Azure AD

Exploiting Password Hash Synchronisation (PHS)

# The main target is the sync account
# You can identify it using the description
$ ldapsearch -H ldap://DC01.DOMAIN.LAN:389 -D "DOMAIN\user" -w "****" -b "DC=DOMAIN,DC=LAN" '(description=*Azure*)' description

# To exploit this, you need local admin on the Azure AD Connect server or the ADSync service account
# Decryption uses C:\Program Files\Microsoft Azure AD Sync\Binn\mcrypt.dll

# The default configuration of Azure AD Connect uses a SQL Server Express database,
# but a fully deployed SQL Server can also be used.
# In that case, the connection string in the POC must be replaced with the following:
# "Server=LocalHost;Database=ADSync;Trusted_Connection=True;"
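The ldapsearch query above is also how a defender inventories the sync account: its description names the Azure AD Connect host it runs on, and that host is the only place the account should ever log on. The script below is an added example (not part of the original page or of Azure AD Connect itself) that parses ldapsearch's LDIF output, including LDIF's folded lines and base64 (`::`) values, pulls out every account whose description matches the Azure AD Connect pattern together with its expected host, and then flags 4624 logon events for those accounts from any other workstation. The LDIF text and the logon event lines are constructed samples; the description wording, the `EventID=... TargetUserName=...` field layout and the host names are assumptions about what a real export would contain.

```python
"""Locate Azure AD Connect sync account(s) in ldapsearch LDIF output and flag
logons by those accounts from any host other than the AAD Connect server."""
import base64
import re
from typing import Dict, List

# Constructed LDIF in the shape ldapsearch prints for '(description=*Azure*)'.
# Long values are folded at 76 columns with a leading space, as LDIF does.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: (description=*Azure*)
# requesting: description

# MSOL_0a1b2c3d4e5f, Users, DOMAIN.LAN
dn: CN=MSOL_0a1b2c3d4e5f,CN=Users,DC=DOMAIN,DC=LAN
description: Account created by Microsoft Azure Active Directory Connect with in
 stallation identifier 0a1b2c3d4e5f running on computer AADCONNECT01 configured
  to synchronize to tenant example.onmicrosoft.com.

# svc-backup, Users, DOMAIN.LAN
dn: CN=svc-backup,CN=Users,DC=DOMAIN,DC=LAN
description: Backup job for Azure file shares (not a sync account)

# search result
search: 2
result: 0 Success
"""

# Constructed logon events (assumed SIEM export layout of Windows event 4624).
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=MSOL_0a1b2c3d4e5f WorkstationName=AADCONNECT01 LogonType=5",
    "EventID=4624 TargetUserName=MSOL_0a1b2c3d4e5f WorkstationName=WS-ADMIN07 LogonType=3",
    "EventID=4624 TargetUserName=jdoe WorkstationName=WS-ADMIN07 LogonType=2",
    "EventID=4624 TargetUserName=MSOL_0a1b2c3d4e5f WorkstationName=aadconnect01 LogonType=3",
]

# Assumed description pattern; the host after "running on computer" is the
# Azure AD Connect server the account belongs to.
SYNC_RE = re.compile(
    r"Azure Active Directory Connect.*?running on computer (?P<host>\S+)", re.I)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries (attribute -> values), keeping only
    entries that carry a dn (search summary lines are dropped)."""
    lines: List[str] = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line (folding).
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):      # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return [e for e in entries if "dn" in e]


def find_sync_accounts(entries: List[Dict[str, List[str]]]) -> Dict[str, str]:
    """Map each sync account's CN to the AAD Connect host named in its description."""
    found: Dict[str, str] = {}
    for entry in entries:
        for desc in entry.get("description", []):
            match = SYNC_RE.search(desc)
            if match:
                cn = entry["dn"][0].split(",")[0].split("=", 1)[1]
                found[cn] = match.group("host")
    return found


def flag_unexpected_logons(sync_accounts: Dict[str, str], events: List[str]) -> List[str]:
    """Return a finding for every 4624 logon of a sync account from a host other
    than its own AAD Connect server (host comparison is case-insensitive)."""
    hits: List[str] = []
    for line in events:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("EventID") != "4624":
            continue
        user = fields.get("TargetUserName", "")
        host = fields.get("WorkstationName", "")
        expected = sync_accounts.get(user)
        if expected and host.lower() != expected.lower():
            hits.append(f"{user} logged on from {host}, expected only {expected}")
    return hits


if __name__ == "__main__":
    accounts = find_sync_accounts(parse_ldif(SAMPLE_LDIF))
    print("sync accounts:", accounts)
    for finding in flag_unexpected_logons(accounts, SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Feed the real ldapsearch output into `parse_ldif` and your 4624 export into `flag_unexpected_logons`; any hit means the sync account's credential is in use somewhere other than the Azure AD Connect server, which is exactly the situation the rest of this page describes.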