[...] Active Directory Hacking Wars. Well, we can start now. Hello everyone. I'm Batuhan Sancak. My nickname is Nulix 3D in cyber culture. I'm living in Turkey and I'm an undergraduate student of management information systems at Düzey University. I'm currently working on web application security and vulnerable virtual machines in my daily life. I would prefer to meet all of you in person, but unfortunately the pandemic is preventing it. Please don't forget to wear your mask. It's for sure very important for our health. In this presentation I will be talking about attack methods for Azure Active Directory systems. When the presentation is over, you can find the links to the documents I have used on my personal blog. Anyway, now let's go.

If you want to exploit a system, you must know it well. You must understand and know it. To do this, we need to get to know Azure and Active Directory technology more closely.

Okay, what is Azure? Azure is one of the most popular cloud services today. It has 15.4 million customers worldwide. 95% of Fortune 500 companies use Azure. If you look at it from the hacker's point of view, that's perfect. Don't forget, the golden rule of hacking states that too many users equals too much risk. Microsoft Azure, commonly referred to as Azure, is a cloud computing service created by Microsoft for building, testing, deploying and managing applications and services through Microsoft-managed data centers.

What is Active Directory technology? Active Directory technology is used for the server and client relationship. Its purpose is to allow users to access some information on the server side. These accesses are restricted for users. Access to some information is gained with the permissions given to the user by the system administrator. It stores all the information in its own DB. Active Directory technology entered our lives for the first time with Windows Server 2000.

Well, what is Azure Active Directory, and who uses Azure Active Directory?
Azure Active Directory is a cloud-based user access service. Azure users access external resources such as Microsoft tools, the Azure portal and thousands of other SaaS applications. Common examples: mail, calendaring and office tools. Okay, who uses Azure systems? Information technology admins, application developers and Microsoft subscribers use Azure Active Directory.

Understanding roles and permissions. Until this chapter we have become familiar with the fundamental features of Azure technology. Now we will look at Azure roles and permissions together. You can see these permissions in the role definition. For example, the highest role is the global admin role. Apart from this, there are many administrative roles. With the global admin role, you can list anything. For example, you can list all applications.

Active Directory integration. The user can use the same credentials on the company network and in the cloud. For this, the password hashes must be equal. Companies generally use password hash synchronization. Well, what is password hash synchronization? Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash of the hash of a user's password from an on-premises Active Directory instance to a cloud-based Azure Active Directory instance. You can look at the flowchart and review the steps.

Azure Active Directory offers many basic security features. These make it easier to help protect your organization from attacks. By default, Azure Active Directory applies the following policies. First of all, all users have to register for Azure Active Directory multi-factor authentication. Secondly, administrators have to perform multi-factor authentication. Then, blocking legacy authentication protocols. Finally, protecting privileged activities such as accessing the Azure portal.

Protecting administrators. There are users who have more access to the system.
These accounts need to be protected because of their strength. Azure Active Directory sensitive management groups require additional authentication each time they log on. These accounts are Global Administrator, SharePoint Administrator, Exchange Administrator, etc.

Conditional Access policy. Conditional Access is used by Azure Active Directory to aggregate signals, make decisions, and enforce organizational policies. Signals to consider when making a policy decision on Conditional Access are user or group membership, application, Microsoft Cloud App Security, IP location information, device, and real-time and calculated risk detection.

Azure role-based access control. Excuse me. Azure role-based access control is an authorization system built on Azure Resource Manager. It provides granular access management of resources in Azure. It helps you control the level of access users have. There are four main roles. Owner, who has full access, including the right to grant others access. Contributor, who can't grant access to others but can create and manage any type of Azure resource. Reader, who can view Azure resources. User Access Administrator, who can manage user access to Azure resources.

We have become familiar with Azure technology up to this part of the presentation. Let's look at the offensive side now. We will examine attack methods and talk about their reasons. This might be the most exciting part for me. Sometimes you can get confused. You may not know where to start. The most important stage of an attack is the planning stage. You must plan the attack correctly. It would be helpful to have a roadmap. Moving in stages will lead you to success. With this image, we can follow the steps one by one.

One of the first things we need to do is a product check: does the company use Azure Active Directory? I left a simple screenshot and address for you. You can check by changing the company name in the address bar. Step 2. The company is using Azure Active Directory.
What can we do now? Azure uses different domains for its services. We can list all of them and multiply the targets. A cyber security researcher named Karl Fosaaen published a study. His work enumerates the domain names with a script he wrote. This way you can expand the scope of your target. You can choose the one that will have the most devastating effect.

The next step here is to get a valid email from the target system. o365creeper can be used for this process. o365creeper is a Python tool used to validate emails of Office 365 tenants. It takes a single email or an email list as input. The basic action the tool does is to send a request to the Office 365 login endpoint and look at the IfExistsResult value. If it is a valid account, it will return 0. It will return 1 if not valid.

We will launch a spray attack with the information we collect. We found out that the system is using Azure. We scanned the different domains to gather information. We examined social media accounts to get the necessary mailing list: LinkedIn, etc. We gather all the findings together. In this step, we will use the spray attack. This method may sound simple. It might sound funny, I'm aware. But basic passwords are everywhere, aren't they? If humans exist, there is no complete system security. The MailSniper tool was used in this attack. I brought the GitHub link for you. It's a nice tool. I recommend it.

Up to this point, we talked about a few techniques with steps. Now we will continue with different techniques. SPN scanning. Do you want to explore services in an Active Directory environment? My suggestion for you is SPN scanning. With SPN scanning, you can discover services in the Active Directory environment. Alright, why SPN? First, it's very easy to check service ports with SPN scanning, because it does not need a connection to all IP addresses. SPN scanning performs service discovery with LDAP queries to a domain controller. SPN is part of the Kerberos ticket behavior. This makes it difficult to detect.
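Added example, not part of the talk: an offline Python sketch of the two reconnaissance checks just described, the tenant check by company domain and the o365creeper-style validity check. The openid-configuration and GetCredentialType endpoints of login.microsoftonline.com are the public ones such tools use, and the IfExistsResult meanings (0 = valid, 1 = invalid) are as the talk states; every response body below is a constructed sample, the domain and e-mail addresses are fictitious, and nothing here performs network I/O.

```python
"""Offline helpers for Azure AD tenant discovery and o365creeper-style user validation.

The functions build the request that a scanner would send and interpret the
response it would get back. All sample responses are constructed for this
example; they are not captured traffic.
"""
import json
from urllib.parse import quote

# Public endpoints used by tenant checks and by o365creeper-style tools.
OPENID_CONFIG = "https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"
GET_CRED_TYPE = "https://login.microsoftonline.com/common/GetCredentialType"


def tenant_config_url(domain):
    """URL whose response tells whether `domain` is backed by an Azure AD tenant."""
    return OPENID_CONFIG.format(domain=quote(domain, safe=""))


def tenant_exists(status, body):
    """Interpret an openid-configuration response.

    A registered tenant answers 200 with an 'issuer' field; an unknown domain
    answers 400 with an AADSTS90002 'Tenant ... not found' error.
    """
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False
    return "issuer" in doc


def credential_type_request(email):
    """JSON body POSTed to GET_CRED_TYPE by o365creeper-style tools."""
    return {"Username": email, "isOtherIdpSupported": True}


def interpret_if_exists(body):
    """Map GetCredentialType's IfExistsResult to a verdict.

    0 -> account exists, 1 -> account does not exist (the two values the talk
    mentions); any other code is reported as 'unknown' rather than guessed.
    """
    code = json.loads(body).get("IfExistsResult")
    return {0: "valid", 1: "invalid"}.get(code, "unknown")


def triage_emails(responses):
    """Bucket candidate e-mails by verdict, given their GetCredentialType responses."""
    out = {"valid": [], "invalid": [], "unknown": []}
    for email, body in responses.items():
        out[interpret_if_exists(body)].append(email)
    return out


# Constructed sample responses (shape follows the real endpoints; values are made up).
SAMPLE_TENANT_OK = (200, json.dumps({
    "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"}))
SAMPLE_TENANT_MISSING = (400, json.dumps({
    "error": "invalid_tenant",
    "error_description": "AADSTS90002: Tenant 'nosuchcompany.example' not found."}))
SAMPLE_CRED_RESPONSES = {
    "alice@company.example": json.dumps({"Username": "alice@company.example", "IfExistsResult": 0}),
    "nobody@company.example": json.dumps({"Username": "nobody@company.example", "IfExistsResult": 1}),
    "bob@company.example": json.dumps({"Username": "bob@company.example", "IfExistsResult": 5}),
}

if __name__ == "__main__":
    print(tenant_config_url("company.example"))
    print("tenant exists:", tenant_exists(*SAMPLE_TENANT_OK), tenant_exists(*SAMPLE_TENANT_MISSING))
    print(credential_type_request("alice@company.example"))
    print(triage_emails(SAMPLE_CRED_RESPONSES))
```

The 'unknown' bucket is deliberate: the endpoint returns other codes (for example for accounts handled by a different identity provider), and treating everything that is not 0 as "no such user" would silently drop targets from a spray list.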
SPN is a good option for the discovery phase.

DCShadow. On January 24th, 2018, Benjamin Delpy and Vincent Le Toux, two security researchers, released during a security conference a new attack technique against Active Directory infrastructure, namely DCShadow. The DCShadow attack is a feature available in the Mimikatz lsadump module and it is a post-exploitation attack. The purpose of this attack is to create a fake Active Directory domain controller in the system and destroy other domains in the same Active Directory. It is to inject attacker-created Active Directory objects into domain controllers. While performing this attack, the attacker must have compromised an account with permissions such as Active Directory administrator rights or the KRBTGT account password hash. In this way, the attacker can register a fake domain controller in the Active Directory configuration for later access. [unintelligible] So you could see user [unintelligible] and can modify the domain access control to create a vector. [unintelligible]

I still say that we will talk about different methods in a limited time. [unintelligible] We are talking about conditional access policies. [unintelligible] Azure Active Directory. We will use service principals for the backdoor at this stage.
We will assign IDs to them. We will list the applications with the Get-AzureADApplication command, and list the linked service principals with the Get-AzureADServicePrincipal command. With Azure, regular users can create and register applications. But they must be authorized by a global admin or application admin for higher privileges. If one of these authorized accounts is compromised, the attack may continue. Then the relevant user's credentials can be added. Permissions can be listed again with the Get-Azure command. You can now connect to the Azure Active Directory with this user. The important thing here is to be an application manager, even for a short time. If you give all permissions for the application to a normal user, you can do everything with the normal user.

OK, Skeleton Key. Skeleton Key allows an attacker to authenticate as any domain user on the network using a master password. You can access it with misc::skeleton in Mimikatz.

Windows authentication. Windows uses two different methods for authentication on the network: one, NTLM; two, Kerberos. These authentication packages are DLLs. They are loaded into the Local Security Authority Subsystem Service (LSASS) process and client processes.

Authentication with Skeleton Key. The Skeleton Key attack changes both authentication methods. It injects itself into LSASS during NTLM authentication. It creates a master password for every account in the domain. Any domain user can use the Skeleton Key password to log in. Besides, the real users will still be able to log in with their original passwords. Kerberos encryption will be downgraded to an algorithm where salting cannot be used. With Skeleton Key, the hash from Active Directory will be swapped. The master password hash injected into LSASS will be compared with the Skeleton Key hash instead of the one in the AD database. So the authentication will be successful. The master password hash will always be verified on the server side with the hash we changed in the Active Directory.
Domain admin privileges are required for this attack to occur.

Okay, SSO, single sign-on. Yes. What is Azure Active Directory Seamless Single Sign-On? Single sign-on technology is used for automatic login. Users log in automatically with their corporate device within the corporate network. A nice convenience for daily use. Users sometimes don't even need a username. But is this a good option? Maybe sometimes. If the user wants to connect to Azure, the system provides the ticket to the user. When using the single sign-on feature, it is encrypted with the password of a computer account named Azure AD SSO. Single sign-on and Kerberos have similar properties, including flaws. If multi-factor authentication is disabled, the user's service tickets can be used for user violation. This technique is also referred to as silver ticket. We need Mimikatz for the silver ticket attack. If we have some values, we can carry out the attack. These values are: the username of the user to impersonate, the target device, the domain name, the NTLM hash of the Azure Active Directory SSO account, and the SID of the user to impersonate. At the end of the day you can attack like this. It will probably be successful during the attack. The important thing is that multi-factor authentication must be disabled. Sorry.

At this stage, we basically talked about various attack techniques. In the next step, we will examine the measures to be taken from the perspective of a blue team and system administrator.

Azure defense and defense in depth. Defense in depth is a security approach in which an attack that is not caught by one layer's controls can be detected by another layer. This is an approach based on catching the attack. It is also called castle defense, because the layers are [unintelligible]. If we talk about these layers, they have the following structure.

Okay. Physical defense. First line of defense.
This is where Microsoft comes into play. It provides control and physical security of Azure data centers. Only authorized personnel can access these areas.

Identity and access. All existing Azure resources are managed and controlled by Azure Active Directory. As you may remember, we talked about Azure role-based access control. Resource access is controlled with role-based access control. Apart from that, you can manage and control access to important resources with Privileged Identity Management. Multi-factor authentication should be used.

Perimeter. DDoS attacks are one of the big problems faced by customers moving their applications to the cloud. Azure provides DDoS protection for this. Application traffic is monitored all the time. If an attack is detected, Azure DDoS Protection is automatically activated.

Network. With Azure Security Center you can filter inbound and outbound traffic with network security groups. Other than that, only the necessary traffic should be allowed in the network. Communication between resources should be limited.

Compute. Azure Security Center provides the capability to detect threats such as SQL injection and RDP brute force attacks. Just with this we cannot provide security. We need to keep the systems we use patched and up to date.

Application. [unintelligible] Client requests are examined, along with the IP address, in a way that detects a possible violation by checking the changes in the request parameters. It allows you to write firewall rules. We also need to keep sensitive application data in secure storage. If we are developing applications, we need to integrate security into the life cycle and make it a design requirement.

Data. Because data is important to us, we need to keep it in secure storage. Authentication on access to the data can be achieved here with control.

Azure Active Directory security procedures.
It's recommended that we do some things when creating security operations for our Azure environment. One is to audit account passwords and authentication methods to help prevent common attack vectors. Another is to develop a continuous monitoring and alerting strategy to recognize a potential threat.

Azure Active Directory creates a common user identity for authentication and authorization for all resources. This is called hybrid identity. If you want to achieve a hybrid identity, there are three methods you can use. The first one is password hash synchronization. And you can use pass-through authentication and federation.

Password protection. Azure Active Directory Password Protection blocks known weak passwords, their variants and organization-specific weak terms. Public and private prohibited password lists are used. It checks cloud-based changes and the passwords in the company. These checks occur during password change and password reset events.

Azure Active Directory audit logs. You can access records of system activities with Azure Active Directory audit logs: updates applied by users in the system, password changes, what administrators do in a directory, changes of group owners, creation of new groups, edits, etc. It keeps records of many operations such as these events. The Azure Active Directory portal provides access to three activity logs. One, sign-ins, provides information about logins and user resource usage. Two, audits, provides information about changes applied to the tenant and updates applied to resources, such as user and group management. Three, provisioning, provides information about the activities performed by the provisioning service, such as group creation in ServiceNow or a user imported from Workday.

Okay. Azure Active Directory multi-factor authentication. Finally, multi-factor authentication is a process in which an additional credential is requested at login. The user only has a password.
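Added example, not part of the talk: detection logic in Python for the service-principal backdoor described in the offensive part of the talk, run over the Azure Active Directory audit logs just described. The records follow the field layout of the Microsoft Graph directoryAudit schema, but the records themselves are constructed for this example, and the activity names, the role list and the 24-hour window are illustrative assumptions. It flags every successful credential added to an application or service principal and raises the severity when the actor was put into an application-admin role shortly before, which is the "application manager, even for a short time" case the talk warns about.

```python
"""Hunt for application / service-principal credential backdoors in Azure AD audit logs.

Record layout follows the Microsoft Graph directoryAudit schema (activityDateTime,
activityDisplayName, initiatedBy, targetResources, modifiedProperties). The records
below are constructed; the activity names, roles and the 24-hour window are
assumptions chosen for this example.
"""
from datetime import datetime, timedelta

# Audit activities that add a secret or certificate to an app or service principal (assumed set).
CREDENTIAL_EVENTS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}
# Roles that let a user add credentials to any application (assumed set).
APP_ADMIN_ROLES = {
    "Application Administrator",
    "Cloud Application Administrator",
    "Global Administrator",
}
RECENT_GRANT_WINDOW = timedelta(hours=24)  # assumed threshold for "granted shortly before"


def _when(record):
    """Parse activityDateTime (ISO 8601 with a 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(record["activityDateTime"].replace("Z", "+00:00"))


def _actor(record):
    """UPN of the user that initiated the event, or None for service-initiated events."""
    return record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")


def role_grants(records):
    """Map UPN -> [(time, role)] for 'Add member to role' events into APP_ADMIN_ROLES.

    The granted user appears as a 'User' target resource whose modifiedProperties
    carry Role.DisplayName; newValue is a JSON-quoted string, hence the strip('"').
    """
    grants = {}
    for r in records:
        if r.get("activityDisplayName") != "Add member to role":
            continue
        upn, role = None, None
        for target in r.get("targetResources", []):
            if target.get("type") == "User":
                upn = target.get("userPrincipalName")
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") == "Role.DisplayName":
                    role = prop.get("newValue", "").strip('"')
        if upn and role in APP_ADMIN_ROLES:
            grants.setdefault(upn, []).append((_when(r), role))
    return grants


def detect_credential_backdoors(records):
    """Return findings for successful credential additions, ordered by time.

    Severity is 'high' when the actor received an app-admin role within
    RECENT_GRANT_WINDOW before adding the credential, otherwise 'medium'.
    """
    grants = role_grants(records)
    findings = []
    for r in records:
        if r.get("activityDisplayName") not in CREDENTIAL_EVENTS or r.get("result") != "success":
            continue
        when, actor = _when(r), _actor(r)
        targets = [t.get("displayName") for t in r.get("targetResources", [])
                   if t.get("type") in ("Application", "ServicePrincipal")]
        severity, reason = "medium", "credential added to application or service principal"
        for granted_at, role in grants.get(actor, []):
            if timedelta(0) <= when - granted_at <= RECENT_GRANT_WINDOW:
                severity = "high"
                reason = f"credential added {when - granted_at} after actor was granted {role}"
                break
        findings.append({"time": when, "actor": actor, "targets": targets,
                         "severity": severity, "reason": reason})
    return sorted(findings, key=lambda f: f["time"])


# Constructed sample records (fictitious tenant, users and applications).
SAMPLE_RECORDS = [
    {   # routine admin work: certificate added by a long-standing admin, no recent role grant
        "activityDateTime": "2021-03-01T10:00:00Z",
        "activityDisplayName": "Update application - Certificates and secrets management",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice.admin@company.example"}},
        "targetResources": [{"type": "Application", "displayName": "hr-portal"}],
    },
    {   # mallory is made Application Administrator...
        "activityDateTime": "2021-03-02T09:00:00Z",
        "activityDisplayName": "Add member to role",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice.admin@company.example"}},
        "targetResources": [{
            "type": "User", "userPrincipalName": "mallory@company.example",
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "newValue": "\"Application Administrator\""}],
        }],
    },
    {   # ...and twenty minutes later plants a secret on a privileged service principal
        "activityDateTime": "2021-03-02T09:20:00Z",
        "activityDisplayName": "Add service principal credentials",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "mallory@company.example"}},
        "targetResources": [{"type": "ServicePrincipal", "displayName": "finance-automation"}],
    },
    {   # failed attempt: not a finding
        "activityDateTime": "2021-03-02T09:21:00Z",
        "activityDisplayName": "Add service principal credentials",
        "result": "failure",
        "initiatedBy": {"user": {"userPrincipalName": "mallory@company.example"}},
        "targetResources": [{"type": "ServicePrincipal", "displayName": "finance-automation"}],
    },
]

if __name__ == "__main__":
    for f in detect_credential_backdoors(SAMPLE_RECORDS):
        print(f["severity"].upper(), f["time"].isoformat(), f["actor"], f["targets"], "-", f["reason"])
```

The medium finding for the long-standing admin is still worth reviewing: a credential added to an application is an authentication path that outlives the session that created it, and the role that allowed it can be removed afterwards without revoking the credential.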
If the password is used, a second security factor must still be provided, despite the weakness or lack of the password. Azure Active Directory multi-factor authentication methods work with at least two authentication methods: something we know, such as a password; something we have, such as a phone or hardware key; and something that belongs to us, like a fingerprint or face scan.

Okay, well, throughout our work we touched on different concepts. We looked at Azure technology. We talked about how it works. We then touched on some of the attack techniques. Finally, we wrapped up with a defensive perspective. We touched on the basic techniques. I believe that it is [unintelligible]. I hope we agree. I'm not very good at closing speeches, but I have something to say. Excuse me. I would like to thank the Cloud Village for their support during the study. Finally, love and protect children. They are our future. Thank you for listening to me. I wish you a good day and good work. Goodbye. Have a nice day.