/// <summary> /// Grabs computers names from the text file specified in the options, and attempts to resolve them to LDAP objects. /// Pushes the corresponding LDAP objects to the queue. /// </summary> /// <param name="queue"></param> /// <returns></returns> protected override async Task ProduceLdap(ITargetBlock <SearchResultEntry> queue) { var computerFile = Options.Instance.ComputerFile; var token = Helpers.GetCancellationToken(); OutputTasks.StartOutputTimer(); //Open the file for reading using (var fileStream = new StreamReader(new FileStream(computerFile, FileMode.Open, FileAccess.Read))) { string computer; // Loop over each line in the file while ((computer = fileStream.ReadLine()) != null) { //If the cancellation token is set, cancel enumeration if (token.IsCancellationRequested) { break; } string sid; if (!computer.StartsWith("S-1-5-21")) { //The computer isn't a SID so try to convert it to one sid = await ResolutionHelpers.ResolveHostToSid(computer, DomainName); } else { //The computer is already a sid, so just store it off sid = computer; } try { //Convert the sid to a hex representation and find the entry in the domain var hexSid = Helpers.ConvertSidToHexSid(sid); var entry = await Searcher.GetOne($"(objectsid={hexSid})", Props, SearchScope.Subtree); if (entry == null) { //We couldn't find the entry for whatever reason Console.WriteLine($"Failed to resolve {computer}"); continue; } //Success! Send the computer to be processed await queue.SendAsync(entry); } catch { Console.WriteLine($"Failed to resolve {computer}"); } } } queue.Complete(); }
/// <summary> /// Finds stealth targets using ldap properties. /// </summary> /// <returns></returns> private async Task <Dictionary <string, SearchResultEntry> > FindPathTargetSids() { var paths = new ConcurrentDictionary <string, byte>(); var sids = new Dictionary <string, SearchResultEntry>(); //Request user objects with the "homedirectory", "scriptpath", or "profilepath" attributes Parallel.ForEach(Searcher.QueryLdap( "(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(homedirectory=*)(scriptpath=*)(profilepath=*)))", new[] { "homedirectory", "scriptpath", "profilepath" }, SearchScope.Subtree), (searchResult) => { //Grab any properties that exist, filter out null values var poss = new[] { searchResult.GetProperty("homedirectory"), searchResult.GetProperty("scriptpath"), searchResult.GetProperty("profilepath") }.Where(s => s != null); // Loop over each possibility, and grab the hostname from the path, adding it to a list foreach (var s in poss) { var split = s?.Split('\\'); if (!(split?.Length >= 3)) { continue; } var path = split[2]; paths.TryAdd(path, new byte()); } }); // Loop over the paths we grabbed, and resolve them to sids. foreach (var path in paths.Keys) { var sid = await ResolutionHelpers.ResolveHostToSid(path, DomainName); if (sid != null) { var searchResult = await Searcher.GetOne($"(objectsid={Helpers.ConvertSidToHexSid(sid)})", Props, SearchScope.Subtree); sids.Add(sid, searchResult); } } //Return all the sids corresponding to objects return(sids); }
private static async Task ProcessUserSPNs(User user) { var servicePrincipalNames = user.SearchResult.GetPropertyAsArray("serviceprincipalname"); var domain = user.Domain; var resolved = new List <SPNTarget>(); //Loop over the spns, and look for any that start with mssqlsvc foreach (var spn in servicePrincipalNames.Where(x => x.StartsWith("mssqlsvc", StringComparison.OrdinalIgnoreCase))) { int port; if (spn.Contains(":")) { var success = int.TryParse(spn.Split(':')[1], out port); if (!success) { port = 1433; } } else { port = 1433; } //Try to turn the host into a SID var hostSid = await ResolutionHelpers.ResolveHostToSid(spn, domain); if (hostSid.StartsWith("S-1-5")) { resolved.Add(new SPNTarget { ComputerSid = hostSid, Port = port, Service = "SQLAdmin" }); } } user.SPNTargets = resolved.Distinct().ToArray(); }
