public IResult Collect(SearchString searchstring)
{
_logger.Debug($"Collecting");
LDAPSearchString searchString = (LDAPSearchString)searchstring;
List <ILDAPObject> ldapObjects = new List <ILDAPObject>();
var results = Searcher.GetResultEntries(searchString).ToList();
foreach (var result in results)
{
//If we need User
if (searchString.ReturnAttributes.Contains("sAMAccountName"))
{
var user = User.GetUserObject(result);
ldapObjects.Add(user);
}
else
{
ldapObjects.Add(new LDAPBaseObject {
Attributes = ProcessAttributes(result.Attributes), DistinguishedName = result.DistinguishedName
});
}
}
CollectResult = new LDAPResult {
LDAPObjects = ldapObjects, Title = searchstring.Title
};
_logger.Debug("LDAP Objects Collected");
return(CollectResult);
}
public static void BuildExtendedRightsDict()
{
_logger.Debug("Building an Extended Rights List");
string extendedRightsDn = "CN=Extended-Rights," + Searcher.LdapInfo.ConfigDN;
var rightsResult = Searcher.GetResultEntries(new LDAPSearchString
{
DN = extendedRightsDn,
Filter = "(rightsGuid=*)",
ReturnAttributes = new string[] { "rightsGuid", "cn" },
Scope = SearchScope.Subtree,
//UseGlobalCatalog = true
}).ToList();
foreach (var rights in rightsResult)
{
//Ignore duplicated rightsGuid DNS-Host-Name-Attributes & Validated-DNS-Host-Name: "72e39547-7b18-11d1-adef-00c04fd8d5cd"
string rightsGuid = rights.Attributes["rightsGuid"][0].ToString().ToLower();
if (rightsGuid == "72e39547-7b18-11d1-adef-00c04fd8d5cd")
{
continue;
}
ExtendedRightsList.Add(rightsGuid, rights.Attributes["cn"][0].ToString());
}
ExtendedRightsList.Add("72e39547-7b18-11d1-adef-00c04fd8d5cd", "DNS-Host-Name-Attributes & Validated-DNS-Host-Name");
ExtendedRightsList.Add("aa4e1a6d-550d-4e05-8c35-4afcb917a9fe", "ms-TPM-OwnerInformation");
ExtendedRightsList.Add("00000000-0000-0000-0000-000000000000", "All");
}
public static void GetWMIPolicies()
{
_logger.Debug("Collecting WMI Policies");
string wmiRootDn = "CN=SOM,CN=WMIPolicy,CN=System," + Searcher.LdapInfo.RootDN;
string wmiForestDn = "CN=SOM,CN=WMIPolicy,CN=System," + Searcher.LdapInfo.ForestDN;
string[] wmiDNs = (Searcher.LdapInfo.RootDN != Searcher.LdapInfo.ForestDN) ? new string[] { wmiRootDn, wmiForestDn } : new string[] { wmiRootDn };
string wmiFilter = @"(objectClass=msWMI-Som)";
string[] wmiAttrs = { "msWMI-Name", "msWMI-ID" };
foreach (var wmiDn in wmiDNs)
{
var resultEntries = Searcher.GetResultEntries(new LDAPSearchString {
DN = wmiDn, Filter = wmiFilter, ReturnAttributes = wmiAttrs, Scope = SearchScope.Subtree
}).ToList();
foreach (var entry in resultEntries)
{
WMIPolicies.Add(entry.Attributes["msWMI-ID"][0].ToString().ToUpper(), entry.Attributes["msWMI-Name"][0].ToString());
}
}
}
public static void GetAllGPOs()
{
GetWMIPolicies();
_logger.Debug("Collecting GPOs");
Regex filterRx = new Regex(@";(\{.+?\});", RegexOptions.Compiled);
string gpoRootDN = "CN=Policies,CN=System," + Searcher.LdapInfo.RootDN;//"CN=System," + rootDn;
string gpoForestDN = "CN=Policies,CN=System," + Searcher.LdapInfo.ForestDN;
string[] gpoDNs = (Searcher.LdapInfo.RootDN != Searcher.LdapInfo.ForestDN) ? new string[] { gpoRootDN, gpoForestDN } : new string[] { gpoRootDN };
string gpoFilter = @"(objectCategory=groupPolicyContainer)";
string[] gpoAttrs = { "displayName", "cn", "gPCWQLFilter", "nTSecurityDescriptor" };
