Dumping NTHashes from Azure AD

Azure AD stores users’ credentials, such as user names and passwords. Passwords are securely hashed using a PBKDF2 function based on Rfc2898DeriveBytes. This session introduces a novel technique for exporting legacy NTHashes of both synchronised and cloud-only users from Azure AD.

Azure Active Directory (Azure AD) is Microsoft’s cloud-based Identity and Access Management (IAM) solution, used by over 90 per cent of Fortune 500 companies.

Azure AD stores users’ credentials, such as user names and passwords. When passwords are synchronised from on-prem AD to Azure AD, the legacy password hashes (NTHashes) are securely rehashed with 1000 iterations of a PBKDF2 function based on Rfc2898DeriveBytes. As such, NTHashes should not be available in Azure AD.

In this session, I’ll introduce a novel technique for exporting NTHashes from Azure AD. In the worst-case scenario, the technique enables a new lateral movement attack in hybrid organisations: From cloud-only admin to on-prem admin.

About the Speaker