{"id":26896894,"url":"https://github.com/mbrg/power-pwn","last_synced_at":"2025-06-29T22:04:11.348Z","repository":{"id":56743051,"uuid":"503333940","full_name":"mbrg/power-pwn","owner":"mbrg","description":"An offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform","archived":false,"fork":false,"pushed_at":"2025-03-20T08:54:43.000Z","size":2078,"stargazers_count":929,"open_issues_count":26,"forks_count":97,"subscribers_count":20,"default_branch":"main","last_synced_at":"2025-04-01T04:03:01.248Z","etag":null,"topics":["ai-red-team","blackhat2023","blackhat2024","copilot-for-microsoft-365","copilotstudio","defcon30","hacking","hacking-tool","lowcode","m365","microsoft365","nocode","pentesting","powerapps","powerautomate","redteam","redteamer","redteaming","roboticprocessautomation","rpa"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mbrg.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"license","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-14T11:40:21.000Z","updated_at":"2025-03-29T16:47:27.000Z","dependencies_parsed_at":"2024-08-18T11:10:35.914Z","dependency_job_id":"894041c8-e196-41f2-b332-288e2e3a5143","html_url":"https://github.com/mbrg/power-pwn","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/mbrg/power-pwn","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbrg%2Fpower-pwn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbrg%2Fpower-pwn/tags"
,"releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbrg%2Fpower-pwn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbrg%2Fpower-pwn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mbrg","download_url":"https://codeload.github.com/mbrg/power-pwn/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbrg%2Fpower-pwn/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262674943,"owners_count":23346741,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-red-team","blackhat2023","blackhat2024","copilot-for-microsoft-365","copilotstudio","defcon30","hacking","hacking-tool","lowcode","m365","microsoft365","nocode","pentesting","powerapps","powerautomate","redteam","redteamer","redteaming","roboticprocessautomation","rpa"],"created_at":"2025-04-01T04:02:22.061Z","updated_at":"2025-06-29T22:04:11.260Z","avatar_url":"https://github.com/mbrg.png","language":"Python","funding_links":[],"categories":["⚔️ LLM And GenAI Security Testing Tools","Python"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\t\u003cp\u003e\n\t\t\u003csup\u003eMaintained by:\u003c/sup\u003e\n\t\t\u003cbr\u003e\n\t\t\u003cbr\u003e\n\t\t\u003ca href=\"https://www.zenity.io\"\u003e\n\t\t\t\u003cimg src=\"/zenity_logo.png\"/\u003e\n\t\t\u003c/a\u003e\n        \u003cp\u003e\n        Empower your business, not the adversaries.\n        \u003c/p\u003e\n\t\u003c/p\u003e\n\t\u003chr\u003e\n\u003c/div\u003e\n\n# 
Overview\n![powerpwn](wiki/powerpwn_asci_black.png)\n[![Black Hat](https://img.shields.io/badge/Black%20Hat-USA%202024-blue)](https://www.toolswatch.org)\n[![SecTor 23](https://img.shields.io/badge/SecTor-23-red)](https://www.blackhat.com/sector/2023/arsenal/schedule/index.html#entraid-guest-to-corp-data-dump-with-powerpwn-36105)\n[![Black Hat](https://img.shields.io/badge/Black%20Hat-USA%202023-blue)](https://www.toolswatch.org)\n[![DEFCON30](https://img.shields.io/badge/DEFCON-30-8A2BE2)](https://forum.defcon.org/node/241932)\n\n[![stars](https://img.shields.io/github/stars/mbrg/power-pwn?icon=github\u0026style=social)](https://github.com/mbrg/power-pwn)\n[![twitter](https://img.shields.io/twitter/follow/mbrg0?icon=twitter\u0026style=social\u0026label=Follow)](https://twitter.com/intent/follow?screen_name=mbrg0)\n[![email me](https://img.shields.io/badge/michael.bargury-owasp.org-red?logo=Gmail)](mailto:michael.bargury@owasp.org)\n\nPower Pwn is an offensive security toolset for Microsoft 365.