{"id":1917,"date":"2020-12-17T10:12:12","date_gmt":"2020-12-17T09:12:12","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1917"},"modified":"2023-12-20T21:02:51","modified_gmt":"2023-12-20T20:02:51","slug":"azure","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1917","title":{"rendered":"Azure \/ Office365"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Main con\u00adcepts:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Ten\u00adant<ul><li>The \u201cspace\u201d which an orga\u00adni\u00adza\u00adtion \u201crents\u201d. Has a&nbsp;name.<\/li><\/ul><\/li><li>Users<\/li><li>Groups<\/li><li>Appli\u00adca\u00adtions<\/li><li>Iden\u00adti\u00adty&nbsp;model<ul><li>Cloud only<ul><li>Accounts are only in for\u00adeign sys\u00adtems (\u201ccloud\u201d)<\/li><\/ul><\/li><li>Syn\u00adchro\u00adnized<ul><li>Accounts are cre\u00adat\u00aded and man\u00adaged on-premise and syn\u00adchro\u00adnized to for\u00adeign sys\u00adtems (\u201ccloud\u201d)<\/li><\/ul><\/li><li>Fed\u00ader\u00adat\u00aded<ul><li>Accounts are cre\u00adat\u00aded, man\u00adaged and authen\u00adtifi\u00adcat\u00aded on-premise; for\u00adeign sys\u00adtems (\u201ccloud\u201d) are also check\u00ading againts a on-premise system.<\/li><\/ul><\/li><\/ul><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Tools<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Non-authenticated<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Deter\u00admine <span class=\"caps\">O365<\/span> users with <a href=\"https:\/\/github.com\/gremwell\/o365enum\">o365enum.py<\/a>.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Authenticated<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Deter\u00admine users and more with <a href=\"https:\/\/github.com\/nyxgeek\/o365recon\">O365Recon<\/a>.<\/li><li><a href=\"https:\/\/github.com\/dirkjanm\/ROADtools\">ROAD\u00adlib and ROAD\u00adrecon \u2014 ROAD\u00adtools<\/a> for Azure enu\u00admer\u00ada\u00adtion and exploitation.<\/li><li><a href=\"https:\/\/github.com\/hausec\/PowerZure\">Pow\u00aderZure<\/a> is a (post-) exploita\u00adtion framework<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Azure <span class=\"caps\">AD<\/span> Connect<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Azure <span class=\"caps\">AD<\/span> Con\u00adnect inte\u00adgrat\u00aded on-premise direc\u00adto\u00adries with for\u00adeign servers (\u201ccloud\u201d).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Authentication methods<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><strong><span class=\"caps\">PHS<\/span> Pass\u00adword Hash Syn\u00adchro\u00adniza\u00adtion<\/strong>: Pass\u00adword hash\u00ades from the on-premise sys\u00adtem are syn\u00adchro\u00adnized to the for\u00adeign sys\u00adtem (\u201ccloud\u201d).<\/li><li><strong><span class=\"caps\">PTA<\/span> Pass-through Authen\u00adti\u00adca\u00adtion<\/strong>:  Pass\u00adword hash\u00ades are only on the on-premise system.<ol><li>User tries to access service<\/li><li>Ser\u00advice redi\u00adrects User to Azure&nbsp;<span class=\"caps\">AD<\/span><\/li><li>User enters cre\u00adden\u00adtials in Azure&nbsp;<span class=\"caps\">AD<\/span><\/li><li>Azure <span class=\"caps\">AD<\/span> asks on-premise <span class=\"caps\">PTA<\/span> agents.<\/li><li><span class=\"caps\">PTA<\/span> agents asks on-premise <span class=\"caps\">AD<\/span>&nbsp;host.<\/li><li>If on-premise <span class=\"caps\">AD<\/span> hosts says \u201cok\u201d, then Azure <span class=\"caps\">AD<\/span> redi\u00adrects the user to the orig\u00adi\u00adnal service.<\/li><\/ol><\/li><li><strong><span class=\"caps\">ADFS<\/span> Fed\u00ader\u00ada\u00adtion Inte\u00adgra\u00adtion<\/strong>: Pass\u00adword hash\u00ades are man\u00adaged on-premise.<ul><li>Like Ker\u00adberos<\/li><li>Mul\u00adti\u00adple sys\u00adtems are con\u00adnect\u00aded (\u201cfed\u00ader\u00adat\u00aded\u201d) to trust each&nbsp;other.