{"id":13782639,"url":"https://github.com/NetSPI/FuncoPop","last_synced_at":"2025-05-11T16:30:44.970Z","repository":{"id":184254281,"uuid":"670359423","full_name":"NetSPI/FuncoPop","owner":"NetSPI","description":"Tools for attacking Azure Function Apps","archived":false,"fork":false,"pushed_at":"2024-10-29T15:41:29.000Z","size":4408,"stargazers_count":63,"open_issues_count":0,"forks_count":6,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-11-11T01:21:30.861Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NetSPI.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-24T21:59:56.000Z","updated_at":"2024-10-29T15:41:33.000Z","dependencies_parsed_at":null,"dependency_job_id":"d15df8ca-61fa-49a7-a12c-a341b2517d86","html_url":"https://github.com/NetSPI/FuncoPop","commit_stats":null,"previous_names":["netspi/funcopop"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NetSPI%2FFuncoPop","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NetSPI%2FFuncoPop/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NetSPI%2FFuncoPop/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NetSPI%2FFuncoPop/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NetSPI","download_url":"https://codeload.github.com/NetSPI/FuncoPop/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225068716,"owners_count":17416119,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T18:01:40.560Z","updated_at":"2024-11-17T17:31:53.331Z","avatar_url":"https://github.com/NetSPI.png","language":"PowerShell","funding_links":[],"categories":["0x02 工具 :hammer_and_wrench:"],"sub_categories":["1 云服务工具"],"readme":"![FuncoPopLogo](https://notpayloads.blob.core.windows.net/images/FuncoPop-bg-final.png)\n\u003cbr\u003e \n[![licence badge]][licence] \n[![stars badge]][stars] \n[![forks badge]][forks] \n[![issues badge]][issues]\n\n![Twitter Follow](https://img.shields.io/twitter/follow/kfosaaen.svg?style=social)\n![Twitter Follow](https://img.shields.io/twitter/follow/thomas_elling.svg?style=social)\n\n[licence badge]:https://img.shields.io/badge/license-New%20BSD-blue.svg\n[stars badge]:https://img.shields.io/github/stars/NetSPI/FuncoPop.svg\n[forks badge]:https://img.shields.io/github/forks/NetSPI/FuncoPop.svg\n[issues badge]:https://img.shields.io/github/issues/NetSPI/FuncoPop.svg\n\n\n[licence]:https://github.com/NetSPI/FuncoPop/blob/master/LICENSE.txt\n[stars]:https://github.com/NetSPI/FuncoPop/stargazers\n[forks]:https://github.com/NetSPI/FuncoPop/network\n[issues]:https://github.com/NetSPI/FuncoPop/issues\n\n\n### FuncoPop: PowerShell Tools for Attacking Azure Function Apps\n\nFuncoPop includes functions and scripts that support attacking Azure Function Apps, primarily through exploiting Storage Account Access. In many environments, users are granted generous Storage Account permissions (Storage Account Contributor) in Azure RBAC, resulting in access to Storage Accounts that support Function Apps. This unintended cross-service access can give an attacker the ability to pivot through Storage Accounts to gain access to Function Apps. This access includes visibility into the Function App keys, ability to run code in the Function App containers, and the ability to access Managed Identities attached to the Function Apps.\n\nThese tools were initially released as part of the \"What the Function: A Deep Dive into Azure Function App Security\" talk from the DEF CON 31 Cloud Village.\n\n### Author, Contributors, and License\n* Author:\n\t* Thomas Elling ([@thomaselling](https://twitter.com/thomas_elling)), NetSPI\n\t* Karl Fosaaen ([@kfosaaen](https://twitter.com/kfosaaen)), NetSPI\n* License: BSD 3-Clause\n* Required Dependencies: Az PowerShell Module\n\n### Tool Usage\nThere are two parts to this tool - Extraction and Decryption\n\n## Key Extraction\nIn order to run the key extraction tool, you will need to have an authenticated Azure (Az) PowerShell login with some role that allows Read/Write access to a vulnerable Function App Storage Account. In PowerShell, you will need to import the function in order to run it.\n\n**Importing the function:**\n\t`Import-Module .\\Invoke-AzFunctionAppTakeover.ps1`\n\nOnce imported, you can run the function:\n  `Invoke-AzFunctionAppTakeover -Verbose`\n\n```\nVERBOSE: Currently logged in via Az PowerShell as kfosaaen@notatenant.com\nVERBOSE: Use Connect-AzAccount to change your user\nVERBOSE: Dumping Function App information for Selected Subscriptions...\nVERBOSE:    Enumerating Function App attached Storage Accounts in the TestEnvironment subscription\nVERBOSE:            Function App Storage Account Found - POCstorageAccount1 - mystarterapp Function App\nVERBOSE:            Function App Storage Account Found - POCstorageAccount2 - importantbankingapp Function App\nVERBOSE:            Function App Storage Account Found - POCstorageAccount2 - lessimportantbankingapp Function App\nVERBOSE:            Function App Storage Account Found - POCstorageAccount3 - managedidentityfunction Function App\n[Truncated]\nVERBOSE:    15 Function App Storage Accounts Enumerated in the Subscription\nVERBOSE:    Dumping Function App information for selected Storage Accounts\nVERBOSE:            Determining Function App Language of the managedidentityfunction function in the POCstorageAccount3 Storage Account\nVERBOSE:                    Reviewing the managedidentityfunctiona16a File Share\nVERBOSE:                            ASP.NET folder found in the managedidentityfunctiona16a File Share\nVERBOSE:                            ASP.NET file found in the site/wwwroot/HttpTrigger1 folder in the managedidentityfunctiona16a File Share\nVERBOSE:                            ASP.NET file found in the site/wwwroot/HttpTrigger2 folder in the managedidentityfunctiona16a File Share\nVERBOSE:                            Attempting to add a new ASP.NET function to the managedidentityfunctiona16a File Share in the POCstorageAccount3 Storage Account\nVERBOSE:                                    Creating the MFRgBWvsDIlkyfT folder in the managedidentityfunctiona16a File Share in the POCstorageAccount3 Storage Account and uploading files\nVERBOSE:                                    Sleeping for 60 seconds before calling the new function\nVERBOSE:                                    Calling the new function (until it stops 404-ing) to return the tokens and decryption key, this may take a while...