Skip to main content

Initial Access and Post-Exploitation Tool for AAD and O365 with a browser-based GUI

Project description

PyPi Version Python Version Twitter

GraphSpy

   ________                             _________
  /       /  by RedByte1337    __      /        /           
 /  _____/___________  ______ |  |__  /   _____/_____ ______
/   \  __\_  __ \__  \ \____ \|  |  \ \_____  \\____ \   |  |
\    \_\  \  | \/  __ \|  |_> |   \  \/        \  |_> \___  |
 \______  /__|  |____  |   __/|___|  /_______  /   ___/ ____|
        \/           \/|__|        \/        \/|__|   \/

Table of Contents

Quick Start

Installation

The following goes over the recommended installation process using pipx to avoid any dependency conflicts.

GraphSpy is built to work on every operating system, although it was mainly tested on Linux and Windows.

For other installation options and detailed instructions, check the Installation page on the wiki.

# Install pipx (skip this if you already have it)
apt install pipx
pipx ensurepath

# Install the latest version of GraphSpy from pypi
pipx install graphspy

Execution

After installation, the application can be launched using the graphspy command from any location on the system.

Running GraphSpy without any command line arguments will launch GraphSpy and make it available at http://127.0.0.1:5000 by default.

graphspy

Now simply open http://127.0.0.1:5000 in your favorite browser to get started!

Use the -i and -p arguments to modify the interface and port to listen on.

# Run GraphSpy on http://192.168.0.10
graphspy -i 192.168.0.10 -p 80
# Run GraphSpy on port 8080 on all interfaces
graphspy -i 0.0.0.0 -p 8080

For detailed instructions and other command line arguments, please refer to the Execution page on the wiki.

Usage

Please refer to the GitHub Wiki for full usage details.

For a quick feature overview, check out the official release blog post.

Features

Access and Refresh Tokens

Store your access and refresh tokens for multiple users and scopes in one location.

Access Tokens

Refresh Tokens

Easily switch between them or request new access tokens from any page.

Token Side Bar

Device Codes

Easily create and poll multiple device codes at once. If a user used the device code to authenticate, GraphSpy will automatically store the access and refresh token in its database.

Device Codes

MFA Methods

View, modify and create MFA methods linked to the account of the user.

MFA Methods Overview

The following MFA methods can be added from GraphSpy to set up persistance:

  • Microsoft Authenticator App
  • Custom OTP App, or use GraphSpy as OTP app to generate TOTP codes on the fly!
  • FIDO Security Keys!
  • Alternative email address
  • Mobile/Office/Alternative Phones (SMS or call)

MFA Methods FIDO

Files and SharePoint

Browse through files and folders in the user's OneDrive or any accessible SharePoint site through an intuitive file explorer interface.

Of course, files can also be directly downloaded, or new files can be uploaded.

OneDrive

Additionally, list the user's recently accessed files or files shared with the user.

Recent Files

Outlook

Open the user's Outlook with a single click using just an Outlook access token (FOCI)!

Outlook GraphSpy

Outlook

MS Teams

Read and send messages using the Microsoft Teams module with a FOCI access token of the skype API (https://api.spaces.skype.com/).

MS Teams GraphSpy

Graph Searching

Search for keywords through all Microsoft 365 applications using the Microsoft Search API.

For instance, use this to search for any files or emails containing keywords such as "password", "secret", ...

Graph Search

Custom Requests

Perform custom API requests towards any endpoint using access tokens stored in GraphSpy.

Custom Request

Custom request templates with variables can be stored in the database to allow easy reuse of common custom API requests.

Custom Request

Multiple Databases

GraphSpy supports multiple databases. This is useful when working on multiple assessments at once to keep your tokens and device codes organized.

Graph Request

Dark Mode

Use the dark mode by default, or switch to light mode.

Release Notes

Refer to the Release Notes page on the GitHub Wiki

Upcoming Features

  • Rename files and create folders
  • More authentication options
    • Password, ESTSAuth Cookie, PRT, ...
  • Automatic Access Token Refreshing
  • Improve Microsoft Teams Module
    • Download authenticated files
    • Upload files and images
  • Entra ID
    • List Users, Groups, Applications, Devices, Conditional Access Policies, ...
  • Cleaner exception handling
    • While this should not have any direct impact on the user, edge cases might currently throw exceptions to the GraphSpy output instead of handling them in a cleaner way.

Credits

The main motivation for creating GraphSpy was the lack of an easy to use way to perform post-compromise activities targetting Office365 applications (such as Outlook, Microsoft Teams, OneDrive, SharePoint, ...) with just an access token.

While several command-line tools existed which provided some basic functionality, none of them came close to the intuitive interactive experience which the original applications provide (such as the file explorer-like interface of OneDrive and SharePoint).

However, a lot of previous research was done by countless other persons (specifically regarding Device Code Phishing, which lead to the initial requirement for such a tool in the first place).

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

GraphSpy-1.3.0.tar.gz (72.0 kB view details)

Uploaded Source

File details

Details for the file GraphSpy-1.3.0.tar.gz.

File metadata

  • Download URL: GraphSpy-1.3.0.tar.gz
  • Upload date:
  • Size: 72.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.6

File hashes

Hashes for GraphSpy-1.3.0.tar.gz
Algorithm Hash digest
SHA256 83ab7f50d40afbfa07495af10e4f856cba1b7a7765d13f3bc6a4b5f64f5d00f3
MD5 694106848dc4ec1d3ae95d5208a5b3e8
BLAKE2b-256 81d28fc59021af6309b297319ad5ab7d1fe83f10af41391e31f829559545862a

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page