Microsoft Authenticator #49

Open
p1r473 opened this issue Jun 1, 2021 · 2 comments


p1r473 commented Jun 1, 2021

Hi,
I am having an issue with my Microsoft Authenticator.
It's not grabbing my personal 8-digit microsoft.com code.
I simply set up the default Microsoft.com personal authenticator with the Microsoft Authenticator app. Very vanilla install.
It works with my 3 work Microsoft OTPs, but it does not work with my very standard Microsoft.com personal one.

root@Debian10:~/Desktop# python3 -m android_otp_extractor --verbose --include microsoft_authenticator
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Testing if your phone uses binary: 'toybox'
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Checking if adb already runs as root
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Attempting to enable adb root
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Listing contents of / as root
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Listing directory /
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Reading and hashing contents of build.prop as root
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Hashing file $ANDROID_ROOT/build.prop
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_ROOT/build.prop
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Successfully read 2018 bytes
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Hashing file $ANDROID_ROOT/build.prop
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_ROOT/build.prop
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Successfully read 2018 bytes
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Using command line utility binary: 'toybox'
2021-06-01 12:26:20 Debian10 android_otp_extractor.apps[1038] INFO Reading Microsoft Authenticator accounts
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_DATA/data/com.azure.authenticator/databases/PhoneFactor
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Successfully read 24576 bytes
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_DATA/data/com.azure.authenticator/databases/PhoneFactor-journal
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_DATA/data/com.azure.authenticator/databases/PhoneFactor-wal
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Successfully read 309032 bytes
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_DATA/data/com.azure.authenticator/databases/PhoneFactor-shm
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Successfully read 32768 bytes

2021-06-01 12:26:20 Debian10 android_otp_extractor.apps[1038] WARNING Unknown Microsoft account type: 1

{'_id': 2,
 'aad_authority': '',
 'aad_ngc_totp_enabled': 0,
 'aad_security_defaults_policy_enabled': 0,
 'aad_tenant_id': '',
 'aad_user_id': '',
 'account_capability': 7,
 'account_type': 1,
 'cached_pin': '',
 'cid': 'XXXXXXXXXXXXXXXX',
 'encrypted_oath_secret_key': '',
 'group_key': '00000000000000000000000000000000',
 'has_password': 1,
 'identity_provider': '',
 'is_totp_code_shown': 0,
 'mfa_pin_encryption_key_alias': '',
 'name': 'Microsoft',
 'ngc_ski': 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
 'oath_enabled': 1,
 'oath_secret_key': 'XXXXXXXXXXXXXXXX',
 'paws_url': '',
 'restore_capability': 0,
 'username': '[email protected]',
 'ux_position': 2}

phodina commented Jul 19, 2021

Hi,
Is there a way to decode the columns from a record in the SQLite3 database?

I attempted to extract the 2FA keys, but they generate invalid values, so I guess the scheme changed.


DrPlamsa commented Sep 2, 2022

@phodina
If you do it too soon after setting up your account, the OTP key will not have been written to the SQL database yet. You can fix this by grabbing the PhoneFactor, PhoneFactor-wal, and PhoneFactor-shm files to your local desktop and running the ".recover" SQL command from within sqlite3 or similar. This will cause the written-ahead changes stored in PhoneFactor-wal to write to PhoneFactor, whereupon you can use SQL queries to extract the OTP key, such as: "select username, oath_secret_key from accounts;"
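The write-ahead-log behaviour described in the comment above, as an added example that is not part of the thread or of the project's code. It builds a constructed stand-in database with only the two columns named in the query, and merges the WAL with `PRAGMA wal_checkpoint` from Python's `sqlite3` module rather than the shell's `.recover`; the sample row and directory names are assumptions.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

NAME = "PhoneFactor"
ROW = ("user@example.invalid", "CONSTRUCTEDSECRET")  # constructed sample values


def make_source(src: Path) -> sqlite3.Connection:
    """Build a stand-in database whose only account row still sits in the WAL."""
    con = sqlite3.connect(str(src / NAME), isolation_level=None)  # autocommit
    con.execute("CREATE TABLE accounts (username TEXT, oath_secret_key TEXT)")
    con.execute("PRAGMA journal_mode=WAL").fetchone()
    con.execute("PRAGMA wal_autocheckpoint=0").fetchone()  # never auto-merge the WAL
    con.execute("INSERT INTO accounts VALUES (?, ?)", ROW)
    return con  # left open: closing the last connection would checkpoint the WAL


def pull(src: Path, dst: Path, suffixes) -> Path:
    """Copy the chosen database files, as if pulled from the device."""
    dst.mkdir()
    for suffix in suffixes:
        shutil.copy(src / (NAME + suffix), dst / (NAME + suffix))
    return dst / NAME


def read_accounts(db: Path, checkpoint: bool = False):
    con = sqlite3.connect(str(db))
    try:
        if checkpoint:  # fold WAL frames into the main database file
            con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchone()
        return con.execute("SELECT username, oath_secret_key FROM accounts").fetchall()
    finally:
        con.close()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "device")
        src.mkdir()
        app = make_source(src)
        try:
            main_only = read_accounts(pull(src, Path(tmp, "main_only"), [""]))
            merged = read_accounts(pull(src, Path(tmp, "all_three"), ["", "-wal", "-shm"]), checkpoint=True)
        finally:
            app.close()
    return main_only, merged


if __name__ == "__main__":
    print(demo())
```

The copy of the main file alone returns no accounts, while the copy taken together with its `-wal` and `-shm` sidecars returns the row.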
