Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Directory
Similar to I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Directory (20)
Recently uploaded
Recently uploaded (20)
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Directory
- 1. fox-it.com Hacking Azure AD via Active Directory Dirk-jan Mollema (@_dirkjan) I’m in your cloud… reading everyone’s email Classification: Public
- 2. fox-it.com - Lives in The Netherlands - Hacker / Red Teamer / Researcher @ Fox-IT since 2016 - Previously freelance webdeveloper - Author of several Active Directory tools - Mitm6 - Ldapdomaindump - BloodHound.py - aclpwn.py - Co-author of ntlmrelayx - Blogs on dirkjanm.io - PrivExchange - Tweets stuff on @_dirkjan Whoami Classification: Public
- 3. fox-it.com • What is Azure AD • Integrating Azure AD with Active Directory • Azure AD Administrator roles • Pwning the cloud • Privilege escalation in Azure AD • Abusing Seamless Single Sign On Contents Classification: Public
- 4. fox-it.com • Me writing PowerShell • Me writing C# Also: Classification: Public
- 5. fox-it.com • Pentest goal: Access CEO mailbox • Stored in Office 365 • MFA enforced for most accounts • CEO workstation unreachable How it all started Classification: Public
- 6. fox-it.com Office 365 Azure Active Directory Active Directory Domain admin Controls ??? ??? ??? Limited AD admin ??? ??? ??? Classification: Public
- 7. fox-it.com On-premise Research approach Cloud Active Directory Azure Active Directory Classification: Public
- 8. fox-it.com On-premise Assumption: security boundary Cloud Active Directory Azure Active Directory Security boundary Classification: Public
- 9. fox-it.com On-premise Security boundary information flow Cloud Active Directory Azure Active Directory Security boundary Flow of trusted information Classification: Public
- 10. fox-it.com • “Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service.” Azure AD Classification: Public
- 11. fox-it.com Azure AD vs Active Directory (Windows Server) Active Directory Azure Active Directory LDAP REST API’s NTLM/Kerberos OAuth/SAML/OpenID/etc Structured directory (OU tree) Flat structure GPO’s No GPO’s Super fine-tuned access controls Predefined roles Domain/forest Tenant Trusts Guests Classification: Public
- 12. fox-it.com • 3 primary methods of integration: • Password Hash Synchronization (PHS) • Pass Through Authentication (PTA) • Active Directory Federation Services (AD FS) Integrating Azure AD and Active Directory Classification: Public
- 13. fox-it.com Password hash synchronization Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs Classification: Public
- 14. fox-it.com • Utility installed on-premise • Has a high-privilege account in AD • Has also a high-privilege account in Azure AD • High value target! Azure AD connect Classification: Public
- 15. fox-it.com • If password hash sync is in use: TL;DR Compromised Azure AD connect Sync account = Compromised AD Classification: Public
- 16. fox-it.com Finding the Sync server and account Classification: Public
- 17. fox-it.com • Configuration database ADSync.mdf C:Program FilesMicrosoft Azure AD SyncData • Can be accessed as LocalDB on host or copied and browsed locally Hunting for creds in AD Sync Classification: Public
- 18. fox-it.com Extracting the configuration SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent; Classification: Public
- 20. fox-it.com • Crypto stuff is in mcrypt.dll • Mcrypt.dll contains both C# and native code • C# easy to analyze using dnSpy • Native code contains the crypto functions Encrypted configuration Classification: Public
- 21. fox-it.com SELECT instance_id, keyset_id, entropy FROM mms_server_configuration; Classification: Public
- 22. fox-it.com Create limited POC – analyze with procmon Classification: Public
- 23. fox-it.com • Locally: error • On server: works • Even with same data in registry • Suggests: Machine dependent protection DPAPI Local test VS server test Classification: Public
- 24. fox-it.com • Simple API to use: 1 line of code to securely encrypt data • Uses certificates per user or computer • Monitor calls to Crypt32.dll DPAPI Classification: Public
- 25. fox-it.com Tracking DPAPI with API Monitor Classification: Public
- 26. fox-it.com More crypto stuff Classification: Public
- 27. fox-it.com • Encryption key is encrypted with DPAPI • Decrypted version contains some blob with AES keys • Uses AES-256 in CBC mode Crypto TL;DR Classification: Public
- 28. fox-it.com • Adsync database • Encrypted data • Entropy • Instance ID • Keyset ID • Registry • Encryption Key (DPAPI protected) • DPAPI machine secrets Info needed to decrypt variables Classification: Public
