SeamlessPass: Leveraging Kerberos tickets to get Microsoft 365 access tokens

SeamlessPass

SeamlessPass is a tool designed to obtain Microsoft 365 access tokens using on-premises Active Directory Kerberos tickets for organizations with Seamless SSO (Desktop SSO) enabled. These tokens can then be used to interact with Microsoft 365 services through APIs or through other tools such as ROADTools and AADInternals, which provide further offensive capabilities.

More information about the theory and use case scenarios can be found in the blog post.

Use Cases

SeamlessPass can be used to obtain access tokens for Microsoft 365 services in tenants that have the Seamless SSO feature enabled. The access tokens can then be fed to other tools like ROADTools and AADInternals for further enumeration or offensive capabilities. The tool is handy in situations where the user's cleartext password is unavailable but other forms of access are obtainable, such as:

  • Using a compromised user’s Ticket-Granting Ticket (TGT) or a forged Golden Ticket (interacts with the DC)

    seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -tgt <base64_encoded_TGT>

  • Using a compromised user’s NTLM hash or AES key (interacts with the DC)

    seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -username user -ntlm DEADBEEFDEADBEEFDEADBEEFDEADBEEF

  • Acquisition of the AZUREADSSOACC$ account’s NTLM hash or AES key (no interaction with the DC is needed)

    seamlesspass -tenant corp.com -adssoacc-ntlm DEADBEEFDEADBEEFDEADBEEFDEADBEEF -user-sid S-1-5-21-1234567890-1234567890-1234567890-1234
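
A defender-side check for the two DC-interacting cases above, as an added example that is not part of SeamlessPass or the original page: Seamless SSO relies on a Kerberos service ticket for the AZUREADSSOACC$ account, so those requests show up on the domain controller as Security event 4769. The parsed-dict event layout, the workstation subnet and the sample events are assumptions constructed for illustration, both checks are heuristics, and the third case (no DC interaction) leaves nothing for this check to see.

```python
import ipaddress

# Assumptions, not from the page: events are Windows Security 4769 records
# already parsed into dicts, and 10.10.0.0/16 is a made-up workstation range.
SSO_ACCOUNT = "AZUREADSSOACC$"
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
RC4_HMAC = 0x17  # Kerberos etype 23

def source_ip(event):
    """Parse the client address; 4769 often logs IPv4 as ::ffff:a.b.c.d."""
    addr = ipaddress.ip_address(event["IpAddress"])
    return getattr(addr, "ipv4_mapped", None) or addr

def review_sso_ticket_requests(events):
    """Return (event, reasons) pairs for AZUREADSSOACC$ requests to review."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        if ev.get("ServiceName", "").upper() != SSO_ACCOUNT:
            continue
        reasons = []
        ip = source_ip(ev)
        if not any(ip in net for net in WORKSTATION_NETS):
            reasons.append("source outside workstation subnets")
        if int(ev.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC:
            reasons.append("RC4 ticket encryption")
        if reasons:
            findings.append((ev, reasons))
    return findings

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "AZUREADSSOACC$",
     "IpAddress": "::ffff:10.10.4.21", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "AZUREADSSOACC$",
     "IpAddress": "::ffff:10.50.9.7", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "azureadssoacc$",
     "IpAddress": "10.10.7.3", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "dave@CORP.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.50.9.7", "TicketEncryptionType": "0x17"},
]

if __name__ == "__main__":
    for ev, reasons in review_sso_ticket_requests(SAMPLE_EVENTS):
        print(ev["TargetUserName"], ev["IpAddress"], "; ".join(reasons))
```
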

Install & Use