secureworks/squarephish
GitHub: secureworks/squarephish
SquarePhish 是一款结合 QR 码与 OAuth Device Code 流程的高级钓鱼工具,用于模拟针对 Microsoft 账户的社交工程攻击。
Stars: 341 | Forks: 53
# SquarePhish
SquarePhish 是一款高级钓鱼工具,它结合使用了 OAuth Device code 认证流程和 QR 码技术。
```
_____ _____ _ _ _
/ ____| | __ \| | (_) | |
| (___ __ _ _ _ __ _ _ __ ___| |__) | |__ _ ___| |__
\___ \ / _` | | | |/ _` | '__/ _ \ ___/| '_ \| / __| '_ \
____) | (_| | |_| | (_| | | | __/ | | | | | \__ \ | | |
|_____/ \__, |\__,_|\__,_|_| \___|_| |_| |_|_|___/_| |_|
| |
|_|
_________
| | /(
| O |/ (
|> |\ ( v0.1.0
|_________| \(
usage: squish.py [-h] {email,server} ...
SquarePhish -- v0.1.0
optional arguments:
-h, --help show this help message and exit
modules:
{email,server}
email send a malicious QR Code email to a provided victim
server host a malicious server QR Codes generated via the 'email' module will
point to that will activate the malicious OAuth Device Code flow
```
## 攻击步骤
攻击者可以使用 SquarePhish 的 `email` 模块向受害者发送包含恶意 QR 码的电子邮件。默认的预设场景是,受害者必须更新其 Microsoft MFA 身份验证才能继续使用移动电子邮件。当前使用的 client ID 是 Microsoft Authenticator App。
然后,受害者会使用其移动设备扫描邮件正文中的 QR 码。该 QR 码会将受害者引导至攻击者控制的服务器(运行 SquarePhish 的 `server` 模块),其中 URL 参数被设置为受害者的电子邮件地址。
当受害者访问恶意的 SquarePhish 服务器时,会触发一个后台进程,该进程将启动 OAuth Device Code 身份验证流程,并向受害者发送一封包含生成的 Device Code 的电子邮件,随后要求他们将其输入到合法的 Microsoft Device Code 网站中(这将启动 OAuth Device Code 流程 15 分钟的倒计时)。
然后,SquarePhish 服务器将在后台继续轮询身份验证状态。
```
[2022-04-08 14:31:51,962] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:31:57,185] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:02,372] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:07,516] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:12,847] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:17,993] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:23,169] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:28,492] [info] [minnow@square.phish] Polling for user authentication...
```
随后,受害者将通过电子邮件中提供的链接或在移动设备上访问 SquarePhish URL 后的重定向,访问 Microsoft Device Code 身份验证网站。
然后,受害者将输入收到的 Device Code,系统会提示他们进行授权同意。
在受害者完成身份验证和授权后,一个身份验证 token 将保存在本地,攻击者可借此根据请求应用程序定义的 scope 获取访问权限。
```
[2022-04-08 14:32:28,796] [info] [minnow@square.phish] Token info saved to minnow@square.phish.tokeninfo.json
```
当前的 scope 定义:
```
"scope": ".default offline_access profile openid"
```
# 用法
## Email 模块
向目标受害者发送生成的 QR 码,这将触发 OAuth Device Code 流程。
```
usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
squarephish config file [Default: settings.config]
--debug enable server debugging
-e EMAIL, --email EMAIL
victim email address to send initial QR code email to
-u URL, --url URL force a url to use, this will override the default
and will not work with default device flow or
pretext but can be useful if using squarephish to
send lures directing targets to other servers
```
## Server 模块
托管一个服务器,生成的 QR 码将指向该服务器,并在收到请求时触发 OAuth Device Code 流程。
```
usage: squish.py server [-h] [-c CONFIG] [--debug]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
squarephish config file [Default: settings.config]
--debug enable server debugging
```
## 配置
所有适用于执行的设置都可以在 [settings.config](settings.config) 文件中找到并进行修改。有几项必填信息没有默认值,必须由用户填写:SMTP_EMAIL、SMTP_PASSWORD 和 SQUAREPHISH_SERVER(仅在执行 email 模块时需要)。所有配置选项均已通过行内注释在设置文件中进行了说明。
**注意**:配置文件 'EMAIL' 部分中出现的 `SQUAREPHISH_` 值应与运行 SquarePhish 服务器时设置的值相匹配。
```
[DEFAULT]
SMTP_PORT = 465 # SMTP port, defaulted to 465
