gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-09 11:44:59 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
bb72ec46cd0213585d4f955de86afb46ece2f25c
hacktricks-cloud/pentesting-cloud/azure-security/az-device-registration.md
Carlos Polop 5ef56bb6b3 Recreating repository history for branch master
2024-12-12 19:35:48 +01:00

139 lines
8.0 KiB
Markdown
Raw Blame History

# Az - Device Registration
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
When a device joins AzureAD a new object is created in AzureAD.
When registering a device, the **user is asked to login with his account** (asking for MFA if needed), then it request tokens for the device registration service and then ask a final confirmation prompt.
Then, two RSA keypairs are generated in the device: The **device key** (**public** key) which is sent to **AzureAD** and the **transport** key (**private** key) which is stored in TPM if possible.
Then, the **object** is generated in **AzureAD** (not in Intune) and AzureAD gives back to the device a **certificate** signed by it. You can check that the **device is AzureAD joined** and info about the **certificate** (like if it's protected by TPM).:
```bash
dsregcmd /status
```
After the device registration a **Primary Refresh Token** is requested by the LSASS CloudAP module and given to the device. With the PRT is also delivered the **session key encrypted so only the device can decrypt it** (using the public key of the transport key) and it's **needed to use the PRT.**
For more information about what is a PRT check:
{% content-ref url="az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md" %}
[az-primary-refresh-token-prt.md](az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
{% endcontent-ref %}
### TPM - Trusted Platform Module
The **TPM** **protects** against key **extraction** from a powered down device (if protected by PIN) nd from extracting the private material from the OS layer.\
But it **doesn't protect** against **sniffing** the physical connection between the TPM and CPU or **using the cryptograpic material** in the TPM while the system is running from a process with **SYSTEM** rights.
If you check the following page you will see that **stealing the PRT** can be used to access like a the **user**, which is great because the **PRT is located devices**, so it can be stolen from them (or if not stolen abused to generate new signing keys):
{% content-ref url="az-lateral-movement-cloud-on-prem/pass-the-prt.md" %}
[pass-the-prt.md](az-lateral-movement-cloud-on-prem/pass-the-prt.md)
{% endcontent-ref %}
## Registering a device with SSO tokens
It would be possible for an attacker to request a token for the Microsoft device registration service from the compromised device and register it:
```bash
# Initialize SSO flow
roadrecon auth prt-init
.\ROADtoken.exe <nonce>
# Request token with PRT with PRT cookie
roadrecon auth -r 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 --prt-cookie <cookie>
# Custom pyhton script to register a device (check roadtx)
registerdevice.py
```
Which will give you a **certificate you can use to ask for PRTs in the future**. Therefore maintaining persistence and **bypassing MFA** because the original PRT token used to register the new device **already had MFA permissions granted**.
{% hint style="success" %}
Note that to perform this attack you will need permissions to **register new devices**. Also, registering a device doesn't mean the device will be **allowed to enrol into Intune**.
{% endhint %}
{% hint style="danger" %}
This attack was fixed in September 2021 as you can no longer register new devices using a SSO tokens. However, it's still possible to register devices in a legit way (having username, password and MFA if needed). Check: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md).
{% endhint %}
## Overwriting a device ticket
It was possible to **request a device ticket**, **overwrite** the current one of the device, and during the flow **steal the PRT** (so no need to steal it from the TPM. For more info [**check this talk**](https://youtu.be/BduCn8cLV1A).
<figure><img src="../../.gitbook/assets/image (32).png" alt=""><figcaption></figcaption></figure>
{% hint style="danger" %}
However, this was fixed.
{% endhint %}
## Overwrite WHFB key
[**Check the original slides here**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf)
Attack summary:
* It's possible to **overwrite** the **registered WHFB** key from a **device** via SSO
* It **defeats TPM protection** as the key is **sniffed during the generation** of the new key
* This also provides **persistence**
<figure><img src="../../.gitbook/assets/image (34).png" alt=""><figcaption></figcaption></figure>
Users can modify their own searchableDeviceKey property via the Azure AD Graph, however, the attacker needs to have a device in the tenant (registered on the fly or having stolen cert + key from a legit device) and a valid access token for the AAD Graph.
Then, it's possible to generate a new key with:
```bash
roadtx genhellokey -d <device id> -k tempkey.key
```
and then PATCH the information of the searchableDeviceKey:
<figure><img src="../../.gitbook/assets/image (36).png" alt=""><figcaption></figcaption></figure>
It's possible to get an access token from a user via **device code phishing** and abuse the previous steps to **steal his access**. For more information check:
{% content-ref url="az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md" %}
[az-phishing-primary-refresh-token-microsoft-entra.md](az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md)
{% endcontent-ref %}
<figure><img src="../../.gitbook/assets/image (37).png" alt=""><figcaption></figcaption></figure>
## References
* [https://youtu.be/BduCn8cLV1A](https://youtu.be/BduCn8cLV1A)
* [https://www.youtube.com/watch?v=x609c-MUZ\_g](https://www.youtube.com/watch?v=x609c-MUZ_g)
* [https://www.youtube.com/watch?v=AFay\_58QubY](https://www.youtube.com/watch?v=AFay_58QubY)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in New Issue View Git Blame Copy Permalink