Updated get/list-application/s to dynamically resolve app role ids

mlcsec · mlcsec · commit 41d89e7e41f5 · 2024-07-18T20:07:52.000+01:00
diff --git a/.github/getapplication-updated.png b/.github/getapplication-updated.png
diff --git a/README.md b/README.md
@@ -377,6 +377,12 @@ The resourceAppId `00000003-0000-0000-c000-000000000000` is the Microsoft Graph
 
 ![](./.github/getapplication-perms.png)
 
+#### UPDATED
+
+Just updated this and `List-Applications` to dynamically resolve the IDs so you don't have to manually:
+
+![](./.github/getapplications-updated.png)
+
 ### List-RecentOneDriveFiles
 
 List recent OneDrive files belonging to current user:
@@ -646,7 +652,7 @@ Graph permission IDs applied to objects can be easily located with detailed expl
   - [x] `Deploy-MaliciousScript` - add input options to choose runAsAccount, enforceSignatureCheck, etc. and more assignment options
   - [x] `Get-DeviceConfigurationPolicies` - tidy up the templateReference and assignmentTarget output
   - [x] `Add-ApplicationPermission` - updated logic and added ability to grant admin consent for admin permissions assigned from the same command - update `Grant-AppAdminConsent` to handle any failures so users don't have to repeat this whole command again
-  - [ ] `Get-Application` - process the `requiredResourceAccess` attribute and resolved any Graph API app role IDs to their role name/description
+  - [X] `Get-Application` - process the `requiredResourceAccess` attribute and resolved any Graph API app role IDs to their role name/description - `List-Applications` updated with this as well
 - New:
   - [x] `Find-PrivilegedApplications` - identify enterprise applications which have privileged graph api permissions granted
   - [x] `Grant-AppAdminConsent` - grant admin consent for requested/applied admin app permissions (if `Add-ApplicationPermission` fails)
diff --git a/graphpython.py b/graphpython.py
@@ -2524,35 +2524,86 @@ def base64url_encode(data):
 
     # get-application
     elif args.command and args.command.lower() == "get-application":
-            if not args.id:
-                print_red("[-] Error: --id <appid> argument is required for Get-Application command")
-                return
-            
-            print_yellow("\n[*] Get-Application")
-            print("=" * 80)
-            api_url = f"https://graph.microsoft.com/beta/myorganization/applications(appId='{args.id}')" # app id
-            #api_url = f"https://graph.microsoft.com/v1.0/applications/{args.id}" # object id
-            if args.select:
-                api_url += "?$select=" + args.select
+        if not args.id:
+            print_red("[-] Error: --id <appid> argument is required for Get-Application command")
+            return
 
-            user_agent = get_user_agent(args)
-            headers = {
-                'Authorization': f'Bearer {access_token}',
-                'User-Agent': user_agent
-            }
+        print_yellow("\n[*] Get-Application")
+        print("=" * 80)
+        api_url = f"https://graph.microsoft.com/beta/myorganization/applications(appId='{args.id}')" # app id
+        #api_url = f"https://graph.microsoft.com/v1.0/applications/{args.id}" # object id
+        if args.select:
+            api_url += "?$select=" + args.select
+        user_agent = get_user_agent(args)
+        headers = {
+            'Authorization': f'Bearer {access_token}',
+            'User-Agent': user_agent
+        }
+        response = requests.get(api_url, headers=headers)
 
-            response = requests.get(api_url, headers=headers)
-            if response.status_code == 200:
-                response_json = response.json()
+        if response.status_code == 200:
+            response_json = response.json()
 
-                for key, value in response_json.items():
-                    if key != "@odata.context":
-                        print(f"{key}: {value}")
+            def parse_roleids(content):
+                soup = BeautifulSoup(content, 'html.parser')
+                permissions = {}
+                for h3 in soup.find_all('h3'):
+                    permission_name = h3.get_text()
+                    table = h3.find_next('table')
+                    rows = table.find_all('tr')
+                    application_id = rows[1].find_all('td')[1].get_text()
+                    delegated_id = rows[1].find_all('td')[2].get_text()
+                    application_description = rows[2].find_all('td')[1].get_text()
+                    delegated_description = rows[2].find_all('td')[2].get_text()
+                    application_consent = rows[4].find_all('td')[1].get_text() if len(rows) > 4 else "Unknown"
+                    delegated_consent = rows[4].find_all('td')[2].get_text() if len(rows) > 4 else "Unknown"
+                    permissions[application_id] = ('Application', permission_name, application_description, application_consent)
+                    permissions[delegated_id] = ('Delegated', permission_name, delegated_description, delegated_consent)
+                return permissions
+
+            script_dir = os.path.dirname(os.path.abspath(__file__))
+            file_path = os.path.join(script_dir, '.github', 'graphpermissions.txt')
+            try:
+                with open(file_path, 'r') as file:
+                    content = file.read()
+            except FileNotFoundError:
+                print_red(f"\n[-] The file {file_path} does not exist.")
+                sys.exit(1)
+            except Exception as e:
+                print_red(f"\n[-] An error occurred: {e}")
+                sys.exit(1)
 
