有点bug,顺便新增了点功能,下版一起发下,代码太垃圾了--,成都有1加我
刚好有这方面需求,然后第一次写c#,代码比较垃圾,文章写的可能有点小乱但是全部代码已经贴出--。轻喷~~~~,成都有1加我好友。
获取基本信息例如:获取域类计算机,用户,组和密码策略
0x01 活动目录信息获取
ldapsearch基本命令:
-x 进行简单认证
-D 用来绑定服务器的DN
-h 目录服务的地址
-w 绑定DN的密码
-f 使用ldif文件进行条目添加的文件
例子 ldapadd -x -D "cn=root,dc=starxing,dc=com" -w secret -f /root/test.ldif
ldapadd -x -D "cn=root,dc=starxing,dc=com" -w secret (这样写就是在命令行添加条目)
ldapsearch
-x 进行简单认证
-D 用来绑定服务器的DN
-w 绑定DN的密码
-b 指定要查询的根节点
-H 制定要查询的服务器1.1 获取用户
"(&(objectClass=user)(objectCategory=person))"
ldapsearch -x -H ldap://192.168.11.16 -D "CN=hack,CN=Users,DC=redteam,DC=local" -w test123.. -b "DC=redteam,DC=local" "(&(objectClass=user)(objectCategory=person))" | grep name
1.2 获取计算机
"(&(objectCategory=computer)(objectClass=computer))"
ldapsearch -x -H ldap://192.168.11.16 -D "CN=hack,CN=Users,DC=redteam,DC=local" -w test123.. -b "DC=redteam,DC=local" "(&(objectCategory=computer)(objectClass=computer))" | grep cn
1.3 获取所有组
"(&(objectCategory=group))"
ldapsearch -x -H ldap://192.168.11.16 -D "CN=hack,CN=Users,DC=redteam,DC=local" -w test123.. -b "DC=redteam,DC=local" "(&(objectCategory=group))" | grep -E "cn:"
1.4 c#实现以上功能
首先要判断在域外还是在域内
先写一个连接ldap方法:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.DirectoryServices;
namespace LdaopDemo
{
public class Ldapconn
{
public static DirectoryEntry coon = null;
public static DirectorySearcher search = null;
public static string url = "";
public static string user = "";
public static string pass = "";
//域内
public static DirectoryEntry ldap_coon_nopass(DirectoryEntry ldap_coon)
{
ldap_coon = new DirectoryEntry();
return ldap_coon;
}
public static DirectorySearcher ldap_search_nopass(DirectorySearcher ldap_search)
{
ldap_search = new DirectorySearcher(coon);
return ldap_search;
}
public static DirectoryEntry Get_coon_nopass()
{
coon = ldap_coon_nopass(coon);
return coon;
}
public static DirectorySearcher Get_search_nopass()
{
search = ldap_search_nopass(search);
return search;
}
//域外
public static void SET_LDAP_USER_PASS()
{
Console.Write("Domain IP:");
url = Console.ReadLine();
url = "LDAP://" + url;
Console.Write("user:");
user = Console.ReadLine();
Console.Write("pass:");
pass = Console.ReadLine();
//url = "LDAP://192.168.11.16";
//user = "hack";
//pass = "test123..";
String path = "CN=AdminSDHolder,CN=System,DC=redteam,DC=local";
}
public static DirectoryEntry ldap_coon(DirectoryEntry ldap_coon)
{
ldap_coon = new DirectoryEntry(url, user, pass);
return ldap_coon;
}
public static DirectorySearcher ldap_search(DirectorySearcher ldap_search)
{
ldap_search = new DirectorySearcher(coon);
return ldap_search;
}
public static DirectoryEntry Get_coon()
{
coon = ldap_coon(coon);
return coon;
}
public static DirectorySearcher Get_search()
{
search = ldap_search(search);
return search;
}
}
}通过判断url是否为空来进行判断是在域外还是在域内
public static DirectoryEntry coon = null;
public static DirectorySearcher search = null;
public static void LDAP_COON()
{
if (Ldapconn.url == "")
{
try
{
coon = Ldapconn.Get_coon_nopass();
search = Ldapconn.Get_search_nopass();
}
catch
{
Console.Write("coon error");
