Skip to content

Commit

Permalink
Merge pull request #117 from JaimePolop/master
Browse files Browse the repository at this point in the history 
Service Bus
  • Loading branch information
@carlospolop
carlospolop authored Dec 2, 2024
2 parents 2fe8365 + ea841b9 commit 65edea3
Show file tree
Hide file tree
Showing 4 changed files with 422 additions and 0 deletions.
3 changes: 3 additions & 0 deletions SUMMARY.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -411,6 +411,7 @@
* [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md)
* [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md)
* [Az - Queue Storage](pentesting-cloud/azure-security/az-services/az-queue-enum.md)
* [Az - Service Bus](pentesting-cloud/azure-security/az-services/az-servicebus-enum.md)
* [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md)
* [Az - Key Vault](pentesting-cloud/azure-security/az-services/keyvault.md)
* [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md)
Expand Down Expand Up @@ -441,13 +442,15 @@
* [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md)
* [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
* [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md)
* [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md)
* [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md)
* [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
* [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md)
* [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md)
* [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md)
* [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md)
* [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md)
* [Az - Service Bus Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md)
* [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md)
* [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md)
* [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md)
Expand Down
136 changes: 136 additions & 0 deletions ...ng-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,136 @@
# Az - Service Bus Post Exploitation

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Service Bus

For more information check:

{% content-ref url="../az-services/az-servicebus-enum.md" %}
[az-servicebus-enum.md](../az-services/az-servicebus-enum.md)
{% endcontent-ref %}

### Actions: `Microsoft.ServiceBus/namespaces/Delete`

An attacker with this permission can delete an entire Azure Service Bus namespace. This action removes the namespace and all associated resources, including queues, topics, subscriptions, and their messages, causing widespread disruption and permanent data loss across all dependent systems and workflows.

{% code overflow="wrap" %}
```bash
az servicebus namespace delete --resource-group <ResourceGroupName> --name <NamespaceName>
```
{% endcode %}

### Actions: `Microsoft.ServiceBus/namespaces/topics/Delete`

An attacker with this permission can delete an Azure Service Bus topic. This action removes the topic and all its associated subscriptions and messages, potentially causing loss of critical data and disrupting systems and workflows relying on the topic.

{% code overflow="wrap" %}
```bash
az servicebus topic delete --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <TopicName>
```
{% endcode %}

### Actions: `Microsoft.ServiceBus/namespaces/queues/Delete`

An attacker with this permission can delete an Azure Service Bus queue. This action removes the queue and all the messages within it, potentially causing loss of critical data and disrupting systems and workflows dependent on the queue.

{% code overflow="wrap" %}
```bash
az servicebus queue delete --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <QueueName>
```
{% endcode %}

### Actions: `Microsoft.ServiceBus/namespaces/topics/subscriptions/Delete`

An attacker with this permission can delete an Azure Service Bus subscription. This action removes the subscription and all its associated messages, potentially disrupting workflows, data processing, and system operations relying on the subscription.

{% code overflow="wrap" %}
```bash
az servicebus topic subscription delete --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --topic-name <TopicName> --name <SubscriptionName>
```
{% endcode %}

### Actions: `Microsoft.ServiceBus/namespaces/write` & `Microsoft.ServiceBus/namespaces/read`

An attacker with permissions to create or modify Azure Service Bus namespaces can exploit this to disrupt operations, deploy unauthorized resources, or expose sensitive data. They can alter critical configurations such as enabling public network access, downgrading encryption settings, or changing SKUs to degrade performance or increase costs. Additionally, they could disable local authentication, manipulate replica locations, or adjust TLS versions to weaken security controls, making namespace misconfiguration a significant post-exploitation risk.

{% code overflow="wrap" %}
```bash
az servicebus namespace create --resource-group <ResourceGroupName> --name <NamespaceName> --location <Location>
az servicebus namespace update --resource-group <ResourceGroupName> --name <NamespaceName> --tags <Key=Value>
```
{% endcode %}


### Actions: `Microsoft.ServiceBus/namespaces/queues/write` (`Microsoft.ServiceBus/namespaces/queues/read`)

An attacker with permissions to create or modify Azure Service Bus queues (to modiffy the queue you will also need the Action:`Microsoft.ServiceBus/namespaces/queues/read`) can exploit this to intercept data, disrupt workflows, or enable unauthorized access. They can alter critical configurations such as forwarding messages to malicious endpoints, adjusting message TTL to retain or delete data improperly, or enabling dead-lettering to interfere with error handling. Additionally, they could manipulate queue sizes, lock durations, or statuses to disrupt service functionality or evade detection, making this a significant post-exploitation risk.

{% code overflow="wrap" %}
```bash
az servicebus queue create --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <QueueName>
az servicebus queue update --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <QueueName>
```
{% endcode %}

### Actions: `Microsoft.ServiceBus/namespaces/topics/write` (`Microsoft.ServiceBus/namespaces/topics/read`)

An attacker with permissions to create or modify topics (to modiffy the topic you will also need the Action:`Microsoft.ServiceBus/namespaces/topics/read`) within an Azure Service Bus namespace can exploit this to disrupt message workflows, expose sensitive data, or enable unauthorized actions. Using commands like az servicebus topic update, they can manipulate configurations such as enabling partitioning for scalability misuse, altering TTL settings to retain or discard messages improperly, or disabling duplicate detection to bypass controls. Additionally, they could adjust topic size limits, change status to disrupt availability, or configure express topics to temporarily store intercepted messages, making topic management a critical focus for post-exploitation mitigation.

{% code overflow="wrap" %}
```bash
az servicebus topic create --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <TopicName>
az servicebus topic update --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --name <TopicName>
```
{% endcode %}

### Actions: `Microsoft.ServiceBus/namespaces/topics/subscriptions/write` (`Microsoft.ServiceBus/namespaces/topics/subscriptions/read`)

An attacker with permissions to create or modify subscriptions (to modiffy the subscription you will also need the Action: `Microsoft.ServiceBus/namespaces/topics/subscriptions/read`) within an Azure Service Bus topic can exploit this to intercept, reroute, or disrupt message workflows. Using commands like az servicebus topic subscription update, they can manipulate configurations such as enabling dead lettering to divert messages, forwarding messages to unauthorized endpoints, or modifying TTL and lock duration to retain or interfere with message delivery. Additionally, they can alter status or max delivery count settings to disrupt operations or evade detection, making subscription control a critical aspect of post-exploitation scenarios.


{% code overflow="wrap" %}
```bash
az servicebus topic subscription create --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --topic-name <TopicName> --name <SubscriptionName>
az servicebus topic subscription update --resource-group <ResourceGroupName> --namespace-name <NamespaceName> --topic-name <TopicName> --name <SubscriptionName>
```
{% endcode %}


### Actions: `AuthorizationRules` Send & Recive Messages

Take a look here:

{% content-ref url="../az-services/az-queue-privesc.md" %}
[az-queue-privesc.md](../az-services/az-queue-privesc.md)
{% endcontent-ref %}

## References

* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api
* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
* https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless
* https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus
* https://learn.microsoft.com/en-us/cli/azure/servicebus/namespace?view=azure-cli-latest
* https://learn.microsoft.com/en-us/cli/azure/servicebus/queue?view=azure-cli-latest

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
164 changes: 164 additions & 0 deletions pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,164 @@
# Az - Service Bus Privesc

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Service Bus

For more information check:

{% content-ref url="../az-services/az-servicebus-enum.md" %}
[az-servicebus-enum.md](../az-services/az-servicebus-enum.md)
{% endcontent-ref %}


### Send Messages. Action: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OR `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action`

You can retrieve the `PrimaryConnectionString`, which acts as a credential for the Service Bus namespace. With this connection string, you can fully authenticate as the Service Bus namespace, enabling you to send messages to any queue or topic and potentially interact with the system in ways that could disrupt operations, impersonate valid users, or inject malicious data into the messaging workflow.

