Karl Fosaaen, profile picture
Uploaded byKarl Fosaaen
PPTX, PDF272 views

Automating Attacks Against Office365 - BsidesPDX 2016

The document discusses methods for automating attacks on Office 365, including techniques for domain enumeration, user enumeration, credential brute forcing, and internal network pivoting. It also highlights various PowerShell scripts and tools that facilitate these attacks and outlines mitigations such as enabling dual-factor authentication and limiting federation to trusted domains. The presentation emphasizes the importance of monitoring endpoints and enforcing strong password requirements to reduce vulnerabilities.

Embed presentation

Download to read offline
Automating Attacks Against Office365 Karl Fosaaen
Introductions • Who am I? ‒Karl Fosaaen • What do I do? ‒Wear lots of hats ‒Pen Testing ‒Password Cracking ‒Social Engineering ‒Blogging ‒DEF CON Swag Goon ‒Pinball Repair
Slides Overview • Office365 Overview • Attack Overview ‒ Managed Domain Enumeration ‒ User Enumeration and Confirmation ‒ Credential Brute Forcing ‒ User Information Gathering ‒ Pivoting to the Internal Network • Attack Mitigations • Questions
Office365 Overview
ADFS Overview Office365 Overview • Word/Excel/PPT • Skype for Business • Outlook • SharePoint • OneDrive
Managed Domain Enumeration
Managed Domain Enumeration • Office365 had an Authentication Bypass issue ‒ Insecure SAML assertions ‒ Affected all federated Office365 domains ‒ They called out this method in their blog post Source: http://www.economyofmechanism.com/office365- authbypass.html
Managed Domain Enumeration • Using Microsoft Online
Managed Domain Enumeration • Example user check request
Managed Domain Enumeration • Microsoft’s Responses ‒ Federated Domain ‒ Microsoft Managed Domain
Managed Domain Enumeration Diagram of (Federated) O365 federation
Managed Domain Enumeration Diagram of (Managed) O365 federation
Managed Domain Enumeration • Let’s wrap it in a PowerShell script ‒ Federated Domain ‒ Microsoft Managed Domain https://blog.netspi.com/using-powershell-identify-federated-domains/ https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
Managed Domain Enumeration • Multiple domains at once https://blog.netspi.com/using-powershell-identify-federated-domains/ https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
User Enumeration and Confirmation
User Enumeration • We have: ‒ Some Targets/Endpoints • We need: ‒ Some users to attack • Enumerate some users for the organization off of LinkedIn • Use one of the many recon frameworks
User Confirmation • Using a federated Skype account, we can find information about other federated Skype users • Just open a chat with them
User Confirmation • Or we can just chat with these CEOs
User Confirmation • Let’s just wrap it with PowerShell instead Get-SkypeStatus -inputFile test_emails.txt | ft –AutoSize PowerSkype: https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
User Confirmation
Credential Brute Forcing
Credential Brute Forcing • Get-FederationEndpoint gives us the appropriate command to run for the domain ‒ Microsoft Managed Domain
Credential Brute Forcing • Connect-msolservice – AzureAD PS Module
User Information Gathering
User Information Gathering • Not totally necessary, but it can be handy 1. $msolcred = get-credential 2. connect-msolservice -credential $msolcred 3. Get-MsolUser -All | ft –AutoSize • This also works for apps using AzureAD for account management
Enumeration of Other Domain Users • Using the Graph API
Enumeration of Other Domain Users • Using the Graph API $token = Get-GraphAPIToken -TenantName DOMAIN_GOES_HERE Get-GraphData -Token $token -Tenant DOMAIN_GOES_HERE -Resource users ‒ This works for federated and managed domains ‒ Also a work in progress • Github – https://github.com/NetSPI/PowerShell/blob/master/Get- GraphAPIToken.ps1
Enumeration of Other Domain Users • If the domain uses Office365, you can probably connect to its Exchange service with PowerShell
Enumeration of Other Domain Users • Use Exchange online Invoke-Command -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection -ScriptBlock {Get-Recipient -ResultSize unlimited} | Export-CSV c:tempemail_users.csv -NoTypeInformation
Pivoting to the Internal Network
Pivoting to the Internal Network • Send messages from Skype for Business ‒ Login with your guessed credentials • Or your own federated account ‒ People will trust their co-workers • “Can you look over this word doc for me?”
Skype Message Phishing Send-SkypeMessage -email test@example.com -message "What's your password?" Get-SkypeStatus -inputFile 'C:Emails.txt' | Select Email,Status | where Status -Match "Available" | select Email | Send-SkypeMessage … PowerSkype: https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
Pivoting to the Internal Network • Malicious OneDrive Documents ‒ Can’t use macros in the online version of excel
Pivoting to the Internal Network • Malicious SharePoint Documents ‒ Same concept as OneDrive, just a different platform ‒ Backdoor a document ‒ Edit pages
Pivoting to the Internal Network • Attacking Email Accounts ‒ If Autodiscover is enabled, adding an account can be done from anywhere ‒ Email is interesting, but I’d like a shell ‒ “Malicious Outlook Rules” • Nick Landers – Silent Break Security ‒ “MAPI over HTTP and Mailrule Pwnage” • Etienne - sensepost
Pivoting to the Internal Network • Single Factor VPN Example ‒ Enumerated user emails on LinkedIn ‒ Guessed passwords against MSOnline with PowerShell ‒ Enumerated VPN interfaces ‒ Logged in with guessed credentials ‒ GPP -> Local admin on DA system ‒ DCSync • “Store passwords using reversible encryption”
Pivoting to the Internal Network • Other Routes ‒ Single Factor Services • Management Protocols • RDP • SSH • Sharepoint • Terminal Services – Web Based • Citrix • VDI • Etc.
Attack Mitigations
Attack Mitigations • Enable Dual factor authentication for external endpoints* *On all channels
Attack Mitigations • Limit federation to trusted domains • Limit exposed services surface area • Monitor your Federated and Azure endpoints • Enforce strong password requirements
Questions Questions? Karl Fosaaen @kfosaaen https://blog.netspi.com https://github.com/netspi http://www.slideshare.net/kfosaaen

