attacking-entra-id-with-roadtools


Attacking Entra ID with ROADtools

Authorized use only: ROADtools interacts with live Microsoft Entra ID (Azure AD) tenants and can register devices, mint and exchange tokens, and enumerate directory objects. Use it solely against tenants you own or are explicitly authorized in writing to test. Unauthorized access to a cloud tenant is illegal.

Overview

ROADtools (by Dirk-jan Mollema) is the de facto offensive toolkit for Microsoft Entra ID. It has two main components:

  • ROADrecon — authenticates to Entra ID, gathers the full directory into a local SQLite database via the Azure AD Graph API, and serves an Angular GUI to explore users, groups, roles, applications, service principals, conditional-access (CA) policies, and device objects offline. A plugin system exports the collected data to BloodHound and analyzes CA policies.
  • roadtx (ROADtools Token eXchange) — acquires and exchanges Entra-issued tokens across the many OAuth flows (ROPC, device code, authorization code, refresh-token exchange, app auth and federated app auth), performs device registration, and handles Primary Refresh Token (PRT) operations including PRT-based SSO and cookie minting. Its FOCI (Family of Client IDs) awareness lets a refresh token issued to one first-party client in the family be redeemed as another family client, and so for a different resource.

Together they cover the Discovery phase against cloud identity: enumerate the tenant (T1087.004 Account Discovery: Cloud Account) and obtain/manipulate the tokens needed to reach Microsoft Graph, Azure Resource Manager, and other resources. ROADrecon's offline database makes recon stealthy and fast; roadtx makes token theft, PRT abuse, and cross-resource pivoting practical.

When to Use

  • During an authorized Azure / Entra ID red-team or cloud penetration test.
  • When you have a foothold credential, refresh token, or PRT and need to enumerate the tenant.
  • When you must pivot a token from one resource (e.g., Azure CLI) to another (e.g., Microsoft Graph).
  • When validating that conditional-access, device-compliance, and token controls actually constrain an attacker.
  • When mapping Entra attack paths (export to BloodHound for graph analysis).
attacking-entra-id-with-roadtools — mukul975/anthropic-cybersecurity-skills