Az - Pass the Certificate
On Azure AD joined machines it is possible to authenticate from one machine to another with a certificate issued by the Azure AD CA for the target user (as its subject), provided both machines support the NegoEx authentication mechanism.
In super simplified terms:
- The machine (client) initiating the connection needs a certificate from Azure AD for a user.
- The client creates a JSON Web Token (JWT) containing the PRT and other details, signs it with the derived key (computed from the session key and the security context) and sends it to Azure AD.
- Azure AD verifies the JWT signature using the client's session key and security context, checks that the PRT is valid and responds with the certificate.
Besides the PRT and the user name, requesting the certificate with RequestCert.py requires:
- Tenant ID
- Security context
- Derived Key

```
RequestCert.py [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx HEXCTX --hexDerivedKey HEXDERIVEDKEY [--passPhrase PASSPHRASE]
```
The certificate is valid for as long as the PRT is. To use it, the Python tool AzureADJoinedMachinePTC authenticates to the remote machine, runs PSEXEC and opens a CMD on the victim machine, which allows using Mimikatz again to obtain the PRT of another user.

```
Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP
```