• Stars
    star
    470
  • Rank 93,399 (Top 2 %)
  • Language
    PowerShell
  • License
    BSD 3-Clause "New...
  • Created over 3 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Azure JWT Token Manipulation Toolset

TokenTactics

Azure JSON Web Token ("JWT") Manipulation Toolset

Azure access tokens allow you to authenticate to certain endpoints as a user who signs in with a device code. Even if they used multi-factor authentication. Once you have a user's access token, it may be possible to access certain apps such as Outlook, SharePoint, OneDrive, MSTeams and more.

For instance, if you have a Graph or MSGraph token, you can then connect to Azure and dump users, groups, etc. You could then, depending on conditional access policies, switch to an Azure Core Management token and run AzureHound. Then, switch to an Outlook token and read/send emails or MS Teams and read/send messages!

For more on Azure token types Microsoft identity platform access tokens

There are some example requests to endpoints in the resources folder. There is also an example phishing template for device code phishing.

You may also use these tokens with AAD Internals as well. We strongly recommended to check this amazing tool out.

Installation and Usage

Import-Module .\TokenTactics.psd1

Get-Help Get-Azure-Token

RefreshTo-SubstrateToken

Generate Device Code

Get-AzureToken -Client MSGraph Once the user has logged in, you'll be presented with the JWT and it will be saved in the $response variable. To access the access token use $response.access_token from your PowerShell window to display the token. You may also display the refresh token with $response.refresh_token. Hint: You'll want the refresh token to keep refreshing to new access tokens! By default, Get-AzureToken results are logged to TokenLog.log.

DOD/Mil Device Code

Get-AzureToken -Client DODMSGraph

Refresh or Switch Tokens

RefreshTo-OutlookToken -domain myclient.org -refreshToken ey..

$OutlookToken.access_token

Connect

Connect-AzureAD -AadAccessToken $response.access_token -AccountId [email protected]

Clear tokens

Clear-Token -Token All

Commands

Get-Command -Module TokenTactics

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Clear-Token                                        0.0.1      TokenTactics
Function        Dump-OWAMailboxViaMSGraphApi                       0.0.1      TokenTactics
Function        Forge-UserAgent                                    0.0.1      TokenTactics
Function        Get-AzureToken                                     0.0.1      TokenTactics
Function        Get-TenantID                                       0.0.1      TokenTactics
Function        Open-OWAMailboxInBrowser                           0.0.1      TokenTactics
Function        Parse-JWTtoken                                     0.0.1      TokenTactics
Function        RefreshTo-AzureCoreManagementToken                 0.0.1      TokenTactics
Function        RefreshTo-AzureManagementToken                     0.0.1      TokenTactics
Function        RefreshTo-DODMSGraphToken                          0.0.1      TokenTactics
Function        RefreshTo-GraphToken                               0.0.1      TokenTactics
Function        RefreshTo-MAMToken                                 0.0.1      TokenTactics
Function        RefreshTo-MSGraphToken                             0.0.1      TokenTactics
Function        RefreshTo-MSManageToken                            0.0.1      TokenTactics
Function        RefreshTo-MSTeamsToken                             0.0.1      TokenTactics
Function        RefreshTo-O365SuiteUXToken                         0.0.1      TokenTactics
Function        RefreshTo-OfficeAppsToken                          0.0.1      TokenTactics
Function        RefreshTo-OfficeManagementToken                    0.0.1      TokenTactics
Function        RefreshTo-OutlookToken                             0.0.1      TokenTactics
Function        RefreshTo-SubstrateToken                           0.0.1      TokenTactics
Function        RefreshTo-YammerToken                           0.0.1      TokenTactics

Authors and contributors

  • @0xBoku co-author and researcher.

TokenTactic's methods are highly influenced by the great research of Dr Nestori Syynimaa at https://o365blog.com/.

More Repositories

1

Misc-Powershell-Scripts

Random Tools
PowerShell
770
star
2

FindFrontableDomains

Search for potential frontable domains
Python
559
star
3

BOF_Collection

Various Cobalt Strike BOFs
C
444
star
4

CPLResourceRunner

Run shellcode from resource
C#
244
star
5

Rubeus-Rundll32

Run Rubeus via Rundll32
C#
171
star
6

SharpPrinter

Discover Printers
C#
161
star
7

MSBuildAPICaller

MSBuild Without MSBuild.exe
C#
155
star
8

SharpSMBSpray

Spray a hash via smb to check for local administrator access
C#
140
star
9

NoMSBuild

MSBuild without MSbuild.exe
C#
128
star
10

SharpCOM

CSHARP DCOM Fun
C#
112
star
11

SharpExcel4-DCOM

Port of Invoke-Excel4DCOM
C#
98
star
12

Azure-App-Tools

Collection of tools to use with Azure Applications
HTML
97
star
13

Word-Doc-Video-Embed-EXE-POC

HTML
92
star
14

SharpFruit

A C# penetration testing tool to discover low-haning web fruit via web requests.
C#
88
star
15

RendezvousRAT

Self-healing RAT utilizing libp2p
Go
84
star
16

MimeSpray

MimeCast Password Spraying Tool
Python
43
star
17

CrypoCurrencyPowerShell

PowerShell
30
star
18

FlaskRedirectorProtector

Protect your servers with a secret header
Python
28
star
19

MSSQLUDPScanner

Discover MSSQL Instances via UDP Scanning
C#
24
star
20

HashCant

Some Hashcat Rules for 2020 and beyond. Contributions encouraged!
24
star
21

PELoader

Load PE via XML Attribute
C#
23
star
22

OSGiScanner

Scan for OSGi Consoles
Python
21
star
23

SharpSSDP

SSDP Service Discovery
C#
16
star
24

FindIngressEmail

Find Inbound Email Domains
PowerShell
15
star
25

UACSilentCleanup

C#
14
star
26

Carnac

Carnac The Magnificent: Pancakeswap Prediction Market Bot
Python
14
star
27

eavesarp

Analyze ARP requests to identify hosts that are communicating with one another.
Python
13
star
28

SharpEdge

C# Implementation of Get-VaultCredential
C#
12
star
29

Armitage-Cortana-Resource-Opener

Open Resource Files in Armitage with Cortana
11
star
30

CanaryServer

Fake SMB and SAMR data
Python
10
star
31

POSH-Commander

Invoke remote powershell scripts in memory of compromised hosts.
Ruby
10
star
32

ADEnum

Active Directory Enumeration Tool
Python
6
star
33

SkiDzEX

A modded version of ConfuserEx | SkiDzEx
C#
6
star
34

OracleCommander

Oracle Commander
C#
6
star
35

X-Commander

MySQLlX Multitool
Python
6
star
36

BeaconSMS

Set Cobalt Strike Beacons to SMS you upon arrival.
6
star
37

Posh-Runas

PowerShell
5
star
38

MiniDump

alternative to procdump
C#
5
star
39

azure_scripts

Scripts for attacking azure
Python
3
star
40

glorious-wizard

HTML
3
star
41

rvrsh3ll

things
1
star
42

MalDoc-Embedded-EXE-Bin-

This is a technique one can use for their MalDoc.
Visual Basic .NET
1
star
43

aldpro

Install ALD Pro
Shell
1
star
44

rvrsh3ll.github.io

Python
1
star