DEV Community

Eng Soon Cheah

Exfiltrating VM disks using PowerZure

  • Test at your own risk

1. In the PowerShell console, import the PowerZure module with the following commands.
[Image: screenshot of the commands]

2. Obtain a list of all unattached VM disks using the following command.
[Image: screenshot of the command]
The output of the command should list all managed disks that are not currently attached to a running VM, along with their encryption status. In your output, you should see a disk whose name starts with winvm02; make a note of the disk name, as it will be needed in the next step.

3. In the PowerShell console, use the following command to generate a publicly accessible URL to export the disk identified in the previous step. Replace the placeholder with the name of that disk.
[Image: screenshot of the command]
Get-AzureVMDisk is a PowerZure function that exploits the Disk Export feature to generate a link for downloading a VM's disk. You should get a URL in the command output. Make a note of this URL, as it will be needed in the next step.

4. This final step is completely optional. If you want to save time, bandwidth, and disk space, you can pause the exercise here and keep the technique in mind for when you run into disks in future tests. Outside of doing some forensics on the disk to find files and hashes, there is not much more to do with it at this point. If you do want to download the disk, open a web browser and browse to the URL obtained in the previous step to download the disk over the internet.
[Image: screenshot of the download in the browser]
At this point, we have the VHD file of the VM's disk. It can be mounted directly in another VM, and sensitive files and the Windows password hashes can be parsed out of it.
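The defender-side counterpart to the steps above, added here as an example (it is not part of the original post or of PowerZure): it lists disks that currently have an export link active, correlates each with the Activity Log entry showing who created the link and when, can revoke the link, and applies the network-access setting that blocks this export path for unattached disks. The function names Find-ExportedDisk and Deny-UnattachedDiskExport are my own; the code assumes the Az modules are installed and Connect-AzAccount has already been run.

```powershell
# Added defender-side example; not part of the original post or of PowerZure.
# Assumes the Az modules are installed and an existing Connect-AzAccount session
# with Reader rights (Contributor on the disks when -Revoke or hardening is used).
Import-Module Az.Accounts, Az.Compute, Az.Monitor

function Find-ExportedDisk {
    param(
        [int]$LookbackDays = 7,   # how far back to read the Activity Log (max 90)
        [switch]$Revoke           # also revoke the export SAS on each hit
    )
    # A disk export link (the Disk Export feature Get-AzureVMDisk relies on) keeps
    # the disk in the ActiveSAS state for as long as the link is valid.
    $exported = Get-AzDisk | Where-Object { $_.DiskState -eq 'ActiveSAS' }

    # Granting the link is logged as beginGetAccess on the disk resource; use it
    # to find who created the link and when.
    $grants = Get-AzActivityLog -StartTime (Get-Date).AddDays(-$LookbackDays) |
        Where-Object {
            $_.OperationName.Value -eq 'Microsoft.Compute/disks/beginGetAccess/action' -and
            $_.Status.Value -eq 'Succeeded'
        }

    foreach ($disk in $exported) {
        $grant = $grants |
            Where-Object { $_.ResourceId -eq $disk.Id } |   # -eq is case-insensitive
            Sort-Object EventTimestamp -Descending |
            Select-Object -First 1
        [pscustomobject]@{
            Disk          = $disk.Name
            ResourceGroup = $disk.ResourceGroupName
            Attached      = [bool]$disk.ManagedBy   # $false for the unattached disks step 2 lists
            Encryption    = $disk.Encryption.Type
            GrantedBy     = $grant.Caller
            GrantedAt     = $grant.EventTimestamp
        }
        if ($Revoke) {
            # Invalidates the download URL from step 3 immediately.
            Revoke-AzDiskAccess -ResourceGroupName $disk.ResourceGroupName -DiskName $disk.Name | Out-Null
        }
    }
}

# Preventive control: disks with NetworkAccessPolicy DenyAll cannot be exported,
# so the URL from step 3 can no longer be generated for them.
function Deny-UnattachedDiskExport {
    Get-AzDisk | Where-Object { -not $_.ManagedBy } | ForEach-Object {
        $cfg = New-AzDiskUpdateConfig -NetworkAccessPolicy DenyAll
        Update-AzDisk -ResourceGroupName $_.ResourceGroupName -DiskName $_.Name -DiskUpdate $cfg
    }
}
```

Run `Find-ExportedDisk` on a schedule to spot export links that were never requested by your own processes; DenyAll also blocks legitimate exports, so apply `Deny-UnattachedDiskExport` only to disks that are not expected to be exported.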

Reference
https://github.com/cheahengsoon/Penetration-Testing-Azure-for-Ethical-Hackers
