Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Know Your Organization : Mapping Entities in Go...

CyberWarFare Labs
September 25, 2022
Education
0
140

Know Your Organization : Mapping Entities in Google Workspace

c0c0n 2022 PPT

CyberWarFare Labs

September 25, 2022
Tweet

More Decks by CyberWarFare Labs

See All by CyberWarFare Labs
Introduction to Red Teaming in Hybrid Multi-Cloud Environment
cyberwarfarelabs
0
2.5k

Other Decks in Education

See All in Education
HCI Research Methods - Lecture 7 - Human-Computer Interaction (1023841ANR)
signer
PRO
0
710
Medidas en informática
irocho
0
300
HP用_松尾研紹介資料.pdf
matsuolab
0
170
Web Application Frameworks - Lecture 4 - Web Technologies (1019888BNR)
signer
PRO
0
2.6k
1030
cbtlibrary
0
300
1113
cbtlibrary
0
260
HTML5 and the Open Web Platform - Lecture 3 - Web Technologies (1019888BNR)
signer
PRO
1
2.6k
Ch2_-_Partie_2.pdf
bernhardsvt
0
110
世界のオープンソースロボットたち #1
shiba_8ro
0
140
Nodiレクチャー 「CGと数学」講義資料 2024/11/19
masatatsu
2
190
老人会? いえ、技術継承です @ builderscon 2024 LT
s3i7h
0
110
開発終了後こそ成長のチャンス!プロダクト運用を見送った先のアクションプラン
ohmori_yusuke
2
160

Featured

See All Featured
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
How GitHub (no longer) Works
holman
310
140k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Scaling GitHub
holman
458
140k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Embracing the Ebb and Flow
colly
84
4.5k
Designing for humans not robots
tammielis
250
25k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Speed Design
sergeychernyshev
25
620
Writing Fast Ruby
sferik
627
61k
Side Projects
sachag
452
42k

Transcript

  1. Know your Organization? Mapping Entities in Google WorkSpace By Manish

    Gupta & Yash Bharadwaj Copyright CyberWarFare R&D Pvt. Ltd.

  2. About us Manish Gupta • Co-Founder & CEO @CyberWarFare Labs

    • Interested in On-Prem & Cloud Offensive Information Security • Presented Research / Training at various International Conferences / Govt. Agencies Yash Bharadwaj • Co-Founder & CTO @CyberWarFare Labs • R&D in On-Prem & Enterprise Security Evasion • Presented Cyber Security Research / Training at various National / International Conferences • Twitter : @flopyash

  3. AGENDA 1. Uber Hack 2. About Google WorkSpace 3. Challenges

    4. Ideas to overcome challenges 5. Working methodology to map entities 6. Integrating with Attack Vectors 7. Extending to GUI support

  4. Uber Hack Case Study

  5. None

  6. Google WorkSpace [Previously G-Suite] • Collection of cloud computing, productivity

    & collaboration products • Large Customer Base of more than 6 Million Users • Used by Fortune 500, MNCs for day to day operations

  7. Challenges Discovery Restricted Mapping Entities Thousands of Entities (Users, Groups)

    in a single workspace account ONLY Accessible to Organization Administrators Tedious tasks to map the User / Group entities for Possible Attack Paths

  8. Ideas to Overcome Challenges Step 3 Lure the target to

    “Allow” the asked permissions with organization email Step 1 Create Application with OAuth Credential Step 2 Define the Scope to “Directory.ReadOnly” & “cloud-identity.groups.ReadOnly” Getting into Organization Google Workspace

  9. Implementation

  10. Generate OAuth Creds Obtain OAuth Creds so attacker app can

    request user’s data App follow OAuth Flow Generated OAuth Creds can be used to obtain “Client Authorization code” Directory Read Permissions Once Authorization Code is obtained, Read from the org directory Profit Use the information for identifying possible attack vectors 11.01.XX

  11. Weaponizing with Illicit Consent Grant Attack

  12. Tool Demonstration Link : https://vimeo.com/751984378

  13. None

  14. ANY QUESTIONS! [email protected] https://github.com/RedTeamOperations/GoogleWorkspaceDirectoryDump • Twitter : @cyberwarfarelab • LinkedIn

    : https://www.linkedin.com/company/cyberwarfare