This commit is contained in:
carlospolop
2025-05-11 17:04:02 +02:00
parent bb4337235e
commit 13cd85219b
4 changed files with 35 additions and 4 deletions

@@ -208,6 +208,26 @@ microsoft_office_bearer_tokens_for_graph_api = (
pprint(microsoft_office_bearer_tokens_for_graph_api)
```
## Where to find tokens
From an attackers perspective it's very interesting to know where is it possible to find access and refresh tokens when for example the PC of a victim is compromised:
- Inside **`<HOME>/.Azure`**
- **`azureProfile.json`** contains info about logged in users from the past
- **`clouds.config contains`** info about subscriptions
- **`service_principal_entries.json`** contains applications credentials (tenant id, clients and secret). Only in Linux & macOS
- **`msal_token_cache.json`** contains contains access tokens and refresh tokens. Only in Linux & macOS
- **`service_principal_entries.bin`** and msal_token_cache.bin are used in Windows and are encrypted with DPAPI
- **`msal_http_cache.bin`** is a cache of HTTP request
- Load it: `with open("msal_http_cache.bin", 'rb') as f: pickle.load(f)`
- **`AzureRmContext.json`** contains information about previous logins using Az PowerShell (but no credentials)
- Inside **`C:\Users\<username>\AppData\Local\Microsoft\IdentityCache\*`** are several `.bin` files with **access tokens**, ID tokens and account information encrypted with the users DPAPI.
- Its possible to find more **access tokens** in the `.tbres` files inside **`C:\Users\<username>\AppData\Local\Microsoft\TokenBroken\Cache\`** which contain a base64 encrypted with DPAPI with access tokens.
- In Linux and macOS you can get **access tokens, refresh tokens and id tokens** from Az PowerShell (if used) running `pwsh -Command "Save-AzContext -Path /tmp/az-context.json"`
- In Windows this just generates id tokens.
- Possible to see if Az PowerShell was used in Linux and macSO checking is `$HOME/.local/share/.IdentityService/` exists (although the contained files are empty and useless)
- If the user is **logged inside Azure with the browser**, according to this [**post**](https://www.infosecnoodle.com/p/obtaining-microsoft-entra-refresh?r=357m16&utm_campaign=post&utm_medium=web) it's possible to start the authentication flow with a **redirect to localhost**, make the browser automatically authorize the login, and receive the resh token. Note that there are only a few FOCI applications that allow redicet to localhost (like az cli or the powershell module), so these applications must be allowed.
## References
- [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research)
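Review bot: the `msal_http_cache.bin` bullet ("Load it: `with open("msal_http_cache.bin", 'rb') as f: pickle.load(f)`") should carry a caveat, because `pickle.load` executes whatever code the file encodes; a cache pulled off a machine you do not control should only be unpickled in an isolated throwaway environment, or inspected first with `pickletools.dis` rather than loaded. Several typos in the new section also need a pass: "contains contains" in the `msal_token_cache.json` line, "a cache of HTTP request" (requests), "Its possible" (It's), "macSO" (macOS), "checking is `$HOME/...` exists" (checking if), "receive the resh token" (refresh token), "redicet to localhost" (redirect), and the bold span in "**`clouds.config contains`**" should close after `clouds.config`. The path `C:\Users\<username>\AppData\Local\Microsoft\TokenBroken\Cache\` looks like a typo for the Windows Token Broker directory (`TokenBroker`); worth confirming against a live host before merging, since a reader will copy it verbatim.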