rvrsh3ll / tokentactics Goto Github PK
View Code? Open in Web Editor NEWAzure JWT Token Manipulation Toolset
License: BSD 3-Clause "New" or "Revised" License
tokentactics's People
Contributors
Stargazers
Watchers
Forkers
invokethreatguy f-bader dviros fuckup1337 boku7 0xsv1 austinmac56 macagr squirrelhermit robdyke bbhunter realmaxbacon init5-sf askyeye chaos-monkey-island r0secr01x beerandgin jermainlaforce 5l1v3r1 zha0 righteousgambit gavz pwnpy fancysauced pawp81 lunarobliq houssamhammoudi fuzzyun1c0rn justinforbes secanalyst v4nyl digitalarche autochampion djhohnstein thelivestep startagain2016 superuser5 rawsgit duemaster eabasguliyev rootsecdev prsood thekevinwang tailopez147 cheahengsoon redbyte1337 anonimo501 lulzzz virtual-shaolin servomekanism tuxsaporo scs-labrat benatsb pentest01 nckiwourf tigr0w rotarydrone slooppe 0xfl0ki razvialex lleon1435 op0ssum red-infosec sabu-coder mellonaut rybaz mcfreeman dmore jevxtn wikihacker eaagteam neithersound antonybwana josehelps d4op i3i4 day-assassin jaikumar3 cydewinder wh1t3rh1n0 tucommenceapousser emadyay robinfassinamoschiniforks 0i41e adamcysec wisdark naitsirhc41tokentactics's Issues
Issues with Open-OWAMailboxInBrowser not working
I've been trying to use the Open-OWAMailboxInBrowser command, but I can't seem to get it to work for me. Is it possible that this doesn't work in some environments? Or did something change recently that made it stop working?
Steps followed
RefreshTo-OutlookToken -refreshToken $refresh_token -domain example.com -Device Windows -Browser Chrome
Open-OWAMailboxInBrowser -AccessToken $OutlookToken.access_token -Resource Outlook -Device Windows -Browser Chrome
# Or
RefreshTo-SubstrateToken -refreshToken $refresh_token -domain example.com -Device Windows -Browser Chrome
Open-OWAMailboxInBrowser -AccessToken $SubstrateToken.access_token -Device Windows -Browser ChromeThen I copy the response to a burp window with the correct target (either https://Outlook.office.com or https://Substrate.office.com)
GET /owa/ HTTP/2
Host: Outlook.office.com
Authorization: Bearer eyJ0eXAiOi....
or
GET /owa/ HTTP/2
Host: Substrate.office.com
Authorization: Bearer eyJ0eXAi.....
Sending this request returns the following response:
HTTP/2 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 625
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /owa/auth/errorfe.aspx?httpCode=500&msg=641346049&owaError=Microsoft.Exchange.Diagnostics.ExAssertException&owaVer=15.20.5373.17&be=DB3PR0102MB3660&ts=133006360481895636&fe=DB8PR03CA0010&reqid=77d03...28&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=EURPR01DG229&forest=eurprd01.prod.exchangelabs.com&te=0&refurl=https%3a%2f%2fsubstrate.office.com%3a444%2fowa%2f&hmac=t3XkHy0wTiUvSRckM-EGWjJKvmvS3cTBx1deWVvYaNY.
Server: Microsoft-IIS/10.0
Request-Id: 77d0368c-6d53-d194-5986-ce5f9674da28
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Alt-Svc: h3=":443",h3-29=":443"
X-Calculatedfetarget: DB8PR03CU001.internal.outlook.com
X-Backendhttpstatus: 302
P3p: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ClientId=EAE9FD...; expires=Sun, 25-Jun-2023 13:07:28 GMT; path=/; secure
Set-Cookie: ClientId=EAE9FD...; expires=Sun, 25-Jun-2023 13:07:28 GMT; path=/; secure
Set-Cookie: OIDC=1; expires=Sun, 25-Dec-2022 13:07:28 GMT; path=/; secure; HttpOnly
Set-Cookie: SuiteServiceProxyKey=xoiN+gtbN...BlRA==; path=/; secure
Set-Cookie: ClientId=EAE9FD...; expires=Sun, 25-Jun-2023 13:07:28 GMT; path=/; secure
Set-Cookie: OIDC=1; expires=Sun, 25-Dec-2022 13:07:28 GMT; path=/; secure; HttpOnly
Set-Cookie: SuiteServiceProxyKey=xoiN+gtbN...BlRA==; path=/; secure
Set-Cookie: X-OWA-RedirectHistory=Agm6S...; expires=Sat, 25-Jun-2022 19:09:28 GMT; path=/; secure; HttpOnly
X-Calculatedbetarget: DB3PR0102MB3660.eurprd01.prod.exchangelabs.com
X-Backendhttpstatus: 302
X-Rum-Validated: 1
X-Content-Type-Options: nosniff
X-Besku: WCS5
X-Owa-Userid: 7484...
