Douglas Bienstock
committed
May 21, 2018
0 parents
commit e6753b4
Showing
48 changed files
with
3,450 additions
and
0 deletions.
@@ -0,0 +1,5 @@ | ||
*.pyc | ||
.idea/ | ||
message.json | ||
*.log.* | ||
*.DS_Store |
@@ -0,0 +1,21 @@ | ||
FROM python:3 | ||
|
||
ENV PYTHONUNBUFFERED=1 | ||
ENV OAUTHLIB_RELAX_TOKEN_SCOPE=1 | ||
ENV DOCKER_CONTAINER=1 | ||
ENV DJANGO_ENV=prod | ||
ENV DJANGO_SITE=localhost | ||
ENV ERROR_LOG=/var/log/oauth/error.log | ||
ENV AUDIT_LOG=/var/log/oauth/audit.log | ||
ENV DEBUG_LOG=/var/log/oauth/debug.log | ||
ENV SECRET_KEY=%=we7z9!5q0tojpv^lm)lcb@tdp4@thjfs7nrvkojdc^gq2cg2 | ||
RUN mkdir /opt/app | ||
RUN mkdir /opt/sock | ||
RUN mkdir /var/log/oauth | ||
WORKDIR /opt/app | ||
COPY ./app /opt/app | ||
|
||
RUN pip3 install -r /opt/app/requirements.txt | ||
RUN pip3 install uwsgi | ||
|
||
CMD ["uwsgi", "--ini", "/opt/app/uwsgi.ini"] |
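Review bot: `ENV SECRET_KEY=...` (the line after the three log-path ENVs) bakes Django's signing key into the image, where it is readable from the image history and `docker inspect`, and the committed value is now part of this repository's history; README step 2 only asks the operator to edit it before building, so any deployment that skips that step runs on a public key. Inject it at run time instead — drop the `ENV SECRET_KEY` line and supply it via `docker run -e SECRET_KEY=...`, a compose `environment:`/`env_file:` entry or a secrets file — and have the `oauth.settings` module refuse to start when it is missing, e.g. `SECRET_KEY = os.environ['SECRET_KEY']`. The same treatment suits `DJANGO_SITE`, which the site migration reads. Minor: `FROM python:3` is unpinned, so rebuilds drift; pinning to a specific tag keeps the image reproducible.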
@@ -0,0 +1,35 @@ | ||
# PwnAuth | ||
|
||
A web application framework for launching and managing OAuth abuse campaigns. | ||
|
||
## Minimum requirements | ||
|
||
* An Internet accessible server (tested running Ubuntu 16.04) | ||
* Nginx | ||
* Docker | ||
* Docker Composer | ||
* A Valid SSL certificate | ||
|
||
## Installation | ||
|
||
|
||
1. Clone the repository onto your server | ||
2. Inside `Dockerfile` customize the settings to your site. Change `DJANGO_SITE` to match the FQDN of the domain you are using. Change the `SECRET_KEY` to a new random value | ||
3. Configure your SSL certificates and NGINX. I have provided a sample NGINX configuration in `nginx/oauth.conf` | ||
2. Run `setup.sh` as root. This will build the docker services for the OAuth application as well as setup an initial Django administrator for you to use the application with. | ||
|
||
## Modules | ||
|
||
PwnAuth is designed to be modular. A new Identity Provider can easily be supported by developing the necessary database models and views to interact with the Resource Server. | ||
As long as you follow the module implementation guidelines, the GUI will automatically detect the module and it will be ready for use. | ||
|
||
### Office 365 | ||
|
||
1. You must create a new OAuth application with microsoft at the [Microsoft App Portal](https://apps.dev.microsoft.com) | ||
2. Be sure to create a secret key and ensure your scopes include `user.read` and `offline_access` | ||
3. Import the application settings into the application using the GUI | ||
4. Send out your phishing emails using the `authorization_url_full` link and wait for responses! | ||
|
||
## Usage | ||
|
||
PwnAuth is designed to be interacted with inside of a browser. There is also an API available available for power users. To learn more about using PwnAuth see the wiki. |
@@ -0,0 +1,22 @@ | ||
#!/usr/bin/env python | ||
import os | ||
import sys | ||
|
||
if __name__ == "__main__": | ||
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "oauth.settings") | ||
try: | ||
from django.core.management import execute_from_command_line | ||
except ImportError: | ||
# The above import may fail for some other reason. Ensure that the | ||
# issue is really that Django is missing to avoid masking other | ||
# exceptions on Python 2. | ||
try: | ||
import django | ||
except ImportError: | ||
raise ImportError( | ||
"Couldn't import Django. Are you sure it's installed and " | ||
"available on your PYTHONPATH environment variable? Did you " | ||
"forget to activate a virtual environment?" | ||
) | ||
raise | ||
execute_from_command_line(sys.argv) |
Empty file.
Empty file.
@@ -0,0 +1,34 @@ | ||
# -*- coding: utf-8 -*- | ||
# Generated by Django 1.11.6 on 2018-04-21 17:43 | ||
from __future__ import unicode_literals | ||
|
||
import django.contrib.sites.models | ||
from django.db import migrations, models | ||
|
||
|
||
class Migration(migrations.Migration): | ||
|
||
initial = True | ||
|
||
dependencies = [ | ||
] | ||
|
||
operations = [ | ||
migrations.CreateModel( | ||
name='Site', | ||
fields=[ | ||
('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')), | ||
('domain', models.CharField(max_length=100, unique=True, validators=[django.contrib.sites.models._simple_domain_name_validator], verbose_name='domain name')), | ||
('name', models.CharField(max_length=50, verbose_name='display name')), | ||
], | ||
options={ | ||
'verbose_name': 'site', | ||
'verbose_name_plural': 'sites', | ||
'db_table': 'django_site', | ||
'ordering': ('domain',), | ||
}, | ||
managers=[ | ||
('objects', django.contrib.sites.models.SiteManager()), | ||
], | ||
), | ||
] |
24 changes: 24 additions & 0 deletions
24
app/oauth/migrations/site_migrations/0002_auto_20180421_1745.py
# -*- coding: utf-8 -*- | ||
# Generated by Django 1.11.6 on 2018-04-21 17:45 | ||
from __future__ import unicode_literals | ||
|
||
from django.db import migrations | ||
import os | ||
|
||
def insert_site(apps, schema_editor): | ||
Site = apps.get_model('sites', 'Site') | ||
|
||
Site.objects.create( | ||
domain= os.getenv('DJANGO_SITE', 'google.com'), | ||
name= os.getenv('DJANGO_SITE', 'google.com') | ||
) | ||
|
||
class Migration(migrations.Migration): | ||
|
||
dependencies = [ | ||
('sites', '0001_initial'), | ||
] | ||
|
||
operations = [ | ||
migrations.RunPython(insert_site) | ||
] |
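Review bot: `migrations.RunPython(insert_site)` carries no `reverse_code`, so this migration cannot be unapplied, and `Site.objects.create(...)` in `insert_site` is not idempotent — `domain` is declared `unique=True` in the sibling `0001` migration, so re-running against a database that already holds the row raises `IntegrityError`. `get_or_create` plus a reverse function fixes both, and the environment lookup only needs to happen once. Separately, the `'google.com'` fallback means an unset or misspelled `DJANGO_SITE` silently creates a Site for a domain you do not control; reading `os.environ['DJANGO_SITE']` so the migration fails loudly looks preferable, though that is a behaviour change for the caller to confirm. The `domain= os.getenv(` / `name= os.getenv(` spacing is also not PEP 8.
```python
def insert_site(apps, schema_editor):
    """Create the Site row for DJANGO_SITE; no-op if it already exists."""
    Site = apps.get_model('sites', 'Site')
    domain = os.getenv('DJANGO_SITE', 'google.com')
    Site.objects.get_or_create(domain=domain, defaults={'name': domain})


def remove_site(apps, schema_editor):
    """Reverse of insert_site: delete the row insert_site created."""
    Site = apps.get_model('sites', 'Site')
    Site.objects.filter(domain=os.getenv('DJANGO_SITE', 'google.com')).delete()

# … unchanged: Migration.dependencies …
        migrations.RunPython(insert_site, remove_site)
```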
Empty file.