{% code overflow="wrap" %}
```python
#You need to install the following libraries
#pip install azure-servicebus
#pip install aiohttp
#pip install azure-identity

import asyncio
from azure.servicebus.aio import ServiceBusClient
from azure.servicebus import ServiceBusMessage

# Constants
NAMESPACE_CONNECTION_STR = "<PrimaryConnectionString>"
TOPIC_NAME = "<TOPIC_NAME>"

# Function to send a single message to a Service Bus topic
async def send_individual_message(publisher):
# Prepare a single message with updated content
single_message = ServiceBusMessage("Hacktricks-Training: Single Item")
# Send the message to the topic
await publisher.send_messages(single_message)
print("Sent a single message containing 'Hacktricks-Training'")

# Function to send multiple messages to a Service Bus topic
async def send_multiple_messages(publisher):
# Generate a collection of messages with updated content
message_list = [ServiceBusMessage(f"Hacktricks-Training: Item {i+1} in list") for i in range(5)]
# Send the entire collection of messages to the topic
await publisher.send_messages(message_list)
print("Sent a list of 5 messages containing 'Hacktricks-Training'")

# Function to send a grouped batch of messages to a Service Bus topic
async def send_grouped_messages(publisher):
# Send a grouped batch of messages with updated content
async with publisher:
grouped_message_batch = await publisher.create_message_batch()
for i in range(10):
try:
# Append a message to the batch with updated content
grouped_message_batch.add_message(ServiceBusMessage(f"Hacktricks-Training: Item {i+1}"))
except ValueError:
# If batch reaches its size limit, handle by creating another batch
break
# Dispatch the batch of messages to the topic
await publisher.send_messages(grouped_message_batch)
print("Sent a batch of 10 messages containing 'Hacktricks-Training'")

# Main function to execute all tasks
async def execute():
# Instantiate the Service Bus client with the connection string
async with ServiceBusClient.from_connection_string(
conn_str=NAMESPACE_CONNECTION_STR,
logging_enable=True) as sb_client:
# Create a topic sender for dispatching messages to the topic
publisher = sb_client.get_topic_sender(topic_name=TOPIC_NAME)
async with publisher:
# Send a single message
await send_individual_message(publisher)
# Send multiple messages
await send_multiple_messages(publisher)
# Send a batch of messages
await send_grouped_messages(publisher)

# Run the asynchronous execution
asyncio.run(execute())
print("Messages Sent")
print("----------------------------")

```
{% endcode %}

### Recieve Messages. Action: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OR `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action`
You can retrieve the PrimaryConnectionString, which serves as a credential for the Service Bus namespace. Using this connection string, you can receive messages from any queue or subscription within the namespace, allowing access to potentially sensitive or critical data, enabling data exfiltration, or interfering with message processing and application workflows.

{% code overflow="wrap" %}
```python
#You need to install the following libraries
#pip install azure-servicebus
#pip install aiohttp
#pip install azure-identity

import asyncio
from azure.servicebus.aio import ServiceBusClient

NAMESPACE_CONNECTION_STR = "<PrimaryConnectionString>"
TOPIC_NAME = "<TOPIC_NAME>"
SUBSCRIPTION_NAME = "<TOPIC_SUBSCRIPTION_NAME>" #Topic Subscription

# Function to receive and process messages from a Service Bus subscription
async def receive_and_process_messages():
# Create a Service Bus client using the connection string
async with ServiceBusClient.from_connection_string(
conn_str=NAMESPACE_CONNECTION_STR,
logging_enable=True) as servicebus_client:

# Get the Subscription Receiver object for the specified topic and subscription
receiver = servicebus_client.get_subscription_receiver(
topic_name=TOPIC_NAME,
subscription_name=SUBSCRIPTION_NAME,
max_wait_time=5
)

async with receiver:
# Receive messages with a defined maximum wait time and count
received_msgs = await receiver.receive_messages(
max_wait_time=5,
max_message_count=20
)
for msg in received_msgs:
print("Received: " + str(msg))
# Complete the message to remove it from the subscription
await receiver.complete_message(msg)

# Run the asynchronous message processing function
asyncio.run(receive_and_process_messages())
print("Message Receiving Completed")
print("----------------------------")
```


## References

* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api
* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
* https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless
* https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Loading

0 comments on commit 65edea3

Please sign in to comment.