Created
August 26, 2024 13:12
-
-
Save dafthack/b0304ff3eb52c70ac44a837c83d55e9a to your computer and use it in GitHub Desktop.
Quick script to enumerate various things from an Azure Subscription.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-SubscriptionEnum{ | |
| param( | |
| [string]$outputDirectory = "." | |
| ) | |
| $context = Get-AzContext | |
| $subid = $context.Subscription.Id | |
| Write-Host -ForegroundColor Yellow ("[***] Enumerating Subscription " + $subid) | |
| $publicresources = @() | |
| $storageaccountlist = @() | |
| Write-Host -ForegroundColor Yellow "[*] Getting VMs" | |
| # Get all Virtual Machines with Public IP Addresses | |
| $vms = Get-AzVM | |
| $vmDnsNames = @() | |
| foreach ($vm in $vms) { | |
| $nic = Get-AzNetworkInterface -ResourceGroupName $vm.ResourceGroupName -Name $vm.NetworkProfile.NetworkInterfaces[0].Id.Split('/')[-1] | |
| # Check if the network interface has an IP configuration and public IP associated | |
| if ($nic.IpConfigurations[0].PublicIpAddress) { | |
| $publicIpName = $nic.IpConfigurations[0].PublicIpAddress.Id.Split('/')[-1] | |
| $publicIp = Get-AzPublicIpAddress -ResourceGroupName $vm.ResourceGroupName -Name $publicIpName | |
| # Ensure that the public IP object is not null | |
| if ($publicIp) { | |
| [PSCustomObject]@{ | |
| ResourceType = "Virtual Machine" | |
| Name = $vm.Name | |
| PublicIpAddress = $publicIp.IpAddress | |
| DnsName = $publicIp.DnsSettings.Fqdn | |
| } | |
| $publicresources += $publicIp.IpAddress | |
| } | |
| if ($publicIp.DnsSettings.Fqdn) { | |
| $publicresources += $publicIp.DnsSettings.Fqdn | |
| } | |
| } | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Public IPs" | |
| $publicIps = Get-AzPublicIpAddress | |
| # Create an array to store public IP details | |
| $publicIpDetails = @() | |
| foreach ($publicIp in $publicIps) { | |
| $publicIpDetails += [PSCustomObject]@{ | |
| ResourceType = "Public IP Address" | |
| Name = $publicIp.Name | |
| IpAddress = $publicIp.IpAddress | |
| DnsName = $publicIp.DnsSettings.Fqdn | |
| ResourceGroupName = $publicIp.ResourceGroupName | |
| } | |
| $publicresources += $publicIp.IpAddress | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Load Balancers" | |
| # Get all Load Balancers with Public IP Addresses | |
| $loadBalancers = Get-AzLoadBalancer | |
| foreach ($lb in $loadBalancers) { | |
| foreach ($frontendIp in $lb.FrontendIpConfigurations) { | |
| # Check if the FrontendIpConfiguration has a PublicIpAddress | |
| if ($frontendIp.PublicIpAddress) { | |
| $publicIpName = $frontendIp.PublicIpAddress.Id.Split('/')[-1] | |
| $publicIp = Get-AzPublicIpAddress -ResourceGroupName $lb.ResourceGroupName -Name $publicIpName | |
| # Ensure that the public IP object is not null | |
| if ($publicIp) { | |
| [PSCustomObject]@{ | |
| ResourceType = "Load Balancer" | |
| Name = $lb.Name | |
| PublicIpAddress = $publicIp.IpAddress | |
| DnsName = $publicIp.DnsSettings.Fqdn | |
| } | |
| $publicresources += $publicIp.IpAddress | |
| } | |
| } | |
| } | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting App Services" | |
| # Get all Azure App Services with DNS Names | |
| $appServices = Get-AzWebApp | |
| foreach ($appService in $appServices) { | |
| [PSCustomObject]@{ | |
| ResourceType = "App Service" | |
| Name = $appService.Name | |
| DnsName = $appService.DefaultHostName | |
| } | |
| $publicresources += $appService.DefaultHostName | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Databases" | |
| # Get all SQL Databases with DNS Names | |
| $sqlServers = Get-AzSqlServer | |
| foreach ($sqlServer in $sqlServers) { | |
