Introduction

In a previous article, we discussed how to acquire a Primary Refresh Token (PRT) cookie from a compromised normal user's session on a Windows machine. This Single Sign-On token allows an attacker to impersonate the victim user in Azure AD and opens up a variety of attack possibilities. In this article, we will discuss how to use the acquired PRT to enumerate Azure AD with AzureHound. AzureHound is the official ingestor for the famous BloodHound Active Directory Enumeration tool.

Requesting a PRT

Follow the "Requesting PRTs" step from the previous article to acquire a new Primary Refresh Token from the victim's session. This approach relies on Dirk-jan Mollema's ROADTools and worwot563's aad_prt_bof.

Requesting Tokens for the MS Graph API

According to the documentation, AzureHound can enumerate Azure AD via the Microsoft Graph API. This means that we need to use the acquired PRT to request tokens for this API first. We will impersonate the Azure PowerShell app (1950a258-227b-4e31-a9cf-717495945fc2) in the process to obtain the necessary permissions for the MS Graph API. Luckily, ROADTools makes this very easy:

roadrecon auth --prt-cookie <primary refresh token value> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"

The previous command wrote tokens to the .roadtools_auth file. The refresh token can be read and copied from this file. This leaves us with a valid refresh token for the MS Graph API, impersonating the Azure PowerShell app as the Pepper Mintstix user in this Azure tenant.

cat .roadtools_auth

AzureHound Enumeration

Finally, we can start the enumeration process of the targeted Azure tenant with the acquired refresh token. We can output the results to output.json in the process.

./azurehound --refresh-token <copied MS Graph refresh token> list --tenant "<target tenant id>" -o output.json

All that is left now, is to import the output.json in BloodHound via the usual "upload data" button and start graphing!

Conclusion

In this article, we explored how to enumerate Azure AD via AzureHound, starting from a Primary Refresh Token request from a normal compromised user session.

References

• https://github.com/BloodHoundAD/AzureHound

• https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/

• https://github.com/dirkjanm/ROADtools

• https://github.com/dirkjanm/ROADtoken

• https://github.com/leechristensen/RequestAADRefreshToken

• https://github.com/trustedsec/CS-Situational-Awareness-BOF

• https://github.com/wotwot563/aad_prt_bof