コード例 #1
0
ファイル: Extensions.cs プロジェクト: BloodHoundAD/SharpHound 
        /// <summary>
        /// Removes non-computer collection methods from specified ones for looping
        /// </summary>
        /// <returns></returns>
        internal static ResolvedCollectionMethod GetLoopCollectionMethods(this ResolvedCollectionMethod methods)
        {
            const ResolvedCollectionMethod computerCollectionMethods = ResolvedCollectionMethod.LocalGroups | ResolvedCollectionMethod.LoggedOn |
                                                                       ResolvedCollectionMethod.Session;

            return(methods & computerCollectionMethods);
        }
コード例 #2
0
        public static bool IsMethodSet(ResolvedCollectionMethod method)
        {
            if (method.Equals(ResolvedCollectionMethod.SessionLoop) ||
                method.Equals(ResolvedCollectionMethod.LoggedOnLoop))
            {
                return(_options.SessionLoopRunning);
            }

            if (_options.SessionLoopRunning)
            {
                return(false);
            }

            return((_options.ResolvedCollMethods & method) != 0);
        }
コード例 #3
0
 public ObjectProcessors(IContext context, ILogger log)
 {
     _context                  = context;
     _aclProcessor             = new ACLProcessor(context.LDAPUtils);
     _spnProcessor             = new SPNProcessors(context.LDAPUtils);
     _ldapPropertyProcessor    = new LDAPPropertyProcessor(context.LDAPUtils);
     _domainTrustProcessor     = new DomainTrustProcessor(context.LDAPUtils);
     _computerAvailability     = new ComputerAvailability(context.PortScanTimeout, skipPortScan: context.Flags.SkipPortScan, skipPasswordCheck: context.Flags.SkipPasswordAgeCheck);
     _computerSessionProcessor = new ComputerSessionProcessor(context.LDAPUtils);
     _groupProcessor           = new GroupProcessor(context.LDAPUtils);
     _containerProcessor       = new ContainerProcessor(context.LDAPUtils);
     _gpoLocalGroupProcessor   = new GPOLocalGroupProcessor(context.LDAPUtils);
     _methods                  = context.ResolvedCollectionMethods;
     _cancellationToken        = context.CancellationTokenSource.Token;
     _log = log;
 }
コード例 #4
0
ファイル: LdapFilter.cs プロジェクト: munsy/SharpHound 
        internal static LdapData BuildLdapData(ResolvedCollectionMethod methods, bool excludeDc, string ldapFilter)
        {
            var filterparts = new List <string>();
            var props       = new List <string> {
                "objectsid", "distiguishedname"
            };

            if ((methods & ResolvedCollectionMethod.Group) != 0)
            {
                filterparts.Add("(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(primarygroupid=*))");
                props.AddRange(new[]
                {
                    "samaccountname", "distinguishedname", "samaccounttype", "member", "cn", "primarygroupid", "dnshostname"
                });
            }

            if ((methods & ResolvedCollectionMethod.LocalAdmin) != 0 ||
                (methods & ResolvedCollectionMethod.Session) != 0 ||
                (methods & ResolvedCollectionMethod.LoggedOn) != 0 ||
                (methods & ResolvedCollectionMethod.RDP) != 0 ||
                (methods & ResolvedCollectionMethod.SessionLoop) != 0 ||
                (methods & ResolvedCollectionMethod.DCOM) != 0)
            {
                filterparts.Add("(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))");
                props.AddRange(new[]
                {
                    "samaccountname", "distinguishedname", "dnshostname", "samaccounttype"
                });
            }

            if ((methods & ResolvedCollectionMethod.Trusts) != 0)
            {
                filterparts.Add("(objectclass=domain)");
                props.AddRange(new[]
                {
                    "distinguishedname"
                });
            }

            if ((methods & ResolvedCollectionMethod.ACL) != 0)
            {
                filterparts.Add("(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913)(objectClass=domain)(objectCategory=groupPolicyContainer))");
                props.AddRange(new[]
                {
                    "samaccountname", "distinguishedname", "dnshostname", "samaccounttype", "ntsecuritydescriptor", "displayname", "objectclass", "objectsid", "name", "ms-mcs-admpwdexpirationtime"
                });
            }

            if ((methods & ResolvedCollectionMethod.ObjectProps) != 0)
            {
                filterparts.Add("(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913)(samaccounttype=805306368)(samaccounttype=805306369)(objectclass=domain)(objectclass=organizationalUnit)(objectcategory=groupPolicyContainer))");
                props.AddRange(new[]
                {
                    "samaccountname", "distinguishedname", "samaccounttype", "pwdlastset", "lastlogon", "objectsid",
                    "sidhistory", "useraccountcontrol", "dnshostname", "operatingsystem",
                    "operatingsystemservicepack", "serviceprincipalname", "displayname", "mail", "title",
                    "homedirectory", "description", "admincount", "userpassword", "gpcfilesyspath", "objectclass",
                    "msds-behavior-version", "objectguid", "name", "gpoptions", "msds-allowedToDelegateTo"
                });
            }

            if ((methods & ResolvedCollectionMethod.GPOLocalGroup) != 0)
            {
                filterparts.Add("(&(objectCategory=groupPolicyContainer)(name=*)(gpcfilesyspath=*))");
                props.AddRange(new[]
                {
                    "displayname", "name", "gpcfilesyspath", "objectclass"
                });
            }

