
URL: https://www.kitploit.com/2022/04/365inspect-powershell-script-that.html
Submission: On April 18 via api from US — Scanned from DE

KITPLOIT - PENTEST & HACKING TOOLS

KitPloit - leading source of Security Tools, Hacking Tools, CyberSecurity and
Network Security ☣



365INSPECT - A POWERSHELL SCRIPT THAT AUTOMATES THE SECURITY ASSESSMENT OF
MICROSOFT OFFICE 365 ENVIRONMENTS

4 days ago 8:30 AM | Zion3R






Further the state of O365 security by authoring a PowerShell script that
automates the security assessment of Microsoft Office 365 environments.







SETUP

365Inspect requires the administrative PowerShell modules for Microsoft Online,
Azure AD (we recommend installing the AzureADPreview module), Exchange
administration, Microsoft Graph, Microsoft Intune, Microsoft Teams, and
SharePoint administration.

The 365Inspect.ps1 PowerShell script will validate the installed modules.

If you do not have these modules installed, you will be prompted to install
them, and with your approval, the script will attempt installation. Otherwise,
you should be able to install them with the following commands in an
administrative PowerShell prompt, or by following the instructions at the
references below:

Install-Module -Name MSOnline

Install-Module -Name AzureADPreview

Install-Module -Name ExchangeOnlineManagement

Install-Module -Name Microsoft.Online.SharePoint.PowerShell

Install-Module -Name Microsoft.Graph

Install-Module -Name MicrosoftTeams

Install-Module -Name Microsoft.Graph.Intune


 * Install MSOnline PowerShell
 * Install Azure AD PowerShell
 * Install Exchange Online PowerShell
 * Install SharePoint
 * Install Microsoft Graph SDK
 * Install Microsoft Teams PowerShell Module
 * Install Microsoft Intune PowerShell SDK

Once the above are installed, download the 365Inspect source code folder from
GitHub using your browser or by using git clone.

As you will run 365Inspect with administrative privileges, you should place it
in a logical location and make sure the contents of the folder are readable and
writable only by the administrative user. This is especially important if you
intend to install 365Inspect in a location where it will be executed frequently
or used as part of an automated process.


USAGE

To run 365Inspect, open a PowerShell console and navigate to the folder you
downloaded 365Inspect into:

cd 365Inspect


You will interact with 365Inspect by executing the main script file,
365Inspect.ps1, from within the PowerShell command prompt.

All 365Inspect requires to inspect your O365 tenant is access via an O365
account with proper permissions, so most of the command line parameters relate
to the organization being assessed and the method of authentication.

Execution of 365Inspect looks like this:

.\365Inspect.ps1 -OrgName <value> -OutPath <value> -Auth <MFA|ALREADY_AUTHED>


For example, to log in by entering your credentials in a browser with MFA
support:

.\365Inspect.ps1 -OrgName mycompany -OutPath ..\365_report -Auth MFA


365Inspect can be run with only specified Inspector modules, or conversely, by
excluding specified modules.

For example, to run only the specified inspectors:

.\365Inspect.ps1 -OrgName mycompany -OutPath ..\365_report -Auth MFA -SelectedInspectors inspector1, inspector2


or, to run everything except the specified inspectors:

.\365Inspect.ps1 -OrgName mycompany -OutPath ..\365_report -Auth MFA -ExcludedInspectors inspector1, inspector2, inspector3


To break down the parameters further:

 * OrgName is the name of the core organization or "company" of your O365
   instance, which will be inspected.
   * If you do not know your organization name, you can navigate to the list of
     all Exchange domains in O365. The topmost domain should be named
     domain_name.onmicrosoft.com. In that example, domain_name is your
     organization name and should be used when executing 365Inspect.
 * OutPath is the path to a folder where the report generated by 365Inspect will
   be placed.
 * Auth is a selector that should be one of the literal values "MFA", "CMDLINE",
   or "ALREADY_AUTHED".
   * Auth controls how 365Inspect will authenticate to all of the Office 365
     services.
   * Auth MFA will produce a graphical popup in which you can type your
     credentials and even enter an MFA code for MFA-enabled accounts.
   * Auth ALREADY_AUTHED instructs 365Inspect not to authenticate before
     scanning. This may be preferable if you are executing 365Inspect from a
     PowerShell prompt where you already have valid sessions for all of the
     described services, such as one where you have already executed 365Inspect.
 * SelectedInspectors is the name or names of the inspector or inspectors you
   wish to run with 365Inspect. If multiple inspectors are selected they must be
   comma separated. Only the named inspectors will be run.
 * ExcludedInspectors is the name or names of the inspector or inspectors you
   wish to prevent from running with 365Inspect. If multiple inspectors are
   selected they must be comma separated. All other modules will be run.

When you execute 365Inspect with -Auth MFA, it may produce several graphical
login prompts that you must sequentially log into. This is normal behavior as
Exchange, SharePoint etc. have separate administration modules and each requires
a different login session. If you simply log in the requested number of times,
365Inspect should begin to execute. This is the opposite of fun and we're
seeking a workaround, but needless to say we feel the results are worth the
minute spent looking at MFA codes.

As 365Inspect executes, it will steadily print status updates indicating which
inspection task is running.

365Inspect may take some time to execute. This time scales with the size and
complexity of the environment under test. For example, some inspection tasks
involve scanning the account configuration of all users. This may occur
near-instantly for an organization with 50 users, or could take entire minutes
(!) for an organization with 10000.


OUTPUT

365Inspect creates the directory specified in the OutPath parameter. This
directory is the result of the entire 365Inspect inspection. It contains three
items of note:

 * Report.html: graphical report that describes the O365 security issues
   identified by 365Inspect, lists O365 objects that are misconfigured, and
   provides remediation advice.
 * Various text files named [Inspector-Name]: these are raw output from
   inspector modules and contain a list (one item per line) of misconfigured
   O365 objects that contain the described security flaw. For example, if a
   module Inspect-FictionalMFASettings were to detect all users who do not have
   MFA set up, the file "Inspect-FictionalMFASettings" in the report ZIP would
   contain one user per line who does not have MFA set up. This information is
   only dumped to a file in cases where more than 15 affected objects are
   discovered. If fewer than 15 affected objects are discovered, the objects
   are listed directly in the main HTML report body.
 * Report.zip: zipped version of this entire directory, for convenient
   distribution of the results in cases where some inspector modules generated a
   large amount of findings.


NECESSARY PRIVILEGES

365Inspect can't run properly unless the O365 account you authenticate with has
appropriate privileges. 365Inspect requires, at minimum, the following:

 * Global Administrator
 * SharePoint Administrator

We realize that these are extremely permissive roles. Unfortunately, due to the
use of Microsoft Graph, we are restricted by Microsoft from using lesser
privileges. Application and Cloud Application Administrator roles (used to grant
delegated and application permissions) are restricted from granting permissions
for Microsoft Graph or Azure AD PowerShell modules.
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator


DEVELOPING INSPECTOR MODULES

365Inspect is designed to be easy to expand, with the hope that it enables
individuals and organizations to either utilize their own 365Inspect modules
internally, or publish those modules for the O365 community.

All of 365Inspect's inspector modules are stored in the .\inspectors folder.

It is simple to create an inspector module. Inspectors have two files:

 * ModuleName.ps1: the PowerShell source code of the inspector module. Should
   return a list of all O365 objects affected by a specific issue, represented
   as strings.
 * ModuleName.json: metadata about the inspector itself. For example, the
   finding name, description, remediation information, and references.

The PowerShell and JSON file names must be identical for 365Inspect to recognize
that the two belong together. There are numerous examples in 365Inspect's
built-in suite of modules, but we'll put an example here too.

Example .ps1 file, BypassingSafeAttachments.ps1:

# Define a function that we will later invoke.
# 365Inspect's built-in modules all follow this pattern.
function Inspect-BypassingSafeAttachments {
	# Query some element of the O365 environment to inspect. Note that we did not have to authenticate to Exchange
	# to fetch these transport rules within this module; assume main 365Inspect harness has logged us in already.
	$safe_attachment_bypass_rules = (Get-TransportRule | Where { $_.SetHeaderName -eq "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" }).Identity
	
	# If some of the parsed O365 objects were found to have the security flaw this module is inspecting for,
	# return a list of strings representing those objects. This is what will end up as the "Affected Objects"
	# field in the report.
	If ($safe_attachment_bypass_rules.Count -ne 0) {
		return $safe_attachment_bypass_rules
	}
	
	# If none of the parsed O365 objects were found to have the security flaw this module is inspecting for,
	# returning $null indicates to 365Inspect that there were no findings for this module.
	return $null
}

# Return the results of invoking the inspector function.
return Inspect-BypassingSafeAttachments


Example .json file, BypassingSafeAttachments.json:

{
	"FindingName": "Do Not Bypass the Safe Attachments Filter",
	"Description": "In Exchange, it is possible to create mail transport rules that bypass the Safe Attachments detection capability. The rules listed above bypass the Safe Attachments capability. Consider reviewing these rules, as bypassing the Safe Attachments capability even for a subset of senders could be considered insecure depending on the context or may be an indicator of compromise.",
	"Remediation": "Navigate to the Mail Flow -> Rules screen in the Exchange Admin Center. Look for the offending rules and begin the process of assessing who created them and whether they are necessary to the continued function of your organization. If they are not, remove the rules.",
	"AffectedObjects": "",
	"References": [
		{
			"Url": "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules",
			"Text": "Manage Mail Flow Rules in Exchange Online"
		},
		{
			"Url": "https://www.undocumented-features.com/2018/05/10/atp-safe-attachments-safe-links-and-anti-phishing-policies-or-all-the-policies-you-can-shake-a-stick-at/#Bypass_Safe_Attachments_Processing",
			"Text": "Undocumented Features: Safe Attachments, Safe Links, and Anti-Phishing Policies"
		}
	]
}


Once you drop these two files in the .\inspectors folder, they are considered
part of 365Inspect's module inventory and will run the next time you execute
365Inspect.

You have just created the BypassingSafeAttachments Inspector module. That's all!

365Inspect will throw a pretty loud and ugly error if something in your module
doesn't work or doesn't follow 365Inspect conventions, so monitor the command
line output.
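
The naming and metadata conventions described above can be checked before a privileged run. The following is an added example, not part of 365Inspect: Test-InspectorFolder is a hypothetical name, the required JSON keys are assumed to be those in the example metadata above, and the demo files are constructed.

```powershell
# Added example, not part of 365Inspect. Test-InspectorFolder is a hypothetical name.
# Assumption: required JSON keys are the ones in the example metadata on this page.
function Test-InspectorFolder {
    param([Parameter(Mandatory)][string]$Path)

    $requiredKeys = 'FindingName', 'Description', 'Remediation', 'AffectedObjects', 'References'
    $files    = Get-ChildItem -LiteralPath $Path -File
    $scripts  = @($files | Where-Object { $_.Extension -eq '.ps1' })
    $metadata = @($files | Where-Object { $_.Extension -eq '.json' })

    foreach ($s in $scripts) {
        # The .json must share the exact base name of the .ps1.
        if ($metadata.BaseName -notcontains $s.BaseName) {
            "$($s.Name): no matching .json metadata file"
        }
        # Parse only (never execute) to catch syntax errors before a privileged run.
        $tokens = $null; $errors = $null
        [void][System.Management.Automation.Language.Parser]::ParseFile(
            $s.FullName, [ref]$tokens, [ref]$errors)
        foreach ($e in $errors) {
            "$($s.Name): syntax error at line $($e.Extent.StartLineNumber): $($e.Message)"
        }
    }

    foreach ($m in $metadata) {
        if ($scripts.BaseName -notcontains $m.BaseName) {
            "$($m.Name): no matching .ps1 inspector script"
        }
        try {
            $json = Get-Content -LiteralPath $m.FullName -Raw | ConvertFrom-Json -ErrorAction Stop
        } catch {
            "$($m.Name): invalid JSON"
            continue
        }
        foreach ($key in $requiredKeys) {
            if ($json.PSObject.Properties.Name -notcontains $key) {
                "$($m.Name): missing key '$key'"
            }
        }
    }
}

# Constructed demo: one valid pair, one script without metadata, one incomplete metadata file.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'inspectors-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content (Join-Path $demo 'Good.ps1')     'function Inspect-Good { return $null }; return Inspect-Good'
Set-Content (Join-Path $demo 'Good.json')    '{"FindingName":"x","Description":"x","Remediation":"x","AffectedObjects":"","References":[]}'
Set-Content (Join-Path $demo 'Orphan.ps1')   'return $null'
Set-Content (Join-Path $demo 'Partial.ps1')  'return $null'
Set-Content (Join-Path $demo 'Partial.json') '{"FindingName":"x"}'
Test-InspectorFolder -Path $demo
```

An empty result means every script has matching, complete metadata and parses cleanly; it says nothing about whether the script's source is trustworthy.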


ABOUT SECURITY

365Inspect is a script harness that runs other inspector script modules stored
in the .\inspectors folder. As with any other script you may run with elevated
privileges, you should observe certain security hygiene practices:

 * No untrusted user should have write access to the 365Inspect folder/files, as
   that user could then overwrite scripts or templates therein and induce you to
   run malicious code.
 * No script module should be placed in .\inspectors unless you trust the source
   of that script module.
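
The write-access requirement above, and the earlier setup advice to keep the folder writable only by the administrative user, can be audited on Windows as follows. This is an added example, not part of 365Inspect: Get-UntrustedWriter is a hypothetical name, and the default allow-list (SYSTEM, BUILTIN\Administrators, the current user) is an assumption to adjust for your environment.

```powershell
# Added example, not part of 365Inspect. Get-UntrustedWriter is a hypothetical name.
function Get-UntrustedWriter {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: only SYSTEM, BUILTIN\Administrators and the current user are trusted.
        [string[]]$TrustedSid = @(
            'S-1-5-18',
            'S-1-5-32-544',
            [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        )
    )

    # Rights that let a principal alter or replace a script, its metadata or the ACL itself.
    # The two literals are GENERIC_WRITE and GENERIC_ALL, which can appear in inherited ACEs.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Audit the folder itself plus everything beneath it (scripts, templates, metadata).
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Compare SIDs rather than names so the check works on localized Windows.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
            $sid = $rule.IdentityReference.Value
            if ($TrustedSid -contains $sid) { continue }
            try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid }   # orphaned SID with no resolvable account
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Run from inside the 365Inspect folder (after "cd 365Inspect").
Get-UntrustedWriter -Path . | Format-Table -AutoSize
```

Any row returned is a principal outside the allow-list that can modify what 365Inspect will execute; rows marked Inherited point to a parent folder whose ACL needs tightening.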