X-Ms-Appid: d3590ed6-52b3-4102-aeff-aad2292ab01c
Restrict-Access-Confirm: 1
X-Owa-Error: Microsoft.Exchange.Diagnostics.ExAssertException
X-Owa-Error: Microsoft.Exchange.Diagnostics.ExAssertException
X-Owa-Diagnosticsinfo: 48;3;0
X-Iids: 0
X-Backend-Begin: 2022-06-25T13:07:28.158
X-Backend-End: 2022-06-25T13:07:28.205
X-Diaginfo: DB3PR0102MB3660
X-Beserver: DB3PR0102MB3660
X-Ua-Compatible: IE=EmulateIE7
X-Proxy-Routingcorrectness: 1
X-Proxy-Backendserverstatus: 302
X-Feproxyinfo: PR0P264CA0056.FRAP264.PROD.OUTLOOK.COM
X-Feefzinfo: CDG
X-Feserver: DB8PR03CA0010
Report-To: {"group":"NelOfficeUpload1","max_age":7200,"endpoints":[{"url":"https://exo.nel.measure.office.net/api/report?TenantId=92d54...&FrontEnd=Cafe&DestinationEndpoint=CDG"}],"include_subdomains":true}
Nel: {"report_to":"NelOfficeUpload1","max_age":7200,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}
X-Firsthopcafeefz: CDG
X-Feserver: PR0P264CA0056
Date: Sat, 25 Jun 2022 13:07:27 GMT
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/owa/auth/errorfe.aspx?httpCode=500&msg=641346049&owaError=Microsoft.Exchange.Diagnostics.ExAssertException&owaVer=15.20.5373.17&be=DB3PR0102MB3660&ts=133006360481895636&fe=DB8PR03CA0010&reqid=77d0368...9674da28&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=EURPR01DG229&forest=eurprd01.prod.exchangelabs.com&te=0&refurl=https%3a%2f%2fsubstrate.office.com%3a444%2fowa%2f&hmac=t3XkHy0wTiUvSRckM-EGWjJKvmvS3cTBx1deWVvYaNY.">here</a>.</h2>
</body></html>
Then I right click the response to open it in the browser, open the burp proxy browser and paste the link in a new incognito window. This results in the intended HTTP 500 error page displaying "Something went wrong."
But if I refresh the page, I end up on
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2fsubstrate.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=a8a3f4...&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=...&state=...
Which is the Microsoft online login prompt requesting for an email address and password.
Checking the HTTP traffic in burp that happened when the refresh button was clicked shows the following request first:
GET /owa/auth/errorfe.aspx?httpCode=500&msg=641346049&owaError=Microsoft.Exchange.Diagnostics.ExAssertException&owaVer=15.20.5373.17&be=DB3PR0102MB3660&ts=133006362193798976&fe=DU2PR04CA0267&reqid=9dd6e6c4-90c0-0947-90c8-0bfadf6f10cb&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=EURPR01DG229&forest=eurprd01.prod.exchangelabs.com&te=0&refurl=https%3a%2f%2foutlook.office.com%3a444%2fowa%2f&hmac=XHvuU5ulX5eXn2m3b3lMGHQoCEx7sFv-FLtnoZW90-k. HTTP/2
Host: substrate.office.com
Cookie: ClientId=686BA...; OIDC=1; SuiteServiceProxyKey=AyJQsSj...WEg==; X-OWA-RedirectHistory=Agm6...
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Referer: http://burpsuite/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
The response is the HTTP 500 error page:
HTTP/2 500 Internal Server Error
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 63813
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
Request-Id: 7ea042....
