刚好有这方面需求,然后第一次写c#,代码比较垃圾,文章写的可能有点小乱但是全部代码已经贴出--。轻喷~~~~,成都有1加我好友。

获取基本信息例如:获取域类计算机,用户,组和密码策略

0x01 活动目录信息获取

ldapsearch基本命令:

-x   进行简单认证
-D   用来绑定服务器的DN
-h   目录服务的地址
-w   绑定DN的密码
-f   使用ldif文件进行条目添加的文件
例子 ldapadd -x -D "cn=root,dc=starxing,dc=com" -w secret -f /root/test.ldif
ldapadd -x -D "cn=root,dc=starxing,dc=com" -w secret (这样写就是在命令行添加条目)
ldapsearch
-x   进行简单认证
-D   用来绑定服务器的DN
-w   绑定DN的密码
-b   指定要查询的根节点
-H   制定要查询的服务器

1.1 获取用户

"(&(objectClass=user)(objectCategory=person))"
ldapsearch -x -H ldap://192.168.11.16 -D "CN=hack,CN=Users,DC=redteam,DC=local" -w test123.. -b "DC=redteam,DC=local" "(&(objectClass=user)(objectCategory=person))" | grep name

1.2 获取计算机

"(&(objectCategory=computer)(objectClass=computer))"
ldapsearch -x -H ldap://192.168.11.16 -D "CN=hack,CN=Users,DC=redteam,DC=local" -w test123.. -b "DC=redteam,DC=local" "(&(objectCategory=computer)(objectClass=computer))" | grep cn

1.3 获取所有组

"(&(objectCategory=group))"
ldapsearch -x -H ldap://192.168.11.16 -D "CN=hack,CN=Users,DC=redteam,DC=local" -w test123.. -b "DC=redteam,DC=local" "(&(objectCategory=group))" | grep -E "cn:"

1.4 c#实现以上功能

首先要判断在域外还是在域内

先写一个连接ldap方法:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.DirectoryServices;

namespace LdaopDemo
{
    public class Ldapconn
    {
        public static DirectoryEntry coon = null;
        public static DirectorySearcher search = null;

        public static string url = "";
        public static string user = "";
        public static string pass = "";


        //域内
        public static DirectoryEntry ldap_coon_nopass(DirectoryEntry ldap_coon)
        {
            ldap_coon = new DirectoryEntry();
            return ldap_coon;
        }

        public static DirectorySearcher ldap_search_nopass(DirectorySearcher ldap_search)
        {
            ldap_search = new DirectorySearcher(coon);
            return ldap_search;
        }

        public static DirectoryEntry Get_coon_nopass()
        {
            coon = ldap_coon_nopass(coon);
            return coon;
        }

        public static DirectorySearcher Get_search_nopass()
        {
            search = ldap_search_nopass(search);
            return search;
        }

        //域外
        public static void SET_LDAP_USER_PASS()
        {
            Console.Write("Domain IP:");
            url = Console.ReadLine();
            url = "LDAP://" + url;
            Console.Write("user:");
            user = Console.ReadLine();
            Console.Write("pass:");
            pass = Console.ReadLine();
            //url = "LDAP://192.168.11.16";
            //user = "hack";
            //pass = "test123..";

            String path = "CN=AdminSDHolder,CN=System,DC=redteam,DC=local";


        }

        public static DirectoryEntry ldap_coon(DirectoryEntry ldap_coon)
        {
            ldap_coon = new DirectoryEntry(url, user, pass);
            return ldap_coon;
        }

        public static DirectorySearcher ldap_search(DirectorySearcher ldap_search)
        {
            ldap_search = new DirectorySearcher(coon);
            return ldap_search;
        }

        public static DirectoryEntry Get_coon()
        {
            coon = ldap_coon(coon);
            return coon;
        }
        public static DirectorySearcher Get_search()
        {
            search = ldap_search(search);
            return search;
        }
    }
}

通过判断url是否为空来进行判断是在域外还是在域内

public static DirectoryEntry coon = null;
        public static DirectorySearcher search = null;
        public static void LDAP_COON()
        {
            if (Ldapconn.url == "")
            {
                try
                {
                    coon = Ldapconn.Get_coon_nopass();
                    search = Ldapconn.Get_search_nopass();
                }
                catch
                {
                    Console.Write("coon error");
                }

