cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal
912 stars 79 forks source link

goosey auth fails, replicate of #9 #33

Closed jpeacblth closed 1 year ago

jpeacblth commented 1 year ago

I have the same errors show as @Pavel-Sushko in issue #9 with the below items. I did change the time to 120 and I still hit the same errors.

I then tried the above, but with the pip install, and it just reset items back to 10. tested with same output. Then changed to 120 and ran goosey auth.. same errors.

Stacktrace: RemoteError@chrome://remote/content/shared/RemoteError.sys.mjs:8:8 WebDriverError@chrome://remote/content/shared/webdriver/Errors.sys.mjs:182:5 NoSuchElementError@chrome://remote/content/shared/webdriver/Errors.sys.mjs:394:5 element.find/</<@chrome://remote/content/marionette/element.sys.mjs:134:16 (auth.py:575)

Originally posted by @victoriawallace-cisa in https://github.com/cisagov/untitledgoosetool/issues/9#issuecomment-1485981338

victoriawallace-cisa commented 1 year ago

@jpeacblth You shouldn't need to do that with the latest version of the tool. I increased the waits from 10 to 60 seconds. Can you ensure you have the latest version of the Untitled Goose Tool and run a pip install? Afterwards, run goosey auth --debug and post your output here.

jpeacblth commented 1 year ago

Hello, I grabbed the latest version and did the pip install. Here is the results from my goosey auth --debug

Stacktrace:
RemoteError@chrome://remote/content/shared/RemoteError.sys.mjs:8:8
WebDriverError@chrome://remote/content/shared/webdriver/Errors.sys.mjs:182:5
UnexpectedAlertOpenError@chrome://remote/content/shared/webdriver/Errors.sys.mjs:508:5
GeckoDriver.prototype._handleUserPrompts@chrome://remote/content/marionette/driver.sys.mjs:2696:13
 (auth.py:575)
2023-05-04 16:33:41,403 - auth - INFO - User authentication complete. (auth.py:584)
2023-05-04 16:33:45,421 - auth - DEBUG - App Authentication authority uri: https://login.microsoftonline.com/0c4d6a21-2cf4-4197-9333-aa5fadb76709 (auth.py:288)
2023-05-04 16:33:45,422 - auth - DEBUG - App authentication resource uri: https://graph.microsoft.com/.default (auth.py:289)
2023-05-04 16:33:45,811 - auth - DEBUG - App Authentication authority uri: https://login.microsoftonline.com/0c4d6a21-2cf4-4197-9333-aa5fadb76709 (auth.py:288)
2023-05-04 16:33:45,812 - auth - DEBUG - App authentication resource uri: https://api.securitycenter.microsoft.com/.default (auth.py:289)
2023-05-04 16:33:46,165 - auth - DEBUG - App Authentication authority uri: https://login.microsoftonline.com/0c4d6a21-2cf4-4197-9333-aa5fadb76709 (auth.py:288)
2023-05-04 16:33:46,168 - auth - DEBUG - App authentication resource uri: https://management.azure.com/.default (auth.py:289)
victoriawallace-cisa commented 1 year ago

Thanks, if you run goosey auth --debug --interactive, can you describe what is happening (the browser steps will show up on screen; please don't interact with the browser while it is attempting to authenticate as the user)? I'm unable to replicate the issue, so seeing what selenium looks like to the user can help me understand what is going on.

jpeacblth commented 1 year ago

The authentication windows pop up and they appear to log-in without a problem. we do have SSO enabled, and it even looks like that it is getting passed. Things moved so quickly that I couldn't grab screenshots.

Not sure if it changes anything. But I think the IAM team setup the principal account as non-interactive log in.. it was set to application login.

victoriawallace-cisa commented 1 year ago

Since you have SSO enabled, if you manually navigate to portal.azure.com, does it just log you in?

jpeacblth commented 1 year ago

no, it look is asking for me to login.

victoriawallace-cisa commented 1 year ago

When you ran the tool with --interactive, did the debug logs show the same error as you initially reported even though it seemed to log-in without an issue?

victoriawallace-cisa commented 1 year ago

@jpeacblth Also, can you create a cloud-only account (without any on-premise connection) with the permissions needed? I think that will solve the SSO issue you are running into.

jpeacblth commented 1 year ago

@victoriawallace-cisa , Hello. I was able to get the cloud account tested. It appears that resolved the problem. I did get an error, but I am guess it is due to permissions.

2023-05-22 15:36:39,237 - auth - INFO - Attempting to automatically auth via device code. You may have to accept MFA prompts. (auth.py:116) 2023-05-22 15:37:14,405 - auth - INFO - Device code authentication complete. (auth.py:279) 2023-05-22 15:37:18,415 - auth - INFO - Attempting to automatically auth as an user. You may have to accept MFA prompts. (auth.py:315) 2023-05-22 15:38:27,052 - auth - INFO - First tab: Obtained audit log cookies. (auth.py:523) 2023-05-22 15:38:27,069 - auth - ERROR - Error obtaining .AspNet cookie - admin.exchange.microsoft.com: 'NoneType' object has no attribute 'get' (auth.py:532) 2023-05-22 15:38:27,071 - auth - INFO - Third tab: Obtained Exchange cookies. (auth.py:541) 2023-05-22 15:38:27,091 - auth - INFO - Second tab: Exchange Control Panel cookies acquired. (auth.py:569) 2023-05-22 15:38:30,502 - auth - INFO - User authentication complete. (auth.py:584)

victoriawallace-cisa commented 1 year ago

@jpeacblth Due to the fickleness of the Microsoft environment, you might have to re-auth until you don't receive an error message. I'll go ahead and add needing a cloud-only account to the readme in order to remediate this issue for future users.