
Token Extraction in Office 365 Environments

Applications in Office 365 use JSON Web Tokens (JWTs) to authenticate and authorize access to different resources hosted in Azure. Extracting these tokens can be critical during Red Team exercises or authorized offensive audits: after the initial compromise of a computer or server, it considerably expands the attack surface and gives access to additional confidential resources and data.

SSL/TLS Traffic Interception

An effective technique for obtaining JWT tokens is SSL/TLS traffic interception. It relies on specialized tools like mitmproxy, custom SSL/TLS certificates, and control over proxy settings on the target machine, which together allow JWT tokens to be captured and analyzed during the exchange between the client application and Azure services.

The capture of tokens directed to the Microsoft Graph API is especially relevant, as they provide extensive access to Office 365 services, such as emails, calendars, OneDrive documents, and much more.
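When a token is known to have been exposed, its audience, scopes and remaining lifetime tell responders what is at risk and for how long. The following is an added example, not code from the original article: the function names and the sample token are constructed for illustration, and the claim names (aud, scp, upn, exp) are the standard ones carried in Azure AD access tokens.

```python
import base64
import json

# Microsoft Graph as it appears in "aud": resource URI or well-known application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def triage_token(token: str, now: int) -> dict:
    """Summarise what an exposed JWT grants. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    aud = str(claims.get("aud", "")).rstrip("/").lower()
    exp = int(claims.get("exp", 0))
    return {
        "audience": aud,
        "is_graph": aud in GRAPH_AUDIENCES,
        "scopes": sorted(str(claims.get("scp", "")).split()),
        "user": claims.get("upn") or claims.get("preferred_username"),
        "expired": exp <= now,
        "seconds_left": max(0, exp - now),
    }


# Constructed sample: placeholder user, scopes and signature, not a real token.
SAMPLE_TOKEN = ".".join([
    b64url_encode({"alg": "RS256", "typ": "JWT"}),
    b64url_encode({"aud": "https://graph.microsoft.com", "upn": "user@example.com",
                   "scp": "Mail.Read Files.ReadWrite.All", "exp": 1700003600}),
    "constructed-signature",
])

if __name__ == "__main__":
    print(triage_token(SAMPLE_TOKEN, now=1700000000))
```

A token that is unexpired and scoped to Graph at the time of discovery is the case that calls for immediate session revocation for the affected user.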

Extraction through Memory Dumping

A complementary technique for obtaining JWT tokens is to perform a memory dump of the active process corresponding to an Office 365 application using tools like ProcDump. By analyzing these dumps, it's possible to identify JWT tokens temporarily stored in memory, facilitating their recovery and subsequent exploitation during authorized offensive testing.

Decryption of Cached Tokens

Office applications also store JWT tokens locally in the cache located at:

%LOCALAPPDATA%\Microsoft\TokenBroker\Cache

These tokens are saved in .TBRES files, protected with DPAPI (Data Protection API).

The WAMBam tool decrypts these stored tokens and extracts them in clear text. This significantly simplifies obtaining and using these tokens in authorized offensive evaluation scenarios.

Important Note: These techniques should be applied exclusively in ethical contexts under explicit authorization. Secra Solutions shares this information for educational purposes only.