Azure Blob Storage

This post investigates how Azure manages its blob storage, and how to create manage and list blob containers and attempt file enumeration and retrieval.

Like Google Storage, Azure Blobs are secure by default; a container and any blobs within it may only be accessed by the owner of the storage account. To give anonymous users read permissions to a container and its blobs, you can set the container permissions to allow public access. Anonymous users can read blobs within a publicly accessible container without authenticating the request.

You can configure a container with the following permissions:

• No public read access: The container and its blobs are private and can only be accessed by the storage account owner. This is the default for all new containers.
• Public read access for blobs only: Blobs within the container can be read by any anonymous Internet user. But container data is not available. Anonymous clients cannot enumerate the blobs within the container.
• Full public read access: All container and blob data can be read by anonymous Internet user. Clients can enumerate blobs within the container by anonymous request, but cannot enumerate containers within the storage account.

Creating a Blob Storage Area

First create a storage account:

Next Choose an appropriate Container

Using Azure Powershell

List Storage Accounts

> Get-AzureRMStorageAccount | Select StorageAccountName, Location

There are additional StorageAccounts depicted, first is for a web-shell interface in Azure, the last one is to gather diagnostics from a test virtual machine.

Using an existing Storage Account

> $resourceGroup = “test”

> $storageAccountName = “netscyllatest”

> $storageAccount = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccountName

Delete a Storage Account

> Remove-AzureRmStorageAccount -ResourceGroup $resourceGroup -AccountName $storageAccountName

List Blobs in a Container

Or list files (blobs) within a container

> $ctx = storageAccount.Context

>Get-AzureStorageBlob -Container $ContainerName -Context $ctx | select Name

Above you can see three containers:

test-blob = public blobs, private container test-cont = public blobs, public container * test-priv = private blobs, private container *=container data should be available but cannot be enumerated.

Test private blob access

To verify that you have no access to the blobs in that container, construct the URL to one of the blobs without a shared access signature and try to view the blob. Using the HTTPS protocol, the URL will be in the following format:

https://storageaccountname.blob.core.windows.net/containername/blobname

Example:

Conclusion

Attacking Azure blob containers is much more difficult than attacking AWS S3, and Google Storage as containers are not easily enumerated. Also to succeed in an attack; the attacker needs to know the specific name of the blob stored in the container.

References

• https://docs.microsoft.com/en-us/azure/storage/blobs/storage-manage-access-to-resources
• https://docs.microsoft.com/en-us/azure/storage/blobs/storage-how-to-use-blobs-powershell

---

Share on: