< Summary

Class:	SharpHoundCommonLib.Processors.LDAPPropertyProcessor
Assembly:	SharpHoundCommonLib
File(s):	D:\a\SharpHoundCommon\SharpHoundCommon\src\CommonLib\Processors\LDAPPropertyProcessor.cs
Covered lines:	363
Uncovered lines:	90
Coverable lines:	453
Total lines:	819
Line coverage:	80.1% (363 of 453)
Covered branches:	99
Total branches:	161
Branch coverage:	61.4% (99 of 161)

Metrics

Method	Branch coverage	Cyclomatic complexity	Sequence coverage
.cctor()	100%	1	100%
.ctor(...)	100%	1	100%
GetCommonProps(...)	100%	1	100%
ReadDomainProperties(...)	100%	2	100%
FunctionalLevelToString(...)	100%	9	100%
ReadGPOProperties(...)	50%	2	100%
ReadOUProperties(...)	100%	1	100%
ReadGroupProperties(...)	100%	2	100%
ReadContainerProperties(...)	100%	1	0%
ReadUserProperties()	90%	20	98.79%
ReadComputerProperties()	78.57%	28	89.88%
ReadRootCAProperties(...)	50%	2	42.85%
ReadAIACAProperties(...)	50%	2	55.55%
ReadEnterpriseCAProperties(...)	0%	4	0%
ReadNTAuthStoreProperties(...)	100%	1	100%
ReadCertTemplateProperties(...)	91.66%	12	100%
ReadIssuancePolicyProperties(...)	100%	4	100%
ParseAllProperties(...)	80%	20	74.19%
ParseCertTemplateApplicationPolicies(...)	50%	12	56.25%
BestGuessConvert(...)	50%	8	100%
ConvertPKIPeriod(...)	5.88%	34	12.5%

File(s)

D:\a\SharpHoundCommon\SharpHoundCommon\src\CommonLib\Processors\LDAPPropertyProcessor.cs

#	Line	Line coverage
	`1`	`using System;`
	`2`	`using System.Collections.Generic;`
	`3`	`using System.Diagnostics.CodeAnalysis;`
	`4`	`using System.Linq;`
	`5`	`using System.Reflection;`
	`6`	`using System.Runtime.InteropServices;`
	`7`	`using System.Security.AccessControl;`
	`8`	`using System.Security.Cryptography.X509Certificates;`
	`9`	`using System.Security.Principal;`
	`10`	`using System.Threading.Tasks;`
	`11`	`using SharpHoundCommonLib.Enums;`
	`12`	`using SharpHoundCommonLib.LDAPQueries;`
	`13`	`using SharpHoundCommonLib.OutputTypes;`
	`14`
	`15`	`namespace SharpHoundCommonLib.Processors`
	`16`	`{`
	`17`	`public class LDAPPropertyProcessor`
	`18`	`{`
1	`19`	`private static readonly string[] ReservedAttributes = CommonProperties.TypeResolutionProps`
1	`20`	`.Concat(CommonProperties.BaseQueryProps).Concat(CommonProperties.GroupResolutionProps)`
1	`21`	`.Concat(CommonProperties.ComputerMethodProps).Concat(CommonProperties.ACLProps)`
1	`22`	`.Concat(CommonProperties.ObjectPropsProps).Concat(CommonProperties.ContainerProps)`
1	`23`	`.Concat(CommonProperties.SPNTargetProps).Concat(CommonProperties.DomainTrustProps)`
1	`24`	`.Concat(CommonProperties.GPOLocalGroupProps).ToArray();`
	`25`
	`26`	`private readonly ILDAPUtils _utils;`
	`27`
14	`28`	`public LDAPPropertyProcessor(ILDAPUtils utils)`
14	`29`	`{`
14	`30`	`_utils = utils;`
14	`31`	`}`
	`32`
	`33`	`private static Dictionary<string, object> GetCommonProps(ISearchResultEntry entry)`
20	`34`	`{`
20	`35`	`return new Dictionary<string, object>`
20	`36`	`{`
20	`37`	`{`
20	`38`	`"description", entry.GetProperty(LDAPProperties.Description)`
20	`39`	`},`
20	`40`	`{`
20	`41`	`"whencreated", Helpers.ConvertTimestampToUnixEpoch(entry.GetProperty(LDAPProperties.WhenCreated))`
20	`42`	`}`
20	`43`	`};`
20	`44`	`}`
	`45`
	`46`	`/// <summary>`
	`47`	`/// Reads specific LDAP properties related to Domains`
	`48`	`/// </summary>`
	`49`	`/// <param name="entry"></param>`
	`50`	`/// <returns></returns>`
	`51`	`public static Dictionary<string, object> ReadDomainProperties(ISearchResultEntry entry)`
2	`52`	`{`
2	`53`	`var props = GetCommonProps(entry);`
	`54`
3	`55`	`if (!int.TryParse(entry.GetProperty(LDAPProperties.DomainFunctionalLevel), out var level)) level = -1;`
	`56`
2	`57`	`props.Add("functionallevel", FunctionalLevelToString(level));`
	`58`
2	`59`	`return props;`
2	`60`	`}`
	`61`
	`62`	`/// <summary>`
	`63`	`/// Converts a numeric representation of a functional level to its appropriate functional level string`
	`64`	`/// </summary>`
	`65`	`/// <param name="level"></param>`
	`66`	`/// <returns></returns>`
	`67`	`public static string FunctionalLevelToString(int level)`
11	`68`	`{`
11	`69`	`var functionalLevel = level switch`
11	`70`	`{`
1	`71`	`0 => "2000 Mixed/Native",`
1	`72`	`1 => "2003 Interim",`
1	`73`	`2 => "2003",`
1	`74`	`3 => "2008",`
1	`75`	`4 => "2008 R2",`
1	`76`	`5 => "2012",`
2	`77`	`6 => "2012 R2",`
1	`78`	`7 => "2016",`
2	`79`	`_ => "Unknown"`
11	`80`	`};`
	`81`
11	`82`	`return functionalLevel;`
11	`83`	`}`
	`84`
	`85`	`/// <summary>`
	`86`	`/// Reads specific LDAP properties related to GPOs`
	`87`	`/// </summary>`
	`88`	`/// <param name="entry"></param>`
