{"id":13742665,"url":"https://github.com/f-bader/TokenTacticsV2","last_synced_at":"2025-05-09T00:31:34.244Z","repository":{"id":141211461,"uuid":"525470406","full_name":"f-bader/TokenTacticsV2","owner":"f-bader","description":"A fork of the great TokenTactics with support for CAE and token endpoint v2","archived":false,"fork":false,"pushed_at":"2025-02-25T14:14:25.000Z","size":1701,"stargazers_count":290,"open_issues_count":2,"forks_count":39,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-05-06T22:16:18.672Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/f-bader.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-16T17:00:45.000Z","updated_at":"2025-04-30T22:22:23.000Z","dependencies_parsed_at":null,"dependency_job_id":"a75fb99d-c50c-4b29-810f-9de5007d44ea","html_url":"https://github.com/f-bader/TokenTacticsV2","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f-bader%2FTokenTacticsV2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f-bader%2FTokenTacticsV2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f-bader%2FTokenTacticsV2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f-bader%2FTokenTacticsV2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/f-bader","downloa
d_url":"https://codeload.github.com/f-bader/TokenTacticsV2/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253170954,"owners_count":21865273,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T05:00:34.784Z","updated_at":"2025-05-09T00:31:34.232Z","avatar_url":"https://github.com/f-bader.png","language":"PowerShell","funding_links":[],"categories":["Tools","Credential Abuse"],"sub_categories":["CLI","Spraying Tools"],"readme":"```\n  ______      __                 __             __  _                     ___ \n /_  __/___  / /_____  ____     / /_____ ______/ /_(_)_________   _   __ |__ \\\n  / / / __ \\/ //_/ _ \\/ __ \\   / __/ __ `/ ___/ __/ / ___/ ___/  | | / / __/ /\n / / / /_/ / ,\u003c /  __/ / / /  / /_/ /_/ / /__/ /_/ / /__(__  )   | |/ / / __/ \n/_/  \\____/_/|_|\\___/_/ /_/   \\__/\\__,_/\\___/\\__/_/\\___/____/    |___(_)____/     \n```\n\n# TokenTactics v2\n\nThis is an updated version of [TokenTactics](https://github.com/rvrsh3ll/TokenTactics) originally written by Stephan Borosh [@rvrsh3ll](https://github.com/rvrsh3ll) \u0026 Bobby Cooke [@0xBoku](https://github.com/boku7).\n\n### 0.2.10 (2025-02-25)\n\n* Bugfix: Wrong type initialization\n\n### 0.2.9 (2025-02-17)\n\n* Add `ResourceTenant` for `Get-AzureToken` to support B2B device code phishing\n* Switch out Azure Management client id\n* Add `UseCodeVerifier` to support Proof Key for Code Exchange (PKCE)\n* Add `UseV1Endpoint` to some functions to support a broader variety of endpoint tests\n\n### 0.2.8 (2025-01-18)\n\n* 
Add `Get-AzureTokenFromRefreshTokenCredentialCookie` (\"x-ms-RefreshTokenCredential\") and add modularized `Get-AzureTokenFromCookie`\n* Add parameter to choose cookie type (ESTSAuth, ESTSAUTHPERSISTENT) to `Get-AzureTokenFromESTSCookie`\n* Add sample output for `Get-AzureTokenFromAuthorizationCode` to `Get-AzureAuthorizationCode` output\n* Improved output and more verbose error handling\n\n### 0.2.7 (2025-01-08) \n\n* Expand `Get-AzureTokenFromESTSCookie` to support the **appverify** endpoint\n* Improve cookie management of `Get-AzureTokenFromESTSCookie`\n\n### 0.2.6 (2025-01-04)\n\n* Fix bug custom scopes in `Get-AzureAuthorizationCode` and `Get-AzureTokenFromAuthorizationCode`\n* Change default redirect Uri for `Get-AzureAuthorizationCode`\n\n### 0.2.5 (2025-01-04)\n\n* Added new cmdlets `Get-AzureAuthorizationCode` and `Get-AzureTokenFromAuthorizationCode` \\\n  Those cmdlets are heavily inspired by [TokenSmith](https://github.com/JumpsecLabs/TokenSmith) maintained by [@gladstomych](https://github.com/gladstomych)\n* Added new cmdlet `Invoke-RefreshToDeviceRegistrationToken` which is a TokenTactics version of the [AADInternals](https://github.com/Gerenios/AADInternals) cmdlet [`Get-AccessTokenForAADJoin`](https://github.com/Gerenios/AADInternals/blob/b23a7845f6dc5ea8c57b10351421a4d00466cd90/AccessToken.ps1#L877)\n* Added v1 endpoint support for `Invoke-RefreshToToken` with the `UseV1Endpoint`. 
