usimamizi, ambayo lengo lake ni management.azure.com.
Inatumika kusimamia vault ya funguo na sera za ufikiaji. Ni Azure tu udhibiti wa ufikiaji kulingana na majukumu (RBAC) unasaidiwa.
ndege ya data, ambayo lengo lake ni <vault-name>.vault.azure.com.
Inatumika kusimamia na kupata data (funguo, siri na vyeti) katika vault ya funguo. Hii inasaidia sera za ufikiaji wa vault au Azure RBAC.

Jukumu kama Mchangiaji ambalo lina ruhusa katika eneo la usimamizi kusimamia sera za ufikiaji linaweza kupata ufikiaji wa siri kwa kubadilisha sera za ufikiaji.

Key Vault RBAC Built-In Roles

Network Access

Katika Azure Key Vault, sheria za firewall zinaweza kuwekwa ili kuruhusu operesheni za ndege ya data tu kutoka kwa mitandao halisi au anwani za IPv4 zilizotajwa. Kikomo hiki pia kinaathiri ufikiaji kupitia lango la usimamizi la Azure; watumiaji hawataweza kuorodhesha funguo, siri, au vyeti katika vault ya funguo ikiwa anwani yao ya IP ya kuingia haiko ndani ya anuwai iliyoidhinishwa.

Kwa ajili ya kuchambua na kusimamia mipangilio hii, unaweza kutumia Azure CLI:

bash

az keyvault show --name name-vault --query networkAcls

Amri ya awali itaonyesha mipangilio ya firewall ya name-vault, ikiwa ni pamoja na anuwai za IP zilizowekwa na sera za trafiki zilizokataliwa.

Zaidi ya hayo, inawezekana kuunda kiunganishi binafsi kuruhusu muunganisho wa kibinafsi kwa vault.

Ulinzi wa Kufuta

Wakati vault ya funguo inaundwa, idadi ya chini ya siku za kuruhusu kufutwa ni 7. Hii inamaanisha kwamba kila wakati unajaribu kufuta vault hiyo ya funguo itahitaji angalau siku 7 kufutwa.

Hata hivyo, inawezekana kuunda vault yenye ulinzi wa kufuta usioamilishwa ambayo inaruhusu vault ya funguo na vitu kufutwa wakati wa kipindi cha uhifadhi. Ingawa, mara ulinzi huu unapowekwa kwa vault hauwezi kuzuiliwa.

Uhesabuji

bash

# List all Key Vaults in the subscription
az keyvault list
# List Key Vaults in a specific Resource Group
az keyvault list --resource-group <ResourceGroupName>
# Show details of a specific Key Vault
az keyvault show --name <KeyVaultName> # If accessPolicies, you can see them here
# List all keys in a Key Vault
az keyvault key list --vault-name <KeyVaultName>
# List all secrets in a Key Vault
az keyvault secret list --vault-name <KeyVaultName>
# Get versions of a secret
az keyvault secret list-versions --vault-name <KeyVaultName> --name <SecretName>
# List all certificates in a Key Vault
az keyvault certificate list --vault-name <KeyVaultName>
# List all deleted Key Vaults in the subscription
az keyvault list-deleted
# Get properties of a deleted Key Vault
az keyvault show-deleted --name <KeyVaultName>
# Get assigned roles
az role assignment list --include-inherited --scope "/subscriptions/<subscription-uuid>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"

# Get secret value
az keyvault secret show --vault-name <KeyVaultName> --name <SecretName>
# Get old versions secret value
az keyvault secret show --id https://<KeyVaultName>.vault.azure.net/secrets/<KeyVaultName>/<idOldVersion>

bash

# Get keyvault token
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER

# Connect with PS AzureAD
## $token from management API
Connect-AzAccount -AccessToken $token -AccountId 1937ea5938eb-10eb-a365-10abede52387 -KeyVaultAccessToken $keyvaulttoken

# Get details of a specific Key Vault
Get-AzKeyVault -VaultName <KeyVaultName>
# List all keys in a Key Vault
Get-AzKeyVaultKey -VaultName <KeyVaultName>
# List all secrets in a Key Vault
Get-AzKeyVaultSecret -VaultName <KeyVaultName>
# List all certificates in a Key Vault
Get-AzKeyVaultCertificate -VaultName <KeyVaultName>
# List all deleted Key Vaults in the subscription
Get-AzKeyVault -InRemovedState
# Get properties of a deleted Key Vault
Get-AzKeyVault -VaultName <KeyVaultName> -InRemovedState
# Get secret values
Get-AzKeyVaultSecret -VaultName <vault_name> -Name <secret_name> -AsPlainText

bash

#!/bin/bash

# Dump all keyvaults from the subscription

# Define Azure subscription ID
AZ_SUBSCRIPTION_ID="your-subscription-id"

# Specify the filename for output
CSV_OUTPUT="vault-names-list.csv"

# Login to Azure account
az login

# Select the desired subscription
az account set --subscription $AZ_SUBSCRIPTION_ID

# Retrieve all resource groups within the subscription
AZ_RESOURCE_GROUPS=$(az group list --query "[].name" -o tsv)

# Initialize the CSV file with headers
echo "Vault Name,Associated Resource Group" > $CSV_OUTPUT

# Iterate over each resource group
for GROUP in $AZ_RESOURCE_GROUPS
do
# Fetch key vaults within the current resource group
VAULT_LIST=$(az keyvault list --resource-group $GROUP --query "[].name" -o tsv)

# Process each key vault
for VAULT in $VAULT_LIST
do
# Extract the key vault's name
VAULT_NAME=$(az keyvault show --name $VAULT --resource-group $GROUP --query "name" -o tsv)

# Append the key vault name and its resource group to the file
echo "$VAULT_NAME,$GROUP" >> $CSV_OUTPUT
done
done

Kuinua Mamlaka

Az - Key Vault Privesc

Baada ya Kutekeleza

Az - Key Vault Post Exploitation

tip

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

HackTricks Cloud