コード例 #1
        /// <summary>
        /// Runs a full export: opens an ADWS connection, collects the objects to report on,
        /// then finalizes the stored relations once the connection has been closed.
        /// </summary>
        /// <param name="UsersToInvestigate">Extra account names forwarded to ExportReportData.</param>
        /// <returns>The GraphObjectReference built for the domain during the export.</returns>
        public GraphObjectReference ExportData(List <string> UsersToInvestigate)
        {
            GraphObjectReference result;

            DisplayAdvancement("Getting domain information (" + Server + ")");

            // The connection is created from Server, Port and Credential and is scoped to the
            // collection phase only; the using block disposes it before post-processing starts.
            using (ADWebService connection = new ADWebService(Server, Port, Credential))
            {
                ADDomainInfo info = GetDomainInformation(connection);
                Storage.Initialize(info);

                Trace.WriteLine("Creating new relation factory");
                IRelationFactory factory = new RelationFactory(Storage, info);
                factory.Initialize(connection);

                DisplayAdvancement("Exporting objects from Active Directory");
                result = new GraphObjectReference(info);
                ExportReportData(connection, info, factory, Storage, result, UsersToInvestigate);
            }

            // Post-processing works on Storage only and does not use the ADWS connection.
            DisplayAdvancement("Inserting relations between nodes in the database");
            Trace.WriteLine("Inserting relations on hold");
            Storage.InsertRelationOnHold();

            Trace.WriteLine("Add trusted domains");
            AddTrustedDomains(Storage);

            Trace.WriteLine("Done");
            DisplayAdvancement("Export completed");
            DisplayAdvancement("Doing the analysis");
            return result;
        }
コード例 #2
        /// <summary>
        /// Looks up each SID in the default naming context and hands every returned object
        /// to the relation factory for analysis.
        /// </summary>
        /// <param name="adws">Open ADWS connection used for the enumeration.</param>
        /// <param name="domainInfo">Supplies the naming context that is searched.</param>
        /// <param name="relationFactory">Receives each object returned by the search.</param>
        /// <param name="sids">SIDs to resolve, one query per entry.</param>
        private void ExportSIDData(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, List <string> sids)
        {
            // Every object returned by an enumeration is analyzed as it arrives.
            WorkOnReturnedObjectByADWS onObject = item => relationFactory.AnalyzeADObject(item);

            foreach (string sid in sids)
            {
                string searchBase = domainInfo.DefaultNamingContext;

                // The SID is not embedded in the filter as raw text; it is first passed through
                // ADConnection.EncodeSidToString. NOTE(review): that helper is not visible here;
                // confirm it fails closed on a value that is not a well-formed SID, since the
                // result is concatenated straight into the LDAP filter.
                string filter = "(objectSid=" + ADConnection.EncodeSidToString(sid) + ")";

                adws.Enumerate(searchBase, filter, properties.ToArray(), onObject);
            }
        }
コード例 #3
        /// <summary>
        /// Looks up each distinguished name in the default naming context and hands every
        /// returned object to the relation factory for analysis.
        /// </summary>
        /// <param name="adws">Open ADWS connection used for the enumeration.</param>
        /// <param name="domainInfo">Supplies the naming context that is searched.</param>
        /// <param name="relationFactory">Receives each object returned by the search.</param>
        /// <param name="cns">Distinguished names to resolve, one query per entry.</param>
        private void ExportCNData(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, List <string> cns)
        {
            // Every object returned by an enumeration is analyzed as it arrives.
            WorkOnReturnedObjectByADWS onObject = item => relationFactory.AnalyzeADObject(item);

            foreach (string cn in cns)
            {
                string searchBase = domainInfo.DefaultNamingContext;

                // The name is escaped with ADConnection.EscapeLDAP before it is concatenated into
                // the filter, which is what keeps directory-supplied names from altering the query.
                // NOTE(review): EscapeLDAP is not visible here; confirm it applies search-filter
                // escaping (backslash, '*', '(', ')' and NUL), not only DN escaping.
                string filter = "(distinguishedName=" + ADConnection.EscapeLDAP(cn) + ")";

                adws.Enumerate(searchBase, filter, properties.ToArray(), onObject);
            }
        }
コード例 #4
        // Resolves the objects listed in objectReference, then the explicitly requested users,
        // analyzes each one that is found, and finally follows up on whatever the storage still
        // reports as missing.
        // NOTE(review): this listing is damaged - part of the method body was replaced by
        // "******" on the line flagged below, so the code as shown is incomplete and unbalanced.
        private void ExportReportData(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, IDataStorage storage, GraphObjectReference objectReference, List <string> UsersToInvestigate)
        {
            ADItem aditem = null;