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Owa-Error: Microsoft.Exchange.Diagnostics.ExAssertException
X-Owa-Version: 15.20.5373.17
X-Feserver: DU2PR04CA0267
X-Beserver: DB3PR0102MB3660
X-Content-Type-Options: nosniff
X-Request-Url: https://substrate.office.com/owa/auth/errorfe.aspx?httpCode=500&msg=641346049&owaError=Microsoft.Exchange.Diagnostics.ExAssertException&owaVer=15.20.5373.17&be=DB3PR0102MB3660&ts=133006362193798976&fe=DU2PR04CA0267&reqid=9dd6e6c4-90c0-0947-90c8-0bfadf6f10cb&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=EURPR01DG229&forest=eurprd01.prod.exchangelabs.com&te=0&refurl=https%3a%2f%2foutlook.office.com%3a444%2fowa%2f&hmac=XHvuU5ulX5eXn2m3b3lMGHQoCEx7sFv-FLtnoZW90-k.
X-Aspnet-Version: 4.0.30319
Set-Cookie: AriaEx=ExAssertException; expires=Sat, 25-Jun-2022 13:11:29 GMT; path=/; secure; HttpOnly
X-Feproxyinfo: PR0P264CA0062.FRAP264.PROD.OUTLOOK.COM
X-Feefzinfo: CDG
X-Powered-By: ASP.NET
Date: Sat, 25 Jun 2022 13:10:29 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<!-- Copyright (c) 2011 Microsoft Corporation. All rights reserved. -->
<!-- OwaPage = ASP.auth_errorfe_aspx -->
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=10" />
<meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8">
<title>Error</title>
...
<div class="errorHeader">500</div>
<div class="errorSubHeader">Something went wrong.</div>
<div class="errorSubHeader2"></div>
<div class="errorDetails">An unexpected error occurred and your request couldn't be handled.</div>
<div class="refreshPage">
<button class="refreshPageButton" onclick="refreshPage();">
<span class="refreshButtonText">Refresh the page</span>
</button>
</div>
...Then, the following POST request is send:
POST /owa/plt1.ashx?off=0&PLT=now,0&msg=FormErr&cid=686BA00...8&reqid=9dd6...&fe=DU2PR04CA0267&be=DB3PR0102MB3660&cbe=&tg=&MDB=&pal=0 HTTP/2
Host: substrate.office.com
Cookie: ClientId=686BA00...; OIDC=1; SuiteServiceProxyKey=AyJQsSjL...Eg==; X-OWA-RedirectHistory=Agm6S...; AriaEx=ExAssertException
Content-Length: 53
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Content-Type: text/plain;charset=UTF-8
X-Owa-Plt-Info: &Err=Microsoft.Exchange.Diagnostics.ExAssertException
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://substrate.office.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://substrate.office.com/owa/auth/errorfe.aspx?httpCode=500&msg=641346049&owaError=Microsoft.Exchange.Diagnostics.ExAssertException&owaVer=15.20.5373.17&be=DB3PR0102MB3660&ts=133006362193798976&fe=DU2PR04CA0267&reqid=9dd6e...b&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=EURPR01DG229&forest=eurprd01.prod.exchangelabs.com&te=0&refurl=https%3a%2f%2foutlook.office.com%3a444%2fowa%2f&hmac=XHvuU5ulX5eXn2m3b3lMGHQoCEx7sFv-FLtnoZW90-k.
