
teamfiltration's Introduction

TeamFiltration


TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. See the TeamFiltration wiki page for an introduction to how TeamFiltration works and the Quick Start Guide for how to get up and running!

This tool has been used internally while working at TrustedSec since January 2021 and was publicly released in my talk Taking a Dumb In The Cloud during DefCON30.

Download

You can download the latest precompiled release for Linux, Windows and macOS.

The releases are precompiled into a single application-dependent binary. The size goes up, but you do not need .NET or any other dependencies to run them.

Usage


  ╔╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╗
 ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤                              ╠╬╬╝╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╣                              │      ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╣                              ││      ╚╬╬╝╚ └╚╝╬╬╬╬╬╬
╬╬╬╬╣         ╔╦╦╬╬╬╬╬╬╦╦╗         ││       │        ╬╬╬╬╬
╬╬╬╬╣     ╔╬╬╬╝╝┘      ╚╝╝╬╬╬┐     ││       ││       └╬╬╬╬
╬╬╬╬┤    ╬╬╝╚╩╬╗╔          ╚╬╬╬    ││       ││        ╬╬╬╬
╬╬╬╬┤   ╬╝      ╚╬╬╗╗ ╔      ╚╬╗   ││      ├││        ╬╬╬╬
╬╬╬╬┤  ╬╬     ╔╗   ╚╬╬╬╬╬╬╦    ╬╬  │┌    ╔╬┤││       ╔╬╬╬╬
╬╬╬╬┤ ╔╬┤     ╬╬╬   ╬╬╬╬╬╬╬╬╝╝╝╬╬╗ ╠╬╬╬╬╬╬╬╬╬╗      ┌╬╬╬╬╬
╬╬╬╬┤ ╬╬┤     ╚╩┘   ╚╬╬╬╬╬╩    ╠╬╬ ╚╝╝╝╝╝╝╝╝╝╬╬╗╗╗╦╬╬╬╬╬╬╬
╬╬╬╬┤ ╬╬┤                      ╠╬╬ ││         ╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤  ╬╬   ╦╗            ╗╗   ╬╬  ││         │       ╬╬╬╬
╬╬╬╬┤  └╬┐   ╚╬╗╗      ╔╬╬╝   ╔╬┘  ││         │       ╬╬╬╬
╬╬╬╬┤   └╬╗    ╚╩╩╬╬╬╩╩╝╝   ╔╬╬    ││         │       ╬╬╬╬
╬╬╬╬┤    ╚╬╬╬╗           ┌╗╬╬╝┘    ││         │       ╬╬╬╬
╬╬╬╬┤       ╚╩╬╬╬╦╦╦╦╦╦╬╬╬╝╝       ││         │       ╬╬╬╬
╬╬╬╬┤            ╚╚╝╝╝╝            ││         │       ╬╬╬╬
╬╬╬╬┤                              ││         │    ╔╗╬╬╬╬╬
╬╬╬╬┤                              ││         ╬╦╦╬╬╬╬╬╬╬╬╬
╬╬╬╬┤                              ││     ╔╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤                              ╬╬╬╗╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
 └╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╝
   ╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝

[❤] TeamFiltration V3.5.4 PUBLIC, created by @Flangvik at @KovertNO, @TrustedSec
[+] Args parsed 
Usage:

   --outpath     Output path to store database and exfiltrated information (Needed for all modules)

   --config      Local path to your TeamFiltration.json configuration file, if not provided will load from the current path

   --exfil       Load the exfiltration module

         --username            Override to target a given username that does not exist in the database
         --password            Override to target a given password that does not exist in the database
         --tokens              Override to target a (file with newline seperated JWT tokens|single JWT| , seperated JWT tokens) and perfom exfiltration
         --cookie-dump         Override to target a given account using it's refresh-cookie-collection

         --all                 Exfiltrate information from ALL SSO resources (Graph, OWA, SharePoint, OneDrive, Teams)
         --aad                 Exfiltrate information from Graph API (domain users and groups)
         --teams               Exfiltrate information from Teams API (files, chatlogs, attachments, contactlist)
         --teams-db            Exfiltrate cookies and authentication tokens from an exfiltrated Teams database
         --onedrive            Exfiltrate information from OneDrive/SharePoint API (accessible SharePoint files and the users entire OneDrive directory)
         --owa                 Exfiltrate information from the Outlook REST API (The last 2k emails, both sent and received) 
               --owa-limit          Set the max amount of emails to exfiltrate, default is 2k.
         --jwt-tokens          Dump all gathered JSON formated JTW-tokens for SSO resources (MsGraph,AdGraph, Outlook, SharePoint, OneDrive, Teams)

   --spray       Load the spraying module

         --aad-sso             Use SecureWorks's Azure Active Directory password brute-forcing technique when spraying
         --us-cloud            When spraying companies attached to US Tenants (https://login.microsoftonline.us/)

         --passwords           Path to a list of passwords, common weak-passwords will be generated if not supplied
         --exclude             Path to a list of emails to exclude from spraying
         --seasons-only        Password genersated for spraying will only be based on seasons
         --months-only         Password generated for spraying will only be based on months
         --common-only         Spray with the top 20 most common passwords
         --shuffle-passwords   Shuffle the passwordlist before spraying
         --shuffle-users       Shuffle the target userlist before spraying
         --shuffle-regions     Shuffle FireProx regions when spraying

         --auto-exfil          If valid login is found, auto start the exfil module

         --sleep-min           Minimum minutes to sleep between each full rotation of spraying default=60
         --sleep-max           Maximum minutes to sleep between each full rotation of spraying default=100
         --jitter              Seconds between each individual authentication attempt. default=0
         --time-window         Defines a time windows where spraying should accour, in the military time format <12:00-19:00>
         --push                Get Pushover notifications when valid credentials are found (requires pushover keys in config)
         --push-locked         Get Pushover notifications when an sprayed account gets locked (requires pushover keys in config)
         --force               Force the spraying to proceed even if there is less the <sleep> time since the last attempt

   --enum        Load the enumeration module

         --domain              Domain to perfom enumeration against, names pulled from statistically-likely-usernames if not provided with --usernames
         --usernames           Path to a list of usernames to enumerate (emails)
         --dehashed            Use the dehashed submodule in order to enumerate emails from a basedomain
         --validate-msol       Validate that the given o365 accounts exists using the public GetCredentialType method (Very RateLimited - Slow 20 e/s)
         --validate-teams      Validate that the given o365 accounts exists using the Teams API method (Recommended - Super Fast 300 e/s)
         --validate-login      Validate that the given o365 accounts by attemping to login (Noisy - triggers logins - Fast 100 e/s)

   --backdoor        Loads the interactive backdoor module

   --database        Loads the interactive database browser module

   --debug           Proxy all outgoing HTTP requests through the proxy specified in the config

   Examples:

        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions
        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00
        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --exfil --aad 
        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa
        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --backdoor
        --outpath C:\Clients\2024\FooBar\TFOutput --config myCustomConfig.json --database

Credits

teamfiltration's People

Contributors

0xtobu, ad0nis, flangvik, flangvikold, hackerob, launchdaemon, r-secure, w9hax


teamfiltration's Issues

Unable to use --exfil when specifying credentials

When I specify creds for the exfil module, I cannot get past the PrepareExfilCreds call. It just returns the error below. Any ideas? I have tried playing with the code but cannot resolve this... :/

[+] Args parsed --outpath . --exfil --all --username <username> --password <password> --debug

[!] The exfiltration modules does not use FireProx, ORIGIN IP WILL BE LOGGED, are you an adult? (Y/N)
Y
[SPRAY] NONE         25/04/2023 05:58:17 EST SOFT ERROR when spraying <username>:<password> => Invalid URI: The URI is empty.

Error validating MSOL enum method

In the --validate-msol method, you check the following, to see if GetCredentialType is supported or not:

if (!string.IsNullOrEmpty(postRespObject.EstsProperties?.CallMetadata?.HisRegion))

However, CallMetadata and HisRegion are not (anymore at least) part of the EstsProperties key from my research.
It will rather give you two main properties: UserTenantBranding and DomainType.
This is based on the triplet DomainType, ThrottleStatus and IfExistsResult that you will be able to see if you can enumerate accounts or not.
Your current way of checking will give "not supported" for probably all tenants today, while it is supported for part of them.

Stack trace when running without specifying config json in command line

According to the docs, the config will be loaded from the current directory if not specified. This however throws a stack trace with the config being null.

Changing the following line from else if to if seems to correct this by allowing the file to be loaded if it's not specified but does exist:

else if (!File.Exists(teamFiltrationConfigPath))

Unhandled exception. System.NullReferenceException: Object reference not set to an instance of an object.

Any idea what this error is about?

I am running it from a Windows 10 Pro machine.

[+] Args parsed --outpath .\Out\ --config .\Config.json --spray --domain test.com --usernames .\Valid_Emails.txt --seasons-only
[SPRAY] EST Sleeping between 60-100 minutes for each round
Unhandled exception. System.NullReferenceException: Object reference not set to an instance of an object.
at TeamFiltration.Modules.Spray.SprayAsync(String[] args)
at TeamFiltration.Program.Main(String[] args)
at TeamFiltration.Program.<Main>(String[] args)

Unable to load AWS Credentials

While running ./create_fireprox_instances.sh in Kali, I am getting the error below:

Unable to load AWS credentials
[+] Created that points to https://login.microsoftonline.com/
Unable to load AWS credentials
[+] Created that points to https://login.microsoftonline.us/
Unable to load AWS credentials
[+] Created that points to https://teams.microsoft.com/api/mt/
Unable to load AWS credentials
[+] Created that points to https://autologon.microsoftazuread-sso.com/
Unable to load AWS credentials

I am using the free AWS tier and have added both the access key and the security key in the file.

TeamFiltration 3.5.0 and source build on Win10: Invalid URI: The URI is empty.

.\TeamFiltration.exe --config C:\Path\To\TeamFiltration\MyConfig.json --outpath C:\Path\To\Output\test\ --enum --domain mytargetdomain.tld --validate-msol


[♥] TeamFiltration V3.5.0 PUBLIC, created by @Flangvik at @trustedsec
[+] Args parsed --config C:\Path\To\TeamFiltration\MyConfig.json --outpath C:\Path\To\Output\test\ --enum --domain mytargetdomain.tld --validate-msol
[+] AWS SecretKey and AccessKey found, FireProx endpoint will be automagically created for each spray-rotation
|=> [1] [email protected]
|=> [2] [email protected]
|=> [3] [email protected]
|=> [4] [email protected]
|=> [5] [email protected]
|=> [6] [email protected]
|=> [7] [email protected]
|=> [8] [email protected]
|=> [9] [email protected]

[?] Select an email format #> 6
[ENUM] 2/14/2023 5:27:54 PM EST Filtering out previusly attempted accounts
[ENUM] 2/14/2023 5:27:54 PM EST Warning, this method may give some false positive accounts
[ENUM] 2/14/2023 5:27:54 PM EST Enumerating 48705 possible accounts, this will take ~41 minutes
[FIREPROX] 2/14/2023 5:27:57 PM EST Created endpoint https://[REDACTED].execute-api.eu-west-3.amazonaws.com/fireprox/
[ENUM] 2/14/2023 5:27:57 PM EST SOFT ERROR ENUM => Invalid URI: The URI is empty.

Receiving null values for OWA exfil

Provided an Outlook JWT token, it identified the correct number of emails present in the inbox but the resulted file only contains message IDs while other fields are set to null.

TeamFiltration-Win-v3.3.8->TeamFiltration.exe --config config.json --outpath . --exfil --token <outlook_token> --owa


[♥] TeamFiltration V0.3.3.8 PUBLIC, created by @Flangvik @TrustedSec
[+] Args parsed --config config.json --outpath . --exfil --token <outlook_token> --owa
[EXFIL] 1/6/2023 4:57:46 AM EST Exfiltrating emails from Outlook!
[EXFIL] 1/6/2023 4:57:47 AM EST Fetched 3 email ID's , exfiltrating content!

Resulting file:

{
  "@odata.context": "https://outlook.office.com/api/v2.0/$metadata#Me/Messages(Id)",
  "@odata.nextLink": null,
  "value": [
    {
      "odatacontext": null,
      "odataid": null,
      "odataetag": null,
      "Id": "bs64id1",
      "CreatedDateTime": null,
      "LastModifiedDateTime": null,
      "ChangeKey": null,
      "Categories": null,
      "ReceivedDateTime": null,
      "SentDateTime": null,
      "HasAttachments": false,
      "InternetMessageId": null,
      "Subject": null,
      "BodyPreview": null,
      "Importance": null,
      "ParentFolderId": null,
      "ConversationId": null,
      "ConversationIndex": null,
      "IsDeliveryReceiptRequested": null,
      "IsReadReceiptRequested": false,
      "IsRead": false,
      "IsDraft": false,
      "WebLink": null,
      "InferenceClassification": null,
      "Body": null,
      "Sender": null,
      "From": null,
      "ToRecipients": null,
      "CcRecipients": null,
      "BccRecipients": null,
      "ReplyTo": null,
      "Flag": null
    },
    {
      "odatacontext": null,
      "odataid": null,
      "odataetag": null,
      "Id": "bs64id2",
      "CreatedDateTime": null,
      "LastModifiedDateTime": null,
      "ChangeKey": null,
      "Categories": null,
      "ReceivedDateTime": null,
      "SentDateTime": null,
      "HasAttachments": false,
      "InternetMessageId": null,
      "Subject": null,
      "BodyPreview": null,
      "Importance": null,
      "ParentFolderId": null,
      "ConversationId": null,
      "ConversationIndex": null,
      "IsDeliveryReceiptRequested": null,
      "IsReadReceiptRequested": false,
      "IsRead": false,
      "IsDraft": false,
      "WebLink": null,
      "InferenceClassification": null,
      "Body": null,
      "Sender": null,
      "From": null,
      "ToRecipients": null,
      "CcRecipients": null,
      "BccRecipients": null,
      "ReplyTo": null,
      "Flag": null
    },
    {
      "odatacontext": null,
      "odataid": null,
      "odataetag": null,
      "Id": "bs64id3",
      "CreatedDateTime": null,
      "LastModifiedDateTime": null,
      "ChangeKey": null,
      "Categories": null,
      "ReceivedDateTime": null,
      "SentDateTime": null,
      "HasAttachments": false,
      "InternetMessageId": null,
      "Subject": null,
      "BodyPreview": null,
      "Importance": null,
      "ParentFolderId": null,
      "ConversationId": null,
      "ConversationIndex": null,
      "IsDeliveryReceiptRequested": null,
      "IsReadReceiptRequested": false,
      "IsRead": false,
      "IsDraft": false,
      "WebLink": null,
      "InferenceClassification": null,
      "Body": null,
      "Sender": null,
      "From": null,
      "ToRecipients": null,
      "CcRecipients": null,
      "BccRecipients": null,
      "ReplyTo": null,
      "Flag": null
    }
  ]
}

SOFT ERROR ENUM => Object reference not set to an instance of an object

Good afternoon,

I am receiving SOFT ERROR ENUM => Object reference not set to an instance of an object error when attempting to --validate-teams.

I ran the command - .\TeamFiltration.exe --outpath .\MyOutputDir --config .\myConfig.json --enum --validate-teams --domain mydomain.com

image

My config file:

image

[FEATURE] - Teams enumeration viability check

Some clients may have configured their tenant in such a way that you cannot look up emails/accounts for their org using the Teams API / search functionality. TeamFiltration should confirm that lookup is possible as a pre-check before enumeration.

Teams not module not starting up

As an example, I configured a personal (free) Microsoft account that can login to Teams. I specified those in the config.json as sacrificial username & password. I don't get output from the --validate-teams option - also not that the sacrificial account is not valid. Does the Microsoft account need to meet certain conditions to be used with the API?

image

Precompiled binary does not run on latest Ubuntu Server 22.10

ubuntu@ip-10-0-0-24:/tmp$ uname -a
Linux ip-10-0-0-24 5.15.0-1028-aws #32-Ubuntu SMP Mon Jan 9 12:28:07 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ip-10-0-0-24:/tmp$ ./TeamFiltration --outpath ./out --config ./TeamFiltrationConfig_Example.json --enum --validate-msol --domain example.com


[♥] TeamFiltration V3.5.0 PUBLIC, created by @Flangvik at @trustedsec
[+] Args parsed --outpath ./out --config ./TeamFiltrationConfig_Example.json --enum --validate-msol --domain example.com
No usable version of libssl was found
Aborted (core dumped)

Only one usage of each socket address

First of all, thanks for the development of this tool so far; this has been awesome!

Below is an error I have seen occur at the same spot of reserved usernames from the statistically likely enum method.

[+] Args parsed --config config.json --outpath C:\Users\null\OneDrive\Desktop\Pentests\null\external --enum --domain null --validate-login

"({myamazonid}.execute-api.us-west-2.amazonaws.com:443)) (Only one usage of each socket address (protocol/network address/port) is normally permitted."

The above error is outputted to the console.

Also to note if I re-run the enumeration for 30 minutes or so nothing is outputted and the number of potential enumerateable accounts stays the same.

VALID BUT MFA (79)

In a lot of organisations IT bulk reset accounts, and what's observed is that you have a valid login, but you need to update a password, or more so in the cloud it hasn't done its MFA onboarding yet, because that account is unmanaged and still has the Password1 from the last bulk reset, so you log in but you get the 'we need some more information' page; this shows as VALID BUT MFA (79).

I think there's good wiggle room here to separate the nuance of credentials working but protected by MFA and credentials working but needing to onboard / configure MFA.

Loving your work, this tool is awesome.
Thank you.
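Seen from the defender's side, the two cases this issue separates are distinct result codes in Entra ID sign-in logs, and both mean the guessed password was correct. The following is an added example, not code from TeamFiltration or from this issue: it clusters failed sign-ins by client fingerprint rather than source IP and sorts the affected accounts into response buckets. The flattened record layout, user agents, thresholds and all sample rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in result codes that matter when triaging a password spray.
WRONG_PASSWORD = 50126       # invalid username or password
ACCOUNT_LOCKED = 50053       # account locked (smart lockout)
MFA_REQUIRED = 50076         # password accepted, MFA challenge not satisfied
MFA_ENROLL_REQUIRED = 50079  # password accepted, user has not registered MFA
GUESS_FAILED = {WRONG_PASSWORD, ACCOUNT_LOCKED}
BUCKET = {
    WRONG_PASSWORD: "guess_failed",
    ACCOUNT_LOCKED: "locked_out",
    MFA_REQUIRED: "password_valid_mfa_blocked",
    MFA_ENROLL_REQUIRED: "password_valid_mfa_not_enrolled",
}

UA_SPRAY = "ExampleClient/1.0"                    # constructed fingerprint
UA_USER = "Mozilla/5.0 (constructed browser UA)"  # constructed fingerprint

# Constructed sample rows: (time, user, source IP, user agent, result code).
SAMPLE_LOG = [
    ("2024-01-15T09:00:05", "a.berg@example.com", "192.0.2.10", UA_SPRAY, 50126),
    ("2024-01-15T09:00:40", "b.chen@example.com", "198.51.100.7", UA_SPRAY, 50126),
    ("2024-01-15T09:01:15", "c.diaz@example.com", "203.0.113.21", UA_SPRAY, 50079),
    ("2024-01-15T09:01:50", "d.egan@example.com", "192.0.2.44", UA_SPRAY, 50126),
    ("2024-01-15T09:02:25", "e.fox@example.com", "198.51.100.90", UA_SPRAY, 50053),
    ("2024-01-15T09:03:00", "f.gray@example.com", "203.0.113.5", UA_SPRAY, 50076),
    ("2024-01-15T09:03:35", "g.hale@example.com", "192.0.2.77", UA_SPRAY, 50126),
    ("2024-01-15T09:04:10", "h.ito@example.com", "198.51.100.12", UA_SPRAY, 50126),
    # Ordinary activity: one user mistyping, one user in a normal MFA prompt.
    ("2024-01-15T09:02:00", "i.jones@example.com", "203.0.113.200", UA_USER, 50126),
    ("2024-01-15T09:02:20", "i.jones@example.com", "203.0.113.200", UA_USER, 50126),
    ("2024-01-15T09:02:45", "i.jones@example.com", "203.0.113.200", UA_USER, 50126),
    ("2024-01-15T09:03:10", "j.kim@example.com", "203.0.113.201", UA_USER, 50076),
]


def load(rows):
    """Turn sample rows into event dicts sorted by time."""
    events = [dict(time=datetime.fromisoformat(t), user=u.lower(), ip=ip,
                   ua=ua, code=code) for t, u, ip, ua, code in rows]
    return sorted(events, key=lambda e: e["time"])


def find_sprays(events, window=timedelta(minutes=30), min_users=5,
                max_per_user=2):
    """Report clusters where many accounts each saw only a few attempts.

    Attempts are grouped by user agent, not source IP, because each attempt
    of a spray may arrive from a different address. A cluster needs at least
    `min_users` accounts with a failed guess and at most `max_per_user`
    attempts each inside one window.
    """
    by_ua = defaultdict(list)
    for e in events:
        if e["code"] in BUCKET:
            by_ua[e["ua"]].append(e)
    sprays = []
    for ua, attempts in by_ua.items():
        i = 0
        while i < len(attempts):
            end = attempts[i]["time"] + window
            chunk = [e for e in attempts[i:] if e["time"] < end]
            per_user = defaultdict(int)
            for e in chunk:
                per_user[e["user"]] += 1
            # Drop accounts hammered repeatedly: that is one user mistyping
            # (or a brute force), not the one-guess-per-account spray shape.
            slow = [e for e in chunk if per_user[e["user"]] <= max_per_user]
            failed = {e["user"] for e in slow if e["code"] in GUESS_FAILED}
            if len(failed) >= min_users:
                sprays.append({"ua": ua, "start": chunk[0]["time"],
                               "source_ips": {e["ip"] for e in slow},
                               "events": slow})
                i += len(chunk)
            else:
                i += 1
    return sprays


def triage(spray):
    """Sort the accounts touched by one spray into response buckets."""
    report = {name: set() for name in BUCKET.values()}
    for e in spray["events"]:
        report[BUCKET[e["code"]]].add(e["user"])
    return {name: sorted(users) for name, users in report.items()}


if __name__ == "__main__":
    for spray in find_sprays(load(SAMPLE_LOG)):
        print(spray["start"], spray["ua"], len(spray["source_ips"]), "source IPs")
        for bucket, users in triage(spray).items():
            print(f"  {bucket}: {', '.join(users) or '-'}")
```

Accounts in either `password_valid_*` bucket need a password reset even though no session was issued; the `mfa_not_enrolled` ones are the more urgent, since no second factor is registered for them yet.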

Repeat spraying if Account is locked

If a username-password combo is tested with the result LOCKED, it is stored as attempt in the database. However, it should not be stored because the password was not actually tested. It should be repeated in another run.

JWT is not well formed

Flangvik-

Issue when attempting to exfil after a successful spray. I am getting an IDX12709 error that the JWT is not well formed.

image

Any advice?

Thanks!

--aad-sso broken

Hi!

If I use the "--spray --aad-sso" options, I keep getting the response of "AADSTS81016", even though the password I entered is correct. The database marks the attempt as "Valid=false".

However, when I omit the "--aad-sso" parameter, everything works as expected, and I get the response "VALID, MUST ENROLL MFA."
aad-sso
working

TeamFiltration on Linux connection errors

Apologies for the horrible-quality paste.
Attempting to run this from a more-or-less current Kali Linux VM and it blows up before it gets very far at all...

./TeamFiltration --config MyConfig.json --outpath ./test/ --enum --domain 'mytargetdomain.tld' --validate-msol

[♥] TeamFiltration V3.5.0 PUBLIC, created by @Flangvik at @trustedsec
[+] Args parsed --config MyConfig.json --outpath ./tec_test/ --enum --domain mytargetdomain.tld --validate-msol
Unhandled exception. System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
---> System.TypeInitializationException: The type initializer for 'SslMethods' threw an exception.
---> System.TypeInitializationException: The type initializer for 'Ssl' threw an exception.
---> System.TypeInitializationException: The type initializer for 'SslInitializer' threw an exception.
---> Interop+Crypto+OpenSslCryptographicException: error:0E076071:configuration file routines:module_run:unknown module name
at Interop.SslInitializer..cctor()
--- End of inner exception stack trace ---
at Interop.Ssl..cctor()
--- End of inner exception stack trace ---
at Interop.Ssl.SslV2_3Method()
at Interop.Ssl.SslMethods..cctor()
--- End of inner exception stack trace ---
at Interop.OpenSsl.AllocateSslContext(SslProtocols protocols, SafeX509Handle certHandle, SafeEvpPKeyHandle certKeyHandle, EncryptionPolicy policy, SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SafeDeleteSslContext..ctor(SafeFreeSslCredentials credential, SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, ArraySegment1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
--- End of inner exception stack trace ---
at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
at System.Net.Security.SslStream.BeginAuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__65_0(SslClientAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
at System.Threading.Tasks.TaskFactory1.FromAsyncImpl[TArg1,TArg2](Func5 beginMethod, Func2 endFunction, Action1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func5 beginMethod, Action1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
at System.Net.Security.SslStream.AuthenticateAsClientAsync(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
at Nager.PublicSuffix.WebTldRuleProvider.LoadFromUrlAsync(String url)
at Nager.PublicSuffix.WebTldRuleProvider.BuildAsync()
at Nager.PublicSuffix.DomainParser..ctor(ITldRuleProvider ruleProvider, IDomainNormalizer domainNormalizer)
at TeamFiltration.Handlers.GlobalArgumentsHandler..ctor(String[] args, DatabaseHandler databaseHandler, Boolean exfilModule)
at TeamFiltration.Modules.Enumerate.EnumerateAsync(String[] args)
at TeamFiltration.Program.Main(String[] args)
at TeamFiltration.Program.<Main>(String[] args)
zsh: IOT instruction ./TeamFiltration --config MyConfig.json --outpath ./test/ --enum --domain

What are the SDK prerequisites?

Trying to build and receiving this error:
Severity Code Description
Error NETSDK1045 The current .NET SDK does not support targeting .NET 7.0. Either target .NET 6.0 or lower, or use a version of the .NET SDK that supports .NET 7.0.

I have SDK versions 6 + 7 installed.

dotnet --list-sdks
5.0.411 [C:\Program Files\dotnet\sdk]
6.0.400 [C:\Program Files\dotnet\sdk]
7.0.203 [C:\Program Files\dotnet\sdk]

Enum using --validate-teams does not work

It seems that the Teams-based validation of user accounts does not work anymore.
It always fails with Pre-Enum sanity check failed, cannot enum this tenant!

Example

./TeamFiltration --outpath ./TFOUT2 --config TeamFiltrationConfig.json --enum --validate-teams --usernames userlist.txt --debug http://127.0.0.1
[...]
[♥] TeamFiltration V3.5.4 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --outpath ./TFOUT2 --config TeamFiltrationConfig.json --enum --validate-teams --usernames userlist.txt --debug http://127.0.0.1
[ENUM] 5/21/2024 1:52:48 AM EST Filtering out previusly attempted accounts
[ENUM] 5/21/2024 1:52:49 AM EST Enumerating 23 possible accounts, this will take ~0 minutes
[ENUM] 5/21/2024 1:52:51 AM EST Successfully got Teams token for sacrificial account
[ENUM] 5/21/2024 1:52:52 AM EST Loaded 23 usernames
[FIREPROX] 5/21/2024 1:52:53 AM EST Created endpoint https://xxxxxx.execute-api.eu-west-2.amazonaws.com/fireprox/
[ENUM] 5/21/2024 1:52:55 AM EST [email protected] valid!
[ENUM] 5/21/2024 1:52:55 AM EST Pre-Enum sanity check failed, cannot enum this tenant!
[FIREPROX] 5/21/2024 1:52:55 AM EST Deleted endpoint https://xxxxxx.execute-api.eu-west-2.amazonaws.com/fireprox/

Intercepting the request in Burp shows that the request is answered with HTTP 403 Forbidden:

GET /fireprox/amer/beta/users/[email protected]/externalsearchv3 HTTP/1.1
Host: xxxxxx.execute-api.eu-west-2.amazonaws.com
Authorization: Bearer eyJ0[...]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36
x-ms-client-caller: x-ms-client-caller
x-ms-client-version: 27/1.0.0.2021011237
Referer: https://teams.microsoft.com/_
ClientInfo: [...]
Authentication: skypetoken=eyJh[...]
X-Skypetoken: eyJh[...]

Response:

HTTP/2 403 Forbidden
Date: Tue, 21 May 2024 05:52:55 GMT
[...]
{"errorCode":"Forbidden"}

When using the --validate-msol for example, it works as expected:

./TeamFiltration --outpath ./TFOUT1 --config TeamFiltrationConfig.json --enum --validate-msol --usernames userlist.txt --debug http://127.0.0.1
[...]
[♥] TeamFiltration V3.5.4 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --outpath ./TFOUT1 --config TeamFiltrationConfig.json --enum --validate-msol --usernames userlist.txt --debug http://127.0.0.1
[ENUM] 5/21/2024 1:48:01 AM EST Filtering out previusly attempted accounts
[ENUM] 5/21/2024 1:48:03 AM EST Warning, this method may give some false positive accounts
[ENUM] 5/21/2024 1:48:03 AM EST Enumerating 23 possible accounts, this will take ~0 minutes
[FIREPROX] 5/21/2024 1:48:05 AM EST Created endpoint https://xxxx.execute-api.eu-north-1.amazonaws.com/fireprox/
[ENUM] 5/21/2024 1:48:09 AM EST [...] valid!
[ENUM] 5/21/2024 1:48:09 AM EST [...] valid!
[...]
[FIREPROX] 5/21/2024 1:48:10 AM EST Deleted endpoint https://xxxx.execute-api.eu-north-1.amazonaws.com/fireprox/

I tried various tenants (one of which has all default settings applied) and ensured that the sacrificial user can use MS Teams and that MFA is disabled.
Maybe Microsoft changed something so that this method cannot be used anymore?
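
For defenders reading the issue above: the intercepted request carries a fixed, dated Teams desktop User-Agent and is relayed through a FireProx (AWS API Gateway) endpoint, so the source IP is not a stable grouping key. The sketch below is an added example, not part of the issue or of the TeamFiltration project; it clusters constructed sign-in records by user agent instead of by IP. The record field names, sample addresses, window and threshold are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# User-Agent fragment taken from the request shown in the issue above.
SUSPECT_UA_MARKER = "Teams/1.3.00.30866"
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 "
      "Electron/8.5.1 Safari/537.36")

def _rec(ts, user, ip, ua, code):
    return json.dumps({"time": ts, "user": user, "ip": ip, "ua": ua, "error": code})
# Constructed sample records (field names are assumptions, not a real log schema).
SAMPLE_LOG = "\n".join([
    _rec("2024-05-21T05:48:05Z", "alice@example.test", "198.51.100.10", UA, 50126),
    _rec("2024-05-21T05:48:06Z", "bob@example.test", "198.51.100.77", UA, 50126),
    _rec("2024-05-21T05:48:07Z", "carol@example.test", "203.0.113.5", UA, 50034),
    _rec("2024-05-21T05:48:09Z", "dave@example.test", "203.0.113.99", UA, 0),
    _rec("2024-05-21T05:50:00Z", "erin@example.test", "192.0.2.44", "Mozilla/5.0 Edge", 0),
    _rec("2024-05-21T09:00:00Z", "frank@example.test", "192.0.2.45", UA, 0),
])

def find_ua_clusters(log_text, window=timedelta(minutes=10), min_users=3):
    """Return bursts where one suspect user agent touches many accounts."""
    by_ua = defaultdict(list)
    for line in log_text.splitlines():
        r = json.loads(line)
        if SUSPECT_UA_MARKER in r["ua"]:
            r["time"] = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
            by_ua[r["ua"]].append(r)
    alerts = []
    for ua, recs in by_ua.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        while start < len(recs):
            end = start  # extend the burst while records stay inside the window
            while end + 1 < len(recs) and recs[end + 1]["time"] - recs[start]["time"] <= window:
                end += 1
            burst = recs[start:end + 1]
            users = {r["user"] for r in burst}
            if len(users) >= min_users:
                alerts.append({
                    "users": sorted(users),
                    "distinct_ips": len({r["ip"] for r in burst}),
                    "failures": sum(1 for r in burst if r["error"] != 0),
                    "succeeded": sorted(r["user"] for r in burst if r["error"] == 0),
                })
            start = end + 1
    return alerts
```

The user agent is a value in the tool's config file, so treat the string match as a weak indicator; the burst of distinct accounts, and any account listed under `succeeded`, is what deserves follow-up.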

Third party authentication detected

Receiving this message: "Third party authentication detected - Spraying will NOT work properly, sorry!" Is this due to Okta? If so, is there a workaround?

Object reference not set to an instance of an object.

Hi, apologies if this is obvious. When I try using the following on a known domain:

TeamFiltration.exe --config C:\data\TeamFiltration\TeamFiltrationConfig_Example.json --outpath C:\data\TeamFiltration\TeamFiltration\outpath --enum --domain DOMAIN.COM --validate-login

I get:

SOFT ERROR ENUM => Object reference not set to an instance of an object.

Am I missing something? It's my understanding that I don't have to specify a Microsoft account if using the --validate-login option, right?

Looking to achieve grabbing and validating legit email addresses from a tenant from a non-joined domain machine.

[help wanted] Username enum, namelist

Hello,
I was testing the tool out but was unable to find or enumerate any of my domains no matter what I tried.
I think this has to do with the names being enumerated - is it possible to supply a list of names related to my country somehow?

Custom one of these:
https://github.com/Flangvik/TeamFiltration/blob/main/TeamFiltration/TeamFiltration/Modules/Enumerate.cs#L293

The --username did not resolve this for me (as I'm looking for an option to import my list of first and last names separately and cycle through them).
Perhaps it's a simple solution of OSINT, but then I know :)

Thanks, keep up the great work! 👍

Email exists but the database does not get populated

I am using the Teams technique in TeamFiltration. Using the Debug option, I see that some emails return a valid TenantId and that the email is valid and found in many attributes in the JSON response. However, the UserPrincipalName does not match the username, but the givenName matches the email.

Here is an example for the username [email protected]. I anonymized all the data.

[{"tenantId":"REDACTED","isShortProfile":false,"accountEnabled":true,"featureSettings":{"coExistenceMode":"TeamsOnly"},"userPrincipalName":"[email protected]","givenName":"[email protected]","surname":"","email":"[email protected]","tenantName":"REDACTED","displayName":"Dave Bauer","type":"Federated","mri":"8:orgid:REDACTED","objectId":"REDACTED"}]

I was wondering why you check that the UserPrincipalName should be equal to the email in this line:

&& responeObject.FirstOrDefault().userPrincipalName.ToLower().Equals(username.ToLower())

How to import emails

I am very confused about how to import emails when I use spray; there is only a --passwords parameter, not --usernames. Do I need to modify the database directly to import the email list?

[FT] implement data exfiltration using PRT

Implement a version of aad_brokerplugin_prt_auth from Dirk-jan's amazing ROADtools project, so that TeamFiltration can exchange a PRT for a normal refresh token, refresh into different resources and exfiltrate all the loot!

Setting a value for jitter has no effect

Hi.

I was testing the program with the following command:

./TeamFiltration --config TeamFiltrationConfig_Example.json --outpath testclient --spray --debug --jitter 10 --passwords passwords_for_testing.txt --shuffle-users --shuffle-passwords

Spraying otherwise works fine, but changing the jitter value has no effect on the functionality. TeamFiltration will just spray as if the jitter was 0. I tried hardcoding the value to 60 with no effect; maybe there is an issue with the Thread.sleep in Spray.cs on line 180?

Teams Enumeration with O365 Test Account

Hey,

Thanks for sharing your awesome work here!

I tried to use TeamFiltration with a free O365 test account. I got the following output when running it:

[ENUM] 8/29/2023 8:39:13AM EST Filtering out previusly attempted accounts
[ENUM] 8/29/2023 8:39:13AM EST Enumerating 43549 possible accounts, this will take ~2 minutes
[ENUM] 8/29/2023 8:39:19AM EST Teams enumeration failed, error: AADSTS50034: The user account {EmailHidden} does not exist in the outlook.com directory. To sign into this application, the account must be added to the directory.

Complete Response:

{"error":"invalid_grant","error_description":"AADSTS50034: The user account {EmailHidden} does not exist in the outlook.com directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: dc6afdc9-fdee-4118-aef0-821794514600\r\nCorrelation ID: ca9f072c-8efe-45fa-a805-2bd800e95c68\r\nTimestamp: 2023-08-29 12:41:05Z","error_codes":[50034],"timestamp":"2023-08-29 12:41:05Z","trace_id":"dc6afdc9-fdee-4118-aef0-821794514600","correlation_id":"ca9f072c-8efe-45fa-a805-2bd800e95c68","error_uri":"https://login.microsoftonline.com/error?code=50034"}

Do you know any way to work around it?

Thanks in advance

SSL error in enumeration module

Hello,
I'm trying to test TeamFiltration, and everything goes fine until I choose the email format. Then I have an SSL connection issue (see the screenshot below). I'm clearly not sure where this is coming from; I tried different test domains but the same error is showing up.

Any clues on what could be the cause?

Thank you! :)

SOFT ERROR ENUM

Hi, I'm trying to test the TeamFiltration.exe, but unfortunately I'm not able to start it properly.
I get the following error for all validation methods:

TeamFiltration.exe --outpath C:\Clients\Example\TFOutput --config TeamFiltrationConfig_Example.json --enum --validate-login --domain censored.onmicrosoft.com

[ENUM] 11.08.2023 09:20:39 EST Filtering out previusly attempted accounts
[ENUM] 11.08.2023 09:20:40 EST Warning, THIS METHOD WILL PRODUCE LOGIN ATTEMPTS AND IF USED FREQUENTLY,MAY LOCKOUT ACCOUNTS!
[ENUM] 11.08.2023 09:20:40 EST Enumerating 248231 accounts with password Welcome@2023!, this will take ~41 minutes
[ENUM] 11.08.2023 09:20:40 EST SOFT ERROR ENUM => Object reference not set to an instance of an object.

The Config File looks like this:
{
"pushoverAppKey": "",
"pushoverUserKey": "",
"dehashedEmail" : "",
"dehashedApiKey": "",
"sacrificialO365Username": "[email protected]",
"sacrificialO365Passwords": "censored",
"proxyEndpoint": "http://127.0.0.1:8080",
"AWSAccessKey": "",
"AWSSecretKey": "",
"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36",
"AwsRegions":["us-east-1", "us-west-1", "us-west-2", "ca-central-1", "eu-central-1", "eu-west-1", "eu-west-2", "eu-west-3", "eu-north-1"]
}
Do you have any idea what the problem could be?
Thanks in advance!

BUG - Dehashed integration fails to clean data.

The Dehashed module sometimes fails to clean up input email and data, which causes corrupt data to be stored in the database. Will be improving/adding the usage of regex to confirm emails are in a valid format, end with the target domain name, etc++.

Expect this to be fixed when I get back home from BH/Defcon.

Skip Fireprox for e.g. Exfiltration

Hey,

More a feature request than an issue.

In some situations it might not be necessary to go over FireProx, e.g. if you already have valid creds (so no Smart Lockout anyway) and just want to use the exfiltration module. It would be nice from my point of view to also have a switch for not using FireProx in those cases.

At the moment it will just crash when not having a proper FireProx config.

Greetings
