public static JObject ParseSddlString(string rawSddl, SecurableObjectType type)
{
var sddl = new Sddl(rawSddl, type);
return(sddl.ToJObject());
//return new JObject();
}
/// <summary>
/// Check if user canot change password.
/// @param sddl SSDL.
/// @return <tt>true</tt> if user cannot change password: <tt>false</tt> otherwise.
/// </summary>
public static bool IsUserCannotChangePassword(Sddl sddl)
{
var res = false;
List <Ace> aces = sddl.GetDacl().GetAces();
for (var i = 0; !res && i < aces.Count; i++)
{
Ace ace = aces[i];
if (ace.GetAceType() == AceType.AccessDeniedObjectAceType &&
ace.GetObjectFlags().GetFlags().Contains(AceObjectFlags.Flag.AceObjectTypePresent))
{
if (ace.GetObjectType() == ucpObjectGuid)
{
SID sid = ace.GetSid();
if (sid.GetSubAuthorities().Count == 1)
{
if (sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }) &&
sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00 }) ||
sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x05 }) &&
sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x0a }))
{
res = true;
}
}
}
}
}
return(res);
}
static void Main(string[] args)
{
SecurableObjectType type = SecurableObjectType.Unknown;
string sddlString;
switch (args.Length)
{
case 2:
if (Enum.TryParse(typeof(SecurableObjectType), args[1], out var value))
{
type = (SecurableObjectType)value;
goto case 1;
}
else
{
goto default;
}
case 1:
sddlString = args[0];
break;
default:
Usage();
return;
}
var sddl = new Sddl(sddlString, type);
Console.WriteLine(sddl.ToString());
}
public static JObject ParseSddlString(string rawSddl, SecurableObjectType type)
{
Sddl sddl = new Sddl(rawSddl, type);
JObject sddlJObject = sddl.ToJObject();
return(sddlJObject);
}
public void LdapConnection_GetNtSecurityDescriptor()
{
Sddl sddl = new Sddl(File.ReadAllBytes(Config.GetLocation("AdsddlTest.bin")));
// sddl test
byte revision = sddl.GetRevision();
Assert.Equal(0x01, revision);
byte[] flags = sddl.GetControlFlags();
Assert.Equal(new byte[] { 0x84, 0x14 }, flags);
int sddlSize = sddl.GetSize();
Assert.Equal(2688, sddlSize);
SID group = sddl.GetGroup();
Assert.Equal("S-1-5-32-544", group.ToString());
SID owner = sddl.GetOwner();
Assert.Equal("S-1-5-32-544", owner.ToString());
// dacl test
Acl dacl = sddl.GetDacl();
Assert.Equal("P(D;;Dc;;;S-1-1-0)(OA;CIIO;Rp;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIO;Rp;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIO;Rp;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIO;Rp;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIO;Rp;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIO;Rp;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIO;Rp;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIO;Rp;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIO;Rp;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIO;Rp;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;;Cr;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-3915767550-1135939244-3079240635-522)(OA;;Cr;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3915767550-1135939244-3079240635-498)(OA;;Cr;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3915767550-1135939244-3079240635-516)(OA;CI;RpWp;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3915767550-1135939244-3079240635-526)(OA;CI;RpWp;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3915767550-1135939244-3079240635-527)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-3-0)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIO;Rp;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIO;Rp;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIO;Rp;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIO;Wp;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;;Cr;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-32-544)(OA;;Cr;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-32-544)(OA;;Cr;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-32-544)(OA;;Cr;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-32-544)(OA;;Cr;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-32-544)(OA;;Cr;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