            }
            else
            {
                try
                {
                    coon = Ldapconn.Get_coon();
                    search = Ldapconn.Get_search();
                }
                catch
                {
                    Console.Write("coon error");
                }

            }
        }

获取域内用户,计算机,组

public void GetComputers()
        {
            LDAP_COON();
            //查询域内机器
            search.Filter = "(&(objectclass=computer))";
            Console.WriteLine("===========All Computers===========");
            foreach (SearchResult r in search.FindAll())
            {
                string computername = "";
                try
                {
                    computername = r.Properties["dnshostname"][0].ToString();
                    Console.WriteLine(computername);
                }
                catch
                {
                    Console.WriteLine("error");
                }
            }
        }

        public void GetAllUsers()
        {
            LDAP_COON();
            //查询域内用户
            search.Filter = "(&(objectClass=user)(objectCategory=person))";
            Console.WriteLine("===========All Users===========");
            foreach (SearchResult r in search.FindAll())
            {
                string users = "";
                try
                {
                    users = r.Properties["name"][0].ToString();
                    Console.WriteLine(users);
                }
                catch
                {
                    Console.WriteLine("error");
                }
            }
        }

        public void GetAllGroups()
        {
            LDAP_COON();
            //获取域内所有组:
            search.Filter = "(&(objectCategory=group))";
            Console.WriteLine("===========All Groups===========");
            foreach (SearchResult r in search.FindAll())
            {
                string groups = "";
                string groupdescription = "";
                try
                {
                    groups = r.Properties["cn"][0].ToString();
                    groupdescription = r.Properties["description"][0].ToString();
                    Console.WriteLine("Group: " + groups);
                    Console.WriteLine("Description: " + groupdescription + "\r\n");
                }
                catch
                {
                    Console.WriteLine("error");
                }
            }

获取密码策略:
lockoutDuration 锁定持续时间
lockoutThreshold 多少次锁定
maxPwdAge 最大修改密码时间
minPwdAge 最小修改密码时间
minPwdLength 最小密码长度

public void GetPassPolicy()
        {
            LDAP_COON();
            Console.WriteLine("===========Pass Policy===========");
            SearchResult r = search.FindOne();
            long maxDays = 0;
            long minDays = 0;
            Int64 maxPwdAge = 0;
            Int64 minPwdAge = 0;
            string minPwdLength = "";
            string lockoutThreshold = "";
            Int64 lockoutDuration = 0;
            long lockTime = 0;
            try
            {
                maxPwdAge = (Int64)r.Properties["maxPwdAge"][0];
                maxDays = maxPwdAge / -864000000000;

                minPwdAge = (Int64)r.Properties["minPwdAge"][0];
                minDays = minPwdAge / -864000000000;

                minPwdLength = r.Properties["minPwdLength"][0].ToString();

                lockoutThreshold = r.Properties["lockoutThreshold"][0].ToString();

                lockoutDuration = (Int64)r.Properties["lockoutDuration"][0];
                lockTime = lockoutDuration / -864000000000; 


                Console.WriteLine("minPwdAge:" + minDays);
                Console.WriteLine("maxPwdAge:" + maxDays);
                Console.WriteLine("minPwdLength:" + minPwdLength);
                Console.WriteLine("lockoutThreshold:" + lockoutThreshold);
                Console.WriteLine("lockoutDuration:" + lockTime);
            }
            catch
            {
                Console.WriteLine("error");
            }
        }


0x02 检测AdminSDHolder

AdminSDHolder是一个特殊的AD容器,具有一些默认安全权限,用作受保护的AD账户和组的模板。
Active Directory将采用AdminSDHolder对象的ACL并定期将其应用于所有受保护的AD账户和组,以防止意外和无意的修改并确保对这些对象的访问是安全的。
如果能够修改AdminSDHolder对象的ACL,那么修改的权限将自动应用于所有受保护的AD账户和组。

受保护的AD账户和组的特征如下:
AdminCount属性为1。
但是,如果对象已移出受保护组,其AdminCount属性仍为1,也就是说,有可能获得曾经是受保护组的帐户和组。

枚举受保护的AD用户:


枚举受保护的AD组:

这里来对hack用户添加

域控执行

PS C:\Users\Administrator\Desktop> Import-Module ActiveDirectoryPS C:\Users\Administrator\Desktop> Add-DomainObjectAcl -TargetIdentity AdminSDHolder -PrincipalIdentity hack -Rights All
Get-DomainObjectAcl adminsdholder | ?{$_.SecurityIdentifier -match "S-1-5-21-151877218-3666268517-4145415712-1123"} | select objectdn,ActiveDirectoryRights |sort -Unique

可以看到hack用户对该组具有完全控制权限

这里再来通过powershell添加一个用户hack2

2.1 c#实现检测功能

我们前面已经把hack用户添加完全控制权限,使用c#输出AdminCount为1的用户是无法输出出来的

LDAP_COON();
            //person
            search.Filter = "(&(objectcategory=person)(admincount=1))";
            Console.WriteLine("===========AdminSDHolder Users===========");
            foreach (SearchResult r in search.FindAll())
            {
                string users = "";
                try
                {
                    users = r.Properties["name"][0].ToString();
                    Console.WriteLine(users);
                }
                catch
                {
                    Console.WriteLine("error");
                }
            }
            //group
            search.Filter = "(&(objectcategory=group)(admincount=1))";
            Console.WriteLine("===========AdminSDHolder Groups===========");
            foreach (SearchResult r in search.FindAll())
            {
                string groups = "";
                try
                {
                    groups = r.Properties["name"][0].ToString();
                    Console.WriteLine(groups);
                }
                catch
                {
                    Console.WriteLine("error");
                }
            }

可以看到并不存在hack用户而且输出出来的也不一定对AdminSDHoler组有完全控制权限,所以直接通过查询ace来进行判断

直接通过绑定path为:LDAP://CN=AdminSDHolder,CN=System,DC=your domain,DC=local来查询

每个域的domain name不一样所以先查询domain name

public static String GetDomainDNS()
        {
            LDAP_COON();
            search.Filter = "(&(objectClass=domainDNS))";
            foreach (SearchResult r in search.FindAll())
            {
                string domainDNS_Name = "";
                try
                {
                    domainDNS_Name = r.Properties["distinguishedName"][0].ToString();
                    Domain_DNS_Name = domainDNS_Name;
                }
                catch
                {
                    Console.WriteLine("error");
                    Domain_DNS_Name = "error";
                }
            }
            return Domain_DNS_Name;
        }

但是如果在域内这里代码拼接就会出现问题所以还要查询dns_first_name也就比如说redteam.local中的redteam

public static String Get_Dns_First_Name()
        {
            LDAP_COON();
            search.Filter = "(&(objectClass=domainDNS))";
            foreach (SearchResult r in search.FindAll())
            {
                string domainDC_Name = "";
                try
                {
                    domainDC_Name = r.Properties["dc"][0].ToString();
                    Dns_First_Name = domainDC_Name;
                }
                catch
                {
                    Console.WriteLine("error");
                    Dns_First_Name = "error";
                }
            }
            return Dns_First_Name;
        }

sid转换为name

public string SidToUserName(string sid)
        {
            LDAP_COON();
            if(Ldapconn.url == "")
            {
                string url = "LDAP://<SID=" + sid + ">";
                DirectoryEntry coon = new DirectoryEntry(url);
                DirectorySearcher search = new DirectorySearcher(coon);
                search.Filter = "(&(objectClass=user)(objectCategory=person))";
                foreach (SearchResult r in search.FindAll())
                {
                    string users = "";
                    try
                    {
                        users = r.Properties["name"][0].ToString();
                        return users;
                    }
                    catch
                    {
                        Console.WriteLine("error");
                    }
                }
            }
            else
            {
                string url = Ldapconn.url+"/<SID=" + sid + ">";
                string username = "hack";
                string password = "test123..";
                //Console.WriteLine(url);
                DirectoryEntry coon = new DirectoryEntry(url, username, password);
                DirectorySearcher search = new DirectorySearcher(coon);
                search.Filter = "(&(objectClass=user)(objectCategory=person))";
                foreach (SearchResult r in search.FindAll())
                {
                    string users = "";
                    try
                    {
                        users = r.Properties["name"][0].ToString();
                        return users;
                    }
                    catch
                    {
                        Console.WriteLine("error");
                    }
                }
            }
            return "error";
        }

然后查询具有GenericAll权限的用户

Console.WriteLine("===========AdminSDHolder ACL===========");
            string dns_name = basicInfo.GetDomainDNS();//DC=redteam,DC=local
            String AdminSDHolder_path = "/CN=AdminSDHolder,CN=System," + dns_name;
            String AdminSDHoler_Acl = "";
            if (Ldapconn.url == "")
            {
                string dc_name = Get_Dns_First_Name();
                AdminSDHolder_path = "LDAP://" + dc_name + ":389" + AdminSDHolder_path;    //LDAP://redteam:389/CN=AdminSDHolder,CN=System,DC=redteam,DC=local
            }
            else
            {
                AdminSDHolder_path = Ldapconn.url + AdminSDHolder_path;
            }
            // //Ldapconn.url == "LDAP://name:389"
            //Console.WriteLine(AdminSDHolder_path);
            coon.Path = AdminSDHolder_path;
            ActiveDirectorySecurity sec = coon.ObjectSecurity;
            AuthorizationRuleCollection rules = null;
            rules = sec.GetAccessRules(true, true, typeof(NTAccount));

           Console.WriteLine("===========GenericAll===========");
            foreach (ActiveDirectoryAccessRule rule in rules)
            {
                if (rule.ActiveDirectoryRights.ToString().Equals("GenericAll"))
                {
                    string acl = rule.IdentityReference.Value;
                    if (acl.Contains("-"))
                    {
                        //Console.WriteLine(acl);
                        string user_name = SidToUserName(acl);
                        Console.WriteLine(user_name);
                    }
                    else
                    {
                        Console.WriteLine(acl);
                    }
                }
            }

2.2 Program.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using NDesk.Options;
using LdaopDemo.BasicInfo;
using LdaopDemo.backdoor;

namespace LdaopDemo
{

    class Program
    {
        public static String dns_name = "";
        public static void ShowHelp(OptionSet p)
        {
            Console.WriteLine("Usage:");
            p.WriteOptionDescriptions(Console.Out);
        }
        static void Main(string[] args)
        {
            var _GetComputers = false;
            var _GetUsers = false;
            var _GetGroups = false;
            var _pass = false;
            var show_help = false;
            var _policy = false;
            var _AdminSDHolder = false;

            OptionSet options = new OptionSet()
            {
                {"GetComputers","get all computers\n",v=>_GetComputers= v != null },
                {"GetUsers","get all users\n",v=>_GetUsers =v!= null},
                {"GetGroups","get all groups\n",v=>_GetGroups =v!= null},
                {"pass","out domain\n", v => _pass = v != null},
                {"GetPassPolicy","get pass policy\n",v => _policy = v != null},
                {"AdminSDHolder","AdminSDHolder\n",v => _AdminSDHolder = v != null},
                {"h|help","Show Help\n", v => show_help = v != null}
            };

            try
            {
                options.Parse(args);
                if (show_help)
                {
                    ShowHelp(options);
                    return;
                }
                basicInfo getinfo = new basicInfo();
                AdminSDHolder _adminsdholder = new AdminSDHolder();
                if (_GetComputers)
                {
                    if (!_pass)
                    {

                        getinfo.GetComputers();
                    }else if (_pass)
                    {
                        Ldapconn.SET_LDAP_USER_PASS();
                        dns_name = basicInfo.GetDomainDNS();
                        Console.WriteLine("===========Domain DNS===========");
                        Console.WriteLine(dns_name);
                        getinfo.GetComputers();
                    }
                }

                if (_GetUsers)
                {
                    if (!_pass)
                    {
                        getinfo.GetAllUsers();
                    }
                    else if (_pass)
                    {
                        Ldapconn.SET_LDAP_USER_PASS();
                        dns_name = basicInfo.GetDomainDNS();
                        Console.WriteLine("===========Domain DNS===========");
                        Console.WriteLine(dns_name);
                        getinfo.GetAllUsers();
                    }
                }

                if (_GetGroups)
                {
                    if (!_pass)
                    {
                        getinfo.GetAllGroups();
                    }
                    else if (_pass)
                    {
                        Ldapconn.SET_LDAP_USER_PASS();
                        dns_name = basicInfo.GetDomainDNS();
                        Console.WriteLine("===========Domain DNS===========");
                        Console.WriteLine(dns_name);
                        getinfo.GetAllGroups();
                    }
                }