}
}
else
{
try
{
coon = Ldapconn.Get_coon();
search = Ldapconn.Get_search();
}
catch
{
Console.Write("coon error");
}
}
}获取域内用户,计算机,组
public void GetComputers()
{
LDAP_COON();
//查询域内机器
search.Filter = "(&(objectclass=computer))";
Console.WriteLine("===========All Computers===========");
foreach (SearchResult r in search.FindAll())
{
string computername = "";
try
{
computername = r.Properties["dnshostname"][0].ToString();
Console.WriteLine(computername);
}
catch
{
Console.WriteLine("error");
}
}
}
public void GetAllUsers()
{
LDAP_COON();
//查询域内用户
search.Filter = "(&(objectClass=user)(objectCategory=person))";
Console.WriteLine("===========All Users===========");
foreach (SearchResult r in search.FindAll())
{
string users = "";
try
{
users = r.Properties["name"][0].ToString();
Console.WriteLine(users);
}
catch
{
Console.WriteLine("error");
}
}
}
public void GetAllGroups()
{
LDAP_COON();
//获取域内所有组:
search.Filter = "(&(objectCategory=group))";
Console.WriteLine("===========All Groups===========");
foreach (SearchResult r in search.FindAll())
{
string groups = "";
string groupdescription = "";
try
{
groups = r.Properties["cn"][0].ToString();
groupdescription = r.Properties["description"][0].ToString();
Console.WriteLine("Group: " + groups);
Console.WriteLine("Description: " + groupdescription + "\r\n");
}
catch
{
Console.WriteLine("error");
}
}
获取密码策略:
lockoutDuration 锁定持续时间
lockoutThreshold 多少次锁定
maxPwdAge 最大修改密码时间
minPwdAge 最小修改密码时间
minPwdLength 最小密码长度
public void GetPassPolicy()
{
LDAP_COON();
Console.WriteLine("===========Pass Policy===========");
SearchResult r = search.FindOne();
long maxDays = 0;
long minDays = 0;
Int64 maxPwdAge = 0;
Int64 minPwdAge = 0;
string minPwdLength = "";
string lockoutThreshold = "";
Int64 lockoutDuration = 0;
long lockTime = 0;
try
{
maxPwdAge = (Int64)r.Properties["maxPwdAge"][0];
maxDays = maxPwdAge / -864000000000;
minPwdAge = (Int64)r.Properties["minPwdAge"][0];
minDays = minPwdAge / -864000000000;
minPwdLength = r.Properties["minPwdLength"][0].ToString();
lockoutThreshold = r.Properties["lockoutThreshold"][0].ToString();
lockoutDuration = (Int64)r.Properties["lockoutDuration"][0];
lockTime = lockoutDuration / -864000000000;
Console.WriteLine("minPwdAge:" + minDays);
Console.WriteLine("maxPwdAge:" + maxDays);
Console.WriteLine("minPwdLength:" + minPwdLength);
Console.WriteLine("lockoutThreshold:" + lockoutThreshold);
Console.WriteLine("lockoutDuration:" + lockTime);
}
catch
{
Console.WriteLine("error");
}
}
0x02 检测AdminSDHolder
AdminSDHolder是一个特殊的AD容器,具有一些默认安全权限,用作受保护的AD账户和组的模板。
Active Directory将采用AdminSDHolder对象的ACL并定期将其应用于所有受保护的AD账户和组,以防止意外和无意的修改并确保对这些对象的访问是安全的。
如果能够修改AdminSDHolder对象的ACL,那么修改的权限将自动应用于所有受保护的AD账户和组。
受保护的AD账户和组的特征如下:
AdminCount属性为1。
但是,如果对象已移出受保护组,其AdminCount属性仍为1,也就是说,有可能获得曾经是受保护组的帐户和组。
枚举受保护的AD用户:
枚举受保护的AD组:
这里来对hack用户添加
域控执行
PS C:\Users\Administrator\Desktop> Import-Module ActiveDirectoryPS C:\Users\Administrator\Desktop> Add-DomainObjectAcl -TargetIdentity AdminSDHolder -PrincipalIdentity hack -Rights AllGet-DomainObjectAcl adminsdholder | ?{$_.SecurityIdentifier -match "S-1-5-21-151877218-3666268517-4145415712-1123"} | select objectdn,ActiveDirectoryRights |sort -Unique可以看到hack用户对该组具有完全控制权限
