RDP Azure

The document discusses techniques for bypassing RDP logging and conducting Azure AD reconnaissance, emphasizing the importance of credential security and common password attacks. It highlights methods such as password spraying and the unique logging behavior of RDP with Network Layer Authentication (NLA), which can obscure failed login attempts. Additionally, it covers the capabilities of Azure AD for external reconnaissance, including user identification and group membership, while suggesting ways to enhance security through conditional access rules.


RDP Logging Bypass & Azure AD Recon
Mike Felch & Beau Bullock

© Black Hills Information Security | @BHInfoSecurity
Who We Are
• Mike Felch - @ustayready
  • Pentest / Red team at BHIS
  • Host of Tradecraft Security Weekly
  • Host of CoinSec Podcast
• Beau Bullock - @dafthack
  • Pentest / Red team at BHIS
  • Host of Tradecraft Security Weekly
  • Host of CoinSec Podcast
  • Avid OWA enthusiast


What We’re Covering
1. RDP Logging Bypass
2. Azure AD Recon


RDP Logging Bypass
The curious case of event logs with no attribution


Creds 101
• Credentials are vital
• Attackers want your password
• Access leads to more access
• Creds have different values in different situations
  • Website creds typically only give access to the user’s account (still useful)
  • Active Directory credentials typically give access to other resources in a domain
    • File shares, SharePoint, Intranet sites, Email, etc…


Default Password Policy
• Microsoft’s Active Directory default password policy is typically the following:
  • Minimum of 8 characters
  • Doesn’t include username
  • Must include 3 of 4 categories:
    • Uppercase letter (A..Z)
    • Lowercase letter (a..z)
    • Number (0..9)
    • Nonalphanumeric symbol (!, $, #, %)
  • Typically locks out after 5 attempts
• This password fits that requirement: Fall2018


Password Hacking 101
Some Common Password Attacks
• Brute forcing – Trying thousands of passwords against one account
• Password Reuse – Using the same password on multiple sites
• Credential Phishing – Social engineering a target into inputting their creds into a portal the attacker controls
• Password Spraying – What this talk is about. ☺


“Keyed Alike Locks”
• Passwords are like keys…


Winter2018 FTW
What is “Password Spraying”?
• Lockout policies prevent brute forcing
• In an AD environment we have to get around this restriction… somehow…
• What if we try authenticating using only one password but against all accounts?
  • Thousands of failed logins
  • Doesn’t meet lockout threshold for a specific user
  • Might get lucky with a common password:
    • SeasonYear, Company123, PasswordYear, etc…
  • Wait until observation window ends, then repeat


Dashing Through The S-No Access
Typical Active Directory password spraying
• DomainPasswordSpray – PowerShell script to perform password spraying within a domain
  • https://github.com/dafthack/DomainPasswordSpray
• Metasploit smb_login module
  • https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_login
• This generates failed login events at the DC
• Had a customer who alerted
• Started thinking of new ways to evade


Failed Login Alerting
Access Denied: You’ve failed to meet the minimum meme threshold
• Customers have vastly different alerting setups
  • Some log pretty much everything they can…
  • … others log nothing
• Password attack detections have been hit or miss…
• Password spraying
  • 1 attempt per user within observation window
  • Doesn’t lock out accounts & usually results in a low number of failed logins per account
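The detection side of the pattern on the last two slides is what the spray signature looks like in the failed-logon data itself: one source, many distinct accounts, one or two failures each, all inside a lockout observation window, versus brute force, where one account absorbs many failures. The Python below is an added example, not code from the talk or from DomainPasswordSpray, and runs over constructed records shaped like the fields of a Security event 4625 (time, target account, source address). The window and thresholds are assumptions for the example; the per-account ceiling is set below the slide's typical 5-attempt lockout because a sprayer deliberately stays under it.

```python
"""Telling a password spray apart from brute force in failed-logon records."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events modelled on Security event 4625 fields:
# (TimeCreated, TargetUserName, source address). Not real log data.
SAMPLE_EVENTS = (
    # One guess against each of 12 accounts inside two minutes (spray).
    [(f"2018-11-01T09:0{i // 6}:{(i % 6) * 10:02d}", f"user{i:02d}", "10.0.0.50")
     for i in range(12)]
    # A real user mistyping their password twice (benign).
    + [("2018-11-01T09:15:00", "alice", "10.0.0.21"),
       ("2018-11-01T09:15:20", "alice", "10.0.0.21")]
    # Twelve guesses against one account inside a minute (brute force).
    + [(f"2018-11-01T10:00:{s:02d}", "admin", "10.0.0.99") for s in range(0, 60, 5)]
)


def detect(events, window=timedelta(minutes=30), spray_min_accounts=10,
           spray_max_per_account=2, brute_min_attempts=5):
    """Return a list of (kind, source, detail) alerts.

    Thresholds are assumptions for this example: spray_max_per_account sits
    below the slide's typical 5-attempt lockout because a sprayer stays under
    it, and the 30-minute window stands in for a lockout observation window.
    """
    by_source = defaultdict(list)
    for ts, user, src in events:
        by_source[src].append((datetime.fromisoformat(ts), user))

    alerts = []
    for src, items in by_source.items():
        items.sort()
        recent = deque()   # failures from this source inside the window
        flagged = set()    # raise each kind of alert once per source
        for when, user in items:
            recent.append((when, user))
            while when - recent[0][0] > window:
                recent.popleft()
            per_account = Counter(u for _, u in recent)
            distinct, busiest = len(per_account), max(per_account.values())
            # Spray: many accounts touched, none of them hit hard enough to lock.
            if ("spray" not in flagged and distinct >= spray_min_accounts
                    and busiest <= spray_max_per_account):
                alerts.append(("password_spray", src,
                               f"{distinct} accounts, at most {busiest} failure(s) each"))
                flagged.add("spray")
            # Brute force: one account hit past the lockout threshold.
            if "brute" not in flagged and busiest >= brute_min_attempts:
                account = per_account.most_common(1)[0][0]
                alerts.append(("brute_force", src,
                               f"{busiest} failures against {account}"))
                flagged.add("brute")
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:15} {src:12} {detail}")
```

Everything here hinges on grouping by the source address. Run against the sample data it raises one spray alert for 10.0.0.50 and one brute-force alert for 10.0.0.99, and stays quiet for the user who mistyped twice. When the source field is empty, as the RDP-with-NLA slides that follow show it can be, the spray count collapses into a pile of unrelated single failures, which is exactly why that logging gap matters.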


Blue Team Game on Par
Classic domain spraying...
• Standard authentication failures to an Active Directory domain should generate failed login events at the DC
• Had a customer who alerted
• Started thinking of new ways to evade
• What are some other protocols you can authenticate to that are tied to AD?


Evading Failed Login Detection
OWA spraying...
• One possibility is OWA
• MailSniper
  • https://github.com/dafthack/MailSniper
• Failed logins look a bit different against OWA than they do against an SMB share or domain auth
• Many of our customers have seen us use or talk about MailSniper and have adjusted their logs accordingly.
• Where else could we try authenticating?
Evading Failed Login Detection
RDP spraying?
• What about RDP?
• Tested out xFreeRDP from Linux against a Windows Server
• To our surprise the failed login event did not contain the source IP address…
• Hostname was in the log… but xFreeRDP has an option to set the client hostname (wat?)
• Set out to write a spraying tool for RDP


NLA FTW
• Why was there no IP in the log?
• It turns out RDP w/ NLA (Network Layer Authentication) doesn’t log source IP in the security log
  • NLA pre-authenticates prior to RDP access
  • Causes Logon type 3 (Network) instead of 10 (RemoteInteractive)
• Allegedly there is supposed to be a log with the IP located here:
  Applications and Services Logs > Microsoft > Windows > RemoteDesktopServices-RdpCoreTS > Operational (Event ID 140)


What log?
Remember this is an “Applications and Services Log”... not “Security”
• This is what a failed RDP using NLA should look like:
• …But authenticating via NLA doesn’t ALWAYS generate this log…

Because this alert is very, VERY misleading.
• It turns out this alert only fires when the USER is invalid.
• Valid user + invalid password = No Event ID 140 log
DEMO: RDPSpray PoC


What’s next?
• Here are some items on my “todo” list with this:
  • Build a standalone tool to do this from Windows
  • Add functionality to quickly find servers with NLA enabled for RDP


How do I detect/stop this?
• Windows Server 2016 logs the IP
• For other versions:
  • Correlate the Applications and Services logs with the Security logs
  • See: http://purerds.org/remote-desktop-security/auditing-remote-desktop-services-logon-failures-1/
• It might be worth looking at firewall logs for alerting on access to port 3389 multiple times from the same system
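The correlation this slide recommends, and the hole the previous slides describe in it, can both be shown on a handful of records. The Python below is an added example, not code from the talk or from the linked purerds.org article. It uses constructed records: Security 4625 entries as they look for an NLA failure (logon type 3, no source address, a client-chosen workstation name), RdpCoreTS/Operational event 140 entries (which, per the slides, only exist when the user name is invalid), and firewall-style records of connections to TCP/3389 for the fallback the last bullet suggests. The 2-second pairing slack, the 5-minute firewall window and the 3-connection threshold are assumptions.

```python
"""Attributing NLA RDP failures to a source address, and where that fails."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records, not captured from a real host. A Security 4625 written
# for an NLA failure has LogonType 3 and no source address ("-"); the
# workstation name is whatever the client chose to send.
SECURITY_4625 = [
    {"time": "2018-11-01T12:00:00", "user": "alice",  "logon_type": 3,  "ip": "-",         "workstation": "DESKTOP-NOTME"},
    {"time": "2018-11-01T12:00:03", "user": "bob",    "logon_type": 3,  "ip": "-",         "workstation": "DESKTOP-NOTME"},
    {"time": "2018-11-01T12:00:06", "user": "nosuch", "logon_type": 3,  "ip": "-",         "workstation": "DESKTOP-NOTME"},
    {"time": "2018-11-01T12:30:00", "user": "carol",  "logon_type": 10, "ip": "10.0.0.21", "workstation": "CAROL-PC"},
]
# RdpCoreTS/Operational event 140 records. Per the slides this event only
# appears when the user name is invalid, so only "nosuch" has one.
RDPCORETS_140 = [
    {"time": "2018-11-01T12:00:06", "ip": "10.0.0.77"},
]
# Firewall-style records of connections to TCP/3389 (constructed).
FIREWALL = [
    {"time": "2018-11-01T11:59:59", "src": "10.0.0.77", "dport": 3389},
    {"time": "2018-11-01T12:00:02", "src": "10.0.0.77", "dport": 3389},
    {"time": "2018-11-01T12:00:05", "src": "10.0.0.77", "dport": 3389},
    {"time": "2018-11-01T12:29:59", "src": "10.0.0.21", "dport": 3389},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def attribute_nla_failures(sec_events, rdp_events, slack=timedelta(seconds=2)):
    """Pair each IP-less logon type 3 failure with an event 140 close in time.

    Returns (attributed, unattributed). attributed holds (user, ip) pairs;
    unattributed holds (user, client-supplied workstation) pairs for failures
    no event 140 explains, which by the slides' observation is every
    valid-user/wrong-password attempt. The 2-second slack is an assumption.
    """
    attributed, unattributed = [], []
    for ev in sec_events:
        if ev["logon_type"] != 3 or ev["ip"] != "-":
            continue  # other logon types already carry the source IP
        when = _t(ev["time"])
        match = next((r for r in rdp_events
                      if abs(_t(r["time"]) - when) <= slack), None)
        if match:
            attributed.append((ev["user"], match["ip"]))
        else:
            unattributed.append((ev["user"], ev["workstation"]))
    return attributed, unattributed


def busy_rdp_sources(conn_records, window=timedelta(minutes=5), min_connections=3):
    """Fallback from the slide: count 3389 connections per source inside a
    sliding window and return {src: peak count} for sources at or above the
    threshold. Window and threshold are assumptions."""
    by_src = defaultdict(list)
    for rec in conn_records:
        if rec["dport"] == 3389:
            by_src[rec["src"]].append(_t(rec["time"]))
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        peak, start = 0, 0
        for end, when in enumerate(times):
            while when - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_connections:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    known, unknown = attribute_nla_failures(SECURITY_4625, RDPCORETS_140)
    print("attributed:  ", known)
    print("unattributed:", unknown)
    print("busy 3389 sources:", busy_rdp_sources(FIREWALL))
```

On the sample data the invalid-user attempt is the only one that gets an IP from the correlation; the two failures against real accounts, the ones a sprayer actually cares about, end up attributed to nothing better than a workstation name the client picked. The firewall count is what recovers the source in that case, which is why the slide suggests it, and it is also the one signal the client cannot rename its way out of.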


Azure AD Recon
The mysterious Azure Active Directory sync


External Active Directory
What if I told you, in most circumstances...
• Low-privileged creds are gold
• Almost as good as ADExplorer internally
• Can create guest users & MFA devices
• Profile & target an organization quickly
• Probably completely under the radar
• *Externally*


First, A Quick Glimpse

(Figure: the sync tools DirSync, Azure AD Sync and Azure AD Connect. On-Prem: Azure AD Connect sync engine. Azure: Azure AD Connect sync service + Forefront Identity Manager.)

http://www.windowstricks.in/2015/06/difference-between-dirsync-azure-ad-sync-and-azure-ad-connect.html
Azure Password Hashing

Password Sync
1. MD4 hash isn't sent, SHA256 hash of hash is
2. DC sends salt
3. Avoids PTH primitive for on-prem
4. Envelope decrypted and hash stored

Authentication
1. Requires 2nd auth if not using Seamless SSO
2. MD4+usersalt+PBKDF2+HMAC-SHA256
3. Compares cloud hash with on-prem hash
4. Session created

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization
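The two lists on this slide compress a derivation that is easier to follow in code. The Python below is an added example, not Microsoft's implementation and not from the talk, reconstructed from the Microsoft document the slide links: the on-prem NT hash is an unsalted MD4 over the UTF-16LE password; the sync agent expands that 16-byte hash to 64 bytes (32 hex characters re-encoded as UTF-16LE), adds a per-user 10-byte salt, and runs 1,000 rounds of PBKDF2-HMAC-SHA256; the cloud side stores the result and recomputes it at logon. MD4 is written out because hashlib's MD4 is often absent on OpenSSL 3 builds. Treating the expanded hash as the PBKDF2 password and using lowercase hex are this example's assumptions; the document does not spell out either.

```python
"""What Azure AD password hash sync stores, and why it is not an NT hash."""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), included so the example runs without
    OpenSSL's legacy provider."""
    mask = 0xFFFFFFFF

    def rot(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)      # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                       # round 1
            a = rot((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            a = rot((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            a = rot((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """On-prem NT hash: unsalted MD4 over the UTF-16LE password. This is the
    value pass-the-hash needs, and it is the value that never leaves on-prem."""
    return md4(password.encode("utf-16-le"))


PHS_SALT_LEN = 10       # per-user salt length, from the doc the slide cites
PHS_ITERATIONS = 1000   # PBKDF2-HMAC-SHA256 rounds, from the same doc


def phs_cloud_hash(nt: bytes, salt: bytes) -> bytes:
    """Derive the value Azure AD stores. Assumptions for this example: the
    32-character hex expansion is lowercase and is fed to PBKDF2 as the
    password with the per-user salt as the salt."""
    expanded = nt.hex().encode("utf-16-le")       # 16 bytes -> 64 bytes
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, PHS_ITERATIONS, 32)


def sync_record(password: str):
    """Sync side: the per-user salt and derived hash the agent would send."""
    salt = os.urandom(PHS_SALT_LEN)
    return salt, phs_cloud_hash(nt_hash(password), salt)


def cloud_verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Authentication side: recompute from the typed password and compare."""
    return hmac.compare_digest(phs_cloud_hash(nt_hash(password), salt), stored)


if __name__ == "__main__":
    salt, stored = sync_record("Fall2018")
    print("NT hash   :", nt_hash("Fall2018").hex())
    print("cloud hash:", stored.hex())
    print("login OK  :", cloud_verify("Fall2018", salt, stored))
```

The stored value is a salted, iterated one-way function of the NT hash, so a copy of the cloud side yields nothing usable for pass-the-hash on-prem, which is the "avoids PTH primitive" bullet. The verify step also shows the other half of the picture: the cloud checks the typed password, so a phished or sprayed password works against Azure AD directly, which is what the next slide is about.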
So, what does this mean?
With a single set of phished/sprayed credentials...
• Users: Identify Users & Read Properties
• Groups: Identify Security Groups
• Applications: Identify Attack Surfaces
• Devices: Identify Device Info for users
• Directory: Identify Domains & Partners
• Roles & Scopes: Identify All Memberships
• + more!

*Add a limited access guest account*

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
But first.. ADExplorer
Active Directory Browser
• View and edit AD objects
• Crazy sophisticated searches
• Create AD snapshots for offline
• Browse forests
• Nice little GUI

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
Internal vs External

ADExplorer (internal)
• Identify Users & Read Properties
• Identify Security Groups
• Identify Attack Surfaces
• Identify Device Info for users
• Identify Domains & Partners
• Identify All Memberships
• Add guest user & MFA device
• Offline AD snapshots
• Edit AD Objects

vs.

Azure AD (external)
• Identify Users & Read Properties
• Identify Security Groups
• Identify Attack Surfaces
• Identify Device Info for users
• Identify Domains & Partners
• Identify All Memberships
• Add guest user & MFA device
• Offline AD snapshots
• Edit AD Objects

Looks pretty useful to me ☺

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
Let’s Do It!
Azure Active Directory
• No nerd left behind!
  • Browser GUI for the lazy
  • Command-line tools for Linux neckbeards
  • PowerShell cmdlets for Windows ninjas
• Blocked portal doesn’t mean blocked CLI/PS
• Conditional access rules cost $$$

AZ CLI: https://docs.microsoft.com/en-us/cli/azure/
AzureRM: https://docs.microsoft.com/en-us/powershell/azure/overview
Azure Portal

(Screenshots: Azure Portal, Users, Groups)


Azure CLI
• az login
• az ad user list
• az ad group list
• az ad group member list --group='<group name>'
• az vm list

https://docs.microsoft.com/en-us/cli/azure/


Azure RM
• Connect-AzureRmAccount
• Get-AzureRmADUser
• Get-AzureRmADGroup
• Get-AzureRmADGroupMember -GroupObjectId <group id>
• Get-AzureRmVM

https://docs.microsoft.com/en-us/powershell/azure/overview


DEMO: Azure CLI PoC


Lock Things Down
Azure Portal Configuration

??? umm.. okay, now what?

Azure AD Conditional Access


Conditional Access Rules
Azure AD Controls
• Allow or Block access
• Policy driven rules
• Cloud-apps and Azure management
• Applies to all Azure management end-points
  • Except Azure AD PowerShell

https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management


Azure CLI Work-around

Phew! (Thanks Derrick Rauch)

Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false


END
• Twitter
  • Beau - @dafthack
  • Mike - @ustayready
• Black Hills Information Security
  • https://www.blackhillsinfosec.com/
• Tools:
  • RDPSpray PoC: https://github.com/dafthack/RDPSpray
  • AZ CLI: https://docs.microsoft.com/en-us/cli/azure/
  • Azure-RM: https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps


Slackpass.io/centralsec