I have been currently working on Azure and Office365 to explore and learn various techniques to abuse its features. In this blog we will see how Azure app registration feature can be leveraged to phish users in the same tenant and steal their access token which will allow us to do malicious activity.
Before introducing my tool, I would like to thank 0x09AL for writing office365-attack-toolkit.
Office365 Attack Toolkit was originally written in Golang when I first started using this tool. It was a bit difficult to understand the setup since it requires many things to be installed like gcc (MinGw 64 bit), Git, and some Golang packages.
Also, there is no option where we can clear the database or save the access token for a particular user. And it doesn't create outlook rules due to some minor issue.
So, I decided to create a replica of Office365 Attack Toolkit in python to learn and improve my programming skills and I have tried to keep the setup very simple and easy.
Introducing 365-Stealer
365-Stealer is the tool written in python3 which steals data from victims office365 by using access_token which we get by phishing.
It steals outlook mails, attachments, OneDrive files, OneNote notes and injects macros.
You can find the tool here https://github.com/AlteredSecurity/365-Stealer/
Before setting up the tool let's first register an application in Azure Active Directory.
Create App registration
Registering your application establishes a trust relationship between your app and the Microsoft identity platform.
1. Register an app in Azure active directory and enable access_token and token_id in authentication.
2. Copy the clientId from overview tab and replace it with $client_id value in index.php also the $redirect_uri if its not the same as yours
Now will see how to set up this tool:
Make sure to run this tool in a Windows machine that has Microsoft Word installed.
Move all the files of the tool to its resources to C:\xampp\htdocs directory.
Run the following command in cmd pip install requests crayons
Open index.php and replace the client_id and redirect_uri with the one that we setup while registering our application on Azure. Then we are ready to use the tool.
Start the apache server from xampp and visit http://localhost/
Note - This application can also be hosted on the cloud infrastructure.
This is just a simple page we can further edit as per our needs.
As soon as a user clicks on the Read more button or any link and accepts the requested permissions, for now it will be redirected back to http://localhost but the same can be modified.
In the background our 365-Stealer will be stealing all emails, attachments, OneNote notes and files from OneDrive.
Visit http://localhost/yourVictims/ to see all the users who got hacked also you can find an access_token.txt file that contains the user's access token that will be valid for 1 hour. Access tokens are the thing that applications use to make API requests on behalf of a user. The access token represents the authorization of a specific application to access specific parts of a user's data.
To understand the features of this tool lets use it in the command line.
Firstly we need to grab that access token and run the following command.
python 365-Stealer.py -t eyJ0eXAiOiJKV1QiLCJ………
This will run like the following
Features
Note: All configuration is done in 365-Stealer.py itself
1. We need to provide extensions that we want to download from onedrive and outlook, and keywords that we want to search in the mails like 'password' and also the macros location which you want to inject in the doc file.
2. Tool is also capable of sending email from the particular victim id, we need to edit fromUser field as shown in the above screenshot. To create mails we need to edit the mail variable which is in json form as shown below in the screenshot.
3. We can create outlook rules by editing rules variable
4. Comment out any feature that we don't want to use
Posted by:
Security Researcher at AlteredSecurity