这里再来通过powershell添加一个用户hack2
2.1 c#实现检测功能
我们前面已经把hack用户添加完全控制权限,使用c#输出AdminCount为1的用户是无法输出出来的
LDAP_COON();
//person
search.Filter = "(&(objectcategory=person)(admincount=1))";
Console.WriteLine("===========AdminSDHolder Users===========");
foreach (SearchResult r in search.FindAll())
{
string users = "";
try
{
users = r.Properties["name"][0].ToString();
Console.WriteLine(users);
}
catch
{
Console.WriteLine("error");
}
}
//group
search.Filter = "(&(objectcategory=group)(admincount=1))";
Console.WriteLine("===========AdminSDHolder Groups===========");
foreach (SearchResult r in search.FindAll())
{
string groups = "";
try
{
groups = r.Properties["name"][0].ToString();
Console.WriteLine(groups);
}
catch
{
Console.WriteLine("error");
}
}
可以看到并不存在hack用户而且输出出来的也不一定对AdminSDHoler组有完全控制权限,所以直接通过查询ace来进行判断
直接通过绑定path为:LDAP://CN=AdminSDHolder,CN=System,DC=your domain,DC=local来查询
每个域的domain name不一样所以先查询domain name
public static String GetDomainDNS()
{
LDAP_COON();
search.Filter = "(&(objectClass=domainDNS))";
foreach (SearchResult r in search.FindAll())
{
string domainDNS_Name = "";
try
{
domainDNS_Name = r.Properties["distinguishedName"][0].ToString();
Domain_DNS_Name = domainDNS_Name;
}
catch
{
Console.WriteLine("error");
Domain_DNS_Name = "error";
}
}
return Domain_DNS_Name;
}但是如果在域内这里代码拼接就会出现问题所以还要查询dns_first_name也就比如说redteam.local中的redteam
public static String Get_Dns_First_Name()
{
LDAP_COON();
search.Filter = "(&(objectClass=domainDNS))";
foreach (SearchResult r in search.FindAll())
{
string domainDC_Name = "";
try
{
domainDC_Name = r.Properties["dc"][0].ToString();
Dns_First_Name = domainDC_Name;
}
catch
{
Console.WriteLine("error");
Dns_First_Name = "error";
}
}
return Dns_First_Name;
}sid转换为name
public string SidToUserName(string sid)
{
LDAP_COON();
if(Ldapconn.url == "")
{
string url = "LDAP://<SID=" + sid + ">";
DirectoryEntry coon = new DirectoryEntry(url);
DirectorySearcher search = new DirectorySearcher(coon);
search.Filter = "(&(objectClass=user)(objectCategory=person))";
foreach (SearchResult r in search.FindAll())
{
string users = "";
try
{
users = r.Properties["name"][0].ToString();
return users;
}
catch
{
Console.WriteLine("error");
}
}
}
else
{
string url = Ldapconn.url+"/<SID=" + sid + ">";
string username = "hack";
string password = "test123..";
//Console.WriteLine(url);
DirectoryEntry coon = new DirectoryEntry(url, username, password);
DirectorySearcher search = new DirectorySearcher(coon);
search.Filter = "(&(objectClass=user)(objectCategory=person))";
foreach (SearchResult r in search.FindAll())
{
string users = "";
try
{
users = r.Properties["name"][0].ToString();
return users;
}
catch
{
Console.WriteLine("error");
}
}
}
return "error";
}然后查询具有GenericAll权限的用户
Console.WriteLine("===========AdminSDHolder ACL===========");
string dns_name = basicInfo.GetDomainDNS();//DC=redteam,DC=local
String AdminSDHolder_path = "/CN=AdminSDHolder,CN=System," + dns_name;
