using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using Microsoft.Extensions.Logging;
using SharpHoundCommonLib.Enums;
using SharpHoundCommonLib.LDAPQueries;
using SharpHoundCommonLib.OutputTypes;
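namespace SharpHoundCommonLib.Processors
{
    /// <summary>
    ///     Resolves container relationships for LDAP objects: the object that contains a given entry,
    ///     the immediate children of a container, and the GPO links / inheritance options applied to it.
    /// </summary>
    public class ContainerProcessor
    {
        private readonly ILogger _log;
        private readonly ILDAPUtils _utils;

        /// <summary>
        ///     Creates a processor bound to the given LDAP utilities.
        /// </summary>
        /// <param name="utils">LDAP helper used for queries and principal resolution.</param>
        /// <param name="log">Optional logger; a default "ContainerProc" logger is created when null.</param>
        public ContainerProcessor(ILDAPUtils utils, ILogger log = null)
        {
            _utils = utils;
            _log = log ?? Logging.LogProvider.CreateLogger("ContainerProc");
        }

        /// <summary>
        ///     Returns true for objects that live under the well-known "Program Data" or "System" containers
        ///     directly beneath a domain root; those children are excluded from container enumeration.
        /// </summary>
        /// <param name="distinguishedName">Distinguished name of the candidate child. Null or empty is never filtered.</param>
        /// <returns>True when the object should be skipped.</returns>
        private static bool IsDistinguishedNameFiltered(string distinguishedName)
        {
            if (string.IsNullOrEmpty(distinguishedName))
                return false;

            // Ordinal, case-insensitive substring tests instead of ToUpper()+Contains(): a DN is an
            // identifier, not user-facing text, so culture-sensitive casing is the wrong tool and the
            // upper-cased copy is a needless allocation per child.
            return distinguishedName.IndexOf("CN=PROGRAM DATA,DC=", StringComparison.OrdinalIgnoreCase) >= 0
                   || distinguishedName.IndexOf("CN=SYSTEM,DC=", StringComparison.OrdinalIgnoreCase) >= 0;
        }

        /// <summary>
        ///     Helper function to pass commonlib types to <see cref="GetContainingObject(string)" />.
        /// </summary>
        /// <param name="entry">Search result whose distinguished name is used.</param>
        /// <returns>The containing principal, or null when it cannot be determined.</returns>
        public TypedPrincipal GetContainingObject(ISearchResultEntry entry)
        {
            return GetContainingObject(entry.DistinguishedName);
        }

        /// <summary>
        ///     Uses the distinguished name of an object to get its containing object by stripping the first RDN
        ///     and resolving the remainder. Saves lots of LDAP calls compared to enumerating container info directly.
        /// </summary>
        /// <param name="distinguishedName">Distinguished name of the child object.</param>
        /// <returns>
        ///     The containing principal; the domain itself for members of the Builtin container; null when
        ///     there is no parent DN or the parent (or domain SID) cannot be resolved.
        /// </returns>
        public TypedPrincipal GetContainingObject(string distinguishedName)
        {
            var containerDn = Helpers.RemoveDistinguishedNamePrefix(distinguishedName);

            // Checked first so a null/empty parent DN never reaches StartsWith below.
            if (string.IsNullOrEmpty(containerDn))
                return null;

            // Members of the Builtin container are attached to the domain rather than to the container object.
            // Match the whole RDN ("CN=Builtin,") so an unrelated object whose name merely begins with
            // "Builtin" is not mistaken for it.
            if (containerDn.StartsWith("CN=BUILTIN,", StringComparison.OrdinalIgnoreCase))
            {
                var domain = Helpers.DistinguishedNameToDomain(distinguishedName);
                var domainSid = _utils.GetSidFromDomainName(domain);
                if (domainSid == null)
                {
                    // Emitting a Domain principal with a null identifier would produce an unusable node;
                    // report "unknown" the same way the other unresolvable paths do.
                    _log.LogTrace("Failed to resolve SID for domain {Domain} of {DN}", domain, distinguishedName);
                    return null;
                }

                return new TypedPrincipal(domainSid, Label.Domain);
            }

            return _utils.ResolveDistinguishedName(containerDn);
        }

        /// <summary>
        ///     Helper function using commonlib types to pass to <see cref="GetContainerChildObjects(string, string)" />.
        /// </summary>
        /// <param name="result">Resolved container; its display name is used only for log messages.</param>
        /// <param name="entry">Container search result whose distinguished name is the search base.</param>
        /// <returns>Resolved immediate children of the container.</returns>
        public IEnumerable<TypedPrincipal> GetContainerChildObjects(ResolvedSearchResult result,
            ISearchResultEntry entry)
        {
            var name = result.DisplayName;
            var dn = entry.DistinguishedName;

            return GetContainerChildObjects(dn, name);
        }

        /// <summary>
        ///     Finds all immediate child objects of a container.
        /// </summary>
        /// <param name="distinguishedName">Distinguished name of the container used as the one-level search base.</param>
        /// <param name="containerName">Display name of the container, used only in trace logging.</param>
        /// <returns>
        ///     Lazily yields each child that is not filtered, has an object identifier and resolves to a principal.
        ///     Children that fail any of those steps are logged at trace level and skipped.
        /// </returns>
        public IEnumerable<TypedPrincipal> GetContainerChildObjects(string distinguishedName, string containerName = "")
        {
            var filter = new LDAPFilter().AddComputers().AddUsers().AddGroups().AddOUs().AddContainers();
            filter.AddCertificateAuthorities().AddCertificateTemplates().AddEnterpriseCertificationAuthorities();

            // OneLevel scope rooted at the container returns only its direct children, never the container itself.
            var containerDomain = Helpers.DistinguishedNameToDomain(distinguishedName);
            foreach (var childEntry in _utils.QueryLDAP(filter.GetFilter(), SearchScope.OneLevel,
                         CommonProperties.ObjectID, containerDomain, adsPath: distinguishedName))
            {
                var dn = childEntry.DistinguishedName;
                if (IsDistinguishedNameFiltered(dn))
                {
                    _log.LogTrace("Skipping filtered child {Child} for {Container}", dn, containerName);
                    continue;
                }

                var id = childEntry.GetObjectIdentifier();
                if (id == null)
                {
                    _log.LogTrace("Got null ID for {ChildDN} under {Container}", dn, containerName);
                    continue;
                }

                // Resolved against the domain derived from the child's own DN rather than the container's;
                // kept as-is from the original rather than assuming the two always agree.
                var res = _utils.ResolveIDAndType(id, Helpers.DistinguishedNameToDomain(dn));
                if (res == null)
                {
                    _log.LogTrace("Failed to resolve principal for {ID}", id);
                    continue;
                }

                yield return res;
            }
        }

        /// <summary>
        ///     Reads the gPLink attribute from a search result and converts it with
        ///     <see cref="ReadContainerGPLinks(string)" />.
        /// </summary>
        /// <param name="result">Resolved container (unused beyond matching the sibling helper signatures).</param>
        /// <param name="entry">Search result whose gPLink attribute is read.</param>
        /// <returns>Resolved GPO links for the container.</returns>
        public IEnumerable<GPLink> ReadContainerGPLinks(ResolvedSearchResult result, ISearchResultEntry entry)
        {
            var links = entry.GetProperty(LDAPProperties.GPLink);

            return ReadContainerGPLinks(links);
        }

        /// <summary>
        ///     Reads the "gplink" property from a SearchResult and converts the links into the acceptable SharpHound format.
        /// </summary>
        /// <param name="gpLink">Raw gPLink attribute value; null or empty yields nothing.</param>
        /// <returns>
        ///     One <see cref="GPLink" /> per enabled, resolvable link. Disabled links and links whose DN cannot be
        ///     resolved are logged at trace level and skipped.
        /// </returns>
        public IEnumerable<GPLink> ReadContainerGPLinks(string gpLink)
        {
            if (string.IsNullOrEmpty(gpLink))
                yield break;

            foreach (var link in Helpers.SplitGPLinkProperty(gpLink))
            {
                // The options field of a gPLink entry is a bit mask (MS-GPOL): 0x1 = link disabled,
                // 0x2 = link enforced. Decoding the bits instead of comparing against the literal "2" means
                // a disabled link is never reported as applying, and "3" (disabled + enforced) is still
                // treated as disabled. An unparseable value falls back to "present, not enforced", which is
                // what the literal comparison produced, so malformed data does not drop a link.
                if (!int.TryParse(link.Status, NumberStyles.Integer, CultureInfo.InvariantCulture, out var options))
                {
                    _log.LogTrace("Unparseable gPLink options {Options} for {DN}", link.Status, link.DistinguishedName);
                    options = 0;
                }

                if ((options & 1) != 0)
                {
                    _log.LogTrace("Skipping disabled GPLink {DN}", link.DistinguishedName);
                    continue;
                }

                var enforced = (options & 2) != 0;

                var res = _utils.ResolveDistinguishedName(link.DistinguishedName);
                if (res == null)
                {
                    _log.LogTrace("Failed to resolve DN {DN}", link.DistinguishedName);
                    continue;
                }

                yield return new GPLink
                {
                    GUID = res.ObjectIdentifier,
                    IsEnforced = enforced
                };
            }
        }

        /// <summary>
        ///     Checks if a container blocks GPO inheritance from its parents.
        /// </summary>
        /// <param name="gpOptions">Raw gPOptions attribute value; may be null.</param>
        /// <returns>True only when the value is exactly "1" (the documented block-inheritance setting).</returns>
        public static bool ReadBlocksInheritance(string gpOptions)
        {
            // Any other value, including null, is treated as "does not block".
            return gpOptions is "1";
        }
    }
}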