SMTP_SERVER = "smtp.gmail.com" # SMTP server, defaulted to GMail
SMTP_PROTO = "ssl" # SMTP protocol: {ssl, tls, None (leave empty)}
SMTP_EMAIL = "" # Provide authenticating email address here
SMTP_PASSWORD = "" # Provide authenticating password here
[EMAIL]
SQUAREPHISH_SERVER = "" # Required: Provide IP address/domain name of hosted SquarePhish server
SQUAREPHISH_PORT = 8443 # Hosted SquarePhish server port, defaulted to 8443 (this should match the below server value)
SQUAREPHISH_ENDPOINT = "/mfa" # Hosted SquarePhish endpoint to trigger OAuth Device Code flow, defaulted to an MFA pretext (this should match the below server value)
FROM_EMAIL = "admin@square.phish" # Default FROM address when sending an email
SUBJECT = "ACTION REQUIRED: Multi-Factor Authentication (MFA) Update" # Default SUBJECT when sending an email, defauled to an MFA pretext
EMAIL_TEMPLATE = "pretexts/mfa/qrcode_email.html" # Email body template for QR code email to victim
[SERVER]
PORT = 8443
FROM_EMAIL = "admin@square.phish" # Default FROM address when sending an email
SUBJECT = "ACTION REQUIRED: Multi-Factor Authentication (MFA) Update" # Default SUBJECT when sending an email, defauled to an MFA pretext
CLIENT_ID = "4813382a-8fa7-425e-ab75-3b753aab3abb" # Authenticating client ID, defaulted to Microsoft Authenticator App
ENDPOINT = "/mfa" # Hosted endpoint to trigger OAuth Device Code flow, defaulted to an MFA pretext
CERT_CRT = "" # Server SSL certificate .crt file
CERT_KEY = "" # Server SSL certificate .key file
EMAIL_TEMPLATE = "pretexts/mfa/devicecode_email.html" # Email body template for device code email to victim
PERMISSION_SCOPE = ".default offline_access profile openid" # OAuth permission scope - https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
```
## 自定义预设场景
目前,预定义的预设场景可以在 [pretexts](pretexts/) 文件夹中找到。
要编写自定义的预设场景,请通过 [pretexts/iphone/](pretexts/iphone/) 文件夹使用现有的模板。无论是初始 QR 码电子邮件还是后续的 device code 电子邮件,都需要提供相应的电子邮件模板。
**重要提示**:在编写自定义预设场景时,请注意两个预设模板中是否存在 `%s`。它的存在是为了让 SquarePhish 在生成电子邮件时能够填充正确的数据(QR 码数据和/或 device code 值)。
## OPSEC
在 [utils.py](squarephish/utils.py#L28) 文件中定义了几个 HTTP 响应头。这些头信息旨在覆盖任何现有的 Flask 响应头值,并使服务器提供更具“合法性”的响应。可以修改或删除这些头信息的值,也可以包含额外的头信息以实现更好的 OPSEC。
```
{
"vary": "Accept-Encoding",
"server": "Microsoft-IIS/10.0",
"tls_version": "tls1.3",
"content-type": "text/html; charset=utf-8",
"x-appversion": "1.0.8125.42964",
"x-frame-options": "SAMEORIGIN",
"x-ua-compatible": "IE=Edge;chrome=1",
"x-xss-protection": "1; mode=block",
"x-content-type-options": "nosniff",
"strict-transport-security": "max-age=31536000",
}
```
然后,受害者会使用其移动设备扫描邮件正文中的 QR 码。该 QR 码会将受害者引导至攻击者控制的服务器(运行 SquarePhish 的 `server` 模块),其中 URL 参数被设置为受害者的电子邮件地址。
当受害者访问恶意的 SquarePhish 服务器时,会触发一个后台进程,该进程将启动 OAuth Device Code 身份验证流程,并向受害者发送一封包含生成的 Device Code 的电子邮件,随后要求他们将其输入到合法的 Microsoft Device Code 网站中(这将启动 OAuth Device Code 流程 15 分钟的倒计时)。
然后,SquarePhish 服务器将在后台继续轮询身份验证状态。
```
[2022-04-08 14:31:51,962] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:31:57,185] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:02,372] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:07,516] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:12,847] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:17,993] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:23,169] [info] [minnow@square.phish] Polling for user authentication...
[2022-04-08 14:32:28,492] [info] [minnow@square.phish] Polling for user authentication...
