Externally Testing Modern Active Directory Domains
Karl Fosaaen
Introductions
• Who am I?
‒Karl Fosaaen
• What do I do?
‒Wear lots of hats
‒Pen Testing
‒Password Cracking
‒Social Engineering
‒Blog
‒DEF CON Swag Goon
‒Pinball Repair
Slides Overview
• Intro
• Domain Enumeration
• Authentication Endpoint Enumeration
‒ Graph API
‒ ADFS
‒ Office 365
• Microsoft Online login
• Exchange
• Skype for Business
• Pivoting to the internal network
• Attack Mitigations
• Conclusions
Intro
• Standard ExPen Process
‒ Enumeration of domain info
• Services
• Username/Email recon
‒ Exploitation of issues
• Phishing
• Web Vulnerabilities
• Weak/Default logins
‒ Pivot to internal network
‒ Escalate internally
Domain Enumeration
Domain Federation Overview
Federation can mean many things
‒ Domain to Domain
‒ Domain to Microsoft
‒ Arbitrary meanings based off of forum posts
Managed Domain Overview
Diagram of (Managed) O365 federation
Federated Domain Overview
Diagram of (Federated) O365 federation
Domain Enumeration
Side Note:
• Office365 had an Authentication Bypass issue
‒ Insecure SAML assertions
‒ Affected all federated Office365 domains
‒ They called out this method in their blog post
Source:
http://www.economyofmechanism.com/office365-authbypass.html
Domain Enumeration
• Using Microsoft Online
Domain Enumeration
• Example user check request
Domain Enumeration
• Microsoft’s Responses
‒ Federated Domain
‒ Microsoft Managed Domain
Domain Enumeration
• Grab the PowerShell script from NetSPI
• https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
Domain Enumeration
‒ Federated Domain
‒ Microsoft Managed Domain
https://blog.netspi.com/using-powershell-identify-federated-domains/
https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
Domain Enumeration
• Multiple domains at once
https://blog.netspi.com/using-powershell-identify-federated-domains/
https://github.com/NetSPI/PowerShell/blob/master/Get-FederationEndpoint.ps1
Domain Enumeration
• What’s the current exposure?
‒ 47,455 (4.7%) of the top 1 Million have “ms=ms*” DNS records
• Personal Experience
‒ Managed 50% / Federated 40% / Neither 10%
Authentication Endpoint Enumeration
Graph API
Graph API Overview
• Using the Graph API
‒ This works for federated and managed domains
Graph API – Credential Brute Forcing
• Using the Graph API
$token = Get-GraphAPIToken -TenantName DOMAIN_GOES_HERE
Github – https://github.com/NetSPI/PowerShell/blob/master/Get-GraphAPIToken.ps1
*Requires Azure AD PowerShell Modules
Graph API – Credential Brute Forcing
• Using the Graph API
Graph API – User Enumeration
• Get-GraphData -Token $token -Tenant DOMAIN_GOES_HERE -Resource users
Github – https://github.com/NetSPI/PowerShell/blob/master/Get-GraphAPIToken.ps1
ADFS
ADFS Overview
Active Directory Federation Services (AD FS) “is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet.”
Source:
https://msdn.microsoft.com/en-us/library/bb897402.aspx
ADFS – Credential Brute Forcing
• Get-FederationEndpoint gives us the appropriate command to run for the domain
‒ Federated Domain
ADFS – Credential Brute Forcing
• Invoke-ADFSSecurityTokenRequest*
Invoke-ADFSSecurityTokenRequest `
    -ClientCredentialType UserName `
    -ADFSBaseUri https://adfs.example.com/ `
    -AppliesTo https://adfs.example.com/adfs/services/trust/13/usernamemixed `
    -UserName 'karl.fosaaen' `
    -Password 'Winter2016' `
    -Domain 'example.com' `
    -OutputType Token `
    -SAMLVersion 2 `
    -IgnoreCertificateErrors
https://blogs.msdn.microsoft.com/besidethepoint/2012/10/17/request-adfs-security-token-with-powershell/
ADFS – User Enumeration
• Go back a few slides to the GraphAPI information
Office365
Office365 Overview
• Office365
‒Azure AD
‒Exchange
‒Skype for Business
• Credential Brute Force
• User Enumeration
Setting Up Your Test Environment
• Install the Azure AD PowerShell Module
• https://msdn.microsoft.com/en-us/library/azure/jj151815(v=azure.98).aspx
Office365 - Credential Brute Forcing
• Get-FederationEndpoint gives us the appropriate command to run for the domain
‒ Microsoft Managed Domain
Office365 - Credential Brute Forcing
• Connect-msolservice – AzureAD PS Module
Office365 – User Enumeration
1. $msolcred = get-credential
2. connect-msolservice -credential $msolcred
3. Get-MsolUser -All | ft -AutoSize
• This also works for apps (Web/Thick) using AzureAD for account management
Office365 - Exchange
• If the domain uses Office365, you can most likely connect to Office365 Exchange with PowerShell
Exchange – Credential Brute Forcing
$PWord = ConvertTo-SecureString -String 'Summer2016' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "test@example.com", $PWord
Exchange – Credential Brute Forcing
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $credentials -Authentication Basic -AllowRedirection
Import-PSSession $Session
Exchange – User Enumeration
Invoke-Command `
    -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $Credentials `
    -Authentication Basic -AllowRedirection `
    -ScriptBlock {Get-Recipient -ResultSize unlimited} | Export-CSV c:\temp\email_users.csv -NoTypeInformation
Skype For Business – Overview
• Formerly Lync, now Skype for Business
• Commonly Federated with other domains
‒ Great for credential guessing, user enumeration, and social engineering
Skype For Business – Tools
• Grab the PowerShell modules from NetSPI
• https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
Skype For Business – Credential Brute Forcing
‒ Get-SkypeLoginURL
• In progress
‒ Invoke-SkypeLogin
‒ Credit to @Nyxgeek for the auth endpoints
Skype For Business – Blind User Enumeration
• Using a federated Skype account, we can enumerate other federated Skype users
• Just open a chat with them
Skype For Business – Blind User Enumeration
• Or we can just chat with these CEOs
Skype For Business – Blind User Enumeration
• Blind User enumeration (email confirmation) requires the SDK
‒ Also requires a signed in federated user
• You can use guessed credentials (autodiscover)
• or pay Microsoft for a cheap federated account
• ~$6/month
Skype For Business – Tools
• Install Skype for Business and the Lync SDK
‒ Requires Visual Studio 2010 for the easiest install
https://www.microsoft.com/en-us/download/details.aspx?id=36824
Skype For Business – Blind User Enumeration
• Let’s just wrap it with PowerShell
Get-SkypeStatus -inputFile test_emails.txt | ft -AutoSize
Skype For Business – Blind User Enumeration
Skype For Business – Blind User Enumeration
Demo
• Get-SkypeStatus -inputFile "C:\Temp\LiveAdmins.txt" | ft -AutoSize
• It helps if we run it a couple of times…
Skype For Business – Blind User Enumeration
Skype4Business – Authenticated User Enumeration
• Or if it’s autodiscover enabled, you can list the users from the Skype user’s contact list
Pivoting to the Internal
Network
Pivoting to the Internal Network – Exchange
• Attacking Email Accounts
‒ If Autodiscover is enabled, adding an account can be done from anywhere
‒ Email is interesting, but I’d like a shell
‒ This cannot be done programmatically with PowerShell (*Easily)
‒ “Malicious Outlook Rules”
• Nick Landers – Silent Break Security
‒ “MAPI over HTTP and Mailrule Pwnage”
• Etienne - sensepost
Pivoting to the Internal Network – Skype
• Send messages from OWA or Skype for Business
‒ Autodiscover is also handy here
‒ People will trust their co-workers
• “Can you look over this word doc for me?”
Pivoting to the Internal Network – Skype
Demo
• Get-SkypeStatus -email karl.fosaaen@netspi.com
• Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello from Derbycon"
• for ($i = 0; $i -lt 10; $i++){Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello $i"}
Pivoting to the Internal Network – Skype
Pivoting to the Internal Network – Skype
Pivoting to the Internal Network – VPN
• Single Factor VPN Example
‒ Enumerated user emails on LinkedIn
‒ Guessed passwords against MSOnline with PowerShell
‒ Enumerated VPN interfaces
‒ Logged in with guessed credentials
‒ GPP -> Local admin on DA system
‒ DCSync
• “Store passwords using reversible encryption”
Pivoting to the Internal Network – Other
• Other Routes
‒ Single Factor Services
• Management Protocols
• RDP
• SSH
• Terminal Services – Web Based
• Citrix
• VDI
• Etc.
Pivoting to the Internal Network – OneDrive
• Malicious OneDrive Documents
‒ Can’t use macros in the online version of excel
Pivoting to the Internal Network - SharePoint
• Malicious SharePoint Documents
‒ Same concept as OneDrive, just a different platform
‒ Backdoor a document
‒ Edit pages
Attack Mitigations
Attack Mitigations
• Enable Dual factor authentication for external endpoints*
*On all channels
Attack Mitigations
• Limit federation to trusted domains
• Limit exposed services surface area
• Monitor your Federated and Azure endpoints
• Enforce strong password requirements
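The "monitor your Federated and Azure endpoints" item above, as an added example that is not part of the original deck or of NetSPI's tools: a password-spray detector run over constructed sign-in records. It assumes the exposed endpoints the deck covers (Graph API, AD FS, Exchange Online PowerShell, Skype for Business) have had their sign-in results exported as CSV rows with the assumed columns timestamp, source_ip, username, result; the per-source distinct-account count is the signal, since a spray never trips per-account lockout.

```python
"""Password-spray detection over exported sign-in records.

Added example, not part of the original deck or of NetSPI's tools. It
assumes failed and successful sign-ins from the externally exposed
endpoints the deck covers (Graph API, AD FS, Exchange Online PowerShell,
Skype for Business) have been exported as CSV rows of the assumed form
timestamp,source_ip,username,result with result = Success | Failure.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows, not real telemetry. 203.0.113.10 tries a single
# password against many accounts and lands one hit; 198.51.100.7 is one user
# mistyping their own password, which must not be flagged.
SAMPLE_LOG = """\
timestamp,source_ip,username,result
2016-10-01T02:00:01Z,203.0.113.10,alice@example.com,Failure
2016-10-01T02:00:02Z,203.0.113.10,bob@example.com,Failure
2016-10-01T02:00:03Z,203.0.113.10,carol@example.com,Failure
2016-10-01T02:00:04Z,203.0.113.10,dave@example.com,Success
2016-10-01T02:00:05Z,203.0.113.10,erin@example.com,Failure
2016-10-01T02:00:06Z,203.0.113.10,frank@example.com,Failure
2016-10-01T08:15:00Z,198.51.100.7,grace@example.com,Failure
2016-10-01T08:15:20Z,198.51.100.7,grace@example.com,Failure
2016-10-01T08:15:45Z,198.51.100.7,grace@example.com,Success
"""


def parse_log(text):
    """Turn the CSV text into dicts with a real datetime; skip the header."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("timestamp,"):
            continue
        ts, ip, user, result = line.split(",")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user.lower(),
            "result": result,
        })
    return records


def detect_spray(records, window=timedelta(minutes=30), min_users=5):
    """Return one alert per source IP whose failures touch at least
    `min_users` distinct accounts within any span of length `window`.

    A spray is many accounts x one password, so per-account lockout
    counters never trip; the distinct-user count per source is the
    signal. Successes from the same source around the spray are listed
    so responders know which accounts to reset first.
    """
    by_ip = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, events in by_ip.items():
        failures = [e for e in events if e["result"] == "Failure"]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the span fits inside `window`.
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            span = failures[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) < min_users:
                continue
            first, last = span[0]["time"], span[-1]["time"]
            hits = sorted({e["user"] for e in events
                           if e["result"] == "Success"
                           and first <= e["time"] <= last + window})
            alerts.append({"ip": ip, "distinct_users": len(users),
                           "first": first, "last": last,
                           "compromised": hits})
            break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

Tune `min_users` and `window` to the tenant's size; a slow spray that spreads accounts over hours needs a longer window.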
Conclusions
Conclusions
• Lots of authentication endpoints on the Internet
• There’s always a $SEASON$YEAR password out there
• There are several ways to pivot internally with credentials
• MFA will help reduce your risk
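The $SEASON$YEAR point above and the "enforce strong password requirements" mitigation, as an added example that is not part of the original deck: a banned-pattern check a defender can put in front of password changes so that the deck's guesses ('Winter2016', 'Summer2016') and their dressed-up forms are refused. The names normalize(), is_banned(), SEASONS, MONTHS and COMMON are this example's own, and it is meant to sit beside a proper banned-password list, not replace it.

```python
"""Banned-pattern check for the $SEASON$YEAR password family.

Added example, not part of the original deck. Length and complexity
rules pass 'Winter2016' and 'Summer2016'; this check normalises a
candidate (case, symbol padding, leet substitutions) and rejects
season/month-plus-year and similar dressings. Names such as
normalize() and is_banned() are this example's own.
"""
import re

SEASONS = ("spring", "summer", "fall", "autumn", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
COMMON = ("password", "welcome", "letmein")

# Leet substitutions to undo before matching, so 'W1nt3r2016!' is judged
# as 'winter2016'. Applied to the alphabetic part only; the trailing digits
# are the year and are kept as written.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lower-case, strip symbol padding and separators, undo leet in the
    word part, and keep any trailing digits unchanged."""
    core = password.lower().strip("!@#$%^&*()_-+=.,?~")
    core = re.sub(r"[^a-z0-9@$!]", "", core)  # drop spaces, '-', '.', ...
    word, digits = re.fullmatch(r"(.*?)(\d*)", core).groups()
    return word.translate(LEET) + digits


def is_banned(password, extra_words=()):
    """True when the normalised password is a season, month, common word
    or one of `extra_words` (company or product names) followed by any
    run of digits, which covers 'Fall16', 'Summer2016!' and 'Password1'."""
    words = SEASONS + MONTHS + COMMON + tuple(w.lower() for w in extra_words)
    alternation = "|".join(re.escape(w) for w in words)
    return re.fullmatch(rf"(?:{alternation})\d*", normalize(password)) is not None


if __name__ == "__main__":
    for candidate in ("Winter2016", "W1nt3r2016!", "Contoso2016",
                      "correct horse battery staple"):
        verdict = "banned" if is_banned(candidate, ("Contoso",)) else "ok"
        print(candidate, "->", verdict)
```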
Next Steps
• Yet another framework for pen testing…
‒ Enumerate all of the potential AD authentication endpoints for a domain
• And again, AutoDiscover is handy here
‒ Include credential brute force methods for each interface type
‒ Easy mode, autopwn, etc.
• Give it a domain, user list, and go for it
‒ Try to keep it dependency free
• Easier to use
• More portable
Questions
Questions?
Karl Fosaaen
@kfosaaen
https://blog.netspi.com
https://github.com/netspi
http://www.slideshare.net/kfosaaen

Externally Testing Modern AD Domains - Arcticcon
