TokenLook ‐ TokenExtract
vrikodar edited this page Jun 22, 2026 · 10 revisions
- The method of extracting JWT tokens from Outlook app memory has already been highlighted before: https://mrd0x.com/stealing-tokens-from-office-applications/
- For our purpose, we created a simple `C#` program that uses the legitimate Process Dump binary from Microsoft in combination with custom parsing to extract tokens from the Outlook process memory.
- The Process Dump binary can be downloaded from https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
- This version of the program is a simple extractor that works in the following steps:
  - The program first looks for `ProcessDump.exe` in the current directory.
  - Once the Process Dump binary is found, the program looks for the PID of the running Outlook app.
  - During testing it was found that the Outlook app on Windows can run as either `OUTLOOK.exe` or `otlk.exe`.
  - Hence the program falls back to `otlk.exe` if `OUTLOOK.exe` is not found.
  - Once the process ID is found, the program executes ProcessDump against the Outlook process ID to create a full memory dump.
  - The memory dump is saved to the current user's APPDATA directory.
  - The memory dump is then parsed chunk by chunk to extract human-readable strings, which are saved to a TXT file locally.
  - JWT tokens can be extracted from the TXT file by searching for the pattern `eyJ0`.
- From the extracted JWT tokens, we are looking for a JWT token which on decoding has the "aud" value set to `https://outlook.office.com` or `https://outlook.office365.com`
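For defenders, the steps above leave a process-creation trail: a dump tool started with an Outlook PID as its argument. The following is an added detection sketch, not code from this project; the event fields are simplified from Sysmon Event ID 1, the sample events are constructed, and the `procdump` OriginalFileName value is an assumption.

```python
import re
from pathlib import PureWindowsPath

OUTLOOK_IMAGES = {"outlook.exe", "otlk.exe"}  # both process names given on this page
# File-name stems to match; "procdump" as OriginalFileName is an assumption.
DUMP_TOOL_STEMS = {"procdump", "procdump64", "processdump"}

# Constructed events in time order (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4312, "image": r"C:\Office\OUTLOOK.EXE", "original_name": "Outlook.exe",
     "cmdline": "OUTLOOK.EXE"},
    {"pid": 5120, "image": r"C:\Apps\otlk.exe", "original_name": "otlk.exe",
     "cmdline": "otlk.exe"},
    {"pid": 7720, "image": r"C:\Users\alice\Desktop\ProcessDump.exe",
     "original_name": "procdump", "cmdline": "ProcessDump.exe -ma 4312 outlook.dmp"},
    {"pid": 7804, "image": r"C:\Users\alice\Desktop\helper.exe",
     "original_name": "procdump", "cmdline": "helper.exe -ma 5120 o.dmp"},
    {"pid": 7900, "image": r"C:\Tools\procdump64.exe",
     "original_name": "procdump", "cmdline": "procdump64.exe -ma 900 app.dmp"},
    {"pid": 8001, "image": r"C:\Windows\notepad.exe",
     "original_name": "NOTEPAD.EXE", "cmdline": "notepad.exe 4312"},
]

def _stem(path):
    return PureWindowsPath(path).stem.lower()

def is_dump_tool(ev):
    # OriginalFileName comes from the PE version resource, so it survives a rename.
    return bool({_stem(ev["image"]), _stem(ev.get("original_name", ""))} & DUMP_TOOL_STEMS)

def find_outlook_dumps(events):
    """Return dump-tool launches whose arguments name a known Outlook PID or image."""
    outlook_pids, alerts = {}, []
    for ev in events:
        name = PureWindowsPath(ev["image"]).name.lower()
        if name in OUTLOOK_IMAGES:
            outlook_pids[str(ev["pid"])] = name  # remember PID -> Outlook image
        elif is_dump_tool(ev):
            for arg in re.findall(r'[^\s"]+', ev["cmdline"])[1:]:
                target = outlook_pids.get(arg) or (arg.lower() if arg.lower() in OUTLOOK_IMAGES else None)
                if target:
                    alerts.append({"pid": ev["pid"], "image": ev["image"], "target": target})
                    break
    return alerts

if __name__ == "__main__":
    for alert in find_outlook_dumps(SAMPLE_EVENTS):
        print(alert)
```

The sketch does not track process exits, so a production rule would also expire PIDs on termination events to avoid matches caused by PID reuse.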