I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-global…
Fox-IT just open sourced their enterprise forensics tooling dissect. This is a big project that some of the smartest people I know have worked on. It supports many filesystems and file formats, all as Python libraries. Docs: docs.dissect.tools / code: github.com/fox-it/dissect
So yes, Zerologon (CVE-2020-1472) is quite easy to exploit. Unauthenticated user to Domain Admin. This is really scary. Run exploit, DCSync with DC account and empty NT hash: you have Domain Admin and a broken DC.
Awesome find by Tom Tervoort 🙂. Patch patch patch!
It has a few more prerequisites, but I finally managed to get a #Zerologon exploit working that doesn't rely on resetting passwords to exploit. Use the printerbug to make DC1 connect to you, then with lots of magic relay that to DC2 directly to DRSUAPI to DCSync 😁
Some big personal news: last year I decided to start my own company. Today I'm making it official and announcing Outsider Security (@OutsiderSec). My focus will be on Azure AD and Active Directory security, converting my research experience into in-depth tests and advice.
New blog: A different way of abusing Zerologon. No more password reset needed: using the printer bug with Zerologon to relay to DRSUAPI and DCSync directly with ntlmrelayx: dirkjanm.io/a-different-way-…
Code: github.com/dirkjanm/CVE-2020…
New blog: Relaying Kerberos over DNS using krbrelayx and mitm6.
New method of gaining RCE on AD hosts in the same VLAN without credentials or needing NTLM, by abusing Kerberos, DNS and Active Directory Certificate Services.
Blog: dirkjanm.io/relaying-kerbero…
I've added the material from my Black Hat US talk yesterday to my blog. If you are interested in Azure AD security, love account hijacks, MFA bypass, persistence techniques and privescs, give it a read: dirkjanm.io/assets/raw/US-22…
New blog! Abusing Exchange: One API call away from Domain Admin. From any user with a mailbox to Domain Admin. Probably affects the majority of orgs using AD and Exchange. dirkjanm.io/abusing-exchange…
Just published: "Getting in the Zone: dumping Active Directory DNS using adidnsdump". Recon tool to dump DNS records in AD as any authenticated user, similar to a zone transfer.
Tool: github.com/dirkjanm/adidnsdu…
Blog: dirkjanm.io/getting-in-the-z…
Since everyone loves dumping credentials, I've put together a tool for remotely dumping Azure AD Connect credentials for my #TR19 talk. Uses only SMB and RPC calls, no code exec on the target host 😁
What a time to be alive... Install the Microsoft signed Hybrid Connection Manager on victim host, link it up with your Azure app, enjoy persistent access to the on-prem network from your Azure portal. Only needs https outbound to Azure and line of sight from victim to target host
[Blog] Office 365 was vulnerable to network attacks due to a vulnerability in Microsoft Teams. Here's a demo of an attacker obtaining access to all emails and OneDrive/SharePoint files if the victim joins an attacker controlled network. Details: dirkjanm.io/office-365-netwo…
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-global…
Short blog and POC code for CVE-2019-1040 (patched last Tuesday). Combining this vulnerability with the SpoolService bug and Kerberos delegation means: any AD user to Domain Admin; RCE on unpatched hosts; possible over Forest trusts. dirkjanm.io/exploiting-CVE-2… TL;DR: GO PATCH!
New blog: Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust
I teased this a bit during my Windows Hello talks, now found some time to write about this interesting technique. Also contains defenses and detection opportunities.
dirkjanm.io/obtaining-domain…
I wrote a small scanner utility to check if systems are vulnerable to CVE-2019-1040, the NTLM Mic vulnerability that allows for Active Directory takeover. Published here: github.com/fox-it/cve-2019-1…
Tool release: adconnectdump. Three approaches to dumping #Azure AD Connect credentials, from executing code on the host to fully over the network. For technical background, see the slides of my #TR19 talk 😃 github.com/fox-it/adconnectd…
It's been long overdue, but my part 2 blog on Active Directory forest trusts is finally here! This blog is about trust transitivity and on the finding on CVE-2020-0665 which was a trust bypass by faking a domain. Enjoy the (long) read: dirkjanm.io/active-directory…
It's been quiet for a while around bloodhound Python, however I'm happy to share that I am now maintaining the project at my personal GitHub. The latest version fixes many bugs/issues, also thanks to the many PRs that were submitted (thanks all!). github.com/dirkjanm/bloodhou…
New blog: Phishing for Primary Refresh Tokens and Windows Hello keys. This blog describes how we can use device code phishing to obtain PRTs and in some cases even add backdoor Windows Hello keys 🤯
dirkjanm.io/phishing-for-mic…
New blog: "Abusing forgotten permissions on computer objects in Active Directory".
The post is a dive into permissions that are set when you pre-create computer accounts the wrong way, why BloodHound missed those and how to abuse, fix, or monitor for this. dirkjanm.io/abusing-forgotte…
New blog up! "Abusing Azure AD SSO with the Primary Refresh Token", digging into Hybrid environments, SSO, Conditional Access policies and other Azure AD fun. New update for ROADtools, introducing ROADtoken which uses SSO to get persistent Azure AD tokens dirkjanm.io/abusing-azure-ad…
Still think machine accounts are useless when relaying? Not when you relay an Exchange server account and get instant Domain Admin :D mitm6 + ntlmrelayx = relay exchange server account -> modify domain ACL -> DCSync with #mimikatz or #impacket
New blog: Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes.
Some tips and tricks on abusing TAPs for Windows Hello persistence and NT hash recovery over Cloud Kerberos Trust. dirkjanm.io/lateral-movement…
It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates.
Also includes ESC1 over Intune (in some cases).
dirkjanm.io/extending-ad-cs-…
Oh, and a new tool for SCEP: github.com/dirkjanm/scepreq
BloodHound 4.1 was just released and I'm happy to share that the BloodHound python ingestor is ready for the new format and edges it introduces! Via GitHub only for now, please test and let me know if there are errors 🙂 github.com/fox-it/BloodHound…
Just found an interesting lateral movement/post-ex technique in Azure AD to move between identities. It's stealthy, non-destructive, bypasses MFA, and can be used to move from cloud to on-prem in several hybrid scenarios. Now moving on to figure out all scenarios and impact😅
secretsdump(.py) slow processing your NTDS.dit? Soon not anymore! With @Schamperr's esedb parser implementation processing time of a 5GB dit file went from 45 minutes down to 1.5 minutes 😲! Code will be released as open source when fully ready 🙂
Thanks to @elad_shamir's research, network access once again means RCE against Windows hosts in that (V)LAN. Combining mitm6, ntlmrelayx and RBCD to abuse AD defaults. New blog: The worst of both worlds, Combining NTLM relaying and Kerberos Delegation: dirkjanm.io/worst-of-both-wo…
[New blog] Updating adconnectdump - a journey into DPAPI; In which I describe the process of understanding and decrypting the DPAPI encrypted credentials of Azure AD connect. This again enables dumping these credentials via only network calls (as admin). dirkjanm.io/updating-adconne…
Took me a few days, still don't know exactly how/why it works, but I now have a new-ish on-prem to cloud technique via a Seamless SSO (Kerberos) backdoor key. Some features:
- No GA needed to add key
- Invisible backdoor (no logs in AAD) 🫣
- 1st factor auth to any synced user
2 new releases today exploiting default settings in AD! First: Invoke-ACLPwn, a PowerShell script to exploit ACL paths detected by #BloodHound. Second is the ACL attack for ntlmrelayx: relaying machine accounts for DA!
Code: github.com/fox-it/Invoke-ACL…
Blog: blog.fox-it.com/2018/04/26/e…
Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀
This patch Tuesday brings patches for some memory corruptions I found in AD integrated DNS which could lead to RCE from Authenticated Users to SYSTEM on a Domain Controller... CVEs assigned are CVE-2020-0644, CVE-2020-761 and CVE-2020-0718. portal.msrc.microsoft.com/en…
Just uploaded the first verion of BloodHound.py, an impacket based BloodHound ingestor in Python. github.com/fox-it/BloodHound… is still in beta and not complete, so testing and feedback is welcome!
New blog and tool: Introducing ROADtools Token eXchange (roadtx) - Automating Azure AD authentication, Primary Refresh Token (ab)use and device registration.
Blog: dirkjanm.io/introducing-road…
Code: github.com/dirkjanm/ROADtool…
Some features in screenshot attached.
Few BloodHound python updates: LDAP channel binding is now supported with Kerberos auth (native) or with NTLM (custom ldap3 version). Furthermore, the BH CE collector now has its own pypi package and command. You can have both on the same system with pipx. github.com/dirkjanm/BloodHou…
Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃
I am officially announcing my first training offering "Offensive Azure AD and Hybrid AD security". It is an in-depth, hands-on training that teaches the core concepts, protocols and attack techniques of Azure AD and hybrid environments. Check: outsidersecurity.nl/training…
Did you know an Azure AD user can read the bitlocker key for any devices they own? (Provided the bitlocker key is backed up to Azure AD). The latest version of roadrecon shows bitlocker keys in the GUI. You can also see them for all devices in several roles (including read roles)
It's been a while since I posted about BloodHound .py, but lots of things have been added! Now at v0.7.0, with support for ACL collection, loggedon, DCOM/RDP and object properties. Also works with Python 3 now! Check it out on the @foxit GitHub github.com/fox-it/BloodHound…
A few weeks ago I gave a talk at @a41con on how to phish for PRTs and phishing resistant authentication methods 👀. The slides, plus a demo video on how to do this with credential phishing are now on my blog: dirkjanm.io/talks
Just got the news that my talk about Azure security has been accepted for #DEFCON 😁😁😁 super happy right now and very excited to share my latest research! 😀
Today's patch Tuesday fixes CVE-2020-0665, which is an Active Directory forest trust security bypass using Kerberos magic 🙃 if you use forests as a security boundary you may want to patch this. Advisory (though text is inaccurate): portal.msrc.microsoft.com/en…
At Def Con I presented with @_EthicalChaos_ on new Windows Hello attacks. For ex: how to use the WinHello crypto keys from a low priv session to request a PRT on a different device, bypassing TPM protection of PRTs.
