Add files via upload

rolling-code · web-flow · commit c35769c159ab · 2025-12-03T15:08:11.000-05:00
diff --git a/Azure Active Directory/generate_oauth_phishing_url2.ps1 b/Azure Active Directory/generate_oauth_phishing_url2.ps1
@@ -0,0 +1,88 @@
+
+<#
+Scenario 1 – Org-only SAT (working)
+
+This script generates a tenant-specific OAuth URL for a single-tenant app (AzureADMyOrg) and redirects
+to your GitHub Pages training page (success.html). The goal is to show how legit Microsoft login + app
+names can mislead users, and to teach verification of publisher and permissions.
+
+Prerequisites, TODO:
+- GitHub Pages enabled for https://rolling-code.github.io/PowerShell-Scripts/
+- The file 'docs/success.html' MUST exist in your repo (served by Pages).
+- Azure CLI installed and logged in (az login).
+- Your app must be registered in YOUR org (AzureADMyOrg) and have the redirect URI(s) added.
+
+Consistency CLI (run once to set up the app):
+1) Login to Azure
+   az login
+   # Authenticate to Azure CLI in the org where the app will live
+
+2) Create the app registration (captures appId)
+   az ad app create `
+     --display-name "TODO Security Portal" `    # Neutral name; avoid 'Microsoft', 'Teams', etc.
+     --sign-in-audience AzureADMyOrg `
+     --web-redirect-uris "https://rolling-code.github.io/PowerShell-Scripts/success.html" `
+     --enable-id-token-issuance true
+   # Creates the app and enables ID tokens
+   # Save the returned "appId" (client ID) and your tenant ID/domain
+
+3) Create the service principal
+   az ad sp create --id <APP_ID>   # Use your appId here
+   # Links the app to your tenant so users can sign in
+
+4) Declare Graph delegated scopes (User.Read, etc.)
+   # We do this programmatically by calling scope_declaration_function() below
+   # Ensures the consent screen shows the same permissions as requested in the URL
+
+5) (Optional) Add another redirect URI if desired
+   az ad app update `
+     --id <APP_ID> `               # Use your appId here
+     --web-redirect-uris "https://rolling-code.github.io/PowerShell-Scripts/success.html" `
+                         "https://rolling-code.github.io/PowerShell-Scripts/"
+   # Keep URIs synchronized with your GitHub Pages files
+
+6) Run this script to generate the URL and test in a browser
+#>
+
+[CmdletBinding()]
+param(
+    [string] $RedirectUri = "https://rolling-code.github.io/PowerShell-Scripts/success.html",  # TODO MUST exist in GitHub /docs
+    [string] $ClientId    = "TODO",                            # TODO Use YOUR appId here (from Step 2)
+    [string] $Tenant      = "TODO",                            # TODO or "acme.onmicrosoft.com"
+    [string] $Scope       = "openid profile email User.Read"
+)
+
+# ---- include helper ----
+. .\helper_scopes.ps1
+
+# Ensure app's required resource access matches scopes requested
+# Fails if not az logged in, fine if already done. 
+# Presumable if you created the app for this URL you were logged in or are logged in.
+scope_declaration_function -AppId $ClientId -IncludeMailAndFiles  # (optional) add Mail.Read + Files.Read
+
+function Encode([string] $s) { [System.Uri]::EscapeDataString($s) }
+
+# Exact match is required: redirect in URL must equal the registered URI (including path)
+$encRedirect = Encode $RedirectUri
+$encScope    = Encode $Scope
+$state       = "sim-" + [Guid]::NewGuid().ToString()
+
+# Single-tenant app => use tenant-specific authority
+$base = "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/authorize"
+
+$authUrl = "$base" +
+           "?client_id=$ClientId" +
+           "&response_type=code" +
+           "&redirect_uri=$encRedirect" +
+           "&scope=$encScope" +
+           "&state=$state"
+
+Write-Host ([Environment]::NewLine + "--- OAuth Simulation URL (Org-only) ---") -ForegroundColor Green
+Write-Host $authUrl -ForegroundColor Yellow
+
+try {
+    $authUrl | clip
+    Write-Host ([Environment]::NewLine + "(Copied to clipboard.)") -ForegroundColor Cyan
+} catch {
+    Write-Verbose ('Clipboard copy failed: ' + $_)
+}
diff --git a/Azure Active Directory/generate_oauth_phishing_url_MS_App2.ps1 b/Azure Active Directory/generate_oauth_phishing_url_MS_App2.ps1
@@ -0,0 +1,59 @@
+
+<#
+Scenario 2 – Spoofed Microsoft app (intentional error)
+
+This script builds an OAuth URL using a Microsoft-owned client ID to demonstrate that a trusted app name
+is NOT enough. The flow breaks after sign-in with AADSTS50011 because the redirect URI is not one of the
+official URIs registered for that Microsoft app.
