
mdsecactivebreach / o365-attack-toolkit

A toolkit to attack Office365


Top Related Projects

AADInternals PowerShell module for administering Azure AD and Office 365

Quick Overview

The o365-attack-toolkit is a collection of tools and scripts designed for penetration testing and security assessment of Microsoft Office 365 environments. It provides various functionalities to simulate and test different attack vectors against O365, helping security professionals identify potential vulnerabilities and improve their organization's security posture.

Pros

  • Comprehensive set of tools for testing O365 security
  • Regularly updated to keep pace with evolving O365 security features
  • Helps organizations identify and address potential vulnerabilities
  • Supports both red team and blue team activities

Cons

  • Requires careful handling to avoid unintended consequences in production environments
  • May require frequent updates as Microsoft changes O365 security features
  • Could potentially be misused by malicious actors if not properly secured
  • Limited documentation for some advanced features

Code Examples

# Example 1: Authenticating to Office 365
from O365 import Account

credentials = ('client_id', 'client_secret')
account = Account(credentials)
if account.authenticate(scopes=['basic', 'message_all']):
    print('Authenticated successfully')

# Example 2: Enumerating users
from o365_attack_toolkit import UserEnumerator

enumerator = UserEnumerator(tenant_id='your_tenant_id')
valid_users = enumerator.enumerate_users(['user1@domain.com', 'user2@domain.com'])
print(f"Valid users: {valid_users}")

# Example 3: Performing password spraying
from o365_attack_toolkit import PasswordSprayer

sprayer = PasswordSprayer(tenant_id='your_tenant_id')
results = sprayer.spray_passwords(['user1@domain.com', 'user2@domain.com'], 'Password123!')
print(f"Successful logins: {results['successful']}")

Getting Started

To get started with the o365-attack-toolkit:

  1. Clone the repository:

    git clone https://github.com/mdsecactivebreach/o365-attack-toolkit.git
    
  2. Install dependencies:

    pip install -r requirements.txt
    
  3. Configure your Azure AD application:

    • Register a new application in Azure AD
    • Grant necessary permissions
    • Note down the client ID and client secret
  4. Update the configuration file with your Azure AD details:

    cp config.example.json config.json
    # Edit config.json with your Azure AD application details
    
  5. Run the desired tool:

    python tool_name.py
    

Remember to use this toolkit responsibly and only on systems you have permission to test.

Competitor Comparisons

AADInternals PowerShell module for administering Azure AD and Office 365

Pros of AADInternals

  • More comprehensive toolkit for Azure AD and Office 365 management and security testing
  • Regularly updated with new features and improvements
  • Supports a wider range of Azure AD and Office 365 related tasks

Cons of AADInternals

  • Steeper learning curve due to more complex functionality
  • Requires PowerShell knowledge to use effectively
  • May be overkill for simpler Office 365 security assessments

Code Comparison

AADInternals:

# Get Azure AD access token
$AccessToken = Get-AADIntAccessTokenForAADGraph -Resource "https://graph.windows.net"

# Get user information
Get-AADIntUser -AccessToken $AccessToken -UserPrincipalName "user@domain.com"

o365-attack-toolkit:

# Authenticate and get access token
access_token = get_access_token(username, password)

# Get user information
user_info = get_user_info(access_token, user_principal_name)

Both tools provide functionality for Azure AD and Office 365 security testing, but AADInternals offers a more extensive set of features and is PowerShell-based, while o365-attack-toolkit is Python-based and focuses on specific attack scenarios. AADInternals is better suited for in-depth Azure AD management and security testing, while o365-attack-toolkit may be more accessible for quick, targeted assessments.


README

What is o365-attack-toolkit

o365-attack-toolkit allows operators to perform OAuth phishing attacks.

We decided to move from the old model of static definitions to a fully "interactive" model that works with the account in real time.

Some of the changes

  • Interactive E-mail Search - Allows you to search for user e-mails as you would with full access to the mailbox.
  • Send e-mails - Allows you to send HTML/TEXT e-mails with attachments from the user mailbox.
  • Interactive File Search and Download - Allows you to search for files using specific keywords and download them offline.
  • File Replacement - Implemented as a replacement for the macro backdooring functionality.

Architecture

The toolkit consists of several components:

Phishing endpoint

The phishing endpoint is responsible for serving the HTML file that performs the OAuth token phishing.

Backend services

The phished token is then used by the backend services to perform the defined attacks.

Management interface

The management interface can be utilized to inspect the extracted information from the Microsoft Graph API.

Features

Interactive E-mail Search

User e-mails can be accessed by searching for specific keywords using the management interface. The old feature of downloading keyworded e-mails has been discontinued.

Send E-mails

The new version of this tool allows you to send HTML/TXT e-mails, including attachments, to a specific e-mail address from the compromised user. This feature is extremely useful, as a spear-phishing e-mail sent from the user's own mailbox is more believable.

File Search

Microsoft Graph API can be used to access files across OneDrive, OneDrive for Business and SharePoint document libraries. User files can be searched and downloaded interactively using the management interface. The old feature of downloading keyworded files has been discontinued.

Document Replacing

User documents hosted on OneDrive/SharePoint can be modified by using the Graph API. In the initial version of this toolkit, the last 10 files would be backdoored with a pre-defined macro. This was risky during Red Team operations, hence the limited usage. For this reason, we implemented a manual file replacement feature to have more control over the attack.

How to set up

Compile

cd %GOPATH%
git clone https://github.com/mdsecactivebreach/o365-attack-toolkit
cd o365-attack-toolkit
dep ensure
go build

Configuration

An example configuration is shown below:

[server]
host = 127.0.0.1
externalport = 30662
internalport = 8080


[oauth]
clientid = [REDACTED]
clientsecret = [REDACTED]
scope = "offline_access contacts.read user.read mail.read mail.send files.readWrite.all files.read files.read.all openid profile"
redirecturi = "http://localhost:30662/gettoken"
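The scope line in the configuration above is the delegated-permission set a user hands to the phishing application when they consent. As an added example (not part of the toolkit), the following script scores consent grants by those scopes over constructed audit records, the kind of check a defender would run over "Consent to application" events; the record field names are an assumption, not a real log schema.

```python
"""Flag OAuth consent grants whose delegated scopes match the profile in
the toolkit's example config (added example, not toolkit code). Audit
records below are constructed; field names are an assumed schema."""
import json

# Scopes from the example config that a defender treats as high impact
# when granted to an unfamiliar application.
HIGH_IMPACT = {
    "mail.send": "send mail as the user",
    "mail.read": "read the user's mailbox",
    "files.readwrite.all": "modify files in OneDrive/SharePoint",
    "files.read.all": "read all files the user can access",
    "offline_access": "refresh token, access persists after logout",
}

def parse_scope(scope_field: str) -> set[str]:
    """Normalise a space-separated scope string to lowercase entries."""
    return {s.lower() for s in scope_field.strip().strip('"').split()}

def assess_consent(record: dict) -> dict:
    """Return the high-impact scopes in a consent record and a verdict."""
    scopes = parse_scope(record.get("consented_scopes", ""))
    hits = sorted(scopes & set(HIGH_IMPACT))
    # Persistence (offline_access) combined with send or write capability
    # is the combination worth an alert; other hits go to manual review.
    critical = "offline_access" in hits and any(
        s in hits for s in ("mail.send", "files.readwrite.all"))
    return {
        "app": record.get("app_display_name"),
        "user": record.get("user_principal_name"),
        "high_impact": hits,
        "verdict": "alert" if critical else ("review" if hits else "ok"),
    }

# Constructed sample records (JSON lines), not real tenant data.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"app_display_name": "Expense Helper", "user_principal_name": "alice@example.com",
     "consented_scopes": "offline_access contacts.read user.read mail.read mail.send "
                         "files.readWrite.all files.read files.read.all openid profile"},
    {"app_display_name": "Calendar Widget", "user_principal_name": "bob@example.com",
     "consented_scopes": "user.read calendars.read openid profile"},
    {"app_display_name": "Mail Viewer", "user_principal_name": "carol@example.com",
     "consented_scopes": "user.read mail.read openid"},
])

def scan(log_text: str) -> list[dict]:
    """Assess every non-empty JSON-lines consent record in log_text."""
    return [assess_consent(json.loads(ln)) for ln in log_text.splitlines() if ln.strip()]

if __name__ == "__main__":
    for result in scan(SAMPLE_LOG):
        print(result)
```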

Deployment

Before you start using this toolkit you need to create an application in the Azure Portal. Go to Azure Active Directory -> App Registrations -> Register an application.

After creating the application, copy the Application ID into the configuration file.

You need to create a client secret which can be done as shown on the following image:

Update the client secret in the configuration file.

Management Interface

The management interface allows the operator to interact with the compromised users.

Users View

Search User E-mails

View E-mail

Send E-mail

Search Files

Replace File