/// <summary>
/// Verifies that a session whose client name is the loopback address (127.0.0.1) is
/// attributed to the computer being queried: the expected session carries
/// <c>_computerSid</c> as its ComputerSID.
/// </summary>
public async Task ComputerSessionProcessor_ReadUserSessions_ResolvesLocalHostEquivalent()
{
    // Arrange: the mocked NetSessionEnum call reports one session originating from loopback.
    var nativeMock = new Mock<NativeMethods>();
    var sessionsFromApi = new[]
    {
        new NativeMethods.SESSION_INFO_10
        {
            sesi10_username = "******",
            sesi10_cname = "\\\\127.0.0.1"
        }
    };
    nativeMock
        .Setup(x => x.CallNetSessionEnum(It.IsAny<string>()))
        .Returns(sessionsFromApi);

    // The user SID is whatever MockLDAPUtils resolves the username to (resolver not shown here).
    Session[] expected =
    {
        new Session
        {
            ComputerSID = _computerSid,
            UserSID = "S-1-5-21-3130019616-2776909439-2417379446-2116"
        }
    };

    var sessionProcessor = new ComputerSessionProcessor(new MockLDAPUtils(), "dfm", nativeMock.Object);

    // Act
    var outcome = await sessionProcessor.ReadUserSessions("win10", _computerSid, _computerDomain);

    // Assert
    Assert.True(outcome.Collected);
    Assert.Equal(expected, outcome.Results);
}
/// <summary>
/// Verifies that session entries which should not be reported are dropped: collection
/// still succeeds, but the result set is empty.
/// </summary>
public async Task ComputerSessionProcessor_ReadUserSessions_FilteringWorks()
{
    // Arrange: three entries, one of them with an empty client name. Which filter rule
    // rejects each entry depends on the processor and on the usernames, neither of which
    // is visible in this listing.
    var nativeMock = new Mock<NativeMethods>();
    var sessionsFromApi = new[]
    {
        new NativeMethods.SESSION_INFO_10
        {
            sesi10_username = "******",
            sesi10_cname = "\\\\192.168.92.110"
        },
        new NativeMethods.SESSION_INFO_10
        {
            sesi10_cname = "",
            sesi10_username = "******"
        },
        new NativeMethods.SESSION_INFO_10
        {
            sesi10_username = "******",
            sesi10_cname = "\\\\192.168.92.110"
        }
    };
    nativeMock
        .Setup(x => x.CallNetSessionEnum(It.IsAny<string>()))
        .Returns(sessionsFromApi);

    var sessionProcessor = new ComputerSessionProcessor(new MockLDAPUtils(), "dfm", nativeMock.Object);

    // Act
    var outcome = await sessionProcessor.ReadUserSessions("win10", _computerSid, _computerDomain);

    // Assert: the API call counts as collected even though nothing survives filtering.
    Assert.True(outcome.Collected);
    Assert.Empty(outcome.Results);
}
/// <summary>
/// Verifies that when one session username maps to more than one principal, a session is
/// emitted for every match: a single API entry is expected to yield two results.
/// </summary>
public async Task ComputerSessionProcessor_ReadUserSessions_MultipleMatches_AddsAll()
{
    // Arrange: one session entry coming from the loopback address.
    var nativeMock = new Mock<NativeMethods>();
    var sessionsFromApi = new[]
    {
        new NativeMethods.SESSION_INFO_10
        {
            sesi10_username = "******",
            sesi10_cname = "\\\\127.0.0.1"
        }
    };
    nativeMock
        .Setup(x => x.CallNetSessionEnum(It.IsAny<string>()))
        .Returns(sessionsFromApi);

    // Two RID-500 accounts from different domain SIDs; presumably MockLDAPUtils resolves
    // the username to both of them (resolver not shown here).
    Session[] expected =
    {
        new Session
        {
            ComputerSID = _computerSid,
            UserSID = "S-1-5-21-3130019616-2776909439-2417379446-500"
        },
        new Session
        {
            ComputerSID = _computerSid,
            UserSID = "S-1-5-21-3084884204-958224920-2707782874-500"
        }
    };

    var sessionProcessor = new ComputerSessionProcessor(new MockLDAPUtils(), "dfm", nativeMock.Object);

    // Act
    var outcome = await sessionProcessor.ReadUserSessions("win10", _computerSid, _computerDomain);

    // Assert
    Assert.True(outcome.Collected);
    Assert.Equal(expected, outcome.Results);
}
/// <summary>
/// Verifies that an access-denied failure from the session enumeration call is caught by
/// the processor and reported as an uncollected result whose FailureReason is the NERR
/// status name, rather than propagating as an exception.
/// </summary>
public async Task ComputerSessionProcessor_ReadUserSessions_ComputerAccessDenied_ExceptionCaught()
{
    // Arrange: the mocked native call throws an APIException carrying ERROR_ACCESS_DENIED.
    var deniedStatus = NativeMethods.NERR.ERROR_ACCESS_DENIED.ToString();
    var accessDenied = new APIException
    {
        Status = deniedStatus
    };

    var nativeMock = new Mock<NativeMethods>();
    nativeMock
        .Setup(x => x.CallNetSessionEnum(It.IsAny<string>()))
        .Throws(accessDenied);

    var sessionProcessor = new ComputerSessionProcessor(new MockLDAPUtils(), "dfm", nativeMock.Object);

    // Act
    var outcome = await sessionProcessor.ReadUserSessions("test", "test", "test");

    // Assert: the failure is surfaced through the result object.
    Assert.False(outcome.Collected);
    Assert.Equal(NativeMethods.NERR.ERROR_ACCESS_DENIED.ToString(), outcome.FailureReason);
}
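/// <summary>
/// Builds the <see cref="Computer"/> output object for one LDAP computer entry. LDAP-derived
/// data (ACL, primary group, object properties) is always gathered according to the enabled
/// collection methods; data that requires contacting the computer (sessions, local group
/// membership) is gathered only if a computer collection method is enabled and the
/// availability check reports the host as connectable.
/// </summary>
/// <param name="entry">The LDAP search result entry for the computer.</param>
/// <param name="resolvedSearchResult">Resolved identity of the entry (object id, domain, display name, domain SID).</param>
/// <param name="compStatusChannel">Channel that receives one status row per remote task.</param>
/// <returns>The populated <see cref="Computer"/>; fields for skipped methods are left at their defaults.</returns>
private async Task<Computer> ProcessComputerObject(ISearchResultEntry entry,
    ResolvedSearchResult resolvedSearchResult, Channel<CSVComputerStatus> compStatusChannel)
{
    var ret = new Computer
    {
        ObjectIdentifier = resolvedSearchResult.ObjectId
    };

    ret.Properties.Add("domain", resolvedSearchResult.Domain);
    ret.Properties.Add("name", resolvedSearchResult.DisplayName);
    ret.Properties.Add("distinguishedname", entry.DistinguishedName.ToUpper());
    ret.Properties.Add("domainsid", resolvedSearchResult.DomainSid);
    ret.Properties.Add("highvalue", false);
    ret.Properties.Add("samaccountname", entry.GetProperty(LDAPProperties.SAMAccountName));

    var hasLaps = entry.HasLAPS();
    ret.Properties.Add("haslaps", hasLaps);

    if ((_methods & ResolvedCollectionMethod.ACL) != 0)
    {
        ret.Aces = _aclProcessor.ProcessACL(resolvedSearchResult, entry).ToArray();
        ret.IsACLProtected = _aclProcessor.IsACLProtected(entry);
    }

    if ((_methods & ResolvedCollectionMethod.Group) != 0)
    {
        var pg = entry.GetProperty(LDAPProperties.PrimaryGroupID);
        ret.PrimaryGroupSID = GroupProcessor.GetPrimaryGroupInfo(pg, resolvedSearchResult.ObjectId);
    }

    if ((_methods & ResolvedCollectionMethod.ObjectProps) != 0)
    {
        var computerProps = await _ldapPropertyProcessor.ReadComputerProperties(entry);
        ret.Properties = ContextUtils.Merge(ret.Properties, computerProps.Props);
        if (_context.Flags.CollectAllProperties)
        {
            ret.Properties = ContextUtils.Merge(_ldapPropertyProcessor.ParseAllProperties(entry),
                ret.Properties);
        }

        ret.AllowedToDelegate = computerProps.AllowedToDelegate;
        ret.AllowedToAct = computerProps.AllowedToAct;
        ret.HasSIDHistory = computerProps.SidHistory;
    }

    // Everything below contacts the computer itself; stop here for LDAP-only runs.
    if (!_methods.IsComputerCollectionSet())
    {
        return ret;
    }

    // Name used for the session calls; honours the RealDNSName override when one is configured.
    var apiName = _context.RealDNSName != null
        ? entry.GetDNSName(_context.RealDNSName)
        : resolvedSearchResult.DisplayName;

    var availability = await _computerAvailability.IsComputerAvailable(resolvedSearchResult, entry);
    if (!availability.Connectable)
    {
        // The availability row is written regardless of the DumpComputerStatus flag.
        await compStatusChannel.Writer.WriteAsync(
            availability.GetCSVStatus(resolvedSearchResult.DisplayName), _cancellationToken);
        return ret;
    }

    // Single place that writes per-task status rows, so every row gets the same computer name
    // and every write observes the cancellation token.
    ValueTask WriteStatusAsync(string task, string status) =>
        compStatusChannel.Writer.WriteAsync(new CSVComputerStatus
        {
            Status = status,
            Task = task,
            ComputerName = resolvedSearchResult.DisplayName
        }, _cancellationToken);

    // Machine account names end in '$'; the trimmed form is handed to the privileged
    // session reader and to the SAM RPC server below.
    var samAccountName = entry.GetProperty(LDAPProperties.SAMAccountName)?.TrimEnd('$');

    if ((_methods & ResolvedCollectionMethod.Session) != 0)
    {
        var sessionResult = await _computerSessionProcessor.ReadUserSessions(apiName,
            resolvedSearchResult.ObjectId, resolvedSearchResult.Domain);
        ret.Sessions = sessionResult;
        if (_context.Flags.DumpComputerStatus)
        {
            await WriteStatusAsync("NetSessionEnum",
                sessionResult.Collected ? StatusSuccess : sessionResult.FailureReason);
        }
    }

    if ((_methods & ResolvedCollectionMethod.LoggedOn) != 0)
    {
        var privSessionResult = _computerSessionProcessor.ReadUserSessionsPrivileged(apiName,
            samAccountName, resolvedSearchResult.ObjectId);
        ret.PrivilegedSessions = privSessionResult;
        if (_context.Flags.DumpComputerStatus)
        {
            await WriteStatusAsync("NetWkstaUserEnum",
                privSessionResult.Collected ? StatusSuccess : privSessionResult.FailureReason);
        }

        var registrySessionResult = _computerSessionProcessor.ReadUserSessionsRegistry(apiName,
            resolvedSearchResult.Domain, resolvedSearchResult.ObjectId);
        ret.RegistrySessions = registrySessionResult;
        if (_context.Flags.DumpComputerStatus)
        {
            // Fix: this row previously reported privSessionResult's outcome, so a registry
            // failure was logged as success (or the reverse) whenever the two calls disagreed.
            await WriteStatusAsync("RegistrySessions",
                registrySessionResult.Collected ? StatusSuccess : registrySessionResult.FailureReason);
        }
    }

    if (!_methods.IsLocalGroupCollectionSet())
    {
        return ret;
    }

    try
    {
        // NOTE(review): the SAM connection uses DisplayName while the session calls use apiName,
        // so a RealDNSName override is not applied here - confirm this is intended.
        using var server = new SAMRPCServer(resolvedSearchResult.DisplayName, samAccountName,
            resolvedSearchResult.ObjectId, resolvedSearchResult.Domain);

        if ((_methods & ResolvedCollectionMethod.LocalAdmin) != 0)
        {
            ret.LocalAdmins = server.GetLocalGroupMembers((int)LocalGroupRids.Administrators);
            if (_context.Flags.DumpComputerStatus)
            {
                await WriteStatusAsync("AdminLocalGroup",
                    ret.LocalAdmins.Collected ? StatusSuccess : ret.LocalAdmins.FailureReason);
            }
        }

        if ((_methods & ResolvedCollectionMethod.DCOM) != 0)
        {
            ret.DcomUsers = server.GetLocalGroupMembers((int)LocalGroupRids.DcomUsers);
            if (_context.Flags.DumpComputerStatus)
            {
                await WriteStatusAsync("DCOMLocalGroup",
                    ret.DcomUsers.Collected ? StatusSuccess : ret.DcomUsers.FailureReason);
            }
        }

        if ((_methods & ResolvedCollectionMethod.PSRemote) != 0)
        {
            ret.PSRemoteUsers = server.GetLocalGroupMembers((int)LocalGroupRids.PSRemote);
            if (_context.Flags.DumpComputerStatus)
            {
                await WriteStatusAsync("PSRemoteLocalGroup",
                    ret.PSRemoteUsers.Collected ? StatusSuccess : ret.PSRemoteUsers.FailureReason);
            }
        }

        if ((_methods & ResolvedCollectionMethod.RDP) != 0)
        {
            ret.RemoteDesktopUsers = server.GetLocalGroupMembers((int)LocalGroupRids.RemoteDesktopUsers);
            if (_context.Flags.DumpComputerStatus)
            {
                // Fix: this write previously omitted the cancellation token, unlike every other row.
                await WriteStatusAsync("RDPLocalGroup",
                    ret.RemoteDesktopUsers.Collected ? StatusSuccess : ret.RemoteDesktopUsers.FailureReason);
            }
        }
    }
    catch (Exception e)
    {
        // NOTE(review): this handler covers the whole block, not only the SAMRPCServer
        // constructor, so a failure in a later group lookup or status write is also labelled
        // "SAMRPCServerInit" and overwrites results that were already collected. The row is
        // written regardless of DumpComputerStatus and carries the full exception text
        // (e.ToString(), stack trace included) into the status output.
        await WriteStatusAsync("SAMRPCServerInit", e.ToString());

        ret.DcomUsers = new LocalGroupAPIResult
        {
            Collected = false,
            FailureReason = "SAMRPCServerInit Failed"
        };
        ret.PSRemoteUsers = new LocalGroupAPIResult
        {
            Collected = false,
            FailureReason = "SAMRPCServerInit Failed"
        };
        ret.LocalAdmins = new LocalGroupAPIResult
        {
            Collected = false,
            FailureReason = "SAMRPCServerInit Failed"
        };
        ret.RemoteDesktopUsers = new LocalGroupAPIResult
        {
            Collected = false,
            FailureReason = "SAMRPCServerInit Failed"
        };
    }

    return ret;
}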