Abusing the Google People API

Introducing G-Dir Thief

G-Dir Thief

During the last few Red Team Operations I’ve been on, I’ve found myself having phished my way into a victim’s G-Suite account. Among other things, I end up taking a look at the victim’s Google contacts and ultimately look at the victim organization’s Google directory. While you can absolutely export the victim user’s contacts you cannot, however export/download the organization’s directory. While super annoying as a Red Teamer, I give Google a lot of credit for this security-minded feature. Having access to an organizations complete directory is a pretty valuable to an adversary. Armed with this data and adversary has access to the contact information to every employee in the organization. This data is valuable for an adversary who might plan to conduct a spear-phishing campaign, or a social engineering campaign.

On top of the inability to download/export the organization’s directory Google has implemented a pagination system on the directory that does not allow one to “select all,” and “copy” the contents of a page. If you want to copy pasta the directory you will have to do it one page at a time. Google uses a page token that ensures that the entire directory is not selectable and only the page with the current page token is visible and thus selectable. Again, frustrating as a Red Teamer, but a pretty cool feature.

So, instead of taking 3 days to copy and paste an organizations directory I decided to code.

I created yet another Google API abuse tool in python. This one abuses the Google People API. It is called Gdir-Thief and can be downloaded from my github page here. It is very simple to use. It takes no arguments, so you just need to run the script and it downloads the target organization’s full Google People Directory in CSV format to the working directory at gdir_thief/loot/directory.csv .

There is a bit of work to do before you can run the script. First you’ll need to get access to a target’s google corporate account. You’ll also need to create a Google app, configure OAuth for the app, get OAuth credentials and place them in the working directory’s ./credentials directory, add the victim’s email to the app tester’s list.

I am not going to list the steps out for this here, because I give a detailed, illustrated, step-by-step guide to doing all of this in another blog post here. The only difference here is that instead of selecting the Google Drive APIs for the scope of your app, you will need to select the Google People APIs for the scope.

Google People API

I just select them all. You won’t need them all, but why not?

Select all of the People APIs

Hopefully this tool comes in handy for you on your next Red Team operation. I know it will for mine. Let me know if you have any more functionality ideas for this, or fork my repo and request a pull.

For more Google API abuse, checkout my blog posts and tools for Google Calendar Phishing, and Google Drive Exfiltration:

As always, thanks for reading!

Red Team Pen Testing Nobody | OSCP | InfoSec | Tech Junkie | OIF Veteran | Tweets are mine, not yours, nor anyone else's... Certainly not my employer's