Tag: Metasploit Module

New Metasploit Module: Azure AD Login Scanner
Summary

In June of 2021, Secureworks Counter Threat Unit (CTU) discovered that the protocol used by Azure Active Directory (AD) Seamless Single Sign-On (SSO) allows for brute-forcing usernames and passwords without generating log events on the targeted tenant. In addition to brute-forcing credential pairs, the Azure endpoint returns error codes that allow for username enumeration. This post details the vulnerable endpoint, and how it can be exploited to brute-force usernames and passwords in a succinct Metasploit module.

Vulnerability Description

In addition to the normal Azure AD authentication workflow for SSO, which utilizes Kerberos, the usernamemixed endpoint of Autologon accepts single-factor authentication. Authentication attempts to this endpoint are in XML, as shown here:

The Autologon endpoint takes these credentials and sends them to Azure AD to authenticate the user. If the credentials are valid, the authentication is successful, and the Autologon endpoint responds with XML containing a DesktopSsoToken, which is used to further connect and authenticate with Azure AD. When a successful logon occurs, Azure AD properly logs the event.

However, on authentication attempts that are unsuccessful, the authentication attempt does not get logged by the tenant. If the credentials are invalid, the Autologon endpoint responds with XML containing a specific error code for the authentication attempt, as shown here:

The error code provided in this response can be further used to determine valid usernames, whether MFA is needed, if the user has no password in Azure AD, and more. The error codes used in the Metasploit module I developed are shown below:

Metasploit Module

The Metasploit module (auxiliary/scanner/http/azure_ad_login) can enumerate usernames or brute-force username/password pairs based on the responses from the Autologon endpoint described above. If you have a target tenant using Azure AD SSO and usernames/passwords to validate, you can use this module by setting the following variables:
- DOMAIN – The target tenant’s domain (e.g., bionicle.dev)
- USERNAME or USER_FILE – A single username to test or a file containing usernames (one per line)
- PASSWORD or PASS_FILE – A single password or a file containing passwords (one per line)
When you run the module, every username/password pair is tested using the authentication XML request shown above to validate the pairing. When a valid username/password pairing is found, the DesktopSsoToken is also displayed to the user, as shown here:

Remediation and Protection

As of the writing of this post, there is no direct remediation to this vulnerability if your organization is using Azure AD with Single Sign-On. Microsoft has deemed this part of the normal workflow, and thus there are no known plans to remediate the endpoint. From a defender’s point of view, this vulnerability is particularly difficult to defend against due to the lack of logs from invalid login attempts. Raxis recommends the following to help defend against this vulnerability:
- Ensure users set strong passwords in Active Directory by having a strong password policy.
- Enable Multi-Factor Authentication on all services that may use AD credentials in case a valid username/password pair is discovered.
- Consider setting a Smart Lockout policy in Azure that will lock out accounts targeted by brute-force attacks. This won’t help with password spraying, but will for single user brute-forcing.
- Monitor for unusual successful logins from users (e.g. unusual locations).
- Educate users about password hygiene so that they can learn to set strong passwords that won’t be caught by password spraying attacks.
Metasploit Module Details
- Module Code: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/azure_ad_login.rb
- Module Documentation: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/azure_ad_login.md
- Original Pull Request: https://github.com/rapid7/metasploit-framework/pull/15755
References
- https://arstechnica.com/information-technology/2021/09/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/
- https://github.com/treebuilder/aad-sso-enum-brute-spray
November 23, 2021
Meet the Team: Matt Mathur, Lead Penetration Tester

Hi, I’m Matt Mathur. A few days ago, I did an interview with Jim, our marketing guru. The idea is to introduce you to Raxis through the eyes of our team, how we found our way to this profession, and to help you understand what drives our passion for penetration testing. Read on to learn more about my personal story, and if you’re interested in joining our team, check out our careers page and see if you might be a good fit.

Jim: Tell me a little about your background. How long have you been with Raxis?

Matt: I grew up on Long Island in New York and got my B.S. in Computer Science from Northeastern University in Boston. I now live in Philadelphia with my fiancée Natasha, who’s finishing up medical school. I joined the Raxis team last November after working on building some automated attack tools to assist in cybersecurity testing and training.

Jim: How did you come to focus on cybersecurity?

Matt: Well, I had some experience as a software engineer, in malware research and other security research before turning towards offensive security. I liked all those things, but the idea of offensive security – of using our hacking ability to help companies become more secure is really what excites me.

Jim: Helping people seems to be a theme in your career and in your personal life. Is that right?

Matt: Yeah, I think that’s really what led me to cybersecurity in the first place, helping people protect their users and important data. Outside of that, I try to volunteer at organizations such as Black Girls Hack and Women’s Society of Cyberjutsu to help empower people to succeed in cybersecurity. I’m also just inspired by Natasha, who is helping people every day.

Jim: How does working on the Raxis team fit into that mix?

Matt: When we help companies remediate vulnerabilities, we’re helping them secure their users, data, and company. The team is passionate about this, and about helping other security researchers by sharing knowledge with the community.

Jim: Help our readers and me understand what you mean by that.

Matt: The Raxis team is fully remote, and we’re constantly updating each other on the newest attacks, tools, and vulnerabilities. On top of that, we’re encouraged to publish our findings, tools, and techniques to help others in the community remediate them too.

Jim: Do you have an example?

Matt: Sure, I recently published a Metasploit Module based on a new vulnerability I discovered in Microsoft’s Remote Desktop Web Access application. This module helps people detect the vulnerability, and Raxis not only gave me the time to work on this, but also actively encouraged it. The team celebrates these things, and the same is true for team members who earn new certifications, find creative ways to breach a customer’s network, or develop other tools.

Jim: You’ve talked about a lot of advantages to being part of the Raxis team. What’s your favorite part of the job?

Matt: Outside of being able to use offensive security to help people, I like being challenged while learning new things. Outside Raxis, I like to play strategic games like MtG, go hiking and biking, and improve my cooking and baking. These are varied, but it’s nice to get outside my cybersecurity headspace.

With that said, my favorite part about the job is that it’s an ongoing challenge. We work with clients in various industries with vastly different networks, applications, and security postures. Even very similar companies can have entirely different tech stacks, so there’s constantly room to learn.

August 6, 2021
Remediating Account Enumeration Vulnerabilities

In this video, I explain a little about account enumeration vulnerabilities, why it is important to protect against them as well as discuss the three most common types of account enumeration we find during Raxis penetration tests.

Account enumeration is a common vulnerability that allows an attacker who has acquired a list of valid usernames, IDs, or email addresses to verify whether or not a user exists in a system. User privacy alone is a good reason to remediate this issue, but hackers can use this information to craft phishing or spear-phishing attacks or to help brute-force their way into your network.

As the video demonstrates, the best defense against account enumeration is consistency. Make sure your login and password reset responses are the same so you don’t inadvertently provide valuable information to a malicious actor. The same goes for timing: Make sure there is no difference between valid and invalid log-in attempts.

Raxis is ready to help make sure you are as secure as possible. We will treat your network just like a hacker — only better — because we won’t actually cause any harm, and we’ll tell you where the cracks are and show you how to fix them.

If you’re ready for our team to put your system to the test, contact us today.

April 9, 2021