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
&Err=Microsoft.Exchange.Diagnostics.ExAssertException
With the following response:
HTTP/2 401 Unauthorized
Server: Microsoft-IIS/10.0
Request-Id: d337b858-e681-8911-ceca-8ef206956d4c
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Alt-Svc: h3=":443",h3-29=":443"
X-Calculatedfetarget: MR1P264CU004.internal.outlook.com
X-Backendhttpstatus: 401
Set-Cookie: RoutingKeyCookie=; expires=Thu, 25-Jun-1992 13:10:32 GMT; path=/; secure
Set-Cookie: HostSwitchPrg=; expires=Thu, 25-Jun-1992 13:10:32 GMT; path=/; secure
Set-Cookie: OptInPrg=; expires=Thu, 25-Jun-1992 13:10:32 GMT; path=/; secure
Www-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize"
X-Calculatedbetarget: MR1P264MB2929.FRAP264.PROD.OUTLOOK.COM
X-Backendhttpstatus: 401
X-Rum-Validated: 1
X-Content-Type-Options: nosniff
X-Besku: WCS6
X-Owa-Diagnosticsinfo: 0;0;0
X-Iids: 0
X-Backend-Begin: 2022-06-25T13:10:32.450
X-Backend-End: 2022-06-25T13:10:32.450
X-Diaginfo: MR1P264MB2929
X-Beserver: MR1P264MB2929
X-Ua-Compatible: IE=EmulateIE7
X-Proxy-Routingcorrectness: 1
X-Proxy-Backendserverstatus: 401
X-Feproxyinfo: PR0P264CA0062.FRAP264.PROD.OUTLOOK.COM
X-Feefzinfo: CDG
X-Feserver: MR1P264CA0085
Report-To: {"group":"NelOfficeUpload1","max_age":7200,"endpoints":[{"url":"https://exo.nel.measure.office.net/api/report?TenantId=&FrontEnd=Cafe&DestinationEndpoint=CDG"}],"include_subdomains":true}
Nel: {"report_to":"NelOfficeUpload1","max_age":7200,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}
X-Firsthopcafeefz: CDG
X-Feserver: PR0P264CA0062
Date: Sat, 25 Jun 2022 13:10:32 GMT
Content-Length: 0
After that, the following request is sent:
GET / HTTP/2
Host: substrate.office.com
Cookie: ClientId=686BA...; OIDC=1; SuiteServiceProxyKey=AyJQs...WEg==; X-OWA-RedirectHistory=Agm6...; AriaEx=ExAssertException
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://burpsuite/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
With the following response:
HTTP/2 302 Found
Cache-Control: no-cache
Pragma: no-cache
Location: https://substrate.office.com/owa/
Server: Microsoft-IIS/10.0
Request-Id: a8a3e1f9-3eaa-acd4-22bc-0965ff1cd4aa
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Feserver: PR0P264CA0062
X-Requestid: a7d61ba0-e0e7-4d18-84f0-515c04a2c663
X-Feproxyinfo: PR0P264CA0062.FRAP264.PROD.OUTLOOK.COM
X-Feefzinfo: CDG
Ms-Cv: +eGjqKo+1KwivAll/xzUqg.0
X-Powered-By: ASP.NET
X-Feserver: PR0P264CA0062
Date: Sat, 25 Jun 2022 13:10:35 GMT
Content-Length: 0
After which the browser follows the redirect and requests:
GET /owa/ HTTP/2
Host: substrate.office.com
Cookie: ClientId=686BA0...; OIDC=1; SuiteServiceProxyKey=AyJQs...WEg==; X-OWA-RedirectHistory=Agm...; AriaEx=ExAssertException
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Referer: http://burpsuite/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
With the following response to redirect the browser to login.microsoft.com:
HTTP/2 302 Found
Content-Length: 784
Content-Type: text/html; charset=utf-8
Location: https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2fsubstrate.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=a88b6...&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=63791759...&state=DcuxFYAwC...
Server: Microsoft-IIS/10.0
Request-Id: a88b6...
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Alt-Svc: h3=":443",h3-29=":443"
X-Calculatedfetarget: MRXP264CU001.internal.outlook.com
X-Backendhttpstatus: 302
P3p: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: RoutingKeyCookie=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.token.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.token.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.id_token.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.code.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_nonce.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_correlation_id=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.tokenPostPath=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.id_token.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.code.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_nonce.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_correlation_id=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.tokenPostPath=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.nonce.v3._mqEJL_-TPei...4=637917...789a1d65; expires=Sat, 25-Jun-2022 14:10:36 GMT; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: HostSwitchPrg=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OptInPrg=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: SuiteServiceProxyKey=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: RoutingKeyCookie=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.token.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.token.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.id_token.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.code.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_nonce.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_correlation_id=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.tokenPostPath=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.id_token.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.code.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_nonce.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_correlation_id=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.tokenPostPath=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.nonce.v3._mqEJL_-TPeiEa...Iz4=637917594...d65; expires=Sat, 25-Jun-2022 14:10:36 GMT; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: HostSwitchPrg=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OptInPrg=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: SuiteServiceProxyKey=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: X-OWA-RedirectHistory=ArLym...2gg; expires=Sat, 25-Jun-2022 19:12:36 GMT; path=/;SameSite=None; secure; HttpOnly
X-Calculatedbetarget: MRZP264MB2394.FRAP264.PROD.OUTLOOK.COM
X-Backendhttpstatus: 302
X-Rum-Validated: 1
X-Content-Type-Options: nosniff
X-Besku: WCS6
X-Owa-Diagnosticsinfo: 1;0;0
X-Iids: 0
X-Backend-Begin: 2022-06-25T13:10:36.075
X-Backend-End: 2022-06-25T13:10:36.075
X-Diaginfo: MRZP264MB2394
X-Beserver: MRZP264MB2394
X-Ua-Compatible: IE=EmulateIE7
X-Proxy-Routingcorrectness: 1
X-Proxy-Backendserverstatus: 302
X-Feproxyinfo: PR0P264CA0062.FRAP264.PROD.OUTLOOK.COM
X-Feefzinfo: CDG
X-Feserver: MRXP264CA0015
Report-To: {"group":"NelOfficeUpload1","max_age":7200,"endpoints":[{"url":"https://exo.nel.measure.office.net/api/report?TenantId=&FrontEnd=Cafe&DestinationEndpoint=CDG"}],"include_subdomains":true}
Nel: {"report_to":"NelOfficeUpload1","max_age":7200,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}
X-Firsthopcafeefz: CDG
X-Feserver: PR0P264CA0062
Date: Sat, 25 Jun 2022 13:10:35 GMT
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2fsubstrate.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=a88b6...401e&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=63791...a1d65&state=DcuxF...36g8">here</a>.</h2>
</body></html>Other techniques do work
There is nothing wrong with the access or refresh tokens as any other technique does seem to work without any issues.
For example:
RefreshTo-MSGraphToken -refreshToken $refresh_token -domain example.com -Device Windows -Browser Chrome
Dump-OWAMailboxViaMSGraphApi -AccessToken $MSGraphToken.access_token -mailFolder inbox -top 5 -Device Windows -Browser ChromeThis shows me the last 5 mails from the user's mailbox without problems.
P.S. very nice tool by the way!
Capture Token via device code phishing
Hi,
Are you aware of scenarios where it's not possible to capture via the dynamic device code phishing technique ? I've setup everything and tested it using an Office365 account I have - token was captured correctly. I then tried it again with an org Office365 account but it's not capture properly.. Any ideas ?
User code displayed by Microsoft and processed by capturetokenphish.py don't match
I was hoping you could enlighten me on the whole process - as I'm a bit confused and I'm trying to troubleshoot why some tokens are not captured.
The device code that gets displayed to the target user (using the 'Azure-App-Tools' template) is different from the code that gets generated by capturetokenphish.ps1 on the Azure server (tailing nohup.out). Is that normal ? I would have thought it’s meant to be the same.
Looking at the workflow - it first grabs the code from Microsoft directly (this is where the CORS anywhere server comes in handy), then use the returned response to populate the page that’s displayed to the user (data.message).
Then it sends the verification code to https://..cloudapp.azure.com/?id=, which was deployed using deploycaptureserver.ps1. At the end, I'm not sure what capturetokenphish.ps1 does with this.
However, when I manually send the verification code to the cloudapp host, the user/device code shown in nohup.out doesn’t map to what was provided by Microsoft initially.
Forge-UserAgent : The term 'Forge-UserAgent' is not recognized as the name of a cmdlet, function, script file, or operable program.
When executing Invoke-DumpOWAMailboxViaMSGraphApi getting:
Forge-UserAgent : The term 'Forge-UserAgent' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\me\OneDrive\Pulpit\device_code\TokenTactics\modules\OutlookEmailAbuse.ps1:108 char:30
+ $UserAgent = Forge-UserAgent -Device $Device
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Forge-UserAgent:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Invoke-RestMethod : Object reference not set to an instance of an object.
At C:\Users\me\OneDrive\Pulpit\device_code\TokenTactics\modules\OutlookEmailAbuse.ps1:133 char:21
+ ... $response = Invoke-RestMethod -Uri $url -ContentType "application/jso ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-RestMethod], NullReferenceException
+ FullyQualifiedErrorId : System.NullReferenceException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
RefreshTo-Refresh
I wonder if something like “RefreshTo-Refresh” function would be viable? (thus offering a way of persistence by using a refresh token to issue a new refresh token)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.