### Install ROADtools Source: https://github.com/dirkjanm/roadtools/blob/master/roadoidc/README.md Clone the repository and install the necessary libraries using pip. ```bash git clone https://github.com/dirkjanm/ROADtools cd ROADtools/ pip install roadlib/ pip install roadtx/ cd roadoidc ``` -------------------------------- ### Setup ROADtools Frontend Development Source: https://github.com/dirkjanm/roadtools/blob/master/README.md Clone the ROADtools repository and install frontend dependencies using npm. This setup is for developing the Angular frontend of ROADrecon. ```bash git clone https://github.com/dirkjanm/roadtools.git pip install -e roadlib/ pip install -e roadrecon/ cd roadrecon/frontend/ npm install ``` -------------------------------- ### Device Code Flow Example Command Source: https://github.com/dirkjanm/roadtools/wiki/Using-roadlib-in-your-own-python-based-tool-to-get-tokens Example command to authenticate using the device code flow. Requires tenant ID and client ID. ```bash python roadlib_argparse_example.py --tenant your_tenant_id --client your_client_id --device-code ``` -------------------------------- ### Username and Password Authentication Example Command Source: https://github.com/dirkjanm/roadtools/wiki/Using-roadlib-in-your-own-python-based-tool-to-get-tokens Example command to authenticate using username and password. Requires username, password, tenant ID, and client ID. ```bash python roadlib_argparse_example.py --username user@example.com --password your_password --tenant your_tenant_id --client your_client_id ``` -------------------------------- ### Install roadtx from GitHub Source: https://github.com/dirkjanm/roadtools/blob/master/README.md Install the latest version of roadtx from GitHub by first installing roadlib and then roadtx. This ensures you have the most recent updates for both the tool and its underlying library. ```bash pip install roadlib/ pip install roadtx/ ``` -------------------------------- ### Install roadlib from GitHub Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Clone the repository and install roadlib in editable mode to use the latest development version. ```sh git clone https://github.com/dirkjanm/roadtools.git pip install -e roadlib/ ``` -------------------------------- ### Refresh Token Authentication Example Command Source: https://github.com/dirkjanm/roadtools/wiki/Using-roadlib-in-your-own-python-based-tool-to-get-tokens Example command to authenticate using a refresh token. Requires tenant ID, client ID, and the refresh token. ```bash python roadlib_argparse_example.py --tenant your_tenant_id --client your_client_id --refresh-token your_refresh_token ``` -------------------------------- ### Install ROADlib and ROADrecon from GitHub Source: https://github.com/dirkjanm/roadtools/blob/master/README.md Install the latest versions of ROADlib and ROADrecon from GitHub using pip. This ensures you have the most recent updates for both the tool and its underlying library. ```bash pip install roadlib/ pip install roadrecon/ ``` -------------------------------- ### Install roadlib Package Source: https://github.com/dirkjanm/roadtools/wiki/Setting-up-BrowserCore.py Install the latest version of the roadlib Python package using pip. This is a prerequisite for using BrowserCore. ```bash pip install roadlib ``` -------------------------------- ### Install ROADlib and ROADrecon in Development Mode Source: https://github.com/dirkjanm/roadtools/blob/master/README.md Install ROADlib and ROADrecon in development mode using pip. This is useful for making changes to the code and having them reflected immediately. ```bash pip install -e roadlib/ pip install -e roadrecon/ ``` -------------------------------- ### Run Flask App for Static Files Source: https://github.com/dirkjanm/roadtools/blob/master/roadoidc/README.md Start the Flask development server to generate static configuration files for hosting on Azure Blob Storage or other platforms. ```bash cd flaskapp/ flask run ``` -------------------------------- ### Start Development Server Source: https://github.com/dirkjanm/roadtools/blob/master/roadrecon/frontend/README.md Run the Angular development server to view the application locally. The app reloads automatically on source file changes. ```bash ng serve ``` -------------------------------- ### Install roadtx in Development Mode Source: https://github.com/dirkjanm/roadtools/blob/master/README.md Install roadtx in development mode using pip. This is useful for making changes to the code and having them reflected immediately. ```bash pip install -e roadtx/ ``` -------------------------------- ### Initiate Device Code Flow for Authentication Source: https://github.com/dirkjanm/roadtools/wiki/Getting-started-with-ROADrecon Starts the device code flow, which prompts for MFA if applicable. Use this when MFA is required or for interactive sign-in via a web browser. ```bash roadrecon auth --device-code To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXXX to authenticate. ``` -------------------------------- ### add_claim Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Add desired claim to authentication flow, for example CAE or MFA. ```APIDOC ## add_claim ### Description Add desired claim to authentication flow, for example CAE or MFA. ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### get_pkce_challenge Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Get PKCE challenge (sha256 hash) of the generated secret. ```APIDOC ## get_pkce_challenge ### Description Get PKCE challenge (sha256 hash) of the generated secret. ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### Get Tokens for Microsoft Graph using a Refresh Token Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Requests an access token for the Microsoft Graph by using an existing refresh token. The resource alias 'msgraph' is used for the Microsoft Graph. ```bash roadtx gettokens --refresh-token -r msgraph ``` -------------------------------- ### Get Tokens for AAD Graph with Username and Password Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Requests access and/or refresh tokens for the Azure AD Graph using provided username and password. Ensure the resource alias 'aadgraph' is correctly configured. ```bash roadtx gettokens -u user@iminyour.cloud -p mypassword -r aadgraph ``` -------------------------------- ### __init__ Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Initializes the authentication object with optional username, password, tenant, and client ID. ```APIDOC ## __init__ ### Description Initializes the authentication object with optional username, password, tenant, and client ID. ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### List available ROADrecon plugins Source: https://github.com/dirkjanm/roadtools/wiki/Getting-started-with-ROADrecon Use this command to see all available plugins and their subcommands. It also shows basic usage information. ```bash roadrecon plugin -h ``` -------------------------------- ### Download OIDC Configuration Files Source: https://github.com/dirkjanm/roadtools/blob/master/roadoidc/README.md Use wget to download the OpenID configuration and keys JSON files generated by the Flask development server. ```bash wget http://127.0.0.1:5000/.well-known/openid-configuration -O config.json wget http://127.0.0.1:5000/keys.json -O keys.json ``` -------------------------------- ### Build Project Source: https://github.com/dirkjanm/roadtools/blob/master/roadrecon/frontend/README.md Build the Angular project for deployment. Use the --prod flag for a production-optimized build. ```bash ng build ``` ```bash ng build --prod ``` -------------------------------- ### Get TOTP Secret using roadtx Source: https://github.com/dirkjanm/roadtools/wiki/Setting-up-identities-in-a-KeePass-file-for-use-with-roadtx Use this command to test the TOTP secret extracted from KeePass. Ensure the secret is correctly configured. ```bash roadtx get otp -s secret ``` -------------------------------- ### Authenticate with a Specific Client and Resource Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Demonstrates specifying both client and resource aliases for token acquisition. Defaults are used if not specified, which can lead to 'invalid audience' errors. ```bash roadtx gettokens -u myuser@mytenant -p mypassword -c msteams -r msgraph ``` ```bash roadtx interactiveauth -c msteams -r https://graph.microsoft.com ``` -------------------------------- ### Application Authentication with Certificate (PEM) Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Authenticate as an application using a client ID, tenant ID, scope, and certificate/private key files in PEM format. Requires specifying --key-pem and --cert-pem. ```bash roadtx appauth -c 00000002-0000-0ff1-ce00-000000000000 -t iminyour.cloud -s "msgraph/.default" --key-pem certpoc.key --cert-pem certpoc.pem ``` -------------------------------- ### Angular CLI Help Source: https://github.com/dirkjanm/roadtools/blob/master/roadrecon/frontend/README.md Access help information for the Angular CLI to learn about available commands and options. ```bash ng help ``` -------------------------------- ### ROADlib Authentication with Argparse Source: https://github.com/dirkjanm/roadtools/wiki/Using-roadlib-in-your-own-python-based-tool-to-get-tokens This script sets up argument parsing for authentication using ROADlib. It initializes the Authentication class, populates the parser with authentication-related arguments, parses the command line, and retrieves tokens. ```python import argparse from roadtools.roadlib.auth import Authentication def main(): # Create the top-level parser parser = argparse.ArgumentParser(description='Example script using ROADlib for authentication') # Initialize the Authentication object auth = Authentication() # Populate the argument parser with authentication arguments auth_parser = auth.get_sub_argparse(parser) # Parse the command-line arguments args = parser.parse_args() # Parse arguments and set internal state auth.parse_args(args) # Authenticate and get tokens based on provided arguments tokens = auth.get_tokens(args) if tokens: print('Authentication successful. Tokens:') print(tokens) # Save tokens to disk auth.save_tokens(args) else: print('Authentication