Example #1
0
        private List <LDAPPasswordPolicy> GetFineGrainedPolicies()
        {
            var policies     = new List <LDAPPasswordPolicy>();
            var policySearch = new DirectorySearcher(DirectoryEntry);

            policySearch.Filter = $"(objectclass=msDS-PasswordSettings)";
            policySearch.PropertiesToLoad.Add("name");
            policySearch.PropertiesToLoad.Add("msds-lockoutthreshold");
            policySearch.PropertiesToLoad.Add("msds-psoappliesto");
            policySearch.PropertiesToLoad.Add("msds-minimumpasswordlength");
            policySearch.PropertiesToLoad.Add("msds-passwordhistorylength");
            policySearch.PropertiesToLoad.Add("msds-lockoutobservationwindow");
            policySearch.PropertiesToLoad.Add("msds-lockoutduration");
            policySearch.PropertiesToLoad.Add("msds-minimumpasswordage");
            policySearch.PropertiesToLoad.Add("msds-maximumpasswordage");
            policySearch.PropertiesToLoad.Add("msds-passwordsettingsprecedence");
            policySearch.PropertiesToLoad.Add("msds-passwordcomplexityenabled");
            policySearch.PropertiesToLoad.Add("msds-passwordreversibleencryptionenabled");

            var pwdPolicies = policySearch.FindAll();

            foreach (SearchResult result in pwdPolicies)
            {
                var policy = new LDAPPasswordPolicy(result, true);
                policy.AppliesToUsers = GetPasswordPolicyUsers(policy);
                policies.Add(policy);
            }

            return(policies);
        }
Example #2
0
        private void DisplayPolicyDetails(LDAPPasswordPolicy policy)
        {
            var count = DisplayPolicyUsers(policy.Name, true);

            var lockoutDurationTs          = new TimeSpan(policy.LockoutDuration * -1);
            var lockoutObservationWindowTs = new TimeSpan(policy.LockoutObservationWindow * -1);
            var MinimumPasswordAgeTs       = new TimeSpan(policy.MinimumPasswordAge * -1);
            var MaximumPasswordAgeTs       = new TimeSpan(policy.MaximumPasswordAge * -1);

            _logger.Log($"-----------------------------------");
            _logger.Log($"Name: {policy.Name}");
            _logger.Log($"Order Precedence: {policy.PasswordPrecendence}");
            _logger.Log($"ADs Path: {policy.ADSPath}");
            _logger.Log($"Is Fine Grained? {policy.IsFineGrained}");
            if (policy.IsFineGrained)
            {
                _logger.Log($"Applied to: {policy.AppliesToUsers.Count} users");
            }
            _logger.Log($"Minimum Password Length: {policy.MinimumPasswordLength}");
            _logger.Log($"Lockout Threshold: {policy.LockoutThreshold}");
            _logger.Log($"Lockout Duration: {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", lockoutDurationTs)}");
            _logger.Log($"Lockout Observation Window: {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", lockoutObservationWindowTs)}");
            _logger.Log($"Minimum / Maximum Password Age: {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", MinimumPasswordAgeTs)} / {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", MaximumPasswordAgeTs)}");
            _logger.Log($"Password History Length: {policy.PasswordHistoryLength}");
            _logger.Log($"Applies to: {count} users");

            if (Config.SaveOutput)
            {
                var cleanPolicyName = Regex.Replace(policy.Name, "[^a-zA-Z0-9_.]+", "", RegexOptions.Compiled);
                var now             = DateTime.Now;
                var fileNameNow     = now.ToString("yyyyMddHHmm");
                var fileName        = $"policy_{cleanPolicyName}_{fileNameNow}.txt";
                var filePath        = Path.Combine(Config.OutputPath, fileName);

                var contents = string.Empty;
                var fileNow  = now.ToString("MM/dd/yyyy h:mm tt");

                contents += $"Date Captured: {fileNow}\n";
                contents += $"Name: {policy.Name}\n";
                contents += $"Order Precedence: {policy.PasswordPrecendence}\n";
                contents += $"ADs Path: {policy.ADSPath}\n";
                contents += $"Is Fine Grained? {policy.IsFineGrained}\n";
                if (policy.IsFineGrained)
                {
                    contents += $"Applied to: {policy.AppliesToUsers.Count} users\n";
                }
                contents += $"Minimum Password Length: {policy.MinimumPasswordLength}\n";
                contents += $"Lockout Threshold: {policy.LockoutThreshold}\n";
                contents += $"Lockout Duration: {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", lockoutDurationTs)}\n";
                contents += $"Lockout Observation Window: {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", lockoutObservationWindowTs)}\n";
                contents += $"Minimum / Maximum Password Age: {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", MinimumPasswordAgeTs)} / {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", MaximumPasswordAgeTs)}\n";
                contents += $"Password History Length: {policy.PasswordHistoryLength}\n";
                contents += $"Applies to: {count} users\n";

