public DPAPIBackupKey(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
// Parameter validation
Validator.AssertNotNull(dsObject, "dsObject");
Validator.AssertNotNull(pek, "pek");
// TODO: Test Object type
// Decrypt the secret value
byte[] encryptedSecret;
dsObject.ReadAttribute(CommonDirectoryAttributes.CurrentValue, out encryptedSecret);
this.RawKeyData = pek.DecryptSecret(encryptedSecret);
// Parse DN to get key ID or pointer type:
this.DistinguishedName = dsObject.DistinguishedName;
var keyName = GetSecretNameFromDN(this.DistinguishedName);
switch(keyName)
{
case null:
// We could not parse the DN, so exit with Unknown as the key type
this.Type = DPAPIBackupKeyType.Unknown;
break;
case PreferredRSAKeyPointerName:
this.Type = DPAPIBackupKeyType.PreferredRSAKeyPointer;
// Interpret the raw data as Guid
this.KeyId = new Guid(this.RawKeyData);
break;
case PreferredLegacyKeyPointerName:
this.Type = DPAPIBackupKeyType.PreferredLegacyKeyPointer;
// Interpret the raw data as Guid
this.KeyId = new Guid(this.RawKeyData);
break;
default:
// Actual Key, so we parse its Guid and version
this.KeyId = Guid.Parse(keyName);
int version = BitConverter.ToInt32(this.RawKeyData, KeyVersionOffset);
switch(version)
{
case 1:
this.Type = DPAPIBackupKeyType.LegacyKey;
// Cut the version out of the data
this.RawKeyData = this.RawKeyData.Cut(KeyVersionSize);
break;
case 2:
this.Type = DPAPIBackupKeyType.RSAKey;
// Combine the certificate and key into PFX and replace the original decrypted data
this.RawKeyData = ConvertRSASecretToPFX(this.RawKeyData);
break;
}
break;
}
}
public DSAccount(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
// Parameter validation
Validator.AssertNotNull(dsObject, "dsObject");
if (!dsObject.IsAccount)
{
// TODO: Exteption type
throw new Exception("Not an account.");
}
// Guid:
this.Guid = dsObject.Guid;
// DN:
this.DistinguishedName = dsObject.DistinguishedName;
// Sid:
this.Sid = dsObject.Sid;
// SidHistory:
dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out this.sidHistory);
// DisplayName:
dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out this.displayName);
// Description
dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out this.description);
// GivenName:
dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out this.givenName);
// Surname:
dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out this.surname);
// Security Descriptor:
dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out this.securityDescriptor);
// AdminCount (Although the schema defines it as Int32, it can only have values 0 and 1, so we directly convert it to bool)
dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out this.adminCount);
// UAC:
int?numericUac;
dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out numericUac);
this.UserAccountControl = (UserAccountControl)numericUac.Value;
// Deleted:
dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out this.isDeleted);
// LastLogon:
dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out this.lastLogon);
// UPN:
dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out this.upn);
// SamAccountName:
dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out this.samAccountName);
// SamAccountType:
// TODO: Move to DirectoryObject?
int?numericAccountType;
dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out numericAccountType);
this.SamAccountType = (SamAccountType)numericAccountType.Value;
// PrimaryGroupId
int?groupId;
dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out groupId);
this.PrimaryGroupId = groupId.Value;
if (pek == null)
{
// Do not continue if we do not have a decryption key
return;
}
// NTHash:
byte[] encryptedNtHash;
dsObject.ReadAttribute(CommonDirectoryAttributes.NTHash, out encryptedNtHash);
if (encryptedNtHash != null)
{
this.NTHash = pek.DecryptHash(encryptedNtHash, this.Sid.GetRid());
}
// LMHash
byte[] encryptedLmHash;
dsObject.ReadAttribute(CommonDirectoryAttributes.LMHash, out encryptedLmHash);
if (encryptedLmHash != null)
{
this.LMHash = pek.DecryptHash(encryptedLmHash, this.Sid.GetRid());
}
// NTHashHistory:
byte[] encryptedNtHashHistory;
dsObject.ReadAttribute(CommonDirectoryAttributes.NTHashHistory, out encryptedNtHashHistory);
if (encryptedNtHashHistory != null)
{
this.NTHashHistory = pek.DecryptHashHistory(encryptedNtHashHistory, this.Sid.GetRid());
}
// LMHashHistory:
byte[] encryptedLmHashHistory;
dsObject.ReadAttribute(CommonDirectoryAttributes.LMHashHistory, out encryptedLmHashHistory);
if (encryptedLmHashHistory != null)
{
this.LMHashHistory = pek.DecryptHashHistory(encryptedLmHashHistory, this.Sid.GetRid());
}
// SupplementalCredentials:
byte[] encryptedSupplementalCredentials;
dsObject.ReadAttribute(CommonDirectoryAttributes.SupplementalCredentials, out encryptedSupplementalCredentials);
if (encryptedSupplementalCredentials != null)
{
byte[] binarySupplementalCredentials = pek.DecryptSecret(encryptedSupplementalCredentials);
this.SupplementalCredentials = new SupplementalCredentials(binarySupplementalCredentials);
}
}
protected void LoadAccountInfo(DirectoryObject dsObject)
{
// Guid:
this.Guid = dsObject.Guid;
// DN:
this.DistinguishedName = dsObject.DistinguishedName;
// Sid:
this.Sid = dsObject.Sid;
// SidHistory:
dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out this.sidHistory);
// DisplayName:
dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out this.displayName);
// Description
dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out this.description);
// GivenName:
dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out this.givenName);
// Surname:
dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out this.surname);
// Security Descriptor:
dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out this.securityDescriptor);
// AdminCount (Although the schema defines it as Int32, it can only have values 0 and 1, so we directly convert it to bool)
dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out this.adminCount);
// Service Principal Name(s)
dsObject.ReadAttribute(CommonDirectoryAttributes.ServicePrincipalName, out this.spn);
// UAC:
int?numericUac;
dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out numericUac);
this.UserAccountControl = (UserAccountControl)numericUac.Value;
// Deleted:
dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out this.isDeleted);
// LastLogon:
dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out this.lastLogon);
// UPN:
dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out this.upn);
// SamAccountName:
dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out this.samAccountName);
// SamAccountType:
int?numericAccountType;
dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out numericAccountType);
this.SamAccountType = (SamAccountType)numericAccountType.Value;
// PrimaryGroupId
int?groupId;
dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out groupId);
this.PrimaryGroupId = groupId.Value;
}
protected void LoadAccountInfo(DirectoryObject dsObject, string netBIOSDomainName)
{
// Guid:
this.Guid = dsObject.Guid;
// DN:
this.DistinguishedName = dsObject.DistinguishedName;
// Sid:
this.Sid = dsObject.Sid;
// SidHistory:
dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out SecurityIdentifier[] sidHistory);
this.SidHistory = sidHistory;
// DisplayName:
dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out string displayName);
this.DisplayName = displayName;
// Description
dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out string description);
this.Description = description;
// GivenName:
dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out string givenName);
this.GivenName = givenName;
// Surname:
dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out string surname);
this.Surname = surname;
// Security Descriptor:
dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out RawSecurityDescriptor securityDescriptor);
this.SecurityDescriptor = securityDescriptor;
// AdminCount (Although the schema defines it as Int32, it can only have values 0 and 1, so we directly convert it to bool)
dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out bool adminCount);
this.AdminCount = adminCount;
// Service Principal Name(s)
dsObject.ReadAttribute(CommonDirectoryAttributes.ServicePrincipalName, out string[] spn);
this.ServicePrincipalName = spn;
// UAC:
dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int?numericUac);
this.UserAccountControl = (UserAccountControl)numericUac.Value;
// Deleted:
dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out bool isDeleted);
this.Deleted = isDeleted;
// LastLogon:
dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out DateTime? lastLogon);
this.LastLogon = lastLogon;
dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogonTimestamp, out DateTime? lastLogonTimestamp);
this.LastLogonTimestamp = lastLogonTimestamp;
// UPN:
dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out string upn);
this.UserPrincipalName = upn;
// SamAccountName + LogonName:
dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out string samAccountName);
this.SamAccountName = samAccountName;
this.LogonName = new NTAccount(netBIOSDomainName, samAccountName).Value;
// SamAccountType:
dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int?numericAccountType);
this.SamAccountType = (SamAccountType)numericAccountType.Value;
// PrimaryGroupId
dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int?groupId);
this.PrimaryGroupId = groupId.Value;
// SuportedEncryptionTypes
dsObject.ReadAttribute(CommonDirectoryAttributes.SupportedEncryptionTypes, out int?numericSupportedEncryptionTypes);
// Note: The value is store as int in the DB, but the documentation says that it is an unsigned int
this.SupportedEncryptionTypes = (SupportedEncryptionTypes?)numericSupportedEncryptionTypes;
}
protected void LoadAccountInfo(DirectoryObject dsObject, string netBIOSDomainName)
{
// Guid:
this.Guid = dsObject.Guid;
// DN:
this.DistinguishedName = dsObject.DistinguishedName;
// Sid:
this.Sid = dsObject.Sid;
// SidHistory:
dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out SecurityIdentifier[] sidHistory);
this.SidHistory = sidHistory;
// DisplayName:
dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out string displayName);
this.DisplayName = displayName;
// Description
dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out string description);
this.Description = description;
// GivenName:
dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out string givenName);
this.GivenName = givenName;
// Surname:
dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out string surname);
this.Surname = surname;
// Security Descriptor:
dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out RawSecurityDescriptor securityDescriptor);
this.SecurityDescriptor = securityDescriptor;
// AdminCount (Although the schema defines it as Int32, it can only have values 0 and 1, so we directly convert it to bool)
dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out bool adminCount);
this.AdminCount = adminCount;
// Service Principal Name(s)
dsObject.ReadAttribute(CommonDirectoryAttributes.ServicePrincipalName, out string[] spn);
this.ServicePrincipalName = spn;
// UAC:
dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int?numericUac);
this.UserAccountControl = (UserAccountControl)numericUac.Value;
// Deleted:
dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out bool isDeleted);
this.Deleted = isDeleted;
// LastLogon:
dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out DateTime? lastLogon);
this.LastLogon = lastLogon;
// lastLogon is not replicated, lastLogonTimestamp is but it's not as accurate, so if we can't find lastLogon, try using lastLogonTimestamp instead
if (null == lastLogon)
{
dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogonTimestamp, out DateTime? lastLogonTimestamp);
this.LastLogon = lastLogonTimestamp;
}
// UPN:
dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out string upn);
this.UserPrincipalName = upn;
// SamAccountName + LogonName:
dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out string samAccountName);
this.SamAccountName = samAccountName;
this.LogonName = new NTAccount(netBIOSDomainName, samAccountName).Value;
// SamAccountType:
dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int?numericAccountType);
this.SamAccountType = (SamAccountType)numericAccountType.Value;
// PrimaryGroupId
dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int?groupId);
this.PrimaryGroupId = groupId.Value;
}
public DSAccount(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
// Parameter validation
Validator.AssertNotNull(dsObject, "dsObject");
if(!dsObject.IsAccount)
{
// TODO: Exteption type
throw new Exception("Not an account.");
}
// Guid:
this.Guid = dsObject.Guid;
// DN:
this.DistinguishedName = dsObject.DistinguishedName;
// Sid:
this.Sid = dsObject.Sid;
// SidHistory:
dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out this.sidHistory);
// DisplayName:
dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out this.displayName);
// Description
dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out this.description);
// GivenName:
dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out this.givenName);
// Surname:
dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out this.surname);
// Enabled:
// TODO: Move to DirectoryObject?
int? numericUac;
dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out numericUac);
UserAccountControl uac = (UserAccountControl)numericUac.Value;
this.Enabled = !uac.HasFlag(UserAccountControl.Disabled);
// Deleted:
dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out this.isDeleted);
// LastLogon:
dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out this.lastLogon);
// UPN:
dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out this.upn);
// SamAccountName:
dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out this.samAccountName);
// SamAccountType:
// TODO: Move to DirectoryObject?
int? numericAccountType;
dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out numericAccountType);
this.SamAccountType = (SamAccountType)numericAccountType.Value;
// PrimaryGroupId
int? groupId;
dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out groupId);
this.PrimaryGroupId = groupId.Value;
if(pek == null)
{
// Do not continue if we do not have a decryption key
return;
}
// NTHash:
byte[] encryptedNtHash;
dsObject.ReadAttribute(CommonDirectoryAttributes.NTHash, out encryptedNtHash);
if(encryptedNtHash != null)
{
this.NTHash = pek.DecryptHash(encryptedNtHash, this.Sid.GetRid());
}
// LMHash
byte[] encryptedLmHash;
dsObject.ReadAttribute(CommonDirectoryAttributes.LMHash, out encryptedLmHash);
if (encryptedLmHash != null)
{
this.LMHash = pek.DecryptHash(encryptedLmHash, this.Sid.GetRid());
}
// NTHashHistory:
byte[] encryptedNtHashHistory;
dsObject.ReadAttribute(CommonDirectoryAttributes.NTHashHistory, out encryptedNtHashHistory);
if (encryptedNtHashHistory != null)
{
this.NTHashHistory = pek.DecryptHashHistory(encryptedNtHashHistory, this.Sid.GetRid());
}
// LMHashHistory:
byte[] encryptedLmHashHistory;
dsObject.ReadAttribute(CommonDirectoryAttributes.LMHashHistory, out encryptedLmHashHistory);
if (encryptedLmHashHistory != null)
{
this.LMHashHistory = pek.DecryptHashHistory(encryptedLmHashHistory, this.Sid.GetRid());
}
// SupplementalCredentials:
byte[] encryptedSupplementalCredentials;
dsObject.ReadAttribute(CommonDirectoryAttributes.SupplementalCredentials, out encryptedSupplementalCredentials);
if (encryptedSupplementalCredentials != null)
{
byte[] binarySupplementalCredentials = pek.DecryptSecret(encryptedSupplementalCredentials);
this.SupplementalCredentials = new SupplementalCredentials(binarySupplementalCredentials);
}
}