failed. Please check the provided arguments.') if __name__ == '__main__': main() ``` -------------------------------- ### Show options for the 'policies' plugin Source: https://github.com/dirkjanm/roadtools/wiki/Getting-started-with-ROADrecon This command displays the specific arguments and options available for the 'policies' plugin, which parses Conditional Access policies. ```bash roadrecon plugin policies -h ``` -------------------------------- ### Generate OIDC Configuration Source: https://github.com/dirkjanm/roadtools/blob/master/roadoidc/README.md Use the genconfig.py script to create the IdP certificate, private key, and configuration file. The issuer URL is a required parameter. ```bash usage: genconfig.py [-h] [--cert-pem file] [--key-pem file] -i ISSUER [-c CONFIGFILE] [-k KID] ROADoidc - minimal OpenID Connect config generator optional arguments: -h, --help show this help message and exit --cert-pem file Certificate file to store IdP cert (default: roadoidc.pem) --key-pem file Private key file to store IdP key (default: roadoidc.key) -i ISSUER, --issuer ISSUER Issuer of the federated credential - needs to be the base URL where the config is hosted -c CONFIGFILE, --configfile CONFIGFILE File to store the configuration (default: flaskapp/app_config.py) -k KID, --kid KID Key ID to use (default: SHA1 thumbprint of generated certificate ``` -------------------------------- ### Authenticate with Username and Password Source: https://github.com/dirkjanm/roadtools/wiki/Getting-started-with-ROADrecon Use this method for simple authentication when MFA is not required or enforced. It utilizes the legacy password authentication grant. ```bash roadrecon auth -u user@mytenant.onmicrosoft.com -p Passwordhere ``` -------------------------------- ### ROADrecon Usage Overview Source: https://github.com/dirkjanm/roadtools/wiki/Getting-started-with-ROADrecon Displays the main commands and subcommands available in ROADrecon. Use this to understand the basic structure and available actions. ```bash usage: roadrecon [-h] {auth,gather,dump,gui,plugin} ... ROADrecon - The Azure AD exploration tool. By @_dirkjan - dirkjanm.io To get started, use one of the subcommands. Each command has a help feature (roadrecon -h). 1. Authenticate to Azure AD roadrecon auth 2. Gather all information roadrecon gather 3. Explore the data or export it to a specific format using a plugin roadrecon gui roadrecon plugin -h ``` -------------------------------- ### Describe Access Token with roadtx describe Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Describe an access token to view its header and payload claims. The token can be read from a file, standard input, or directly from the command line. Piping the output to 'jq' is recommended for formatted output. ```bash roadtx describe < .roadtools_auth | jq . { "alg": "RS256", "kid": "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI", "nonce": "8EBrQwUJKjliF8E3nca7GJwQe2Uqq6Hde9B7xDV_zgw", "typ": "JWT", "x5t": "2ZQpJ3UpbjAYXYGaXEJl8lV0TOI" } { "acct": 0, "acr": "1", ``` -------------------------------- ### Authenticate with a Client and Refresh with a Different Client Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Shows how to authenticate initially with one client ID and then refresh the token using a different client ID, which is supported for FOCI clients. The token can be read from a file if '--refresh-token file' is used. ```bash roadtx gettokens -u user@iminyour.cloud -p mypassword -c azcli ``` ```bash roadtx gettokens --refresh-token -c msteams ``` -------------------------------- ### Application Authentication with Client Secret Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Authenticate as an application using a client ID, client secret (password), tenant ID, and a resource or scope. The client secret is passed using the -p parameter. ```bash roadtx appauth -c 75066883-c497-471e-94cc-32c1e9a174cf -p CLIENT_SECRET -t iminyour.cloud -r https://graph.microsoft.com ``` ```bash roadtx appauth -c 75066883-c497-471e-94cc-32c1e9a174cf -p CLIENT_SECRET -t iminyour.cloud -s https://graph.microsoft.com/.default ``` -------------------------------- ### Register Device with ROADtools Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Register a device in Azure AD using an access token for the device registration service. The command generates a randomized device name by default and saves the private key and certificate to .key and .pem files. ```bash roadtx device -n blogdevice Saving private key to blogdevice.key Registering device Device ID: 5f138d8b-6416-448d-89ef-9b279c419943 Saved device certificate to blogdevice.pem ``` -------------------------------- ### Application Authentication with Federated Credentials Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Authenticate as an application using federated credentials. Requires specifying client ID, tenant, scope, issuer URL, subject, and optionally key ID, certificate, and private key. ```bash roadtx rfederatedappauth -c CLIENT_ID --cert-pem roadoidc.pem --key-pem roadoidc.key --subject testappfederated -t iminyour.cloud --issuer