octoberfest7 / teamsphisher Goto Github PK
View Code? Open in Web Editor NEWSend phishing messages and attachments to Microsoft Teams users
Send phishing messages and attachments to Microsoft Teams users
Line 213 in c5fb827
add &top=999 parameter to increase the page size for user list retrieval
url += f"?skipToken={skipToken}"
to
url += f"?skipToken={skipToken}&top=999"
I have reported to Microsoft a vulnerability to bypass restrictions on "Anyone with the link". They see it as a feature, not a bug. It would be nice to integrate this "feature" into this project.
Does the TeamsPhisher still bypass the "Someone outside your organization messaged you, are you sure you want to view it" splash screen? When I test the TeamsPhisher, I always get the splash screen as a warning
First of all thank you for the tool!
I am testing your tool however it fails to upload file on SharePoint! I made sure my user has the full control rights to upload file on SharePoint however keeps failing! Any insight of how can I fix it?
`Operational mode: Sending phishing messages to targets!
Time left to abort: 00
Authenticating, verifying files, and uploading attachment
Reading target email list..................................................[+] SUCCESS!
Fetching Bearer token for Teams............................................[+] SUCCESS!
Fetching Skype token.......................................................[+] SUCCESS!
Fetching sender info.......................................................[+] SUCCESS!
Fetching Bearer token for SharePoint.......................................[+] SUCCESS!
Uploading file: .\README.MD................................................[-] Error uploading file: 401`
Fetching Bearer token for Teams............................................[-] AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
Is there anything that I can do/check on this or is it secured?
Looks like the splash screen bypass has once again been patched by Microsoft reducing the effectiveness of TeamsPhisher.
Now when you remove the victim from the group they are only able to preview the message and the button for clicking through the splash screen is greyed out.
Given reliance is once again on the user to click through the splash screen and they can't be removed - I do wonder if its better to revert TeamsPhisher back to just messaging a user without adding them to a group at all.
First of all, thanks for the tool
I get this error when trying to send the message:
.[-] Error fetching sharing link: 500
{"error":{"code":"-1, System.Text.DecoderFallbackException","message":{"lang":"es-ES","value":"Unable to translate bytes [ED] at index 460 from specified code page to Unicode."}}}
On Windows 11.
Used the --log switch (I can't chose a name, I believe by design).
It attempts to create a file:
[+] Logging TeamsPhisher output at: C:\Users\MYUSERNAME/13:11_06Jul23_teamsphisher.log
All that is created is an empty file called "13" - in the correct location. This is just before the illegal character ":"
Hello,
nice work. But I think you need a different url for a non-english tenant.
In a german tenant, for example "Microsoft Teams Chatfiles" does not exist, but "Microsoft Teams Chatdateien" exists.
Maybe you can add an option to specify this, if you find some time.
Also the user domain part from a specified sharepoint server can be different too :
senderDrive = "%s_%s_onmicrosoft_com"
Best regards
mbst83r
Hi i am having issues with file uploading
here is the log
[+] Try to personalize greeting by using targets first name
[-] Sending file link that is accessible by anyone with the link
[-] No delay between messages
[+] Using greeting: Hi, --personalize greeting: Hi ,
[+] Logging TeamsPhisher output at: /root/10-26_06Jul23_teamsphisher.log
Operational mode: Sending phishing messages to targets!
Authenticating, verifying files, and uploading attachment
Fetching Bearer token for Teams............................................[+] SUCCESS!
Fetching Skype token.......................................................[+] SUCCESS!
Fetching sender info.......................................................[+] SUCCESS!
Fetching Bearer token for SharePoint.......................................[+] SUCCESS!
Uploading file: test.txt...................................................[-] Error uploading file: 404
When running the tool, I can successfully authenticate my device, however when the tool gathers the SharePoint bearer token it seems to be adding in a space between the first part of the URL. i.e. my domain is fredbloggs.com, and when getting the token the error shows https://fred bloggs-my.sharepoint.com
Not sure what is causing this though. Any ideas?
I got this error below:
Reading target email list..................................................[+] SUCCESS!
Fetching Bearer token for Teams............................................[-] AADSTS50034: The user account {EmailHidden} does not exist in the 667d9ece-a83f-49d2-9b96-722ed643c25f directory. To sign into this application, the account must be added to the directory.
Trace ID: 05cb4c6d-1567-46da-b272-a069972a4c00
Correlation ID: f0566341-6b34-46d9-a8da-7f83e7817bac
Timestamp: 2023-07-07 02:51:50Z
How can I be successful on authenticating my login account?
OS: Ubuntu 22
Python 3.10.6
Authenticating, verifying files, and uploading attachment
Reading target email list..................................................[+] SUCCESS!
