/// <summary>
/// Runs the whole export: reads the domain information over ADWS, analyses the
/// reference objects and the requested users, then flushes the pending relations
/// and trusted domains to <c>Storage</c>.
/// </summary>
/// <param name="UsersToInvestigate">Extra account names handed to <c>ExportReportData</c>.</param>
/// <returns>The <c>GraphObjectReference</c> created from the domain information.</returns>
public GraphObjectReference ExportData(List<string> UsersToInvestigate)
{
    GraphObjectReference reference = null;

    DisplayAdvancement("Getting domain information (" + Server + ")");

    // The ADWS connection is opened with Credential and is scoped to the collection
    // phase only: it is disposed before the relations are written to storage.
    using (var connection = new ADWebService(Server, Port, Credential))
    {
        ADDomainInfo info = GetDomainInformation(connection);
        Storage.Initialize(info);

        Trace.WriteLine("Creating new relation factory");
        IRelationFactory factory = new RelationFactory(Storage, info);
        factory.Initialize(connection);

        DisplayAdvancement("Exporting objects from Active Directory");
        reference = new GraphObjectReference(info);
        ExportReportData(connection, info, factory, Storage, reference, UsersToInvestigate);
    }

    // From here on only the local storage is touched.
    DisplayAdvancement("Inserting relations between nodes in the database");
    Trace.WriteLine("Inserting relations on hold");
    Storage.InsertRelationOnHold();

    Trace.WriteLine("Add trusted domains");
    AddTrustedDomains(Storage);

    Trace.WriteLine("Done");
    DisplayAdvancement("Export completed");
    DisplayAdvancement("Doing the analysis");

    return reference;
}
/// <summary>
/// Looks up every SID in <paramref name="sids"/> under the default naming context
/// and passes each returned object to the relation factory.
/// </summary>
/// <param name="adws">Open ADWS connection used for the enumeration.</param>
/// <param name="domainInfo">Supplies the default naming context used as search base.</param>
/// <param name="relationFactory">Receives each object returned by the directory.</param>
/// <param name="sids">SIDs, in string form, to resolve.</param>
private void ExportSIDData(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, List<string> sids)
{
    WorkOnReturnedObjectByADWS analyze = item => relationFactory.AnalyzeADObject(item);

    foreach (string sid in sids)
    {
        // NOTE(review): the SID is placed in the filter through EncodeSidToString only,
        // not EscapeLDAP. Presumably that helper produces a filter-safe encoding; confirm,
        // since the SIDs queued for investigation originate from directory data.
        string filter = "(objectSid=" + ADConnection.EncodeSidToString(sid) + ")";
        adws.Enumerate(domainInfo.DefaultNamingContext, filter, properties.ToArray(), analyze);
    }
}
/// <summary>
/// Looks up every distinguished name in <paramref name="cns"/> under the default
/// naming context and passes each returned object to the relation factory.
/// </summary>
/// <param name="adws">Open ADWS connection used for the enumeration.</param>
/// <param name="domainInfo">Supplies the default naming context used as search base.</param>
/// <param name="relationFactory">Receives each object returned by the directory.</param>
/// <param name="cns">Distinguished names to resolve.</param>
private void ExportCNData(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, List<string> cns)
{
    WorkOnReturnedObjectByADWS analyze = item => relationFactory.AnalyzeADObject(item);

