Navigating The Shadows
  • About This Gitbook
  • Red Team Operations
    • Initial Access
      • Webshells
        • Java (JSP) - Bring Your Own Jar
        • IIS - SOAP
      • Macro Attacks
        • Talking Documents with SpVoice COM
        • Binary File Write via Microsoft Speech API
        • Mark-Of-The-Web Bypass with 7-zip
    • Azure and O365
      • PRT Abuse from Userland with Cobalt Strike
      • Enumerate Azure AD with AzureHound from Userland
    • AWS
      • Role Abuse: SSM
    • OffSecOps
      • Arsenal Aggressor Script
  • Red Team Infrastructure
    • AWS
      • Connectionless Ansible Deployment with Terraform via SSM
  • Training
    • Operational Purple Teaming for Defenders
  • Training Reviews
    • Offensive Security
      • OSED
  • VULNERABILITY RESEARCH
    • RCE In HPE Insight Cluster Management Utility (CVE-2024-13804)
Powered by GitBook
On this page
  • Introduction
  • Requesting a PRT
  • Requesting Tokens for the MS Graph API
  • AzureHound Enumeration
  • Conclusion
  • References
  1. Red Team Operations
  2. Azure and O365

Enumerate Azure AD with AzureHound from Userland

This page describes how to enumerate Azure AD with AzureHound, starting from a non-privileged user session on a Windows machine.

PreviousPRT Abuse from Userland with Cobalt StrikeNextAWS

Last updated 2 years ago

Introduction

In a previous article, we discussed how to acquire a Primary Refresh Token (PRT) cookie from a compromised normal user's session on a Windows machine. This Single Sign-On token allows an attacker to impersonate the victim user in Azure AD and opens up a variety of attack possibilities. In this article, we will discuss how to use the acquired PRT to enumerate Azure AD with AzureHound. AzureHound is the official ingestor for the famous BloodHound Active Directory Enumeration tool.

Requesting a PRT

Follow the "Requesting PRTs" step from the previous article to acquire a new Primary Refresh Token from the victim's session. This approach relies on Dirk-jan Mollema's ROADTools and worwot563's aad_prt_bof.

Requesting Tokens for the MS Graph API

According to the documentation, AzureHound can enumerate Azure AD via the Microsoft Graph API. This means that we need to use the acquired PRT to request tokens for this API first. We will impersonate the Azure PowerShell app (1950a258-227b-4e31-a9cf-717495945fc2) in the process to obtain the necessary permissions for the MS Graph API. Luckily, ROADTools makes this very easy:

roadrecon auth --prt-cookie <primary refresh token value> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"

The previous command wrote tokens to the .roadtools_auth file. The refresh token can be read and copied from this file. This leaves us with a valid refresh token for the MS Graph API, impersonating the Azure PowerShell app as the Pepper Mintstix user in this Azure tenant.

cat .roadtools_auth

AzureHound Enumeration

Finally, we can start the enumeration process of the targeted Azure tenant with the acquired refresh token. We can output the results to output.json in the process.

./azurehound --refresh-token <copied MS Graph refresh token> list --tenant "<target tenant id>" -o output.json

All that is left now, is to import the output.json in BloodHound via the usual "upload data" button and start graphing!

Conclusion

In this article, we explored how to enumerate Azure AD via AzureHound, starting from a Primary Refresh Token request from a normal compromised user session.

References

  • https://github.com/BloodHoundAD/AzureHound

  • https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/

  • https://github.com/dirkjanm/ROADtools

  • https://github.com/dirkjanm/ROADtoken

  • https://github.com/leechristensen/RequestAADRefreshToken

  • https://github.com/trustedsec/CS-Situational-Awareness-BOF

  • https://github.com/wotwot563/aad_prt_bof

Command to request a new access and refresh token for the MS Graph API
Copying the refresh token for MS Graph.
Successful enumeration of the targeted tenant with the acquired MS Graph refresh token
Browsing the imported AzureHound data