ADAudit Plus Exploitation Analysis — Data Encryption Analysis
0x00 Preface
The previous article, "ADAudit Plus Vulnerability Debugging Environment Setup", covered building the vulnerability debugging environment. During testing it turned out that some of the data in the database is stored in encrypted (hashed) form, and this article walks through the encryption algorithm behind it.
0x01 Introduction
This article will cover the following content:
Location of Data Encryption
Algorithm Analysis
Algorithm Implementation
0x02 Location of Data Encryption
The test environment is the same as in "ADAudit Plus Vulnerability Debugging Environment Setup".
Complete command for database connection: "C:\Program Files\ManageEngine\ADAudit Plus\pgsql\bin\psql" "host=127.0.0.1 port=33307 dbname=adap user=postgres password=Stonebraker"
Example command to query encrypted passwords: SELECT * FROM public.aaapassword ORDER BY password_id ASC;
Example of returned results:
Through testing, the corresponding location in the web management console is Admin->Technicians, as shown in the following figure.

Clicking Add technicians allows you to add users; here you can choose to add either a custom user or a domain user.
A password is required when adding a custom user, as shown below.
No password is required when adding a domain user, as shown below.

0x03 Algorithm Analysis
1. Encryption Algorithm Details
After analysis, the encryption routine is located in the class com.adventnet.authentication.util.AuthUtil (AuthUtil.class) inside C:\Program Files\ManageEngine\ADAudit Plus\lib\AdvAuthentication.jar.
Implementation code for adding users:
Code for obtaining the encrypted Password:
Code for generating salt:
Through dynamic debugging, it was found that the default cost (bcrypt work factor) is 12, and an example of the generated salt string is $2a$12$DVT1iwOoi3YwkHO6L6QSoe, as shown below. This 29-character string is the standard bcrypt prefix: the version "2a", the cost "12" and 22 characters of bcrypt-base64-encoded salt.
Implementation details of the specific encryption algorithm getEncryptedPassword():
Set a breakpoint here; dynamic debugging leads to the following conclusions:
If the account is a domain user, the default password 'admin' is used as the plaintext, a random salt is generated, and the stored value is the bcrypt hash of that plaintext. The first 29 bytes of the stored value are the salt string (version, cost and salt) used for the computation.
If the account is not a domain user, the password entered for the user is used as the plaintext. For the built-in user 'admin', for example, the actual password is hashed with bcrypt to produce the stored value.
In other words, when querying the public.aaapassword table, the first 29 bytes of the password field already contain the salt used for hashing; the separate salt column in public.aaapassword can be ignored.
2. Distinguishing Between Domain Users and Non-Domain Users
Query command example: SELECT * FROM public.aaalogin ORDER BY login_id ASC;
Return result example:

In these results, a domainname value of ADAuditPlus Authentication indicates a custom-added (non-domain) user.
An inner join can be used to select only the custom (non-domain) users together with their password hashes, leaving out the domain users whose hashes correspond to the default password. Command example: SELECT aaalogin.login_id,aaalogin.name,aaalogin.domainname,aaapassword.password FROM public.aaalogin as aaalogin INNER JOIN public.aaapassword AS aaapassword on aaalogin.login_id=aaapassword.password_id WHERE aaalogin.domainname = 'ADAuditPlus Authentication';
Return result example:

0x04 Algorithm Implementation
Test parameters are as follows:
Known plaintext: 123456
Password entry obtained from the database: $2a$12$1hKeH4aM2LY4BvYpKT9Z5.p9cD453FjBAPYjp0ek94n936WRRAYme
From this, the salt is the first 29 bytes of the password entry, namely $2a$12$1hKeH4aM2LY4BvYpKT9Z5.
The test code for calculating the ciphertext is as follows:
The calculation result is $2a$12$1hKeH4aM2LY4BvYpKT9Z5.p9cD453FjBAPYjp0ek94n936WRRAYme, which matches the password entry obtained from the database.
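As an added example (not the article's own Java test code, which appears only in the missing screenshot), the following Python helper parses a public.aaapassword value into its bcrypt fields, decodes the 22-character salt with bcrypt's own base64 alphabet, and reproduces the inner join above in Python so an auditor can check which stored hashes belong to custom users. The sample rows are constructed; the first hash is the one quoted in the article.

```python
import re

# bcrypt stores "$<version>$<cost>$<22-char salt><31-char digest>", encoded with its own
# base64 alphabet (not RFC 4648): "./" first, then A-Z, a-z, 0-9.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_MCF_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
CUSTOM_DOMAIN = "ADAuditPlus Authentication"  # domainname of custom-added technicians

def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt's base64 variant; trailing bits that do not fill a byte are dropped."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc, nbits = (acc << 6) | BCRYPT_ALPHABET.index(ch), nbits + 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)

def parse_entry(stored: str) -> dict:
    """Split a public.aaapassword.password value into its bcrypt fields.
    salt_prefix is the 29-byte prefix the article reuses as the salt argument."""
    m = _MCF_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string: %r" % stored)
    version, cost, salt, digest = m.groups()
    return {
        "version": version, "cost": int(cost),
        "salt_prefix": f"${version}${cost}${salt}",
        "salt": bcrypt_b64decode(salt),      # 16 raw salt bytes
        "digest": bcrypt_b64decode(digest),  # 23 raw digest bytes
    }

def custom_user_hashes(aaalogin: list, aaapassword: list) -> list:
    """Python equivalent of the article's INNER JOIN: rows joined on
    login_id = password_id and restricted to custom (non-domain) users."""
    by_id = {r["password_id"]: r["password"] for r in aaapassword}
    return [
        {"login_id": r["login_id"], "name": r["name"], **parse_entry(by_id[r["login_id"]])}
        for r in aaalogin
        if r["domainname"] == CUSTOM_DOMAIN and r["login_id"] in by_id
    ]

# Constructed sample rows. The first hash is the one quoted in the article (plaintext
# 123456); the second, for a domain user, is a made-up value of the right shape.
SAMPLE_LOGIN = [{"login_id": 1, "name": "admin", "domainname": CUSTOM_DOMAIN},
                {"login_id": 2, "name": "jdoe", "domainname": "EXAMPLE-DOMAIN"}]
SAMPLE_PASSWORD = [{"password_id": 1, "password": "$2a$12$1hKeH4aM2LY4BvYpKT9Z5.p9cD453FjBAPYjp0ek94n936WRRAYme"},
                   {"password_id": 2, "password": "$2a$12$DVT1iwOoi3YwkHO6L6QSoe" + "A" * 31}]
```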
In conclusion, the above algorithm can be used to brute-force user passwords
0x05 Summary
This article analyzed the password storage algorithm of ADAudit Plus (bcrypt, with the salt carried in the first 29 bytes of the stored value), showed how to distinguish domain users from custom users, and provided implementation code; in subsequent steps the algorithm can be used to brute-force user passwords.