            if ((methods & ResolvedCollectionMethod.Container) != 0)
            {
                filterparts.Add("(|(&(objectCategory=groupPolicyContainer)(name=*)(gpcfilesyspath=*))(objectcategory=organizationalUnit)(objectClass=domain))");
                props.AddRange(new[]
                {
                    "displayname", "name", "objectguid", "gplink", "gpoptions", "objectclass"
                });
            }

            var filter = string.Join("", filterparts.ToArray());

            filter = filterparts.Count == 1 ? filterparts[0] : $"(|{filter})";


            if (excludeDc)
            {
                filter = $"(&({filter})(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))";
            }

            if (ldapFilter != null)
            {
                filter = $"(&({filter})({ldapFilter}))";
            }

            return(new LdapData
            {
                Filter = filter,
                Properties = props.Distinct().ToArray()
            });
        }
コード例 #5
0
        internal bool ResolveCollectionMethods(ILogger logger, out ResolvedCollectionMethod resolved, out bool dconly)
        {
            var arr = CollectionMethods.Count() == 1
                ? CollectionMethods.First().Split(',')
                : CollectionMethods.ToArray();

            resolved = ResolvedCollectionMethod.None;
            dconly   = false;

            foreach (var baseMethod in arr)
            {
                CollectionMethodOptions option;
                try
                {
                    option = (CollectionMethodOptions)Enum.Parse(typeof(CollectionMethodOptions), baseMethod, true);
                }
                catch
                {
                    logger.LogCritical("Failed to parse collection method {baseMethod}", baseMethod);
                    return(false);
                }

                resolved |= option switch
                {
                    CollectionMethodOptions.Group => ResolvedCollectionMethod.Group,
                    CollectionMethodOptions.Session => ResolvedCollectionMethod.Session,
                    CollectionMethodOptions.LoggedOn => ResolvedCollectionMethod.LoggedOn,
                    CollectionMethodOptions.Trusts => ResolvedCollectionMethod.Trusts,
                    CollectionMethodOptions.ACL => ResolvedCollectionMethod.ACL,
                    CollectionMethodOptions.ObjectProps => ResolvedCollectionMethod.ObjectProps,
                    CollectionMethodOptions.RDP => ResolvedCollectionMethod.RDP,
                    CollectionMethodOptions.DCOM => ResolvedCollectionMethod.DCOM,
                    CollectionMethodOptions.LocalAdmin => ResolvedCollectionMethod.LocalAdmin,
                    CollectionMethodOptions.PSRemote => ResolvedCollectionMethod.PSRemote,
                    CollectionMethodOptions.SPNTargets => ResolvedCollectionMethod.SPNTargets,
                    CollectionMethodOptions.Container => ResolvedCollectionMethod.Container,
                    CollectionMethodOptions.GPOLocalGroup => ResolvedCollectionMethod.GPOLocalGroup,
                    CollectionMethodOptions.LocalGroup => ResolvedCollectionMethod.LocalGroups,
                    CollectionMethodOptions.Default => ResolvedCollectionMethod.Default,
                    CollectionMethodOptions.DCOnly => ResolvedCollectionMethod.DCOnly,
                    CollectionMethodOptions.ComputerOnly => ResolvedCollectionMethod.ComputerOnly,
                    CollectionMethodOptions.All => ResolvedCollectionMethod.All,
                    CollectionMethodOptions.None => ResolvedCollectionMethod.None,
                    _ => throw new ArgumentOutOfRangeException()
                };

                if (option == CollectionMethodOptions.DCOnly)
                {
                    dconly = true;
                }
            }

            if (Stealth)
            {
                var updates = new List <string>();
                if ((resolved & ResolvedCollectionMethod.LoggedOn) != 0)
                {
                    resolved ^= ResolvedCollectionMethod.LoggedOn;
                    updates.Add("[-] Removed LoggedOn");
                }

                var localGroupRemoved = false;
                if ((resolved & ResolvedCollectionMethod.RDP) != 0)
                {
                    localGroupRemoved = true;
                    resolved         ^= ResolvedCollectionMethod.RDP;
                    updates.Add("[-] Removed RDP Collection");
                }

                if ((resolved & ResolvedCollectionMethod.DCOM) != 0)
                {
                    localGroupRemoved = true;
                    resolved         ^= ResolvedCollectionMethod.DCOM;
                    updates.Add("[-] Removed DCOM Collection");
                }

                if ((resolved & ResolvedCollectionMethod.PSRemote) != 0)
                {
                    localGroupRemoved = true;
                    resolved         ^= ResolvedCollectionMethod.PSRemote;
                    updates.Add("[-] Removed PSRemote Collection");
                }

                if ((resolved & ResolvedCollectionMethod.LocalAdmin) != 0)
                {
                    localGroupRemoved = true;
                    resolved         ^= ResolvedCollectionMethod.LocalAdmin;
                    updates.Add("[-] Removed LocalAdmin Collection");
                }

                if (localGroupRemoved)
                {
                    resolved |= ResolvedCollectionMethod.GPOLocalGroup;
                    updates.Add("[+] Added GPOLocalGroup");
                }

                if (updates.Count > 0)
                {
                    var updateString = new StringBuilder();
                    updateString.AppendLine("Updated Collection Methods to Reflect Stealth Options");
                    foreach (var update in updates)
                    {
                        updateString.AppendLine(update);
                    }
                    logger.LogInformation("{Update}", updateString.ToString());
                }
            }

            logger.LogInformation("Resolved Collection Methods: {resolved}", resolved.GetIndividualFlags());
            return(true);
        }
    }