/// <exception cref="System.IO.IOException"></exception> internal static void ResolveSids0(string authorityServerName, NtlmPasswordAuthentication auth, Sid[] sids) { DcerpcHandle handle = null; LsaPolicyHandle policyHandle = null; lock (SidCache) { try { handle = DcerpcHandle.GetHandle("ncacn_np:" + authorityServerName + "[\\PIPE\\lsarpc]" , auth); string server = authorityServerName; int dot = server.IndexOf('.'); if (dot > 0 && char.IsDigit(server[0]) == false) { server = Runtime.Substring(server, 0, dot); } policyHandle = new LsaPolicyHandle(handle, "\\\\" + server, unchecked (0x00000800)); ResolveSids(handle, policyHandle, sids); } finally { if (handle != null) { if (policyHandle != null) { policyHandle.Close(); } handle.Close(); } } } }
/// <exception cref="System.IO.IOException"></exception> public SamrAliasHandle(DcerpcHandle handle, SamrDomainHandle domainHandle, int access , int rid) { MsrpcSamrOpenAlias rpc = new MsrpcSamrOpenAlias(domainHandle, access, rid, this); handle.Sendrecv(rpc); if (rpc.Retval != 0) { throw new SmbException(rpc.Retval, false); } }
/// <exception cref="System.IO.IOException"></exception> public SamrDomainHandle(DcerpcHandle handle, SamrPolicyHandle policyHandle, int access , Rpc.SidT sid) { MsrpcSamrOpenDomain rpc = new MsrpcSamrOpenDomain(policyHandle, access, sid, this ); handle.Sendrecv(rpc); if (rpc.Retval != 0) { throw new SmbException(rpc.Retval, false); } }
/// <exception cref="System.IO.IOException"></exception> public LsaPolicyHandle(DcerpcHandle handle, string server, int access) { if (server == null) { server = "\\\\"; } MsrpcLsarOpenPolicy2 rpc = new MsrpcLsarOpenPolicy2(server, access, this); handle.Sendrecv(rpc); if (rpc.Retval != 0) { throw new SmbException(rpc.Retval, false); } }
/// <exception cref="System.IO.IOException"></exception> public virtual Sid[] GetGroupMemberSids(string authorityServerName, NtlmPasswordAuthentication auth, int flags) { if (Type != SidTypeDomGrp && Type != SidTypeAlias) { return(new Sid[0]); } DcerpcHandle handle = null; SamrPolicyHandle policyHandle = null; SamrDomainHandle domainHandle = null; Sid domsid = GetDomainSid(); lock (SidCache) { try { handle = DcerpcHandle.GetHandle("ncacn_np:" + authorityServerName + "[\\PIPE\\samr]", auth); policyHandle = new SamrPolicyHandle(handle, authorityServerName, unchecked (0x00000030)); domainHandle = new SamrDomainHandle(handle, policyHandle, unchecked (0x00000200), domsid); return(GetGroupMemberSids0(handle, domainHandle, domsid, GetRid(), flags)); } finally { if (handle != null) { if (policyHandle != null) { if (domainHandle != null) { domainHandle.Close(); } policyHandle.Close(); } handle.Close(); } } } }
public bool doPsexec(String binPath, NtlmPasswordAuthentication auth, String cmd) { Random rnd = new Random(); int randInt = rnd.Next(1, 10000000); String host = "127.0.0.1"; DcerpcHandle handle = DcerpcHandle.GetHandle("ncacn_np:" + host + "[\\pipe\\svcctl]", auth); // Open the SCManager on the remote machine and get a handle // for that open instance (scManagerHandle). Rpc.PolicyHandle scManagerHandle = new Rpc.PolicyHandle(); svcctl.OpenSCManager openSCManagerRpc = new svcctl.OpenSCManager("\\\\" + host, null, (0x000F0000 | 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0010 | 0x0020), scManagerHandle); handle.Sendrecv(openSCManagerRpc); if (openSCManagerRpc.retval != 0) { throw new SmbException(openSCManagerRpc.retval, true); } Rpc.PolicyHandle svcHandle = new Rpc.PolicyHandle(); svcctl.OpenService openServiceRpc = new svcctl.OpenService(scManagerHandle, "GetShell" + randInt, svcctl.SC_MANAGER_ALL_ACCESS, svcHandle); handle.Sendrecv(openServiceRpc); // If the service didn't exist, create it. if (openServiceRpc.retval == 1060) { // Create a new service. svcHandle = new Rpc.PolicyHandle(); //code 272 is for an interactive, own process service this was originally svcctl.SC_TYPE_SERVICE_WIN32_OWN_PROCESS svcctl.CreateServiceW createServiceWRpc = new svcctl.CreateServiceW( scManagerHandle, "GetShell" + randInt, "GetShell" + randInt, svcctl.SC_MANAGER_ALL_ACCESS, 272, svcctl.SC_START_TYPE_SERVICE_DEMAND_START, svcctl.SC_SERVICE_ERROR_NORMAL, cmd, null, null, null, 0, null, null, 0, svcHandle); handle.Sendrecv(createServiceWRpc); if (createServiceWRpc.retval != 0) { throw new SmbException(createServiceWRpc.retval, true); } } svcctl.StartService startServiceRpc = new svcctl.StartService(svcHandle, 0, new String[0]); handle.Sendrecv(startServiceRpc); return(true); }
/// <exception cref="System.IO.IOException"></exception> internal static void ResolveSids(DcerpcHandle handle, LsaPolicyHandle policyHandle , Sid[] sids) { MsrpcLookupSids rpc = new MsrpcLookupSids(policyHandle, sids); handle.Sendrecv(rpc); switch (rpc.Retval) { case 0: case NtStatus.NtStatusNoneMapped: case unchecked (0x00000107): { // NT_STATUS_SOME_NOT_MAPPED break; } default: { throw new SmbException(rpc.Retval, false); } } for (int si = 0; si < sids.Length; si++) { sids[si].Type = rpc.Names.Names[si].SidType; sids[si].DomainName = null; switch (sids[si].Type) { case SidTypeUser: case SidTypeDomGrp: case SidTypeDomain: case SidTypeAlias: case SidTypeWknGrp: { int sidIndex = rpc.Names.Names[si].SidIndex; Rpc.Unicode_string ustr = rpc.Domains.Domains[sidIndex].Name; sids[si].DomainName = (new UnicodeString(ustr, false)).ToString(); break; } } sids[si].AcctName = (new UnicodeString(rpc.Names.Names[si].Name, false)).ToString (); sids[si].OriginServer = null; sids[si].OriginAuth = null; } }
/// <exception cref="System.IO.IOException"></exception> internal static Sid[] GetGroupMemberSids0(DcerpcHandle handle, SamrDomainHandle domainHandle, Sid domsid, int rid, int flags) { SamrAliasHandle aliasHandle = null; Lsarpc.LsarSidArray sidarray = new Lsarpc.LsarSidArray(); MsrpcGetMembersInAlias rpc = null; try { aliasHandle = new SamrAliasHandle(handle, domainHandle, unchecked (0x0002000c), rid); rpc = new MsrpcGetMembersInAlias(aliasHandle, sidarray); handle.Sendrecv(rpc); if (rpc.Retval != 0) { throw new SmbException(rpc.Retval, false); } Sid[] sids = new Sid[rpc.Sids.NumSids]; string originServer = handle.GetServer(); NtlmPasswordAuthentication originAuth = (NtlmPasswordAuthentication)handle.GetPrincipal(); for (int i = 0; i < sids.Length; i++) { sids[i] = new Sid(rpc.Sids.Sids[i].Sid, 0, null, null, false); sids[i].OriginServer = originServer; sids[i].OriginAuth = originAuth; } if (sids.Length > 0 && (flags & SidFlagResolveSids) != 0) { ResolveSids(originServer, originAuth, sids); } return(sids); } finally { if (aliasHandle != null) { aliasHandle.Close(); } } }
/// <exception cref="System.IO.IOException"></exception> public static Sid GetServerSid(string server, NtlmPasswordAuthentication auth) { DcerpcHandle handle = null; LsaPolicyHandle policyHandle = null; Lsarpc.LsarDomainInfo info = new Lsarpc.LsarDomainInfo(); MsrpcQueryInformationPolicy rpc; lock (SidCache) { try { handle = DcerpcHandle.GetHandle("ncacn_np:" + server + "[\\PIPE\\lsarpc]", auth); // NetApp doesn't like the 'generic' access mask values policyHandle = new LsaPolicyHandle(handle, null, unchecked (0x00000001)); rpc = new MsrpcQueryInformationPolicy(policyHandle, Lsarpc.PolicyInfoAccountDomain, info); handle.Sendrecv(rpc); if (rpc.Retval != 0) { throw new SmbException(rpc.Retval, false); } return(new Sid(info.Sid, SidTypeDomain, (new UnicodeString(info.Name, false)).ToString(), null, false)); } finally { if (handle != null) { if (policyHandle != null) { policyHandle.Close(); } handle.Close(); } } } }
