- webmaster03668
Introduction To 365-Stealer - Understanding and Executing the Illicit Consent Grant Attack
Updated: Feb 2
Illicit Consent Grant Attack
What is illicit? In simple words illegal or against the rules.
What is consent? Granting permissions.
What is Illicit Consent Grant Attack? In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to. After the application has been granted consent, it has user account-level access to the data without the need for an organizational account.
In simple words when the victim clicks on that beautiful blue button of "Accept", Azure AD sends a token to the third party site which belongs to an attacker where attacker will use the token to perform actions on behalf the victims like accessing all the Files, Read Mails, Send Mails etc.
Attack Flow
To gain better understanding about the Illicit Consent Grant attack let's assume a scenario where we have 2 fictitious organizations, named "ECorp" and "PentestCorp".
PentestCorp have got a contract to simulate a phishing attack from ECorp where the goal is to gain information about the users, extract sensitive information from the user's email, OneDrive, OneNote etc.
PentestCorp decided to perform Illicit Consent Grant attack where they can easily attract and entice users to click a link, that takes them to the legitimate Microsoft third-party apps consent page.
To perform this attack PentestCorp registered a domain with name "safedomainlogin.com" and created a subdomain "ecorp.safedomainlogin.com" where they hosted the application to capture the authorization code and then request for the access tokens.
PentestCorp then registered an Multi Tenant Application in their Azure AD Tenant and named it as "ecorp" and added the Redirect URL that points to the "ecorp.safedomainlogin.com" which host's an application to capture the authorization code.
PentestCorp also create a new client secret and added few API permissions such Mail.Read, Notes.Read.All, Files.ReadWrite.All, User.ReadBasic.All, User.Read in the application. So that once the user grant the consent to the application, PentestCorp can extract the sensitive information on behalf of the user.
PentestCorp then creates the link that contained the client id of the malicious application and shared the link with the targeted users to gain their consent.
PentestCorp receives the authorization code for the users those who granted their consent to the third-party application named "ecorp". PentestCorp then requested for access token by using authorization code and used the access tokens to extract all the information using GraphAPI.
To reduce the overhead of performing manual task of extracting data we can use 365-Stealer tool and follow the steps mentioned in the below section to configure and leverage 365-Stealer for performing Illicit Consent Grant Attack.
365-Stealer
365-Stealer is a tool written in Python3 which can be used in illicit consent grant attacks. When the victim grant his consent we get their Refresh Token which can be used to request multiple Tokens that can help us in accessing data like Mails, Notes, Files from OneDrive etc. Doing this manually will take a lot of time so this tool helps in automating the process.
What's special about this tool?
Well we can use this tool to perform illicit consent grant attack to steal tokens of the users and leverage the tokens to perform post exploitation attacks in real life and also customize the tool as per our needs.
Features
Steals Refresh Token which can be used to grant new Access Tokens for at least 90 days.
Can send mails with attachments from the victim user to another user.
Creates Outlook Rules like forwarding any mail that the victim receives.
Upload any file in victims OneDrive.
Steal's files from OneDrive, OneNote and dump all the Mails including the attachments.
365-Stealer Management portal allows us to manage all the data of the victims.
Can backdoor .docx file located in OneDrive by injecting macros and replace the file extension with .doc.
All the data like Refresh Token, Mails, Files, Attachments, list of all the users in the victim's tenant and our Configuration are stored in database.
Delay the request by specifying time in seconds while stealing the data
Tool also helps in hosting the dummy application for performing illicit consent grant attack by using --run-app in the terminal or by using 365-Stealer Management.
By using --no-stealing flag 365-Stealer will only steal token's that can be leverage to steal data.
We can also request New Access Tokens for all the user’s or for specific user.
We can easily get a new access token using --refresh-token, --client-id, --client-secret flag.
Configuration can be done from 365-Stealer CLI or Management portal.
The 365-Stealer CLI gives an option to use it in our own way and set up our own Phishing pages.
Allow us to steal particular data eg, OneDrive, Outlook etc. by passing a --custom-steal flag.
All the stolen data are saved in database.db file which we can share with our team to leverage the existing data, tokens etc.
We can search emails with specific keyword, subject, user's email address or by filtering the emails containing attachments from the 365-Stealer Management portal.
We can dump the user info from the target tenant and export the same to CSV.
Setup Attacking Environment (365-Stealer)
Register Application
Follow the below mentioned steps to register an application in Azure
1. Login to https://portal.azure.com
2. Navigate to Azure Active Directory
3. Click on App registrations
3. Click New registration
4. Enter the Name for our application (The same name will be displayed to the victim while granting consent)
5. Under support account types select "Accounts in any organizational directory (Any Azure AD directory - Multitenant)"
6. Enter the Redirect URL. This URL should be pointed towards our 365-Stealer application that we will host for hosting our phishing page. Make sure the endpoint is https://<DOMAIN/IP>:<PORT>/login/authorized.
7. Click Register
