3. ADFSdump.exe
3.1. Private key acquisition
Acquisition technique
https://github.com/mandiant/ADFSDump/blob/master/ADFSDump/AD.cs
LDAP query path:
CN=ADFS, CN=Microsoft, CN=Program Data, DC=example, DC=com
DirectorySearcher(entry).Filter = (LdapFilter)
It uses DirectorySearcher to search AD for objects that have the thumbnailPhoto attribute. thumbnailPhoto is normally the attribute that stores a user's profile picture, but this code assumes that the AD FS private key may be stored there and extracts it.
Logging - LDAP query execution
[AD DS] Event ID 1644 (LDAP Query Latency)
The filter (&(thumbnailphoto=*)(objectClass=contact)(!(cn=CryptoPolicy))) appears in the event.
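As an added example (not code from this page or from ADFSDump), the Python below reads an Event ID 1644 message, parses the LDAP filter instead of substring-matching it, and reports whether the three assertions above and the ADFS search base are present. The sample message is constructed, and its "Label:" / value line layout is an assumption about how the event text is laid out. Event 1644 is only written once the NTDS "15 Field Engineering" diagnostic level is raised and the search thresholds are configured, so a default domain controller will not produce it.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an AD DS Event ID 1644 message (not a real log record); the
# "Label:" line followed by a value line is an assumed layout for the event text.
SAMPLE_1644 = """Internal event: A client issued a search operation with the following options.

Client:
10.0.0.25:49812
Starting node:
CN=ADFS,CN=Microsoft,CN=Program Data,DC=example,DC=com
Filter:
(&(thumbnailphoto=*)(objectClass=contact)(!(cn=CryptoPolicy)))
Search scope:
subtree
Attribute selection:
thumbnailPhoto
Visited entries:
3
Returned entries:
1
"""

# Leaf assertions of the ADFSDump filter quoted on the page: (negated, attribute, value).
ADFSDUMP_LEAVES = {
    (False, "thumbnailphoto", "*"),
    (False, "objectclass", "contact"),
    (True, "cn", "cryptopolicy"),
}
# Search base given on the page, normalised (lower case, no spaces after commas).
ADFS_CONTAINER = "cn=adfs,cn=microsoft,cn=program data"


def parse_1644(message: str) -> Dict[str, str]:
    """Turn 'Label:' / value line pairs into a dict with lower-cased keys."""
    lines = [ln.strip() for ln in message.splitlines()]
    fields: Dict[str, str] = {}
    for i, ln in enumerate(lines):
        if ln.endswith(":") and i + 1 < len(lines):
            fields[ln[:-1].lower()] = lines[i + 1]
    return fields


def filter_leaves(filt: str) -> List[Tuple[bool, str, str]]:
    """Walk an RFC 4515 filter and collect its leaves as (negated, attribute, value).

    A small recursive-descent parse (instead of substring matching) means the
    negation in (!(cn=CryptoPolicy)) is recognised, attribute names compare
    case-insensitively, and term order and whitespace do not matter.
    """
    leaves: List[Tuple[bool, str, str]] = []

    def skip_ws(pos: int) -> int:
        while pos < len(filt) and filt[pos].isspace():
            pos += 1
        return pos

    def expect_close(pos: int) -> int:
        pos = skip_ws(pos)
        if pos >= len(filt) or filt[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos} in {filt!r}")
        return pos + 1

    def parse(pos: int, negated: bool) -> int:
        pos = skip_ws(pos)
        if pos >= len(filt) or filt[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos} in {filt!r}")
        pos = skip_ws(pos + 1)
        if pos >= len(filt):
            raise ValueError("unterminated filter")
        op = filt[pos]
        if op in "&|":                       # AND / OR: parse each child in turn
            pos = skip_ws(pos + 1)
            while pos < len(filt) and filt[pos] == "(":
                pos = skip_ws(parse(pos, negated))
            return expect_close(pos)
        if op == "!":                        # NOT: flip the polarity for the child
            return expect_close(parse(pos + 1, not negated))
        end = filt.index(")", pos)           # ')' inside a value is escaped as \29
        attr, _, value = filt[pos:end].partition("=")
        leaves.append((negated, attr.strip().lower(), value.strip()))
        return end + 1

    end = skip_ws(parse(0, False))
    if end != len(filt):
        raise ValueError(f"trailing data after filter: {filt[end:]!r}")
    return leaves


def assess_1644(message: str) -> Dict[str, object]:
    """Report the client plus whether the ADFSDump filter and ADFS search base are present."""
    f = parse_1644(message)
    filt = f.get("filter", "")
    leaves = {(neg, attr, val.lower()) for neg, attr, val in filter_leaves(filt)} if filt else set()
    base = re.sub(r",\s*", ",", f.get("starting node", "")).lower()
    return {
        "client": f.get("client", ""),
        "adfsdump_filter": ADFSDUMP_LEAVES <= leaves,
        "adfs_search_base": base.startswith(ADFS_CONTAINER),
    }


def is_adfsdump_ldap_search(message: str) -> bool:
    """True only when both the filter and the search base match the page's description."""
    r = assess_1644(message)
    return bool(r["adfsdump_filter"] and r["adfs_search_base"])


if __name__ == "__main__":
    print(assess_1644(SAMPLE_1644))
```

Requiring both the filter leaves and the search base keeps ordinary thumbnailPhoto lookups (for example, address-book clients searching user objects) from matching; the `client` field in the result is what an analyst would pivot on next.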

3.2. EncryptedPfx & Provider acquisition
Acquisition technique
https://github.com/mandiant/ADFSDump/blob/master/ADFSDump/ReadDB.cs
https://github.com/mandiant/ADFSDump/blob/master/ADFSDump/RelyingPartyTrust.cs
The ReadConfigurationDb() function checks the current OS version and connects to the AD FS configuration database. It reads the AD FS configuration through the Windows Internal Database (WID) or a specific SQL Server instance (MICROSOFT##WID). It queries the encrypted PFX (certificate key) from the ServiceSettingsData table and prints it. It queries the AD FS Relying Party Trust configuration from the Scopes table and collects the associated policies. Finally, it analyses the authentication and authorization policies by PolicyType and prints them.
Logging - SQL query execution
[AD FS] Event ID 33205 (SQL Query)
SELECT PropertyName, PropertyValue FROM [IdentityServerPolicy].[SyncProperties]
additional_information:<tsql_stack><frame nest_level = '1' database_name = 'AdfsConfigurationV4' schema_name = 'IdentityServerPolicy' object_name = 'GetSyncProperties'/></tsql_stack>
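As an added example (not code from this page or from ADFSDump), the Python below parses a SQL Server Audit (Event ID 33205) message, extracts the objects the statement touches and the frames in its tsql_stack, and flags reads of the configuration tables named in this section. The two sample messages are constructed; their key:value line layout is assumed, while the statement and tsql_stack shapes follow the record quoted above. The rule that treats a read without a stored-procedure frame as suspicious is an assumption of this example, not something the page states: the AD FS service account reads the same tables, so the table name alone is not a signal.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Objects in the IdentityServerPolicy schema that this section names as ADFSDump's targets.
SENSITIVE_OBJECTS = {"servicesettingsdata", "scopes", "syncproperties"}

# Constructed SQL Server Audit (Event ID 33205) message, not a real record: an ad hoc
# SELECT against the settings table, with only an unnamed nest_level 0 frame.
SAMPLE_ADHOC = r"""event_time:2024-05-01 09:15:30.1234567
action_id:SL
succeeded:true
session_id:63
server_principal_name:EXAMPLE\jdoe
database_name:AdfsConfigurationV4
schema_name:IdentityServerPolicy
object_name:ServiceSettingsData
statement:SELECT ServiceSettingsData FROM [IdentityServerPolicy].[ServiceSettingsData]
additional_information:<tsql_stack><frame nest_level = '0' database_name = 'AdfsConfigurationV4' schema_name = '' object_name = ''/></tsql_stack>
"""

# Constructed counterpart: the SyncProperties read issued from inside the stored
# procedure shown on the page (GetSyncProperties), as the service itself would do.
SAMPLE_SERVICE = r"""event_time:2024-05-01 09:16:02.0000000
action_id:SL
succeeded:true
session_id:51
server_principal_name:EXAMPLE\svc-adfs
database_name:AdfsConfigurationV4
schema_name:IdentityServerPolicy
object_name:SyncProperties
statement:SELECT PropertyName, PropertyValue FROM [IdentityServerPolicy].[SyncProperties]
additional_information:<tsql_stack><frame nest_level = '1' database_name = 'AdfsConfigurationV4' schema_name = 'IdentityServerPolicy' object_name = 'GetSyncProperties'/></tsql_stack>
"""

# Object name after FROM/JOIN/UPDATE/INTO, with optional [brackets] and schema prefix.
OBJECT_REF = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+(?:\[?\w+\]?\.)?\[?(\w+)\]?", re.I)


def parse_33205(message: str) -> Dict[str, str]:
    """Split key:value lines into a dict; only the first ':' separates key from value,
    so timestamps and the XML in additional_information keep their own colons."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def tsql_frames(additional_information: str) -> List[Dict[str, str]]:
    """Attributes of each <frame> in a <tsql_stack> fragment ([] if absent or not XML)."""
    if not additional_information:
        return []
    try:
        root = ET.fromstring(additional_information)
    except ET.ParseError:
        return []
    return [dict(frame.attrib) for frame in root.iter("frame")]


def referenced_objects(statement: str) -> List[str]:
    """Lower-cased object names the statement reads or writes, brackets and schema stripped."""
    return [m.group(1).lower() for m in OBJECT_REF.finditer(statement)]


def assess_33205(message: str) -> Dict[str, object]:
    """Flag direct reads of the AD FS configuration tables.

    Heuristic (an assumption of this example): the service reaches these tables
    through its stored procedures, which leave a frame with an object_name
    (GetSyncProperties on the page); a tool issuing its own SELECT leaves only an
    unnamed nest_level 0 frame.
    """
    f = parse_33205(message)
    hits = sorted(set(referenced_objects(f.get("statement", ""))) & SENSITIVE_OBJECTS)
    frames = tsql_frames(f.get("additional_information", ""))
    via_proc = any(frame.get("object_name") for frame in frames)
    return {
        "principal": f.get("server_principal_name", ""),
        "sensitive_objects": hits,
        "via_stored_procedure": via_proc,
        "suspicious": bool(hits) and not via_proc,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_ADHOC, SAMPLE_SERVICE):
        print(assess_33205(sample))
```

The `principal` field is returned alongside the verdict so that a hit can be checked against the AD FS service account; a direct read of these tables by any other login is the case worth escalating.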
