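    /// <summary>
    /// Assesses a block of service security settings and returns only the entries worth a
    /// reviewer's attention.
    /// Each entry of <paramref name="svcGenSettings"/> maps a service name to a two-element
    /// array: [0] the startup type code (2 = Automatic, 3 = Manual, 4 = Disabled) and [1] the
    /// SDDL string of the service's security descriptor. The data presumably comes from the
    /// [Service General Setting] section of a security template - confirm with the caller.
    /// </summary>
    /// <param name="svcGenSettings">A JObject of service name -> [startupType, sddl].</param>
    /// <returns>
    /// A JObject of findings, or null when nothing scored at or above GlobalVar.IntLevelToShow.
    /// With GlobalVar.OnlineChecks the SDDL is parsed and findings are keyed by 1-based position;
    /// without it the raw SDDL is passed through keyed by service name. The two keying schemes are
    /// the original behaviour and are kept so downstream consumers are unaffected.
    /// An entry that is not a [startupType, sddl] pair is reported as "Unparseable Setting"
    /// instead of aborting the whole assessment or being dropped silently.
    /// </returns>
    public static JObject AssessServiceGenSetting(JToken svcGenSettings)
    {
        JObject svcGenSettingsJObject  = (JObject)svcGenSettings;
        JObject assessedSvcGenSettings = new JObject();

        // Suffixes of trustee SIDs / SDDL aliases for broad or low-privilege principals (Domain Users,
        // Everyone, Interactive, Builtin Users, Anonymous, Authenticated Users, Guests, ...).
        // Matching is a plain string-suffix test, so it is only as precise as the suffix itself.
        // Keep the list in sync with AssessRegKeys.
        string[] interestingSidEndings =
        { "DU", "WD", "IU", "BU", "AN", "AU", "BG", "DC", "DG", "LG" };

        int inc = 0;

        foreach (KeyValuePair <string, JToken> svcGenSetting in svcGenSettingsJObject)
        {
            inc++;
            int    interestLevel = 3;
            string serviceName   = svcGenSetting.Key.Trim('"', '\\');

            // Surface rather than crash on (or silently drop) a malformed line: an ACL the tool could
            // not parse is exactly what a reviewer needs to see.
            JArray svcSettings = svcGenSetting.Value as JArray;
            if (svcSettings == null || svcSettings.Count < 2)
            {
                string rawValue = svcGenSetting.Value == null ? "" : svcGenSetting.Value.ToString();
                assessedSvcGenSettings.Add(inc.ToString(), new JObject(
                                               new JProperty("Service", serviceName),
                                               new JProperty("Unparseable Setting", rawValue)
                                               ));
                continue;
            }

            string startupType = svcSettings[0].ToString().Trim('"', '\\');
            string sddl        = svcSettings[1].ToString().Trim('"', '\\');

            string startupString;
            switch (startupType)
            {
            case "2":
                startupString = "Automatic";
                break;

            case "3":
                startupString = "Manual";
                break;

            case "4":
                startupString = "Disabled";
                break;

            default:
                // Report the raw code instead of an empty string so an unexpected value is visible.
                startupString = "Unknown (" + startupType + ")";
                break;
            }

            if (!GlobalVar.OnlineChecks)
            {
                // Offline: no SDDL parsing, pass the raw descriptor through at the base interest level.
                if (interestLevel >= GlobalVar.IntLevelToShow)
                {
                    assessedSvcGenSettings.Add(serviceName, new JObject(
                                                   new JProperty("SDDL", sddl),
                                                   new JProperty("Startup Type", startupString)
                                                   ));
                }
                continue;
            }

            JObject parsedSddl   = ParseSDDL.ParseSddlString(sddl, SecurableObjectType.WindowsService);
            JObject assessedSddl = new JObject();

            if (parsedSddl["Owner"] != null)
            {
                assessedSddl.Add("Owner", parsedSddl["Owner"].ToString());
                interestLevel = 4;
            }

            if (parsedSddl["Group"] != null)
            {
                assessedSddl.Add("Group", parsedSddl["Group"].ToString());
                interestLevel = 4;
            }

            if (parsedSddl["DACL"] != null)
            {
                foreach (JProperty ace in parsedSddl["DACL"].Children())
                {
                    JToken sidToken   = ace.Value["SID"];
                    string trusteeSid = sidToken == null ? "" : sidToken.ToString();

                    bool interestingUserPresent = false;
                    foreach (string interestingSidEnding in interestingSidEndings)
                    {
                        if (trusteeSid.EndsWith(interestingSidEnding, StringComparison.Ordinal))
                        {
                            interestingUserPresent = true;
                            break;
                        }
                    }

                    // Scoring: an ACE for a broad/low-privilege trustee is flagged regardless of the
                    // rights it grants (no rights check is applied to services, unlike GetDomainGpos).
                    // Every other trustee - well-known admin principals but also any custom domain
                    // group - scores 0 and is dropped whenever IntLevelToShow > 0.
                    // TODO(review): that hides delegated control of a service by a custom group.
                    int aceInterestLevel = interestingUserPresent ? 10 : 0;

                    if (aceInterestLevel >= GlobalVar.IntLevelToShow)
                    {
                        // pass the whole ACE on
                        assessedSddl.Add(ace);
                    }

                    // The entry is at least as interesting as its most interesting ACE, so a flagged
                    // ACE is never lost behind a low entry-level score.
                    interestLevel = Math.Max(interestLevel, aceInterestLevel);
                }
            }

            // Gate the whole entry on its interest level; the online path previously computed
            // interestLevel but never compared it against IntLevelToShow.
            if (interestLevel >= GlobalVar.IntLevelToShow && assessedSddl.HasValues)
            {
                assessedSddl.AddFirst(new JProperty("Service", serviceName));
                assessedSddl.Add("Startup Type", startupString);
                assessedSvcGenSettings.Add(inc.ToString(), assessedSddl);
            }
        }

        if (assessedSvcGenSettings.Count <= 0)
        {
            return(null);
        }

        return(assessedSvcGenSettings);
    }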
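    /// <summary>
    /// Assesses a block of registry-key ACL settings and returns only the entries worth a
    /// reviewer's attention. Each entry of <paramref name="regKeys"/> maps a key path to a
    /// two-element array: [0] the inheritance code and [1] the SDDL string applied to the key.
    ///
    /// Inheritance codes:
    ///   0 = propagate inheritable permissions to all subkeys,
    ///   1 = do not allow permissions on this key to be replaced,
    ///   2 = replace existing permissions on all subkeys with inheritable permissions.
    /// </summary>
    /// <param name="regKeys">A JObject of registry key path -> [inheritance, sddl].</param>
    /// <returns>
    /// A JObject of findings keyed by 1-based position, or null when nothing scored at or above
    /// GlobalVar.IntLevelToShow. Without GlobalVar.OnlineChecks the raw SDDL is passed through at
    /// the base interest level (matching AssessServiceGenSetting; previously nothing at all was
    /// reported offline). An entry that is not an [inheritance, sddl] pair is reported as
    /// "Unparseable Setting" instead of aborting the whole assessment or being dropped silently.
    /// </returns>
    public static JObject AssessRegKeys(JToken regKeys)
    {
        JObject regKeysJObject  = (JObject)regKeys;
        JObject assessedRegKeys = new JObject();

        // Suffixes of trustee SIDs / SDDL aliases for broad or low-privilege principals (Domain Users,
        // Everyone, Interactive, Builtin Users, Anonymous, Authenticated Users, Guests, ...).
        // Matching is a plain string-suffix test, so it is only as precise as the suffix itself.
        // Keep the list in sync with AssessServiceGenSetting.
        string[] interestingSidEndings =
        { "DU", "WD", "IU", "BU", "AN", "AU", "BG", "DC", "DG", "LG" };

        int inc = 0;

        foreach (KeyValuePair <string, JToken> regKey in regKeysJObject)
        {
            inc++;
            int    interestLevel = 1;
            string keyPath       = regKey.Key.Trim('"');

            // Surface rather than crash on (or silently drop) a malformed line: an ACL the tool could
            // not parse is exactly what a reviewer needs to see.
            JArray keyValues = regKey.Value as JArray;
            if (keyValues == null || keyValues.Count < 2)
            {
                string rawValue = regKey.Value == null ? "" : regKey.Value.ToString();
                assessedRegKeys.Add(inc.ToString(), new JObject(
                                        new JProperty("RegKey", keyPath),
                                        new JProperty("Unparseable Setting", rawValue)
                                        ));
                continue;
            }

            string inheritance = keyValues[0].ToString().Trim('"');
            string sddl        = keyValues[1].ToString().Trim('"');

            // turn the inheritance number into a nice string.
            string inheritanceString;
            switch (inheritance)
            {
            case "0":
                inheritanceString = "Propagate inheritable permissions to all subkeys.";
                break;

            case "1":
                inheritanceString = "Do not allow permissions on this key to be replaced.";
                break;

            case "2":
                inheritanceString = "Replace existing permissions on all subkeys with inheritable permissions.";
                break;

            default:
                // Report the raw code instead of an empty string so an unexpected value is visible.
                inheritanceString = "Unknown (" + inheritance + ")";
                break;
            }

            JObject assessedSddl = new JObject();

            if (GlobalVar.OnlineChecks)
            {
                // NOTE(review): this SDDL protects a registry key but is parsed as a WindowsService; if
                // ParseSDDL has a registry-key SecurableObjectType the access-mask bits should be decoded
                // with that instead. The enum's members cannot be verified from here.
                JObject parsedSddl = ParseSDDL.ParseSddlString(sddl, SecurableObjectType.WindowsService);

                if (parsedSddl["Owner"] != null)
                {
                    assessedSddl.Add("Owner", parsedSddl["Owner"].ToString());
                    interestLevel = 4;
                }

                if (parsedSddl["Group"] != null)
                {
                    assessedSddl.Add("Group", parsedSddl["Group"].ToString());
                    interestLevel = 4;
                }

                if (parsedSddl["DACL"] != null)
                {
                    foreach (JProperty ace in parsedSddl["DACL"].Children())
                    {
                        JToken sidToken   = ace.Value["SID"];
                        string trusteeSid = sidToken == null ? "" : sidToken.ToString();

                        bool interestingUserPresent = false;
                        foreach (string interestingSidEnding in interestingSidEndings)
                        {
                            if (trusteeSid.EndsWith(interestingSidEnding, StringComparison.Ordinal))
                            {
                                interestingUserPresent = true;
                                break;
                            }
                        }

                        // Scoring: an ACE for a broad/low-privilege trustee is flagged regardless of
                        // the rights it grants (no rights check is applied here, unlike GetDomainGpos).
                        // Every other trustee - well-known admin principals but also any custom domain
                        // group - scores 0 and is dropped whenever IntLevelToShow > 0.
                        // TODO(review): that hides delegated control of a key by a custom group.
                        int aceInterestLevel = interestingUserPresent ? 10 : 0;

                        if (aceInterestLevel >= GlobalVar.IntLevelToShow)
                        {
                            // pass the whole ACE on
                            assessedSddl.Add(ace);
                        }

                        // The entry is at least as interesting as its most interesting ACE. Previously
                        // a flagged ACE was discarded whenever IntLevelToShow exceeded the entry's own
                        // owner/group-derived level.
                        interestLevel = Math.Max(interestLevel, aceInterestLevel);
                    }
                }
            }
            else
            {
                // Offline: no SDDL parser available, pass the raw descriptor through.
                assessedSddl.Add("SDDL", sddl);
            }

            if (interestLevel >= GlobalVar.IntLevelToShow && assessedSddl.HasValues)
            {
                assessedSddl.AddFirst(new JProperty("RegKey", keyPath));
                assessedSddl.Add("Inheritance", inheritanceString);
                assessedRegKeys.Add(inc.ToString(), assessedSddl);
            }
        }

        if (assessedRegKeys.Count <= 0)
        {
            return(null);
        }

        return(assessedRegKeys);
    }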
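    /// <summary>
    /// Enumerates every groupPolicyContainer object in the domain and collects, per GPO, its
    /// display name, cn (the {GUID}), distinguished name, creation time, enabled/disabled flags
    /// and the part of its security descriptor worth looking at: owner, group and every ACE that
    /// scores at or above GlobalVar.IntLevelToShow (see ScoreGpoAce).
    /// Binds with GlobalVar.UserDefinedUsername/Password against GlobalVar.UserDefinedDomain when
    /// GlobalVar.UserDefinedDomainDn is set, otherwise with the current security context.
    /// </summary>
    /// <returns>
    /// A JObject keyed by GPO cn. On any failure the exception is written through
    /// Utility.DebugWrite and the process exits with code 1 (original behaviour, kept so callers
    /// see no change); the interactive pause before exiting is skipped when stdin is redirected,
    /// because Console.ReadKey would otherwise throw inside the handler.
    /// </returns>
    public static JObject GetDomainGpos()
    {
        try
        {
            DirectoryEntry rootDse;
            DirectoryEntry root;
            DirectoryEntry rootExtRightsContext;

            if (GlobalVar.UserDefinedDomainDn != null)
            {
                // NOTE(review): the condition tests UserDefinedDomainDn but the bind path is built from
                // UserDefinedDomain - confirm the option parser always sets both together.
                rootDse = new DirectoryEntry("LDAP://" + GlobalVar.UserDefinedDomain + "/rootDSE",
                                             GlobalVar.UserDefinedUsername, GlobalVar.UserDefinedPassword);
                root = new DirectoryEntry("GC://" + rootDse.Properties["defaultNamingContext"].Value,
                                          GlobalVar.UserDefinedUsername, GlobalVar.UserDefinedPassword);
                string schemaContextString = rootDse.Properties["schemaNamingContext"].Value.ToString();
                rootExtRightsContext = new DirectoryEntry("LDAP://" + schemaContextString.Replace("Schema", "Extended-Rights"),
                                                          GlobalVar.UserDefinedUsername, GlobalVar.UserDefinedPassword);
            }
            else
            {
                rootDse = new DirectoryEntry("LDAP://rootDSE");
                root    = new DirectoryEntry("GC://" + rootDse.Properties["defaultNamingContext"].Value);
                string schemaContextString = rootDse.Properties["schemaNamingContext"].Value.ToString();
                rootExtRightsContext = new DirectoryEntry("LDAP://" + schemaContextString.Replace("Schema", "Extended-Rights"));
            }

            // DirectoryEntry, DirectorySearcher and SearchResultCollection all wrap unmanaged ADSI
            // handles; SearchResultCollection in particular is documented as leaking unless disposed.
            using (rootDse)
            using (root)
            using (rootExtRightsContext)
            {
                // Extended-right GUID -> name map. It is built but not consulted anywhere in this
                // method. TODO(review): either use it to name the ObjectType GUIDs in the ACEs or drop
                // the query.
                Dictionary <string, string> guidDict = LoadExtendedRightsGuids(rootExtRightsContext);

                // all data about all gpos, keyed by GPO cn
                JObject gposData = new JObject();

                using (DirectorySearcher gpoSearcher = new DirectorySearcher(root)
                {
                    Filter        = "(objectClass=groupPolicyContainer)",
                    SecurityMasks = SecurityMasks.Dacl | SecurityMasks.Owner
                })
                using (SearchResultCollection gpoSearchResults = gpoSearcher.FindAll())
                {
                    foreach (SearchResult gpoSearchResult in gpoSearchResults)
                    {
                        using (DirectoryEntry gpoDe = gpoSearchResult.GetDirectoryEntry())
                        {
                            string gpoUid = ReadGpoAttribute(gpoDe, "name");
                            gposData.Add(gpoUid, DescribeGpo(gpoDe, gpoUid));
                        }
                    }
                }

                return(gposData);
            }
        }
        catch (Exception exception)
        {
            Utility.DebugWrite(exception.ToString());
            // Console.ReadKey throws InvalidOperationException when stdin is redirected (piped or
            // unattended runs), which would replace the real error with a crash inside the handler.
            if (!Console.IsInputRedirected)
            {
                Console.ReadKey();
            }
            Environment.Exit(1);
        }

        return(null);
    }

    /// <summary>
    /// Builds the per-GPO report object: identifying attributes, enabled status and the filtered ACL.
    /// </summary>
    /// <param name="gpoDe">The bound groupPolicyContainer entry.</param>
    /// <param name="gpoUid">The GPO's cn, already read by the caller.</param>
    private static JObject DescribeGpo(DirectoryEntry gpoDe, string gpoUid)
    {
        JObject gpoData = new JObject();
        gpoData.Add("Display Name", ReadGpoAttribute(gpoDe, "displayName"));
        gpoData.Add("UID", gpoUid);
        gpoData.Add("Distinguished Name", ReadGpoAttribute(gpoDe, "distinguishedName"));
        gpoData.Add("Created", ReadGpoAttribute(gpoDe, "whenCreated"));
        gpoData.Add("GPO Status", DescribeGpoFlags(ReadGpoAttribute(gpoDe, "flags")));

        JObject gpoAclJObject = new JObject();

        ActiveDirectorySecurity gpoAcl = gpoDe.ObjectSecurity;
        // NOTE(review): AccessControlSections.All also asks for the SACL, which needs
        // SeSecurityPrivilege, while the searcher only requested Dacl|Owner. Confirm whether
        // anything beyond owner/group/DACL is ever present in sddlString here.
        string  sddlString = gpoAcl.GetSecurityDescriptorSddlForm(AccessControlSections.All);
        JObject parsedSDDL = ParseSDDL.ParseSddlString(sddlString, SecurableObjectType.DirectoryServiceObject);

        foreach (KeyValuePair <string, JToken> thing in parsedSDDL)
        {
            switch (thing.Key)
            {
            case "Owner":
                gpoAclJObject.Add("Owner", thing.Value.ToString());
                break;

            case "Group":
                gpoAclJObject.Add("Group", thing.Value);
                break;

            case "DACL":
                foreach (JProperty ace in thing.Value.Children())
                {
                    if (ScoreGpoAce(ace) >= GlobalVar.IntLevelToShow)
                    {
                        // pass the whole ACE on
                        gpoAclJObject.Add(ace);
                    }
                }
                break;
            }
        }

        if (gpoAclJObject.HasValues)
        {
            gpoData.Add("ACLs", gpoAclJObject);
        }

        return(gpoData);
    }

    /// <summary>
    /// Scores one ACE of a GPO's DACL.
    /// 10 = a broad/low-privilege trustee (Everyone, Authenticated Users, Domain Users, ...)
    ///      holds one of the rights whose names denote write or control access
    ///      (WRITE_OWNER, CREATE_CHILD, WRITE_PROPERTY, WRITE_DAC, SELF_WRITE, CONTROL_ACCESS);
    ///  0 = the trustee is an expected high-privilege principal (SYSTEM, Administrators,
    ///      Domain/Enterprise Admins, Creator Owner, ...);
    ///  1 = anything else.
    /// Trustee matching is a plain string-suffix test on the ACE's "SID" value, so it is only as
    /// precise as the suffixes listed. TODO(review): a custom (non well-known) group holding
    /// WRITE_DAC over a GPO scores only 1 and is hidden whenever IntLevelToShow > 1, yet that is a
    /// classic GPO-abuse path.
    /// </summary>
    private static int ScoreGpoAce(JProperty ace)
    {
        string[] interestingRights =
        { "WRITE_OWNER", "CREATE_CHILD", "WRITE_PROPERTY", "WRITE_DAC", "SELF_WRITE", "CONTROL_ACCESS" };
        string[] boringSidEndings =
        { "-3-0", "-5-9", "5-18", "-512", "-519", "SY", "BA", "DA", "CO", "ED", "PA", "CG", "DD", "EA", "LA", };
        string[] interestingSidEndings =
        { "DU", "WD", "IU", "BU", "AN", "AU", "BG", "DC", "DG", "LG" };

        bool   interestingRightPresent = false;
        JToken rights = ace.Value["Rights"];
        if (rights != null)
        {
            foreach (string right in interestingRights)
            {
                if (rights.Contains(right))
                {
                    interestingRightPresent = true;
                    break;
                }
            }
        }

        JToken sidToken   = ace.Value["SID"];
        string trusteeSid = sidToken == null ? "" : sidToken.ToString();

        bool interestingUserPresent = false;
        foreach (string ending in interestingSidEndings)
        {
            if (trusteeSid.EndsWith(ending, StringComparison.Ordinal))
            {
                interestingUserPresent = true;
                break;
            }
        }

        if (interestingUserPresent && interestingRightPresent)
        {
            return(10);
        }

        foreach (string ending in boringSidEndings)
        {
            if (trusteeSid.EndsWith(ending, StringComparison.Ordinal))
            {
                return(0);
            }
        }

        return(1);
    }

    /// <summary>
    /// Turns the groupPolicyContainer "flags" attribute into a readable status.
    /// 0 = all enabled, 1 = user policy disabled, 2 = computer policy disabled, 3 = all disabled.
    /// </summary>
    private static string DescribeGpoFlags(string gpoFlags)
    {
        switch (gpoFlags)
        {
        case "0":
            return("Enabled");

        case "1":
            return("User Policy Disabled");

        case "2":
            return("Computer Policy Disabled");

        case "3":
            return("Disabled");

        default:
            return("Couldn't process GPO Enabled Status. Weird.");
        }
    }

    /// <summary>
    /// Returns an attribute's value as a string, or "" when the attribute is absent, so a GPO
    /// missing an optional attribute does not abort the whole enumeration with a null dereference.
    /// </summary>
    private static string ReadGpoAttribute(DirectoryEntry entry, string attribute)
    {
        object value = entry.Properties[attribute].Value;
        return(value == null ? "" : value.ToString());
    }

    /// <summary>
    /// Reads every controlAccessRight under the Extended-Rights container into a
    /// rightsGUID -> name map, seeded with the all-zero GUID meaning "All".
    /// A duplicated rightsGUID keeps the first name seen and is logged in debug mode.
    /// </summary>
    private static Dictionary <string, string> LoadExtendedRightsGuids(DirectoryEntry extendedRightsContainer)
    {
        Dictionary <string, string> guidDict = new Dictionary <string, string>();
        guidDict.Add("00000000-0000-0000-0000-000000000000", "All");

        using (DirectorySearcher rightsSearcher = new DirectorySearcher(extendedRightsContainer)
        {
            Filter           = "(objectClass=controlAccessRight)",
            PropertiesToLoad = { "name", "rightsGUID" }
        })
        using (SearchResultCollection extRightsResultCollection = rightsSearcher.FindAll())
        {
            foreach (SearchResult extRightsResult in extRightsResultCollection)
            {
                ResultPropertyValueCollection guids = extRightsResult.Properties["rightsguid"];
                ResultPropertyValueCollection names = extRightsResult.Properties["name"];
                if (guids.Count == 0 || names.Count == 0)
                {
                    continue;
                }

                string extRightGuidString = guids[0].ToString();
                if (guidDict.ContainsKey(extRightGuidString))
                {
                    // One duplicate has been observed in the wild. TODO - figure out which object it is.
                    if (GlobalVar.DebugMode)
                    {
                        Utility.DebugWrite("Hit a duplicate GUID in extRightsResult");
                    }
                    continue;
                }

                guidDict.Add(extRightGuidString, names[0].ToString());
            }
        }

        return(guidDict);
    }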