exploitgraph 1.0.0__py3-none-any.whl

modules/cloud/azure_enum.py

@@ -0,0 +1,289 @@
+"""
+ExploitGraph Module: Azure Blob Storage Enumerator
+Category: cloud
+
+Detects publicly accessible Azure Blob Storage containers.
+Works without credentials (anonymous HTTP mode).
+With Azure SDK: deeper analysis including SAS token validation.
+
+Real-world misconfigurations detected:
+  - Public blob containers (anonymous read access)
+  - Storage accounts with public network access
+  - Exposed SAS tokens in URLs/responses
+  - Misconfigured CORS on storage accounts
+
+Azure Parallel:
+  az storage container list --account-name ACCOUNT --auth-mode login
+  az storage blob list --container-name CONTAINER --account-name ACCOUNT
+"""
+from __future__ import annotations
+import re
+from typing import TYPE_CHECKING
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+from modules.base import BaseModule, ModuleResult
+
+if TYPE_CHECKING:
+    from core.session_manager import Session
+
+# Common Azure storage account naming patterns
+AZURE_SUFFIXES = [
+    "-storage", "-backup", "-backups", "-assets", "-static", "-media",
+    "-files", "-data", "-uploads", "-logs", "-config", "-prod", "-dev",
+    "storage", "backup", "assets", "static", "files",
+]
+
+# Common container names inside storage accounts
+COMMON_CONTAINERS = [
+    "$web", "public", "static", "assets", "files", "images", "media",
+    "uploads", "backups", "backup", "data", "logs", "config", "documents",
+    "reports", "exports", "archive", "temp", "web", "cdn",
+]
+
+# SAS token pattern
+SAS_PATTERN = re.compile(
+    r'(?:https?://[a-z0-9]+\.blob\.core\.windows\.net[^\s"\'<>]*\?sv=[^\s"\'<>]*sig=[A-Za-z0-9%+/=]+)',
+    re.IGNORECASE
+)
+
+
+class AzureEnum(BaseModule):
+
+    NAME        = "azure_enum"
+    DESCRIPTION = "Enumerate Azure Blob Storage containers — detect public access and exposed SAS tokens"
+    AUTHOR      = "ExploitGraph Team"
+    VERSION     = "1.0.0"
+    CATEGORY    = "cloud"
+    SEVERITY    = "CRITICAL"
+    MITRE       = ["T1530", "T1580"]
+    AWS_PARALLEL = "Azure equivalent of: aws s3 ls s3://bucket --no-sign-request"
+
+    OPTIONS = {
+        "TARGET":         {"default": "",          "required": True,  "description": "Target URL or Azure storage account name"},
+        "ACCOUNT_NAME":   {"default": "",          "required": False, "description": "Azure storage account name to test directly"},
+        "WORDLIST":       {"default": "",          "required": False, "description": "Custom storage account name wordlist"},
+        "TIMEOUT":        {"default": "8",         "required": False, "description": "Request timeout in seconds"},
+        "CONTAINERS":     {"default": "",          "required": False, "description": "Comma-separated container names to probe"},
+        "DOWNLOAD_FILES": {"default": "true",      "required": False, "description": "Download discovered files for secret analysis"},
+    }
+
+    def run(self, session: "Session") -> ModuleResult:
+        from core.config import cfg
+        from core.logger import log
+
+        target  = self.get_option("TARGET") or session.target
+        timeout = int(self.get_option("TIMEOUT", "8"))
+        download = self.get_option("DOWNLOAD_FILES", "true").lower() == "true"
+
+        self._timer_start()
+        log.section("Azure Blob Storage Enumeration")
+        log.info("MITRE: T1530 — Data from Cloud Storage Object")
+        log.info("Azure: az storage container list --auth-mode anonymous")
+
+        found_accounts   = []
+        found_containers = []
+        sas_tokens       = []
+
+        # Step 1: Extract account names from target responses
+        account_names = self._discover_account_names(target, timeout)
+
+        # Step 2: Direct account if specified
+        if acct := self.get_option("ACCOUNT_NAME"):
+            account_names.insert(0, acct)
+
+        # Step 3: Test each account
+        containers_to_test = COMMON_CONTAINERS.copy()
+        if custom := self.get_option("CONTAINERS"):
+            containers_to_test = [c.strip() for c in custom.split(",")] + containers_to_test
+
+        for account in account_names[:20]:
+            result = self._test_account(account, containers_to_test, timeout, download, session)
+            if result:
+                found_accounts.append(result)
+                found_containers.extend(result.get("containers", []))
+
+        # Step 4: Scan target responses for SAS tokens
+        sas_tokens = self._scan_for_sas_tokens(target, timeout, session)
