/// <summary>
/// Grabs computers names from the text file specified in the options, and attempts to resolve them to LDAP objects.
/// Pushes the corresponding LDAP objects to the queue.
/// </summary>
/// <param name="queue"></param>
/// <returns></returns>
protected override async Task ProduceLdap(ITargetBlock <SearchResultEntry> queue)
{
var computerFile = Options.Instance.ComputerFile;
var token = Helpers.GetCancellationToken();
OutputTasks.StartOutputTimer();
//Open the file for reading
using (var fileStream = new StreamReader(new FileStream(computerFile, FileMode.Open, FileAccess.Read)))
{
string computer;
// Loop over each line in the file
while ((computer = fileStream.ReadLine()) != null)
{
//If the cancellation token is set, cancel enumeration
if (token.IsCancellationRequested)
{
break;
}
string sid;
if (!computer.StartsWith("S-1-5-21"))
{
//The computer isn't a SID so try to convert it to one
sid = await ResolutionHelpers.ResolveHostToSid(computer, DomainName);
}
else
{
//The computer is already a sid, so just store it off
sid = computer;
}
try
{
//Convert the sid to a hex representation and find the entry in the domain
var hexSid = Helpers.ConvertSidToHexSid(sid);
var entry = await Searcher.GetOne($"(objectsid={hexSid})", Props, SearchScope.Subtree);
if (entry == null)
{
//We couldn't find the entry for whatever reason
Console.WriteLine($"Failed to resolve {computer}");
continue;
}
//Success! Send the computer to be processed
await queue.SendAsync(entry);
}
catch
{
Console.WriteLine($"Failed to resolve {computer}");
}
}
}
queue.Complete();
}
/// <summary>
/// Finds stealth targets using ldap properties.
/// </summary>
/// <returns></returns>
private async Task <Dictionary <string, SearchResultEntry> > FindPathTargetSids()
{
var paths = new ConcurrentDictionary <string, byte>();
var sids = new Dictionary <string, SearchResultEntry>();
//Request user objects with the "homedirectory", "scriptpath", or "profilepath" attributes
Parallel.ForEach(Searcher.QueryLdap(
"(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(homedirectory=*)(scriptpath=*)(profilepath=*)))",
new[] { "homedirectory", "scriptpath", "profilepath" }, SearchScope.Subtree), (searchResult) =>
{
//Grab any properties that exist, filter out null values
var poss = new[]
{
searchResult.GetProperty("homedirectory"), searchResult.GetProperty("scriptpath"),
searchResult.GetProperty("profilepath")
}.Where(s => s != null);
// Loop over each possibility, and grab the hostname from the path, adding it to a list
foreach (var s in poss)
{
var split = s?.Split('\\');
if (!(split?.Length >= 3))
{
continue;
}
var path = split[2];
paths.TryAdd(path, new byte());
}
});
// Loop over the paths we grabbed, and resolve them to sids.
foreach (var path in paths.Keys)
{
var sid = await ResolutionHelpers.ResolveHostToSid(path, DomainName);
if (sid != null)
{
var searchResult = await Searcher.GetOne($"(objectsid={Helpers.ConvertSidToHexSid(sid)})", Props,
SearchScope.Subtree);
sids.Add(sid, searchResult);
}
}
//Return all the sids corresponding to objects
return(sids);
}
private static async Task ProcessUserSPNs(User user)
{
var servicePrincipalNames = user.SearchResult.GetPropertyAsArray("serviceprincipalname");
var domain = user.Domain;
var resolved = new List <SPNTarget>();
//Loop over the spns, and look for any that start with mssqlsvc
foreach (var spn in servicePrincipalNames.Where(x => x.StartsWith("mssqlsvc", StringComparison.OrdinalIgnoreCase)))
{
int port;
if (spn.Contains(":"))
{
var success = int.TryParse(spn.Split(':')[1], out port);
if (!success)
{
port = 1433;
}
}
else
{
port = 1433;
}
//Try to turn the host into a SID
var hostSid = await ResolutionHelpers.ResolveHostToSid(spn, domain);
if (hostSid.StartsWith("S-1-5"))
{
resolved.Add(new SPNTarget
{
ComputerSid = hostSid,
Port = port,
Service = "SQLAdmin"
});
}
}
user.SPNTargets = resolved.Distinct().ToArray();
}
/// <summary>
/// Grab properties from User objects
/// </summary>
/// <param name="wrapper"></param>
/// <returns></returns>
private static async Task ParseUserProperties(User wrapper)
{
var result = wrapper.SearchResult;
// Start with UAC properties
var userAccountControl = result.GetProperty("useraccountcontrol");
var enabled = true;
var trustedToAuth = false;
var sensitive = false;
var dontReqPreAuth = false;
var passwdNotReq = false;
var unconstrained = false;
var pwdNeverExires = false;
if (int.TryParse(userAccountControl, out var baseFlags))
{
var uacFlags = (UacFlags)baseFlags;
enabled = (uacFlags & UacFlags.AccountDisable) == 0;
trustedToAuth = (uacFlags & UacFlags.TrustedToAuthForDelegation) != 0;
sensitive = (uacFlags & UacFlags.NotDelegated) != 0;
dontReqPreAuth = (uacFlags & UacFlags.DontReqPreauth) != 0;
passwdNotReq = (uacFlags & UacFlags.PasswordNotRequired) != 0;
unconstrained = (uacFlags & UacFlags.TrustedForDelegation) != 0;
pwdNeverExires = (uacFlags & UacFlags.DontExpirePassword) != 0;
}
wrapper.Properties.Add("dontreqpreauth", dontReqPreAuth);
wrapper.Properties.Add("passwordnotreqd", passwdNotReq);
wrapper.Properties.Add("unconstraineddelegation", unconstrained);
wrapper.Properties.Add("sensitive", sensitive);
wrapper.Properties.Add("enabled", enabled);
wrapper.Properties.Add("pwdneverexpires", pwdNeverExires);
var trustedToAuthComputers = new List <string>();
// Parse Allowed To Delegate
if (trustedToAuth)
{
var delegates = result.GetPropertyAsArray("msds-AllowedToDelegateTo");
wrapper.Properties.Add("allowedtodelegate", delegates);
//Try to resolve each computer to a SID
foreach (var computerName in delegates)
{
var resolvedHost = await ResolutionHelpers.ResolveHostToSid(computerName, wrapper.Domain);
trustedToAuthComputers.Add(resolvedHost);
}
}
wrapper.AllowedToDelegate = trustedToAuthComputers.Distinct().ToArray();
//Grab time based properties
wrapper.Properties.Add("lastlogon", ConvertToUnixEpoch(result.GetProperty("lastlogon")));
wrapper.Properties.Add("lastlogontimestamp", ConvertToUnixEpoch(result.GetProperty("lastlogontimestamp")));
wrapper.Properties.Add("pwdlastset", ConvertToUnixEpoch(result.GetProperty("pwdlastset")));
var servicePrincipalNames = result.GetPropertyAsArray("serviceprincipalname");
wrapper.Properties.Add("serviceprincipalnames", servicePrincipalNames);
wrapper.Properties.Add("hasspn", servicePrincipalNames.Length > 0);