-32-544)(OA;;Cr;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;Rp;c7407360-20bf-11d0-a768-00aa006e0529;;S-1-5-32-554)(OA;;Rp;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;S-1-5-32-554)(OA;CIIO;LcRpLoRc;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIO;LcRpLoRc;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIO;LcRpLoRc;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;;Cr;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;S-1-5-11)(OA;;Cr;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-9)(OA;;Cr;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;S-1-5-11)(OA;;Cr;280f369c-67c7-438e-ae98-1d46f3c6f541;;S-1-5-11)(OA;;Cr;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-9)(OA;;Cr;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-9)(OA;;Cr;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-9)(OA;;Cr;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-9)(OA;;Rp;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;S-1-5-11)(OA;OICI;RpWp;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-10)(OA;CIIO;RpWpCr;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;S-1-5-10)(A;;CcLcSWRpWpLoCrRcWdWo;;;S-1-5-21-3915767550-1135939244-3079240635-512)(A;CI;CcDcLcSWRpWpDtLoCrSdRcWdWo;;;S-1-5-21-3915767550-1135939244-3079240635-519)(A;;RpRc;;;S-1-5-32-554)(A;CI;Lc;;;S-1-5-32-554)(A;CI;CcLcSWRpWpLoCrSdRcWdWo;;;S-1-5-32-544)(A;;Rp;;;S-1-1-0)(A;;LcRpLoRc;;;S-1-5-9)(A;;LcRpLoRc;;;S-1-5-11)(A;;CcDcLcSWRpWpDtLoCrSdRcWdWo;;;S-1-5-18)", dacl.ToString());
AclRevision daclRevision = dacl.GetRevision();
Assert.Equal(AclRevision.AclRevisionDs, daclRevision);
int acesCount = dacl.GetAceCount();
Assert.Equal(54, acesCount);
int daclSize = dacl.GetSize();
Assert.Equal(2436, daclSize);
// sacl test
Acl sacl = sddl.GetSacl();
Assert.Equal("P(OU;CISA;Wp;;;S-1-3191541491-0)(OU;CISA;Wp;;;S-1-3208318707-0)(AU;SA;Cr;;;S-1-5-21-3915767550-1135939244-3079240635-513)(AU;SA;Cr;;;S-1-5-32-544)(AU;SA;WpWdWo;;;S-1-1-0)", sacl.ToString());
AclRevision saclRevision = sacl.GetRevision();
Assert.Equal(AclRevision.AclRevisionDs, saclRevision);
int saclAcesCount = sacl.GetAceCount();
Assert.Equal(5, saclAcesCount);
int saclSize = sacl.GetSize();
Assert.Equal(200, saclSize);
}
public void SddlString_Should_Be_Parsed_And_Printed_As_Expected(string sddlString, string expectedOutput)
{
// Arrange
// Act
var sddl = new Sddl(sddlString);
var actualOutput = sddl.ToString();
// Assert
actualOutput = actualOutput.Replace("\r\n", "\n");
expectedOutput = expectedOutput.Replace("\r\n", "\n");
Assert.Equal(expectedOutput, actualOutput);
}
public void Two_Different_Sddl_Object_Should_Not_Be_Equal(string sddlString0, string sddlString1)
{
Sddl sddlObject0 = null;
Sddl sddlObject1 = null;
if (!string.IsNullOrEmpty(sddlString0))
{
sddlObject0 = new Sddl(sddlString0);
}
if (!string.IsNullOrEmpty(sddlString1))
{
sddlObject1 = new Sddl(sddlString1);
}
Assert.True(sddlObject0 != sddlObject1);
}
/// <summary>
/// Fetches the DACL of the object which is evaluated by
/// {@linkplain net.tirasa.adsddl.ntsd.dacl.DACLAssertor#doAssert}
/// @throws CommunicationException
/// @throws NameNotFoundException
/// @throws NamingException
/// </summary>
private void GetDacl()
{
SearchRequest directoryRequest = new SearchRequest(LdapUtils.GetDnFromHostname(),
"",
Native.Native.LdapSearchScope.LDAP_SCOPE_SUBTREE)
{
Attributes = { LdapAttributes.NtSecurityDescriptor }
};
directoryRequest.Controls.Add(new SecurityDescriptorFlagControl(SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Dacl | SecurityMasks.Sacl));
SearchResponse response = (SearchResponse)this.ldapContext.SendRequest(directoryRequest);
DirectoryEntry entry = response.Entries.FirstOrDefault();
if (entry == null)
{
throw new LdapException("Couldn't find ldap");
}
byte[] descbytes = entry.GetBytes(LdapAttributes.NtSecurityDescriptor);
Sddl sddl = new Sddl(descbytes);
this.dacl = sddl.GetDacl();
}
/// <summary>
/// Set "User Cannot Change Password ACL".
/// @param sddl SDDL.
/// @param cannot <tt>true</tt> to set the ACL; <tt>false</tt> to unset.
/// @return updated SDDL.