- 29. fox-it.com Dumping the info - demo Classification: Public
- 31. fox-it.com Or remotely over the network Classification: Public Credit: @agsolino for his work on impacket and secretsdump Get the database Dump DPAPI enc. Keys (registry) Dump AD Sync enc. keys (registry) Get DPAPI masterkey Decrypt all the stuff
- 32. fox-it.com DCSync with AD Sync account Classification: Public
- 33. fox-it.com Recommendation Azure AD Connect Active Directory administrative tier model: https://docs.Microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material Classification: Public
- 34. fox-it.com Azure AD – Roles and access Classification: Public
- 35. fox-it.com • RBAC Roles are only used for Azure Resource Manager • Office 365 uses administrator roles exclusively Azure AD roles Classification: Public
- 36. fox-it.com • MSOnline PowerShell module • Focusses on Office 365 • Some Office 365 specific features • AzureAD PowerShell module • General Azure AD • Different feature set Interacting with Azure AD Classification: Public
- 38. fox-it.com • Company Administrator = Global Administrator • Anyone can query role members Hunting for admins Admins only Classification: Public
- 39. fox-it.com • Most likely not all admins are synced with on-premise • Can be queried by any Azure AD user • If we are Domain Admin, can we sync an on-premise account? Cloud-only or synced Classification: Public
- 40. fox-it.com Can we sync existing users? Classification: Public
- 41. fox-it.com • Needs to have a proxy address (means the account has a mailbox) • License not required • Should not already be synced Finding potential targets Classification: Public
- 43. fox-it.com Creating a sync target Classification: Public
- 45. fox-it.com Delegate permissions for the inbox Classification: Public
- 46. fox-it.com • We created a new account • Linked it to an existing admin • Delegated ourselves mailbox permissions • Flag achieved So about that assignment Classification: Public
- 47. fox-it.com • Domain Admin is not required to create new users • Often delegated to (junior) IT admins • “Create user” privileges sufficient to take over admin accounts • Multi Factor Authentication not bypassed • Make sure all admin accounts have MFA enforced! • Prime target: emergency admin accounts not requiring MFA (recommendation from Microsoft until a few months ago) I sync we have a problem Classification: Public
- 48. fox-it.com • Reported to MSRC in June 2018 • Fixed mid October 2018 • Account sync not possible anymore for admin accounts Don’t worry it’s fixed Classification: Public
- 49. fox-it.com • MFA all the things! • If you can’t, enable monitoring (license required) Still Classification: Public
- 50. fox-it.com Role privileges and escalation Classification: Public
- 51. fox-it.com • Global/Company administrator can do anything • Limited administrator accounts • Application Administrator • Authentication Administrator • Exchange Administrator • Etc • Roles are fixed Azure AD admin roles Source: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles Classification: Public
- 52. fox-it.com • “create and manage all aspects of enterprise applications, application registrations, and application proxy settings” • What is an application? Application Administrators Classification: Public
- 53. fox-it.com • Examples: • Microsoft Graph • Azure Multi-Factor Auth Client • Azure Portal • Office 365 portal • Azure ATP • A default Office 365 Azure AD has about 200 service principals (read: applications) Everything is an application Classification: Public
- 54. fox-it.com • Applications/App registrations are applications that exist in your Azure AD • Service principals/Enterprise Applications are accounts in your Azure AD linked to either your application or a third party application. Service principals VS applications Classification: Public
- 55. fox-it.com • Two types of privileges: • Delegated permissions • Require signed-in user present to perform • Application permissions • Are assigned to the application, which can use them at any time • These privileges are assigned to the service principal • Admin approval may be needed Application privileges Classification: Public
- 58. fox-it.com • By default, any user in Azure AD can create: • New applications • Service principals for these application • That user will be the owner of the applications • Bob registers an application • Admin grants consent to the application to access data • Bob now has access to that data Problem 1 Classification: Public
- 59. fox-it.com • Step 1: Add certificate as credential to our application Example: Add certificate to service principal Classification: Public
