Some scripts to utilise device code authorization for phishing.

Related tags

Authenticationdevicecode_phishing
Overview

OAuth Device Code Authorization Phishing

Some scripts to utilise device code authorization for phishing.

High level overview as per the instructions as: https://o365blog.com/post/phishing/

  1. An attacker connects to /devicecode endpoint and sends client_id and resource
  2. After receiving verification_uri and user_code, create an email containing a link to verification_uri and user_code, and send it to the victim. (delivering the phishing email is not in scope for this project)
  3. Victim clicks the link, provides the code and completes the sign in.
  4. The attacker receives access_token and refresh_token and can now mimic the victim (Interact with the various Microsoft API endpoints to perform various tasks).

Some of the API endpoints include:

Note: Uses version 1.0 which is different to v2.0 flow used in the documentation.

The official Microsoft Device Code Authorization Flow documentation can be found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code

devicecode_phish.py

This script will first request the initial user_code from the Azure AD devicecode endpoint. Next, it will start polling Microsoft token endpoint (login.microsoftonline.com/Common/oauth2/token?api-version=1.0) for the authentication status using the interval value returned by the initial request (default every 5 seconds).

The script takes the following arguments:

Argument Default Value Required or Optional
-r or --resource graph.microsoft.com Optional
-c or --client_id d3590ed6-52b3-4102-aeff-aad2292ab01c Optional

Example:

python3 devicecode_phish.py
[*] User code: PF2PSG7LW
[*] User code expires at: 2021-10-21 15:03:00.206630
[*] Polling Microsoft for user authentication...
[*] Status: authorization_pending at 14:48:00

The attacker will need to send the verification_uri (https://microsoft.com/devicelogin) URI to the victim. This is the URI the user should go to with the user_code (PF2PSG7LW from the above example) in order to sign in.

Note: If the user authenticates with a personal account (on /common or /consumers), they will be asked to sign in again in order to transfer authentication state to the device. They will also be asked to provide consent, to ensure they are aware of the permissions being granted. This does not apply to work or school accounts used to authenticate.

refresh_tokens.py

This script is used to request new access & refresh tokens for different resources (Microsoft API endpoints).

Argument Default Value Required or Optional
-t or --refreshtoken - Required
-r or --resource - Required
-s or --scope openid Optional
-c or --client_id d3590ed6-52b3-4102-aeff-aad2292ab01c Optional

fetch_emails.py

Dump victims emails to file using an access token (must be valid for https://graph.microsoft.com resource).

Owner
Daniel Underhay
Daniel Underhay
GitHub Repository
Phishing Abusing Microsoft 365 OAuth Authorization Flow

Microsoft365_devicePhish Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack This is a simple proof-of-concept script that allows an at

bigb0ss 11 Dec 11, 2022
A simple username/password database authentication solution for Streamlit

TL;DR: This is a simple username/password login authentication solution using a backing database. Both SQLite and Airtable are supported.

Arvindra 49 Nov 25, 2022
Get inside your stronghold and make all your Django views default login_required

Stronghold Get inside your stronghold and make all your Django views default login_required Stronghold is a very small and easy to use django app that

Mike Grouchy 384 Nov 23, 2022
🔐 Login & Register System

🔐 Login & Register System This is a developable login and register system. Enter your username and password to register or login to account. Automati

Firdevs Akbayır 10 Dec 12, 2022
Easy and secure implementation of Azure AD for your FastAPI APIs 🔒 Single- and multi-tenant support.

Easy and secure implementation of Azure AD for your FastAPI APIs 🔒 Single- and multi-tenant support.

Intility 220 Jan 05, 2023
AddressBookApp - Address Book App in Django

AddressBookApp Application Name Address Book App in Django, 2022 Technologies La

Joshua K 1 Aug 18, 2022
Crie seus tokens de autenticação com o AScrypt.

AScrypt tokens O AScrypt é uma forma de gerar tokens de autenticação para sua aplicação de forma rápida e segura. Todos os tokens que foram, mesmo que

Jaedson Silva 0 Jun 24, 2022
Skit-auth - Authorization for skit.ai's platform

skit-auth This is a simple authentication library for Skit's platform. Provides

Skit 3 Jan 08, 2022
Ready-to-use and customizable users management for FastAPI

FastAPI Users Ready-to-use and customizable users management for FastAPI Documentation: https://frankie567.github.io/fastapi-users/ Source Code: https

François Voron 2.4k Jan 04, 2023
Per object permissions for Django

django-guardian django-guardian is an implementation of per object permissions [1] on top of Django's authorization backend Documentation Online docum

3.3k Jan 01, 2023
OAuthlib support for Python-Requests!

Requests-OAuthlib This project provides first-class OAuth library support for Requests. The OAuth 1 workflow OAuth 1 can seem overly complicated and i

1.6k Dec 28, 2022
API-key based security utilities for FastAPI, focused on simplicity of use

FastAPI simple security API key based security package for FastAPI, focused on simplicity of use: Full functionality out of the box, no configuration

Tolki 154 Jan 03, 2023
This is a Python library for accessing resources protected by OAuth 2.0.

This is a client library for accessing resources protected by OAuth 2.0. Note: oauth2client is now deprecated. No more features will be added to the l

Google APIs 787 Dec 13, 2022
Object Moderation Layer

django-oml Welcome to the documentation for django-oml! OML means Object Moderation Layer, the idea is to have a mixin model that allows you to modera

Angel Velásquez 12 Aug 22, 2019
Includes Automation and Personal Projects

Python Models, and Connect Forclient & OpenCv projects Completed Automation** Alarm (S

tushar malhan 1 Jan 15, 2022
A JOSE implementation in Python

python-jose A JOSE implementation in Python Docs are available on ReadTheDocs. The JavaScript Object Signing and Encryption (JOSE) technologies - JSON

Michael Davis 1.2k Dec 28, 2022
This script will pull and analyze syscalls in given application(s) allowing for easier security research purposes

SyscallExtractorAnalyzer This script will pull and analyze syscalls in given application(s) allowing for easier security research purposes Goals Teach

Truvis Thornton 18 Jul 09, 2022
MikroTik Authentication POCs

Proofs of concept which successfully authenticate with MikroTik Winbox and MAC Telnet servers running on RouterOS version 6.45.1+

Margin Research 56 Dec 08, 2022
Python module for generating and verifying JSON Web Tokens

python-jwt Module for generating and verifying JSON Web Tokens. Note: From version 2.0.1 the namespace has changed from jwt to python_jwt, in order to

David Halls 210 Dec 24, 2022
A flask extension for managing permissions and scopes

Flask-Pundit A simple flask extension to organize resource authorization and scoping. This extension is heavily inspired by the ruby Pundit library. I

Anurag Chaudhury 49 Dec 23, 2022