/// <summary> /// Grab properties from User objects /// </summary> /// <param name="wrapper"></param> /// <returns></returns> private static async Task ParseUserProperties(User wrapper) { var result = wrapper.SearchResult; // Start with UAC properties var userAccountControl = result.GetProperty("useraccountcontrol"); var enabled = true; var trustedToAuth = false; var sensitive = false; var dontReqPreAuth = false; var passwdNotReq = false; var unconstrained = false; var pwdNeverExires = false; if (int.TryParse(userAccountControl, out var baseFlags)) { var uacFlags = (UacFlags)baseFlags; enabled = (uacFlags & UacFlags.AccountDisable) == 0; trustedToAuth = (uacFlags & UacFlags.TrustedToAuthForDelegation) != 0; sensitive = (uacFlags & UacFlags.NotDelegated) != 0; dontReqPreAuth = (uacFlags & UacFlags.DontReqPreauth) != 0; passwdNotReq = (uacFlags & UacFlags.PasswordNotRequired) != 0; unconstrained = (uacFlags & UacFlags.TrustedForDelegation) != 0; pwdNeverExires = (uacFlags & UacFlags.DontExpirePassword) != 0; } wrapper.Properties.Add("dontreqpreauth", dontReqPreAuth); wrapper.Properties.Add("passwordnotreqd", passwdNotReq); wrapper.Properties.Add("unconstraineddelegation", unconstrained); wrapper.Properties.Add("sensitive", sensitive); wrapper.Properties.Add("enabled", enabled); wrapper.Properties.Add("pwdneverexpires", pwdNeverExires); var trustedToAuthComputers = new List <string>(); // Parse Allowed To Delegate if (trustedToAuth) { var delegates = result.GetPropertyAsArray("msds-AllowedToDelegateTo"); wrapper.Properties.Add("allowedtodelegate", delegates); //Try to resolve each computer to a SID foreach (var computerName in delegates) { var resolvedHost = await ResolutionHelpers.ResolveHostToSid(computerName, wrapper.Domain); trustedToAuthComputers.Add(resolvedHost); } } wrapper.AllowedToDelegate = trustedToAuthComputers.Distinct().ToArray(); //Grab time based properties wrapper.Properties.Add("lastlogon", ConvertToUnixEpoch(result.GetProperty("lastlogon"))); wrapper.Properties.Add("lastlogontimestamp", ConvertToUnixEpoch(result.GetProperty("lastlogontimestamp"))); wrapper.Properties.Add("pwdlastset", ConvertToUnixEpoch(result.GetProperty("pwdlastset"))); var servicePrincipalNames = result.GetPropertyAsArray("serviceprincipalname"); wrapper.Properties.Add("serviceprincipalnames", servicePrincipalNames); wrapper.Properties.Add("hasspn", servicePrincipalNames.Length > 0); wrapper.Properties.Add("displayname", result.GetProperty("displayname")); wrapper.Properties.Add("email", result.GetProperty("mail")); wrapper.Properties.Add("title", result.GetProperty("title")); wrapper.Properties.Add("homedirectory", result.GetProperty("homedirectory")); wrapper.Properties.Add("userpassword", result.GetProperty("userpassword")); var adminCount = result.GetProperty("admincount"); if (adminCount != null) { var a = int.Parse(adminCount); wrapper.Properties.Add("admincount", a != 0); } else { wrapper.Properties.Add("admincount", false); } var sidHistory = result.GetPropertyAsArrayOfBytes("sidhistory"); var sidHistoryList = new List <string>(); var sidHistoryPrincipals = new List <GenericMember>(); foreach (var sid in sidHistory) { var s = Helpers.CreateSecurityIdentifier(sid)?.Value; if (s != null) { sidHistoryList.Add(s); var sidType = await ResolutionHelpers.LookupSidType(s, wrapper.Domain); if (sidType != LdapTypeEnum.Unknown) { sidHistoryPrincipals.Add(new GenericMember { MemberId = s, MemberType = sidType }); } } } wrapper.HasSIDHistory = sidHistoryPrincipals.ToArray(); wrapper.Properties.Add("sidhistory", sidHistoryList.ToArray()); }
/// <summary> /// Grabs properties from Computer objects /// </summary> /// <param name="wrapper"></param> /// <returns></returns> private static async Task ParseComputerProperties(Computer wrapper) { var result = wrapper.SearchResult; var userAccountControl = result.GetProperty("useraccountcontrol"); var enabled = true; var trustedToAuth = false; var unconstrained = false; if (int.TryParse(userAccountControl, out var baseFlags)) { var uacFlags = (UacFlags)baseFlags; enabled = (uacFlags & UacFlags.AccountDisable) == 0; trustedToAuth = (uacFlags & UacFlags.TrustedToAuthForDelegation) != 0; unconstrained = (uacFlags & UacFlags.TrustedForDelegation) != 0; } wrapper.Properties.Add("enabled", enabled); wrapper.Properties.Add("unconstraineddelegation", unconstrained); var trustedToAuthComputers = new List <string>(); // Parse Allowed To Delegate if (trustedToAuth) { var delegates = result.GetPropertyAsArray("msds-AllowedToDelegateTo"); wrapper.Properties.Add("allowedtodelegate", delegates); // For each computer thats in this array, try and turn it into a SID foreach (var computerName in delegates) { var resolvedHost = await ResolutionHelpers.ResolveHostToSid(computerName, wrapper.Domain); trustedToAuthComputers.Add(resolvedHost); } } wrapper.AllowedToDelegate = trustedToAuthComputers.Distinct().ToArray(); var allowedToAct = result.GetPropertyAsBytes("msDS-AllowedToActOnBehalfOfOtherIdentity"); var allowedToActPrincipals = new List <GenericMember>(); if (allowedToAct != null) { var securityDescriptor = new ActiveDirectorySecurity(); securityDescriptor.SetSecurityDescriptorBinaryForm(allowedToAct); foreach (ActiveDirectoryAccessRule ace in securityDescriptor.GetAccessRules(true, true, typeof(SecurityIdentifier))) { var sid = ace.IdentityReference.Value; LdapTypeEnum type; if (CommonPrincipal.GetCommonSid(sid, out var principal)) { type = principal.Type; sid = Helpers.ConvertCommonSid(sid, wrapper.Domain); } else { type = await ResolutionHelpers.LookupSidType(sid, wrapper.Domain); } allowedToActPrincipals.Add(new GenericMember { MemberType = type, MemberId = sid }); } } wrapper.AllowedToAct = allowedToActPrincipals.Distinct().ToArray(); wrapper.Properties.Add("serviceprincipalnames", result.GetPropertyAsArray("serviceprincipalname")); wrapper.Properties.Add("lastlogontimestamp", ConvertToUnixEpoch(result.GetProperty("lastlogontimestamp"))); wrapper.Properties.Add("pwdlastset", ConvertToUnixEpoch(result.GetProperty("pwdlastset"))); var os = result.GetProperty("operatingsystem"); var sp = result.GetProperty("operatingsystemservicepack"); if (sp != null) { os = $"{os} {sp}"; } wrapper.Properties.Add("operatingsystem", os); }
/// <summary> /// Wraps the NetSessionEnum API call with a timeout and parses the results /// </summary> /// <param name="computer"></param> /// <returns></returns> private static async Task <List <Session> > GetNetSessions(Computer computer) { var resumeHandle = IntPtr.Zero; var sessionInfoType = typeof(SESSION_INFO_10); var entriesRead = 0; var ptrInfo = IntPtr.Zero; var sessionList = new List <Session>(); try { var task = Task.Run(() => NetSessionEnum(computer.APIName, null, null, 10, out ptrInfo, -1, out entriesRead, out _, ref resumeHandle)); //10 second timeout if (await Task.WhenAny(task, Task.Delay(10000)) != task) { if (Options.Instance.DumpComputerStatus) { OutputTasks.AddComputerStatus(new ComputerStatus { ComputerName = computer.DisplayName, Status = "Timeout", Task = "NetSessionEnum" }); } return(sessionList); } var taskResult = task.Result; if (taskResult != 0) { if (Options.Instance.DumpComputerStatus) { OutputTasks.AddComputerStatus(new ComputerStatus { ComputerName = computer.DisplayName, Status = ((NetApiStatus)taskResult).ToString(), Task = "NetSessionEnum" }); } return(sessionList); } var sessions = new SESSION_INFO_10[entriesRead]; var iterator = ptrInfo; for (var i = 0; i < entriesRead; i++) { sessions[i] = (SESSION_INFO_10)Marshal.PtrToStructure(iterator, sessionInfoType); iterator = (IntPtr)(iterator.ToInt64() + Marshal.SizeOf(sessionInfoType)); } if (Options.Instance.DumpComputerStatus) { OutputTasks.AddComputerStatus(new ComputerStatus { ComputerName = computer.DisplayName, Status = "Success", Task = "NetSessionEnum" }); } foreach (var session in sessions) { var sessionUsername = session.sesi10_username; var computerName = session.sesi10_cname; if (computerName == null) { continue; } string computerSid = null; //Filter out computer accounts, Anonymous Logon, empty users if (sessionUsername.EndsWith( "$") || sessionUsername.Trim() == "" || sessionUsername == "$" || sessionUsername == Options.Instance.CurrentUserName || sessionUsername == "ANONYMOUS LOGON") { continue; } //Remove leading backslashes if (computerName.StartsWith("\\")) { computerName = computerName.TrimStart('\\'); } //Remove empty sessions if (string.IsNullOrEmpty(computerName)) { continue; } //If the session is pointing to localhost, we already know what the SID of the computer is if (computerName.Equals("[::1]") || computerName.Equals("127.0.0.1")) { computerSid = computer.ObjectIdentifier; } //Try converting the computer name to a SID if we didn't already get it from a localhost computerSid = computerSid ?? await ResolutionHelpers.ResolveHostToSid(computerName, computer.Domain); //Try converting the username to a SID var searcher = Helpers.GetDirectorySearcher(computer.Domain); var sids = await searcher.LookupUserInGC(sessionUsername); if (sids?.Length > 0) { foreach (var sid in sids) { sessionList.Add(new Session { ComputerId = computerSid, UserId = sid }); } } else { var(success, sid, _) = await ResolutionHelpers.ResolveAccountNameToSidAndType(sessionUsername, computer.Domain); if (success) { sessionList.Add(new Session { ComputerId = computerSid, UserId = sid }); } else { sessionList.Add(new Session { ComputerId = computerSid, UserId = sessionUsername }); } } } return(sessionList); } finally { if (ptrInfo != IntPtr.Zero) { NetApiBufferFree(ptrInfo); } } }