ZorkAzure – Enumerating Azure Resources

When using Azure resources, the naming convention is somewhat irrelevant isn’t it? Well no…..

The naming of the resource is very important. The reason why is that Azure follows the same patterns for its resources. For example:

  • Blob storage: http://mystorageaccount.blob.core.windows.net
  • Table storage: http://mystorageaccount.table.core.windows.net
  • Queue storage: http://mystorageaccount.queue.core.windows.net
  • Azure Files: http://mystorageaccount.file.core.windows.net
  • Database: mystorageaccount.database.windows.net

As you can see, for an attacker it would be easy to find your resources should you use your company name.

I’m not saying you have to go overboard with the naming convention but do consider how you are accessing it. If it’s mapped through automation and requires no user input, having it set to random characters would not hinder access. It would also not reveal anything to the attacker.

There are tools out there at the minute mainly scan for keywords and domains. I would recommend you avoid using your registered domains or keywords such as file, department, share, finance, payment, archive and sensitive when naming your resource. These will look somewhat inviting.

As mentioned in my Azure series, a lot of default are set to allow access from the internet. In this case, even if it isn’t set, you can still resolve the DNS entry. That means you or I can identify what is live and what isn’t.

This is the Default which allows the scan:

Even when it’s locked down, it can still be resolved:

This is why I’ve created a simply PowerShell script to help identify your Azure resources. I’m aware that this can be used for both good and bad however, its intentions are pure.

You should be scanning your own environment frequently to find exposed services as often they are found due to user error.

ZorkAzure

I thought the naming is quite cool to be honest. Because PowerShell has a simple Test-NetConnection module, we can use that to query the resources.

Download here: https://github.com/ctrlaltdel-blog/ZorkAzure

To use ZorkAzure, first import the PS1 file:

import-module .\zorkazure.ps1

Once done, simply run zorkazure.
You will need to generate a wordlist and enter the location as so:

Once ran, Zorkazure will run each word against each domain mentioned above. If it resolves, it will display them, If not, it will move onto the next one:

As you can see, namethatisntreal doesn’t resolve so it skips it.

If PowerShell isn’t your thing, you could always use Google Dorks:

or……

As you can see, naming does matter so be careful what you chose.