
Version should be 1.

Open pawp81 opened this issue 4 years ago • 10 comments

When running python ADFSpoof.py -b Token_sign_blob.bin DKMkey.bin dump I am getting a "Version should be 1" message and the script dies. I modified EncryptedPfx.py to output what the actual version is. The version is: "538976257". Probably the problem lies in the way I saved EncryptedPfx and DKMkey from ADFSDump. What I did:

  1. EncryptedPfx
     a) I took everything between: [-] Encrypted Token Signing Key Begin and [-] Encrypted Token Signing Key End, which looks like this: AAAAAQAAAAAEEGXuqoRBIwFInUU[....]q6YTotIB2BA8v+zfmKuMDPw==
     b) I base64 decoded it and saved the output to Token_sign_blob.bin

  2. DKM key
     a) I took Private Key: B7-12-96-C1-50-89-CA-54-B7-D2-ED-E5-F0-8E-24-AA-4F-27-2F-1B-2C-9E-2E-8A-43-47-42-FD-55-B0-72-CB
     b) I removed dashes.
     c) I base64 decoded it and saved the output to DKMkey.bin

Is there any other type of conversion that needs to be done?

pawp81 • Jan 08 '21 17:01

@pawp81
The correct way to create the DKM key:
a) take the private key
b) take a hex editor, paste in the bytes (private key without dashes) and save as DKMkey.bin

duzvik • Jan 11 '21 19:01

Thank you. I see the DKM key extracted from Active Directory already comes in HEX. Do you mean that the DKM key should be the HEX representation of the actual ANSI bytes? Taking my DKM key as an example and https://hexed.it/ as an example hex editor, is this what I should do? [image]

pawp81 • Jan 11 '21 20:01

Yes, DKMkey.bin should be the HEX representation of the actual ANSI bytes. In the screenshot I see a lot of zeros; remove everything after 72 CB.

duzvik • Jan 12 '21 09:01

Hi! In my case I used 'cat DKMkey.txt | tr -d "-" | xxd -r -p > DKMkey.bin'. I think it works the same but I did not get the zeros :)

ricardojoserf • Jan 12 '21 13:01

Thank you, I am getting closer. Now I am getting:

Calculated MAC did not match anticipated MAC
Calculated MAC: b'H\x03\xbauF\x02\xed\x87%\x7f+\xafZ\x95\xdc\xd3\x0b\x05\x15O\x12\xf69\xc5\x9a\xb6!;\x83\xea_\x03'
Expected MAC: b'\xc0\xae\x84\x8f\x0cm\x16g\x1c\x1axnV\x83\xed\x08I\x1dAv\xa5m^\x91]\xd8o\xf1\xb8\x14\x8b\x04'

What do you do with EncryptedPFX? Do you just base64 decode the output from ADFSDump?

cat Token_sign_blob_ADFS2019.txt | base64 -d >Token_sign_blob_ADFS2019.bin

pawp81 • Jan 12 '21 19:01

Ha! Welcome to the club! (ppl who didn't read the readme :) )

Steps to fix this:

  1. pip uninstall cryptography
  2. git clone https://github.com/dmb2168/cryptography.git
  3. cd cryptography
  4. pip install -e .

Have fun!

duzvik • Jan 12 '21 20:01

Thank you! It worked, though only on Linux. On Windows I am getting an installation error when installing cryptography.

pawp81 • Jan 13 '21 16:01

Hey! If the method does not work, this is what worked for me:

  1. Create a virtual environment in Python
  2. git clone https://github.com/dmb2168/cryptography.git
  3. cd cryptography
  4. pip3 install pyopenssl --upgrade -e .

0xMazen • May 04 '22 22:05

Hey @0xMazen @duzvik, please help me, I'm also getting the same error:

A tool to for AD FS security tokens
Created by @doughsec

Calculated MAC did not match anticipated MAC
Calculated MAC: b"e\xec|[\x17?.\xffC'v(u\xaaBiw\x90\xfb\x1c\xd4H\xf7LM\x13\x87+G\x99mX"
Expected MAC: b"{\xad\xa9}\x02\xfa]\xdb\xcb\x95\x15p \x1c\x9c\xed\xbcC/\xc1\xef\xc0f\xd1\x93D'\xeb\xb0\x8a\xc0\xe1"

I have tried to install this but it's not being installed at git clone https://github.com/dmb2168/cryptography.git

Any other version of cryptography I'm able to install.

AmjadAlii • Mar 16 '24 00:03