Microsoft Azure is a virtual server service that also provides services, such as databases. While Azure maintains the services that it supplies, account security and the integrity of the software that you install are your responsibility.
There are a number of tools that you can use to perform automated sweeps of your Azure resources and others that you can use to support your own penetration testing exercises.
Here is our list of the nine best Azure penetration testing tools:
- Intruder EDITOR’S CHOICE A cloud-based vulnerability scanner that can be launched on demand or on a schedule. Enjoy unlimited on-demand scanning for continuous security monitoring of on-premises systems and cloud services, including Azure accounts. Get a 14-day free trial.
- Invicti A package of testing systems that can be used for automated procedures during penetration testing, as a vulnerability manager, or as a continuous testing tool in a CI/CD pipeline. This system is available as a SaaS package or as software for installation on Windows.
- Acunetix This vulnerability scanner for Web applications and networks can be used as a penetration testing tool and it is able to scan a range of systems, including Azure. Available as a SaaS platform or for installation on Windows, macOS, and Linux.
- Azucar A free PowerShell utility that runs on Windows but probes the statuses of Azure services, particularly Azure AD and databases.
- BloodHound Offered in free and paid versions, this tool focuses on attack strategies that can hit Active Directory implementations, including Azure AD. It runs on Windows, macOS, and Linux.
- PowerZure This free PowerShell utility is built to assess the security of Azure services with permission. It runs within your Azure account.
- ROADtools A free explorer that examines Azure AD structures and assesses them for security weaknesses. It installs on your Azure account.
- Stormspotter An attack surface grapher that identifies weaknesses in Azure and Azure AD. It runs over Docker.
- Burp Suite Available in both free and paid versions, this proxy-based system offers a range of penetration tools and can be run on Azure.
You can read more about each of these tools in the following sections.
Penetration testing is a manual process. Automated security tools are called vulnerability managers. There are some tools that fall between these two categories. These are able to perform repetitive tasks, such as brute force password guessing but they don’t sequence through a full series of vulnerability checks. Some packages can be set to operate as vulnerability managers or as penetration testing tools.
Azure penetration testing ground rules
Microsoft expects customers of Azure to test the system for security weaknesses and even invites account holders to report discovered weaknesses that require system fixes to resolve.
There are just a few rules that you need to stick to when performing penetration testing on Azure. If you break these rules, you could get your Azure account shut down or even get sued.
The rules you need to follow are:
- Don’t try to break into the accounts of other Azure customers – stick to your own account.
- Don’t try to capture or alter the data of other Azure customers.
- Don’t attempt phishing, doxing, or social engineering on Azure technicians.
- Don’t perform a DDoS attack.
- Don’t use automated testing utilities that generate a high volume of traffic in a short space of time.
- Don’t break the Microsoft Online Subscription Agreement.
For more information, see the Azure guidance on penetration testing.
The rules that Microsoft imposes on testing for Azure accounts might tie the hands of many white hat hackers, who are willing to try any of the techniques used by hackers in order to test the security of a system.
It could be said that you won’t get a full assessment of your Azure account’s resilience to hacker attack if your penetration testing tool is tied by the rules laid down for the use of an Azure account.
Some independent penetration testing services might prefer to break the rules. You might think that contracting a consultancy to break into your Azure account gets around the restrictions imposed by Microsoft. However, they don’t because the service argues that you should specify the parameters of an investigation when you agree to a contract with the penetration testing service so that banned activities are prevented.
Best Azure Penetration Testing Tools
Although penetration testing is a specialized niche in IT security management, there is a surprisingly wide definition of what constitutes a penetration testing tool. Many commonly-used network management utilities that are built into the operating system can be used for system research. Ping, for example, is often used to probe networks both by network administrators and by hackers.
This means that this guide will present a range of tools that include system probes and attack utilities.
Our methodology for selecting Azure penetration testing tools:
We reviewed the market for Azure penetration testing packages and analyzed tools based on the following criteria:
- A probe or a hacking utility that can examine an Azure resource from an external location.
- A degree of automation
- A tool that can speed up checks for the OWASP Top 10
- Systems that can run on Linux or Windows
- Cloud-based options
- A free tool or a free trial period to assess the tool without paying
- Value for money from a useful utility or a free tool that is worth getting to know
As penetration testing models the behavior of hackers, tools for the job don’t need you to log into the system first. This also means that these penetration testing systems are versatile and not limited to probing one specific system. They can usually test on-site systems and a range of cloud platforms, such as Azure and AWS.