+
+        elapsed = self._timer_stop()
+        log.success(f"Azure enum done in {elapsed}s — {len(found_accounts)} accounts, "
+                    f"{len(found_containers)} containers, {len(sas_tokens)} SAS tokens")
+
+        if found_accounts or found_containers:
+            session.add_graph_node("azure_exposure",
+                                   f"Azure Storage\nExposed ({len(found_containers)} containers)",
+                                   "exposure", "CRITICAL")
+            session.add_graph_edge("http_enum", "azure_exposure",
+                                   "public blob access", "T1530")
+
+        return ModuleResult(True, {
+            "accounts_found":    len(found_accounts),
+            "containers_found":  len(found_containers),
+            "sas_tokens_found":  len(sas_tokens),
+        })
+
+    def _discover_account_names(self, target: str, timeout: int) -> list[str]:
+        from core.logger import log
+        from urllib.parse import urlparse
+        names = set()
+
+        hostname = urlparse(target).hostname or ""
+        base = hostname.split(".")[0]
+
+        # Generate candidates from base hostname
+        if base and base not in ("localhost", "127"):
+            names.add(base)
+            for suffix in AZURE_SUFFIXES:
+                names.add(f"{base}{suffix}")
+                names.add(f"{base.replace('-','')}{suffix}")
+
+        # Scan target for Azure storage references
+        log.step("Scanning for Azure storage references in target responses...")
+        try:
+            r = requests.get(target, timeout=timeout, verify=False)
+            # Find storage account names in response
+            for match in re.finditer(
+                r'([a-z0-9]{3,24})\.blob\.core\.windows\.net', r.text, re.IGNORECASE
+            ):
+                name = match.group(1).lower()
+                if 3 <= len(name) <= 24:
+                    names.add(name)
+                    log.found(f"Azure storage reference: {name}.blob.core.windows.net")
+        except Exception:
+            pass  # network/connection error — continue scanning
+
+        return list(names)
+
+    def _test_account(self, account: str, containers: list[str],
+                       timeout: int, download: bool, session: "Session") -> dict | None:
+        from core.logger import log
+
+        base_url  = f"https://{account}.blob.core.windows.net"
+        acct_data = {"name": account, "url": base_url, "containers": []}
+
+        # Test account existence (list containers)
+        list_url = f"{base_url}/?comp=list"
+        try:
+            r = requests.get(list_url, timeout=timeout, verify=False)
+            if r.status_code == 200 and "<EnumerationResults" in r.text:
+                log.critical(f"PUBLIC AZURE ACCOUNT: {account}.blob.core.windows.net")
+                log.info(f"Azure cmd: az storage container list --account-name {account} --auth-mode anonymous")
+
+                # Parse container list from XML
+                listed = re.findall(r"<Name>([^<]+)</Name>", r.text)
+                log.success(f"  Containers listed: {listed}")
+
+                session.add_finding(
+                    module="azure_enum",
+                    title=f"Public Azure Storage Account: {account}",
+                    severity="CRITICAL",
+                    description=f"Azure storage account '{account}' allows unauthenticated container listing.",
+                    evidence=f"URL: {list_url}\nHTTP 200\nContainers: {listed}",
+                    recommendation=(
+                        "Disable anonymous access:\n"
+                        f"az storage account update --name {account} "
+                        "--allow-blob-public-access false"
+                    ),
+                    cvss_score=9.8,
+                    aws_parallel="S3 bucket with s3:ListBucket granted to AllUsers",
+                    mitre_technique="T1530",
+                )
+                containers = listed + [c for c in containers if c not in listed]
+
+        except Exception:
+            pass  # network/connection error — continue scanning
+
+        # Test individual containers
+        for container in containers[:30]:
+            url = f"{base_url}/{container}?restype=container&comp=list"
+            try:
+                r = requests.get(url, timeout=timeout, verify=False)
+                if r.status_code == 200 and ("<EnumerationResults" in r.text or "<Blobs>" in r.text):
