  • Stars: 250
  • Rank: 162,397 (Top 4%)
  • Language: CSS
  • License: BSD 2-Clause "Sim...
  • Created: over 2 years ago
  • Updated: over 2 years ago


Repository Details

A quick, handy script to harvest credentials from a user during a Red Team engagement and get the user to execute a file

O365-Doppelganger

O365-Doppelganger is NOT a replacement for hardcore phishing activities. There are several other tools which perform OAuth and OTA capture, which is not the aim of O365-Doppelganger.

O365-Doppelganger is a quick, handy script to harvest the credentials of a user during Red Team engagements. This repository is a quick hack of one of my old red team engagement scripts, which I've used several times to capture credentials and use them to create Windows access tokens for lateral movement. This code repository performs the following tasks:

  • The Go code:
    • hosts the O365 portal (the page can be replaced with anything in index.html). It is recommended to use a valid certificate and key file (LetsEncrypt?) instead of the ones provided in the directory
    • logs all user activity on the web portal in a separate log file on the server
    • logs the captured credentials in a separate log file on the server
    • can also return a valid file to the user after capturing the credentials. This is done by replacing the file named MacroFile.doc in the current directory with an HTA/ISO/MSI or anything else that the phisher wants. There is also a small piece of the Go code which needs to be modified to specify the name of the file to be returned: content, err := ioutil.ReadFile("MacroFile.doc")
    • Once modified, when the target user enters a valid email ID and password, they will be asked to save the above file. The file name presented to the user can be changed with the following line in the Go file: response.Header().Set("Content-Disposition", "attachment; filename=Darkvortex Privacy Policy.doc")
  • The index.html code:
    • renders an O365 portal alongside a small regex which checks for a given user's domain name to make it look a bit more legitimate. The regex looks like this: pattern="^([a-zA-Z0-9_\-\.]+)@darkvortex\.([a-zA-Z]{2,5})$" title=" Valid darkvortex email ID"
    • The above regex checks whether the given username is a full, valid email address; otherwise it prompts the user to enter a correct username, as follows:
    • The same check is also performed in the Go code so that users cannot use something like Burp to bypass the client-side check: if strings.Contains(value[i], "@darkvortex") {
  • It is recommended to change the name darkvortex in the index.html file to your own target company name.
  • Once the correct email ID and password are entered, the user will be asked to save the provided file as follows:

More Repositories

1. CarbonCopy (Python, 1,284 stars): A tool which creates a spoofed certificate of any online website and signs an executable for AV evasion. Works for both Windows and Linux.
2. Pandoras-Box (C++, 345 stars): This repo contains my custom scripts for Penetration Testing and Red Team Assessments. I will keep on updating this repo as and when I get time.
3. Brute-Ratel-C4-Community-Kit (C, 253 stars): This repository contains scripts, configurations and deprecated payload loaders for Brute Ratel C4 (https://bruteratel.com/).
4. Process-Instrumentation-Syscall-Hook (C, 245 stars): A simple program to hook the current process to identify manual syscall executions on Windows.
5. Boomerang (Go, 217 stars): Boomerang is a tool to expose multiple internal servers to web/cloud. Agent & Server are pretty stable and can be used in Red Team engagements for multiple levels of pivoting and exposing multiple internal services to external/other networks.
6. 0xdarkvortex-MalwareDevelopment (C++, 187 stars): This repo will contain code snippets for the blog series Malware on Steroids written by me at https://scriptdotsh.com/index.php/category/malware-development/
7. Proxy-DLL-Loads (C, 160 stars): The code is a pingback to the Dark Vortex blog:
8. Proxy-Function-Calls-For-ETwTI (C, 156 stars): The code is a pingback to the Dark Vortex blog: https://0xdarkvortex.dev/hiding-memory-allocations-from-mdatp-etwti-stack-tracing/
9. PIC-Get-Privileges (C, 150 stars): Building and Executing Position Independent Shellcode from Object Files in Memory.
10. Botnet-blogpost (C++, 88 stars): This repo contains the code that was mentioned in the blog posts written by me at:
11. Cobaltstrike-Detection (C, 83 stars): This repo will contain the core detection, only for Cobaltstrike's leaked versions. Non-leaked version detections won't be shared.
12. Threat-Hunting (Shell, 56 stars): This repo is dedicated to all my tricks, tweaks and modules for testing and hunting threats. It contains multiple directories which are, in their own right, different modules required for threat hunting. It will be updated as and when new changes are made.
13. alpha-stage-scripts (Shell, 47 stars): Repo contains a list of random scripts that I use while testing out random things.
14. Brute-Ratel-External-C2-Specification (C, 46 stars): This repository provides the core to build your own External C2 Server and Connector for Brute Ratel C4.
15. 0xdarkvortex-Reverse-Engineering (C++, 46 stars): This repo contains all the code that will be referred to at https://scriptdotsh.com by Paranoid Ninja.
16. DotNetTracer (C, 29 stars): C code to enable ETW tracing for Dotnet Assemblies.
17. Shuriken (C, 26 stars): Offensive Android Kernel on Steroids. Shuriken is an Android kernel for Oneplus 5/5T which supports multiple features for pentesting.
18. piBorg (Shell, 21 stars): This is a shell script to set up NTLM hash sniffing using the Raspberry Pi Zero. This tool can be used during Red Team assessments by attaching it to a switch and creating a WPAD proxy server.
19. SheltreX (Python, 21 stars): A botnet builder built on Elasticsearch and Kibana with the help of C++ and Python3.
20. Chroot-Jail (Shell, 18 stars): This shell script can create a chrooted environment along with an SSH jail for the same. This can be used either for a single-user jail or to create a chroot-jailed group.
21. BRC4-Seminar-Stage-I (C, 18 stars): These are the slide decks and source code for the Brute Ratel Seminar conducted on 24th August 2023. The YouTube video for the seminar can be found here:
22. ATtiny85-RubberDucky-Sketches (C++, 17 stars): This repo contains C-programmed sketches for the custom rubber ducky built using the ATtiny85 microchip. Blogs on setting up the environment can be found here:
23. 0xdarkvortex-red-team-ttps-part-2 (C, 17 stars): Code for the blog written at 0xdarkvortex.dev, Red Team TTPs Part 2.