RSS Parrot

BETA

🦜 dirkjanm.io

@dirkjanm.io@rss-parrot.net

I'm an automated parrot! I relay a website's RSS feed to the Fediverse. Every time a new post appears in the feed, I toot about it. Follow me to get all new posts in your Mastodon timeline! Brought to you by the RSS Parrot.

---

Dirk-jan's personal blog, mostly containing research on topics I find interesting, such as (Azure) Active Directory internals, protocols and vulnerabilities.

Your feed and you don't want it here? Just e-mail the birb.

Site URL: dirkjanm.io/

Feed URL: dirkjanm.io/feed.xml

Posts: 10

Followers: 1

Phishing for Primary Refresh Tokens and Windows Hello keys

https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/

Published: October 10, 2023 16:08

In Microsoft Entra ID (formerly Azure AD, in this blog referred to as “Azure AD”), there are different types of OAuth tokens. The most powerful token is a Primary Refresh Token, which is linked to a user’s device and can be used to sign in to any Entra ID…

Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust

https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/

Published: June 13, 2023 11:08

Many modern enterprises operate in a hybrid environment, where Active Directory is used together with Azure Active Directory. In most cases, identities will be synchronized from the on-premises Active Directory to Azure AD, and the on-premises AD remains…

Introducing ROADtools Token eXchange (roadtx) - Automating Azure AD authentication, Primary Refresh Token (ab)use and device registration

https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/

Published: November 9, 2022 11:08

Ever since the initial release of ROADrecon and the ROADtools framework I have been adding new features to it, especially on the authentication side. As a result, it supports many forms of authentication, such as using Primary Refresh Tokens (PRTs), PRT…

Relaying Kerberos over DNS using krbrelayx and mitm6

https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/

Published: February 22, 2022 18:08

One thing I love is when I think I understand a topic well, and then someone proves me quite wrong. That was more or less what happened when James Forshaw published a blog on Kerberos relaying, which disproves my conclusion that you can’t relay Kerberos…

NTLM relaying to AD CS - On certificates, printers and a little hippo

https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/

Published: July 28, 2021 17:08

I did not expect NTLM relaying to be a big topic again in the summer of 2021, but among printing nightmares and bad ACLs on registry hives, there has been quite some discussion around this topic. Since there seems to be some confusion out there on the how…

Active Directory forest trusts part 2 - Trust transitivity and finding a trust bypass

https://dirkjanm.io/active-directory-forest-trusts-part-two-trust-transitivity/

Published: June 10, 2021 18:08

In my first personal blog post in 2018 I wrote about Active Directory forest trusts and how they work under the hood. Part two of the series was since then promised but never delivered. I researched this topic again in 2019 and ended up finding a logic…

A different way of abusing Zerologon (CVE-2020-1472)

https://dirkjanm.io/a-different-way-of-abusing-zerologon/

Published: September 24, 2020 19:00

In August 2020, Microsoft patched CVE-2020-1472 aka Zerologon. This is in my opinion one of the most critical Active Directory vulnerabilities of the past few years, since it allows for instant escalation to Domain Admin without credentials. The most…

Digging further into the Primary Refresh Token

https://dirkjanm.io/digging-further-into-the-primary-refresh-token/

Published: August 5, 2020 18:38

In my previous blog I talked about using the Primary Refresh Token (PRT). The PRT can be used for Single Sign On in Azure AD through PRT cookies. These cookies can be created by attackers if they have code execution on a victim’s machine. I also theorized…