//string extrightsDn = "CN=Extended-Rights,CN=Configuration," + forestDn;
try
{
foreach (string gpodn in gpoDNs)
{
_logger.Debug($"Enumerateing GPOs in {gpodn}");
var gpoEntries = Searcher.GetResultEntries(new LDAPSearchString {
DN = gpodn, Filter = gpoFilter, ReturnAttributes = gpoAttrs, Scope = SearchScope.Subtree
}).ToList();
foreach (var entry in gpoEntries)
{
string dn = entry.Attributes["cn"][0].ToString().ToUpper();
string displayname = entry.Attributes["displayName"][0].ToString().ToUpper();
//WMI Filtering
if (entry.Attributes.Contains("gPCWQLFilter"))
{
string filterAttr = entry.Attributes["gPCWQLFilter"][0].ToString();
//Could be empty " "
if (filterAttr.Length > 2)
{
Match filterM = filterRx.Match(filterAttr);
string filter = filterM.Groups[1].ToString();
string wmiName = WMIPolicies[filter];
displayname += " [EvaluateWMIPolicy: " + wmiName + " - " + filter + "]";
}
}
if (!GroupPolicies.ContainsKey(dn))
{
GroupPolicies.Add(dn, displayname);
}
}
}
}
catch (Exception e)
{
_logger.Error(e.Message);
}
}
public static void BuildSchemaDict()
{
_logger.Debug("Building an Schema List");
var rightsResult = Searcher.GetResultEntries(new LDAPSearchString
{
DN = Searcher.LdapInfo.SchemaDN,
Filter = "(schemaIDGUID=*)",
ReturnAttributes = new string[] { "schemaIDGUID", "cn" },
Scope = SearchScope.OneLevel,
//UseGlobalCatalog = true
}).ToList();
foreach (var rights in rightsResult)
{
string schemaGUID = Helper.GetStringFromByte((byte[])rights.Attributes["schemaIDGUID"][0]).ToLower();
SchemaList.Add(schemaGUID, rights.Attributes["cn"][0].ToString());
}
SchemaList.Add("00000000-0000-0000-0000-000000000000", "All properties");
// Active Directory includes predefined property sets:
// https://docs.microsoft.com/en-us/windows/desktop/adschema/property-sets
var predefinedProp = new Dictionary <string, string>();
predefinedProp.Add("72e39547-7b18-11d1-adef-00c04fd8d5cd", "DNS Host Name Attributes");
predefinedProp.Add("b8119fd0-04f6-4762-ab7a-4986c76b3f9a", "Other Domain Parameters");
predefinedProp.Add("c7407360-20bf-11d0-a768-00aa006e0529", "Domain Password and Lockout Policies");
predefinedProp.Add("e45795b2-9455-11d1-aebd-0000f80367c1", "Phone and Mail Options");
predefinedProp.Add("59ba2f42-79a2-11d0-9020-00c04fc2d3cf", "General Information");
predefinedProp.Add("bc0ac240-79a9-11d0-9020-00c04fc2d4cf", "Group Membership");
predefinedProp.Add("ffa6f046-ca4b-4feb-b40d-04dfee722543", "MS-TS-GatewayAccess");
predefinedProp.Add("77b5b886-944a-11d1-aebd-0000f80367c1", "Personal Information");
predefinedProp.Add("91e647de-d96f-4b70-9557-d63ff4f3ccd8", "Private Information");
predefinedProp.Add("e48d0154-bcf8-11d1-8702-00c04fb96050", "Public Information");
predefinedProp.Add("5805bc62-bdc9-4428-a5e2-856a0f4c185e", "Terminal Server License Server");
predefinedProp.Add("4c164200-20c0-11d0-a768-00aa006e0529", "Account Restrictions");
predefinedProp.Add("5f202010-79a5-11d0-9020-00c04fc2d4cf", "Logon Information");
predefinedProp.Add("e45795b3-9455-11d1-aebd-0000f80367c1", "Web Information");
predefinedProp.Add("9b026da6-0d3c-465c-8bee-5199d7165cba", "DS-Validated-Write-Computer");
predefinedProp.Add("037088f8-0ae1-11d2-b422-00a0c968f939", "RAS-Information");
foreach (var prop in predefinedProp)
{
