public override void Run(Dictionary <String, Parameter> RunParams)
{
Domain.DomainSearcher domainSearcher = new Domain.DomainSearcher();
List <string> Computers = null;
if (RunParams.TryGetValue("ComputerName", out Parameter computername))
{
Computers = computername.Value;
}
List <Domain.DomainObject> domainComputers = domainSearcher.GetDomainComputers(Computers);
foreach (Domain.DomainObject computer in domainComputers)
{
Printing.TableHeader("Property", "Value");
Printing.TableItem("Name", computer.name);
Printing.TableItem("DistinguishedName", computer.distinguishedname);
if (computer.serviceprincipalname.Length > 0)
{
string[] SPNs = computer.serviceprincipalname.Split(' ');
foreach (string spn in SPNs)
{
Printing.TableItem("Service Principal Name", spn.TrimEnd(','));
}
}
}
}
public static string Execute()
{
try
{
var scHandle = IntPtr.Zero;
Domain.DomainSearcher searcher = new Domain.DomainSearcher();
List <Domain.DomainObject> computerList = searcher.GetDomainComputers();
List <string> adminFound = new List <string>();
foreach (Domain.DomainObject computer in computerList)
{
string computerName = computer.name;
scHandle = Win32.Advapi32.OpenSCManager(computerName, null, Win32.Advapi32.SCM_ACCESS.SC_MANAGER_ALL_ACCESS);
if (scHandle.ToInt32() != 0)
{
adminFound.Add(computer.distinguishedname);
}
Win32.Advapi32.CloseServiceHandle(scHandle);
}
if (adminFound.Count() == 0)
{
return("No admin access found.");
}
else
{
string result = string.Join(",", adminFound.ToArray());
return(result);
}
}
catch (Exception e) { return(e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace); }
}
public override void Run(Dictionary <String, Parameter> RunParams)
{
Domain.DomainSearcher domainSearcher = new Domain.DomainSearcher();
List <string> Groups = null;
if (RunParams.TryGetValue("GroupName", out Parameter groupname))
{
Groups = groupname.Value;
}
List <Domain.DomainObject> domainGroups = domainSearcher.GetDomainGroups(Groups);
foreach (Domain.DomainObject group in domainGroups)
{
string adminCount;
if (group.admincount != null)
{
adminCount = group.admincount;
}
else
{
adminCount = "[NOT SET]";
}
Printing.TableHeader("Property", "Value");
Printing.TableItem("SamAccountName", group.samaccountname);
Printing.TableItem("Description", group.description);
Printing.TableItem("DistinguishedName", group.distinguishedname);
Printing.TableItem("AdminCount", adminCount);
}
}
public void TestKerberoast()
{
List <Domain.SPNTicket> tickets = new Domain.DomainSearcher().Kerberoast();
foreach (Domain.SPNTicket ticket in tickets)
{
Assert.AreEqual(Environment.UserDomainName, ticket.UserDomain);
}
}
public void TestGetComputers()
{
Domain.DomainSearcher searcher = new Domain.DomainSearcher();
IList <Domain.DomainObject> computers = searcher.GetDomainComputers();
foreach (Domain.DomainObject computer in computers)
{
Assert.IsTrue(computer.distinguishedname.ToLower().Contains(Environment.UserDomainName.ToLower()));
}
}
public void TestGetGroups()
{
Domain.DomainSearcher searcher = new Domain.DomainSearcher();
IList <Domain.DomainObject> groups = searcher.GetDomainGroups();
foreach (Domain.DomainObject group in groups)
{
Assert.IsTrue(group.distinguishedname.ToLower().Contains(Environment.UserDomainName.ToLower()));
}
}
public void TestGetUsers()
{
Domain.DomainSearcher searcher = new Domain.DomainSearcher();
IList <Domain.DomainObject> users = searcher.GetDomainUsers();
foreach (Domain.DomainObject user in users)
{
Assert.IsTrue(user.distinguishedname.ToLower().Contains(Environment.UserDomainName.ToLower()));
}
Assert.AreEqual(1, users.Where(U => U.samaccountname == "krbtgt").ToList().Count());
}
public static void GetKerberoast(string[] computername)
{
try
{
List <Domain.SPNTicket> list = new Domain.DomainSearcher().Kerberoast();
foreach (Domain.SPNTicket itemobject in list)
{
itemobject.GetFormattedHash(Domain.SPNTicket.HashFormat.Hashcat);
}
}
catch (Exception e)
{
Console.WriteLine("GetDomainComputers error : " + e.Message + Environment.NewLine + e.StackTrace);
}
}
