
AD Connect Server Hack: Unlock Any Account Easily! #shorts

BSides Frankfurt · 1:26 · 138 views · Published 2026-03
About this talk
What happens if an AD Connect server is compromised? An attacker can patch logon functions to accept a backdoor password, gaining access to any account. Stealing the sync secret, even though it is stored encrypted, still allows decryption. #ADSecurity #CyberSecurity #ActiveDirectory #TechRisks #ServerSecurity
Transcript [en]

What could possibly go wrong in this setup if someone compromises that AD Connect server? Well, there are some AD internals as an implementation for this, and there are multiple ways to do it, but essentially you can patch the LogonUserW function and say something like: I don't care about the username, but if the password is "banana", then say that the login is successful. And then you have a backdoor password and can log into whatever account you want. So, what could go wrong in this third variant? Well, to be able to do this, you need to have a few accounts and a few secrets, right? So you need one account which is able to do that easy sync. You need some kind of a service account, which is going to be relevant soon, but the actual account that is running the service. And you need an account in Azure which is able to write the hash for users, right? It needs to be able to create users. It needs to be able to do quite a lot of interesting stuff, because if it doesn't have those permissions, then it's not able to sync it all the time, right?

So, what happens if someone steals that sync secret? That's not a great situation, right? It's obviously stored on the AD Connect server. It's encrypted, but it's encrypted with DPAPI. So if you have the service account, like if you're a local admin, then you can just run as that service account and use Unprotect to get that in clear text. You can of course also dump the actual secret and so on and then decrypt it offline.
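The speaker's point is that DPAPI only ties a secret to an account, not to a process: anyone who can run code as the account that protected the blob can call Unprotect on it, and a local administrator can run code as any local service account. The PowerShell below is an added example (not from the talk and not Microsoft's or the speaker's code) that demonstrates that scoping with a constructed sample secret, and then performs the two checks a defender would run on an AD Connect box: which identity the sync service runs under, and who holds local admin and could therefore impersonate it. The service name `ADSync` is assumed to be the Azure AD / Entra Connect sync service; the secret value is a constructed sample, not a real credential.

```powershell
# Added example: DPAPI scoping and the on-box checks it motivates. Windows only.
Add-Type -AssemblyName System.Security

# Constructed sample secret; in the real case this would be the sync credential
# that AD Connect stores DPAPI-protected on the server.
$secret  = [Text.Encoding]::UTF8.GetBytes('constructed-sample-sync-secret')
$entropy = $null   # no optional entropy, so the account context alone gates decryption

# CurrentUser scope: the blob is bound to the DPAPI master key of the account
# that called Protect. This mirrors the talk: Unprotect works only from that
# account's context, which is why the attacker runs as the service account.
$blobUser = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)

$plain = [Security.Cryptography.ProtectedData]::Unprotect(
    $blobUser, $entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
"CurrentUser-scope blob decrypted in same context: $([Text.Encoding]::UTF8.GetString($plain))"

# Contrast: LocalMachine scope binds the blob to the machine key, so any account
# on the same host can decrypt it. Weaker than CurrentUser, but note that the
# CurrentUser scope is no real barrier either once an attacker is local admin.
$blobMachine = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
$plainMachine = [Security.Cryptography.ProtectedData]::Unprotect(
    $blobMachine, $entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
"LocalMachine-scope blob decrypted: $([Text.Encoding]::UTF8.GetString($plainMachine))"

# Defender check 1: which identity the sync service runs as. That account's DPAPI
# context is what an attacker with local admin would impersonate to call Unprotect.
# 'ADSync' is an assumed service name for the Azure AD / Entra Connect sync service.
$svc = Get-CimInstance Win32_Service -Filter "Name='ADSync'"
if ($svc) {
    "Sync service '$($svc.Name)' runs as: $($svc.StartName) (state: $($svc.State))"
} else {
    "No service named ADSync found on this host (not an AD Connect server, or a different service name)."
}

# Defender check 2: who can reach that context. Every member of the local
# Administrators group on the AD Connect server is effectively in the sync
# account's DPAPI context, so this list should be as short as the sync account's.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Run it in an elevated PowerShell on the AD Connect server itself. The two DPAPI calls succeed on any Windows host and only illustrate the scoping; the value of the script is the last two checks, whose output should be reviewed against the principle that the AD Connect server is tier-0 and its local Administrators group should contain nothing beyond what the sync service needs.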