                if (_policy)
                {
                    if (!_pass)
                    {
                        getinfo.GetPassPolicy();
                    }else if (_pass)
                    {
                        Ldapconn.SET_LDAP_USER_PASS();
                        dns_name = basicInfo.GetDomainDNS();
                        Console.WriteLine("===========Domain DNS===========");
                        Console.WriteLine(dns_name);
                        getinfo.GetPassPolicy();
                    }
                }

                if (_AdminSDHolder)
                {
                    if (!_pass)
                    {
                        _adminsdholder.EnumUsersAndGroups_AdminSDHolder();
                    }
                    else if (_pass)
                    {
                        Ldapconn.SET_LDAP_USER_PASS();
                        dns_name = basicInfo.GetDomainDNS();
                        Console.WriteLine("===========Domain DNS===========");
                        Console.WriteLine(dns_name);
                        _adminsdholder.EnumUsersAndGroups_AdminSDHolder();
                    }
                }
            }
            catch
            {
                Console.WriteLine("error!");
            }
        }
    }
}

2.3 Ldapcoon.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.DirectoryServices;

namespace LdaopDemo
{
    public class Ldapconn
    {
        public static DirectoryEntry coon = null;
        public static DirectorySearcher search = null;

        public static string url = "";
        public static string user = "";
        public static string pass = "";


        //域内
        public static DirectoryEntry ldap_coon_nopass(DirectoryEntry ldap_coon)
        {
            ldap_coon = new DirectoryEntry();
            return ldap_coon;
        }

        public static DirectorySearcher ldap_search_nopass(DirectorySearcher ldap_search)
        {
            ldap_search = new DirectorySearcher(coon);
            return ldap_search;
        }

        public static DirectoryEntry Get_coon_nopass()
        {
            coon = ldap_coon_nopass(coon);
            return coon;
        }

        public static DirectorySearcher Get_search_nopass()
        {
            search = ldap_search_nopass(search);
            return search;
        }

        //域外
        public static void SET_LDAP_USER_PASS()
        {
            Console.Write("Domain IP:");
            url = Console.ReadLine();
            url = "LDAP://" + url;
            Console.Write("user:");
            user = Console.ReadLine();
            Console.Write("pass:");
            pass = Console.ReadLine();
            //url = "LDAP://192.168.11.16";
            //user = "hack";
            //pass = "test123..";

            String path = "CN=AdminSDHolder,CN=System,DC=redteam,DC=local";


        }

        public static DirectoryEntry ldap_coon(DirectoryEntry ldap_coon)
        {
            ldap_coon = new DirectoryEntry(url, user, pass);
            return ldap_coon;
        }

        public static DirectorySearcher ldap_search(DirectorySearcher ldap_search)
        {
            ldap_search = new DirectorySearcher(coon);
            return ldap_search;
        }

        public static DirectoryEntry Get_coon()
        {
            coon = ldap_coon(coon);
            return coon;
        }
        public static DirectorySearcher Get_search()
        {
            search = ldap_search(search);
            return search;
        }
    }
}

2.4 basicInfo.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.DirectoryServices;

namespace LdaopDemo.BasicInfo
{
    class basicInfo
    {
        public static DirectoryEntry coon = null;
        public static DirectorySearcher search = null;
        public static String Domain_DNS_Name = "";
        public static void LDAP_COON()
        {
            if (Ldapconn.url == "")
            {
                try
                {
                    coon = Ldapconn.Get_coon_nopass();
                    search = Ldapconn.Get_search_nopass();
                }
                catch
                {
                    Console.Write("coon error");
                }

            }
            else
            {
                try
                {
                    coon = Ldapconn.Get_coon();
                    search = Ldapconn.Get_search();
                }
                catch
                {
                    Console.Write("coon error");
                }

