akde/infosec

Information security is ultimately about managing risk


Main concepts:

  • Tenant
    • The “space” which an organization “rents”. Has a name.
  • Users
  • Groups
  • Applications
  • Identity model
    • Cloud only
      • Accounts exist only in foreign systems (“cloud”).
    • Synchronized
      • Accounts are created and managed on-premise and synchronized to foreign systems (“cloud”).
    • Federated
      • Accounts are created, managed and authenticated on-premise; foreign systems (“cloud”) also check against an on-premise system.

Azure AD Connect

Azure AD Connect integrates on-premise directories with foreign servers (“cloud”).

Authentication methods

  • PHS Password Hash Synchronization: Password hashes from the on-premise system are synchronized to the foreign system (“cloud”).
  • PTA Pass-through Authentication: Password hashes exist only on the on-premise system.
    1. User tries to access a service.
    2. Service redirects the user to Azure AD.
    3. User enters credentials in Azure AD.
    4. Azure AD asks the on-premise PTA agents.
    5. PTA agents ask the on-premise AD host.
    6. If the on-premise AD host says “ok”, Azure AD redirects the user to the original service.
  • ADFS Federation Integration: Password hashes are managed on-premise.
    • Like Kerberos
    • Multiple systems are connected (“federated”) to trust each other.
    • Users obtain authentication from on-premise servers; services trust these claims and only perform authorization.

SSO Seamless Single Sign-On is an additional method, which can be combined with PHS or PTA for an additional (Kerberos-style) authentication from an on-premise source. In this case, Azure AD returns a challenge for a Kerberos ticket, which the client needs to obtain from a local AD; the client sends the response back so that Azure AD grants access to the initial service.

Attacking PHS

With the PowerShell AD Module, get details about accounts:

Get-ADUser -filter 'name -like "Msol*"' -Properties Description
  • Hook auth APIs http://easyhook.github.io/
  • Inject this https://github.com/fdiskyou/injectAllTheThings

This can add

  1. a skeleton key
  2. and log all users and passwords it sees.

Notes

  • The role Global Administrator is the equivalent of the domain admin.
  • Check if an organization uses Azure:
    • For each tenant, a domain is created: $tenant.onmicrosoft.com.
      • By checking the DNS, an attacker can guess whether an organization has an account there.
    • Checking the following URL with a garbage mailbox name and a domain from the target organization:
    • https://login.microsoftonline.com/getuserrealm.srf?login=blabla@$DOMAINNAME&xml=1
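As an added example (not part of these notes), a small Python parser for the XML the getuserrealm endpoint above returns, mapping a domain's advertised NameSpaceType onto the identity models listed at the top, which is a quick way to confirm what one's own verified domain exposes. The three responses are constructed to match the endpoint's format, not captured; the element names (NameSpaceType, DomainName, AuthURL) are assumed from that format.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses in the shape of
# https://login.microsoftonline.com/getuserrealm.srf?login=...&xml=1
# (not captured from a real tenant).
SAMPLE_MANAGED = """<RealmInfo Success="true">
  <State>3</State><UserState>2</UserState>
  <Login>blabla@example.test</Login>
  <NameSpaceType>Managed</NameSpaceType>
  <DomainName>example.test</DomainName>
  <FederationBrandName>Example Org</FederationBrandName>
  <CloudInstanceName>microsoftonline.com</CloudInstanceName>
</RealmInfo>"""

SAMPLE_FEDERATED = """<RealmInfo Success="true">
  <State>3</State><UserState>2</UserState>
  <Login>blabla@example.test</Login>
  <NameSpaceType>Federated</NameSpaceType>
  <DomainName>example.test</DomainName>
  <FederationBrandName>Example Org</FederationBrandName>
  <AuthURL>https://adfs.example.test/adfs/ls/</AuthURL>
</RealmInfo>"""

SAMPLE_UNKNOWN = """<RealmInfo Success="true">
  <State>4</State><UserState>1</UserState>
  <Login>blabla@nobody.test</Login>
  <NameSpaceType>Unknown</NameSpaceType>
</RealmInfo>"""


def classify_realm(xml_text: str) -> dict:
    """Map a getuserrealm XML response onto the identity models above.

    'Managed'   -> cloud-only or synchronized (PHS/PTA); the endpoint
                   does not distinguish the two.
    'Federated' -> federated (ADFS or similar); AuthURL names the IdP.
    anything else -> the domain is not known to Azure AD at all.
    """
    root = ET.fromstring(xml_text)
    ns_type = root.findtext("NameSpaceType", default="Unknown")
    model = {
        "Managed": "cloud-only or synchronized",
        "Federated": "federated",
    }.get(ns_type, "not an Azure AD domain")
    return {
        "domain": root.findtext("DomainName"),            # None if absent
        "namespace_type": ns_type,
        "identity_model": model,
        "federation_endpoint": root.findtext("AuthURL"),  # None unless federated
    }
```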


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