            foreach (var typology in objectReference.Objects.Keys)
            {
                // Created once per typology; how it is filled and consumed is not visible in
                // this listing (see the damaged line below).
                var toDelete = new List <GraphSingleObject>();
                foreach (var obj in objectReference.Objects[typology])
                {
                    DisplayAdvancement("Working on " + obj.Description);
                    // Search returns null when the object cannot be resolved; only resolved
                    // objects are analyzed.
                    aditem = Search(adws, domainInfo, obj.Name);
                    if (aditem != null)
                    {
                        relationFactory.AnalyzeADObject(aditem);
                    }
                    else
                    {
                        // NOTE(review): the text between the two string literals on the next line
                        // was lost ("******"). The rest of this else branch, the end of both
                        // loops and the header of the loop that declares `user` are missing;
                        // presumably that loop iterates UsersToInvestigate - confirm against the
                        // original file.
                        Trace.WriteLine("Unable to find the user: "******"Working on " + user);
                aditem = Search(adws, domainInfo, user);
                if (aditem != null)
                {
                    // The graph entry is keyed by the object's SID when one is present and
                    // falls back to the name that was supplied by the caller.
                    string userKey = user;
                    if (aditem.ObjectSid != null)
                    {
                        userKey = aditem.ObjectSid.Value;
                    }
                    objectReference.Objects[Data.CompromiseGraphDataTypology.UserDefined].Add(new GraphSingleObject(userKey, user));
                    relationFactory.AnalyzeADObject(aditem);
                }
                else
                {
                    // The caller-supplied name is written to the trace output as given.
                    Trace.WriteLine("Unable to find the user: " + user);
                }
            }

            // Follow-up pass over what the storage still lists as unresolved.
            AnalyzeMissingObjets(adws, domainInfo, relationFactory, storage);
        }
コード例 #5
 /// <summary>
 /// Analyzes the given files, impersonating the configured credential for the duration of
 /// the work when one is set.
 /// </summary>
 /// <param name="adws">ADWS connection forwarded to the worker method.</param>
 /// <param name="domainInfo">Domain information; its DnsHostName is used to build the identity.</param>
 /// <param name="relationFactory">Factory forwarded to the worker method.</param>
 /// <param name="files">Files to analyze.</param>
 private void ExportFilesData(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, List <string> files)
 {
     if (Credential == null)
     {
         // No credential configured: the work runs without any impersonation.
         ExportFilesDataWithImpersonation(adws, domainInfo, relationFactory, files);
         return;
     }

     // Keep the impersonated window as small as the file analysis itself.
     using (WindowsIdentity impersonated = NativeMethods.GetWindowsIdentityForUser(Credential, domainInfo.DnsHostName))
     {
         using (var scope = impersonated.Impersonate())
         {
             ExportFilesDataWithImpersonation(adws, domainInfo, relationFactory, files);

             // Reverts explicitly on the normal path. Disposing the context reverts as well,
             // so an exception thrown by the call above still ends the impersonation.
             scope.Undo();
         }
     }
 }
コード例 #6
        /// <summary>
        /// Runs the export using the domain information and connection already held by this
        /// instance: initializes storage and the relation factory, collects the report objects
        /// and flushes the relations that were put on hold.
        /// </summary>
        /// <param name="UsersToInvestigate">Extra account names forwarded to ExportReportData.</param>
        /// <returns>The GraphObjectReference built for the domain during the export.</returns>
        public GraphObjectReference ExportData(List <string> UsersToInvestigate)
        {
            DisplayAdvancement("- Initialize");
            Storage.Initialize(domainInfo);

            Trace.WriteLine("- Creating new relation factory");
            RelationFactory = new RelationFactory(Storage, domainInfo);
            RelationFactory.Initialize(adws);

            DisplayAdvancement("- Searching for critical and infrastructure objects");
            GraphObjectReference result = new GraphObjectReference(domainInfo);
            BuildDirectDelegationData();

            ExportReportData(result, UsersToInvestigate);

            // Relations deferred during collection are written once collection is over.
            DisplayAdvancement("- Completing object collection");
            Trace.WriteLine("Inserting relations on hold");
            Storage.InsertRelationOnHold();

            Trace.WriteLine("Done");
            DisplayAdvancement("- Export completed");
            return result;
        }
コード例 #7
        /// <summary>
        /// Repeatedly asks the storage for distinguished names, SIDs, primary group ids and
        /// files that still need to be investigated and exports them, until one full pass
        /// finds nothing left in any of the four categories.
        /// </summary>
        /// <param name="adws">ADWS connection used by the export helpers.</param>
        /// <param name="domainInfo">Domain information forwarded to the export helpers.</param>
        /// <param name="relationFactory">Factory forwarded to the export helpers.</param>
        /// <param name="Storage">Storage queried for the pending items.</param>
        /// <returns>The total number of items handed to the export helpers.</returns>
        int AnalyzeMissingObjets(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, IDataStorage Storage)
        {
            int total = 0;
            List <string> cns;
            List <string> sids;
            List <int>    primaryGroupId;
            List <string> files;

