Pass the Certificate (Azure)

In Azure joined machines, it's possible to authenticate from one machine to another using certificates that must be issued by Azure AD CA for the required user (as the subject) when both machines support the NegoEx authentication mechanism.

In super simplified terms:

• The machine (client) initiating the connection needs a certificate from Azure AD for a user.

• Client creates a JSON Web Token (JWT) header containing PRT and other details, sign it using the Derived key (using the session key and the security context) and sends it to Azure AD

• Azure AD verifies the JWT signature using client session key and security context, checks validity of PRT and responds with the certificate.

In this scenario and after grabbing all the info needed for a Pass the PRT attack:

• Username

• Tenant ID

• PRT

• Security context

• Derived Key

It's possible to request P2P certificate for the user with the tool PrtToCert:

RequestCert.py [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx HEXCTX --hexDerivedKey HEXDERIVEDKEY [--passPhrase PASSPHRASE]

The certificates will last the same as the PRT. To use the certificate you can use the python tool AzureADJoinedMachinePTC that will authenticate to the remote machine, run PSEXEC and open a CMD on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user.

Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP

References

• For more details about how Pass the Certificate works check the original post https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597