using System;
using System.Collections.Generic;
using Microsoft.Extensions.Logging;
using SharpHoundCommonLib.OutputTypes;
| | 4 | |
|
| | 5 | | namespace SharpHoundCommonLib.Processors |
| | 6 | | { |
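public class SPNProcessors
{
    private const string MSSQLSPNString = "mssqlsvc";
    // Port used when an MSSQLSvc SPN carries no port or a non-numeric (named instance) suffix
    private const int DefaultMSSQLPort = 1433;
    // Resolution result must be a SID for the yielded privilege to be a usable edge target
    private const string SidPrefix = "S-1-";
    private readonly ILogger _log;
    private readonly ILDAPUtils _utils;

    /// <summary>
    ///     Creates a processor that turns servicePrincipalName values into SPN-derived privileges.
    /// </summary>
    /// <param name="utils">LDAP helper used to resolve an SPN's host to a SID.</param>
    /// <param name="log">Optional logger; when null a default "SPNProc" logger is created.</param>
    public SPNProcessors(ILDAPUtils utils, ILogger log = null)
    {
        _utils = utils;
        _log = log ?? Logging.LogProvider.CreateLogger("SPNProc");
    }

    /// <summary>
    ///     Reads the servicePrincipalName attribute of <paramref name="entry" /> and yields the
    ///     privileges implied by its SPNs.
    /// </summary>
    /// <param name="result">Resolved search result; only its display name is used, for logging.</param>
    /// <param name="entry">LDAP entry whose servicePrincipalName and distinguishedName are read.</param>
    /// <returns>An async stream of <see cref="SPNPrivilege" /> values, possibly empty.</returns>
    public IAsyncEnumerable<SPNPrivilege> ReadSPNTargets(ResolvedSearchResult result,
        ISearchResultEntry entry)
    {
        var servicePrincipalNames = entry.GetArrayProperty(LDAPProperties.ServicePrincipalNames);
        return ReadSPNTargets(servicePrincipalNames, entry.DistinguishedName, result.DisplayName);
    }

    /// <summary>
    ///     Yields an <see cref="SPNPrivilege" /> for every MSSQLSvc SPN whose host resolves to a SID.
    /// </summary>
    /// <param name="servicePrincipalNames">SPN values of the object; null is treated as empty.</param>
    /// <param name="distinguishedName">Distinguished name of the object, used to derive its domain.</param>
    /// <param name="objectName">Display name of the object, used only in trace logging.</param>
    /// <returns>An async stream of SQLAdmin privileges, one per resolvable MSSQLSvc SPN.</returns>
    public async IAsyncEnumerable<SPNPrivilege> ReadSPNTargets(string[] servicePrincipalNames,
        string distinguishedName, string objectName = "")
    {
        if (servicePrincipalNames == null || servicePrincipalNames.Length == 0)
        {
            _log.LogTrace("SPN Array is empty for {Name}", objectName);
            yield break;
        }

        var domain = Helpers.DistinguishedNameToDomain(distinguishedName);

        foreach (var spn in servicePrincipalNames)
        {
            // The username@domain SPN form carries no host to resolve, so it is skipped
            if (spn.Contains("@"))
            {
                _log.LogTrace("Skipping spn with @ {SPN} for {Name}", spn, objectName);
                continue;
            }

            _log.LogTrace("Processing SPN {SPN} for {Name}", spn, objectName);

            // Ordinal, case-insensitive match: the SPN service class is an identifier, not culture text
            if (spn.IndexOf(MSSQLSPNString, StringComparison.OrdinalIgnoreCase) < 0)
                continue;

            _log.LogTrace("Matched SQL SPN {SPN} for {Name}", spn, objectName);
            var port = ParseSqlPort(spn);

            var host = await _utils.ResolveHostToSid(spn, domain);
            _log.LogTrace("Resolved {SPN} to {Hostname}", spn, host);

            // Anything other than a SID (null or an unresolved name) cannot be an edge target
            if (host != null && host.StartsWith(SidPrefix, StringComparison.Ordinal))
                yield return new SPNPrivilege
                {
                    ComputerSID = host,
                    Port = port,
                    Service = EdgeNames.SQLAdmin
                };
        }
    }

    /// <summary>
    ///     Extracts the port from an MSSQLSvc SPN of the form "MSSQLSvc/host:port".
    /// </summary>
    /// <param name="spn">The full SPN value.</param>
    /// <returns>
    ///     The integer after the first ':' when present and numeric; otherwise
    ///     <see cref="DefaultMSSQLPort" /> (no port given, or a named instance such as "host:INSTANCE").
    /// </returns>
    private static int ParseSqlPort(string spn)
    {
        if (!spn.Contains(":"))
            return DefaultMSSQLPort;

        return int.TryParse(spn.Split(':')[1], out var port) ? port : DefaultMSSQLPort;
    }
}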
| | 73 | | } |