Stars: 278
Forks: 73
Pull Requests: 1
Issues: 6
Watchers: 12
Last Updated: 2023-06-15 19:56:12
365-Stealer is a phishing simulation tool written in Python3. It can be used to execute an Illicit Consent Grant Attack.
License: Other
Languages: Python, CSS, JavaScript, PHP, HTML
365-Stealer is a tool written in Python3 which can be used in illicit consent grant attacks. When the victim grants consent we get their Refresh Token, which can be used to request multiple tokens that help in accessing data like mails, notes, files from OneDrive, etc. Doing this manually takes a lot of time, so this tool automates the process.
365-Stealer comes with 2 interfaces: the command line (365-Stealer.py) and the 365-Stealer Management portal.
In an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to. After the application has been granted consent, it has user account-level access to the data without the need for an organizational account.
In simple words, when the victim clicks that beautiful blue "Accept" button, Azure AD sends a token to the attacker's third-party site, where the attacker uses the token to perform actions on behalf of the victim, like accessing all files, reading mails, sending mails, etc.
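From the defender's side, the consent itself leaves a trace: every grant is written to the Azure AD audit log as a "Consent to application" event. The following is an added example, not part of 365-Stealer or its repository, that triages such events and flags end-user consents to apps requesting the broad delegated scopes this attack relies on (mail, files, notes, mailbox rules, offline_access). The event layout is an approximation of the Azure AD audit log export, and the sample events, app names and GUIDs are constructed.

```python
"""Triage Azure AD audit-log "Consent to application" events.

Added example, not part of 365-Stealer. The event layout below approximates the
Azure AD audit log export (activityDisplayName, initiatedBy, targetResources with
modifiedProperties); all sample events, app names and GUIDs are constructed.
"""
import json
import re
from typing import Iterable, Optional

# Delegated Microsoft Graph scopes that give a consented app the reach the attack
# above relies on: mailbox, OneDrive files, OneNote notes, mailbox rules, and a
# long-lived refresh token (offline_access).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Notes.Read", "Notes.Read.All", "Notes.ReadWrite.All",
    "Contacts.Read", "User.Read.All", "Directory.Read.All", "offline_access",
}

# The ConsentAction.Permissions property carries a text blob ending in
# "... Scope: <space-separated scopes>]]"; capture up to the next ']' or ','.
SCOPE_RE = re.compile(r"Scope:\s*([^\],]*)")


def _unquote(value):
    """newValue fields are JSON-encoded strings (e.g. '"False"'); decode them."""
    if isinstance(value, str) and value.startswith('"'):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return value.strip('"')
    return value


def _modified_properties(event: dict) -> dict:
    """Flatten all targetResources[].modifiedProperties into one name -> newValue map."""
    props = {}
    for target in event.get("targetResources", []):
        for mp in target.get("modifiedProperties", []):
            props[mp.get("displayName")] = _unquote(mp.get("newValue"))
    return props


def scopes_from_consent(event: dict) -> set:
    """Return the set of delegated scopes granted by a consent event."""
    blob = _modified_properties(event).get("ConsentAction.Permissions") or ""
    match = SCOPE_RE.search(blob)
    return set(match.group(1).split()) if match else set()


def triage_consent(event: dict) -> Optional[dict]:
    """Classify one audit event; returns None for events that are not consents."""
    if event.get("activityDisplayName") != "Consent to application":
        return None
    props = _modified_properties(event)
    risky = sorted(scopes_from_consent(event) & HIGH_RISK_SCOPES)
    user = (event.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName", "unknown")
    targets = event.get("targetResources", [])
    app = targets[0].get("displayName", "unknown") if targets else "unknown"
    admin_consent = str(props.get("ConsentContext.IsAdminConsent", "")).lower() == "true"
    if not risky:
        severity = "low"
    elif admin_consent:
        severity = "medium"   # broad scopes, but granted by an admin: confirm it was intended
    else:
        severity = "high"     # an end user consenting to broad data scopes is the illicit-grant pattern
    return {"user": user, "app": app, "risky_scopes": risky,
            "admin_consent": admin_consent, "severity": severity}


def triage_all(events: Iterable[dict]) -> list:
    """Triage a batch of audit events, keeping only consent findings."""
    return [f for f in (triage_consent(e) for e in events) if f is not None]


def _consent_event(user, app, client_id, scopes, admin="False"):
    """Build a constructed audit event in the approximate export layout."""
    permissions = (f"[] => [[Id: 11111111-1111-1111-1111-111111111111, ClientId: {client_id}, "
                   f"ConsentType: Principal, Scope: {scopes}]]")
    return {
        "activityDisplayName": "Consent to application",
        "category": "ApplicationManagement",
        "initiatedBy": {"user": {"userPrincipalName": user}},
        "targetResources": [{
            "displayName": app,
            "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": json.dumps(admin)},
                {"displayName": "ConsentAction.Permissions", "newValue": json.dumps(permissions)},
            ],
        }],
    }


# Constructed sample: one suspicious end-user consent, one benign consent, one unrelated event.
SAMPLE_EVENTS = [
    _consent_event("alice@example.com", "Mail Sync Helper",
                   "22222222-2222-2222-2222-222222222222",
                   "openid profile offline_access Mail.Read Files.Read.All Notes.Read.All"),
    _consent_event("bob@example.com", "Expense Viewer",
                   "33333333-3333-3333-3333-333333333333",
                   "openid profile User.Read"),
    {"activityDisplayName": "Add service principal", "category": "ApplicationManagement",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}}, "targetResources": []},
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(f"[{finding['severity'].upper()}] {finding['user']} consented to "
              f"{finding['app']!r}; risky scopes: {', '.join(finding['risky_scopes']) or 'none'}")
```

The severity split is deliberate: an end user granting mail, file and notes access plus offline_access to an unfamiliar multi-tenant app is exactly the pattern described above and is rated high, while the same scopes granted through admin consent still deserve a look but are rated medium. In a real pipeline the same triage would be run over the exported audit log or a SIEM feed rather than the constructed events here.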
Run 365-Stealer with --run-app in the terminal or by using 365-Stealer Management.
With the --no-stealing flag 365-Stealer will only steal tokens that can be leveraged to steal data.
--refresh-token, --client-id, --client-secret flags.
--custom-steal flag.
Follow the below mentioned steps to register an application in Azure:
1. Go to https://portal.azure.com
2. Open Azure Active Directory
3. Go to App registrations
4. Click New registration
5. Under supported account types, select "Accounts in any organizational directory (Any Azure AD directory - Multitenant)"
6. Set the redirect URI to https://<DOMAIN/IP>:<PORT>/login/authorized
7. Click Register
8. Go to Certificates & secrets
9. Click New client secret, then enter the Description and click on Add
10. Go to API permissions
11. Click Add a permission
12. Select Microsoft Graph
13. Select Delegated permissions
git clone https://github.com/AlteredSecurity/365-Stealer.git
Save the extracted files in C:\xampp\htdocs\ or at any location from which we can host the PHP application and run Python.
Install the required applications: Python3, and PHP CLI or Xampp server.
pip install -r requirements.txt
PHP (php.ini): find the line
extension=sqlite3
and remove the ; from the beginning, as it is treated as a comment, then save the file. (File location: C:\xampp\php\php.ini)
Note: 365-Stealer will by default run on Port 443 (this can be changed by using the --port flag), so we need to run the Apache server on another port. This can be done by changing the port in the Xampp server to avoid a conflict between our 365-Stealer phishing application and the Management portal. We can also use the PHP CLI command from the "./yourVictims/" directory as mentioned below.
php -S localhost:8000
Modify the path of 365-Stealer.py, database and python3 in C:/xampp/htdocs/yourvictims/index.php if needed.
If our python.exe is installed in "Program Files" or some other directory whose path contains a space, then we need to wrap the path in quotes, as shown in the screenshot below.
By default IP whitelisting is enabled and the portal can only be accessed from localhost. We can add a remote IP or disable whitelisting ($enableIpWhiteList = false;).
Access to the 365-Stealer Management portal shall only be allowed from the infrastructure that you own. Don't expose the 365-Stealer Management portal on the Internet.
usage: 365-Stealer.py [-h] [--set-config] [--get-config] [--code CODE] [--token TOKEN] [--client-id CLIENT_ID]
                      [--client-secret CLIENT_SECRET] [--refresh-token REFRESH_TOKEN] [--token-path TOKEN_PATH]
                      [--refresh-all] [--refresh-user REFRESH_USER] [--redirect-url REDIRECT_URL]
                      [--database-path DATABASE_PATH] [--no-stealing] [--upload UPLOAD] [--create-rules CREATE_RULES]
                      [--send-mail SEND_MAIL] [--delete-all-data] [--delete-user-data DELETE_USER_DATA] [--run-app]
                      [--no-ssl] [--port PORT] [--disable-logs]
                      [--custom-steal {listusers,checklicence,outlook,onedrive,onenote} [{listusers,checklicence,outlook,onedrive,onenote} ...]]
                      [--delay DELAY]

optional arguments:
  -h, --help            show this help message and exit
  --set-config          Set 365-Stealer Configuration
  --get-config          Get 365-Stealer Configuration
  --code CODE           Provide Authorization Code
  --token TOKEN         Provide Access Token
  --client-id CLIENT_ID
                        Provide Application Client ID
  --client-secret CLIENT_SECRET
                        Provide Application Client Secret
  --refresh-token REFRESH_TOKEN
                        Provide Refresh Token
  --token-path TOKEN_PATH
                        Provide Access Token file path
  --refresh-all         Steal all user's data again.
  --refresh-user REFRESH_USER
                        Steal particular user's data again.(Provide EmailID)
  --redirect-url REDIRECT_URL
                        Redirect Url
  --database-path DATABASE_PATH
                        Provide Database Path
  --no-stealing         Steal only Tokens
  --upload UPLOAD       Add files in victim's OneDrive(Provide File Path)
  --create-rules CREATE_RULES
                        Provide json file containing outlook rules
  --send-mail SEND_MAIL
                        Provide json file to send email
  --delete-all-data     Delete all data from the database!
  --delete-user-data DELETE_USER_DATA
                        Delete specific user data from the database!
  --run-app             Host the Phising App
  --no-ssl              Use http(port 80)
  --port PORT           Provide custom port to Host the Phishing App
  --disable-logs        Disable all http access logs
  --custom-steal {listusers,checklicence,outlook,onedrive,onenote} [{listusers,checklicence,outlook,onedrive,onenote} ...]
                        Steal specific data
  --delay DELAY         Delay the request by specifying time in seconds while stealing
Please raise an issue if you encounter a bug or have a feature request.
If you want to contribute to a project and make it better, your help is very welcome.
Thanks to 0x09AL for writing office365-attack-toolkit.