Slides: dirkjanm.io/talks/
Poc: github.com/dirkjanm/ROADtool…
Seems Microsoft is finally taking a stance against NTLM relaying to LDAP, by enforcing LDAP signing and channel binding by default starting January 2020. This is a big and important change to improve AD security, especially from a network point of view!
Microsoft strongly advises customers... always a warning, especially if it involves DCs and LDAP and MS announces upcoming changes
Https://support.microsoft.co…
The recording of my #Azure AD talk at #TR19 is now online! If you want to learn about Azure AD account takeover, AD Sync password extraction, privilege escalations and SSO weaknesses, you can watch the full talk on YT: piped.video/JEIR5oGCwdg
Another blog on the Primary Refresh Token! Thx @gentilkiwi for figuring this out with me! Tl;Dr: PRT can be extracted from lsass with #mimikatz 🥝. If with TPM, session key is protected. Still possible to extract derived keys and sign your own PRT cookies. dirkjanm.io/digging-further-…
Been a long day but thanks to @gentilkiwi's awesome new mimikatz CloudAP support we managed to put together tooling that can sign arbitrary PRT cookies! Secrets from lsass + DPAPI + crypto magic + horrible C code = working POC of session key extraction.
Slides and video of my #bluehatseattle talk "A year of hacking Azure AD" are online! Contains my exploration of the unofficial "1.61-internal" version of the Azure AD graph and the resulting vulnerabilities😃
Slides: dirkjanm.io/talks/
Video: piped.video/watch?v=fpUZJxFK…
Very excited to start a personal blog! Kicking off today with the first part of my research into Active Directory Forest trusts: How does SID filtering work? dirkjanm.io/active-directory… Including techniques to pwn incorrectly configured Forest trusts ;)
New blog up: Syncing yourself to Global Administrator in Azure AD; describing a vulnerability I discovered last year in Azure AD Connect that allowed for #Azure AD/Office 365 (admin) account takeover. blog.fox-it.com/2019/06/06/s…
Since @_wald0 and @CptJesus just released #BloodHound 3.0 I've merged the v3 branch of the BloodHound python ingestor and pushed the new version to pypi. New version works with v3 syntax and contains many fixes and new features! See github.com/fox-it/BloodHound…
Microsoft released patches for #PrivExchange today!
1) Latest version won't authenticate when sending push notifications
2) Exchange privileges in AD are reduced (!), removing DACL control over the domain root object (+ others). This requires manual rerun of setup.exe /prepareAD
It appears Microsoft quietly mitigated most of the risk of the "Intune company portal" device compliance CA bypass by restricting the scope of Azure AD graph tokens issued to this app, making them almost useless for most abuse scenarios. Thx @domchell for the heads up.
The video recording of my Black Hat talk this summer "Backdooring and Hijacking Azure AD Accounts by Abusing External Identities" made it to YouTube: piped.video/watch?v=uKDS2t9_…
New blog: Persisting on Entra ID applications and User Managed Identities with Federated Credentials.
In this blog we set up our own IdP with roadtools, allowing us to authenticate to apps and user managed identities with federated credentials 😀
dirkjanm.io/persisting-with-…
The recordings of @a41con are available! If you're interested in credential phishing, device code phishing, applying that to phish for PRTs and Windows Hello keys... Give it a watch! 😁 piped.video/tNh_sYkmurI
The ADSyncCertDump tool is now part of the adconnectdump tools and can be used to extract SP credentials from Entra ID connect hosts. I will cover that during my BH/DC talks today and Friday! Tool is heavily based on Shwmae by @_EthicalChaos_
Since we now can use Entra ID connect sync with a service principal, I thought I'd look into the new security measures. On hosts without a TPM, we can dump the cert+key. On hosts with TPM (second picture) we can use the key to create an auth assertion for roadtx to req tokens.
Slides from my @WEareTROOPERS#TR19 talk about hacking Azure AD are now online! Was so much fun presenting here 😀 recording of the talk and tools release will follow! slideshare.net/DirkjanMollem…
Received the news today that my talk "Advanced Active Directory to Entra ID lateral movement techniques" was also accepted for @defcon 🎉 hope to see everyone there!
