DEF CON Safe Mode - Sean Metcalf - Hacking The Hybrid Cloud
https://aws.amazon.com/blogs/apn/diving-deep-on-the-foundational-blocks-of-vmware-cloud-on-aws/
Sean Metcalf | @PyroTek3 | [email protected]
Compromising On-Prem Domain Controllers
https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
Attacking Microsoft PTA
• Managed by Azure AD Connect
• Compromise server hosting PTA (typically Azure AD Connect server)
• Azure AD sends the clear-text password (not hashed!) to authenticate the user.
• Inject DLL to compromise credentials used for PTA
https://blog.xpnsec.com/azuread-connect-for-redteam/
Azure AD Seamless Single Sign-On
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
Attacking Azure AD Seamless Single Sign-On
• Managed by Azure AD Connect
• “Azure AD exposes a publicly available endpoint that accepts Kerberos tickets and translates them into SAML and JWT tokens”
• Compromise the Azure AD Seamless SSO computer account password hash (“AZUREADSSOACC”)
• Generate a Silver Ticket for the user you want to impersonate and the service ‘aadg.windows.net.nsatc.net’
• Inject this ticket into the local Kerberos cache
• Azure AD Seamless SSO computer account password doesn’t change
https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/
Attacking Azure AD Connect (DEF CON 25, July 2017)
[Diagram: On-Prem: Acme’s Azure AD Connect]
• Creating an EC2 instance with an existing instance profile (iam:PassRole and ec2:RunInstances)
• This attack would give an attacker access to the set of permissions that the instance profile/role has, which again could range from no privilege escalation to full administrator access of the AWS account.
https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py
Cloud API Keys
• Provide permanent access, often with privileged rights.
• Often provide an additional authentication method (other than username/password)
• API keys are frequently exposed in code (GitHub), including private repositories.
• Compromised API keys need to be regenerated.
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
[Diagram: On-Prem AD Domain Controllers connected to AWS EC2]
Federation
Note that it’s possible that Microsoft has made changes to elements described in
this section since I performed this research and reported the issue.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
Virtual Machine Contributor: “… lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.”
Microsoft.Compute/virtualMachines/runCommand/
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor
Add Attacker Controlled Account to Virtual Machine Contributor
Monitor the Azure RBAC role “User Access Administrator” for membership changes.
Ensure sensitive systems like Domain Controllers in Azure are isolated and protected as much as possible.
Ideally, use a separate tenant for sensitive systems.
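As an added example of the monitoring recommended above (not code from the talk), this Python snippet triages constructed Azure Activity Log style records: it flags runCommand invocations against VMs inventoried as domain controllers, and role assignment writes that grant User Access Administrator or Virtual Machine Contributor. The DC inventory, the sample records and the simplified roleName field are assumptions.

```python
import json

# Constructed, simplified Azure Activity Log records (not real tenant data).
# Field names follow the Activity Log shape (operationName, resourceId, caller,
# properties); the values are invented for this example.
SAMPLE_EVENTS = [
    {"operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "resourceId": "/subscriptions/sub-placeholder/resourceGroups/rg-ad/providers/Microsoft.Compute/virtualMachines/DC01",
     "caller": "[email protected]", "properties": {}},
    {"operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": "/subscriptions/sub-placeholder",
     "caller": "[email protected]",
     # Assumption: real records carry a roleDefinitionId GUID that must be
     # resolved to a role name before this comparison.
     "properties": {"roleName": "User Access Administrator",
                    "principal": "[email protected]"}},
    {"operationName": "Microsoft.Compute/virtualMachines/start/action",
     "resourceId": "/subscriptions/sub-placeholder/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/WEB01",
     "caller": "[email protected]", "properties": {}},
]

# Assumption: inventory of VMs that host domain controllers in this subscription.
DC_VM_NAMES = {"DC01", "DC02"}
# Roles whose assignment should always be reviewed (VM Contributor is included
# because runCommand lets its holders execute code on the VM).
WATCHED_ROLES = {"User Access Administrator", "Owner", "Virtual Machine Contributor"}

RUNCOMMAND_OP = "Microsoft.Compute/virtualMachines/runCommand/action"
ROLE_WRITE_OP = "Microsoft.Authorization/roleAssignments/write"


def vm_name(resource_id):
    """Extract the VM name from an Azure resource ID, or None if it is not a VM."""
    parts = resource_id.split("/")
    if "virtualMachines" not in parts:
        return None
    idx = parts.index("virtualMachines")
    return parts[idx + 1] if idx + 1 < len(parts) else None


def triage(events):
    """Return (alert_type, caller, target) tuples for events worth investigating."""
    alerts = []
    for e in events:
        op = e.get("operationName", "")
        if op == RUNCOMMAND_OP and vm_name(e.get("resourceId", "")) in DC_VM_NAMES:
            alerts.append(("runcommand_on_dc", e["caller"], vm_name(e["resourceId"])))
        elif op == ROLE_WRITE_OP and e.get("properties", {}).get("roleName") in WATCHED_ROLES:
            alerts.append(("privileged_role_assignment", e["caller"], e["properties"]["roleName"]))
    return alerts


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```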
MSRC Reporting Timeline
• Reported to Microsoft in September 2019.
• MSRC responds in early October 2019: “Based on [internal] conversations this appears to be By Design and the documentation is being updated.”
• Sent MSRC additional information in mid October 2019 after a day of testing detection and potential logging.
• MSRC responds that “most of what you have is accurate”
• Sent MSRC update in late January 2020 letting them know that I would be submitting this as part of a larger presentation to Black Hat USA & DEF CON (2020).
• MSRC acknowledges.
• Sent MSRC notification that I would be sharing this information in this blog.
• Documentation updated – June 2020.
• MSRC security incident still open as of July 2020.
I was informed by Microsoft during my interactions with MSRC that they are looking into re-working this
functionality to resolve some of the shortcomings I identified.
How bad can this get?
[Diagram: On-Prem Federation Server connected to multiple Azure Datacenters]