/// <exception cref="System.IO.IOException"></exception> public SamrPolicyHandle(DcerpcHandle handle, string server, int access) { if (server == null) { server = "\\\\"; } MsrpcSamrConnect4 rpc = new MsrpcSamrConnect4(server, access, this); try { handle.Sendrecv(rpc); } catch (DcerpcException de) { if (de.GetErrorCode() != DcerpcError.DcerpcFaultOpRngError) { throw; } MsrpcSamrConnect2 rpc2 = new MsrpcSamrConnect2(server, access, this); handle.Sendrecv(rpc2); } }
/// <summary> /// This specialized method returns a Map of users and local groups for the /// target server where keys are SIDs representing an account and each value /// is an List<object> of SIDs represents the local groups that the account is /// a member of. /// </summary> /// <remarks> /// This specialized method returns a Map of users and local groups for the /// target server where keys are SIDs representing an account and each value /// is an List<object> of SIDs represents the local groups that the account is /// a member of. /// <p/> /// This method is designed to assist with computing access control for a /// given user when the target object's ACL has local groups. Local groups /// are not listed in a user's group membership (e.g. as represented by the /// tokenGroups constructed attribute retrived via LDAP). /// <p/> /// Domain groups nested inside a local group are currently not expanded. In /// this case the key (SID) type will be SID_TYPE_DOM_GRP rather than /// SID_TYPE_USER. /// </remarks> /// <param name="authorityServerName">The server from which the local groups will be queried. /// </param> /// <param name="auth">The credentials required to query groups and group members.</param> /// <param name="flags"> /// Flags that control the behavior of the operation. When all /// name associated with SIDs will be required, the SID_FLAG_RESOLVE_SIDS /// flag should be used which causes all group member SIDs to be resolved /// together in a single more efficient operation. /// </param> /// <exception cref="System.IO.IOException"></exception> internal static Hashtable GetLocalGroupsMap(string authorityServerName, NtlmPasswordAuthentication auth, int flags) { Sid domsid = GetServerSid(authorityServerName, auth); DcerpcHandle handle = null; SamrPolicyHandle policyHandle = null; SamrDomainHandle domainHandle = null; Samr.SamrSamArray sam = new Samr.SamrSamArray(); MsrpcEnumerateAliasesInDomain rpc; lock (SidCache) { try { handle = DcerpcHandle.GetHandle("ncacn_np:" + authorityServerName + "[\\PIPE\\samr]" , auth); policyHandle = new SamrPolicyHandle(handle, authorityServerName, unchecked (0x02000000)); domainHandle = new SamrDomainHandle(handle, policyHandle, unchecked (0x02000000), domsid); rpc = new MsrpcEnumerateAliasesInDomain(domainHandle, unchecked (0xFFFF), sam ); handle.Sendrecv(rpc); if (rpc.Retval != 0) { throw new SmbException(rpc.Retval, false); } Hashtable map = new Hashtable(); for (int ei = 0; ei < rpc.Sam.Count; ei++) { Samr.SamrSamEntry entry = rpc.Sam.Entries[ei]; Sid[] mems = GetGroupMemberSids0(handle, domainHandle, domsid , entry.Idx, flags); Sid groupSid = new Sid(domsid, entry.Idx); groupSid.Type = SidTypeAlias; groupSid.DomainName = domsid.GetDomainName(); groupSid.AcctName = (new UnicodeString(entry.Name, false)).ToString(); for (int mi = 0; mi < mems.Length; mi++) { List <object> groups = (List <object>)map.Get(mems[mi]); if (groups == null) { groups = new List <object>(); map.Put(mems[mi], groups); } if (!groups.Contains(groupSid)) { groups.Add(groupSid); } } } return(map); } finally { if (handle != null) { if (policyHandle != null) { if (domainHandle != null) { domainHandle.Close(); } policyHandle.Close(); } handle.Close(); } } } }