| 1 | + | using System; |
| 2 | + | using System.Collections; |
| 3 | + | using System.Collections.Generic; |
| 4 | + | using System.DirectoryServices; |
| 5 | + | using System.IO; |
| 6 | + | using System.Linq; |
| 7 | + | using System.Net; |
| 8 | + | using System.Net.NetworkInformation; |
| 9 | + | using System.Text; |
| 10 | + | using System.Web.Script.Serialization; |
| 11 | + | |
| 12 | + | namespace SharpMapExec.Lib |
| 13 | + | { |
| 14 | + | // https://github.com/ustayready/SharpHose |
| 15 | + | public class LDAPPasswordPolicy |
| 16 | + | { |
| 17 | + | public int LockoutThreshold { get; set; } |
| 18 | + | public long LockoutDuration { get; set; } |
| 19 | + | public long LockoutObservationWindow { get; set; } |
| 20 | + | public int MinimumPasswordLength { get; set; } |
| 21 | + | public long MinimumPasswordAge { get; set; } |
| 22 | + | public long MaximumPasswordAge { get; set; } |
| 23 | + | public bool PossiblyCustomized { get; set; } |
| 24 | + | public string Name { get; set; } |
| 25 | + | public bool IsFineGrained { get; set; } |
| 26 | + | public int PasswordHistoryLength { get; set; } |
| 27 | + | public List<string> AppliesToDN { get; set; } |
| 28 | + | public int PasswordPrecendence { get; set; } |
| 29 | + | public bool ComplexityEnabled { get; set; } |
| 30 | + | public bool ReversibleEncryptionEnabled { get; set; } |
| 31 | + | public string ADSPath { get; set; } |
| 32 | + | public List<string> AppliesToUsers { get; set; } |
| 33 | + | |
| 34 | + | public LDAPPasswordPolicy(SearchResult result, bool isFineGrained) |
| 35 | + | { |
| 36 | + | AppliesToDN = new List<string>(); |
| 37 | + | AppliesToUsers = new List<string>(); |
| 38 | + | IsFineGrained = isFineGrained; |
| 39 | + | |
| 40 | + | if (isFineGrained) |
| 41 | + | { |
| 42 | + | LoadFineGrainedPolicy(result); |
| 43 | + | } |
| 44 | + | else |
| 45 | + | { |
| 46 | + | LoadDomainPolicy(result); |
| 47 | + | } |
| 48 | + | } |
| 49 | + | |
| 50 | + | private void LoadFineGrainedPolicy(SearchResult result) |
| 51 | + | { |
| 52 | + | foreach (DictionaryEntry prop in result.Properties) |
| 53 | + | { |
| 54 | + | var property = (string)prop.Key; |
| 55 | + | var value = (ResultPropertyValueCollection)prop.Value; |
| 56 | + | |
| 57 | + | if (property == "msds-psoappliesto") |
| 58 | + | { |
| 59 | + | foreach (string applies in (ResultPropertyValueCollection)value) |
| 60 | + | { |
| 61 | + | AppliesToDN.Add(applies); |
| 62 | + | } |
| 63 | + | } |
| 64 | + | else if (new string[] { "name", "adspath" }.Any(x => x == property)) |
| 65 | + | { |
| 66 | + | switch (property) |
| 67 | + | { |
| 68 | + | case "name": |
| 69 | + | Name = (string)value[0]; |
| 70 | + | break; |
| 71 | + | |
| 72 | + | case "adspath": |
| 73 | + | ADSPath = (string)value[0]; |
| 74 | + | break; |
| 75 | + | } |
| 76 | + | } |
| 77 | + | else if (new string[] { "msds-passwordcomplexityenabled", "msds-passwordreversibleencryptionenabled" }.Any(x => x == property)) |
| 78 | + | { |
| 79 | + | bool placeHolder = (bool)value[0]; |
| 80 | + | switch (property) |
| 81 | + | { |
| 82 | + | case "msds-passwordcomplexityenabled": |
| 83 | + | ComplexityEnabled = placeHolder; |
| 84 | + | break; |
| 85 | + | |
| 86 | + | case "msds-passwordreversibleencryptionenabled": |
| 87 | + | ReversibleEncryptionEnabled = placeHolder; |
| 88 | + | break; |
| 89 | + | } |
| 90 | + | } |
| 91 | + | else if (new string[] { "msds-lockoutobservationwindow", "msds-lockoutduration", "msds-minimumpasswordage", "msds-maximumpasswordage" }.Any(x => x == property)) |
| 92 | + | { |
| 93 | + | long placeHolder = (long)value[0]; |
| 94 | + | switch (property) |
| 95 | + | { |
| 96 | + | case "msds-lockoutobservationwindow": |
| 97 | + | LockoutObservationWindow = placeHolder; |
| 98 | + | break; |
| 99 | + | |
| 100 | + | case "msds-lockoutduration": |
| 101 | + | LockoutDuration = placeHolder; |
| 102 | + | break; |
| 103 | + | |
| 104 | + | case "msds-minimumpasswordage": |
| 105 | + | MinimumPasswordAge = placeHolder; |
| 106 | + | break; |
| 107 | + | |
| 108 | + | case "msds-maximumpasswordage": |
| 109 | + | MaximumPasswordAge = placeHolder; |
| 110 | + | break; |
| 111 | + | } |
| 112 | + | } |
| 113 | + | else |
| 114 | + | { |
| 115 | + | int placeHolder; |
| 116 | + | int.TryParse(value[0].ToString(), out placeHolder); |
| 117 | + | |
| 118 | + | switch (property) |
| 119 | + | { |
| 120 | + | case "msds-lockoutthreshold": |
| 121 | + | LockoutThreshold = placeHolder; |
| 122 | + | break; |
| 123 | + | |
| 124 | + | case "msds-minimumpasswordlength": |
| 125 | + | MinimumPasswordLength = placeHolder; |
| 126 | + | break; |
| 127 | + | |
| 128 | + | case "msds-passwordhistorylength": |
| 129 | + | PasswordHistoryLength = placeHolder; |
| 130 | + | break; |
| 131 | + | |
| 132 | + | case "msds-passwordsettingsprecedence": |
| 133 | + | PasswordPrecendence = placeHolder; |
| 134 | + | break; |
| 135 | + | } |
| 136 | + | } |
| 137 | + | } |
| 138 | + | } |
| 139 | + | |
| 140 | + | public void LoadDomainPolicy(SearchResult result) |
| 141 | + | { |
| 142 | + | PasswordPrecendence = 0; |
| 143 | + | |
| 144 | + | foreach (DictionaryEntry prop in result.Properties) |
| 145 | + | { |
| 146 | + | var property = (string)prop.Key; |
| 147 | + | var value = (ResultPropertyValueCollection)prop.Value; |
| 148 | + | |
| 149 | + | if (new string[] { "name", "adspath" }.Any(x => x == property)) |
| 150 | + | { |
| 151 | + | switch (property) |
| 152 | + | { |
| 153 | + | case "name": |
| 154 | + | Name = (string)value[0]; |
| 155 | + | break; |
| 156 | + | |
| 157 | + | case "adspath": |
| 158 | + | ADSPath = (string)value[0]; |
| 159 | + | break; |
| 160 | + | } |
| 161 | + | } |
| 162 | + | else if (new string[] { "lockoutobservationwindow", "lockoutduration", "minpwdage", "maxpwdage" }.Any(x => x == property)) |
| 163 | + | { |
| 164 | + | long placeHolder = (long)value[0]; |
| 165 | + | switch (property) |
| 166 | + | { |
| 167 | + | case "lockoutobservationwindow": |
| 168 | + | LockoutObservationWindow = placeHolder; |
| 169 | + | break; |
| 170 | + | |
| 171 | + | case "lockoutduration": |
| 172 | + | LockoutDuration = placeHolder; |
| 173 | + | break; |
| 174 | + | |
| 175 | + | case "minpwdage": |
| 176 | + | MinimumPasswordAge = placeHolder; |
| 177 | + | break; |
| 178 | + | |
| 179 | + | case "maxpwdage": |
| 180 | + | MaximumPasswordAge = placeHolder; |
| 181 | + | break; |
| 182 | + | } |
| 183 | + | } |
| 184 | + | else |
| 185 | + | { |
| 186 | + | int placeHolder; |
| 187 | + | int.TryParse(value[0].ToString(), out placeHolder); |
| 188 | + | |
| 189 | + | switch (property) |
| 190 | + | { |
| 191 | + | case "lockoutthreshold": |
| 192 | + | LockoutThreshold = placeHolder; |
| 193 | + | break; |
| 194 | + | |
| 195 | + | case "minpwdlength": |
| 196 | + | MinimumPasswordLength = placeHolder; |
| 197 | + | break; |
| 198 | + | |
| 199 | + | case "pwdhistorylength": |
| 200 | + | PasswordHistoryLength = placeHolder; |
| 201 | + | break; |
| 202 | + | |
| 203 | + | case "passwordsettingsprecedence": |
| 204 | + | PasswordPrecendence = placeHolder; |
| 205 | + | break; |
| 206 | + | |
| 207 | + | case "msds-behavior-version": |
| 208 | + | PossiblyCustomized = placeHolder >= 3 ? true : false; ; |