This was required to add `Invoke-RefreshToDeviceRegistrationToken`\n* Added pipeline support for `ConvertFrom-JWTtoken`\n* Add default values to `Get-ForgedUserAgent`\n\n### 0.2.1 (2023-07-21)\n\n* Support for Linux as a device platform\n* Support for OS/2 as a device platform :grin:\n\n### 0.2.2 (2023-07-22)\n\n* Backported [Yammer token support](https://github.com/rvrsh3ll/TokenTactics/commit/9b364e45e39c70cc3d0a0c5ca85d36e395df8930)\n* Backported [switch to allowed PowerShell verbs](https://github.com/rvrsh3ll/TokenTactics/commit/1e46bf26bcc799d4796b621e7f778fd0a24806ff), added alias for backward compatibility\n\n### 0.2.3 (2023-07-23)\n\n* Backported [pull request](https://github.com/rvrsh3ll/TokenTactics/pull/9/) by [rotarydrone](https://github.com/rotarydrone) to convert ESTSAuth to access token\n\n## New Features in v2\n\n* Switched to `v2.0` of the Azure AD OAuth2 endpoint\n* Support for [continuous access evaluation](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation) using the new `-UseCAE` switch\n* Made `ClientId` a parameter\n* Changed `client_id` for MSTeams\n* Added support for OneDrive and SharePoint\n* Added `IssuedAt`, `NotBefore`, `ExpirationDate` and `ValidForHours` in `ConvertFrom-JWTtoken` output in human-readable format\n* Refactored the codebase for easier maintenance\n\n## Azure JSON Web Token (\"JWT\") Manipulation Toolset\n\nAzure access tokens allow you to authenticate to certain endpoints as a user who signs in with a device code. If you are in possession of a [FOCI (Family of Client IDs)](https://github.com/secureworks/family-of-client-ids-research) capable refresh token, you can use it to get access tokens to all known [FOCI capable endpoints](https://github.com/secureworks/family-of-client-ids-research/blob/main/known-foci-clients.csv). Since the refresh token also contains the information whether the user has done multi-factor authentication, you can use this. 
Once you have a user's access token, it may be possible to access certain apps such as Outlook, SharePoint, OneDrive, MSTeams and more.\n\nFor instance, if you have a Graph or MSGraph refresh token, you can then connect to Azure and dump users, groups, etc. You could then, depending on conditional access policies, switch to an Azure Core Management token and run [AzureHound](https://github.com/BloodHoundAD/AzureHound). Then, get an Outlook access token and read/send emails, or an MS Teams token and read/send Teams messages!\n\nFor more on Azure token types, see [Microsoft identity platform access tokens](https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens).\n\nThere are some example requests to endpoints in the resources folder. There is also an example phishing template for device code phishing.\n\nYou may also use these tokens with [AAD Internals](https://o365blog.com/aadinternals/). We strongly recommend checking this amazing tool out.\n\n## Installation and Usage\n\n```powershell\nImport-Module .\\TokenTactics.psd1\nGet-Help Get-AzureToken\nInvoke-RefreshToSubstrateToken -Domain \"myclient.org\"\n```\n\n### Get refresh token using Device Code flow\n\n```powershell\nGet-AzureToken -Client MSGraph\n```\n\nOnce the user has logged in, you'll be presented with the JWT and it will be saved in the `$response` variable. To display the access token, use ```$response.access_token``` from your PowerShell window. You may also display the refresh token with ```$response.refresh_token```. Hint: You'll want the refresh token to keep refreshing to new tokens!\n\n#### DOD/Mil Device Code\n\n```powershell\nGet-AzureToken -Client DODMSGraph\n```\n\n### Get a Refresh Token from ESTSAuth* Cookie\n\n```powershell\nGet-AzureTokenFromESTSCookie -ESTSAuthCookie \"0.AbcApTk...\"\n```\n\nThis module uses the authorization code flow to obtain an access token and refresh token using an ESTSAuth (or ESTSAuthPersistent) cookie. 
