| | 1 | | using System; |
| | 2 | | using System.Collections.Concurrent; |
| | 3 | | using System.Collections.Generic; |
| | 4 | | using System.Security.Principal; |
| | 5 | | using System.Threading.Tasks; |
| | 6 | | using Microsoft.Extensions.Logging; |
| | 7 | | using SharpHoundCommonLib.Enums; |
| | 8 | | using SharpHoundCommonLib.OutputTypes; |
| | 9 | | using SharpHoundRPC; |
| | 10 | | using SharpHoundRPC.Shared; |
| | 11 | | using SharpHoundRPC.Wrappers; |
| | 12 | |
|
| | 13 | | namespace SharpHoundCommonLib.Processors |
| | 14 | | { |
| | 15 | | public class LocalGroupProcessor |
| | 16 | | { |
| | 17 | | public delegate Task ComputerStatusDelegate(CSVComputerStatus status); |
| | 18 | | private readonly ILogger _log; |
| | 19 | | private readonly ILDAPUtils _utils; |
| | 20 | |
|
| 4 | 21 | | public LocalGroupProcessor(ILDAPUtils utils, ILogger log = null) |
| 4 | 22 | | { |
| 4 | 23 | | _utils = utils; |
| 4 | 24 | | _log = log ?? Logging.LogProvider.CreateLogger("LocalGroupProcessor"); |
| 4 | 25 | | } |
| | 26 | |
|
| | 27 | | public event ComputerStatusDelegate ComputerStatusEvent; |
| | 28 | |
|
| | 29 | | public virtual Result<ISAMServer> OpenSamServer(string computerName) |
| 0 | 30 | | { |
| 0 | 31 | | var result = SAMServer.OpenServer(computerName); |
| 0 | 32 | | if (result.IsFailed) |
| 0 | 33 | | { |
| 0 | 34 | | return Result<ISAMServer>.Fail(result.SError); |
| | 35 | | } |
| | 36 | |
|
| 0 | 37 | | return Result<ISAMServer>.Ok(result.Value); |
| 0 | 38 | | } |
| | 39 | |
|
| | 40 | | public IAsyncEnumerable<LocalGroupAPIResult> GetLocalGroups(ResolvedSearchResult result) |
| 0 | 41 | | { |
| 0 | 42 | | return GetLocalGroups(result.DisplayName, result.ObjectId, result.Domain, result.IsDomainController); |
| 0 | 43 | | } |
| | 44 | |
|
| | 45 | | /// <summary> |
| | 46 | | /// Gets local groups from a computer |
| | 47 | | /// </summary> |
| | 48 | | /// <param name="computerName"></param> |
| | 49 | | /// <param name="computerObjectId">The objectsid of the computer in the domain</param> |
| | 50 | | /// <param name="computerDomain">The domain the computer belongs too</param> |
| | 51 | | /// <param name="isDomainController">Is the computer a domain controller</param> |
| | 52 | | /// <returns></returns> |
| | 53 | | public async IAsyncEnumerable<LocalGroupAPIResult> GetLocalGroups(string computerName, string computerObjectId, |
| | 54 | | string computerDomain, bool isDomainController) |
| 2 | 55 | | { |
| | 56 | | //Open a handle to the server |
| 2 | 57 | | var openServerResult = OpenSamServer(computerName); |
| 2 | 58 | | if (openServerResult.IsFailed) |
| 0 | 59 | | { |
| 0 | 60 | | _log.LogTrace("OpenServer failed on {ComputerName}: {Error}", computerName, openServerResult.SError); |
| 0 | 61 | | await SendComputerStatus(new CSVComputerStatus |
| 0 | 62 | | { |
| 0 | 63 | | Task = "SamConnect", |
| 0 | 64 | | ComputerName = computerName, |
| 0 | 65 | | Status = openServerResult.SError |
| 0 | 66 | | }); |
| 0 | 67 | | yield break; |
| | 68 | | } |
| | 69 | |
|
| 2 | 70 | | var server = openServerResult.Value; |
| 2 | 71 | | var typeCache = new ConcurrentDictionary<string, CachedLocalItem>(); |
| | 72 | |
|
| | 73 | | //Try to get the machine sid for the computer if its not already cached |
| | 74 | | SecurityIdentifier machineSid; |
| 2 | 75 | | if (!Cache.GetMachineSid(computerObjectId, out var tempMachineSid)) |
| 2 | 76 | | { |
| 2 | 77 | | var getMachineSidResult = server.GetMachineSid(); |
| 2 | 78 | | if (getMachineSidResult.IsFailed) |
| 0 | 79 | | { |
| 0 | 80 | | _log.LogTrace("GetMachineSid failed on {ComputerName}: {Error}", computerName, getMachineSidResult.S |
| 0 | 81 | | await SendComputerStatus(new CSVComputerStatus |
| 0 | 82 | | { |
| 0 | 83 | | Status = getMachineSidResult.SError, |
| 0 | 84 | | ComputerName = computerName, |
| 0 | 85 | | Task = "GetMachineSid" |
| 0 | 86 | | }); |
| | 87 | | //If we can't get a machine sid, we wont be able to make local principals with unique object ids, or |
| 0 | 88 | | _log.LogWarning("Unable to get machineSid for {Computer}: {Status}. Abandoning local group processin |
| 0 | 89 | | yield break; |
| | 90 | | } |
| | 91 | |
|
| 2 | 92 | | machineSid = getMachineSidResult.Value; |
| 2 | 93 | | Cache.AddMachineSid(computerObjectId, machineSid.Value); |
| 2 | 94 | | } |
| | 95 | | else |
| 0 | 96 | | { |
| 0 | 97 | | machineSid = new SecurityIdentifier(tempMachineSid); |
| 0 | 98 | | } |
| | 99 | |
|
| | 100 | | //Get all available domains in the server |
| 2 | 101 | | var getDomainsResult = server.GetDomains(); |
| 2 | 102 | | if (getDomainsResult.IsFailed) |
| 0 | 103 | | { |
| 0 | 104 | | _log.LogTrace("GetDomains failed on {ComputerName}: {Error}", computerName, getDomainsResult.SError); |
| 0 | 105 | | await SendComputerStatus(new CSVComputerStatus |
| 0 | 106 | | { |
| 0 | 107 | | Task = "GetDomains", |
| 0 | 108 | | ComputerName = computerName, |
| 0 | 109 | | Status = getDomainsResult.SError |
| 0 | 110 | | }); |
| 0 | 111 | | yield break; |
| | 112 | | } |
| | 113 | |
|
| | 114 | | //Loop over each domain result and process its member groups |
| 12 | 115 | | foreach (var domainResult in getDomainsResult.Value) |
| 3 | 116 | | { |
| | 117 | | //Skip non-builtin domains on domain controllers |
| 3 | 118 | | if (isDomainController && !domainResult.Name.Equals("builtin", StringComparison.OrdinalIgnoreCase)) |
| 0 | 119 | | continue; |
| | 120 | |
|
| | 121 | | //Open a handle to the domain |
| 3 | 122 | | var openDomainResult = server.OpenDomain(domainResult.Name); |
| 3 | 123 | | if (openDomainResult.IsFailed) |
| 0 | 124 | | { |
| 0 | 125 | | _log.LogTrace("Failed to open domain {Domain} on {ComputerName}: {Error}", domainResult.Name, comput |
| 0 | 126 | | await SendComputerStatus(new CSVComputerStatus |
| 0 | 127 | | { |
| 0 | 128 | | Task = $"OpenDomain - {domainResult.Name}", |
| 0 | 129 | | ComputerName = computerName, |
| 0 | 130 | | Status = openDomainResult.SError |
| 0 | 131 | | }); |
| 0 | 132 | | continue; |
| | 133 | | } |
| | 134 | |
|
| 3 | 135 | | var domain = openDomainResult.Value; |
| | 136 | |
|
| | 137 | | //Open a handle to the available aliases |
| 3 | 138 | | var getAliasesResult = domain.GetAliases(); |
| | 139 | |
|
| 3 | 140 | | if (getAliasesResult.IsFailed) |
| 0 | 141 | | { |
| 0 | 142 | | _log.LogTrace("Failed to open Aliases on Domain {Domain} on on {ComputerName}: {Error}", domainResul |
| 0 | 143 | | await SendComputerStatus(new CSVComputerStatus |
| 0 | 144 | | { |
| 0 | 145 | | Task = $"GetAliases - {domainResult.Name}", |
| 0 | 146 | | ComputerName = computerName, |
| 0 | 147 | | Status = getAliasesResult.SError |
| 0 | 148 | | }); |
| 0 | 149 | | continue; |
| | 150 | | } |
| | 151 | |
|
| 19 | 152 | | foreach (var alias in getAliasesResult.Value) |
| 5 | 153 | | { |
| 5 | 154 | | _log.LogTrace("Opening alias {Alias} with RID {Rid} in domain {Domain} on computer {ComputerName}", |
| | 155 | | //Try and resolve the group name using several different criteria |
| 5 | 156 | | var resolvedName = ResolveGroupName(alias.Name, computerName, computerObjectId, computerDomain, alia |
| 5 | 157 | | isDomainController, |
| 5 | 158 | | domainResult.Name.Equals("builtin", StringComparison.OrdinalIgnoreCase)); |
| | 159 | |
|
| 5 | 160 | | var ret = new LocalGroupAPIResult |
| 5 | 161 | | { |
| 5 | 162 | | Name = resolvedName.PrincipalName, |
| 5 | 163 | | ObjectIdentifier = resolvedName.ObjectId |
| 5 | 164 | | }; |
| | 165 | |
|
| | 166 | | //Open a handle to the alias |
| 5 | 167 | | var openAliasResult = domain.OpenAlias(alias.Rid); |
| 5 | 168 | | if (openAliasResult.IsFailed) |
| 0 | 169 | | { |
| 0 | 170 | | _log.LogTrace("Failed to open alias {Alias} with RID {Rid} in domain {Domain} on computer {Compu |
| 0 | 171 | | await SendComputerStatus(new CSVComputerStatus |
| 0 | 172 | | { |
| 0 | 173 | | Task = $"OpenAlias - {alias.Name}", |
| 0 | 174 | | ComputerName = computerName, |
| 0 | 175 | | Status = openAliasResult.SError |
| 0 | 176 | | }); |
| 0 | 177 | | ret.Collected = false; |
| 0 | 178 | | ret.FailureReason = $"SamOpenAliasInDomain failed with status {openAliasResult.SError}"; |
| 0 | 179 | | yield return ret; |
| 0 | 180 | | continue; |
| | 181 | | } |
| | 182 | |
|
| 5 | 183 | | var localGroup = openAliasResult.Value; |
| | 184 | | //Call GetMembersInAlias to get raw group members |
| 5 | 185 | | var getMembersResult = localGroup.GetMembers(); |
| 5 | 186 | | if (getMembersResult.IsFailed) |
| 0 | 187 | | { |
| 0 | 188 | | _log.LogTrace("Failed to get members in alias {Alias} with RID {Rid} in domain {Domain} on compu |
| 0 | 189 | | await SendComputerStatus(new CSVComputerStatus |
| 0 | 190 | | { |
| 0 | 191 | | Task = $"GetMembersInAlias - {alias.Name}", |
| 0 | 192 | | ComputerName = computerName, |
| 0 | 193 | | Status = getMembersResult.SError |
| 0 | 194 | | }); |
| 0 | 195 | | ret.Collected = false; |
| 0 | 196 | | ret.FailureReason = $"SamGetMembersInAlias failed with status {getMembersResult.SError}"; |
| 0 | 197 | | yield return ret; |
| 0 | 198 | | continue; |
| | 199 | | } |
| | 200 | |
|
| 5 | 201 | | await SendComputerStatus(new CSVComputerStatus |
| 5 | 202 | | { |
| 5 | 203 | | Task = $"GetMembersInAlias - {alias.Name}", |
| 5 | 204 | | ComputerName = computerName, |
| 5 | 205 | | Status = CSVComputerStatus.StatusSuccess |
| 5 | 206 | | }); |
| | 207 | |
|
| 5 | 208 | | var results = new List<TypedPrincipal>(); |
| 5 | 209 | | var names = new List<NamedPrincipal>(); |
| | 210 | |
|
| 37 | 211 | | foreach (var securityIdentifier in getMembersResult.Value) |
| 11 | 212 | | { |
| 11 | 213 | | _log.LogTrace("Got member sid {Sid} in alias {Alias} with RID {Rid} in domain {Domain} on comput |
| | 214 | | //Check if the sid is one of our filtered ones. Throw it out if it is |
| 11 | 215 | | if (Helpers.IsSidFiltered(securityIdentifier.Value)) |
| 1 | 216 | | continue; |
| | 217 | |
|
| 10 | 218 | | var sidValue = securityIdentifier.Value; |
| | 219 | |
|
| 10 | 220 | | if (isDomainController) |
| 5 | 221 | | { |
| 5 | 222 | | var result = ResolveDomainControllerPrincipal(sidValue, computerDomain); |
| 7 | 223 | | if (result != null) results.Add(result); |
| 5 | 224 | | continue; |
| | 225 | | } |
| | 226 | |
|
| | 227 | | //If we get a local well known principal, we need to convert it using the computer's objectid |
| 5 | 228 | | if (ConvertLocalWellKnownPrincipal(securityIdentifier, computerObjectId, computerDomain, out var |
| 1 | 229 | | { |
| | 230 | | //If the principal is null, it means we hit a weird edge case, but this is a local well know |
| 1 | 231 | | if (principal != null) |
| 1 | 232 | | results.Add(principal); |
| 1 | 233 | | continue; |
| | 234 | | } |
| | 235 | |
|
| | 236 | | //If the security identifier starts with the machine sid, we need to resolve it as a local objec |
| 4 | 237 | | if (securityIdentifier.IsEqualDomainSid(machineSid)) |
| 3 | 238 | | { |
| | 239 | | //Check if we've already previously resolved and cached this sid |
| 3 | 240 | | if (typeCache.TryGetValue(sidValue, out var cachedLocalItem)) |
| 0 | 241 | | { |
| 0 | 242 | | results.Add(new TypedPrincipal |
| 0 | 243 | | { |
| 0 | 244 | | ObjectIdentifier = sidValue, |
| 0 | 245 | | ObjectType = cachedLocalItem.Type |
| 0 | 246 | | }); |
| | 247 | |
|
| 0 | 248 | | names.Add(new NamedPrincipal |
| 0 | 249 | | { |
| 0 | 250 | | ObjectId = sidValue, |
| 0 | 251 | | PrincipalName = cachedLocalItem.Name |
| 0 | 252 | | }); |
| | 253 | | //Move on |
| 0 | 254 | | continue; |
| | 255 | | } |
| | 256 | |
|
| | 257 | | //Attempt to lookup the principal in the server directly |
| 3 | 258 | | var lookupUserResult = server.LookupPrincipalBySid(securityIdentifier); |
| 3 | 259 | | if (lookupUserResult.IsFailed) |
| 0 | 260 | | { |
| 0 | 261 | | _log.LogTrace("Unable to resolve local sid {SID}: {Error}", sidValue, lookupUserResult.S |
| 0 | 262 | | continue; |
| | 263 | | } |
| | 264 | |
|
| 3 | 265 | | var (name, use) = lookupUserResult.Value; |
| 3 | 266 | | var objectType = use switch |
| 3 | 267 | | { |
| 2 | 268 | | SharedEnums.SidNameUse.User => Label.LocalUser, |
| 0 | 269 | | SharedEnums.SidNameUse.Group => Label.LocalGroup, |
| 1 | 270 | | SharedEnums.SidNameUse.Alias => Label.LocalGroup, |
| 0 | 271 | | _ => Label.Base |
| 3 | 272 | | }; |
| | 273 | |
|
| | 274 | | // Cache whatever we looked up for future lookups |
| 3 | 275 | | typeCache.TryAdd(sidValue, new CachedLocalItem(name, objectType)); |
| | 276 | |
|
| | 277 | | // Throw out local users |
| 3 | 278 | | if (objectType == Label.LocalUser) |
| 2 | 279 | | continue; |
| | 280 | |
|
| 1 | 281 | | var newSid = $"{computerObjectId}-{securityIdentifier.Rid()}"; |
| | 282 | |
|
| 1 | 283 | | results.Add(new TypedPrincipal |
| 1 | 284 | | { |
| 1 | 285 | | ObjectIdentifier = newSid, |
| 1 | 286 | | ObjectType = objectType |
| 1 | 287 | | }); |
| | 288 | |
|
| 1 | 289 | | names.Add(new NamedPrincipal |
| 1 | 290 | | { |
| 1 | 291 | | PrincipalName = name, |
| 1 | 292 | | ObjectId = newSid |
| 1 | 293 | | }); |
| 1 | 294 | | continue; |
| | 295 | | } |
| | 296 | |
|
| | 297 | | //If we get here, we most likely have a domain principal in a local group |
| 1 | 298 | | var resolvedPrincipal = _utils.ResolveIDAndType(sidValue, computerDomain); |
| 2 | 299 | | if (resolvedPrincipal != null) results.Add(resolvedPrincipal); |
| 1 | 300 | | } |
| | 301 | |
|
| 5 | 302 | | ret.Collected = true; |
| 5 | 303 | | ret.LocalNames = names.ToArray(); |
| 5 | 304 | | ret.Results = results.ToArray(); |
| 5 | 305 | | yield return ret; |
| 5 | 306 | | } |
| 3 | 307 | | } |
| 2 | 308 | | } |
| | 309 | |
|
| | 310 | | private TypedPrincipal ResolveDomainControllerPrincipal(string sid, string computerDomain) |
| 5 | 311 | | { |
| | 312 | | //If the server is a domain controller and we have a well known group, use the domain value |
| 5 | 313 | | if (_utils.GetWellKnownPrincipal(sid, computerDomain, out var wellKnown)) |
| 1 | 314 | | return wellKnown; |
| 4 | 315 | | return _utils.ResolveIDAndType(sid, computerDomain); |
| 5 | 316 | | } |
| | 317 | |
|
| | 318 | | private bool ConvertLocalWellKnownPrincipal(SecurityIdentifier sid, string computerObjectId, string computerDoma |
| 5 | 319 | | { |
| 5 | 320 | | if (WellKnownPrincipal.GetWellKnownPrincipal(sid.Value, out var common)) |
| 1 | 321 | | { |
| 1 | 322 | | if (sid.Value is "S-1-1-0" or "S-1-5-11") |
| 0 | 323 | | { |
| 0 | 324 | | _utils.GetWellKnownPrincipal(sid.Value, computerDomain, out principal); |
| 0 | 325 | | return true; |
| | 326 | | } |
| | 327 | |
|
| 1 | 328 | | principal = new TypedPrincipal |
| 1 | 329 | | { |
| 1 | 330 | | ObjectIdentifier = $"{computerObjectId}-{sid.Rid()}", |
| 1 | 331 | | ObjectType = common.ObjectType switch |
| 1 | 332 | | { |
| 0 | 333 | | Label.User => Label.LocalUser, |
| 1 | 334 | | Label.Group => Label.LocalGroup, |
| 0 | 335 | | _ => common.ObjectType |
| 1 | 336 | | } |
| 1 | 337 | | }; |
| | 338 | |
|
| 1 | 339 | | return true; |
| | 340 | | } |
| | 341 | |
|
| 4 | 342 | | principal = null; |
| 4 | 343 | | return false; |
| 5 | 344 | | } |
| | 345 | |
|
| | 346 | | private NamedPrincipal ResolveGroupName(string baseName, string computerName, string computerDomainSid, |
| | 347 | | string domainName, int groupRid, bool isDc, bool isBuiltIn) |
| 7 | 348 | | { |
| 7 | 349 | | if (isDc) |
| 3 | 350 | | { |
| 3 | 351 | | if (isBuiltIn) |
| 3 | 352 | | { |
| | 353 | | //If this is the builtin group on the DC, the groups correspond to the domain well known groups |
| 3 | 354 | | _utils.GetWellKnownPrincipal($"S-1-5-32-{groupRid}".ToUpper(), domainName, out var principal); |
| 3 | 355 | | return new NamedPrincipal |
| 3 | 356 | | { |
| 3 | 357 | | ObjectId = principal.ObjectIdentifier, |
| 3 | 358 | | PrincipalName = "IGNOREME" |
| 3 | 359 | | }; |
| | 360 | | } |
| | 361 | |
|
| 0 | 362 | | if (computerDomainSid == null) |
| 0 | 363 | | return null; |
| | 364 | | //We shouldn't hit this provided our isDC logic is correct since we're skipping non-builtin groups |
| 0 | 365 | | return new NamedPrincipal |
| 0 | 366 | | { |
| 0 | 367 | | ObjectId = $"{computerDomainSid}-{groupRid}".ToUpper(), |
| 0 | 368 | | PrincipalName = "IGNOREME" |
| 0 | 369 | | }; |
| | 370 | | } |
| | 371 | |
|
| 4 | 372 | | if (computerDomainSid == null) |
| 0 | 373 | | return null; |
| | 374 | | //Take the local machineSid, append the groupRid, and make a name from the group name + computername |
| 4 | 375 | | return new NamedPrincipal |
| 4 | 376 | | { |
| 4 | 377 | | ObjectId = $"{computerDomainSid}-{groupRid}", |
| 4 | 378 | | PrincipalName = $"{baseName}@{computerName}".ToUpper() |
| 4 | 379 | | }; |
| 7 | 380 | | } |
| | 381 | |
|
| | 382 | | private async Task SendComputerStatus(CSVComputerStatus status) |
| 5 | 383 | | { |
| 5 | 384 | | if (ComputerStatusEvent is not null) await ComputerStatusEvent(status); |
| 5 | 385 | | } |
| | 386 | | } |
| | 387 | | } |