Legacy Meets Modern: Breaking AD Through NIS & MFA Infrastructure

The Duo Auth Proxy was shown to be forwarding live Active Directory authentication requests, and packet capture plus a recovered RADIUS shared secret allowed the authentication exchanges to be decrypted. This exposed cleartext credentials and revealed that MFA through the Duo Auth Proxy could be abused as a mechanism for password theft rather than a defense, while user group analysis highlighted a developer account with broad development-related AD memberships. #DuoAuthProxy #RADIUS #ActiveDirectory #MFA

Keypoints

  • The Duo Auth Proxy was confirmed to be proxying Active Directory authentication requests in real time.
  • Log monitoring showed authentication requests for multiple users being forwarded from the proxy to the AD server at 10.10.10.10.
  • A packet capture was started on the relevant interface to observe authentication traffic.
  • Using the previously discovered RADIUS shared secret, the captured authentication exchanges were decrypted.
  • Decryption exposed cleartext credentials for authentication requests sent through the Duo Auth Proxy.
  • The assessment concluded that MFA was being abused as a mechanism for password theft instead of protecting against it.
  • Group membership analysis identified a developer account with multiple development-related AD groups, suggesting possible access to tooling or privileged service interactions.

MITRE Techniques

  • [T1040] Network Sniffing – A packet capture was performed on the relevant interface to observe authentication traffic and recover credentials [‘I started a packet capture on the relevant interface’]
  • [T1557] Adversary-in-the-Middle – The proxying of authentication requests and decryption of exchanges enabled interception of credentials in transit [‘authentication requests were being proxied through this system in real time’; ‘authentication exchanges could be decrypted’]
  • [T1552.004] Unsecured Credentials: Private Keys – The RADIUS shared secret was used to decrypt captured authentication traffic [‘alongside the RADIUS shared secret I discovered earlier’]
  • [T1003] OS Credential Dumping – Cleartext credentials were obtained from decrypted authentication exchanges [‘This allowed me to see cleartext credentials for authentication requests sent through the Duo Auth Proxy’]
  • [T1069.002] Permission Groups Discovery: Domain Groups – User group memberships were enumerated to identify potential privilege or movement paths [‘I began mapping users against their group memberships’]

Indicators of Compromise

  • [IP address] Active Directory auth destination seen in proxy logs – 10.10.10.10
  • [Usernames] Authentication events observed in logs – ADUser1, ADUser2, and 2 other users
  • [Host / interface names] Packet capture target and system context – ens192, duoproxy
  • [File path] Duo Auth Proxy log location referenced during monitoring – /opt/duoauthproxy/log/authproxy.log
  • [File name / capture file] Packet capture output written to disk – /tmp/packetcap
  • [Command / directory artifact] AD group membership query shown in the article – Get-ADPrincipalGroupMembership developer

Read more: https://www.netspi.com/blog/technical-blog/network-pentesting/legacy-meets-modern-breaking-ad-through-nis-mfa-infrastructure/