String AdminSDHoler_Acl = "";
if (Ldapconn.url == "")
{
string dc_name = Get_Dns_First_Name();
AdminSDHolder_path = "LDAP://" + dc_name + ":389" + AdminSDHolder_path; //LDAP://redteam:389/CN=AdminSDHolder,CN=System,DC=redteam,DC=local
}
else
{
AdminSDHolder_path = Ldapconn.url + AdminSDHolder_path;
}
// //Ldapconn.url == "LDAP://name:389"
//Console.WriteLine(AdminSDHolder_path);
coon.Path = AdminSDHolder_path;
ActiveDirectorySecurity sec = coon.ObjectSecurity;
AuthorizationRuleCollection rules = null;
rules = sec.GetAccessRules(true, true, typeof(NTAccount));
Console.WriteLine("===========GenericAll===========");
foreach (ActiveDirectoryAccessRule rule in rules)
{
if (rule.ActiveDirectoryRights.ToString().Equals("GenericAll"))
{
string acl = rule.IdentityReference.Value;
if (acl.Contains("-"))
{
//Console.WriteLine(acl);
string user_name = SidToUserName(acl);
Console.WriteLine(user_name);
}
else
{
Console.WriteLine(acl);
}
}
}
2.2 Program.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using NDesk.Options;
using LdaopDemo.BasicInfo;
using LdaopDemo.backdoor;
namespace LdaopDemo
{
class Program
{
public static String dns_name = "";
public static void ShowHelp(OptionSet p)
{
Console.WriteLine("Usage:");
p.WriteOptionDescriptions(Console.Out);
}
static void Main(string[] args)
{
var _GetComputers = false;
var _GetUsers = false;
var _GetGroups = false;
var _pass = false;
var show_help = false;
var _policy = false;
var _AdminSDHolder = false;
OptionSet options = new OptionSet()
{
{"GetComputers","get all computers\n",v=>_GetComputers= v != null },
{"GetUsers","get all users\n",v=>_GetUsers =v!= null},
{"GetGroups","get all groups\n",v=>_GetGroups =v!= null},
{"pass","out domain\n", v => _pass = v != null},
{"GetPassPolicy","get pass policy\n",v => _policy = v != null},
{"AdminSDHolder","AdminSDHolder\n",v => _AdminSDHolder = v != null},
{"h|help","Show Help\n", v => show_help = v != null}
};
try
{
options.Parse(args);
if (show_help)
{
ShowHelp(options);
return;
}
basicInfo getinfo = new basicInfo();
AdminSDHolder _adminsdholder = new AdminSDHolder();
if (_GetComputers)
{
if (!_pass)
{
getinfo.GetComputers();
}else if (_pass)
{
Ldapconn.SET_LDAP_USER_PASS();
dns_name = basicInfo.GetDomainDNS();
Console.WriteLine("===========Domain DNS===========");
Console.WriteLine(dns_name);
getinfo.GetComputers();
}
}
if (_GetUsers)
{
if (!_pass)
{
getinfo.GetAllUsers();
}
else if (_pass)
{
Ldapconn.SET_LDAP_USER_PASS();
dns_name = basicInfo.GetDomainDNS();
Console.WriteLine("===========Domain DNS===========");
Console.WriteLine(dns_name);
getinfo.GetAllUsers();
}
}
if (_GetGroups)
{
if (!_pass)
{
getinfo.GetAllGroups();
}
else if (_pass)
{
Ldapconn.SET_LDAP_USER_PASS();
dns_name = basicInfo.GetDomainDNS();
Console.WriteLine("===========Domain DNS===========");
Console.WriteLine(dns_name);
getinfo.GetAllGroups();
}
}
if (_policy)
{
if (!_pass)
{
getinfo.GetPassPolicy();
}else if (_pass)
{
Ldapconn.SET_LDAP_USER_PASS();
dns_name = basicInfo.GetDomainDNS();
Console.WriteLine("===========Domain DNS===========");
Console.WriteLine(dns_name);
getinfo.GetPassPolicy();
}
}
if (_AdminSDHolder)
{
if (!_pass)
{
_adminsdholder.EnumUsersAndGroups_AdminSDHolder();
}
else if (_pass)
{
Ldapconn.SET_LDAP_USER_PASS();
dns_name = basicInfo.GetDomainDNS();
Console.WriteLine("===========Domain DNS===========");
Console.WriteLine(dns_name);
_adminsdholder.EnumUsersAndGroups_AdminSDHolder();
}
}
}
catch
{
Console.WriteLine("error!");
}
}
}
}2.3 Ldapcoon.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.DirectoryServices;
namespace LdaopDemo
{
public class Ldapconn
{
public static DirectoryEntry coon = null;
public static DirectorySearcher search = null;
public static string url = "";
public static string user = "";
public static string pass = "";
//域内
public static DirectoryEntry ldap_coon_nopass(DirectoryEntry ldap_coon)
{
ldap_coon = new DirectoryEntry();
return ldap_coon;
}
public static DirectorySearcher ldap_search_nopass(DirectorySearcher ldap_search)
{
ldap_search = new DirectorySearcher(coon);
return ldap_search;
}
public static DirectoryEntry Get_coon_nopass()
{
coon = ldap_coon_nopass(coon);
return coon;
}
public static DirectorySearcher Get_search_nopass()
{
search = ldap_search_nopass(search);
return search;
}
//域外
public static void SET_LDAP_USER_PASS()
{
Console.Write("Domain IP:");
url = Console.ReadLine();
url = "LDAP://" + url;
Console.Write("user:");
user = Console.ReadLine();
Console.Write("pass:");
pass = Console.ReadLine();
//url = "LDAP://192.168.11.16";
//user = "hack";
//pass = "test123..";
String path = "CN=AdminSDHolder,CN=System,DC=redteam,DC=local";
}
public static DirectoryEntry ldap_coon(DirectoryEntry ldap_coon)
{
ldap_coon = new DirectoryEntry(url, user, pass);
return ldap_coon;
}
public static DirectorySearcher ldap_search(DirectorySearcher ldap_search)
{
ldap_search = new DirectorySearcher(coon);
return ldap_search;
}
public static DirectoryEntry Get_coon()
{
coon = ldap_coon(coon);
return coon;
}
public static DirectorySearcher Get_search()
{
search = ldap_search(search);
return search;
}
}
}2.4 basicInfo.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.DirectoryServices;
namespace LdaopDemo.BasicInfo
{
class basicInfo
{
public static DirectoryEntry coon = null;
public static DirectorySearcher search = null;
public static String Domain_DNS_Name = "";
public static void LDAP_COON()
{
if (Ldapconn.url == "")
{
try
{
coon = Ldapconn.Get_coon_nopass();
search = Ldapconn.Get_search_nopass();
}
catch
{
Console.Write("coon error");
}
}
else
{
try
{
coon = Ldapconn.Get_coon();
search = Ldapconn.Get_search();
}
catch
{
Console.Write("coon error");
}
}
}
public static String GetDomainDNS()
{
LDAP_COON();
search.Filter = "(&(objectClass=domainDNS))";
foreach (SearchResult r in search.FindAll())
{
string domainDNS_Name = "";
try
{
domainDNS_Name = r.Properties["distinguishedName"][0].ToString();
Domain_DNS_Name = domainDNS_Name;
}
catch
{
Console.WriteLine("error");
Domain_DNS_Name = "error";
}
}
return Domain_DNS_Name;
}
public void GetComputers()
{
LDAP_COON();
//查询域内机器
search.Filter = "(&(objectclass=computer))";
