I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Directory

1. fox-it.com Hacking Azure AD via Active Directory Dirk-jan Mollema (@_dirkjan) I’m in your cloud… reading everyone’s email Classification: Public

2. fox-it.com - Lives in The Netherlands - Hacker / Red Teamer / Researcher @ Fox-IT since 2016 - Previously freelance webdeveloper - Author of several Active Directory tools - Mitm6 - Ldapdomaindump - BloodHound.py - aclpwn.py - Co-author of ntlmrelayx - Blogs on dirkjanm.io - PrivExchange - Tweets stuff on @_dirkjan Whoami Classification: Public

3. fox-it.com • What is Azure AD • Integrating Azure AD with Active Directory • Azure AD Administrator roles • Pwning the cloud • Privilege escalation in Azure AD • Abusing Seamless Single Sign On Contents Classification: Public

4. fox-it.com • Me writing PowerShell • Me writing C# Also: Classification: Public

5. fox-it.com • Pentest goal: Access CEO mailbox • Stored in Office 365 • MFA enforced for most accounts • CEO workstation unreachable How it all started Classification: Public

6. fox-it.com Office 365 Azure Active Directory Active Directory Domain admin Controls ??? ??? ??? Limited AD admin ??? ??? ??? Classification: Public

7. fox-it.com On-premise Research approach Cloud Active Directory Azure Active Directory Classification: Public

8. fox-it.com On-premise Assumption: security boundary Cloud Active Directory Azure Active Directory Security boundary Classification: Public

9. fox-it.com On-premise Security boundary information flow Cloud Active Directory Azure Active Directory Security boundary Flow of trusted information Classification: Public

10. fox-it.com • “Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service.” Azure AD Classification: Public

11. fox-it.com Azure AD vs Active Directory (Windows Server) Active Directory Azure Active Directory LDAP REST API’s NTLM/Kerberos OAuth/SAML/OpenID/etc Structured directory (OU tree) Flat structure GPO’s No GPO’s Super fine-tuned access controls Predefined roles Domain/forest Tenant Trusts Guests Classification: Public

12. fox-it.com • 3 primary methods of integration: • Password Hash Synchronization (PHS) • Pass Through Authentication (PTA) • Active Directory Federation Services (AD FS) Integrating Azure AD and Active Directory Classification: Public

13. fox-it.com Password hash synchronization Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs Classification: Public

14. fox-it.com • Utility installed on-premise • Has a high-privilege account in AD • Has also a high-privilege account in Azure AD • High value target! Azure AD connect Classification: Public

15. fox-it.com • If password hash sync is in use: TL;DR Compromised Azure AD connect Sync account = Compromised AD Classification: Public

16. fox-it.com Finding the Sync server and account Classification: Public

17. fox-it.com • Configuration database ADSync.mdf C:Program FilesMicrosoft Azure AD SyncData • Can be accessed as LocalDB on host or copied and browsed locally Hunting for creds in AD Sync Classification: Public

18. fox-it.com Extracting the configuration SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent; Classification: Public

19. fox-it.com Agent configuration Classification: Public

20. fox-it.com • Crypto stuff is in mcrypt.dll • Mcrypt.dll contains both C# and native code • C# easy to analyze using dnSpy • Native code contains the crypto functions Encrypted configuration Classification: Public

21. fox-it.com SELECT instance_id, keyset_id, entropy FROM mms_server_configuration; Classification: Public

22. fox-it.com Create limited POC – analyze with procmon Classification: Public

23. fox-it.com • Locally: error • On server: works • Even with same data in registry • Suggests: Machine dependent protection  DPAPI Local test VS server test Classification: Public

24. fox-it.com • Simple API to use: 1 line of code to securely encrypt data • Uses certificates per user or computer • Monitor calls to Crypt32.dll DPAPI Classification: Public

25. fox-it.com Tracking DPAPI with API Monitor Classification: Public

26. fox-it.com More crypto stuff Classification: Public

27. fox-it.com • Encryption key is encrypted with DPAPI • Decrypted version contains some blob with AES keys • Uses AES-256 in CBC mode Crypto TL;DR Classification: Public

28. fox-it.com • Adsync database • Encrypted data • Entropy • Instance ID • Keyset ID • Registry • Encryption Key (DPAPI protected) • DPAPI machine secrets Info needed to decrypt variables Classification: Public