More Related Content

PPTX
Externally Testing Modern AD Domains - Arcticcon
byKarl Fosaaen
 
PPTX
Pwning the Enterprise With PowerShell
byBeau Bullock
 
PDF
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
byBeau Bullock
 
PPTX
Pentest Apocalypse - SANSFIRE 2016 Edition
byBeau Bullock
 
PPTX
Offensive Python for Pentesting
byMike Felch
 
PDF
Red Team Tactics for Cracking the GSuite Perimeter
byMike Felch
 
PPTX
Pentest Apocalypse
byBeau Bullock
 
PPTX
Debugging the Web with Fiddler
byIdo Flatow
 
Externally Testing Modern AD Domains - Arcticcon
byKarl Fosaaen
 
Pwning the Enterprise With PowerShell
byBeau Bullock
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
byBeau Bullock
 
Pentest Apocalypse - SANSFIRE 2016 Edition
byBeau Bullock
 
Offensive Python for Pentesting
byMike Felch
 
Red Team Tactics for Cracking the GSuite Perimeter
byMike Felch
 
Pentest Apocalypse
byBeau Bullock
 
Debugging the Web with Fiddler
byIdo Flatow
 

What's hot

PDF
Lares from LOW to PWNED
byChris Gates
 
PPTX
Secure360 - Extracting Password from Windows
byScott Sutherland
 
PDF
Fuzzing and You: Automating Whitebox Testing
byNetSPI
 
PDF
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
byScott Sutherland
 
PDF
Mind the gap - Troopers 2016
byCasey Smith
 
PPTX
Extracting Credentials From Windows
byNetSPI
 
PDF
Attack All the Layers - What's Working in Penetration Testing
byNetSPI
 
PDF
Coding 100-session-slides
byCisco DevNet
 
PPTX
A Google Event You Won't Forget
byBeau Bullock
 
PDF
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
byChris Gates
 
PPTX
It's just Skype for Business - THOTCON
byKarl Fosaaen
 
PPTX
Red Team Apocalypse
byBeau Bullock
 
PPTX
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
byRob Fuller
 
PPTX
Navigating the turbulence on takeoff: Setting up SharePoint on Azure IaaS the...
byJason Himmelstein
 
PPTX
Lateral Movement with PowerShell
bykieranjacobsen
 
PDF
EASE spectre meltdown_support
byJoe Slowik
 
PDF
All You Need is One - A ClickOnce Love Story - Secure360 2015
byNetSPI
 
PPTX
PowerShell for the Anxious ITPro
byJason Himmelstein
 
PPTX
How to Build Your Own Physical Pentesting Go-bag
byBeau Bullock
 
PPTX
Security Testing with Zap
bySoluto
 
Lares from LOW to PWNED
byChris Gates
 
Secure360 - Extracting Password from Windows
byScott Sutherland
 
Fuzzing and You: Automating Whitebox Testing
byNetSPI
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
byScott Sutherland
 
Mind the gap - Troopers 2016
byCasey Smith
 
Extracting Credentials From Windows
byNetSPI
 
Attack All the Layers - What's Working in Penetration Testing
byNetSPI
 
Coding 100-session-slides
byCisco DevNet
 
A Google Event You Won't Forget
byBeau Bullock
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
byChris Gates
 
It's just Skype for Business - THOTCON
byKarl Fosaaen
 
Red Team Apocalypse
byBeau Bullock
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
byRob Fuller
 
Navigating the turbulence on takeoff: Setting up SharePoint on Azure IaaS the...
byJason Himmelstein
 
Lateral Movement with PowerShell
bykieranjacobsen
 
EASE spectre meltdown_support
byJoe Slowik
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
byNetSPI
 
PowerShell for the Anxious ITPro
byJason Himmelstein
 
How to Build Your Own Physical Pentesting Go-bag
byBeau Bullock
 
Security Testing with Zap
bySoluto
 

Similar to Automating Attacks Against Office365 - BsidesPDX 2016

PPTX
Attacking ADFS Endpoints - DerbyCon
byKarl Fosaaen
 
PDF
SharePoint Saturday New York: PowerShell for Office 365
byVlad Catrinescu
 
PDF
SCUGBE_Lowlands_Unite_2017_Protecting cloud identities
byKenny Buntinx
 
PDF
Protecting Microsoft Teams from Cyber Security Threats - a Practical Guide
byBenedek Menesi
 
PDF
O365Engage17 - Mastering power shell with office 365
byNCCOMMS
 
PDF
Azure saturday 2017 - Protecting cloud identities using ems
byRonni Pedersen
 
PDF
Gartner Security & Risk Management Summit 2018
byPaula Januszkiewicz
 
PPTX
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
byBeau Bullock
 
PPTX
Implementing and Managing Office 365
byBen Stegink
 
PPTX
Microsoft365 from a Hacker's Perspective
byBenedek Menesi
 
PDF
Managing Exchange Online using PowerShell, Tips & Tricks
byMichel de Rooij
 
PDF
Collab365: PowerShell for Office 365
byVlad Catrinescu
 
PDF
Crack the SY0-701 in 2025: Latest Security+ Exam Guide for Success
bytristinmartin966
 
PDF
Pass the CompTIA Security+ SY0-701 Exam in 2025 with Confidence – Certifiedumps
by24servicehub
 
PDF
Get Ready to Pass the Cisco 300-701 SCOR Exam with Confidence in 2025
by24servicehub
 
PDF
2025 SY0‑701 Practice Questions: Free Demo & 90‑Day Free Updates
byrl7159133
 
PDF
Advanced Domain Hacking
byUTD Computer Security Group
 
PDF
Learn how to protect against and recover from data breaches in Office 365
byAntonioMaio2
 
PDF
Top Strategies to Ace SY0-701 Exam in 2025 – Expert Study Guide
byrl7159133
 
PDF
Socially Acceptable Methods to Walk in the Front Door
byMike Felch
 
Attacking ADFS Endpoints - DerbyCon
byKarl Fosaaen
 
SharePoint Saturday New York: PowerShell for Office 365
byVlad Catrinescu
 
SCUGBE_Lowlands_Unite_2017_Protecting cloud identities
byKenny Buntinx
 
Protecting Microsoft Teams from Cyber Security Threats - a Practical Guide
byBenedek Menesi
 
O365Engage17 - Mastering power shell with office 365
byNCCOMMS
 
Azure saturday 2017 - Protecting cloud identities using ems
byRonni Pedersen
 
Gartner Security & Risk Management Summit 2018
byPaula Januszkiewicz
 
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
byBeau Bullock
 
Implementing and Managing Office 365
byBen Stegink
 
Microsoft365 from a Hacker's Perspective
byBenedek Menesi
 
Managing Exchange Online using PowerShell, Tips & Tricks
byMichel de Rooij
 
Collab365: PowerShell for Office 365
byVlad Catrinescu
 
Crack the SY0-701 in 2025: Latest Security+ Exam Guide for Success
bytristinmartin966
 
Pass the CompTIA Security+ SY0-701 Exam in 2025 with Confidence – Certifiedumps
by24servicehub
 
Get Ready to Pass the Cisco 300-701 SCOR Exam with Confidence in 2025
by24servicehub
 
2025 SY0‑701 Practice Questions: Free Demo & 90‑Day Free Updates
byrl7159133
 
Advanced Domain Hacking
byUTD Computer Security Group
 
Learn how to protect against and recover from data breaches in Office 365
byAntonioMaio2
 
Top Strategies to Ace SY0-701 Exam in 2025 – Expert Study Guide
byrl7159133
 
Socially Acceptable Methods to Walk in the Front Door
byMike Felch
 

Recently uploaded

PPTX
Introduction to Multi-dimentional array.pptx
byOmar Fernandez
 
PPTX
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 
PPTX
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
bynaloskihristo
 