/// </summary>
public static Sddl UserCannotChangePassword(Sddl sddl, bool cannot)
{
AceType type = cannot ? AceType.AccessDeniedObjectAceType : AceType.AccessAllowedObjectAceType;
Ace self = null;
Ace all = null;
List <Ace> aces = sddl.GetDacl().GetAces();
for (var i = 0; (all == null || self == null) && i < aces.Count; i++)
{
Ace ace = aces[i];
if ((ace.GetAceType() == AceType.AccessAllowedObjectAceType ||
ace.GetAceType() == AceType.AccessDeniedObjectAceType) &&
ace.GetObjectFlags().GetFlags().Contains(AceObjectFlags.Flag.AceObjectTypePresent))
{
if (ace.GetObjectType() == ucpObjectGuid)
{
SID sid = ace.GetSid();
if (sid.GetSubAuthorities().Count == 1)
{
if (self == null &&
sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }) &&
sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00 }))
{
self = ace;
self.SetType(type);
}
else if (all == null &&
sid.GetIdentifierAuthority().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x05 }) &&
sid.GetSubAuthorities().First().SequenceEqual(new byte[] { 0x00, 0x00, 0x00, 0x0a }))
{
all = ace;
all.SetType(type);
}
}
}
}
}
if (self == null)
{
// prepare aces
self = Ace.NewInstance(type);
self.SetObjectFlags(new AceObjectFlags(AceObjectFlags.Flag.AceObjectTypePresent));
self.SetObjectType(ucpObjectGuid);
self.SetRights(new AceRights().AddOjectRight(AceRights.ObjectRight.Cr));
SID sid = SID.NewInstance(NumberFacility.GetBytes(0x000000000001, 6));
sid.AddSubAuthority(NumberFacility.GetBytes(0));
self.SetSid(sid);
sddl.GetDacl().GetAces().Add(self);
}
if (all == null)
{
all = Ace.NewInstance(type);
all.SetObjectFlags(new AceObjectFlags(AceObjectFlags.Flag.AceObjectTypePresent));
all.SetObjectType(ucpObjectGuid);
all.SetRights(new AceRights().AddOjectRight(AceRights.ObjectRight.Cr));
SID sid = SID.NewInstance(NumberFacility.GetBytes(0x000000000005, 6));
sid.AddSubAuthority(NumberFacility.GetBytes(0x0A));
all.SetSid(sid);
sddl.GetDacl().GetAces().Add(all);
}
return(sddl);
}
/// <summary>
/// Process record.
/// </summary>
protected override void ProcessRecord()
{
IEnumerable <Sid> sids;
switch (ParameterSetName)
{
case "sddl":
sids = Sddl.Select(s => new Sid(s));
break;
case "name":
sids = Name.Select(s => NtSecurity.LookupAccountName(s));
break;
case "service":
sids = ServiceName.Select(s => NtSecurity.GetServiceSid(s));
break;
case "il":
sids = IntegrityLevel.Select(s => NtSecurity.GetIntegritySid(s));
break;
case "il_raw":
sids = IntegrityLevelRaw.Select(s => NtSecurity.GetIntegritySidRaw(s));
break;
case "package":
sids = PackageName.Select(s => TokenUtils.DerivePackageSidFromName(s));
if (RestrictedPackageName != null)
{
sids = sids.Select(s => TokenUtils.DeriveRestrictedPackageSidFromSid(s, RestrictedPackageName));
}
if (AsCapability)
{
sids = sids.Select(s => NtSecurity.PackageSidToCapability(s));
}
break;
case "known":
sids = KnownSid.Select(s => KnownSids.GetKnownSid(s));
break;
case "token":
using (NtToken token = NtToken.OpenProcessToken())
{
Sid temp = null;
if (PrimaryGroup)
{
temp = token.PrimaryGroup;
}
else if (Owner)
{
temp = token.Owner;
}
else if (LogonGroup)
{
temp = token.LogonSid.Sid;
}
else if (AppContainer)
{
temp = token.AppContainerSid;
}
else if (Label)
{
temp = token.IntegrityLevelSid.Sid;
}
else
{
temp = token.User.Sid;
}
sids = new[] { temp };
}
break;
case "cap":
sids = CapabilityName.Select(s => CapabilityGroup ? NtSecurity.GetCapabilityGroupSid(s)
: NtSecurity.GetCapabilitySid(s));
break;
case "sid":
sids = new[] { new Sid(SecurityAuthority, RelativeIdentifier ?? new uint[0]) };
break;
case "rawsa":
sids = new[] { new Sid(new SidIdentifierAuthority(SecurityAuthorityByte), RelativeIdentifier) };
break;
case "logon":
sids = new[] { NtSecurity.GetLogonSessionSid() };
break;
case "trust":
sids = new[] { NtSecurity.GetTrustLevelSid(TrustType, TrustLevel) };
break;
case "ace":
sids = AccessControlEntry.Select(a => a.Sid);
break;
case "relsid":
sids = new[] { Sibling?BaseSid.CreateSibling(RelativeIdentifier) : BaseSid.CreateRelative(RelativeIdentifier) };
break;
case "bytes":
sids = new[] { new Sid(Byte) };
break;
default:
throw new ArgumentException("No SID type specified");
}
if (AsSddl)
{
WriteObject(sids.Select(s => s.ToString()), true);
}
else if (AsName)
{
WriteObject(sids.Select(s => s.Name), true);
}
else
{
WriteObject(sids, true);
}
}