                File.WriteAllText(filePath, contents);
            }
        }
Example #3
0
        public static LDAPUserInfo ClassifyUser(this LDAPUserInfo user, LDAPPasswordPolicy policy)
        {
            user.PolicyName = policy.Name;

            var now                 = DateTime.Now;
            var start               = new DateTime(1900, 01, 01);
            var badPasswordCount    = user.BadPasswordCount;
            var lockoutDurationTime = user.LockoutTime.AddTicks((policy.LockoutDuration * -1));
            var observationTime     = user.BadPasswordTime.AddTicks((policy.LockoutObservationWindow * -1));

            if ((badPasswordCount == policy.LockoutThreshold) && (observationTime > now))
            {
                user.UserState = UserState.LOCKED_OUT;
            }
            else if (badPasswordCount == (policy.LockoutThreshold - 1))
            {
                user.UserState = UserState.PENDING_LOCK_OUT;
            }

            if (observationTime < now)
            {
                user.UserState = UserState.SAFE_TO_SPRAY;
                var diff = (policy.LockoutThreshold - 1);
            }
            else if ((badPasswordCount < (policy.LockoutThreshold - 1)) && (observationTime > now))
            {
                user.UserState = UserState.SAFE_TO_SPRAY;
                var diff = (policy.LockoutThreshold - 1) - badPasswordCount;
            }

            if (lockoutDurationTime < start)
            {
                // Never locked out
            }
            if ((lockoutDurationTime > start) && (observationTime < now))
            {
                // Was locked out
            }
            if ((badPasswordCount == (policy.LockoutThreshold - 1)) && (lockoutDurationTime < start) && (observationTime < now))
            {
                // Almost locked out
            }
            if ((badPasswordCount > 0) && (badPasswordCount < (policy.LockoutThreshold - 1)) && (observationTime < now))
            {
                // Prior failed attempts
            }
            return(user);
        }
Example #4
0
        private List <string> GetPasswordPolicyUsers(LDAPPasswordPolicy policy)
        {
            _logger.Log($"[-] Retrieving users for policy: {policy.Name}");

            var users = new List <string>();

            policy.AppliesToDN.ForEach(a =>
            {
                var groupSearch      = new DirectorySearcher(DirectoryEntry);
                groupSearch.Filter   = $"(&(objectCategory=user)(memberOf={a}))";
                groupSearch.PageSize = 1000;
                groupSearch.PropertiesToLoad.Add("sAMAccountName");
                groupSearch.SearchScope = SearchScope.Subtree;

                var groupResults = groupSearch.FindAll();
                if (groupResults.Count > 0)
                {
                    for (var i = 0; i < groupResults.Count; i++)
                    {
                        var username = (string)groupResults[i].Properties["sAMAccountname"][0];
                        users.Add(username.ToLower());
                    }
                }
                else
                {
                    var userSearch      = new DirectorySearcher(DirectoryEntry);
                    userSearch.Filter   = $"(&(objectCategory=user)(distinguishedName={a}))";
                    userSearch.PageSize = 1000;
                    userSearch.PropertiesToLoad.Add("sAMAccountName");
                    userSearch.SearchScope = SearchScope.Subtree;
                    var userResults        = userSearch.FindOne();

                    if (userResults != null)
                    {
                        var username = (string)userResults.Properties["sAMAccountname"][0];
                        users.Add(username.ToLower());
                    }
                }
            });
            return(users);
        }
Example #5
0
        private LDAPPasswordPolicy GetDomainPolicy()
        {
            var searcher = new DirectorySearcher(DirectoryEntry);

            searcher.SearchScope = SearchScope.Base;
            searcher.PropertiesToLoad.Add("name");
            searcher.PropertiesToLoad.Add("msds-behavior-version");
            searcher.PropertiesToLoad.Add("lockoutduration");
            searcher.PropertiesToLoad.Add("lockoutthreshold");
            searcher.PropertiesToLoad.Add("lockoutobservationwindow");
            searcher.PropertiesToLoad.Add("minpwdlength");
            searcher.PropertiesToLoad.Add("minpwdage");
            searcher.PropertiesToLoad.Add("maxpwdage");
            searcher.PropertiesToLoad.Add("pwdhistorylength");
            searcher.PropertiesToLoad.Add("adspath");
            searcher.PropertiesToLoad.Add("pwdproperties");

            var result = searcher.FindOne();
            var policy = new LDAPPasswordPolicy(result, false);

            policy.AppliesToUsers = new List <string>();

            return(policy);
        }