{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
From the docs: Azure Active Directory (Azure AD) Pass-through Authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.
In PTA identities are synchronized but passwords aren't like in PHS.
The authentication is validated in the on-prem AD and the communication with cloud is done by an authentication agent running in an on-prem server (it does't need to be on the on-prem DC).
- To login the user is redirected to Azure AD, where he sends the username and password
- The credentials are encrypted and set in a queue in Azure AD
- The on-prem authentication agent gathers the credentials from the queue and decrypts them. This agent is called "Pass-through authentication agent" or PTA agent.
- The agent validates the creds against the on-prem AD and sends the response back to Azure AD which, if the response is positive, completes the login of the user.
{% hint style="warning" %}
If an attacker compromises the PTA he can see the all credentials from the queue (in clear-text).
He can also validate any credentials to the AzureAD (similar attack to Skeleton key).
{% endhint %}
If you have admin access to the Azure AD Connect server with the PTA agent running, you can use the AADInternals module to insert a backdoor that will validate ALL the passwords introduced (so all passwords will be valid for authentication):
Install-AADIntPTASpy
{% hint style="info" %} If the installation fails, this is probably due to missing Microsoft Visual C++ 2015 Redistributables. {% endhint %}
It's also possible to see the clear-text passwords sent to PTA agent using the following cmdlet on the machine where the previous backdoor was installed:
Get-AADIntPTASpyLog -DecodePasswords
This backdoor will:
- Create a hidden folder
C:\PTASpy
- Copy a
PTASpy.dll
toC:\PTASpy
- Injects
PTASpy.dll
toAzureADConnectAuthenticationAgentService
process
{% hint style="info" %} When the AzureADConnectAuthenticationAgent service is restarted, PTASpy is “unloaded” and must be re-installed. {% endhint %}
{% hint style="danger" %} After getting GA privileges on the cloud, it's possible to register a new PTA agent by setting it on an attacker controlled machine. Once the agent is setup, we can repeat the previous steps to authenticate using any password and also, get the passwords in clear-text. {% endhint %}
It's possible to use Seamless SSO with PTA, which is vulnerable to other abuses. Check it in:
{% content-ref url="seamless-sso.md" %} seamless-sso.md {% endcontent-ref %}
- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
- https://aadinternals.com/post/on-prem_admin/#pass-through-authentication
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.