I Am AD FS and So Can You - Attacking Active Directory Federated Services

Explore the intricacies of Active Directory Federated Services (AD FS) and its potential vulnerabilities in this comprehensive conference talk. Delve into the building blocks of AD FS, including claims pipelines, security tokens, and assertions. Learn about identity providers, adapters, and techniques for locating AD FS proxies. Discover methods to target weak links and adapt attack strategies. Gain insights into the Windows Internal Database (WID) and techniques for locating and decrypting sensitive information. Examine tools like ADFSDump and ADFSpoof, and understand their implications. Conclude with best practices for mitigation and appropriate incident response strategies to enhance AD FS security.

Syllabus

Intro
Roadmap
Doug Bienstock - @doughsec
Austin Baker - @bakedsec
Active Directory Federated Services
Building Blocks - Claims Pipeline
Building Blocks - Security Tokens
Building Blocks - claims to assertions
Building blocks - the RP
Identity Providers and Adapters
Finding AD FS Proxies
Target the Weak Links
Adapt or die
Windows Internal Database (WID)
Locating the goods
Decrypting the SigningToken
Key Derivation
Key Decryption
ADFSDump
ADFSpoof
Best Practices and Mitigations
Responding Appropriately