This article is workshop content and contains instructions for testing security resources on Azure such as:
To test this scenario, a virtual machine running Ubuntu with DVWA (Damn Vulnerable Web Application) will be used as the target whose vulnerabilities we want to detect. ARM templates are also available here: https://github.com/fabioharams/azsecurityworkshop/tree/master/template
This environment will also support other workshops (under development):
Francesco Molfese | Microsoft MVP
Rodrigo Immaginario | Microsoft MVP & Regional Director
You can use any public region; the features used in this lab do not require a specific one. The steps below assume East US.
Create a VNET in the same region as the Resource Group, with the settings below:
Note: you can create the Bastion host (and its subnet) while creating the VNET. I recommend doing it later, because the same steps can then be reused for other VNETs. Feel free to do it now if you have more experience with Azure VNETs.
Follow these steps to use Azure Bastion. This is important because the VM was created without a public IP address, so Bastion is the only way to reach it.
Want more information? Here you can find how to deploy Azure Bastion. Remember to use Microsoft Edge or Chrome and to allow pop-ups.
DVWA (Damn Vulnerable Web Application) is a PHP/MySQL web application that is widely used to train security specialists on common vulnerabilities. For more information about DVWA, click here.
Thomas Laurenson wrote a good post on installing DVWA on Ubuntu, and the same steps work on Azure. For more details, see:
Open the Azure Portal, select the Ubuntu virtual machine created previously (DVWA), click Connect and select Bastion. Enter the credentials below and then click Connect.
Note 1: if the new tab doesn't open, check that your browser is not blocking pop-ups.
Note 2: Linux usernames are case sensitive.
It's recommended to update Ubuntu (or any virtual machine) right after installation. Execute the following command to update:
sudo apt update && sudo apt upgrade -y
These packages are required to install DVWA. Execute the following command and press Y to confirm:
sudo apt install apache2 mysql-server php php-mysqli php-gd libapache2-mod-php git
Return to the home folder and clone the DVWA repository (with its submodules):
git clone --recurse-submodules https://github.com/ethicalhack3r/DVWA.git
sudo rm /var/www/html/index.html
sudo cp -r ~/DVWA/* /var/www/html/
sudo cp /var/www/html/config/config.inc.php.dist /var/www/html/config/config.inc.php
Done! Now you can connect from another virtual machine on Azure (using Azure Bastion) and check whether DVWA is up and running; the DVWA setup page requires a browser. Because the DVWA VM has no public IP address, you need a VM with a browser in the same VNET to finish the configuration (or to adjust anything else in DVWA).
Note: the NSG LABSEC and the VNET/subnet already exist and must be reused for the other labs.
On the left side of Server Manager click Local Server. Click IE Enhanced Security Configuration and set it to Off for both Administrators and Users.
Open the Azure Portal, click the DVWA virtual machine and take note of its private IP address. It will probably be 10.0.0.4.
Use VM01 to check whether DVWA is up and running. Connect to VM01 using Azure Bastion, open Internet Explorer and type 10.0.0.4 in the address bar. This opens the DVWA login screen.
Note: do not click Create / Reset Database yet; you first need to set up file permissions and the database account.
Connect to the DVWA VM using Azure Bastion and type the following commands. They make the upload directory, the PHPIDS log file and the config directory world-writable; this is acceptable only because this is a deliberately vulnerable lab VM with no public IP address (giving ownership to www-data would be the tighter option):
sudo chmod 777 /var/www/html/hackable/uploads/
sudo chmod 777 /var/www/html/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
sudo chmod 777 /var/www/html/config
Do not disconnect; you will continue in the next step.
Open php.ini in vi with sudo:
sudo vi /etc/php/7.2/apache2/php.ini
Find the line allow_url_include = Off (around line 837 in the default PHP 7.2 php.ini; in vi you can type /allow_url_include and press Enter to jump to it) and change it to allow_url_include = On. If your Ubuntu release ships a different PHP version, adjust the path in the command above accordingly.
Exit vi by pressing ESC and typing :wq
Still on the DVWA VM, run the following commands to set up the MySQL account DVWA will use. On recent Ubuntu releases the MySQL root account authenticates through auth_socket, which PHP cannot use, so it is recreated with a password:
sudo mysql -uroot
DROP USER 'root'@'localhost';
CREATE USER 'root'@'localhost' IDENTIFIED BY 'p@ssw0rd';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;
exit
Now you are ready to return to VM01 and create the database.
Open the Azure Portal, select VM01 and connect using Azure Bastion. Once connected, open Internet Explorer and browse to http://10.0.0.4.
Click Create / Reset Database. The database is created and you are redirected to the login screen. Log in again (the DVWA defaults are admin / password) and the DVWA page appears.
At this point the DVWA VM is ready. Follow the next steps to prepare the monitoring.
All logs will be forwarded to Log Analytics, which is a requirement for Azure Sentinel, Network Watcher traffic analytics, etc. Follow the steps below to create your Log Analytics workspace.
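The DVWA preparation above (packages, clone, permissions, php.ini and the MySQL account) as one script, added here as an example; it is not part of the original workshop or of DVWA. It assumes Ubuntu with PHP 7.2 (the php.ini path the page uses) and the default document root; override PHP_INI, DVWA_ROOT or DB_PASS in the environment if yours differ. The php.ini change is done by matching the directive rather than a line number, so it survives a different php.ini layout. Create / Reset Database in the browser is still done afterwards, as in the step above.

```shell
#!/usr/bin/env bash
# Added example, not from the original workshop: the DVWA setup steps as one script.
# Assumptions: Ubuntu with PHP 7.2 (php.ini path from the workshop page), Apache
# document root /var/www/html, MySQL root recreated with password p@ssw0rd.
set -eu

DVWA_ROOT="${DVWA_ROOT:-/var/www/html}"
PHP_INI="${PHP_INI:-/etc/php/7.2/apache2/php.ini}"
DB_PASS="${DB_PASS:-p@ssw0rd}"

# Print the effective value of a php.ini directive (first uncommented match, or nothing).
php_setting() {
  sed -nE "s/^$2[[:space:]]*=[[:space:]]*([^[:space:];]+).*/\1/p" "$1" | head -n 1
}

# Flip allow_url_include from Off to On wherever the line sits; fails if it is not On afterwards.
enable_allow_url_include() {
  sed -i -E 's/^(allow_url_include[[:space:]]*=[[:space:]]*)Off/\1On/' "$1"
  [ "$(php_setting "$1" allow_url_include)" = On ]
}

install_dvwa() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo $0 install" >&2; exit 1; }
  apt update && apt upgrade -y
  apt install -y apache2 mysql-server php php-mysqli php-gd libapache2-mod-php git
  cd /tmp
  git clone --recurse-submodules https://github.com/ethicalhack3r/DVWA.git
  rm -f "$DVWA_ROOT/index.html"
  cp -r DVWA/* "$DVWA_ROOT/"
  cp "$DVWA_ROOT/config/config.inc.php.dist" "$DVWA_ROOT/config/config.inc.php"
  # DVWA needs these writable by Apache. 777 is what the workshop uses; acceptable only
  # because the VM has no public IP. chown -R www-data would be the tighter choice.
  chmod 777 "$DVWA_ROOT/hackable/uploads" \
            "$DVWA_ROOT/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt" \
            "$DVWA_ROOT/config"
  enable_allow_url_include "$PHP_INI"
  # Recreate MySQL root with a password so DVWA's PHP config can authenticate;
  # the default Ubuntu root account uses auth_socket, which PHP cannot use.
  mysql -uroot <<SQL
DROP USER 'root'@'localhost';
CREATE USER 'root'@'localhost' IDENTIFIED BY '${DB_PASS}';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
SQL
  systemctl restart apache2
}

# With no argument the script only defines the helpers (so they can be sourced or tested);
# "sudo ./dvwa-setup.sh install" performs the installation.
case "${1:-}" in
  install) install_dvwa ;;
esac
```

Run it once as root with the install argument on the DVWA VM, then continue with VM01 and Create / Reset Database. The helpers can also be sourced on their own to check or change a php.ini without running the installation.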
- Create Workspace
Open the Azure Portal, click New, type Log Analytics Workspace, click Create and use these parameters:
Note: make sure to use the same Resource Group and region.
Azure Application Gateway is a web traffic load balancer that lets you manage traffic to your web applications. It also includes the Web Application Firewall (WAF), a service that provides centralized protection of web applications against common exploits and vulnerabilities.
- Deploy Application Gateway w/ WAF
For this workshop you will deploy Application Gateway with WAF v1 to detect attacks against the DVWA VM. The reason for using v1 instead of v2 is the ability to restrict access to a specific public IP address. The Application Gateway exposes a public IP address, and it is not simple to restrict which addresses can reach it. That restriction is useful if you want to keep the lab running for a long time without letting anyone on the Internet reach DVWA (its credentials are simple). With Application Gateway v1 this traffic can be restricted using a Network Security Group (NSG) on the gateway subnet. This does mean you must update the NSG rule every time your public IP address (from your ISP connection) changes. If you don't need this control, you can create Application Gateway with WAF v2 instead.
Click Next: Frontends
Click Next: Configuration
Click Add a routing rule
Click Next: Tags
Click Next: Review + create
Wait a few minutes for the deployment to finish (~10 min), then click APPGW (in your Resource Group). You can see the public IP address assigned to the Application Gateway. Take note of it and browse to it using Internet Explorer on VM01. This is just a test to confirm that traffic to DVWA is now handled by the Application Gateway WAF.
Note: the frontend public IP address shown here is a placeholder.
Restrict access to Application Gateway (optional)
As explained before, if you want to restrict which Internet IP addresses can reach DVWA, you need to configure the Network Security Group. If not, skip this step.
Open the Resource Group LABSECURITY again and click the NSG APPLABSECURITY.
Note: you must change the rule AccessFromHome (Source IP address field) to the public IP address you are currently using. You can find it by opening Google and searching for what is my ip. That is the address to enter in the Source IP address field.
Note: you now have the Application Gateway forwarding to the DVWA VM and allowing access only from your public IP. In the next step you will forward logs from the NSG and the Application Gateway to Log Analytics.
Network Watcher is a network performance monitoring and diagnostics solution on Azure. We will use it to forward NSG flow logs and diagnostic logs to the Log Analytics workspace.
First create a storage account. It will be used to retain the logs.
- Enable Network Watcher on your region
Open the Azure Portal, type Network Watcher in the search bar and press Enter.
Under Region, click to expand. Check whether East US is enabled. If not, click "..." and then Enable network watcher.
Note: if you cannot enable Network Watcher, follow this documentation to register it manually.
- Forward NSG flow logs
- Forward Diagnostics logs
Repeat the steps for all resources, using the same storage account and Log Analytics workspace. You can use any name for the diagnostic settings. After configuring all resources you will have something like this:
If you have time, wait a few hours and then click the Traffic Analytics option under Logs. This dashboard shows all traffic to your public resources on Azure, including malicious flows to them.
Security Center can monitor both Azure and on-premises resources. First it is necessary to onboard the Azure subscription to the Standard tier.
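The Network Watcher steps above (enable the watcher, NSG flow logs with Traffic Analytics, diagnostic settings on the Application Gateway) as Azure CLI calls, added here as an example; this is not part of the original workshop. The resource names are the ones the workshop uses (LABSECURITY, APPLABSECURITY, APPGW, WORKSPACESECURITY01, East US); the storage account name labsecuritylogs is an assumption for the account created above. It requires an authenticated az CLI and writes nothing unless run with the apply argument.

```shell
#!/usr/bin/env bash
# Added example, not from the original workshop: Azure CLI equivalent of the
# Network Watcher / diagnostic-settings steps. Resource names come from the page;
# STORAGE is an assumed name for the storage account created earlier.
set -eu

RG="${RG:-LABSECURITY}"
LOCATION="${LOCATION:-eastus}"
NSG="${NSG:-APPLABSECURITY}"
APPGW="${APPGW:-APPGW}"
WORKSPACE="${WORKSPACE:-WORKSPACESECURITY01}"
STORAGE="${STORAGE:-labsecuritylogs}"   # assumption: must already exist in $RG

# Build the JSON array that 'az monitor diagnostic-settings create --logs' expects:
# one {category, enabled:true} entry per log category name passed in.
diag_logs_json() {
  out='[' sep=''
  for cat in "$@"; do
    out="${out}${sep}{\"category\":\"${cat}\",\"enabled\":true}"
    sep=','
  done
  printf '%s]' "$out"
}

# resource_id "<az noun>" <name>: full ARM id of a resource in $RG.
# $1 is intentionally unquoted so "storage account" splits into two words.
resource_id() {
  az $1 show -g "$RG" -n "$2" --query id -o tsv
}

enable_network_watcher() {
  az network watcher configure -g NetworkWatcherRG -l "$LOCATION" --enabled true
}

# NSG flow logs (v2) retained 7 days, with Traffic Analytics at a 10-minute interval.
forward_nsg_flow_logs() {
  az network watcher flow-log create --location "$LOCATION" --resource-group "$RG" \
     --name "flowlog-${NSG}" --nsg "$NSG" --enabled true --log-version 2 --retention 7 \
     --storage-account "$(resource_id 'storage account' "$STORAGE")" \
     --workspace "$(resource_id 'monitor log-analytics workspace' "$WORKSPACE")" \
     --traffic-analytics true --interval 10
}

# Diagnostic setting on the Application Gateway: access, performance and WAF logs.
forward_appgw_diagnostics() {
  az monitor diagnostic-settings create --name "diag-${APPGW}" \
     --resource "$(resource_id 'network application-gateway' "$APPGW")" \
     --workspace "$(resource_id 'monitor log-analytics workspace' "$WORKSPACE")" \
     --storage-account "$(resource_id 'storage account' "$STORAGE")" \
     --logs "$(diag_logs_json ApplicationGatewayAccessLog \
                              ApplicationGatewayPerformanceLog \
                              ApplicationGatewayFirewallLog)"
}

# No argument: only define the helpers. "./netwatcher.sh apply" performs the changes.
case "${1:-}" in
  apply) enable_network_watcher; forward_nsg_flow_logs; forward_appgw_diagnostics ;;
esac
```

The ApplicationGatewayFirewallLog category is the one the Sentinel WAF workbooks and the KQL queries later on the page read from, so check it is enabled if the workbooks stay empty.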
- Onboard Azure Subscription
Follow the steps below to enable the Standard tier. By default any Azure subscription is on the Free tier.
- Add Azure Application Gateway WAF source
In Azure Security Center click Security Solutions (under RESOURCE SECURITY HYGIENE). Click ADD on Azure Application Gateway WAF, then click Create.
- Enable data collection on Log Analytics workspace
Now you can connect the Log Analytics workspace to Sentinel. Follow the steps below:
- Open the Azure Portal and type Sentinel in the search bar. Click Azure Sentinel.
- In Azure Sentinel workspaces click +Add, select WORKSPACESECURITY01 and click Add Azure Sentinel.
- The Azure Sentinel dashboard appears.
On the left side click Data connectors (Configuration panel). Select Azure Security Center and click Open connector page (right side).
- Click on Connect.
This step may not be required if you previously configured diagnostic logs for the Application Gateway. If not, follow these steps: on the left side click Data connectors (Configuration panel), select Microsoft web application firewall (WAF) and click Open connector page (right side).
- In Azure Sentinel click Workbooks (left side, under Threat management). On Templates click Microsoft Web Application Firewall (WAF) - firewall events and then click Save (right side).
- A Save workbook to... pop-up appears; choose the same region.
After saving, click View saved workbook on the right side.
- Repeat the steps to add the other 2 workbooks:
All the commands to test are available on the OWASP Foundation website (link below).
Vulnerability: Command Injection (the payload goes in the IP address field of the DVWA Command Injection page):
127.0.0.1; ls -al
system("cd /var/yp && make &> /dev/null"); // vulnerable PHP pattern from the OWASP page, shown for reference; not an input to type into DVWA
Vulnerability: SQL Injection (the first payload goes in the User ID field of the DVWA SQL Injection page; the remaining lines are OWASP reference examples of injected queries):
%' or 1='1
SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
SELECT /*!32302 1/0, */ 1 FROM tablename
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER'; SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv
Vulnerability: Cross-Site Scripting (XSS)
<script>alert("you have been hacked")</script>
Sample queries to detect actions blocked by the WAF. More queries are available below.
AzureDiagnostics | where Category == "ApplicationGatewayFirewallLog" and action_s == "Blocked" | project TimeGenerated, clientIp_s, requestUri_s, ruleId_s, Message
AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog" | summarize count() by clientIp_s, bin(TimeGenerated, 1m) | render timechart
Create a Microsoft TechCommunity account to access this content (it's free):
Azure Networking Basics https://myignite.techcommunity.microsoft.com/sessions/83202?source=sessions
Modernize your SIEM in the cloud with Azure Sentinel https://myignite.techcommunity.microsoft.com/sessions/79817?source=sessions
Protect your cloud workload from threats using Azure Security Center https://myignite.techcommunity.microsoft.com/sessions/81972?source=sessions
Get visibility into your hybrid network with Network Watcher https://myignite.techcommunity.microsoft.com/sessions/83951?source=sessions
Using Azure Web Application Firewall to protect your web applications and web APIs https://myignite.techcommunity.microsoft.com/sessions/82947?source=sessions