public static async IAsyncEnumerable <TypedPrincipal> GetContainerChildObjects(SearchResultEntry entry)
{
var filter = new LDAPFilter().AddComputers().AddUsers().AddGroups().AddOUs().AddContainers();
foreach (var childEntry in LDAPUtils.QueryLDAP(filter.GetFilter(), SearchScope.OneLevel,
CommonProperties.ObjectID, Helpers.DistinguishedNameToDomain(entry.DistinguishedName), adsPath: entry.DistinguishedName))
{
var dn = childEntry.DistinguishedName.ToUpper();
if (dn.Contains("CN=SYSTEM") || dn.Contains("CN=POLICIES") || dn.Contains("CN=PROGRAM DATA"))
{
continue;
}
var id = childEntry.GetObjectIdentifier();
if (id == null)
{
continue;
}
var res = LDAPUtils.ResolveIDAndType(id, Helpers.DistinguishedNameToDomain(childEntry.DistinguishedName));
if (res == null)
{
continue;
}
yield return(res);
}
}
/// <summary>
/// Finds all immediate child objects of a container.
/// </summary>
/// <param name="distinguishedName"></param>
/// <param name="containerName"></param>
/// <returns></returns>
public IEnumerable <TypedPrincipal> GetContainerChildObjects(string distinguishedName, string containerName = "")
{
var filter = new LDAPFilter().AddComputers().AddUsers().AddGroups().AddOUs().AddContainers();
foreach (var childEntry in _utils.QueryLDAP(filter.GetFilter(), SearchScope.OneLevel,
CommonProperties.ObjectID, Helpers.DistinguishedNameToDomain(distinguishedName),
adsPath: distinguishedName))
{
var dn = childEntry.DistinguishedName;
if (IsDistinguishedNameFiltered(dn))
{
_log.LogTrace("Skipping filtered child {Child} for {Container}", dn, containerName);
continue;
}
var id = childEntry.GetObjectIdentifier();
if (id == null)
{
_log.LogTrace("Got null ID for {ChildDN} under {Container}", childEntry.DistinguishedName,
containerName);
continue;
}
var res = _utils.ResolveIDAndType(id, Helpers.DistinguishedNameToDomain(dn));
if (res == null)
{
_log.LogTrace("Failed to resolve principal for {ID}", id);
continue;
}
yield return(res);
}
}
/// <summary>
/// Finds stealth targets using ldap properties.
/// </summary>
/// <returns></returns>
private async Task <Dictionary <string, ISearchResultEntry> > FindPathTargetSids()
{
var paths = new ConcurrentDictionary <string, byte>();
var sids = new Dictionary <string, ISearchResultEntry>();
var query = new LDAPFilter();
query.AddComputers("(|(homedirectory=*)(scriptpath=*)(profilepath=*))");
foreach (var domain in Context.Domains)
{
//Request user objects with the "homedirectory", "scriptpath", or "profilepath" attributes
Parallel.ForEach(Context.LDAPUtils.QueryLDAP(
query.GetFilter(),
SearchScope.Subtree,
new[] { "homedirectory", "scriptpath", "profilepath" }, domain), searchResult =>
{
//Grab any properties that exist, filter out null values
var poss = new[]
{
searchResult.GetProperty("homedirectory"), searchResult.GetProperty("scriptpath"),
searchResult.GetProperty("profilepath")
}.Where(s => s != null);
// Loop over each possibility, and grab the hostname from the path, adding it to a list
foreach (var s in poss)
{
var split = s.Split('\\');
if (!(split.Length >= 3))
{
continue;
}
var path = split[2];
paths.TryAdd(path, new byte());
}
});
}
// Loop over the paths we grabbed, and resolve them to sids.
foreach (var path in paths.Keys)
{
var sid = await Context.LDAPUtils.ResolveHostToSid(path, Context.DomainName);
if (sid != null && sid.StartsWith("S-1-5"))
{
var searchResult = Context.LDAPUtils.QueryLDAP(CommonFilters.SpecificSID(sid),
SearchScope.Subtree, _props.ToArray());
sids.Add(sid, searchResult.FirstOrDefault());
}
}
//Return all the sids corresponding to objects
return(sids);
}
public void LDAPFilter_GroupFilter_ExtraFilter_FilterCorrect()
{
var test = new LDAPFilter();
test.AddGroups("objectclass=*");
var filter = test.GetFilter();
_testOutputHelper.WriteLine(filter);
Assert.Equal(
"(&(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913))(objectclass=*))",
filter);
}
/// <summary>
/// Produces stealth LDAP targets
/// </summary>
/// <returns></returns>
public override async Task Produce()
{
var cancellationToken = Context.CancellationTokenSource.Token;
//If we haven't generated our stealth targets, we'll build it now
if (!_stealthTargetsBuilt)
{
BuildStealthTargets();
}
//OutputTasks.StartOutputTimer(context);
//Output our stealth targets to the queue
foreach (var searchResult in Context.LDAPUtils.QueryLDAP(_query.GetFilter(), SearchScope.Subtree,
_props.ToArray(), cancellationToken,
Context.DomainName, adsPath: Context.SearchBase))
{
await Channel.Writer.WriteAsync(searchResult, cancellationToken);
}
}