Merge pull request #51 from petrsnm/patch-1
s/PTR/PRT/g
carlospolop authored Jun 4, 2024
2 parents b05b804 + 06f1b44 commit 8de0502
Showing 1 changed file with 3 additions and 3 deletions.
Expand Up @@ -58,7 +58,7 @@ The **LSASS** process will send to the TPM the **KDF context**, and the TPM will

The **KDF context is** a nonce from AzureAD and the PRT creating a **JWT** mixed with a **context** (random bytes).

Therefore, even if the PTR cannot be extracted because it's located inside the TPM, it's possible to abuseLSASS to **request derived keys from new contexts and use the generated keys to sign Cookies**.
Therefore, even if the PRT cannot be extracted because it's located inside the TPM, it's possible to abuseLSASS to **request derived keys from new contexts and use the generated keys to sign Cookies**.

<figure><img src="../../../.gitbook/assets/image (31).png" alt=""><figcaption></figcaption></figure>
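Review bot: the PTR→PRT correction on the changed line is right, but the same line still carries the typo "abuseLSASS" (missing space), so while this sentence is being touched it should read "it's possible to abuse LSASS to **request derived keys from new contexts and use the generated keys to sign Cookies**"; otherwise the follow-up will need a second one-word commit for the same sentence.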

Expand Down Expand Up @@ -126,7 +126,7 @@ Connect-AzureAD --AadAccessToken <token> --AccountId <acc_ind>

### Attack - Using roadrecon

### Attack - Using AADInternals an leaked PTR
### Attack - Using AADInternals and a leaked PRT

`Get-AADIntUserPRTToken` **gets user’s PRT token** from the Azure AD joined or Hybrid joined computer. Uses `BrowserCore.exe` to get the PRT token.
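Review bot: the heading now correctly says "a leaked PRT", but the unchanged description immediately below it still says "gets user's PRT token", which expands to "Primary Refresh Token token"; for consistency with the renamed heading and with the `Get-AADIntUserPRTToken` cmdlet name, suggest "gets the user's PRT" here and "Uses `BrowserCore.exe` to obtain the PRT" on the second sentence.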

Expand Down Expand Up @@ -269,7 +269,7 @@ HttpOnly: Set to True (checked)
The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good.
{% endhint %}

#### Option 2 - roadrecon using PTR
#### Option 2 - roadrecon using PRT

* Renew the PRT first, which will save it in `roadtx.prt`:
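Review bot: the commit message claims a global `s/PTR/PRT/g`, but the diff shows only three replaced lines, so before merging it is worth confirming with a case-sensitive search for "PTR" over the whole file that no further occurrences remain outside these three hunks (e.g. in the Option 1 text and the sections collapsed under "Expand Down"); if there are none, the message is accurate, and if there are, they belong in this same commit rather than another patch-1.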

