1 of 23

神の目：

Entra ID 的情報狩獵之術

CyCraft Proprietary and Confidential Information

2 of 23

WHOAMI

2

本名/常用暱稱：葉東逸 Kazma
奧義智慧科技現任實習生
財團法人電信技術中心前資安組實習生
成大資安社創辦人/社長
TSC 創辦人/總召
Pwner / Reverser @ B33F 50μP
2024 AIS3 專題評審/助教/Junior 助教
2024 HITCON CTF 臺灣代表隊擔任大 PM
第八屆臺灣好厲駭表現優異獎 (導師 Allen Own)
專長＆興趣：Pwn、Reverse、Symbolic Execution、Fuzzing、IOT、PT

@kazma.tw

CyCraft Proprietary and Confidential Information

3 of 23

AGENDA

INTRODUCTION
ADFS
FEDERATION vs ADFS
SEAMLESS SSO
SCAN RESULT
METHODOLOGY
DISSCUTION
FUTURE WORK
REFERENCES

3

CyCraft Proprietary and Confidential Information

4 of 23

INTRODUCTION - INTERN

4

CyCraft Proprietary and Confidential Information

5 of 23

INTRODUCTION - PRESENTATION

A script for regularly scanning the Entra ID information of listed and OTC companies in Taiwan.
Azure AD -> Entra ID
Dr. Nestori Syynimaa

5

CyCraft Proprietary and Confidential Information

6 of 23

Active Directory Federation Services

6

Source: What Is Active Directory Federation Services (ADFS)?

CyCraft Proprietary and Confidential Information

7 of 23

7

Source: What Is Active Directory Federation Services (ADFS)?

CyCraft Proprietary and Confidential Information

8 of 23

8

Source: What Is Active Directory Federation Services (ADFS)?

CyCraft Proprietary and Confidential Information

9 of 23

9

Source: What Is Active Directory Federation Services (ADFS)?

CyCraft Proprietary and Confidential Information

10 of 23

FEDERATION vs ADFS

ADFS is included within the broader framework of federation. However, a key distinction is that ADFS is typically self-hosted, providing authentication services within an organization’s own infrastructure, whereas other federation services may rely on third-party authentication providers.�

10

CyCraft Proprietary and Confidential Information

11 of 23

Seamless SSO (DesktopSSO)

Microsoft Entra seamless single sign-on (Microsoft Entra seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network.

When enabled, users don't need to type in their passwords to sign in to Microsoft Entra ID, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

11

CyCraft Proprietary and Confidential Information

12 of 23

12

Source: Microsoft Entra seamless single sign-on

CyCraft Proprietary and Confidential Information

13 of 23

SCAN RESULT

url source: TWSE MOPS - 公開資訊觀測站- 臺灣證券交易所

13

Total URLs	Tenant ID	Federated	DesktopSSO
1852	1411 (76%)	14 (1%)	109 (8%)

Administrator	Admin	SysAdmin	Renamed_�Admin	Root	TestAdmin	BackupAdmin	Service�Account
4	11	10	2	4	2	2	5

CyCraft Proprietary and Confidential Information

14 of 23

METHODOLOGY

14

CyCraft Proprietary and Confidential Information

15 of 23

15

CyCraft Proprietary and Confidential Information

16 of 23

16

CyCraft Proprietary and Confidential Information

17 of 23

17

CyCraft Proprietary and Confidential Information

18 of 23

18

CyCraft Proprietary and Confidential Information

19 of 23

DISSCUTION

19

Federated (ADFS)

Local Infrastructure May Be Targeted

DesktopSSO Enabled

Bridging on-premise infra to cloud resources

Possible High-Privilege Account Exist

Password Spray Attack
Brute Force

CyCraft Proprietary and Confidential Information

20 of 23

FUTURE WORK

處理限流問題，使數據更加準確
把每間公司相關的 domains 都記錄到 CSV 讓資訊更完整

20

CyCraft Proprietary and Confidential Information

21 of 23

REFERENCES

21

CyCraft Proprietary and Confidential Information

22 of 23

SUMMARY

感謝 Mentor John & CK & Interns
AD & AAD 相關的知識
研究方式和細節
繼續多多指教！

22

CyCraft Proprietary and Confidential Information

23 of 23

Thanks!

linktr.re/kazma.tw

linktr.re/NCKUCTF

CyCraft Proprietary and Confidential Information