public void GetWellKnownPrincipal_PassingTestSid__ReturnsValidTypedPrincipal() { TypedPrincipal typedPrincipal; bool result = WellKnownPrincipal.GetWellKnownPrincipal("S-1-0-0", out typedPrincipal); Assert.True(result); Assert.Equal(Label.User, typedPrincipal.ObjectType); }
public void GetKnownPrincipal_PassingKnownIds_MatchesNameAndLabel() { foreach (var p in GetWellKnownPrincipals()) { var result = WellKnownPrincipal.GetWellKnownPrincipal(p.sid, out var typedPrincipal); Assert.True(result); Assert.Equal(p.label, typedPrincipal.ObjectType); } }
/// <summary> /// Determines whether this is a wellknown group of <paramref name="wellKnown"/> type. /// </summary> /// <param name="wellKnown">Type of wellknown pricipal to check.</param> /// <returns><c>true</c> if the group is of questioned wellknown type.</returns> public override bool IsWellKnownPrincipal(WellKnownPrincipal wellKnown) { switch (wellKnown) { case WellKnownPrincipal.All: return(groupPrincipal.Sid.IsWellKnown(WellKnownSidType.WorldSid)); case WellKnownPrincipal.Authenticated: return(groupPrincipal.Sid.IsWellKnown(WellKnownSidType.AuthenticatedUserSid)); } return(false); }
/// <summary> /// Extension method to determine the BloodHound type of a SearchResultEntry using LDAP properties /// Requires ldap properties objectsid, samaccounttype, objectclass /// </summary> /// <param name="entry"></param> /// <returns></returns> public static Label GetLabel(this SearchResultEntry entry) { //Test if we have the msds-groupmsamembership property first. We want to override this as a user object if (entry.GetPropertyAsBytes("msds-groupmsamembership") != null) { return(Label.User); } var objectId = entry.GetObjectIdentifier(); if (objectId.StartsWith("S-1") && WellKnownPrincipal.GetWellKnownPrincipal(objectId, out var commonPrincipal)) { return(commonPrincipal.ObjectType); } var objectType = Label.Unknown; var samAccountType = entry.GetProperty("samaccounttype"); //Its not a common principal. Lets use properties to figure out what it actually is if (samAccountType != null) { objectType = Helpers.SamAccountTypeToType(samAccountType); } else { var objectClasses = entry.GetPropertyAsArray("objectClass"); if (objectClasses == null) { objectType = Label.Unknown; } else if (objectClasses.Contains("groupPolicyContainer")) { objectType = Label.GPO; } else if (objectClasses.Contains("organizationalUnit")) { objectType = Label.OU; } else if (objectClasses.Contains("domain")) { objectType = Label.Domain; } else if (objectClasses.Contains("container")) { objectType = Label.Container; } } return(objectType); }
/// <summary> /// Checks whether this user is of well-known type. /// </summary> /// <param name="wellknownPrincipal">Type to check.</param> /// <returns><c>true</c> if the user is of specified well-known type.</returns> public bool IsWellKnownPrincipal(WellKnownPrincipal wellknownPrincipal) { return((wellknownPrincipal == WellKnownPrincipal.Unauthenticated) && (Name == "Anonymous")); }
public Task <IPrincipalAsync> ResolveWellKnownPrincipalAsync(WellKnownPrincipal wellKnownPrincipal) { throw new NotImplementedException(); }
public abstract bool IsWellKnownPrincipal(WellKnownPrincipal wellknownPrincipal);
internal LocalGroupResult GetGroupMembers(LocalGroupRids rid) { var result = new LocalGroupResult(); var status = SamOpenAlias(_domainHandle, AliasOpenFlags.ListMembers, (int)rid, out var aliasHandle); if (status != NativeMethods.NtStatus.StatusSuccess) { SamCloseHandle(aliasHandle); result.FailureReason = $"SamOpenAlias returned {status.ToString()}"; return(result); } status = SamGetMembersInAlias(aliasHandle, out var members, out var count); SamCloseHandle(aliasHandle); if (status != NativeMethods.NtStatus.StatusSuccess) { SamFreeMemory(members); result.FailureReason = $"SamGetMembersInAlias returned {status.ToString()}"; return(result); } Logging.Debug($"API call returned count of {count} "); if (count == 0) { SamFreeMemory(members); result.Collected = true; return(result); } var sids = new List <string>(); for (var i = 0; i < count; i++) { try { var intptr = Marshal.ReadIntPtr(members, Marshal.SizeOf(typeof(IntPtr)) * i); var sid = new SecurityIdentifier(intptr).Value; sids.Add(sid); } catch (Exception e) { Logging.Debug($"Exception converting sid: {e}"); } } SamFreeMemory(members); var machineSid = GetMachineSid(); Logging.Debug($"Resolved machine sid to {machineSid}"); var converted = sids.Select(x => { Logging.Debug(x); //Filter out machine accounts, service accounts, iis app pool accounts, window manager, font driver if (x.StartsWith(machineSid) || x.StartsWith("S-1-5-80") || x.StartsWith("S-1-5-82") || x.StartsWith("S-1-5-90") || x.StartsWith("S-1-5-96")) { return(null); } if (_filteredSids.Contains(x)) { return(null); } x = WellKnownPrincipal.TryConvert(x, _computerDomain); return(x.StartsWith("S-1-5-21") ? x : null); }).Where(x => x != null); result.Collected = true; result.Members = converted.ToArray(); return(result); }
/// <summary> /// Retrieves user or group which correspond to a well known principal /// (defined in <see cref="WellKnownPrincipal"/>.) /// </summary> /// <param name="wellKnownPrincipal">Well known principal type.</param> /// <returns>Instance of corresponding user/group or <c>null</c> if corresponding user/group /// is not supported.</returns> public async Task <IPrincipalAsync> ResolveWellKnownPrincipalAsync(WellKnownPrincipal wellKnownPrincipal) { return(null); }
/// <summary> /// Checks whether this user is of well-known type. /// </summary> /// <param name="wellknownPrincipal">Type to check.</param> /// <returns><c>true</c> if the user is of specified well-known type.</returns> public override bool IsWellKnownPrincipal(WellKnownPrincipal wellknownPrincipal) { return(wellknownPrincipal == WellKnownPrincipal.Unauthenticated && Context.AnonymousUser != null && Sid.Value == Context.AnonymousUser.User.Value); }