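        /// <summary>
        /// Collects and prints DACL information. Without a <paramref name="targetDn"/> the
        /// domain-wide sweep runs (domain object, every GPO, LAPS password readers); with one,
        /// only the DACL of that single object is shown.
        /// </summary>
        /// <param name="targetDn">Distinguished name of one object to inspect, or null for the
        /// domain-wide sweep. An empty string is passed through to the single-object path.</param>
        public void GetACL(string targetDn = null)
        {
            IDisplay   displayer = new DisplayDACL();
            DACLResult result    = new DACLResult();

            if (targetDn == null)
            {
                // The domain object is the root DN of the connected domain.
                displayer.DisplayTitle("Interesting ACL on the Domain Object");
                var domainAcl = DACL.GetInterestingACLOnObject(Searcher.LdapInfo.RootDN);
                result.Result = new List<DACL> { domainAcl };
                displayer.DisplayResult(result);

                // Every GPO, collected concurrently. .Result blocks the calling thread; this
                // is a synchronous entry point, presumably running without a synchronization
                // context (console), so no deadlock is expected — confirm if ever hosted elsewhere.
                displayer.DisplayTitle("Interesting ACL on Group Policy Objects");
                var gposDN = GPO.GetAllGPODNList();
                result.Result = AsyncCollection.GetInterestingACLAsync(gposDN).Result;
                displayer.DisplayResult(result);

                displayer.DisplayTitle("LAPS Password View Access");
                result.Result = DACL.GetLAPSACL();
                displayer.DisplayResult(result);
            }
            else
            {
                // A DN is an identifier, not prose: upper-case it culture-invariantly so the
                // heading does not depend on the process locale (e.g. Turkish 'i').
                displayer.DisplayTitle($"DACL on {targetDn.ToUpperInvariant()}");
                result.Result = new List<DACL> { DACL.GetACLOnObject(targetDn) };
                displayer.DisplayResult(result);
            }
        }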
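        /// <summary>
        /// Resolves the DACL of every object in <paramref name="targetDnList"/> concurrently,
        /// one thread-pool task per DN, and returns the results in input order.
        /// </summary>
        /// <param name="targetDnList">Distinguished names to query; must not be null.</param>
        /// <returns>One <see cref="DACL"/> per input DN, in the same order; an empty list for
        /// an empty input.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="targetDnList"/> is null.</exception>
        public static async Task<List<DACL>> GetACLAsync(List<string> targetDnList)
        {
            if (targetDnList is null)
            {
                throw new ArgumentNullException(nameof(targetDnList));
            }

            // ToList() starts every task up front; Task.WhenAll preserves input order
            // in its result array, so the output lines up with targetDnList.
            var tasks = targetDnList
                .Select(targetDn => Task.Run(() => DACL.GetACLOnObject(targetDn)))
                .ToList();

            var aclList = (await Task.WhenAll(tasks)).ToList();

            return aclList;
        }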
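        /// <summary>
        /// Decides whether the GPO at <paramref name="gpoDn"/> is withheld from the user by
        /// security filtering: the GPO applies only when one of the user's (nested) groups
        /// holds an Allow ACE for the Apply-Group-Policy extended right and none of them
        /// holds a Deny ACE for it.
        /// </summary>
        /// <param name="sAMAccountName">User whose nested group SIDs were previously collected
        /// into <see cref="CollectNestedGroupMembership.UserSIDNameDictionary"/>.</param>
        /// <param name="gpoDn">Distinguished name of the GPO to check.</param>
        /// <returns>true when the GPO does not apply to the user (also when the user's
        /// membership was never collected); false when it applies.</returns>
        public bool IsDeniedPolicy(string sAMAccountName, string gpoDn)
        {
            _logger.Debug($"Checking if ({gpoDn}) is denied by security filtering");

            var rules = DACL.GetAuthorizationRules(gpoDn, out _);

            // The membership lookup is loop-invariant, so resolve it once. A missing entry
            // means Collect() never ran for this user: log it and report the GPO as not
            // applying, which is what the previous per-rule catch also produced.
            // ToUpper() (not ToUpperInvariant) on purpose: the key must be built the same
            // way the dictionary is populated elsewhere in the project.
            if (!CollectNestedGroupMembership.UserSIDNameDictionary.TryGetValue(
                    sAMAccountName.ToUpper(), out var userNestedGSID))
            {
                _logger.Error($"No nested group membership collected for {sAMAccountName}");
                _logger.Debug($"({gpoDn}) is denied");
                return true;
            }

            // Security filtering is expressed as the Apply-Group-Policy extended right
            // (rightsGuid edacfd8f-ffb3-11d1-b41d-00a0c968f939) on the GPO's DACL.
            var applyGroupPolicy = new Guid("edacfd8f-ffb3-11d1-b41d-00a0c968f939");

            bool allowed = false;
            bool denied  = false;

            foreach (ActiveDirectoryAccessRule rule in rules)
            {
                // Enum/Guid comparison replaces the culture-sensitive ToLower()/ToUpper()
                // string matching; an ACE carrying additional rights does not match, as before.
                if (rule.ActiveDirectoryRights != ActiveDirectoryRights.ExtendedRight ||
                    rule.ObjectType != applyGroupPolicy)
                {
                    continue;
                }

                string groupSID = rule.IdentityReference.Translate(typeof(SecurityIdentifier)).ToString().ToUpper();

                if (!userNestedGSID.ContainsKey(groupSID))
                {
                    continue;
                }

                // An explicit Deny on any of the user's groups wins over an Allow; without
                // this check a Deny ACE would be reported as the GPO applying.
                if (rule.AccessControlType == AccessControlType.Deny)
                {
                    denied = true;
                }
                else
                {
                    allowed = true;
                }
            }

            bool isDenied = denied || !allowed;

            string deny = isDenied ? string.Empty : " not";

            _logger.Debug($"({gpoDn}) is{deny} denied");
            return isDenied;
        }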
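        /// <summary>
        /// Collects the nested group membership of <paramref name="user"/> and prints the
        /// interesting ACEs that grant that user, or any of its groups, rights in the directory.
        /// </summary>
        /// <param name="user">sAMAccountName of the user to scan for; null is a no-op.</param>
        public void InvokeACLScan(string user)
        {
            if (user == null)
            {
                return;
            }

            var displayer = new DisplayDACL();

            // An account name is an identifier, not prose: upper-case it culture-invariantly
            // so the heading does not depend on the process locale.
            displayer.DisplayTitle($"Interesting ACL for {user.ToUpperInvariant()}");

            var result = new DACLResult();

            // Populate the shared membership dictionary before reading from it below.
            var groups = new CollectNestedGroupMembership();
            groups.Collect(new NestedGMSearchString { SAMAccountName = user });

            // ToUpper() (not ToUpperInvariant) on purpose: the key must be built the same way
            // the dictionary is populated. The indexer throws KeyNotFoundException if Collect()
            // did not add an entry for this user.
            var groupSIDs = CollectNestedGroupMembership.UserSIDNameDictionary[user.ToUpper()].Keys.ToList();

            result.Result = DACL.ACLScan(user, groupSIDs);

            displayer.DisplayResult(result);
        }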