Some big personal news: last year I decided to start my own company. Today I'm making it official and announcing Outsider Security (@OutsiderSec). My focus will be on Azure AD and Active Directory security, converting my research experience into in-depth tests and advice.
Fox-IT just open sourced their enterprise forensics tooling dissect. This is a big project that some of the smartest people I know have worked on. It supports many filesystems and file formats, all as Python libraries. Docs: / code:
So yes, Zerologon (CVE-2020-1472) is quite easy to exploit. Unauthenticated user to Domain Admin. This is really scary. Run exploit, DCSync with DC account and empty NT hash: you have Domain Admin and a broken DC.
Awesome find by Tom Tervoort 🙂. Patch patch patch!
It has a few more prerequisites, but I finally managed to get a #Zerologon exploit working that doesn't rely on resetting passwords to exploit. Use the printerbug to make DC1 connect to you, then with lots of magic relay that to DC2 directly to DRSUAPI to DCSync 😁
New blog: A different way of abusing Zerologon. No more password reset needed: using the printer bug with Zerologon to relay to DRSUAPI and DCSync directly with ntlmrelayx:
Code:
New blog: Relaying Kerberos over DNS using krbrelayx and mitm6.
New method of gaining RCE on AD hosts in the same VLAN without credentials or needing NTLM, by abusing Kerberos, DNS and Active Directory Certificate Services.
Blog:
I've added the material from my Black Hat US talk yesterday to my blog. If you are interested in Azure AD security, love account hijacks, MFA bypass, persistence techniques and privescs, give it a read:
New blog! Abusing Exchange: One API call away from Domain Admin. From any user with a mailbox to Domain Admin. Probably affects the majority of orgs using AD and Exchange.
Just published: "Getting in the Zone: dumping Active Directory DNS using adidnsdump". Recon tool to dump DNS records in AD as any authenticated user, similar to a zone transfer.
Tool:
Blog:
Since everyone loves dumping credentials, I've put together a tool for remotely dumping Azure AD Connect credentials for my #TR19 talk. Uses only SMB and RPC calls, no code exec on the target host 😁
What a time to be alive... Install the Microsoft signed Hybrid Connection Manager on victim host, link it up with your Azure app, enjoy persistent access to the on-prem network from your Azure portal. Only needs https outbound to Azure and line of sight from victim to target host
[Blog] Office 365 was vulnerable to network attacks due to a vulnerability in Microsoft Teams. Here's a demo of an attacker obtaining access to all emails and OneDrive/SharePoint files if the victim joins an attacker controlled network. Details:
Short blog and POC code for CVE-2019-1040 (patched last Tuesday). Combining this vulnerability with the SpoolService bug and Kerberos delegation means: any AD user to Domain Admin; RCE on unpatched hosts; possible over Forest trusts. TL;DR: GO PATCH!
New blog: Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust
I teased this a bit during my Windows Hello talks, now found some time to write about this interesting technique. Also contains defenses and detection opportunities.
I wrote a small scanner utility to check if systems are vulnerable to CVE-2019-1040, the NTLM Mic vulnerability that allows for Active Directory takeover. Published here:
Tool release: adconnectdump. Three approaches to dumping #Azure AD Connect credentials, from executing code on the host to fully over the network. For technical background, see the slides of my #TR19 talk 😃
It's been long overdue, but my part 2 blog on Active Directory forest trusts is finally here! This blog is about trust transitivity and on the finding on CVE-2020-0665 which was a trust bypass by faking a domain. Enjoy the (long) read:
It's been quiet for a while around bloodhound Python, however I'm happy to share that I am now maintaining the project at my personal GitHub. The latest version fixes many bugs/issues, also thanks to the many PRs that were submitted (thanks all!).
New blog: Phishing for Primary Refresh Tokens and Windows Hello keys. This blog describes how we can use device code phishing to obtain PRTs and in some cases even add backdoor Windows Hello keys 🤯
New blog: "Abusing forgotten permissions on computer objects in Active Directory".
The post is a dive into permissions that are set when you pre-create computer accounts the wrong way, why BloodHound missed those and how to abuse, fix, or monitor for this.
New cool blog by my @FoxIT colleague Rindert: Command and control over LDAP attributes. Running Cobalt strike over LDAP as a control channel to bypass network restrictions.
