roadtools

ROADtools is a specialized framework designed for Azure AD reconnaissance, offering capabilities for authentication, data gathering, and timeline analysis within automated security workflows. It plays a critical role in identifying and mitigating security risks in cloud environments by facilitating effective data collection and analysis.

Ideal Use Cases & Fit

ROADtools excels in scenarios where organizations seek to enhance their Azure AD security posture through comprehensive reconnaissance. It's particularly effective for:

  • Authentication Operations: Validating user credentials and access permissions.
  • Data Gathering: Collecting relevant information for security assessments.
  • Timeline Analysis: Analyzing activities over time to trace potential security incidents.

This tool is not appropriate for environments outside Azure AD or for scenarios requiring real-time monitoring.

Value in Workflows

Integrating ROADtools into security workflows allows teams to streamline reconnaissance processes, enabling early identification of vulnerabilities. Its capabilities can serve both as an initial assessment tool and as part of a larger security analysis framework, enhancing the overall efficiency of cloud security efforts.

Input Data

ROADtools accepts different input formats depending on the operation:

For the auth operation: a JSON object whose keys are the parameter names, so it can be passed directly between workflow steps. Several credentials can be tested in one run by listing them as user:password strings in the credentials array.

Example input:

{
  "origin": "https://portal.azure.com",
  "tenant": "12345678-abcd-1234-ef00-0123456789ab",
  "credentials": [
    "[email protected]:Password123!",
    "[email protected]:SecurePass456",
    "[email protected]:DemoPass789"
  ]
}

For the other operations (gather, xlsexport, road2timeline): the expected input is the output of the previous operation in the chain: auth → gather → xlsexport / road2timeline.

Note: when auth outputs multiple tokens (because several credentials were tested), an intermediate parsing step may be needed to select the token the next operation should use. Otherwise the operations can be chained directly and the output of one feeds the next.
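The two points above, the auth input format and the "select one token out of several" step, as an added example in Python. This is illustrative code written for this page, not part of ROADtools or its workflow integration. It assumes an auth output shaped as a list of objects each carrying an "accessToken" JWT (an assumption; the real output format is not shown here), and it builds unsigned sample tokens so that it runs offline.

```python
"""Added example: validate the auth-operation input JSON described above and
pick one token out of a multi-token auth output by inspecting JWT claims.
Illustrative code, not part of ROADtools; the shape of the auth output
(a list of dicts with an "accessToken" key) is an assumption."""
import base64
import json
import uuid

# Constructed sample input in the format shown on the page (placeholder values).
SAMPLE_AUTH_INPUT = """{
  "origin": "https://portal.azure.com",
  "tenant": "12345678-abcd-1234-ef00-0123456789ab",
  "credentials": [
    "alice@example.invalid:placeholder-pw-1",
    "bob@example.invalid:pw:with:colons"
  ]
}"""


def validate_auth_input(raw: str) -> dict:
    """Parse and sanity-check the auth input before handing it to the workflow."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("auth input must be a JSON object")

    origin = data.get("origin", "")
    if origin and not origin.startswith("https://"):
        raise ValueError("origin must be an https:// URL")

    tenant = data.get("tenant", "")
    if tenant:
        # Tenant IDs are GUIDs; uuid.UUID raises ValueError on a malformed one.
        uuid.UUID(tenant)

    creds = data.get("credentials")
    if not isinstance(creds, list) or not creds:
        raise ValueError("credentials must be a non-empty array")

    parsed = []
    for entry in creds:
        if not isinstance(entry, str):
            raise ValueError("each credential must be a 'user:password' string")
        # Split on the first colon only: a UPN never contains ':' but a password may.
        user, sep, password = entry.partition(":")
        if not sep or not user or not password:
            raise ValueError(f"malformed credential entry for {user!r}")
        parsed.append((user, password))

    return {"origin": origin, "tenant": tenant, "credentials": parsed}


def _b64url_decode(segment: str) -> bytes:
    """base64url decoding, restoring the padding that JWT segments strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    That is enough for routing a token to the next workflow step; it is never
    a substitute for signature verification when a token is used to grant access."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def select_token(auth_output: list, upn: str, tenant: str = "") -> dict:
    """Pick the entry whose access token was issued to `upn` (and `tenant`, if given)."""
    for entry in auth_output:
        claims = jwt_claims(entry["accessToken"])
        if claims.get("upn", "").lower() != upn.lower():
            continue
        if tenant and claims.get("tid") != tenant:
            continue
        return entry
    raise LookupError(f"no token for {upn}")


def _sample_token(claims: dict) -> str:
    """Build an UNSIGNED sample JWT so the example runs offline; a real token
    from Azure AD carries an RS256 signature in the third segment."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


TENANT = "12345678-abcd-1234-ef00-0123456789ab"
# Constructed stand-in for a multi-token auth output (assumed shape, see above).
SAMPLE_AUTH_OUTPUT = [
    {"accessToken": _sample_token({"upn": "alice@example.invalid", "tid": TENANT})},
    {"accessToken": _sample_token({"upn": "bob@example.invalid", "tid": TENANT})},
]

if __name__ == "__main__":
    cfg = validate_auth_input(SAMPLE_AUTH_INPUT)
    print(f"{len(cfg['credentials'])} credential(s) for tenant {cfg['tenant'] or '(default)'}")
    chosen = select_token(SAMPLE_AUTH_OUTPUT, "bob@example.invalid", TENANT)
    print("selected token claims:", jwt_claims(chosen["accessToken"]))
```

Splitting each credential on the first colon matters because a UPN cannot contain a colon but a password can; splitting on every colon would silently truncate such passwords. Matching on the token's `upn` and `tid` claims keeps the chain from feeding a token for the wrong user or tenant into gather.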

Configuration

Key configurable parameters include:

  • operation: Defines the specific ROADtools operation to execute, such as authentication or data gathering.
  • username: The username utilized for authentication.
  • password: Corresponding password for the username.
  • tenant: Tenant ID for authentication; leave blank for the default tenant.
  • client: Client ID for authentication, requiring user_impersonation permissions.
  • resource: Target resource for authentication, defaulting to Azure Graph API.
  • scope: Overrides resource for authentication requests when specified.
  • as-app: Option to authenticate as an app, necessitating the password and client ID.
  • access-token: A JWT representing the access token for the session.
  • refresh-token: Token used to refresh session credentials.
  • origin: Source of refresh tokens used in Single Page Applications.
  • saml-token: SAML token collected from a Federation Server.
  • kdf-v1: Option to utilize an older key derivation function version for PRT authentication.
  • user-agent: Specifies the user agent or UA alias for token requests.