puddly / android-otp-extractor

Extracts OTP tokens from rooted Android devices
GNU General Public License v3.0
242 stars 22 forks

Microsoft Authenticator #49

Open p1r473 opened 3 years ago

p1r473 commented 3 years ago

Hi, I am having an issue with my Microsoft Authenticator: it's not grabbing my personal 8-digit microsoft.com code. I simply set up the default Microsoft.com personal authenticator with the Microsoft Authenticator app. Very vanilla install. It works with my 3 work Microsoft OTPs, but it does not work with my very standard Microsoft.com personal one.

root@Debian10:~/Desktop# python3 -m android_otp_extractor --verbose --include microsoft_authenticator
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Testing if your phone uses binary: 'toybox'
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Checking if adb already runs as root
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Attempting to enable adb root
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Listing contents of / as root
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Listing directory /
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Reading and hashing contents of build.prop as root
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Hashing file $ANDROID_ROOT/build.prop
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_ROOT/build.prop
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Successfully read 2018 bytes
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Hashing file $ANDROID_ROOT/build.prop
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_ROOT/build.prop
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Successfully read 2018 bytes
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] INFO Using command line utility binary: 'toybox'
2021-06-01 12:26:20 Debian10 android_otp_extractor.apps[1038] INFO Reading Microsoft Authenticator accounts
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_DATA/data/com.azure.authenticator/databases/PhoneFactor
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Successfully read 24576 bytes
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_DATA/data/com.azure.authenticator/databases/PhoneFactor-journal
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_DATA/data/com.azure.authenticator/databases/PhoneFactor-wal
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Successfully read 309032 bytes
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Trying to read file $ANDROID_DATA/data/com.azure.authenticator/databases/PhoneFactor-shm
2021-06-01 12:26:20 Debian10 android_otp_extractor.adb[1038] DEBUG Successfully read 32768 bytes

2021-06-01 12:26:20 Debian10 android_otp_extractor.apps[1038] WARNING Unknown Microsoft account type: 1

{'_id': 2,
 'aad_authority': '',
 'aad_ngc_totp_enabled': 0,
 'aad_security_defaults_policy_enabled': 0,
 'aad_tenant_id': '',
 'aad_user_id': '',
 'account_capability': 7,
 'account_type': 1,
 'cached_pin': '',
 'cid': 'XXXXXXXXXXXXXXXX',
 'encrypted_oath_secret_key': '',
 'group_key': '00000000000000000000000000000000',
 'has_password': 1,
 'identity_provider': '',
 'is_totp_code_shown': 0,
 'mfa_pin_encryption_key_alias': '',
 'name': 'Microsoft',
 'ngc_ski': 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
 'oath_enabled': 1,
 'oath_secret_key': 'XXXXXXXXXXXXXXXX',
 'paws_url': '',
 'restore_capability': 0,
 'username': 'myemail@gmail.com',
 'ux_position': 2}
phodina commented 3 years ago

Hi, is there a way to decode the columns from a record in the SQLite3 database?

I attempted to extract the 2FA keys but they generate invalid values so I guess the scheme changed.

DrPlamsa commented 2 years ago

@phodina If you do it too soon after setting up your account, the OTP key will not have been written to the SQL database yet. You can fix this by grabbing the PhoneFactor, PhoneFactor-wal, and PhoneFactor-shm files to your local desktop and running the ".recover" SQL command from within sqlite3 or similar. This will cause the written-ahead changes stored in PhoneFactor-wal to write to PhoneFactor, whereupon you can use SQL queries to extract the OTP key, such as: "select username, oath_secret_key from accounts;"
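The workflow from the two comments above, as an added example that is not code from android-otp-extractor or from anyone in this thread. It builds a stand-in PhoneFactor database in WAL mode whose only `accounts` row has been committed to `PhoneFactor-wal` but not yet checkpointed into the main file, then shows that a copy of `PhoneFactor` alone yields no rows while a copy that includes the `-wal` and `-shm` files yields the account (SQLite replays the WAL frames on open, so the same applies whether you query from the sqlite3 shell or from a script). It then derives a code from `oath_secret_key`. Assumptions, not established by the page: the reduced table schema (only the column names seen in the dump above), the constructed sample row, that `oath_secret_key` is a base32 TOTP seed, that `account_type` 1 (the reporter's personal account) produces 8-digit codes while other types produce 6, and RFC 6238 defaults (HMAC-SHA1, 30 s step). The sample secret is the RFC 6238 reference key, not a real account key.

```python
"""Pull the PhoneFactor files together, query accounts, and derive TOTP codes."""
import base64
import hashlib
import hmac
import os
import shutil
import sqlite3
import struct
import tempfile

DB_FILES = ("PhoneFactor", "PhoneFactor-wal", "PhoneFactor-shm")

# Constructed sample secret: the RFC 6238 reference key "12345678901234567890"
# in base32. Not a real Microsoft account key.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def make_live_fixture(directory):
    """Stand in for the app's database (constructed): a WAL-mode PhoneFactor
    with a reduced 'accounts' table (assumed schema, column names from the
    dump in this issue) whose only row is committed to the -wal file but not
    checkpointed into the main file. The returned connection must stay open;
    closing the last connection checkpoints and removes the WAL."""
    conn = sqlite3.connect(os.path.join(directory, "PhoneFactor"))
    conn.execute(
        "CREATE TABLE accounts (_id INTEGER PRIMARY KEY, account_type INTEGER,"
        " name TEXT, username TEXT, oath_enabled INTEGER, oath_secret_key TEXT)"
    )
    conn.commit()  # table lands in the main file (rollback-journal mode)
    mode = conn.execute("PRAGMA journal_mode=WAL").fetchone()[0]
    if mode != "wal":
        raise RuntimeError("could not switch to WAL mode: %s" % mode)
    conn.execute(
        "INSERT INTO accounts VALUES (2, 1, 'Microsoft', 'someone@example.com', 1, ?)",
        (SAMPLE_SECRET,),
    )
    conn.commit()  # row lands in PhoneFactor-wal only
    return conn


def copy_db(src_dir, dst_dir, with_wal):
    """Copy PhoneFactor alone, or together with its -wal and -shm files."""
    names = DB_FILES if with_wal else DB_FILES[:1]
    for name in names:
        src = os.path.join(src_dir, name)
        if os.path.exists(src):
            shutil.copy(src, os.path.join(dst_dir, name))
    return os.path.join(dst_dir, "PhoneFactor")


def read_accounts(db_path):
    """Run the query from the comment above; SQLite replays the WAL on open."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute(
            "SELECT username, account_type, oath_secret_key FROM accounts"
        ).fetchall()
    finally:
        conn.close()


def totp(secret_b32, unix_time, digits=8, period=30):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) from a base32 secret."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def demo(unix_time=59):
    """Compare copying PhoneFactor alone with copying it plus -wal and -shm,
    then derive a code for every account found. Returns row counts and codes."""
    with tempfile.TemporaryDirectory() as phone, \
         tempfile.TemporaryDirectory() as only_main, \
         tempfile.TemporaryDirectory() as full:
        live = make_live_fixture(phone)
        try:
            partial = read_accounts(copy_db(phone, only_main, with_wal=False))
            complete = read_accounts(copy_db(phone, full, with_wal=True))
        finally:
            live.close()
    # Assumption from this issue: account_type 1 shows 8 digits, others 6.
    codes = {user: totp(secret, unix_time, digits=8 if kind == 1 else 6)
             for user, kind, secret in complete}
    return {"main_only": len(partial), "with_wal": len(complete), "codes": codes}


if __name__ == "__main__":
    print(demo())
```

On a real pull, replace the fixture with the three files copied from `/data/data/com.azure.authenticator/databases/` and call `read_accounts` on the copied `PhoneFactor`; the `-shm` file is only an index and SQLite rebuilds it if it is missing, but the `-wal` file must sit beside the main file under its original name or the recently added accounts are simply not visible.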