wrapper.Properties.Add("displayname", result.GetProperty("displayname"));
wrapper.Properties.Add("email", result.GetProperty("mail"));
wrapper.Properties.Add("title", result.GetProperty("title"));
wrapper.Properties.Add("homedirectory", result.GetProperty("homedirectory"));
wrapper.Properties.Add("userpassword", result.GetProperty("userpassword"));
var adminCount = result.GetProperty("admincount");
if (adminCount != null)
{
var a = int.Parse(adminCount);
wrapper.Properties.Add("admincount", a != 0);
}
else
{
wrapper.Properties.Add("admincount", false);
}
var sidHistory = result.GetPropertyAsArrayOfBytes("sidhistory");
var sidHistoryList = new List <string>();
var sidHistoryPrincipals = new List <GenericMember>();
foreach (var sid in sidHistory)
{
var s = Helpers.CreateSecurityIdentifier(sid)?.Value;
if (s != null)
{
sidHistoryList.Add(s);
var sidType = await ResolutionHelpers.LookupSidType(s, wrapper.Domain);
if (sidType != LdapTypeEnum.Unknown)
{
sidHistoryPrincipals.Add(new GenericMember
{
MemberId = s,
MemberType = sidType
});
}
}
}
wrapper.HasSIDHistory = sidHistoryPrincipals.ToArray();
wrapper.Properties.Add("sidhistory", sidHistoryList.ToArray());
}
/// <summary>
/// Grabs properties from Computer objects
/// </summary>
/// <param name="wrapper"></param>
/// <returns></returns>
private static async Task ParseComputerProperties(Computer wrapper)
{
var result = wrapper.SearchResult;
var userAccountControl = result.GetProperty("useraccountcontrol");
var enabled = true;
var trustedToAuth = false;
var unconstrained = false;
if (int.TryParse(userAccountControl, out var baseFlags))
{
var uacFlags = (UacFlags)baseFlags;
enabled = (uacFlags & UacFlags.AccountDisable) == 0;
trustedToAuth = (uacFlags & UacFlags.TrustedToAuthForDelegation) != 0;
unconstrained = (uacFlags & UacFlags.TrustedForDelegation) != 0;
}
wrapper.Properties.Add("enabled", enabled);
wrapper.Properties.Add("unconstraineddelegation", unconstrained);
var trustedToAuthComputers = new List <string>();
// Parse Allowed To Delegate
if (trustedToAuth)
{
var delegates = result.GetPropertyAsArray("msds-AllowedToDelegateTo");
wrapper.Properties.Add("allowedtodelegate", delegates);
// For each computer thats in this array, try and turn it into a SID
foreach (var computerName in delegates)
{
var resolvedHost = await ResolutionHelpers.ResolveHostToSid(computerName, wrapper.Domain);
trustedToAuthComputers.Add(resolvedHost);
}
}
wrapper.AllowedToDelegate = trustedToAuthComputers.Distinct().ToArray();
var allowedToAct = result.GetPropertyAsBytes("msDS-AllowedToActOnBehalfOfOtherIdentity");
var allowedToActPrincipals = new List <GenericMember>();
if (allowedToAct != null)
{
var securityDescriptor = new ActiveDirectorySecurity();
securityDescriptor.SetSecurityDescriptorBinaryForm(allowedToAct);
foreach (ActiveDirectoryAccessRule ace in securityDescriptor.GetAccessRules(true, true,
typeof(SecurityIdentifier)))
{
var sid = ace.IdentityReference.Value;
LdapTypeEnum type;
if (CommonPrincipal.GetCommonSid(sid, out var principal))
{
type = principal.Type;
sid = Helpers.ConvertCommonSid(sid, wrapper.Domain);
}
else
{
type = await ResolutionHelpers.LookupSidType(sid, wrapper.Domain);
}
allowedToActPrincipals.Add(new GenericMember
{
MemberType = type,
MemberId = sid
});
}
}
wrapper.AllowedToAct = allowedToActPrincipals.Distinct().ToArray();
wrapper.Properties.Add("serviceprincipalnames", result.GetPropertyAsArray("serviceprincipalname"));
wrapper.Properties.Add("lastlogontimestamp", ConvertToUnixEpoch(result.GetProperty("lastlogontimestamp")));
