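public static JObject AssessServiceGenSetting(JToken svcGenSettings)
{
    // Assesses a set of service general settings. Each entry is keyed by service name and
    // holds a two-element array: [startup type, SDDL of the service's security descriptor].
    //
    // With GlobalVar.OnlineChecks the SDDL is parsed and the owner, the group and any ACE
    // granted to a low-privilege ("interesting") trustee are kept; the entry is emitted when
    // its interest level reaches GlobalVar.IntLevelToShow (the original set the level but
    // never checked it in this mode, unlike AssessRegKeys). Without online checks the raw
    // SDDL and startup type are emitted for every service at the default interest level.
    //
    // Returns null when no entry qualifies (callers test for null). Output shapes are the
    // ones the original produced: online entries are keyed by running index and carry
    // "Service", "Owner"/"Group" when present, the kept ACEs and "Startup Type"; offline
    // entries are keyed by service name and carry "SDDL" and "Startup Type".
    JObject svcGenSettingsJObject = (JObject)svcGenSettings;
    JObject assessedSvcGenSettings = new JObject();

    // Low-privilege trustees (domain/builtin users and guests, Everyone, Interactive,
    // Authenticated/Anonymous users, domain computers), both as SDDL aliases and as the SID
    // suffixes those aliases resolve to. Well-known admin/system trustees simply never match.
    string[] interestingSidEndings =
    {
        "DU", "WD", "IU", "BU", "AN", "AU", "BG", "DC", "DG", "LG",
        "-513", "-514", "-515", "-501", "-545", "-546", "-1-0", "-5-4", "-5-7", "-5-11"
    };

    int inc = 0;
    foreach (KeyValuePair<string, JToken> svcGenSetting in svcGenSettingsJObject)
    {
        inc++;
        int interestLevel = 3;
        string serviceName = svcGenSetting.Key.Trim('"', '\\');

        JArray svcSettings = svcGenSetting.Value as JArray;
        if (svcSettings == null || svcSettings.Count < 2)
        {
            // A malformed entry used to throw (bad cast / out-of-range index) and abort the
            // whole assessment; skip just this entry instead.
            if (GlobalVar.DebugMode)
            {
                Utility.DebugWrite("Skipping malformed service setting entry: " + serviceName);
            }
            continue;
        }

        string startupType = svcSettings[0].ToString().Trim('"', '\\');
        string sddl = svcSettings[1].ToString().Trim('"', '\\');

        // Startup type codes as written in the policy; anything else stays "".
        string startupString = "";
        switch (startupType)
        {
            case "2": startupString = "Automatic"; break;
            case "3": startupString = "Manual"; break;
            case "4": startupString = "Disabled"; break;
        }

        if (!GlobalVar.OnlineChecks)
        {
            if (interestLevel >= GlobalVar.IntLevelToShow)
            {
                // Indexer assignment rather than Add: a repeated service name no longer throws.
                assessedSvcGenSettings[serviceName] = new JObject(
                    new JProperty("SDDL", sddl),
                    new JProperty("Startup Type", startupString));
            }
            continue;
        }

        JObject parsedSddl = ParseSDDL.ParseSddlString(sddl, SecurableObjectType.WindowsService);
        JObject assessedSddl = new JObject();

        // An explicit owner or group on a service descriptor is unusual enough to report.
        if (parsedSddl["Owner"] != null)
        {
            assessedSddl.Add("Owner", parsedSddl["Owner"].ToString());
            interestLevel = 4;
        }
        if (parsedSddl["Group"] != null)
        {
            assessedSddl.Add("Group", parsedSddl["Group"].ToString());
            interestLevel = 4;
        }

        JToken dacl = parsedSddl["DACL"];
        if (dacl != null)
        {
            foreach (JProperty ace in dacl.Children())
            {
                JToken sidToken = ace.Value["SID"];
                string trusteeSid = sidToken == null ? "" : sidToken.ToString();
                bool interestingUserPresent = interestingSidEndings.Any(
                    ending => trusteeSid.EndsWith(ending, StringComparison.Ordinal));

                // Only the trustee is assessed here; the rights granted are not inspected.
                int aceInterestLevel = interestingUserPresent ? 10 : 0;
                if (aceInterestLevel >= GlobalVar.IntLevelToShow)
                {
                    // Kept flat next to Owner/Group, as the original did (its "DACL" sub-object
                    // was never populated).
                    assessedSddl.Add(ace);
                    if (aceInterestLevel > interestLevel)
                    {
                        interestLevel = aceInterestLevel;
                    }
                }
            }
        }

        if (assessedSddl.HasValues && interestLevel >= GlobalVar.IntLevelToShow)
        {
            assessedSddl.AddFirst(new JProperty("Service", serviceName));
            assessedSddl.Add("Startup Type", startupString);
            assessedSvcGenSettings.Add(inc.ToString(), assessedSddl);
        }
    }

    if (assessedSvcGenSettings.Count <= 0)
    {
        return null;
    }
    return assessedSvcGenSettings;
}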
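public static JObject AssessRegKeys(JToken regKeys)
{
    // These are actually ACLs being set on reg keys using SDDL. Each entry is keyed by the
    // registry key path and holds a two-element array: [inheritance flag, SDDL].
    // The inheritance flag means:
    //   2 = replace existing permissions on all subkeys with inheritable permissions
    //   1 = do not allow permissions on this key to be replaced
    //   0 = propagate inheritable permissions to all subkeys
    //
    // With GlobalVar.OnlineChecks the SDDL is parsed and the owner, the group and any ACE
    // granted to a low-privilege ("interesting") trustee are kept; the entry is emitted when
    // its interest level reaches GlobalVar.IntLevelToShow. Without online checks the raw
    // SDDL is reported instead (the original emitted nothing at all in that mode, unlike
    // AssessServiceGenSetting).
    //
    // Returns null when no entry qualifies (callers test for null), otherwise a JObject keyed
    // by running index whose values carry "RegKey", "Inheritance" and either the parsed
    // Owner/Group/ACEs (online) or "SDDL" (offline).
    JObject regKeysJObject = (JObject)regKeys;
    JObject assessedRegKeys = new JObject();

    // Low-privilege trustees (domain/builtin users and guests, Everyone, Interactive,
    // Authenticated/Anonymous users, domain computers), both as SDDL aliases and as the SID
    // suffixes those aliases resolve to. Well-known admin/system trustees simply never match.
    string[] interestingSidEndings =
    {
        "DU", "WD", "IU", "BU", "AN", "AU", "BG", "DC", "DG", "LG",
        "-513", "-514", "-515", "-501", "-545", "-546", "-1-0", "-5-4", "-5-7", "-5-11"
    };

    int inc = 0;
    foreach (KeyValuePair<string, JToken> regKey in regKeysJObject)
    {
        inc++;
        int interestLevel = 1;
        string keyPath = regKey.Key.Trim('"');

        JArray keyValues = regKey.Value as JArray;
        if (keyValues == null || keyValues.Count < 2)
        {
            // A malformed entry used to throw (bad cast / out-of-range index) and abort the
            // whole assessment; skip just this entry instead.
            if (GlobalVar.DebugMode)
            {
                Utility.DebugWrite("Skipping malformed registry key entry: " + keyPath);
            }
            continue;
        }

        string inheritance = keyValues[0].ToString().Trim('"');
        string sddl = keyValues[1].ToString().Trim('"');

        // Turn the inheritance number into a readable string; anything else stays "".
        string inheritanceString = "";
        switch (inheritance)
        {
            case "0": inheritanceString = "Propagate inheritable permissions to all subkeys."; break;
            case "1": inheritanceString = "Do not allow permissions on this key to be replaced."; break;
            case "2": inheritanceString = "Replace existing permissions on all subkeys with inheritable permissions."; break;
        }

        if (!GlobalVar.OnlineChecks)
        {
            if (interestLevel >= GlobalVar.IntLevelToShow)
            {
                assessedRegKeys.Add(inc.ToString(), new JObject(
                    new JProperty("RegKey", keyPath),
                    new JProperty("SDDL", sddl),
                    new JProperty("Inheritance", inheritanceString)));
            }
            continue;
        }

        // NOTE(review): the descriptor of a registry key is parsed with the WindowsService
        // object type, as in the original, so access-right names may be labelled with service
        // rights rather than KEY_* rights — confirm whether ParseSDDL has a registry-key type.
        JObject parsedSddl = ParseSDDL.ParseSddlString(sddl, SecurableObjectType.WindowsService);
        JObject assessedSddl = new JObject();

        // An explicit owner or group on the descriptor is unusual enough to report.
        if (parsedSddl["Owner"] != null)
        {
            assessedSddl.Add("Owner", parsedSddl["Owner"].ToString());
            interestLevel = 4;
        }
        if (parsedSddl["Group"] != null)
        {
            assessedSddl.Add("Group", parsedSddl["Group"].ToString());
            interestLevel = 4;
        }

        JToken dacl = parsedSddl["DACL"];
        if (dacl != null)
        {
            foreach (JProperty ace in dacl.Children())
            {
                JToken sidToken = ace.Value["SID"];
                string trusteeSid = sidToken == null ? "" : sidToken.ToString();
                bool interestingUserPresent = interestingSidEndings.Any(
                    ending => trusteeSid.EndsWith(ending, StringComparison.Ordinal));

                // Only the trustee is assessed here; the rights granted are not inspected.
                int aceInterestLevel = interestingUserPresent ? 10 : 0;
                if (aceInterestLevel >= GlobalVar.IntLevelToShow)
                {
                    // Kept flat next to Owner/Group, as the original did (its "DACL" sub-object
                    // was never populated).
                    assessedSddl.Add(ace);
                    if (aceInterestLevel > interestLevel)
                    {
                        interestLevel = aceInterestLevel;
                    }
                }
            }
        }

        if (assessedSddl.HasValues && interestLevel >= GlobalVar.IntLevelToShow)
        {
            assessedSddl.AddFirst(new JProperty("RegKey", keyPath));
            assessedSddl.Add("Inheritance", inheritanceString);
            assessedRegKeys.Add(inc.ToString(), assessedSddl);
        }
    }

    if (assessedRegKeys.Count <= 0)
    {
        return null;
    }
    return assessedRegKeys;
}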
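public static JObject GetDomainGpos()
{
    // Enumerates every groupPolicyContainer reachable through the global catalog and returns
    // a JObject keyed by GPO GUID (the "name" attribute). Each value carries the display name,
    // DN, creation time and enabled status, plus an "ACLs" object (owner, group and the ACEs
    // that clear GlobalVar.IntLevelToShow) whenever that object is non-empty.
    //
    // When GlobalVar.UserDefinedDomainDn is set the bind uses GlobalVar.UserDefinedDomain and
    // the user-supplied credentials; otherwise the current security context is used.
    //
    // Failure handling is unchanged from the original: any exception is written through
    // Utility.DebugWrite, the process waits for a key press and exits with code 1, so callers
    // never observe an exception (the trailing return null only satisfies the compiler).
    //
    // The original also queried the Extended-Rights container to build a rightsGUID -> name
    // dictionary, but nothing consumed it; that round trip has been dropped.
    try
    {
        bool useUserCreds = GlobalVar.UserDefinedDomainDn != null;
        // NOTE(review): the guard tests UserDefinedDomainDn while the bind path uses
        // UserDefinedDomain, exactly as before — confirm both are always set together.
        string rootDsePath = useUserCreds
            ? "LDAP://" + GlobalVar.UserDefinedDomain + "/rootDSE"
            : "LDAP://rootDSE";

        JObject gposData = new JObject();

        // DirectoryEntry, DirectorySearcher and SearchResultCollection wrap unmanaged handles;
        // the original never disposed any of them, and SearchResultCollection in particular
        // does not release its resources on garbage collection alone.
        using (DirectoryEntry rootDse = BindGpoDirectoryEntry(rootDsePath, useUserCreds))
        using (DirectoryEntry root = BindGpoDirectoryEntry("GC://" + rootDse.Properties["defaultNamingContext"].Value, useUserCreds))
        using (DirectorySearcher gpoSearcher = new DirectorySearcher(root)
        {
            Filter = "(objectClass=groupPolicyContainer)",
            SecurityMasks = SecurityMasks.Dacl | SecurityMasks.Owner
        })
        using (SearchResultCollection gpoSearchResults = gpoSearcher.FindAll())
        {
            foreach (SearchResult gpoSearchResult in gpoSearchResults)
            {
                using (DirectoryEntry gpoDe = gpoSearchResult.GetDirectoryEntry())
                {
                    JObject gpoData = new JObject();
                    gpoData.Add("Display Name", GpoPropertyAsString(gpoDe, "displayName"));
                    string gpoUid = GpoPropertyAsString(gpoDe, "name");
                    gpoData.Add("UID", gpoUid);
                    gpoData.Add("Distinguished Name", GpoPropertyAsString(gpoDe, "distinguishedName"));
                    gpoData.Add("Created", GpoPropertyAsString(gpoDe, "whenCreated"));
                    gpoData.Add("GPO Status", DescribeGpoFlags(GpoPropertyAsString(gpoDe, "flags")));

                    JObject gpoAclJObject = AssessGpoAcl(gpoDe.ObjectSecurity);
                    if (gpoAclJObject.HasValues)
                    {
                        gpoData.Add("ACLs", gpoAclJObject);
                    }

                    gposData.Add(gpoUid, gpoData);
                }
            }
        }

        return gposData;
    }
    catch (Exception exception)
    {
        Utility.DebugWrite(exception.ToString());
        Console.ReadKey();
        Environment.Exit(1);
    }
    return null;
}

// Binds a DirectoryEntry at path, with the user-supplied credentials when useUserCreds is set.
private static DirectoryEntry BindGpoDirectoryEntry(string path, bool useUserCreds)
{
    if (useUserCreds)
    {
        return new DirectoryEntry(path, GlobalVar.UserDefinedUsername, GlobalVar.UserDefinedPassword);
    }
    return new DirectoryEntry(path);
}

// Reads a single-valued attribute as text; "" when the attribute is absent (the original
// threw on a missing attribute and thereby aborted the whole enumeration).
private static string GpoPropertyAsString(DirectoryEntry entry, string attributeName)
{
    object value = entry.Properties[attributeName].Value;
    return value == null ? "" : value.ToString();
}

// Maps the GPO "flags" attribute to a status label:
// 0 = all enabled, 1 = user policy disabled, 2 = computer policy disabled, 3 = all disabled.
private static string DescribeGpoFlags(string gpoFlags)
{
    switch (gpoFlags)
    {
        case "0": return "Enabled";
        case "1": return "User Policy Disabled";
        case "2": return "Computer Policy Disabled";
        case "3": return "Disabled";
        default: return "Couldn't process GPO Enabled Status. Weird.";
    }
}

// Parses the GPO's security descriptor and keeps the owner, the group and every ACE whose
// interest level reaches GlobalVar.IntLevelToShow. An ACE scores 10 when a low-privilege
// trustee holds a right that can change the GPO or its ACL, 0 when the trustee is a
// well-known admin/system principal, and 1 otherwise.
private static JObject AssessGpoAcl(ActiveDirectorySecurity gpoAcl)
{
    JObject gpoAclJObject = new JObject();
    string sddlString = gpoAcl.GetSecurityDescriptorSddlForm(AccessControlSections.All);
    JObject parsedSDDL = ParseSDDL.ParseSddlString(sddlString, SecurableObjectType.DirectoryServiceObject);

    // Rights that let a trustee alter the GPO or its ACL rather than merely read it.
    string[] interestingRights =
    {
        "WRITE_OWNER", "CREATE_CHILD", "WRITE_PROPERTY", "WRITE_DAC", "SELF_WRITE", "CONTROL_ACCESS"
    };
    // Trustees expected to hold such rights on a GPO (system, admins, creator owner,
    // enterprise DCs, ...); their ACEs drop to level 0 unless also flagged as interesting.
    string[] boringSidEndings =
    {
        "-3-0", "-5-9", "5-18", "-512", "-519", "SY", "BA", "DA", "CO", "ED", "PA", "CG", "DD", "EA", "LA"
    };
    // Low-privilege trustees (domain/builtin users and guests, Everyone, Interactive,
    // Authenticated/Anonymous users, domain computers), both as SDDL aliases and as the SID
    // suffixes those aliases resolve to.
    string[] interestingSidEndings =
    {
        "DU", "WD", "IU", "BU", "AN", "AU", "BG", "DC", "DG", "LG",
        "-513", "-514", "-515", "-501", "-545", "-546", "-1-0", "-5-4", "-5-7", "-5-11"
    };

    foreach (KeyValuePair<string, JToken> entry in parsedSDDL)
    {
        if (entry.Key == "Owner")
        {
            gpoAclJObject.Add("Owner", entry.Value.ToString());
            continue;
        }
        if (entry.Key == "Group")
        {
            gpoAclJObject.Add("Group", entry.Value);
            continue;
        }
        if (entry.Key != "DACL")
        {
            continue;
        }

        foreach (JProperty ace in entry.Value.Children())
        {
            JToken rightsToken = ace.Value["Rights"];
            bool interestingRightPresent = interestingRights.Any(right => AceRightsContain(rightsToken, right));

            JToken sidToken = ace.Value["SID"];
            string trusteeSid = sidToken == null ? "" : sidToken.ToString();
            bool boringUserPresent = boringSidEndings.Any(
                ending => trusteeSid.EndsWith(ending, StringComparison.Ordinal));
            bool interestingUserPresent = interestingSidEndings.Any(
                ending => trusteeSid.EndsWith(ending, StringComparison.Ordinal));

            int aceInterestLevel = 1;
            if (interestingUserPresent && interestingRightPresent)
            {
                aceInterestLevel = 10;
            }
            else if (boringUserPresent)
            {
                aceInterestLevel = 0;
            }

            if (aceInterestLevel >= GlobalVar.IntLevelToShow)
            {
                // pass the whole thing on
                gpoAclJObject.Add(ace);
            }
        }
    }

    return gpoAclJObject;
}

// True when the ACE's "Rights" token names the given right. The original called
// rightsToken.Contains(right); JToken has no string Contains, so that bound to the LINQ
// Contains over child tokens (string converted to a fresh JValue) and appears never to have
// matched. Compare the token text instead: exact match per element when the token is an
// array, substring match when it is a single string.
private static bool AceRightsContain(JToken rightsToken, string right)
{
    if (rightsToken == null)
    {
        return false;
    }
    JArray rightsArray = rightsToken as JArray;
    if (rightsArray != null)
    {
        foreach (JToken element in rightsArray)
        {
            if (string.Equals(element.ToString(), right, StringComparison.Ordinal))
            {
                return true;
            }
        }
        return false;
    }
    return rightsToken.ToString().IndexOf(right, StringComparison.Ordinal) >= 0;
}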