
BSides Perth 2023: Rustla Tokens Of the Kingdom

BSides Perth · 2023 · 23:48 · Published 2023-08
Transcript [en]

I'll hand you over to Russell to talk about Tokens of the Kingdom.

All right, hi, I'm Russ. I'm a principal tester at Trustwave doing things like pentesting and cloud security assessments. Some of my previous presentations around here include talking about app control, developing challenges for WACTF a few years running, and things like building an AD lab and a query language. Today we're going to talk about tokens within Microsoft's cloud. For that we're going to have a very quick, very high level look at OAuth and how it works, because that's what the tokens use; then two of the token types, exploring how they work a bit and what they're made up of. Then we're going to talk about scopes, audiences and consent, because they're kind of fundamental pieces for the next bit, and then we get into the interesting stuff, which is where you might find tokens or steal tokens from the user. Then we'll look at what you can do with those tokens if you manage to steal them, and for those bits we're going to be showcasing some tools and techniques developed by security researchers and a little bit of my own stuff as well. Lastly we'll have a look at some ideas for detecting and preventing token replay, and this stuff does relate to what Matt was talking about first thing this morning, so yay, that was really convenient.

So tokens, put very simply, are issued by identity providers to clients to access cloud resources, or other things as well, but in this case we're going to be talking about the cloud, and in the Microsoft world that's resources like OneDrive, SharePoint, Teams, Exchange, Azure, Graph, all that good stuff. Focusing on the OAuth spec, the two tokens that we're going to be looking at are access tokens, which are used to grant access to those resources, and refresh tokens, which are used to get you a bunch of new access tokens when they expire.

There's a few roles in OAuth, and it'd be really useful for us to have a quick look at how they map to the Microsoft cloud realm, or kingdoms as I really want to call them, because I love Zelda. So we've got the authorization server, which is your identity provider, which is, I could just say it, Azure AD. Microsoft wants to call it Entra ID, but that's going to take a while. We've also got the client, which is the app, so things like the Outlook or Teams desktop or mobile apps, the Azure command line, that kind of thing. Then we've got the resource server, which are the APIs that underpin those services that the apps talk to, so things like the OneDrive or SharePoint APIs, the Graph API, that kind of stuff. And lastly the resource owner, which is the end user, the person that's running an app, who then effectively grants the app access to their data on their behalf.

A very high level, very contextual rather than technically accurate overview of how the overall flow works: you've got a user, in this case Princess Zelda. She fires up the client, which in this case is the Outlook app, and she enters her creds. The creds are then sent from the client over to the authorization server, or AAD. If all goes well with the login, AAD will send the tokens back to Outlook, which will then include those as headers when it talks to the resource server, which in this case might be Exchange Online.

The access tokens that are issued by AAD are typically going to be JWTs. These have been talked about a lot, so I'm not going to bore you with it; a very, very quick look at the structure. The header, we don't care about for this talk; that's the bit in red. That includes things like "hey, this is a JWT" and here's the algorithm the signature uses. The payload claims, that's the big chunk of blue, we do care about for this talk. Those are the things that identify the user and talk about the scope of the token, all that kind of stuff. And lastly the signature, which is effectively used to prevent tampering with the claims, which again we don't care about for this talk.

That's the main thing. The payload claims are basically within the token; they describe to the resource server who the user is and what the token should be able to do. There's a lot of different claims, but the claims that we're going to care about are: the audience, which is the resource or the service that the token can be used for; in this case think of it like a URL, like outlook.office365.com, that's the resource the token can interact with. Then you've got the issuer, which is the tenant ID that the user belongs to, or that issued the token. The reason you might want to care about this is because it contains that tenant ID: if you're using some tools that want a tenant ID, you can just pull it straight out of the JWT and pump it into your tools. Expiry, which is probably very obvious but also pretty important: that's the time the token expires, at which point hopefully the resource server rejects access to the resources for that token. And lastly the scope, which is basically the permissions the token has over the resource defined in the audience claim.

Because client apps act on behalf of users, it's really important to restrict what they can do, and scopes are the way of doing that. So when the app is set up and it requests permissions, it can request just what's required, which is obviously what we would want. So if you've got an app that's used to manage tasks, it would have access to read my tasks, but maybe not access to check your calendar or your email. The other approach you can take is to ask for the kitchen sink, so everything the user can do, which is the user impersonation scope, and as an attacker obviously that's what we want.

Scopes do require consent before they can be used, and that can be provided by the user for themselves, or it can be provided by the admin for the entire tenant. You've got to be pretty familiar with the consent prompt; this is what the AAD prompt looks like. If you've ever found that your mobile app asks you for access to your camera and location and your dog's birthday, it's that sort of thing. The things we want to make note of here, and obviously if you're going to be triaging your apps and consent you would want to look at these: the application name; there's a big warning on the screen that it's not published by Microsoft; and looking at how legit this prompt looks, it is a Microsoft prompt, so it might inherently result in users trusting this and thinking it is from Microsoft. Then you've got the permissions that are being requested, which you can click on the drop-down to get even more information about, and lastly you can cancel or accept. If you click on cancel the app won't work as intended, because you've stopped it from being able to access the things it wants to do.

Consent can be abused using illicit consent grant attacks, which is basically where an attacker has their own Azure tenant that they control. They create an app registration within it and they tell it what API permissions they want, which is basically the permissions that they're requesting to have over the victim. If you want to go there with it, the attacker sends the link to a user, probably through phishing. If the user logs in and consents to that, then the attacker gets the ability to get tokens for them and access things with those tokens for basically what they've requested. So they've got fairly good control of what they should be getting back, which we're going to take a look at using 365-Stealer.

Cool, is that working? Yes it is. All right, I've already registered the app and punched in the creds, so now when we run it up we just get the phishing link. We're going to give that to Link, who's already logged in, and he's going to browse to that link, but it says it needs admin approval. He doesn't actually have the ability to consent to this for some reason; it says the app's risky and that's all he can do. So he's going to be a good guy and raise a service ticket with Princess Zelda, who does have admin privileges. Zelda can browse to the app, see the permission prompt, and see the permissions that are being requested, and "read your mail" is considered a high impact privilege. Obviously you wouldn't want to be giving consent for an attacker to do that, so Zelda can accept the consent on behalf of everyone, which is the tenant admin consent, or she can do nothing and start the triage process.

So coming over, I've set up a second app registration as the attacker. It's all the same stuff, it just doesn't have that read mail permission, so this is a much lower impact set of privileges. Cool, I'm going to give that to Link, I'm just going to click on it again. Cool, now he can actually see and consent to the permissions because we're asking for a lot less privileged access. It is Link, you can see the permissions there, he doesn't have a problem with it reading his user profile, or apparently anyone else's, and we should get an authorization code back, which when combined with the app registration details you could use to get tokens. 365-Stealer does all that and stores them to disk; it also does a lot of other stuff as well, like enumerating the user and whatnot.

Some other ways that you might be able to get tokens, probably pretty obviously, is through a compromised workstation. If you've got a shell on a user's workstation or a beacon or whatnot, you might go to pull out session cookies, but if you've got M365 apps, like our friend Tulin does here, Tulin is clicking around the various bits and pieces in Teams, which is making requests to different resources, which is populating tokens in memory. Little does Tulin know we've got a shell on his machine. I'm going to run the beacon object file loader to load them, to use later. I'm going to grab the process IDs for Word and Teams, and I'm going to pass those to the office tokens BOF written by TrustedSec, which is going to dump the process memory and scrape it for tokens. So all we need to do is pass the process ID; this first one is Teams, and we get a whole bunch of access tokens. To give you an idea of scale, that's one token. We can do the same for Word just as easily, just change the process ID. Cool.

All right, some other places that might be a little less obvious are web apps. A lot of apps these days talk with M365 or Graph services, and some of those like to store tokens in local storage, so if you're an attacker and you've got cross-site scripting, you might be able to exfil the tokens and use them. This is actually what inspired the talk for me. I was doing a web app test for a client, I found cross-site scripting, and the tokens for various M365 services were stored in local storage. So I tried using Burp to play with the tokens, pull them out and do various things with them, and it didn't work, I got a bunch of errors. I didn't need to look at that any further because there was this really weird thing wrong within the app that meant I could do similar things anyway. But I picked it up again a couple of months ago, using Microsoft's JavaScript-type OAuth login flow demo app, which does very different things but the same storage. What I found was that the only issue I had at the time was that if I added an Origin header, it would at least let the request go through. The next part still didn't work for me in my environment, and I think the reason for that is I didn't have the permissions; it said as much. The permissions I was requesting, the admin had to consent to, because the app didn't have access to do that, it hadn't been consented to yet. But I would imagine in a larger environment with an actual usable app you might be able to do more things with it. I didn't get a chance to go back and check that. This is a well-documented design decision by Microsoft; the reason that they store the tokens in local storage is obviously user experience with the SPA, but they have already reduced refresh tokens from 90 days down to one day just for the SPA type, so those tokens aren't around forever either.

If all of that fails, phishing might be pretty useful. Beyond the consent grant, which you would phish, you've also got things like attacker-in-the-middle with Evilginx and that kind of thing to do some token theft, and there's also device code phishing. If you're familiar with device codes: if you've tried to set up your smart TV to access streaming services, you get a six digit code on your screen and a URL to browse to, and you do that on a phone or a device that's got a keyboard that's easy to log in with. But if you were to do this to a user, like a phish with a URL and a code to enter and a convincing pretext, if they browse to the URL, enter the code and log in, then you'll get their token and can simply do things instead. Let's look at using TokenTactics. Great, import the PowerShell module and run the Get-AzureToken command, specify Graph, so we get a Graph token back. That spat out the user code there. I'm going to give that to Tulin, who is logged in. Tulin knows to complete links in a phishing email, so he's going to browse to microsoft.com/devicelogin, punch in the code, yes, sign in as Tulin, please let me in, yes, click on continue, and shortly after we should get access and refresh tokens. So this token is scoped for, sorry, the audience is Graph, and the scope for this token is user impersonation, so we can do anything that Tulin can do with Graph, which is quite a lot.

What can you do with them? It depends on really two things: the scope, which we've just alluded to (you might not have a user impersonation scope, it might be something less), and the audience that it's scoped to. If you can interact with Graph you can probably do quite a bit depending on what the scope is, but generally speaking these tokens are going to give you some kind of access to one of the many APIs or resources within M365 or Azure, so things like Teams, OneDrive, Outlook, Graph, Azure AD; those things might all be possible to interact with. The other thing you can do, if you've got a refresh token, is you might be able to get a new access token to provide access, and probably the most interesting, I think, is that you can use the refresh token to get access tokens for a different resource, so going from maybe Microsoft Graph to Outlook.

Still within TokenTactics, we're going to run the RefreshTo-OutlookToken command, and we get an access token and refresh token back. We're going to save that to disk. I'm going to run TeamFiltration, which is like a password spraying and post-ex tool, and then we're going to tell it where the file with the tokens is and give it an output directory. It's going to run; we're going to run the exfil module, it's found three emails, and we're going to browse to the output now. It's three HTML files which were emailed to me, and yeah, so we've got access to the user's mailbox.

Similarly, use Graph to go to a Teams token, again using TokenTactics. So one cool thing about TokenTactics is it will store the output tokens to a variable. You can import the AADInternals PowerShell module, which I know Matt mentioned earlier, and we're going to run Get-AADIntTeamsMessages. We're going to specify the variable, the object for the access token, and we're just going to pull out the content and display name to make it more readable, and we've got messages from Tulin. Thank you.

So there might be some gaps in your tools, or you might want to try to do things that you wouldn't otherwise be able to do because there's no tooling to do it, but these are all just APIs, so curl, Python, PowerShell, whatever your poison to make web requests can do it. As a proof of concept I banged together a Python script which interacts with OneDrive. I used Microsoft's documentation to work out what the endpoint names were. There's a bit more fluff in the script obviously, but the two requests which are at the heart of this are on the screen. The first one is going to search the user's OneDrive for a query that you specify and save the results to a variable, things like file name and item ID, and the second request is going to download a file via the item ID to disk from the user's OneDrive, which we'll check out. Nothing on the desktop except for the Python script. It's all hard-coded; we're searching for "haiku". If you've had a keen eye you might have seen that by clicking around Teams. We get 200 responses, we get a file name and an item ID. Awesome, we found some results. I've spat out, just for demonstration purposes, the URL it's going to target, and we get a response code of 200 back. Awesome, no weird quirky errors about janky Python code, and we have a file on disk. Awesome, cool. We can open that up, and we've got a really weird haiku that was totally written by ChatGPT. Okay.

M365 services are cool, but depending on the scope and audience of your token, as you might have guessed by now, we could potentially interact with Azure workloads. It doesn't just depend on that: obviously you've got to have the scope, the right permissions to do things, and you've got to have the audience be an API that can interact with Azure, but it also depends on whether you've got access to any subscriptions, because workloads and resources run within subscriptions. If you don't have any of those, though, you might still be able to interact with AAD and pull out users, groups, app registrations, that kind of thing. I don't have a subscription in my tenant, so I'm going to check out AzureHound and just query AAD, specify the tenant name, output to a JSON file, give it the refresh token and the Graph token that we stole, and it's going to run. It's almost finished. We're going to ingest that; there's a shiny new BloodHound Community Edition. Okay, that's done; through the magic of video editing time travel, that's done immediately, it says complete. We're going to go and check the database; there's objects in the database now, awesome. We're going to search to see if Link has access to Global Admin. Cool, something's showing up; we're trying to make it a bit more readable, it's my first time using BloodHound Community Edition, it's a little bit different. But yeah, Link has Privileged Role Administrator, which means you can grant Global Admin to him, as the attacker, which sucks.

I'd love to have a video to demo this, but I hit problems, specifically an error on the add request when running PowerZure. I quickly toggled over to the Microsoft PowerShell Az module and got a different error which I just didn't have the energy to go into, so I looked at the source code to see what the request was doing and compared that against Microsoft's documentation, and found that the endpoints were just a little bit different. So I excitedly proxied the request through Burp, changed the endpoint, and got a different error because I wasn't bothering with the POST body, in which there is also a data type to specify. Once I did that I got a 201 response, which is awesome, and then checked within the portal as well, and Link did have Global Admin. I've also raised a pull request for that to fix the PowerZure thing as well, hopefully that gets sorted.

Enough about token theft and whatnot. Some ideas that I had, playing around with the tenant, were around looking at refresh tokens: they do show up as non-interactive user sign-ins, so if you look at your logs, they do show up there. AAD Identity Protection has an anomalous token detection, which would also be good, but it didn't work for me; I suspect my demo tenant didn't have enough traffic in it to baseline normal and not normal. Your mileage may vary. In terms of preventing refresh token theft I had the
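As an added example, not part of the talk or of any tool it demonstrates, here is a small Python triage helper that pulls the four claims the talk cares about (audience, issuer/tenant ID, expiry and scope) out of a token you already hold, and flags the user impersonation and mail scopes. The signature is deliberately not verified, and the sample token, tenant ID and user it builds are constructed placeholders.

```python
import base64
import json
import time

# Scopes worth flagging: user_impersonation is the "kitchen sink" scope from the
# talk; the mail scopes correspond to the "read your mail" consent it shows.
HIGH_IMPACT_SCOPES = {"user_impersonation", "Mail.Read", "Mail.ReadWrite"}

def b64url_decode(segment):
    # Restore the '=' padding that JWT base64url segments strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Deliberate: a triage helper for a token you already hold, never an authorizer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def tenant_id_from_issuer(iss):
    # AAD issuers look like https://sts.windows.net/<tenant-id>/ (v1) or
    # https://login.microsoftonline.com/<tenant-id>/v2.0 (v2); the talk notes
    # that the tenant ID in 'iss' is what tenant-aware tools want as input.
    parts = [p for p in iss.split("/") if p and p != "v2.0"]
    return parts[-1] if len(parts) >= 3 else None

def triage(token, now=None):
    """Summarise the four claims the talk singles out: aud, iss, exp and scp."""
    claims = parse_claims(token)
    now = time.time() if now is None else now
    scopes = set(claims.get("scp", "").split())
    exp = claims.get("exp", 0)
    return {
        "audience": claims.get("aud"),
        "tenant_id": tenant_id_from_issuer(claims.get("iss", "")),
        "user": claims.get("upn") or claims.get("unique_name"),
        "expired": exp <= now,
        "seconds_left": max(0, int(exp - now)),
        "scopes": sorted(scopes),
        "high_impact": sorted(scopes & HIGH_IMPACT_SCOPES),
    }

def make_sample_token(exp):
    # Constructed sample: real claim names, placeholder values, fake signature.
    # It is not an AAD-issued token and would fail signature verification.
    header = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}
    payload = {
        "aud": "https://graph.microsoft.com",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "exp": exp,
        "upn": "tulin@example.test",  # constructed user, not a real account
        "scp": "user_impersonation openid",
    }
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     "placeholder-signature"])
```

Run `triage()` over a token dumped from memory or local storage to see at a glance which resource it reaches, which tenant issued it, how long it lives and whether it carries the kitchen-sink scope.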