+
+Prerequisites:
+- GitHub Pages enabled; 'docs/index.html' should exist for your base landing page.
+- No app registration changes are possible for Microsoft-owned client IDs.
+
+Consistency CLI (no app create here; demonstration only):
+1) TODO Confirm GitHub Pages is serving your landing page:
+   https://rolling-code.github.io/PowerShell-Scripts/
+
+2) Run this script and open the URL. Observe:
+   - Microsoft login and trusted app name
+   - Then AADSTS50011 redirect mismatch (by design)
+#>
+
+[CmdletBinding()]
+param(
+    [string] $RedirectUri = "https://rolling-code.github.io/PowerShell-Scripts/",        # TODO MUST exist in GitHub /docs
+    [string] $ClientId    = "00000002-0000-0ff1-ce00-000000000000",                      # Exchange Online public appId
+    [string] $Scope       = "openid profile email"
+)
+
+# ---- include helper (guarded) ----
+. .\helper_scopes.ps1
+
+# Guard: skip scope configuration for Microsoft-owned client IDs (helper detects & warns)
+scope_declaration_function -AppId $ClientId | Out-Null
+
+function Encode([string] $s) { [System.Uri]::EscapeDataString($s) }
+
+$encRedirect = Encode $RedirectUri
+$encScope    = Encode $Scope
+$state       = "sim-" + [Guid]::NewGuid().ToString()
+
+# Public Microsoft app => /common authority
+$base = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
+
+$authUrl = "$base" +
+           "?client_id=$ClientId" +
+           "&response_type=code" +
+           "&redirect_uri=$encRedirect" +
+           "&scope=$encScope" +
+           "&state=$state"
+
+Write-Host ([Environment]::NewLine + "--- OAuth URL (Spoof Microsoft App; expect AADSTS50011) ---") -ForegroundColor Green
+Write-Host $authUrl -ForegroundColor Yellow
+
+try {
+    $authUrl | clip
+    Write-Host ([Environment]::NewLine + "(Copied to clipboard.)") -ForegroundColor Cyan
+} catch {
+    Write-Verbose ('Clipboard copy failed: ' + $_)
+}
diff --git a/Azure Active Directory/generate_oauth_phishing_url_pwnd2.ps1 b/Azure Active Directory/generate_oauth_phishing_url_pwnd2.ps1
@@ -0,0 +1,83 @@
+
+<#
+Scenario 3 – Multi-tenant attacker-style (realistic consent phishing)
+
+This script generates an OAuth URL for a multi-tenant app (AzureADMultipleOrgs) and redirects to pwndstars.html.
+It demonstrates how attackers use the real Microsoft sign-in page and a convincing consent prompt to obtain
+access/refresh tokens (if consent is granted). For SAT, we DO NOT exchange codes for tokens.
+
+Prerequisites:
+- GitHub Pages enabled; the file 'docs/pwndstars.html' MUST exist and be published.
+- Your multi-tenant app must be registered and the redirect URI(s) added.
+
+Consistency CLI (run once to set up the app):
+1) Login to Azure
+   az login
+   # Authenticate to Azure CLI in the tenant where you own this app
+
+2) Create the multi-tenant app (captures appId)
+   az ad app create `
+     --display-name "TODO Security Portal" `     # Neutral name; avoid 'Microsoft', 'Teams', etc.
+     --sign-in-audience AzureADMultipleOrgs `
+     --web-redirect-uris "https://rolling-code.github.io/PowerShell-Scripts/pwndstars.html" `
+     --enable-id-token-issuance true
+   # Save the returned "appId" (client ID)
+
+3) Create the service principal (optional but recommended)
+   az ad sp create --id <APP_ID>               # Use YOUR appId here
+   # Makes the app manageable under Enterprise applications
+
+4) Declare Graph delegated scopes (identical across scenarios)
+   # We do this programmatically by calling scope_declaration_function() below
+   # Ensures the consent screen shows User.Read, Mail.Read, Files.Read (and offline_access requested in URL)
+
+5) Add additional redirect URIs if needed
+   az ad app update `
+     --id <APP_ID> `                            # Use YOUR appId here
+     --web-redirect-uris "https://rolling-code.github.io/PowerShell-Scripts/pwndstars.html" `
+                         "https://rolling-code.github.io/PowerShell-Scripts/"
+   # Keep URIs synchronized with GitHub
+
+6) Run this script to generate the URL and test in a browser
+#>
+
+[CmdletBinding()]
+param(
+    [string] $RedirectUri = "https://rolling-code.github.io/PowerShell-Scripts/pwndstars.html",   # TODO MUST exist in GitHub /docs
+    [string] $ClientId    = "TODO",                               # TODO Use YOUR appId here (from Step 2)
+    [string] $Scope       = "openid profile offline_access User.Read Mail.Read Files.Read"
+)
+
+# ---- include helper ----
+. .\helper_scopes.ps1
+
+# Configure app's required resource access so consent screen matches URL scopes
+# Fails if not az logged in, fine if already done. 
