Add post module to steal azure cli tokens/configuration #10113
Conversation
I can add support for OSX very easily if anyone is able to test on that platform.
I'm happy to test on OSX if you need.
Hey @james-otten, I'm sorry this has been left sitting! To help us understand which PRs are in active development, I am closing this for now and adding the
Apologies for missing this. I'll give this a quick test on OSX. Code looks great.
Seems to work well on OSX.
Whatever happened to this? From my reading it looks like @james-otten wrote a module, @timwr tested it and it worked on OSX, and it just never got tested for Windows/Linux? If nothing else, it looks like it should have worked on Windows at the very least and been tested/landed for that? According to my notes, this had a solid 3 years of potential use before the CLI updated. I'm not sure how useful it may be now; it's been almost 2.5 years since the patch, but maybe it shows that these tokens are still around in people's user directories? Maybe some have long-term usage?
@h00die If you've got an Azure target and this works/is useful for you, I'm not against it being merged in.
azcontext.json
Looks like the file has changed. Of note,
@james-otten, you still around? Any chance you could provide an old copy of the data files that were generated?
Pushing back to draft while I update this for the new formats, test on old formats if I can still get them, etc.
Branch force-pushed from 7b4ea72 to e8571f2
Going to move the parsing out to a lib so we can have some spec to run with it. I have a few self-generated new-format files that I'll start building out, then get back to the old version. Ignore these pushes for now. @james-otten, just checking again if you have the old formats lying around before I build out a VM and try to install the old versions.
Commits:
Update azure lib with process_context_contents
Update azure_spec.rb
Update azure.rb
Update azure_spec.rb
Update azure_cli_creds.rb
fix lint warning
add function to print consolehost_history
print_consolehost_history spec updates
fixing azure_cli spec, and errors
Branch force-pushed from 6e65ce4 to 7594a41
should use the same processor as
Still a little more to go:
What I have so far, though, is working great against some multi-tenant, multi-account type Azure files I have on hand (can't share), so making some really nice progress.
Going to open this up for review. I think it's as good as I'm going to get it in the time I have to spend on it.
Hi @h00die, Docker file
Azure Account
Module Output
I will try to attach a debugger and see what the issue is.
can you
I think I have found the issue.
And I see from the code you are looking for
Regardless, it should keep going; that's why I'd like to see the
Azure path is here:
Looks like it was a slash-direction problem on Linux vs Windows. Was able to diagnose, get it running right with your Docker image, and verify it still works on Windows.
Yep, I was investigating the same issue today and writing you some comments.
I had found one repo on the internet that had an old MSI, but that's nearly as sketchy as you can get. I could do a run against that, but it probably won't be for a week and a half or so.
Yeah, that seems a terrible idea; I'll try to find a workaround for that.
Yep, confirmed it is working; trying to find a way to test on old azure-cli on Windows.
Release Notes
This post module allows exfiltrating Azure tokens and configuration from old azure-cli versions that store them in unencrypted formats.
Add a post module, post/multi/gather/azure_cli_creds, to steal Azure CLI configuration files, which can be used to impersonate the user when working with Azure from a different host.
Installation instructions
Verification
List the steps needed to make sure this thing works
msfconsole
use post/multi/gather/azure_cli_creds
set SESSION [SESSION_ID]
run
Scenarios