Releases: Flangvik/TeamFiltration
v3.5.4
Release ZIP now contains Linux ARM release, thanks @launchdaemon for the PR #51
Added LastFM format to email enum, thanks @W9HAX for the PR #53
Add support for AWS keys requiring session tokens, thanks @ad0nis for the PR #52
Changes to the Microsoft API broke the way refresh tokens worked, fixed
Updated all NuGet packages, minor change after that broke some stuff
Added icon, updated README and Help menu to reflect version
Thanks to Dirkjan for finding a big fat bug breaking the exfil operation
v3.5.3
New exfil argument, --roadtools, allows users to provide the .roadtools_auth file generated by ROADTools to be used for exfil
Added '--tenant-info', enumerates tenant and domain information (based on Invoke-AADIntReconAsOutsider from AADInternals by @DrAzureAD)
Added error handling for adding AAD users to database
Adjusted the logic for the Teams Enumeration method in order to resolve #36
v3.5.2
Seems Microsoft has patched the "Forbidden" response message bug that allowed tenants who disabled Teams access between users outside of the org to be enumerated.
v3.5.1
- Fixed an error that caused spraying against common .com tenants to fail (19.04.2023)
- Updated from EOL .NET Core 3.2 to .NET 7.0. This fixes the SSL library issues reported when running TeamFiltration on the latest Ubuntu and Windows Server 2022, issue #21
- Updated the GitHub workflow pipeline with a better naming convention as well as compiling binaries for macOS ARM64
- Updated the --validate-msol enum method, thanks to tuxnam for reporting this. Seems MS had changed the JSON response structure rendering the old implementation broken. Issue #25 and #22
- Re-implemented and added --tokens and --cookie-dump
  - --tokens now handles both a single JWT token, JWT tokens separated by "," and a file with newline separated JWT tokens as input. Parses and stores tokens in the database and performs exfiltration based on that.
  - --cookie-dump now handles two input structures, SharpChrome.exe JSON output and/or the Firefox plugin Cookie Quick Manager dump output, parses and stores tokens in the database, and performs exfiltration based on that.
- Re-written the whole exfiltration and conditional access enumeration process, see the flow diagram for the complete process.
- Fixed crash when running without specifying config JSON in command line, issue #24
- Added the email format j.smith@domain.com as requested in issue #25.
- Added error handling for email format selection
- Re-written the spray logic to make way for --shuffle-regions, --shuffle-users, --shuffle-passwords and --auto-exfil
- IPv6 has been disabled to avoid errors when TeamFiltration is used with proxy tools such as proxychains4 and Proxifier
- --auto-exfil has been added to the spray module, allows TeamFiltration to automatically start exfiltration once a valid set of credentials is found
- ADFS support, while still in BETA, has been tested more heavily and found to work with FireProx.
- Exfiltrated Teams chat conversations are now reproduced in HTML for easier viewing locally. Work still remains in better constructing group chats
- Added the GetPresence check to Teams Account Enumeration mode, fetched and stored the OutOfOffice message in the database when found
- Changed the ValidAccount database structure to account for these changes
- Changed the CSV generator separator from "," to ";"
- Updated NuGet packages
v3.5.0
Fixed the horrible piece of logic that caused TeamFiltration to take ages to get back up and running between longer sprays
TeamFiltration no longer requires you to generate and submit a pre-created list of FireProx instances in the configuration file. Instead, TeamFiltration will create and remove FireProx instances automatically, on-demand, when performing tasks that require FireProx endpoints. For TeamFiltration to do so, you must now provide an AWSAccessKey and AWSSecretKey within the configuration file.
The TeamFiltration config now allows you to specify a proxy URL in the configuration, that when used with the argument --debug, will forward all HTTP traffic through your defined proxy. This is useful when debugging problems or crashes.
The TeamFiltration config now allows you to specify your user-agent that will be used for all HTTP traffic.
The interactive database module now has the option to list and remove potentially left-behind FireProx instances. (This might happen if you kill TeamFiltration in the middle of an ongoing password spray)
Merged a pull request fixing an issue related to OneDrive and SharePoint exfiltration method causing a crash.
Merged a pull request that adds functionality to extract access tokens from an exfiltrated Teams database (by specifying a local path) and then uses that to enumerate further.
Account DisplayName is now captured and stored in the database when performing Teams Account Enumeration. This makes it easier to match emails with names from third-party sources.
Updated the output shown when a login attempt is blocked by ACCESS POLICY to include "VALID"
Database column names have been shortened to allow for easier viewing when working inside short terminals.
Added account-name sanity check to the Teams enumeration method to avoid wasting time enumerating tenants that are not enumerable using Teams.
v3.4.2
Update publish.yml
v3.3.8
You can now provide a single JWT token using --token inside the --exfil module. TeamFiltration will decode the JWT and extract data from the resources it has access to. Currently supports Teams (basic info, no chats atm), Outlook and AAD.
Added failsafe when decoding username from JWT; if not found, will use the prefix MissingUsername_.
Exfil module now works completely standalone, no configuration file needed.
v3.3.7
Removed legacy items from the help menu, added --push and internal checks to make sure it triggers correctly. (issue #2)
Added crash handling to pushover trigger
Corrected some of the MANY grammar mistakes, fixed --exclude
Added email validation check to dehashed data (issue #1)
Added EXIT command to Backdoor Module (Really??)
Added IP leak disclaimer and confirmation warning to the exfiltration modules
Fixed credentials checks for --validate-teams when enumeration starts