Enumerate Azure AD with AzureHound from Userland

This page describes how to enumerate Azure AD with AzureHound, starting from a non-privileged user session on a Windows machine.


Last updated 2 years ago

Introduction

In a previous article, we discussed how to acquire a Primary Refresh Token (PRT) cookie from a compromised normal user's session on a Windows machine. This Single Sign-On token allows an attacker to impersonate the victim user in Azure AD and opens up a variety of attack possibilities. In this article, we will discuss how to use the acquired PRT to enumerate Azure AD with AzureHound. AzureHound is the official ingestor for BloodHound, the well-known Active Directory enumeration tool.

Requesting a PRT

Follow the "Requesting PRTs" step from the previous article to acquire a new Primary Refresh Token from the victim's session. This approach relies on Dirk-jan Mollema's ROADTools and wotwot563's aad_prt_bof.

Requesting Tokens for the MS Graph API

According to the documentation, AzureHound can enumerate Azure AD via the Microsoft Graph API. This means that we need to use the acquired PRT to request tokens for this API first. We will impersonate the Azure PowerShell app (client id 1950a258-227b-4e31-a9cf-717495945fc2) in the process to obtain the necessary permissions for the MS Graph API. Luckily, ROADTools makes this very easy:

roadrecon auth --prt-cookie <primary refresh token value> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"

The previous command wrote the access and refresh tokens to the .roadtools_auth file. The refresh token can be read and copied from this file. This leaves us with a valid refresh token for the MS Graph API, impersonating the Azure PowerShell app as the Pepper Mintstix user in this Azure tenant.

cat .roadtools_auth

AzureHound Enumeration

Finally, we can start the enumeration of the targeted Azure tenant with the acquired refresh token, writing the results to output.json in the process.

./azurehound --refresh-token <copied MS Graph refresh token> list --tenant "<target tenant id>" -o output.json

All that is left now is to import output.json into BloodHound via the usual "Upload Data" button and start graphing!
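From the defender's side, the two steps above leave a recognisable trail in Entra ID (Azure AD) sign-in logs: a Microsoft Graph token is issued under the Azure PowerShell client id to a client that is not the Azure PowerShell module, followed by a burst of Graph sign-ins for the same user while the ingestor walks the directory. The following script is an added example, not code from the original page, ROADTools or AzureHound. It assumes sign-in records shaped like the Microsoft Graph signIn resource (appId, resourceDisplayName, userAgent, userPrincipalName, createdDateTime); the records, user agents and addresses are constructed, and the "AzurePowershell" user-agent marker for the genuine module is an assumption to tune against your own tenant's baseline.

```python
"""Triage Entra ID sign-in records for Graph tokens obtained under the
Azure PowerShell app id by a foreign client, and for enumeration bursts.

Added example (not part of the original page). Record layout follows the
Microsoft Graph signIn resource; all sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Client id of the Azure PowerShell app, as used on the page.
AZURE_POWERSHELL_APP_ID = "1950a258-227b-4e31-a9cf-717495945fc2"
GRAPH_RESOURCE = "Microsoft Graph"
# Assumption for this example: the genuine module identifies itself with
# "AzurePowershell" in its user agent. Graph tokens issued under the app's
# client id to any other agent deserve a closer look.
EXPECTED_UA_MARKER = "azurepowershell"

# Constructed sample records: one legitimate module sign-in, then a token
# request from a scripting client and a burst of follow-up Graph sign-ins.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-01-10T09:00:00Z", "userPrincipalName": "alice@corp.example",
     "appId": AZURE_POWERSHELL_APP_ID, "resourceDisplayName": GRAPH_RESOURCE,
     "userAgent": "AzurePowershell/v11.0.0 PSVersion/v7.4.0", "ipAddress": "198.51.100.10"},
    {"createdDateTime": "2024-01-10T09:05:00Z", "userPrincipalName": "pepper@corp.example",
     "appId": AZURE_POWERSHELL_APP_ID, "resourceDisplayName": GRAPH_RESOURCE,
     "userAgent": "python-requests/2.31.0", "ipAddress": "203.0.113.5"},
] + [
    {"createdDateTime": f"2024-01-10T09:{6 + i:02d}:00Z", "userPrincipalName": "pepper@corp.example",
     "appId": AZURE_POWERSHELL_APP_ID, "resourceDisplayName": GRAPH_RESOURCE,
     "userAgent": "Go-http-client/1.1", "ipAddress": "203.0.113.5"}
    for i in range(6)
]


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_impersonated_clients(signins):
    """Return records where a Graph token was issued under the Azure PowerShell
    client id, but the user agent does not look like the Azure PowerShell module."""
    hits = []
    for rec in signins:
        if rec.get("appId") != AZURE_POWERSHELL_APP_ID:
            continue
        if rec.get("resourceDisplayName") != GRAPH_RESOURCE:
            continue
        if EXPECTED_UA_MARKER not in rec.get("userAgent", "").lower():
            hits.append(rec)
    return hits


def find_graph_bursts(signins, window=timedelta(minutes=10), threshold=5):
    """Return {upn: peak count} for users whose Graph sign-ins inside any
    sliding `window` reach `threshold`; directory enumeration tends to look
    like many token redemptions in a short span."""
    per_user = defaultdict(list)
    for rec in signins:
        if rec.get("resourceDisplayName") == GRAPH_RESOURCE:
            per_user[rec["userPrincipalName"]].append(parse_ts(rec["createdDateTime"]))
    bursts = {}
    for upn, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[upn] = best
    return bursts


def triage(signins):
    """Combine both signals into one summary keyed by user principal name."""
    return {
        "impersonated_client": sorted({r["userPrincipalName"] for r in find_impersonated_clients(signins)}),
        "graph_bursts": find_graph_bursts(signins),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SIGNINS))
```

Neither signal is conclusive on its own: administrators do script against Graph with non-standard clients, and the threshold and window need tuning to the tenant. The combination, a foreign client obtaining Graph tokens under a first-party app id and then hammering Graph from the same address, is what should raise the ticket.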

Conclusion

In this article, we explored how to enumerate Azure AD via AzureHound, starting from a Primary Refresh Token request from a normal compromised user session.

References

https://github.com/BloodHoundAD/AzureHound
https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/
https://github.com/dirkjanm/ROADtools
https://github.com/dirkjanm/ROADtoken
https://github.com/leechristensen/RequestAADRefreshToken
https://github.com/trustedsec/CS-Situational-Awareness-BOF
https://github.com/wotwot563/aad_prt_bof
Figures (captions only; the screenshots are not reproduced here):
  • Command to request a new access and refresh token for the MS Graph API
  • Copying the refresh token for MS Graph
  • Successful enumeration of the targeted tenant with the acquired MS Graph refresh token
  • Browsing the imported AzureHound data