shimit: implements Golden SAML attack

by do son · Published November 27, 2017 · Updated November 4, 2024

shimit is a python tool that implements the Golden SAML attack. More information on this can be found in the following article on our blog.

1. Generate an assertion matching the parameters provided by the user. In this example, we provided the username, Amazon account ID and the desired roles (the first one will be assumed).
2. Sign the assertion with the private key file, also specified by the user.
3. Open a connection to the SP, then calling a specific AWS API AssumeRoleWithSAML.
Get an access key and a session token from AWS STS (the service that supplies temporary credentials for federated users).
Apply this session to the command line environment (using aws-cli environment variables) for the user to use with AWS cli.

Overview

In a golden SAML attack, attackers can gain access to an application (any application that supports SAML authentication) with any privileges they desire and be any user of the targeted application.

shimit allows the user to create a signed SAMLResponse object, and use it to open a session with the Service Provider. shimit now supports AWS Console as a Service Provider, more are in the works…

AWS

After generating and signing the SAMLResponse‘s assertion, shimit will call the AssumeRoleWithSAML() API in AWS. Then, the session token and key will be applied to a new session, where the user can use aws cli to perform the action using the permissions obtained using the golden SAML.

Install

Requirement

python -m pip install boto3 botocore defusedxml enum python_dateutil lxml signxml

AWS cli ( Windows or Linux)

Download

git clone https://github.com/cyberark/shimit.git

Usage:

Apply session for AWS cli

python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file
-u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012

idp – Identity Provider URL e.g. http://server.domain.com/adfs/services/trust

pk – Private key file full path (pem format)

c – Certificate file full path (pem format)

u – User and domain name e.g. domain\username (use \ or quotes in *nix)

n – Session name in AWS

r – Desired roles in AWS. Supports Multiple roles, the first one specified will be assumed.

id – AWS account id e.g. 123456789012

Save SAMLResponse to file

python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file
-u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 -o saml_response.xml

o – Output encoded SAMLResponse to a specified file path

Load SAMLResponse from file