Blog:
Tool:
Still think machine accounts are useless when relaying? Not when you relay an Exchange server account and get instant Domain Admin :D mitm6 + ntlmrelayx = relay exchange server account -> modify domain ACL -> DCSync with #mimikatz or #impacket
New blog up! "Abusing Azure AD SSO with the Primary Refresh Token", digging into Hybrid environments, SSO, Conditional Access policies and other Azure AD fun. New update for ROADtools, introducing ROADtoken which uses SSO to get persistent Azure AD tokens
New blog: Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes.
Some tips and tricks on abusing TAPs for Windows Hello persistence and NT hash recovery over Cloud Kerberos Trust.
BloodHound 4.1 was just released and I'm happy to share that the BloodHound python ingestor is ready for the new format and edges it introduces! Via GitHub only for now, please test and let me know if there are errors 🙂
Just found an interesting lateral movement/post-ex technique in Azure AD to move between identities. It's stealthy, non-destructive, bypasses MFA, and can be used to move from cloud to on-prem in several hybrid scenarios. Now moving on to figure out all scenarios and impact 😅
secretsdump(.py) slow processing your NTDS.dit? Soon not anymore! With @Schamperr's esedb parser implementation processing time of a 5GB dit file went from 45 minutes down to 1.5 minutes 😲! Code will be released as open source when fully ready 🙂
Content of my #RomHack2021 talk "Breaking Azure AD joined endpoints in Zero Trust environments" is up!
Video:
Slides (pdf):
As usual all the links to my talk materials are also on
Thanks to @elad_shamir's research, network access once again means RCE against Windows hosts in that (V)LAN. Combining mitm6, ntlmrelayx and RBCD to abuse AD defaults. New blog: The worst of both worlds, Combining NTLM relaying and Kerberos Delegation:
[New blog] Updating adconnectdump - a journey into DPAPI; In which I describe the process of understanding and decrypting the DPAPI encrypted credentials of Azure AD connect. This again enables dumping these credentials via only network calls (as admin).
Took me a few days, still don't know exactly how/why it works, but I now have a new-ish on-prem to cloud technique via a Seamless SSO (Kerberos) backdoor key. Some features:
- No GA needed to add key
- Invisible backdoor (no logs in AAD) 🫣
- 1st factor auth to any synced user
2 new releases today exploiting default settings in AD! First: Invoke-ACLPwn, a PowerShell script to exploit ACL paths detected by #BloodHound. Second is the ACL attack for ntlmrelayx: relaying machine accounts for DA!
Code:
Blog:
This patch Tuesday brings patches for some memory corruptions I found in AD integrated DNS which could lead to RCE from Authenticated Users to SYSTEM on a Domain Controller... CVEs assigned are CVE-2020-0644, CVE-2020-761 and CVE-2020-0718.
Just uploaded the first version of , an impacket based BloodHound ingestor in Python. is still in beta and not complete, so testing and feedback is welcome!
Thanks to everyone who attended the live stream! My Azure AD framework ROADtools is now available. Includes the ROADrecon exploration tool.
Blog + stream recording:
Code:
New blog and tool: Introducing ROADtools Token eXchange (roadtx) - Automating Azure AD authentication, Primary Refresh Token (ab)use and device registration.
Blog:
Code:
Some features in screenshot attached.
Thanks all for attending my #DEFCON talk! Humbling to see such a full room even on Sunday. Slides and demo videos are online at the media server.
Slides:
Demo vids:
I am officially announcing my first training offering "Offensive Azure AD and Hybrid AD security". It is an in-depth, hands-on training that teaches the core concepts, protocols and attack techniques of Azure AD and hybrid environments. Check:
Did you know an Azure AD user can read the bitlocker key for any devices they own? (Provided the bitlocker key is backed up to Azure AD). The latest version of roadrecon shows bitlocker keys in the GUI. You can also see them for all devices in several roles (including read roles)
It's been a while since I posted about BloodHound .py, but lots of things have been added! Now at v0.7.0, with support for ACL collection, loggedon, DCOM/RDP and object properties. Also works with Python 3 now! Check it out on the @foxit GitHub
Just got the news that my talk about Azure security has been accepted for #DEFCON 😁😁😁 super happy right now and very excited to share my latest research! 😀
Today's patch Tuesday fixes CVE-2020-0665, which is an Active Directory forest trust security bypass using Kerberos magic 🙃 if you use forests as a security boundary you may want to patch this. Advisory (though text is inaccurate):
Seems Microsoft is finally taking a stance against NTLM relaying to LDAP, by enforcing LDAP signing and channel binding by default starting January 2020. This is a big and important change to improve AD security, especially from a network point of view!
The recording of my #Azure AD talk at #TR19 is now online! If you want to learn about Azure AD account takeover, AD Sync password extraction, privilege escalations and SSO weaknesses, you can watch the full talk on YT:
Another blog on the Primary Refresh Token! Thx @gentilkiwi for figuring this out with me! Tl;Dr: PRT can be extracted from lsass with #mimikatz 🥝. If with TPM, session key is protected. Still possible to extract derived keys and sign your own PRT cookies.
Been a long day but thanks to @gentilkiwi's awesome new mimikatz CloudAP support we managed to put together tooling that can sign arbitrary PRT cookies! Secrets from lsass + DPAPI + crypto magic + horrible C code = working POC of session key extraction.
Slides and video of my #bluehatseattle talk "A year of hacking Azure AD" are online! Contains my exploration of the unofficial "1.61-internal" version of the Azure AD graph and the resulting vulnerabilities 😃
Slides:
Video:
New blog up: Syncing yourself to Global Administrator in Azure AD; describing a vulnerability I discovered last year in Azure AD Connect that allowed for #Azure AD/Office 365 (admin) account takeover.
Since @_wald0 and @CptJesus just released #BloodHound 3.0 I've merged the v3 branch of the BloodHound python ingestor and pushed the new version to pypi. New version works with v3 syntax and contains many fixes and new features! See
Very excited to start a personal blog! Kicking off today with the first part of my research into Active Directory Forest trusts: How does SID filtering work? Including techniques to pwn incorrectly configured Forest trusts ;)
Microsoft released patches for #PrivExchange today!
1) Latest version won't authenticate when sending push notifications
2) Exchange privileges in AD are reduced (!), removing DACL control over the domain root object (+ others). This requires manual rerun of setup.exe /prepareAD
Slides from my @WEareTROOPERS #TR19 talk about hacking Azure AD are now online! Was so much fun presenting here 😀 recording of the talk and tools release will follow!
In other news, more than 4 years after I reported this, Microsoft finally removed the ability to modify conditional access policies via the Azure AD Graph. 🎉 Before this change, the AD connect sync account could change/remove all policies, defeating MFA reqs via CA.
In other training news, I've been notified that my Azure AD security training has been accepted for Black Hat USA in Las Vegas this summer 🥳 Looking forward to seeing everyone in Vegas again! 😁
The python BloodHound ingestor was updated to support GPO/OU/container collection. Thanks to @_zblurx for the PR. The python version is now functionally equivalent to the official C# version for DCOnly collection. Also thanks to @itm4n who added registry based session enum 🔥
As promised, here is @donnymaasland's blog about bypassing McAfee's password and admin check which lets you export and import the configuration. This allows viewing exclusions, adding your own or changing the protection password.
👀 looks like Microsoft started with rolling out the Conditional Access features for controlling device code flow auth that I mentioned in my last blog . Seems to be in preview, not in all tenants yet.
🥳 super excited that I'll be back in Vegas this summer, presenting for the first time at Black Hat US #BHUSA! I'll give a talk about my latest research on hijacking and backdooring accounts via external identities in Azure AD 😁.
v0.4.0 of is now up! Major rewrite and cross domain support now make it support all of SharpHounds default collection. Also removed the beta labels since it has been tested without issues on several networks. Get it at or PyPi.
Because Microsoft quietly removed the possibility to sign in using the Primary Refresh Token (Azure AD SSO) without a nonce, I've slightly altered the flow with ROADrecon and ROADtoken to request a nonce first. Blog also updated:
New BloodHound version 4.2 means new BloodHound[.]py version 😀 BloodHound python v1.4.0 is now live, compatible with the latest BloodHound version. It includes the research from my last blog as a new edge "WriteAccountRestrictions", which also got added to SharpHound ❤️
During my DC27 and TR19 talks I talked about App Admins (and Sync accounts) escalating privileges in #AzureAD by taking over service principals. I thought this was fixed for default #Office365 apps. Turns out it isn't and is considered by design. Here's a blog:
I've been putting this off for a long time, but finally decided to give it a go: AD FS and federated domains in Azure AD. With some results, mostly thanks to @doughsec. Coming soon to ROADtools: SAML token crafting and AD FS spoofing 😁
Small update to roadtx, with thanks to @Flangvik for the idea: you can now do the interactive authentication with a "borrowed" ESTSAUTHPERSISTENT cookie from a browser, to get tokens or have an authenticated browser session.