	`89`	`/// <returns></returns>`
	`90`	`public static Dictionary<string, object> ReadGPOProperties(ISearchResultEntry entry)`
1	`91`	`{`
1	`92`	`var props = GetCommonProps(entry);`
1	`93`	`props.Add("gpcpath", entry.GetProperty(LDAPProperties.GPCFileSYSPath)?.ToUpper());`
1	`94`	`return props;`
1	`95`	`}`
	`96`
	`97`	`/// <summary>`
	`98`	`/// Reads specific LDAP properties related to OUs`
	`99`	`/// </summary>`
	`100`	`/// <param name="entry"></param>`
	`101`	`/// <returns></returns>`
	`102`	`public static Dictionary<string, object> ReadOUProperties(ISearchResultEntry entry)`
1	`103`	`{`
1	`104`	`var props = GetCommonProps(entry);`
1	`105`	`return props;`
1	`106`	`}`
	`107`
	`108`	`/// <summary>`
	`109`	`/// Reads specific LDAP properties related to Groups`
	`110`	`/// </summary>`
	`111`	`/// <param name="entry"></param>`
	`112`	`/// <returns></returns>`
	`113`	`public static Dictionary<string, object> ReadGroupProperties(ISearchResultEntry entry)`
3	`114`	`{`
3	`115`	`var props = GetCommonProps(entry);`
	`116`
3	`117`	`var ac = entry.GetProperty(LDAPProperties.AdminCount);`
3	`118`	`if (ac != null)`
2	`119`	`{`
2	`120`	`var a = int.Parse(ac);`
2	`121`	`props.Add("admincount", a != 0);`
2	`122`	`}`
	`123`	`else`
1	`124`	`{`
1	`125`	`props.Add("admincount", false);`
1	`126`	`}`
	`127`
3	`128`	`return props;`
3	`129`	`}`
	`130`
	`131`	`/// <summary>`
	`132`	`/// Reads specific LDAP properties related to containers`
	`133`	`/// </summary>`
	`134`	`/// <param name="entry"></param>`
	`135`	`/// <returns></returns>`
	`136`	`public static Dictionary<string, object> ReadContainerProperties(ISearchResultEntry entry)`
0	`137`	`{`
0	`138`	`var props = GetCommonProps(entry);`
0	`139`	`return props;`
0	`140`	`}`
	`141`
	`142`	`/// <summary>`
	`143`	`/// Reads specific LDAP properties related to Users`
	`144`	`/// </summary>`
	`145`	`/// <param name="entry"></param>`
	`146`	`/// <returns></returns>`
	`147`	`public async Task<UserProperties> ReadUserProperties(ISearchResultEntry entry)`
4	`148`	`{`
4	`149`	`var userProps = new UserProperties();`
4	`150`	`var props = GetCommonProps(entry);`
	`151`
4	`152`	`var uacFlags = (UacFlags)0;`
4	`153`	`var uac = entry.GetProperty(LDAPProperties.UserAccountControl);`
4	`154`	`if (int.TryParse(uac, out var flag))`
3	`155`	`{`
3	`156`	`uacFlags = (UacFlags)flag;`
3	`157`	`}`
	`158`
4	`159`	`props.Add("sensitive", uacFlags.HasFlag(UacFlags.NotDelegated));`
4	`160`	`props.Add("dontreqpreauth", uacFlags.HasFlag(UacFlags.DontReqPreauth));`
4	`161`	`props.Add("passwordnotreqd", uacFlags.HasFlag(UacFlags.PasswordNotRequired));`
4	`162`	`props.Add("unconstraineddelegation", uacFlags.HasFlag(UacFlags.TrustedForDelegation));`
4	`163`	`props.Add("pwdneverexpires", uacFlags.HasFlag(UacFlags.DontExpirePassword));`
4	`164`	`props.Add("enabled", !uacFlags.HasFlag(UacFlags.AccountDisable));`
4	`165`	`props.Add("trustedtoauth", uacFlags.HasFlag(UacFlags.TrustedToAuthForDelegation));`
	`166`
4	`167`	`var domain = Helpers.DistinguishedNameToDomain(entry.DistinguishedName);`
	`168`
4	`169`	`var comps = new List<TypedPrincipal>();`
4	`170`	`if (uacFlags.HasFlag(UacFlags.TrustedToAuthForDelegation))`
1	`171`	`{`
1	`172`	`var delegates = entry.GetArrayProperty(LDAPProperties.AllowedToDelegateTo);`
1	`173`	`props.Add("allowedtodelegate", delegates);`
	`174`
7	`175`	`foreach (var d in delegates)`
2	`176`	`{`
2	`177`	`if (d == null)`
0	`178`	`continue;`
	`179`
2	`180`	`var resolvedHost = await _utils.ResolveHostToSid(d, domain);`
2	`181`	`if (resolvedHost != null && resolvedHost.Contains("S-1"))`
2	`182`	`comps.Add(new TypedPrincipal`
2	`183`	`{`
2	`184`	`ObjectIdentifier = resolvedHost,`
2	`185`	`ObjectType = Label.Computer`
2	`186`	`});`
2	`187`	`}`
1	`188`	`}`
	`189`
4	`190`	`userProps.AllowedToDelegate = comps.Distinct().ToArray();`
	`191`
4	`192`	`props.Add("lastlogon", Helpers.ConvertFileTimeToUnixEpoch(entry.GetProperty(LDAPProperties.LastLogon)));`
4	`193`	`props.Add("lastlogontimestamp",`
4	`194`	`Helpers.ConvertFileTimeToUnixEpoch(entry.GetProperty(LDAPProperties.LastLogonTimestamp)));`
4	`195`	`props.Add("pwdlastset",`
4	`196`	`Helpers.ConvertFileTimeToUnixEpoch(entry.GetProperty(LDAPProperties.PasswordLastSet)));`
4	`197`	`var spn = entry.GetArrayProperty(LDAPProperties.ServicePrincipalNames);`
4	`198`	`props.Add("serviceprincipalnames", spn);`
4	`199`	`props.Add("hasspn", spn.Length > 0);`
4	`200`	`props.Add("displayname", entry.GetProperty(LDAPProperties.DisplayName));`
4	`201`	`props.Add("email", entry.GetProperty(LDAPProperties.Email));`
4	`202`	`props.Add("title", entry.GetProperty(LDAPProperties.Title));`
4	`203`	`props.Add("homedirectory", entry.GetProperty(LDAPProperties.HomeDirectory));`
4	`204`	`props.Add("userpassword", entry.GetProperty(LDAPProperties.UserPassword));`
4	`205`	`props.Add("unixpassword", entry.GetProperty(LDAPProperties.UnixUserPassword));`
4	`206`	`props.Add("unicodepassword", entry.GetProperty(LDAPProperties.UnicodePassword));`
4	`207`	`props.Add("sfupassword", entry.GetProperty(LDAPProperties.MsSFU30Password));`
4	`208`	`props.Add("logonscript", entry.GetProperty(LDAPProperties.ScriptPath));`
	`209`
4	`210`	`var ac = entry.GetProperty(LDAPProperties.AdminCount);`
4	`211`	`if (ac != null)`
3	`212`	`{`
3	`213`	`if (int.TryParse(ac, out var parsed))`
2	`214`	`props.Add("admincount", parsed != 0);`
	`215`	`else`
1	`216`	`props.Add("admincount", false);`
3	`217`	`}`
	`218`	`else`
1	`219`	`{`
1	`220`	`props.Add("admincount", false);`
1	`221`	`}`
	`222`
4	`223`	`var sh = entry.GetByteArrayProperty(LDAPProperties.SIDHistory);`
4	`224`	`var sidHistoryList = new List<string>();`
4	`225`	`var sidHistoryPrincipals = new List<TypedPrincipal>();`
20	`226`	`foreach (var sid in sh)`
4	`227`	`{`
	`228`	`string sSid;`
	`229`	`try`
4	`230`	`{`
4	`231`	`sSid = new SecurityIdentifier(sid, 0).Value;`
3	`232`	`}`
1	`233`	`catch`
1	`234`	`{`
1	`235`	`continue;`
	`236`	`}`
	`237`
3	`238`	`sidHistoryList.Add(sSid);`
	`239`
3	`240`	`var res = _utils.ResolveIDAndType(sSid, domain);`
	`241`
3	`242`	`sidHistoryPrincipals.Add(res);`
3	`243`	`}`
	`244`
4	`245`	`userProps.SidHistory = sidHistoryPrincipals.Distinct().ToArray();`
	`246`
4	`247`	`props.Add("sidhistory", sidHistoryList.ToArray());`
	`248`
4	`249`	`userProps.Props = props;`
	`250`
4	`251`	`return userProps;`
4	`252`	`}`
	`253`
	`254`	`/// <summary>`
	`255`	`/// Reads specific LDAP properties related to Computers`
	`256`	`/// </summary>`
	`257`	`/// <param name="entry"></param>`
	`258`	`/// <returns></returns>`
	`259`	`public async Task<ComputerProperties> ReadComputerProperties(ISearchResultEntry entry)`
3	`260`	`{`
3	`261`	`var compProps = new ComputerProperties();`
3	`262`	`var props = GetCommonProps(entry);`
	`263`
3	`264`	`var flags = (UacFlags)0;`
3	`265`	`var uac = entry.GetProperty(LDAPProperties.UserAccountControl);`
3	`266`	`if (int.TryParse(uac, out var flag))`
2	`267`	`{`
2	`268`	`flags = (UacFlags)flag;`
2	`269`	`}`
	`270`
3	`271`	`props.Add("enabled", !flags.HasFlag(UacFlags.AccountDisable));`
3	`272`	`props.Add("unconstraineddelegation", flags.HasFlag(UacFlags.TrustedForDelegation));`
3	`273`	`props.Add("trustedtoauth", flags.HasFlag(UacFlags.TrustedToAuthForDelegation));`
3	`274`	`props.Add("isdc", flags.HasFlag(UacFlags.ServerTrustAccount));`
	`275`
3	`276`	`var domain = Helpers.DistinguishedNameToDomain(entry.DistinguishedName);`
	`277`
3	`278`	`var comps = new List<TypedPrincipal>();`
3	`279`	`if (flags.HasFlag(UacFlags.TrustedToAuthForDelegation))`
2	`280`	`{`
2	`281`	`var delegates = entry.GetArrayProperty(LDAPProperties.AllowedToDelegateTo);`
2	`282`	`props.Add("allowedtodelegate", delegates);`
	`283`
18	`284`	`foreach (var d in delegates)`
6	`285`	`{`
6	`286`	`var hname = d.Contains("/") ? d.Split('/')[1] : d;`
6	`287`	`hname = hname.Split(':')[0];`
6	`288`	`var resolvedHost = await _utils.ResolveHostToSid(hname, domain);`
6	`289`	`if (resolvedHost != null && resolvedHost.Contains("S-1"))`
6	`290`	`comps.Add(new TypedPrincipal`
6	`291`	`{`
6	`292`	`ObjectIdentifier = resolvedHost,`
6	`293`	`ObjectType = Label.Computer`
6	`294`	`});`
6	`295`	`}`
2	`296`	`}`
	`297`
3	`298`	`compProps.AllowedToDelegate = comps.Distinct().ToArray();`
	`299`
3	`300`	`var allowedToActPrincipals = new List<TypedPrincipal>();`
3	`301`	`var rawAllowedToAct = entry.GetByteProperty(LDAPProperties.AllowedToActOnBehalfOfOtherIdentity);`
3	`302`	`if (rawAllowedToAct != null)`
0	`303`	`{`
0	`304`	`var sd = _utils.MakeSecurityDescriptor();`
0	`305`	`sd.SetSecurityDescriptorBinaryForm(rawAllowedToAct, AccessControlSections.Access);`
0	`306`	`foreach (var rule in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))`
0	`307`	`{`
0	`308`	`var res = _utils.ResolveIDAndType(rule.IdentityReference(), domain);`
0	`309`	`allowedToActPrincipals.Add(res);`
0	`310`	`}`
0	`311`	`}`
	`312`
3	`313`	`compProps.AllowedToAct = allowedToActPrincipals.ToArray();`
	`314`
3	`315`	`props.Add("lastlogon", Helpers.ConvertFileTimeToUnixEpoch(entry.GetProperty(LDAPProperties.LastLogon)));`
3	`316`	`props.Add("lastlogontimestamp",`
3	`317`	`Helpers.ConvertFileTimeToUnixEpoch(entry.GetProperty(LDAPProperties.LastLogonTimestamp)));`
3	`318`	`props.Add("pwdlastset",`
3	`319`	`Helpers.ConvertFileTimeToUnixEpoch(entry.GetProperty(LDAPProperties.PasswordLastSet)));`
3	`320`	`props.Add("serviceprincipalnames", entry.GetArrayProperty(LDAPProperties.ServicePrincipalNames));`
3	`321`	`props.Add("email", entry.GetProperty(LDAPProperties.Email));`
3	`322`	`var os = entry.GetProperty(LDAPProperties.OperatingSystem);`
3	`323`	`var sp = entry.GetProperty(LDAPProperties.ServicePack);`
	`324`
5	`325`	`if (sp != null) os = $"{os} {sp}";`
	`326`
3	`327`	`props.Add("operatingsystem", os);`
	`328`
3	`329`	`var sh = entry.GetByteArrayProperty(LDAPProperties.SIDHistory);`
3	`330`	`var sidHistoryList = new List<string>();`
3	`331`	`var sidHistoryPrincipals = new List<TypedPrincipal>();`
15	`332`	`foreach (var sid in sh)`
3	`333`	`{`
	`334`	`string sSid;`
	`335`	`try`
3	`336`	`{`
3	`337`	`sSid = new SecurityIdentifier(sid, 0).Value;`
2	`338`	`}`
1	`339`	`catch`
1	`340`	`{`
1	`341`	`continue;`
	`342`	`}`
	`343`
2	`344`	`sidHistoryList.Add(sSid);`
	`345`
2	`346`	`var res = _utils.ResolveIDAndType(sSid, domain);`
	`347`
2	`348`	`sidHistoryPrincipals.Add(res);`
2	`349`	`}`
	`350`
3	`351`	`compProps.SidHistory = sidHistoryPrincipals.ToArray();`
	`352`
3	`353`	`props.Add("sidhistory", sidHistoryList.ToArray());`
	`354`
3	`355`	`var hsa = entry.GetArrayProperty(LDAPProperties.HostServiceAccount);`
3	`356`	`var smsaPrincipals = new List<TypedPrincipal>();`
3	`357`	`if (hsa != null)`
3	`358`	`{`
13	`359`	`foreach (var dn in hsa)`
2	`360`	`{`
2	`361`	`var resolvedPrincipal = _utils.ResolveDistinguishedName(dn);`
	`362`
2	`363`	`if (resolvedPrincipal != null)`
2	`364`	`smsaPrincipals.Add(resolvedPrincipal);`
2	`365`	`}`
3	`366`	`}`
	`367`
3	`368`	`compProps.DumpSMSAPassword = smsaPrincipals.ToArray();`
	`369`
3	`370`	`compProps.Props = props;`
	`371`
3	`372`	`return compProps;`
3	`373`	`}`
	`374`
	`375`	`/// <summary>`
	`376`	`/// Returns the properties associated with the RootCA`
	`377`	`/// </summary>`
	`378`	`/// <param name="entry"></param>`
	`379`	`/// <returns>Returns a dictionary with the common properties of the RootCA</returns>`
	`380`	`public static Dictionary<string, object> ReadRootCAProperties(ISearchResultEntry entry)`
1	`381`	`{`
1	`382`	`var props = GetCommonProps(entry);`
	`383`
	`384`	`// Certificate`
1	`385`	`var rawCertificate = entry.GetByteProperty(LDAPProperties.CACertificate);`
1	`386`	`if (rawCertificate != null)`
0	`387`	`{`
0	`388`	`var cert = new ParsedCertificate(rawCertificate);`
0	`389`	`props.Add("certthumbprint", cert.Thumbprint);`
0	`390`	`props.Add("certname", cert.Name);`
0	`391`	`props.Add("certchain", cert.Chain);`
0	`392`	`props.Add("hasbasicconstraints", cert.HasBasicConstraints);`
0	`393`	`props.Add("basicconstraintpathlength", cert.BasicConstraintPathLength);`
0	`394`	`}`
	`395`
1	`396`	`return props;`
1	`397`	`}`
	`398`
	`399`	`/// <summary>`
	`400`	`/// Returns the properties associated with the AIACA`
	`401`	`/// </summary>`
	`402`	`/// <param name="entry"></param>`
	`403`	`/// <returns>Returns a dictionary with the common properties and the crosscertificatepair property of the AICA</`
	`404`	`public static Dictionary<string, object> ReadAIACAProperties(ISearchResultEntry entry)`
1	`405`	`{`
1	`406`	`var props = GetCommonProps(entry);`
1	`407`	`var crossCertificatePair = entry.GetByteArrayProperty((LDAPProperties.CrossCertificatePair));`
1	`408`	`var hasCrossCertificatePair = crossCertificatePair.Length > 0;`
	`409`
1	`410`	`props.Add("crosscertificatepair", crossCertificatePair);`
1	`411`	`props.Add("hascrosscertificatepair", hasCrossCertificatePair);`
	`412`
	`413`	`// Certificate`
1	`414`	`var rawCertificate = entry.GetByteProperty(LDAPProperties.CACertificate);`
1	`415`	`if (rawCertificate != null)`
0	`416`	`{`
0	`417`	`var cert = new ParsedCertificate(rawCertificate);`
0	`418`	`props.Add("certthumbprint", cert.Thumbprint);`
0	`419`	`props.Add("certname", cert.Name);`
0	`420`	`props.Add("certchain", cert.Chain);`
0	`421`	`props.Add("hasbasicconstraints", cert.HasBasicConstraints);`
0	`422`	`props.Add("basicconstraintpathlength", cert.BasicConstraintPathLength);`
0	`423`	`}`
	`424`
1	`425`	`return props;`
1	`426`	`}`
	`427`
	`428`	`public static Dictionary<string, object> ReadEnterpriseCAProperties(ISearchResultEntry entry)`
0	`429`	`{`
0	`430`	`var props = GetCommonProps(entry);`
0	`431`	`if (entry.GetIntProperty("flags", out var flags)) props.Add("flags", (PKICertificateAuthorityFlags)flags);`
0	`432`	`props.Add("caname", entry.GetProperty(LDAPProperties.Name));`
0	`433`	`props.Add("dnshostname", entry.GetProperty(LDAPProperties.DNSHostName));`
	`434`
	`435`	`// Certificate`
0	`436`	`var rawCertificate = entry.GetByteProperty(LDAPProperties.CACertificate);`
0	`437`	`if (rawCertificate != null)`
0	`438`	`{`
0	`439`	`var cert = new ParsedCertificate(rawCertificate);`
0	`440`	`props.Add("certthumbprint", cert.Thumbprint);`
0	`441`	`props.Add("certname", cert.Name);`
0	`442`	`props.Add("certchain", cert.Chain);`
0	`443`	`props.Add("hasbasicconstraints", cert.HasBasicConstraints);`
0	`444`	`props.Add("basicconstraintpathlength", cert.BasicConstraintPathLength);`
0	`445`	`}`
	`446`
0	`447`	`return props;`
0	`448`	`}`
	`449`
	`450`	`/// <summary>`
	`451`	`/// Returns the properties associated with the NTAuthStore. These properties will only contain common properties`
	`452`	`/// </summary>`
	`453`	`/// <param name="entry"></param>`
	`454`	`/// <returns>Returns a dictionary with the common properties of the NTAuthStore</returns>`
	`455`	`public static Dictionary<string, object> ReadNTAuthStoreProperties(ISearchResultEntry entry)`
1	`456`	`{`
1	`457`	`var props = GetCommonProps(entry);`
1	`458`	`return props;`
1	`459`	`}`
	`460`
	`461`	`/// <summary>`
	`462`	`/// Reads specific LDAP properties related to CertTemplates`
	`463`	`/// </summary>`
	`464`	`/// <param name="entry"></param>`
	`465`	`/// <returns>Returns a dictionary associated with the CertTemplate properties that were read</returns>`
	`466`	`public static Dictionary<string, object> ReadCertTemplateProperties(ISearchResultEntry entry)`
1	`467`	`{`
1	`468`	`var props = GetCommonProps(entry);`
	`469`
1	`470`	`props.Add("validityperiod", ConvertPKIPeriod(entry.GetByteProperty(LDAPProperties.PKIExpirationPeriod)));`
1	`471`	`props.Add("renewalperiod", ConvertPKIPeriod(entry.GetByteProperty(LDAPProperties.PKIOverlappedPeriod)));`
	`472`
1	`473`	`if (entry.GetIntProperty(LDAPProperties.TemplateSchemaVersion, out var schemaVersion))`
1	`474`	`props.Add("schemaversion", schemaVersion);`
	`475`
1	`476`	`props.Add("displayname", entry.GetProperty(LDAPProperties.DisplayName));`
1	`477`	`props.Add("oid", entry.GetProperty(LDAPProperties.CertTemplateOID));`
	`478`
1	`479`	`if (entry.GetIntProperty(LDAPProperties.PKIEnrollmentFlag, out var enrollmentFlagsRaw))`
1	`480`	`{`
1	`481`	`var enrollmentFlags = (PKIEnrollmentFlag)enrollmentFlagsRaw;`
	`482`
1	`483`	`props.Add("enrollmentflag", enrollmentFlags);`
1	`484`	`props.Add("requiresmanagerapproval", enrollmentFlags.HasFlag(PKIEnrollmentFlag.PEND_ALL_REQUESTS));`
1	`485`	`props.Add("nosecurityextension", enrollmentFlags.HasFlag(PKIEnrollmentFlag.NO_SECURITY_EXTENSION));`
1	`486`	`}`
	`487`
1	`488`	`if (entry.GetIntProperty(LDAPProperties.PKINameFlag, out var nameFlagsRaw))`
1	`489`	`{`
1	`490`	`var nameFlags = (PKICertificateNameFlag)nameFlagsRaw;`
	`491`
1	`492`	`props.Add("certificatenameflag", nameFlags);`
1	`493`	`props.Add("enrolleesuppliessubject",`
1	`494`	`nameFlags.HasFlag(PKICertificateNameFlag.ENROLLEE_SUPPLIES_SUBJECT));`
1	`495`	`props.Add("subjectaltrequireupn",`
1	`496`	`nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_ALT_REQUIRE_UPN));`
1	`497`	`props.Add("subjectaltrequiredns",`
1	`498`	`nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_ALT_REQUIRE_DNS));`
1	`499`	`props.Add("subjectaltrequiredomaindns",`
1	`500`	`nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_ALT_REQUIRE_DOMAIN_DNS));`
1	`501`	`props.Add("subjectaltrequireemail",`
1	`502`	`nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_ALT_REQUIRE_EMAIL));`
1	`503`	`props.Add("subjectaltrequirespn",`
1	`504`	`nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_ALT_REQUIRE_SPN));`
1	`505`	`props.Add("subjectrequireemail",`
1	`506`	`nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_REQUIRE_EMAIL));`
1	`507`	`}`
	`508`
1	`509`	`var ekus = entry.GetArrayProperty(LDAPProperties.ExtendedKeyUsage);`
1	`510`	`props.Add("ekus", ekus);`
1	`511`	`var certificateApplicationPolicy = entry.GetArrayProperty(LDAPProperties.CertificateApplicationPolicy);`
1	`512`	`props.Add("certificateapplicationpolicy", certificateApplicationPolicy);`
	`513`
1	`514`	`var certificatePolicy = entry.GetArrayProperty(LDAPProperties.CertificatePolicy);`
1	`515`	`props.Add("certificatepolicy", certificatePolicy);`
	`516`
1	`517`	`if (entry.GetIntProperty(LDAPProperties.NumSignaturesRequired, out var authorizedSignatures))`
1	`518`	`props.Add("authorizedsignatures", authorizedSignatures);`
	`519`
1	`520`	`var hasUseLegacyProvider = false;`
1	`521`	`if (entry.GetIntProperty(LDAPProperties.PKIPrivateKeyFlag, out var privateKeyFlagsRaw))`
1	`522`	`{`
1	`523`	`var privateKeyFlags = (PKIPrivateKeyFlag)privateKeyFlagsRaw;`
1	`524`	`hasUseLegacyProvider = privateKeyFlags.HasFlag(PKIPrivateKeyFlag.USE_LEGACY_PROVIDER);`
1	`525`	`}`
	`526`
1	`527`	`props.Add("applicationpolicies", ParseCertTemplateApplicationPolicies(entry.GetArrayProperty(LDAPProperties.`
1	`528`	`props.Add("issuancepolicies", entry.GetArrayProperty(LDAPProperties.IssuancePolicies));`
	`529`
	`530`	`// Construct effectiveekus`
1	`531`	`var effectiveekus = schemaVersion == 1 & ekus.Length > 0 ? ekus : certificateApplicationPolicy;`
1	`532`	`props.Add("effectiveekus", effectiveekus);`
	`533`
	`534`	`// Construct authenticationenabled`
1	`535`	`var authenticationEnabled = effectiveekus.Intersect(Helpers.AuthenticationOIDs).Any() \| effectiveekus.Length`
1	`536`	`props.Add("authenticationenabled", authenticationEnabled);`
	`537`
1	`538`	`return props;`
1	`539`	`}`
	`540`
	`541`	`public IssuancePolicyProperties ReadIssuancePolicyProperties(ISearchResultEntry entry)`
2	`542`	`{`
2	`543`	`var ret = new IssuancePolicyProperties();`
2	`544`	`var props = GetCommonProps(entry);`
2	`545`	`props.Add("displayname", entry.GetProperty(LDAPProperties.DisplayName));`
2	`546`	`props.Add("certtemplateoid", entry.GetProperty(LDAPProperties.CertTemplateOID));`
	`547`
2	`548`	`var link = entry.GetProperty(LDAPProperties.OIDGroupLink);`
2	`549`	`if (!string.IsNullOrEmpty(link))`
1	`550`	`{`
1	`551`	`var linkedGroup = _utils.ResolveDistinguishedName(link);`
1	`552`	`if (linkedGroup != null)`
1	`553`	`{`
1	`554`	`props.Add("oidgrouplink", linkedGroup.ObjectIdentifier);`
1	`555`	`ret.GroupLink = linkedGroup;`
1	`556`	`}`
1	`557`	`}`
	`558`
2	`559`	`ret.Props = props;`
2	`560`	`return ret;`
2	`561`	`}`
	`562`
	`563`	`/// <summary>`
	`564`	`/// Attempts to parse all LDAP attributes outside of the ones already collected and converts them to a human`
	`565`	`/// format using a best guess`
	`566`	`/// </summary>`
	`567`	`/// <param name="entry"></param>`
	`568`	`public Dictionary<string, object> ParseAllProperties(ISearchResultEntry entry)`
5	`569`	`{`
5	`570`	`var props = new Dictionary<string, object>();`
	`571`
5	`572`	`var type = typeof(LDAPProperties);`
340	`573`	`var reserved = type.GetFields(BindingFlags.Static \| BindingFlags.Public).Select(x => x.GetValue(null).ToStri`
	`574`
31	`575`	`foreach (var property in entry.PropertyNames())`
8	`576`	`{`
8	`577`	`if (ReservedAttributes.Contains(property, StringComparer.OrdinalIgnoreCase))`
3	`578`	`continue;`
	`579`
5	`580`	`var collCount = entry.PropCount(property);`
5	`581`	`if (collCount == 0)`
0	`582`	`continue;`
	`583`
5	`584`	`if (collCount == 1)`
5	`585`	`{`
5	`586`	`var testBytes = entry.GetByteProperty(property);`
	`587`
6	`588`	`if (testBytes == null \|\| testBytes.Length == 0) continue;`
	`589`
4	`590`	`var testString = entry.GetProperty(property);`
	`591`
4	`592`	`if (!string.IsNullOrEmpty(testString))`
4	`593`	`if (property == "badpasswordtime")`
1	`594`	`props.Add(property, Helpers.ConvertFileTimeToUnixEpoch(testString));`
	`595`	`else`
3	`596`	`props.Add(property, BestGuessConvert(testString));`
4	`597`	`}`
	`598`	`else`
0	`599`	`{`
0	`600`	`var arrBytes = entry.GetByteArrayProperty(property);`
0	`601`	`if (arrBytes.Length == 0)`
0	`602`	`continue;`
	`603`
0	`604`	`var arr = entry.GetArrayProperty(property);`
0	`605`	`if (arr.Length > 0) props.Add(property, arr.Select(BestGuessConvert).ToArray());`
0	`606`	`}`
4	`607`	`}`
	`608`
5	`609`	`return props;`
5	`610`	`}`
	`611`
	`612`	`/// <summary>`
	`613`	`/// Parse CertTemplate attribute msPKI-RA-Application-Policies`
	`614`	`/// </summary>`
	`615`	`/// <param name="applicationPolicies"></param>`
	`616`	`/// <param name="schemaVersion"></param>`
	`617`	`/// <param name="hasUseLegacyProvider"></param>`
	`618`	`private static string[] ParseCertTemplateApplicationPolicies(string[] applicationPolicies, int schemaVersion, bo`
1	`619`	`{`
1	`620`	`if (applicationPolicies == null`
1	`621`	`\|\| applicationPolicies.Length == 0`
1	`622`	`\|\| schemaVersion == 1`
1	`623`	`\|\| schemaVersion == 2`
1	`624`	`\|\| (schemaVersion == 4 && hasUseLegacyProvider))`
1	`625`	`{`
1	`626`	`return applicationPolicies;`
	`627`	`}`
	`628`	`else`
0	`629`	`{`
	`630`	// Format: "Name`Type`Value`Name`Type`Value`..."
	`631`	`// (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/c55ec697-be3f-4117-8316-8895e4`
	`632`	`// Return the Value of Name = "msPKI-RA-Application-Policies" entries`
0	`633`	var entries = applicationPolicies[0].Split('`');
0	`634`	`return Enumerable.Range(0, entries.Length / 3)`
0	`635`	`.Select(i => entries.Skip(i * 3).Take(3).ToArray())`
0	`636`	`.Where(parts => parts.Length == 3 && parts[0].Equals(LDAPProperties.ApplicationPolicies, StringCompa`
0	`637`	`.Select(parts => parts[2])`
0	`638`	`.ToArray();`
	`639`	`}`
1	`640`	`}`
	`641`
	`642`	`/// <summary>`
	`643`	`/// Does a best guess conversion of the property to a type useable by the UI`
	`644`	`/// </summary>`
	`645`	`/// <param name="property"></param>`
	`646`	`/// <returns></returns>`
	`647`	`private static object BestGuessConvert(string property)`
3	`648`	`{`
	`649`	`//Parse boolean values`
3	`650`	`if (bool.TryParse(property, out var boolResult)) return boolResult;`
	`651`
	`652`	`//A string ending with 0Z is likely a timestamp`
3	`653`	`if (property.EndsWith("0Z")) return Helpers.ConvertTimestampToUnixEpoch(property);`
	`654`
	`655`	`//This string corresponds to the max int, and is usually set in accountexpires`
3	`656`	`if (property == "9223372036854775807") return -1;`
	`657`
	`658`	`//Try parsing as an int`
3	`659`	`if (int.TryParse(property, out var num)) return num;`
	`660`
	`661`	`//Just return the property as a string`
3	`662`	`return property;`
3	`663`	`}`
	`664`
	`665`	`/// <summary>`
	`666`	`/// Converts PKIExpirationPeriod/PKIOverlappedPeriod attributes to time approximate times`
	`667`	`/// </summary>`
	`668`	`/// <remarks>https://www.sysadmins.lv/blog-en/how-to-convert-pkiexirationperiod-and-pkioverlapperiod-active-dire`
	`669`	`/// <param name="bytes"></param>`
	`670`	`/// <returns>Returns a string representing the time period associated with the input byte array in a human reada`
	`671`	`private static string ConvertPKIPeriod(byte[] bytes)`
2	`672`	`{`
2	`673`	`if (bytes == null \|\| bytes.Length == 0)`
2	`674`	`return "Unknown";`
	`675`
	`676`	`try`
0	`677`	`{`
0	`678`	`Array.Reverse(bytes);`
0	`679`	`var temp = BitConverter.ToString(bytes).Replace("-", "");`
0	`680`	`var value = Convert.ToInt64(temp, 16) * -.0000001;`
	`681`
0	`682`	`if (value % 31536000 == 0 && value / 31536000 >= 1)`
0	`683`	`{`
0	`684`	`if (value / 31536000 == 1) return "1 year";`
	`685`
0	`686`	`return $"{value / 31536000} years";`
	`687`	`}`
	`688`
0	`689`	`if (value % 2592000 == 0 && value / 2592000 >= 1)`
0	`690`	`{`
0	`691`	`if (value / 2592000 == 1) return "1 month";`
	`692`
0	`693`	`return $"{value / 2592000} months";`
	`694`	`}`
	`695`
0	`696`	`if (value % 604800 == 0 && value / 604800 >= 1)`
0	`697`	`{`
0	`698`	`if (value / 604800 == 1) return "1 week";`
	`699`
0	`700`	`return $"{value / 604800} weeks";`
	`701`	`}`
	`702`
0	`703`	`if (value % 86400 == 0 && value / 86400 >= 1)`
0	`704`	`{`
0	`705`	`if (value / 86400 == 1) return "1 day";`
	`706`
0	`707`	`return $"{value / 86400} days";`
	`708`	`}`
	`709`
0	`710`	`if (value % 3600 == 0 && value / 3600 >= 1)`
0	`711`	`{`
0	`712`	`if (value / 3600 == 1) return "1 hour";`
	`713`
0	`714`	`return $"{value / 3600} hours";`
	`715`	`}`
	`716`
0	`717`	`return "";`
	`718`	`}`
0	`719`	`catch (Exception)`
0	`720`	`{`
0	`721`	`return "Unknown";`
	`722`	`}`
2	`723`	`}`
	`724`
	`725`	`[DllImport("Advapi32", SetLastError = false)]`
	`726`	`private static extern bool IsTextUnicode(byte[] buf, int len, ref IsTextUnicodeFlags opt);`
	`727`
	`728`	`[Flags]`
	`729`	`[SuppressMessage("ReSharper", "UnusedMember.Local")]`
	`730`	`[SuppressMessage("ReSharper", "InconsistentNaming")]`
	`731`	`private enum IsTextUnicodeFlags`
	`732`	`{`
	`733`	`IS_TEXT_UNICODE_ASCII16 = 0x0001,`