29. fox-it.com Dumping the info - demo Classification: Public

30. fox-it.com Classification: Public

31. fox-it.com Or remotely over the network Classification: Public Credit: @agsolino for his work on impacket and secretsdump Get the database Dump DPAPI enc. Keys (registry) Dump AD Sync enc. keys (registry) Get DPAPI masterkey Decrypt all the stuff

32. fox-it.com DCSync with AD Sync account Classification: Public

33. fox-it.com Recommendation Azure AD Connect Active Directory administrative tier model: https://docs.Microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material Classification: Public

34. fox-it.com Azure AD – Roles and access Classification: Public

35. fox-it.com • RBAC Roles are only used for Azure Resource Manager • Office 365 uses administrator roles exclusively Azure AD roles Classification: Public

36. fox-it.com • MSOnline PowerShell module • Focusses on Office 365 • Some Office 365 specific features • AzureAD PowerShell module • General Azure AD • Different feature set Interacting with Azure AD Classification: Public

37. fox-it.com Module differences Classification: Public

38. fox-it.com • Company Administrator = Global Administrator • Anyone can query role members Hunting for admins Admins only Classification: Public

39. fox-it.com • Most likely not all admins are synced with on-premise • Can be queried by any Azure AD user • If we are Domain Admin, can we sync an on-premise account? Cloud-only or synced Classification: Public

40. fox-it.com Can we sync existing users? Classification: Public

41. fox-it.com • Needs to have a proxy address (means the account has a mailbox) • License not required • Should not already be synced Finding potential targets Classification: Public

43. fox-it.com Creating a sync target Classification: Public

45. fox-it.com Delegate permissions for the inbox Classification: Public

46. fox-it.com • We created a new account • Linked it to an existing admin • Delegated ourselves mailbox permissions • Flag achieved  So about that assignment Classification: Public

47. fox-it.com • Domain Admin is not required to create new users • Often delegated to (junior) IT admins • “Create user” privileges sufficient to take over admin accounts • Multi Factor Authentication not bypassed • Make sure all admin accounts have MFA enforced! • Prime target: emergency admin accounts not requiring MFA (recommendation from Microsoft until a few months ago) I sync we have a problem Classification: Public

48. fox-it.com • Reported to MSRC in June 2018 • Fixed mid October 2018 • Account sync not possible anymore for admin accounts Don’t worry it’s fixed Classification: Public

49. fox-it.com • MFA all the things! • If you can’t, enable monitoring (license required) Still Classification: Public

50. fox-it.com Role privileges and escalation Classification: Public

51. fox-it.com • Global/Company administrator can do anything • Limited administrator accounts • Application Administrator • Authentication Administrator • Exchange Administrator • Etc • Roles are fixed Azure AD admin roles Source: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles Classification: Public

52. fox-it.com • “create and manage all aspects of enterprise applications, application registrations, and application proxy settings” • What is an application? Application Administrators Classification: Public

53. fox-it.com • Examples: • Microsoft Graph • Azure Multi-Factor Auth Client • Azure Portal • Office 365 portal • Azure ATP • A default Office 365 Azure AD has about 200 service principals (read: applications) Everything is an application Classification: Public

54. fox-it.com • Applications/App registrations are applications that exist in your Azure AD • Service principals/Enterprise Applications are accounts in your Azure AD linked to either your application or a third party application. Service principals VS applications Classification: Public

55. fox-it.com • Two types of privileges: • Delegated permissions • Require signed-in user present to perform • Application permissions • Are assigned to the application, which can use them at any time • These privileges are assigned to the service principal • Admin approval may be needed Application privileges Classification: Public

56. fox-it.com Example: Application permissions Classification: Public

57. fox-it.com Service principal permissions Classification: Public

58. fox-it.com • By default, any user in Azure AD can create: • New applications • Service principals for these application • That user will be the owner of the applications • Bob registers an application • Admin grants consent to the application to access data • Bob now has access to that data Problem 1 Classification: Public

59. fox-it.com • Step 1: Add certificate as credential to our application Example: Add certificate to service principal Classification: Public

60. fox-it.com • Step 2: Connect as service principal Example (2) Classification: Public

