365-Stealer
Table of Contents
- About 365-Stealer
- About Illicit Consent Grant Attack
- Features
- Setup Attacking Environment
- Setup 365-Stealer
- Configure 365-Stealer Management portal
- OPSEC Consideration
- Command Line Help
- Blog
- Video
- Bugs and Feature Requests
- Contributing
- Credits
About
365-Stealer is a tool written in Python3 which can be used in illicit consent grant attacks. When the victim grants consent, we get their Refresh Token, which can be used to request multiple Tokens that help us access data like Mails, Notes, Files from OneDrive etc. Doing this manually takes a lot of time, so this tool automates the process.
365-Stealer comes with 2 interfaces:
- CLI - The CLI is purely written in Python3.
- Web UI - The Web UI is written in PHP and also leverages Python3 for executing commands in the background.
About Illicit Consent Grant Attack
In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to. After the application has been granted consent, it has user account-level access to the data without the need for an organizational account.
In simple words, when the victim clicks that beautiful blue "Accept" button, Azure AD sends a token to the third-party site that belongs to the attacker, who then uses the token to perform actions on behalf of the victim, like accessing all the files, reading mails, sending mails etc.
Features
- Steals the Refresh Token, which can be used to obtain new Access Tokens for at least 90 days.
- Can send mails with attachments from the victim user to another user.
- Creates Outlook rules, e.g. forwarding any mail that the victim receives.
- Uploads any file to the victim's OneDrive.
- Steals files from OneDrive and OneNote and dumps all the Mails including the attachments.
- The 365-Stealer Management portal allows us to manage all the data of the victims.
- Can backdoor .docx files located in OneDrive by injecting macros and replacing the file extension with .doc.
- All the data like Refresh Tokens, Mails, Files, Attachments, the list of all the users in the victim's tenant and our configuration are stored in a database.
- Delays the requests by a specified time in seconds while stealing the data.
- The tool also hosts the dummy application for performing the illicit consent grant attack by using `--run-app` in the terminal or by using 365-Stealer Management.
- With the `--no-stealing` flag 365-Stealer will only steal tokens that can later be leveraged to steal data.
- We can also request new Access Tokens for all the users or for a specific user.
- We can easily get a new access token using the `--refresh-token`, `--client-id` and `--client-secret` flags.
- Configuration can be done from the 365-Stealer CLI or the Management portal.
- The 365-Stealer CLI gives an option to use it in our own way and set up our own phishing pages.
- Allows us to steal particular data, e.g. OneDrive, Outlook etc., by passing the `--custom-steal` flag.
- All the stolen data are saved in the database.db file, which we can share with our team to leverage the existing data, tokens etc.
- We can search emails by keyword, subject, user's email address, or by filtering emails containing attachments from the 365-Stealer Management portal.
- We can dump the user info from the target tenant and export it to CSV.
Setup Attacking Environment
Register Application
Follow the steps below to register an application in Azure:
- Login to https://portal.azure.com
- Navigate to `Azure Active Directory`
- Click on `App registrations`
- Click `New registration`
- Enter the Name for our application (the same name will be displayed to the victim while granting consent)
- Under supported account types select `Accounts in any organizational directory (Any Azure AD directory - Multitenant)`
- Enter the Redirect URL. This URL should point to the 365-Stealer application that we will host for our phishing page. Make sure the endpoint is `https://<DOMAIN/IP>:<PORT>/login/authorized`.
- Click `Register`
Configure Application
Create Client Secrets
- Click on `Certificates & secrets`
- Click on `New client secret`, then enter the Description and click on `Add`.
- Save the secret's value somewhere in a safe place.
Add API Permissions
- Click on `API permissions`
- Click `Add a permission`
- Click on `Microsoft Graph`
- Click on `Delegated permissions`
- Search and select the permissions listed below and click on Add permission (this depends upon what permissions we want from the victim)
  - Contacts.Read
  - Mail.Read
  - Notes.Read.All
  - Mailboxsettings.ReadWrite
  - Files.ReadWrite.All
  - Mail.Send
  - User.ReadBasic.All
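The defender-side counterpart to the permission list above and the consent flow described earlier, added here and not part of 365-Stealer: a small triage routine that flags consent-grant records requesting these delegated scopes for an unverified multi-tenant app. The `ConsentEvent` fields and the sample events are constructed assumptions, not the real Azure AD audit schema.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Delegated Graph scopes the README tells the attacker to request; a grant
# bundling several of these for an unverified multi-tenant app is suspect.
HIGH_RISK_SCOPES = {
    "Contacts.Read", "Mail.Read", "Notes.Read.All", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Mail.Send", "User.ReadBasic.All",
}

@dataclass
class ConsentEvent:          # constructed, simplified consent record
    app_name: str
    publisher_verified: bool
    multitenant: bool        # "Accounts in any organizational directory"
    scopes: str              # space-separated delegated scopes
    consented_by_admin: bool

@dataclass
class Finding:
    app_name: str
    risky_scopes: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

def assess(ev: ConsentEvent) -> Optional[Finding]:
    """Return a Finding when the grant matches the illicit-consent pattern."""
    risky = sorted(set(ev.scopes.split()) & HIGH_RISK_SCOPES)
    reasons = []
    if risky:
        reasons.append(f"{len(risky)} mailbox/file scopes requested")
    if ev.multitenant and not ev.publisher_verified:
        reasons.append("multi-tenant app from an unverified publisher")
    if risky and not ev.consented_by_admin:
        reasons.append("end-user consent to sensitive scopes")
    # Sensitive scopes alone are not enough; require one contextual signal too
    if risky and len(reasons) >= 2:
        return Finding(ev.app_name, risky, reasons)
    return None

# Constructed sample events: one shaped like the README's app, one benign
SAMPLE_EVENTS = [
    ConsentEvent("Contoso Docs Viewer", False, True,
                 "Mail.Read Mail.Send Files.ReadWrite.All offline_access", False),
    ConsentEvent("Microsoft Teams", True, True, "User.Read", False),
]

def findings_for(events=SAMPLE_EVENTS) -> List[Finding]:
    return [f for ev in events if (f := assess(ev)) is not None]
```

In a real deployment the records would come from the tenant's audit log export; the scoring thresholds are deliberately conservative so that a single low-privilege grant does not page anyone.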
Setup 365-Stealer
- Clone 365-Stealer from https://github.com/AlteredSecurity/365-Stealer

```bash
git clone https://github.com/AlteredSecurity/365-Stealer.git
```

- Save the extracted files in `C:\xampp\htdocs\` or at any location that lets us host the PHP application and run Python.
- Install the required applications: Python3, PHP CLI or Xampp server
- Install the required Python modules

```bash
pip install -r requirements.txt
```

Enable sqlite3 in apache server
- Open Xampp server, click on config of Apache and select `PHP (php.ini)`
- Search for `extension=sqlite3` and remove the `;` from the beginning, as it is otherwise treated as a comment, and then save the file. (File location: `C:\xampp\php\php.ini`)
- Start the Apache server.

Note: 365-Stealer will by default run on Port 443 (this can be changed with the `--port` flag), so we need to run the Apache server on another port. This can be done by changing the Port in Xampp server to avoid a conflict between our 365-Stealer phishing application and the Management portal. We can also use the PHP CLI command from the "./yourVictims/" directory as shown below.

```bash
php -S localhost:8000
```
Configure 365-Stealer Management portal
Modify the paths of 365-Stealer.py, the database and python3 in `C:/xampp/htdocs/yourvictims/index.php` if needed.
If our python.exe is installed in "Program Files" or some directory that contains a space in the path, then we need to use quotes as shown in the screenshot below.
Enable IP whitelisting for 365-Stealer Management portal
By default whitelisting is enabled and the portal can only be accessed from localhost. We can add a remote IP or disable whitelisting (`$enableIpWhiteList = false;`).
OPSEC Consideration
Access to the 365-Stealer Management portal shall only be allowed from the infrastructure that you own. Don't expose the 365-Stealer Management portal on the Internet.
Command Line Help
```
usage: 365-Stealer.py [-h] [--set-config] [--get-config] [--code CODE] [--token TOKEN] [--client-id CLIENT_ID]
                      [--client-secret CLIENT_SECRET] [--refresh-token REFRESH_TOKEN] [--token-path TOKEN_PATH]
                      [--refresh-all] [--refresh-user REFRESH_USER] [--redirect-url REDIRECT_URL]
                      [--database-path DATABASE_PATH] [--no-stealing] [--upload UPLOAD] [--create-rules CREATE_RULES]
                      [--send-mail SEND_MAIL] [--delete-all-data] [--delete-user-data DELETE_USER_DATA] [--run-app]
                      [--no-ssl] [--port PORT] [--disable-logs]
                      [--custom-steal {listusers,checklicence,outlook,onedrive,onenote} [{listusers,checklicence,outlook,onedrive,onenote} ...]]
                      [--delay DELAY]

optional arguments:
  -h, --help            show this help message and exit
  --set-config          Set 365-Stealer Configuration
  --get-config          Get 365-Stealer Configuration
  --code CODE           Provide Authorization Code
  --token TOKEN         Provide Access Token
  --client-id CLIENT_ID
                        Provide Application Client ID
  --client-secret CLIENT_SECRET
                        Provide Application Client Secret
  --refresh-token REFRESH_TOKEN
                        Provide Refresh Token
  --token-path TOKEN_PATH
                        Provide Access Token file path
  --refresh-all         Steal all user's data again.
  --refresh-user REFRESH_USER
                        Steal particular user's data again.(Provide EmailID)
  --redirect-url REDIRECT_URL
                        Redirect Url
  --database-path DATABASE_PATH
                        Provide Database Path
  --no-stealing         Steal only Tokens
  --upload UPLOAD       Add files in victim's OneDrive(Provide File Path)
  --create-rules CREATE_RULES
                        Provide json file containing outlook rules
  --send-mail SEND_MAIL
                        Provide json file to send email
  --delete-all-data     Delete all data from the database!
  --delete-user-data DELETE_USER_DATA
                        Delete specific user data from the database!
  --run-app             Host the Phising App
  --no-ssl              Use http(port 80)
  --port PORT           Provide custom port to Host the Phishing App
  --disable-logs        Disable all http access logs
  --custom-steal {listusers,checklicence,outlook,onedrive,onenote} [{listusers,checklicence,outlook,onedrive,onenote} ...]
                        Steal specific data
  --delay DELAY         Delay the request by specifying time in seconds while stealing
```
Blog
Bugs and Feature Requests
Please raise an issue if you encounter a bug or have a feature request.
Contributing
If you want to contribute to a project and make it better, your help is very welcome.
Credits
Thanks to 0x09AL for writing office365-attack-toolkit.