	`734`	`IS_TEXT_UNICODE_REVERSE_ASCII16 = 0x0010,`
	`735`
	`736`	`IS_TEXT_UNICODE_STATISTICS = 0x0002,`
	`737`	`IS_TEXT_UNICODE_REVERSE_STATISTICS = 0x0020,`
	`738`
	`739`	`IS_TEXT_UNICODE_CONTROLS = 0x0004,`
	`740`	`IS_TEXT_UNICODE_REVERSE_CONTROLS = 0x0040,`
	`741`
	`742`	`IS_TEXT_UNICODE_SIGNATURE = 0x0008,`
	`743`	`IS_TEXT_UNICODE_REVERSE_SIGNATURE = 0x0080,`
	`744`
	`745`	`IS_TEXT_UNICODE_ILLEGAL_CHARS = 0x0100,`
	`746`	`IS_TEXT_UNICODE_ODD_LENGTH = 0x0200,`
	`747`	`IS_TEXT_UNICODE_DBCS_LEADBYTE = 0x0400,`
	`748`	`IS_TEXT_UNICODE_NULL_BYTES = 0x1000,`
	`749`
	`750`	`IS_TEXT_UNICODE_UNICODE_MASK = 0x000F,`
	`751`	`IS_TEXT_UNICODE_REVERSE_MASK = 0x00F0,`
	`752`	`IS_TEXT_UNICODE_NOT_UNICODE_MASK = 0x0F00,`
	`753`	`IS_TEXT_UNICODE_NOT_ASCII_MASK = 0xF000`
	`754`	`}`
	`755`	`}`
	`756`
	`757`	`public class ParsedCertificate`
	`758`	`{`
	`759`	`public string Thumbprint { get; set; }`
	`760`	`public string Name { get; set; }`
	`761`	`public string[] Chain { get; set; } = Array.Empty<string>();`
	`762`	`public bool HasBasicConstraints { get; set; } = false;`
	`763`	`public int BasicConstraintPathLength { get; set; }`
	`764`
	`765`	`public ParsedCertificate(byte[] rawCertificate)`
	`766`	`{`
	`767`	`var parsedCertificate = new X509Certificate2(rawCertificate);`
	`768`	`Thumbprint = parsedCertificate.Thumbprint;`
	`769`	`var name = parsedCertificate.FriendlyName;`
	`770`	`Name = string.IsNullOrEmpty(name) ? Thumbprint : name;`
	`771`
	`772`	`// Chain`
	`773`	`X509Chain chain = new X509Chain();`
	`774`	`chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;`
	`775`	`chain.Build(parsedCertificate);`
	`776`	`var temp = new List<string>();`
	`777`	`foreach (X509ChainElement cert in chain.ChainElements) temp.Add(cert.Certificate.Thumbprint);`
	`778`	`Chain = temp.ToArray();`
	`779`
	`780`	`// Extensions`
	`781`	`X509ExtensionCollection extensions = parsedCertificate.Extensions;`
	`782`	`List<CertificateExtension> certificateExtensions = new List<CertificateExtension>();`
	`783`	`foreach (X509Extension extension in extensions)`
	`784`	`{`
	`785`	`CertificateExtension certificateExtension = new CertificateExtension(extension);`
	`786`	`switch (certificateExtension.Oid.Value)`
	`787`	`{`
	`788`	`case CAExtensionTypes.BasicConstraints:`
	`789`	`X509BasicConstraintsExtension ext = (X509BasicConstraintsExtension)extension;`
	`790`	`HasBasicConstraints = ext.HasPathLengthConstraint;`
	`791`	`BasicConstraintPathLength = ext.PathLengthConstraint;`
	`792`	`break;`
	`793`	`}`
	`794`	`}`
	`795`	`}`
	`796`	`}`
	`797`
	`798`	`public class UserProperties`
	`799`	`{`
	`800`	`public Dictionary<string, object> Props { get; set; } = new();`
	`801`	`public TypedPrincipal[] AllowedToDelegate { get; set; } = Array.Empty<TypedPrincipal>();`
	`802`	`public TypedPrincipal[] SidHistory { get; set; } = Array.Empty<TypedPrincipal>();`
	`803`	`}`
	`804`
	`805`	`public class ComputerProperties`
	`806`	`{`
	`807`	`public Dictionary<string, object> Props { get; set; } = new();`
	`808`	`public TypedPrincipal[] AllowedToDelegate { get; set; } = Array.Empty<TypedPrincipal>();`
	`809`	`public TypedPrincipal[] AllowedToAct { get; set; } = Array.Empty<TypedPrincipal>();`
	`810`	`public TypedPrincipal[] SidHistory { get; set; } = Array.Empty<TypedPrincipal>();`
	`811`	`public TypedPrincipal[] DumpSMSAPassword { get; set; } = Array.Empty<TypedPrincipal>();`
	`812`	`}`
	`813`
	`814`	`public class IssuancePolicyProperties`
	`815`	`{`
	`816`	`public Dictionary<string, object> Props { get; set; } = new();`
	`817`	`public TypedPrincipal GroupLink { get; set; } = new TypedPrincipal();`
	`818`	`}`
	`819`	`}`

< Summary

Metrics

File(s)

D:\a\SharpHoundCommon\SharpHoundCommon\src\CommonLib\Processors\LDAPPropertyProcessor.cs

Methods/Properties