You’re a GD Thief!

GD-Thief

What is GD-Thief?

Have you ever been on a Red Team operation where you have access to a victim’s G Suite, you are rifling through the victim’s Google Drive (GD), and you wished you had a way to quickly download all of the files? Well, that’s what GD-Thief does. GD-Thief is a script I wrote in Python that allows the Red Teamer to download every file in the victim’s Drive. But wait, there’s more!

How does it work?

GD-Thief uses the Google Drive API to make calls to the victim’s GD. The Red Teamer will need to create an external Google app in testing status, get an API key for the app, give the app permissions to access the required GD APIs, and add the victim’s Gmail address to the list of application testers. I explain how all of this is done in the tutorial below.

Security Bug Reported 4/23/21
Google’s response
Google won’t fix

A Very Effective Attack Path

Getting access to a target’s Google account can be accomplished fairly easily. I have accomplished this on MANY Red Team operations via a Machine-in-the-Middle (MitM) attack using EvilGinx2 to create a fake Okta page for the target organization. EvilGinx2 basically proxies the authentication traffic sent to the fake web application page (Okta in this case) and forwards it to the real web application page using the credentials provided by the victim. It logs the victim in to the real web application and sends the credentials to the attacker-controlled EvilGinx2 server. This even bypasses 2FA. Let us discuss how this works in greater detail:

EvilGinx2 Attack Path
  1. A phishing email is sent to the target via a Red Team controlled phishing server (GoPhish). The phishing pretext can be something to do with the target needing to make a change in Workday.
  2. The victim clicks a malicious link and is sent to a fake Okta login page on a Red Team controlled server (EvilGinx2).
  3. Victim inputs their Okta credentials and EvilGinx2 proxies the credentials to the victim’s real Okta login portal.
  4. The real Okta sends the 2FA push notification to the victim as normal.
  5. Victim accepts the push and is then forwarded by EvilGinx2 to a dummy web page of the Red Team’s choosing. Sticking to the phishing pretext described in step 1, this dummy page could be the victim’s Workday site.
  6. EvilGinx2 gives the Red Team the victim’s credentials as well as the victim’s Okta session token. The Red Team now has an interactive session for the victim’s Okta account.

A Tutorial for Using GD-Thief

Before you ever get a session on a victim’s Google account as described above, you need to do a few things. First you’ll need Python 3. Next you’ll need to download GD-Thief from GitHub.

Create a new Google Cloud Platform (GCP) project

Steps to get the Google API Access Token needed for connecting to the API

  1. Create a burner Gmail/Google account. You will need to provide a credit card number to start your free Google Cloud account (get a prepaid CC).
  2. Log in to said burner Google account.
  3. Navigate to the Google Cloud Console
  4. Next to “Google Cloud Platform,” click the “Select a project” Down arrow. A dialog listing current projects appears.
  5. Click New Project. The New Project screen appears.
Create a new project
Name the project

Enable a Google Workspace API

  1. Next to “Google Cloud Platform,” click the Down arrow and select the project you just created from the dropdown list.
  2. In the top-left corner, click Menu > APIs & Services.
API & Services Library
Search for GD API
Enable GD API

Configure OAuth Consent Screen

  1. On the left side of the Overview page click Credentials. The credential page for your project appears.
  2. Click Configure Consent Screen. The "OAuth consent screen" screen appears.
Configure Consent Screen
OAuth External Application Consent
Application Info
Save Application Info
Add or Remove Scopes
Check all GD API Scopes
Update Scope
Scope list
Save Scope

Create a credential

  1. Click Create Credentials and select OAuth client ID. The "Create OAuth client ID" page appears.
Create OAuth Client ID Credentials
Select “Desktop App,” name it, and create
OAuth Client created

Add the victim’s Google account to the Application’s Test Users

In order to be able to run this script against the victim, you will need to add their Google account to the Test Users list for the App you just created.

  1. On the left side of the screen click OAuth consent screen. The "OAuth consent screen" page appears.
  2. Under Test Users click the Add Users button.
Add test user

First Time running gd_thief

Upon gaining access to a target’s Google account, you can run gd_thief.

  1. The first time you run gd_thief, the script opens a new browser window prompting you to authorize access to your data.
  2. If you are signed in to multiple Google accounts, you are asked to select one account to use for the authorization. Make sure you select the victim’s Google account.
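
The authorization step above is also the point where a defender can catch this technique: the consent grant shows up in the Workspace token audit log as an "authorize" event carrying the client ID and the scopes that were approved. The following is an added example, not part of GD-Thief or of the original post, that flags grants of broad Drive scopes to OAuth client IDs that are not on an allowlist. The record shape mirrors the Reports API "token" activities (actor / events / parameters), but treat the field names as an assumption to check against your own export; the sample records are constructed.

```python
# Record shape is an assumption modelled on Workspace Reports API "token" activities.
# Scopes that expose the whole Drive; drive.file and drive.appdata are left out because
# they only cover content the app itself created.
BROAD_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.metadata",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
}


def _params(event):
    """Flatten an event's parameter list into {name: value or multiValue list}."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}


def find_risky_drive_grants(records, allowlisted_client_ids):
    """Return (user, client_id, app_name, scopes) for each broad-Drive grant to an unvetted client."""
    hits = []
    for rec in records:
        user = rec.get("actor", {}).get("email", "?")
        for ev in rec.get("events", []):
            if ev.get("name") != "authorize":
                continue
            p = _params(ev)
            granted = set(p.get("scope") or []) & BROAD_DRIVE_SCOPES
            if granted and p.get("client_id") not in allowlisted_client_ids:
                hits.append((user, p["client_id"], p.get("app_name"), sorted(granted)))
    return hits


def _grant(user, client_id, app, scopes):
    """Build one constructed token-audit record (test data, not real log output)."""
    return {"actor": {"email": user}, "events": [{"name": "authorize", "parameters": [
        {"name": "client_id", "value": client_id}, {"name": "app_name", "value": app},
        {"name": "scope", "multiValue": scopes}]}]}


# Constructed sample: a vetted backup app, an unknown app asking for full Drive, an editor on drive.file.
SAMPLE_RECORDS = [
    _grant("alice@example.com", "vetted.apps.googleusercontent.com", "Vetted Backup",
           ["https://www.googleapis.com/auth/drive.readonly"]),
    _grant("bob@example.com", "000-unknown.apps.googleusercontent.com", "Quickstart",
           ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/userinfo.email"]),
    _grant("carol@example.com", "editor.apps.googleusercontent.com", "Doc Editor",
           ["https://www.googleapis.com/auth/drive.file"]),
]
ALLOWLIST = {"vetted.apps.googleusercontent.com"}

if __name__ == "__main__":
    for hit in find_risky_drive_grants(SAMPLE_RECORDS, ALLOWLIST):
        print("ALERT broad Drive scope granted to unvetted app:", hit)
```

Only the unknown app requesting the full `drive` scope is reported; the allowlisted client and the `drive.file`-only grant are ignored.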

Using GD-Thief

Usage for GD-Thief is pretty simple. I won’t rewrite the usage here since it is fully described in the GD-Thief GitHub README and in the application help, but just make sure you are using Python 3.

Wrapping up

Hopefully this tool comes in handy for you on your next Red Team operation, or for a DLP penetration test. Next, I would like to add a search option that uses Snort’s Sensitive Data Preprocessor regexes to find sensitive data in the GD, such as credit card numbers, social security numbers, and email addresses.

4n7m4n

Red Team Pen Testing Nobody | OSCP | InfoSec | Tech Junkie | OIF Veteran | Tweets are mine, not yours, nor anyone else's... Certainly not my employer's