Az - Pass the Certificate

Support HackTricks and get benefits!

Pass the Certificate (Azure)

In Azure joined machines, it's possible to authenticate from one machine to another using certificates that must be issued by Azure AD CA for the required user (as the subject) when both machines support the NegoEx authentication mechanism.
In super simplified terms:
  • The machine (client) initiating the connection needs a certificate from Azure AD for a user.
  • Client creates a JSON Web Token (JWT) header containing PRT and other details, sign it using the Derived key (using the session key and the security context) and sends it to Azure AD
  • Azure AD verifies the JWT signature using client session key and security context, checks validity of PRT and responds with the certificate.
In this scenario and after grabbing all the info needed for a Pass the PRT attack:
  • Username
  • Tenant ID
  • PRT
  • Security context
  • Derived Key
It's possible to request P2P certificate for the user with the tool PrtToCert: [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx HEXCTX --hexDerivedKey HEXDERIVEDKEY [--passPhrase PASSPHRASE]
The certificates will last the same as the PRT. To use the certificate you can use the python tool AzureADJoinedMachinePTC **** that will authenticate to the remote machine, run PSEXEC and open a CMD on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user. [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP


Support HackTricks and get benefits!