Stormspotter creates an “attack graph” of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.
Most users may find it easier to install Stormspotter via Docker. This is the recommended method.
git clone https://github.com/Azure/Stormspotter
docker-compose up
The docker-compose file will create three containers:
By default, the Stormspotter container exposes the UI on port 9091. The neo4j container exposes Neo4j on ports 7474 (HTTP) and 7687 (Bolt). The default Neo4j configuration does not have SSL enabled, so you can initially interact directly with the Neo4j interface on port 7474.
Note: Currently, Stormspotter only supports running these containers locally. Attempting to upload to the frontend hosted remotely will be unsuccessful but this behavior is expected to change in the future.
The default credentials for neo4j are neo4j/password. You can change this in the docker-compose file via the NEO4J_AUTH environment variable.
You can then visit http://localhost:9091 in your browser.
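The default neo4j/password credentials and the Neo4j ports published without TLS are the two settings worth changing before the graph holds real subscription data. The script below is an added example, not part of Stormspotter or its docker-compose file: it writes a constructed weak fragment and a hardened one and lints both with a check_compose helper (the file names, the helper and the hardened values are assumptions).

```shell
# Added example, not Stormspotter code: lint a docker-compose file for the two
# weak defaults the page mentions (neo4j/password, ports open on all interfaces).
set -u
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
# Constructed fragment mirroring the page's defaults (weak).
cat >"$WORKDIR/weak.yml" <<'EOF'
services:
  neo4j:
    environment:
      - NEO4J_AUTH=neo4j/password
    ports:
      - "7474:7474"
      - "7687:7687"
  stormspotter:
    ports:
      - "9091:9091"
EOF
# Same fragment hardened: non-default secret, ports bound to loopback only.
cat >"$WORKDIR/hardened.yml" <<'EOF'
services:
  neo4j:
    environment:
      - NEO4J_AUTH=neo4j/REPLACE_WITH_A_LONG_RANDOM_SECRET
    ports:
      - "127.0.0.1:7474:7474"
      - "127.0.0.1:7687:7687"
  stormspotter:
    ports:
      - "127.0.0.1:9091:9091"
EOF
# check_compose FILE: print one finding per line, return 1 if any were found.
check_compose() {
    findings=0
    if grep -Eq 'NEO4J_AUTH=neo4j/password([^A-Za-z0-9]|$)' "$1"; then
        echo "default Neo4j credentials neo4j/password still set"
        findings=$((findings + 1))
    fi
    for port in 7474 7687 9091; do
        # "PORT:PORT" with no host address in front publishes on every interface.
        if grep -Eq -- "-[[:space:]]*\"?${port}:${port}\"?" "$1"; then
            echo "port ${port} published on all interfaces (no 127.0.0.1 prefix)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
check_compose "$WORKDIR/weak.yml" || echo "weak.yml: fix the findings above"
check_compose "$WORKDIR/hardened.yml" && echo "hardened.yml: no findings"
```

Run it against your own docker-compose.yml by calling check_compose on that path instead of the constructed fragments.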
Stormcollector is the portion of Stormspotter that allows you to enumerate the subscriptions the provided credentials have access to. The RECOMMENDED way to use Stormcollector is to run the sscollector.pyz package, found in the release file for your operating system. This PYZ has been created with Shiv and comes with all the packages already zipped up! The dependencies will extract themselves to a .shiv folder in the user's home directory.
cd stormcollector
python3 sscollector.pyz -h
If for some reason you don't want to use the provided package, you may install the required packages with pip or pipenv. With this approach, it's highly recommended to install Stormcollector in a virtual environment to prevent package conflicts. If you have issues managing your virtual environments, you should use the recommended method above.
cd stormcollector
python3 -m pip install pipenv
pipenv install .
python3 ./sscollector.py
$ python3 -m pip install pipenv
[...]
$ pipenv install .
[...]
✔ Successfully created virtual environment!
To activate this project's virtualenv, run pipenv shell.
Alternatively, run a command inside the virtualenv with pipenv run.
$ pipenv shell
$ . /home/crypt0rr/.local/share/virtualenvs/stormcollector-wansJJO3/bin/activate
((stormcollector) ) ╭─ ~/tools/Stormspotter/stormcollector
╰─$ python3 sscollector.py -h
usage: sscollector.py [-h] {cli,spn} ...
positional arguments:
{cli,spn} Methods of authentication
optional arguments:
-h, --help show this help message and exit
Current login types supported: Azure CLI (you must run az login first) and a service principal (tenant, client ID and client secret).
You can check out all of the options Stormcollector offers by using the -h switch as shown above. The most basic usages of Stormcollector are:
python3 sscollector.pyz cli
python3 sscollector.pyz spn -t <tenant> -c <clientID> -s <clientSecret>
Once you’ve started up the UI, you will see a section in the database tab labeled “Stormcollector Upload”. Add your file to this uploader and the processing will begin. As the results get processed, you can check the backend logs to view progress, and the results should also be reflected in the same Database View tab.