If you're not aware, Base64 is an encoding scheme that represents arbitrary bytes using 64 printable characters (A-Z, a-z, 0-9, + and /, with = as padding). To the uninitiated it looks like a load of garbled text, and it is not human-readable as it stands; decoding it gives you back the original bytes, which for the data in this article is plain ASCII text.
Forgot about Teams during Packet Capture
I was writing another article about figuring out iOS software updates and decrypting HTTPS traffic, and on that journey of trying to work out where the traffic was flowing I forgot I had the Teams client running on my phone.
HTTPS Decryption
This means that, with decryption enabled, all the data being sent to Teams was going via my VPN configuration. The way the decryption works is that Teams talks to my VPN connection (which in this case is an application called HTTP Watch); that is where the secure channel terminates, and from there the VPN re-establishes the connection to the actual destination.
SSL integrity broken with decryption
This means the integrity of TLS (SSL) has been broken: I have trusted a root certificate on the device, which lets the application mint a certificate for whatever host I connect to, intercept the connection and seamlessly pass it through the application before the application sends the request on to the final destination.
The technical term for this is a man-in-the-middle (MitM) attack; in this instance HTTP Watch is the man in the middle.
Teams : Blissfully unaware (and it has no way on knowing either)
Teams, thinking about unicorns and saving the planet, is blissfully unaware: when it tries to talk to its final destination it is actually talking to the application, which terminates the connection and then seamlessly establishes its own session with the Teams servers.
In this particular configuration I can see everything Teams tries to access, right down to the full URL path, and that includes the Authorization headers, which carry a Base64-encoded bearer token (a JWT, using the URL-safe alphabet with the padding stripped). I also observed that this application can render the images the Teams app fetched.
Emoji images visible in chats
If we look in my application at request 57, that is the point where somebody sent me a party popper emoji: not only can I tell which server it is coming from and the full path to that emoji, but I can also see a visual representation of it:
Note: in this example I have protected the Teams application with an Intune app protection policy, which keeps my data secure and restricted to the application. However, while I am unable to see the message content itself, I can see any data within the chat that calls an external resource, because that is a web request, which is exactly what my VPN is logging.
This gives you the full request as below, which tells you where the "party popper" PNG is coming from, along with other juicy information such as the iOS version, the country and the time zone:
Chats are logged, but content (excluding external content) is not logged
If we move on to request 59, this is the request that writes data to the chat I'm having with the recipient; you will notice the method is now PUT rather than GET.
You can then instantly see exactly which server it is talking to in order to address my chat by its GUID, the conversation that contains the messages, as below:
Analysing captured data
You now need to decode this data to ASCII, which you can do with the link here: paste in the repaired Base64 (the JWT segments use the URL-safe alphabet and drop the = padding, so restore the padding first if the decoder complains) and then use the decode button as below:
This gives you the data in ASCII format. When I decoded the whole token I was able to extract the following information from that request:
- Tenant ID
- Authentication Method
- Application ID
- Device ID
- Family Name
- Given Name
- Account Type
- Source IP address
- Full Name
- OID
- SID (Active Directory SID)
- Unique Name
- UPN
{"typ":"JWT","nonce":"GrfqwmmtMWP<REDACTED>","alg":"RS256","x5t":"H9nj5A<REDACTED>","kid":"H9nj5A<REDACTED>"}
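As an added example (not code from the original post), here is the same decoding step done locally in PowerShell instead of in a web decoder; pasting a live bearer token into a third-party site hands that credential to the site. The function repairs the base64url segments of the JWT, parses the header and payload as JSON and lists the claims that correspond to the items above. The claim names used are the standard Entra ID access-token claims (tid, amr, appid, deviceid, oid, onprem_sid, upn and so on); that the captured token carried exactly this claim set is an assumption, and the sample token is constructed locally from dummy values so the script runs offline.

```powershell
# Added example, not from the original post. Decodes a captured JWT bearer token
# offline. Claim names are the standard Entra ID ones (assumption: the captured
# token used the same set); the sample token below is constructed with dummy values.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments use the URL-safe alphabet (- and _ instead of + and /) and drop
    # the '=' padding, which is why a plain Base64 decoder rejects the raw segment.
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw "Invalid base64url segment length: $($Text.Length)" }
    }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$AuthorizationHeader)
    # Accept either the bare token or the full "Bearer <token>" header value.
    $token = ($AuthorizationHeader -replace '^\s*Bearer\s+', '').Trim()
    $parts = $token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS token (expected header.payload.signature)' }
    # Only the header and payload are JSON. The third segment is the RS256 signature
    # and is NOT checked here: decoding a token is not the same as verifying it.
    return [pscustomobject]@{
        Header = (ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json)
        Claims = (ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json)
    }
}

# Constructed sample token (dummy GUIDs, documentation IP range, fake signature).
$sampleHeader = [ordered]@{ typ = 'JWT'; alg = 'RS256'; kid = 'CONSTRUCTED-KID' } | ConvertTo-Json -Compress
$sampleClaims = [ordered]@{
    tid         = '11111111-2222-3333-4444-555555555555'   # Tenant ID
    amr         = @('pwd', 'mfa')                          # Authentication method
    appid       = '66666666-7777-8888-9999-000000000000'   # Application ID (dummy)
    deviceid    = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'   # Device ID
    family_name = 'Doe'
    given_name  = 'Jane'
    name        = 'Jane Doe'                               # Full name
    acct        = 0                                        # Account type
    ipaddr      = '203.0.113.10'                           # Source IP address
    oid         = 'ffffffff-0000-1111-2222-333333333333'   # Object ID
    onprem_sid  = 'S-1-5-21-1111111111-2222222222-3333333333-1001'  # AD SID
    unique_name = 'jane.doe@contoso.example'
    upn         = 'jane.doe@contoso.example'
} | ConvertTo-Json -Compress
$sampleToken = '{0}.{1}.{2}' -f (ConvertTo-Base64Url $sampleHeader), (ConvertTo-Base64Url $sampleClaims), 'c2lnbmF0dXJl'

$decoded = Get-JwtClaims "Bearer $sampleToken"
$decoded.Header | Format-List
$decoded.Claims | Select-Object tid, amr, appid, deviceid, oid, onprem_sid, upn, ipaddr | Format-List
```

To use it on a real capture, pass the Authorization header value from the request straight to Get-JwtClaims. Treat the output as sensitive: the token is a live credential until it expires, so redact it (as the post does) before sharing the capture.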
Encoding Commands with PowerShell
If you have commands you want to run using PowerShell, you can encode them in Base64 (of the UTF-16LE bytes, which is what -EncodedCommand expects) and run them with this command:
powershell -EncodedCommand "<Base64>"
That script produces this notification, which is called a toast notification:
We now need to put that script into a string, so we wrap it in a here-string and add the conversion line (the parts to add are the here-string delimiters and the ToBase64String line):
$EncodingScript = @'
# paste the toast notification script from above here
'@
$EncodedScript = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($EncodingScript))
Then output $EncodedScript to get the Base64, as you can see below:
You can use this to copy it to the clipboard:
$EncodedScript | clip
And this runs it directly from the same PowerShell session:
powershell -EncodedCommand $EncodedScript
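As an added example (not code from the original post), the encoding above is wrapped into reusable functions together with the reverse step: pulling the Base64 blob out of a process command line and decoding it, which is what you need when an encoded command turns up in a Sysmon or 4688 event. The script itself, the log line and the paths in it are constructed for the example; the set of switch spellings matched (-e, -ec, -enc, -encodedcommand and the other prefixes powershell.exe accepts) is stated as an assumption in the comment.

```powershell
# Added example, not from the original post. Round-trips a script through
# -EncodedCommand and decodes an encoded command found in a (constructed) log line.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # -EncodedCommand expects the UTF-16LE bytes ("Unicode" in .NET), not UTF-8.
    # Base64 of UTF-8 bytes decodes to garbage inside powershell.exe.
    return [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Get-EncodedCommandFromCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand, so the
    # switch appears as -e, -ec, -enc, -encoded and so on (assumption: the prefix
    # set below covers what you will meet). Match the switch followed by a Base64
    # blob, quoted or not, and decode it.
    $pattern = '(?i)[-/]e(?:c|n[a-z]*)?\s+["'']?([A-Za-z0-9+/]+={0,2})'
    $m = [regex]::Match($CommandLine, $pattern)
    if (-not $m.Success) { return $null }
    return ConvertFrom-EncodedCommand $m.Groups[1].Value
}

# Constructed script standing in for the toast notification script.
$script  = "Write-Host 'Hello from an encoded command'"
$encoded = ConvertTo-EncodedCommand $script
"powershell.exe -NoProfile -EncodedCommand $encoded"

# Round-trip check: decoding must give back exactly what was encoded.
if ((ConvertFrom-EncodedCommand $encoded) -ne $script) { throw 'Round trip failed' }

# Constructed process-creation command line, as a detection rule would see it.
$logLine = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -enc $encoded"
Get-EncodedCommandFromCommandLine $logLine
```

The last line returns the original Write-Host command, which is the same thing a defender sees when decoding the -enc argument from a suspicious process command line; encoded commands hide the script from casual reading but not from anyone who runs this decode, so they are a convenience for quoting and escaping, not a security control.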