| [PSCustomObject]@{ | |
| ResourceType = "SQL Database" | |
| Name = $sqlServer.FullyQualifiedDomainName | |
| DnsName = $sqlServer.FullyQualifiedDomainName | |
| } | |
| $publicresources += $sqlServer.FullyQualifiedDomainName | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Storage Accounts" | |
| # Get all Storage Accounts with DNS Names | |
| $storageAccounts = Get-AzStorageAccount | |
| foreach ($storageAccount in $storageAccounts) { | |
| $primaryEndpoints = $storageAccount.PrimaryEndpoints | |
| # Remove the 'https://' prefix and the trailing '/' from the Blob endpoint | |
| $blobEndpoint = ($primaryEndpoints.Blob -replace "https://", "").TrimEnd('/') | |
| # Create a custom object with the processed DNS name | |
| [PSCustomObject]@{ | |
| ResourceType = "Storage Account" | |
| Name = $storageAccount.StorageAccountName | |
| DnsName = $blobEndpoint | |
| } | |
| # Add the processed DNS name to the public resources array | |
| $storageaccountlist += $blobEndpoint | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Azure Functions" | |
| # Get all Azure Functions with DNS Names | |
| $functions = Get-AzFunctionApp | |
| foreach ($function in $functions) { | |
| [PSCustomObject]@{ | |
| ResourceType = "Function App" | |
| Name = $function.Name | |
| DnsName = $function.DefaultHostName | |
| } | |
| $publicresources += $function.DefaultHostName | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Containers (ACR)" | |
| # Get all Container Registries with DNS Names | |
| $containerRegistries = Get-AzContainerRegistry | |
| foreach ($containerRegistry in $containerRegistries) { | |
| [PSCustomObject]@{ | |
| ResourceType = "Container Registry" | |
| Name = $containerRegistry.Name | |
| DnsName = $containerRegistry.LoginServer | |
| } | |
| $publicresources += $containerRegistry.LoginServer | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Kubernetes (AKS)" | |
| # Azure Kubernetes Service (AKS) | |
| $aksClusters = Get-AzAksCluster | |
| foreach ($aks in $aksClusters) { | |
| [PSCustomObject]@{ | |
| ResourceType = "AKS Cluster" | |
| Name = $aks.Name | |
| DnsName = $aks.DnsPrefix + ".hcp." + $aks.Location + ".azmk8s.io" | |
| } | |
| $publicresources += $aks.DnsPrefix + ".hcp." + $aks.Location + ".azmk8s.io" | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Front Door" | |
| # Azure Front Door | |
| $frontDoors = Get-AzFrontDoor | |
| foreach ($fd in $frontDoors) { | |
| [PSCustomObject]@{ | |
| ResourceType = "Front Door" | |
| Name = $fd.Name | |
| DnsName = $fd.Hostname | |
| } | |
| $publicresources += $fd.Hostname | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Traffic Manager" | |
| # Azure Traffic Manager | |
| $trafficManagers = Get-AzTrafficManagerProfile | |
| foreach ($tm in $trafficManagers) { | |
| [PSCustomObject]@{ | |
| ResourceType = "Traffic Manager" | |
| Name = $tm.Name | |
| DnsName = $tm.DnsName + ".trafficmanager.net" | |
| } | |
| $publicresources += $tm.DnsName + ".trafficmanager.net" | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting CDNs" | |
| # Retrieve all CDN profiles | |
| $cdnProfiles = Get-AzCdnProfile | |
| foreach ($profile in $cdnProfiles) { | |
| # Retrieve all endpoints for each CDN profile | |
| $cdnEndpoints = Get-AzCdnEndpoint -ProfileName $profile.Name -ResourceGroupName $profile.ResourceGroupName | |
| foreach ($cdnEndpoint in $cdnEndpoints) { | |
| [PSCustomObject]@{ | |
| ResourceType = "CDN Endpoint" | |
| ProfileName = $profile.Name | |
| EndpointName = $cdnEndpoint.Name | |
| DnsName = $cdnEndpoint.HostName | |
| } | |
| $publicresources += $cdnEndpoint.HostName | |
| } | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Bastion" | |
| # Azure Bastion | |
| $bastions = Get-AzBastion | |
| foreach ($bastion in $bastions) { | |
| $bastionIp = Get-AzPublicIpAddress -ResourceGroupName $bastion.ResourceGroupName -Name $bastion.IpConfigurations[0].PublicIpAddress.Id.Split('/')[-1] | |
| if ($bastionIp) { | |
| [PSCustomObject]@{ | |
| ResourceType = "Bastion" | |
| Name = $bastion.Name | |
| PublicIpAddress = $bastionIp.IpAddress | |
| DnsName = $bastionIp.DnsSettings.Fqdn | |
| } | |
| $publicresources += $bastionIp.DnsSettings.Fqdn | |
| } | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Redis Cache" | |
| # Azure Redis Cache | |
| $redisCaches = Get-AzRedisCache | |
| foreach ($redis in $redisCaches) { | |
| [PSCustomObject]@{ | |
| ResourceType = "Redis Cache" | |
| Name = $redis.Name | |
| DnsName = $redis.HostName | |
| } | |
| $publicresources += $redis.HostName | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting API Management" | |
| # Azure API Management | |
| $apiManagementServices = Get-AzApiManagement | |
| foreach ($apiMgmt in $apiManagementServices) { | |
| [PSCustomObject]@{ | |
| ResourceType = "API Management" | |
| Name = $apiMgmt.Name | |
| DnsName = $apiMgmt.GatewayUrl | |
| } | |
| $publicresources += $apiMgmt.GatewayUrl | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting DNS Zones" | |
| # Azure DNS Zones | |
| $dnsZones = Get-AzDnsZone | |
| foreach ($dnsZone in $dnsZones) { | |
| [PSCustomObject]@{ | |
| ResourceType = "DNS Zone" | |
| Name = $dnsZone.Name | |
| DnsName = $dnsZone.Name | |
| } | |
| $publicresources += $dnsZone.Name | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting Application Gateway" | |
| # Azure Application Gateway | |
| $appGateways = Get-AzApplicationGateway | |
| foreach ($appGateway in $appGateways) { | |
| foreach ($frontendIp in $appGateway.FrontendIpConfigurations) { | |
| $publicIp = Get-AzPublicIpAddress -ResourceGroupName $appGateway.ResourceGroupName -Name $frontendIp.PublicIpAddress.Id.Split('/')[-1] | |
| if ($publicIp) { | |
| [PSCustomObject]@{ | |
| ResourceType = "Application Gateway" | |
| Name = $appGateway.Name | |
| PublicIpAddress = $publicIp.IpAddress | |
| DnsName = $publicIp.DnsSettings.Fqdn | |
| } | |
| $publicresources += $publicIp.DnsSettings.Fqdn | |
| } | |
| } | |
| } | |
| Write-Host -ForegroundColor Yellow "[*] Getting SignalR Service" | |
| # Azure SignalR Service | |
| $signalRServices = Get-AzSignalR | |
| foreach ($signalR in $signalRServices) { | |
| [PSCustomObject]@{ | |
| ResourceType = "SignalR Service" | |
| Name = $signalR.Name | |
| DnsName = $signalR.HostName | |
| } | |
| $publicresources += $signalR.HostName | |
| } | |
| Write-Host -ForegroundColor Yellow "[***] Sorting..." | |
| Write-Host "------------------IPs & DNS Addresses----------------" | |
| $publicresources | sort -u | |
| $publicresources | sort -u | Out-File ("$outputDirectory\$subid-PublicResources.txt") | |
| Write-Host "-----------------------------------------------------" | |
| Write-Host "--------------------Storage Accounts-----------------" | |
| $storageaccountlist | sort -u | |
| $storageaccountlist | sort -u | Out-File ("$outputDirectory\$subid-StorageAccounts.txt") | |
| Write-Host ("[+] Results have been written to " + $outputDirectory + "\" + $subid + "-StorageAccounts.txt" + " and " + $outputDirectory + "\" + $context.subid + "-PublicResources.txt") | |
| Write-Host "-----------------------------------------------------" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment