Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ADFS module always reports success despite invalid credentials #72

Open
Anthirian opened this issue Dec 11, 2023 · 3 comments
Open

ADFS module always reports success despite invalid credentials #72

Anthirian opened this issue Dec 11, 2023 · 3 comments

Comments

@Anthirian
Copy link

Anthirian commented Dec 11, 2023

I'm attempting to spray an ADFS endpoint with a list of email addresses validated using OneDriveEnum. I've tried specifying the URL according to the instructions, but also as https://federation.target.com/adfs/ls/. Neither worked. As soon as CredMaster starts spraying I'm seeing success notifications roll in, but there isn't a single one that fails, which I find highly unlikely.

$ python3 credmaster.py --config configuration.json --url https://federation.target.com
[2023-12-11 09:53:35.061] Execution started at: 2023-12-11 09:53:35.061807
[2023-12-11 09:53:35.063] Batching requests enabled: 50 requests per thread, 10s of delay between each batch.
[2023-12-11 09:53:35.063] Creating 10 API Gateways for https://federation.target.com
[2023-12-11 09:53:36.131] Created API - Region: eu-west-1 ID: (hzc7rs5re9) - https://hzc7rs5re9.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:53:47.250] Created API - Region: eu-west-1 ID: (cnlski5omb) - https://cnlski5omb.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:53:48.677] Created API - Region: eu-west-1 ID: (zzcyzo4ci0) - https://zzcyzo4ci0.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:53:51.942] Created API - Region: eu-west-1 ID: (b6tfrj15q6) - https://b6tfrj15q6.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:53:57.797] Created API - Region: eu-west-1 ID: (61qkfoezpb) - https://61qkfoezpb.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:15.671] Created API - Region: eu-west-1 ID: (rx80pcn3ri) - https://rx80pcn3ri.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:17.305] Created API - Region: eu-west-1 ID: (slapzy6pi2) - https://slapzy6pi2.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:19.128] Created API - Region: eu-west-1 ID: (nk7uzgnya1) - https://nk7uzgnya1.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:22.711] Created API - Region: eu-west-1 ID: (zxnfo6zr0h) - https://zxnfo6zr0h.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:25.149] Created API - Region: eu-west-1 ID: (vb9dmv76yj) - https://vb9dmv76yj.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:25.546] Testconnect: Connection success, continuing
[2023-12-11 09:54:25.547] Total Regions Available: 15
[2023-12-11 09:54:25.547] Total API Gateways: 10
[2023-12-11 09:54:25.547] Starting Spray...
[2023-12-11 09:54:26.306] Loading credentials from emails_target.com_20231130.txt with password Wachtwoord2023!
[2023-12-11 09:54:28.873] eu-west-1: [+] SUCCESS: => [email protected]:Wachtwoord2023!
[2023-12-11 09:54:28.885] eu-west-1: [+] SUCCESS: => [email protected]:Wachtwoord2023!
[2023-12-11 09:54:29.166] eu-west-1: [+] SUCCESS: => [email protected]:Wachtwoord2023!
[2023-12-11 09:54:29.327] eu-west-1: [+] SUCCESS: => [email protected]:Wachtwoord2023!
[2023-12-11 09:54:29.334] eu-west-1: [+] SUCCESS: => [email protected]:Wachtwoord2023!
[2023-12-11 09:54:29.783] eu-west-1: [+] SUCCESS: => [email protected]:Wachtwoord2023!
[2023-12-11 09:54:30.332] eu-west-1: [+] SUCCESS: => [email protected]:Wachtwoord2023!
[2023-12-11 09:54:30.846] eu-west-1: [+] SUCCESS: => [email protected]:Wachtwoord2023!
[2023-12-11 09:54:30.856] eu-west-1: [+] SUCCESS: => [email protected]:Wachtwoord2023!
[2023-12-11 09:54:31.805] eu-west-1: [+] SUCCESS: => [email protected]:Wachtwoord2023!
^C
[2023-12-11 09:54:31.887] KeyboardInterrupt detected, cleaning up APIs
[2023-12-11 09:54:31.887] Finishing active requests

Please let me know if you need any further information.

@Anthirian Anthirian changed the title ADFS module always reports success` ADFS module always reports success despite invalid credentials Dec 11, 2023
@knavesec
Copy link
Owner

knavesec commented Mar 19, 2024

Gathering information to troubleshoot this (apologies since it's 3 mo later), do you know if there was anything non standard about the ADFS install? Was it using certificate auth? Unfortunately just with the information presented in this issue I can't do much to troubleshoot since the ADFS plugin will simply return true if there is a 302 redirect

@Anthirian
Copy link
Author

Thanks for getting back to me on this. I'm not sure about special configurations actually, and my engagement has ended already. I might be able to gather more information if my client permits testing further. If so, what further information would help troubleshoot the issue? Is there a debug option I can use?

@knavesec
Copy link
Owner

Unfortunately there's not really a good debug option. Really the best bet would be having valid creds and being able to compare/contrast the requests, but that's not supremely helpful in this case. If you have the options, a look at the requests/responses would be our best bet. It's also possible there is an extra 302 that's triggering it or something similar, but may be an edge case type of thing. I'll leave this up for a few months if you can't sort it out to see if any others have the same issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants