
BG - All You Need is Guest: Beyond Enumeration

BSides Las Vegas · 46:44 · 77 views · Published 2023-10
About this talk
Breaking Ground, 17:00 Tuesday

Azure AD guest accounts are widely used to grant external parties limited access to enterprise resources, with the assumption that these accounts pose little security risk. As you're about to see, this assumption is dangerously wrong. In this talk, we will show how guests can leverage undocumented APIs to bypass limitations and gain unauthorized access to sensitive business data and capabilities, including corporate SQL servers, SharePoint sites, and Key Vault secrets. Furthermore, we will reveal how guests can create and control internal business applications to move laterally within the organization. All capabilities presented in the talk will be demonstrated with the default Office 365 and Azure AD configuration. Next, we will drop PowerGuest, a powerful tool designed to uncover the true scope of guest access in your tenant. PowerGuest can automate limitation bypass, enumerate and dump all accessible data, and allow for interactive non-read actions by the researcher. Finally, we will make up for shattering the illusion of guests having limited access by sharing concrete steps to harden your Azure AD and Office 365 configurations to prevent such attacks, and suggest detection logic to catch them if a change in configuration is not possible.

Speaker: Michael Bargury
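As an added defender-side example (not the speaker's PowerGuest tool and not code from this page), the PowerShell audit below lists Power Platform connections that have been shared with the whole tenant, the "Everyone" audience that puts a connection's wrapped credentials within reach of every directory account, guests included. It assumes the Microsoft.PowerApps.Administration.PowerShell module, a Power Platform admin sign-in, and that the module's role-assignment and connection objects expose the PrincipalType, RoleType, RoleId and CreatedBy members named in the comments.

```powershell
# Added audit example (not the speaker's PowerGuest tool): find Power Platform
# connections whose sharing includes the whole tenant. A connection wraps stored
# credentials (OAuth/refresh token, username/password or client secret), so a
# tenant-wide share hands those credentials to every account in the directory.
# Requires the Microsoft.PowerApps.Administration.PowerShell module and an admin sign-in.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount

function Get-TenantSharedConnection {
    $findings = foreach ($env in Get-AdminPowerAppEnvironment) {
        foreach ($conn in Get-AdminPowerAppConnection -EnvironmentName $env.EnvironmentName) {
            $assignments = Get-AdminPowerAppConnectionRoleAssignment `
                -EnvironmentName $env.EnvironmentName `
                -ConnectionName  $conn.ConnectionName `
                -ConnectorName   $conn.ConnectorName

            # Assumption: a share with "Everyone" comes back as a role assignment whose
            # PrincipalType is 'Tenant'; user and group shares use 'User' / 'Group'.
            $tenantWide = @($assignments | Where-Object { $_.PrincipalType -eq 'Tenant' })
            if ($tenantWide.Count -gt 0) {
                [pscustomobject]@{
                    Environment = $env.DisplayName
                    Connector   = $conn.ConnectorName        # e.g. shared_sql
                    Connection  = $conn.DisplayName
                    Owner       = $conn.CreatedBy.email      # assumption: CreatedBy carries the creator's email
                    TenantRole  = ($tenantWide.RoleType -join ',')   # CanView / CanEdit / CanViewWithShare
                    RoleIds     = $tenantWide.RoleId         # needed to revoke the share
                }
            }
        }
    }
    return $findings
}

$shared = Get-TenantSharedConnection
$shared | Sort-Object Connector, Connection |
    Format-Table Environment, Connector, Connection, Owner, TenantRole -AutoSize

# Revoking a tenant-wide share (after confirming with the connection owner) uses the
# RoleId of the offending assignment:
#   Remove-AdminPowerAppConnectionRoleAssignment -RoleId <RoleId> -EnvironmentName <env> `
#       -ConnectionName <connection> -ConnectorName <connector>
```

Run it per tenant on a schedule and diff the output; a new row is a business user sharing credentials with the whole directory, which is the exact condition the talk exploits.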
Transcript (en)

[Host] Good afternoon everyone, and welcome back to BSides Las Vegas. This is the Breaking Ground track. Our next talk is "All You Need is Guest: Beyond Enumeration" by Michael Bargury. Before we get started, a couple of quick announcements. We would like to thank our sponsors, especially our Diamond sponsor Adobe and some of our Gold sponsors, Prisma Cloud, Semgrep and Toyota. It's their support, along with our other sponsors, donors and volunteers, that makes this event possible. These talks are going to be streamed live, and as a courtesy to our speakers we're going to ask that you please make sure that your cell phones are on silent. Without further ado, Michael Bargury. [Applause]

Okay, does this work? Can you hear me? All right. So first of all, thank you for staying with me. I know it's kind of late in the day, and it's later in the day for all of us, so I think we can make this a more chill kind of talk. If you have questions, if you have comments, if you want to say that I'm wrong somewhere, just shout out during the talk, okay? Don't wait for the end.

Before I explain anything, let me do a quick slide-based demo. Say you have access to an Azure Active Directory guest account. We've all received these emails where you get invited to somebody else's tenant. It could happen because you work with them, you're a contractor or something. When you actually log in to this guest account and you go to their tenant, by default you'll find nothing there, because guests don't have access to anything unless somebody actively gives them the access. What we're going to show today is that this is definitely not true. The tool that I'm going to release in this talk is going to produce for you, with a guest account, SQL servers, Azure resources. I'm not talking about enumeration here, I'm talking about a full dump of all of the data behind all of these resources. This is a true example; you'll understand what's going on here at the end of this talk. And yeah, there's also a dump.

So now that I hopefully have your attention: hi, my name is Michael. I am focused on security for low-code/no-code apps, which is the kind of applications that business users are building. I've been doing that for about four years now. There's a bunch of research I put out there, so if you're interested in this topic, please reach out afterwards. We're looking for more smart people to focus on this area, so reach out to me.

Before we understand what's going on here, we need to spend a brief moment understanding what guests are, what this mechanism actually is. The scenario is that you want to be able to share with someone. I work for a small company, like a 20-25 people startup, and we work with very large enterprises, and so in most cases we need to find a way to collaborate on files. You need to share decks, you need to share legal docs, and there are multiple ways in which you can share those docs around. One thing you can do, which is pretty obvious, is just share those files over email. It's kind of funny, but we've all done that. You can also just trust a random website on the internet, which is also something that we've all done. I found out that you can also do this in real life: there are USB ports all around the world, you can just plug in your computer and drop whatever you'd like. That's a real thing; check out the website, it's really cool.

What you can also do is invite those guests into your tenant, and that's actually what Azure guests is all about. Basically the idea is that you bring people into your tenant and then two things happen. One is that they can bring their own identities, which means you don't have to worry about how they authenticate, and two, you are still in control. Those are two significant promises to try and hold together, so let's try and figure out what exactly that means. In order for this mechanism to actually work, two things need to hold. One is that it needs to be very easy to onboard: every vendor, every contractor uses a different thing, and they need to be able to get on your tenant quickly. The second thing is that it of course needs to be easy to control, because otherwise you've just invited a guest into your tenant, and what could happen? So let's try and figure out these two things.

[Audience] Excuse me, can you try to bring your mic a bit higher up?

Yeah. Does it help in any way? We'll see.

All right, so the first thing I need to prove to you is that getting a guest on is very easy, and while I talk you can see that I'm inviting myself as a guest, with a bunch of different ways to do that through Microsoft. Notice that all of these options to invite guests are embedded into productivity apps. You own a Teams channel or you own a SharePoint site, you just want to collaborate with someone, so you plug in their email and it invites them as a guest. This is a decision that a business user makes, not a decision that an admin makes. So this is very easy to achieve, and actually when you look at the tenant of any large enterprise, in most of them you'll find lots of guests. You can go down the very strict route of cutting this and not using this feature, but then, well, how do you share files? We've seen the other options. So it's very easy to get guests in; in some cases it might even be too easy.

So again, this is the email that you receive as a guest. Actually, in a talk last year, Dirk-jan showed that you can hijack guest accounts. In a talk at Black Hat last year he showed that you can hijack guest invites that were not redeemed and then redeem them yourself with any email address that you'd like. This was actually fixed, but this was a pretty cool thing, because any user in the organization could just query open invites and then just grab them. So it's very easy to get guests in; I think that's pretty established. The second thing that I need to prove to you is that it's still easy to control, it's easy for IT and security to control. So let's see that part.

In order to do that we need to understand how Azure Active Directory guests actually work. On the vendor side, the partner side, you could be using any type of identity provider. You could be using another Azure AD account, but you can also use G Suite or Okta or whatever you'd like. The way it works is that it creates a link between those two directories, so you get authenticated with your home tenant and your guest tenant just trusts that authentication. The cool thing about it is that because it's done this way, all of the security controls that Microsoft provides for you apply. So if you have conditional access, MFA enforced, whatever you'd like, this all gets enforced automatically on guests, which is awesome, right? This is a really cool mechanism.

One thing that we need to understand, though, is that in order to give somebody guest access we want security controls, because otherwise you've just invited somebody into your tenant and they can do whatever they like. In order to get security controls we need to have an AAD account, because otherwise we can't apply the security mechanisms that we already have as an enterprise. And so in order to have that account, we need to grant access to AAD, which actually grants full access to your tenant. So what's actually happening here? The crucial piece is that you don't get full access; you get access that's denied by default, you get access that gives you access to nothing, basically. So if I invited you through Teams, you'll only get access to that specific Teams channel, or at least that's what should happen.

So a quick recap here. Guests are, first of all, very, very easy to get; we should assume that a compromise of a guest account within our tenant is easy. Security controls apply, which is great, and access should be denied by default. Now that I've said so many good things about this mechanism, let's see what happens in practice, because in practice, as we know, things are a bit dirtier.

So let's start by just inviting a guest. Every time you see this icon on the bottom right corner, that's the legitimate user that's doing something, and you'll see in a moment a different icon for a hacker, just because I'm going to move between users a lot. So I'm in Teams, I'm going to invite somebody. I'm going to invite a hacker in, because why not; that's my hacker account here. Once I invite that guest, I click on that and the guest is invited, and they will get the email that we saw earlier. From the hacker's perspective, and you can see the hacker icon here, I just log into my account and then I need to allow this tenant to get access to basic information about my profile, and I'll do that. "Zenity demo" is the thing that I'm hacking. Again, I get to this portal, which is empty because it's showing me all of the apps that I have access to, which is actually none.

So there are two things that we already know how to do, and if you've Googled it before, you would have found them before this talk. One is phishing through Teams: once you get invited into a tenant as a guest, you can do phishing through the internal Teams of that organization, which is actually pretty nice because it adds some believability to your phishing attempt. The other thing that you can do is recon on the directory. There are some sophisticated ways in which you can find a list of users within that organization, even though you are not allowed to directly enumerate the users. If you want to look at it, there's a nice link there that will share everything about it. So this is the state of the art for guest exploitation, but of course we want more, right? We want access to resources.

And so this is the point in the talk where I'm basically suggesting that if you don't want to have a responsibility when you go back to work, then this is the time to leave, because right now I'm going to show how the reality differs from your expectations. Any takers? All right.

So what I'm going to do right now is just virtually click on that link. When I click on that link, I get into something called Power Apps, which is the low-code/no-code platform for Microsoft, which is built into Office. The first thing that you'll see here is that I get some sort of an error, which is telling me basically: you're trying to reach an environment which does not belong to your tenant. This is because the link that I've set earlier is in the guest tenant, not my home tenant. So I click on "go to homepage" and I get to my homepage, and now I'm in Power Apps, but you can see here that I'm in my own tenant, Ponosa, which is the hacker's tenant. So now I need to be able to switch to the guest tenant. That's pretty easy: you just go to "switch directory" and now I'm going to move to the right tenant. You can move to any one of the tenants that you have access to. Again, when you get access as a guest to somebody else's tenant, this is just waiting for you.

Once you do that, you get to where I actually sent you with this link, which is a screen called Connections, and you can see that these connections include Azure connections, connections for SQL servers; you can see their names. For some reason, as a guest I'm able to see all of them. So let's try and figure out what the hell this is, why it exists, and why we have access to it. Let's examine one of them. This is an Azure File Storage connection, and it's called something like "J reading customer data". First of all, you can see this little menu here; two interesting things. One is "details", which we'll see in a moment, but the other is "share". So there's a share button here on a connection to Azure File Storage. Let's look at that share button. This file storage connection is apparently shared with three different entities. The first is shared with the org, the second is shared with Jamie (this is probably the Jamie that created this connection), and the third here is Jamie again, and you can barely see that this is an Outlook account, a personal account. You can see the different permissions that each of them has. And so this is the root-cause issue of why we're seeing this connection right now. Jamie has created this connection and has shared it with everyone.

What's actually going on here is that this connection is a wrapper around credentials. It can be an OAuth token, a refresh token (Jamie's own refresh token, her own identity), or it could be a username and password or a client secret or whatever you'd like. Then you can just take this wrapper and share it with everyone, and everyone means your entire AAD tenant, guests included. You can also share this with groups, with specific individuals, with your own Outlook account, whatever; just be productive. And so this works, and this is pretty cool. Let's try and figure out what this connection actually is, why it exists. Going back to the details, now I can see a bunch of information about this connection. I can see that indeed it was created and is owned by Jamie Reading, and trying to figure out who Jamie is, I can see that Jamie is a customer service representative that works in sales ops. So Jamie is a business user, so Jamie made the decision, which was a bad decision, to share this connection around, and we'll see in a moment that this is a common mistake to make because the platforms just make it very easy for you to actually do it.

Before we move forward with this talk, I'm not sure how many of you are familiar with low-code/no-code, so I need to explain to you why this is happening, why it is believable that somebody from the business would create a connection to Azure and share it with everyone. So here's the reason. Okay, so you won't get the video, but here's the reason. Basically, low-code/no-code is putting power in the hands of business users to build their own applications and automations on top of business data. What this video actually shows is that right now they've integrated ChatGPT into their platform, so you can just ask ChatGPT to create an app for you, and it would create a table on a database and share it with everyone, create the columns and create the actual app. So this is something that business users are actually using to solve their own business problems, and when they do it, they do it on business data, of course. As a business user you mostly don't have access to service accounts, right? You do have access to your own credentials, so why not wrap them in a thing called connections and share them, share your refresh tokens with whoever wants them. So this is the way that this typically works.

One of the things that is important for you to understand, that this is a big issue, is just to understand the scale of this thing. So here's what I did. This is a slide showing a single number, 5 million; that's the number of developers using .NET today, according to Microsoft. A pretty big number. How many developers do you think are using this, like business developers using this low-code/no-code tool in order to build their own applications? Just have a number in your head, something that fits with your model of the world, where we focus more of our attention on the applications that people are building with code. I actually went through Microsoft earnings reports for a few years back, and they mention the numbers here and there, so here are the numbers from the reports. According to the small linear regression I did here, there are about eight million developers today. I'm sure that most of the people in this room have either never heard of this before or didn't dedicate a lot of their career to trying to solve this problem. This is actually becoming huge within the top organizations in the world, so we need to start dedicating our time here.

So now that we understand that this thing is happening in every major org out there, because just show me a large enterprise that's not a Microsoft shop, let's figure out how we get from those connections to actually doing something with them. In this part right now I'm just going to take you through the rabbit hole of how we get to this. We were able to see these connections, that's fine, but now we want to automate things, we want to dump the data behind this, we want to make this into something that we can use as hackers. So let's try to figure out how that works.

[Host] Sorry, apologies, just before we get into the next phase here: we do a thing called outrageous speaker requests here at BSides every year. When someone submits a talk, there's a field right at the very end that says "any outrageous requests", and a lot of times they throw something in there at 2 in the morning and forget about it. The request that we have from you was to help you find more hacker friends, I think is the actual thing. So first off I want to make sure, is this you? Yeah, okay. So I'm going to ask everybody in the audience, if you are on Twitter, and this one's you as well, yep, okay, so I'm going to MBG and I'm going to follow him, and I'm going to go to LinkedIn, where we have, and I'm sorry, how do you pronounce your last name? Bargury. Okay, Michael Bargury, and I'm going to add him, and I encourage everyone here, pull out your phones and do the same thing right now. Help me fill this outrageous speaker request. Have a good day, thank you.

Actually, there are so many avenues for research here, and we are so few; the group of people that is focused on this area is so small. If you're interested in an interesting challenge and just banging your heads against the world with this, just reach out to me; there are plenty of things we can collaborate on.

All right, so now let's do some hacking. First of all, and again, I'm authenticated as the guest here and I'm looking at the specific connection. Let's try to figure out what information lies behind this Azure File Storage thing. So I'm going through this; there's a tab here called applications that use thi