Abusing the Google People API

Introducing G-Dir Thief


What is this about?

On top of the inability to download/export the organization’s directory, Google has implemented a pagination system on the directory that does not allow one to “select all” and “copy” the contents of a page. If you want to copy pasta the directory, you will have to do it one page at a time. Google uses a page token that ensures that the entire directory is not selectable and only the page with the current page token is visible and thus selectable. Again, frustrating as a Red Teamer, but a pretty cool feature.

So, instead of taking 3 days to copy and paste an organization’s directory, I decided to code.

Enter Gdir-Thief

There is a bit of work to do before you can run the script. First, you’ll need to get access to a target’s Google corporate account. You’ll also need to create a Google app, configure OAuth for the app, get OAuth credentials and place them in the working directory’s ./credentials directory, and add the victim’s email to the app’s tester list.

I am not going to list the steps out for this here, because I give a detailed, illustrated, step-by-step guide to doing all of this in another blog post here. The only difference here is that instead of selecting the Google Drive APIs for the scope of your app, you will need to select the Google People APIs for the scope.

Google People API

I just select them all. You won’t need them all, but why not?

Select all of the People APIs
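A defender-side companion to the setup described above, as an added example that is not part of the original post or the G-Dir Thief tool: it scans OAuth authorize events for People API scopes granted to client IDs outside an allowlist. The event layout is assumed to follow the Google Workspace token audit log (events named authorize with client_id, app_name and scope parameters); the allowlist, client IDs, app names and sample records are constructed.

```python
AUTH = "https://www.googleapis.com/auth/"
DIRECTORY_SCOPE = AUTH + "directory.readonly"
# People API scope families: directory, contacts, and user.* profile fields.
PEOPLE_PREFIXES = (AUTH + "directory.", AUTH + "contacts", AUTH + "user.")
# Hypothetical allowlist of OAuth client IDs the organization has approved.
APPROVED_CLIENT_IDS = {"1111-approved.apps.googleusercontent.com"}

def _event(user, client_id, app_name, scopes):
    """Build one constructed record in the assumed token-audit-log shape."""
    return {"actor": {"email": user}, "events": [{"name": "authorize", "parameters": [
        {"name": "client_id", "value": client_id},
        {"name": "app_name", "value": app_name},
        {"name": "scope", "multiValue": scopes}]}]}

# Constructed sample data, not real log output.
SAMPLE_ACTIVITIES = [
    _event("alice@example.com", "2222-unknown.apps.googleusercontent.com", "Untitled project",
           [AUTH + "directory.readonly", AUTH + "contacts.readonly", AUTH + "user.emails.read"]),
    _event("bob@example.com", "1111-approved.apps.googleusercontent.com", "HR Sync",
           [AUTH + "directory.readonly"]),
    _event("carol@example.com", "3333-unknown.apps.googleusercontent.com", "Notes",
           [AUTH + "drive.readonly"]),
]

def find_people_api_grants(activities, approved=APPROVED_CLIENT_IDS):
    """Return grants of People API scopes to OAuth clients not on the allowlist."""
    findings = []
    for activity in activities:
        for event in activity.get("events", []):
            if event.get("name") != "authorize":
                continue
            params = {p["name"]: p.get("multiValue") or p.get("value")
                      for p in event.get("parameters", [])}
            scopes = params.get("scope") or []
            hits = sorted(s for s in scopes if s.startswith(PEOPLE_PREFIXES))
            if not hits or params.get("client_id") in approved:
                continue
            findings.append({
                "user": activity.get("actor", {}).get("email"),
                "client_id": params.get("client_id"),
                "app_name": params.get("app_name"),
                "people_scopes": hits,
                "directory_access": DIRECTORY_SCOPE in hits,
            })
    return findings
```

Calling `find_people_api_grants(SAMPLE_ACTIVITIES)` returns one finding, for the unapproved client that was granted the directory, contacts and user scopes together.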

Wrapping up

For more Google API abuse, check out my blog posts and tools for Google Calendar Phishing and Google Drive Exfiltration.

As always, thanks for reading!
