Skip to content

f-bader/TokenTacticsV2

BranchesTags

Repository files navigation

  ______      __                 __             __  _                     ___ 
 /_  __/___  / /_____  ____     / /_____ ______/ /_(_)_________   _   __ |__ \
  / / / __ \/ //_/ _ \/ __ \   / __/ __ `/ ___/ __/ / ___/ ___/  | | / / __/ /
 / / / /_/ / ,< /  __/ / / /  / /_/ /_/ / /__/ /_/ / /__(__  )   | |/ / / __/ 
/_/  \____/_/|_|\___/_/ /_/   \__/\__,_/\___/\__/_/\___/____/    |___(_)____/

TokenTactics v2

This is an updated version of TokenTactics originally written by Stephan Borosh @rvrsh3ll & Bobby Cooke @0xBoku.

Azure JSON Web Token ("JWT") Manipulation Toolset

Azure access tokens allow you to authenticate to certain endpoints as a user who signs in with a device code. If you are in possesion of a FOCI (Family of Client IDs) capable refresh token you can use it to get access tokens to all known FOCI capable endpoints. Since the refresh-token also contains the information if the user has done multi-factor authentication you can use this. Once you have a user's access token, it may be possible to access certain apps such as Outlook, SharePoint, OneDrive, MSTeams and more.

For instance, if you have a Graph or MSGraph refresh token, you can then connect to Azure and dump users, groups, etc. You could then, depending on conditional access policies, switch to an Azure Core Management token and run AzureHound. Then, get an Outlook access token and read/send emails or MS Teams and read/send teams messages!

For more on Azure token types Microsoft identity platform access tokens

There are some example requests to endpoints in the resources folder. There is also an example phishing template for device code phishing.

You may also use these tokens with AAD Internals as well. We strongly recommended to check this amazing tool out.

Installation and Usage

Import-Module .\TokenTactics.psd1
Get-Help Get-EntraIDToken
Invoke-RefreshToSubstrateToken -Domain "myclient.org"

Get refresh token using Device Code flow

Get-EntraIDToken -Client MSGraph

Once the user has logged in, you'll be presented with the JWT and it will be saved in the $response variable. To access the access token use $response.access_token from your PowerShell window to display the token. You may also display the refresh token with $response.refresh_token. Hint: You'll want the refresh token to keep refreshing to new tokens!

DOD/Mil Device Code

Get-EntraIDToken -Client DODMSGraph

Sign-in using a passkey

Important

This feature was introduced in v0.2.20 and required PowerShell 7.0

If you have created a passkey in a third party provider like KeePassXC, Bitwarden, 1Password, or similar you can export the private key material.

Caution

Exporting you private key material is extremely dangerous. Make sure you understand the risk before your move on.

The KeePassXC passkey file format is natively supported and you can point the cmdlet to the file directly. The initial sign-in procedure will only get the required ESTSAUTH cookie and you have to use Get-EntraIDTokenFromESTSCookie to exchange this cookie for a bearer token (access token, refresh token, and id token).

# Retrieve the ESTSAUTH cookie value
Invoke-EntraIDPasskeyLogin -Verbose -KeyFilePath "C:\Users\Fabian\Microsoft.passkey"
# Exchange the ESTSAUTH cookie for bearer tokens
Get-EntraIDTokenFromESTSCookie -CookieValue $Global:ESTSAUTH

If you have an unsupported file format you can specify the required values manually and achieve the same goal.

Invoke-EntraIDPasskeyLogin -Verbose -UserPrincipalName "myUserName@example.com" -UserHandle "XYZ" -CredentialId "9e9c8297-0cde-4726-8852-16c141e15bd3" -PrivateKey $PrivateKey
Get-EntraIDTokenFromESTSCookie -CookieValue $Global:ESTSAUTH

Get a Refresh Token from ESTSAuth* Cookie

Get-EntraIDTokenFromESTSCookie -ESTSAuthCookie "0.AbcApTk..."

This module uses authorization code flow to obtain an access token and refresh token using ESTSAuth (or ESTSAuthPersistent) cookie. Useful if you have phished a session via Evilginx or have otherwise obtained this cookie.