PDF
diznijevi junaci na paradi panini album.pdf
byStefanFilipovic9
 
PDF
WAN-IFRA World Press Trends 2025-26 key insights
byDamian Radcliffe
 
PPTX
Social media app presentation snapgram.pptx
byrayessafa21
 
PPTX
Analysis Intelligence in Cyber Protection.pptx
byOmar Fernandez
 
PDF
GTI Solution Overview.pdf useful for security solution
by33fastfast
 
Introduction to Multi-dimentional array.pptx
byOmar Fernandez
 
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
bynaloskihristo
 
diznijevi junaci na paradi panini album.pdf
byStefanFilipovic9
 
WAN-IFRA World Press Trends 2025-26 key insights
byDamian Radcliffe
 
Social media app presentation snapgram.pptx
byrayessafa21
 
Analysis Intelligence in Cyber Protection.pptx
byOmar Fernandez
 
GTI Solution Overview.pdf useful for security solution
by33fastfast
 

Automating Attacks Against Office365 - BsidesPDX 2016

  • 1.
    Automating Attacks AgainstOffice365 Karl Fosaaen
  • 2.
    Introductions • Who amI? ‒Karl Fosaaen • What do I do? ‒Wear lots of hats ‒Pen Testing ‒Password Cracking ‒Social Engineering ‒Blogging ‒DEF CON Swag Goon ‒Pinball Repair
  • 3.
    Slides Overview • Office365Overview • Attack Overview ‒ Managed Domain Enumeration ‒ User Enumeration and Confirmation ‒ Credential Brute Forcing ‒ User Information Gathering ‒ Pivoting to the Internal Network • Attack Mitigations • Questions
  • 4.
  • 5.
    ADFS Overview Office365 Overview •Word/Excel/PPT • Skype for Business • Outlook • SharePoint • OneDrive
  • 6.
  • 7.
    Managed Domain Enumeration •Office365 had an Authentication Bypass issue ‒ Insecure SAML assertions ‒ Affected all federated Office365 domains ‒ They called out this method in their blog post Source: http://www.economyofmechanism.com/office365- authbypass.html
  • 8.
    Managed Domain Enumeration •Using Microsoft Online
  • 9.
    Managed Domain Enumeration •Example user check request
  • 10.
    Managed Domain Enumeration •Microsoft’s Responses ‒ Federated Domain ‒ Microsoft Managed Domain
  • 11.
    Managed Domain Enumeration Diagramof (Federated) O365 federation
  • 12.
    Managed Domain Enumeration Diagramof (Managed) O365 federation
  • 13.
    Managed Domain Enumeration •Let’s wrap it in a PowerShell script ‒ Federated Domain ‒ Microsoft Managed Domain https://blog.netspi.com/using-powershell-identify-federated-domains/ https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
  • 14.
    Managed Domain Enumeration •Multiple domains at once https://blog.netspi.com/using-powershell-identify-federated-domains/ https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
  • 15.
  • 16.
    User Enumeration • Wehave: ‒ Some Targets/Endpoints • We need: ‒ Some users to attack • Enumerate some users for the organization off of LinkedIn • Use one of the many recon frameworks
  • 17.
    User Confirmation • Usinga federated Skype account, we can find information about other federated Skype users • Just open a chat with them
  • 18.
    User Confirmation • Orwe can just chat with these CEOs
  • 19.
    User Confirmation • Let’sjust wrap it with PowerShell instead Get-SkypeStatus -inputFile test_emails.txt | ft –AutoSize PowerSkype: https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
  • 20.
  • 21.
  • 22.
    Credential Brute Forcing •Get-FederationEndpoint gives us the appropriate command to run for the domain ‒ Microsoft Managed Domain
  • 23.
    Credential Brute Forcing •Connect-msolservice – AzureAD PS Module
  • 24.
  • 25.
    User Information Gathering •Not totally necessary, but it can be handy 1. $msolcred = get-credential 2. connect-msolservice -credential $msolcred 3. Get-MsolUser -All | ft –AutoSize • This also works for apps using AzureAD for account management
  • 26.
    Enumeration of OtherDomain Users • Using the Graph API
  • 27.
    Enumeration of OtherDomain Users • Using the Graph API $token = Get-GraphAPIToken -TenantName DOMAIN_GOES_HERE Get-GraphData -Token $token -Tenant DOMAIN_GOES_HERE -Resource users ‒ This works for federated and managed domains ‒ Also a work in progress • Github – https://github.com/NetSPI/PowerShell/blob/master/Get- GraphAPIToken.ps1
  • 28.
    Enumeration of OtherDomain Users • If the domain uses Office365, you can probably connect to its Exchange service with PowerShell
  • 29.
    Enumeration of OtherDomain Users • Use Exchange online Invoke-Command -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection -ScriptBlock {Get-Recipient -ResultSize unlimited} | Export-CSV c:tempemail_users.csv -NoTypeInformation
  • 30.
    Pivoting to theInternal Network
  • 31.
    Pivoting to theInternal Network • Send messages from Skype for Business ‒ Login with your guessed credentials • Or your own federated account ‒ People will trust their co-workers • “Can you look over this word doc for me?”
  • 32.
    Skype Message Phishing Send-SkypeMessage -emailtest@example.com -message "What's your password?" Get-SkypeStatus -inputFile 'C:Emails.txt' | Select Email,Status | where Status -Match "Available" | select Email | Send-SkypeMessage … PowerSkype: https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
  • 33.
    Pivoting to theInternal Network • Malicious OneDrive Documents ‒ Can’t use macros in the online version of excel
  • 34.
    Pivoting to theInternal Network • Malicious SharePoint Documents ‒ Same concept as OneDrive, just a different platform ‒ Backdoor a document ‒ Edit pages
  • 35.
    Pivoting to theInternal Network • Attacking Email Accounts ‒ If Autodiscover is enabled, adding an account can be done from anywhere ‒ Email is interesting, but I’d like a shell ‒ “Malicious Outlook Rules” • Nick Landers – Silent Break Security ‒ “MAPI over HTTP and Mailrule Pwnage” • Etienne - sensepost
  • 36.
    Pivoting to theInternal Network • Single Factor VPN Example ‒ Enumerated user emails on LinkedIn ‒ Guessed passwords against MSOnline with PowerShell ‒ Enumerated VPN interfaces ‒ Logged in with guessed credentials ‒ GPP -> Local admin on DA system ‒ DCSync • “Store passwords using reversible encryption”
  • 37.
    Pivoting to theInternal Network • Other Routes ‒ Single Factor Services • Management Protocols • RDP • SSH • Sharepoint • Terminal Services – Web Based • Citrix • VDI • Etc.
  • 38.
  • 39.
    Attack Mitigations • EnableDual factor authentication for external endpoints* *On all channels
  • 40.
    Attack Mitigations • Limitfederation to trusted domains • Limit exposed services surface area • Monitor your Federated and Azure endpoints • Enforce strong password requirements
  • 41.