            }
        }

        public static String GetDomainDNS()
        {
            LDAP_COON();
            search.Filter = "(&(objectClass=domainDNS))";
            foreach (SearchResult r in search.FindAll())
            {
                string domainDNS_Name = "";
                try
                {
                    domainDNS_Name = r.Properties["distinguishedName"][0].ToString();
                    Domain_DNS_Name = domainDNS_Name;
                }
                catch
                {
                    Console.WriteLine("error");
                    Domain_DNS_Name = "error";
                }
            }
            return Domain_DNS_Name;
        }

        public void GetComputers()
        {
            LDAP_COON();
            //查询域内机器
            search.Filter = "(&(objectclass=computer))";
            Console.WriteLine("===========All Computers===========");
            foreach (SearchResult r in search.FindAll())
            {
                string computername = "";
                try
                {
                    computername = r.Properties["dnshostname"][0].ToString();
                    Console.WriteLine(computername);
                }
                catch
                {
                    Console.WriteLine("error");
                }
            }
        }

        public void GetAllUsers()
        {
            LDAP_COON();
            //查询域内用户
            search.Filter = "(&(objectClass=user)(objectCategory=person))";
            Console.WriteLine("===========All Users===========");
            foreach (SearchResult r in search.FindAll())
            {
                string users = "";
                try
                {
                    users = r.Properties["name"][0].ToString();
                    Console.WriteLine(users);
                }
                catch
                {
                    Console.WriteLine("error");
                }
            }
        }

        public void GetAllGroups()
        {
            LDAP_COON();
            //获取域内所有组:
            search.Filter = "(&(objectCategory=group))";
            Console.WriteLine("===========All Groups===========");
            foreach (SearchResult r in search.FindAll())
            {
                string groups = "";
                string groupdescription = "";
                try
                {
                    groups = r.Properties["cn"][0].ToString();
                    groupdescription = r.Properties["description"][0].ToString();
                    Console.WriteLine("Group: " + groups);
                    Console.WriteLine("Description: " + groupdescription + "\r\n");
                }
                catch
                {
                    Console.WriteLine("error");
                }
            }

            //密码策略
            /*
            lockoutDuration  锁定持续时间
            lockoutThreshold 多少次锁定
            maxPwdAge        最大修改密码时间
            minPwdAge        最小修改密码时间
            minPwdLength     最小密码长度
             */
        }
        public void GetPassPolicy()
        {
            LDAP_COON();
            Console.WriteLine("===========Pass Policy===========");
            SearchResult r = search.FindOne();
            long maxDays = 0;
            long minDays = 0;
            Int64 maxPwdAge = 0;
            Int64 minPwdAge = 0;
            string minPwdLength = "";
            string lockoutThreshold = "";
            Int64 lockoutDuration = 0;
            long lockTime = 0;
            try
            {
                maxPwdAge = (Int64)r.Properties["maxPwdAge"][0];
                maxDays = maxPwdAge / -864000000000;

                minPwdAge = (Int64)r.Properties["minPwdAge"][0];
                minDays = minPwdAge / -864000000000;

                minPwdLength = r.Properties["minPwdLength"][0].ToString();

                lockoutThreshold = r.Properties["lockoutThreshold"][0].ToString();

                lockoutDuration = (Int64)r.Properties["lockoutDuration"][0];
                lockTime = lockoutDuration / -864000000000; 


                Console.WriteLine("minPwdAge:" + minDays);
                Console.WriteLine("maxPwdAge:" + maxDays);
                Console.WriteLine("minPwdLength:" + minPwdLength);
                Console.WriteLine("lockoutThreshold:" + lockoutThreshold);
                Console.WriteLine("lockoutDuration:" + lockTime);
            }
            catch
            {
                Console.WriteLine("error");
            }
        }
    }
}

2.5 AdminSDHolder.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;
using LdaopDemo.BasicInfo;
using System.Text.RegularExpressions;

namespace LdaopDemo.backdoor
{
    class AdminSDHolder
    {
        public static DirectoryEntry coon = null;
        public static DirectorySearcher search = null;
        public static string Dns_First_Name = "";
        public static void LDAP_COON()
        {
            if (Ldapconn.url == "")
            {
                try
                {
                    coon = Ldapconn.Get_coon_nopass();
                    search = Ldapconn.Get_search_nopass();
                }
                catch
                {
                    Console.Write("coon error");
                }

            }
            else
            {
                try
                {
                    coon = Ldapconn.Get_coon();
                    search = Ldapconn.Get_search();
                }
                catch
                {
                    Console.Write("coon error");
                }

