{"id":807,"date":"2022-12-22T15:21:00","date_gmt":"2022-12-22T15:21:00","guid":{"rendered":"https:\/\/cybersecuritynest.com\/?p=807"},"modified":"2022-12-22T15:21:00","modified_gmt":"2022-12-22T15:21:00","slug":"squarephish-qr-code-and-auth-device-code-authentication-phishing-tool","status":"publish","type":"post","link":"https:\/\/cybersecuritynest.com\/?p=807","title":{"rendered":"SquarePhish: QR Code and Auth Device Code authentication Phishing tool"},"content":{"rendered":"<h1 dir=\"auto\">SquarePhish<\/h1>\n<p dir=\"auto\">SquarePhish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes.<\/p>\n<blockquote>\n<p dir=\"auto\">See\u00a0<a href=\"https:\/\/github.com\/secureworks\/PhishInSuits\">PhishInSuits<\/a>\u00a0for more details on using OAuth 
Device Code flow for phishing attacks.<\/p>\n<\/blockquote>\n<div class=\"snippet-clipboard-content notranslate position-relative overflow-auto\">\n<pre class=\"notranslate\"><code>\r\n   _____                            _____  _     _     _     \r\n  \/ ____|                          |  __ \\| |   (_)   | |    \r\n | (___   __ _ _   _  __ _ _ __ ___| |__) | |__  _ ___| |__  \r\n  \\___ \\ \/ _` | | | |\/ _` | '__\/ _ \\  ___\/| '_ \\| \/ __| '_ \\ \r\n  ____) | (_| | |_| | (_| | | |  __\/ |    | | | | \\__ \\ | | |\r\n |_____\/ \\__, |\\__,_|\\__,_|_|  \\___|_|    |_| |_|_|___\/_| |_|\r\n            | |                                              \r\n            |_|                                            \r\n                     _________\r\n                    |         | \/(\r\n                    | O       |\/ (\r\n                    |&gt;        |\\ (  v0.1.0\r\n                    |_________| \\(\r\n\r\nusage: squish.py [-h] {email,server} ...\r\n\r\nSquarePhish -- v0.1.0\r\n\r\noptional arguments:\r\n  -h, --help      show this help message and exit\r\n\r\nmodules:\r\n  {email,server}\r\n    email         send a malicious QR Code email to a provided victim\r\n    server        host a malicious server QR Codes generated via the 'email' module will \r\n                  point to that will activate the malicious OAuth Device Code flow\r\n<\/code><\/pre>\n<\/div>\n<h2 dir=\"auto\"><a id=\"user-content-attack-steps\" class=\"anchor\" href=\"https:\/\/github.com\/secureworks\/squarephish#attack-steps\" aria-hidden=\"true\"><\/a>Attack Steps<\/h2>\n<p dir=\"auto\">An attacker can use the\u00a0<code>email<\/code>\u00a0module of SquarePhish to send a malicious QR code email to a victim. The default pretext is that the victim is required to update their Microsoft MFA authentication to continue using mobile email. 
The current client ID in use is the Microsoft Authenticator App.<\/p>\n<blockquote>\n<p dir=\"auto\">By sending a QR code first, the attacker can avoid prematurely starting the OAuth Device Code flow that lasts only 15 minutes.<\/p>\n<\/blockquote>\n<p dir=\"auto\"><a href=\"https:\/\/github.com\/secureworks\/squarephish\/blob\/main\/resc\/1st_email.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" src=\"https:\/\/github.com\/secureworks\/squarephish\/raw\/main\/resc\/1st_email.png\" width=\"400\" \/><\/a><\/p>\n<p dir=\"auto\">The victim will then scan the QR code found in the email body with their mobile device. The QR code will direct the victim to the attacker-controlled server (running the\u00a0<code>server<\/code>\u00a0module of SquarePhish), with a URL parameter set to their email address.<\/p>\n<p dir=\"auto\"><a href=\"https:\/\/github.com\/secureworks\/squarephish\/blob\/main\/resc\/qrcode.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" src=\"https:\/\/github.com\/secureworks\/squarephish\/raw\/main\/resc\/qrcode.png\" width=\"400\" \/><\/a><\/p>\n<p dir=\"auto\">When the victim visits the malicious SquarePhish server, a background process is triggered that will start the OAuth Device Code authentication flow and email the victim a generated Device Code they are then required to enter into the legitimate Microsoft Device Code website (this will start the OAuth Device Code flow 15-minute timer).<\/p>\n<p dir=\"auto\"><a href=\"https:\/\/github.com\/secureworks\/squarephish\/blob\/main\/resc\/2nd_email.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" src=\"https:\/\/github.com\/secureworks\/squarephish\/raw\/main\/resc\/2nd_email.png\" width=\"400\" \/><\/a><\/p>\n<p dir=\"auto\">The SquarePhish server will then continue to poll for authentication in the background.<\/p>\n<div class=\"snippet-clipboard-content notranslate position-relative overflow-auto\">\n<pre 