    foreach (string distinguishedName in cns)
    {
        // The DN goes through ADConnection.EscapeLDAP before it is concatenated into the
        // filter, so the query relies on that helper to neutralise filter metacharacters.
        string filter = "(distinguishedName=" + ADConnection.EscapeLDAP(distinguishedName) + ")";
        adws.Enumerate(domainInfo.DefaultNamingContext, filter, properties.ToArray(), analyze);
    }
}
// Analyses the objects listed in objectReference and the caller-supplied users, then
// follows up on whatever the storage still reports as missing.
//
// Visible flow:
//   1. For every typology in objectReference.Objects, each object is looked up with
//      Search(adws, domainInfo, obj.Name); a hit is passed to
//      relationFactory.AnalyzeADObject, a miss is traced.
//   2. For each user, a hit is recorded under CompromiseGraphDataTypology.UserDefined,
//      keyed by the object's SID when ObjectSid is not null and by the supplied name
//      otherwise, and is then analysed; a miss is traced.
//   3. AnalyzeMissingObjets is called with the same connection, factory and storage.
//
// NOTE(review): the text between the first "Unable to find the user: " and
// "Working on " + user is corrupted in this listing (it reads "******"). The end of
// the first loop, any use of toDelete, and the header of the loop that declares
// `user` are not recoverable from here, so the line below does not compile as
// shown. Restore it from the original file before relying on it.
private void ExportReportData(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, IDataStorage storage, GraphObjectReference objectReference, List <string> UsersToInvestigate) { ADItem aditem = null; foreach (var typology in objectReference.Objects.Keys) { var toDelete = new List <GraphSingleObject>(); foreach (var obj in objectReference.Objects[typology]) { DisplayAdvancement("Working on " + obj.Description); aditem = Search(adws, domainInfo, obj.Name); if (aditem != null) { relationFactory.AnalyzeADObject(aditem); } else { Trace.WriteLine("Unable to find the user: "******"Working on " + user); aditem = Search(adws, domainInfo, user); if (aditem != null) { string userKey = user; if (aditem.ObjectSid != null) { userKey = aditem.ObjectSid.Value; } objectReference.Objects[Data.CompromiseGraphDataTypology.UserDefined].Add(new GraphSingleObject(userKey, user)); relationFactory.AnalyzeADObject(aditem); } else { Trace.WriteLine("Unable to find the user: " + user); } } AnalyzeMissingObjets(adws, domainInfo, relationFactory, storage); }
/// <summary>
/// Analyses the given files, impersonating the configured account first when an
/// explicit <c>Credential</c> was supplied.
/// </summary>
/// <param name="adws">ADWS connection forwarded to the worker method.</param>
/// <param name="domainInfo">Domain information; its DNS host name is used to build the identity.</param>
/// <param name="relationFactory">Factory that analyses each file.</param>
/// <param name="files">Paths of the files to analyse.</param>
private void ExportFilesData(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, List<string> files)
{
    // No explicit credential: run as the identity the process already has.
    if (Credential == null)
    {
        ExportFilesDataWithImpersonation(adws, domainInfo, relationFactory, files);
        return;
    }

    // Both the identity and the impersonation context sit in using blocks, so they are
    // disposed even when the export throws; Undo() covers the normal path explicitly.
    using (WindowsIdentity runAs = NativeMethods.GetWindowsIdentityForUser(Credential, domainInfo.DnsHostName))
    using (var impersonation = runAs.Impersonate())
    {
        ExportFilesDataWithImpersonation(adws, domainInfo, relationFactory, files);
        impersonation.Undo();
    }
}
/// <summary>
/// Runs the export against the already established connection: initialises the
/// storage and the relation factory, collects the reference objects and the
/// requested users, then flushes the relations kept on hold.
/// </summary>
/// <remarks>
/// <c>domainInfo</c> and <c>adws</c> are not parameters; they are members declared
/// outside this method.
/// </remarks>
/// <param name="UsersToInvestigate">Extra account names handed to <c>ExportReportData</c>.</param>
/// <returns>The <c>GraphObjectReference</c> created from <c>domainInfo</c>.</returns>
public GraphObjectReference ExportData(List<string> UsersToInvestigate)
{
    DisplayAdvancement("- Initialize");
    Storage.Initialize(domainInfo);

    Trace.WriteLine("- Creating new relation factory");
    RelationFactory = new RelationFactory(Storage, domainInfo);
    RelationFactory.Initialize(adws);

    DisplayAdvancement("- Searching for critical and infrastructure objects");
    GraphObjectReference reference = new GraphObjectReference(domainInfo);
    BuildDirectDelegationData();
    ExportReportData(reference, UsersToInvestigate);

    DisplayAdvancement("- Completing object collection");
    Trace.WriteLine("Inserting relations on hold");
    Storage.InsertRelationOnHold();
    Trace.WriteLine("Done");

    DisplayAdvancement("- Export completed");
    return reference;
}
/// <summary>
/// Keeps asking the storage for distinguished names, SIDs, primary group ids and
/// files that still have to be investigated, and exports each batch, until a
/// pass finds all four lists empty.
/// </summary>
/// <param name="adws">Open ADWS connection used by the export helpers.</param>
/// <param name="domainInfo">Domain information forwarded to the export helpers.</param>
/// <param name="relationFactory">Factory that analyses the exported items.</param>
/// <param name="Storage">Storage queried for the pending items.</param>
/// <returns>Total number of items that were queued across all passes.</returns>
int AnalyzeMissingObjets(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, IDataStorage Storage)
{
    int processed = 0;

    // NOTE(review): there is no pass or item cap here; the loop ends only when the
    // storage stops reporting work, so the crawl depth is decided by directory content.
    for (;;)
    {
        List<string> pendingCns = Storage.GetCNToInvestigate();
        if (pendingCns.Count > 0)
        {
            processed += pendingCns.Count;
            ExportCNData(adws, domainInfo, relationFactory, pendingCns);
        }