Fetching Bearer token for Teams............................................Traceback (most recent call last):
File "/home/user/TeamsPhisher/teamsphisher.py", line 688, in <module>
bToken, skypeToken, sharepointToken, senderInfo = authenticate(args)
File "/home/user/TeamsPhisher/teamsphisher.py", line 247, in authenticate
bToken = getBearerToken(args.username, args.password, 'https://api.spaces.skype.com/.default')
File "/home/user/TeamsPhisher/teamsphisher.py", line 144, in getBearerToken
result = app.acquire_token_by_username_password(username, password, scopes=[scope])
File "/home/user/.local/lib/python3.10/site-packages/msal/application.py", line 1610, in acquire_token_by_username_password
response = _clean_up(self._acquire_token_by_username_password_federated(
File "/home/user/.local/lib/python3.10/site-packages/msal/application.py", line 1637, in _acquire_token_by_username_password_federated
wstrust_result = wst_send_request(
File "/home/user/.local/lib/python3.10/site-packages/msal/wstrust_request.py", line 60, in send_request
return parse_response(resp.text)
File "/home/user/.local/lib/python3.10/site-packages/msal/wstrust_response.py", line 48, in parse_response
error = parse_error(body)
File "/home/user/.local/lib/python3.10/site-packages/msal/wstrust_response.py", line 52, in parse_error
dom = ET.fromstring(body)
File "/usr/lib/python3.10/xml/etree/ElementTree.py", line 1343, in XML
return parser.close()
xml.etree.ElementTree.ParseError: no element found: line 1, column 0
I do have masl installed
user@dumpster:~/TeamsPhisher$ pip3 install msal
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: msal in /home/user/.local/lib/python3.10/site-packages (1.22.0)
Requirement already satisfied: PyJWT[crypto]<3,>=1.0.0 in /home/user/.local/lib/python3.10/site-packages (from msal) (2.7.0)
Requirement already satisfied: cryptography<43,>=0.6 in /home/user/.local/lib/python3.10/site-packages (from msal) (39.0.2)
Requirement already satisfied: requests<3,>=2.0.0 in /home/user/.local/lib/python3.10/site-packages (from msal) (2.26.0)
Requirement already satisfied: cffi>=1.12 in /home/user/.local/lib/python3.10/site-packages (from cryptography<43,>=0.6->msal) (1.15.1)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in /usr/lib/python3/dist-packages (from requests<3,>=2.0.0->msal) (1.26.5)
Requirement already satisfied: idna<4,>=2.5 in /usr/lib/python3/dist-packages (from requests<3,>=2.0.0->msal) (3.3)
Requirement already satisfied: charset-normalizer~=2.0.0 in /home/user/.local/lib/python3.10/site-packages (from requests<3,>=2.0.0->msal) (2.0.12)
Requirement already satisfied: certifi>=2017.4.17 in /usr/lib/python3/dist-packages (from requests<3,>=2.0.0->msal) (2020.6.20)
Requirement already satisfied: pycparser in /home/user/.local/lib/python3.10/site-packages (from cffi>=1.12->cryptography<43,>=0.6->msal) (2.21)
Line 208 in 4e34fce
I think you can skip the whole looping over users (lines 208-230):
url = f"https://teams.microsoft.com/api/mt/emea/beta/users/{userID}"
response = requests.get(url, headers=headers)
senderInfo = json.loads(response.text)['value']
Always get the following error message. Tried multiple tenants, any idea?
Fetching Bearer token for Teams............................................�[31m[-]
AADSTS50034: The user account {EmailHidden} does not exist in the 03ba08ac-c27d-4d87-8d6b-6f3e22c9aXXX directory. To sign into this application, the account must be added to the directory.
Trace ID: 3aad7c3f-3d6f-4477-801e-ce719deb5XXX
Correlation ID: 813571dc-e6fb-427c-8f53-8179de047XXX
Line 424 in 3d5770f
Why does this line contain references to your sharepoint? This message is sent to victims and contains our sharepoint but also sends your sharepoint URL.
It appears that all the previous steps are successful however, when the file is being uploaded I'm seeing this message "Name or service not known" I'm assuming it is unable to resolve the tenant name? The machine is configured with a proper DNS so I wonder why I'm seeing the below message:
`[+] SUCCESS!
Uploading file: /root/test/text.txt........................................Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 159, in _new_conn
conn = connection.create_connection(
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 61, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 314, in connect
conn = self._new_conn()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 171, in _new_conn
raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f475bdea4f0>: Failed to establish a new connection: [Errno -2] Name or service not known`
Hi, I just fixed this ( error [-] Error sending message + attachment to user: 500 ) by writing again the message on the message.txt file that I originally created.
Could it be that the error was about wrong formatting of the message on my side or its something more random and not user related?
just to know because as I said it seems fixed as of now
PS: i tried using something that JSON cant format like " or \ and the error given back was 400 => the right one btw :)
Hi, first thanks for this tool,
I have an issus for sending messages :
[-] Error fetching sharing link: 400
{"error":{"code":"-21, System.InvalidOperationException","message":{"lang":"fr-FR","value":"Operation is not valid due to the current state of the object."}}}
I guess it's because my system is in French but I don't know why, I have switch my office 365 in english. Do you know how can I resolve that ?
Thanks
After preceding success, the file upload fails with 404.
Hello,
The bug of the upload was supposed to be fixed but i have still the 401 error and i don't understand why.
So I'm trying to replicate what the tool does manually to fully understand what's behind it, also with the help of the articles linked
What I'm trying to do is to add the attachment after sending the message with burp suite.
What's not clear to me is how you came up with the crafting of the body especially the file part in the properties.
On my side I inserted a print to retrieve the body from Teamphisher so I can reuse it on burp
Then I inserted the file part in my intercepted part on burp but as you might guess it's not working and I think I'm doing something wrong
Let me know if you want more info or u want me to reach u privately
.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.