/// <summary> /// Removes non-computer collection methods from specified ones for looping /// </summary> /// <returns></returns> internal static ResolvedCollectionMethod GetLoopCollectionMethods(this ResolvedCollectionMethod methods) { const ResolvedCollectionMethod computerCollectionMethods = ResolvedCollectionMethod.LocalGroups | ResolvedCollectionMethod.LoggedOn | ResolvedCollectionMethod.Session; return(methods & computerCollectionMethods); }
public static bool IsMethodSet(ResolvedCollectionMethod method) { if (method.Equals(ResolvedCollectionMethod.SessionLoop) || method.Equals(ResolvedCollectionMethod.LoggedOnLoop)) { return(_options.SessionLoopRunning); } if (_options.SessionLoopRunning) { return(false); } return((_options.ResolvedCollMethods & method) != 0); }
public ObjectProcessors(IContext context, ILogger log) { _context = context; _aclProcessor = new ACLProcessor(context.LDAPUtils); _spnProcessor = new SPNProcessors(context.LDAPUtils); _ldapPropertyProcessor = new LDAPPropertyProcessor(context.LDAPUtils); _domainTrustProcessor = new DomainTrustProcessor(context.LDAPUtils); _computerAvailability = new ComputerAvailability(context.PortScanTimeout, skipPortScan: context.Flags.SkipPortScan, skipPasswordCheck: context.Flags.SkipPasswordAgeCheck); _computerSessionProcessor = new ComputerSessionProcessor(context.LDAPUtils); _groupProcessor = new GroupProcessor(context.LDAPUtils); _containerProcessor = new ContainerProcessor(context.LDAPUtils); _gpoLocalGroupProcessor = new GPOLocalGroupProcessor(context.LDAPUtils); _methods = context.ResolvedCollectionMethods; _cancellationToken = context.CancellationTokenSource.Token; _log = log; }
internal static LdapData BuildLdapData(ResolvedCollectionMethod methods, bool excludeDc, string ldapFilter) { var filterparts = new List <string>(); var props = new List <string> { "objectsid", "distiguishedname" }; if ((methods & ResolvedCollectionMethod.Group) != 0) { filterparts.Add("(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(primarygroupid=*))"); props.AddRange(new[] { "samaccountname", "distinguishedname", "samaccounttype", "member", "cn", "primarygroupid", "dnshostname" }); } if ((methods & ResolvedCollectionMethod.LocalAdmin) != 0 || (methods & ResolvedCollectionMethod.Session) != 0 || (methods & ResolvedCollectionMethod.LoggedOn) != 0 || (methods & ResolvedCollectionMethod.RDP) != 0 || (methods & ResolvedCollectionMethod.SessionLoop) != 0 || (methods & ResolvedCollectionMethod.DCOM) != 0) { filterparts.Add("(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"); props.AddRange(new[] { "samaccountname", "distinguishedname", "dnshostname", "samaccounttype" }); } if ((methods & ResolvedCollectionMethod.Trusts) != 0) { filterparts.Add("(objectclass=domain)"); props.AddRange(new[] { "distinguishedname" }); } if ((methods & ResolvedCollectionMethod.ACL) != 0) { filterparts.Add("(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913)(objectClass=domain)(objectCategory=groupPolicyContainer))"); props.AddRange(new[] { "samaccountname", "distinguishedname", "dnshostname", "samaccounttype", "ntsecuritydescriptor", "displayname", "objectclass", "objectsid", "name", "ms-mcs-admpwdexpirationtime" }); } if ((methods & ResolvedCollectionMethod.ObjectProps) != 0) { filterparts.Add("(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(samaccounttype=805306368)(samaccounttype=805306369)(objectclass=domain)(objectclass=organizationalUnit)(objectcategory=groupPolicyContainer))"); props.AddRange(new[] { "samaccountname", "distinguishedname", "samaccounttype", "pwdlastset", "lastlogon", "objectsid", "sidhistory", "useraccountcontrol", "dnshostname", "operatingsystem", "operatingsystemservicepack", "serviceprincipalname", "displayname", "mail", "title", "homedirectory", "description", "admincount", "userpassword", "gpcfilesyspath", "objectclass", "msds-behavior-version", "objectguid", "name", "gpoptions", "msds-allowedToDelegateTo" }); } if ((methods & ResolvedCollectionMethod.GPOLocalGroup) != 0) { filterparts.Add("(&(objectCategory=groupPolicyContainer)(name=*)(gpcfilesyspath=*))"); props.AddRange(new[] { "displayname", "name", "gpcfilesyspath", "objectclass" }); } if ((methods & ResolvedCollectionMethod.Container) != 0) { filterparts.Add("(|(&(objectCategory=groupPolicyContainer)(name=*)(gpcfilesyspath=*))(objectcategory=organizationalUnit)(objectClass=domain))"); props.AddRange(new[] { "displayname", "name", "objectguid", "gplink", "gpoptions", "objectclass" }); } var filter = string.Join("", filterparts.ToArray()); filter = filterparts.Count == 1 ? filterparts[0] : $"(|{filter})"; if (excludeDc) { filter = $"(&({filter})(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))"; } if (ldapFilter != null) { filter = $"(&({filter})({ldapFilter}))"; } return(new LdapData { Filter = filter, Properties = props.Distinct().ToArray() }); }
internal bool ResolveCollectionMethods(ILogger logger, out ResolvedCollectionMethod resolved, out bool dconly) { var arr = CollectionMethods.Count() == 1 ? CollectionMethods.First().Split(',') : CollectionMethods.ToArray(); resolved = ResolvedCollectionMethod.None; dconly = false; foreach (var baseMethod in arr) { CollectionMethodOptions option; try { option = (CollectionMethodOptions)Enum.Parse(typeof(CollectionMethodOptions), baseMethod, true); } catch { logger.LogCritical("Failed to parse collection method {baseMethod}", baseMethod); return(false); } resolved |= option switch { CollectionMethodOptions.Group => ResolvedCollectionMethod.Group, CollectionMethodOptions.Session => ResolvedCollectionMethod.Session, CollectionMethodOptions.LoggedOn => ResolvedCollectionMethod.LoggedOn, CollectionMethodOptions.Trusts => ResolvedCollectionMethod.Trusts, CollectionMethodOptions.ACL => ResolvedCollectionMethod.ACL, CollectionMethodOptions.ObjectProps => ResolvedCollectionMethod.ObjectProps, CollectionMethodOptions.RDP => ResolvedCollectionMethod.RDP, CollectionMethodOptions.DCOM => ResolvedCollectionMethod.DCOM, CollectionMethodOptions.LocalAdmin => ResolvedCollectionMethod.LocalAdmin, CollectionMethodOptions.PSRemote => ResolvedCollectionMethod.PSRemote, CollectionMethodOptions.SPNTargets => ResolvedCollectionMethod.SPNTargets, CollectionMethodOptions.Container => ResolvedCollectionMethod.Container, CollectionMethodOptions.GPOLocalGroup => ResolvedCollectionMethod.GPOLocalGroup, CollectionMethodOptions.LocalGroup => ResolvedCollectionMethod.LocalGroups, CollectionMethodOptions.Default => ResolvedCollectionMethod.Default, CollectionMethodOptions.DCOnly => ResolvedCollectionMethod.DCOnly, CollectionMethodOptions.ComputerOnly => ResolvedCollectionMethod.ComputerOnly, CollectionMethodOptions.All => ResolvedCollectionMethod.All, CollectionMethodOptions.None => ResolvedCollectionMethod.None, _ => throw new ArgumentOutOfRangeException() }; if (option == CollectionMethodOptions.DCOnly) { dconly = true; } } if (Stealth) { var updates = new List <string>(); if ((resolved & ResolvedCollectionMethod.LoggedOn) != 0) { resolved ^= ResolvedCollectionMethod.LoggedOn; updates.Add("[-] Removed LoggedOn"); } var localGroupRemoved = false; if ((resolved & ResolvedCollectionMethod.RDP) != 0) { localGroupRemoved = true; resolved ^= ResolvedCollectionMethod.RDP; updates.Add("[-] Removed RDP Collection"); } if ((resolved & ResolvedCollectionMethod.DCOM) != 0) { localGroupRemoved = true; resolved ^= ResolvedCollectionMethod.DCOM; updates.Add("[-] Removed DCOM Collection"); } if ((resolved & ResolvedCollectionMethod.PSRemote) != 0) { localGroupRemoved = true; resolved ^= ResolvedCollectionMethod.PSRemote; updates.Add("[-] Removed PSRemote Collection"); } if ((resolved & ResolvedCollectionMethod.LocalAdmin) != 0) { localGroupRemoved = true; resolved ^= ResolvedCollectionMethod.LocalAdmin; updates.Add("[-] Removed LocalAdmin Collection"); } if (localGroupRemoved) { resolved |= ResolvedCollectionMethod.GPOLocalGroup; updates.Add("[+] Added GPOLocalGroup"); } if (updates.Count > 0) { var updateString = new StringBuilder(); updateString.AppendLine("Updated Collection Methods to Reflect Stealth Options"); foreach (var update in updates) { updateString.AppendLine(update); } logger.LogInformation("{Update}", updateString.ToString()); } } logger.LogInformation("Resolved Collection Methods: {resolved}", resolved.GetIndividualFlags()); return(true); } }