public override void Run(Dictionary <String, Parameter> RunParams) { Domain.DomainSearcher domainSearcher = new Domain.DomainSearcher(); List <string> Computers = null; if (RunParams.TryGetValue("ComputerName", out Parameter computername)) { Computers = computername.Value; } List <Domain.DomainObject> domainComputers = domainSearcher.GetDomainComputers(Computers); foreach (Domain.DomainObject computer in domainComputers) { Printing.TableHeader("Property", "Value"); Printing.TableItem("Name", computer.name); Printing.TableItem("DistinguishedName", computer.distinguishedname); if (computer.serviceprincipalname.Length > 0) { string[] SPNs = computer.serviceprincipalname.Split(' '); foreach (string spn in SPNs) { Printing.TableItem("Service Principal Name", spn.TrimEnd(',')); } } } }
public static string Execute() { try { var scHandle = IntPtr.Zero; Domain.DomainSearcher searcher = new Domain.DomainSearcher(); List <Domain.DomainObject> computerList = searcher.GetDomainComputers(); List <string> adminFound = new List <string>(); foreach (Domain.DomainObject computer in computerList) { string computerName = computer.name; scHandle = Win32.Advapi32.OpenSCManager(computerName, null, Win32.Advapi32.SCM_ACCESS.SC_MANAGER_ALL_ACCESS); if (scHandle.ToInt32() != 0) { adminFound.Add(computer.distinguishedname); } Win32.Advapi32.CloseServiceHandle(scHandle); } if (adminFound.Count() == 0) { return("No admin access found."); } else { string result = string.Join(",", adminFound.ToArray()); return(result); } } catch (Exception e) { return(e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace); } }
public override void Run(Dictionary <String, Parameter> RunParams) { Domain.DomainSearcher domainSearcher = new Domain.DomainSearcher(); List <string> Groups = null; if (RunParams.TryGetValue("GroupName", out Parameter groupname)) { Groups = groupname.Value; } List <Domain.DomainObject> domainGroups = domainSearcher.GetDomainGroups(Groups); foreach (Domain.DomainObject group in domainGroups) { string adminCount; if (group.admincount != null) { adminCount = group.admincount; } else { adminCount = "[NOT SET]"; } Printing.TableHeader("Property", "Value"); Printing.TableItem("SamAccountName", group.samaccountname); Printing.TableItem("Description", group.description); Printing.TableItem("DistinguishedName", group.distinguishedname); Printing.TableItem("AdminCount", adminCount); } }
public void TestKerberoast() { List <Domain.SPNTicket> tickets = new Domain.DomainSearcher().Kerberoast(); foreach (Domain.SPNTicket ticket in tickets) { Assert.AreEqual(Environment.UserDomainName, ticket.UserDomain); } }
public void TestGetComputers() { Domain.DomainSearcher searcher = new Domain.DomainSearcher(); IList <Domain.DomainObject> computers = searcher.GetDomainComputers(); foreach (Domain.DomainObject computer in computers) { Assert.IsTrue(computer.distinguishedname.ToLower().Contains(Environment.UserDomainName.ToLower())); } }
public void TestGetGroups() { Domain.DomainSearcher searcher = new Domain.DomainSearcher(); IList <Domain.DomainObject> groups = searcher.GetDomainGroups(); foreach (Domain.DomainObject group in groups) { Assert.IsTrue(group.distinguishedname.ToLower().Contains(Environment.UserDomainName.ToLower())); } }
public void TestGetUsers() { Domain.DomainSearcher searcher = new Domain.DomainSearcher(); IList <Domain.DomainObject> users = searcher.GetDomainUsers(); foreach (Domain.DomainObject user in users) { Assert.IsTrue(user.distinguishedname.ToLower().Contains(Environment.UserDomainName.ToLower())); } Assert.AreEqual(1, users.Where(U => U.samaccountname == "krbtgt").ToList().Count()); }
public static void GetKerberoast(string[] computername) { try { List <Domain.SPNTicket> list = new Domain.DomainSearcher().Kerberoast(); foreach (Domain.SPNTicket itemobject in list) { itemobject.GetFormattedHash(Domain.SPNTicket.HashFormat.Hashcat); } } catch (Exception e) { Console.WriteLine("GetDomainComputers error : " + e.Message + Environment.NewLine + e.StackTrace); } }
