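/// <summary>
/// Runs the stealth collection pass for every domain returned by
/// <c>_utils.GetDomainList()</c>. Each domain gets its own output queue and
/// writer task; the branch matching <c>_options.CollectMethod</c> enqueues its
/// results and the writer is drained before the next domain starts. For
/// <c>CollectionMethod.SessionLoop</c> the whole pass repeats every
/// <c>_options.LoopTime</c> minutes until <c>_options.LoopEnd</c> is passed
/// (the end time is only honoured when <c>_options.MaxLoopTime</c> is set).
/// </summary>
/// <exception cref="ArgumentOutOfRangeException">
/// <c>_options.CollectMethod</c> is not a handled <c>CollectionMethod</c> value.
/// </exception>
public void StartStealthEnumeration()
{
    // The session loop used to be implemented by tail-calling this method, which
    // kept one frame (and one finished writer) on the stack per iteration. A loop
    // produces the same sequence of output and console lines with a flat stack.
    while (true)
    {
        foreach (var domainName in _utils.GetDomainList())
        {
            // One queue and one writer per domain: the queue is marked complete and
            // the writer awaited at the end of each domain, so a queue shared across
            // domains would reject Add() for every domain after the first.
            var output = new BlockingCollection<Wrapper<OutputBase>>();
            var writer = _options.Uri == null ? StartOutputWriter(output) : StartRestWriter(output);

            Console.WriteLine($"Starting stealth enumeration for {domainName}\n");
            var domainSid = _utils.GetDomainSid(domainName);
            var data = LdapFilter.GetLdapFilter(_options.CollectMethod, _options.ExcludeDC, true);

            // Session collection against the stealth target set; shared by the
            // Session, SessionLoop, ComputerOnly and Default branches.
            Action collectStealthSessions = () =>
            {
                Console.WriteLine("Doing stealth enumeration for sessions");
                foreach (var path in SessionHelpers.CollectStealthTargets(domainName))
                {
                    foreach (var session in SessionHelpers.GetNetSessions(path, domainName))
                    {
                        output.Add(new Wrapper<OutputBase> { Item = session });
                    }
                }
            };

            // GPO-derived local admins using the filter and attribute set that
            // LdapFilter chose for this collection method; shared by the
            // ComputerOnly and GPOLocalGroup branches.
            Action collectGpoAdmins = () =>
            {
                Console.WriteLine("Doing stealth enumeration for admins");
                foreach (var entry in _utils.DoSearch(data.Filter, SearchScope.Subtree, data.Properties, domainName))
                {
                    foreach (var admin in LocalAdminHelpers.GetGpoAdmins(entry, domainName))
                    {
                        output.Add(new Wrapper<OutputBase> { Item = admin });
                    }
                }
            };

            switch (_options.CollectMethod)
            {
                case CollectionMethod.ObjectProps:
                    Console.WriteLine("Doing stealth enumeration for object properties");
                    foreach (var entry in _utils.DoSearch(data.Filter, SearchScope.Subtree, data.Properties, domainName))
                    {
                        var resolved = entry.ResolveAdEntry();
                        // ResolveAdEntry() can return null (the runner task skips such
                        // entries as well); without this guard the ObjectType read
                        // below would throw and abort the whole domain.
                        if (resolved == null)
                        {
                            continue;
                        }

                        OutputBase props;
                        if (resolved.ObjectType.Equals("computer"))
                        {
                            props = ObjectPropertyHelpers.GetComputerProps(entry, resolved);
                        }
                        else
                        {
                            props = ObjectPropertyHelpers.GetUserProps(entry, resolved);
                        }

                        if (props != null)
                        {
                            output.Add(new Wrapper<OutputBase> { Item = props });
                        }
                    }
                    break;

                case CollectionMethod.Session:
                case CollectionMethod.SessionLoop:
                    collectStealthSessions();
                    break;

                case CollectionMethod.ComputerOnly:
                    collectStealthSessions();
                    collectGpoAdmins();
                    break;

                case CollectionMethod.Default:
                    collectStealthSessions();

                    // The Default branch uses its own fixed filters rather than the
                    // ones LdapFilter picked for the method, so it is kept inline.
                    Console.WriteLine("Doing stealth enumeration for admins");
                    foreach (var entry in _utils.DoSearch(
                        "(&(objectCategory=groupPolicyContainer)(name=*)(gpcfilesyspath=*))",
                        SearchScope.Subtree,
                        new[] { "displayname", "name", "gpcfilesyspath" },
                        domainName))
                    {
                        foreach (var admin in LocalAdminHelpers.GetGpoAdmins(entry, domainName))
                        {
                            output.Add(new Wrapper<OutputBase> { Item = admin });
                        }
                    }

                    Console.WriteLine("Doing stealth enumeration for groups");
                    foreach (var entry in _utils.DoSearch(
                        "(|(memberof=*)(primarygroupid=*))",
                        SearchScope.Subtree,
                        new[] { "samaccountname", "distinguishedname", "dnshostname", "samaccounttype", "primarygroupid", "memberof", "serviceprincipalname" },
                        domainName))
                    {
                        // NOTE(review): resolvedEntry may be null here; ProcessAdObject is
                        // assumed to tolerate that (the original code made the same assumption).
                        var resolvedEntry = entry.ResolveAdEntry();
                        foreach (var group in GroupHelpers.ProcessAdObject(entry, resolvedEntry, domainSid))
                        {
                            output.Add(new Wrapper<OutputBase> { Item = group });
                        }
                    }
                    break;

                case CollectionMethod.LoggedOn:
                    Console.WriteLine("Doing LoggedOn enumeration for stealth targets");
                    foreach (var path in SessionHelpers.CollectStealthTargets(domainName))
                    {
                        foreach (var s in SessionHelpers.GetNetLoggedOn(path, domainName))
                        {
                            output.Add(new Wrapper<OutputBase> { Item = s });
                        }

                        foreach (var s in SessionHelpers.GetRegistryLoggedOn(path))
                        {
                            output.Add(new Wrapper<OutputBase> { Item = s });
                        }
                    }
                    break;

                case CollectionMethod.Group:
                    Console.WriteLine("Doing stealth enumeration for groups");
                    foreach (var entry in _utils.DoSearch(data.Filter, SearchScope.Subtree, data.Properties, domainName))
                    {
                        var resolvedEntry = entry.ResolveAdEntry();
                        foreach (var group in GroupHelpers.ProcessAdObject(entry, resolvedEntry, domainSid))
                        {
                            output.Add(new Wrapper<OutputBase> { Item = group });
                        }
                    }
                    break;

                case CollectionMethod.LocalGroup:
                    // There is no stealth variant of LocalGroup collection; nothing to do.
                    break;

                case CollectionMethod.GPOLocalGroup:
                    collectGpoAdmins();
                    break;

                case CollectionMethod.Trusts:
                    foreach (var trust in DomainTrustEnumeration.DoTrustEnumeration(domainName))
                    {
                        output.Add(new Wrapper<OutputBase> { Item = trust });
                    }
                    break;

                case CollectionMethod.ACL:
                    Console.WriteLine("Doing stealth enumeration for ACLs");
                    foreach (var entry in _utils.DoSearch(data.Filter, SearchScope.Subtree, data.Properties, domainName))
                    {
                        foreach (var acl in AclHelpers.ProcessAdObject(entry, domainName))
                        {
                            output.Add(new Wrapper<OutputBase> { Item = acl });
                        }
                    }
                    break;

                default:
                    throw new ArgumentOutOfRangeException(nameof(_options.CollectMethod), _options.CollectMethod, "Unsupported collection method for stealth enumeration");
            }

            // Drain this domain's results before reporting it finished.
            output.CompleteAdding();
            writer.Wait();
            Console.WriteLine($"Finished stealth enumeration for {domainName}");
        }

        if (_options.CollectMethod != CollectionMethod.SessionLoop)
        {
            return;
        }

        if (StealthLoopEndReached())
        {
            return;
        }

        Console.WriteLine($"Starting next session run in {_options.LoopTime} minutes");
        // Plain sleep instead of WaitOne() on a throw-away ManualResetEvent, which
        // was never disposed. The wait is not interruptible either way.
        Thread.Sleep(_options.LoopTime * 60 * 1000);

        // Re-checked after the sleep so a run does not start past the end time.
        if (StealthLoopEndReached())
        {
            return;
        }

        Console.WriteLine("Starting next enumeration loop");
    }
}

/// <summary>
/// True when a maximum loop time is configured (<c>_options.MaxLoopTime</c>) and
/// the wall clock is past <c>_options.LoopEnd</c>; logs the exit reason so the
/// caller only has to return. Keeps the original <see cref="DateTime.Now"/>
/// comparison because <c>LoopEnd</c> is computed elsewhere — presumably in local
/// time; confirm before switching this to UTC.
/// </summary>
private bool StealthLoopEndReached()
{
    if (_options.MaxLoopTime == null || !(DateTime.Now > _options.LoopEnd))
    {
        return false;
    }

    Console.WriteLine("Exiting session loop as LoopEndTime as passed");
    return true;
}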
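/// <summary>
/// Starts the long-running consumer task that drains <paramref name="processQueue"/>,
/// resolves each LDAP entry and enqueues the collector output selected by
/// <c>_options.CollectMethod</c> onto <paramref name="writeQueue"/>.
/// Every dequeued wrapper — whether it produced output, failed to resolve, did not
/// answer a ping or timed out — increments <c>_currentCount</c> and has its
/// <c>Item</c> cleared; <c>_noPing</c> and <c>_timeouts</c> count the two skip reasons.
/// </summary>
/// <param name="processQueue">Entries to process; the task ends once this queue completes adding.</param>
/// <param name="writeQueue">Queue consumed by the output writer.</param>
/// <returns>The consumer task.</returns>
/// <exception cref="ArgumentOutOfRangeException">
/// Faults the task when <c>_options.CollectMethod</c> is not a handled <c>CollectionMethod</c> value.
/// </exception>
private Task StartRunner(BlockingCollection<Wrapper<SearchResultEntry>> processQueue, BlockingCollection<Wrapper<OutputBase>> writeQueue)
{
    return Task.Factory.StartNew(() =>
    {
        foreach (var wrapper in processQueue.GetConsumingEnumerable())
        {
            var entry = wrapper.Item;
            var resolved = entry.ResolveAdEntry();

            // Entries that cannot be resolved are counted and released but produce no output.
            if (resolved != null)
            {
                // Pings the host behind this entry; a host that does not answer is
                // counted in _noPing and the caller skips it.
                Func<bool> hostAnswersPing = () =>
                {
                    if (_utils.PingHost(resolved.BloodHoundDisplay))
                    {
                        return true;
                    }

                    Interlocked.Increment(ref _noPing);
                    return false;
                };

                // Local admins for the host; a timeout is counted in _timeouts rather
                // than propagated, so one slow host does not fault the runner.
                Action collectSamAdmins = () =>
                {
                    try
                    {
                        EnqueueAll(writeQueue, LocalAdminHelpers.GetSamAdmins(resolved));
                    }
                    catch (TimeoutException)
                    {
                        Interlocked.Increment(ref _timeouts);
                    }
                };

                // Network sessions for the host; same timeout handling as above.
                Action collectNetSessions = () =>
                {
                    try
                    {
                        EnqueueAll(writeQueue, SessionHelpers.GetNetSessions(resolved, _currentDomain));
                    }
                    catch (TimeoutException)
                    {
                        Interlocked.Increment(ref _timeouts);
                    }
                };

                switch (_options.CollectMethod)
                {
                    case CollectionMethod.ObjectProps:
                    {
                        OutputBase props;
                        if (resolved.ObjectType.Equals("computer"))
                        {
                            props = ObjectPropertyHelpers.GetComputerProps(entry, resolved);
                        }
                        else
                        {
                            props = ObjectPropertyHelpers.GetUserProps(entry, resolved);
                        }

                        if (props != null)
                        {
                            writeQueue.Add(new Wrapper<OutputBase> { Item = props });
                        }
                        break;
                    }

                    case CollectionMethod.Group:
                        EnqueueAll(writeQueue, GroupHelpers.ProcessAdObject(entry, resolved, _currentDomainSid));
                        break;

                    case CollectionMethod.ComputerOnly:
                        if (!hostAnswersPing())
                        {
                            break;
                        }

                        collectSamAdmins();
                        if (IsExcludedDomainController(entry))
                        {
                            break;
                        }

                        collectNetSessions();
                        break;

                    case CollectionMethod.LocalGroup:
                        if (!hostAnswersPing())
                        {
                            break;
                        }

                        collectSamAdmins();
                        break;

                    case CollectionMethod.GPOLocalGroup:
                        EnqueueAll(writeQueue, LocalAdminHelpers.GetGpoAdmins(entry, _currentDomain));
                        break;

                    case CollectionMethod.Session:
                    case CollectionMethod.SessionLoop:
                        if (!hostAnswersPing())
                        {
                            break;
                        }

                        if (IsExcludedDomainController(entry))
                        {
                            break;
                        }

                        collectNetSessions();
                        break;

                    case CollectionMethod.LoggedOn:
                        if (!hostAnswersPing())
                        {
                            break;
                        }

                        // NOTE(review): unlike the admin/session paths these two calls have no
                        // TimeoutException handler; if they can throw it, a single slow host
                        // faults the whole runner task — confirm against the helpers.
                        EnqueueAll(writeQueue, SessionHelpers.GetNetLoggedOn(resolved, _currentDomain));
                        EnqueueAll(writeQueue, SessionHelpers.GetRegistryLoggedOn(resolved));
                        break;

                    case CollectionMethod.Trusts:
                        // Nothing is collected per entry for this method.
                        break;

                    case CollectionMethod.ACL:
                        EnqueueAll(writeQueue, AclHelpers.ProcessAdObject(entry, _currentDomain));
                        break;

                    case CollectionMethod.Default:
                        EnqueueAll(writeQueue, GroupHelpers.ProcessAdObject(entry, resolved, _currentDomainSid));

                        // Host-based collection below only applies to computer objects
                        // inside the configured OU (when one is set).
                        if (!resolved.ObjectType.Equals("computer"))
                        {
                            break;
                        }

                        if (IsOutsideTargetOu(entry))
                        {
                            break;
                        }

                        if (!hostAnswersPing())
                        {
                            break;
                        }

                        collectSamAdmins();
                        if (IsExcludedDomainController(entry))
                        {
                            break;
                        }

                        collectNetSessions();
                        break;

                    default:
                        throw new ArgumentOutOfRangeException(nameof(_options.CollectMethod), _options.CollectMethod, "Unsupported collection method");
                }
            }

            // Progress accounting and release of the entry happen for every wrapper,
            // including the ones skipped above.
            Interlocked.Increment(ref _currentCount);
            wrapper.Item = null;
        }
    }, TaskCreationOptions.LongRunning);
}

/// <summary>
/// Wraps each item in a <c>Wrapper&lt;OutputBase&gt;</c> and adds it to <paramref name="queue"/>,
/// enumerating <paramref name="items"/> exactly once.
/// </summary>
private static void EnqueueAll<T>(BlockingCollection<Wrapper<OutputBase>> queue, System.Collections.Generic.IEnumerable<T> items) where T : OutputBase
{
    foreach (var item in items)
    {
        queue.Add(new Wrapper<OutputBase> { Item = item });
    }
}

/// <summary>
/// True when <c>_options.ExcludeDC</c> is set and the entry sits under the
/// "OU=Domain Controllers" container. The match is case-insensitive because AD
/// treats DN components case-insensitively, so a DN returned as
/// "ou=Domain Controllers" must be excluded as well.
/// </summary>
private bool IsExcludedDomainController(SearchResultEntry entry)
{
    return _options.ExcludeDC
           && entry.DistinguishedName.IndexOf("OU=Domain Controllers", StringComparison.OrdinalIgnoreCase) >= 0;
}

/// <summary>
/// True when an OU restriction (<c>_options.Ou</c>) is configured and the entry's
/// DN does not contain it; case-insensitive for the same reason as the DC check.
/// </summary>
private bool IsOutsideTargetOu(SearchResultEntry entry)
{
    return _options.Ou != null
           && entry.DistinguishedName.IndexOf(_options.Ou, StringComparison.OrdinalIgnoreCase) < 0;
}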