BG - All You Need is Guest: Beyond Enumeration

BSides Las Vegas · 46:44 · 77 views · Published 2023-10

About this talk
Breaking Ground, 17:00 Tuesday. Azure AD guest accounts are widely used to grant external parties limited access to enterprise resources, with the assumption that these accounts pose little security risk. As you're about to see, this assumption is dangerously wrong. In this talk, we will show how guests can leverage undocumented APIs to bypass limitations and gain unauthorized access to sensitive business data and capabilities, including corporate SQL servers, SharePoint sites, and KeyVault secrets. Furthermore, we will reveal how guests can create and control internal business applications to move laterally within the organization. All capabilities presented in the talk will be demonstrated with the default Office 365 and Azure AD configuration. Next, we will drop PowerGuest, a powerful tool designed to uncover the true scope of guest access in your tenant. PowerGuest can automate limitation bypass, enumerate and dump all accessible data, and allow for interactive non-read actions by the researcher. Finally, we will make up for shattering the illusion of guests having limited access by sharing concrete steps to harden your Azure AD and Office 365 configurations to prevent such attacks, and suggest detection logic to catch them if a change in configuration is not possible. Michael Bargury
Transcript [en]

Good afternoon everyone, and welcome back to BSides Las Vegas. This is the Breaking Ground track. Our next talk is "All You Need is Guest: Beyond Enumeration" by Michael Bargury. Before we get started, a couple of quick announcements. We would like to thank our sponsors, especially our Diamond sponsor Adobe and some of our Gold sponsors Prisma Cloud, Semgrep and Toyota. It's their support, along with our other sponsors, donors and volunteers, that makes this event possible. These talks are going to be streamed live, and as a courtesy to our speakers we're going to ask that you please make sure that your cell phones are on silent. Without further ado,

Michael Bargury. [Applause]

Okay, does it work? Does this work? Can you hear me? All right, so first of all, thank you for staying with me. I know it's kind of late in the day, it's later in the day for all of us, so I think we can make it a more chill kind of talk. If you have questions, if you have comments, if you want to say that I'm wrong somewhere, just shout out during the talk, okay? Don't wait for the end. Before I explain anything, let me do a quick

slide-based demo. So say you have access to an Azure Active Directory guest account. We've all received these emails where you get invited to somebody else's tenant. It could happen because you work with them, you're a contractor or something. When you actually log in to this guest account and you go to their tenant, by default you'll actually find nothing there, because guests don't have access to anything unless somebody actively gives them the access, right? And so what we're going to show today is that this is definitely not true. The

tool that I'm going to release in this talk is going to produce for you, with a guest account, SQL servers, Azure resources. I'm not talking about enumeration here, I'm talking about a full dump of all of the data behind all of these resources. This is a true example; you'll understand what's going on here at the end of this talk. And yeah, there's also a dump. So now that I hopefully have your attention: hi, my name is Michael. I am focused on security for low-code/no-code apps, which is the kind of applications that business users are building. I've been doing that for about four years now. There's a bunch of

research I put out there, so if you're interested in this topic, please reach out afterwards. We're looking for more smart people to focus on this area, so reach out to me. All right, so before we understand what's going on here, we need to spend a brief moment understanding what guests are, what this mechanism actually is. So the scenario is that you want to be able to share with someone. I work for a small company, like a 20-25 people startup, and we work with very large enterprises, and so in most of the cases we

need to find a way to collaborate on files, right? You need to share decks, you need to share legal docs, and so there are multiple ways in which you can share those docs around. One thing you can do, which is pretty obvious, is you can just share those files over email. It's kind of funny, but we've all done that, and so this is one thing that you can absolutely do. You can also just trust a random website on the internet, which is also something that we've all done. I've found out that you can also do this in real life: there are USB ports all around the world,

you can just plug in your computer and drop whatever you'd like, so you can do that as well. That's a real thing; check out the website, it's really cool. What you can also do is invite those guests into your tenant, and that's actually what Azure guests are all about. Basically the idea is that you bring people into your tenant and then two things happen: one is that they can bring their own identities, which means you don't have to worry about how they authenticate, and two, you are still in control. Those are two significant promises to try and hold together, so let's try and figure out what exactly

that means. In order for this mechanism to actually work, two things need to hold. One is that this needs to be very easy: to onboard every vendor, every contractor, they each use a different thing, they need to be able to get on your tenant quickly. And the second thing, it of course needs to be easy to control, right? Because otherwise you've just invited a guest into your tenant, I mean, what could happen? So let's try and figure out these two things. So the first thing... Excuse me, can you try to bring your mic a bit higher up? Yeah. Does

that help in any way? We'll see. All right, so the first thing I need to prove to you is that getting a guest on is very easy, and while I talk you can see that I'm inviting myself as a guest, with a bunch of different ways to do that through Microsoft. Notice that all of these options to invite guests are embedded into productivity apps. So you own a Teams channel or you own a SharePoint site, you just want to collaborate with someone, so you plug in their email and it invites them as a guest. This is a decision that a business user makes, not a decision that an admin makes, right? And so this is very easy to

achieve, and actually when you look at the tenant of any large enterprise, for most of them you'll find lots of guests. You can go down the very strict route of cutting this and not using this feature, but then, well, how do you share files? We've seen the other options. And so it's very easy to get guests in; in some cases it might even be too easy. So again, this is the email that you receive as a guest. Actually, in a talk last year, Dirk-jan showed that you can hijack guest accounts. In a talk at Black Hat last year he showed that

you can hijack guest invites that were not redeemed and then redeem them yourself with any email address that you'd like. This was actually fixed, but this was a pretty cool thing, because any user in the organization could just query open tickets and then just grab them. So it's very easy to get guests; I think that's pretty established. The second thing that I need to prove to you is that it's still easy to control, it's easy for IT and security to control. So let's see that part, and in order to do that we need to understand how

Azure Active Directory guests actually work. So on the vendor side, partner side, you could be using any type of identity provider. You could be using another AAD account, but you can also use a Google Suite or Okta or whatever you'd like. The way it works is that it creates a link between those two directories, so you get authenticated with your home tenant and your guest tenant just trusts that authentication. The cool thing about it is that because it's done this way, all of the security controls that Microsoft provides for you apply, so if you have conditional access, MFA enforced, whatever you'd like, this all

gets enforced automatically on guests, which is awesome, right? This is a really cool mechanism. One thing that we need to understand, though, is that in order to give somebody guest access we want security controls, right? Because otherwise you've just invited somebody into your tenant and they can do whatever they like. In order to get security controls we need to have an AAD account, because otherwise we can't apply the security mechanisms that we already have as an enterprise. And so in order to have that account we need to grant access to AAD, which actually grants full access to your tenant. So what's actually happening here? The crucial piece

is that you don't get full access; you get access that's denied by default, you get access that gives you access to nothing, basically. So if I invited you through Teams, you'll only get access to that specific Teams channel, or at least that's what should happen. So a quick recap here: guests are, first of all, very easy to get. We should assume that a compromise of a guest account within our tenant is easy. Security controls apply, which is great, and access should be denied by default. And now that I've said so many good things about this mechanism, let's see

what happens in practice, because in practice, as we know, things are a bit dirtier. So first of all, let's start by just inviting a guest. Every time you see this icon on the bottom right corner, that's the legitimate user that's doing something, and you'll see in a moment a different icon for a hacker, just because I'm going to move between users a lot. So I'm in Teams, I'm going to just invite somebody, I'm going to invite a hacker in, because why not. That's my

hacker account here, and then once I invite that guest, I click on that and that guest is invited, and they will get that email that we saw earlier. From the hacker perspective, and you can see the hacker icon here, I just log into my account and then I need to allow this tenant to get access to basic information about my profile, and I'll do that. Zenity demo is the thing that I'm hacking. And again I get to this portal, which is empty because it's showing me all of the apps that I have access to, which is

actually none. Okay, so there are two things that we already know how to do, and if you've Googled it before you would have found them before this talk. One is phishing through Teams: once you get invited into a tenant as a guest, then you can do phishing through the internal Teams of that organization, which is actually pretty nice because it adds some believability to your phishing attempt. The other thing that you can do is recon on the directory, so there are some sophisticated ways in which you can find a list of users within that organization, even though you are not

allowed to directly enumerate the users. If you want to look at it, there's a nice link there that will share everything about it. So this is the state of the art for guest exploitation, but of course we want more, right? We want access to resources. So this is the point in the talk where I'm basically suggesting that if you don't want to have a responsibility when you go back to work, then this is the time to leave, because right now I'm going to show how the reality differs from your expectations. Any takers? All right, so what I'm going to do

right now is just virtually click on that link. When I click on that link, I get into something called Power Apps, which is the low-code/no-code platform for Microsoft, which is built into Office. The first thing that you'll see here is that I get some sort of an error, which is telling me basically "you're trying to reach an environment which does not belong to your tenant". This is because the link that I sent earlier is in the guest tenant, right, not my home tenant. So I click on this "go to homepage" and I get

to my homepage, and now I'm in Power Apps, but you can see here that I'm in my own tenant, Ponosa, which is the hacker's tenant. So now I need to be able to switch to the guest tenant. That's pretty easy, you just go to "switch directory" and now I'm going to move to the right tenant, right? So you can move to any one of the tenants that you have access to. Again, when you get access as a guest to somebody else's tenant, this is just waiting for you. All right, and so once you do that then you get to where I actually sent

you with this link, which is a screen called "connections", and you can see that these connections include Azure connections, connections for SQL servers, you can see their names, and for some reason as a guest I'm able to see all of them. So let's try and figure out what the hell this is, why does this exist, and why do we have access to it. Let's examine one of them. This is an Azure file storage and it's called something like "Jamie Reading customer data". All right, so first of all you can see this little menu here. Two interesting things: one is details, we'll

see that in a moment, but the other is share. So there's a share button here on a connection to Azure file storage; let's look at that share button. All right, so this file storage connection is apparently shared with three different entities. The first thing is it's shared with the org, the second thing is it's shared with Jamie, this is probably the Jamie that created this connection, and the third thing here is Jamie, and you can barely see that this is an Outlook account, a personal account. You can see the different permissions that each of them has. So this is the root cause of why we're seeing this connection right now.

Okay, so Jamie has created this connection and has shared this with everyone. Actually, what's going on here is that this connection is a wrapper around credentials. It can be an OAuth token, a refresh token, so Jamie's own refresh token, her own identity, or it could be a username and password or a client secret or whatever you'd like, and then you can just take this wrapper and share it with everyone. Everyone means your entire AAD tenant, guests included. You can also share this with groups, with specific individuals, with your own Outlook account, whatever, just be productive. And so this works, and this is

pretty cool. Let's try and figure out what this connection actually is, why does this exist. Going back to the details, now I can see a bunch of information about this connection. I can see that indeed it is owned by Jamie Reading, and trying to figure out who Jamie is, I can see that Jamie is a customer service representative that works in sales ops. So Jamie is a business user, so Jamie made the decision, which was a bad decision, to share this connection around, and we'll see in a moment that this is a common mistake to make, because the platforms just make it

very easy for you to actually do it. Before we move forward with this talk, I'm not sure how many of you are familiar with low-code/no-code, so I need to explain to you why this is happening, why it is believable that somebody from the business would create a connection to Azure and share it with the whole org. So here's the reason. Yeah, okay, so you won't get the video, but here's the reason. Basically, low-code/no-code is putting power in the hands of business users to build their own applications and automations on top of business data. What this video actually shows is that right now they've

integrated ChatGPT into their platform, so you can just ask ChatGPT to create an app for you and it would create a table in a database and share it with everyone, and create the columns and create the actual app. So this is something that business users are actually using to solve their own business problems, and when they do it, they do it on business data, of course. As a business user you mostly don't have access to service accounts, right? You do have access to your own credentials, so why not wrap them in a thing called connections and

share them, share your refresh tokens with whoever wants them. So this is the way that this typically works, and one of the things that is important for you to understand, that this is a big issue, is just to understand the scale of this thing. So here's what I did.

Okay, this is a slide showing a single number, 5 million. That's the number of developers using .NET today, according to Microsoft. A pretty big number. How many developers do you think are using this, like business developers using this low-code/no-code tool in order to build their own applications? Just have a number in your head, something that fits with your model of the world, where, if you look at where we focus more of our attention, it is on the applications that those people are building, right, people that are building with code. So I actually went through Microsoft earnings reports for the few years

back, and they mentioned the numbers here and there, so here are the numbers from the reports. According to the small linear regression I did here, there are about eight million developers today. And so I'm sure that most of the people in this room have either never heard of this before or didn't dedicate a lot of their career to trying to solve this problem. This is actually becoming huge within the top organizations in the world, so we need to start dedicating our time here. So now that we understand that this thing is happening in really every major org out

there, because just show me a large enterprise that's not a Microsoft shop, let's figure out how we get from those connections to actually doing something with them. So in this part right now I'm just going to take you through the rabbit hole of how we get to this. We were able to see these connections, that's fine, but now we want to automate things, we want to dump the data behind this, we want to make this into something that we can use as hackers. So let's try to figure out how that works. Just before we...

Sorry, apologies, just before we get into the next phase here, we do a

thing called outrageous speaker requests here at BSides every year. When someone submits a talk, there's a field right at the very end that says "any outrageous requests", and a lot of times they throw something in there at 2 in the morning and forget about it. The request that we have from you was to help you find more hacker friends, I think is the actual thing. So first off I want to make sure, is this you? Yeah, okay. So I'm going to ask everybody in the audience, if you are on Twitter, and this one's you as well? Yep, okay. So I'm going to go to

MBG and I'm going to follow him, and I'm going to go to LinkedIn where we have, and I'm sorry, how do you pronounce your last name? Bargury. Okay, Michael Bargury, and I'm going to add him, and I encourage everyone here, pull out your phones and do the same thing right now. Help me fill this outrageous speaker request. Cheers, have a good day, thank you.

Actually, there are so many avenues for research here and we are so few, the group of people that is focused on this area is so small. If you're interested in an interesting challenge and just banging your heads against the world with this,

just reach out to me, there are plenty of things we can collaborate on. All right, so now let's do some hacking. First of all, again I'm authenticated as the guest here and I'm looking at the specific connection. Let's try to figure out what information lies behind this Azure file storage thing. I'm going through, there's a tab here called "applications that use this connection", so let's just try to log into that application, "customer insight" something. All right, this takes me to a page which gives me some information about this app, and then there's this link, and by the way you'll notice that

this link is a Microsoft link inside of Microsoft's own domain, and at DEF CON last year what I showed was that you can create a phishing app that would be hosted by Microsoft on this link and supports SSO, and everything is kind of nice and believable, so check that out if you're interested. And so when I click on this app I get this thing that's stopping me, that's not allowing me to actually view this app, and if you open this up and look closely, this is telling me that I don't have a license. And so this makes sense, right? I'm a guest, I

don't have... by default I'm not supposed to be able to do anything. And so the clue to understanding how we circumvent this is the sentence above here, so I'll read it out: "You don't have the correct plan to access this app. Ask your admin for one, or ask the admin at the organization in which you're a guest." Can you guess what I'm going to do to bypass this? So I need a license. I don't have a license in the guest tenant. What would happen if I have a license in my own tenant? Nah, that shouldn't work, right? Okay, let's try. Here's a

developer plan I can get for free from Microsoft. I'll just say, hey, can I get a license for this hacker account, and they'll say, yeah, of course, here's a license. And now of course I'm in, because why not? If you have a license in one tenant then it applies to another tenant. That's great. And now after this thing loads, I get to this screen which is telling me something very weird, that this app is not compliant with the latest data prevention policies, or right, and you can see here something about a policy named "deny Azure file storage DLP" inside of this Power Apps thing, inside of this low-code thing. That's kind of

weird. So I was able to circumvent the license issue, but now I'm blocked by a DLP. Microsoft has actually integrated something they call DLP, data loss policies, inside of this Power Apps thing, inside of this low-code/no-code thing, which is great, right? We have business users that are building applications, we are worried about data moving out of our tenant, let's have a DLP built in. This is a great idea, so let's use this great idea. Again, I'm logged in as the trusted user, that's fine, and I'm going to create a DLP policy to find Social Security

numbers within my tenant. It's going to be awesome. I'm going to choose connectors. All right, so I need to choose a connector, I'm going to choose the SharePoint connector, something about it not being blockable. I'm kind of stuck, I'm not really sure what you would do next in this screen, like how do I move forward with applying this DLP policy? So actually the thing here is that this is not DLP, this is not DLP in the sense that you think about DLP. This is an allow list/deny list for connectors. Connectors mean a connector to SharePoint, like SharePoint as a whole,

everybody's SharePoint, every site, every tenant, whatever you'd like, every OneDrive for Business. Some connectors are not blockable at all, so you cannot block SharePoint, but you can block, I don't know, SQL Server for example. This is definitely not DLP in the sense that we think about it as security people, so that needs to be clear here. The second thing that's interesting is that this DLP is actually full of holes, and one of my hobbies is to try and figure out all of the different holes within this DLP. Currently I know of five, and so here's one of them, and another one, and

another one, and another one, and another one. These are all just ways in which you create a sophisticated DLP policy that bypasses itself. This is all completely public. Admittedly there are some advanced features in this DLP policy, you can do endpoint filtering, but it also only works in compile mode rather than at runtime, so it's not a security mechanism. This might prevent users from making mistakes; this would definitely not prevent a hacker from doing something within your org. But having said all of that, we are still blocked, right? We are still blocked by this thing right now, and we need to

circumvent that. I'm going to be honest with you, I have a way forward, but unfortunately I won't be able to share that bit right now because Microsoft asked me not to, and so they're going to fix it, which is great. After they fix it I'm going to put the information there in the link, but until then let's just forget about it. All right, so forgetting about it, I was not able to actually get something from Azure file storage. Let's just take another connection. Here's a SQL

storage called "Enterprise customers", sounds nice. So again, go into details, applications using this connection, I see a bunch of applications, I click on one of those applications, and this time I actually got into the app. The first thing that I see when I go into the app is this screen that is telling me, hey, I'm going to use this SQL connection in this app. By the way, again, think about regular applications, you tend to see an OAuth consent form, something like that. This is not it. This is "I'm going to use this connection which somebody else has already shared with you, and I'm going to use it in this app", and it's

not limited by permissions, because it's whatever you gave the token initially. All right, so I'm going to go to this app and now I can actually, finally, see data. This is the SQL Server data behind this connection that this app is actually fetching, so you can see information about customers, right? This is just a list of users, and then for each one of those users I can click on a user and I can see information about that user, including their social security number. Of course this is all generated by ChatGPT, so thank you OpenAI for that. And now we want to understand how we can

fetch this data in a more, I don't know, robust way. So just looking at the requests that this thing is actually sending, you can see that all of this information is being fetched through this request, and looking at that request I can see two things. So one, not sure if that's going to work, so right here I'm going to something called Azure APIM, we'll see that in a moment, and here inside of this request URL you can see this long URL which has something with the Enterprise customers table. All right, we'll try to figure out what that means in a moment, but just to show you

that, yeah, all right. So again, what I'm going to do is just copy this request and then just replay it, and I get all of the information, right? This is just what the app is doing; this is not the entire data behind this SQL Server. So let's try and figure out what's actually going on here. Power Apps is actually using this endpoint, azure-apim.net, to fetch the information behind that connection. Actually, any operation that this app would like to do with this connection, it will do through this Azure APIM instance. Okay, so let's try to figure out this URL. It starts with

azure-apim, that's just an Azure API gateway that's hosted in Azure. And all right, after that it goes to SQL and then an ID for this specific connection. If you use the same thing in your Power Apps instance then you'll get the same URL, just with a different ID; you'll probably not be in Europe, but well. And then after the SQL, I need to choose the data set. This is because if you authenticate to SQL with your OAuth token then you actually have access to multiple SQL servers, because this is using your own Azure managed identity. And so you can see that I'm choosing the

customer insights database and the specific Enterprise customers database, so a server and a database, and then there's a request here to tables, and let me just fix the URL here, so tables, the name of the table, items. All right, so this is actually just an interface to query the SQL Server. So let's back up for a moment, and now I need to tell you what the hell this thing is. The way that Power Apps works, but actually, this is Microsoft focused, but most low-code/no-code platforms work this way, because they need to be able to impersonate business users, because business users need to be able

to create apps with their own credentials. So here's how it works. On the left side you have the app and on the right side you have the API that it would like to call, and now there's this Azure API Management thing. The app will go up to Azure API Management; the app doesn't have your credentials, it has the ID for that app, and it goes out to Azure API Management and it says, hey, on this app please provide me access to that specific request through that API. And now note that as a user you can share your credentials with other users, you can also share your

credentials with an app, right, or an automation that runs in the background without you actually being there. All right, so what actually happens here is that they have built a token storage that is managed inside of this Azure API Management instance, and the tokens get injected every time you reach out with the request, and then they clean them out on the way back. All right, so this is how it works, and it works like that with most of the platforms. So let's try and take a look. Again, this thing is going to allow us, we've seen, I

mean we've seen one request, but this thing is going to allow us much more than that. So what we have up until now is the ability to, well, we went to the UI, we copied the request, now we can replay that request. That's fine, but can we actually generate the request without going through the manual process? Can we automate this entire thing? In order to do that we need to be able to make this request; in order to make this request you need the token. So let's figure out what this token actually grants us. Opening up the JWT token shows that I get an audience of apihub.azure.com. This is actually an

internal thing Microsoft created on top of API Management that does this entire token exchange thing. And so what I need is a token with the right permissions to query this API, and that's the next question we need to answer. In order to do that, first remember that I can generate tokens, right? This is my user; that's not the problem. I need to generate the token with the right resource, with the right client, to actually allow me to fetch information from this internal API. And so I'm going to use this snippet, which is just using common Python libraries

to generate this token, and now I just need to find the right client that would allow me to get this resource. If I try to use a built-in client app, a public client app, again, this needs to be in the guest tenant, right, so I cannot just create an app there. So if I try to use a public client app it doesn't work, because the app needs to be pre-consented to have permissions to that resource. If I try to use my own app in the home tenant and make it a multi-tenant app, then it also doesn't work because I

can't even ask for that permission. So if you go to the app and you try to ask for the right API permissions to query API Hub, you won't find it there, because it's an internal API, right? They didn't expose it to everybody. And so we're kind of stuck. We were able to copy and then replay that request through the browser, but that means we can do manual things. That's fine, but that's not like a wide-scale exfiltration thing. And so let's try and figure out how we get to that token. And before that I'm going to do a very quick recap. So we got access to an

account which is outside of our corporate tenant: we got a guest account. We found a bunch of credentials on this thing called Power Apps, which business users are building and then sharing those connections with everybody. We tried to get access, we were blocked by license, so we just got a license. We were blocked by DLP, and then I did a bunch of hand waving and we'll move forward. And we were blocked by being able to get programmatic access to API Hub, and that's the last thing that's stopping us from getting access to those credentials. And so we need an app that is able to do a few things. One, it needs to be on

by default, because this needs to be already available in the tenant, which I cannot change. It needs to be pre-approved to query this API Hub thing. And it needs to be a public client, because I need to be able to generate tokens; if it's a confidential client, then I need a certificate in order to generate tokens, and I won't have that certificate. And so let's try to get that. We already know of one app that is able to generate those tokens, and that's of course the Power Apps portal, right, because that's where we found this token. And so this is on by default, every tenant would have Power Apps; it's pre-approved to

query API Hub, but unfortunately it's not a public client application. They've done their job well here, so it's a confidential app; you can't just generate tokens on its behalf. And so what can we do in order to circumvent this thing? We can use this very clever piece of research. I'm not sure how many of you are aware; if not, I really recommend you go out and read this. Basically, think about what happens when you log into one Microsoft app like Teams and then you move to another Microsoft app like Outlook, and you don't get re-authenticated, right? Something happens there. These are different apps in different domains, different tokens; if

you look at the tokens you'll see different tokens. So the way that this works is that there's undocumented behavior on the AAD side that allows you to exchange one refresh token, with one client ID and one resource permission, with another refresh token with another client ID and another resource. And this works throughout the entire Microsoft suite of products, so there are, I think, we'll see in a moment a list, but something like 20 different client IDs which you can just exchange the tokens between, seemingly seamlessly, without the user knowing. So if you get a refresh token to one of them, you actually got all of them.

This also allows you in some cases to bypass things like MFA, but check out this research, it's really cool. And so this is going to help us, because if we look at those client IDs, this is the list of the client IDs that are currently public, that we've already identified as a community, you'll find two things that are really helpful here. One is Power Apps, which is actually helpful, right, this is what we need, and the other is Microsoft Azure CLI, which is of course something I can very easily generate tokens for. All right, so now you can see the solution, right? I'm going to authenticate to

Azure CLI with permissions to do something with Azure, I just query the Azure graph, the Microsoft Graph or something, and then I'm just going to exchange that token for an API Hub token, because Power Apps can get access to this API Hub token. So this is exactly what I'm going to do, and this screenshot actually shows how it looks to use the tool that I'm going to drop in a second, which allows you to, again, these are the permissions that you need to provide, right: you authenticate to Microsoft Azure CLI and then you get a whole bunch of

goodies, you get different tokens, and specifically here I'm looking for the API Hub token. All right, so now that we've solved this problem, let me show you what I can do with it. This entire thing is just going to be a demo of PowerGuest. PowerGuest is a tool that I'm releasing today; you can find it on GitHub already. It's actually kind of a next version of something I shared at DEF CON last year, and PowerGuest is going to allow you to do everything I explained so far, and actually much more. So PowerGuest has different modules: the dump module, which we're

going to talk about right now. There are also three modules I'm not going to talk about: creating a backdoor, which is actually a backdoor that persists even if you delete the user; phishing campaigns inside of an org; and no-code malware, which is a reference to the talk I gave at DEF CON last year. Check this out; people are doing really cool things with this already. And so we're going to focus on this part. And so what I'm going to do is just run a PowerGuest dump, and this is the ID for the guest

tenant. And then it's going to wait, kind of think for a second. It's going to acquire a token first of all to Power Apps, and with that token to Power Apps I'm going to go to device login; of course you can use a token that you got from somewhere else, whatever you'd like. I'm going to authenticate, right, I'm authenticated as the hacker user, okay. And now it's going to first of all enumerate all of the different resources that I have access to. I showed you connections, credentials, but actually I have access to much more; we'll see that in a moment. And so I started with the token to Power Apps. Through

the token to Power Apps I was able to identify six applications that are available for me as a guest to use, and also nine credentials. And now I'm going to exchange this token for an API Hub token, and I'm going to use this API Hub token to actually go through each one of those credentials and dump that credential. And I'm fetching some API specs for that; you'll see that in a moment. And by the time this is finished the dump is created, and now the dump is already on your drive. You can see a few things here: so one is that these are all of the types of connections that

I found that were shared, and I'm actually generating, well, you'll see it in a moment, there's actually the data behind those connections. So here's, for example, the SQL Server that we saw earlier. You can see the different tables that exist in this SQL Server, and if I look into any one of them, then I see a full dump of the table. I also have a nice little GUI for you to just kind of use, and this GUI shows all of the different things that I was able to find in this tenant. You can see that there are credentials, automations and applications. Applications: you can go into those applications and see what they

have. Automations: you can actually run those automations, okay, and then those automations can do a whole bunch of different things. Clicking on credentials would show you the credentials we saw earlier in this talk, so these are available here. And so the first thing you can do is go to dump. You go to dump, you see all of the tables. Here's the data for this entire SQL Server, with the generated Social Security numbers. You can also kind of look at other queries here. And the other thing that's interesting here is that there's a playground where we are actually

generating a Swagger UI for each one of those connections, so you can actually dynamically use these things to push whatever you'd like through these connections. Specifically with SQL, the native pass-through query allows you to just run whatever you'd like on the server, which is kind of awesome. And you can use the Swagger API to do that. That's great. Check out the tool; there are plenty more things you can do with it, and we're going to give a few demos at Arsenal that cover what I've covered today but also other scenarios you can do with the same tool. So please check

it out. All right, so in the like four minutes or three minutes I have left, I need to give you something. All right, so here's what, first of all, I'm going to say: we've strongly collaborated with Microsoft throughout this entire thing. They are aware of it, they're trying to fix what they can fix, they are trying to make defaults better. Some of the mitigations that I'm going to share with you right now we've actually collaborated on creating. In this talk, what you've seen right now, there are no kind of

vulnerabilities; there's just, like, I don't know, creative reading of the docs. And so I'm just going to share very briefly here. I think the number one thing that we're missing is that if we think about the shared responsibility model for, for example, serverless, we know what we need to own, right? But with low-code, with the things that business users are building, we think, hey, that's probably secure, the vendor is in charge of everything. That's of course not true. I mean, you don't own the code, fine, but you own the business logic, because they are using these tools to create business logic, which doesn't make

sense for, for example, an app that impersonates its own users. If you're interested in that part, I'm going to explain a lot more about it in a talk tomorrow called something like "Sure, let business users do whatever they want, what could go wrong." And so again, the shared responsibility model applies here as well. The platforms themselves need to own their part, and if you're looking at news, just last week Tenable found like crucial multi-tenant vulnerabilities in this specific platform that allowed them to basically replace your code with somebody else's code and do whatever they like, unauthenticated. But you as a customer,

you also need to own your part. If you work for a large Microsoft shop, or you help a large Microsoft shop, can you answer those questions, like: what are your business users building, who are they sharing with, what is the data that they are actually using? I think the answer is probably no. This needs to be part of AppSec, and so we need to start carrying our own. And so now, in order to protect your organization, I'm going to just send you out in a few different directions; all of the links are going to be there. Okay, one minute, okay. So very quickly: don't overshare

credentials. That's kind of obvious, right? This is for developers. There's also a project called the OWASP Low-Code/No-Code Top 10, which illustrates all of the different things that can go wrong when business users create applications, and this is actually speaking in a language that business users can understand, so you can just send them to those links and they'll hopefully understand what they need to do better. You can harden your environment: there's secure configuration you can apply to make sure that these kinds of things happen less in your environment, and again go to the link. This is not only configurations on the AAD side; you can do some

configuration on the Power Apps side as well. AppSec needs to hold this part. There are already organizations that have created low-code security standards, low-code security processes within the organization, within AppSec: scanning things that business users are building, putting guardrails around it. And you should definitely hack your environment, because other people are already trying. And so please use PowerGuest. And with that, and I think a minute of time, thank you. [Applause]