https://roadoidcblob.blob.core.windows.net/containername -s https://graph.microsoft.com/.default --kid KEYID ``` -------------------------------- ### Authenticate using Authorization Code (Native v2) Source: https://github.com/dirkjanm/roadtools/wiki/roadlib This snippet shows how to authenticate using an authorization code with the native v2 implementation. You need to provide the authorization code, redirect URI, and optionally a client secret. Ensure the Authentication class is initialized with client ID, tenant, and scope. ```python from roadtools.roadlib.auth import Authentication # Initialize authentication auth = Authentication(client_id='client_id', tenant='tenant_id') auth.set_client_id('your_client_id') auth.set_scope('https://graph.microsoft.com/.default') # Authenticate using authorization code tokens = auth.authenticate_with_code_native_v2('authorization_code', 'redirect_uri', client_secret='client_secret') print(tokens) ``` -------------------------------- ### Authenticate with PRT (Default) Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Use the default client and resource IDs to authenticate using a PRT loaded from 'roadtx.prt'. This emulates the Web Account Manager (WAM). ```bash roadtx prtauth ``` -------------------------------- ### Authenticate using Username and Password (Native v2) Source: https://github.com/dirkjanm/roadtools/wiki/roadlib This snippet shows how to authenticate using username and password with the native v2 implementation of roadlib, which uses the scope parameter. Ensure the Authentication class is initialized with username, password, tenant, client ID, and the desired scope. ```python from roadtools.roadlib.auth import Authentication # Initialize authentication auth = Authentication(username='user@example.com', password='password', tenant='tenant_id') auth.set_client_id('your_client_id') auth.set_scope('https://graph.microsoft.com/.default') # Authenticate using username and password tokens = auth.authenticate_username_password_native_v2() print(tokens) ``` -------------------------------- ### Upload to Azure Blob Storage Source: https://github.com/dirkjanm/roadtools/blob/master/roadoidc/README.md Upload the generated configuration files to an Azure Blob Storage container using the Azure CLI. Ensure the storage account and container are publicly accessible. ```bash export RESOURCE_GROUP="roadoidc" # Change location to where you want export LOCATION="westus2" az group create --name "${RESOURCE_GROUP}" --location "${LOCATION}" export AZURE_STORAGE_ACCOUNT="yourstoragename" export AZURE_STORAGE_CONTAINER="containername" az storage account create --resource-group "${RESOURCE_GROUP}" --name "${AZURE_STORAGE_ACCOUNT}" --allow-blob-public-access true az storage container create --name "${AZURE_STORAGE_CONTAINER}" --public-access blob az storage blob upload \ --container-name "${AZURE_STORAGE_CONTAINER}" \ --file config.json \ --name .well-known/openid-configuration az storage blob upload \ --container-name "${AZURE_STORAGE_CONTAINER}" \ --file keys.json \ --name keys.json ``` -------------------------------- ### Authenticate using Device Code Flow (Native) Source: https://github.com/dirkjanm/roadtools/wiki/roadlib This snippet demonstrates how to authenticate using the device code flow with the native roadlib implementation targeting the v1 Microsoft Identity Platform. Ensure you have initialized the Authentication class with username, tenant, client ID, and resource URI. ```python from roadtools.roadlib.auth import Authentication # Initialize authentication auth = Authentication(username='user@example.com', tenant='tenant_id') auth.set_client_id('your_client_id') auth.set_resource_uri('https://graph.microsoft.com') # Authenticate using device code flow tokens = auth.authenticate_device_code_native() print(tokens) ``` -------------------------------- ### authenticate_with_desktopsso_token Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticates using a provided Desktop SSO token. It supports optional parameters for returning a reply and additional data. ```APIDOC ## authenticate_with_desktopsso_token ### Description Authenticate with Desktop SSO token. ### Method ``` authenticate_with_desktopsso_token(self, dssotoken, returnreply=False, additionaldata=None) ``` ### Parameters #### Path Parameters - **dssotoken** (string) - The Desktop SSO token for authentication. #### Optional Parameters - **returnreply** (boolean) - Whether to return a reply. - **additionaldata** (any) - Additional data to include in the authentication. ``` -------------------------------- ### Authenticate using Refresh Token (Native v2) Source: https://github.com/dirkjanm/roadtools/wiki/roadlib This snippet demonstrates how to obtain new tokens using an existing refresh token with the native v2 implementation. Initialize the Authentication class with client ID, tenant, and scope, then call the authenticate_with_refresh_native_v2 method with your refresh token. ```python from roadtools.roadlib.auth import Authentication # Initialize authentication auth = Authentication(client_id='client_id', tenant='tenant_id') auth.set_client_id('your_client_id') auth.set_scope('https://graph.microsoft.com/.default') # Authenticate