wrapper.Properties.Add("pwdlastset", ConvertToUnixEpoch(result.GetProperty("pwdlastset")));
var os = result.GetProperty("operatingsystem");
var sp = result.GetProperty("operatingsystemservicepack");
if (sp != null)
{
os = $"{os} {sp}";
}
wrapper.Properties.Add("operatingsystem", os);
}
/// <summary>
/// Wraps the NetSessionEnum API call with a timeout and parses the results
/// </summary>
/// <param name="computer"></param>
/// <returns></returns>
private static async Task <List <Session> > GetNetSessions(Computer computer)
{
var resumeHandle = IntPtr.Zero;
var sessionInfoType = typeof(SESSION_INFO_10);
var entriesRead = 0;
var ptrInfo = IntPtr.Zero;
var sessionList = new List <Session>();
try
{
var task = Task.Run(() => NetSessionEnum(computer.APIName, null, null, 10,
out ptrInfo, -1, out entriesRead, out _, ref resumeHandle));
//10 second timeout
if (await Task.WhenAny(task, Task.Delay(10000)) != task)
{
if (Options.Instance.DumpComputerStatus)
{
OutputTasks.AddComputerStatus(new ComputerStatus
{
ComputerName = computer.DisplayName,
Status = "Timeout",
Task = "NetSessionEnum"
});
}
return(sessionList);
}
var taskResult = task.Result;
if (taskResult != 0)
{
if (Options.Instance.DumpComputerStatus)
{
OutputTasks.AddComputerStatus(new ComputerStatus
{
ComputerName = computer.DisplayName,
Status = ((NetApiStatus)taskResult).ToString(),
Task = "NetSessionEnum"
});
}
return(sessionList);
}
var sessions = new SESSION_INFO_10[entriesRead];
var iterator = ptrInfo;
for (var i = 0; i < entriesRead; i++)
{
sessions[i] = (SESSION_INFO_10)Marshal.PtrToStructure(iterator, sessionInfoType);
iterator = (IntPtr)(iterator.ToInt64() + Marshal.SizeOf(sessionInfoType));
}
if (Options.Instance.DumpComputerStatus)
{
OutputTasks.AddComputerStatus(new ComputerStatus
{
ComputerName = computer.DisplayName,
Status = "Success",
Task = "NetSessionEnum"
});
}
foreach (var session in sessions)
{
var sessionUsername = session.sesi10_username;
var computerName = session.sesi10_cname;
if (computerName == null)
{
continue;
}
string computerSid = null;
//Filter out computer accounts, Anonymous Logon, empty users
if (sessionUsername.EndsWith(
"$") || sessionUsername.Trim() == "" || sessionUsername == "$" || sessionUsername ==
Options.Instance.CurrentUserName || sessionUsername == "ANONYMOUS LOGON")
{
continue;
}
//Remove leading backslashes
if (computerName.StartsWith("\\"))
{
computerName = computerName.TrimStart('\\');
}
//Remove empty sessions
if (string.IsNullOrEmpty(computerName))
{
continue;
}
//If the session is pointing to localhost, we already know what the SID of the computer is
if (computerName.Equals("[::1]") || computerName.Equals("127.0.0.1"))
{
computerSid = computer.ObjectIdentifier;
}
//Try converting the computer name to a SID if we didn't already get it from a localhost
computerSid = computerSid ?? await ResolutionHelpers.ResolveHostToSid(computerName, computer.Domain);
//Try converting the username to a SID
var searcher = Helpers.GetDirectorySearcher(computer.Domain);
var sids = await searcher.LookupUserInGC(sessionUsername);
if (sids?.Length > 0)
{
foreach (var sid in sids)
{
sessionList.Add(new Session
{
ComputerId = computerSid,
UserId = sid
});
}
}
else
{
var(success, sid, _) =
await ResolutionHelpers.ResolveAccountNameToSidAndType(sessionUsername, computer.Domain);
if (success)
{
sessionList.Add(new Session
{
ComputerId = computerSid,
UserId = sid
});
}
else
{
sessionList.Add(new Session
{
ComputerId = computerSid,
UserId = sessionUsername
});
}
}
}
return(sessionList);
}
finally
{
if (ptrInfo != IntPtr.Zero)
{
NetApiBufferFree(ptrInfo);
}
}
}
