Abusing the Google People API

G-Dir Thief

What is this about?

During the last few Red Team Operations I’ve been on, I’ve found myself having phished my way into a victim’s G-Suite account. Among other things, I end up taking a look at the victim’s Google contacts and ultimately look at the victim organization’s Google directory. While you can absolutely export the victim user’s contacts you cannot, however export/download the organization’s directory. While super annoying as a Red Teamer, I give Google a lot of credit for this security-minded feature. Having access to an organizations complete directory is a pretty valuable to an adversary. Armed with this data and adversary has access to the contact information to every employee in the organization. This data is valuable for an adversary who might plan to conduct a spear-phishing campaign, or a social engineering campaign.

Enter Gdir-Thief

I created yet another Google API abuse tool in python. This one abuses the Google People API. It is called Gdir-Thief and can be downloaded from my github page here. It is very simple to use. It takes no arguments, so you just need to run the script and it downloads the target organization’s full Google People Directory in CSV format to the working directory at gdir_thief/loot/directory.csv .

Google People API
Select all of the People APIs

Wrapping up

Hopefully this tool comes in handy for you on your next Red Team operation. I know it will for mine. Let me know if you have any more functionality ideas for this, or fork my repo and request a pull.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
4n7m4n

4n7m4n

Red Team Pen Testing Nobody | OSCP | InfoSec | Tech Junkie | OIF Veteran | Tweets are mine, not yours, nor anyone else's... Certainly not my employer's