Be sure to use the right cookie! ESTSAuthPersistent is only useful when a CA policy actually grants a persistent session. Otherwise, you should use ESTSAuth. You can usually tell which one to use based on length, the longer cookie is the one you want to use :)

Note: This may not work in all cases as it may require user interaction. If this is the case, either use the Device Code flow above, or try roadtx interactiveauth --estscookie

This feature was backported from the pull request by rotarydrone in the original repo.

Get a refresh token using the authorization code flow

One of the most prominent example for this oauth2 flow (at least at the beginning on 2025) is the Intune Company Portal which allows, for some resources, to bypass device compliance requirements.

This intel was first published by @dirkjan and then released at Black Hat Europe to a wider audience by @TEMP43487580

JumpsecLabs published a blog article and a POC in form of TokenSmith shortly after.

Now the same capabilities are available in TokenTacticsV2.

Get-AzureAuthorizationCode will create a URL you can then use to authenticate to.

Get-EntraIDTokenFromAuthorizationCode uses wither the full URL or can be used with the parameters AuthorizationCode and RedirectUrl to exchange the auth code to an access and refresh token. After that you can try to get access to other resources as always.

How to use the new cmdlets

Refresh to new access token

If you do not specify a refresh token the cmdlets will use $response.refresh_token as a default.

Invoke-RefreshToOutlookToken -domain "myclient.org"

$OutlookToken.access_token

Connect to AzureAD using access token

Connect-AzureAD -AadAccessToken $response.access_token -AccountId user@myclient.org

Connect to MgGraph using access token

Invoke-RefreshToMSGraphToken -Domain "myclient.org"
Connect-MgGraph -AccessToken $MSGraphToken.access_token -Scopes "User.Read.All","Group.ReadWrite.All"

Clear tokens

This will remove any token variables.

Clear-Token -Token All

Continuous Access Evaluation

With continuous access evaluation Microsoft implements additional security measures, but also extend the maximum lifetime of an access token to 24 hours. Certain CAE capable service like MSGraph, Exchange, Teams and SharePoint can blocke access tokens based on certain events triggered by Azure AD. Currently those critical events are:

  • User Account is deleted or disabled
  • Password for a user is changed or reset
  • Multi-factor authentication is enabled for the user
  • Administrator explicitly revokes all refresh tokens for a user
  • High user risk detected by Azure AD Identity Protection (not in Teams and SharePoint Online)
Invoke-RefreshToMSGraphToken -Domain "myclient.org" -UseCAE
if ((Parse-JWTtoken $MSGraphToken.access_token).ValidForHours -gt 23) { "MSGraph token is CAE capable" }

Use with AAD Internals

If you have AADInternals installed as well you can use the created access tokens.

Invoke-RefreshToMSTeamsToken -UseCAE -Domain "myclient.org"
Set-AADIntTeamsStatusMessage -Message "My cool status message" -AccessToken $MSTeamsToken.access_token -Verbose