<\/li><li>Users can get authen\u00adti\u00adca\u00adtion from on-premise servers, ser\u00advices trust these <em>claims<\/em> and only per\u00adform authorization.<\/li><\/ul><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><span class=\"caps\">SSO<\/span> Seam\u00adless Sin\u00adgle Sign-On<\/strong> is an addi\u00adtion\u00adal method, which can be com\u00adbined with <span class=\"caps\">PHS<\/span> or <span class=\"caps\">PTA<\/span> for an addi\u00adtion\u00adal (Ker\u00adberos-style) authen\u00adti\u00adca\u00adtion from an on-premise source. In this case, Azure <span class=\"caps\">AD<\/span> returns a Chal\u00adlenge for a Ker\u00adberos tick\u00adet, which the client needs to get from a local <span class=\"caps\">AD<\/span> and sends the response back so that Azure <span class=\"caps\">AD<\/span> grants access to the ini\u00adtial service.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Attacking <span class=\"caps\">PHS<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">With the Pow\u00ader\u00adShell <span class=\"caps\">AD<\/span> Mod\u00adule, get details about accounts:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-ADUser -filter 'name -like \"Msol*\"' -Properties Description<\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Hook auth APIs http:\/\/easyhook.github.io\/<\/li><li>Inject this https:\/\/github.com\/fdiskyou\/injectAllTheThings<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This can&nbsp;add<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>a skele\u00adton&nbsp;Key<\/li><li>and log all users and pass\u00adwords it&nbsp;see.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>The role <em>Glob\u00adal Admin\u00adis\u00adtra\u00adtor<\/em> is the equiv\u00ada\u00adlent to the domain admin.<\/li><li>Check if an orga\u00adni\u00adza\u00adtion uses&nbsp;Azure:<ul><li>For each ten\u00adant, a domain is cre\u00adat\u00aded: $tenant.onmicrosoft.com.<ul><li>By check\u00ading the <span class=\"caps\">DNS<\/span>, an attack\u00ader can guess if an orga\u00adni\u00adza\u00adtion has an account there.<\/li><\/ul><\/li><li>Check\u00ading the fol\u00adlow\u00ading url with a garbage mail\u00adbox name and a domain from the tar\u00adget organization:<\/li><li>https:\/\/login.microsoftonline.com\/getuserrealm.srf?login=blabla@$<span class=\"caps\">DOMAINNAME<\/span><span class=\"amp\">&amp;<\/span>xml=1<\/li><\/ul><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Main con\u00adcepts: Ten\u00adant The \u201cspace\u201d which an orga\u00adni\u00adza\u00adtion \u201crents\u201d. Has a&nbsp;name. Users Groups Appli\u00adca\u00adtions Iden\u00adti\u00adty&nbsp;mod\u00adel&nbsp; Cloud only Accounts are only in for\u00adeign sys\u00adtems (\u201ccloud\u201d) Syn\u00adchro\u00adnized Accounts are cre\u00adat\u00aded and man\u00adaged on-premise and syn\u00adchro\u00adnized to for\u00adeign sys\u00adtems (\u201ccloud\u201d) Fed\u00ader\u00adat\u00aded Accounts are cre\u00adat\u00aded, man\u00adaged and authen\u00adtifi\u00adcat\u00aded on-premise; for\u00adeign sys\u00adtems (\u201ccloud\u201d) are also check\u00ading againts a on-premise system.&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[477],"tags":[303,304],"class_list":["post-1917","post","type-post","status-publish","format-standard","hentry","category-software","tag-azure","tag-cloud"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1917","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1917"}],"version-history":[{"count":10,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1917\/revisions"}],"predecessor-version":[{"id":1943,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1917\/revisions\/1943"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1917"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1917"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1917"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}