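/// <summary>
/// Builds a DPAPI backup key object from its directory object: decrypts the stored secret
/// and classifies it as a preferred-key pointer or an actual (legacy or RSA) key.
/// </summary>
/// <param name="dsObject">Directory object whose currentValue attribute holds the encrypted secret.</param>
/// <param name="pek">Secret decryptor used to decrypt the stored value.</param>
/// <remarks>
/// Both parameters are rejected by <c>Validator.AssertNotNull</c> when null.
/// The object type of <paramref name="dsObject"/> is not verified yet (see TODO below).
/// </remarks>
public DPAPIBackupKey(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
    // Parameter validation
    Validator.AssertNotNull(dsObject, "dsObject");
    Validator.AssertNotNull(pek, "pek");
    // TODO: Test Object type

    // Decrypt the secret value stored in currentValue.
    dsObject.ReadAttribute(CommonDirectoryAttributes.CurrentValue, out byte[] encryptedSecret);
    this.RawKeyData = pek.DecryptSecret(encryptedSecret);

    // The DN tells us whether this object points to the preferred key or is an actual key named by its GUID.
    this.DistinguishedName = dsObject.DistinguishedName;
    string keyName = GetSecretNameFromDN(this.DistinguishedName);

    switch (keyName)
    {
        case null:
            // The DN could not be parsed, so the key type stays unknown.
            this.Type = DPAPIBackupKeyType.Unknown;
            break;
        case PreferredRSAKeyPointerName:
            // The decrypted data is the GUID of the preferred RSA key.
            this.Type = DPAPIBackupKeyType.PreferredRSAKeyPointer;
            this.KeyId = new Guid(this.RawKeyData);
            break;
        case PreferredLegacyKeyPointerName:
            // The decrypted data is the GUID of the preferred legacy key.
            this.Type = DPAPIBackupKeyType.PreferredLegacyKeyPointer;
            this.KeyId = new Guid(this.RawKeyData);
            break;
        default:
            // Actual key: the DN carries its GUID and the decrypted data starts with a version number.
            this.KeyId = Guid.Parse(keyName);
            int version = BitConverter.ToInt32(this.RawKeyData, KeyVersionOffset);
            switch (version)
            {
                case 1:
                    this.Type = DPAPIBackupKeyType.LegacyKey;
                    // Strip the version prefix; the remainder is the legacy key material.
                    this.RawKeyData = this.RawKeyData.Cut(KeyVersionSize);
                    break;
                case 2:
                    this.Type = DPAPIBackupKeyType.RSAKey;
                    // Combine the certificate and private key into a PFX, replacing the decrypted blob.
                    this.RawKeyData = ConvertRSASecretToPFX(this.RawKeyData);
                    break;
                default:
                    // Unrecognized version: leave the raw data untouched and mark the type explicitly
                    // rather than relying on the enum's default value.
                    this.Type = DPAPIBackupKeyType.Unknown;
                    break;
            }
            break;
    }
}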
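/// <summary>
/// Loads an account (user or computer) from its directory object and, when a decryptor is
/// supplied, decrypts its stored credential hashes and supplemental credentials.
/// </summary>
/// <param name="dsObject">Directory object representing the account.</param>
/// <param name="pek">Secret decryptor; pass null to load only the non-secret attributes.</param>
/// <exception cref="ArgumentException">Thrown when <paramref name="dsObject"/> is not an account.</exception>
/// <remarks>
/// <paramref name="dsObject"/> is rejected by <c>Validator.AssertNotNull</c> when null.
/// Accessing <c>.Value</c> on the nullable numeric attributes below throws
/// <see cref="InvalidOperationException"/> if the attribute is absent; they are assumed
/// to be mandatory for account objects.
/// </remarks>
public DSAccount(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
    // Parameter validation
    Validator.AssertNotNull(dsObject, "dsObject");
    if (!dsObject.IsAccount)
    {
        // A specific argument exception instead of the bare Exception the TODO flagged.
        throw new ArgumentException("Not an account.", "dsObject");
    }

    // Identity attributes that live directly on the directory object.
    this.Guid = dsObject.Guid;
    this.DistinguishedName = dsObject.DistinguishedName;
    this.Sid = dsObject.Sid;

    // SidHistory:
    dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out this.sidHistory);
    // DisplayName:
    dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out this.displayName);
    // Description:
    dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out this.description);
    // GivenName:
    dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out this.givenName);
    // Surname:
    dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out this.surname);
    // Security Descriptor:
    dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out this.securityDescriptor);
    // AdminCount (although the schema defines it as Int32, it only takes the values 0 and 1, so it is read directly as bool)
    dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out this.adminCount);

    // UAC:
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int? numericUac);
    this.UserAccountControl = (UserAccountControl)numericUac.Value;

    // Deleted:
    dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out this.isDeleted);
    // LastLogon:
    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out this.lastLogon);
    // UPN:
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out this.upn);
    // SamAccountName:
    dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out this.samAccountName);

    // SamAccountType:
    // TODO: Move to DirectoryObject?
    dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int? numericAccountType);
    this.SamAccountType = (SamAccountType)numericAccountType.Value;

    // PrimaryGroupId:
    dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int? groupId);
    this.PrimaryGroupId = groupId.Value;

    if (pek == null)
    {
        // Without a decryption key only the non-secret attributes are populated.
        return;
    }

    // The hash attributes are stored encrypted with the PEK and keyed by the account RID;
    // each one is decrypted only when the attribute is present.

    // NTHash:
    dsObject.ReadAttribute(CommonDirectoryAttributes.NTHash, out byte[] encryptedNtHash);
    if (encryptedNtHash != null)
    {
        this.NTHash = pek.DecryptHash(encryptedNtHash, this.Sid.GetRid());
    }

    // LMHash:
    dsObject.ReadAttribute(CommonDirectoryAttributes.LMHash, out byte[] encryptedLmHash);
    if (encryptedLmHash != null)
    {
        this.LMHash = pek.DecryptHash(encryptedLmHash, this.Sid.GetRid());
    }

    // NTHashHistory:
    dsObject.ReadAttribute(CommonDirectoryAttributes.NTHashHistory, out byte[] encryptedNtHashHistory);
    if (encryptedNtHashHistory != null)
    {
        this.NTHashHistory = pek.DecryptHashHistory(encryptedNtHashHistory, this.Sid.GetRid());
    }

    // LMHashHistory:
    dsObject.ReadAttribute(CommonDirectoryAttributes.LMHashHistory, out byte[] encryptedLmHashHistory);
    if (encryptedLmHashHistory != null)
    {
        this.LMHashHistory = pek.DecryptHashHistory(encryptedLmHashHistory, this.Sid.GetRid());
    }

    // SupplementalCredentials (decrypted as a generic secret, then parsed):
    dsObject.ReadAttribute(CommonDirectoryAttributes.SupplementalCredentials, out byte[] encryptedSupplementalCredentials);
    if (encryptedSupplementalCredentials != null)
    {
        byte[] binarySupplementalCredentials = pek.DecryptSecret(encryptedSupplementalCredentials);
        this.SupplementalCredentials = new SupplementalCredentials(binarySupplementalCredentials);
    }
}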
/// <summary>
/// Copies the non-secret account attributes from <paramref name="dsObject"/> into this instance.
/// </summary>
/// <param name="dsObject">Directory object representing the account; must not be null.</param>
/// <remarks>
/// userAccountControl, sAMAccountType and primaryGroupID are read as nullable integers and
/// unwrapped with <c>.Value</c>, which throws <see cref="InvalidOperationException"/> when the
/// attribute is missing; they are assumed to be mandatory for account objects.
/// </remarks>
protected void LoadAccountInfo(DirectoryObject dsObject)
{
    // Identity values exposed directly by the directory object.
    this.Guid = dsObject.Guid;
    this.DistinguishedName = dsObject.DistinguishedName;
    this.Sid = dsObject.Sid;

    // Attributes written straight into backing fields.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out this.sidHistory);
    dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out this.displayName);
    dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out this.description);
    dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out this.givenName);
    dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out this.surname);
    dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out this.securityDescriptor);
    // adminCount is an Int32 in the schema but only ever 0 or 1, hence the direct bool read.
    dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out this.adminCount);
    dsObject.ReadAttribute(CommonDirectoryAttributes.ServicePrincipalName, out this.spn);

    // userAccountControl flags.
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int? uacValue);
    this.UserAccountControl = (UserAccountControl)uacValue.Value;

    dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out this.isDeleted);
    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out this.lastLogon);
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out this.upn);
    dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out this.samAccountName);

    // sAMAccountType.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int? accountTypeValue);
    this.SamAccountType = (SamAccountType)accountTypeValue.Value;

    // primaryGroupID.
    dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int? primaryGroupValue);
    this.PrimaryGroupId = primaryGroupValue.Value;
}
/// <summary>
/// Populates the non-secret account properties from <paramref name="dsObject"/> and derives the
/// DOMAIN\user logon name from <paramref name="netBIOSDomainName"/>.
/// </summary>
/// <param name="dsObject">Directory object representing the account; must not be null.</param>
/// <param name="netBIOSDomainName">NetBIOS name of the account's domain, used to build <c>LogonName</c>.</param>
/// <remarks>
/// userAccountControl, sAMAccountType and primaryGroupID are unwrapped with <c>.Value</c>, which
/// throws <see cref="InvalidOperationException"/> if the attribute is missing; they are assumed
/// to be mandatory for account objects.
/// </remarks>
protected void LoadAccountInfo(DirectoryObject dsObject, string netBIOSDomainName)
{
    // Values exposed directly by the directory object.
    this.Guid = dsObject.Guid;
    this.DistinguishedName = dsObject.DistinguishedName;
    this.Sid = dsObject.Sid;

    // Naming and descriptive attributes.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out SecurityIdentifier[] historicalSids);
    this.SidHistory = historicalSids;

    dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out string display);
    this.DisplayName = display;

    dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out string desc);
    this.Description = desc;

    dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out string firstName);
    this.GivenName = firstName;

    dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out string lastName);
    this.Surname = lastName;

    dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out RawSecurityDescriptor sd);
    this.SecurityDescriptor = sd;

    // adminCount is an Int32 in the schema but only ever 0 or 1, hence the direct bool read.
    dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out bool isAdminCountSet);
    this.AdminCount = isAdminCountSet;

    dsObject.ReadAttribute(CommonDirectoryAttributes.ServicePrincipalName, out string[] spns);
    this.ServicePrincipalName = spns;

    // userAccountControl flags.
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int? uacValue);
    this.UserAccountControl = (UserAccountControl)uacValue.Value;

    dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out bool deleted);
    this.Deleted = deleted;

    // Both logon timestamps are kept; they are separate attributes in the directory.
    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out DateTime? lastLogonValue);
    this.LastLogon = lastLogonValue;

    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogonTimestamp, out DateTime? lastLogonTimestampValue);
    this.LastLogonTimestamp = lastLogonTimestampValue;

    dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out string principalName);
    this.UserPrincipalName = principalName;

    // sAMAccountName, plus the DOMAIN\user form derived from it.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out string samName);
    this.SamAccountName = samName;
    NTAccount account = new NTAccount(netBIOSDomainName, samName);
    this.LogonName = account.Value;

    // sAMAccountType.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int? accountTypeValue);
    this.SamAccountType = (SamAccountType)accountTypeValue.Value;

    // primaryGroupID.
    dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int? primaryGroupValue);
    this.PrimaryGroupId = primaryGroupValue.Value;

    // msDS-SupportedEncryptionTypes: stored as a signed int in the DB although documented as unsigned,
    // so the value is reinterpreted by the cast; it stays null when the attribute is absent.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SupportedEncryptionTypes, out int? encTypesValue);
    this.SupportedEncryptionTypes = (SupportedEncryptionTypes?)encTypesValue;
}
/// <summary>
/// Populates the non-secret account properties from <paramref name="dsObject"/> and derives the
/// DOMAIN\user logon name from <paramref name="netBIOSDomainName"/>.
/// </summary>
/// <param name="dsObject">Directory object representing the account; must not be null.</param>
/// <param name="netBIOSDomainName">NetBIOS name of the account's domain, used to build <c>LogonName</c>.</param>
/// <remarks>
/// <c>LastLogon</c> prefers the lastLogon attribute and falls back to lastLogonTimestamp
/// when lastLogon is absent. userAccountControl, sAMAccountType and primaryGroupID are
/// unwrapped with <c>.Value</c>, which throws <see cref="InvalidOperationException"/> if the
/// attribute is missing; they are assumed to be mandatory for account objects.
/// </remarks>
protected void LoadAccountInfo(DirectoryObject dsObject, string netBIOSDomainName)
{
    // Values exposed directly by the directory object.
    this.Guid = dsObject.Guid;
    this.DistinguishedName = dsObject.DistinguishedName;
    this.Sid = dsObject.Sid;

    // Naming and descriptive attributes.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out SecurityIdentifier[] historicalSids);
    this.SidHistory = historicalSids;

    dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out string display);
    this.DisplayName = display;

    dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out string desc);
    this.Description = desc;

    dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out string firstName);
    this.GivenName = firstName;

    dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out string lastName);
    this.Surname = lastName;

    dsObject.ReadAttribute(CommonDirectoryAttributes.SecurityDescriptor, out RawSecurityDescriptor sd);
    this.SecurityDescriptor = sd;

    // adminCount is an Int32 in the schema but only ever 0 or 1, hence the direct bool read.
    dsObject.ReadAttribute(CommonDirectoryAttributes.AdminCount, out bool isAdminCountSet);
    this.AdminCount = isAdminCountSet;

    dsObject.ReadAttribute(CommonDirectoryAttributes.ServicePrincipalName, out string[] spns);
    this.ServicePrincipalName = spns;

    // userAccountControl flags.
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int? uacValue);
    this.UserAccountControl = (UserAccountControl)uacValue.Value;

    dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out bool deleted);
    this.Deleted = deleted;

    // lastLogon is not replicated; lastLogonTimestamp is replicated but less precise,
    // so it is only consulted when lastLogon is missing.
    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out DateTime? lastLogonValue);
    this.LastLogon = lastLogonValue;
    if (!lastLogonValue.HasValue)
    {
        dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogonTimestamp, out DateTime? replicatedLogonValue);
        this.LastLogon = replicatedLogonValue;
    }

    dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out string principalName);
    this.UserPrincipalName = principalName;

    // sAMAccountName, plus the DOMAIN\user form derived from it.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out string samName);
    this.SamAccountName = samName;
    NTAccount account = new NTAccount(netBIOSDomainName, samName);
    this.LogonName = account.Value;

    // sAMAccountType.
    dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int? accountTypeValue);
    this.SamAccountType = (SamAccountType)accountTypeValue.Value;

    // primaryGroupID.
    dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int? primaryGroupValue);
    this.PrimaryGroupId = primaryGroupValue.Value;
}
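/// <summary>
/// Loads an account (user or computer) from its directory object and, when a decryptor is
/// supplied, decrypts its stored credential hashes and supplemental credentials.
/// </summary>
/// <param name="dsObject">Directory object representing the account.</param>
/// <param name="pek">Secret decryptor; pass null to load only the non-secret attributes.</param>
/// <exception cref="ArgumentException">Thrown when <paramref name="dsObject"/> is not an account.</exception>
/// <remarks>
/// <paramref name="dsObject"/> is rejected by <c>Validator.AssertNotNull</c> when null.
/// Accessing <c>.Value</c> on the nullable numeric attributes below throws
/// <see cref="InvalidOperationException"/> if the attribute is absent; they are assumed
/// to be mandatory for account objects.
/// </remarks>
public DSAccount(DirectoryObject dsObject, DirectorySecretDecryptor pek)
{
    // Parameter validation
    Validator.AssertNotNull(dsObject, "dsObject");
    if (!dsObject.IsAccount)
    {
        // A specific argument exception instead of the bare Exception the TODO flagged.
        throw new ArgumentException("Not an account.", "dsObject");
    }

    // Identity attributes that live directly on the directory object.
    this.Guid = dsObject.Guid;
    this.DistinguishedName = dsObject.DistinguishedName;
    this.Sid = dsObject.Sid;

    // SidHistory:
    dsObject.ReadAttribute(CommonDirectoryAttributes.SIDHistory, out this.sidHistory);
    // DisplayName:
    dsObject.ReadAttribute(CommonDirectoryAttributes.DisplayName, out this.displayName);
    // Description:
    dsObject.ReadAttribute(CommonDirectoryAttributes.Description, out this.description);
    // GivenName:
    dsObject.ReadAttribute(CommonDirectoryAttributes.GivenName, out this.givenName);
    // Surname:
    dsObject.ReadAttribute(CommonDirectoryAttributes.Surname, out this.surname);

    // Enabled: derived from the userAccountControl Disabled flag.
    // TODO: Move to DirectoryObject?
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserAccountControl, out int? numericUac);
    UserAccountControl uac = (UserAccountControl)numericUac.Value;
    this.Enabled = !uac.HasFlag(UserAccountControl.Disabled);

    // Deleted:
    dsObject.ReadAttribute(CommonDirectoryAttributes.IsDeleted, out this.isDeleted);
    // LastLogon:
    dsObject.ReadAttribute(CommonDirectoryAttributes.LastLogon, out this.lastLogon);
    // UPN:
    dsObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out this.upn);
    // SamAccountName:
    dsObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out this.samAccountName);

    // SamAccountType:
    // TODO: Move to DirectoryObject?
    dsObject.ReadAttribute(CommonDirectoryAttributes.SamAccountType, out int? numericAccountType);
    this.SamAccountType = (SamAccountType)numericAccountType.Value;

    // PrimaryGroupId:
    dsObject.ReadAttribute(CommonDirectoryAttributes.PrimaryGroupId, out int? groupId);
    this.PrimaryGroupId = groupId.Value;

    if (pek == null)
    {
        // Without a decryption key only the non-secret attributes are populated.
        return;
    }

    // The hash attributes are stored encrypted with the PEK and keyed by the account RID;
    // each one is decrypted only when the attribute is present.

    // NTHash:
    dsObject.ReadAttribute(CommonDirectoryAttributes.NTHash, out byte[] encryptedNtHash);
    if (encryptedNtHash != null)
    {
        this.NTHash = pek.DecryptHash(encryptedNtHash, this.Sid.GetRid());
    }

    // LMHash:
    dsObject.ReadAttribute(CommonDirectoryAttributes.LMHash, out byte[] encryptedLmHash);
    if (encryptedLmHash != null)
    {
        this.LMHash = pek.DecryptHash(encryptedLmHash, this.Sid.GetRid());
    }

    // NTHashHistory:
    dsObject.ReadAttribute(CommonDirectoryAttributes.NTHashHistory, out byte[] encryptedNtHashHistory);
    if (encryptedNtHashHistory != null)
    {
        this.NTHashHistory = pek.DecryptHashHistory(encryptedNtHashHistory, this.Sid.GetRid());
    }

    // LMHashHistory:
    dsObject.ReadAttribute(CommonDirectoryAttributes.LMHashHistory, out byte[] encryptedLmHashHistory);
    if (encryptedLmHashHistory != null)
    {
        this.LMHashHistory = pek.DecryptHashHistory(encryptedLmHashHistory, this.Sid.GetRid());
    }

    // SupplementalCredentials (decrypted as a generic secret, then parsed):
    dsObject.ReadAttribute(CommonDirectoryAttributes.SupplementalCredentials, out byte[] encryptedSupplementalCredentials);
    if (encryptedSupplementalCredentials != null)
    {
        byte[] binarySupplementalCredentials = pek.DecryptSecret(encryptedSupplementalCredentials);
        this.SupplementalCredentials = new SupplementalCredentials(binarySupplementalCredentials);
    }
}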