Power Pwn is an offensive security toolset for Microsoft 365. Check out our Wiki for docs, guides and related talks!
A review of the tool's basic modules is available here:
- Install with pip install powerpwn.
- Please review the following modules' Wiki pages for additional installation dependencies:
- Clone the repository and set up a virtual environment in your IDE. Install Python packages by running:
  python init_repo.py
- If not active already, run the following to activate the virtual environment (.venv):
  .\.venv\Scripts\activate (Windows)
  source .venv/bin/activate (Linux & macOS)
- Verify all dependencies are installed:
  pip install .
- If local changes aren't reflected when testing PPWN, try reinstalling the package in editable mode with pip install -e . to ensure updates take effect.
Notes:
- To handle the GUI properly, please use Python 3.11 for the above virtual environment, if it is not already the default.
- If the project directory isn't set up correctly you can use this command (or one similar to it) to set it up manually:
  - export PYTHONPATH=/[your_powerpwn_directory]/src:$PYTHONPATH (Linux)
  - $env:PYTHONPATH = "C:\[your_powerpwn_directory]\src;" + $env:PYTHONPATH (Windows PowerShell)
- To handle the PowerDump module's GUI properly, please use Python 3.11 for the above pip version if it is not already the default. Alternatively, you can install the above within a Python 3.11 virtual environment.
- When pushing a PR, you can run black -C -l 150 {file to path} to fix any formatting issues related to black.
- For quickly getting started with scanning your tenant, please check the powerdump module here.
- For testing your M365 Copilot for retrieval of internal information (e.g., via a compromised user), please check the C365 modules:
- For testing misconfigured Copilot Studio bots available to unauthenticated users please check the Copilot Hunter deep-scan module here. Additional modules related to Copilot Studio here:
- To test misconfigured Power Pages which could allow for Dataverse tables to be leaked, please check the powerpages module.
Please review the Wiki for a full module list and detailed usage.
 
		