            }
        }

        public static String Get_Dns_First_Name()
        {
            LDAP_COON();
            search.Filter = "(&(objectClass=domainDNS))";
            foreach (SearchResult r in search.FindAll())
            {
                string domainDC_Name = "";
                try
                {
                    domainDC_Name = r.Properties["dc"][0].ToString();
                    Dns_First_Name = domainDC_Name;
                }
                catch
                {
                    Console.WriteLine("error");
                    Dns_First_Name = "error";
                }
            }
            return Dns_First_Name;
        }
        //sid to username
        public string SidToUserName(string sid)
        {
            LDAP_COON();
            if(Ldapconn.url == "")
            {
                string url = "LDAP://<SID=" + sid + ">";
                DirectoryEntry coon = new DirectoryEntry(url);
                DirectorySearcher search = new DirectorySearcher(coon);
                search.Filter = "(&(objectClass=user)(objectCategory=person))";
                foreach (SearchResult r in search.FindAll())
                {
                    string users = "";
                    try
                    {
                        users = r.Properties["name"][0].ToString();
                        return users;
                    }
                    catch
                    {
                        Console.WriteLine("error");
                    }
                }
            }
            else
            {
                string url = Ldapconn.url+"/<SID=" + sid + ">";
                string username = "hack";
                string password = "test123..";
                //Console.WriteLine(url);
                DirectoryEntry coon = new DirectoryEntry(url, username, password);
                DirectorySearcher search = new DirectorySearcher(coon);
                search.Filter = "(&(objectClass=user)(objectCategory=person))";
                foreach (SearchResult r in search.FindAll())
                {
                    string users = "";
                    try
                    {
                        users = r.Properties["name"][0].ToString();
                        return users;
                    }
                    catch
                    {
                        Console.WriteLine("error");
                    }
                }
            }
            return "error";
        }
        public void EnumUsersAndGroups_AdminSDHolder()
        {
            LDAP_COON();
            //person
            search.Filter = "(&(objectcategory=person)(admincount=1))";
            Console.WriteLine("===========AdminSDHolder Users===========");
            foreach (SearchResult r in search.FindAll())
            {
                string users = "";
                try
                {
                    users = r.Properties["name"][0].ToString();
                    Console.WriteLine(users);
                }
                catch
                {
                    Console.WriteLine("error");
                }
            }
            //group
            search.Filter = "(&(objectcategory=group)(admincount=1))";
            Console.WriteLine("===========AdminSDHolder Groups===========");
            foreach (SearchResult r in search.FindAll())
            {
                string groups = "";
                try
                {
                    groups = r.Properties["name"][0].ToString();
                    Console.WriteLine(groups);
                }
                catch
                {
                    Console.WriteLine("error");
                }
            }
            //acl
            Console.WriteLine("===========AdminSDHolder ACL===========");
            string dns_name = basicInfo.GetDomainDNS();//DC=redteam,DC=local
            String AdminSDHolder_path = "/CN=AdminSDHolder,CN=System," + dns_name;
            String AdminSDHoler_Acl = "";
            if (Ldapconn.url == "")
            {
                string dc_name = Get_Dns_First_Name();
                AdminSDHolder_path = "LDAP://" + dc_name + ":389" + AdminSDHolder_path;    //LDAP://redteam:389/CN=AdminSDHolder,CN=System,DC=redteam,DC=local
            }
            else
            {
                AdminSDHolder_path = Ldapconn.url + AdminSDHolder_path;
            }
            // //Ldapconn.url == "LDAP://name:389"
            //Console.WriteLine(AdminSDHolder_path);
            coon.Path = AdminSDHolder_path;
            ActiveDirectorySecurity sec = coon.ObjectSecurity;
            AuthorizationRuleCollection rules = null;
            rules = sec.GetAccessRules(true, true, typeof(NTAccount));

           Console.WriteLine("===========GenericAll===========");
            foreach (ActiveDirectoryAccessRule rule in rules)
            {
                if (rule.ActiveDirectoryRights.ToString().Equals("GenericAll"))
                {
                    string acl = rule.IdentityReference.Value;
                    if (acl.Contains("-"))
                    {
                        //Console.WriteLine(acl);
                        string user_name = SidToUserName(acl);
                        Console.WriteLine(user_name);
                    }
                    else
                    {
                        Console.WriteLine(acl);
                    }
                }
            }
        }
    }
}
点击收藏 | 0 关注 | 1
登录 后跟帖