Useful if you have phished a session via Evilginx or have otherwise obtained this cookie.\n\nBe sure to use the right cookie! `ESTSAuthPersistent` is only useful when a CA policy actually grants a persistent session. Otherwise, you should use `ESTSAuth`. You can usually tell which one to use based on length: the longer cookie is the one you want to use :)\n\n*Note: This may not work in all cases as it may require user interaction. If this is the case, either use the Device Code flow above, or try `roadtx interactiveauth --estscookie`*\n\nThis feature was backported from the [pull request](https://github.com/rvrsh3ll/TokenTactics/pull/9/) by [rotarydrone](https://github.com/rotarydrone) in the original repo.\n\n### Get a refresh token using the authorization code flow\n\nOne of the most prominent examples of this [OAuth2 flow](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow) (at least at the beginning of 2025) is the Intune Company Portal, which allows, for some resources, bypassing device compliance requirements.\n\nThis intel was first published by [@dirkjan](https://bsky.app/profile/dirkjanm.io/post/3ld4nbbhqd222) and then released at [Black Hat Europe](https://github.com/secureworks/pytune) to a wider audience by [@TEMP43487580](https://x.com/TEMP43487580/status/1866882057743282432).\n\nJumpsecLabs published a [blog article](https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/) and a POC in the form of [TokenSmith](https://github.com/JumpsecLabs/TokenSmith) shortly after.\n\nNow the same capabilities are available in TokenTacticsV2.\n\n`Get-AzureAuthorizationCode` will create a URL you can then use to authenticate.\n\n`Get-AzureTokenFromAuthorizationCode` uses either the full URL or the parameters `AuthorizationCode` and `RedirectUrl` to exchange the auth code for an access and refresh token. 
After that you can try to get access to other resources as always.\n\n![How to use the new cmdlets](./images/EntraIDAuthorizationCodeFlow.gif)\n\n### Refresh to new access token\n\nIf you do not specify a refresh token, the cmdlets will use `$response.refresh_token` as a default.\n\n```powershell\nInvoke-RefreshToOutlookToken -domain \"myclient.org\"\n\n$OutlookToken.access_token\n```\n\n### Connect to AzureAD using access token\n\n```powershell\nConnect-AzureAD -AadAccessToken $response.access_token -AccountId user@myclient.org\n```\n\n### Connect to MgGraph using access token\n\n```powershell\nInvoke-RefreshToMSGraphToken -Domain \"myclient.org\"\nConnect-MgGraph -AccessToken $MSGraphToken.access_token -Scopes \"User.Read.All\",\"Group.ReadWrite.All\"\n```\n\n### Clear tokens\n\nThis will remove any token variables.\n\n```powershell\nClear-Token -Token All\n```\n\n### Continuous Access Evaluation\n\nWith [continuous access evaluation](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation) Microsoft implements additional security measures, but also extends the maximum lifetime of an access token to 24 hours. Certain CAE capable services like MSGraph, Exchange, Teams and SharePoint can block access tokens based on certain events triggered by Azure AD. 
Currently those critical events are:\n\n* User Account is deleted or disabled\n* Password for a user is changed or reset\n* Multi-factor authentication is enabled for the user\n* Administrator explicitly revokes all refresh tokens for a user\n* High user risk detected by Azure AD Identity Protection (not in Teams and SharePoint Online)\n\n```powershell\nInvoke-RefreshToMSGraphToken -Domain \"myclient.org\" -UseCAE\nif ( $global:MSGraphTokenValidForHours -gt 23) { \"MSGraph token is CAE capable\" }\n```\n\n### Use with AAD Internals\n\nIf you have AADInternals installed as well you can use the created access tokens.\n\n```powershell\nInvoke-RefreshToMSTeamsToken -UseCAE -Domain \"myclient.org\"\nSet-AADIntTeamsStatusMessage -Message \"My cool status message\" -AccessToken $MSTeamsToken.access_token -Verbose\n```\n\n### Commands\n\n```powershell\nGet-Command -Module TokenTactics\n\nCommandType     Name                                               Version    Source\n-----------     ----                                               -------    ------\nFunction        Clear-Token                                        0.3.0      TokenTactics\nFunction        ConvertFrom-JWTtoken                               0.3.0      TokenTactics\nFunction        Get-AzureAuthorizationCode                         0.3.0      TokenTactics\nFunction        Get-AzureToken                                     0.3.0      TokenTactics\nFunction        Get-AzureTokenFromAuthorizationCode                0.3.0      TokenTactics\nFunction        Get-AzureTokenFromESTSCookie                       0.3.0      TokenTactics\nFunction        Get-ForgedUserAgent                                0.3.0      TokenTactics\nFunction        Get-TenantID                                       0.3.0      TokenTactics\nFunction        Invoke-RefreshToAzureCoreManagementToken           0.3.0      TokenTactics\nFunction        Invoke-RefreshToAzureKeyVaultToken                 0.3.0      TokenTactics\nFunction       
 Invoke-RefreshToAzureManagementToken               0.3.0      TokenTactics\nFunction        Invoke-RefreshToAzureStorageToken                  0.3.0      TokenTactics\nFunction        Invoke-RefreshToDeviceRegistrationToken            0.3.0      TokenTactics\nFunction        Invoke-RefreshToDODMSGraphToken                    0.3.0      TokenTactics\nFunction        Invoke-RefreshToGraphToken                         0.3.0      TokenTactics\nFunction        Invoke-RefreshToMAMToken                           0.3.0      TokenTactics\nFunction        Invoke-RefreshToMSGraphToken                       0.3.0      TokenTactics\nFunction        Invoke-RefreshToMSManageToken                      0.3.0      TokenTactics\nFunction        Invoke-RefreshToMSTeamsToken                       0.3.0      TokenTactics\nFunction        Invoke-RefreshToOfficeAppsToken                    0.3.0      TokenTactics\nFunction        Invoke-RefreshToOfficeManagementToken              0.3.0      TokenTactics\nFunction        Invoke-RefreshToOneDriveToken                      0.3.0      TokenTactics\nFunction        Invoke-RefreshToOutlookToken                       0.3.0      TokenTactics\nFunction        Invoke-RefreshToSharePointToken                    0.3.0      TokenTactics\nFunction        Invoke-RefreshToSubstrateToken                     0.3.0      TokenTactics\nFunction        Invoke-RefreshToToken                              0.3.0      TokenTactics\nFunction        Invoke-RefreshToYammerToken                        0.3.0      TokenTactics\n```\n\n## Authors and contributors\n- [@rvrsh3ll](https://github.com/rvrsh3ll)\n- [@0xBoku](https://github.com/boku7) co-author and researcher.\n- [@f-bader](https://github.com/f-bader) updated CAE capable version\n- [@Pri3st](https://github.com/Pri3st) added functions to fetch Storage and Key Vault access tokens\n\nTokenTactic's methods are highly influenced by the great research of Dr Nestori Syynimaa at 
https://o365blog.com/.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff-bader%2FTokenTacticsV2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff-bader%2FTokenTacticsV2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff-bader%2FTokenTacticsV2/lists"}