public async Task LDAPPropertyProcessor_ReadComputerProperties_TestBadPaths() { var mock = new MockSearchResultEntry("CN\u003dWIN10,OU\u003dTestOU,DC\u003dtestlab,DC\u003dlocal", new Dictionary <string, object> { { "description", "Test" }, { "useraccountcontrol", "abc" }, { "lastlogon", "132673011142753043" }, { "lastlogontimestamp", "132670318095676525" }, { "operatingsystem", "Windows 10 Enterprise" }, { "admincount", "c" }, { "sidhistory", new[] { Array.Empty <byte>() } }, { "msds-allowedToDelegateTo", new[] { "ldap/PRIMARY.testlab.local/testlab.local", "ldap/PRIMARY.testlab.local", "ldap/PRIMARY" } }, { "pwdlastset", "132131667346106691" }, { "serviceprincipalname", new[] { "WSMAN/WIN10", "WSMAN/WIN10.testlab.local", "RestrictedKrbHost/WIN10", "HOST/WIN10", "RestrictedKrbHost/WIN10.testlab.local", "HOST/WIN10.testlab.local" } } }, "S-1-5-21-3130019616-2776909439-2417379446-1101", Label.Computer); var processor = new LDAPPropertyProcessor(new MockLDAPUtils()); var test = await processor.ReadComputerProperties(mock); var props = test.Props; var keys = props.Keys; Assert.Contains("unconstraineddelegation", keys); Assert.Contains("enabled", keys); Assert.Contains("trustedtoauth", keys); Assert.False((bool)props["unconstraineddelegation"]); Assert.True((bool)props["enabled"]); Assert.False((bool)props["trustedtoauth"]); Assert.Contains("sidhistory", keys); Assert.Empty(props["sidhistory"] as string[]); }
private async Task <Computer> ProcessComputerObject(ISearchResultEntry entry, ResolvedSearchResult resolvedSearchResult, Channel <CSVComputerStatus> compStatusChannel) { var ret = new Computer { ObjectIdentifier = resolvedSearchResult.ObjectId }; ret.Properties.Add("domain", resolvedSearchResult.Domain); ret.Properties.Add("name", resolvedSearchResult.DisplayName); ret.Properties.Add("distinguishedname", entry.DistinguishedName.ToUpper()); ret.Properties.Add("domainsid", resolvedSearchResult.DomainSid); ret.Properties.Add("highvalue", false); ret.Properties.Add("samaccountname", entry.GetProperty(LDAPProperties.SAMAccountName)); var hasLaps = entry.HasLAPS(); ret.Properties.Add("haslaps", hasLaps); if ((_methods & ResolvedCollectionMethod.ACL) != 0) { ret.Aces = _aclProcessor.ProcessACL(resolvedSearchResult, entry).ToArray(); ret.IsACLProtected = _aclProcessor.IsACLProtected(entry); } if ((_methods & ResolvedCollectionMethod.Group) != 0) { var pg = entry.GetProperty(LDAPProperties.PrimaryGroupID); ret.PrimaryGroupSID = GroupProcessor.GetPrimaryGroupInfo(pg, resolvedSearchResult.ObjectId); } if ((_methods & ResolvedCollectionMethod.ObjectProps) != 0) { var computerProps = await _ldapPropertyProcessor.ReadComputerProperties(entry); ret.Properties = ContextUtils.Merge(ret.Properties, computerProps.Props); if (_context.Flags.CollectAllProperties) { ret.Properties = ContextUtils.Merge(_ldapPropertyProcessor.ParseAllProperties(entry), ret.Properties); } ret.AllowedToDelegate = computerProps.AllowedToDelegate; ret.AllowedToAct = computerProps.AllowedToAct; ret.HasSIDHistory = computerProps.SidHistory; } if (!_methods.IsComputerCollectionSet()) { return(ret); } var apiName = _context.RealDNSName != null ? entry.GetDNSName(_context.RealDNSName) : resolvedSearchResult.DisplayName; var availability = await _computerAvailability.IsComputerAvailable(resolvedSearchResult, entry); if (!availability.Connectable) { await compStatusChannel.Writer.WriteAsync(availability.GetCSVStatus(resolvedSearchResult.DisplayName), _cancellationToken); return(ret); } var samAccountName = entry.GetProperty(LDAPProperties.SAMAccountName)?.TrimEnd('$'); if ((_methods & ResolvedCollectionMethod.Session) != 0) { var sessionResult = await _computerSessionProcessor.ReadUserSessions(apiName, resolvedSearchResult.ObjectId, resolvedSearchResult.Domain); ret.Sessions = sessionResult; if (_context.Flags.DumpComputerStatus) { await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus { Status = sessionResult.Collected ? StatusSuccess : sessionResult.FailureReason, Task = "NetSessionEnum", ComputerName = resolvedSearchResult.DisplayName }, _cancellationToken); } } if ((_methods & ResolvedCollectionMethod.LoggedOn) != 0) { var privSessionResult = _computerSessionProcessor.ReadUserSessionsPrivileged(apiName, samAccountName, resolvedSearchResult.ObjectId); ret.PrivilegedSessions = privSessionResult; if (_context.Flags.DumpComputerStatus) { await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus { Status = privSessionResult.Collected ? StatusSuccess : privSessionResult.FailureReason, Task = "NetWkstaUserEnum", ComputerName = resolvedSearchResult.DisplayName }, _cancellationToken); } var registrySessionResult = _computerSessionProcessor.ReadUserSessionsRegistry(apiName, resolvedSearchResult.Domain, resolvedSearchResult.ObjectId); ret.RegistrySessions = registrySessionResult; if (_context.Flags.DumpComputerStatus) { await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus { Status = privSessionResult.Collected ? StatusSuccess : privSessionResult.FailureReason, Task = "RegistrySessions", ComputerName = resolvedSearchResult.DisplayName }, _cancellationToken); } } if (!_methods.IsLocalGroupCollectionSet()) { return(ret); } try { using var server = new SAMRPCServer(resolvedSearchResult.DisplayName, samAccountName, resolvedSearchResult.ObjectId, resolvedSearchResult.Domain); if ((_methods & ResolvedCollectionMethod.LocalAdmin) != 0) { ret.LocalAdmins = server.GetLocalGroupMembers((int)LocalGroupRids.Administrators); if (_context.Flags.DumpComputerStatus) { await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus { Status = ret.LocalAdmins.Collected ? StatusSuccess : ret.LocalAdmins.FailureReason, Task = "AdminLocalGroup", ComputerName = resolvedSearchResult.DisplayName }, _cancellationToken); } } if ((_methods & ResolvedCollectionMethod.DCOM) != 0) { ret.DcomUsers = server.GetLocalGroupMembers((int)LocalGroupRids.DcomUsers); if (_context.Flags.DumpComputerStatus) { await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus { Status = ret.DcomUsers.Collected ? StatusSuccess : ret.DcomUsers.FailureReason, Task = "DCOMLocalGroup", ComputerName = resolvedSearchResult.DisplayName }, _cancellationToken); } } if ((_methods & ResolvedCollectionMethod.PSRemote) != 0) { ret.PSRemoteUsers = server.GetLocalGroupMembers((int)LocalGroupRids.PSRemote); if (_context.Flags.DumpComputerStatus) { await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus { Status = ret.PSRemoteUsers.Collected ? StatusSuccess : ret.PSRemoteUsers.FailureReason, Task = "PSRemoteLocalGroup", ComputerName = resolvedSearchResult.DisplayName }, _cancellationToken); } } if ((_methods & ResolvedCollectionMethod.RDP) != 0) { ret.RemoteDesktopUsers = server.GetLocalGroupMembers((int)LocalGroupRids.RemoteDesktopUsers); if (_context.Flags.DumpComputerStatus) { await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus { Status = ret.RemoteDesktopUsers.Collected ? StatusSuccess : ret.RemoteDesktopUsers.FailureReason, Task = "RDPLocalGroup", ComputerName = resolvedSearchResult.DisplayName }); } } } catch (Exception e) { await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus { Status = e.ToString(), ComputerName = resolvedSearchResult.DisplayName, Task = "SAMRPCServerInit" }, _cancellationToken); ret.DcomUsers = new LocalGroupAPIResult { Collected = false, FailureReason = "SAMRPCServerInit Failed" }; ret.PSRemoteUsers = new LocalGroupAPIResult { Collected = false, FailureReason = "SAMRPCServerInit Failed" }; ret.LocalAdmins = new LocalGroupAPIResult { Collected = false, FailureReason = "SAMRPCServerInit Failed" }; ret.RemoteDesktopUsers = new LocalGroupAPIResult { Collected = false, FailureReason = "SAMRPCServerInit Failed" }; } return(ret); }
public async Task LDAPPropertyProcessor_ReadComputerProperties_HappyPath() { //TODO: Add coverage for allowedtoact var mock = new MockSearchResultEntry("CN\u003dWIN10,OU\u003dTestOU,DC\u003dtestlab,DC\u003dlocal", new Dictionary <string, object> { { "description", "Test" }, { "useraccountcontrol", 0x1001000.ToString() }, { "lastlogon", "132673011142753043" }, { "lastlogontimestamp", "132670318095676525" }, { "operatingsystem", "Windows 10 Enterprise" }, { "operatingsystemservicepack", "1607" }, { "admincount", "c" }, { "sidhistory", new[] { Helpers.B64ToBytes("AQUAAAAAAAUVAAAAIE+Qun9GhKV2SBaQUQQAAA==") } }, { "msds-allowedtodelegateto", new[] { "ldap/PRIMARY.testlab.local/testlab.local", "ldap/PRIMARY.testlab.local", "ldap/PRIMARY" } }, { "pwdlastset", "132131667346106691" }, { "serviceprincipalname", new[] { "WSMAN/WIN10", "WSMAN/WIN10.testlab.local", "RestrictedKrbHost/WIN10", "HOST/WIN10", "RestrictedKrbHost/WIN10.testlab.local", "HOST/WIN10.testlab.local" } } }, "S-1-5-21-3130019616-2776909439-2417379446-1101", Label.Computer); var processor = new LDAPPropertyProcessor(new MockLDAPUtils()); var test = await processor.ReadComputerProperties(mock); var props = test.Props; var keys = props.Keys; //UAC Assert.Contains("enabled", keys); Assert.Contains("unconstraineddelegation", keys); Assert.Contains("lastlogon", keys); Assert.Contains("lastlogontimestamp", keys); Assert.Contains("pwdlastset", keys); Assert.True((bool)props["enabled"]); Assert.False((bool)props["unconstraineddelegation"]); Assert.Contains("lastlogon", keys); Assert.Equal(1622827514, (long)props["lastlogon"]); Assert.Contains("lastlogontimestamp", keys); Assert.Equal(1622558209, (long)props["lastlogontimestamp"]); Assert.Contains("pwdlastset", keys); Assert.Equal(1568693134, (long)props["pwdlastset"]); //AllowedToDelegate Assert.Single(test.AllowedToDelegate); Assert.Contains(new TypedPrincipal { ObjectIdentifier = "S-1-5-21-3130019616-2776909439-2417379446-1001", ObjectType = Label.Computer }, test.AllowedToDelegate); //Other Stuff Assert.Contains("serviceprincipalnames", keys); Assert.Equal(6, (props["serviceprincipalnames"] as string[]).Length); Assert.Contains("operatingsystem", keys); Assert.Equal("Windows 10 Enterprise 1607", props["operatingsystem"] as string); Assert.Contains("description", keys); Assert.Equal("Test", props["description"] as string); //SidHistory Assert.Contains("sidhistory", keys); var sh = props["sidhistory"] as string[]; Assert.Single(sh); Assert.Contains("S-1-5-21-3130019616-2776909439-2417379446-1105", sh); Assert.Single(test.SidHistory); Assert.Contains(new TypedPrincipal { ObjectIdentifier = "S-1-5-21-3130019616-2776909439-2417379446-1105", ObjectType = Label.User }, test.SidHistory); }