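function Invoke-SubscriptionEnum {
    <#
    .SYNOPSIS
    Inventories the public IP addresses and DNS names of the current Azure subscription.

    .DESCRIPTION
    Takes the subscription from the active Az context (Get-AzContext) and walks the
    resource types below with read-only Get-Az* calls. For most resources a
    PSCustomObject record is written to the pipeline. The collected IPs and host
    names are de-duplicated, sorted, written to the pipeline and saved to two text
    files.

    Only resource metadata is read. Network security groups, service firewalls and
    private endpoints are not evaluated, so each entry is a candidate for exposure
    review rather than a confirmed reachable endpoint.

    .PARAMETER outputDirectory
    Existing directory that receives <subscriptionId>-PublicResources.txt and
    <subscriptionId>-StorageAccounts.txt. Defaults to the current directory.

    .OUTPUTS
    PSCustomObject records per resource, then the sorted unique address/name strings.
    #>
    param(
        [string]$outputDirectory = "."
    )

    # Resolve a public IP resource from its resource ID.
    # The resource group is read from the ID itself because a public IP can live in a
    # different resource group than the VM / load balancer / gateway that references it;
    # the parent's resource group is only used when the ID does not carry one.
    function Get-PublicIpFromId {
        param(
            [string]$ResourceId,
            [string]$FallbackResourceGroup
        )
        if ([string]::IsNullOrEmpty($ResourceId)) { return $null }

        $segments = $ResourceId.Split('/')
        $resourceGroup = $FallbackResourceGroup
        for ($i = 0; $i -lt ($segments.Length - 1); $i++) {
            # -eq on strings is case-insensitive, which covers 'resourcegroups' too.
            if ($segments[$i] -eq 'resourceGroups') {
                $resourceGroup = $segments[$i + 1]
                break
            }
        }
        Get-AzPublicIpAddress -ResourceGroupName $resourceGroup -Name $segments[-1]
    }

    # Fail early instead of running every query against a missing login.
    $context = Get-AzContext
    if (-not $context -or -not $context.Subscription) {
        Write-Error "No Azure context found. Run Connect-AzAccount (and Set-AzContext) first."
        return
    }
    $subid = $context.Subscription.Id

    # Check the target directory before the (slow) enumeration, not after it.
    if (-not (Test-Path -LiteralPath $outputDirectory -PathType Container)) {
        Write-Error ("Output directory not found: " + $outputDirectory)
        return
    }
    # Join-Path keeps the file names identical while using the platform's separator.
    $publicPath  = Join-Path $outputDirectory ($subid + "-PublicResources.txt")
    $storagePath = Join-Path $outputDirectory ($subid + "-StorageAccounts.txt")

    Write-Host -ForegroundColor Yellow ("[***] Enumerating Subscription " + $subid)
    $publicresources = @()
    $storageaccountlist = @()

    Write-Host -ForegroundColor Yellow "[*] Getting VMs"
    # Virtual machines with a public IP on their first NIC / first IP configuration.
    # Additional NICs and IP configurations are not inspected here; their addresses
    # are still picked up by the subscription-wide public IP pass below.
    $vms = Get-AzVM
    foreach ($vm in $vms) {
        $firstNicRef = @($vm.NetworkProfile.NetworkInterfaces) | Select-Object -First 1
        if (-not $firstNicRef.Id) { continue }   # VM without a NIC reference

        $nic = Get-AzNetworkInterface -ResourceGroupName $vm.ResourceGroupName -Name $firstNicRef.Id.Split('/')[-1]
        $firstIpConfig = @($nic.IpConfigurations) | Select-Object -First 1
        if (-not $firstIpConfig.PublicIpAddress) { continue }

        $publicIp = Get-PublicIpFromId -ResourceId $firstIpConfig.PublicIpAddress.Id -FallbackResourceGroup $vm.ResourceGroupName
        if ($publicIp) {
            [PSCustomObject]@{
                ResourceType    = "Virtual Machine"
                Name            = $vm.Name
                PublicIpAddress = $publicIp.IpAddress
                DnsName         = $publicIp.DnsSettings.Fqdn
            }
            $publicresources += $publicIp.IpAddress
        }
        if ($publicIp.DnsSettings.Fqdn) {
            $publicresources += $publicIp.DnsSettings.Fqdn
        }
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Public IPs"
    # Every public IP resource in the subscription, attached or not.
    # Only the address is collected; no per-IP record is emitted for this pass.
    $publicIps = Get-AzPublicIpAddress
    foreach ($publicIp in $publicIps) {
        $publicresources += $publicIp.IpAddress
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Load Balancers"
    # Load balancers with a public frontend.
    $loadBalancers = Get-AzLoadBalancer
    foreach ($lb in $loadBalancers) {
        foreach ($frontendIp in $lb.FrontendIpConfigurations) {
            if (-not $frontendIp.PublicIpAddress) { continue }   # internal frontend

            $publicIp = Get-PublicIpFromId -ResourceId $frontendIp.PublicIpAddress.Id -FallbackResourceGroup $lb.ResourceGroupName
            if ($publicIp) {
                [PSCustomObject]@{
                    ResourceType    = "Load Balancer"
                    Name            = $lb.Name
                    PublicIpAddress = $publicIp.IpAddress
                    DnsName         = $publicIp.DnsSettings.Fqdn
                }
                $publicresources += $publicIp.IpAddress
            }
        }
    }

    Write-Host -ForegroundColor Yellow "[*] Getting App Services"
    $appServices = Get-AzWebApp
    foreach ($appService in $appServices) {
        [PSCustomObject]@{
            ResourceType = "App Service"
            Name         = $appService.Name
            DnsName      = $appService.DefaultHostName
        }
        $publicresources += $appService.DefaultHostName
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Databases"
    # Logical SQL servers; the server FQDN is recorded, firewall rules are not read.
    $sqlServers = Get-AzSqlServer
    foreach ($sqlServer in $sqlServers) {
        [PSCustomObject]@{
            ResourceType = "SQL Database"
            Name         = $sqlServer.FullyQualifiedDomainName
            DnsName      = $sqlServer.FullyQualifiedDomainName
        }
        $publicresources += $sqlServer.FullyQualifiedDomainName
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Storage Accounts"
    # Storage accounts are kept in their own list. The blob host name is recorded for
    # every account; the account's network rules are not consulted.
    $storageAccounts = Get-AzStorageAccount
    foreach ($storageAccount in $storageAccounts) {
        $primaryEndpoints = $storageAccount.PrimaryEndpoints
        # Strip the 'https://' prefix and the trailing '/' to leave the bare host name.
        $blobEndpoint = ($primaryEndpoints.Blob -replace "https://", "").TrimEnd('/')
        [PSCustomObject]@{
            ResourceType = "Storage Account"
            Name         = $storageAccount.StorageAccountName
            DnsName      = $blobEndpoint
        }
        $storageaccountlist += $blobEndpoint
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Azure Functions"
    $functions = Get-AzFunctionApp
    foreach ($function in $functions) {
        [PSCustomObject]@{
            ResourceType = "Function App"
            Name         = $function.Name
            DnsName      = $function.DefaultHostName
        }
        $publicresources += $function.DefaultHostName
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Containers (ACR)"
    $containerRegistries = Get-AzContainerRegistry
    foreach ($containerRegistry in $containerRegistries) {
        [PSCustomObject]@{
            ResourceType = "Container Registry"
            Name         = $containerRegistry.Name
            DnsName      = $containerRegistry.LoginServer
        }
        $publicresources += $containerRegistry.LoginServer
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Kubernetes (AKS)"
    $aksClusters = Get-AzAksCluster
    foreach ($aks in $aksClusters) {
        # Prefer the FQDN reported on the cluster object; fall back to the
        # prefix/region construction when that property is empty.
        $aksDnsName = $aks.Fqdn
        if (-not $aksDnsName) {
            $aksDnsName = $aks.DnsPrefix + ".hcp." + $aks.Location + ".azmk8s.io"
        }
        [PSCustomObject]@{
            ResourceType = "AKS Cluster"
            Name         = $aks.Name
            DnsName      = $aksDnsName
        }
        $publicresources += $aksDnsName
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Front Door"
    $frontDoors = Get-AzFrontDoor
    foreach ($fd in $frontDoors) {
        [PSCustomObject]@{
            ResourceType = "Front Door"
            Name         = $fd.Name
            DnsName      = $fd.Hostname
        }
        $publicresources += $fd.Hostname
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Traffic Manager"
    $trafficManagers = Get-AzTrafficManagerProfile
    foreach ($tm in $trafficManagers) {
        $tmDnsName = $tm.DnsName + ".trafficmanager.net"
        [PSCustomObject]@{
            ResourceType = "Traffic Manager"
            Name         = $tm.Name
            DnsName      = $tmDnsName
        }
        $publicresources += $tmDnsName
    }

    Write-Host -ForegroundColor Yellow "[*] Getting CDNs"
    $cdnProfiles = Get-AzCdnProfile
    # Loop variable is not called $profile, which would shadow the automatic $PROFILE.
    foreach ($cdnProfile in $cdnProfiles) {
        $cdnEndpoints = Get-AzCdnEndpoint -ProfileName $cdnProfile.Name -ResourceGroupName $cdnProfile.ResourceGroupName
        foreach ($cdnEndpoint in $cdnEndpoints) {
            [PSCustomObject]@{
                ResourceType = "CDN Endpoint"
                ProfileName  = $cdnProfile.Name
                EndpointName = $cdnEndpoint.Name
                DnsName      = $cdnEndpoint.HostName
            }
            $publicresources += $cdnEndpoint.HostName
        }
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Bastion"
    $bastions = Get-AzBastion
    foreach ($bastion in $bastions) {
        # Guard the chain: calling .Split() on a missing public IP reference would throw.
        $bastionConfig = @($bastion.IpConfigurations) | Select-Object -First 1
        $bastionIp = Get-PublicIpFromId -ResourceId $bastionConfig.PublicIpAddress.Id -FallbackResourceGroup $bastion.ResourceGroupName
        if ($bastionIp) {
            [PSCustomObject]@{
                ResourceType    = "Bastion"
                Name            = $bastion.Name
                PublicIpAddress = $bastionIp.IpAddress
                DnsName         = $bastionIp.DnsSettings.Fqdn
            }
            $publicresources += $bastionIp.DnsSettings.Fqdn
        }
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Redis Cache"
    $redisCaches = Get-AzRedisCache
    foreach ($redis in $redisCaches) {
        [PSCustomObject]@{
            ResourceType = "Redis Cache"
            Name         = $redis.Name
            DnsName      = $redis.HostName
        }
        $publicresources += $redis.HostName
    }

    Write-Host -ForegroundColor Yellow "[*] Getting API Management"
    # GatewayUrl is stored as returned (a URL, not a bare host name).
    $apiManagementServices = Get-AzApiManagement
    foreach ($apiMgmt in $apiManagementServices) {
        [PSCustomObject]@{
            ResourceType = "API Management"
            Name         = $apiMgmt.Name
            DnsName      = $apiMgmt.GatewayUrl
        }
        $publicresources += $apiMgmt.GatewayUrl
    }

    Write-Host -ForegroundColor Yellow "[*] Getting DNS Zones"
    $dnsZones = Get-AzDnsZone
    foreach ($dnsZone in $dnsZones) {
        [PSCustomObject]@{
            ResourceType = "DNS Zone"
            Name         = $dnsZone.Name
            DnsName      = $dnsZone.Name
        }
        $publicresources += $dnsZone.Name
    }

    Write-Host -ForegroundColor Yellow "[*] Getting Application Gateway"
    $appGateways = Get-AzApplicationGateway
    foreach ($appGateway in $appGateways) {
        foreach ($frontendIp in $appGateway.FrontendIpConfigurations) {
            # A gateway can have a private frontend with no public IP reference.
            if (-not $frontendIp.PublicIpAddress) { continue }

            $publicIp = Get-PublicIpFromId -ResourceId $frontendIp.PublicIpAddress.Id -FallbackResourceGroup $appGateway.ResourceGroupName
            if ($publicIp) {
                [PSCustomObject]@{
                    ResourceType    = "Application Gateway"
                    Name            = $appGateway.Name
                    PublicIpAddress = $publicIp.IpAddress
                    DnsName         = $publicIp.DnsSettings.Fqdn
                }
                $publicresources += $publicIp.DnsSettings.Fqdn
            }
        }
    }

    Write-Host -ForegroundColor Yellow "[*] Getting SignalR Service"
    $signalRServices = Get-AzSignalR
    foreach ($signalR in $signalRServices) {
        [PSCustomObject]@{
            ResourceType = "SignalR Service"
            Name         = $signalR.Name
            DnsName      = $signalR.HostName
        }
        $publicresources += $signalR.HostName
    }

    Write-Host -ForegroundColor Yellow "[***] Sorting..."

    # Sort-Object -Unique is spelled out: the 'sort' alias only exists on Windows, so
    # 'sort -u' would invoke the native sort binary elsewhere. Empty values (resources
    # without an FQDN) are dropped so the files contain no blank lines.
    $sortedPublic  = @($publicresources | Where-Object { $_ } | Sort-Object -Unique)
    $sortedStorage = @($storageaccountlist | Where-Object { $_ } | Sort-Object -Unique)

    Write-Host "------------------IPs & DNS Addresses----------------"
    $sortedPublic
    $sortedPublic | Out-File $publicPath
    Write-Host "-----------------------------------------------------"

    Write-Host "--------------------Storage Accounts-----------------"
    $sortedStorage
    $sortedStorage | Out-File $storagePath

    # Both paths are built from $subid; the context object has no 'subid' property.
    Write-Host ("[+] Results have been written to " + $storagePath + " and " + $publicPath)
    Write-Host "-----------------------------------------------------"
}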