using System;
using System.Collections.Generic;
using System.Linq;
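namespace SharpHoundCommonLib.LDAPQueries
{
    /// <summary>
    /// A class used to more easily build LDAP filters based on the common filters used by SharpHound.
    /// </summary>
    /// <remarks>
    /// Every <c>conditions</c> argument and every <see cref="AddFilter(string, bool)"/> argument is spliced
    /// into the resulting filter verbatim: the builder only adds the outer parentheses and the
    /// <c>&amp;</c> / <c>|</c> combinators, it does not escape attribute values. Callers that embed data
    /// from an untrusted source (names, SIDs, DNs read back from the directory or taken from user input)
    /// must escape the value per RFC 4515 (<c>\2a</c> for <c>*</c>, <c>\28</c> and <c>\29</c> for the
    /// parentheses, <c>\5c</c> for <c>\</c>, <c>\00</c> for NUL) before passing it in; otherwise the
    /// value can alter the structure of the query.
    /// </remarks>
    public class LDAPFilter
    {
        // Optional clauses; GetFilter() ORs these together.
        private readonly List<string> _filterParts = new();

        // Mandatory clauses; GetFilter() ANDs these onto the OR group.
        private readonly List<string> _mandatory = new();

        /// <summary>
        /// Pre-filters conditions passed into filters. Will fix filters that are missing parentheses naively.
        /// </summary>
        /// <param name="conditions">Individual LDAP conditions, with or without surrounding parentheses.</param>
        /// <returns>The conditions, each wrapped in parentheses if it was not already.</returns>
        /// <exception cref="ArgumentException">A condition is null, empty, or whitespace.</exception>
        private static string[] CheckConditions(IEnumerable<string> conditions)
        {
            return conditions.Select(FixFilter).ToArray();
        }

        /// <summary>
        /// Wraps a filter in parentheses if it is missing them. The check is naive: it only looks at the
        /// first and last character and does not verify that the parentheses balance.
        /// </summary>
        /// <param name="filter">An LDAP filter or single condition.</param>
        /// <returns>The filter, guaranteed to start with "(" and end with ")".</returns>
        /// <exception cref="ArgumentException"><paramref name="filter"/> is null, empty, or whitespace.</exception>
        private static string FixFilter(string filter)
        {
            // "()" is not a valid LDAP filter, so reject bad input here instead of at query time.
            if (string.IsNullOrWhiteSpace(filter))
                throw new ArgumentException("LDAP filter must not be null, empty, or whitespace.", nameof(filter));

            // Ordinal: parentheses are syntax characters, so culture-sensitive comparison must not apply.
            if (!filter.StartsWith("(", StringComparison.Ordinal)) filter = $"({filter}";

            if (!filter.EndsWith(")", StringComparison.Ordinal)) filter = $"{filter})";

            return filter;
        }

        /// <summary>
        /// Takes a base filter and appends any number of LDAP conditionals in a LDAP "And" statement.
        /// Returns the base filter if no extra conditions are specified.
        /// </summary>
        /// <param name="baseFilter">A complete, parenthesized LDAP filter.</param>
        /// <param name="conditions">Extra conditions to AND with the base filter. May be null or empty.</param>
        /// <returns>The base filter alone, or <c>(&amp;baseFilter cond1 cond2 ...)</c>.</returns>
        /// <exception cref="ArgumentException">A condition is null, empty, or whitespace.</exception>
        private static string BuildString(string baseFilter, params string[] conditions)
        {
            // A lone null argument binds to the params array itself; treat it like "no conditions".
            if (conditions is null || conditions.Length == 0) return baseFilter;

            return $"(&{baseFilter}{string.Join("", CheckConditions(conditions))})";
        }

        /// <summary>
        /// Appends a base filter combined with its conditions to the optional (OR-ed) clause list.
        /// </summary>
        /// <param name="baseFilter">A complete, parenthesized LDAP filter.</param>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        private LDAPFilter AddPart(string baseFilter, string[] conditions)
        {
            _filterParts.Add(BuildString(baseFilter, conditions));

            return this;
        }

        /// <summary>
        /// Add a wildcard filter that will match all object types.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddAllObjects(params string[] conditions)
            => AddPart("(objectclass=*)", conditions);

        /// <summary>
        /// Add a filter that will match User objects.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddUsers(params string[] conditions)
            => AddPart("(samaccounttype=805306368)", conditions);

        /// <summary>
        /// Add a filter that will match Group objects (security and distribution groups, global and local).
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddGroups(params string[] conditions)
            => AddPart(
                "(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913))",
                conditions);

        /// <summary>
        /// Add a filter that will include any object with a primary group.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddPrimaryGroups(params string[] conditions)
            => AddPart("(primarygroupid=*)", conditions);

        /// <summary>
        /// Add a filter that will include GPO objects.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddGPOs(params string[] conditions)
            => AddPart("(&(objectcategory=groupPolicyContainer)(flags=*))", conditions);

        /// <summary>
        /// Add a filter that will include OU objects.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddOUs(params string[] conditions)
            => AddPart("(objectcategory=organizationalUnit)", conditions);

        /// <summary>
        /// Add a filter that will include Domain objects.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddDomains(params string[] conditions)
            => AddPart("(objectclass=domain)", conditions);

        /// <summary>
        /// Add a filter that will include Container objects.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddContainers(params string[] conditions)
            => AddPart("(objectClass=container)", conditions);

        /// <summary>
        /// Add a filter that will include Configuration objects.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddConfiguration(params string[] conditions)
            => AddPart("(objectClass=configuration)", conditions);

        /// <summary>
        /// Add a filter that will include Computer objects.
        ///
        /// Note that gMSAs and sMSAs have this samaccounttype as well; use
        /// <see cref="AddComputersNoMSAs(string[])"/> to exclude them.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddComputers(params string[] conditions)
            => AddPart("(samaccounttype=805306369)", conditions);

        /// <summary>
        /// Add a filter that will include PKI Certificate templates.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddCertificateTemplates(params string[] conditions)
            => AddPart("(objectclass=pKICertificateTemplate)", conditions);

        /// <summary>
        /// Add a filter that will include Certificate Authorities.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddCertificateAuthorities(params string[] conditions)
            => AddPart("(|(objectClass=certificationAuthority)(objectClass=pkiEnrollmentService))", conditions);

        /// <summary>
        /// Add a filter that will include Enterprise Certificate Authorities.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddEnterpriseCertificationAuthorities(params string[] conditions)
            => AddPart("(objectCategory=pKIEnrollmentService)", conditions);

        /// <summary>
        /// Add a filter that will include Issuance Policies.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddIssuancePolicies(params string[] conditions)
            => AddPart("(objectClass=msPKI-Enterprise-Oid)", conditions);

        /// <summary>
        /// Add a filter that will include schema items.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddSchemaID(params string[] conditions)
            => AddPart("(schemaidguid=*)", conditions);

        /// <summary>
        /// Add a filter that will include Computer objects but exclude gMSA and sMSA objects.
        /// </summary>
        /// <param name="conditions">Extra conditions to AND with the base filter.</param>
        /// <returns>This builder, for chaining.</returns>
        public LDAPFilter AddComputersNoMSAs(params string[] conditions)
            => AddPart(
                "(&(samaccounttype=805306369)(!(objectclass=msDS-GroupManagedServiceAccount))(!(objectclass=msDS-ManagedServiceAccount)))",
                conditions);

        /// <summary>
        /// Adds a generic user specified filter. The filter is used as given (parentheses are added if
        /// missing) and is not escaped; see the class remarks before passing in untrusted values.
        /// </summary>
        /// <param name="filter">LDAP Filter to add to query</param>
        /// <param name="enforce">If true, filter will be AND otherwise OR</param>
        /// <returns>This builder, for chaining.</returns>
        /// <exception cref="ArgumentException"><paramref name="filter"/> is null, empty, or whitespace.</exception>
        public LDAPFilter AddFilter(string filter, bool enforce)
        {
            var fixedFilter = FixFilter(filter);

            if (enforce)
                _mandatory.Add(fixedFilter);
            else
                _filterParts.Add(fixedFilter);

            return this;
        }

        /// <summary>
        /// Combines all the specified parts of the LDAP filter and merges them into a single string.
        /// Optional parts are de-duplicated and OR-ed; mandatory parts are de-duplicated and AND-ed onto
        /// the result. A mandatory part is dropped from the OR group if it was also added as optional.
        /// </summary>
        /// <returns>
        /// The combined filter, or an empty string when nothing has been added. With exactly one optional
        /// part and no mandatory parts the part is returned as-is, without an enclosing <c>(|...)</c>.
        /// </returns>
        public string GetFilter()
        {
            // Materialize once: Distinct() is deferred, and both lists are read more than once below.
            var mandatoryList = _mandatory.Distinct().ToList();
            var optionalList = _filterParts.Distinct().Except(mandatoryList).ToList();

            var optional = optionalList.Count switch
            {
                0 => string.Empty,
                1 => optionalList[0],
                _ => $"(|{string.Join("", optionalList)})",
            };

            if (mandatoryList.Count == 0) return optional;

            return $"(&{optional}{string.Join("", mandatoryList)})";
        }

        /// <summary>
        /// Returns the optional (OR-ed) filter parts added so far, in insertion order and including
        /// duplicates. Mandatory parts added via <see cref="AddFilter(string, bool)"/> with
        /// <c>enforce = true</c> are not included.
        /// </summary>
        /// <returns>A live, read-only view of the optional filter parts.</returns>
        public IEnumerable<string> GetFilterList()
        {
            // Read-only wrapper so a caller cannot cast back to List<string> and mutate the builder's state.
            return _filterParts.AsReadOnly();
        }
    }
}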