Since we now can use Entra ID connect sync with a service principal, I thought I'd look into the new security measures. On hosts without a TPM, we can dump the cert+key. On hosts with TPM (second picture) we can use the key to create an auth assertion for roadtx to req tokens.
In other news, more than 4 years after I reported this, Microsoft finally removed the ability to modify conditional access policies via the Azure AD Graph. 🎉 Before this change, the AD connect sync account could change/remove all policies, defeating MFA reqs via CA.
Off to a good start in the new year (Part 2). I was awarded the Microsoft MVP status a few days ago for my community contributions in the Microsoft security space. Super grateful for everyone who helped along the way to get me there! ❤️
The python BloodHound ingestor was updated to support GPO/OU/container collection. Thanks to @_zblurx for the PR. The python version is now functionally equivalent to the official C# version for DCOnly collection. Also thanks to @itm4n who added registry based session enum 🔥
In other training news, I've been notified that my Azure AD security training has been accepted for Black Hat USA in Las Vegas this summer 🥳 Looking forward to see everyone in Vegas again! 😁
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: dirkjanm.io/talks/
As promised, here is @donnymaasland's blog about bypassing McAfee's password and admin check which lets you export and import the configuration. This allows viewing exclusions, adding your own or changing the protection password. dmaasland.github.io/posts/mc…
🥳 super excited that I'll be back in Vegas this summer, presenting for the first time at Black Hat US #BHUSA! I'll give a talk about my latest research on hijacking and backdooring accounts via external identities in Azure AD 😁. blackhat.com/us-22/briefings…
👀 looks like Microsoft started with rolling out the Conditional Access features for controlling device code flow auth that I mentioned in my last blog dirkjanm.io/phishing-for-mic…. Seems to be in preview, not in all tenants yet.
New #powershell tool to phish for user credentials using existing applications as a (realistic) cover: blog.fox-it.com/2018/08/14/p… Includes Cobalt Strike script 😀
Just pushed v1.0.4 of the Python BloodHound ingestor to pypi, containing various bugfixes. Thanks for the bug reports everyone!
github.com/fox-it/BloodHound…
Since several people already asked: the slides from @fabian_bader and myself for @WEareTROOPERS are available! "Finding Entra ID CA bypasses-the structured way". We talked about FOCI, BroCI, CA bypasses, scopes and getting tons of tokens. Check it at dirkjanm.io/talks/
v0.4.0 of BloodHound.py is now up! Major rewrite and cross domain support now make it support all of SharpHounds default collection. Also removed the beta labels since it has been tested without issues on several networks. Get it at github.com/fox-it/BloodHound… or PyPi.
Because Microsoft quietly removed the possibility to sign in using the Primary Refresh Token (Azure AD SSO) without a nonce, I've slightly altered the flow with ROADrecon and ROADtoken to request a nonce first. Blog also updated: dirkjanm.io/abusing-azure-ad…
🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability
It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷♂️
Read Here - akamai.com/blog/security-res…
New BloodHound version 4.2 means new BloodHound[.]py version 😀 BloodHound python v1.4.0 is now live, compatible with the latest BloodHound version. It includes the research from my last blog as a new edge "WriteAccountRestrictions", which also got added to SharpHound ❤️
I've been putting this off for a long time, but finally decided to give it a go: AD FS and federated domains in Azure AD. With some results, mostly thanks to @doughsec. Coming soon to ROADtools: SAML token crafting and AD FS spoofing😁
New blog post up with @FSDominguez: Listening on port 445 on Windows and remote NTLM relaying through tunnels with ntlmrelayx and meterpreter. diablohorn.com/2018/08/25/re…
During my DC27 and TR19 talks I talked about App Admins (and Sync accounts) escalating privileges in #AzureAD by taking over service principals. I thought this was fixed for default #Office365 apps. Turns out isn't and considered by design. Here's a blog: dirkjanm.io/azure-ad-privile…
Small update to roadtx, with thanks to @Flangvik for the idea: you can now do the interactive authentication with a "borrowed" ESTSAUTHPERSISTENT cookie from a browser, to get tokens or have an authenticated browser session.
There's a lot going around about analyzing Azure AD environments for compromise and risky/rogue permissions lately. Most focus on logs, but if there are no (more) logs or you just want to review AAD as a blue teamer, here is how ROADrecon (github.com/dirkjanm/ROADtool…) can help:
I've made some major improvements to data gathering with ROADrecon in larger tenants. Data collection is now much faster, uses automatic throttling and retries requests when throttled by AAD Graph. Would love if people can give it a try in larger tenants. github.com/dirkjanm/ROADtool…