Skip to content

Releases: Flangvik/TeamFiltration

v3.5.4

22 May 21:15
386f668
Compare
Choose a tag to compare

Release ZIP now contains Linux ARM release, thanks @launchdaemon for the PR #51
Added LastFM format to email enum, thanks @W9HAX for the PR #53
Add support for AWS keys requiring session tokens, thanks @ad0nis for the PR #52
Changes to the Microsoft API broke the way refresh tokens worked, fixed
Updated all Nuget packages, minor change after that broke some stuff
Added icon, updated RADME and Help menu to reflect version
Thanks to Dirkjan for finding a big fat bug breaking the exfil operation

v3.5.3

03 Aug 13:02
Compare
Choose a tag to compare

New exfil argument, --roadtools allows users to provide the .roadtools_auth file generate by ROADTools to be used for exfil
Added '--tenant-info', eums tenant and domain information (Based on Invoke-AADIntReconAsOutsider from AADInternal by @DrAzureAD)
Added error handling for adding AAD users to database
Adjusted the logic for the Teams Enumeration method in order to resolve #36

v3.5.2

24 Apr 15:12
Compare
Choose a tag to compare

Seems Microsoft has patched the "Forbidden" response message bug that allowed tenants who disabled Teams access between users outside of the org to be enumerated.

v3.5.1

19 Apr 16:45
Compare
Choose a tag to compare
  • Fixed a error that caused spraying against common .com tenants to fail 19.04.2023
  • Updated from EOL NET Core 3.2 to NET 7.0. This fixes the SSL library issues reported when running TeamFiltration on the latest Ubuntu and Windows Server 2022, issue #21
  • Updated the Github workflow pipeline with a better naming convention as well as compiling binaries for MacOS ARM64
  • Updated the --validate-msol enum method, thanks to tuxnam for reporting this. Seems MS had changed the JSON response structure rendering the old implementation broken. Issue #25 and #22
  • Re-implemented and added --tokens and --cookie-dump
    --tokens now handles both a single JWT token, JWT tokens separated by , and a file with newline separated JWT tokens as input. Parses and stores tokens in the database and performs exfiltration based on that.
    --cookie-dump now handles two input structures SharpChrome.exe JSON output and/or the Firefox plugin Cookie Quick Manager dump output, parses and stores tokens in the database, and performs exfiltration based on that.
  • Re-written the whole exfiltration and conditional access enumeration process, see the flow diagram for the complete process.
  • Fixed crash when running without specifying config JSON in command line, issue #24
  • Added the email format j.smith@domain.com as requested in issue #25.
  • Added error handling for email format selection
  • Re-written the spray logic to make way for --shuffle-regions, --shuffle-users, --shuffle-passwords and --auto-exfil
  • IPv6 has been disabled to avoid errors when TeamFiltration is used with proxy tools such as proxychains4 and Proxifier
  • --auto-exfil has been added to the spray module, allows TeamFiltration to automatically start exfiltration once a valid set of credentials is found
  • ADFS support, while still in BETA, has been tested more heavily and found to work with FireProx.
  • Exfiltrated Team's chat conversations are now re-produced in HTML for easier viewing locally. Work still remains in better constructing groups chats
  • Added the GetPresence check to Teams Account Enumeration mode, fetched and stored the OutOfOffice message in the database when found
  • Changed the ValidAccount database structure to account for these changes
  • Changed the CSV generator separator from , to ;
  • Added the email format j.smith@domain.com as requested in issue #25.
  • Added error handling for email format selection
  • Updated Nuget packages

v3.5.0

31 Jan 10:45
Compare
Choose a tag to compare

Fixed the horrible piece of logic that caused TeamFiltration to take ages to get back up and running between longer sprays
TeamFiltration no longer requires you to generate and submit a pre-created list of FireProx instances in the configuration file. Instead, TeamFiltration will create and remove FireProx instances automatically, on-demand, when performing tasks that require FireProx endpoints. For TeamFiltration to do so, you must now provide an AWSAccessKey and AWSSecretKey within the configuration file.
The TeamFiltration config now allows you to specify a proxy URL in the configuration, that when used with the argument --debug, will forward all HTTP traffic through your defined proxy. This is useful when debugging problems or crashes.
The TeamFiltration config now allows you to specify your user-agent that will be used for all HTTP traffic.
The interactive database module now has the option to list and remove potentially left-behind FireProx instances. (This might happen if you kill TeamFiltration in the middle of an ongoing password spray)
Merged a pull request fixing an issue related to OneDrive and SharePoint exfiltration method causing a crash.
Merged a pull request that adds functionality to extract access tokens from an exfiltrated Teams database (by specifying a local path) and then uses that to enumerate further.
Account DisplayName is now captured and stored in the Database when performing Teams Account Enumeration. Makes it easier to match emails with names from third-party sources
Updated the output shown when a login attempt is blocked by ACCESS POLICY to include "VALID"
Database column names have been shortened to allow for easier viewing when working inside short terminals.
Added account-name sanity check to teams enumeration method to avoid wasting time enumerating tenants that are not enumerable using teams.

v3.4.2

20 Jan 12:41
a9cc069
Compare
Choose a tag to compare
Update publish.yml

v3.3.8

10 Sep 16:00
Compare
Choose a tag to compare

You can now provide a single JWT token using --token inside the --exfil module. TeamFiltration will decode the JWT and extract data from the resources it has access to. Currently supports Teams (basic info, no chats atm), Outlook and AAD.
Added failsafe when decoding username from JWT, if not found , will use the prefix MissingUsername_.
Exfil module now works completely standalone, no configuration file needed.

V3.3.7

17 Aug 17:25
c607b0b
Compare
Choose a tag to compare

Removed legacy items from the help menu, added --push and internal checks to make sure it triggers correctly. (issue #2)
Added crash handling to pushover trigger
Corrected some of the MANY grammar mistakes, fixed --exclude
Added email validation check to dehashed data (issue #1)
Added EXIT command to Backdoor Module (Really??)
Added IP leak disclaimer and confirmation warning to the exfiltration modules
Fixed credentials checks for --validate-teams when enumeration starts

V3.3.6

14 Aug 01:58
Compare
Choose a tag to compare

First public release of TeamFiltration