Undetected Azure AD Bruteforce Attack

In late June 2021, Secureworks Counter Threat Unit researchers discovered a flaw in the protocol used by the Azure Active Directory Seamless Single Sign-On feature. This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant.

PoC:
https://github.com/treebuilder/aad-sso-enum-brute-spray

Research:
https://www.secureworks.com/research/undetected-azure-active-directory-brute-force-attacks

#sso #azure #ad #bruteforce #research

⚙️ Determining AD domain name via NTLM Auth

If you have nmap (http-ntlm-info) unable to determine the FQND of an Active Directory domain via OWA, for example due to Citrix NetScaler or other SSO solutions, do it manually!

1) curl -Isk -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' https://autodiscover.exmaple.com/ews

2) echo 'TlRMTVNTUAACAAAADAAMAD...' | python2 ./ntlmdecoder.py

One-Liner function for bashrc\zshrc\etc-rc:

ntlm_decode() { curl -Isk -X POST -H 'Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKANc6AAAADw==' -H 'Content-Length: 0' "$1" | awk -F 'NTLM ' '/WWW-Authenticate: NTLM/ {print $2}' | python2 "$(locate ntlmdecoder.py)"; }

Source:
ntlmdecoder.py

#ntlm #auth #sso #tricks #pentest