Commands

Get-Command -Module TokenTactics

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Alias           Forge-UserAgent                                    0.2.20     TokenTactics
Alias           Get-AzureAuthorizationCode                         0.2.20     TokenTactics
Alias           Get-AzureToken                                     0.2.20     TokenTactics
Alias           Get-AzureTokenFromAuthorizationCode                0.2.20     TokenTactics
Alias           Get-AzureTokenFromCookie                           0.2.20     TokenTactics
Alias           Get-AzureTokenFromESTSCookie                       0.2.20     TokenTactics
Alias           Get-AzureTokenFromRefreshTokenCredentialCookie     0.2.20     TokenTactics
Alias           Parse-JWTtoken                                     0.2.20     TokenTactics
Alias           RefreshTo-AzureCoreManagementToken                 0.2.20     TokenTactics
Alias           RefreshTo-AzureKeyVaultToken                       0.2.20     TokenTactics
Alias           RefreshTo-AzureManagementToken                     0.2.20     TokenTactics
Alias           RefreshTo-AzureStorageToken                        0.2.20     TokenTactics
Alias           RefreshTo-DeviceRegistrationToken                  0.2.20     TokenTactics
Alias           RefreshTo-DODMSGraphToken                          0.2.20     TokenTactics
Alias           RefreshTo-GraphToken                               0.2.20     TokenTactics
Alias           RefreshTo-MAMToken                                 0.2.20     TokenTactics
Alias           RefreshTo-MSGraphToken                             0.2.20     TokenTactics
Alias           RefreshTo-MSManageToken                            0.2.20     TokenTactics
Alias           RefreshTo-MSTeamsToken                             0.2.20     TokenTactics
Alias           RefreshTo-OfficeAppsToken                          0.2.20     TokenTactics
Alias           RefreshTo-OfficeManagementToken                    0.2.20     TokenTactics
Alias           RefreshTo-OneDriveToken                            0.2.20     TokenTactics
Alias           RefreshTo-OutlookToken                             0.2.20     TokenTactics
Alias           RefreshTo-SharePointToken                          0.2.20     TokenTactics
Alias           RefreshTo-SubstrateToken                           0.2.20     TokenTactics
Alias           RefreshTo-YammerToken                              0.2.20     TokenTactics
Function        Clear-Token                                        0.2.20     TokenTactics
Function        ConvertFrom-JWTtoken                               0.2.20     TokenTactics
Function        ConvertTo-Base64Url                                0.2.20     TokenTactics
Function        ConvertTo-PEMPrivateKey                            0.2.20     TokenTactics
Function        ConvertTo-URLParameters                            0.2.20     TokenTactics
Function        Get-EntraIDAuthorizationCode                       0.2.20     TokenTactics
Function        Get-EntraIDToken                                   0.2.20     TokenTactics
Function        Get-EntraIDTokenFromAuthorizationCode              0.2.20     TokenTactics
Function        Get-EntraIDTokenFromCookie                         0.2.20     TokenTactics
Function        Get-EntraIDTokenFromESTSCookie                     0.2.20     TokenTactics
Function        Get-EntraIDTokenFromRefreshTokenCredentialCookie   0.2.20     TokenTactics
Function        Get-ForgedUserAgent                                0.2.20     TokenTactics
Function        Get-TenantID                                       0.2.20     TokenTactics
Function        Get-TTCodeChallenge                                0.2.20     TokenTactics
Function        Get-TTCodeVerifier                                 0.2.20     TokenTactics
Function        Invoke-EntraErrorHandling                          0.2.20     TokenTactics
Function        Invoke-EntraIDPasskeyLogin                         0.2.20     TokenTactics
Function        Invoke-RefreshToAzureCoreManagementToken           0.2.20     TokenTactics
Function        Invoke-RefreshToAzureKeyVaultToken                 0.2.20     TokenTactics
Function        Invoke-RefreshToAzureManagementToken               0.2.20     TokenTactics
Function        Invoke-RefreshToAzureStorageToken                  0.2.20     TokenTactics
Function        Invoke-RefreshToDeviceRegistrationToken            0.2.20     TokenTactics
Function        Invoke-RefreshToDODMSGraphToken                    0.2.20     TokenTactics
Function        Invoke-RefreshToGraphToken                         0.2.20     TokenTactics
Function        Invoke-RefreshToMAMToken                           0.2.20     TokenTactics
Function        Invoke-RefreshToMSGraphToken                       0.2.20     TokenTactics
Function        Invoke-RefreshToMSManageToken                      0.2.20     TokenTactics
Function        Invoke-RefreshToMSTeamsToken                       0.2.20     TokenTactics
Function        Invoke-RefreshToOfficeAppsToken                    0.2.20     TokenTactics
Function        Invoke-RefreshToOfficeManagementToken              0.2.20     TokenTactics
Function        Invoke-RefreshToOneDriveToken                      0.2.20     TokenTactics
Function        Invoke-RefreshToOutlookToken                       0.2.20     TokenTactics
Function        Invoke-RefreshToSharePointToken                    0.2.20     TokenTactics
Function        Invoke-RefreshToSubstrateToken                     0.2.20     TokenTactics
Function        Invoke-RefreshToToken                              0.2.20     TokenTactics
Function        Invoke-RefreshToYammerToken                        0.2.20     TokenTactics
Function        New-FidoAuthenticatorData                          0.2.20     TokenTactics
Function        New-FidoSignature                                  0.2.20     TokenTactics

Authors and contributors

  • @rvrsh3ll Author of TokenTactics (original)
  • @0xBoku co-author of TokenTactics (original) and researcher.
  • @f-bader updated TokenTactics to support V2 endpoint and additional features like CAE. Maintainer of TokenTacticsV2
  • @Pri3st added functions to fetch Storage and Key Vault access tokens and a custom user agent

TokenTactic's methods are highly influenced by the great research of Dr Nestori Syynimaa at https://o365blog.com/.

Changelog

0.2.20 (2026-01-01)

  • Renamed all Get-Azure cmdlets to Get-EntraID
  • Add aliases for backwards compatibility
  • Add improved error handling for ConvergedSignIn interrupts
  • Add Invoke-EntraIDPasskeyLogin to automate Passkey sign-in flows. This will save the ESTSAUTH cookie and websession as global variables for reuse in other cmdlets like Get-EntraIDTokenFromESTSCookie
  • Add proxy support for Invoke-EntraIDPasskeyLogin, Get-EntraIDTokenFromCookie, Get-EntraIDTokenFromRefreshTokenCredentialCookie and Get-EntraIDTokenFromESTSCookie

0.2.14 (2025-09-11)

  • Add parameter -Username to prefill the login_hint parameter in cmdlet Get-AzureAuthorizationCode
  • Add parameter -CopyToClipboard in cmdlet Get-AzureAuthorizationCode

0.2.13 (2025-07-29)

  • Fix for Custom User Agent parameter

0.2.12 (2025-06-22)

  • Add awareness for current runspace and minimize output if run as PSTask (e.g. if run in Foreach-Object -parallel)

0.2.11 (2025-06-08)

  • Add the ability to freely define any UserAgent using the new -CustomUserAgent property. Thanks to Pri3st

0.2.10 (2025-02-25)

  • Bugfix: Wrong type initialization

0.2.9 (2025-02-17)

  • Add ResourceTenant for Get-EntraIDToken to support B2B device code phishing
  • Switch out Azure Management client id
  • Add UseCodeVerifier to support Proof Key for Code Exchange (PKCE)
  • Add UseV1Endpoint to some functions to support a broader variety of endpoint tests

0.2.8 (2025-01-18)

  • Add Get-AzureTokenFromRefreshTokenCredentialCookie ("x-ms-RefreshTokenCredential") and add modularized Get-AzureTokenFromCookie
  • Add parameter to choose cookie type (ESTSAuth, ESTSAUTHPERSISTENT) to Get-AzureTokenFromESTSCookie
  • Add sample output for Get-AzureTokenFromAuthorizationCode to Get-AzureAuthorizationCode output
  • Improved output and more verbose error handling

0.2.7 (2025-01-08)

  • Expand Get-AzureTokenFromESTSCookie to support the appverify endpoint
  • Improve cookie management of Get-AzureTokenFromESTSCookie

0.2.6 (2025-01-04)

  • Fix bug custom scopes in Get-AzureAuthorizationCode and Get-AzureTokenFromAuthorizationCode
  • Change default redirect Uri for Get-AzureAuthorizationCode

0.2.5 (2025-01-04)

  • Added new cmdlets Get-AzureAuthorizationCode and Get-AzureTokenFromAuthorizationCode
    Those cmdlets are heavily inspired by TokenSmith maintained by @gladstomych
  • Added new cmdlet Invoke-RefreshToDeviceRegistrationToken which is a TokenTactics version of the AADInternals cmdlet Get-AccessTokenForAADJoin
  • Added v1 endpoint support for Invoke-RefreshToToken with the UseV1Endpoint. This was required to add Invoke-RefreshToDeviceRegistrationToken
  • Added pipeline support for ConvertFrom-JWTtoken
  • Add default values to Get-ForgedUserAgent

0.2.1 (2023-07-21)

  • Support for Linux as a device platform
  • Support for OS/2 as a device platform 😁

0.2.2 (2023-07-22)

0.2.3 (2023-07-23)

New Features in v2

  • Switched to v2.0 of the Azure AD OAuth2 endpoint
  • Support for continuous access evaluation using the new -UseCAE switch
  • Made ClientId a parameter
  • Changed client_id for MSTeams
  • Added support for OneDrive and SharePoint
  • Added IssuedAt, NotBefore, ExpirationDate and ValidForHours in ConvertFrom-JWTtoken output in human readable format
  • Passkey sign-in support
  • Refactored the codebase to for easier maintenance

About

A fork of the great TokenTactics with support for CAE and token endpoint v2

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

375 stars

Watchers

5 watching

Forks

46 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 5

Languages