PynAuth is a python-based proof of concept framework for performing OAuth token stealing campaigns against Office365 accounts with the Microsoft Graph API. The tool is built on top of the Microsoft Quick Start Python code.
"PynAuth" is a play on the naming of FireEye's "PwnAuth", which is a web application framework for launching the same types of campaigns.
I developed this framework as I wanted a quick-start, python-based, modular way to perform these attacks with little over-head. I am also old-school and like terminal based tools. This project is very much in beta and I am sure there are bugs or more efficient ways to code the functionality. (Still working on those python skills :D).
Do not use this tool for unauthorized malicious purposes.
For other great resources on this type of attack and tools, be sure to check out the following research from FireEye and MDSec which sparked this:
- Create an application within the Azure Portal.
- Add the following attributes from your app to the 'app_config.py' file:
- Client ID
- Client Secret
- Redirect Path
- Scope (Permissions)
- Modify the 'login.html' and 'index.html' page within the 'templates' folder to your liking. Currently, they are basically just the Microsoft Quick Start defaults
(Blog coming soon which will go more in depth on this setup)
-
Start webserver by running 'app.py'. This will start a Flask based web server. (Securing the server is up to you. Recommend putting behind a HTTPS redirector if open to the internet)
-
Have a user open the configured link to sign-in to the portal
-
An access and refresh token will be returned and written to a pickle file. Currently, only one set of tokens can be stored per user.
-
Once tokens have been collected, run 'mainAPI.py' and choose the action you wish to take
This module will pull user's information from the Graph API. Good way to check if token is still valid.
This module can send a new or templated email. The template email can be edited within the 'apiSendMail.py' module. Attachments are not currently supported.
Due to the built-in permissions of the Graph API, this module will only work for work and school accounts (not personal Microsoft accounts). This module will query the users inbox for a specified keyword and return up to 25 results (can be modified). For each result, it can display the received time, sender, receiver, attachment list, and body text to the terminal. If the email has attachments, they can be downloaded.
This module works as an interactive terminal to the user's OneDrive. To traverse to a folder or download a file, simply choose the corresponding number.
This module will create a mail rule for the user's Outlook inbox. The rule can be modified within the 'apiCreateInboxRule.py' module. Current config looks for "password" and "reset" in an email. Please see the official Microsoft documentation on how to create these rules.
This module will list any current inbox rules for the user. If any exist, it will give you the option to delete them. This is a good way to remove your created rule in the previous module after it is no longer needed. (I need to work on making the output prettier).
By default, the user's access token is only valid for one hour. This module uses the refresh token provided by OAuth to refresh the access token for another hour. The refresh token is valid for 14 days.
- Make some outputs prettier
- Add additional error handing as necessary
- Make code more efficient
- Change user-agent. Currently in Azure logs, shows as "Python-urllib"
- Add more modules
Constructive feedback always welcome.