From e8c62dce2db9fa9c21d08f2188f2c325483bf4ba Mon Sep 17 00:00:00 2001 From: Melvin L Date: Tue, 11 Apr 2023 12:48:53 +0200 Subject: [PATCH] Updated help menu --- README.md | 102 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 56 insertions(+), 46 deletions(-) diff --git a/README.md b/README.md index 4657a05..17d6b25 100644 --- a/README.md +++ b/README.md 
@@ -13,69 +13,77 @@ This tool has been used internally since January 2021 and was publicly released ``` - ╓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╖ + ╔╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╗ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬ -╬╬╬╬┤ ╟╬╬╜╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬ -╬╬╬╬╡ │ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬ -╬╬╬╬╡ ││ ╙╬╬╜╘ └╙╜╬╬╬╬╬╬ -╬╬╬╬╡ ╓╥╥╬╬╬╬╬╬╥╥╖ ││ │ ╬╬╬╬╬ -╬╬╬╬╡ ╓╬╫╬╜╜┘ ╙╜╜╬╫╬┐ ││ ││ └╬╬╬╬ -╬╬╬╬┤ ╬╬╜╙╩╬╖╓ ╙╬╬╬ ││ ││ ╬╬╬╬ -╬╬╬╬┤ ╬╜ ╙╬╫╖╖ ╓ ╙╬╖ ││ ├││ ╬╬╬╬ -╬╬╬╬┤ ╬╬ ╓╖ ╙╬╬╬╬╬╬╦ ╬╬ │┌ ╓╬┤││ ╓╬╬╬╬ -╬╬╬╬┤ ╓╬┤ ╬╬╬ ╬╬╬╬╬╬╬╬╜╜╜╬╬╖ ╟╬╬╬╬╬╬╬╬╬╕ ┌╬╬╬╬╬ -╬╬╬╬┤ ╬╬┤ ╙╩┘ ╙╬╬╬╬╬╩ ╟╬╬ ╙╜╜╜╜╜╜╜╜╜╬╬╖╖╖╦╬╬╬╬╬╬╬ -╬╬╬╬┤ ╬╬┤ ╟╬╬ ││ ╬╬╬╬╬╬╬╬╬╬╬╬ -╬╬╬╬┤ ╬╬ ╦╖ ╗╖ ╬╬ ││ │ ╬╬╬╬ -╬╬╬╬┤ └╬┐ ╙╬╖╖ ╓╬╬╜ ╓╬┘ ││ │ ╬╬╬╬ -╬╬╬╬┤ └╬╖ ╙╩╨╬╬╬╩╨╜╜ ╒╬╬ ││ │ ╬╬╬╬ -╬╬╬╬┤ ╙╬╬╬╖ ┌╖╫╬╜┘ ││ │ ╬╬╬╬ -╬╬╬╬┤ ╙╩╬╬╬╥╥╥╥╥╥╫╬╬╜╜ ││ │ ╬╬╬╬ -╬╬╬╬┤ ╙╙╜╜╜╛ ││ │ ╬╬╬╬ -╬╬╬╬┤ ││ │ ╓╖╬╬╬╬╬ +╬╬╬╬┤ ╠╬╬╝╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬ +╬╬╬╬╣ │ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬ +╬╬╬╬╣ ││ ╚╬╬╝╚ └╚╝╬╬╬╬╬╬ +╬╬╬╬╣ ╔╦╦╬╬╬╬╬╬╦╦╗ ││ │ ╬╬╬╬╬ +╬╬╬╬╣ ╔╬╬╬╝╝┘ ╚╝╝╬╬╬┐ ││ ││ └╬╬╬╬ +╬╬╬╬┤ ╬╬╝╚╩╬╗╔ ╚╬╬╬ ││ ││ ╬╬╬╬ +╬╬╬╬┤ ╬╝ ╚╬╬╗╗ ╔ ╚╬╗ ││ ├││ ╬╬╬╬ +╬╬╬╬┤ ╬╬ ╔╗ ╚╬╬╬╬╬╬╦ ╬╬ │┌ ╔╬┤││ ╔╬╬╬╬ +╬╬╬╬┤ ╔╬┤ ╬╬╬ ╬╬╬╬╬╬╬╬╝╝╝╬╬╗ ╠╬╬╬╬╬╬╬╬╬╗ ┌╬╬╬╬╬ +╬╬╬╬┤ ╬╬┤ ╚╩┘ ╚╬╬╬╬╬╩ ╠╬╬ ╚╝╝╝╝╝╝╝╝╝╬╬╗╗╗╦╬╬╬╬╬╬╬ +╬╬╬╬┤ ╬╬┤ ╠╬╬ ││ ╬╬╬╬╬╬╬╬╬╬╬╬ +╬╬╬╬┤ ╬╬ ╦╗ ╗╗ ╬╬ ││ │ ╬╬╬╬ +╬╬╬╬┤ └╬┐ ╚╬╗╗ ╔╬╬╝ ╔╬┘ ││ │ ╬╬╬╬ +╬╬╬╬┤ └╬╗ ╚╩╩╬╬╬╩╩╝╝ ╔╬╬ ││ │ ╬╬╬╬ +╬╬╬╬┤ ╚╬╬╬╗ ┌╗╬╬╝┘ ││ │ ╬╬╬╬ +╬╬╬╬┤ ╚╩╬╬╬╦╦╦╦╦╦╬╬╬╝╝ ││ │ ╬╬╬╬ +╬╬╬╬┤ ╚╚╝╝╝╝ ││ │ ╬╬╬╬ +╬╬╬╬┤ ││ │ ╔╗╬╬╬╬╬ ╬╬╬╬┤ ││ ╬╦╦╬╬╬╬╬╬╬╬╬ -╬╬╬╬┤ ││ ╓╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬ -╬╬╬╬┤ ╬╬╬╖╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬ +╬╬╬╬┤ ││ ╔╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬ +╬╬╬╬┤ ╬╬╬╗╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬ - └╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╜ - ╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜ + └╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╝ + ╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝ -[] TeamFiltration V0.3.3.7 PUBLIC, created by @Flangvik @TrustedSec +[] TeamFiltration V3.5.1 PUBLIC, created 
by @Flangvik at @TrustedSec +[+] Args parsed Usage: --outpath Output path to store database and exfiltrated information (Needed for all modules) --config Local path to your TeamFiltration.json configuration file, if not provided will load from the current path - --exfil Load the exfiltration module + --exfil Load the exfiltration module --username Override to target a given username that does not exist in the database --password Override to target a given password that does not exist in the database - --cookie-dump Override to target a given account using it's refresk-cookie-collection + --tokens Override to target a (file with newline seperated JWT tokens|single JWT| , seperated JWT tokens) and perfom exfiltration + --cookie-dump Override to target a given account using it's refresh-cookie-collection --all Exfiltrate information from ALL SSO resources (Graph, OWA, SharePoint, OneDrive, Teams) --aad Exfiltrate information from Graph API (domain users and groups) --teams Exfiltrate information from Teams API (files, chatlogs, attachments, contactlist) + --teams-db Exfiltrate cookies and authentication tokens from an exfiltrated Teams database --onedrive Exfiltrate information from OneDrive/SharePoint API (accessible SharePoint files and the users entire OneDrive directory) --owa Exfiltrate information from the Outlook REST API (The last 2k emails, both sent and received) - --owa-limit Set the max amount of emails to exfiltrate, default is 2k. - --jwt-tokens Exfiltrate JSON formated JTW-tokens for SSO resources (MsGraph,AdGraph, Outlook, SharePoint, OneDrive, Teams) + --owa-limit Set the max amount of emails to exfiltrate, default is 2k. 
+ --jwt-tokens Dump all gathered JSON formated JTW-tokens for SSO resources (MsGraph,AdGraph, Outlook, SharePoint, OneDrive, Teams) --spray Load the spraying module - --aad-sso Use SecureWorks recent Azure Active Directory password brute-forcing vuln for spraying + --aad-sso Use SecureWorks's Azure Active Directory password brute-forcing technique when spraying --us-cloud When spraying companies attached to US Tenants (https://login.microsoftonline.us/) - --time-window Defines a time windows where spraying should accour, in the military time format <12:00-19:00> + --passwords Path to a list of passwords, common weak-passwords will be generated if not supplied - --seasons-only Password generated for spraying will only be based on seasons + --exclude Path to a list of emails to exclude from spraying + --seasons-only Password genersated for spraying will only be based on seasons --months-only Password generated for spraying will only be based on months --common-only Spray with the top 20 most common passwords - --combo Path to a combolist of username:password - --exclude Path to a list of emails to exclude from spraying + --shuffle-passwords Shuffle the passwordlist before spraying + --shuffle-users Shuffle the target userlist before spraying + --shuffle-regions Shuffle FireProx regions when spraying + + --auto-exfil If valid login is found, auto start the exfil module --sleep-min Minimum minutes to sleep between each full rotation of spraying default=60 --sleep-max Maximum minutes to sleep between each full rotation of spraying default=100 - --delay Delay in seconds between each individual authentication attempt. default=0 + --jitter Seconds between each individual authentication attempt. 
default=0 + --time-window Defines a time windows where spraying should accour, in the military time format <12:00-19:00> --push Get Pushover notifications when valid credentials are found (requires pushover keys in config) --push-locked Get Pushover notifications when an sprayed account gets locked (requires pushover keys in config) --force Force the spraying to proceed even if there is less the time since the last attempt 
@@ -93,21 +101,23 @@ Usage: --database Loads the interactive database browser module - --debug Add burp as a proxy on 127.0.0.1:8080 + --debug Proxy all outgoing HTTP requests through the proxy specified in the config Examples: - --outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push - --outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt - --outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00 - --outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --all - --outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --aad - --outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000 - --outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive - --outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams - --outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt - --outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --backdoor - --outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --database + --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions + --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt + --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00 + --outpath C:\Clients\2023\FooBar\TFOutput 
--config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all + --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --aad + --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa + --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000 + --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive + --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams + --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt + --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --backdoor + --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --database + ``` ## Credits
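Review bot: the rewritten usage text in the first hunk (the `-13,69 +13,77` hunk) introduces a new spelling error and carries several existing ones into lines this patch already touches; since this is the help output users see on every run, please fix them here. `+ --seasons-only Password genersated for spraying will only be based on seasons` regresses the old `generated`; `+ --tokens Override to target a (file with newline seperated JWT tokens|single JWT| , seperated JWT tokens) and perfom exfiltration` should read `separated` (twice) and `perform`; `+ --cookie-dump Override to target a given account using it's refresh-cookie-collection` fixes `refresk` but keeps `it's` where `its` is meant. The moved `--time-window` line still says `a time windows where spraying should accour` (`a time window ... should occur`), the moved `--jwt-tokens` line still says `JSON formated JTW-tokens` (`formatted JWT tokens`), and `SecureWorks's` in `--aad-sso` should be `SecureWorks'`. Separately, `--delay` and `--combo` disappear from the usage while `--jitter` takes the `--delay` slot with the same `default=0` text: if `--delay` was renamed to `--jitter` and `--combo` was removed, a one-line note in the README saying so would save users whose existing command lines break, and the stray empty `+` line before `+ --auto-exfil` looks unintentional.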
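Review bot: in the second hunk (the `-93,21 +101,23` hunk) the `--debug` description changes from `Add burp as a proxy on 127.0.0.1:8080` to `Proxy all outgoing HTTP requests through the proxy specified in the config`, but nothing in this patch says which key in `TeamFiltration.json` holds that proxy address or what happens when it is absent; please name the key (and the former `127.0.0.1:8080` default, if it still applies) either in this line or in the config section of the README. The examples are also only half updated: every `--outpath` moves to `C:\Clients\2023\FooBar\TFOutput`, yet `--exclude C:\Clients\2021\FooBar\Exclude_Emails.txt`, `--passwords C:\Clients\2021\FooBar\Generic\Passwords.txt` and `--usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt` still point at the 2021 tree, and the two new examples use doubled backslashes (`--cookie-dump C:\\CookieData.txt`, `--tokens C:\\OutputTokens.txt`) where every other Windows path in the block uses single ones, which reads as if the flag expects escaped input. Use one year and one path style throughout, and drop the empty `+` line added before the closing fence.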