public static void GetDomainComputers(string[] computername) { try { List <Domain.DomainObject> list = new Domain.DomainSearcher().GetDomainComputers(); foreach (Domain.DomainObject itemobject in list) { itemobject.ToString(); } } catch (Exception e) { Console.WriteLine("GetDomainComputers error : " + e.Message + Environment.NewLine + e.StackTrace); } }
public override void Run(Dictionary <String, Parameter> RunParams) { Domain.DomainSearcher domainSearcher = new Domain.DomainSearcher(); List <string> usernames = null; if (RunParams.TryGetValue("UserName", out Parameter username)) { usernames = username.Value; } List <Domain.DomainObject> domainUsers = domainSearcher.GetDomainUsers(usernames); foreach (Domain.DomainObject user in domainUsers) { string description; string adminCount; if (user.description != null) { description = user.description; } else { description = "[NO DESCRIPTION]"; } if (user.admincount != null) { adminCount = user.admincount; } else { adminCount = "[NOT SET]"; } Printing.TableHeader("Property", "Value"); Printing.TableItem("SamAccountName", user.samaccountname); Printing.TableItem("Description", description); Printing.TableItem("DistinguishedName", user.distinguishedname); Printing.TableItem("AdminCount", adminCount); Printing.TableItem("MemberOf", user.memberof); Printing.TableItem("Password Last Set", user.pwdlastset.ToString()); Printing.TableItem("Last Logon", user.lastlogon.ToString()); Printing.TableItem("Bad Password Count", user.badpwdcount); Printing.TableItem("Last Bad Password", user.badpasswordtime.ToString()); } }
static void GetDomainAdministrators() { //checks the domain for users with domain administrator rights or higher //checks wether those users have sessions on any host of the domain Console.WriteLine("[*] Enumerating Administrators"); Domain.DomainSearcher searcher = new Domain.DomainSearcher(); IList <Domain.DomainObject> users = searcher.GetDomainUsers(null); sw.WriteLine("Domain Administrators:"); //List of logged in Users of a System foreach (Domain.DomainObject user in users) { if ((user.admincount == "1" && !(user.name.Contains("$")) && !(user.name.Contains("krbtgt")))) { Console.WriteLine("[+] Found Domain Administrator: " + user.name.ToString()); sw.WriteLine("\\item " + user.name.ToString()); SharpSploit.Enumeration.Domain.DomainSearcher usersearcher = new SharpSploit.Enumeration.Domain.DomainSearcher(); List <SharpSploit.Enumeration.Domain.DomainObject> c = usersearcher.GetDomainComputers(); foreach (SharpSploit.Enumeration.Domain.DomainObject val in c) { List <Net.LoggedOnUser> AdministratorSessions = Net.GetNetLoggedOnUsers(new List <string> { val.name }); foreach (var b in AdministratorSessions) { if ((!(b.UserName.Contains("$")) && b.UserName == user.name)) { Console.WriteLine("[+] Found session on " + b.ComputerName + " for: " + b.UserName); sw.WriteLine("[+] Found session on " + b.ComputerName + " for: " + b.UserName); } } } } } }
public override void Run(Dictionary <String, Parameter> RunParams) { Domain.DomainSearcher domainSearcher = new Domain.DomainSearcher(); List <string> Usernames = null; string LDAPFilter = null; if (RunParams.TryGetValue("UserName", out Parameter username)) { Usernames = username.Value; } if (RunParams.TryGetValue("LDAPFilter", out Parameter ldapfilter)) { LDAPFilter = ldapfilter.Value[0]; } List <Domain.SPNTicket> sPNTickets = domainSearcher.Kerberoast(Usernames, LDAPFilter); foreach (Domain.SPNTicket spnTicket in sPNTickets) { Printing.CmdOutput(spnTicket.ToString()); } }
public static void GetDomainUsers(string[] Identity) { try { if (string.IsNullOrEmpty(Identity[0])) { List <Domain.DomainObject> list = new Domain.DomainSearcher().GetDomainUsers(); foreach (Domain.DomainObject itemobject in list) { itemobject.ToString(); } } else { new Domain.DomainSearcher().GetDomainUsers(new List <string>(new string[] { Identity[0] })).ToString(); } } catch (Exception e) { Console.WriteLine("GetDomainUsers error : " + e.Message + Environment.NewLine + e.StackTrace); } }