| 209 | + | break; |
| 210 | + | } |
| 211 | + | } |
| 212 | + | } |
| 213 | + | } |
| 214 | + | } |
| 215 | + | |
| 216 | + | public class UserInfo |
| 217 | + | { |
| 218 | + | public virtual string Username { get; set; } |
| 219 | + | public virtual Domain.UserState UserState { get; set; } |
| 220 | + | } |
| 221 | + | |
| 222 | + | public class LDAPUserInfo : UserInfo |
| 223 | + | { |
| 224 | + | public override string Username { get; set; } |
| 225 | + | |
| 226 | + | public int BadPasswordCount { get; set; } |
| 227 | + | public DateTime BadPasswordTime { get; set; } |
| 228 | + | public DateTime LockoutTime { get; set; } |
| 229 | + | public int LockoutDuration { get; set; } |
| 230 | + | public DateTime PasswordLastSet { get; set; } |
| 231 | + | public string PolicyName { get; set; } |
| 232 | + | |
| 233 | + | public LDAPUserInfo(SearchResult result) |
| 234 | + | { |
| 235 | + | Username = result.Properties["sAMAccountname"][0].ToString().ToLower(); |
| 236 | + | |
| 237 | + | int badPwdCount = 0; |
| 238 | + | if (result.Properties.Contains("badPwdCount")) |
| 239 | + | int.TryParse(result.Properties["badPwdCount"][0].ToString(), out badPwdCount); |
| 240 | + | BadPasswordCount = badPwdCount; |
| 241 | + | |
| 242 | + | long badPasswordTime = 0; |
| 243 | + | if (result.Properties.Contains("badPasswordTime")) |
| 244 | + | long.TryParse(result.Properties["badPasswordTime"][0].ToString(), out badPasswordTime); |
| 245 | + | |
| 246 | + | try |
| 247 | + | { |
| 248 | + | if (badPasswordTime != -1) |
| 249 | + | BadPasswordTime = DateTime.FromFileTime(badPasswordTime); |
| 250 | + | } |
| 251 | + | catch |
| 252 | + | { |
| 253 | + | throw new Exception($"Bad password time: {badPasswordTime} for {Username}"); |
| 254 | + | } |
| 255 | + | |
| 256 | + | long lockoutTime = 0; |
| 257 | + | if (result.Properties.Contains("lockoutTime")) |
| 258 | + | long.TryParse(result.Properties["lockoutTime"][0].ToString(), out lockoutTime); |
| 259 | + | |
| 260 | + | try |
| 261 | + | { |
| 262 | + | if (lockoutTime != -1) |
| 263 | + | LockoutTime = DateTime.FromFileTime(lockoutTime); |
| 264 | + | } |
| 265 | + | catch |
| 266 | + | { |
| 267 | + | throw new Exception($"Bad lockout time: {lockoutTime} for {Username}"); |
| 268 | + | } |
| 269 | + | |
| 270 | + | int lockoutDuration = 0; |
| 271 | + | if (result.Properties.Contains("lockoutDuration")) |
| 272 | + | int.TryParse(result.Properties["lockoutDuration"][0].ToString(), out lockoutDuration); |
| 273 | + | LockoutDuration = lockoutDuration; |
| 274 | + | |
| 275 | + | long pwdLastSet = 0; |
| 276 | + | if (result.Properties.Contains("pwdLastSet")) |
| 277 | + | long.TryParse(result.Properties["pwdLastSet"][0].ToString(), out pwdLastSet); |
| 278 | + | |
| 279 | + | try |
| 280 | + | { |
| 281 | + | if (pwdLastSet != -1) |
| 282 | + | PasswordLastSet = DateTime.FromFileTime(pwdLastSet); |
| 283 | + | } |
| 284 | + | catch |
| 285 | + | { |
| 286 | + | throw new Exception($"Bad password last set time: {pwdLastSet} for {Username}"); |
| 287 | + | } |
| 288 | + | } |
| 289 | + | } |
| 290 | + | |
| 291 | + | public static class LDAPExtensions |
| 292 | + | { |
| 293 | + | public static LDAPPasswordPolicy GetUserPolicy(this LDAPUserInfo user, List<LDAPPasswordPolicy> Policies) |
| 294 | + | { |
| 295 | + | var policy = Policies |
| 296 | + | .Where(x => x.IsFineGrained && x.AppliesToUsers.Contains(user.Username, StringComparer.OrdinalIgnoreCase)) |
| 297 | + | .OrderByDescending(y => y.PasswordPrecendence); |
| 298 | + | |
| 299 | + | if (policy.Count() > 0) |
| 300 | + | { |
| 301 | + | return policy.First(); |
| 302 | + | } |
| 303 | + | else |
| 304 | + | { |
| 305 | + | return Policies.First(x => !x.IsFineGrained); |
| 306 | + | } |
| 307 | + | } |
| 308 | + | |
| 309 | + | public static LDAPUserInfo ClassifyUser(this LDAPUserInfo user, LDAPPasswordPolicy policy) |
| 310 | + | { |
| 311 | + | user.PolicyName = policy.Name; |
| 312 | + | if (policy.LockoutThreshold == 0) |
| 313 | + | { |
| 314 | + | user.UserState = Domain.UserState.SAFE_TO_SPRAY; |
| 315 | + | return user; |
| 316 | + | } |
| 317 | + | |
| 318 | + | var now = DateTime.Now; |
| 319 | + | var start = new DateTime(1900, 01, 01); |
| 320 | + | var badPasswordCount = user.BadPasswordCount; |
| 321 | + | var lockoutDurationTime = user.LockoutTime.AddTicks((policy.LockoutDuration * -1)); |
| 322 | + | var observationTime = user.BadPasswordTime.AddTicks((policy.LockoutObservationWindow * -1)); |
| 323 | + | |
| 324 | + | if ((badPasswordCount == policy.LockoutThreshold) && (observationTime > now)) |
| 325 | + | { |
| 326 | + | user.UserState = Domain.UserState.LOCKED_OUT; |
| 327 | + | } |
| 328 | + | else if (badPasswordCount == (policy.LockoutThreshold - 1)) |
| 329 | + | { |
| 330 | + | user.UserState = Domain.UserState.PENDING_LOCK_OUT; |
| 331 | + | } |
| 332 | + | |
| 333 | + | if (observationTime < now) |
| 334 | + | { |
| 335 | + | user.UserState = Domain.UserState.SAFE_TO_SPRAY; |
| 336 | + | var diff = (policy.LockoutThreshold - 1); |
| 337 | + | } |
| 338 | + | else if ((badPasswordCount < (policy.LockoutThreshold - 1)) && (observationTime > now)) |
| 339 | + | { |
| 340 | + | user.UserState = Domain.UserState.SAFE_TO_SPRAY; |
| 341 | + | var diff = (policy.LockoutThreshold - 1) - badPasswordCount; |
| 342 | + | } |
| 343 | + | |
| 344 | + | if (lockoutDurationTime < start) |
| 345 | + | { |
| 346 | + | // Never locked out |
| 347 | + | } |
| 348 | + | if ((lockoutDurationTime > start) && (observationTime < now)) |
| 349 | + | { |
| 350 | + | // Was locked out |
| 351 | + | } |
| 352 | + | if ((badPasswordCount == (policy.LockoutThreshold - 1)) && (lockoutDurationTime < start) && (observationTime < now)) |
| 353 | + | { |
| 354 | + | // Almost locked out |
| 355 | + | } |
| 356 | + | if ((badPasswordCount > 0) && (badPasswordCount < (policy.LockoutThreshold - 1)) && (observationTime < now)) |
| 357 | + | { |
| 358 | + | // Prior failed attempts |
| 359 | + | } |
| 360 | + | return user; |
| 361 | + | } |
| 362 | + | } |
| 363 | + | |
| 364 | + | public class Domain |
| 365 | + | { |
| 366 | + | public enum UserState |
| 367 | + | { |
| 368 | + | LOCKED_OUT = 0, |
| 369 | + | PENDING_LOCK_OUT = 1, |
| 370 | + | SAFE_TO_SPRAY = 2, |
| 371 | + | NOT_YET_KNOWN = 3 |
| 372 | + | } |
| 373 | + | |
| 374 | + | public static string[] GetList(List<LDAPPasswordPolicy> Policies, List<UserInfo> Users) |
| 375 | + | { |
| 376 | + | string[] users; |
| 377 | + | var excluded = new List<string>(); |
| 378 | + | |
| 379 | + | var removedUnsafe = Users.RemoveAll(x => x.UserState != UserState.SAFE_TO_SPRAY); |
| 380 | + | |
| 381 | + | var fineGrainedPoliciesUserCount = Policies |
| 382 | + | .Where(x => x.IsFineGrained) |
| 383 | + | .Sum(y => y.AppliesToUsers.Count()); |
| 384 | + | |
| 385 | + | var defaultPolicyUserCount = Users.Count() - fineGrainedPoliciesUserCount; |
| 386 | + | |
| 387 | + | var removedExcluded = Users.RemoveAll(x => excluded.Contains(x.Username, StringComparer.OrdinalIgnoreCase)); |
| 388 | + | |
| 389 | + | Console.WriteLine($"Default Policy: {defaultPolicyUserCount} total user(s)"); |
| 390 | + | Console.WriteLine($"Fine Grained Policies: {fineGrainedPoliciesUserCount} total user(s)"); |
| 391 | + | Console.WriteLine($"Removed {removedUnsafe} unsafe user(s)"); |
| 392 | + | Console.WriteLine($"Removed {removedExcluded} excluded user(s)"); |
| 393 | + | Console.WriteLine($"Spraying {Users.Count()} user(s)"); |
| 394 | + | Console.WriteLine($"-----------------------------------"); |
| 395 | + | Console.WriteLine(); |
| 396 | + | |
| 397 | + | users = Users.Select(i => i.Username).ToArray(); |
| 398 | + | |
| 399 | + | return users; |
| 400 | + | } |
| 401 | + | |
| 402 | + | public static int DisplayPolicyUsers(string policyName, List<LDAPPasswordPolicy> Policies, List<UserInfo> Users, bool onlyCount = false) |
| 403 | + | { |
| 404 | + | var users = new List<string>(); |
| 405 | + | var policy = Policies.FirstOrDefault(x => x.Name.ToLower() == policyName.ToLower()); |
| 406 | + | |
| 407 | + | if (policy != null) |
| 408 | + | { |
| 409 | + | if (policy.IsFineGrained) |
| 410 | + | { |
| 411 | + | users = policy.AppliesToUsers; |
| 412 | + | } |
| 413 | + | else |
| 414 | + | { |
| 415 | + | var domUsers = new List<string>(); |
| 416 | + | Users.ForEach(x => domUsers.Add(x.Username)); |
| 417 | + | |
| 418 | + | var fgUsers = new List<string>(); |
| 419 | + | Policies.Where(x => x.IsFineGrained).ToList() |
| 420 | + | .ForEach(p => p.AppliesToUsers.ForEach(x => fgUsers.Add(x))); |
| 421 | + | |
| 422 | + | users = domUsers.Where(p => fgUsers.All(p2 => p2.ToLower() != p.ToLower())) |
| 423 | + | .Distinct().ToList(); |
| 424 | + | } |
| 425 | + | } |
| 426 | + | else |
| 427 | + | { |
| 428 | + | Console.WriteLine($"Policy not found: {policyName}"); |
| 429 | + | } |
| 430 | + | return users.Count; |
| 431 | + | } |
| 432 | + | |
| 433 | + | public static void DisplayPolicyDetails(LDAPPasswordPolicy policy, List<LDAPPasswordPolicy> Policies, List<UserInfo> Users) |
| 434 | + | { |
| 435 | + | var count = DisplayPolicyUsers(policy.Name, Policies, Users, true); |
| 436 | + | |
| 437 | + | var lockoutDurationTs = new TimeSpan(policy.LockoutDuration * -1); |
| 438 | + | var lockoutObservationWindowTs = new TimeSpan(policy.LockoutObservationWindow * -1); |
| 439 | + | var MinimumPasswordAgeTs = new TimeSpan(policy.MinimumPasswordAge * -1); |
| 440 | + | var MaximumPasswordAgeTs = new TimeSpan(policy.MaximumPasswordAge * -1); |
| 441 | + | |
| 442 | + | Console.WriteLine($"-----------------------------------"); |
| 443 | + | Console.WriteLine($"Name: {policy.Name}"); |
| 444 | + | Console.WriteLine($"Order Precedence: {policy.PasswordPrecendence}"); |
| 445 | + | Console.WriteLine($"ADs Path: {policy.ADSPath}"); |
| 446 | + | Console.WriteLine($"Is Fine Grained? {policy.IsFineGrained}"); |
| 447 | + | if (policy.IsFineGrained) { Console.WriteLine($"Applied to: {policy.AppliesToUsers.Count} users"); } |
| 448 | + | Console.WriteLine($"Minimum Password Length: {policy.MinimumPasswordLength}"); |
| 449 | + | Console.WriteLine($"Lockout Threshold: {policy.LockoutThreshold}"); |
| 450 | + | Console.WriteLine($"Lockout Duration: {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", lockoutDurationTs)}"); |
| 451 | + | Console.WriteLine($"Lockout Observation Window: {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", lockoutObservationWindowTs)}"); |
| 452 | + | Console.WriteLine($"Minimum / Maximum Password Age: {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", MinimumPasswordAgeTs)} / {string.Format("{0:%d}d {0:%h}h {0:%m}m {0:%s}s", MaximumPasswordAgeTs)}"); |
| 453 | + | Console.WriteLine($"Password History Length: {policy.PasswordHistoryLength}"); |
| 454 | + | Console.WriteLine($"Applies to: {count} users"); |
| 455 | + | Console.WriteLine(); |
| 456 | + | } |
| 457 | + | |
| 458 | + | public static List<string> GetPasswordPolicyUsers(LDAPPasswordPolicy policy, DirectoryEntry directoryObject) |
| 459 | + | { |
| 460 | + | Console.WriteLine($"[-] Retrieving users for policy: {policy.Name}"); |
| 461 | + | |
| 462 | + | var users = new List<string>(); |
| 463 | + | policy.AppliesToDN.ForEach(a => |
| 464 | + | { |
| 465 | + | var groupSearch = new DirectorySearcher(directoryObject); |
| 466 | + | groupSearch.Filter = $"(&(objectCategory=user)(memberOf={a}))"; |
| 467 | + | groupSearch.PageSize = 1000; |
| 468 | + | groupSearch.PropertiesToLoad.Add("sAMAccountName"); |
| 469 | + | groupSearch.SearchScope = SearchScope.Subtree; |
| 470 | + | |
| 471 | + | var groupResults = groupSearch.FindAll(); |
| 472 | + | if (groupResults.Count > 0) |
| 473 | + | { |
| 474 | + | for (var i = 0; i < groupResults.Count; i++) |
| 475 | + | { |
| 476 | + | var username = (string)groupResults[i].Properties["sAMAccountname"][0]; |
| 477 | + | users.Add(username.ToLower()); |
| 478 | + | } |
| 479 | + | } |
| 480 | + | else |
| 481 | + | { |
| 482 | + | var userSearch = new DirectorySearcher(directoryObject); |
| 483 | + | userSearch.Filter = $"(&(objectCategory=user)(distinguishedName={a}))"; |
| 484 | + | userSearch.PageSize = 1000; |
| 485 | + | userSearch.PropertiesToLoad.Add("sAMAccountName"); |
| 486 | + | userSearch.SearchScope = SearchScope.Subtree; |
| 487 | + | var userResults = userSearch.FindOne(); |
| 488 | + | |
| 489 | + | if (userResults != null) |
| 490 | + | { |
| 491 | + | var username = (string)userResults.Properties["sAMAccountname"][0]; |
| 492 | + | users.Add(username.ToLower()); |
| 493 | + | } |
| 494 | + | } |
| 495 | + | }); |
| 496 | + | return users; |
| 497 | + | } |
| 498 | + | |
| 499 | + | static public LDAPPasswordPolicy GetDomainPolicy(DirectoryEntry directoryObject) |
| 500 | + | { |
| 501 | + | var searcher = new DirectorySearcher(directoryObject); |
| 502 | + | searcher.SearchScope = SearchScope.Base; |
| 503 | + | searcher.PropertiesToLoad.Add("name"); |
| 504 | + | searcher.PropertiesToLoad.Add("msds-behavior-version"); |
| 505 | + | searcher.PropertiesToLoad.Add("lockoutduration"); |
| 506 | + | searcher.PropertiesToLoad.Add("lockoutthreshold"); |
| 507 | + | searcher.PropertiesToLoad.Add("lockoutobservationwindow"); |
| 508 | + | searcher.PropertiesToLoad.Add("minpwdlength"); |
| 509 | + | searcher.PropertiesToLoad.Add("minpwdage"); |
| 510 | + | searcher.PropertiesToLoad.Add("maxpwdage"); |
| 511 | + | searcher.PropertiesToLoad.Add("pwdhistorylength"); |
| 512 | + | searcher.PropertiesToLoad.Add("adspath"); |
| 513 | + | searcher.PropertiesToLoad.Add("pwdproperties"); |
| 514 | + | |
| 515 | + | var result = searcher.FindOne(); |
| 516 | + | var policy = new LDAPPasswordPolicy(result, false); |
| 517 | + | policy.AppliesToUsers = new List<string>(); |
| 518 | + | |
| 519 | + | return policy; |
| 520 | + | } |
| 521 | + | |
| 522 | + | public static List<LDAPPasswordPolicy> GetFineGrainedPolicies(DirectoryEntry directoryObject) |
| 523 | + | { |
| 524 | + | var policies = new List<LDAPPasswordPolicy>(); |
| 525 | + | var policySearch = new DirectorySearcher(directoryObject); |
| 526 | + | |
| 527 | + | policySearch.Filter = $"(objectclass=msDS-PasswordSettings)"; |
| 528 | + | policySearch.PropertiesToLoad.Add("name"); |
| 529 | + | policySearch.PropertiesToLoad.Add("msds-lockoutthreshold"); |
| 530 | + | policySearch.PropertiesToLoad.Add("msds-psoappliesto"); |
| 531 | + | policySearch.PropertiesToLoad.Add("msds-minimumpasswordlength"); |
| 532 | + | policySearch.PropertiesToLoad.Add("msds-passwordhistorylength"); |
| 533 | + | policySearch.PropertiesToLoad.Add("msds-lockoutobservationwindow"); |
| 534 | + | policySearch.PropertiesToLoad.Add("msds-lockoutduration"); |
| 535 | + | policySearch.PropertiesToLoad.Add("msds-minimumpasswordage"); |
| 536 | + | policySearch.PropertiesToLoad.Add("msds-maximumpasswordage"); |
| 537 | + | policySearch.PropertiesToLoad.Add("msds-passwordsettingsprecedence"); |
| 538 | + | policySearch.PropertiesToLoad.Add("msds-passwordcomplexityenabled"); |
| 539 | + | policySearch.PropertiesToLoad.Add("msds-passwordreversibleencryptionenabled"); |
| 540 | + | |
| 541 | + | var pwdPolicies = policySearch.FindAll(); |
| 542 | + | |
| 543 | + | foreach (SearchResult result in pwdPolicies) |
| 544 | + | { |
| 545 | + | var policy = new LDAPPasswordPolicy(result, true); |
| 546 | + | policy.AppliesToUsers = GetPasswordPolicyUsers(policy, directoryObject); |
| 547 | + | policies.Add(policy); |
| 548 | + | } |
| 549 | + | |
| 550 | + | return policies; |
| 551 | + | } |
| 552 | + | |
| 553 | + | public static string BindPath(string domain, string domainController, string ou = "") |
| 554 | + | { |
| 555 | + | string bindPath = String.Format("LDAP://{0}", domainController); |
| 556 | + | |
| 557 | + | if (!String.IsNullOrEmpty(ou)) |
| 558 | + | { |
| 559 | + | string ouPath = ou.Replace("ldap", "LDAP").Replace("LDAP://", ""); |
| 560 | + | bindPath = String.Format("{0}/{1}", bindPath, ouPath); |
| 561 | + | } |
| 562 | + | else if (!String.IsNullOrEmpty(domain)) |
| 563 | + | { |
| 564 | + | string domainPath = domain.Replace(".", ",DC="); |
| 565 | + | bindPath = String.Format("{0}/DC={1}", bindPath, domainPath); |
| 566 | + | } |
| 567 | + | |
| 568 | + | return bindPath; |
| 569 | + | } |
| 570 | + | |
| 571 | + | public static string FindDomainController(string domain) |
| 572 | + | { |
| 573 | + | var pingSender = new Ping(); |
| 574 | + | var options = new PingOptions(); |
| 575 | + | options.DontFragment = true; |
| 576 | + | |
| 577 | + | byte[] buffer = Encoding.ASCII.GetBytes(new string('A', 32)); |
| 578 | + | var reply = pingSender.Send(domain, 120, buffer, options); |
| 579 | + | if (reply.Status == IPStatus.Success) |
| 580 | + | { |
| 581 | + | try |
| 582 | + | { |
| 583 | + | return Dns.GetHostEntry(reply.Address.ToString()).HostName; |
| 584 | + | } |
| 585 | + | catch |
| 586 | + | { |
| 587 | + | return reply.Address.ToString(); |
| 588 | + | } |
| 589 | + | } |
| 590 | + | else |
| 591 | + | { |
| 592 | + | return string.Empty; |
| 593 | + | } |
| 594 | + | } |
| 595 | + | |
| 596 | + | public static void GetUsers(string domain, string domainController = "", string ou = "") |
| 597 | + | { |
| 598 | + | if (string.IsNullOrEmpty(domainController)) |
| 599 | + | domainController = FindDomainController(domain); |
| 600 | + | string bindPath = BindPath(domain, domainController); |
| 601 | + | //Console.WriteLine(bindPath); |
| 602 | + | |
| 603 | + | DirectoryEntry directoryObject = new DirectoryEntry(bindPath); |
| 604 | + | List<LDAPPasswordPolicy> Policies = new List<LDAPPasswordPolicy>(); |
| 605 | + | List<UserInfo> Users = new List<UserInfo>(); |
| 606 | + | |
| 607 | + | DirectorySearcher userSearcher = new DirectorySearcher(directoryObject); |
| 608 | + | userSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"; |
| 609 | + | userSearcher.PropertiesToLoad.Add("sAMAccountName"); |
| 610 | + | userSearcher.PropertiesToLoad.Add("badPwdCount"); |
| 611 | + | userSearcher.PropertiesToLoad.Add("badPasswordTime"); |
| 612 | + | userSearcher.PropertiesToLoad.Add("lockoutTime"); |
| 613 | + | userSearcher.PropertiesToLoad.Add("lockoutDuration"); |
| 614 | + | userSearcher.PropertiesToLoad.Add("pwdLastSet"); |
| 615 | + | userSearcher.SearchScope = SearchScope.Subtree; |
| 616 | + | |
| 617 | + | try |
| 618 | + | { |
| 619 | + | //pass policy |
| 620 | + | Policies.Add(GetDomainPolicy(directoryObject)); |
| 621 | + | |
| 622 | + | var fineGrainedPolicies = GetFineGrainedPolicies(directoryObject); |
| 623 | + | fineGrainedPolicies.ForEach(x => x.AppliesToUsers = GetPasswordPolicyUsers(x, directoryObject)); |
| 624 | + | Policies.AddRange(fineGrainedPolicies); |
| 625 | + | |
| 626 | + | //users |
| 627 | + | SearchResultCollection users = userSearcher.FindAll(); |
| 628 | + | foreach (SearchResult user_ in users) |
| 629 | + | { |
| 630 | + | LDAPPasswordPolicy policy; |
| 631 | + | var user = new LDAPUserInfo(user_); |
| 632 | + | policy = user.GetUserPolicy(Policies); |
| 633 | + | user = user.ClassifyUser(policy); |
| 634 | + | Users.Add(user); |
| 635 | + | } |
| 636 | + | |
| 637 | + | Console.WriteLine($"[*] {Users.Count} users & {Policies.Count} policies found"); |
| 638 | + | Console.WriteLine("[*] Saving to users.json and policy.json to loot folder"); |
| 639 | + | File.WriteAllText(Path.Combine("loot", "users.json"), new JavaScriptSerializer().Serialize(Users)); |
| 640 | + | File.WriteAllText(Path.Combine("loot", "policy.json"), new JavaScriptSerializer().Serialize(Policies)); |
| 641 | + | } |
| 642 | + | catch (System.Runtime.InteropServices.COMException ex) |
| 643 | + | { |
| 644 | + | switch ((uint)ex.ErrorCode) |
| 645 | + | { |
| 646 | + | case 0x8007052E: |
| 647 | + | throw new Exception("[-] Login error when retrieving usernames from dc \"" + domainController + "\"! Bad creds?"); |
| 648 | + | case 0x8007203A: |
| 649 | + | throw new Exception("[-] Error connecting with the dc \"" + domainController + "\"! Make sure that provided /domain or /dc are valid"); |
| 650 | + | case 0x80072032: |
| 651 | + | throw new Exception("[-] Invalid syntax in DN specification! Make sure that /ou is correct"); |
| 652 | + | case 0x80072030: |
| 653 | + | throw new Exception("[-] There is no such object on the server! Make sure that /ou is correct"); |
| 654 | + | default: |
| 655 | + | throw ex; |
| 656 | + | } |
| 657 | + | } |
| 658 | + | catch (Exception e) |
| 659 | + | { |
| 660 | + | throw e; |
| 661 | + | } |
| 662 | + | } |
| 663 | + | |
| 664 | + | public static void PrintProperties(object myObj, string header = "", int offset = 0) |
| 665 | + | { |
| 666 | + | string trail = String.Concat(Enumerable.Repeat(" ", offset)); |
| 667 | + | |
| 668 | + | if (!string.IsNullOrEmpty(header)) |
| 669 | + | Console.WriteLine(header); |
| 670 | + | |
| 671 | + | foreach (var prop in myObj.GetType().GetProperties()) |
| 672 | + | { |
| 673 | + | try |
| 674 | + | { |
| 675 | + | if (!string.IsNullOrEmpty((string)(prop.GetValue(myObj, null)))) |
| 676 | + | Console.WriteLine(trail + prop.Name + ": " + prop.GetValue(myObj, null)); |
| 677 | + | } |
| 678 | + | catch (Exception e) |
| 679 | + | { |
| 680 | + | Console.WriteLine(trail + prop.Name + ": " + prop.GetValue(myObj, null)); |
| 681 | + | } |
| 682 | + | } |
| 683 | + | |
| 684 | + | foreach (var field in myObj.GetType().GetFields()) |
| 685 | + | { |
| 686 | + | try |
| 687 | + | { |
| 688 | + | if (!string.IsNullOrEmpty((string)field.GetValue(myObj))) |
| 689 | + | Console.WriteLine(trail + field.Name + ": " + field.GetValue(myObj)); |
| 690 | + | } |
| 691 | + | catch (Exception e) |
| 692 | + | { |
| 693 | + | Console.WriteLine(trail + field.Name + ": " + field.GetValue(myObj)); |
| 694 | + | } |
| 695 | + | } |
| 696 | + | } |
| 697 | + | } |
| 698 | + | } |