TokenLook ‐ TokenUse

vrikodar edited this page Jun 22, 2026 · 29 revisions

Introduction

This directory inside the main repository contains the source code and configuration files that use JWT tokens to perform mail-related actions.

The main.py file

  • This is the main source file; it calls the methods and functions implemented in the tokenlook.py file
  • The file provides the command-line interface of the tool and currently takes no command-line arguments

The tokenlook.py file

  • Source code implementing most API methods of the Outlook REST API.
  • Also implements other miscellaneous functions used in the main.py file
  • This file contains reusable classes and functions that are also used by app.py, the WebUI version of the tool

The app.py file

  • WebUI implementation of the TokenLook tool

The tokenlook_config.json configuration file

  • The example structure of the JSON configuration is below
{
  "current_jwt": ["JWT-VALUE1", "JWT-VALUE2"],
  "data_dir": "local_data",
  "proxy": ["http://127.0.0.1:8080", "PROXY2", "PROXY3"],
  "mail_numb": 10,
  "keyword_search": ["pass", "username", "credentials", "key"]
}
  • current_jwt: one or more JWT token values; the tokens may belong to different user accounts
  • data_dir: the directory to which the tool saves extracted emails in JSON format, as well as attachments downloaded on demand
  • proxy: the proxy to tunnel traffic through; leave the list empty to use no proxy. Useful for debugging traffic with an intercepting proxy such as Burp Suite
  • mail_numb: the maximum number of emails to extract; the minimum allowed value is 10. Note that the tool extracts emails globally, without restricting itself to a specific folder such as Inbox or Drafts, so the maximum specified here applies to the combined total across all folders.
  • keyword_search: a list of words to search for inside the extracted emails, useful for scenarios such as finding clear-text credentials in email content
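As an added illustration (not code from the TokenLook project), the following Python validates a configuration of this shape before the tool starts. It checks that every current_jwt entry has the three dot-separated segments of a JWT and reads the exp claim without verifying the signature, so an already-expired token is reported up front instead of failing on the first API call. The function names, the sample_config helper and the unsigned placeholder tokens it constructs are assumptions made for this example.

```python
import base64
import json
import time
from typing import List, Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def constructed_jwt(exp: int) -> str:
    """Build a structurally valid but UNSIGNED placeholder token (constructed
    test data, not a real credential) carrying the given exp claim."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"exp": exp, "upn": "user@example.com"}).encode())
    return f"{header}.{payload}."  # empty signature segment


def jwt_expiry(token: str) -> Optional[int]:
    """Return the exp claim (epoch seconds) of a JWT, or None if it cannot be read.
    The signature is NOT verified; this only reads the claim for a freshness check."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON/UTF-8
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, int) and not isinstance(exp, bool) else None


def validate_config(cfg: dict, now: Optional[float] = None) -> List[str]:
    """Check a tokenlook_config.json structure; an empty list means it is usable."""
    now = time.time() if now is None else now
    problems: List[str] = []

    jwts = cfg.get("current_jwt")
    if not isinstance(jwts, list) or not jwts:
        problems.append("current_jwt must be a non-empty list of tokens")
    else:
        for i, tok in enumerate(jwts):
            if not isinstance(tok, str) or tok.count(".") != 2:
                problems.append(f"current_jwt[{i}] is not a three-segment JWT")
                continue
            exp = jwt_expiry(tok)
            if exp is not None and exp <= now:
                problems.append(f"current_jwt[{i}] expired at epoch {exp}")

    data_dir = cfg.get("data_dir")
    if not isinstance(data_dir, str) or not data_dir:
        problems.append("data_dir must be a non-empty path string")

    proxies = cfg.get("proxy", [])
    if not isinstance(proxies, list) or not all(isinstance(p, str) for p in proxies):
        problems.append("proxy must be a list of URL strings (an empty list means no proxy)")

    n = cfg.get("mail_numb")
    if not isinstance(n, int) or isinstance(n, bool) or n < 10:
        problems.append("mail_numb must be an integer of at least 10")

    kws = cfg.get("keyword_search", [])
    if not isinstance(kws, list) or not all(isinstance(k, str) and k for k in kws):
        problems.append("keyword_search must be a list of non-empty strings")
    return problems


def load_config(path: str) -> dict:
    """Load and validate the JSON file, raising ValueError listing every problem found."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    problems = validate_config(cfg)
    if problems:
        raise ValueError("invalid tokenlook_config.json: " + "; ".join(problems))
    return cfg


def sample_config(exp_offset: int = 3600) -> dict:
    """Constructed in-memory config mirroring the JSON structure shown on this page."""
    return {
        "current_jwt": [constructed_jwt(int(time.time()) + exp_offset)],
        "data_dir": "local_data",
        "proxy": ["http://127.0.0.1:8080"],
        "mail_numb": 10,
        "keyword_search": ["pass", "username", "credentials", "key"],
    }


if __name__ == "__main__":
    print(validate_config(sample_config()))                # []
    print(validate_config(sample_config(exp_offset=-60)))  # expired token reported
```

load_config is the entry point a main.py would call; validate_config is kept separate so the same checks can run on an already-parsed dictionary, for instance in the WebUI.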

Example execution

  • When the tool is run for the first time, it starts with the JWT tokens present in the current_jwt list in the config file.
  • For each JWT user context, the tool extracts the maximum number of emails specified by mail_numb in the config file and then runs the Send-Email --> Key-Search menus.
  • If there are multiple JWT user contexts, the flow is repeated for each user context.
    • In a future update, an initial check will loop through all JWT tokens in the list, let the user select the user context to use, and then run the remaining flow, including the Send-Email and Key-Search menus, against that particular user context.
  • For every extracted email a local JSON copy is made, with the file name prefixed by the message ID of the mail; if the email content type is HTML, the tool also saves the email as an HTML file for convenient viewing in a browser.
  • Below is an image showing the tool run with a single JWT user context in the current_jwt list and the proxy config set to http://127.0.0.1:8080

[Image: Example execution 1]
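To make the on-disk layout described above concrete, here is an added Python example (not the project's own code) that writes each extracted message to <data_dir>/<context>/<Id>.json, additionally as <Id>.html when the body is HTML, and then runs the keyword_search list over the saved copies, which is also what the Key-Search step of the flow needs. The sample messages, the context label user1 and every field name other than "Id" (Subject, Body.ContentType, Body.Content) are constructed assumptions in the shape of Outlook REST API message objects.

```python
import html
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed sample messages in the shape of Outlook REST API message objects.
# This page only confirms the "Id" field; Subject/Body.ContentType/Body.Content
# are assumed here so the example has something to save and search.
SAMPLE_MESSAGES = [
    {
        "Id": "AAMkADExMDE-msg1=",
        "Subject": "Weekly report",
        "Body": {"ContentType": "Text", "Content": "Nothing sensitive in this one."},
    },
    {
        "Id": "AAMkADExMDE-msg2=",
        "Subject": "VPN access",
        "Body": {
            "ContentType": "HTML",
            "Content": "<p>Your temporary <b>password</b> is Winter2024!</p>",
        },
    },
]
KEYWORDS = ["pass", "username", "credentials", "key"]  # the keyword_search list

_UNSAFE = re.compile(r"[^A-Za-z0-9_.=-]")


def safe_name(value: str) -> str:
    """Reduce a message ID or context label to file-name-safe characters
    (Outlook IDs can contain '/' and '+', which must not reach the path)."""
    return _UNSAFE.sub("_", value)


def save_message(data_dir, context: str, msg: Dict) -> List[Path]:
    """Write <data_dir>/<context>/<Id>.json, plus <Id>.html when the body is HTML.
    Returns the paths written."""
    folder = Path(data_dir) / safe_name(context)
    folder.mkdir(parents=True, exist_ok=True)
    prefix = safe_name(msg["Id"])
    written = [folder / f"{prefix}.json"]
    written[0].write_text(json.dumps(msg, indent=2), encoding="utf-8")
    body = msg.get("Body", {})
    if body.get("ContentType", "").lower() == "html":
        html_path = folder / f"{prefix}.html"
        html_path.write_text(body.get("Content", ""), encoding="utf-8")
        written.append(html_path)
    return written


_TAGS = re.compile(r"<[^>]+>")


def body_text(msg: Dict) -> str:
    """Body as plain text; HTML tags are stripped so words split by markup still match."""
    body = msg.get("Body", {})
    content = body.get("Content", "")
    if body.get("ContentType", "").lower() == "html":
        content = html.unescape(_TAGS.sub(" ", content))
    return content


def keyword_search(data_dir, context: str, keywords: Iterable[str]) -> Dict[str, List[str]]:
    """Scan the saved JSON copies of one context for the keywords (case-insensitive).
    Returns {message Id: [matched keywords]} for messages with at least one hit."""
    hits: Dict[str, List[str]] = {}
    folder = Path(data_dir) / safe_name(context)
    for json_path in sorted(folder.glob("*.json")):
        msg = json.loads(json_path.read_text(encoding="utf-8"))
        haystack = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
        matched = [kw for kw in keywords if kw.lower() in haystack]
        if matched:
            hits[msg["Id"]] = matched
    return hits


def run_example() -> Dict[str, object]:
    """Save the constructed messages into a temporary data_dir and search them."""
    with tempfile.TemporaryDirectory() as tmp:
        context = "user1"  # assumed per-context directory name
        for msg in SAMPLE_MESSAGES:
            save_message(tmp, context, msg)
        files = sorted(p.name for p in (Path(tmp) / context).iterdir())
        return {"hits": keyword_search(tmp, context, KEYWORDS), "files": files}


if __name__ == "__main__":
    print(run_example())
```

Searching the saved JSON rather than the live mailbox means the search can be re-run offline with a different keyword list; matching is plain substring matching, so a short keyword such as "key" will also hit words that merely contain it.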

  • The image below shows the scenario once the maximum number of emails has been extracted: the user is asked whether to execute the Send-Email menu.
    • Selecting Y/y opens the Send-Email menu under the current JWT user context
    • Selecting N/n automatically moves to the next JWT user context (if available), extracts the specified maximum number of emails for it, and prompts again for the Send-Email menu. This cycle continues for all the JWT contexts

[Image: Example exec 2]

The Send-Email menu

[Image: Send-Email Menu]

  • Once the tool has finished extracting the maximum number of emails specified in the config file for all the JWT user contexts, it automatically runs the Send-Email menu
  • The Send-Email menu is what allows the user to perform various mail-related actions
  • Currently the menu has 18 options, of which 16 are mail-related activities

Send Email without attachment - Menu option1

  • This menu option lets the user send an email without an attachment.
  • Currently this option only supports specifying one recipient at a time; a future update will accept a list of recipients
  • When this menu option is selected, the tool prompts the user to answer some questions, as shown in the image below

[Image: Send-Email Menu Opt1]

  • The user is asked to input the following:
    • 1. The subject of the email to send
    • 2. The content type to send
    • 3. The content body to send (depending on the content type)
    • 4. The recipient email
    • 5. Whether to save the email in the JWT context user's Sent mailbox or not (True/False). Note that choosing False results in the email not showing anywhere in the JWT user context (the sent email is basically invisible to the JWT context user in their Outlook app).

  • For the 2nd option, Content Type, the tool operator can select either Text or HTML

  • Selecting Text prompts the tool operator to type in the email; the content body is considered finished only when the operator types end-of-body and presses enter.

  • Selecting HTML prompts the operator to type in the PATH of the HTML file to be sent as the email content, good for internal phishing emails and scenarios such as trying to make your emails look like legitimate document shares on "SharePoint"

  • The images below show the tool operator selecting HTML as the content type, and the resulting HTML email delivered to a test mailbox

  • Note that the test.html file was in the same directory, hence only the file name is specified

[Image: Send-Email opt1 HTML] [Image: Send-Email opt1 HTML recv]

Send Email with attachment - Menu option2

  • This menu option lets the tool operator send an email with an attachment.
  • Selecting this option prompts the operator to enter the relevant details, such as the target email and the attachment path.
  • Below is an example run using this option.
  • The tool gives the operator the option to choose a file name for the attachment that differs from the original file name.

[Image: Send-Email attach 1] [Image: Send-Email attach 2]

Reply to a message (standard single reply) - Menu option3

  • Selecting this menu option allows the operator to reply to a message.
  • This is a standard single reply, similar to the "reply" option in the standard Outlook app (it replies only to the From address in the email chain).
  • To reply to an email message the operator has to input the message ID of the mail message.
  • The message ID can be found in the email JSON files saved on disk (the "Id" value).
  • Below is an example run of replying to an email

[Image: Reply single]

Reply all to a message (reply all (same as mail app)) - Menu option4

  • Similar to "reply all" in the Outlook app, the operator can also do a "reply all".
  • This menu option also requires the operator to input the message ID value

[Image: Reply all]

Create a draft message without attachment (saved to the Drafts folder) - Menu option5

  • This menu option allows the operator to create a DRAFT message in the JWT user's default Drafts folder
  • Note that this option doesn't allow adding attachments.
  • Below is an example run of creating a DRAFT message

[Image: DRAFT create]

Send a draft message - Menu option6

  • This menu option allows sending mail messages that are currently in DRAFT state
  • The operator is required to input the message ID of the email currently in DRAFT state.
  • Note that if you created the DRAFT with the tool in the first place, the tool prints the ID of the created draft on screen.
  • The ID can also be found in the JSON file after running the extraction again, which causes the DRAFT message to be pulled and saved to disk as well
  • Below is an example run of sending a DRAFT message

[Image: DRAFT sent]

Delete mail messages (Permanently Deleted) - Menu option7

  • This option allows the operator to delete mail messages from the JWT user's global mailbox
  • Once selected, the tool prompts the operator to input one or more message IDs separated by a comma ",".
  • The respective messages are deleted one by one.
  • Note that these messages are permanently deleted and will no longer be present in the JWT context user's mailbox.
  • Below is an example run of deleting two emails at once.

[Image: delete messages]

Get current auto reply settings (view current auto reply settings) - Menu option8

  • Selecting this menu option displays the current auto reply settings configured for the JWT user context.
  • Below is an example run displaying the scheduled auto reply setting for the current JWT user context

[Image: auto reply]

Schedule auto reply [e.g OOO] - Menu option9

  • The operator can also change the existing auto reply settings or enable a new auto reply.
  • Currently the tool only supports creating a scheduled auto reply.
    • In a future release, the option to configure a permanent auto reply will be added.
  • When this menu option is selected, the tool prompts the operator to input the start date, the end date, and the message to send as the auto reply.
  • The start and end timestamps follow the format YYYY-MM-DD-HH-MM (hours in 24-hour format, then minutes); it is recommended that the operator enter the times as the UTC equivalent of the desired local time in the timezone of their choosing.
  • Below is an example run of updating the auto reply settings; the update is also shown in the Teams account of the JWT user context.

[Image: auto reply] [Image: auto reply]
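Because the tool expects UTC-converted timestamps in the YYYY-MM-DD-HH-MM form, here is an added Python helper (not part of TokenLook) that converts a window typed in local time to the strings the operator should enter, and rejects malformed timestamps or a window that ends before it starts. The fixed utc_offset_hours parameter and the function names are assumptions for this example; a DST-aware conversion would pass a zoneinfo.ZoneInfo object as the zone instead of a fixed offset.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple

TOOL_FORMAT = "%Y-%m-%d-%H-%M"  # the YYYY-MM-DD-HH-MM layout the tool prompts for


def local_to_utc_window(start: str, end: str, utc_offset_hours: float = 0.0) -> Tuple[str, str]:
    """Interpret start/end (typed in TOOL_FORMAT as local wall-clock time) in a fixed
    UTC offset (assumed parameter: 1.0 for UTC+1, 5.5 for UTC+5:30, -8.0 for UTC-8)
    and return the UTC strings the operator should enter into the tool.
    Raises ValueError for a malformed timestamp or a window that ends before it starts."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    try:
        start_local = datetime.strptime(start, TOOL_FORMAT).replace(tzinfo=zone)
        end_local = datetime.strptime(end, TOOL_FORMAT).replace(tzinfo=zone)
    except ValueError as exc:
        raise ValueError(f"timestamps must look like YYYY-MM-DD-HH-MM (24h): {exc}") from exc
    start_utc = start_local.astimezone(timezone.utc)
    end_utc = end_local.astimezone(timezone.utc)
    if end_utc <= start_utc:
        raise ValueError("the auto-reply end must be after its start")
    return start_utc.strftime(TOOL_FORMAT), end_utc.strftime(TOOL_FORMAT)


def window_is_active(start_utc: str, end_utc: str, now_utc: str) -> bool:
    """True if now_utc (also in TOOL_FORMAT, UTC) falls inside the converted window;
    useful for checking what a mailbox is currently announcing."""
    s = datetime.strptime(start_utc, TOOL_FORMAT)
    e = datetime.strptime(end_utc, TOOL_FORMAT)
    return s <= datetime.strptime(now_utc, TOOL_FORMAT) < e


if __name__ == "__main__":
    # 09:00 on 1 March to 18:00 on 8 March in UTC+1 becomes 08:00 to 17:00 UTC.
    print(local_to_utc_window("2024-03-01-09-00", "2024-03-08-18-00", 1.0))
    # 20:00 in UTC-8 rolls over to 04:00 UTC on the next day.
    print(local_to_utc_window("2024-03-01-20-00", "2024-03-02-06-00", -8.0))
```

strptime rejects impossible dates such as a 30 February, so the format check also catches typos in the day or month fields before they reach the API.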

Get email attachment(s) - Menu option10

  • This menu option allows the user to download attachments for single or multiple emails
  • The program prompts the operator to input email message ID(s); multiple IDs can be entered separated by a space.
  • Each message is processed one by one.
  • For each message, the tool first scans the available attachments in that message and displays the attachment name and its unique ID.
  • The tool then prompts the user to input the ID of the attachment to download; multiple attachment IDs can be entered separated by a space.
  • In the example run below, a sample.pdf attachment is downloaded from an email message.
  • Note that on disk these attachments are saved to the local data directory specific to the current JWT user context.
  • In the current case a unique directory specific to the current JWT user context is created inside local_data; emails extracted as JSON or HTML, including attachments, are saved to this directory
  • If an attachment with the same name is downloaded more than once, it gets overwritten (IMPORTANT THING TO KEEP IN MIND)

[Image: auto reply]
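Since a second download with the same name silently overwrites the first, here is an added Python example (not the project's code) of a collision-safe save that also reduces the attachment Name to a plain file name before writing, because that name comes from the mailbox rather than from the operator and can contain path separators. The attachment objects, their field names (Id, Name, base64 ContentBytes) and the user1 directory are constructed assumptions in the shape of an Outlook REST file attachment.

```python
import base64
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed attachment objects in the shape of an Outlook REST FileAttachment
# (Id, Name, base64 ContentBytes); these field names are assumed, not from the page.
SAMPLE_ATTACHMENTS = [
    {"Id": "att-1", "Name": "sample.pdf",
     "ContentBytes": base64.b64encode(b"%PDF-1.4 first version").decode()},
    {"Id": "att-2", "Name": "sample.pdf",          # same name, different content
     "ContentBytes": base64.b64encode(b"%PDF-1.4 second version").decode()},
    {"Id": "att-3", "Name": "../../etc/passwd",    # hostile name supplied by the mailbox
     "ContentBytes": base64.b64encode(b"not really a passwd file").decode()},
]


def safe_filename(name: str) -> str:
    """Keep only the last path component of a mailbox-supplied name and replace
    characters that are unsafe in file names, so '../x' or 'C:\\x' stay in the folder."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(".")
    return base or "attachment"


def unique_path(folder: Path, filename: str) -> Path:
    """folder/filename, or folder/'stem (n).suffix' for the first n that is free."""
    candidate = folder / filename
    stem, suffix = os.path.splitext(filename)
    n = 1
    while candidate.exists():
        candidate = folder / f"{stem} ({n}){suffix}"
        n += 1
    return candidate


def save_attachment(folder: Path, attachment: Dict) -> Path:
    """Decode ContentBytes and write it under a collision-free, sanitised name."""
    folder.mkdir(parents=True, exist_ok=True)
    path = unique_path(folder, safe_filename(attachment["Name"]))
    path.write_bytes(base64.b64decode(attachment["ContentBytes"]))
    return path


def run_example() -> List[str]:
    """Save the constructed attachments into a temporary per-context directory
    and return the file names actually used."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "user1"  # assumed per-JWT-context directory
        names = [save_attachment(folder, a).name for a in SAMPLE_ATTACHMENTS]
        assert all(p.parent == folder for p in folder.iterdir())  # nothing escaped
        return names


if __name__ == "__main__":
    print(run_example())  # ['sample.pdf', 'sample (1).pdf', 'passwd']
```

Appending the attachment Id to the file name would be an alternative to the counter and makes the name stable across runs; the counter is used here because it keeps the original name readable.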

Delete email attachment(s) (Permanently Deleted) - Menu option11

  • This option allows the operator to delete attachments from mail messages
  • Note that this can delete attachments from any type of message (sent, DRAFTS, etc.); however, the attachments are deleted only from the current JWT user's context. For example, for a sent message the deleted attachment will be gone from the current JWT user's mailbox, but it will still be available in the mailbox of the receiving user.
  • For the current JWT user context, deleted attachments are permanently deleted and can't be recovered.
  • Below is an example run of deleting a PDF attachment from an email.

[Image: auto reply]

Get folder collection (Get Info on all the Folders in mail client) - Menu option12

  • To be implemented in future updates

Create new folder - Menu option13

  • To be implemented in future updates

Update folder - Menu option14

  • To be implemented in future updates

Delete folder - Menu option15

  • To be implemented in future updates

Move or Copy folder - Menu option16

  • To be implemented in future updates

The Key-Search menu

  • To be implemented in future updates