public static void GetDomainComputers(string[] computername)
{
try
{
List <Domain.DomainObject> list = new Domain.DomainSearcher().GetDomainComputers();
foreach (Domain.DomainObject itemobject in list)
{
itemobject.ToString();
}
}
catch (Exception e)
{
Console.WriteLine("GetDomainComputers error : " + e.Message + Environment.NewLine + e.StackTrace);
}
}
public override void Run(Dictionary <String, Parameter> RunParams)
{
Domain.DomainSearcher domainSearcher = new Domain.DomainSearcher();
List <string> usernames = null;
if (RunParams.TryGetValue("UserName", out Parameter username))
{
usernames = username.Value;
}
List <Domain.DomainObject> domainUsers = domainSearcher.GetDomainUsers(usernames);
foreach (Domain.DomainObject user in domainUsers)
{
string description;
string adminCount;
if (user.description != null)
{
description = user.description;
}
else
{
description = "[NO DESCRIPTION]";
}
if (user.admincount != null)
{
adminCount = user.admincount;
}
else
{
adminCount = "[NOT SET]";
}
Printing.TableHeader("Property", "Value");
Printing.TableItem("SamAccountName", user.samaccountname);
Printing.TableItem("Description", description);
Printing.TableItem("DistinguishedName", user.distinguishedname);
Printing.TableItem("AdminCount", adminCount);
Printing.TableItem("MemberOf", user.memberof);
Printing.TableItem("Password Last Set", user.pwdlastset.ToString());
Printing.TableItem("Last Logon", user.lastlogon.ToString());
Printing.TableItem("Bad Password Count", user.badpwdcount);
Printing.TableItem("Last Bad Password", user.badpasswordtime.ToString());
}
}
static void GetDomainAdministrators()
{
//checks the domain for users with domain administrator rights or higher
//checks wether those users have sessions on any host of the domain
Console.WriteLine("[*] Enumerating Administrators");
Domain.DomainSearcher searcher = new Domain.DomainSearcher();
IList <Domain.DomainObject> users = searcher.GetDomainUsers(null);
sw.WriteLine("Domain Administrators:");
//List of logged in Users of a System
foreach (Domain.DomainObject user in users)
{
if ((user.admincount == "1" && !(user.name.Contains("$")) && !(user.name.Contains("krbtgt"))))
{
Console.WriteLine("[+] Found Domain Administrator: " + user.name.ToString());
sw.WriteLine("\\item " + user.name.ToString());
SharpSploit.Enumeration.Domain.DomainSearcher usersearcher = new SharpSploit.Enumeration.Domain.DomainSearcher();
List <SharpSploit.Enumeration.Domain.DomainObject> c = usersearcher.GetDomainComputers();
foreach (SharpSploit.Enumeration.Domain.DomainObject val in c)
{
List <Net.LoggedOnUser> AdministratorSessions = Net.GetNetLoggedOnUsers(new List <string> {
val.name
});
foreach (var b in AdministratorSessions)
{
if ((!(b.UserName.Contains("$")) && b.UserName == user.name))
{
Console.WriteLine("[+] Found session on " + b.ComputerName + " for: " + b.UserName);
sw.WriteLine("[+] Found session on " + b.ComputerName + " for: " + b.UserName);
}
}
}
}
}
}
public override void Run(Dictionary <String, Parameter> RunParams)
{
Domain.DomainSearcher domainSearcher = new Domain.DomainSearcher();
List <string> Usernames = null;
string LDAPFilter = null;
if (RunParams.TryGetValue("UserName", out Parameter username))
{
Usernames = username.Value;
}
if (RunParams.TryGetValue("LDAPFilter", out Parameter ldapfilter))
{
LDAPFilter = ldapfilter.Value[0];
}
List <Domain.SPNTicket> sPNTickets = domainSearcher.Kerberoast(Usernames, LDAPFilter);
foreach (Domain.SPNTicket spnTicket in sPNTickets)
{
Printing.CmdOutput(spnTicket.ToString());
}
}
public static void GetDomainUsers(string[] Identity)
{
try
{
if (string.IsNullOrEmpty(Identity[0]))
{
List <Domain.DomainObject> list = new Domain.DomainSearcher().GetDomainUsers();
foreach (Domain.DomainObject itemobject in list)
{
itemobject.ToString();
}
}
else
{
new Domain.DomainSearcher().GetDomainUsers(new List <string>(new string[] { Identity[0] })).ToString();
}
}
catch (Exception e)
{
Console.WriteLine("GetDomainUsers error : " + e.Message + Environment.NewLine + e.StackTrace);
}
}