61. fox-it.com With user context Classification: Public

62. fox-it.com With application context Classification: Public

63. fox-it.com • Log shows actions were performed by application Logging? Classification: Public

64. fox-it.com • “Application administrators” can manage all applications and service principals • Two (default) service principals have “Directory.ReadWrite.All” • By adding a credential to an application, the Application Administrator escalates their privileges Problem 2 Classification: Public

65. fox-it.com Previously Classification: Public

66. fox-it.com Python POC code to connect Classification: Public

67. fox-it.com • Reported to MSRC in August 2018 • Confirmed fixed in December • Current behaviour: Fix timeline Classification: Public

68. fox-it.com Behaviour is now documented Classification: Public

69. fox-it.com • Global Admins can still assign privileges to applications • Possibility for backdooring accounts • Service Principal accounts do not require MFA • Credentials assigned to Microsoft apps are not visible in the Azure Portal • Custom applications with high privileges still at risk Remaining risks Classification: Public

70. fox-it.com Azure Resource manager also affected Classification: Public

71. fox-it.com • RBAC roles can be assigned to service principals • These can be managed by Application Administrators • Also by the on-premise sync account • High privilege applications might need an account • Example: Terraform Azure RBAC Classification: Public

72. fox-it.com Anyone with control over Service Principals can assign credentials to them and potentially escalate privileges. TL;DR Classification: Public

73. fox-it.com Seamless Single Sign On aka: let’s port all of Kerberos’ weaknesses to Azure Classification: Public

74. fox-it.com SSO Flow (simplified) 1. Log in request Active Directory 2 .Request Service Ticket for AAD Azure Active Directory Classification: Public

75. fox-it.com SSO Flow 2 (simplified) Active Directory 3. Reply with service ticket 4. Log in with service ticket Azure Active Directory Classification: Public

76. fox-it.com • Active Directory stores a computer account: AZUREADSSOACC$ • Password is shared with Azure AD • Service ticket is encrypted with this password, contains user SID • Azure AD decrypts ticket, looks up user by SID in Azure AD • Logged in Technical things Classification: Public

77. fox-it.com • If Active Directory is compromised, attackers can dump hashes and create fake Service Tickets • Called Silver Tickets • Can be used to log in as any user in Azure AD (if no MFA) • Well-known Kerberos risk Compromised Active Directory Source: https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/ Classification: Public

78. fox-it.com • Kerberos has the concept of “delegation” • Delegation means trusting applications to impersonate other users • If configured incorrectly, applications can impersonate any user • 3 forms of delegation: • Unconstrained: very dangerous, avoid using • Constrained: has to be specifically configured, unlikely attack vector for Azure AD • Resource based constrained: Recently being researched What about delegation Classification: Public

79. fox-it.com • Delegation is configured on the target object • The AZUREADSSOACC$ account is a computer account • No special protections • Anyone that can manage computer accounts in the container or OU this account is in can configure it • Likely many admins in larger orgs have this access Resource based constrained delegation Credits: @elad_shamir, @harmj0y and @gentilkiwi for their research on this topic Classification: Public

80. fox-it.com Demo Classification: Public

81. fox-it.com Getting a ticket for Vince Classification: Public

82. fox-it.com Log in on Azure Classification: Public

84. fox-it.com Insert ticket here Classification: Public

85. fox-it.com Logged in  Classification: Public

86. fox-it.com Anyone who can edit properties* of the AZUREADSSOACC$ account, can impersonate any user in Azure AD using Kerberos (if no MFA) TL;DR *and has control over at least one account with a Service Principal Name set Classification: Public

87. fox-it.com In BloodHound 2.1 Classification: Public

88. fox-it.com • Reported to MSRC January 2019 • Conclusion: Won’t fix for now, but looking into hardening measures for the future Disclosure timeline Classification: Public

89. fox-it.com Conclusions Classification: Public

90. fox-it.com • MFA all the things • Be careful with MFA exclusions on IP basis (guest network?) • Protect your Azure AD Sync servers like domain controllers • Audit your Service Principals, their access and their owners • Using SSO weakens security, protect the SSO account Conclusions Classification: Public

I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Directory

I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Directory

Recommended

More Related Content

What's hot

What's hot(20)

Similar to I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Directory

Similar to I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Directory(20)

Recently uploaded

Recently uploaded(20)

I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Directory