-            else:
-                print_red(f"[-] Failed to retrieve Azure Application details: {response.status_code}")
-                print_red(response.text)
-            print("=" * 80)
+            permissions = parse_roleids(content)
+
+            for key, value in response_json.items():
+                if key == "requiredResourceAccess":
+                    if value:
+                        print_green(f"{key}:")
+                        for resource in value:
+                            print_green(f"  Resource App ID: {resource['resourceAppId']}")
+                            for access in resource['resourceAccess']:
+                                role_id = access['id']
+                                role_type = access['type']
+                                if role_id in permissions:
+                                    perm_type, role_name, description, consent_required = permissions[role_id]
+                                    print_green(f"    Role ID: {role_id}")
+                                    print_green(f"    Role Name: {role_name}")
+                                    print_green(f"    Description: {description}")
+                                    print_green(f"    Type: {role_type}")
+                                    print_green(f"    Permission Type: {perm_type}")
+                                    print_green(f"    Admin Consent Required: {consent_required}")
+                                else:
+                                    print_red(f"    Role ID: {role_id} (Information not found)")
+                                    print_red(f"    Type: {role_type}")
+                                print("    ---")
+                    else:
+                        print_red(f"{key} : No assignments")
+                elif key != "@odata.context":
+                    print(f"{key}: {value}")
+        else:
+            print_red(f"[-] Failed to retrieve Azure Application details: {response.status_code}")
+            print_red(response.text)
+        print("=" * 80)
 
     # get-appserviceprincipal
     elif args.command and args.command.lower() == "get-appserviceprincipal":
@@ -2971,13 +3022,61 @@ def base64url_encode(data):
         else:
             print_red(f"[-] Error: API request failed with status code {response.status_code}")
             applications = None
-                
+        
+        def parse_roleids(content):
+            soup = BeautifulSoup(content, 'html.parser')
+            permissions = {}
+            for h3 in soup.find_all('h3'):
+                permission_name = h3.get_text()
+                table = h3.find_next('table')
+                rows = table.find_all('tr')
+                application_id = rows[1].find_all('td')[1].get_text()
+                delegated_id = rows[1].find_all('td')[2].get_text()
+                application_description = rows[2].find_all('td')[1].get_text()
+                delegated_description = rows[2].find_all('td')[2].get_text()
+                application_consent = rows[4].find_all('td')[1].get_text() if len(rows) > 4 else "Unknown"
+                delegated_consent = rows[4].find_all('td')[2].get_text() if len(rows) > 4 else "Unknown"
+                permissions[application_id] = ('Application', permission_name, application_description, application_consent)
+                permissions[delegated_id] = ('Delegated', permission_name, delegated_description, delegated_consent)
+            return permissions
+        
+        script_dir = os.path.dirname(os.path.abspath(__file__))
+        file_path = os.path.join(script_dir, '.github', 'graphpermissions.txt')
+        try:
+            with open(file_path, 'r') as file:
+                content = file.read()
+        except FileNotFoundError:
+            print_red(f"\n[-] The file {file_path} does not exist.")
+            sys.exit(1)
+        except Exception as e:
+            print_red(f"\n[-] An error occurred: {e}")
+            sys.exit(1)
+        
+        permissions = parse_roleids(content)
+        
         if applications and 'value' in applications:
             for app in applications['value']:
                 for key, value in app.items():
                     if key == 'requiredResourceAccess':
                         if value:
-                            print_green(f"{key} : {value}")
+                            print_green(f"{key}:")
+                            for resource in value:
+                                print_green(f"  Resource App ID: {resource['resourceAppId']}")
+                                for access in resource['resourceAccess']:
+                                    role_id = access['id']
+                                    role_type = access['type']
+                                    if role_id in permissions:
+                                        perm_type, role_name, description, consent_required = permissions[role_id]
+                                        print_green(f"    Role ID: {role_id}")
+                                        print_green(f"    Role Name: {role_name}")
+                                        print_green(f"    Description: {description}")
+                                        print_green(f"    Type: {role_type}")
+                                        print_green(f"    Permission Type: {perm_type}")
+                                        print_green(f"    Admin Consent Required: {consent_required}")
+                                    else:
+                                        print_red(f"    Role ID: {role_id} (Information not found)")
+                                        print_red(f"    Type: {role_type}")
+                                    print("    ---")
                         else:
                             print_red(f"{key} : No assignments")
                     else:
