ADFS module always reports success despite invalid credentials

[Anthirian]

I'm attempting to spray an ADFS endpoint with a list of email addresses validated using OneDriveEnum. I've tried specifying the URL according to the instructions, but also as https://federation.target.com/adfs/ls/. Neither worked. As soon as CredMaster starts spraying I'm seeing success notifications roll in, but there isn't a single one that fails, which I find highly unlikely.

$ python3 credmaster.py --config configuration.json --url https://federation.target.com
[2023-12-11 09:53:35.061] Execution started at: 2023-12-11 09:53:35.061807
[2023-12-11 09:53:35.063] Batching requests enabled: 50 requests per thread, 10s of delay between each batch.
[2023-12-11 09:53:35.063] Creating 10 API Gateways for https://federation.target.com
[2023-12-11 09:53:36.131] Created API - Region: eu-west-1 ID: (hzc7rs5re9) - https://hzc7rs5re9.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:53:47.250] Created API - Region: eu-west-1 ID: (cnlski5omb) - https://cnlski5omb.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:53:48.677] Created API - Region: eu-west-1 ID: (zzcyzo4ci0) - https://zzcyzo4ci0.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:53:51.942] Created API - Region: eu-west-1 ID: (b6tfrj15q6) - https://b6tfrj15q6.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:53:57.797] Created API - Region: eu-west-1 ID: (61qkfoezpb) - https://61qkfoezpb.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:15.671] Created API - Region: eu-west-1 ID: (rx80pcn3ri) - https://rx80pcn3ri.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:17.305] Created API - Region: eu-west-1 ID: (slapzy6pi2) - https://slapzy6pi2.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:19.128] Created API - Region: eu-west-1 ID: (nk7uzgnya1) - https://nk7uzgnya1.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:22.711] Created API - Region: eu-west-1 ID: (zxnfo6zr0h) - https://zxnfo6zr0h.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:25.149] Created API - Region: eu-west-1 ID: (vb9dmv76yj) - https://vb9dmv76yj.execute-api.eu-west-1.amazonaws.com/fireprox/ => https://federation.target.com
[2023-12-11 09:54:25.546] Testconnect: Connection success, continuing
[2023-12-11 09:54:25.547] Total Regions Available: 15
[2023-12-11 09:54:25.547] Total API Gateways: 10
[2023-12-11 09:54:25.547] Starting Spray...
[2023-12-11 09:54:26.306] Loading credentials from emails_target.com_20231130.txt with password Wachtwoord2023!
[2023-12-11 09:54:28.873] eu-west-1: [+] SUCCESS: => a.name@target.com:Wachtwoord2023!
[2023-12-11 09:54:28.885] eu-west-1: [+] SUCCESS: => b.name@target.com:Wachtwoord2023!
[2023-12-11 09:54:29.166] eu-west-1: [+] SUCCESS: => c.name@target.com:Wachtwoord2023!
[2023-12-11 09:54:29.327] eu-west-1: [+] SUCCESS: => d.name@target.com:Wachtwoord2023!
[2023-12-11 09:54:29.334] eu-west-1: [+] SUCCESS: => e.name@target.com:Wachtwoord2023!
[2023-12-11 09:54:29.783] eu-west-1: [+] SUCCESS: => f.name@target.com:Wachtwoord2023!
[2023-12-11 09:54:30.332] eu-west-1: [+] SUCCESS: => g.name@target.com:Wachtwoord2023!
[2023-12-11 09:54:30.846] eu-west-1: [+] SUCCESS: => h.name@target.com:Wachtwoord2023!
[2023-12-11 09:54:30.856] eu-west-1: [+] SUCCESS: => i.name@target.com:Wachtwoord2023!
[2023-12-11 09:54:31.805] eu-west-1: [+] SUCCESS: => j.name@target.com:Wachtwoord2023!
^C
[2023-12-11 09:54:31.887] KeyboardInterrupt detected, cleaning up APIs
[2023-12-11 09:54:31.887] Finishing active requests

Please let me know if you need any further information.

[knavesec]

Gathering information to troubleshoot this (apologies since it's 3 mo later), do you know if there was anything non standard about the ADFS install? Was it using certificate auth? Unfortunately just with the information presented in this issue I can't do much to troubleshoot since the ADFS plugin will simply return true if there is a 302 redirect

[Anthirian]

Thanks for getting back to me on this. I'm not sure about special configurations actually, and my engagement has ended already. I might be able to gather more information if my client permits testing further. If so, what further information would help troubleshoot the issue? Is there a debug option I can use?

[knavesec]

Unfortunately there's not really a good debug option. Really the best bet would be having valid creds and being able to compare/contrast the requests, but that's not supremely helpful in this case. If you have the options, a look at the requests/responses would be our best bet. It's also possible there is an extra 302 that's triggering it or something similar, but may be an edge case type of thing. I'll leave this up for a few months if you can't sort it out to see if any others have the same issue