- 60. fox-it.com • Step 2: Connect as service principal Example (2) Classification: Public
- 61. fox-it.com With user context Classification: Public
- 63. fox-it.com • Log shows actions were performed by application Logging? Classification: Public
- 64. fox-it.com • “Application administrators” can manage all applications and service principals • Two (default) service principals have “Directory.ReadWrite.All” • By adding a credential to an application, the Application Administrator escalates their privileges Problem 2 Classification: Public
- 66. fox-it.com Python POC code to connect Classification: Public
- 67. fox-it.com • Reported to MSRC in August 2018 • Confirmed fixed in December • Current behaviour: Fix timeline Classification: Public
- 68. fox-it.com Behaviour is now documented Classification: Public
- 69. fox-it.com • Global Admins can still assign privileges to applications • Possibility for backdooring accounts • Service Principal accounts do not require MFA • Credentials assigned to Microsoft apps are not visible in the Azure Portal • Custom applications with high privileges still at risk Remaining risks Classification: Public
- 70. fox-it.com Azure Resource manager also affected Classification: Public
- 71. fox-it.com • RBAC roles can be assigned to service principals • These can be managed by Application Administrators • Also by the on-premise sync account • High privilege applications might need an account • Example: Terraform Azure RBAC Classification: Public
- 72. fox-it.com Anyone with control over Service Principals can assign credentials to them and potentially escalate privileges. TL;DR Classification: Public
- 73. fox-it.com Seamless Single Sign On aka: let’s port all of Kerberos’ weaknesses to Azure Classification: Public
- 74. fox-it.com SSO Flow (simplified) 1. Log in request Active Directory 2 .Request Service Ticket for AAD Azure Active Directory Classification: Public
- 75. fox-it.com SSO Flow 2 (simplified) Active Directory 3. Reply with service ticket 4. Log in with service ticket Azure Active Directory Classification: Public
- 76. fox-it.com • Active Directory stores a computer account: AZUREADSSOACC$ • Password is shared with Azure AD • Service ticket is encrypted with this password, contains user SID • Azure AD decrypts ticket, looks up user by SID in Azure AD • Logged in Technical things Classification: Public
- 77. fox-it.com • If Active Directory is compromised, attackers can dump hashes and create fake Service Tickets • Called Silver Tickets • Can be used to log in as any user in Azure AD (if no MFA) • Well-known Kerberos risk Compromised Active Directory Source: https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/ Classification: Public
- 78. fox-it.com • Kerberos has the concept of “delegation” • Delegation means trusting applications to impersonate other users • If configured incorrectly, applications can impersonate any user • 3 forms of delegation: • Unconstrained: very dangerous, avoid using • Constrained: has to be specifically configured, unlikely attack vector for Azure AD • Resource based constrained: Recently being researched What about delegation Classification: Public
- 79. fox-it.com • Delegation is configured on the target object • The AZUREADSSOACC$ account is a computer account • No special protections • Anyone that can manage computer accounts in the container or OU this account is in can configure it • Likely many admins in larger orgs have this access Resource based constrained delegation Credits: @elad_shamir, @harmj0y and @gentilkiwi for their research on this topic Classification: Public
- 81. fox-it.com Getting a ticket for Vince Classification: Public
- 82. fox-it.com Log in on Azure Classification: Public
- 85. fox-it.com Logged in Classification: Public
- 86. fox-it.com Anyone who can edit properties* of the AZUREADSSOACC$ account, can impersonate any user in Azure AD using Kerberos (if no MFA) TL;DR *and has control over at least one account with a Service Principal Name set Classification: Public
- 87. fox-it.com In BloodHound 2.1 Classification: Public
- 88. fox-it.com • Reported to MSRC January 2019 • Conclusion: Won’t fix for now, but looking into hardening measures for the future Disclosure timeline Classification: Public
- 90. fox-it.com • MFA all the things • Be careful with MFA exclusions on IP basis (guest network?) • Protect your Azure AD Sync servers like domain controllers • Audit your Service Principals, their access and their owners • Using SSO weakens security, protect the SSO account Conclusions Classification: Public