1+ #!/usr/bin/env python3
2+
3+ import sys
4+ import argparse
5+ import textwrap
6+ from Graphpython .commands import outsider , auth , enum , exploit , intune_enum , intune_exploit , cleanup , locators
7+ from Graphpython .utils .helpers import list_commands , print_red
8+
9+ def parseArgs ():
10+
11+ version = "1.0"
12+ print (f"\n \033 [3mGraphpython v{ version } - @mlcsec\033 [0m\n " )
13+ parser = argparse .ArgumentParser (
14+ formatter_class = argparse .RawDescriptionHelpFormatter ,
15+ epilog = textwrap .dedent ('''\
16+ examples:
17+ graphpython --command invoke-reconasoutsider --domain company.com
18+ graphpython --command invoke-userenumerationasoutsider --username <[email protected] /emails.txt> 19+ graphpython --command get-graphtokens
20+ graphpython --command invoke-refreshtoazuremanagementtoken --tenant <tenant-id> --token refresh-token
21+ graphpython --command get-users --token eyJ0... -- select displayname,id [--id <userid>]
22+ graphpython --command list-recentonedrivefiles --token token
23+ graphpython --command invoke-search --search "credentials" --entity driveItem --token token
24+ graphpython --command invoke-customquery --query https://graph.microsoft.com/v1.0/sites/{siteId}/drives --token token
25+ graphpython --command assign-privilegedrole --token token
26+ graphpython --command spoof-owaemailmessage [--id <userid to spoof>] --token token --email email-body.txt
27+ graphpython --command get-manageddevices --token intune-token
28+ graphpython --command deploy-maliciousscript --script malicious.ps1 --token token
29+ graphpython --command backdoor-script --id <scriptid> --script backdoored-script.ps1 --token token
30+ graphpython --command add-exclusiongrouptopolicy --id <policyid> --token token
31+ graphpython --command reboot-device --id <deviceid> --token eyj0...
32+ ''' )
33+ )
34+ parser .add_argument ("--command" , help = "Command to execute" )
35+ parser .add_argument ("--list-commands" , action = "store_true" , help = "List available commands" )
36+ parser .add_argument ("--token" , help = "Microsoft Graph access token or refresh token for FOCI abuse" )
37+ parser .add_argument ("--estsauthcookie" , help = "'ESTSAuth' or 'ESTSAuthPersistent' cookie" )
38+ parser .add_argument ("--use-cae" , action = "store_true" , help = "Flag to use Continuous Access Evaluation (CAE) - add 'cp1' as client claim to get an access token valid for 24 hours" )
39+ parser .add_argument ("--cert" , help = "X509Certificate path (.pfx)" )
40+ parser .add_argument ("--domain" , help = "Target domain" )
41+ parser .add_argument ("--tenant" , help = "Target tenant ID" )
42+ parser .add_argument ("--username" , help = "Username or file containing usernames (invoke-userenumerationasoutsider)" )
43+ parser .add_argument ("--secret" , help = "Enterprise application secretText (invoke-appsecrettoaccesstoken)" )
44+ parser .add_argument ("--id" , help = "ID of target object" )
45+ parser .add_argument ("--select" , help = "Fields to select from output" )
46+ parser .add_argument ("--query" , help = "Raw API query URL (GET only)" )
47+ parser .add_argument ("--search" , help = "Search string" )
48+ parser .add_argument ("--entity" , choices = ['driveItem' , 'message' , 'chatMessage' , 'site' , 'event' ],help = "Search entity type: driveItem(OneDrive), message(Mail), chatMessage(Teams), site(SharePoint), event(Calenders)" )
49+ parser .add_argument ("--device" , choices = ['Mac' , 'Windows' , 'AndroidMobile' , 'iPhone' ], help = "Device type for User-Agent forging" )
50+ parser .add_argument ("--browser" , choices = ['Android' , 'IE' , 'Chrome' , 'Firefox' , 'Edge' , 'Safari' ], help = "Browser type for User-Agent forging" )
51+ parser .add_argument ("--only-return-cookies" , action = "store_true" , help = "Only return cookies from the request (open-owamailboxinbrowser)" )
52+ parser .add_argument ("--mail-folder" , choices = ['Allitems' , 'inbox' , 'archive' , 'drafts' , 'sentitems' , 'deleteditems' , 'recoverableitemsdeletions' ], help = "Mail folder to dump (dump-owamailbox)" )
53+ parser .add_argument ("--top" , type = int , help = "Number (int) of messages to retrieve (dump-owamailbox)" )
54+ parser .add_argument ("--script" , help = "File containing the script content (deploy-maliciousscript or backdoor-script)" )
55+ parser .add_argument ("--email" , help = "File containing OWA email message body content (spoof-owaemailmessage)" )
56+
57+ args = parser .parse_args ()
58+ return args , parser
59+
60+ def main ():
61+
62+ args , parser = parseArgs ()
63+
64+ available_commands = [
65+ "invoke-reconasoutsider" ,"invoke-userenumerationasoutsider" ,"get-graphtokens" , "get-tenantid" , "get-tokenscope" , "decode-accesstoken" ,
66+ "invoke-refreshtomsgraphtoken" , "invoke-refreshtoazuremanagementtoken" , "invoke-refreshtovaulttoken" ,
67+ "invoke-refreshtomsteamstoken" , "invoke-refreshtoofficeappstoken" , "invoke-refreshtoofficemanagementtoken" ,
68+ "invoke-refreshtooutlooktoken" , "invoke-refreshtosubstratetoken" , "invoke-refreshtoyammertoken" , "invoke-refreshtointuneenrollmenttoken" ,
69+ "invoke-refreshtoonedrivetoken" , "invoke-refreshtosharepointtoken" , "invoke-certtoaccesstoken" , "invoke-estscookietoaccesstoken" , "invoke-appsecrettoaccesstoken" ,
70+ "new-signedjwt" , "get-currentuser" , "get-currentuseractivities" , "get-orginfo" , "get-domains" , "get-user" , "get-userproperties" ,
71+ "get-userprivileges" , "get-usertransitivegroupmembership" , "get-group" , "get-groupmember" , "get-userapproleassignments" , "get-serviceprincipalapproleassignments" ,
72+ "get-conditionalaccesspolicy" , "get-personalcontacts" , "get-crosstenantaccesspolicy" , "get-partnercrosstenantaccesspolicy" ,
73+ "get-userchatmessages" , "get-administrativeunitmember" , "get-onedrivefiles" , "get-userpermissiongrants" , "get-oauth2permissiongrants" ,
74+ "get-messages" , "get-temporaryaccesspassword" , "get-password" , "list-authmethods" , "list-directoryroles" , "list-notebooks" ,
75+ "list-conditionalaccesspolicies" , "list-conditionalauthenticationcontexts" , "list-conditionalnamedlocations" , "list-sharepointroot" ,
76+ "list-sharepointsites" ,"list-sharepointurls" , "list-externalconnections" , "list-applications" , "list-serviceprincipals" , "list-tenants" , "list-joinedteams" ,
77+ "list-chats" , "list-chatmessages" , "list-devices" , "list-administrativeunits" , "list-onedrives" , "list-recentonedrivefiles" , "list-onedriveurls" ,
78+ "list-sharedonedrivefiles" , "invoke-customquery" , "invoke-search" , "find-privilegedroleusers" , "find-updatablegroups" , "find-dynamicgroups" ,"find-securitygroups" ,
79+ "locate-objectid" , "update-userpassword" , "add-applicationpassword" , "add-usertap" , "add-groupmember" , "create-application" ,
80+ "create-newuser" , "invite-guestuser" , "assign-privilegedrole" , "open-owamailboxinbrowser" , "dump-owamailbox" , "spoof-owaemailmessage" ,
81+ "delete-user" , "delete-group" , "remove-groupmember" , "delete-application" , "delete-device" , "wipe-device" , "retire-device" ,
82+ "get-manageddevices" , "get-userdevices" , "get-caps" , "get-devicecategories" , "get-devicecompliancepolicies" , "update-deviceconfig" ,
83+ "get-devicecompliancesummary" , "get-deviceconfigurations" , "get-deviceconfigurationpolicies" , "get-deviceconfigurationpolicysettings" ,
84+ "get-deviceenrollmentconfigurations" , "get-devicegrouppolicyconfigurations" ,"update-userproperties" , "dump-windowsapps" , "dump-iosapps" , "dump-androidapps" ,
85+ "get-devicegrouppolicydefinition" , "dump-devicemanagementscripts" , "get-scriptcontent" , "find-privilegedapplications" , "dump-macosapps" , "deploy-maliciousweblink" ,
86+ "get-roledefinitions" , "get-roleassignments" , "display-avpolicyrules" , "display-asrpolicyrules" , "display-diskencryptionpolicyrules" , "display-firewallconfigpolicyrules" ,
87+ "display-firewallrulepolicyrules" , "display-lapsaccountprotectionpolicyrules" , "display-usergroupaccountprotectionpolicyrules" , "get-appserviceprincipal" ,
88+ "display-edrpolicyrules" ,"add-exclusiongrouptopolicy" , "deploy-maliciousscript" , "reboot-device" , "shutdown-device" , "lock-device" , "backdoor-script" ,
89+ "add-applicationpermission" , "new-signedjwt" , "add-applicationcertificate" , "get-application" , "locate-permissionid" , "get-serviceprincipal" , "grant-appadminconsent"
90+ ]
91+
92+ if len (sys .argv ) == 1 :
93+ parser .print_help ()
94+ sys .exit ()
95+
96+ if args .list_commands :
97+ list_commands ()
98+ return
99+
100+ if args .command and args .command .lower () in [
101+ "invoke-refreshtomsgraphtoken" , "invoke-refreshtoazuremanagementtoken" ,
102+ "invoke-refreshtovaulttoken" , "invoke-refreshtomsteamstoken" ,
103+ "invoke-refreshtoofficeappstoken" , "invoke-refreshtoofficemanagementtoken" ,
104+ "invoke-refreshtooutlooktoken" ,"invoke-refreshtosubstratetoken" , "invoke-refreshtoyammertoken" ,
105+ "invoke-refreshtointuneenrollmenttoken" , "invoke-refreshtoonedrivetoken" , "invoke-refreshtosharepointtoken" ,
106+ "get-tokenscope" , "decode-accesstoken" , "get-manageddevices" , "get-userdevices" , "get-user" ,
107+ "get-userproperties" , "get-userprivileges" , "get-usertransitivegroupmembership" , "get-group" ,
108+ "get-groupmember" , "get-userapproleassignments" , "get-conditionalaccesspolicy" , "get-personalcontacts" ,
109+ "get-crosstenantaccesspolicy" , "get-partnercrosstenantaccesspolicy" , "get-userchatmessages" ,
110+ "get-administrativeunitmember" , "get-onedrivefiles" , "get-userpermissiongrants" , "get-oauth2permissiongrants" ,
111+ "get-messages" , "get-temporaryaccesspassword" , "get-password" , "get-currentuser" ,
112+ "get-currentuseractivities" , "get-orginfo" , "get-domains" , "list-authmethods" , "list-directoryroles" ,
113+ "list-notebooks" , "list-conditionalaccesspolicies" , "list-conditionalauthenticationcontexts" ,
114+ "list-conditionalnamedlocations" , "list-sharepointroot" , "list-sharepointsites" , "list-sharepointurls" ,"list-externalconnections" ,
115+ "list-applications" , "list-serviceprincipals" , "list-tenants" , "list-joinedteams" , "list-chats" , "deploy-maliciousweblink" ,
116+ "list-chatmessages" , "list-devices" , "list-administrativeunits" , "list-onedrives" , "list-recentonedrivefiles" , "list-onedriveurls" ,
117+ "list-sharedonedrivefiles" , "invoke-customquery" , "invoke-search" , "find-privilegedroleusers" , "display-firewallconfigpolicyrules" ,
118+ "find-updatablegroups" , "find-dynamicgroups" ,"find-securitygroups" , "locate-objectid" , "update-userpassword" , "add-applicationpassword" ,
119+ "add-usertap" , "add-groupmember" , "create-application" , "create-newuser" , "invite-guestuser" , "update-deviceconfig" ,
120+ "assign-privilegedrole" , "open-owamailboxinbrowser" , "dump-owamailbox" , "spoof-owaemailmessage" , "dump-androidapps" ,
121+ "delete-user" , "delete-group" , "remove-groupmember" , "delete-application" , "delete-device" , "wipe-device" , "retire-device" ,
122+ "get-caps" , "get-devicecategories" , "display-devicecompliancepolicies" , "get-devicecompliancesummary" , "dump-macosapps" ,
123+ "get-deviceconfigurations" , "get-deviceconfigurationpolicies" , "get-deviceconfigurationpolicysettings" , "dump-iosapps" ,
124+ "get-deviceenrollmentconfigurations" , "get-devicegrouppolicyconfigurations" , "grant-appadminconsent" , "dump-windowsapps" ,
125+ "get-devicegrouppolicydefinition" , "dump-devicemanagementscripts" , "update-userproperties" , "find-privilegedapplications" ,
126+ "get-scriptcontent" , "get-roledefinitions" , "get-roleassignments" , "display-avpolicyrules" ,"get-appserviceprincipal" ,
127+ "display-asrpolicyrules" , "display-diskencryptionpolicyrules" , "display-firewallrulepolicyrules" , "backdoor-script" ,
128+ "display-edrpolicyrules" , "display-lapsaccountprotectionpolicyrules" , "display-usergroupaccountprotectionpolicyrules" ,
129+ "add-exclusiongrouptopolicy" ,"deploy-maliciousscript" , "reboot-device" , "add-applicationpermission" , "new-signedjwt" ,
130+ "add-applicationcertificate" , "get-application" , "get-serviceprincipal" , "get-serviceprincipalapproleassignments" ]:
131+ if not args .token :
132+ print_red (f"[-] Error: --token is required for command" )
133+ return
134+
135+ try :
136+ # Outsider commands
137+ if args .command in ["invoke-reconasoutsider" , "invoke-userenumerationasoutsider" ]:
138+ getattr (outsider , args .command .replace ("-" , "_" ))(args )
139+
140+ # Authentication commands
141+ elif args .command in ["get-graphtokens" , "get-tenantid" , "get-tokenscope" , "decode-accesstoken" ,
142+ "invoke-refreshtomsgraphtoken" , "invoke-refreshtoazuremanagementtoken" ,
143+ "invoke-refreshtovaulttoken" , "invoke-refreshtomsteamstoken" ,
144+ "invoke-refreshtoofficeappstoken" , "invoke-refreshtoofficemanagementtoken" ,
145+ "invoke-refreshtooutlooktoken" , "invoke-refreshtosubstratetoken" ,
146+ "invoke-refreshtoyammertoken" , "invoke-refreshtointuneenrollmenttoken" ,
147+ "invoke-refreshtoonedrivetoken" , "invoke-refreshtosharepointtoken" ,
148+ "invoke-certtoaccesstoken" , "invoke-estscookietoaccesstoken" ,
149+ "invoke-appsecrettoaccesstoken" , "new-signedjwt" ]:
150+ getattr (auth , args .command .replace ("-" , "_" ))(args )
151+
152+ # Enumeration commands
153+ elif args .command in ["get-currentuser" , "get-currentuseractivities" , "get-orginfo" , "get-domains" ,
154+ "get-user" , "get-userproperties" , "get-userprivileges" ,
155+ "get-usertransitivegroupmembership" , "get-group" , "get-groupmember" ,
156+ "get-userapproleassignments" , "get-conditionalaccesspolicy" ,
157+ "get-application" , "get-personalcontacts" , "get-crosstenantaccesspolicy" ,
158+ "get-partnercrosstenantaccesspolicy" , "get-userchatmessages" ,
159+ "get-administrativeunitmember" , "get-onedrivefiles" , "get-userpermissiongrants" ,
160+ "get-oauth2permissiongrants" , "get-messages" , "get-temporaryaccesspassword" ,
161+ "get-password" , "list-authmethods" , "list-directoryroles" , "list-notebooks" ,
162+ "list-conditionalaccesspolicies" , "list-conditionalauthenticationcontexts" ,
163+ "list-conditionalnamedlocations" , "list-sharepointroot" , "list-sharepointsites" ,
164+ "list-sharepointurls" , "list-externalconnections" , "list-applications" , "list-onedriveurls" ,
165+ "list-serviceprincipals" , "list-tenants" , "list-joinedteams" , "list-chats" ,
166+ "list-chatmessages" , "list-devices" , "list-administrativeunits" , "list-onedrives" ,
167+ "list-recentonedrivefiles" , "list-sharedonedrivefiles" , "get-appserviceprincipal" ,
168+ "get-serviceprincipal" , "get-serviceprincipalapproleassignments" ]:
169+ getattr (enum , args .command .replace ("-" , "_" ))(args )
170+
171+ # Exploitation commands
172+ elif args .command in ["invoke-customquery" ,"invoke-search" , "find-privilegedroleusers" , "find-privilegedapplications" ,
173+ "find-updatablegroups" ,"find-dynamicgroups" , "find-securitygroups" ,
174+ "update-userpassword" , "update-userproperties" , "add-usertap" , "add-groupmember" ,
175+ "create-application" , "create-newuser" , "invite-guestuser" ,
176+ "assign-privilegedrole" , "open-owamailboxinbrowser" , "dump-owamailbox" ,
177+ "spoof-owaemailmessage" , "add-applicationpermission" , "add-applicationcertificate" ,
178+ "add-applicationpassword" , "grant-appadminconsent" ]:
179+ getattr (exploit , args .command .replace ("-" , "_" ))(args )
180+
181+ # Intune enum commands
182+ elif args .command in ["get-manageddevices" , "get-userdevices" , "get-caps" , "get-devicecategories" ,
183+ "get-devicecompliancesummary" , "get-deviceconfigurations" ,
184+ "get-deviceconfigurationpolicies" , "get-deviceconfigurationpolicysettings" ,
185+ "get-deviceenrollmentconfigurations" , "get-devicegrouppolicyconfigurations" ,
186+ "get-devicegrouppolicydefinition" , "get-roledefinitions" , "get-roleassignments" ,
187+ "get-devicecompliancepolicies" ]:
188+ getattr (intune_enum , args .command .replace ("-" , "_" ))(args )
189+
190+ # Intune exploit commands
191+ elif args .command in ["dump-devicemanagementscripts" ,"dump-windowsapps" , "dump-iosapps" ,
192+ "dump-androidapps" , "dump-macosapps" ,"get-scriptcontent" ,
193+ "display-avpolicyrules" , "display-asrpolicyrules" ,
194+ "display-diskencryptionpolicyrules" , "display-firewallconfigpolicyrules" ,
195+ "display-firewallrulepolicyrules" , "display-edrpolicyrules" ,
196+ "display-lapsaccountprotectionpolicyrules" ,
197+ "display-usergroupaccountprotectionpolicyrules" , "add-exclusiongrouptopolicy" ,
198+ "deploy-maliciousscript" , "deploy-maliciousweblink" , "backdoor-script" ,
199+ "update-deviceconfig" , "reboot-device" , "retire-device" , "lock-device" ,
200+ "shutdown-device" ]:
201+ getattr (intune_exploit , args .command .replace ("-" , "_" ))(args )
202+
203+ # Cleanup commands
204+ elif args .command in ["delete-user" , "delete-group" , "remove-groupmember" , "delete-application" ,
205+ "delete-device" , "wipe-device" ]:
206+ getattr (cleanup , args .command .replace ("-" , "_" ))(args )
207+
208+ # Locator commands
209+ elif args .command in ["locate-objectid" , "locate-permissionid" ]:
210+ getattr (locators , args .command .replace ("-" , "_" ))(args )
211+
212+ # ...
213+ elif args .command and args .command .lower () not in available_commands :
214+ print_red (f"[-] Error: Unknown command '{ args .command } '. Use --list-commands to see available commands" )
215+
216+ except KeyboardInterrupt :
217+ print_red ("\n [-] Operation cancelled by user" )
218+ sys .exit (1 )
219+ except Exception as e :
220+ print_red (f"\n [-] An error occurred while executing '{ args .command } ': { str (e )} " )
221+ sys .exit (1 )
222+
223+ if __name__ == "__main__" :
224+ main ()
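Review bot: The token gate at L99 compares `args.command.lower()` against its list, but every dispatch branch from L136 onward compares the raw `args.command`, and the unknown-command fallback at L212 again uses `.lower()` — so a mixed-case command such as `Get-User` passes the token check, matches no branch, and exits silently with no error. Normalising once after parsing, `args.command = args.command.lower() if args.command else None` at L61, makes the three checks agree and also removes the silent no-op when `--command` is omitted but other flags are given. The three hand-maintained lists have already drifted: `display-devicecompliancepolicies` (L121) is in the token gate but in no dispatch list, while `lock-device` and `shutdown-device` (L198–L199) are dispatched but not token-gated, and `new-signedjwt` appears twice in `available_commands` (L69, L88); deriving the gate and `available_commands` from the dispatch lists would stop this. The f-string at L131 has no placeholder; `print_red(f"[-] Error: --token is required for command '{args.command}'")` tells the user which command failed.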