
Error with authorization

Open cgaudit opened this issue 3 years ago • 6 comments

I have installed scoutsuite-5.10.2 on Kali Linux 2021.2; the Python versions installed are 2.7.18 and 3.9.2. After installation, when I run scout it gives me some errors:

2021-09-05 05:50:26 kali scout[2050] INFO Fetching resources for the App Services service
2021-09-05 05:50:28 kali scout[2050] ERROR network.py L32: Failed to retrieve network security groups: cannot import name 'NetworkSecurityGroupsOperations' from partially initialized module 'azure.mgmt.network.v2018_11_01.operations' (most likely due to a circular import) (/root/ScoutSuite/venv/lib/python3.9/site-packages/azure/mgmt/network/v2018_11_01/operations/init.py)
2021-09-05 05:50:28 kali scout[2050] ERROR network.py L42: Failed to retrieve application security groups: cannot import name 'ApplicationSecurityGroupsOperations' from partially initialized module 'azure.mgmt.network.v2018_11_01.operations' (most likely due to a circular import) (/root/ScoutSuite/venv/lib/python3.9/site-packages/azure/mgmt/network/v2018_11_01/operations/init.py)
2021-09-05 05:50:28 kali scout[2050] ERROR network.py L62: Failed to retrieve network interfaces: cannot import name 'NetworkInterfacesOperations' from partially initialized module 'azure.mgmt.network.v2018_11_01.operations' (most likely due to a circular import) (/root/ScoutSuite/venv/lib/python3.9/site-packages/azure/mgmt/network/v2018_11_01/operations/init.py)
2021-09-05 05:50:28 kali scout[2050] ERROR network.py L22: Failed to retrieve network watchers: cannot import name 'NetworkWatchersOperations' from partially initialized module 'azure.mgmt.network.v2018_11_01.operations' (most likely due to a circular import) (/root/ScoutSuite/venv/lib/python3.9/site-packages/azure/mgmt/network/v2018_11_01/operations/init.py)
2021-09-05 05:52:08 kali scout[2050] ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx' with object id '37---a1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/ff---e1/resourceGroups/Prod-Platform/providers/Microsoft.Web/sites/prod---/config/authsettings' or the scope is invalid. If access was recently granted, please refresh your credentials.
2021-09-05 05:52:08 kali scout[2050] ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx' with object id '37---a1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/ff---1/resourceGroups/Prod-Platform/providers/Microsoft.Web/sites/productionblob/config/authsettings' or the scope is invalid. If access was recently granted, please refresh your credentials.
2021-09-05 05:52:09 kali scout[2050] ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx' with object id '371---1a1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/ff---f5e1/resourceGroups/xxx-prod-solution/providers/Microsoft.Web/sites/xxx-import/config/authsettings' or the scope is invalid. If access was recently granted, please refresh your credentials.
2021-09-05 05:52:09 kali scout[2050] ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx' with object id '37---1a1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/ff---e1/resourceGroups/dash-lab01/providers/Microsoft.Web/sites/xxx/config/authsettings' or the scope is invalid. If access was recently granted, please refresh your credentials.
2021-09-05 05:52:09 kali scout[2050] ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx' with object id '371---a1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/ff---e1/resourceGroups/Prod-xxx-analytics/providers/Microsoft.Web/sites/Prod-xxx-analytics/config/authsettings' or the scope is invalid. If access was recently granted, please refresh your credentials.

I have the required permissions Reader and Security Reader roles but still got errors...

Why? BR

cgaudit avatar Sep 05 '21 10:09 cgaudit

Hi @cgaudit, could you please take a look at my two comments 1 and 2 in issue #963?

Basically the first one has a link to installation instructions and another link about how you can run ScoutSuite in a Docker container.

The second one is related to your issue, which is caused by Python 3.9. Could you please try with Python 3.8?

lowSoA avatar Sep 06 '21 09:09 lowSoA

Thanks a lot @lowSoA! I'll try to downgrade the version I have to 3.8.5 using the virtualenv method.

To whom it may concern: I believe that putting the required working PY version in the scout git installation folder, with the relevant PY version and instructions on how to downgrade, must be done and would make the job much easier for those who use it.

BR

cgaudit avatar Sep 09 '21 06:09 cgaudit

Hi

I still got the current error using Python 3.8.10:

ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx.com' with object id '3xxx1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/fxxx1/resourceGroups/xxx/providers/Microsoft.Web/sites/xxx-import/config/authsettings' or the scope is invalid. If access was recently granted, please refresh your credentials.
2021-09-09 11:19:42 hunter-virtual-machine scout[1767] ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx.com' with object id '3xxx1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/fxxx1/resourceGroups/xxx-Platform/providers/Microsoft.Web/sites/xxx-xxx-hubspot/config/authsettings' or the scope is invalid. If access was recently granted, please refresh your credentials.
2021-09-09 11:19:42 hunter-virtual-machine scout[1767] ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx.com' with object id '3xxx1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/fxxx1/resourceGroups/xxx/providers/Microsoft.Web/sites/xxxuctionblob/config/authsettings' or the scope is invalid. If access was recently granted, please refresh your credentials.
2021-09-09 11:19:43 hunter-virtual-machine scout[1767] ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx.com' with object id '3xxx1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/fxxx1/resourceGroups/xxx-analytics/providers/Microsoft.Web/sites/xxx-xxx-analytics/config/authsettings' or the scope is invalid. If access was recently granted, please refresh your credentials.
2021-09-09 11:19:43 hunter-virtual-machine scout[1767] ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx.com' with object id '3xxx1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/fxxx1/resourceGroups/dash-lab01/providers/Microsoft.Web/sites/what-if/config/authsettings' or the scope is invalid. If access was recently granted, please refresh your credentials.

Which required permission is missing?

BR

cgaudit avatar Sep 09 '21 11:09 cgaudit

The required permissions for Azure are detailed here: https://github.com/nccgroup/ScoutSuite/wiki/Azure#permissions.

lowSoA avatar Sep 09 '21 11:09 lowSoA

@cgaudit, had the same problem. Give the SPN or account you are running it with the Website Contributor role, which has the permission microsoft.web/sites/config/list/action.

Best I can tell this is missing from the documentation but it's all you need.

play0 avatar Sep 30 '21 05:09 play0

Hi, Website Contributor Role has more permissions than just read permissions. I am not feeling comfortable giving this role to the scanner. I would prefer to use a custom role with the missing permissions tbh, if no built-in role provides the needed permissions.

mfuellbier avatar Apr 21 '22 09:04 mfuellbier
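
An added example, not part of the thread and not ScoutSuite code: one way to build the custom role discussed in the last comment is to collect the denied actions from the scanner's own AuthorizationFailed lines and emit a role definition that contains only those. The role name, the function names and the sample log lines (constructed, modelled on the errors quoted above) are assumptions.

```python
import json
import re

# Constructed sample lines, modelled on the errors quoted in this issue.
SAMPLE_LOG = """\
2021-09-09 11:19:42 host scout[1767] ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx' with object id '3xxx1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/fxxx1/resourceGroups/rg-a/providers/Microsoft.Web/sites/app-a/config/authsettings' or the scope is invalid.
2021-09-09 11:19:43 host scout[1767] ERROR appservice.py L49: Failed to retrieve web app auth settings: (AuthorizationFailed) The client 'xxx' with object id '3xxx1' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/fxxx1/resourceGroups/rg-b/providers/Microsoft.Web/sites/app-b/config/authsettings' or the scope is invalid.
2021-09-09 11:19:44 host scout[1767] ERROR network.py L32: Failed to retrieve network security groups: cannot import name 'NetworkSecurityGroupsOperations'
"""

# Matches the action and scope of each denial; import errors do not match.
DENIED = re.compile(
    r"\(AuthorizationFailed\).*?perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>/subscriptions/(?P<sub>[^/']+)[^']*)'"
)


def missing_permissions(log_text):
    """Map each denied action to the set of subscription ids it was denied in."""
    denied = {}
    for m in DENIED.finditer(log_text):
        denied.setdefault(m["action"], set()).add(m["sub"])
    return denied


def custom_role(denied, name="ScoutSuite Missing Read Actions"):
    """Build a role definition holding only the denied actions (hypothetical name)."""
    subs = sorted({s for ids in denied.values() for s in ids})
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Actions ScoutSuite was denied under Reader + Security Reader.",
        # Review every entry before granting: a denied action is not always one to allow.
        "Actions": sorted(denied),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{s}" for s in subs],
    }


if __name__ == "__main__":
    print(json.dumps(custom_role(missing_permissions(SAMPLE_LOG)), indent=2))
```

The printed JSON is in the shape `az role definition create --role-definition` accepts. Azure documents `Microsoft.Web/sites/config/list/action` as listing a web app's security-sensitive settings, so the scanner identity's credentials still need protecting even with this narrower role.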