From 3153e9e1129dab8fc4850a52149edc290c224508 Mon Sep 17 00:00:00 2001 From: carlospolop Date: Wed, 14 May 2025 15:49:14 +0200 Subject: [PATCH] a --- .../az-basic-information/az-tokens-and-public-applications.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md index 428ece7a0..210c4ac27 100644 --- a/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md +++ b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md @@ -227,6 +227,7 @@ From an attackers perspective it's very interesting to know where is it possible - In Windows this just generates id tokens. - Possible to see if Az PowerShell was used in Linux and macSO checking is `$HOME/.local/share/.IdentityService/` exists (although the contained files are empty and useless) - If the user is **logged inside Azure with the browser**, according to this [**post**](https://www.infosecnoodle.com/p/obtaining-microsoft-entra-refresh?r=357m16&utm_campaign=post&utm_medium=web) it's possible to start the authentication flow with a **redirect to localhost**, make the browser automatically authorize the login, and receive the resh token. Note that there are only a few FOCI applications that allow redicet to localhost (like az cli or the powershell module), so these applications must be allowed. + - Another option explained in the blog is to use the tool [**BOF-entra-authcode-flow**](https://github.com/sudonoodle/BOF-entra-authcode-flow) which can use any application because it'll **get the OAuth code to then get a refresh token from the title of the final auth** page using the redirect URI `https://login.microsoftonline.com/common/oauth2/nativeclient`. ## References
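Review bot: the added sub-bullet's claim that BOF-entra-authcode-flow "can use any application" sits directly under a context line stating that only a few FOCI applications allow a localhost redirect, so the new text should qualify what "any" means here: the tool avoids the localhost restriction by relying on the `https://login.microsoftonline.com/common/oauth2/nativeclient` redirect URI, which the target application must still have registered. The description of the mechanism also reads out of order ("get the OAuth code to then get a refresh token from the title of the final auth page"); suggest rewording to "read the OAuth authorization code from the title of the final auth page and then exchange it for a refresh token". Two smaller points: "explained in the blog" should name the post it refers to (presumably the infosecnoodle post linked in the preceding bullet) so the reference is unambiguous, and since this commit touches this paragraph anyway it could fix the pre-existing typos in the adjacent context lines ("macSO", "checking is", "resh token", "redicet"). The commit subject "a" should be replaced with a descriptive one-line summary of the change.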