            // Each category is fetched immediately before it is exported, so the order of the
            // four steps is part of the behavior and must be kept.
            // NOTE(review): there is no iteration cap; the loop ends only when the storage
            // returns four empty lists in the same pass. Confirm the storage never hands back
            // an item it has already returned, otherwise directory data could keep this running.
            do
            {
                cns = Storage.GetCNToInvestigate();
                if (cns.Count > 0)
                {
                    total += cns.Count;
                    ExportCNData(adws, domainInfo, relationFactory, cns);
                }

                sids = Storage.GetSIDToInvestigate();
                if (sids.Count > 0)
                {
                    total += sids.Count;
                    ExportSIDData(adws, domainInfo, relationFactory, sids);
                }

                primaryGroupId = Storage.GetPrimaryGroupIDToInvestigate();
                if (primaryGroupId.Count > 0)
                {
                    total += primaryGroupId.Count;
                    ExportPrimaryGroupData(adws, domainInfo, relationFactory, primaryGroupId);
                }

                files = Storage.GetFilesToInvestigate();
                if (files.Count > 0)
                {
                    total += files.Count;
                    ExportFilesData(adws, domainInfo, relationFactory, files);
                }
            }
            while (cns.Count != 0 || sids.Count != 0 || primaryGroupId.Count != 0 || files.Count != 0);

            return total;
        }
コード例 #8
        /// <summary>
        /// Analyzes the given files in parallel: a fixed pool of worker threads drains a bounded
        /// queue that this method fills, and the method returns once every worker has finished.
        /// </summary>
        /// <param name="adws">Not used by the code in this method.</param>
        /// <param name="domainInfo">Not used by the code in this method.</param>
        /// <param name="relationFactory">Its AnalyzeFile method is called for every file.</param>
        /// <param name="files">Files to analyze.</param>
        private void ExportFilesDataWithImpersonation(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, List <string> files)
        {
            // Insert relations related to the files already seen.
            // Add sub directories / sub files if the permission is not inherited.
            const int workerCount = 20;
            BlockingQueue <string> pending = new BlockingQueue <string>(200);
            Thread[] workers = new Thread[workerCount];

            try
            {
                // Consumer body: keep taking file names until the queue reports it has been shut down.
                // NOTE(review): the original author states AnalyzeFile never throws. Nothing here
                // catches an exception, so one escaping it would be unhandled on a worker thread.
                ThreadStart consume = () =>
                {
                    string fileName;
                    while (pending.Dequeue(out fileName))
                    {
                        relationFactory.AnalyzeFile(fileName);
                    }
                    Trace.WriteLine("Consumer quitting");
                };

                // NOTE(review): the caller may be impersonating another identity when this runs.
                // Confirm the workers created here execute under that same identity and not the
                // process identity; nothing in this method sets it explicitly.
                for (int slot = 0; slot < workers.Length; slot++)
                {
                    workers[slot] = new Thread(consume);
                    workers[slot].Start();
                }

                // Producer: done in parallel because the sequential version was about six times slower.
                foreach (string file in files)
                {
                    pending.Enqueue(file);
                }
                pending.Quit();

                Trace.WriteLine("insert file completed. Waiting for worker thread to complete");
                foreach (Thread worker in workers)
                {
                    worker.Join();
                }
                Trace.WriteLine("Done insert file");
            }
            finally
            {
                // Shut the queue down again so that no worker stays blocked on it after a failure.
                pending.Quit();

                // Only a worker whose state is exactly Running is aborted; any other state is
                // left alone. NOTE(review): Thread.Abort can interrupt AnalyzeFile part-way
                // through and is not supported on .NET Core / .NET 5+.
                foreach (Thread worker in workers)
                {
                    if (worker != null && worker.ThreadState == System.Threading.ThreadState.Running)
                    {
                        worker.Abort();
                    }
                }
            }
        }
コード例 #9
        /// <summary>
        /// Searches the default naming context for objects with each given primary group id and
        /// hands every returned object to the relation factory for analysis.
        /// </summary>
        /// <param name="adws">Open ADWS connection used for the enumeration.</param>
        /// <param name="domainInfo">Supplies the naming context that is searched.</param>
        /// <param name="relationFactory">Receives each object returned by the search.</param>
        /// <param name="primaryGroupIDs">Primary group ids to search for, one query per entry.</param>
        private void ExportPrimaryGroupData(ADWebService adws, ADDomainInfo domainInfo, IRelationFactory relationFactory, List <int> primaryGroupIDs)
        {
            // Every object returned by an enumeration is analyzed as it arrives.
            WorkOnReturnedObjectByADWS onObject = item => relationFactory.AnalyzeADObject(item);

            foreach (int groupId in primaryGroupIDs)
            {
                string searchBase = domainInfo.DefaultNamingContext;

                // The value is an int, so it cannot carry LDAP filter metacharacters and needs
                // no escaping before being concatenated into the filter.
                string filter = "(primaryGroupID=" + groupId + ")";

                adws.Enumerate(searchBase, filter, properties.ToArray(), onObject);
            }
        }