if (!SchemaList.ContainsKey(prop.Key))
{
SchemaList.Add(prop.Key, prop.Value);
}
}
}
public static async Task <List <CertificateTemplate> > GetInterestingCertTemplatesAsync()
{
var certTemplateList = Searcher.GetResultEntries(new LDAPSearchString
{
DN = "CN=Certificate Templates,CN=Public Key Services,CN=Services," + Searcher.LdapInfo.ConfigDN,
Filter = @"(objectCategory=pKICertificateTemplate)",
Scope = SearchScope.Subtree
}).ToList();
List <Task <CertificateTemplate> > tasks = new List <Task <CertificateTemplate> >();
foreach (var certTemplate in certTemplateList)
{
tasks.Add(Task.Run(() => CertificateTemplate.GetInterestingCertTemplates(certTemplate)));
}
var CTTasks = (await Task.WhenAll(tasks)).ToList();
return(CTTasks);
}
public static async Task <List <ADCS> > GetADCSAsync()
{
string csFilter = @"(objectCategory=pKIEnrollmentService)";
string csDn = "CN=Enrollment Services,CN=Public Key Services,CN=Services," + Searcher.LdapInfo.ConfigDN;
List <Task <ADCS> > tasks = new List <Task <ADCS> >();
var csEntries = Searcher.GetResultEntries(new LDAPSearchString {
DN = csDn,
Filter = csFilter,
Scope = SearchScope.Subtree
}).ToList();
foreach (SearchResultEntry csEntry in csEntries)
{
tasks.Add(Task.Run(() => ADCS.GetADCS(csEntry)));
}
var caList = (await Task.WhenAll(tasks)).ToList();
return(caList);
}
//Retrieve IP from LDAP dnsRecord only
public static Dictionary <string, Dictionary <string, string> > GetDNS(bool searchForest = false)
{
Dictionary <string, Dictionary <string, string> > dnsDict = new Dictionary <string, Dictionary <string, string> >();
string dDnsDn = "DC=DomainDnsZones," + Searcher.LdapInfo.RootDN;//not searching from "CN=MicrosoftDNS,DC=DomainDnsZones,";
string fDnsDn = "DC=ForestDnsZones," + Searcher.LdapInfo.ForestDN;
string queryZones = @"(&(objectClass=dnsZone)(!(DC=*arpa))(!(DC=RootDNSServers)))";
string[] dnsZoneAttrs = { "name" };
var dnsZoneSearchResult = searchForest ?
Searcher.GetResultEntries(new LDAPSearchString
{
DN = fDnsDn,
Filter = queryZones,
ReturnAttributes = dnsZoneAttrs,
Scope = SearchScope.Subtree
}).ToList()
:
Searcher.GetResultEntries(new LDAPSearchString
{
DN = dDnsDn,
Filter = queryZones,
ReturnAttributes = dnsZoneAttrs,
Scope = SearchScope.Subtree
}).ToList();
//excluding objects that have been removed
string queryRecord = @"(&(objectClass=*)(!(DC=@))(!(DC=*DnsZones))(!(DC=*arpa))(!(DC=_*))(!dNSTombstoned=TRUE))";
string[] dnsAttrs = { "dnsRecord" };
byte[] dnsByte = null;
string ip = null;
string hostname = null;
foreach (var dnsZone in dnsZoneSearchResult)
{
Dictionary <string, string> dnsRecordDict = new Dictionary <string, string>();
var dnsResponse = Searcher.GetResultEntries(new LDAPSearchString
{
DN = dnsZone.DistinguishedName,
Filter = queryRecord,
Scope = SearchScope.OneLevel,
ReturnAttributes = dnsAttrs
}).ToList();
foreach (var dnsResult in dnsResponse)
{
//If have permission to view the record
if (dnsResult.Attributes.Contains("dnsRecord"))
{
dnsByte = ((byte[])dnsResult.Attributes["dnsRecord"][0]);
ip = ResolveDNSRecord(dnsByte);
if (ip == string.Empty || ip == null)
{
continue;
}
hostname = dnsResult.DistinguishedName;
if (!dnsRecordDict.ContainsKey(hostname.ToUpper()))
{
dnsRecordDict.Add(hostname.ToUpper(), ip);
}
}
}
if (!dnsDict.ContainsKey(dnsZone.DistinguishedName.ToUpper()))