\nVERBOSE:                                            Avoid hitting ctrl+C to break out of this, you will need to manually remove the added Storage Account files in order to clean up\nVERBOSE:                                    Removing the files from the Storage Account\nVERBOSE:            Completed attacking the managedidentityfunction Function App in the managedidentityfunctiona16a File Share\n\nFunctionApp        : managedidentityfunction\nEncryptedMasterKey : bm9[Truncated]=\nEncryptionKey      : 1B1[Truncated]9\nManagementToken    : eyJ[Truncated]g\nVaultToken         : eyJ[Truncated]g\nGraphToken         : eyJ[Truncated]Q\n\nVERBOSE: All Function App / Storage Account attacks have completed\n```\n\nThe function will prompt you to select a Subscription to attack. Once it has enumerated vulnerable Storage Accounts, you will be prompted with a list of accounts to attack. Select the ones you want to attack and the function will add malicious functions to the Storage Accounts, and attempt to execute them. These malicious functions will return the decryption key for the Function App Master Key, along with Managed Identity tokens (*if available).\n\nPlease note that the function supports PowerShell, ASP.NET, Python, and Node for payloads. At this time, attacking Java Function Apps is not supported, but may be added in the future.\n\nRequired Module to install:\n* \u003ca href=\"https://docs.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-3.6.1\"\u003eAz\u003c/a\u003e\n\n## Key Decryption\nThe easiest way to decrypt the keys returned from the PowerShell function is to run the Function App that we created to do the decryption.\n### Host your own Function App to decrypt the keys\nUse the following Deploy button to deploy a function app to your Azure subscription that can be used to decrypt the extracted keys.\n\n[![Deploy to Azure](https://github.com/Azure-Samples/function-app-arm-templates/blob/main/images/deploytoazure.png?raw=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FNetSPI%2FFuncoPop%2Fmain%2Fazuredeploy.json)\n\n![image](https://github.com/NetSPI/FuncoPop/assets/2163397/64504f17-d872-4094-9106-5f2fe4be03b7)\n\n\n\n\n### Related Blogs\n* \u003ca href=\"https://www.netspi.com/blog/technical/cloud-penetration-testing/what-the-function-decrypting-azure-function-app-keys/\"\u003eWhat the Function: Decrypting Azure Function App Keys\u003c/a\u003e\n* \u003ca href=\"https://blog.netspi.com/lateral-movement-azure-app-services/\"\u003eLateral Movement in Azure App Services\u003c/a\u003e\n\n### Presentations\n* \u003ca href=\"https://www.youtube.com/watch?v=f0ryxWuNzT4\"\u003eWhat the Function: A Deep Dive into Azure Function App Security - DEF CON 31 - Cloud Village\u003c/a\u003e\n  - \u003ca href=\"https://github.com/NetSPI/FuncoPop/blob/main/WhatTheFunction-DC31_CV.pdf\"\u003eSlides\u003c/a\u003e\n* \u003ca href=\"https://www.youtube.com/live/VI76DUQ4DHI?t=15313s\"\u003eWhat the Function: A Deep Dive into Azure Function App Security - BSides PDX 2024\u003c/a\u003e\n  - \u003ca href=\"https://github.com/NetSPI/FuncoPop/blob/main/WhatTheFunction-2024-BSidesPDX.pdf\"\u003eSlides\u003c/a\u003e\n\n### Previous Research\n* \u003ca href=\"https://rogierdijkman.medium.com/privilege-escalation-via-storage-accounts-bca24373cc2e\"\u003eRogier Dijkman - Privilege Escalation via storage accounts\u003c/a\u003e\n* \u003ca href=\"https://orca.security/resources/blog/azure-shared-key-authorization-exploitation/\"\u003eRoi Nisimi - From listKeys to Glory: How We Achieved a Subscription Privilege Escalation and RCE by Abusing Azure Storage Account Keys\u003c/a\u003e\n* \u003ca href=\"https://msrc.microsoft.com/blog/2023/04/best-practices-regarding-azure-storage-keys-azure-functions-and-azure-role-based-access/\"\u003eMSRC - Best practices regarding Azure Storage Keys, Azure Functions, and Azure Role Based Access\u003c/a\u003e\n* \u003ca href=\"https://medium.com/xm-cyber/10-ways-of-gaining-control-over-azure-function-apps-7e7b84367ce6\"\u003eBill Ben Haim \u0026 Zur Ulianitzky - 10 ways of gaining control over Azure function Apps\u003c/a\u003e\n* \u003ca href=\"https://posts.specterops.io/abusing-azure-app-service-managed-identity-assignments-c3adefccff95\"\u003eAndy Robbins – Abusing Azure App Service Managed Identity Assignments\u003c/a\u003e\n* \u003ca href=\"https://whiteknightlabs.com/2024/05/07/abusing-azure-logic-apps-part-1/\"\u003eChirag Savla and Raunak Parmar – Abusing Azure Logic Apps – Part 1\u003c/a\u003e\n\n\n\t\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNetSPI%2FFuncoPop","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNetSPI%2FFuncoPop","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNetSPI%2FFuncoPop/lists"}