
Enum using --validate-teams does not work

Open ville87 opened this issue 1 year ago • 3 comments

It seems that the Teams-based validation of user accounts does not work anymore. It always fails with Pre-Enum sanity check failed, cannot enum this tenant!

Example

./TeamFiltration --outpath ./TFOUT2 --config TeamFiltrationConfig.json --enum --validate-teams --usernames userlist.txt --debug http://127.0.0.1
[...]
[♥] TeamFiltration V3.5.4 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --outpath ./TFOUT2 --config TeamFiltrationConfig.json --enum --validate-teams --usernames userlist.txt --debug http://127.0.0.1
[ENUM] 5/21/2024 1:52:48 AM EST Filtering out previusly attempted accounts
[ENUM] 5/21/2024 1:52:49 AM EST Enumerating 23 possible accounts, this will take ~0 minutes
[ENUM] 5/21/2024 1:52:51 AM EST Successfully got Teams token for sacrificial account
[ENUM] 5/21/2024 1:52:52 AM EST Loaded 23 usernames
[FIREPROX] 5/21/2024 1:52:53 AM EST Created endpoint https://xxxxxx.execute-api.eu-west-2.amazonaws.com/fireprox/
[ENUM] 5/21/2024 1:52:55 AM EST [email protected] valid!
[ENUM] 5/21/2024 1:52:55 AM EST Pre-Enum sanity check failed, cannot enum this tenant!
[FIREPROX] 5/21/2024 1:52:55 AM EST Deleted endpoint https://xxxxxx.execute-api.eu-west-2.amazonaws.com/fireprox/

Intercepting the request in Burp shows that the request is answered with HTTP 403 Forbidden:

GET /fireprox/amer/beta/users/[email protected]/externalsearchv3 HTTP/1.1
Host: xxxxxx.execute-api.eu-west-2.amazonaws.com
Authorization: Bearer eyJ0[...]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36
x-ms-client-caller: x-ms-client-caller
x-ms-client-version: 27/1.0.0.2021011237
Referer: https://teams.microsoft.com/_
ClientInfo: [...]
Authentication: skypetoken=eyJh[...]
X-Skypetoken: eyJh[...]

Response:

HTTP/2 403 Forbidden
Date: Tue, 21 May 2024 05:52:55 GMT
[...]
{"errorCode":"Forbidden"}

When using the --validate-msol for example, it works as expected:

./TeamFiltration --outpath ./TFOUT1 --config TeamFiltrationConfig.json --enum --validate-msol --usernames userlist.txt --debug http://127.0.0.1
[...]
[♥] TeamFiltration V3.5.4 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --outpath ./TFOUT1 --config TeamFiltrationConfig.json --enum --validate-msol --usernames userlist.txt --debug http://127.0.0.1
[ENUM] 5/21/2024 1:48:01 AM EST Filtering out previusly attempted accounts
[ENUM] 5/21/2024 1:48:03 AM EST Warning, this method may give some false positive accounts
[ENUM] 5/21/2024 1:48:03 AM EST Enumerating 23 possible accounts, this will take ~0 minutes
[FIREPROX] 5/21/2024 1:48:05 AM EST Created endpoint https://xxxx.execute-api.eu-north-1.amazonaws.com/fireprox/
[ENUM] 5/21/2024 1:48:09 AM EST [...] valid!
[ENUM] 5/21/2024 1:48:09 AM EST [...] valid!
[...]
[FIREPROX] 5/21/2024 1:48:10 AM EST Deleted endpoint https://xxxx.execute-api.eu-north-1.amazonaws.com/fireprox/

I tried various tenants (one of which has all default settings applied) and ensured that the sacrificial user can use MS Teams and that MFA is disabled. Maybe Microsoft changed something so that this method cannot be used anymore?

May 21 '24 06:05 ville87

The enumeration function seems to be broken for me as well. I am assuming Microsoft has changed something, as many of the other 365 enumeration projects seem to have stopped working as well. But I found an endpoint on Teams that can be used to enumerate users:

curl 'https://teams.live.com/api/mt/beta/users/searchUsers' \
--header 'authorization: Bearer BEARER_TOKEN_HERE' \
--header 'x-skypetoken: X_SKYPETOKEN_HERE' \
--header 'Content-Type: application/json' \
--data-raw '{"emails":["TARGET_EMAIL_HERE"],"phones":[]}'

Sep 05 '24 08:09 sdushantha

My first guess here would be that this is specific to this tenant's configuration. I'll rerun some tests to confirm. As for that endpoint, @sdushantha, I recall it only working for looking up internal users (not external accounts), hence the 'externalsearchv3' reference in the API I'm currently using: https://github.com/Flangvik/TeamFiltration/blob/main/TeamFiltration/TeamFiltration/Handlers/TeamsHandler.cs#L168C111-L168C127

Sep 24 '24 08:09 Flangvik

I've noticed that it doesn't work with some tenants. With others, if you try statistically likely usernames, it won't validate all the users in the environment. On subsequent runs, it'll show a different sampling of the users as validated (and sometimes overlapping users).

Dec 16 '24 22:12 brettgus