public void GetWellKnownPrincipal_PassingTestSid__ReturnsValidTypedPrincipal()
{
TypedPrincipal typedPrincipal;
bool result = WellKnownPrincipal.GetWellKnownPrincipal("S-1-0-0", out typedPrincipal);
Assert.True(result);
Assert.Equal(Label.User, typedPrincipal.ObjectType);
}
public void GetKnownPrincipal_PassingKnownIds_MatchesNameAndLabel()
{
foreach (var p in GetWellKnownPrincipals())
{
var result = WellKnownPrincipal.GetWellKnownPrincipal(p.sid, out var typedPrincipal);
Assert.True(result);
Assert.Equal(p.label, typedPrincipal.ObjectType);
}
}
/// <summary>
/// Determines whether this is a wellknown group of <paramref name="wellKnown"/> type.
/// </summary>
/// <param name="wellKnown">Type of wellknown pricipal to check.</param>
/// <returns><c>true</c> if the group is of questioned wellknown type.</returns>
public override bool IsWellKnownPrincipal(WellKnownPrincipal wellKnown)
{
switch (wellKnown)
{
case WellKnownPrincipal.All:
return(groupPrincipal.Sid.IsWellKnown(WellKnownSidType.WorldSid));
case WellKnownPrincipal.Authenticated:
return(groupPrincipal.Sid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid));
}
return(false);
}
/// <summary>
/// Extension method to determine the BloodHound type of a SearchResultEntry using LDAP properties
/// Requires ldap properties objectsid, samaccounttype, objectclass
/// </summary>
/// <param name="entry"></param>
/// <returns></returns>
public static Label GetLabel(this SearchResultEntry entry)
{
//Test if we have the msds-groupmsamembership property first. We want to override this as a user object
if (entry.GetPropertyAsBytes("msds-groupmsamembership") != null)
{
return(Label.User);
}
var objectId = entry.GetObjectIdentifier();
if (objectId.StartsWith("S-1") && WellKnownPrincipal.GetWellKnownPrincipal(objectId, out var commonPrincipal))
{
return(commonPrincipal.ObjectType);
}
var objectType = Label.Unknown;
var samAccountType = entry.GetProperty("samaccounttype");
//Its not a common principal. Lets use properties to figure out what it actually is
if (samAccountType != null)
{
objectType = Helpers.SamAccountTypeToType(samAccountType);
}
else
{
var objectClasses = entry.GetPropertyAsArray("objectClass");
if (objectClasses == null)
{
objectType = Label.Unknown;
}
else if (objectClasses.Contains("groupPolicyContainer"))
{
objectType = Label.GPO;
}
else if (objectClasses.Contains("organizationalUnit"))
{
objectType = Label.OU;
}
else if (objectClasses.Contains("domain"))
{
objectType = Label.Domain;
}
else if (objectClasses.Contains("container"))
{
objectType = Label.Container;
}
}
return(objectType);
}
/// <summary>
/// Checks whether this user is of well-known type.
/// </summary>
/// <param name="wellknownPrincipal">Type to check.</param>
/// <returns><c>true</c> if the user is of specified well-known type.</returns>
public bool IsWellKnownPrincipal(WellKnownPrincipal wellknownPrincipal)
{
return((wellknownPrincipal == WellKnownPrincipal.Unauthenticated) && (Name == "Anonymous"));
}
public Task <IPrincipalAsync> ResolveWellKnownPrincipalAsync(WellKnownPrincipal wellKnownPrincipal)
{
throw new NotImplementedException();
}
public abstract bool IsWellKnownPrincipal(WellKnownPrincipal wellknownPrincipal);
internal LocalGroupResult GetGroupMembers(LocalGroupRids rid)
{
var result = new LocalGroupResult();
var status = SamOpenAlias(_domainHandle, AliasOpenFlags.ListMembers, (int)rid, out var aliasHandle);
if (status != NativeMethods.NtStatus.StatusSuccess)
{
SamCloseHandle(aliasHandle);
result.FailureReason = $"SamOpenAlias returned {status.ToString()}";
return(result);
}
status = SamGetMembersInAlias(aliasHandle, out var members, out var count);
SamCloseHandle(aliasHandle);
if (status != NativeMethods.NtStatus.StatusSuccess)
{
SamFreeMemory(members);
result.FailureReason = $"SamGetMembersInAlias returned {status.ToString()}";
return(result);
}
Logging.Debug($"API call returned count of {count} ");
if (count == 0)
{
SamFreeMemory(members);
result.Collected = true;
return(result);
}
var sids = new List <string>();
for (var i = 0; i < count; i++)
{
try
{
var intptr = Marshal.ReadIntPtr(members, Marshal.SizeOf(typeof(IntPtr)) * i);
var sid = new SecurityIdentifier(intptr).Value;
sids.Add(sid);
}
catch (Exception e)
{
Logging.Debug($"Exception converting sid: {e}");
}
}
SamFreeMemory(members);
var machineSid = GetMachineSid();
Logging.Debug($"Resolved machine sid to {machineSid}");
var converted = sids.Select(x =>
{
Logging.Debug(x);
//Filter out machine accounts, service accounts, iis app pool accounts, window manager, font driver
if (x.StartsWith(machineSid) || x.StartsWith("S-1-5-80") || x.StartsWith("S-1-5-82") || x.StartsWith("S-1-5-90") || x.StartsWith("S-1-5-96"))
{
return(null);
}
if (_filteredSids.Contains(x))
{
return(null);
}
x = WellKnownPrincipal.TryConvert(x, _computerDomain);
return(x.StartsWith("S-1-5-21") ? x : null);
}).Where(x => x != null);
result.Collected = true;
result.Members = converted.ToArray();
return(result);
}
/// <summary>
/// Retrieves user or group which correspond to a well known principal
/// (defined in <see cref="WellKnownPrincipal"/>.)
/// </summary>
/// <param name="wellKnownPrincipal">Well known principal type.</param>
/// <returns>Instance of corresponding user/group or <c>null</c> if corresponding user/group
/// is not supported.</returns>
public async Task <IPrincipalAsync> ResolveWellKnownPrincipalAsync(WellKnownPrincipal wellKnownPrincipal)
{
return(null);
}
/// <summary>
/// Checks whether this user is of well-known type.
/// </summary>
/// <param name="wellknownPrincipal">Type to check.</param>
/// <returns><c>true</c> if the user is of specified well-known type.</returns>
public override bool IsWellKnownPrincipal(WellKnownPrincipal wellknownPrincipal)
{
return(wellknownPrincipal == WellKnownPrincipal.Unauthenticated &&
Context.AnonymousUser != null &&
Sid.Value == Context.AnonymousUser.User.Value);
}