This list includes both free and paid tools. You should expect to get a better interface and more capabilities from the paid tools than from the free systems. However, you can put together your own penetration toolset by selecting a number of these recommended utilities.
1. Intruder (FREE TRIAL)
Intruder is a SaaS vulnerability scanner that is built around a vulnerability scanner and managed by experienced penetration testers. This system offers options for monthly scheduled scans and continuous testing. You also get access to the controls of the vulnerability scanner, giving you the option to launch a scan whenever you want.
The Intruder system is an external scanner, which is able to check on cloud systems, such as Azure. Integrations with the cloud platforms enable the scanner to fully document its findings of configuration weaknesses in terms of the services that the customer subscribes to. Web application scanning is also included with all of the plans of the Intruder service and higher plans also get internal scanning for networks and on-site applications.
- External scanning
- Cloud account scanning for Azure and other platforms
- Integration with collaboration and project management services
- Web application scanning
- Scheduled or on demand
Intruder provides a CloudBot for Azure, AWS, and GCP that constantly checks for abandoned connections and requests from illogical sources. You might have many accounts on each platform because, technically, each service operates on its own separate system even though a single sign-on mechanism makes it seem that they are all added to your core platform subscription. The Intruder system isn’t blocked by service account segmentation and scans across services.
The Intruder service provides a comprehensive hosted vulnerability scanning solution, leveraging the expertise of third-party tools to enhance its capabilities. The base package, known as the Essential plan, incorporates the powerful OpenVAS scanner. For advanced features, the Pro and Premium plans include the Tenable Nessus vulnerability scanner. The SaaS package also includes storage for comprehensive details on detected vulnerabilities, which are carefully overseen by the dedicated team of penetration testers. Additionally, users have the option to request a manual pen testing exercise from our experienced professionals.
- Option for continuous scanning for security monitoring
- Guidance of vulnerability remediation
- Scans connections to Azure services
- Identifies weaknesses in Web applications
- Project management integration
- Only the top-tier plan unlocks all features
Intruder is a SaaS platform with three plan levels. You can assess the system with a 14-day free trial.
Intruder is our top pick for an Azure penetration testing tool because it offers automated testing that has its results verified by human penetration testers. This is a money saver on the fully manual penetration testing scenario but it still offers the option of a full pentesting service if you need it. This is like having a pen testing team on retainer. Three plan levels make this tool accessible to businesses of all sizes. Users of the Azure platform get external testing, Web application scanning, and internal service connection checking.
Download: Get 14-day FREE Trial
Official Site: https://portal.intruder.io/free_trial
Invicti is a web application vulnerability scanner. It runs from an external viewpoint, so it is able to test applications no matter where they are hosted because the scanner focuses on individual packages rather than hosting systems.
The scanner can be of use to penetration testers because it gives an automated assessment of an application. The package has three modes, enabling it to be run on-demand, on a schedule, or continuously as part of a CI/CD pipeline.
- Deployment options
- External attack assessment
- Run as a penetration tool or as a continuous tester
- On-demand or scheduled
- Azure Boards integration
When used for automated testing, the Invicti environment can be set up to report findings through to Azure Boards. This enables the use of the test to quickly check through an application, flag issues through Azure Boards, and automatically route those issues through to a pen tester for further investigation.
As well as checking for standard exploits, the Invicti system uses AI to identify potential run conditions that could compromise the security of an application. It can also spot combinations of events that would create a security loophole.
- Useful for an initial scan in a pen testing scenario
- Flags issues for investigation
- Speeds up penetration testing
- Reduces penetration testing team size
- Integrates with team and project management tools and bug trackers
- More of a vulnerability manager than a penetration testing tool
Invicti is offered as a SaaS platform and also for installation on Windows and Windows Server. It can be assessed by accessing a demo system.
Acunetix is a vulnerability scanner that runs both internal and external checks. This automated tester can be used for an initial sweep of a system and it can also be launched on demand, focusing on specific strategies, making it a pen-testing tool..
The secret weapon of Acunetix is that it can integrate OpenVAS into its runs, including reports from that tool into its own assessments. This gives it a strong internal vulnerability report that can tell you what a hacker could do once he got inside your system.
- External scans
- Triage tool to speed up the investigation
- Includes OpenVAS
- Routes through project management tools
Acunetix can be triggered by project management tools and feed results through to bug trackers, letting you use the package to pre-scan a system and then automatically allocate investigation tasks to human pen-testers. This greatly cuts down the time that a penetration testing exercise can take and reduces the number of white hat hackers that you need on staff.
- Can be used in CI/CD pipelines
- Manual option for trial-and-error probing
- Cost cutter
- Project management automation
- Doesn’t break into systems, just checks on the possibility
Acunetix is available as a SaaS platform or as a software package for Windows, macOS, and Linux. Assess Acunetix through its demo system.
Azucar is a PowerShell utility that assesses Azure accounts to which it is given access. This package won’t try to break into your Azure security, it will explore it from the inside and let you know where potential problems lie.
If you want to perform a full red team exercise, you could run this tool first and then hand a list of issues to your hacker team to see if they can use them to break in.
- Won’t break the rules of Azure
- Assesses AD setup
- Checks database security
The areas covered by this tool include general virtual server security, Azure AD, and the database services offered by the platform. Use this system for an initial research phase.
- Only operates on behalf of the Azure account owner
- Extracts a report on Azure account settings
- Fast scans
- Command line tool
Azucar is free to use and you can download it from GitHub. The utility runs on Windows through PowerShell.
BloodHound is a free tool that focuses on all implementations of Active Directory no matter what applications they govern, or where they are hosted, so it will work for Azure AD.
This system uses a graphing system to map through permissions in AD and identify weaknesses.
- Reveals access attack paths
- Nice front end
- Useful for both red and blue teams
You can use BloodHound to proactively defend a system or to find a route for attack. It is able to spot very complicated attack paths that the human eye could not possibly assess.
- Easy to use
- Good for attack and defense purposes
- Free version available
- Results need to be interpreted
The paid version of this system is called BloodHound Enterprise and you can get a demo of it. There is a free version called BloodHound Open-Source, which can be downloaded from GitHub.
PowerZure is a free tool that is written in PowerShell. This package won’t help you break into an Azure account because you need to give it an access credentials token before it can extract data from your Azure resources.
- Keeps within the Azure rules
- Maps AD permissions
- Identifies attack paths
The PowerZure package includes routines for mapping access rights that are extracted from Azure AD. This information can help your red team to plan an attack strategy or let your blue team see which permissions need to be tightened in order to defend the system.
- Exportable results
- Detailed examination of permissions in AD
- Useful for system administrators
- Doesn’t include attack utilities
PowerZure runs from within Azure or remotely from a device running Windows. Download the package from GitHub.
ROADtools is a library of procedures that can be used to assess Azure AD security issues. The package requires you to create a program of your own in order to run these processes. However, that doesn’t need to be much more than a basic script.
The processes extract AD data and put them into a database. You can then use a querying front end, provided with the library, to access the database’s entries. The system doesn’t break into the Azure account but as it is a set of procedures, you could add in functions from other sources to create an attack utility.
- Built-it-yourself package
- Creates a database
- Focused on Active Directory analysis
The database that ROADtools creates isn’t just a copying over of Active Directory records. The entries in the database include a structure index, which shows you the relationships between records. The querying interface is also more than just a data viewer because it is able to reassemble the recorded structure into a hierarchy and identify security weaknesses in the configuration.
- Flexible set of processes
- Use for research into access paths
- Helps identify security weaknesses
- Not a complete facility
The ROADtools library is written in Python, so you can run the functions on any operating system that has Python installed on it – including on Azure. Download the package for free from GitHub.
Stormspotter is a free utility that has a nice graphical front end and shows the relationship between records in Azure AD. It is also able to query Azure Resource Manager. This isn’t an attack system because it requires you to give it access credentials for your Azure account.
- Complies with Azure rules
- Useful for investigations
- Greats a visual map of access rights and permissions
- Not an attack tool
You would use Stormspotter for blue team defense rather than to attack Azure instances. This system runs over Docker and you can download it for free from GitHub.
9. Burp Suite
Burp Suite is available for free with a Community Edition. There is a paid version, called the Professional Edition. The free version offers penetration testing tools, while the paid system also has automated testing systems that can be used for vulnerability scanning. There is also a higher plan, called the Enterprise Edition, which is a full vulnerability scanner.
- Use for research and for attack
- Variables automatically copied between screens
- Version for Azure
BurpSuite operates by launching a proxy and then using that as a launch pad for external attacks. This enables the system to act as an external attack tool even though it is hosted on the system that is being tested.
- Easy to use
- Offers a range of attacks
- Allows variables to be entered into a file for automatic cycling
- Don’t be drawn into the paid version’s vulnerability scanner
Burp Suite runs Windows, macOS, Linux, and also Azure. Download the Community edition for free or get a free trial of the Professional edition.