Console.WriteLine("===========All Computers===========");
foreach (SearchResult r in search.FindAll())
{
string computername = "";
try
{
computername = r.Properties["dnshostname"][0].ToString();
Console.WriteLine(computername);
}
catch
{
Console.WriteLine("error");
}
}
}
public void GetAllUsers()
{
LDAP_COON();
//查询域内用户
search.Filter = "(&(objectClass=user)(objectCategory=person))";
Console.WriteLine("===========All Users===========");
foreach (SearchResult r in search.FindAll())
{
string users = "";
try
{
users = r.Properties["name"][0].ToString();
Console.WriteLine(users);
}
catch
{
Console.WriteLine("error");
}
}
}
public void GetAllGroups()
{
LDAP_COON();
//获取域内所有组:
search.Filter = "(&(objectCategory=group))";
Console.WriteLine("===========All Groups===========");
foreach (SearchResult r in search.FindAll())
{
string groups = "";
string groupdescription = "";
try
{
groups = r.Properties["cn"][0].ToString();
groupdescription = r.Properties["description"][0].ToString();
Console.WriteLine("Group: " + groups);
Console.WriteLine("Description: " + groupdescription + "\r\n");
}
catch
{
Console.WriteLine("error");
}
}
//密码策略
/*
lockoutDuration 锁定持续时间
lockoutThreshold 多少次锁定
maxPwdAge 最大修改密码时间
minPwdAge 最小修改密码时间
minPwdLength 最小密码长度
*/
}
public void GetPassPolicy()
{
LDAP_COON();
Console.WriteLine("===========Pass Policy===========");
SearchResult r = search.FindOne();
long maxDays = 0;
long minDays = 0;
Int64 maxPwdAge = 0;
Int64 minPwdAge = 0;
string minPwdLength = "";
string lockoutThreshold = "";
Int64 lockoutDuration = 0;
long lockTime = 0;
try
{
maxPwdAge = (Int64)r.Properties["maxPwdAge"][0];
maxDays = maxPwdAge / -864000000000;
minPwdAge = (Int64)r.Properties["minPwdAge"][0];
minDays = minPwdAge / -864000000000;
minPwdLength = r.Properties["minPwdLength"][0].ToString();
lockoutThreshold = r.Properties["lockoutThreshold"][0].ToString();
lockoutDuration = (Int64)r.Properties["lockoutDuration"][0];
lockTime = lockoutDuration / -864000000000;
Console.WriteLine("minPwdAge:" + minDays);
Console.WriteLine("maxPwdAge:" + maxDays);
Console.WriteLine("minPwdLength:" + minPwdLength);
Console.WriteLine("lockoutThreshold:" + lockoutThreshold);
Console.WriteLine("lockoutDuration:" + lockTime);
}
catch
{
Console.WriteLine("error");
}
}
}
}2.5 AdminSDHolder.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;
using LdaopDemo.BasicInfo;
using System.Text.RegularExpressions;
namespace LdaopDemo.backdoor
{
class AdminSDHolder
{
public static DirectoryEntry coon = null;
public static DirectorySearcher search = null;
public static string Dns_First_Name = "";
public static void LDAP_COON()
{
if (Ldapconn.url == "")
{
try
{
coon = Ldapconn.Get_coon_nopass();
search = Ldapconn.Get_search_nopass();
}
catch
{
Console.Write("coon error");
}
}
else
{
try
{
coon = Ldapconn.Get_coon();
search = Ldapconn.Get_search();
}
catch
{
Console.Write("coon error");
}
}
}
public static String Get_Dns_First_Name()
{
LDAP_COON();
search.Filter = "(&(objectClass=domainDNS))";
foreach (SearchResult r in search.FindAll())
{
