Externally federated domain endpoints are an exciting target for Red Team assessments. While often overlooked, externally federated domain services can provide multiple access points to an internal network, from the internet. This talk will cover enumeration of federated domains (ADFS and AzureAD), the enumeration of federated services (Office365, Skype for Business, etc.), and attacks that you can leverage against these endpoints to gain access to an internal network. Additional PowerShell tools will be included in the talk to help you automate these attacks.
2. Introductions
• Who am I?
‒Karl Fosaaen
• What do I do?
‒Wear lots of hats
‒Pen Testing
‒Password Cracking
‒Social Engineering
‒Blog
‒DEF CON Swag Goon
‒Pinball Repair
3. Slides Overview
• Intro
• Domain Enumeration
• Authentication Endpoint Enumeration
‒ Graph API
‒ ADFS
‒ Office 365
• Microsoft Online login
• Exchange
• Skype for Business
• Pivoting to the internal network
• Attack Mitigations
• Conclusions
4. Intro
• Standard ExPen Process
‒ Enumeration of domain info
• Services
• Username/Email recon
‒ Exploitation of issues
• Phishing
• Web Vulnerabilities
• Weak/Default logins
‒ Pivot to internal network
‒ Escalate internally
9. Domain Enumeration
Side Note:
• Office365 had an Authentication Bypass issue
‒ Insecure SAML assertions
‒ Affected all federated Office365 domains
‒ They called out this method in their blog post
Source:
http://www.economyofmechanism.com/office365-authbypass.html
15. Domain Enumeration
• Multiple domains at once
https://blog.netspi.com/using-powershell-identify-federated-domains/
https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
16. Domain Enumeration
• What’s the current exposure?
‒ 47,455 (4.7%) of the top 1 Million domains have “ms=ms*” DNS records
• Personal Experience
‒ Managed 50% / Federated 40% / Neither 10%
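The “ms=ms*” TXT record is the Microsoft Online domain-verification record, so its presence is a quick, passive way to measure your own organization’s exposure before anyone else does. The script below is an added example for this deck (it is not code from the talk or from NetSPI’s PowerShell repository); it assumes the Resolve-DnsName cmdlet from the Windows DnsClient module, and the domain names and TXT strings in it are constructed samples.

```powershell
# Added example (not from the talk or NetSPI's tools): check whether domains you own carry the
# "MS=ms..." TXT record that Microsoft Online uses for domain verification.
# Assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later).

function Select-MsOnlineVerificationRecord {
    [CmdletBinding()]
    param(
        # Raw TXT strings: pass DNS results, or constructed values for an offline test
        [string[]] $TxtRecords = @()
    )
    # Microsoft verification records look like "MS=ms12345678"; -match is case-insensitive
    $TxtRecords |
        Where-Object { $_ -and ($_ -match '^\s*MS=ms\d+\s*$') } |
        ForEach-Object { $_.Trim() }
}

function Test-MsOnlineDomainExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $Domain
    )
    process {
        try {
            # Each TXT answer carries its text in the Strings array (split into 255-byte chunks)
            $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'TXT' } |
                   ForEach-Object { $_.Strings -join '' }
        } catch {
            # NXDOMAIN or no TXT records: treat as "no record found" rather than failing the run
            $txt = @()
        }
        $hits = @(Select-MsOnlineVerificationRecord -TxtRecords @($txt | Where-Object { $_ }))
        [pscustomobject]@{
            Domain              = $Domain
            MsVerificationFound = ($hits.Count -gt 0)
            Records             = ($hits -join '; ')
        }
    }
}

# Offline check with constructed TXT strings (only the MS= record should come back)
$sampleTxt = @(
    'v=spf1 include:spf.protection.outlook.com -all',
    'MS=ms41209583',
    'google-site-verification=constructed-sample'
)
Select-MsOnlineVerificationRecord -TxtRecords $sampleTxt

# Live check against domains you are responsible for (names are placeholders)
'example.com', 'example.org' | Test-MsOnlineDomainExposure | Format-Table -AutoSize
```

A domain that returns MsVerificationFound = $true is registered with Microsoft Online and therefore has the login, Exchange and Skype endpoints discussed in the rest of the deck; that is the list of domains to prioritize for the MFA and lockout reviews in the mitigation slides.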
24. ADFS Overview
Active Directory Federation Services (AD FS)
“is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet.”
Source:
https://msdn.microsoft.com/en-us/library/bb897402.aspx
25. ADFS – Credential Brute Forcing
• Get-FederationEndpoint gives us the appropriate command to run for the domain
‒ Federated Domain
30. Setting Up Your Test Environment
• Install the Azure AD PowerShell Module
• https://msdn.microsoft.com/en-us/library/azure/jj151815(v=azure.98).aspx
31. Office365 - Credential Brute Forcing
• Get-FederationEndpoint gives us the appropriate command to run for the domain
‒ Microsoft Managed Domain
33. Office365 – User Enumeration
1. $msolcred = Get-Credential
2. Connect-MsolService -Credential $msolcred
3. Get-MsolUser -All | ft -AutoSize
• This also works for apps (Web/Thick) using AzureAD for account management
34. Office365 - Exchange
• If the domain uses Office365, you can most likely connect to Office365 Exchange with PowerShell
38. Skype For Business – Overview
• Formerly Lync, now Skype for Business
• Commonly Federated with other domains
‒ Great for credential guessing, user enumeration, and social engineering
39. Skype For Business – Tools
• Grab the PowerShell modules from NetSPI
• https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
40. Skype For Business – Credential Brute Forcing
‒ Get-SkypeLoginURL
• In progress
‒ Invoke-SkypeLogin
‒ Credit to @Nyxgeek for the auth endpoints
41. Skype For Business – Blind User Enumeration
• Using a federated Skype account, we can enumerate other federated Skype users
• Just open a chat with them
42. Skype For Business – Blind User Enumeration
• Or we can just chat with these CEOs
43. Skype For Business – Blind User Enumeration
• Blind User enumeration (email confirmation) requires the SDK
‒ Also requires a signed in federated user
• You can use guessed credentials (autodiscover)
• or pay Microsoft for a cheap federated account
• ~$6/month
44. Skype For Business – Tools
• Install Skype for Business and the Lync SDK
‒ Requires Visual Studio 2010 for the easiest install
https://www.microsoft.com/en-us/download/details.aspx?id=36824
45. Skype For Business – Blind User Enumeration
• Let’s just wrap it with PowerShell
Get-SkypeStatus -inputFile test_emails.txt | ft -AutoSize
47. Skype For Business – Blind User Enumeration
Demo
• Get-SkypeStatus -inputFile "C:\Temp\LiveAdmins.txt" | ft -AutoSize
• It helps if we run it a couple of times…
51. Pivoting to the Internal Network – Exchange
• Attacking Email Accounts
‒ If Autodiscover is enabled, adding an account can be done from anywhere
‒ Email is interesting, but I’d like a shell
‒ This cannot be done programmatically with PowerShell (*Easily)
‒ “Malicious Outlook Rules”
• Nick Landers – Silent Break Security
‒ “MAPI over HTTP and Mailrule Pwnage”
• Etienne - sensepost
52. Pivoting to the Internal Network – Skype
• Send messages from OWA or Skype for Business
‒ Autodiscover is also handy here
‒ People will trust their co-workers
• “Can you look over this word doc for me?”
53. Pivoting to the Internal Network – Skype
Demo
• Get-SkypeStatus -email karl.fosaaen@netspi.com
• Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello from Derbycon"
• for ($i = 0; $i -lt 10; $i++){Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello $i"}
56. Pivoting to the Internal Network – VPN
• Single Factor VPN Example
‒ Enumerated user emails on LinkedIn
‒ Guessed passwords against MSOnline with PowerShell
‒ Enumerated VPN interfaces
‒ Logged in with guessed credentials
‒ GPP -> Local admin on DA system
‒ DCSync
• “Store passwords using reversible encryption”
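The last step of that chain only yields cleartext passwords because “Store passwords using reversible encryption” was switched on somewhere, and it can be set per account or in a password policy. The audit script below is an added example (not from the talk) that lists every place the setting is enabled; it assumes the ActiveDirectory RSAT module on a domain-joined host, and the sample userAccountControl values used in the offline check are constructed.

```powershell
# Added example (not from the talk): find where "Store passwords using reversible encryption"
# is enabled, so a DCSync of the domain does not also hand over cleartext passwords.
# Assumes the ActiveDirectory RSAT module on a domain-joined host with read access to AD.

# userAccountControl bit 0x80 is ENCRYPTED_TEXT_PWD_ALLOWED (the per-account flag)
$ReversibleFlag = 0x80

function Test-ReversibleEncryptionFlag {
    param([Parameter(Mandatory)] [int] $UserAccountControl)
    # Pure bit test, usable offline on exported userAccountControl values
    return (($UserAccountControl -band $ReversibleFlag) -ne 0)
}

function Get-ReversibleEncryptionAccount {
    Import-Module ActiveDirectory -ErrorAction Stop
    # LDAP_MATCHING_RULE_BIT_AND lets the directory do the bit test server-side
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$ReversibleFlag)" `
               -Properties userAccountControl, PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet, DistinguishedName
}

function Get-ReversibleEncryptionPolicy {
    Import-Module ActiveDirectory -ErrorAction Stop
    # The domain default policy and every fine-grained policy carry the same switch
    $default = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Policy             = 'Default Domain Policy'
        ReversibleEnabled  = $default.ReversibleEncryptionEnabled
    }
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        [pscustomobject]@{
            Policy            = $_.Name
            ReversibleEnabled = $_.ReversibleEncryptionEnabled
        }
    }
}

# Offline check with constructed userAccountControl values:
# 512 = normal account, 640 = normal account + reversible encryption
Test-ReversibleEncryptionFlag -UserAccountControl 512   # False
Test-ReversibleEncryptionFlag -UserAccountControl 640   # True

# Live audit
Get-ReversibleEncryptionPolicy  | Format-Table -AutoSize
Get-ReversibleEncryptionAccount | Format-Table -AutoSize

# Remediation for a flagged account (real Set-ADUser parameter); the password is only
# stored reversibly on the next change, so force a reset after clearing the flag
# Set-ADUser -Identity <SamAccountName> -AllowReversiblePasswordEncryption $false
```

Clearing the flag does not remove the cleartext copy that already exists for that account; only a subsequent password change does, which is why the remediation pairs the flag change with a forced reset.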
57. Pivoting to the Internal Network – Other
• Other Routes
‒ Single Factor Services
• Management Protocols
• RDP
• SSH
• Terminal Services – Web Based
• Citrix
• VDI
• Etc.
58. Pivoting to the Internal Network – OneDrive
• Malicious OneDrive Documents
‒ Can’t use macros in the online version of excel
59. Pivoting to the Internal Network - SharePoint
• Malicious SharePoint Documents
‒ Same concept as OneDrive, just a different platform
‒ Backdoor a document
‒ Edit pages
64. Conclusions
• Lots of authentication endpoints on the Internet
• There’s always a $SEASON$YEAR password out there
• There are several ways to pivot internally with credentials
• MFA will help reduce your risk
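MFA removes most of the value of a guessed $SEASON$YEAR password, but the guessing itself is also easy to spot: one source address fails against many different accounts, only once or twice each, inside a short window, and is sometimes followed by a success for one of them. The detector below is an added example (not from the talk); its CSV log format and every address, name and timestamp in it are constructed, so map the columns onto whatever your MSOnline, ADFS or VPN logs actually export.

```powershell
# Added example (not from the talk): flag password-spray patterns in sign-in records.
# The CSV below is a constructed sample; real Azure AD / ADFS / VPN logs need their own
# field names mapped onto Timestamp, UserPrincipalName, SourceIp and Result.

$signIns = @'
Timestamp,UserPrincipalName,SourceIp,Result
2017-09-22T01:00:01Z,alice@example.com,203.0.113.10,Failure
2017-09-22T01:00:04Z,bob@example.com,203.0.113.10,Failure
2017-09-22T01:00:07Z,carol@example.com,203.0.113.10,Failure
2017-09-22T01:00:10Z,dave@example.com,203.0.113.10,Failure
2017-09-22T01:00:13Z,erin@example.com,203.0.113.10,Failure
2017-09-22T01:00:16Z,frank@example.com,203.0.113.10,Failure
2017-09-22T01:02:40Z,erin@example.com,203.0.113.10,Success
2017-09-22T01:05:00Z,alice@example.com,198.51.100.7,Failure
2017-09-22T01:05:20Z,alice@example.com,198.51.100.7,Failure
2017-09-22T01:05:40Z,alice@example.com,198.51.100.7,Failure
2017-09-22T01:06:00Z,alice@example.com,198.51.100.7,Success
'@ | ConvertFrom-Csv

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int]      $MinDistinctUsers   = 5,   # one source failing against many accounts...
        [int]      $MaxFailuresPerUser = 2,   # ...but only a few tries each (stays under lockout)
        [TimeSpan] $Window             = [TimeSpan]::FromMinutes(30)
    )
    foreach ($bySource in ($Events | Group-Object SourceIp)) {
        $failures = @($bySource.Group | Where-Object { $_.Result -eq 'Failure' })
        if ($failures.Count -eq 0) { continue }

        # @() guards: Group-Object returns a single object (not an array) for one group
        $perUser = @($failures | Group-Object UserPrincipalName)
        $maxPerUser = ($perUser | Measure-Object -Property Count -Maximum).Maximum

        # Spread of the failures; [datetimeoffset] keeps the trailing Z as UTC
        $times = $failures | ForEach-Object { ([datetimeoffset]$_.Timestamp).UtcDateTime } | Sort-Object
        $span  = $times[-1] - $times[0]

        if ($perUser.Count -ge $MinDistinctUsers -and $maxPerUser -le $MaxFailuresPerUser -and $span -le $Window) {
            # A success from the same source after the spray marks a likely compromised account
            $hits = @($bySource.Group |
                Where-Object { $_.Result -eq 'Success' -and ([datetimeoffset]$_.Timestamp).UtcDateTime -ge $times[0] } |
                Select-Object -ExpandProperty UserPrincipalName -Unique)
            [pscustomobject]@{
                SourceIp            = $bySource.Name
                DistinctUsersFailed = $perUser.Count
                SpanMinutes         = [math]::Round($span.TotalMinutes, 1)
                SucceededAfterSpray = ($hits -join ', ')
            }
        }
    }
}

# Only 203.0.113.10 is reported: six accounts, one failure each, erin succeeding afterwards.
# 198.51.100.7 hammers a single account and is a lockout/brute-force case, not a spray.
Find-PasswordSpray -Events $signIns | Format-Table -AutoSize
```

The thresholds are the point of the design: a spray deliberately stays below the per-account lockout counter, so per-account alerting never fires, and the detection has to pivot on the source address and the breadth of accounts touched instead. Accounts listed in SucceededAfterSpray are the ones to reset and review first.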
65. Next Steps
• Yet another framework for pen testing…
‒ Enumerate all of the potential AD authentication endpoints for a domain
• And again, AutoDiscover is handy here
‒ Include credential brute force methods for each interface type
‒ Easy mode, autopwn, etc.
• Give it a domain, user list, and go for it
‒ Try to keep it dependency free
• Easier to use
• More portable