GD-Thief
Red Team tool for exfiltrating files from a target's Google Drive that you(the attacker) has access to, via the Google Drive API. This includes includes all shared files, all files from shared drives, and all files from domain drives that the target has access to.
HOW TO
For an illustrated walkthrough, check out my blog post.
Create a new Google Cloud Platform (GCP) project
Steps to get the Google API Access Token needed for connecting to the API
- Create a burner Gmail/google account
- Login to said account
- Navigate to the Google Cloud Console
- Next to "Google Cloud Platform," click the "Select a project"
Down arrow
. A dialog listing current projects appears. - Click
New Project
. The New Project screen appears. - In the
Project Name field
, enter a descriptive name for your project. - (Optional) To edit the
Project ID
, clickEdit
. The project ID can't be changed after the project is created, so choose an ID that meets your needs for the lifetime of the project. - Click
Create
. The console navigates to the Dashboard page and your project is created within a few minutes.
Enable a Google Workspace API
- Next to "Google Cloud Platform," click the
Down arrow
and select the project you just created from the dropdown list. - In the top-left corner, click
Menu
>APIs & Services
. - Click
Enable APIs and Services
. The "Welcome to API Library" page appears. - In the
search field
, enter "Google Drive". - Click the Google Drive API. The API page appears.
- Click
Enable
. The Overview page appears.
Configure OAuth Consent screen
- On the left side of the Overview page click
Credentials
. The credential page for your project appears. - Click
Configure Consent Screen
. The "OAuth consent screen" screen appears. - Click the
External
user type for your app. - Click
Create
. A second "OAuth consent screen" screen appears. - Fill out the form:
- Enter an Application Name in the
App name
field - Enter your burner email address in the
User support email
field. - Enter your burner email address in the
Developer contact information
field.
- Enter an Application Name in the
- Click
Save and Continue
. The "Scopes" page appears. - Click
Add or Remove Scopes
. The "Update selected scopes" page appears. - Check all of the
Google Drive
scopes to use in the app. GD scopes cover 2 pages, so click the next page and ensure that you check them all. - Click
Update
. A list of scopes for your app appears. - Click
Save and Continue
. The "Edit app registration" page appears. - Click
Save and Continue
. The "OAuth consent screen" appears.
Create a credential
- Click
Create Credentials
and selectOAuth client ID
. The "Create OAuth client ID" page appears. - Click the Application type drop-down list and select
Desktop Application
. - In the
name
field, type a name for the credential. This name is only shown in the Cloud Console. - Click
Create
. The OAuth client created screen appears. This screen shows theClient ID
andClient secret
. - Click
OK
. The newly created credential appears under "OAuth 2.0 Client IDs." - Click the
download
button to the right of the newly-created OAuth 2.0 Client ID. This copies a client secret JSON file to your desktop. Note the location of this file. - Rename the client secret JSON file to "credentials.json" and move it to the
gd_thief/credentials
directory.
Add the victim's Google account to the Application's Test Users
In order to be able to run this script against the victim, you will need to add their Google account to the Test Users list for the App you just created
- On the Left side of the screen click
OAuth consent screen
. You "OAuth Consent Screen" page appears. - Under
Test Users
click theAdd Users
button. - Enter the victim's Gmail address in the
email address
field. - Click the
save
button.
First Time running gd_thief
Upon gaining access to a Target's Google account, you can run gd_thief
- The first time running gd_thief, the script opens a new window prompting you to authorize access to your data:
- If you are signed in to multiple Google accounts, you are asked to select one account to use for the authorization. Make sure you select the victim's Google account
Dependencies
Google API Libraries: pip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib
Usage:
usage:
python3 gd_thief.py [-h] -m [{dlAll, dlDict[-d <DICTIONARY FILE PATH>]}
[-t <THREAD COUNT>]
help:
This Module will connect to Google's API using an access token and exfiltrate files
from a target's Google Drive. It will output exfiltrated files to the ./loot directory
arguments:
-m [{dlAll, dlDict}],
--mode [{dlAll, dlDict}]
The mode of file download
Can be "dlAll", "dlDict [-d <DICTIONARY FILE PATH>]", or... (More options to come)
optional arguments:
-d <DICTIONARY FILE PATH>, --dict <DICTIONARY FILE PATH>
Path to the dictionary file. Mandatory with download mode"-m, --mode dlDict"
You can use the provided dictionary, per example: "-d ./dictionaries/secrets-keywords.txt"
-t <THREAD COUNT>, --threads <THREAD COUNT>
Number of threads. (Too many could exceeed Google's rate limit threshold)
-h, --help
show this help message and exit
NOTES:
- Setting the thread count too high will cause an HTTP 403 "Rate limit exceeded," indicating that the user has reached Google Drive API's maximum request rate.
- The thread count limit vaires from machine to machine. I've set it to 250 on a Macbook Pro, while 250 was too high for my Windows 10 Desktop
REFERENCES:
- The secrets-keywords dictionary file was taken from SecLists' secrets-keywords.txt
TODO:
ThreadingError CheckingWordlist file content search and download- File type download
- Snort Sensitive Data regex file content search and download
Optical Character Recognition (OCR)
Special Thanks:
Thank you to my good friend Cedric Owens for helping me with the threading piece!