public IResult Collect(SearchString searchstring) { _logger.Debug($"Collecting"); LDAPSearchString searchString = (LDAPSearchString)searchstring; List <ILDAPObject> ldapObjects = new List <ILDAPObject>(); var results = Searcher.GetResultEntries(searchString).ToList(); foreach (var result in results) { //If we need User if (searchString.ReturnAttributes.Contains("sAMAccountName")) { var user = User.GetUserObject(result); ldapObjects.Add(user); } else { ldapObjects.Add(new LDAPBaseObject { Attributes = ProcessAttributes(result.Attributes), DistinguishedName = result.DistinguishedName }); } } CollectResult = new LDAPResult { LDAPObjects = ldapObjects, Title = searchstring.Title }; _logger.Debug("LDAP Objects Collected"); return(CollectResult); }
public static void BuildExtendedRightsDict() { _logger.Debug("Building an Extended Rights List"); string extendedRightsDn = "CN=Extended-Rights," + Searcher.LdapInfo.ConfigDN; var rightsResult = Searcher.GetResultEntries(new LDAPSearchString { DN = extendedRightsDn, Filter = "(rightsGuid=*)", ReturnAttributes = new string[] { "rightsGuid", "cn" }, Scope = SearchScope.Subtree, //UseGlobalCatalog = true }).ToList(); foreach (var rights in rightsResult) { //Ignore duplicated rightsGuid DNS-Host-Name-Attributes & Validated-DNS-Host-Name: "72e39547-7b18-11d1-adef-00c04fd8d5cd" string rightsGuid = rights.Attributes["rightsGuid"][0].ToString().ToLower(); if (rightsGuid == "72e39547-7b18-11d1-adef-00c04fd8d5cd") { continue; } ExtendedRightsList.Add(rightsGuid, rights.Attributes["cn"][0].ToString()); } ExtendedRightsList.Add("72e39547-7b18-11d1-adef-00c04fd8d5cd", "DNS-Host-Name-Attributes & Validated-DNS-Host-Name"); ExtendedRightsList.Add("aa4e1a6d-550d-4e05-8c35-4afcb917a9fe", "ms-TPM-OwnerInformation"); ExtendedRightsList.Add("00000000-0000-0000-0000-000000000000", "All"); }
public static void GetWMIPolicies() { _logger.Debug("Collecting WMI Policies"); string wmiRootDn = "CN=SOM,CN=WMIPolicy,CN=System," + Searcher.LdapInfo.RootDN; string wmiForestDn = "CN=SOM,CN=WMIPolicy,CN=System," + Searcher.LdapInfo.ForestDN; string[] wmiDNs = (Searcher.LdapInfo.RootDN != Searcher.LdapInfo.ForestDN) ? new string[] { wmiRootDn, wmiForestDn } : new string[] { wmiRootDn }; string wmiFilter = @"(objectClass=msWMI-Som)"; string[] wmiAttrs = { "msWMI-Name", "msWMI-ID" }; foreach (var wmiDn in wmiDNs) { var resultEntries = Searcher.GetResultEntries(new LDAPSearchString { DN = wmiDn, Filter = wmiFilter, ReturnAttributes = wmiAttrs, Scope = SearchScope.Subtree }).ToList(); foreach (var entry in resultEntries) { WMIPolicies.Add(entry.Attributes["msWMI-ID"][0].ToString().ToUpper(), entry.Attributes["msWMI-Name"][0].ToString()); } } }
public static void GetAllGPOs() { GetWMIPolicies(); _logger.Debug("Collecting GPOs"); Regex filterRx = new Regex(@";(\{.+?\});", RegexOptions.Compiled); string gpoRootDN = "CN=Policies,CN=System," + Searcher.LdapInfo.RootDN;//"CN=System," + rootDn; string gpoForestDN = "CN=Policies,CN=System," + Searcher.LdapInfo.ForestDN; string[] gpoDNs = (Searcher.LdapInfo.RootDN != Searcher.LdapInfo.ForestDN) ? new string[] { gpoRootDN, gpoForestDN } : new string[] { gpoRootDN }; string gpoFilter = @"(objectCategory=groupPolicyContainer)"; string[] gpoAttrs = { "displayName", "cn", "gPCWQLFilter", "nTSecurityDescriptor" }; //string extrightsDn = "CN=Extended-Rights,CN=Configuration," + forestDn; try { foreach (string gpodn in gpoDNs) { _logger.Debug($"Enumerateing GPOs in {gpodn}"); var gpoEntries = Searcher.GetResultEntries(new LDAPSearchString { DN = gpodn, Filter = gpoFilter, ReturnAttributes = gpoAttrs, Scope = SearchScope.Subtree }).ToList(); foreach (var entry in gpoEntries) { string dn = entry.Attributes["cn"][0].ToString().ToUpper(); string displayname = entry.Attributes["displayName"][0].ToString().ToUpper(); //WMI Filtering if (entry.Attributes.Contains("gPCWQLFilter")) { string filterAttr = entry.Attributes["gPCWQLFilter"][0].ToString(); //Could be empty " " if (filterAttr.Length > 2) { Match filterM = filterRx.Match(filterAttr); string filter = filterM.Groups[1].ToString(); string wmiName = WMIPolicies[filter]; displayname += " [EvaluateWMIPolicy: " + wmiName + " - " + filter + "]"; } } if (!GroupPolicies.ContainsKey(dn)) { GroupPolicies.Add(dn, displayname); } } } } catch (Exception e) { _logger.Error(e.Message); } }
public static void BuildSchemaDict() { _logger.Debug("Building an Schema List"); var rightsResult = Searcher.GetResultEntries(new LDAPSearchString { DN = Searcher.LdapInfo.SchemaDN, Filter = "(schemaIDGUID=*)", ReturnAttributes = new string[] { "schemaIDGUID", "cn" }, Scope = SearchScope.OneLevel, //UseGlobalCatalog = true }).ToList(); foreach (var rights in rightsResult) { string schemaGUID = Helper.GetStringFromByte((byte[])rights.Attributes["schemaIDGUID"][0]).ToLower(); SchemaList.Add(schemaGUID, rights.Attributes["cn"][0].ToString()); } SchemaList.Add("00000000-0000-0000-0000-000000000000", "All properties"); // Active Directory includes predefined property sets: // https://docs.microsoft.com/en-us/windows/desktop/adschema/property-sets var predefinedProp = new Dictionary <string, string>(); predefinedProp.Add("72e39547-7b18-11d1-adef-00c04fd8d5cd", "DNS Host Name Attributes"); predefinedProp.Add("b8119fd0-04f6-4762-ab7a-4986c76b3f9a", "Other Domain Parameters"); predefinedProp.Add("c7407360-20bf-11d0-a768-00aa006e0529", "Domain Password and Lockout Policies"); predefinedProp.Add("e45795b2-9455-11d1-aebd-0000f80367c1", "Phone and Mail Options"); predefinedProp.Add("59ba2f42-79a2-11d0-9020-00c04fc2d3cf", "General Information"); predefinedProp.Add("bc0ac240-79a9-11d0-9020-00c04fc2d4cf", "Group Membership"); predefinedProp.Add("ffa6f046-ca4b-4feb-b40d-04dfee722543", "MS-TS-GatewayAccess"); predefinedProp.Add("77b5b886-944a-11d1-aebd-0000f80367c1", "Personal Information"); predefinedProp.Add("91e647de-d96f-4b70-9557-d63ff4f3ccd8", "Private Information"); predefinedProp.Add("e48d0154-bcf8-11d1-8702-00c04fb96050", "Public Information"); predefinedProp.Add("5805bc62-bdc9-4428-a5e2-856a0f4c185e", "Terminal Server License Server"); predefinedProp.Add("4c164200-20c0-11d0-a768-00aa006e0529", "Account Restrictions"); predefinedProp.Add("5f202010-79a5-11d0-9020-00c04fc2d4cf", "Logon Information"); predefinedProp.Add("e45795b3-9455-11d1-aebd-0000f80367c1", "Web Information"); predefinedProp.Add("9b026da6-0d3c-465c-8bee-5199d7165cba", "DS-Validated-Write-Computer"); predefinedProp.Add("037088f8-0ae1-11d2-b422-00a0c968f939", "RAS-Information"); foreach (var prop in predefinedProp) { if (!SchemaList.ContainsKey(prop.Key)) { SchemaList.Add(prop.Key, prop.Value); } } }
public static async Task <List <CertificateTemplate> > GetInterestingCertTemplatesAsync() { var certTemplateList = Searcher.GetResultEntries(new LDAPSearchString { DN = "CN=Certificate Templates,CN=Public Key Services,CN=Services," + Searcher.LdapInfo.ConfigDN, Filter = @"(objectCategory=pKICertificateTemplate)", Scope = SearchScope.Subtree }).ToList(); List <Task <CertificateTemplate> > tasks = new List <Task <CertificateTemplate> >(); foreach (var certTemplate in certTemplateList) { tasks.Add(Task.Run(() => CertificateTemplate.GetInterestingCertTemplates(certTemplate))); } var CTTasks = (await Task.WhenAll(tasks)).ToList(); return(CTTasks); }
public static async Task <List <ADCS> > GetADCSAsync() { string csFilter = @"(objectCategory=pKIEnrollmentService)"; string csDn = "CN=Enrollment Services,CN=Public Key Services,CN=Services," + Searcher.LdapInfo.ConfigDN; List <Task <ADCS> > tasks = new List <Task <ADCS> >(); var csEntries = Searcher.GetResultEntries(new LDAPSearchString { DN = csDn, Filter = csFilter, Scope = SearchScope.Subtree }).ToList(); foreach (SearchResultEntry csEntry in csEntries) { tasks.Add(Task.Run(() => ADCS.GetADCS(csEntry))); } var caList = (await Task.WhenAll(tasks)).ToList(); return(caList); }
//Retrieve IP from LDAP dnsRecord only public static Dictionary <string, Dictionary <string, string> > GetDNS(bool searchForest = false) { Dictionary <string, Dictionary <string, string> > dnsDict = new Dictionary <string, Dictionary <string, string> >(); string dDnsDn = "DC=DomainDnsZones," + Searcher.LdapInfo.RootDN;//not searching from "CN=MicrosoftDNS,DC=DomainDnsZones,"; string fDnsDn = "DC=ForestDnsZones," + Searcher.LdapInfo.ForestDN; string queryZones = @"(&(objectClass=dnsZone)(!(DC=*arpa))(!(DC=RootDNSServers)))"; string[] dnsZoneAttrs = { "name" }; var dnsZoneSearchResult = searchForest ? Searcher.GetResultEntries(new LDAPSearchString { DN = fDnsDn, Filter = queryZones, ReturnAttributes = dnsZoneAttrs, Scope = SearchScope.Subtree }).ToList() : Searcher.GetResultEntries(new LDAPSearchString { DN = dDnsDn, Filter = queryZones, ReturnAttributes = dnsZoneAttrs, Scope = SearchScope.Subtree }).ToList(); //excluding objects that have been removed string queryRecord = @"(&(objectClass=*)(!(DC=@))(!(DC=*DnsZones))(!(DC=*arpa))(!(DC=_*))(!dNSTombstoned=TRUE))"; string[] dnsAttrs = { "dnsRecord" }; byte[] dnsByte = null; string ip = null; string hostname = null; foreach (var dnsZone in dnsZoneSearchResult) { Dictionary <string, string> dnsRecordDict = new Dictionary <string, string>(); var dnsResponse = Searcher.GetResultEntries(new LDAPSearchString { DN = dnsZone.DistinguishedName, Filter = queryRecord, Scope = SearchScope.OneLevel, ReturnAttributes = dnsAttrs }).ToList(); foreach (var dnsResult in dnsResponse) { //If have permission to view the record if (dnsResult.Attributes.Contains("dnsRecord")) { dnsByte = ((byte[])dnsResult.Attributes["dnsRecord"][0]); ip = ResolveDNSRecord(dnsByte); if (ip == string.Empty || ip == null) { continue; } hostname = dnsResult.DistinguishedName; if (!dnsRecordDict.ContainsKey(hostname.ToUpper())) { dnsRecordDict.Add(hostname.ToUpper(), ip); } } } if (!dnsDict.ContainsKey(dnsZone.DistinguishedName.ToUpper())) { dnsDict.Add(dnsZone.DistinguishedName.ToUpper(), dnsRecordDict); } } return(dnsDict); }
//Get DACL for LAPS public static List <DACL> GetLAPSACL() { logger.Debug("Getting ACLs for LAPS"); var laspDACLList = new List <DACL>(); var lapsACEs = new Dictionary <string, List <string> >(); var lapsResults = Searcher.GetResultEntries(new LDAPSearchString { DN = Searcher.LdapInfo.TargetSearchBase, Filter = "(ms-Mcs-AdmPwdExpirationTime=*)", Scope = SearchScope.Subtree }).ToList(); if (lapsResults == null || lapsResults.Count == 0) { logger.Debug("No LAPS enabled machine can be found"); return(null); } Regex ous = new Regex(@",(CN=.*|OU=.*)", RegexOptions.Compiled); //Only target the first degree OU var lapsOUs = lapsResults.Select(entry => ous.Match(entry.DistinguishedName).Groups[1].Value).Distinct().ToList(); Regex rights = new Regex(@"(.*Read.*)", RegexOptions.Compiled); foreach (string targetDn in lapsOUs) { var rules = GetAuthorizationRules(targetDn, out string ownerSID); foreach (ActiveDirectoryAccessRule rule in rules) { string sid = rule.IdentityReference.ToString(); string adRights = rule.ActiveDirectoryRights.ToString(); string objectType = rule.ObjectType.ToString(); //{2537B2BE-3CE2-459E-A86A-B7949C1D361C}: ms-Mcs-AdmPwd if (rights.IsMatch(adRights) && objectType.ToUpper() == "2537B2BE-3CE2-459E-A86A-B7949C1D361C") { string IR = Helper.SIDNameSID(sid); string userRights = $"ms-Mcs-AdmPwd ({adRights})"; if (lapsACEs.ContainsKey(IR)) { lapsACEs[IR].Add(userRights); } else { lapsACEs.Add(IR, new List <string> { userRights }); } } } string owner = Helper.SIDNameSID(ownerSID); if (lapsACEs.ContainsKey(owner)) { lapsACEs[owner].Add("Owner"); } else { lapsACEs.Add(owner, new List <string> { "Owner" }); } laspDACLList.Add(new DACL { ObjectName = targetDn, ACEs = lapsACEs }); } return(laspDACLList); }
public static List <DACL> ACLScan(string user, List <string> groupSIDs) { if (user == null) { return(null); } var ACLList = new List <DACL>(); //1. Locate the user var targetEntry = Searcher.GetResultEntry(new LDAPSearchString { DN = Searcher.LdapInfo.TargetSearchBase, Filter = $"(sAMAccountName={user})", Scope = SearchScope.Subtree }); if (targetEntry == null) { return(null); } var targetSid = new SecurityIdentifier((byte[])targetEntry.Attributes["objectsid"][0], 0).ToString(); //2. Get user nested group sid groupSIDs.Add(targetSid); //Iterate all objects var partitions = new string[] { Searcher.LdapInfo.RootDN, Searcher.LdapInfo.ConfigDN, Searcher.LdapInfo.SchemaDN }; if (Searcher.LdapInfo.TargetSearchBase != Searcher.LdapInfo.RootDN) { var allObjects = Searcher.GetResultEntries(new LDAPSearchString { DN = Searcher.LdapInfo.TargetSearchBase, Filter = "(ObjectCategory=*)", Scope = SearchScope.Subtree }); foreach (var obj in allObjects) { var acl = GetMyInterestingACLOnObject(obj.DistinguishedName, groupSIDs); if (acl != null) { ACLList.Add(acl); } } } else { foreach (var partition in partitions) { var allObjects = Searcher.GetResultEntries(new LDAPSearchString { DN = partition, Filter = "(ObjectCategory=*)", Scope = SearchScope.Subtree }); foreach (var obj in allObjects) { var acl = GetMyInterestingACLOnObject(obj.DistinguishedName, groupSIDs); if (acl != null) { ACLList.Add(acl); } } } } return(ACLList); }