There's a lot going around about analyzing Azure AD environments for compromise and risky/rogue permissions lately. Most focus on logs, but if there are no (more) logs or you just want to review AAD as a blue teamer, here is how ROADrecon () can help:
I've made some major improvements to data gathering with ROADrecon in larger tenants. Data collection is now much faster, uses automatic throttling and retries requests when throttled by AAD Graph. Would love if people can give it a try in larger tenants.
Always wanted to find out which Microsoft first-party app has the right pre-approved scope for what you need? roadtx now has a "getscope" utility, which lists the clients with the desired scope. Useful if you want to access API data without admin approval.
In my Black Hat talk I referenced a guest account hijack that is very hard to identify after the fact. For blue teamers here, I've made a KQL query available for hunting this abuse in Azure AD audit logs. It should be possible to identify historical abuse:
Too bad for the hours I spent writing this in C, but I did finally figure out how to do the Primary Refresh Token key derivation in Python. This means you can now use the session key from Mimikatz directly in roadlib/roadrecon! Only with version on GitHub
The number of times people have simply clicked "Approve" for us when we ran into Azure AD MFA is surprisingly high. It really makes me wonder if MFA via push notifications is such a good idea at all security wise.
Working on some tooling, and managed to get PRT injection during browser sign-in working with Selenium. If you steal a PRT from a hybrid/compliant device, you can use this to "upgrade" the sign-in of other users, to comply with conditional access policies requiring this status.
With a few small modifications @MDSecLabs' Office 365 attack toolkit works with ROADtools tokens. This makes it a nice GUI for API tokens obtained with SSO abuse or via other means. cc @0x09AL
If you're playing with Kerberos and want to view the encrypted parts in Wireshark you can do so with a keytab file. Since impacket was missing structures for this I added a script to my forest trust tools repo which easily allows adding multiple keys:
Because nobody likes waiting, my @foxit colleague Matthijs wrote a python based BloodHound data loader for neo4j, which is a factor 3-5 times faster than the UI:
I've probably spent way too much time on this but it's getting near the point I want it to be for first release. Explore Azure AD with #ROADtools. Now I "just" have to transfer the things I wanted to put in a talk into a blog and make it release ready... Soon(-ish)!
The slides and recording from my @NorthSec_io talk (Windows) Hello from the other side are available at
I've also released a new version of roadtx that supports the AAD Windows Hello key provisioning process and authentication to get PRTs 🙂
📢 In the last weeks, Microsoft has patched several major flaws in Windows Hello for Business and Azure AD. In short, it was possible to: Provision new WHFB keys without MFA or via SSO tokens, and move laterally by registering keys on other users, if done from a privileged role.
I'll be revisiting the details of my AD forest trust bypass that was patched last year. If you're into obscure Kerberos details, this may interest you 🙃 my aim is to also drop the tools and blog around this date!
This free Webcast provides technical details on how Kerberos works over forest trusts and how the security boundary is normally enforced, accompanied by a proof-of-concept and a demonstration of abusing the vulnerability. June 3 at 11am PST. Register here:
New major roadrecon release is out! This release adds supports for:
- Eligible AAD admin roles (PIM)
- Scoped and custom roles
- Administrative Units
All now in the GUI and readable by any member user in the tenant (yes including eligible roles)😀
I remember being here last year and thinking how cool it would be to be mentioned here... And now I am! A lot of growth in just a year, thanks to everyone who motivated, inspired, shared and supported my research! Goal for next year: higher than #68 😁
Curious about the (in)security of Windows Hello for Business? Want to know how you could add new WHFB keys without MFA and move laterally with them? The recording of my talk about this topic at Troopers 23 is now online!
This Tuesday, Microsoft rolled out patches for a Windows Hello for Business vulnerability that I found. It's tracked as CVE-2023-36871. I don't know if/when I'll give a talk about this, but essentially this defeated the TPM protection of WHFB keys
Here's a demo of the MFA bypass, which I particularly love because it could all be done in the GUI, no need to do any lower level operations (original at )
Excited for my talk tomorrow at the (free!) @WWHackinFest Cloud pentesting roundup! Giving a talk about Azure AD Conditional Access policies. Slides still need some work but I have a logo 😁 Tomorrow Dec 10th at 2pm eastern / 18:00 CET! More details: