public static bool AddMultiValue(this Cursor cursor, Columnid columnId, SecurityIdentifier[] valuesToAdd)
{
//NOTE: Must be in transaction and record must be in editing state.
var binarySidHistory = valuesToAdd.Select(sid => sid.GetBinaryForm(true));
// TODO: Create method , bool[][]?
return(cursor.AddMultiValue(columnId, binarySidHistory, HashEqualityComparer.GetInstance()));
}
private void TestComputerDefaultPassword()
{
string defaultPassword = this.Account.SamAccountName.TrimEnd('$').ToLower();
byte[] defaultHash = NTHash.ComputeHash(defaultPassword);
if (HashEqualityComparer.GetInstance().Equals(this.Account.NTHash, defaultHash))
{
// The computer has the default password.
this.result.DefaultComputerPassword.Add(this.Account.LogonName);
}
}
public void TwoHashes_WithSameData_AreSame()
{
var inputX = new byte[] { 0, 1, 2, 3, 4 };
var inputY = new byte[] { 0, 1, 2, 3, 4 };
var equalityComparer = new HashEqualityComparer();
var x = Mock.Of <IHash>(m => m.Bytes == inputX);
var y = Mock.Of <IHash>(m => m.Bytes == inputY);
Assert.IsTrue(equalityComparer.Equals(x, y));
}
public void TwoHashes_WithDifferentData_AreDifferent()
{
var inputX = new byte[] { 0, 1, 2, 3, 4 };
var inputY = new byte[] { 1, 2, 3, 4, 5 };
var equalityComparer = new HashEqualityComparer();
var x = Mock.Of <IHash>(m => m.Bytes == inputX);
var y = Mock.Of <IHash>(m => m.Bytes == inputY);
Assert.IsFalse(equalityComparer.Equals(x, y));
}
/// <summary>
/// Re-encrypts the PEK list using a new boot key.
/// </summary>
/// <param name="oldBootKey">Current boot key, using which the PEK list is encrypted.</param>
/// <param name="newBootKey">New boot key using which to encrypt the PEK list.</param>
public void ChangeBootKey(byte[] oldBootKey, byte[] newBootKey)
{
// Validate
Validator.AssertLength(oldBootKey, BootKeyRetriever.BootKeyLength, "oldBootKey");
if (newBootKey != null)
{
// This value is optional. No encryption is used when blank key is provided.
Validator.AssertLength(newBootKey, BootKeyRetriever.BootKeyLength, "newBootKey");
}
if (HashEqualityComparer.GetInstance().Equals(oldBootKey, newBootKey))
{
// Both keys are the same so no change is required.
return;
}
if (!this.context.DomainController.DomainNamingContextDNT.HasValue)
{
// The domain object must exist
throw new DirectoryObjectNotFoundException("domain");
}
// Execute
using (var transaction = this.context.BeginTransaction())
{
// Retrieve and decrypt
var domain = this.FindObject(this.context.DomainController.DomainNamingContextDNT.Value);
byte[] encryptedPEK;
domain.ReadAttribute(CommonDirectoryAttributes.PEKList, out encryptedPEK);
var pekList = new DataStoreSecretDecryptor(encryptedPEK, oldBootKey);
// Encrypt with the new boot key (if blank, plain encoding is done instead)
byte[] binaryPekList = pekList.ToByteArray(newBootKey);
// Save the new value
this.dataTableCursor.BeginEditForUpdate();
bool hasChanged = domain.SetAttribute(CommonDirectoryAttributes.PEKList, binaryPekList);
this.CommitAttributeUpdate(domain, CommonDirectoryAttributes.PEKList, transaction, hasChanged, true);
}
}
/// <summary>
/// Constructor
/// </summary>
protected KeyConfigurationBase(ICountConfiguration <TCount> configuration, bool createValueFilter = true) :
base(createValueFilter)
{
_countConfiguration = configuration;
_getId = GetIdImpl;
_idHash = id =>
{
var res = BitConverter.ToInt32(_murmurHash.Hash(BitConverter.GetBytes(id)), 0);
return(res == 0 ? 1 : res);
};
_hashes = (hash, hashCount) => ComputeHash(hash, BitConverter.ToInt32(_murmurHash.Hash(BitConverter.GetBytes(hash), 912345678), 0), hashCount, 1);
//the hashSum value is an identity hash.
_entityHash = e => IdHash(GetId(e));
_isPure = (d, p) => CountConfiguration.IsPure(d.Counts[p]) &&
HashEqualityComparer.Equals(d.HashSumProvider[p], IdHash(d.IdSumProvider[p]));
_idAdd = _idRemove = (id1, id2) => id1 ^ id2;
_idIntersect = (id1, id2) => id1 & id2;
_hashIdentity = 0;
_idIdentity = 0L;
_hashAdd = _hashRemove = (h1, h2) => h1 ^ h2;
_hashIntersect = (h1, h2) => h1 & h2;
_idEqualityComparer = EqualityComparer <long> .Default;
_hashEqualityComparer = EqualityComparer <int> .Default;
}
protected override void ProcessRecord()
{
if (this.Account.Enabled == false && !this.IncludeDisabledAccounts.IsPresent)
{
// The account is disabled and should be skipped.
string message = String.Format("Skipping account {0}, because it is disabled.", this.Account.LogonName);
this.WriteVerbose(message);
return;
}
// Verbose message
string message2 = String.Format("Processing account {0}...", this.Account.LogonName);
this.WriteVerbose(message2);
if (this.Account.UserAccountControl.HasFlag(UserAccountControl.PasswordNeverExpires))
{
// The account has a non-expiring password.
this.result.PasswordNeverExpires.Add(this.Account.LogonName);
}
if (this.Account.UserAccountControl.HasFlag(UserAccountControl.UseDesKeyOnly))
{
// Only DES kerberos encryption type is used with this account.
this.result.DESEncryptionOnly.Add(this.Account.LogonName);
}
if (this.Account.AdminCount && !this.Account.UserAccountControl.HasFlag(UserAccountControl.NotDelegated))
{
// This administrative account can be delegated.
this.result.DelegatableAdmins.Add(this.Account.LogonName);
}
if (this.Account.UserAccountControl.HasFlag(UserAccountControl.PasswordNotRequired))
{
// The account's password is not required.
this.result.PasswordNotRequired.Add(this.Account.LogonName);
}
if (this.Account.UserAccountControl.HasFlag(UserAccountControl.PreAuthNotRequired))
{
// Pre-authentication is not required for this account account.
this.result.PreAuthNotRequired.Add(this.Account.LogonName);
}
if (this.Account.SamAccountType == SamAccountType.User && this.Account.ServicePrincipalName?.Length > 0 && !this.Account.SupportsKerberosAESEncryption)
{
// This is a kerberoastable user/service account, because it has a SPN configured, but has Kerberos AES encryption support disabled.
this.result.Kerberoastable.Add(this.Account.LogonName);
}
if (this.Account.SupplementalCredentials != null)
{
if (this.Account.SupplementalCredentials.ClearText != null)
{
// Account has ClearText password (stored using reversible encryption)
this.result.ClearTextPassword.Add(this.Account.LogonName);
}
if (this.Account.UserAccountControl.HasFlag(UserAccountControl.SmartCardRequired))
{
// Smart card user
if (this.Account.SupplementalCredentials.Kerberos != null)
{
// Accounts that require smart card authentication should have an empty supplemental credentials data structure.
this.result.SmartCardUsersWithPassword.Add(this.Account.LogonName);
}
}
else
{
// Not a smart card user
if (this.Account.SupplementalCredentials.KerberosNew == null)
{
// Account is missing the AES kerberos keys. This is only OK if smart card auth is enforced for this account.
this.result.AESKeysMissing.Add(this.Account.LogonName);
}
}
}
if (this.Account.LMHash != null)
{
// Account has the LM hash present.
this.result.LMHash.Add(this.Account.LogonName);
}
if (this.Account.NTHash == null)
{
// The account has no password.
this.result.EmptyPassword.Add(this.Account.LogonName);
// All the remaining tests are based on NT hash, so we can skip them.
return;
}
if (HashEqualityComparer.GetInstance().Equals(this.Account.NTHash, NTHash.Empty))
{
// The account has an empty password.
this.result.EmptyPassword.Add(this.Account.LogonName);
// Skip the remaining tests, because they only make sense for non-empty passwords.
return;
}
if (this.Account.SamAccountType == SamAccountType.Computer)
{
// Check if the computer has a default password.
this.TestComputerDefaultPassword();
}
else
{
// Computer accounts typically have random passwords, so we only perform the following tests for other account types like User or Trust.
this.LookupAccountNTHashInSortedFile();
if (this.hashToAccountMap != null)
{
// Add the current account's NT hash to the map for further processing.
this.AddAccountToHashMap();
}
}
}
protected override void BeginProcessing()
{
// Test the optional file path in advance to throw an early error.
this.ResolveFilePath(this.WeakPasswordHashesFile);
this.ResolveFilePath(this.WeakPasswordsFile);
// Open the sorted weak password hashes file, as we will be searching it on-the-fly.
string sortedHashesFile = this.ResolveFilePath(this.WeakPasswordHashesSortedFile);
if (sortedHashesFile != null)
{
this.sortedHashFileSearcher = new SortedFileSearcher(sortedHashesFile);
}
if (this.ShouldTestWeakPasswordsInMemory || !this.SkipDuplicatePasswordTest.IsPresent)
{
// We need to cache NT hashes of all accounts for the Duplicate and Weak Password Tests.
this.hashToAccountMap = new Dictionary <byte[], SortedSet <string> >(PasswordDictionaryInitialCapacity, HashEqualityComparer.GetInstance());
}
// Initialize the test results.
this.result = new PasswordQualityTestResult();
}
public static bool SetValue(this Cursor cursor, Columnid columnId, byte[] newValue)
{
return(cursor.SetValue(columnId, newValue, HashEqualityComparer.GetInstance()));
}
/// <summary>
/// Returns a list of list of strings - each entry in the outer list contains a list of filenames of files with the same contents.
/// </summary>
/// <param name="startingDirectory">The directory in which to start searching</param>
/// <param name="errors">A list into which to insert errors</param>
/// <returns>A list of list of files whose contents are the same</returns>
public List <List <string> > GetDups(string startingDirectory, out List <string> errors)
{
_errors = new List <string>();
var hashingEngines = _parallel ? Enumerable.Range(0, Environment.ProcessorCount).Select(x => Task.Run(() => HashEngine())).ToList() : null;
var stack = new Stack <string>();
stack.Push(startingDirectory);
while (stack.Any())
{
var dir = stack.Pop();
foreach (var file in Directory.GetFiles(dir))
{
var finfo = new FileInfo(file);
if (!_lengthToFilenames.TryGetValue(finfo.Length, out var fileList))
{
fileList = new List <FilenameAndHash>();
_lengthToFilenames.Add(finfo.Length, fileList);
}
fileList.Add(new FilenameAndHash {
Filename = file
});
// only compute the SHA-1 for the file if this is the second or subsequent file with this particular length.
// If this is the second file we also need to compute the SHA-1 for the first file:
if (fileList.Count > 1)
{
if (fileList.Count == 2)
{
_hashQueue.Add(fileList.First());
}
_hashQueue.Add(fileList.Last());
}
}
foreach (var subDir in Directory.GetDirectories(dir))
{
stack.Push(subDir);
}
}
_hashQueue.CompleteAdding();
Task.WaitAll(hashingEngines.ToArray());
var sha1Comparer = new HashEqualityComparer();
var duplicateEntriesByLength = _lengthToFilenames.Where(x => x.Value.Count > 1);
// transform the length dictionary into an IEnumerable<ILookup<byte[]...note that we lose the dictionary key as
// we are no longer interested in the length of the file. Also note that we check if a file actually **has** a computed
// hash as it may not due to our inability to open it:
var shaLookups = duplicateEntriesByLength.Select(x => x.Value.Where(y => y.HasComputedHash).ToLookup(z => z.Sha1, sha1Comparer));
// transform each lookup into a list of lists (each "bucket in the lookup becomes a list) - so we then
// we flatten the entire result to a list-of-lists - we could have done this with SelectMany:
var dups = (from lookup in shaLookups // each entry is a lookup "bucketed" by SHA1
from lubucket in lookup // take each bucket where the number of items in the bucket is greater than 1
where lubucket.Count() > 1
let fileList = (from file in lubucket select file.Filename).ToList() // get all the items from the bucket, but we want ONLY THE FILENAME for each item
select fileList).ToList();
errors = _errors;
return(dups);
}
protected override void BeginProcessing()
{
// Test the optional file path in advance to throw an early error.
this.ResolveFilePath(this.WeakPasswordHashesFile);
this.ResolveFilePath(this.WeakPasswordsFile);
if (this.ShouldTestWeakPasswords || !this.SkipDuplicatePasswordTest.IsPresent)
{
// We need to cache NT hashes of all accounts for the Duplicate and Weak Password Tests.
this.hashToAccountMap = new Dictionary <byte[], SortedSet <string> >(PasswordDictionaryInitialCapacity, HashEqualityComparer.GetInstance());
}
// Initialize the test results.
this.result = new PasswordQualityTestResult();
}
private bool processRecords()
{
foreach (DSAccount acc in accs)
{
if (acc.UserAccountControl.HasFlag(UserAccountControl.PasswordNeverExpires))
{
accFindings["Password Never Expires"].Add(acc);
}
if (acc.UserAccountControl.HasFlag(UserAccountControl.UseDesKeyOnly))
{
accFindings["Only DES Kerberos Encryption Used"].Add(acc);
}
if (acc.AdminCount && !acc.UserAccountControl.HasFlag(UserAccountControl.NotDelegated))
{
accFindings["Admin Account can be Delegated"].Add(acc);
}
if (acc.UserAccountControl.HasFlag(UserAccountControl.PasswordNotRequired))
{
accFindings["Password not Required"].Add(acc);
}
if (acc.UserAccountControl.HasFlag(UserAccountControl.PreAuthNotRequired))
{
accFindings["Pre-authentication not Required"].Add(acc);
}
if (acc.SupplementalCredentials != null)
{
if (acc.SupplementalCredentials.ClearText != null)
{
string cleartext = acc.SupplementalCredentials.ClearText;
accFindings["Password Stored in Cleartext"].Add(acc);
}
if (acc.SupplementalCredentials.KerberosNew == null)
{
accFindings["Account is Missing AES Kerberos Keys"].Add(acc);
}
}
if (acc.LMHash != null)
{
accFindings["Account has LM Hash"].Add(acc);
}
if (acc.NTHash == null)
{
accFindings["Account has no Password"].Add(acc);
}
if (HashEqualityComparer.GetInstance().Equals(acc.NTHash, NTHash.Empty))
{
accFindings["Account has an Empty Password"].Add(acc);
}
if (acc.SamAccountType == SamAccountType.Computer)
{
//check for default comp creds
}
string currHash = acc.NTHash.ToHex();
if (currHash != null && currHash.Length > 0)
{
if (!hashDict.ContainsKey(currHash))
{
hashDict.Add(currHash, new List <DSAccount>());
}
hashDict[currHash].Add(acc);
}
}
return(true);
}
protected override void ProcessRecord()
{
if (this.Account.Enabled == false && !this.IncludeDisabledAccounts.IsPresent)
{
// The account is disabled and should be skipped.
