Enum using --validate-teams does not work #54

Open
ville87 opened this issue May 21, 2024 · 3 comments

ville87 commented May 21, 2024

It seems that the Teams-based validation of user accounts does not work anymore.
It always fails with "Pre-Enum sanity check failed, cannot enum this tenant!"

Example

./TeamFiltration --outpath ./TFOUT2 --config TeamFiltrationConfig.json --enum --validate-teams --usernames userlist.txt --debug http://127.0.0.1
[...]
[♥] TeamFiltration V3.5.4 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --outpath ./TFOUT2 --config TeamFiltrationConfig.json --enum --validate-teams --usernames userlist.txt --debug http://127.0.0.1
[ENUM] 5/21/2024 1:52:48 AM EST Filtering out previusly attempted accounts
[ENUM] 5/21/2024 1:52:49 AM EST Enumerating 23 possible accounts, this will take ~0 minutes
[ENUM] 5/21/2024 1:52:51 AM EST Successfully got Teams token for sacrificial account
[ENUM] 5/21/2024 1:52:52 AM EST Loaded 23 usernames
[FIREPROX] 5/21/2024 1:52:53 AM EST Created endpoint https://xxxxxx.execute-api.eu-west-2.amazonaws.com/fireprox/
[ENUM] 5/21/2024 1:52:55 AM EST [email protected] valid!
[ENUM] 5/21/2024 1:52:55 AM EST Pre-Enum sanity check failed, cannot enum this tenant!
[FIREPROX] 5/21/2024 1:52:55 AM EST Deleted endpoint https://xxxxxx.execute-api.eu-west-2.amazonaws.com/fireprox/

Intercepting the request in Burp shows that the request is answered with HTTP 403 Forbidden:

GET /fireprox/amer/beta/users/[email protected]/externalsearchv3 HTTP/1.1
Host: xxxxxx.execute-api.eu-west-2.amazonaws.com
Authorization: Bearer eyJ0[...]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36
x-ms-client-caller: x-ms-client-caller
x-ms-client-version: 27/1.0.0.2021011237
Referer: https://teams.microsoft.com/_
ClientInfo: [...]
Authentication: skypetoken=eyJh[...]
X-Skypetoken: eyJh[...]

Response:

HTTP/2 403 Forbidden
Date: Tue, 21 May 2024 05:52:55 GMT
[...]
{"errorCode":"Forbidden"}

When using --validate-msol, for example, it works as expected:

./TeamFiltration --outpath ./TFOUT1 --config TeamFiltrationConfig.json --enum --validate-msol --usernames userlist.txt --debug http://127.0.0.1
[...]
[♥] TeamFiltration V3.5.4 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --outpath ./TFOUT1 --config TeamFiltrationConfig.json --enum --validate-msol --usernames userlist.txt --debug http://127.0.0.1
[ENUM] 5/21/2024 1:48:01 AM EST Filtering out previusly attempted accounts
[ENUM] 5/21/2024 1:48:03 AM EST Warning, this method may give some false positive accounts
[ENUM] 5/21/2024 1:48:03 AM EST Enumerating 23 possible accounts, this will take ~0 minutes
[FIREPROX] 5/21/2024 1:48:05 AM EST Created endpoint https://xxxx.execute-api.eu-north-1.amazonaws.com/fireprox/
[ENUM] 5/21/2024 1:48:09 AM EST [...] valid!
[ENUM] 5/21/2024 1:48:09 AM EST [...] valid!
[...]
[FIREPROX] 5/21/2024 1:48:10 AM EST Deleted endpoint https://xxxx.execute-api.eu-north-1.amazonaws.com/fireprox/

I tried various tenants (one of which has all default settings applied) and ensured that the sacrificial user can use MS Teams and that MFA is disabled.
Maybe Microsoft changed something so that this method cannot be used anymore?

@sdushantha

The enumeration function seems to be broken for me as well. I am assuming Microsoft has changed something, as many of the other 365 enumeration projects seem to have stopped working as well. But I found an endpoint on Teams that can be used to enumerate users:

curl 'https://teams.live.com/api/mt/beta/users/searchUsers' \
--header 'authorization: Bearer BEARER_TOKEN_HERE' \
--header 'x-skypetoken: X_SKYPETOKEN_HERE' \
--header 'Content-Type: application/json' \
--data-raw '{"emails":["TARGET_EMAIL_HERE"],"phones":[]}'

@Flangvik
Owner

My first guess here would be that this is specific to this tenant's configuration. I'll rerun some tests to confirm. As for that endpoint, @sdushantha, I recall it only working for looking up internal users (not external accounts), hence the 'externalsearchv3' reference in the API I'm currently using: https://github.com/Flangvik/TeamFiltration/blob/main/TeamFiltration/TeamFiltration/Handlers/TeamsHandler.cs#L168C111-L168C127

@brettgus

I've noticed that it doesn't work with some tenants. With others, if you try statistically likely usernames, it won't validate all the users in the environment. On subsequent runs, it'll show a different sampling of the users as validated (and sometimes overlapping users).