        List<string> pendingSids = Storage.GetSIDToInvestigate();
        if (pendingSids.Count > 0)
        {
            processed += pendingSids.Count;
            ExportSIDData(adws, domainInfo, relationFactory, pendingSids);
        }

        List<int> pendingGroupIds = Storage.GetPrimaryGroupIDToInvestigate();
        if (pendingGroupIds.Count > 0)
        {
            processed += pendingGroupIds.Count;
            ExportPrimaryGroupData(adws, domainInfo, relationFactory, pendingGroupIds);
        }

        List<string> pendingFiles = Storage.GetFilesToInvestigate();
        if (pendingFiles.Count > 0)
        {
            processed += pendingFiles.Count;
            ExportFilesData(adws, domainInfo, relationFactory, pendingFiles);
        }

        // A pass that found nothing in any category means the graph is complete.
        bool nothingLeft = pendingCns.Count == 0
            && pendingSids.Count == 0
            && pendingGroupIds.Count == 0
            && pendingFiles.Count == 0;
        if (nothingLeft)
        {
            return processed;
        }
    }
}
/// <summary>
/// Analyses the given files with a pool of 20 consumer threads fed through a
/// bounded queue of 200 entries.
/// </summary>
/// <param name="adws">ADWS connection (not used by the visible body).</param>
/// <param name="domainInfo">Domain information (not used by the visible body).</param>
/// <param name="relationFactory">Factory whose <c>AnalyzeFile</c> is called for each path.</param>
/// <param name="files">Paths of the files to analyse.</param>
private void ExportFilesDataWithImpersonation(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, List<string> files)
{
    // insert relation related to the files already seen.
    // add subdirectory / sub file if the permission is not inherited
    const int workerCount = 20;
    BlockingQueue<string> pending = new BlockingQueue<string>(200);
    Thread[] workers = new Thread[workerCount];

    try
    {
        // NOTE(review): the workers are created here, possibly inside an impersonation
        // scope set up by the caller; confirm they run under the intended identity.
        ThreadStart consume = () =>
        {
            string path = null;
            // Dequeue returning false is the signal to stop consuming.
            while (pending.Dequeue(out path))
            {
                // The original author states AnalyzeFile never throws; nothing here
                // would catch an exception raised on the worker thread.
                relationFactory.AnalyzeFile(path);
            }
            Trace.WriteLine("Consumer quitting");
        };

        // Consumers
        for (int index = 0; index < workerCount; index++)
        {
            Thread worker = new Thread(consume);
            workers[index] = worker;
            worker.Start();
        }

        // Producer: the work is done in parallel (the author notes it is about 6x slower otherwise).
        foreach (string file in files)
        {
            pending.Enqueue(file);
        }
        pending.Quit();

        Trace.WriteLine("insert file completed. Waiting for worker thread to complete");
        for (int index = 0; index < workerCount; index++)
        {
            workers[index].Join();
        }
        Trace.WriteLine("Done insert file");
    }
    finally
    {
        // Cleanup for every exit path: stop the queue again and abort any worker that
        // was started and is still reported as Running.
        pending.Quit();
        for (int index = 0; index < workerCount; index++)
        {
            Thread worker = workers[index];
            if (worker == null)
            {
                continue;
            }
            if (worker.ThreadState == System.Threading.ThreadState.Running)
            {
                worker.Abort();
            }
        }
    }
}
/// <summary>
/// Enumerates, for every id in <paramref name="primaryGroupIDs"/>, the objects whose
/// <c>primaryGroupID</c> equals that id and passes each one to the relation factory.
/// </summary>
/// <param name="adws">Open ADWS connection used for the enumeration.</param>
/// <param name="domainInfo">Supplies the default naming context used as search base.</param>
/// <param name="relationFactory">Receives each object returned by the directory.</param>
/// <param name="primaryGroupIDs">Primary group ids to look up.</param>
private void ExportPrimaryGroupData(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, List<int> primaryGroupIDs)
{
    WorkOnReturnedObjectByADWS analyze = item => relationFactory.AnalyzeADObject(item);

    foreach (int groupId in primaryGroupIDs)
    {
        // The id is an int, so concatenating it cannot introduce filter syntax.
        string filter = "(primaryGroupID=" + groupId + ")";
        adws.Enumerate(domainInfo.DefaultNamingContext, filter, properties.ToArray(), analyze);
    }
}