Use correct package path & Refactor readme

denniskniep · denniskniep · commit 2fe8c05dd5aa · 2025-04-18T21:00:45.000+02:00
diff --git a/Readme.md b/Readme.md
@@ -28,21 +28,53 @@ For more details, check out the blog post: [Phishing despite FIDO, leveraging th
 5. The victim completes the authentication
 6. The attacker is authenticated
 
-## Run with Docker
-By default, it runs with tenant set to `common` and with the AuthenticationBroker ClientId `29d9ed98-a469-4536-ade2-f981bc1d605e`
+A demo video of the flow can be seen [here](#demo)  
+
+## Install
+Download appropriate binary from [Releases](https://github.com/denniskniep/DeviceCodePhishing/releases)
+or install via go using following command:
 ```shell
-docker run -p 8080:8080 ghcr.io/denniskniep/device-code-phishing:v1.0.0
+go install github.com/denniskniep/DeviceCodePhishing@v1.0.0
 ```
 
+## Start the phishing server
+
+By default, it runs with tenant set to `common` and with the AuthenticationBroker ClientId `29d9ed98-a469-4536-ade2-f981bc1d605e`
+```shell
+DeviceCodePhishing server
+```
 Use the args if one want to define a specific tenant, a different clientId or a custom userAgent
 ```shell
-docker run -p 8080:8080 ghcr.io/denniskniep/device-code-phishing:v1.0.0 --tenant <tenantId> --client-id <clientId> --user-agent <userAgent> --verbose
+DeviceCodePhishing server --tenant <tenantId> --client-id <clientId> --user-agent <userAgent> 
+```
+For further help on syntax or how to use arguments execute:
+```shell
+DeviceCodePhishing server --help
 ```
 
 ## Use
-Open Url: 
+Open Url:
 http://localhost:8080/lure
 
+## Demo
+https://gist.github.com/user-attachments/assets/bf6d1c2d-7199-4394-824d-e6f57e8136a2
+
+## Azure Entra ClientIds
+
+| ClientId                             | Description                     |
+|--------------------------------------|---------------------------------|
+| 29d9ed98-a469-4536-ade2-f981bc1d605e | Microsoft Authentication Broker |
+| 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 | Microsoft Intune Company Portal |
+
+Hint: Use Microsoft Intune Company Portal for bypassing Intune compliant device Conditional Access Policy ([More Details](https://i.blackhat.com/EU-24/Presentations/EU-24-Chudo-Unveiling-the-Power-of-Intune-Leveraging-Intune-for-Breaking-Into-Your-Cloud-and-On-Premise.pdf))
+
+## Next steps with obtained tokens
+Once you have successfully obtained tokens, you can use them with other attack tools, such as:
+* https://github.com/dafthack/GraphRunner
+* https://github.com/f-bader/TokenTacticsV2?tab=readme-ov-file#azure-json-web-token-jwt-manipulation-toolset
+* https://github.com/secureworks/family-of-client-ids-research
+
+
 ## Build it yourself 
 ```shell
 go build main.go
@@ -52,6 +84,11 @@ go build main.go
 ./main server
 ```
 
+## Run with Docker
+```shell
+docker run -p 8080:8080 ghcr.io/denniskniep/device-code-phishing:v1.0.0
+```
+
 
 ## Build & Run it yourself with Docker
 ```shell
@@ -62,20 +99,5 @@ docker build . -t device-code-phishing
 docker run -p 8080:8080 device-code-phishing
 ```
 
-## Entra ClientIds
-
-| ClientId                             | Description                     |
-|--------------------------------------|---------------------------------|
-| 29d9ed98-a469-4536-ade2-f981bc1d605e | Microsoft Authentication Broker |
-| 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 | Microsoft Intune Company Portal |
-
-Hint: Use Microsoft Intune Company Portal for bypassing Intune compliant device Conditional Access Policy ([More Details](https://i.blackhat.com/EU-24/Presentations/EU-24-Chudo-Unveiling-the-Power-of-Intune-Leveraging-Intune-for-Breaking-Into-Your-Cloud-and-On-Premise.pdf))
-
-## Next steps with obtained tokens
-Once you have obtained tokens successfully, you can use them with other attack tools like:
-* https://github.com/dafthack/GraphRunner
-* https://github.com/f-bader/TokenTacticsV2?tab=readme-ov-file#azure-json-web-token-jwt-manipulation-toolset
-* https://github.com/secureworks/family-of-client-ids-research
-
 ## Disclaimer
 Provided as educational content only!
diff --git a/cmd/root.go b/cmd/root.go
@@ -2,8 +2,8 @@ package cmd
 