string domainDC_Name = "";
try
{
domainDC_Name = r.Properties["dc"][0].ToString();
Dns_First_Name = domainDC_Name;
}
catch
{
Console.WriteLine("error");
Dns_First_Name = "error";
}
}
return Dns_First_Name;
}
//sid to username
public string SidToUserName(string sid)
{
LDAP_COON();
if(Ldapconn.url == "")
{
string url = "LDAP://<SID=" + sid + ">";
DirectoryEntry coon = new DirectoryEntry(url);
DirectorySearcher search = new DirectorySearcher(coon);
search.Filter = "(&(objectClass=user)(objectCategory=person))";
foreach (SearchResult r in search.FindAll())
{
string users = "";
try
{
users = r.Properties["name"][0].ToString();
return users;
}
catch
{
Console.WriteLine("error");
}
}
}
else
{
string url = Ldapconn.url+"/<SID=" + sid + ">";
string username = "hack";
string password = "test123..";
//Console.WriteLine(url);
DirectoryEntry coon = new DirectoryEntry(url, username, password);
DirectorySearcher search = new DirectorySearcher(coon);
search.Filter = "(&(objectClass=user)(objectCategory=person))";
foreach (SearchResult r in search.FindAll())
{
string users = "";
try
{
users = r.Properties["name"][0].ToString();
return users;
}
catch
{
Console.WriteLine("error");
}
}
}
return "error";
}
public void EnumUsersAndGroups_AdminSDHolder()
{
LDAP_COON();
//person
search.Filter = "(&(objectcategory=person)(admincount=1))";
Console.WriteLine("===========AdminSDHolder Users===========");
foreach (SearchResult r in search.FindAll())
{
string users = "";
try
{
users = r.Properties["name"][0].ToString();
Console.WriteLine(users);
}
catch
{
Console.WriteLine("error");
}
}
//group
search.Filter = "(&(objectcategory=group)(admincount=1))";
Console.WriteLine("===========AdminSDHolder Groups===========");
foreach (SearchResult r in search.FindAll())
{
string groups = "";
try
{
groups = r.Properties["name"][0].ToString();
Console.WriteLine(groups);
}
catch
{
Console.WriteLine("error");
}
}
//acl
Console.WriteLine("===========AdminSDHolder ACL===========");
string dns_name = basicInfo.GetDomainDNS();//DC=redteam,DC=local
String AdminSDHolder_path = "/CN=AdminSDHolder,CN=System," + dns_name;
String AdminSDHoler_Acl = "";
if (Ldapconn.url == "")
{
string dc_name = Get_Dns_First_Name();
AdminSDHolder_path = "LDAP://" + dc_name + ":389" + AdminSDHolder_path; //LDAP://redteam:389/CN=AdminSDHolder,CN=System,DC=redteam,DC=local
}
else
{
AdminSDHolder_path = Ldapconn.url + AdminSDHolder_path;
}
// //Ldapconn.url == "LDAP://name:389"
//Console.WriteLine(AdminSDHolder_path);
coon.Path = AdminSDHolder_path;
ActiveDirectorySecurity sec = coon.ObjectSecurity;
AuthorizationRuleCollection rules = null;
rules = sec.GetAccessRules(true, true, typeof(NTAccount));
Console.WriteLine("===========GenericAll===========");
foreach (ActiveDirectoryAccessRule rule in rules)
{
if (rule.ActiveDirectoryRights.ToString().Equals("GenericAll"))
{
string acl = rule.IdentityReference.Value;
if (acl.Contains("-"))
{
//Console.WriteLine(acl);
string user_name = SidToUserName(acl);
Console.WriteLine(user_name);
}
else
{
Console.WriteLine(acl);
}
}
}
}
}
}
点击收藏 | 0
关注 | 1
