Az - PTA - Pass-through Authentication

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

From the docs: Azure Active Directory (Azure AD) Pass-through Authentication inaruhusu watumiaji wako kuingia kwenye programu za ndani na za wingu wakitumia nywila sawa. Kipengele hiki kinawapa watumiaji wako uzoefu bora - nywila moja kidogo ya kukumbuka, na hupunguza gharama za msaada wa IT kwa sababu watumiaji wako wana uwezekano mdogo wa kusahau jinsi ya kuingia. Wakati watumiaji wanaingia wakitumia Azure AD, kipengele hiki kinathibitisha nywila za watumiaji moja kwa moja dhidi ya Active Directory yako ya ndani.

Katika PTA identities zinahusishwa lakini nywila hazihusishwi kama katika PHS.

Uthibitishaji unathibitishwa katika AD ya ndani na mawasiliano na wingu yanafanywa na wakala wa uthibitishaji anayekimbia katika seva ya ndani (haipaswi kuwa kwenye DC ya ndani).

Authentication flow

Ili kuingia mtumiaji anapelekwa kwenye Azure AD, ambapo anatumia jina la mtumiaji na nywila
Taarifa za kuingia zinahifadhiwa kwa siri na kuwekwa kwenye foleni katika Azure AD
Wakala wa uthibitishaji wa ndani anakusanya taarifa za kuingia kutoka kwenye foleni na kuzifungua. Wakala huyu anaitwa "Pass-through authentication agent" au PTA agent.
Wakala anathibitisha taarifa dhidi ya AD ya ndani na anatumia jibu kurudi kwa Azure AD ambayo, ikiwa jibu ni chanya, inakamilisha kuingia kwa mtumiaji.

Ikiwa mshambuliaji anashawishi PTA anaweza kuona taarifa zote za kuingia kutoka kwenye foleni (katika maandishi wazi). Anaweza pia kuhakiki taarifa zozote za kuingia kwa AzureAD (shambulio linalofanana na Skeleton key).

On-Prem -> cloud

Ikiwa una ufikiaji wa admin kwa seva ya Azure AD Connect yenye wakala wa PTA akifanya kazi, unaweza kutumia moduli ya AADInternals ku ingiza nyuma ya mlango ambayo it ihakiki NYWILA ZOTE zilizowekwa (hivyo nywila zote zitakuwa halali kwa uthibitishaji):

Install-AADIntPTASpy

Ikiwa ufungaji unashindwa, hii inaweza kuwa kutokana na kukosekana kwa Microsoft Visual C++ 2015 Redistributables.

Pia inawezekana kuona nywila za wazi zinazotumwa kwa wakala wa PTA kwa kutumia cmdlet ifuatayo kwenye mashine ambapo nyuma ya mlango wa awali ilipowekwa:

Get-AADIntPTASpyLog -DecodePasswords

This backdoor will:

Create a hidden folder C:\PTASpy
Copy a PTASpy.dll to C:\PTASpy
Injects PTASpy.dll to AzureADConnectAuthenticationAgentService process

When the AzureADConnectAuthenticationAgent service is restarted, PTASpy is “unloaded” and must be re-installed.

Cloud -> On-Prem

After getting GA privileges on the cloud, it's possible to register a new PTA agent by setting it on an attacker controlled machine. Once the agent is setup, we can repeat the previous steps to authenticate using any password and also, get the passwords in clear-text.

Seamless SSO

It's possible to use Seamless SSO with PTA, which is vulnerable to other abuses. Check it in:

Az - Seamless SSO

References

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAz - PHS - Password Hash Sync NextAz - Seamless SSO

Last updated 1 month ago