 import (
 	"fmt"
+	"github.com/denniskniep/DeviceCodePhishing/pkg/utils"
 	"log/slog"
-	"main/pkg/utils"
 	"os"
 	"strings"
 
@@ -17,7 +17,7 @@ var (
 )
 
 var rootCmd = &cobra.Command{
-	Use:     "devicecodephishing",
+	Use:     "DeviceCodePhishing",
 	Short:   "Phishing access-tokens with the Device Code Flow",
 	Long:    `DeviceCodePhishing is an advanced phishing tool. It can be used for phishing access-tokens with the Device Code Flow.`,
 	Version: version,
diff --git a/cmd/server.go b/cmd/server.go
@@ -1,11 +1,11 @@
 package cmd
 
 import (
+	"github.com/denniskniep/DeviceCodePhishing/pkg/entra"
+	"github.com/denniskniep/DeviceCodePhishing/pkg/utils"
 	"github.com/spf13/cobra"
 	"log"
 	"log/slog"
-	"main/pkg/entra"
-	"main/pkg/utils"
 	"net/http"
 	"time"
 )
@@ -23,16 +23,16 @@ var (
 
 func init() {
 	rootCmd.AddCommand(runCmd)
-	runCmd.Flags().StringVarP(&address, "address", "a", ":8080", "Provide the listening address (Default ':8080').")
-	runCmd.Flags().StringVarP(&userAgent, "user-agent", "u", EdgeOnWindows, "User-Agent string sent in HTTP requests (Default Edge on Windows).")
-	runCmd.Flags().StringVarP(&clientId, "client-id", "c", MsAuthenticationBroker, "ClientId to request token for. (Default Microsoft Authentication Broker)")
-	runCmd.Flags().StringVarP(&tenant, "tenant", "t", DefaultTenant, "Tenant to request token for. (Default 'common')")
+	runCmd.Flags().StringVarP(&address, "address", "a", ":8080", "Provide the servers listening address")
+	runCmd.Flags().StringVarP(&userAgent, "user-agent", "u", EdgeOnWindows, "User-Agent used by HeadlessBrowser & API calls")
+	runCmd.Flags().StringVarP(&clientId, "client-id", "c", MsAuthenticationBroker, "ClientId for requesting token")
+	runCmd.Flags().StringVarP(&tenant, "tenant", "t", DefaultTenant, "Tenant for requesting token")
 }
 
 var runCmd = &cobra.Command{
 	Use:   "server",
 	Short: "Starts the phishing server",
-	Long:  "Starts the phishing server by default on http://localhost:8080/lure",
+	Long:  "Starts the phishing server. Listens by default on http://localhost:8080/lure",
 	Run: func(cmd *cobra.Command, args []string) {
 		// Set up a resource handler
 		http.HandleFunc("/lure", lureHandler)
diff --git a/go.mod b/go.mod
@@ -1,4 +1,4 @@
-module main
+module github.com/denniskniep/DeviceCodePhishing
 
 go 1.23.4
 
diff --git a/main.go b/main.go
@@ -1,7 +1,7 @@
 package main
 
 import (
-	"main/cmd"
+	"github.com/denniskniep/DeviceCodePhishing/cmd"
 )
 
 func main() {

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-module main`
	`1`	`+module github.com/denniskniep/DeviceCodePhishing`
`2`	`2`
`3`	`3`	`go 1.23.4`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`package main`
`2`	`2`
`3`	`3`	`import (`
`4`		`- "main/cmd"`
	`4`	`+ "github.com/denniskniep/DeviceCodePhishing/cmd"`
`5`	`5`	`)`
`6`	`6`
`7`	`7`	`func main() {`