Forging the Keys: Inside SAMLSmith, the C# Framework for Golden & Silver SAML Attacks
SAMLSmith is a C# tool for generating custom, signed SAML responses and carrying out Golden SAML and Silver SAML attacks. In both attacks the operator holds a signing key that the relying party trusts and mints assertions for any user and any set of claims without ever touching the identity provider's normal authentication flow; Golden SAML does it with the IdP's own stolen token-signing certificate (for AD FS, recoverable with the generatePFX command below), Silver SAML with an externally generated certificate that has been registered as a signing certificate for the application. The tool is aimed at security researchers and penetration testers assessing SAML-based authentication systems.
Use
SAMLSmith provides four primary commands for different operational scenarios:
| Command | Purpose | Input Method |
|---|---|---|
| generate | SAML response generation | Command line parameters |
| generateJSON | SAML response generation | JSON configuration file |
| generateWSJSON | WS-Federation response generation | JSON configuration file |
| generatePFX | Certificate extraction | AD FS encrypted materials |
Commands
generate
Generate SAML responses using command line parameters:
Parameters:
- --pfxPath – Path to the PFX certificate file
- --pfxPassword – Password for the PFX file (optional)
- --idpid – Identity Provider Identifier
- --recipient – SAML response recipient URL
- --subjectnameid – Subject NameID in the SAML response
- --audience – Audience for the SAML response
- --attributes – Claims/attributes in key=value,key=value format
- --inResponseTo – InResponseTo parameter (optional)
generateJSON
Generate SAML responses using JSON configuration files:
JSON Configuration Structure:
```json
{
    "pfxPath": "C:\\certs\\signing.pfx",
    "pfxPassword": "password123",
    "idpid": "https://sts.company.com/adfs/services/trust",
    "recipient": "https://app.company.com/sso/saml",
    "subjectnameid": "user@company.com",
    "audience": "https://app.company.com",
    "inResponseTo": "optional_response_id",
    "attributes": {
        "http://schemas.microsoft.com/identity/claims/tenantid": "tenant-guid",
        "http://schemas.microsoft.com/identity/claims/objectidentifier": "user-guid",
        "http://schemas.microsoft.com/identity/claims/displayname": "John Doe",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "user@company.com",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "John Doe"
    }
}
```
generateWSJSON
Generate WS-Federation responses using JSON configuration files. The fields are the same as for generateJSON, but the attributes format differs:
JSON Configuration Structure:
```json
{
    "pfxPath": "C:\\certs\\signing.pfx",
    "pfxPassword": "password123",
    "idpid": "https://sts.company.com/adfs/services/trust",
    "recipient": "https://app.company.com/sso/saml",
    "subjectnameid": "user@company.com",
    "audience": "https://app.company.com",
    "inResponseTo": "optional_response_id",
    "attributes": "http://schemas.microsoft.com/identity/claims/tenantid=tenant-guid,http://schemas.microsoft.com/identity/claims/objectidentifier=user-guid,http://schemas.microsoft.com/identity/claims/displayname=John Doe,http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=user@company.com,http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=John Doe"
}
```
Important: For WS-Federation, the attributes field is a single comma-separated string of key=value pairs (the same form the generate command's --attributes parameter takes), not the JSON object used in the SAML configuration.
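To make the parameter reference concrete, the following is an added example, written for this page and not taken from SAMLSmith's source: it shows how the generate / generateJSON fields (and the comma-separated key=value attribute string used by --attributes and by the WS-Federation configuration) map onto the elements of a SAML 2.0 Response. Signing is deliberately left out; SAMLSmith signs the Assertion with the private key from the PFX, and a comment marks where that enveloped <ds:Signature> sits. The config embedded below is constructed to mirror the page's JSON example with the pfx fields dropped; the five-minute validity window and the AuthnContextClassRef value are assumptions, not something the tool is documented to emit.

```python
"""Added example (not SAMLSmith's own code): how SAMLSmith-style inputs map
onto an (unsigned) SAML 2.0 Response, plus a parser for the key=value,...
attribute string.  Python 3 standard library only."""
import json
import uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed config mirroring the page's JSON example (pfx fields omitted,
# since nothing is signed here).
CONFIG_JSON = """{
  "idpid": "https://sts.company.com/adfs/services/trust",
  "recipient": "https://app.company.com/sso/saml",
  "subjectnameid": "user@company.com",
  "audience": "https://app.company.com",
  "inResponseTo": "optional_response_id",
  "attributes": {
    "http://schemas.microsoft.com/identity/claims/displayname": "John Doe",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "user@company.com"
  }
}"""
DEMO_CONFIG = json.loads(CONFIG_JSON)


def parse_attribute_string(s):
    """'key=value,key=value' (the --attributes / WS-Federation form) -> dict.
    Each pair is split on its first '=' only, so claim values may contain '='.
    Empty pairs (e.g. a trailing comma) are ignored."""
    out = {}
    for pair in s.split(","):
        if not pair.strip():
            continue
        key, _, value = pair.partition("=")
        out[key.strip()] = value
    return out


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_response(cfg, now=None, lifetime=timedelta(minutes=5)):
    """Return the unsigned Response XML for a SAMLSmith-style config dict."""
    now = now or datetime.now(timezone.utc)
    expiry = _ts(now + lifetime)                     # assumed validity window
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=_ts(now),
                      Destination=cfg["recipient"])  # --recipient
    if cfg.get("inResponseTo"):                      # --inResponseTo (optional)
        resp.set("InResponseTo", cfg["inResponseTo"])
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = cfg["idpid"]  # --idpid
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")

    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion",
                              ID="_" + uuid.uuid4().hex, Version="2.0",
                              IssueInstant=_ts(now))
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = cfg["idpid"]
    # <ds:Signature> (enveloped, over this Assertion) would be inserted here,
    # produced with the private key loaded from --pfxPath.
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = cfg["subjectnameid"]
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    data = ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData",
                         Recipient=cfg["recipient"], NotOnOrAfter=expiry)
    if cfg.get("inResponseTo"):
        data.set("InResponseTo", cfg["inResponseTo"])
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions",
                         NotBefore=_ts(now), NotOnOrAfter=expiry)
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = cfg["audience"]  # --audience
    authn = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement",
                          AuthnInstant=_ts(now))
    ctx = ET.SubElement(authn, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"  # assumed

    attrs = cfg.get("attributes") or {}
    if isinstance(attrs, str):          # WS-Federation / --attributes string form
        attrs = parse_attribute_string(attrs)
    if attrs:
        stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
        for name, value in attrs.items():
            attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name)
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(resp, encoding="unicode")


def summarize(xml_text):
    """Pull back the fields a relying party (or an analyst) should check."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "in_response_to": root.get("InResponseTo"),
        "name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "recipient": scd.get("Recipient"),
        "audience": a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "attributes": {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
                       for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)},
    }


if __name__ == "__main__":
    xml_out = build_response(DEMO_CONFIG)
    print(xml_out)
    print(summarize(xml_out))
```

The point of the round trip through summarize is that every command-line parameter lands in a field the relying party is supposed to validate (Issuer, Audience, Recipient, InResponseTo, NotOnOrAfter); a forged response only succeeds because the signature check passes, so those fields are where to look when hunting for one.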
generatePFX
Extract a usable certificate file from AD FS encrypted material. Given the EncryptedPFX blob from the AD FS configuration database and the DKM decryption key from Active Directory, it produces a PFX file containing the token-signing certificate and its private key, which is the input the other commands take via --pfxPath:
Parameters:
- --encryptedPFXPath – Path to the EncryptedPFX blob from the AD FS configuration database
- --dkmKeyPath – Path to the DKM decryption key from Active Directory
- --pfxOutputPath – Output path for the decrypted PFX certificate file
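A defender-side check for the Golden SAML path that generatePFX enables, added here as an example and not part of SAMLSmith: a response signed with the stolen token-signing key is minted outside AD FS, so the relying party records a federated sign-in for which AD FS never issued a token. AD FS logs a token issuance as Security event ID 1200 ("The Federation Service issued a valid token") when auditing is enabled, and the check below flags federated sign-ins with no 1200 event for the same user in the preceding window. Both log extracts are constructed; the field names (time, user, auth, app, relying_party) are assumptions about a normalised SIEM export, not any product's native schema, and the ten-minute window is a tuning choice.

```python
"""Added example (not SAMLSmith's own code): correlate cloud sign-ins with
AD FS token-issuance audit events to surface Golden SAML activity."""
import json
from datetime import datetime, timedelta, timezone

# Constructed AD FS Security-log extract.  1202 = credential validated,
# 1200 = token issued.  Field names are assumed, not a native schema.
ADFS_AUDIT = """\
{"time": "2024-05-01T09:00:07Z", "event_id": 1202, "user": "alice@company.com"}
{"time": "2024-05-01T09:00:08Z", "event_id": 1200, "user": "alice@company.com", "relying_party": "urn:federation:MicrosoftOnline"}
{"time": "2024-05-01T06:40:00Z", "event_id": 1200, "user": "carol@company.com", "relying_party": "urn:federation:MicrosoftOnline"}
"""

# Constructed cloud sign-in extract.  Only federated sign-ins should have an
# AD FS counterpart; cloud-only authentications never touch AD FS.
CLOUD_SIGNINS = """\
{"time": "2024-05-01T09:00:10Z", "user": "alice@company.com", "app": "Office 365", "auth": "federated"}
{"time": "2024-05-01T09:12:41Z", "user": "bob@company.com", "app": "Office 365", "auth": "federated"}
{"time": "2024-05-01T09:30:00Z", "user": "carol@company.com", "app": "Azure Portal", "auth": "federated"}
{"time": "2024-05-01T09:31:00Z", "user": "dave@company.com", "app": "Office 365", "auth": "cloud-password"}
"""


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unbacked_federated_signins(signins, adfs_events, window=timedelta(minutes=10)):
    """Return federated sign-ins that have no AD FS 1200 (token issued) event
    for the same user within `window` before the sign-in.  The missing event
    is the Golden SAML signal: the token the cloud accepted was not minted by
    AD FS, only signed with its key."""
    issued = [(_t(e["time"]), e["user"].lower())
              for e in adfs_events if e.get("event_id") == 1200]
    alerts = []
    for s in signins:
        if s.get("auth") != "federated":
            continue                      # no AD FS involvement expected
        t, user = _t(s["time"]), s["user"].lower()
        backed = any(u == user and t - window <= it <= t for it, u in issued)
        if not backed:
            alerts.append({"user": s["user"], "time": s["time"], "app": s["app"]})
    return alerts


if __name__ == "__main__":
    for alert in unbacked_federated_signins(load_jsonl(CLOUD_SIGNINS),
                                            load_jsonl(ADFS_AUDIT)):
        print("federated sign-in without AD FS token issuance:", alert)
```

In the constructed data alice is backed by a 1200 event two seconds earlier, bob has none at all, and carol's only issuance is hours old, so bob and carol are flagged. The check depends on AD FS auditing being enabled and shipped off the federation servers, and on reasonable clock agreement between the two sources; it is also blind to a forged token used only for refresh after a legitimate interactive sign-in, so it complements rather than replaces monitoring of the configuration database and DKM container access that generatePFX's inputs come from.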
For detailed information about Silver SAML, see: Meet Silver SAML, Golden SAML In the Cloud