Пример #1
        /// <summary>
        /// Prints every account logon event (event ID 4624) returned for the last 10 days,
        /// then summarises which accounts authenticated to this machine with NTLM v1,
        /// NTLM v2 and Kerberos.
        /// </summary>
        /// <remarks>
        /// The check exits early unless <c>MyUtils.IsHighIntegrity()</c> returns true.
        /// The output contains account names, domains and source IP addresses taken from the
        /// logon records, so treat the resulting report as sensitive.
        /// For defenders: any entry in the NTLM v1 list is a finding to remediate (raise the
        /// LAN Manager authentication level so NTLMv1 is refused), and NTLM use in general is
        /// what relay-hardening measures such as SMB signing address.
        /// Any exception is caught and only its message is printed.
        /// </remarks>
        private static void PrintLogonEvents()
        {
            // Size of the look-back window handed to Logon.GetLogonInfos, in days.
            const int lookbackDays = 10;

            try
            {
                Beaprint.MainPrint($"Printing Account Logon Events (4624) for the last {lookbackDays} days.\n");

                // Bail out unless the process is running elevated.
                // NOTE(review): presumably because reading the Security log needs admin rights - confirm.
                var elevated = MyUtils.IsHighIntegrity();
                if (!elevated)
                {
                    Beaprint.NoColorPrint("      You must be an administrator to run this check");
                    return;
                }

                var summary = Logon.GetLogonInfos(lookbackDays);

                // One formatted record per logon event, each followed by a separator line.
                foreach (var evt in summary.LogonEventInfos)
                {
                    var record =
                        $"  Subject User Name            :       {evt.SubjectUserName}\n" +
                        $"  Subject Domain Name          :       {evt.SubjectDomainName}\n" +
                        $"  Created (Utc)                :       {evt.CreatedAtUtc}\n" +
                        $"  IP Address                   :       {evt.IpAddress}\n" +
                        $"  Authentication Package       :       {evt.AuthenticationPackage}\n" +
                        $"  Lm Package                   :       {evt.LmPackage}\n" +
                        $"  Logon Type                   :       {evt.LogonType}\n" +
                        $"  Target User Name             :       {evt.TargetUserName}\n" +
                        $"  Target Domain Name           :       {evt.TargetDomainName}\n" +
                        $"  Target Outbound User Name    :       {evt.TargetOutboundUserName}\n" +
                        $"  Target Outbound Domain Name  :       {evt.TargetOutboundDomainName}\n";

                    Beaprint.BadPrint(record);
                    Beaprint.PrintLineSeparator();
                }

                var ntlmV1Users = summary.NTLMv1LoggedUsersSet;
                var ntlmV2Users = summary.NTLMv2LoggedUsersSet;
                var kerberosUsers = summary.KerberosLoggedUsersSet;

                // Any NTLM logon, whatever the version, raises the relay warning.
                var sawNtlmV1 = ntlmV1Users.Count > 0;
                if (sawNtlmV1 || ntlmV2Users.Count > 0)
                {
                    Beaprint.BadPrint("  NTLM relay might be possible - other users authenticate to this machine using NTLM!");
                }

                // NTLM v1 is reported first: it is the weaker protocol and the more urgent finding.
                if (sawNtlmV1)
                {
                    Beaprint.BadPrint("  Accounts authenticate to this machine using NTLM v1!");
                    Beaprint.BadPrint("  You can obtain these accounts' **NTLM** hashes by sniffing NTLM challenge/responses and then crack them!");
                    Beaprint.BadPrint("  NTLM v1 authentication is broken!\n");

                    PrintUsers(ntlmV1Users);
                }

                if (ntlmV2Users.Count > 0)
                {
                    Beaprint.BadPrint("\n  Accounts authenticate to this machine using NTLM v2!");
                    Beaprint.BadPrint("  You can obtain NetNTLMv2 for these accounts by sniffing NTLM challenge/responses.");
                    Beaprint.BadPrint("  You can then try and crack their passwords.\n");

                    PrintUsers(ntlmV2Users);
                }

                // The Kerberos list is informational; no warning text accompanies it.
                if (kerberosUsers.Count > 0)
                {
                    Beaprint.BadPrint("\n  The following users have authenticated to this machine using Kerberos.\n");
                    PrintUsers(kerberosUsers);
                }
            }
            catch (Exception error)
            {
                // Best effort: a failure here is reported by message only (no stack trace).
                Beaprint.PrintException(error.Message);
            }
        }