// TODO: Move to resources.
string message = String.Format("Skipping account {0}, because it is disabled.", this.Account.SamAccountName);
this.WriteVerbose(message);
return;
}
// Verbose message
// TODO: Move to resources.
string message2 = String.Format("Processing account {0}...", this.Account.SamAccountName);
this.WriteVerbose(message2);
if (this.Account.UserAccountControl.HasFlag(UserAccountControl.PasswordNeverExpires))
{
// The account has a non-expiring password.
this.result.PasswordNeverExpires.Add(this.Account.SamAccountName);
}
if (this.Account.UserAccountControl.HasFlag(UserAccountControl.UseDesKeyOnly))
{
// Only DES kerbero encryption type is used with this account.
this.result.DESEncryptionOnly.Add(this.Account.SamAccountName);
}
if (this.Account.AdminCount && !this.Account.UserAccountControl.HasFlag(UserAccountControl.NotDelegated))
{
// This administrative account can be delegated.
this.result.DelegatableAdmins.Add(this.Account.SamAccountName);
}
if (this.Account.UserAccountControl.HasFlag(UserAccountControl.PasswordNotRequired))
{
// The account's password is not required.
this.result.PasswordNotRequired.Add(this.Account.SamAccountName);
}
if (this.Account.UserAccountControl.HasFlag(UserAccountControl.PreAuthNotRequired))
{
// Pre-authentication is not required for this account account.
this.result.PreAuthNotRequired.Add(this.Account.SamAccountName);
}
if (this.Account.SupplementalCredentials != null)
{
if (this.Account.SupplementalCredentials.ClearText != null)
{
// Account has ClearText password (stored using reversible encryption)
// Only reveal the password if explicitly asked to do so.
string outputPassword = this.ShowPlainTextPasswords.IsPresent ? this.Account.SupplementalCredentials.ClearText : String.Empty;
this.result.ClearTextPassword.Add(this.Account.SamAccountName, outputPassword);
}
if (this.Account.SupplementalCredentials.KerberosNew == null && !this.Account.UserAccountControl.HasFlag(UserAccountControl.SmartCardRequired))
{
// Account is missing the AES kerberos keys. This is only OK if smart card auth is enforced for this account.
this.result.AESKeysMissing.Add(this.Account.SamAccountName);
}
}
if (this.Account.LMHash != null)
{
// Account has the LM hash present.
this.result.LMHash.Add(this.Account.SamAccountName);
}
if (this.Account.NTHash == null)
{
// The account has no password.
this.result.EmptyPassword.Add(this.Account.SamAccountName);
// All the remaining tests are based on NT hash, so we can skip them.
return;
}
if (HashEqualityComparer.GetInstance().Equals(this.Account.NTHash, NTHash.Empty))
{
// The account has an empty password.
this.result.EmptyPassword.Add(this.Account.SamAccountName);
// Skip the remaining tests, because they only make sense for non-empty passwords.
return;
}
if (this.Account.SamAccountType == SamAccountType.Computer)
{
// Check if the computer has a default password.
this.TestComputerDefaultPassword();
}
if (this.WeakPasswordHashes != null)
{
// Check if the account has a weak password.
this.TestWeakHashes();
}
if (!this.SkipDuplicatePasswordTest.IsPresent)
{
// Find password duplicates
this.TestDuplicateHash();
}
}
protected override void BeginProcessing()
{
// Perform some initialization.
if (!this.SkipDuplicatePasswordTest.IsPresent)
{
this.duplicatePasswordDictionary = new Dictionary <byte[], StringCollection>(PasswordDictionaryInitialCapacity, HashEqualityComparer.GetInstance());
}
this.result = new PasswordQualityTestResult();
}
protected override void BeginProcessing()
{
this.hashDictionary = new Dictionary <byte[], string>(HashEqualityComparer.GetInstance());
}