+                    blobs = re.findall(r"<Name>([^<]+)</Name>", r.text)
+                    log.found(f"Public container: {account}/{container} ({len(blobs)} blobs)")
+                    for b in blobs[:5]:
+                        log.secret("Blob", b)
+
+                    acct_data["containers"].append({
+                        "name": container, "blobs": blobs,
+                        "url": f"{base_url}/{container}",
+                    })
+
+                    session.add_finding(
+                        module="azure_enum",
+                        title=f"Public Azure Container: {account}/{container}",
+                        severity="CRITICAL",
+                        description=f"Container '{container}' in storage account '{account}' is publicly accessible.",
+                        evidence=f"URL: {url}\nBlobs: {', '.join(blobs[:5])}{'...' if len(blobs)>5 else ''}",
+                        recommendation=(
+                            f"az storage container set-permission --name {container} "
+                            f"--account-name {account} --public-access off"
+                        ),
+                        cvss_score=9.5,
+                        aws_parallel="S3 bucket object with public-read ACL",
+                        mitre_technique="T1530",
+                    )
+
+                    if download:
+                        self._download_blobs(account, container, blobs[:10], timeout, session)
+
+            except Exception:
+                pass  # network/connection error — continue scanning
+
+        return acct_data if acct_data["containers"] else None
+
+    def _download_blobs(self, account: str, container: str, blobs: list[str],
+                         timeout: int, session: "Session"):
+        from core.logger import log
+        INTERESTING = [".env", ".json", ".yaml", ".yml", ".conf", ".ini",
+                        ".key", ".pem", ".zip", ".sql", "config", "secret",
+                        "password", "credential", "backup"]
+        for blob in blobs:
+            if any(ext in blob.lower() for ext in INTERESTING):
+                url = f"https://{account}.blob.core.windows.net/{container}/{blob}"
+                try:
+                    r = requests.get(url, timeout=timeout, verify=False)
+                    if r.status_code == 200:
+                        log.found(f"Downloaded blob: {blob} ({len(r.content)} bytes)")
+                        session.exposed_files.append({
+                            "url": url, "path": blob,
+                            "content": r.text if len(r.content) < 1_000_000 else None,
+                            "source": "azure_enum",
+                        })
+                except Exception:
+                    pass  # network/connection error — continue scanning
+
+    def _scan_for_sas_tokens(self, target: str, timeout: int, session: "Session") -> list[str]:
+        from core.logger import log
+        tokens = []
+        try:
+            r = requests.get(target, timeout=timeout, verify=False)
+            for match in SAS_PATTERN.finditer(r.text):
+                token_url = match.group(0)
+                tokens.append(token_url)
+                log.critical(f"SAS TOKEN EXPOSED: {token_url[:80]}...")
+                session.add_secret(
+                    secret_type="AZURE_SAS_TOKEN",
+                    value=token_url,
+                    source=target,
+                    severity="CRITICAL",
+                    description="Azure SAS token exposed in HTTP response. Grants time-limited storage access.",
+                    aws_parallel="Pre-signed S3 URL exposed in response — grants temporary access",
+                )
+                session.add_finding(
+                    module="azure_enum",
+                    title="Azure SAS Token Exposed",
+                    severity="CRITICAL",
+                    description="A Shared Access Signature (SAS) token was found in the application response.",
+                    evidence=f"Source: {target}\nToken: {token_url[:80]}...",
+                    recommendation="Rotate SAS token immediately. Use Managed Identities instead of SAS tokens.",
+                    cvss_score=9.0,
+                    aws_parallel="Pre-signed S3 URL leaked in JavaScript/HTML source",
+                    mitre_technique="T1552.001",
+                )
+        except Exception:
+            pass  # network/connection error — continue scanning
+        return tokens