+# Presumable if you created the app for this URL you were logged in or are logged in.
+scope_declaration_function -AppId $ClientId -IncludeMailAndFiles
+
+function Encode([string] $s) { [System.Uri]::EscapeDataString($s) }
+
+$encRedirect = Encode $RedirectUri
+$encScope    = Encode $Scope
+$state       = "sim-" + [Guid]::NewGuid().ToString()
+
+# Multi-tenant app => /common authority
+$base = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
+
+$authUrl = "$base" +
+           "?client_id=$ClientId" +
+           "&response_type=code" +
+           "&redirect_uri=$encRedirect" +
+           "&scope=$encScope" +
+           "&state=$state"
+
+Write-Host ([Environment]::NewLine + "--- OAuth URL (Multi-tenant pwnd demo) ---") -ForegroundColor Green
+Write-Host $authUrl -ForegroundColor Yellow
+
+try {
+    $authUrl | clip
+    Write-Host ([Environment]::NewLine + "(Copied to clipboard.)") -ForegroundColor Cyan
+} catch {
+    Write-Verbose ('Clipboard copy failed: ' + $_)
+}
diff --git a/Azure Active Directory/helper_scopes.ps1 b/Azure Active Directory/helper_scopes.ps1
@@ -0,0 +1,79 @@
+
+<#
+helper_scopes.ps1
+
+Configures Microsoft Graph delegated scopes on an app registration so the consent prompt
+shows the same permissions the OAuth URL requests.
+
+Prereqs:
+- Azure CLI installed and logged in (az login).
+- AppId must be YOUR app's client ID (not a Microsoft-owned client ID).
+#>
+
+function scope_declaration_function {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string] $AppId,                       # TODO 
+
+        [Parameter(Mandatory = $false)]
+        [switch] $IncludeMailAndFiles,         # add Mail.Read & Files.Read
+
+        [Parameter(Mandatory = $false)]
+        [switch] $UseTempFile                  # fallback: write JSON to temp file and pass by path
+    )
+
+    # Microsoft Graph resource app ID (fixed)
+    $graphAppId = "00000003-0000-0000-c000-000000000000"
+
+    # Guard: refuse Microsoft-owned client IDs (we can't modify those anyway)
+    if ($AppId -match '^(00000002-0000-0ff1-ce00-000000000000|1fec8e78-bce4-4aaf-ab1b-5451d15019d1)$') {
+        Write-Warning "AppId '$AppId' looks like a Microsoft-owned client ID. Skipping scope configuration."
+        return
+    }
+
+    # Delegated scope GUIDs
+    $UserRead  = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
+    $MailRead  = "570282fd-fa5c-430d-a7fd-fc8dc98a9dca" # Mail.Read
+    $FilesRead = "df85f4d6-205c-4ac5-a5ea-6bf408dba283" # Files.Read
+
+    # Build the resourceAccess array
+    $resourceAccess = @(
+        @{ id = $UserRead;  type = "Scope" }
+    )
+
+    if ($IncludeMailAndFiles) {
+        $resourceAccess += @{ id = $MailRead;  type = "Scope" }
+        $resourceAccess += @{ id = $FilesRead; type = "Scope" }
+    }
+
+    # Full payload (array of one item)
+    $payload = @(
+        @{
+            resourceAppId  = $graphAppId
+            resourceAccess = $resourceAccess
+        }
+    )
+
+    # Serialize to compact JSON (no comments, no line breaks)
+    $json = $payload | ConvertTo-Json -Depth 6 -Compress
+
+    Write-Host "Applying required resource access to appId $AppId ..." -ForegroundColor Cyan
+
+    # Try direct pass first
+    $result = az ad app update --id $AppId --required-resource-access $json 2>&1
+    if ($LASTEXITCODE -ne 0) {
+        Write-Warning "Direct JSON pass failed; retrying with a temp file..."
+        # Fallback: write to temp file and pass by path (quoted string so PowerShell doesn't treat '@' specially)
+        $tmp = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), "reqresaccess.$([Guid]::NewGuid().ToString()).json")
+        Set-Content -Path $tmp -Value $json -Encoding UTF8
+        $result = az ad app update --id $AppId --required-resource-access "@$tmp" 2>&1
+        Remove-Item $tmp -ErrorAction SilentlyContinue
+    }
+
+    if ($LASTEXITCODE -ne 0) {
+        Write-Error "Failed to update scopes. Azure CLI returned:`n$result"
+    } else {
+        Write-Host "Scopes updated successfully." -ForegroundColor Green
+    }
+}