```
随后,受害者将通过电子邮件中提供的链接或在移动设备上访问 SquarePhish URL 后的重定向,访问 Microsoft Device Code 身份验证网站。
然后,受害者将输入收到的 Device Code,系统会提示他们进行授权同意。
在受害者完成身份验证和授权后,一个身份验证 token 将保存在本地,攻击者可借此根据请求应用程序定义的 scope 获取访问权限。
```
[2022-04-08 14:32:28,796] [info] [minnow@square.phish] Token info saved to minnow@square.phish.tokeninfo.json
```
当前的 scope 定义:
```
"scope": ".default offline_access profile openid"
```
# 用法
## Email 模块
向目标受害者发送生成的 QR 码,这将触发 OAuth Device Code 流程。
```
usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
squarephish config file [Default: settings.config]
--debug enable server debugging
-e EMAIL, --email EMAIL
victim email address to send initial QR code email to
-u URL, --url URL force a url to use, this will override the default
and will not work with default device flow or
pretext but can be useful if using squarephish to
send lures directing targets to other servers
```
## Server 模块
托管一个服务器,生成的 QR 码将指向该服务器,并在收到请求时触发 OAuth Device Code 流程。
```
usage: squish.py server [-h] [-c CONFIG] [--debug]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
squarephish config file [Default: settings.config]
--debug enable server debugging
```
## 配置
所有适用于执行的设置都可以在 [settings.config](settings.config) 文件中找到并进行修改。有几项必填信息没有默认值,必须由用户填写:SMTP_EMAIL、SMTP_PASSWORD 和 SQUAREPHISH_SERVER(仅在执行 email 模块时需要)。所有配置选项均已通过行内注释在设置文件中进行了说明。
**注意**:配置文件 'EMAIL' 部分中出现的 `SQUAREPHISH_` 值应与运行 SquarePhish 服务器时设置的值相匹配。
```
[DEFAULT]
SMTP_PORT = 465 # SMTP port, defaulted to 465
SMTP_SERVER = "smtp.gmail.com" # SMTP server, defaulted to GMail
SMTP_PROTO = "ssl" # SMTP protocol: {ssl, tls, None (leave empty)}
SMTP_EMAIL = "" # Provide authenticating email address here
SMTP_PASSWORD = "" # Provide authenticating password here
[EMAIL]
SQUAREPHISH_SERVER = "" # Required: Provide IP address/domain name of hosted SquarePhish server
SQUAREPHISH_PORT = 8443 # Hosted SquarePhish server port, defaulted to 8443 (this should match the below server value)
SQUAREPHISH_ENDPOINT = "/mfa" # Hosted SquarePhish endpoint to trigger OAuth Device Code flow, defaulted to an MFA pretext (this should match the below server value)
FROM_EMAIL = "admin@square.phish" # Default FROM address when sending an email
SUBJECT = "ACTION REQUIRED: Multi-Factor Authentication (MFA) Update" # Default SUBJECT when sending an email, defauled to an MFA pretext
EMAIL_TEMPLATE = "pretexts/mfa/qrcode_email.html" # Email body template for QR code email to victim
[SERVER]
PORT = 8443
FROM_EMAIL = "admin@square.phish" # Default FROM address when sending an email
SUBJECT = "ACTION REQUIRED: Multi-Factor Authentication (MFA) Update" # Default SUBJECT when sending an email, defauled to an MFA pretext
CLIENT_ID = "4813382a-8fa7-425e-ab75-3b753aab3abb" # Authenticating client ID, defaulted to Microsoft Authenticator App
ENDPOINT = "/mfa" # Hosted endpoint to trigger OAuth Device Code flow, defaulted to an MFA pretext
CERT_CRT = "" # Server SSL certificate .crt file
CERT_KEY = "" # Server SSL certificate .key file
EMAIL_TEMPLATE = "pretexts/mfa/devicecode_email.html" # Email body template for device code email to victim
PERMISSION_SCOPE = ".default offline_access profile openid" # OAuth permission scope - https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
```
## 自定义预设场景
目前,预定义的预设场景可以在 [pretexts](pretexts/) 文件夹中找到。
要编写自定义的预设场景,请通过 [pretexts/iphone/](pretexts/iphone/) 文件夹使用现有的模板。无论是初始 QR 码电子邮件还是后续的 device code 电子邮件,都需要提供相应的电子邮件模板。
**重要提示**:在编写自定义预设场景时,请注意两个预设模板中是否存在 `%s`。它的存在是为了让 SquarePhish 在生成电子邮件时能够填充正确的数据(QR 码数据和/或 device code 值)。
## OPSEC
在 [utils.py](squarephish/utils.py#L28) 文件中定义了几个 HTTP 响应头。这些头信息旨在覆盖任何现有的 Flask 响应头值,并使服务器提供更具“合法性”的响应。可以修改或删除这些头信息的值,也可以包含额外的头信息以实现更好的 OPSEC。
```
{
"vary": "Accept-Encoding",
"server": "Microsoft-IIS/10.0",
"tls_version": "tls1.3",
"content-type": "text/html; charset=utf-8",
"x-appversion": "1.0.8125.42964",
"x-frame-options": "SAMEORIGIN",
"x-ua-compatible": "IE=Edge;chrome=1",
"x-xss-protection": "1; mode=block",
"x-content-type-options": "nosniff",
"strict-transport-security": "max-age=31536000",
}
```
标签:ESC8, Modbus, OAuth认证, 二维码, 社会工程学, 网络安全, 逆向工具, 隐私保护