Skip to content

TokenLook ‐ TokenUse

Jump to bottom
vrikodar edited this page Jun 21, 2026 · 29 revisions

Introduction

This directory inside the main repository contains source code files and configuration files, which will use the JWT tokens to perform mail related actions.

The main.py file

  • This is the main source file which calls multiple methods and functions which are implemented in the tokenlook.py file
  • The file is intended for the command line interface of the tool, and currently takes no command line arguments

The tokenlook.py file

  • Source code implementing most API methods of the Outlook REST API.
  • Also implements other misc functions used in the main.py file
  • This file has reusable classes and functions, they will also be used in the app.py, which is the WebUI version of the tool

The app.py file

  • WebUI implementation of the TokenLook tool

The tokenlook_config.json configuration file

  • The example structure of the JSON configuration is below
{
  "current_jwt": ["JWT-VALUE1", "JWT-VALUE2"],
  "data_dir": "local_data",
  "proxy": ["http://127.0.0.1:8080", "PROXY2", "PROX3"],
  "mail_numb": 10,
  "keyword_search": ["pass", "username", "credentials", "key"]
}
  • current_jwt : specify single or multiple JWT token values, the token values could be for different user accounts
  • data_dir: specify the directory path to which the tool will save emails extracted in JSON format, as well as attachments extracted on demand
  • proxy: specify the proxy to tunnel traffic through, leave empty to avoid using any proxy. Useful for debugging traffic, by using proxies such as BurpSuite
  • mail_num: specify the maximum number of emails to extract, minimum value requirement is 10. Note that the tool extracts the emails universally, without specifying any specific folder such as Inbox or DRAFT. The maximum number specified here will be extracted globally, combined from all folders.
  • keyword_search: specify a list of words to search inside the extracted emails, useful for scenarios such as looking for clear text credentials inside email content

Example execution

  • When the tool is run for the first time, it will start with each JWT token present in the current_jwt list in the config file.
  • For each JWT user context, the tool will extract the maximum number of emails specified by the mail_numb in the config file and then run the Send-Email --> Key-Search menus.
  • If there are multiple JWT user contexts the flow is repeated for each user context.
    • In a future update, we will add initial check, which will loop through all JWT tokens present in the list, provide user with option to select the user context to use and then it will run the remaining flow including Send-Email and Key-Search menu against that particular user context.
  • For all the extracted email a local JSON copy is made, prefixed the message ID of the mail, if the email content type is HTML, the tool also saves the email as HTML file, for conveniently viewing it in browser.
  • Below is an image showcasing the tool run with a single JWT user context present in the current_jwt list and proxy config specified as http://127.0.0.1:8080

Example execution 1

  • The image below showcases the scenario when the maximum number of emails have been extracted, the user is asked if the user wants to execute the Send-Email menu.
    • Selecting Y/y will open the Send-Email menu under the current JWT user context
    • Selecting N/n will automatically move to next JWT user context (if available) and start the specified maximum number of email extraction, and prompt for the Send-Email menu. This cycle continues for all the JWT contexts

Example exec 2

The Send-Email menu

Send-Email Menu

  • Once the tool is finished extracting the maximum number of emails specified in the config file for all the JWT user contexts
  • It will automatically run the Send-Email menu
  • The Send-Email menu is what allows the user to perform various mail related action
  • Currently the menu has 18 options out of which 16 are mail related activities

Send Email without attachment - Menu option1

  • This menu option lets the user send an email without attachment.
  • currently this option, only supports specifying one recipient at a time, in future we will update this feature to take a list of recipients or multiple recipients
  • When this menu option is selected by the user, It prompts the user to answer some questions, as shown in the image below

Send-Email Menu Opt1

  • The user is asked to input following: 1.) The subject of the email to send 2.) The content type to send 3.) The content body to send (depending on the content type) 4.) The recipient email 5.) Choose, whether to save the email in JWT context user's sent mailbox or not (True/False), note that choosing False, will result in email not showing anywhere in the JWT user context (The sent email will basically be invisible to the JWT context user in their outlook app).

  • For the 2nd option Content Type the tool operator can either select Text or HTML

  • Selecting Text, prompts the tool operator to type in the email, only when the operator enters end-of-body and presses enter, the content body is considered finished.

  • Selecting HTML prompts the operator to type in the PATH of the HTML file to be sent as email content, good for internal phishing emails and scenarios such as, trying to make your emails look like legitimate document shares on "SharePoint"

  • The images below show, the tool operator selecting content type as HTML and HTML email content based email delivered to a test mailbox

  • Note that the test.html file was in the same directory, hence only the file name is specified

Send-Email opt1 HTML Send-Email opt1 HTML recv

Send Email with attachment - Menu option2

  • This menu option lets the tool operator send an email with attachment.
  • Selecting this option prompts the operator to enter relevant details such as the target email, attachment path etc.
  • Below is an example run using this option.
  • The tool give the operator an option to choose a different file name than the original filename for the attachment.

Send-Email attach 1 Send-Email attach 2

Reply to a message (standard single reply) - Menu option3

  • Selecting this menu option allows the operator to reply to a message.
  • This is a standard single reply, similar to the "reply" option in standard Outlook app (Replies only to the From addresses in the email chain).
  • To reply to an email message the operator will have to input the message ID of the mail message.
  • The message ID can be found from the email JSON (value "Id") files saved on the disk.
  • Below is an example run for replying to an email

Reply single

Reply all to a message (reply all (same as mail app)) - Menu option4

Create a draft message without attachment (saved to the Drafts folder) - Menu option5

Send a draft message - Menu option6

Delete mail messages (Permanently Deleted) - Menu option7

Get current auto reply settings (view current auto reply settings) - Menu option8

Schedule auto reply [e.g OOO] - Menu option9

Get email attachment(s) - Menu option10

Delete email attachment(s) (Permanently Deleted) - Menu option11

Get folder collection (Get Info on all the Folders in mail client) - Menu option12

  • To be implemented in future updates

Create new folder - Menu option13

  • To be implemented in future updates

Update folder - Menu option14

  • To be implemented in future updates

Delete folder - Menu option15

  • To be implemented in future updates

Move or Copy folder - Menu option16

  • To be implemented in future updates

The Key-Search menu

  • To be implemented in future updates

Clone this wiki locally