cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

Goosey Honk KeyError: 'auth' #39

Closed buermsjaan closed 1 year ago

buermsjaan commented 1 year ago

🐛 Summary

I receive an error when trying to run Goosey Honk

To reproduce

Ubuntu 22.04

  1. Run Goosey auth
  2. Run Goosey honk

Expected behavior

Expected log collection, got an error instead

Any helpful log output or screenshots

Goosey Auth output:

goosey auth
2023-05-30 11:39:41,114 - auth - INFO - Attempting to automatically auth via device code. You may have to accept MFA prompts. (auth.py:116)
2023-05-30 11:40:06,023 - auth - INFO - Device code authentication - Your MFA code is: xx (auth.py:196)
2023-05-30 11:41:36,717 - auth - INFO - Attempting to automatically auth as an user. You may have to accept MFA prompts. (auth.py:315)
2023-05-30 11:41:40,676 - auth - INFO - m365 auth set to False. Not gathering Exchange cookies. (auth.py:586)

Goosey honk
Traceback (most recent call last):
  File "/home/jaan/.local/bin/goosey", line 8, in <module>
    sys.exit(main())
  File "/home/jaan/.local/lib/python3.10/site-packages/goosey/main.py", line 89, in main
    honkmain(args)
  File "/home/jaan/.local/lib/python3.10/site-packages/goosey/honk.py", line 278, in main
    asyncio.run(run(args, config, auth, auth_un_pw))
  File "/usr/lib/python3.10/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.10/asyncio/base_events.py", line 646, in run_until_complete
    return future.result()
  File "/home/jaan/.local/lib/python3.10/site-packages/goosey/honk.py", line 134, in run
    azure_dumper = AzureDataDumper(args.output_dir, args.reports_dir, maindumper.ahsession, mgmt_app_auth, config, auth_un_pw, args.debug)
  File "/home/jaan/.local/lib/python3.10/site-packages/goosey/azure_dumper.py", line 87, in __init__
    self.subscription_id_list = config['auth']['subscriptionid'].split(",")
  File "/usr/lib/python3.10/configparser.py", line 964, in __getitem__
    raise KeyError(key)
KeyError: 'auth'

my .auth file:

[auth]
username=xxxx@yyyyyy.xxx
password=redacted
appid=0a435e77-fxxx-xxxd-xxxe-cxxxxxxxxxxx
clientsecret=redacted

my .conf file:

[config]
tenant=axxxx-xxx0f-xxxxxxxxxxxxxxxx
us_government=False
exo_us_government=False
subscriptionid=xxxxxxxxx
m365=False

[filters]
date_start=2023-05-10
date_end=2023-05-29

[azure]
activity_log=True
alerts=False
all_azure_subscriptions=False
all_resources=False
assessments=False
bastion_logs=False
compliance=False
container_config=False
diagnostic_settings=False
file_shares=False
key_vault_log=False
network=False
nsg_flow_logs=False
portal_alerts=False
portal_defendersettings=False
portal_pcap=False
portal_sensors=False
security_center=False
storage_accounts=False
vm_config=False

[azuread]
applications=False
azuread_audit=True
azuread_provisioning=False
conditional_access=False
devices=False
directory_roles=False
groups=False
identity_provider=False
organization=False
policies=False
risk_detections=False
risky_objects=False
security=False
service_principals=False
signins_adfs=False
signins_msi=False
signins_rt=False
signins_sp=False
summaries=False
users=False

[m365]
exo_addins=False
exo_groups=False
exo_inboxrules=False
exo_mailbox=False
powershell_calls=False
ual=False

[mde]
advanced_hunting_query=False
alerts=False
indicators=False
investigations=False
library_files=False
machine_vulns=False
machines=False
recommendations=False
software=False

[msgtrc]
setemailaddress=False
direction=False
notifyaddress=False
originalclientip=False
recipientaddress=False
reporttitle=False
reporttype=False
senderaddress=False

buermsjaan commented 1 year ago

Additionally, I see Interrupted or Failed Sign-in attempts on Azure AD. The failure reason is the following "Failure reason For security reasons, user confirmation is required for this request. Please repeat the request allowing user interaction." Running Goosey auth with the --interactive parameter doesn't seem to solve the issue.

victoriawallace-cisa commented 1 year ago

Hello, can you try to set subscriptionid to All instead of a single subscriptionid and see if that fixes it?

Example:

subscriptionid=All

victoriawallace-cisa commented 1 year ago

No response received, closing issue.