Az - Device Registration


Basic Information

When a device joins AzureAD, a new object is created in AzureAD.

When registering a device, the user is asked to log in with their account (prompting for MFA if required); the flow then requests a token for the device registration service and finally asks for a last confirmation.

Then, two RSA key pairs are generated on the device: the device key (public key), which is sent to AzureAD, and the transport key (private key), which is stored in the TPM if possible.

Then, an object is created in AzureAD (not in Intune) and AzureAD returns to the device a certificate signed by it. You can verify that the device is AzureAD joined and get information about the certificate (such as whether it is protected by the TPM) with:

dsregcmd /status
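As an added example (not from the original page or from any tool it mentions), the following Python parses the `Key : Value` lines of `dsregcmd /status` output and flags a device whose key is not TPM-bound, which is the condition under which the key material is extractable from the OS layer. The sample output is constructed with placeholder values, and `device_key_findings` is a hypothetical helper.

```python
import re

# Constructed sample of `dsregcmd /status` output (placeholder values, not a real capture).
# The field names are the ones the tool prints; spacing is approximate.
SAMPLE_STATUS = """\
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                Thumbprint : 0000000000000000000000000000000000000000
            KeyContainerId : 11111111-1111-1111-1111-111111111111
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO
                AzureAdPrt : YES
"""

def parse_dsregcmd(text: str) -> dict:
    """Collect every 'Key : Value' line into a dict; banner and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def device_key_findings(fields: dict) -> list:
    """Hypothetical posture check: report join state, whether the device key lives in the
    TPM, and whether a PRT is present on a host whose key is only software-backed."""
    findings = []
    if fields.get("AzureAdJoined") != "YES":
        findings.append("device is not Azure AD joined")
    tpm_bound = fields.get("TpmProtected") == "YES"
    if not tpm_bound:
        findings.append("device key is NOT TPM protected (KeyProvider: %s); "
                        "private material is extractable from the OS layer"
                        % fields.get("KeyProvider", "unknown"))
    if fields.get("AzureAdPrt") == "YES" and not tpm_bound:
        findings.append("PRT present on a host whose device key is software-backed")
    return findings

if __name__ == "__main__":
    for finding in device_key_findings(parse_dsregcmd(SAMPLE_STATUS)):
        print("FINDING:", finding)
```

On a real host, feed the function the captured output of `dsregcmd /status` instead of the constructed sample; a key held by the `Microsoft Platform Crypto Provider` with `TpmProtected : YES` produces no findings.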

After device registration, a Primary Refresh Token is issued by the LSASS CloudAP module and delivered to the device. Along with the PRT, an encrypted session key is also issued so that only the device can decrypt it (using the public key of the transport key); this session key is required to use the PRT.

For more information about what a PRT is, check:

Az - Primary Refresh Token (PRT)

TPM - Trusted Platform Module

The TPM protects against key extraction from a powered down device (if protected by PIN) and against extracting the private material from the OS layer.
But it doesn't protect against sniffing the physical connection between the TPM and CPU, or against using the cryptographic material in the TPM while the system is running from a process with SYSTEM rights.

If you check the following page you will see that a stolen PRT can be used to access resources as the user, which matters because the PRT is stored on devices, so it can be stolen from them (or, if not stolen, abused to generate new signing keys):

Az - Primary Refresh Token (PRT)

Registering a device with SSO tokens

It was possible for an attacker to request a token for the Microsoft device registration service from a compromised device and register it:

# Initialize SSO flow
roadrecon auth prt-init
.\ROADtoken.exe <nonce>

# Request token with PRT with PRT cookie
roadrecon auth -r 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 --prt-cookie <cookie>

# Custom python script to register a device (check roadtx)
registerdevice.py

This gives you a certificate you can use to request PRTs in the future, thereby maintaining persistence and bypassing MFA, because the original PRT used to register the new device already had MFA granted.

Tip

Note that to perform this attack you will need permissions to register new devices. Also, registering a device doesn’t mean the device will be allowed to enrol into Intune.

Caution

This attack was fixed in September 2021, as you can no longer register new devices using SSO tokens. However, it's still possible to register devices in a legitimate way (having username, password and MFA if needed). Check: roadtx.

Overwriting a device ticket

It was possible to request a device ticket, overwrite the device's current one, and in the process steal the PRT (so there was no need to steal it from the TPM). For more info check this talk.

Caution

However, this was fixed.

Overwrite WHFB key

Check the original slides here

Attack summary:

  • It's possible to overwrite the WHFB key registered from a device via SSO
  • It breaks TPM protection, since the key is sniffed during the generation of the new key
  • This also provides persistence

Users can modify their own searchableDeviceKey property via the Azure AD Graph; however, the attacker needs to have a device in the tenant (registered on the fly, or by having stolen the cert + key from a legitimate device) and a valid access token for AAD Graph.

Then, it’s possible to generate a new key with:

roadtx genhellokey -d <device id> -k tempkey.key

and then PATCH the searchableDeviceKey information:

It's possible to obtain an access token from a user via device code phishing and abuse the previous steps to steal their access. For more information check:

Az - Primary Refresh Token (PRT)
