-
Notifications
You must be signed in to change notification settings - Fork 0
Network Ports
network-ports is the rule-view command for visible inbound port and allow posture.
Use it when you need to know which inbound rules or port paths deserve review first without pretending that rule data alone proves end-to-end reachability.
- Which visible inbound allow paths matter most first?
- Which rules, source ranges, or ports look most permissive?
- Which network path should you validate or correlate next?
ho-azure network-ports --output tableFor saved structured output:
ho-azure network-ports --output json| asset | endpoint | protocol | port | allow source | confidence |
|---|---|---|---|---|---|
vm-web-01 |
52.160.10.20 |
TCP |
22 |
Any via nic-nsg:.../allow-ssh-internet |
high |
vm-web-01 |
52.160.10.20 |
TCP |
443 |
AzureLoadBalancer via subnet-nsg:.../allow-https... |
medium |
vm-web-01 |
52.160.10.20 |
TCP |
8080 |
10.20.0.0/16 via subnet-nsg:.../allow-app-port |
low |
- when inbound rule posture is the clearest next network question
- after
endpointsornetwork-effectivesuggests exposed assets - when you need exact port, protocol, and source-range context before workload follow-up
- broad inbound allow rules
- management or otherwise sensitive ports
- source ranges such as
Anyor similarly broad patterns - rules tied to public-facing or already-interesting workloads
Visible inbound rules often explain why an endpoint deserves attention.
A broad allow rule, risky management port, or surprisingly open source range can change priority
quickly. network-ports gives you the rule evidence behind that story without claiming it is the
entire network truth.
- broad inbound allow rules
- management and sensitive ports
- rules tied to public-facing or important workloads
- clear target context so the path is understandable quickly
- If you see a broad source such as
Anyon a management port like22, go next to Network-Effective because it shows whether that rule combines with a real endpoint into a stronger exposure story. - If the rule is tied to a VM or scale set, go next to
vmsorvmssbecause those commands show the workload context behind the port. - If the reachable asset also carries managed identity, go next to Managed-Identities because it shows whether that exposure is also an Azure token path.
- Treat the top rules as validation targets, not proof on their own.
- Pair port posture with endpoint and workload context before deciding what matters most.
- Use this command when you need rule-level grounding behind a stronger exposure story.
Loot currently keeps the top-ranked rows for this command. That ordering is useful, but it is not
yet a shipped semantic high / medium / low analyst contract unless the command explicitly
labels rows with a defended priority contract.
network-ports is an evidence and grounding command.
It should rank the clearest inbound allow paths. It is not full effective-exposure modeling or confirmed end-to-end reachability.
- Home
- Getting Started
- Platform Notes
- Running Against The Proof Lab
- Understanding Output
- Command Guides
Core
Identity
Config
Secrets
Storage
Resource
Compute
Orchestration
Chain Families
Investigations
- Axios - Post Exposure Azure Triage
- From EvilTokens to HarrierOps Azure: Why Token Theft Can Become Azure Control
- FAQ / Known Limits (coming soon)