Cookie replay client for testing Azure AD Identity Protection
I made this client to test various features of Azure AD Identity Protection.
Example
Unfamiliar sign-in properties can be detected on both interactive and non-interactive sign-ins. When this detection fires on non-interactive sign-ins, it deserves increased scrutiny due to the risk of token replay attacks.
This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens.
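One way to triage this detection in exported sign-in logs, as an added example that is not part of the original project: it flags non-interactive sign-ins that carry an unfamiliar-properties or anomalous-token risk, and raises the priority when the IP address differs from the user's most recent interactive sign-in. The field names and risk-type strings are assumptions modelled on the Microsoft Graph sign-in log schema, and the sample records are constructed.

```javascript
// Added example: triage sign-in log records for token-replay indicators.
// Field names and risk strings are assumptions modelled on the Graph sign-in schema.
const TOKEN_RISKS = new Set(["unfamiliarFeatures", "anomalousToken"]);

// Constructed sample records (not real log data; IPs are documentation ranges).
const sampleSignIns = [
  { userPrincipalName: "mega@contoso.example", createdDateTime: "2023-01-10T08:00:00Z",
    isInteractive: true, ipAddress: "198.51.100.10", appDisplayName: "Office 365", riskEventTypes_v2: [] },
  { userPrincipalName: "mega@contoso.example", createdDateTime: "2023-01-10T08:05:00Z",
    isInteractive: false, ipAddress: "198.51.100.10", appDisplayName: "Office 365", riskEventTypes_v2: [] },
  { userPrincipalName: "mega@contoso.example", createdDateTime: "2023-01-10T08:20:00Z",
    isInteractive: false, ipAddress: "203.0.113.77", appDisplayName: "Office 365", riskEventTypes_v2: ["unfamiliarFeatures"] },
  { userPrincipalName: "alex@contoso.example", createdDateTime: "2023-01-10T09:00:00Z",
    isInteractive: true, ipAddress: "192.0.2.5", appDisplayName: "Azure Portal", riskEventTypes_v2: ["unfamiliarFeatures"] },
  { userPrincipalName: "alex@contoso.example", createdDateTime: "2023-01-10T09:10:00Z",
    isInteractive: false, ipAddress: "192.0.2.5", appDisplayName: "Azure Portal", riskEventTypes_v2: ["anomalousToken"] },
];

function findReplayCandidates(signIns) {
  // Process in time order so "last interactive IP" is always the one seen before the event.
  const sorted = [...signIns].sort((a, b) => a.createdDateTime.localeCompare(b.createdDateTime));
  const lastInteractiveIp = new Map(); // user -> IP of most recent interactive sign-in
  const findings = [];
  for (const s of sorted) {
    if (s.isInteractive) {
      lastInteractiveIp.set(s.userPrincipalName, s.ipAddress);
      continue; // only non-interactive sign-ins are reported here
    }
    const risks = (s.riskEventTypes_v2 || []).filter((r) => TOKEN_RISKS.has(r));
    if (risks.length === 0) continue;
    const knownIp = lastInteractiveIp.get(s.userPrincipalName);
    findings.push({
      user: s.userPrincipalName,
      time: s.createdDateTime,
      app: s.appDisplayName,
      ipAddress: s.ipAddress,
      risks,
      // "high" when the token was used from a different IP than the last interactive sign-in.
      priority: knownIp !== undefined && knownIp !== s.ipAddress ? "high" : "review",
    });
  }
  return findings;
}

console.log(JSON.stringify(findReplayCandidates(sampleSignIns), null, 2));
```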
As the license says: 0% Liability, 0% Warranty
What does it do?
Uses the ESTSAUTH cookie for the non-device-SSO flow (device SSO cookies require different attributes in the requests):
- Sends mail to user
- Gets user mail settings
- Tries to list user Azure Subscriptions
- Uploads random data from randomuser.me/api to onedrive
Prereqs
- Azure Cloud Shell opened in BASH
- Run setup
curl -o- https://raw.githubusercontent.com/jsa2/aadcookiespoof/main/remote.sh | bash
Spoofing
From any browser, copy the FIRST occurrence of the ESTSAUTH cookie from a fresh sign-in (use an InPrivate browser window to ensure no device flows are used)
Run the following in bash to create the template
- paste the cookie contents into the command
echo '[
{
"user":"mega",
"cookie":"ESTSAUTH=0.AU8Aob9...."
}
]' > cookies.json
Spoof
RUN
cd aadcookiespoof
node manual.js