Security BSides London 2019

The Keymaker - a tool for creating access tokens for Service Providers using stolen ADFS signing certificate and a private key. Although the idea and methodology been around for a while there is limited previous work related to obtaining certificates and keys and signing requests with them.

Organizations are increasingly moving into the cloud. If we can obtain ADFS signing keys we can sign our own requests to Service Providers and get unrestricted access to the services. In case of Amazon Web Services, we even can assign ourselves any role in the request. This also gives us persistence as we don’t need to be on the network if we want to access emails, SharePoint, etc.

The Keymaker is a Python server which will run locally on our machine. Instead of making a request to Identity Provider, The Keymaker will capture the forwarded request and sign it without any interaction from the Identity Provider.

I will briefly go through what ADFS is, what processes are involved in getting access tokens and why we are interested in them. I will show example of access tokens and show a small demo of the tool with couple of notes on possible mitigation.