Flangvik/TeamFiltration

Enum using --validate-teams does not work

It seems that the Teams-based validation of user accounts does not work anymore.
It always fails with Pre-Enum sanity check failed, cannot enum this tenant!

Example

./TeamFiltration --outpath ./TFOUT2 --config TeamFiltrationConfig.json --enum --validate-teams --usernames userlist.txt --debug http://127.0.0.1
[...]
[♥] TeamFiltration V3.5.4 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --outpath ./TFOUT2 --config TeamFiltrationConfig.json --enum --validate-teams --usernames userlist.txt --debug http://127.0.0.1
[ENUM] 5/21/2024 1:52:48 AM EST Filtering out previusly attempted accounts
[ENUM] 5/21/2024 1:52:49 AM EST Enumerating 23 possible accounts, this will take ~0 minutes
[ENUM] 5/21/2024 1:52:51 AM EST Successfully got Teams token for sacrificial account
[ENUM] 5/21/2024 1:52:52 AM EST Loaded 23 usernames
[FIREPROX] 5/21/2024 1:52:53 AM EST Created endpoint https://xxxxxx.execute-api.eu-west-2.amazonaws.com/fireprox/
[ENUM] 5/21/2024 1:52:55 AM EST ThisUserShouldNotExist@xxxx.com valid!
[ENUM] 5/21/2024 1:52:55 AM EST Pre-Enum sanity check failed, cannot enum this tenant!
[FIREPROX] 5/21/2024 1:52:55 AM EST Deleted endpoint https://xxxxxx.execute-api.eu-west-2.amazonaws.com/fireprox/

Intercepting the request in Burp shows that the request is answered with HTTP 403 Forbidden:

GET /fireprox/amer/beta/users/ThisUserShouldNotExist@xxxx.com/externalsearchv3 HTTP/1.1
Host: xxxxxx.execute-api.eu-west-2.amazonaws.com
Authorization: Bearer eyJ0[...]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36
x-ms-client-caller: x-ms-client-caller
x-ms-client-version: 27/1.0.0.2021011237
Referer: https://teams.microsoft.com/_
ClientInfo: [...]
Authentication: skypetoken=eyJh[...]
X-Skypetoken: eyJh[...]

Response:

HTTP/2 403 Forbidden
Date: Tue, 21 May 2024 05:52:55 GMT
[...]
{"errorCode":"Forbidden"}

When using --validate-msol, for example, it works as expected:

./TeamFiltration --outpath ./TFOUT1 --config TeamFiltrationConfig.json --enum --validate-msol --usernames userlist.txt --debug http://127.0.0.1
[...]
[♥] TeamFiltration V3.5.4 PUBLIC, created by @Flangvik at @TrustedSec
[+] Args parsed --outpath ./TFOUT1 --config TeamFiltrationConfig.json --enum --validate-msol --usernames userlist.txt --debug http://127.0.0.1
[ENUM] 5/21/2024 1:48:01 AM EST Filtering out previusly attempted accounts
[ENUM] 5/21/2024 1:48:03 AM EST Warning, this method may give some false positive accounts
[ENUM] 5/21/2024 1:48:03 AM EST Enumerating 23 possible accounts, this will take ~0 minutes
[FIREPROX] 5/21/2024 1:48:05 AM EST Created endpoint https://xxxx.execute-api.eu-north-1.amazonaws.com/fireprox/
[ENUM] 5/21/2024 1:48:09 AM EST [...] valid!
[ENUM] 5/21/2024 1:48:09 AM EST [...] valid!
[...]
[FIREPROX] 5/21/2024 1:48:10 AM EST Deleted endpoint https://xxxx.execute-api.eu-north-1.amazonaws.com/fireprox/

I tried various tenants (one of which has all default settings applied) and ensured that the sacrificial user can use MS Teams and that MFA is disabled.
Maybe Microsoft changed something so that this method cannot be used anymore?