...and all good online? All good online. Zoom okay? I think we are good to go. First double-checking: is the Zoom stream okay, so you can hear my voice? Okay, good. So I have two mics and these are quite a bit limiting my movement. Okay, so welcome everybody to this workshop. You can participate if you want to, you can sleep if you want to, it's okay, it's a good place to work also. I think Robert is looking here, so let's move forward.

So we're gonna talk about tokens, tokens, tokens, tokens. Multiple displays, as always. Okay, there we go.

A couple of words about me. Who am I? I'm Nestori Syynimaa, also known as DrAzureAD, and I work for Secureworks, been there two years now, in the Counter Threat Unit. What I do there: I just research, so that's my job. I try to find vulnerabilities in Microsoft products, especially cloud related ones, I report them to Microsoft and they fix it or not, and then also we have our own tool called Taegis and they are using my research on that also, so that we can detect stuff and prevent stuff. But that's about that. I'm also a Microsoft MVP in security and also MVR, which stands for Microsoft Most Valuable Researcher, so this is my second year there. Every year at Black Hat USA they publish the list of 100 researchers, and that's the list I'm on, so I'm happy to be there. I don't know how it goes this year, but we'll see. And I created a tool called AADInternals, I think at least some of you know that, and for those who are here I have some stickers, so I have the basic ones like these ones and then shiny ones, so you can pick your own if you want to. So the tool, and we are going to use that today. You don't have to use that if you don't want to, but it's easier for me to present stuff. It's for hacking and administrating Azure AD and Microsoft 365, it's open source, so you can download it quite easily and install it quite easily, and it has been listed by MITRE ATT&CK since last year
February. And is it any good? I don't know, but it has been used by a group called APT29, also known as NOBELIUM, so at least they found it useful.

So learning goals for today: I want that you understand what is the role of tokens when you are using cloud services, for instance. I want you to know how Azure AD has implemented the OAuth standard, it's a bit funny, and also that you will have skills to start analyzing tokens, so that's one of my hobbies and I want you to learn that also. And of course at the end also that you would understand the basic attack scenarios you can do with the tokens. So the content is there, and let's start by having a crash course on how cloud works. And by the way, you can tweet as much as you want to from this session, it's okay for me, and my tag is DrAzureAD.

How does cloud work? So there it is, that's how it works. What do we have here? First thing we have is clients, and by clients I mean the piece of software: that could be Outlook, that could be the Edge browser, or it could be a PowerShell client, so it could be anything. Then we have the authentication part, so before you can do something with your client you need to authenticate, and in this case it's Azure AD, and it supports different protocols, so it can be OpenID Connect or OAuth2, and usually it's OAuth2. Now, after you have authenticated, then you can use those services, and technically even when you open a browser and go to Office, for instance, and open Outlook, what is happening in the background is that you are using APIs actually. So the browser is a client that is using or calling those APIs, and that's how it works: first you need to have the client, then you authenticate, and when you authenticate you have something called an access token, and then with that access token you can go and consume the services. So that's, simply put, how cloud works.

Checking OAuth terms: we have the identity provider, in this case Azure AD, and then we have the service provider, so
these are the crucial components, so you need to have both. Also this identity provider, in this case Azure AD, knows about the client and you as a user only what you tell to cloud; it has no other way to know anything about you. So you need to tell who you are, and what's the typical way to do that? Give username and password, right? And so on. Also the service provider, in this case it could be Azure AD if you are calling the Azure AD API, or it can be Azure, it can be Microsoft 365, so the service provider is trusting the identity provider, and again the service provider knows about you only what you tell it, same way as what you tell to cloud. The service provider also knows about you and the used client only what you tell it, or what the identity provider tells it, actually. And how the identity provider tells the service provider who you are, what device you are using and even what authentication methods you used is in the form of an access token. So that's how that information is delivered to the service provider.

Okay, what else? When you are authenticating against Azure AD you need to give some proof of identity, and here are some options for that. The username and password is the most typical one, and in OAuth terminology it's called ROPC, or resource owner password credentials. You can use an authenticator app, you can use FIDO2 keys, so there are a lot of options for how you can actually achieve things. And in Azure AD we have a lot of things stored there, but at least there's three identities: you have the user identity, so there's a user object; we also have the device identity, if you have devices joined; and then we have the application or client, it's the same thing, different name, so we have also identities for those. But we're going to see these in a second.

So now let's start our first kind of exercise. How many of you have installed Fiddler or Burp Suite on your computers? Quite many, yes. So you can use that, but if you
don't, you can use the hacking button as well. So I'm going to show how we can start this, so you can do this also with your Fiddler. And by the way, does everybody have the credentials provided, this small one? Okay, so you can use that or you can use your own credentials, it's up to you, but because this is kind of a hacking session you might not want to use your own. Okay, so I don't know if I can talk and type at the same time, but let's try. So I hit F12 and it opens up the developer tools right here, and now I'm gonna browse to Office. You know what's the wifi password? No sec 2023, right? Okay, so now I signed in, and the question was: can you see any tokens? And I have a hint for you. For instance if you are using this F12 or developer tools, and same with Fiddler or Burp, you can search stuff, so if you search for eyJ0 and hit enter you can see a lot of tokens here actually. So you might think that when you are looking into Office there's only like one token, but no, there's a lot of tokens to different services, and we're going to see later which services those are actually. But as you can see, there's a lot of tokens.

Okay, so that was the first kind of small hands-on exercise. So which form of proof of identity did you use actually? What was it? Username and password, right? So that's how cloud knew who you are: you just typed the username and password from that piece of paper, and now cloud knows who you are, or well, who you pretend to be.

Okay, so let's move forward and let's talk about bearer tokens, which you actually saw. What are bearer tokens? According to the standard, a bearer token is a thing that whoever has it can use for any purposes he or she wants to. That's why it's called bearer: whoever has access to that token can use that token for any purposes in the service that are allowed. So you don't need to have that
cryptographic material, also called proof of possession. You only need to have that access token, or well, bearer token, and technically it's just a string of something. For the client it should be meaningless: you don't know what it is, what it contains, it's just a string that the client is sending to the service provider, like in this case to the Office services. Bearer tokens are the predominant type of access tokens with OAuth2, and as I told you, it's just an opaque string, it's not intended to have any meaning to the client. However, it could also be a JSON Web Token, or JWT, and this is actually what it usually is, and when it's a JSON Web Token you can actually see what's inside it, and we will come back to that later. As you saw from the previous step, or the exercise, the way that you deliver this token to the service is the Authorization header: there's "Bearer" and then there's the string, whatever that is, and that can be that JSON Web Token.

Some terminology regarding OAuth: we have this identity provider, but it's called the authorization server in OAuth terminology. Also the service provider is called the resource server, so it's a little bit different name but the same thing. Users are resource owners, and then the applications like Outlook or Teams, they are called clients or OAuth clients. And here's the process of how the authorization flow goes in OAuth. First you are a resource owner, or user, and you want to access your data, so you are going to use the client, and then that client is going to connect to the authorization server and use the proof of identity you have chosen or agreed to, like using a password. If everything is okay, meaning that the authorization server allows you to access services, it will create you a bearer token, and then the client will connect to that resource server and provide that bearer token, and now the service provider will provide you the service. So if
you want to read your email, you pop up your Outlook client, you log in, and then you access Exchange Online and it will return you your inbox and so on. So quite basic stuff, right?

So then exercise: when you logged into Office, which authorization server did you actually use? Those who are watching the trace between your browser and Office, which authorization server did you use, or do you know? No? Okay, so let's try to see if we can find any. So now if you type here, actually you don't need to type because it's right here, so here, this login.microsoftonline.com, that is the authorization server in this case. That's Azure AD, where you send your credentials, for instance, and that's the correct one. And then did we see any resource servers? Basically all the others here which are not that authorization server, all those things that you have that token for, they are resource servers. So if we quickly look here we can see that there's Graph API, then we have web shell, we have substrate.office.com, and I think that's the most used resource server here. Okay, any questions at this point? No? Okay.

Why did you look for eyJ? Yeah, that's a good question. Why did I look for eyJ? Well, you're gonna have that answered in the next couple of slides. So yeah, good question, so because of this: JSON Web Token, or JWT. So let's talk about some technical stuff, might be boring, might be not, we'll see. What is a JSON Web Token? It's just a compact way to present claims, and claims are related to that user or resource owner. It says who you are, for instance; it can tell what device you are using, and that kind of information. Those are claims. And we have two implementations. The first one is JSON Web Signature, and that is usually used as a synonym for JWT, and that's wrong, but I can live with that. So JWT is not JWS, but it's both JWS and JWE, and I think you all have seen this JSON Web Signature
kind of token, and that started with eyJ. Then we have this other thing called JSON Web Encryption token, and I think we might have time to get into that later on this day, but we'll see about that. But now let's talk about JWT. It is used in Azure AD as an access token and ID token, so that's the standard for that, and it has three parts. It has the JOSE header, JavaScript Object Signing and Encryption header, which is right here, the first part. That is base64 encoded, and because that's JSON it always starts with, what is that, a square bracket, and when you base64 encode that it is going to be eyJ, so that's why we search for that. Then we have a dot, and then we have the payload, which is usually the claims set as JSON, and then we have the signature part. That's why it's called JSON Web Signature: it's not encrypted, but it is signed with a key that is trusted by both parties, I mean the authorization server and the resource server. So in this case actually Azure AD signs that token, and then when you call for instance Exchange Online APIs, Exchange Online checks that signature, so that way they can be sure that you are who you claim you are. But that is not encrypted, so you can see what is inside it, and we're going to do that also in a minute.

So there's a typical JOSE header: we have the type here, JWT; we have the algorithm, which means the signing algorithm; and then we have the ID of the key that you can use to verify the signature. That's how it works. And here's a couple of things that you can have. The signing algorithm can be RS256, which is quite typical, then it can be HMAC SHA256, or it can be none, which would be nice for hackers, because then you could create your own ones if that's not signed, and it still happens, but not with Azure AD anymore, so they always have to have that signature. Okay, and here's an example of the payload of that access token, so what there is
typically: we have the audience, which says which API you can use this token for; then there's the issuer, which means which organization actually issued this token; and then we have of course the expiration date and time. Then we have the application ID. Who knows what this application is? Anybody? So that's Microsoft Office, for instance. And then we have the object ID, which is the user's object ID in Azure AD. Then we have scope, and scope can be that you can call certain APIs only, or if you have user_impersonation, which is the best one, it means that you can do anything the user has permission to do in that API. We have tenant ID and then we have the user principal name. And the audience here, it's the resource server again in OAuth terminology, and then we have the issuer, which is the authorization server, then we have the scope, which usually is the API. So that's what's inside that access token.

And then how to validate that signature? It's based on the standard, which means that you have the issuer here and then /.well-known/openid-configuration. The issuer here is that one, so if you get an access token and you want to verify the signature, you take this URL and then you put it in front of this, and from there you will get a list of things, and one of those is jwks_uri, and that points, in this case, and that's Azure AD, to this URL. When you go there you will get a list of keys in JSON format. Then you just need to pick the correct one, the one that is matching the, sorry, wrong direction, that is matching the, where is it actually, oh yeah, sorry, here in the JOSE header there's a key ID. Then you just need to get the same key ID from here, and then you have the key material here, and then you can use that to verify the signature. So that's how it technically works. And this is an example from Azure AD, but other services that are using access tokens should also work that way. So if you ever wonder how
Azure AD or the service is actually doing that, these are the technical details of how that is verified.

Okay, so other uses for JWT in Azure AD. It's not just for access tokens or ID tokens, you can also use that to get a PRT. Who knows what a PRT is? I know Robert does, because he works at Microsoft. So that is a primary refresh token, and it's stored in computers that are Azure AD joined, so it is used for proving the identity of the device, and I'm going to demonstrate that at the end if we have time. Also you can use this to obtain PRTs, and then you can send some keys to Azure AD, so you use the same JWT format, but it's not the access token, but I'll show them to you at the end.

Okay, well yeah, primary refresh token. So that is a long-lived token, so it's valid for 90 days, not 14 days as the documentation says, it's 90 days, and you can update that using the device certificates. It is used technically in the background to get your new access tokens automatically, and these access tokens that you are going to get using the PRT have the device claim, which means that there's a device ID. And in Azure AD, for those who don't know, you can configure things called conditional access policies, and you can for instance say that okay, you can log in if you have a device that is compliant, and that compliance information is stored in Azure AD in your device object. Now when you have an access token that has that device ID, then Azure AD knows that you are using that device. So that's how this actually works. So yeah, what else did I have, I was supposed to mention something about this, I think it might come to my mind at some point.

Yes, there's a question: what was that signing frequency? Well, I don't know if I understood the question correctly, but that is valid for 90 days, that's pretty much it. No, this doesn't sign anybody out, so you only use this to get a new access token, yeah, and it happens automatically. Yeah.
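To make the validation steps above concrete (split the token, read the JOSE header, pick the key by kid, verify the signature, and only then check exp, nbf, aud and iss), here is an added Python example that is not from the talk or from AADInternals. It assumes a constructed key set standing in for the keys a validator would fetch from the jwks_uri, and, so that it runs offline, signs with HS256 instead of the RS256 that Azure AD uses; every claim value in it is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone

# Constructed stand-in for the key set a validator fetches from the jwks_uri listed in
# <issuer>/.well-known/openid-configuration. Azure AD publishes RSA keys and signs with
# RS256; this offline demo signs with HS256, but selects the key by the same "kid" lookup.
KEYS = {"constructed-kid-1": b"constructed-shared-secret-for-demo-only"}

# Placeholder issuer and audience (the tenant id from the talk is not reproduced here).
EXPECTED_ISSUER = "https://sts.windows.net/placeholder-tenant-id/"
EXPECTED_AUDIENCE = "https://graph.microsoft.com"


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the '=' padding that JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, kid: str, key: bytes, alg: str = "HS256") -> str:
    """Build a constructed sample JWS; alg='none' yields an unsigned token."""
    header = {"typ": "JWT", "alg": alg, "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, keys: dict, audience: str, issuer: str, now=None) -> dict:
    """Check header, kid and signature, then exp/nbf/aud/iss; claims come back only on success."""
    now = int(time.time()) if now is None else now

    def fail(reason):
        return {"ok": False, "reason": reason, "claims": {}}

    parts = token.split(".")
    if len(parts) == 5:            # JWE compact form: header.key.iv.ciphertext.tag
        return fail("jwe-encrypted")
    if len(parts) != 3:
        return fail("malformed")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:             # bad base64 (binascii.Error) or bad JSON
        return fail("malformed")
    alg = header.get("alg")
    if alg == "none":              # unsigned tokens are forgeable; Azure AD never issues them
        return fail("alg-none-rejected")
    if alg != "HS256":             # a validator for real Azure AD tokens would expect RS256
        return fail("unsupported-alg")
    key = keys.get(header.get("kid"))
    if key is None:                # the kid must match a published key
        return fail("unknown-kid")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return fail("bad-signature")
    # Only now are the claims trustworthy. Time claims are epoch seconds, not milliseconds.
    if now >= claims.get("exp", 0):
        return fail("expired")
    if now < claims.get("nbf", 0):
        return fail("not-yet-valid")
    if claims.get("aud") != audience:
        return fail("audience-mismatch")
    if claims.get("iss") != issuer:
        return fail("issuer-mismatch")
    return {"ok": True, "reason": "valid", "claims": claims}


def describe_claims(claims: dict) -> dict:
    """Render the claims discussed in the talk: times as UTC, amr methods, granted scopes."""
    out = {name: datetime.fromtimestamp(claims[name], tz=timezone.utc).isoformat()
           for name in ("iat", "nbf", "exp") if name in claims}
    out["amr"] = claims.get("amr", [])
    out["mfa"] = "mfa" in out["amr"]
    out["scopes"] = claims.get("scp", "").split()
    return out


# Constructed sample claims modelled on the access-token payload shown in the talk.
NOW = 1_700_000_000  # fixed "current time" so the run is reproducible
SAMPLE_CLAIMS = {
    "aud": EXPECTED_AUDIENCE, "iss": EXPECTED_ISSUER,
    "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600,
    "appid": "placeholder-app-id", "oid": "placeholder-object-id",
    "tid": "placeholder-tenant-id", "upn": "user@example.com",
    "amr": ["pwd", "mfa"], "scp": "Mail.Read User.Read",
}
```

Claims are only handed back after the signature check passes, which is the order a resource server has to follow; a decoder like jwt.ms shows the payload without any of these checks.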
The thing I was gonna mention is that, just a second, if I go back a few slides. Does it mean that if I get a hold of this token, like I said it was really important because it was used to refresh my session and so on, but that works up to 90 days? Yeah, so the question was that if you can get that token, can you log in like forever? Pretty much, yes. But it's not easy to get, because, how would I put this, it's stored in your computer in a place that you can't really access, so it involves the TPM, for instance, if you have one. So you can't access that, but we have ways to go around that, and we can even get our own ones. But anyways, the primary refresh token is the most powerful one as a proof of identity, because you can tell who you are and also what device you are using, but also, well, we will get back to that refresh token stuff, but as a refresh token you can get an access token for any client and any service, so there are no limits for that. But we will get back to that later, because that's the most interesting stuff.

So where were we? So now let's see what is inside the JWT, and we're going to use, well, you can use whatever site you want to, but jwt.ms is okay, or then you can use Read-AADIntAccessToken. But let's see. So now when I go back to the developer tools here I should be able to copy this, where is it, headers, there. So I'm just gonna copy this like this, Ctrl+C, then I can go to jwt.ms or any other tool you want to use, and I can then paste it here, and then you can see what we have, like what is the JOSE header and then what things we have here. So let's give you a couple of minutes so that you can actually see what the content is, and then we can have a little discussion of this and I can have a couple more. And I'm also gonna show you another way to do that with AADInternals, and
loading the module takes long because my code is checking that every time I load it. So what I'm doing here now is that I'm gonna use one of the AADInternals functions called Read-AADIntAccessToken, and when you provide the token, as you can see it starts with eyJ0, and I hit enter, it does the same as jwt.ms, so it shows what claims there are. So let's talk about what we have here actually. So this token here, the audience is graph.microsoft.com, so what does that mean, what service is this? Well, it's Microsoft Graph API, so you can use this token for that purpose. And it was issued by this tenant. So what is this tenant, the tenant ID? If you want to know that you can go to aadinternals.com/osint, so here you can paste the tenant ID like this, and then it will tell you what tenant that was and some other information. So we can see that it's called t2.my0365.side and we can see that there are a couple of domains there and so on. So using that tenant ID you can see what's the organization actually who issued that. Then we have this time here. Because those IDs are linked to the tenant somewhere, or is it written on board and go to your ID? Yeah, so the question is, is there a repository that tells you what that tenant ID means? No, there isn't, so this is the tool I created that can get you that information. With the tenant ID you need to call a certain API and then it returns you information about that tenant ID. But yeah, well, there's a kind of repository, it's called Azure AD, but we can't access that directly. So yes, this time here, iat, I can't remember what that is, but it's the same as not before, and then not after, or when that expires. And this time, it's a, what is that Linux time called, anybody? I can't remember either. Yeah, but anyways it's a Linux time, so it's seconds, milliseconds? Yeah, epoch, yes, epoch time, yes, so it's milliseconds from the 1st of January 1970, yes. And then we have AIO, I don't
know what that means, but AMR, that's interesting because it shows you what kind of methods you used to sign in, so it can be pwd, which means password, or it can be mfa, or it can be rsa and so on, but we will see that later. And then we see what's the application ID, and it says that it's Office 365 Shell WCSS-Client, I don't know what that is, but something that is used by the Office portal. Then we have idtyp, it says it's user, and then we have the IP address, and this is my IP address, and probably you will have the same because we are using the same wifi network. Okay, and what else is interesting? Well, here's the scope, so with this access token you can only use the email API from Graph API, and you have permissions to use Files.Read, openid, profile, then you have permissions to read user information like my information, and you have the UPN here. And this wids, Robert, correct me if I tell something wrong, but I think this is the group membership of that user, so what groups this user is a member of. And then we have tenant region scope, which means, it doesn't mean not available, it means North America, because the tenant is in North America. So all this kind of information we have. We also have a signature, but this particular service doesn't care about that, so it doesn't show it and it doesn't even validate it, but with AADInternals you can actually try to validate that. I don't know that it works because I haven't tried that in quite a long time, so if I provide -Validate it should validate that. Is it okay? And it says that it can't verify that because there's a bug, so don't care about that. Okay, any questions about this? Yes: so when you have the scope of user_impersonation and you want to access the Microsoft Graph API, are you already owning them just by having the user_impersonation, or are you...? Yeah, there was a good question: so if the scope here is user_impersonation, can I read my email? Yes, you can, if you have
permission to do that in the back end. You can read others' too, if you have permissions in there, but user_impersonation just means that there are no limits on what you can do, like API-wise. Yeah, but as far as I know you can't get the scope user_impersonation for Microsoft Graph API, yeah, because Microsoft wants to make it more secure and that's one way to do that, and it's actually a very good way. Okay, so then let's move forward, or are there any other questions? Yes. Yes, so that's correct, so if you are using a service principal to get an access token, yeah, it's not a user, but it doesn't always have the same claims, so the claims depend on which service you are trying to access. So this is for Graph API, so it has this idtyp as user, but if that's a service principal, it could be something else, but I don't know what it is in this case. Yeah, okay.

Then a couple of words about the other type of JWT, which is JWE, or JSON Web Encryption. That is used in Azure AD to return keys and encrypted data from Azure AD, and you don't see that quite often. You see that when you are using a device that is joined and it's using that PRT to transfer data from Azure and back, and that's quite annoying if you want to see what is going on between the device and Azure AD, because those access tokens are encrypted, so you can't see them. So that's annoying, at least for me as a researcher, but there's a thing that we can do to access that, but it's a little bit different. So we have the same elements: the JOSE header, then we have the encrypted key, then we have the IV, then we have the ciphertext, and finally the authentication tag, which is just a piece of some text that is embedded to that ciphertext, so I don't know what's the usage for that, but it is there like an appendix, but you don't need it. Okay, and how do we encrypt that, or decrypt that? There's a very nice graph here of how you can do that, so I'll
just leave it here so you can familiarize yourself with that later on, so we are not going to go step by step through this. Yes, so exercise, but we actually can't do this yet because there hasn't been any title release yet, but there might be later on, so we'll see. So yeah, actually when I was studying how this works, we have the encryption algorithm, and there are a couple of options what it can be, like A256CBC or A256GCM or whatever that other one is, but regardless of what the algorithm says, Microsoft always uses this one. So even though it says GCM, I think that's the correct one, A256GCM, it still uses this one. So it was very annoying to me, because I had everything in place, I tried to decrypt that, but it didn't work, because I was trying to follow the standard and use the method that the algorithm claims. But I found this out by reverse engineering the part of the software that is encrypting this, so that's how I found that. But yeah, it was a bit annoying. I have another presentation for that, but that will take an hour, so we won't go deeper into that.

So let's move forward to the next thing, which is Azure AD authentication, sorry, Azure AD token types, and we have three different types. We have the ID token, and the standard here is OpenID Connect, and the purpose is to identify the user, and that is valid for one hour after it's used. The second one is the access token, and that is the OAuth2 standard, and it is used for user identification but also for authorization. So what is the difference between ID token and access token? The access token also contains information about what target you can access and also what you can do there, like that scope, so that you can access Graph API with this API scope. And then we have the refresh token, also OAuth2, and that is used for requesting new access tokens when they are invalidated, and there is no limit for the lifetime of the refresh token, but you need to use it every 90
days, so that's valid forever. Does this make any sense? Yeah. If you change your password or something, will it delete, will you have to re-input the password to have a new token, or is it still valid? Yeah, so if you reset your password then that invalidates the refresh token, and then you need to use whatever new password you have. You can also revoke that manually: if you're an admin you can just go and revoke the refresh token, then you need to give your username and password again. So yeah, any other questions? Okay.

So then the JWT type. So the standard we went through: the ID token and access token, they are JWS, and then the refresh token is JWE, but that is encrypted with a key only known to Microsoft, so we don't know what is inside that token actually. But we can see what is inside the access token and ID token. And can this be revoked? Well, the access token you can't, so if you have an access token and you reset your password it doesn't matter, you can still use that access token as long as it's valid. So there might be a one hour gap: even though you reset your password, you can still use that one, so you need to remember that. And same with the ID token, yeah, so it's valid even though you reset the password, you can't invalidate that. However, there is new stuff in Azure AD that is called, what is that called, CAE, thanks, continuous access evaluation, yeah, so that kind of might help you with that.

Okay, then about refresh tokens. So refresh tokens are used to acquire new access tokens and ID tokens, and the OAuth standard has some security guardrails. The first one is that the refresh token must be bound to the client it was issued to, well yeah, that doesn't work actually quite well with Azure AD. It also must be bound to the scope and resource server consented by the resource owner, which means that when you log in you will get the refresh token and that is meant for a certain
service and for a certain resource server, and if you use that refresh token to get an access token, you should only be able to do that for the same scope and for the same resource server. That usually works like that; however, the Azure AD implementation allows you to get those tokens for different scopes. Which means that, well, let's imagine that you have a refresh token for the Outlook client for, let's say, a certain service. Then you use that refresh token, so you must use the same client ID of course, because that's the Outlook client, but you can change the resource, so you can have an access token for the other tenant, for instance. So you can do that, so it doesn't work as the standard says. And then we have FOCI, which is a totally different thing, and we're going to get back to that later. Anybody heard about FOCI? Really? Okay, well, there's something new and interesting for you guys.

Okay, so then a little bit longer exercise, which you can use to get access tokens using different methods, and here I'm using AADInternals because you can choose what kind of things you are using, and when you get that access token and you dump it you can see that there is different information, for instance about what authentication methods you used. So I'm going to show examples here, and you can try that back at home, or at the same time if you want to. By the way, who of you have AADInternals installed already? One, two, a couple, yeah, so you can do this at the same time. So let's see. So the first one is ROPC, which was resource owner password credentials. So let's try that, sorry about that, just a second. So if we now dump the access token we can see that it used password, and the client ID was a bit different, so it was 1b73 or something, and that's Azure Active Directory PowerShell, so that's what AADInternals is using to get that access token. And now let's do the same in the interactive way, so I don't provide the credentials here, using
this method, I just leave it like this and hit enter. Now it opens up, so if you have MFA enabled, for instance, you can now use this, and well, you'll see, so I'm going to do MFA now, hopefully. Yeah, and now when I dump the token you can see that I used my own name here, and now when we go to AMR we can see that I used password but also MFA, so that information is stored in the access token. So if you are trying to access a service that requires MFA and you don't have it here, then you will be prompted that you need to log in again, but now because we have that MFA claim we can use this for a service that requires MFA, because the claim is here. Also we have some new information here because this user has been synchronized from on-prem AD to Azure AD: we can see the on-prem SID, for instance, so you can match this user with the on-prem user you have in your on-prem AD. And you can also see that the scope is a little bit different, so I have much more stuff here than in the previous one.

Okay, and the next one is that I use the device code authentication flow, and it says that I should go to this address here, which I'm going to do now, like this, and then I need to give this number or string. I give it here and then it asks me to authenticate myself, so I can use the one which I already had, and that's it. So that's one authentication method, so let's see how it looks now. So it's also only the same information, like I used password to log in. And the device code authentication flow is actually quite nice for phishing, because you can send the link to the user, please authenticate or log in, and the user does that, the user doesn't know what he or she was doing, he or she just logs in, and you will get the access token, and now you can do whatever the same thing that the user can do. How to block that device code authentication flow? You can't. Yeah, that's the only way. Okay, so the next one is that we try to use the refresh token to do that, and now let's see if we can get one. So actually if
i go to one of these and request to that um log in at maxonline.com i should have it here let's try so i'm just going to copy the whole response here uh and open my notepad plus plus i need to prettify this so i should have some plugins here format and here we have refresh token so when you actually log in that way you will have three tokens you have the access token you have id token and refresh token well this actually also depends on the uh service you are accessing but in this case we have the refresh token so i'm just gonna copy that so i'm gonna paste that and then i need to provide client id which was somewhere here like this and then the scope was or resource in this case and it didn't work of course it didn't work so what was wrong uh the grant is invalid which means that it didn't like my refresh token for some reason i don't know why what was that yeah that that's what i thought that it might be no it doesn't want to do that well that was my demo but it should work but we haven't you know put any more time for this now so so the next kind of uh question here no let's go here so why there are so many different methods to get access token so is there any anybody any opinions or any guesses why yeah so there are a lot of different kind of systems and different situations where is that refresh token thing is because you need to renew them every now and then and then that device code it's meant for devices that don't have like display that you can use to log in or not even a keyboard maybe so that's the reason for that why it is turned on by by default i don't know because usually you don't need to do that but it is there anyways and then you need to have that interactive flow so that you can provide in the bay because you can do that in common live so so that's why why they are so so many different ones and what token type was with return so that was actually answered already here so we got access token refresh token and id token and then also some client 
information in certain cases. But yeah, okay, so then if there are no questions we can move forward.

Okay, so the next topic is: what is inside a refresh token? That has interested me for a long time, but these kinds of things are in the background. So first of all, everything is encrypted using a public key, which is a funny way to do that, but that's how it works, at least with Microsoft, and it's decrypted using a private key, and the keys are only known to Microsoft, so you can't even get the public key anywhere. This means that we don't know what is inside an Azure AD refresh token, but we know what is inside an AD FS refresh token, and AD FS is the federation service, and Azure AD is at least partly based on the same code base, not exactly, but at least partly. So let's try to see what is inside AD FS, because that's what we know.

So here is the anatomy of the AD FS refresh token. We have the token blob, which is here in green, and then we have the signature blob, which is in red. The token blob has certain information, so we have the token set, well, we will get back to this later, but it has a lot of information. And then the signature, of course: you use the token signing private key to sign that refresh token. And here's how the refresh token, or the token blob, looks. Nice, right? And we know a couple of things here. We know that here is the hash of the certificate you use to encrypt this, and we have some size information, and then we have the encrypted key and IV blob here, and then the size of the encrypted token, and the last part of the token is the actual encrypted token, and its size varies, so it can be anything because it has claims also, so it's not always the same, but the header stuff is usually the same, well, it is always the same. So what is then inside that refresh token, the red one, when you decrypt this? We have claims, so pretty much the same thing that you have with access tokens, so
we can safely assume that this kind of information is also in the Azure AD refresh token, although we cannot be sure. So what we have: we have the client ID, we have the resource, and then we have the issuer, and then we have some more information about the actual user. I don't think that part is there, because this is Windows-related stuff, but if we look at what is inside that single sign-on token, we have this kind of information, and these are pretty much just things related to on-prem AD, so this is not in Azure AD, I assume, but this is in on-prem AD anyway. So we are going to just skip these, but if you want to see what is inside an AD FS refresh token you can come back to this. Anyway, it is safe to assume that at least this kind of information is included there, so when you use a refresh token, Azure AD knows what the client ID was, what the resource was, and also who the issuer was and who you are. So that information is probably stored in the refresh token.

Okay, then FOCI. This was actually quite interesting. I found this out by accident, then my colleague did a little more research and published a paper about this. FOCI stands for Family of Client IDs, and that is a group of Microsoft first-party applications, and there's a list in our GitHub. I think there are roughly 36 or something, so we can actually see how many there are: 33 at the moment, and this is what we know of, there might be others, but these are those clients. They have a special refresh token called the family refresh token, or FRT, and that's now the refresh token for FOCI clients, or FOCI access tokens, and the behaviour is a little bit different: you can use any FRT to get an access token for any FOCI client and resource. This is violating every OAuth standard. Basically this means that if you have a refresh token for the Teams client, you can get an access token for the Outlook client, and so on, and this makes the device code
authentication flow quite powerful, because if you use that to get, for instance, a Teams access token, you can exchange that for any other access token you want, if they are sharing the same... sorry, if they are FOCI clients. So this was like my face when I learned how that worked.

Yes, so let's do a little exercise, and I'll try to do this actually using Fiddler. Let's see how it works. Again, Michael is checking the module, okay, and there it is. Yes, so the first time you use AADInternals and you are trying to use the interactive flow, it needs to set some registry keys for it to work, so I need to restart that. Oh yeah, this is a server operating system, so I need to turn Internet Explorer Enhanced Security off. Yeah, these are the joys of live demos. There we go. Okay, so now I got an access token for Teams, so let's see how that traffic looks, the last part where you actually get the access tokens. So here is the last response, and you get an access token and a refresh token and then of course an ID token.

Now, this is the latest edition, and it was published like last week during Black Hat Asia, so I kind of re-engineered the whole cache handling. It now supports FOCI clients, which means that if you have a method or function that requires a certain FOCI client and you don't have that in the cache, it can use the refresh token to get one. So let's see how it works. I'm going to run a function that gets some recon information as an insider from your Azure AD tenant, and it is using a different client ID, but it's a FOCI client it's trying to use, so it should work because we have that. When we use verbose we can see what is actually happening there, maybe too much information, but we can go to Fiddler, and what was the last thing? Yes, so this is where we are now. I'm going to just mark that as red, and now I'm trying to find the correct place where we actually... or is that one? Yes, so
here we are actually using the refresh token of that Teams client, because we have that and we can use it. So because FOCI works as it works, we don't need to care any more whether we have the correct access token for a certain service; it's enough that we have one that is FOCI, or an FRT actually, and we can use that for other clients however we want. Now if we go further up here, to the beginning of this nice verbose output, we can see that it wanted to have an access token with this client ID for this resource, but it didn't find one, and it says okay, this is a known FOCI client, so it's trying to get one using that FOCI refresh token.

Yes, so the question is: how can we recognize a FOCI token? Does anybody have any idea? So if you are looking at the trace and zoom in a bit... oh, let's see, it doesn't work actually, why not? Okay, yes, so whenever you are getting an access token that is FOCI, there's a foci=1, so now you know that that is a FOCI client. It's quite easy to spot, actually, but the actual access token doesn't have that information; it's only when you are requesting it that the information is included, but otherwise no. By the way, if you are using AADInternals and you get an access token for a FOCI client that we don't know of, it will tell you "hey, there's a new FOCI client, please report this to us", so that we can add it to that list.

So the FOCI stuff is just important for you to understand how it works, because it can be used for bad purposes, and that's how it works. And by the way, when we asked Microsoft why it is this way, do you know why? Yeah, so it has been used as a single sign-on solution for mobile phones, that's why it is like this, but you don't need that any more because you have PRTs, for instance. But it is still there, I don't know why, it might go away, maybe.

Yeah, so some attack scenarios. We have the phishing stuff, so you might have man-in-the-middle or
adversary-in-the-middle attacks, or you can use device code, or then you can steal the token, you can do token theft, so you can steal a token from a browser or you can use a PRT, and I'm going to demonstrate this to you actually. Then you can also spoof the proof of identity, so you can use the so-called golden SAML attack: if you are able to create a SAML token you can exchange that for an access token. Also, if you have the thing called seamless single sign-on configured, you can use so-called silver tickets, Kerberos silver tickets, and you can exchange those for access tokens. And then if you have the device certificate, I mean the computer that is joined to Azure AD, and you can get your hands on that certificate, you can get your own PRT, and with that you can again get any access token you want. So do you want to see a demo about this? Yes. Some attack scenarios, okay, so let's do that then.

So let's start. We need to prepare something first, so we have Fiddler here. What we're going to do is join a device to Azure AD, and I'm going to show you how you can monitor the traffic between that device and Azure AD all the time, even before it's joined, so that you can see what is happening. For that purpose we actually created a plugin, and that is available in GitHub, the Secureworks GitHub, and we have a plugin for both Fiddler and also for Burp Suite, and the Burp one is a bit nicer, because Fiddler is, well, it's Fiddler, so it's not that nice. But I'm going to copy these, and they need to be copied where, actually? Yeah, so it's AppData\Local\Programs\Fiddler\Inspectors, so I'm going to paste those DLLs here. Now when we start Fiddler it should have those in place. Let's see: if I select something and change to the Inspectors, now we have a new tab for PRT, and the same here, and also the AT one for access tokens, but we can't use those yet because we don't have any data. Problems? Okay, now I move to the
Windows 10 box. I'm going to join it to Azure AD, which is right here. First things first, so the next thing is that I want to configure this computer to use that other server as a proxy, so that we can see all the traffic. There's a function for that in AADInternals, it's called Set-AADIntProxySettings, and we're going to provide a proxy address, I need to copy that because I can't remember it, and it's port 8888, and then I provide a switch called TrustFiddler. You can also use TrustBurp if you are using Burp Suite, but this will set all the possible proxy settings I could find in Windows, and then it also automatically trusts the Fiddler root certificate, so that it actually works. Okay... wow, ah, yeah, do you know why? I'm not an admin. Robert, could you disable this checking of AADInternals every time? I know, yes. And now, even when the system is trying to use something, everything goes through my Fiddler now. So now let's try to join this to Azure AD, or do we need to reboot this? Maybe I'll just reboot this first, and let's just hope it's not going to instantly update, because then we're going to be here until 3pm. Okay, so we go to Settings, we go to Accounts, we go to Access work or school, and then Connect, but because we want to join, not register, we need to click here, down here, "Join this device to Azure Active Directory". So don't type here, because that will register it, and that's a different thing. So we join, and "are you sure about this?" Yes we are, and done. So now it's connected, and now we need to restart this again so that we can then log in as that user. Now we change to the other user. Now if we change to Fiddler we can see that there's a lot of traffic going on there: we can see login.microsoftonline.com and so on and so on. And actually you might want to filter things in Fiddler, so that you don't see everything like every JavaScript or whatever; you can just filter that out, and get rid of any images, you don't need those either. This could actually take a while when you
first use Fiddler, perhaps, because you don't want to see everything; there are still some image files. So we are now logged in here, so let's try to see some stuff. Yeah, so I tried to find a line with get key data, so let's see what we have inside here. Here we can see some token traffic going on: you can see refresh tokens, and then we can see a thing called session key JWE, and that is used to encrypt and decrypt stuff. I'm going to show you how that works in a second, but before going there, for instance, what we see here is that you are asking for an access token and what you get back is just a JSON blob. Let me get it to you, let's put it in, okay, like here, and now when I search for a dot I'm going to replace that with dot and Enter. So we can see that we asked for an access token and what we got back was actually a JWE, so encrypted stuff, and if I open this one here we can see what's inside. We can see that, well, it's lying to us that it is using GCM, it is using CBC, but anyway we can see that this is a JWE and the content of that is encrypted. So we can't see the access token, and that's because the device is using the PRT to get that. So let's see if there's something that we can do about that.

I will go to the device now, and because this is a virtual server, a virtual computer, I don't have a TPM, which means that I can actually export the keys of this device. So I can export the device... what is it, transport key, but whatever, we'll see. I'll start PowerShell here as an admin, local admin, to do this. Oh, let's try again. I like to use the ISE because I can tune the font so it's easy for you to read. So what I'm actually doing here, well, two things: first of all I can steal this device identity, but now I just want to get the key so that I can decrypt the traffic. So I export the certificate, like that, and then the transport key, which is the most important one. So now I'm just going to copy this, and copy that to the
server where we are running Fiddler. I'm going to put it here on the desktop, that's a good place for your keys, right? So I'm going to go to this get key data, and I'm going to switch to PRT, and now it is asking which transport key I want to use, and I want to use the one that we stored on the desktop, right, like that. Then when I change to whatever request has the session key, like here, well, I'll show you: we have this session key JWE, so this again encrypts that stuff, but now that I have the key I can decrypt that, and this is what the tool automatically does. It shows that okay, I found this decrypted session key, so if you want to use that just click Use, and I'm doing that. Now I am going to see these other requests that are encrypted, and as I have that session key I can now decrypt them. For instance, I change to this one, and now, without this, it would look like that JSON stuff, like here; here's the encrypted part, and now the tool can automatically decrypt that, so we can see what access token you actually have here, and we can see that it's FOCI again: we get a refresh token and we have access tokens and so on. So this way you can now start to learn what actually happens between the device and Azure AD.

So yeah, that was the first demo related to that, but now there's the question, sorry: would you be able to detect that kind of session, do you have anything, or can you detect that? So you can't detect that, because that's a legitimate way to do stuff; from the Azure AD point of view it's just another normal request. Right, yeah.

Okay, then I will start another session of PowerShell, and now I'm not an admin, I'm just a regular user, and I'm running this command now as a user, and because I'm logged in to a computer that is Azure AD joined, I can get my... well, even though this would be using a TPM I couldn't get my hands on the PRT, but because of how Windows
works with an Azure AD joined computer, you can ask Windows to give you the PRT. So we can do that. Let's try: I can just ask for a PRT token and it will give it to me, because that's how Windows works. I'm using the same method here that, for instance, Outlook uses to get a new access token. So if you are able to compromise an end-user computer, you can just ask for the PRT like this and then you can use that to get access tokens. Here's an example, like this, well actually let's use PRT here, that's nicer. Now when we dump this we can see something interesting: when we go to amr we can see that there's pwd and rsa, and the rsa means that I used the PRT to get that. If I had used MFA when I logged in or joined this computer to Azure AD, the MFA would be here too, so you would have an mfa claim. So this is an easy way to steal the token. Let's try this another way, let's see if it works: I copied the PRT to the clipboard and I'm going to use that from the other computer now, and it seemed to work, so let's just copy that, and I was able to use it. So this is stealing tokens, this is the fun stuff.

We still have a bit of time, so I'll try to show you something I can't remember by heart, but let's see, we can do this together. I have that key already, so I'm just going to copy also the certificate to that server, like here. When you have the certificate and you have the transport key, you have actually just stolen the identity of that device, which means that you can get your own PRT using that as another user. Sounds weird, right? Let's see how this goes. Now I need to remember the commands. Yeah, that was it, yes. So what I need now is that I'm going to get a PRT key, so it has certain cryptographic material, and I can do that because I have both the device certificate and the transport key, and I can get this for other users. So I used that post theoma, but now I'm going to use some other user. That's nice,
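The following is an added example from the editor, not part of the speaker's demo and not AADInternals code. It is a small Python inspector for the artifacts discussed above: it tells a signed JWS (three dot-separated parts) from an encrypted JWE (five parts, like the session-key-protected responses seen in Fiddler), decodes an access token's claims without verifying the signature (inspection only, never authorization), reports what the amr claim says (pwd for password, mfa for MFA, rsa for a PRT-derived token) and whether an onprem_sid is present, and checks a token response for foci=1 and which of the access, refresh and ID tokens it carries. The sample token and token response are constructed inline; amr and onprem_sid are the documented Azure AD claim names, while every value, including the issuer GUID and SID, is a placeholder.

```python
"""Inspect Azure AD style tokens captured from a trace (editor's added example).

Constructed sample data only; nothing here talks to Azure AD, and no signature
is verified: this reads what a token says, it does not decide whether to trust it.
"""
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JOSE strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_jose(token: str) -> str:
    """A signed token (JWS) has 3 dot-separated parts; an encrypted one (JWE) has 5.
    PRT-based responses come back as JWE, i.e. unreadable without the session key."""
    parts = token.count(".") + 1
    if parts == 3:
        return "JWS"
    if parts == 5:
        return "JWE"
    raise ValueError(f"not a JOSE compact serialization ({parts} parts)")


def decode_jws(token: str) -> dict:
    """Decode header and payload of a JWS WITHOUT checking the signature."""
    if classify_jose(token) != "JWS":
        raise ValueError("encrypted token: decrypt it with the session key first")
    header_b64, payload_b64, _signature = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "payload": json.loads(_b64url_decode(payload_b64)),
    }


def summarize_auth(payload: dict) -> dict:
    """Read the amr claim: pwd = password, mfa = MFA was done, rsa = obtained via PRT."""
    amr = set(payload.get("amr", []))
    return {
        "password": "pwd" in amr,
        "mfa": "mfa" in amr,
        "via_prt": "rsa" in amr,
        "synced_from_onprem": "onprem_sid" in payload,
    }


def summarize_token_response(response: dict) -> dict:
    """Which token types came back, and whether the response flags a FOCI client (foci=1)."""
    present = [k for k in ("access_token", "refresh_token", "id_token") if k in response]
    return {"tokens": present, "foci": str(response.get("foci", "0")) == "1"}


# Constructed sample: a password+MFA access token for a user synced from on-prem AD.
# Claim names (amr, onprem_sid) are the documented Azure AD ones; all values are made up.
SAMPLE_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "amr": ["pwd", "mfa"],
    "onprem_sid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "scp": "User.Read Mail.Read",
}
SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    _b64url_encode(b"not-a-real-signature"),
])

# Constructed token response shaped like what a FOCI client receives.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "scope": SAMPLE_PAYLOAD["scp"],
    "foci": "1",
    "access_token": SAMPLE_ACCESS_TOKEN,
    "refresh_token": "0.constructed-refresh-token",
    "id_token": SAMPLE_ACCESS_TOKEN,  # placeholder; a real id_token carries its own claims
}


def inspect(response: dict) -> dict:
    """One-shot summary to run over a captured token response."""
    kind = classify_jose(response["access_token"])
    auth = None
    if kind == "JWS":
        auth = summarize_auth(decode_jws(response["access_token"])["payload"])
    return {"access_token_kind": kind, "auth": auth, **summarize_token_response(response)}


if __name__ == "__main__":
    print(json.dumps(inspect(SAMPLE_TOKEN_RESPONSE), indent=2))
```

Run it against a response copied out of Fiddler by replacing SAMPLE_TOKEN_RESPONSE with the parsed JSON; a JWE access token means the PRT session key is needed before the claims can be read, and an amr containing rsa without mfa is the signature of the PRT-derived token shown in the demo.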
okay, so this thing is in Finnish, so it wants me to use MFA, but I've configured this in a way that you can actually do that, so I can show you the demo. But anyway, after getting those PRT keys, the access tokens that I would get with that PRT would have the device ID, but because I logged in as another user, they would be for another user. Anyway, if you're able to steal the device identity and this way get access tokens, Azure AD thinks that you are using that device, which you are not using; you only have that certificate and key, so you kind of stole the identity and you can pretend to be that device. If that device is compliant, then for all the access tokens you get with that PRT, Azure AD thinks that you are using a compliant device, even though you are not.

Okay, so I showed you the device code stuff, the PRT, how you can use that if you're just a normal user: you can ask Windows to give me the PRT, because that's how it works. And then I showed you how you can, if you want to, see what is happening between the Azure AD joined device and Azure AD with those keys. But that was all I had planned for today, so if you have any questions you are free to ask, and I'll be around here, so if you want to ask offline that's also okay. Any questions now? No? Okay, thank you.

All right, so we're back. Thank you so much for attending this reverse engineering workshop on the Go language. My name is Ivan Kwiatkowski and I work for Kaspersky. I'm a reverse engineer slash cybersecurity researcher, and the daily job that I do is I investigate APT cases and write reports on what we see and the types of attacks that, yeah, are out there. So of course, in my job, Go is not something I've never seen before. For me it goes back a long time, well, a few years ago now; back then many people thought that Go was going to be the number one language for malware in the future, and so on. There were kind of good reasons to think it might become
more popular. I think it might not have been the case, but still it's something we see occasionally from time to time, and so you can never rule out finding yourself in a situation where eventually you will have to reverse engineer something that has been written in Go, and as such it's kind of a good idea to at least have some general idea of how to approach such binaries. Now usually, when you encounter a new language, if you're familiar with reverse engineering C programs or C++ programs, you can kind of figure out where to go from there; this experience usually translates pretty well to other languages. If you know C reversing, Delphi is probably not going to be too difficult; C++, Rust, most likely you'll be able to get into it. But Go tends to be sort of its own thing, and so I have noticed that among my peers, direct co-workers, and even further in the industry, a lot of people were sort of scared, that might not be the correct word, but people were kind of reluctant to look into programs written in Go. They would be like, okay, I have this new malware, it's written in Go, so maybe I will look at it later when I have some time, and so they just put it away and never have to look at it ever again. I mean, I understand this, because having to look at Go really means, I think, acquiring some sort of new skills, but at the same time I promise you that Go turns out to be a language that I think is fairly easy to reverse engineer, and in fact much more enjoyable than languages like C++, in my opinion. I mean, we will be able to talk about this in a little bit, but although the entry ticket is a little bit expensive when it comes to Go, because you have to learn new things that you might not have learned before or that you might not be aware of, as soon as you get this entry-level knowledge about the language and about the way that the compiler sorts things out in
binaries, then I think you'll probably do very fine.

So let us talk a little bit about this workshop. What we're going to do is talk first of all about the theory, and then it's going to be mostly practical tutorials. Usually when I work on a new language I don't really like to look into the syntax or the specifics of it, and the reason for this is that there are so many languages out there that you really don't need, slash want, to become an expert in all of them, and most of the time, as I mentioned earlier, you really don't need to anyway. Like, if you get a program written in, I don't know, whatever new compiled language out there, odds are that if you just look at it, and either decompile it or look at the assembly, if you know C or C++ you will be able to figure things out. So you don't have to learn the syntax of that programming language, you don't have to think about the programming concepts, because at the end of the day they're always going to be traditional OOP or stuff like this. But I have to admit that Go turns out to be different enough from other languages that we won't really be able to escape this. So one of the first things that we will be doing in this tutorial is that we will look at simple Go programs and we will study the generated code. This is actually a general methodology that I tend to use whenever I want to go into a new programming language, or reverse engineer a new programming language: I just generate some hello worlds, modify them a little bit, and then figure out exactly how the source code translates into the binary.

So, a little bit about Go, maybe, why is that important? Well, we thought it would become more and more used by malware authors. I think it's somewhat true, also somewhat not true. Two days ago, maybe three days ago now, I think there was an article, it was a blog post, I don't recall exactly who wrote it, but
it was about a Kimsuky malware, something whose name I don't recall exactly, but this group actually developed a Go equivalent of their main malware family. Actually, I was really thinking of using this one for this tutorial, because it's something quite new, but unfortunately it's protected, so it's kind of not suitable for what we want to be doing there. But I mean, Go tends to show up here and there, but it's not really prevalent, or not as prevalent as we thought it would be initially. One of the reasons