TREVORspray icon indicating copy to clipboard operation
TREVORspray copied to clipboard
verified publisher icon blacklanternsecurity

Add Teams Photo User Enumeration Module and OfficeHome Sprayer

Open aconite33 opened this issue 6 months ago • 0 comments

Add Teams Photo User Enumeration Module and OfficeHome Sprayer

Description

This PR adds two major features:

  1. A new user enumeration module that leverages Microsoft Teams profile photo endpoints to identify valid users in Microsoft 365/Azure AD environments
  2. A new OfficeHome sprayer module that uses the OfficeHome resource and application IDs for authentication

Changes

  • Added new teams_photo.py enumerator module
  • Created base Enumerator class in base.py for better code organization
  • Updated __init__.py to properly register all enumerator modules
  • Fixed module discovery logic to ensure all enumerators are available
  • Added new officehome.py sprayer module with OfficeHome resource and application IDs
  • Updated authentication to use OfficeHome IDs instead of Windows Sign In

Technical Details

Teams Photo Enumerator

The Teams photo enumerator uses the following endpoint: https://{tenantname}-my.sharepoint.com/personal/{username}{domain}/_layouts/15/userphoto.aspx

It follows the same pattern as the OneDrive enumerator:

  • Returns 200/401/403/302 for valid users
  • Returns 404 for invalid users
  • No authentication required
  • Uses tenant and domain structure

OfficeHome Sprayer

The OfficeHome sprayer uses the following configuration:

  • Resource ID: 4765445b-32c6-49b0-83e6-1d93765276ca (OfficeHome)
  • Application ID: 4765445b-32c6-49b0-83e6-1d93765276ca (OfficeHome)
  • Uses Chrome User-Agent for better compatibility
  • Maintains all existing sprayer features (threading, delays, etc.)

Usage

Teams Photo Enumeration

trevorspray -u users.txt -r domain.com

[USER] Which user enumeration method would you like to use? (onedrive|seamless_sso|teams_photo)

OfficeHome Spraying

trevorspray -m officehome -u users.txt -p password123

Benefits

Teams Photo Enumerator

  • Provides an alternative enumeration method
  • Uses a different endpoint than OneDrive, allowing for:
    • Better success rate when OneDrive is blocked
    • Reduced chance of detection
    • Ability to cross-reference results
  • Maintains compatibility with existing TREVORspray infrastructure
  • Follows the same patterns as other enumerators

OfficeHome Sprayer

  • Uses OfficeHome resource and application IDs for authentication
  • Provides an alternative to the default MSOL sprayer
  • May bypass certain detection mechanisms that look for Windows Sign In
  • Uses modern Chrome User-Agent for better compatibility
  • Maintains all existing sprayer features and protections

aconite33 avatar Jun 13 '25 19:06 aconite33