Summary

Power Pwn is an offensive and defensive security toolset designed for Microsoft 365, specifically targeting Power Platform and AI services like Microsoft Copilot and Copilot Studio. It empowers security professionals to identify misconfigurations and vulnerabilities within these cloud environments, enhancing both offensive testing and defensive posture assessment.

How It Works

The toolset employs a modular architecture, featuring distinct components for specialized tasks. Modules like PowerDump conduct comprehensive tenant scanning, while others, such as Copilot Studio Hunter and Custom GPT Hunter, focus on discovering and testing misconfigured bots and GPTs. LLM Hound leverages Shodan for internet-wide AI agent discovery, and Copilot M365 and Power Pages modules specifically test for unauthorized data retrieval and Dataverse table leaks, respectively.

Quick Start & Requirements

Standard installation is via pip install powerpwn. For developers, a full installation involves running python init_repo.py --install-external-tools and activating a virtual environment. Python 3.11 is recommended for GUI modules. External dependencies like ffuf, subfinder, Node.js, and Puppeteer are required for full functionality; Windows users must install these manually. Comprehensive documentation is available on the project's Wiki and in INSTALLATION.md.

Highlighted Details

• PowerDump: Facilitates in-depth Microsoft 365 tenant scanning and data collection.
• Copilot Studio Hunter: Detects and probes misconfigured Copilot Studio bots accessible to unauthenticated users.
• Custom GPT Hunter: Enumerates and analyzes custom GPTs and agent builders.
• LLM Hound: Discovers publicly exposed AI agents across the internet using Shodan.
• Copilot M365: Tests Microsoft 365 Copilot for unauthorized data retrieval vulnerabilities.
• Power Pages: Identifies misconfigured Power Pages that may leak sensitive Dataverse tables.

Maintenance & Community

No specific details regarding maintainers, community channels (e.g., Discord, Slack), or roadmap were provided in the README snippet.

Licensing & Compatibility

The license type and compatibility notes for commercial use or closed-source linking are not specified in the provided README content.

Limitations & Caveats

Windows users face manual installation requirements for external tools. Compatibility issues may arise with GUI modules (PowerDump) if not using Python 3.11.