using refresh token tokens = auth.authenticate_with_refresh_native_v2(refresh_token='your_refresh_token') print(tokens) ``` -------------------------------- ### Authenticate with KeePass Credentials Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Authenticate using credentials stored in a KeePass file. Specify the KeePass file path and password (or use the KPPASS environment variable). Supports MFA TOTP seeds if configured. ```bash roadtx keepassauth -c msteams -u myuser@mytenant.com -kp accounts.kdbx -kpp keepassfilepassword ``` -------------------------------- ### user_discovery Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Backwards compatibility function for user discovery. ```APIDOC ## user_discovery ### Description Backwards compatibility function for user discovery. ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### Authenticate with PRT (Azure CLI) Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Use the Azure CLI client ID and request tokens for Azure Resource Manager. The resulting refresh token can be used with AzureHound. ```bash roadtx prtauth -c azcli -r azrm ``` -------------------------------- ### get_desktopsso_token Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Retrieves a Desktop SSO token. It can be obtained using plain username and password, or with a Kerberos authentication token. ```APIDOC ## get_desktopsso_token ### Description Get desktop SSO token either with plain username and password, or with a Kerberos auth token. ### Method ``` get_desktopsso_token(self, username=None, password=None, krbtoken=None) ``` ### Parameters #### Optional Parameters - **username** (string) - The username for authentication. - **password** (string) - The password for authentication. - **krbtoken** (string) - The Kerberos authentication token. ``` -------------------------------- ### Request Primary Refresh Token (PRT) Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Request a PRT using user credentials and device certificate/key. The PRT is saved to 'roadtx.prt' by default. ```bash roadtx prt -u myuser@mytenant.com -p password --key-pem blogdevice.key --cert-pem blogdevice.pem ``` -------------------------------- ### Perform Interactive Authentication Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Use for simple interactive authentication, optionally providing username and password. Any Multi-Factor Authentication (MFA) prompts must be handled manually. ```bash roadtx interactiveauth -u myuser@mytenant.com -p password ``` -------------------------------- ### build_auth_url Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Constructs an authorization URL. It requires a redirect URL and response type, with optional scope and state parameters. ```APIDOC ## build_auth_url ### Description Build authorize URL. ### Method ``` build_auth_url(self, redirurl, response_type, scope=None, state=None) ``` ### Parameters #### Path Parameters - **redirurl** (string) - The redirect URL for the authorization. - **response_type** (string) - The type of response requested. #### Optional Parameters - **scope** (string) - The scope of the authorization. - **state** (string) - The state parameter for the authorization request. ``` -------------------------------- ### authenticate_with_prt_v2 Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticates using KDF version 2 PRT. Requires the PRT and session key. ```APIDOC ## authenticate_with_prt_v2 ### Description KDF version 2 PRT auth. ### Method ``` authenticate_with_prt_v2(self, prt, sessionkey) ``` ### Parameters #### Path Parameters - **prt** (string) - The PRT (Portable Runtime) value. - **sessionkey** (string) - The session key. ``` -------------------------------- ### authenticate_as_app_native Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate with an APP id + secret (native version). ```APIDOC ## authenticate_as_app_native ### Description Authenticate with an APP id + secret (native version). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### authenticate_device_code_native Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate with device code flow (native version). ```APIDOC ## authenticate_device_code_native ### Description Authenticate with device code flow (native version). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### get_bulk_enrollment_token Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Obtains a bulk enrollment token using an access token. ```APIDOC ## get_bulk_enrollment_token ### Description Get bulk enrollment token. ### Method ``` get_bulk_enrollment_token(self, access_token) ``` ### Parameters #### Path Parameters - **access_token** (string) - The access token for obtaining the bulk enrollment token. ``` -------------------------------- ### authenticate_as_app Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate with an APP id + secret (password credentials assigned to app or service principal). ```APIDOC ## authenticate_as_app ### Description Authenticate with an APP id + secret (password credentials assigned to app or service principal). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### authenticate_as_app_native_v2 Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate with an APP id + secret (v2 native version). ```APIDOC ## authenticate_as_app_native_v2 ### Description Authenticate with an APP id + secret (v2 native version). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### authenticate_device_code_native_v2 Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate with device code flow (v2 native version). ```APIDOC ## authenticate_device_code_native_v2 ### Description Authenticate with device code flow (v2 native version). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### Generate Angular Component Source: https://github.com/dirkjanm/roadtools/blob/master/roadrecon/frontend/README.md Use the Angular CLI to generate new components or other project artifacts like directives, pipes, services, etc. ```bash ng generate component component-name ``` ```bash ng generate directive|pipe|service|class|guard|interface|enum|module ``` -------------------------------- ### Host on Azure App Service Source: https://github.com/dirkjanm/roadtools/blob/master/roadoidc/README.md Deploy the Flask application to Azure App Service using the Azure CLI. Ensure you can reach the OIDC configuration endpoint after deployment. ```bash cd flaskapp/ az webapp up -n yourappname --sku B1 --runtime PYTHON:3.10 ``` -------------------------------- ### Authenticate with PRT (Microsoft Teams) Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Use the Microsoft Teams client ID to request tokens for Microsoft Graph. ```bash roadtx prtauth -c msteams -r msgraph ``` -------------------------------- ### authenticate_device_code Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate the end-user using device auth. ```APIDOC ## authenticate_device_code ### Description Authenticate the end-user using device auth. ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### Find Microsoft Graph Scopes with roadtx getscope Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Use the getscope command to find Microsoft first-party clients that have specific API permissions. The `--foci` flag can be used to filter for clients that support cross-organization refresh tokens. ```bash roadtx getscope -s https://graph.microsoft.com/mail.read ``` -------------------------------- ### authenticate_username_password_native Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate using user with username and password (native version). ```APIDOC ## authenticate_username_password_native ### Description Authenticate using user with username and password (native version). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### Use Cached Refresh Token with refreshtokento Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Use a cached refresh token from the .roadtools_auth file to obtain new tokens. Automatically uses the cached client ID. Useful for switching resources or scopes without manual parameter input. ```bash roadtx refreshtokento -r msgraph ``` ```bash roadtx refreshtokento -s https://graph.microsoft.com/.default ``` ```bash roadtx refreshtokento -c msteams -r msgraph ``` -------------------------------- ### authenticate_username_password_native_v2 Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate using user with username and password (v2 native version). ```APIDOC ## authenticate_username_password_native_v2 ### Description Authenticate using user with username and password (v2 native version). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### set_cae Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Request a Continuous Access Evaluation token. ```APIDOC ## set_cae ### Description Request a Continuous Access Evaluation token. ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### authenticate_with_prt Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticates with a PRT using KDF version 1. Requires the PRT, context, and optionally a derived key or session key. ```APIDOC ## authenticate_with_prt ### Description Authenticate with a PRT and given context/derived key (KDF version 1). ### Method ``` authenticate_with_prt(self, prt, context, derived_key=None, sessionkey=None) ``` ### Parameters #### Path Parameters - **prt** (string) - The PRT (Portable Runtime) value. - **context** (string) - The context for authentication. #### Optional Parameters - **derived_key** (string) - The derived key for authentication. - **sessionkey** (string) - The session key. ``` -------------------------------- ### authenticate_with_refresh Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate with a refresh token, refreshes the refresh token and obtains an access token. ```APIDOC ## authenticate_with_refresh ### Description Authenticate with a refresh token, refreshes the refresh token and obtains an access token. ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### Request PRT using Device Authentication Source: https://github.com/dirkjanm/roadtools/wiki/roadlib This snippet demonstrates how to request a Primary Refresh Token (PRT) using device authentication with username and password. It requires initializing DeviceAuthentication and loading a device certificate. ```python from roadtools.roadlib.deviceauth import DeviceAuthentication # Initialize device authentication device_auth = DeviceAuthentication() # Load device certificate device_auth.loadcert(pemfile='device_cert.pem', privkeyfile='device_key.pem') # Request a PRT using username and password prtdata = device_auth.get_prt_with_password(username='user@example.com', password='password') print(prtdata) ``` -------------------------------- ### Initialize PRT Cookie Authentication Source: https://github.com/dirkjanm/roadtools/wiki/Getting-started-with-ROADrecon Begins the Single Sign-On (SSO) flow using a Primary Refresh Token (PRT) cookie. This is useful when you have code execution on an Azure AD joined/registered device. ```bash roadrecon auth --prt-init Requested nonce from server to use with ROADtoken: AQABAAAAAAB2UyzwtQEKR7-rWbgdcBZIJ3LUNT8vP0ZW8dI8AB3zTVy1r1rTFR35qK3ds4Kfcv7FQFMTcHiL6cSofh1eODwInaebcwNsnrrQQr8n-xCFaSAA ``` -------------------------------- ### authenticate_username_password Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate using user with username and password. ```APIDOC ## authenticate_username_password ### Description Authenticate using user with username and password. ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### set_force_mfa Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Force MFA during auth. ```APIDOC ## set_force_mfa ### Description Force MFA during auth. ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### calculate_derived_key Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Calculates the derived key using KBKDFHMAC. Requires a session key and optionally accepts a context. ```APIDOC ## calculate_derived_key ### Description Calculate the derived key given a session key and optional context using KBKDFHMAC. ### Method ``` calculate_derived_key(self, sessionkey, context=None) ``` ### Parameters #### Path Parameters - **sessionkey** (string) - The session key. #### Optional Parameters - **context** (string) - The context for key calculation. ``` -------------------------------- ### Delete Azure AD Device Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Use this command to delete a device from Azure AD using its certificate and private key. ```bash roadtx device -a delete -c blogdevice.pem -k blogdevice.key ``` -------------------------------- ### authenticate_with_code_native Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate with a code plus optional secret in case of a non-public app (native version). ```APIDOC ## authenticate_with_code_native ### Description Authenticate with a code plus optional secret in case of a non-public app (native version). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### calculate_derived_key_v2 Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Calculates the derived key using version 2, which incorporates the JWT body. Requires session key, context, and JWT body. ```APIDOC ## calculate_derived_key_v2 ### Description Derived key calculation v2, which uses the JWT body. ### Method ``` calculate_derived_key_v2(self, sessionkey, context, jwtbody) ``` ### Parameters #### Path Parameters - **sessionkey** (string) - The session key. - **context** (string) - The context for key calculation. - **jwtbody** (string) - The JWT body. ``` -------------------------------- ### Authenticate with Access or Refresh Token Source: https://github.com/dirkjanm/roadtools/wiki/Getting-started-with-ROADrecon Allows direct authentication using an Azure AD Graph access token or refresh token. Be cautious as access tokens expire quickly (typically one hour). ```bash roadrecon auth --access-token roadrecon auth --refresh-token ``` -------------------------------- ### create_prt_cookie_kdf_ver_2 Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Constructs a KDF version 2 cookie. This function requires the PRT, session key, and an optional nonce. ```APIDOC ## create_prt_cookie_kdf_ver_2 ### Description KDF version 2 cookie construction. ### Method ``` create_prt_cookie_kdf_ver_2(self, prt, sessionkey, nonce=None) ``` ### Parameters #### Path Parameters - **prt** (string) - The PRT (Portable Runtime) value. - **sessionkey** (string) - The session key. #### Optional Parameters - **nonce** (string) - The nonce value. ``` -------------------------------- ### Enrich PRT with MFA Claim using roadtx prtenrich Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Use this command to enrich a Portable Refresh Token (PRT) with an MFA claim by requesting a special refresh token. This is useful when the initial PRT was requested without MFA. The resulting refresh token can then be used to request a PRT with MFA. ```bash roadtx prtenrich -u newlowpriv@iminyour.cloud Got refresh token. Can be used to request prt with roadtx prt -r ``` ```bash roadtx prt -r -c blogdevice.pem -k blogdevice.key ``` -------------------------------- ### authenticate_with_code Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate with a code plus optional secret in case of a non-public app. ```APIDOC ## authenticate_with_code ### Description Authenticate with a code plus optional secret in case of a non-public app. ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### Keep Browser Open for KeePass Authentication Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Authenticate using KeePass credentials and keep the browser window open to browse a specified URL. Useful for automated browsing after authentication. ```bash roadtx keepassauth -url https://myaccount.microsoft.com --keep-open -u myuser@mytenant.com -kp accounts.kdbx -kpp keepassfilepassword ``` -------------------------------- ### authenticate_with_refresh_native Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate with a refresh token plus optional secret in case of a non-public app (native version). ```APIDOC ## authenticate_with_refresh_native ### Description Authenticate with a refresh token plus optional secret in case of a non-public app (native version). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### user_discovery_v2 Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Discover whether this is a federated user (v2 endpoint). ```APIDOC ## user_discovery_v2 ### Description Discover whether this is a federated user (v2 endpoint). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### user_discovery_v1 Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Discover whether this is a federated user (v1 endpoint). ```APIDOC ## user_discovery_v1 ### Description Discover whether this is a federated user (v1 endpoint). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### Authenticate with a Stolen PRT and Session Key Source: https://github.com/dirkjanm/roadtools/wiki/Getting-started-with-ROADrecon Authenticates using a PRT and its corresponding session key, typically extracted from LSASS memory using tools like mimikatz. This method is for advanced scenarios where PRTs have been compromised. ```bash roadrecon auth --prt 0.AXQAj_KHYn9PIkOWEZVMTmYw8MfeZ7pc --prt-sessionkey 22d31fd0117cbb6a7debeb0c5cf029a7f63 ``` -------------------------------- ### authenticate_with_code_native_v2 Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate with a code plus optional secret in case of a non-public app (v2 native version). ```APIDOC ## authenticate_with_code_native_v2 ### Description Authenticate with a code plus optional secret in case of a non-public app (v2 native version). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### authenticate_with_refresh_native_v2 Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Authenticate with a refresh token plus optional secret in case of a non-public app (v2 native version). ```APIDOC ## authenticate_with_refresh_native_v2 ### Description Authenticate with a refresh token plus optional secret in case of a non-public app (v2 native version). ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (None) None #### Response Example None ``` -------------------------------- ### roadtx prtauth Usage Source: https://github.com/dirkjanm/roadtools/wiki/ROADtools-Token-eXchange-(roadtx) Displays the help message for the roadtx prtauth command, detailing optional arguments for client ID, resource, redirect URL, PRT file, and manual PRT/session key specification. ```text usage: roadtx prtauth [-h] [-c CLIENT] [-r RESOURCE] [-ru URL] [-f FILE] [--prt PRT] [--prt-sessionkey PRT_SESSIONKEY] [--tokenfile TOKENFILE] [--tokens-stdout] optional arguments: -h, --help show this help message and exit -c CLIENT, --client CLIENT Client ID to use when authenticating. -r RESOURCE, --resource RESOURCE Resource to authenticate to. Either a full URL or alias (list with roadtx listaliases) -ru URL, --redirect-url URL Custom redirect URL used when authenticating (default: ms-appx-web://Microsoft.AAD.BrokerPlugin/) -f FILE, --prt-file FILE PRT storage file (default: roadtx.prt) --prt PRT Primary Refresh Token --prt-sessionkey PRT_SESSIONKEY Primary Refresh Token session key (as hex key) --tokenfile TOKENFILE File to store the credentials (default: .roadtools_auth) --tokens-stdout Do not store tokens on disk, pipe to stdout instead ``` -------------------------------- ### Complete PRT Cookie Authentication Source: https://github.com/dirkjanm/roadtools/wiki/Getting-started-with-ROADrecon Completes the authentication process after obtaining a PRT cookie using a tool like ROADtoken. Ensure the cookie is correctly formatted. ```bash roadrecon auth --prt-cookie COOKIE_FROM_ROADTOKEN_GOES_HERE ``` -------------------------------- ### get_authority_url Source: https://github.com/dirkjanm/roadtools/wiki/roadlib Returns the authority URL for the tenant specified, or the common one if no tenant was specified. ```APIDOC ## get_authority_url ### Description Returns the authority URL for the tenant specified, or the common one if no tenant was specified. ### Parameters #### Path Parameters None #### Query Parameters - **default_tenant** (string) - Optional - The default tenant to use if none is specified. #### Request Body None ### Method None ### Endpoint None ### Request Example None ### Response #### Success Response (string) The authority URL for the tenant. #### Response Example None ```