GraphSpy: Initial Access and Post-Exploitation Tool for AAD and O365

GraphSpy

Initial Access and Post-Exploitation Tool for AAD and O365 with a browser-based GUI

O365 Post-Exploitation

Internet traffic

Because of the client-server architecture, most internet traffic originates from the GraphSpy application itself (the server side), not from the browser. This includes:

  • The generation and polling of device codes.
  • Creating access tokens with refresh tokens.
  • Any API calls made with these access tokens to Microsoft Entra and Office applications.

The only exceptions to this are situations where the browser itself needs to perform an action. This includes:

  • Any traffic from the Outlook module after opening Outlook through the browser.
  • Downloading files from OneDrive or SharePoint. (While the API calls used to browse files in SharePoint originate from GraphSpy, the file download itself originates from the user's browser.)

While this detail should not affect the usage of GraphSpy in general, there are situations where you should take it into consideration. For example: you access GraphSpy from a host with a different public IP address than the host GraphSpy is running on, or you rely on GraphSpy to spoof the User-Agent header. In both cases the browser-originated traffic will carry a different source IP address or User-Agent than the traffic sent by GraphSpy.
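From a defender's side, this split is also what makes the activity observable: a device-code sign-in followed by token use from a second source IP or a non-browser User-Agent is worth a look. The check below is an added example, not GraphSpy's own code; it runs over constructed sign-in records whose field names are assumed to follow an Entra ID sign-in log export (`userPrincipalName`, `createdDateTime`, `authenticationProtocol`, `ipAddress`, `userAgent`).

```python
"""Detection sketch: after a device-code sign-in, does the same user's follow-on
token activity arrive from more than one source IP or User-Agent? Added example,
not GraphSpy code; field names assume an Entra ID sign-in log export."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in records (not real data).
SAMPLE_SIGNINS = [
    # alice: device code redeemed in a browser, Graph calls from another host
    # with a non-browser User-Agent, then Outlook opened from the browser again.
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:04:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7",
     "userAgent": "python-requests/2.31"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:06:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120"},
    # bob: device code and all follow-on activity from a single host.
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T10:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5",
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T10:02:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.5",
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"},
]

def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_split_sessions(records, window_minutes=60):
    """Map UPN -> {"ips", "user_agents"} for users whose sign-ins within
    `window_minutes` of a device-code sign-in came from >1 IP or >1 User-Agent."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"]].append(rec)
    findings = {}
    for upn, recs in by_user.items():
        recs.sort(key=_ts)
        for i, rec in enumerate(recs):
            if rec["authenticationProtocol"] != "deviceCode":
                continue
            start = _ts(rec)
            related = [r for r in recs[i:] if _ts(r) - start <= window]
            ips = {r["ipAddress"] for r in related}
            uas = {r["userAgent"] for r in related}
            if len(ips) > 1 or len(uas) > 1:
                findings[upn] = {"ips": ips, "user_agents": uas}
    return findings
```

On the sample data only alice is flagged; bob's device-code sign-in and follow-on activity share one IP and User-Agent, so the check stays quiet for the ordinary case.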

Features

Access and Refresh Tokens

Store your access and refresh tokens for multiple users and scopes in one location.

Easily switch between them or request new access tokens from any page.

Device Codes

Easily create and poll multiple device codes at once. If a user uses the device code to authenticate, GraphSpy will automatically store the access and refresh token in its database.

Files and SharePoint

Browse through files and folders in the user’s OneDrive or any accessible SharePoint site through an intuitive file explorer interface.

Of course, files can also be directly downloaded.

Additionally, list the user’s recently accessed files or files shared with the user.

Outlook

Open the user’s Outlook with a single click using just an Outlook access token (FOCI)!

Graph Searching

Search for keywords through all Microsoft 365 applications using the Microsoft 365 API.

For instance, use this to search for any files or emails containing keywords such as “password”, “secret”, …

Generic Graph Requests

Perform any other MS Graph requests and display the raw response.

Multiple Databases

GraphSpy supports multiple databases. This is useful when working on multiple assessments at once to keep your tokens and device codes organized.

Dark Mode

Use the dark mode by default, or switch to light mode.

Upcoming Features

  • Upload, Delete, and Rename Files
  • More authentication options
    • Password, ESTSAuth Cookie, PRT, …
  • Advanced token customization options and optional v2 API support (CAE)
  • Automatic Access Token Refreshing
  • Set a custom user agent
  • Microsoft Teams
    • Sadly, most MS Graph scopes required for Microsoft Teams cannot be obtained through a FOCI client id, limiting the use cases where it could be accessed.
    • So the best option would be to use the Skype API, which is a FOCI resource, although this API is not documented by Microsoft or intended for public use.
  • Azure AD
    • List Users, Groups, Applications, Devices, Conditional Access Policies, …
  • Cleaner exception handling
    • While this should not have any direct impact on the user, edge cases might currently throw exceptions to the GraphSpy output instead of being handled in a cleaner way.

Install & Use

Copyright (C) 2024 RedByte1337