Az - Pass the Certificate
On Azure AD joined machines it's possible to authenticate from one machine to another using certificates issued by the Azure AD CA for the required user (as the subject), provided both machines support the NegoEx authentication mechanism.
In super simplified terms:
The machine (client) initiating the connection needs a certificate from Azure AD for a user.
The client builds a JSON Web Token (JWT) containing the PRT and other details, signs it with the derived key (derived from the session key and the security context) and sends it to Azure AD.
Azure AD verifies the JWT signature using the client's session key and security context, checks the validity of the PRT and responds with the certificate.
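As an added illustration (not code from this page or from the original post), the following Python models the signing and verification in the last two steps: the client holds only the derived key and its security context, signs a JWT with HMAC-SHA256 and puts the context in the header; Azure AD, which holds the session key, re-derives the same key from that header context and checks the signature. The SP 800-108 counter-mode derivation with the label AzureAD-SecureConversation, the HS256 algorithm and the claim names are assumptions of this example taken from public descriptions of the PRT protocol; the session key, context and PRT values are constructed.

```python
import base64
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

# KDF label for PRT session-key derivation (assumption of this example,
# taken from public descriptions of the protocol, not from the page above).
KDF_LABEL = b"AzureAD-SecureConversation"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def derive_key(session_key: bytes, context: bytes) -> bytes:
    """SP 800-108 KDF in counter mode with HMAC-SHA256 (assumed layout).

    One 32-byte block is enough, so a single HMAC over
    [i=1]_4 || label || 0x00 || context || [L=256 bits]_4 is computed.
    """
    fixed = struct.pack(">I", 1) + KDF_LABEL + b"\x00" + context + struct.pack(">I", 256)
    return hmac.new(session_key, fixed, hashlib.sha256).digest()


def sign_prt_jwt(prt: str, derived_key: bytes, context: bytes, claims: dict) -> str:
    """Client side: build and sign the request JWT.

    Only the derived key and its context are needed, which is why an attacker
    holding the PRT, context and derived key (but not the session key) can
    still mint valid requests.
    """
    header = {"alg": "HS256", "typ": "JWT", "ctx": b64url(context)}
    payload = dict(claims)
    payload["refresh_token"] = prt  # illustrative claim name for the PRT
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(derived_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_prt_jwt(token: str, session_key: bytes) -> Optional[dict]:
    """Server side: re-derive the key from the session key and the ctx in the
    header, then check the MAC. Returns the claims on success, None otherwise."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256" or "ctx" not in header:
        return None  # never accept "none" or an asymmetric alg here
    context = b64url_decode(header["ctx"])
    expected = hmac.new(
        derive_key(session_key, context), f"{h}.{p}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    # Constructed values: on a real device the session key lives in the TPM/LSASS.
    session_key = os.urandom(32)
    context = os.urandom(24)
    derived = derive_key(session_key, context)
    token = sign_prt_jwt("<PRT>", derived, context, {"grant_type": "refresh_token"})
    print(verify_prt_jwt(token, session_key))
```

The point to take away is that the derived key is bound to one context value carried in the header, so the verifier never needs the derived key itself, only the session key; conversely, stealing the derived key together with its context is enough to sign requests without ever touching the session key, which is exactly the material the Pass the PRT list below requires.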
In this scenario, once you have gathered everything needed for a Pass the PRT attack:
Username
Tenant ID
PRT
Security context
Derived Key
It's possible to request a P2P certificate for the user with the tool PrtToCert.
The certificate is valid for as long as the PRT is. To use it you can run the Python tool AzureADJoinedMachinePTC, which authenticates to the remote machine, runs PsExec and opens a CMD on the victim. From there you can use Mimikatz again to extract the PRT of another user.
For more details about how Pass the Certificate works check the original post https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597