class=\"notranslate\"><code>[2022-04-08 14:31:51,962] [info] [minnow@square.phish] Polling for user authentication...\r\n[2022-04-08 14:31:57,185] [info] [minnow@square.phish] Polling for user authentication...\r\n[2022-04-08 14:32:02,372] [info] [minnow@square.phish] Polling for user authentication...\r\n[2022-04-08 14:32:07,516] [info] [minnow@square.phish] Polling for user authentication...\r\n[2022-04-08 14:32:12,847] [info] [minnow@square.phish] Polling for user authentication...\r\n[2022-04-08 14:32:17,993] [info] [minnow@square.phish] Polling for user authentication...\r\n[2022-04-08 14:32:23,169] [info] [minnow@square.phish] Polling for user authentication...\r\n[2022-04-08 14:32:28,492] [info] [minnow@square.phish] Polling for user authentication...\r\n<\/code><\/pre>\n<\/div>\n<p dir=\"auto\">The victim will then visit the Microsoft Device Code authentication site from either the link provided in the email or via a redirect from visiting the SquarePhish URL on their mobile device.<\/p>\n<p dir=\"auto\"><a href=\"https:\/\/github.com\/secureworks\/squarephish\/blob\/main\/resc\/mssite.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" src=\"https:\/\/github.com\/secureworks\/squarephish\/raw\/main\/resc\/mssite.png\" width=\"400\" \/><\/a><\/p>\n<p dir=\"auto\">The victim will then enter the provided Device Code and will be prompted for consent.<\/p>\n<p dir=\"auto\"><a href=\"https:\/\/github.com\/secureworks\/squarephish\/blob\/main\/resc\/consent.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" src=\"https:\/\/github.com\/secureworks\/squarephish\/raw\/main\/resc\/consent.png\" width=\"400\" \/><\/a><\/p>\n<p dir=\"auto\">After the victim authenticates and consents, an authentication token is saved locally and will provide the attacker access via the defined scope of the requesting application.<\/p>\n<div class=\"snippet-clipboard-content notranslate position-relative overflow-auto\">\n<pre 
class=\"notranslate\"><code>[2022-04-08 14:32:28,796] [info] [minnow@square.phish] Token info saved to minnow@square.phish.tokeninfo.json\r\n<\/code><\/pre>\n<\/div>\n<p dir=\"auto\">The current scope definition:<\/p>\n<div class=\"snippet-clipboard-content notranslate position-relative overflow-auto\">\n<pre class=\"notranslate\"><code>\"scope\": \".default offline_access profile openid\"\r\n<\/code><\/pre>\n<\/div>\n<h1 dir=\"auto\"><a id=\"user-content-usage\" class=\"anchor\" href=\"https:\/\/github.com\/secureworks\/squarephish#usage\" aria-hidden=\"true\"><\/a>Usage<\/h1>\n<blockquote>\n<p dir=\"auto\">!IMPORTANT: Before using either module, update the required information in the\u00a0<a href=\"https:\/\/github.com\/secureworks\/squarephish\/blob\/main\/settings.config\">settings.config<\/a>\u00a0file noted with\u00a0<code>Required<\/code>.<\/p>\n<\/blockquote>\n<h2 dir=\"auto\"><a id=\"user-content-email-module\" class=\"anchor\" href=\"https:\/\/github.com\/secureworks\/squarephish#email-module\" aria-hidden=\"true\"><\/a>Email Module<\/h2>\n<p dir=\"auto\">Send the target victim a generated QR code that will trigger the OAuth Device Code flow.<\/p>\n<div class=\"snippet-clipboard-content notranslate position-relative overflow-auto\">\n<pre class=\"notranslate\"><code>usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]\r\n\r\noptional arguments:\r\n  -h, --help            show this help message and exit\r\n\r\n  -c CONFIG, --config CONFIG\r\n                        squarephish config file [Default: settings.config]\r\n\r\n  --debug               enable server debugging\r\n\r\n  -e EMAIL, --email EMAIL\r\n                        victim email address to send initial QR code email to\r\n<\/code><\/pre>\n<\/div>\n<h2 dir=\"auto\"><a id=\"user-content-server-module\" class=\"anchor\" href=\"https:\/\/github.com\/secureworks\/squarephish#server-module\" aria-hidden=\"true\"><\/a>Server Module<\/h2>\n<p dir=\"auto\">Host a server that a generated QR code 
will be pointed to and when requested will trigger the OAuth Device Code flow.<\/p>\n<div class=\"snippet-clipboard-content notranslate position-relative overflow-auto\">\n<pre class=\"notranslate\"><code>usage: squish.py server [-h] [-c CONFIG] [--debug]\r\n\r\noptional arguments:\r\n  -h, --help            show this help message and exit\r\n\r\n  -c CONFIG, --config CONFIG\r\n                        squarephish config file [Default: settings.config]\r\n\r\n  --debug               enable server debugging\r\n<\/code><\/pre>\n<\/div>\n<h2 dir=\"auto\"><a id=\"user-content-configuration\" class=\"anchor\" href=\"https:\/\/github.com\/secureworks\/squarephish#configuration\" aria-hidden=\"true\"><\/a>Configuration<\/h2>\n<p dir=\"auto\">All of the applicable settings for execution can be found and modified via the\u00a0<a href=\"https:\/\/github.com\/secureworks\/squarephish\/blob\/main\/settings.config\">settings.config<\/a>\u00a0file. There are several pieces of required information that do not have a default value that must be filled out by the user: SMTP_EMAIL, SMTP_PASSWORD, and SQUAREPHISH_SERVER (only when executing the email module). 
