Prompt for password for user/password authentication #9

Open
faustocarramate opened this issue Aug 25, 2022 · 3 comments
Labels
enhancement New feature or request

Comments


faustocarramate commented Aug 25, 2022

When executing without the password flag, AzureHound should interactively prompt for a password, but it does not. Affected version: v1.1.3.

Executing:

```powershell
.\azurehound.exe list -u '[email protected]' -t '123-123-123' -b 'abc-abc-abc' --json --log-file 'C:\output'
```

Output:

```
No configuration file located at C:\Users\user\.config\azurehound\config.json
{"level":"error","error":"unable to authenticate. no valid credential provided","time":"2022-08-25...","message":"encountered unrecoverable error"}
```

@ddlees ddlees added the enhancement New feature or request label Sep 12, 2022
Contributor

ddlees commented Sep 12, 2022

@faustocarramate This functionality hasn't been implemented but you are more than welcome to submit a PR.

In the meantime, you can pass in the password using the AZUREHOUND_PASSWORD environment variable or storing it in a config.json which you can generate using azurehound configure.

Examples:

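```sh
# For POSIX compliant systems
# read only sets a shell variable; export it so the azurehound process inherits it
stty -echo; read -r AZUREHOUND_PASSWORD; stty echo; export AZUREHOUND_PASSWORD
azurehound list -u '[email protected]' -t 'mytenant.onmicrosoft.com'
```

```powershell
# For PowerShell
$password = Read-Host -AsSecureString "Please enter your password"
# Assign to $env: so the child process sees it; a plain $AZUREHOUND_PASSWORD is only a PowerShell variable
$env:AZUREHOUND_PASSWORD = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
azurehound list -u '[email protected]' -t 'mytenant.onmicrosoft.com'
```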

@ddlees ddlees changed the title Not prompting for password Prompt for password for user/password authentication Sep 12, 2022
@faustocarramate
Author

Hi @ddlees,
Thanks for your clarification.
What happens when the login method requires MFA?

Contributor

ddlees commented Sep 13, 2022

@faustocarramate Currently we don't handle MFA but you can get around this limitation by using a refresh token. Fortunately, obtaining a refresh token isn't all that difficult.

  1. Run this bit of PowerShell

```powershell
# Step 1 of the OAuth 2.0 device code flow: request a device_code and user_code
$body = @{
    "client_id" =     "1950a258-227b-4e31-a9cf-717495945fc2"
    "resource" =      "https://graph.microsoft.com"
}
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
$Headers=@{}
$Headers["User-Agent"] = $UserAgent
$authResponse = Invoke-RestMethod `
    -UseBasicParsing `
    -Method Post `
    -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
    -Headers $Headers `
    -Body $body
$authResponse
```

  2. Copy the user_code value from the output
  3. Open a browser where your user is already logged in or where your user CAN log in.
  4. From that browser navigate to https://microsoft.com/devicelogin
  5. Enter the user_code value and allow the browser to finish the authentication/authorization process
  6. Continuing from the same PowerShell session, run this script

```powershell
# Redeem the device_code from step 1 for tokens once the browser sign-in has completed
$body=@{
    "client_id" =  "1950a258-227b-4e31-a9cf-717495945fc2"
    "grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
    "code" =       $authResponse.device_code
}
$a = Invoke-RestMethod `
    -UseBasicParsing `
    -Method Post `
    -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" `
    -Headers $Headers `
    -Body $body
$a
```

  7. Copy the refresh_token value from the output
  8. Use AzureHound with the --refresh-token flag and the refresh_token value

```
azurehound --refresh-token <refresh_token> <subcommand>
```
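
A defender-side check for the device code flow walked through in the comment above, as an added example that is not part of the original thread or AzureHound's own code: it scans sign-in records for device-code authentications and marks those that used the client ID from the page. The record shape (Microsoft Graph signIn fields `authenticationProtocol`, `appId`, `userPrincipalName`), the sample data and the allow-list are assumptions.

```python
from collections import defaultdict

# Client ID that appears in the device-code requests quoted on this page.
PAGE_CLIENT_ID = "1950a258-227b-4e31-a9cf-717495945fc2"

# Constructed sample records (not real telemetry). Field names follow the
# Microsoft Graph signIn resource; their presence in your export is an assumption.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2022-09-13T10:01:00Z", "userPrincipalName": "alice@example.test",
     "appId": PAGE_CLIENT_ID, "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2022-09-13T10:05:00Z", "userPrincipalName": "bob@example.test",
     "appId": PAGE_CLIENT_ID, "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.20", "resourceDisplayName": "Azure Resource Manager"},
    {"createdDateTime": "2022-09-13T11:30:00Z", "userPrincipalName": "Carol@example.test",
     "appId": "00000000-0000-0000-0000-000000000001", "authenticationProtocol": "DeviceCode",
     "ipAddress": "198.51.100.9", "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2022-09-13T12:00:00Z", "userPrincipalName": "svc-kiosk@example.test",
     "appId": "00000000-0000-0000-0000-000000000002", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.44", "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2022-09-13T12:10:00Z", "userPrincipalName": "dave@example.test",
     "appId": PAGE_CLIENT_ID},  # protocol field missing: cannot be classified
]

def find_device_code_signins(records, allowed_users=frozenset()):
    """Group device-code sign-ins by user, skipping accounts expected to use the flow."""
    allowed = {u.lower() for u in allowed_users}
    findings = defaultdict(list)
    for rec in records:
        if (rec.get("authenticationProtocol") or "").lower() != "devicecode":
            continue
        user = (rec.get("userPrincipalName") or "unknown").lower()
        if user in allowed:
            continue
        findings[user].append({
            "time": rec.get("createdDateTime"),
            "ip": rec.get("ipAddress"),
            "resource": rec.get("resourceDisplayName"),
            # True when the sign-in used the same client ID as the page's script.
            "page_client_id": (rec.get("appId") or "").lower() == PAGE_CLIENT_ID,
        })
    return dict(findings)

if __name__ == "__main__":
    hits = find_device_code_signins(SAMPLE_SIGNINS, {"svc-kiosk@example.test"})
    for user, events in sorted(hits.items()):
        for e in events:
            print(user, e["time"], e["ip"], e["resource"], "page_client_id=%s" % e["page_client_id"])
```
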
