trouble-1 / vajra Goto Github PK

Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure and AWS environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces.

License: GNU Affero General Public License v3.0

Python 13.91% CSS 62.81% JavaScript 8.58% HTML 14.70%

azure azuread aws gcp cloudsecurity redteam-tools toolkit python3

vajra's Introduction

Vajra - Your Weapon To Cloud

About Vajra

Vajra is a UI based tool with multiple techniques for attacking and enumerating in target's Azure environment.

The term Vajra refers to the Weapon of God Indra in Indian mythology (God of Thunder & Storms). Its connection to the cloud makes it a perfect name for the tool.

Vajra presently supports Azure and AWS Cloud environments, with plans to add support for Google Cloud Platform and certain OSINT in the future.

Following features are available at the moment:

Azure
- Attacking
  1. OAuth Based Phishing (Illicit Consent Grant Attack)
    - Exfiltrate Data
    - Enumerate Environment
    - Deploy Backdoors
    - Send mails/Create Rules
  2. Password Spray
  3. Password Brute Force
- Enumeration
  1. Users
  2. Subdomain
  3. Azure Ad
  4. Azure Services
- Specific Service
  1. Storage Accounts
AWS
- Attacking(In progress)
  1. Under Development
- Enumeration
  1. IAM Enumeration
  2. S3 Scanner
  3. Under Development
- Misconfiguration

Note: This tool have been tested in a environment which had around 3 Lakh principals like users, groups, enterprise application, etc.

It features an intuitive web-based user interface built with the Python Flask module for a better user experience.

About Author

Raunak Parmar is an information security professional whose areas of interest include web penetration testing, Azure/AWS security, source code review, scripting, and development. He has 3+ years of experience in information security. Raunak holds OSWE certification and likes to research new attack methodologies and create open-source tools that can be used during Cloud Security assessments. He has worked extensively on Azure and AWS.

He is the author of Vajra an offensive cloud security tool and has spoken at multiple conferences like NullCon, Defcon, Blackhat, and local meetups.

Social Media Links

Twitter: https://twitter.com/trouble1_raunak
YouTube: https://www.youtube.com/channel/UCkJ_sEF8iUDXPCI3UL0DAcg
Linkedin: https://www.linkedin.com/in/trouble1raunak/
GitHub: https://github.com/TROUBLE-1/

Installation

Docker

Pull the image file from dockerhub

docker pull tr0uble1/vajra

Run Vajra with following and navigate to http://localhost

docker run -p 80:80 -d tr0uble1/vajra

Manually

Run the following command to install all the modules.

pip install -r requirements.txt

Once installed run the following to start the application.

python app.py

How to use Vajra?

A detailed usage guide is available on Documentation section of the Wiki.

Bugs and Feature Requests

Please raise an issue if you encounter a bug or have a feature request.

Contributing

If you want to contribute to a project and make it better, your help is very welcome.

vajra's People

Contributors

Stargazers

Watchers

vajra's Issues

Error Phishing

Description
When using the phishing module and the victim is redirected to: https://[...].com/azure/getcode/3965[...]f?code=0.AYIAT0FRU5LMWk6duuByeVEJD[...] the browser shows a 500.

The console of Varja throws the following error:

[2023-01-31 13:50:17,168] ERROR in app: Exception on /azure/getcode/3965a7c339a842f8b00ea4e4dda8b07f [GET]
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/flask/app.py", line 2077, in wsgi_app
    response = self.full_dispatch_request()
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/flask/app.py", line 1525, in full_dispatch_request
    rv = self.handle_user_exception(e)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/flask/app.py", line 1523, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/flask/app.py", line 1509, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/Vajra/Code/vajra/routes.py", line 477, in getcode
    return redirect(f"/azure/getcode/{current_user.id}")
                                      ^^^^^^^^^^^^^^^
AttributeError: 'AnonymousUserMixin' object has no attribute 'id'

JWT Decoding error

Describe the bug
When using Enumeration=> Azure AD with an access token, fetched from the victims page, the app says the token is invalid.
In the function startAzureAdEnumeration in function.py the application crashes.

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 2095, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.9/dist-packages/flask_socketio/__init__.py", line 45, in __call__
    return super(_SocketIOMiddleware, self).__call__(environ,
  File "/usr/local/lib/python3.9/dist-packages/engineio/middleware.py", line 74, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 2080, in wsgi_app
    response = self.handle_exception(e)
  File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 2077, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 1525, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 1523, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.9/dist-packages/flask/app.py", line 1509, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/usr/local/lib/python3.9/dist-packages/flask_login/utils.py", line 277, in decorated_view
    return current_app.ensure_sync(func)(*args, **kwargs)
  File "/opt/Vajra/Code/vajra/routes.py", line 544, in azureAdEnumeration
    res = startAzureAdEnumeration(form)
  File "/opt/Vajra/Code/vajra/functions.py", line 418, in startAzureAdEnumeration
    username = jwt.decode(accessToken, options={"verify_signature": False})["upn"]
  File "/usr/lib/python3/dist-packages/jwt/api_jwt.py", line 104, in decode
    self._validate_claims(payload, merged_options, **kwargs)
  File "/usr/lib/python3/dist-packages/jwt/api_jwt.py", line 140, in _validate_claims
    self._validate_aud(payload, audience)
  File "/usr/lib/python3/dist-packages/jwt/api_jwt.py", line 189, in _validate_aud
    raise InvalidAudienceError('Invalid audience')
jwt.exceptions.InvalidAudienceError: Invalid audience

Replacing in function.py:
username = jwt.decode(accessToken, options={"verify_signature": False})["upn"]

With:
username = jwt.decode(accessToken, options={"verify_signature": False, "verify_aud": False})["upn"]

fixed the issue

To Reproduce
Steps to reproduce the behavior:

Go to 'http://127.0.0.1/azure/office365/victims'
Click on 'Get Token'
Go to 'https://vajra.hackmich.net/azure/enumeration/AzureAdEnumeration'
Paste the token in the corresponding field
Click 'Enumerate'