All configuration options have been documented within the settings file via in-line comments.<\/p>\n<p dir=\"auto\"><strong>Note<\/strong>: The\u00a0<code>SQUAREPHISH_<\/code>\u00a0values present in the &#8216;EMAIL&#8217; section of the configuration should match the values set when running the SquarePhish server.<\/p>\n<div class=\"snippet-clipboard-content notranslate position-relative overflow-auto\">\n<pre class=\"notranslate\" lang=\"conf\"><code>[DEFAULT]\r\nSMTP_PORT            = 465                                                                      # SMTP port, defaulted to 465\r\nSMTP_SERVER          = \"smtp.gmail.com\"                                                         # SMTP server, defaulted to GMail\r\nSMTP_PROTO           = \"ssl\"                                                                    # SMTP protocol: {ssl, tls, None (leave empty)}\r\nSMTP_EMAIL           = \"\"                                                                       # Provide authenticating email address here\r\nSMTP_PASSWORD        = \"\"                                                                       # Provide authenticating password here\r\n\r\n[EMAIL]\r\nSQUAREPHISH_SERVER   = \"\"                                                                       # Required: Provide IP address\/domain name of hosted SquarePhish server\r\nSQUAREPHISH_PORT     = 8443                                                                     # Hosted SquarePhish server port, defaulted to 8443 (this should match the below server value)\r\nSQUAREPHISH_ENDPOINT = \"\/mfa\"                                                                   # Hosted SquarePhish endpoint to trigger OAuth Device Code flow, defaulted to an MFA pretext (this should match the below server value)\r\nFROM_EMAIL           = \"admin@square.phish\"                                                     # Default FROM address when sending an email\r\nSUBJECT              = \"ACTION REQUIRED: Multi-Factor 
Authentication (MFA) Update\"              # Default SUBJECT when sending an email, defaulted to an MFA pretext\r\nEMAIL_TEMPLATE       = \"pretexts\/mfa\/qrcode_email.html\"                                         # Email body template for QR code email to victim\r\n\r\n[SERVER]\r\nPORT                 = 8443\r\nFROM_EMAIL           = \"admin@square.phish\"                                                     # Default FROM address when sending an email\r\nSUBJECT              = \"ACTION REQUIRED: Multi-Factor Authentication (MFA) Update\"              # Default SUBJECT when sending an email, defaulted to an MFA pretext\r\nCLIENT_ID            = \"4813382a-8fa7-425e-ab75-3b753aab3abb\"                                   # Authenticating client ID, defaulted to Microsoft Authenticator App\r\nENDPOINT             = \"\/mfa\"                                                                   # Hosted endpoint to trigger OAuth Device Code flow, defaulted to an MFA pretext\r\nCERT_CRT             = \"\"                                                                       # Server SSL certificate .crt file\r\nCERT_KEY             = \"\"                                                                       # Server SSL certificate .key file\r\nEMAIL_TEMPLATE       = \"pretexts\/mfa\/devicecode_email.html\"                                     # Email body template for device code email to victim\r\nPERMISSION_SCOPE     = \".default offline_access profile openid\"                                 # OAuth permission scope - https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-permissions-and-consent\r\n<\/code><\/pre>\n<\/div>\n<h2 dir=\"auto\"><a id=\"user-content-custom-pretexts\" class=\"anchor\" href=\"https:\/\/github.com\/secureworks\/squarephish#custom-pretexts\" aria-hidden=\"true\"><\/a>Custom Pretexts<\/h2>\n<p dir=\"auto\">Currently, the pre-defined pretexts can be found in the\u00a0<a 
href=\"https:\/\/github.com\/secureworks\/squarephish\/blob\/main\/pretexts\">pretexts<\/a>\u00a0folder.<\/p>\n<p dir=\"auto\">To write custom pretexts, use the existing template via the\u00a0<a href=\"https:\/\/github.com\/secureworks\/squarephish\/blob\/main\/pretexts\/iphone\">pretexts\/iphone\/<\/a>\u00a0folder. An email template is required for both the initial QR code email as well as the follow-up device code email.<\/p>\n<p dir=\"auto\"><strong>Important<\/strong>: When writing a custom pretext, note the existence of\u00a0<code>%s<\/code>\u00a0in both pretext templates. This exists to allow SquarePhish to populate the correct data when generating emails (QR code data and\/or device code value).<\/p>\n<h2 dir=\"auto\"><a id=\"user-content-opsec\" class=\"anchor\" href=\"https:\/\/github.com\/secureworks\/squarephish#opsec\" aria-hidden=\"true\"><\/a>OPSEC<\/h2>\n<p dir=\"auto\">There are several HTTP response headers defined in the\u00a0<a href=\"https:\/\/github.com\/secureworks\/squarephish\/blob\/main\/squarephish\/utils.py#L28\">utils.py<\/a>\u00a0file. These headers are defined to override any existing Flask response header values and to provide a more &#8216;legitimate&#8217; response from the server. 