\nCheck out our [Wiki](https://github.com/mbrg/power-pwn/wiki) for docs, guides and related talks!\n\nA review of the tool's basic modules is available here:\n\n[![BlackHat Arsenal USA 2023 - Power Pwn](https://img.youtube.com/vi/LpdckZyBwvs/0.jpg)](https://www.youtube.com/watch?v=LpdckZyBwvs)\n\n# Installation\n1. Install with `pip install powerpwn`.\n2. Please review the following modules' [Wiki](https://github.com/mbrg/power-pwn/wiki) pages for additional installation dependencies:\n   - [Powerdump](https://github.com/mbrg/power-pwn/wiki/Modules:-PowerDump)\n   - [Copilot Studio Hunter - deep-scan](https://github.com/mbrg/power-pwn/wiki/Modules:-Copilot-Studio-Hunter-%E2%80%90-Deep-Scan)\n   - [Copilot Studio Hunter - enum](https://github.com/mbrg/power-pwn/wiki/Modules:-Copilot-Studio-Hunter-%E2%80%90-Enum)\n   - [CopilotM365](https://github.com/mbrg/power-pwn/wiki/Modules:-Copilot-Connector-and-Automator)\n  \n## Quick Guide for Developers\n1. 
Clone the repository and set up a virtual environment in your IDE. Install Python packages by running:\n\n```\n  python init_repo.py\n```\n2. If not active already, run the following to activate the virtual environment (.venv):\n```\n  .\\.venv\\Scripts\\activate (Windows)\n\n  source .venv/bin/activate (Linux \u0026 MacOS)\n```\n\n3. Verify all dependencies are installed:\n\n```\n  pip install .\n```\n\n**Notes**: \n1. To handle the GUI properly, please use Python 3.8 for the above virtual environment, if it is not already the default.\n2. If the project directory isn't set up correctly you can use this command (or one similar to it) to set it up manually:\n   - `export PYTHONPATH=/[your_powerpwn_directory]/src:$PYTHONPATH` (Linux)\n   - `$env:PYTHONPATH = \"C:\\[your_powerpwn_directory]\\src;\" + $env:PYTHONPATH` (Windows PowerShell)\n\n3. To handle the PowerDump module's GUI properly, please use Python 3.8 for the above `pip` version if it is not already the default. Alternatively, you can install the above within a Python 3.8 virtual environment.\n4. When pushing a PR, you can run `black -C -l 150 {file to path}` to fix any formatting issues related to _black_.\n\n# Usage\n## Quick Start\n1. To quickly get started with scanning your tenant, please check the [powerdump](https://github.com/mbrg/power-pwn/wiki/Modules:-PowerDump) module here.\n2. For testing your M365 Copilot for retrieval of internal information (e.g., via a compromised user), please check the C365 modules:\n  * [whoami](https://github.com/mbrg/power-pwn/wiki/Modules:-Copilot-M365-%E2%80%90-Whoami)\n  * [C365 dump](https://github.com/mbrg/power-pwn/wiki/Modules:-Copilot-M365-%E2%80%90-Dump)\n3. For testing misconfigured Copilot Studio bots available to unauthenticated users, please check the Copilot Hunter _deep-scan_ module [here](https://github.com/mbrg/power-pwn/wiki/Modules:-Copilot-Studio-Hunter-%E2%80%90-Deep-Scan).\n4. 
To test for misconfigured Power Pages that could allow Dataverse tables to be leaked, please check the [powerpages](https://github.com/mbrg/power-pwn/wiki/Modules:-Power-Pages) module.\n\nPlease review the [Wiki](https://github.com/mbrg/power-pwn/wiki) for a full module list and detailed usage.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmbrg%2Fpower-pwn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmbrg%2Fpower-pwn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmbrg%2Fpower-pwn/lists"}