{
dnsDict.Add(dnsZone.DistinguishedName.ToUpper(), dnsRecordDict);
}
}
return(dnsDict);
}
//Get DACL for LAPS
public static List <DACL> GetLAPSACL()
{
logger.Debug("Getting ACLs for LAPS");
var laspDACLList = new List <DACL>();
var lapsACEs = new Dictionary <string, List <string> >();
var lapsResults = Searcher.GetResultEntries(new LDAPSearchString {
DN = Searcher.LdapInfo.TargetSearchBase,
Filter = "(ms-Mcs-AdmPwdExpirationTime=*)",
Scope = SearchScope.Subtree
}).ToList();
if (lapsResults == null || lapsResults.Count == 0)
{
logger.Debug("No LAPS enabled machine can be found");
return(null);
}
Regex ous = new Regex(@",(CN=.*|OU=.*)", RegexOptions.Compiled);
//Only target the first degree OU
var lapsOUs = lapsResults.Select(entry => ous.Match(entry.DistinguishedName).Groups[1].Value).Distinct().ToList();
Regex rights = new Regex(@"(.*Read.*)", RegexOptions.Compiled);
foreach (string targetDn in lapsOUs)
{
var rules = GetAuthorizationRules(targetDn, out string ownerSID);
foreach (ActiveDirectoryAccessRule rule in rules)
{
string sid = rule.IdentityReference.ToString();
string adRights = rule.ActiveDirectoryRights.ToString();
string objectType = rule.ObjectType.ToString();
//{2537B2BE-3CE2-459E-A86A-B7949C1D361C}: ms-Mcs-AdmPwd
if (rights.IsMatch(adRights) &&
objectType.ToUpper() == "2537B2BE-3CE2-459E-A86A-B7949C1D361C")
{
string IR = Helper.SIDNameSID(sid);
string userRights = $"ms-Mcs-AdmPwd ({adRights})";
if (lapsACEs.ContainsKey(IR))
{
lapsACEs[IR].Add(userRights);
}
else
{
lapsACEs.Add(IR, new List <string> {
userRights
});
}
}
}
string owner = Helper.SIDNameSID(ownerSID);
if (lapsACEs.ContainsKey(owner))
{
lapsACEs[owner].Add("Owner");
}
else
{
lapsACEs.Add(owner, new List <string> {
"Owner"
});
}
laspDACLList.Add(new DACL {
ObjectName = targetDn, ACEs = lapsACEs
});
}
return(laspDACLList);
}
public static List <DACL> ACLScan(string user, List <string> groupSIDs)
{
if (user == null)
{
return(null);
}
var ACLList = new List <DACL>();
//1. Locate the user
var targetEntry = Searcher.GetResultEntry(new LDAPSearchString
{
DN = Searcher.LdapInfo.TargetSearchBase,
Filter = $"(sAMAccountName={user})",
Scope = SearchScope.Subtree
});
if (targetEntry == null)
{
return(null);
}
var targetSid = new SecurityIdentifier((byte[])targetEntry.Attributes["objectsid"][0], 0).ToString();
//2. Get user nested group sid
groupSIDs.Add(targetSid);
//Iterate all objects
var partitions = new string[] { Searcher.LdapInfo.RootDN, Searcher.LdapInfo.ConfigDN, Searcher.LdapInfo.SchemaDN };
if (Searcher.LdapInfo.TargetSearchBase != Searcher.LdapInfo.RootDN)
{
var allObjects = Searcher.GetResultEntries(new LDAPSearchString
{
DN = Searcher.LdapInfo.TargetSearchBase,
Filter = "(ObjectCategory=*)",
Scope = SearchScope.Subtree
});
foreach (var obj in allObjects)
{
var acl = GetMyInterestingACLOnObject(obj.DistinguishedName, groupSIDs);
if (acl != null)
{
ACLList.Add(acl);
}
}
}
else
{
foreach (var partition in partitions)
{
var allObjects = Searcher.GetResultEntries(new LDAPSearchString
{
DN = partition,
Filter = "(ObjectCategory=*)",
Scope = SearchScope.Subtree
});
foreach (var obj in allObjects)
{
var acl = GetMyInterestingACLOnObject(obj.DistinguishedName, groupSIDs);
if (acl != null)
{
ACLList.Add(acl);
}
}
}
}
return(ACLList);
}