These header values can be modified or removed, and additional headers can be included, for better OPSEC.<\/p>\n<div class=\"highlight highlight-source-json notranslate position-relative overflow-auto\" dir=\"auto\">\n<pre>{\r\n    <span class=\"pl-ent\">\"vary\"<\/span>: <span class=\"pl-s\"><span class=\"pl-pds\">\"<\/span>Accept-Encoding<span class=\"pl-pds\">\"<\/span><\/span>,\r\n    <span class=\"pl-ent\">\"server\"<\/span>: <span class=\"pl-s\"><span class=\"pl-pds\">\"<\/span>Microsoft-IIS\/10.0<span class=\"pl-pds\">\"<\/span><\/span>,\r\n    <span class=\"pl-ent\">\"tls_version\"<\/span>: <span class=\"pl-s\"><span class=\"pl-pds\">\"<\/span>tls1.3<span class=\"pl-pds\">\"<\/span><\/span>,\r\n    <span class=\"pl-ent\">\"content-type\"<\/span>: <span class=\"pl-s\"><span class=\"pl-pds\">\"<\/span>text\/html; charset=utf-8<span class=\"pl-pds\">\"<\/span><\/span>,\r\n    <span class=\"pl-ent\">\"x-appversion\"<\/span>: <span class=\"pl-s\"><span class=\"pl-pds\">\"<\/span>1.0.8125.42964<span class=\"pl-pds\">\"<\/span><\/span>,\r\n    <span class=\"pl-ent\">\"x-frame-options\"<\/span>: <span class=\"pl-s\"><span class=\"pl-pds\">\"<\/span>SAMEORIGIN<span class=\"pl-pds\">\"<\/span><\/span>,\r\n    <span class=\"pl-ent\">\"x-ua-compatible\"<\/span>: <span class=\"pl-s\"><span class=\"pl-pds\">\"<\/span>IE=Edge;chrome=1<span class=\"pl-pds\">\"<\/span><\/span>,\r\n    <span class=\"pl-ent\">\"x-xss-protection\"<\/span>: <span class=\"pl-s\"><span class=\"pl-pds\">\"<\/span>1; mode=block<span class=\"pl-pds\">\"<\/span><\/span>,\r\n    <span class=\"pl-ent\">\"x-content-type-options\"<\/span>: <span class=\"pl-s\"><span class=\"pl-pds\">\"<\/span>nosniff<span class=\"pl-pds\">\"<\/span><\/span>,\r\n    <span class=\"pl-ent\">\"strict-transport-security\"<\/span>: <span class=\"pl-s\"><span class=\"pl-pds\">\"<\/span>max-age=31536000<span class=\"pl-pds\">\"<\/span><\/span>,<\/pre>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>SquarePhish SquarePhish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR codes. See\u00a0PhishInSuits\u00a0for more details on using OAuth Device Code flow for phishing attacks. 
_____ _____ _ _ _ \/ ____| | __ \\| | (_) | | | (___ __ _ _ _ __ _ [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":808,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[8],"tags":[],"class_list":["post-807","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ethical-hacking"],"aioseo_notices":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts\/807"}],"collection":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=807"}],"version-history":[{"count":2,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts\/807\/revisions"}],"predecessor-version":[{"id":810,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/posts\/807\/revisions\/810"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=\/wp\/v2\/media\/808"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynest.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=807"}
],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}