Database
The TeamFiltration database keeps track of information such as valid user accounts, previously attempted username and password combinations, valid username and password combinations, retrieved access tokens, and much more. This information is kept not only for later access and an easier reporting process, but also to avoid account lockouts and unnecessary login attempts.
The TeamFiltration database can be accessed interactively using the --database argument:
.\TeamFiltration.exe --outpath DemoClient --config config.json --database
[♥] TeamFiltration VX.X.X PUBLIC, created by @Flangvik @TrustedSec
[+] Args parsed --outpath DemoClient --config config.json --database
[+] Attempting to load database file DemoClient\TeamFiltration.db
[+] Available commands:
show <emails|creds|attempts|summary>
export <emails|creds|attempts|summary> <csv|json> <path>
delete <*|fireprox-id> <fireprox-region>
exit
[?] CMD #>
Once inside the interactive menu, you can show or export information from the database. show will print out a shorter version of the information to the screen, and export will save a full copy of the information to disk.
Show (print out) valid credentials found so far from password spraying
[?] CMD #> show creds
+-------+-----------------------+--------------+-------+-------------------+-----------------------------------+-------------+
| Id | DateTime | Disqualified | Valid | ConditionalAccess | Username | Password |
+-------+-----------------------+--------------+-------+-------------------+-----------------------------------+-------------+
| 33280 | 8/24/2022 3:32:37 PM | False | True | False | [email protected] | Summer2022 |
+-------+-----------------------+--------------+-------+-------------------+-----------------------------------+-------------+
| 64143 | 8/25/2022 6:07:22 PM | False | True | True | [email protected] | Autumn2022 |
+-------+-----------------------+--------------+-------+-------------------+-----------------------------------+-------------+
| 67895 | 8/27/2022 1:46:20 PM | False | True | False | [email protected] | Autumn2022! |
+-------+-----------------------+--------------+-------+-------------------+-----------------------------------+-------------+
| 70489 | 8/28/2022 2:04:41 PM | False | True | True | [email protected] | Autumn2022! |
+-------+-----------------------+--------------+-------+-------------------+-----------------------------------+-------------+
Export valid credentials found so far from password spraying in the csv format into file DemoClient_ValidCredentials.csv
[?] CMD #> export creds csv DemoClient_ValidCredentials.csv
Show (print out) valid emails found so far
[?] CMD #> show emails
+--------------------------------------+--------------------------------------------+--------------------------------------+
| Id | Username | objectId |
+--------------------------------------+--------------------------------------------+--------------------------------------+
| 0003d477-0ac1-d44d-b230-000dce480314 | [email protected] | cc712fac-ab08-48d0-ac3d-5db0157799d1 |
+--------------------------------------+--------------------------------------------+--------------------------------------+
| 0007b1c8-29d4-3501-bcce-32490fd23959 | [email protected] | 67615e8a-9de3-43b2-93ff-ab680b554b84 |
+--------------------------------------+--------------------------------------------+--------------------------------------+
| 0018d044-3cdc-8e2b-92e2-ce9780b24137 | [email protected] | 9f152508-3aa1-4bd9-9f21-1c2022e58cf6 |
+--------------------------------------+--------------------------------------------+--------------------------------------+
| 002ad941-93bc-df0f-bcc3-874c17d96a5c | [email protected] | 040cacb1-99eb-4261-9f54-6fcec4b26497 |
+--------------------------------------+--------------------------------------------+--------------------------------------+
| 002d018a-1580-08c2-cac7-b1cbd248b967 | [email protected] | dbccb9c8-bd31-4861-b6fe-e5b774030fdf |
+--------------------------------------+--------------------------------------------+--------------------------------------+
Export valid emails found in the csv format into file DemoClient_ValidEmails.csv
[?] CMD #> export emails csv DemoClient_ValidEmails.csv
Show (print out) all login attempts (attempted usernames and passwords) so far from password spraying
[?] CMD #> show attempts
+--------+-----------------------+--------------+-------+-------------------+--------------------------------------------+----------------+
| Id | DateTime | Disqualified | Valid | ConditionalAccess | Username | Password |
+--------+-----------------------+--------------+-------+-------------------+--------------------------------------------+----------------+
| 1 | 8/23/2022 11:20:22 AM | False | False | False | [email protected] | Welcome@2022! |
+--------+-----------------------+--------------+-------+-------------------+--------------------------------------------+----------------+
| 2 | 8/23/2022 11:20:22 AM | False | False | False | [email protected] | Welcome@2022! |
+--------+-----------------------+--------------+-------+-------------------+--------------------------------------------+----------------+
| 3 | 8/23/2022 11:20:23 AM | False | False | False | [email protected] | Welcome@2022! |
+--------+-----------------------+--------------+-------+-------------------+--------------------------------------------+----------------+
| 4 | 8/23/2022 11:20:23 AM | False | False | False | [email protected] | Welcome@2022! |
+--------+-----------------------+--------------+-------+-------------------+--------------------------------------------+----------------+
| 5 | 8/23/2022 11:20:24 AM | False | False | False | [email protected] | Welcome@2022! |
+--------+-----------------------+--------------+-------+-------------------+--------------------------------------------+----------------+
| 6 | 8/23/2022 11:20:24 AM | False | False | False | [email protected] | Welcome@2022! |
+--------+-----------------------+--------------+-------+-------------------+--------------------------------------------+----------------+
Export all login attempts (attempted usernames and passwords) so far from password spraying in the csv format into file DemoClient_AllAttempts.csv
[?] CMD #> export attempts csv DemoClient_AllAttempts.csv
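Added example, not part of TeamFiltration or this wiki: the show creds and show attempts tables contain plaintext passwords, so this Python code parses a pasted table and redacts the Password column before the results go into a report. It assumes the console prints fixed-width, aligned columns; the sample rows and all function names are constructed for illustration.

```python
# Constructed sample rows (not real data); columns follow the `show creds` table above.
HEADER = ["Id", "DateTime", "Disqualified", "Valid", "ConditionalAccess", "Username", "Password"]
ROWS = [
    ["1", "8/24/2022 3:32:37 PM", "False", "True", "False", "user1@example.test", "Summer2022"],
    ["2", "8/25/2022 6:07:22 PM", "False", "True", "True", "user2@example.test", "Aut|umn2022"],
    ["3", "8/25/2022 6:07:23 PM", "False", "False", "False", "user3@example.test", "Autumn2022"],
]

def render(header, rows):
    """Build a table in the '+---+' bordered layout (used here for the constructed sample)."""
    widths = [max(len(c) for c in col) for col in zip(header, *rows)]
    bar = "+" + "+".join("-" * (w + 2) for w in widths) + "+"
    line = lambda r: "|" + "|".join(f" {c:<{w}} " for c, w in zip(r, widths)) + "|"
    return "\n".join([bar, line(header), bar] + [x for r in rows for x in (line(r), bar)])

def parse_table(text):
    """Parse a bordered table into dicts. Cells are sliced at the '+' offsets of the
    border line (assumes aligned output), so a '|' inside a password cannot shift columns."""
    lines = [l for l in text.splitlines() if l.strip()]
    border = next(l for l in lines if l.startswith("+"))
    cuts = [i for i, ch in enumerate(border) if ch == "+"]
    cells = [[l[a + 1:b].strip() for a, b in zip(cuts, cuts[1:])]
             for l in lines if l.startswith("|")]
    return [dict(zip(cells[0], row)) for row in cells[1:]]

def redact(records, secret_fields=("Password",)):
    """Return copies of the records with secret fields replaced for reporting."""
    return [{k: ("<redacted>" if k in secret_fields else v) for k, v in r.items()}
            for r in records]

def summarize(records):
    """Counts for the report; the flags are read as the strings the table prints."""
    valid = [r for r in records if r["Valid"] == "True"]
    return {
        "rows": len(records),
        "valid": len(valid),
        "valid_conditional_access": sum(r["ConditionalAccess"] == "True" for r in valid),
        "accounts": sorted({r["Username"] for r in valid}),
    }

SAMPLE = render(HEADER, ROWS)

if __name__ == "__main__":
    safe = redact(parse_table(SAMPLE))
    print(render(HEADER, [[r[k] for k in HEADER] for r in safe]))
    print(summarize(parse_table(SAMPLE)))
```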
Show (print out) a summary of your password spraying attempts
[?] CMD #> show summary
+-----------------------+-----------------------+----------------+-------------+------------+
| StartTime | StopTime | Password | SuccesCount | TotalCount |
+-----------------------+-----------------------+----------------+-------------+------------+
| 8/23/2022 11:20:22 AM | 8/23/2022 11:40:44 AM | Welcome@2022! | 0 | 3761 |
+-----------------------+-----------------------+----------------+-------------+------------+
| 8/23/2022 12:59:59 PM | 8/23/2022 1:25:38 PM | Summer2022 | 1 | 3761 |
+-----------------------+-----------------------+----------------+-------------+------------+
| 8/23/2022 7:57:14 PM | 8/23/2022 8:24:16 PM | Welcome2022 | 0 | 3761 |
+-----------------------+-----------------------+----------------+-------------+------------+
| 8/23/2022 9:36:14 PM | 8/23/2022 9:57:34 PM | Welcome123! | 0 | 3742 |
+-----------------------+-----------------------+----------------+-------------+------------+
| 8/23/2022 10:09:17 PM | 8/23/2022 11:43:41 PM | Autumn2022 | 1 | 3742 |
+-----------------------+-----------------------+----------------+-------------+------------+
| 8/24/2022 1:02:30 AM | 8/24/2022 1:37:29 AM | Autumn2022! | 2 | 3742 |
+-----------------------+-----------------------+----------------+-------------+------------+
| 9/1/2022 10:04:36 AM | 9/1/2022 10:20:09 AM | April2022 | 0 | 3710 |
+-----------------------+-----------------------+----------------+-------------+------------+
Export a summary of your password spraying attempts in the csv format into file DemoClient_SprayingSummary.csv
[?] CMD #> export summary csv DemoClient_SprayingSummary.csv
If TeamFiltration was unable to remove a created FireProx instance automatically (say, after a software crash or forced stop), the database fireprox command can be used to show FireProx endpoints.
[?] CMD #> show fireprox
+----+---------------------+---------------------------------------------------------------------+------------+--------+---------+------------------------------------+--------------+
| Id | DateTime | FireProxURL | RestApiId | Active | Deleted | URL | Region |
+----+---------------------+---------------------------------------------------------------------+------------+--------+---------+------------------------------------+--------------+
| 1 | 23.01.2023 12:55:00 | https://XXXXXXXXXX.execute-api.ca-central-1.amazonaws.com/fireprox/ | XXXXXXXXXX| True | False | https://teams.microsoft.com/api/mt | ca-central-1 |
+----+---------------------+---------------------------------------------------------------------+------------+--------+---------+------------------------------------+--------------+
You can also delete FireProx instances given their RestApiId and region.
[?] CMD #> delete XXXXXXXXXX ca-central-1
[FIREPROX] 23.01.2023 14:25:04 EST Deleted endpoint https://XXXXXXXXXX.execute-api.ca-central-1.amazonaws.com/fireprox/