Published in Trinacria

Gone Calishing

On Halloween, October 31 2018, Black Hills security researchers Beau Bullock and Michael Felch disclosed to Google, step by step, how anyone with a Gmail account could add an event, already marked “accepted”, to any Google Calendar via the Google Calendar API. Bullock and Felch also published a blog post that explains this attack in detail.

I gave a talk on this topic at the Texas Cyber Summit on Saturday, 10/12/2019 entitled “Gone Calishing: A Red Team Approach to Weaponizing Google Calendar and How to Stop It,” where I show exactly how to conduct this attack using my script called G-Calisher. My script is basically the Python version of Bullock and Felch’s Invoke-InjectGEventAPI module from their MailSniper PowerShell script.

I have been asked for the slides, but since I will be giving this talk at two other upcoming conferences I decided to write this Medium post instead. In this post I will simply give the step-by-step instructions for conducting this attack using my G-Calisher tool.

Step 1: Create a new Gmail account or log in to your current Gmail account.

This will be your attacker account (the one originating the calendar event), so make it fit your operation. If I’m pretending to be Tom Jones from Carbon Black, for example, tjones.carbonblack@gmail.com. Make sure you know the cover company’s email structure so the address looks as legitimate as possible.

Creating a new Gmail account

Step 2: Go to https://console.developers.google.com/flows/enableapi?apiid=calendar&pli=1

  • Create/select a Project and agree to ToS and continue
  • Create a new project or select one that you already have
  • Click “continue”
Select Project
  • Agree to the terms of service in the popup
  • Choose your country and click “Agree and Continue”
Agree to ToS

Step 3: Name your project and click “create”

Step 4: Click “Go to Credentials”

Step 5: On the “Add credentials to your project” page click “cancel”

Step 6: On the left of the page Select the “OAuth consent screen” tab.

OAuth Consent Tab

Step 7: On the OAuth consent page select an Email address, enter a Product name if not already set, and click the Save button.

Application Name and Attacker Email Address
Save

Step 8: Select the Credentials tab

  • Click the “Create credentials” button and…
Create Credentials Button

… select OAuth client ID.

OAuth Client ID

Step 9: Select the application type Web application, under “Authorized redirect URIs”

Web App, Authorized Redirect

Step 10: From the popup, copy your “Client ID” and “Client Secret”

Copy your ID and Secret

Step 11: Navigate here: https://developers.google.com/oauthplayground/

  • Click the gear in the upper right-hand corner
OAuth Playground

Step 12: Enter the OAuth2 client ID and OAuth2 client secret in the boxes.

  • Check the box to “Use your own OAuth credentials”
  • Make sure that “OAuth flow” is set to “Server-side”
  • and “Access Type” is set to “Offline”
  • Click close
Use Your Own OAuth Credentials

Step 13: Back over on the left-hand side of the OAuth Playground screen

  • Select the “Calendar API v3” dropdown
  • and click both URLs to add them to the scope
  • Click “Authorize APIs”
Authorize Calendar API

Step 14: Select the account you want to authorize, then click Allow.

  • This is going to be the attacker email address that you just created or logged into
Select the Attacker Account to Authorize
Allow Calendar Access

If there is an error such as “Error: redirect_uri_mismatch”, it’s possible the changes haven’t propagated yet. Just wait a few minutes, hit the back button and try to authorize again.

Step 15: You should now be at “Step 2: Exchange authorization code for tokens.”

  • Click the “Exchange authorization code for tokens” button.
  • The “Access token” is the item we need for accessing the API.
  • Copy the value of the “Access token.”
Access Token

Those are all of the steps needed to obtain the API access token used for a calendar injection.

Now all you need to do is use G-Calisher to send your calendar injection to the email addresses of your victim(s).

First, you will need to clone the G-Calisher github repo:

git clone https://github.com/antman1p/G-Calisher.git

Then install the Python requests library using pip:

pip install requests

Here is an example from the injection I sent at the Texas Cyber Summit:

I recommend taking a look at the usage statement for the script, which you can read from the terminal or from the GitHub page; it breaks down the mandatory and optional parameters for you. The above screenshot uses all of the mandatory parameters as well as the two optional parameters, “Title” and “Description.” I recommend using those two optional parameters so that your event does not look odd on the receiver’s end.
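For the receiving side, here is a triage check added to this post (it is not part of the original article or the G-Calisher project): given the items array of a Calendar API v3 events.list response, it flags events whose organizer is outside the organization and which either arrived with our own attendee entry already “accepted” (the signature of an injected event, since a real invitation arrives as “needsAction”) or carry links to hosts outside an allow-list. The field names are the real API ones; the sample events, the domain names and the heuristics themselves are constructed assumptions to tune per environment.

```python
"""Triage Calendar API v3 events.list items for injected, pre-accepted invites.
Added example, not from the original post or G-Calisher; the sample input at
the bottom is constructed and the heuristics are assumptions to tune."""
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def _trusted_host(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)

def triage_events(items, org_domain, trusted_domains=()):
    """Return [(event_id, organizer, [reasons])] for events worth a look.
    Signals: external organizer; own attendee entry already 'accepted' (an
    injected event lands pre-accepted, a real invite as 'needsAction');
    description/location links to untrusted hosts."""
    trusted = {org_domain.lower(), *(d.lower() for d in trusted_domains)}
    findings = []
    for ev in items:
        organizer = ev.get("organizer", {}).get("email", "")
        if not organizer or _domain(organizer) in trusted:
            continue  # internal or allow-listed organizer
        reasons = ["external organizer domain " + _domain(organizer)]
        me = next((a for a in ev.get("attendees", []) if a.get("self")), {})
        if me.get("responseStatus") == "accepted":
            reasons.append("own attendee entry is already 'accepted'")
        text = ev.get("description", "") + " " + ev.get("location", "")
        for url in URL_RE.findall(text):
            host = url.split("/", 3)[2].lower()
            if not _trusted_host(host, trusted):
                reasons.append("link to untrusted host " + host)
        if len(reasons) > 1:  # an external organizer alone is normal
            findings.append((ev.get("id", "?"), organizer, reasons))
    return findings

SAMPLE_ITEMS = [  # constructed, not real API output
    {"id": "evt-1", "organizer": {"email": "tjones.carbonblack@gmail.com"},
     "description": "Review the report: https://example-phish.test/report",
     "attendees": [{"email": "alice@corp.example", "self": True,
                    "responseStatus": "accepted"}]},
    {"id": "evt-2", "organizer": {"email": "vendor@partner.example"},
     "description": "Quarterly review, agenda at https://partner.example/q3",
     "attendees": [{"email": "alice@corp.example", "self": True,
                    "responseStatus": "needsAction"}]},
]

if __name__ == "__main__":
    for evt, who, why in triage_events(SAMPLE_ITEMS, "corp.example", ["partner.example"]):
        print(evt, who, *why, sep="\n  ")
```

Feed it the items of a real events.list call (after OAuth to the mailbox you are defending) and review the flagged event IDs by hand; the allow-list keeps ordinary external partners from showing up.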

Thanks to everyone who came out to my talk at the Texas Cyber Summit and thanks for all of the slide requests. I hope that these instructions will hold you over until I am done giving my talks and can post the slides.

I will be speaking at ToorCon 2019 at The Point in Mission Bay, in San Diego, CA. 8–10 NOV 2019. https://sandiego.toorcon.net/

AND

Hackfest 2019 in Quebec City, Canada 1–2 NOV 2019. https://hackfest.ca/en/

I will post the slides soon.

Much Love… 4n7m4n
