Gerenios / AADInternals

AADInternals PowerShell module for administering Azure AD and Office 365
http://aadinternals.com/aadinternals
MIT License

AzureHound error "Primary refresh token is not signed with session key" #42

Closed CravateRouge closed 1 year ago

CravateRouge commented 1 year ago

When trying to use a PRT generated using AADInternals for azurehound I have the following error:

$rh = (Read-AADIntAccesstoken (Get-AADIntUserPRTToken)).refresh_token
.\azurehound.exe -r $rh list tenants --tenant "mytenant.com"
AzureHound v1.2.0
Created by the BloodHound Enterprise team - https://bloodhoundenterprise.io

2022-10-15T17:58:01+02:00 ERR encountered unrecoverable error error="Error: map[correlation_id:f754d2bb-1f63-4b6f-bf6e-d09b6ff0af34 error:invalid_grant error_codes:[7.000016e+06] error_description:AADSTS7000016: Primary refresh token is not signed with session key.\r\nTrace ID: 7f1d1d28-807d-41c2-9807-d7f3c97f1500\r\nCorrelation ID: f754d2bb-1f63-4b6f-bf6e-d09b6ff0af34\r\nTimestamp: 2022-10-15 15:58:01Z timestamp:2022-10-15 15:58:01Z trace_id:7f1d1d28-807d-41c2-9807-d7f3c97f1500]"

Which I don't have if I use MSAL.PS:

Get-MsalToken -ClientId 1950a258-227b-4e31-a9cf-717495945fc2
Enable-MsalTokenCacheOnDisk (Get-MsalClientApplication)
$cache_bin = [System.Security.Cryptography.ProtectedData]::Unprotect([System.IO.File]::ReadAllBytes("MSAL.PS.msalcache.bin3"), $null, 0)
$cache_json = ConvertFrom-Json ([System.Text.Encoding]::ASCII.GetString($cache_bin))
$rh = $cache_json.RefreshToken.'[SOME ID]'.secret

.\azurehound.exe -r $rh list tenants --tenant "mytenant.com"
AzureHound v1.2.0
Created by the BloodHound Enterprise team - https://bloodhoundenterprise.io

2022-10-15T18:19:05+02:00 INF finished listing all tenants count=3

What's the difference between how the PRTs are requested, such that one is signed and the other isn't?

NestoriSyynimaa commented 1 year ago

I'm not sure, but I think that azurehound is not using PRTs but regular refresh tokens. A PRT is only used to get access/refresh tokens. You should try something like this. If Get-AADIntAccessToken is provided -IncludeRefreshToken $true, it will return an array where the last (index 1) token is the refresh token:

$rt = (Get-AADIntAccessToken -ClientId "1950a258-227b-4e31-a9cf-717495945fc2" -Resource "https://graph.microsoft.com" -PRTToken (Get-AADIntUserPRTToken) -IncludeRefreshToken $true)[1]
.\azurehound.exe -r $rt list tenants --tenant "mytenant.com"

CravateRouge commented 1 year ago

Thank you, it's working perfectly!!