initial commit

mandiant · May 21, 2018 · e6753b4 · e6753b4
commit e6753b4
Show file tree

Hide file tree

Showing 48 changed files with 3,450 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,5 @@
+*.pyc
+.idea/
+message.json
+*.log.*
+*.DS_Store
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,21 @@
+FROM python:3
+
+ENV PYTHONUNBUFFERED=1
+ENV OAUTHLIB_RELAX_TOKEN_SCOPE=1
+ENV DOCKER_CONTAINER=1
+ENV DJANGO_ENV=prod
+ENV DJANGO_SITE=localhost
+ENV ERROR_LOG=/var/log/oauth/error.log
+ENV AUDIT_LOG=/var/log/oauth/audit.log
+ENV DEBUG_LOG=/var/log/oauth/debug.log
+ENV SECRET_KEY=%=we7z9!5q0tojpv^lm)lcb@tdp4@thjfs7nrvkojdc^gq2cg2
+RUN mkdir /opt/app
+RUN mkdir /opt/sock
+RUN mkdir /var/log/oauth
+WORKDIR /opt/app
+COPY ./app /opt/app
+
+RUN pip3 install -r /opt/app/requirements.txt
+RUN pip3 install uwsgi
+
+CMD ["uwsgi", "--ini", "/opt/app/uwsgi.ini"]
diff --git a/README.md b/README.md
@@ -0,0 +1,35 @@
+# PwnAuth
+
+A web application framework for launching and managing OAuth abuse campaigns.
+
+## Minimum requirements
+
+* An Internet accessible server (tested running Ubuntu 16.04)
+* Nginx
+* Docker
+* Docker Composer
+* A Valid SSL certificate
+
+## Installation
+
+
+1. Clone the repository onto your server
+2. Inside `Dockerfile` customize the settings to your site. Change `DJANGO_SITE` to match the FQDN of the domain you are using. Change the `SECRET_KEY` to a new random value
+3. Configure your SSL certificates and NGINX. I have provided a sample NGINX configuration in `nginx/oauth.conf`
+2. Run `setup.sh` as root. This will build the docker services for the OAuth application as well as setup an initial Django administrator for you to use the application with.
+
+## Modules
+
+PwnAuth is designed to be modular. A new Identity Provider can easily be supported by developing the necessary database models and views to interact with the Resource Server.
+As long as you follow the module implementation guidelines, the GUI will automatically detect the module and it will be ready for use.
+
+### Office 365
+
+1. You must create a new OAuth application with microsoft at the [Microsoft App Portal](https://apps.dev.microsoft.com)
+2. Be sure to create a secret key and ensure your scopes include `user.read` and `offline_access`
+3. Import the application settings into the application using the GUI
+4. Send out your phishing emails using the `authorization_url_full` link and wait for responses!
+
+## Usage
+
+PwnAuth is designed to be interacted with inside of a browser. There is also an API available available for power users. To learn more about using PwnAuth see the wiki.
diff --git a/app/manage.py b/app/manage.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+import os
+import sys
+
+if __name__ == "__main__":
+    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "oauth.settings")
+    try:
+        from django.core.management import execute_from_command_line
+    except ImportError:
+        # The above import may fail for some other reason. Ensure that the
+        # issue is really that Django is missing to avoid masking other
+        # exceptions on Python 2.
+        try:
+            import django
+        except ImportError:
+            raise ImportError(
+                "Couldn't import Django. Are you sure it's installed and "
+                "available on your PYTHONPATH environment variable? Did you "
+                "forget to activate a virtual environment?"
+            )
+        raise
+    execute_from_command_line(sys.argv)
diff --git a/app/oauth/__init__.py b/app/oauth/__init__.py
diff --git a/app/oauth/migrations/__init__.py b/app/oauth/migrations/__init__.py
diff --git a/app/oauth/migrations/site_migrations/0001_initial.py b/app/oauth/migrations/site_migrations/0001_initial.py
@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.6 on 2018-04-21 17:43
+from __future__ import unicode_literals
+
+import django.contrib.sites.models
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Site',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('domain', models.CharField(max_length=100, unique=True, validators=[django.contrib.sites.models._simple_domain_name_validator], verbose_name='domain name')),
+                ('name', models.CharField(max_length=50, verbose_name='display name')),
+            ],
+            options={
+                'verbose_name': 'site',
+                'verbose_name_plural': 'sites',
+                'db_table': 'django_site',
+                'ordering': ('domain',),
+            },
+            managers=[
+                ('objects', django.contrib.sites.models.SiteManager()),
+            ],
+        ),
+    ]
diff --git a/app/oauth/migrations/site_migrations/0002_auto_20180421_1745.py b/app/oauth/migrations/site_migrations/0002_auto_20180421_1745.py
@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.6 on 2018-04-21 17:45
+from __future__ import unicode_literals
+
+from django.db import migrations
+import os
+
+def insert_site(apps, schema_editor):
+    Site = apps.get_model('sites', 'Site')
+
+    Site.objects.create(
+        domain= os.getenv('DJANGO_SITE', 'google.com'),
+        name= os.getenv('DJANGO_SITE', 'google.com')
+    )
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('sites', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.RunPython(insert_site)
+    ]
diff --git a/app/oauth/migrations/site_migrations/__init__.py b/app/oauth/migrations/site_migrations/__init__.py