From 1907029f4c985d0013125fddf8359f9512300b04 Mon Sep 17 00:00:00 2001 From: Rohan Vazarkar Date: Mon, 29 Jul 2024 10:35:51 -0400 Subject: [PATCH] Properly append relative search base (#144) * fix: property append relative search base to the dn * chore: delete log * chore: remove duplicate ldap filter * chore: format code --- src/CommonLib/LdapQueries/LdapFilter.cs | 83 +++++++++---------------- src/CommonLib/LdapUtils.cs | 8 +-- 2 files changed, 35 insertions(+), 56 deletions(-) diff --git a/src/CommonLib/LdapQueries/LdapFilter.cs b/src/CommonLib/LdapQueries/LdapFilter.cs index 58bb4fbb..428440aa 100644 --- a/src/CommonLib/LdapQueries/LdapFilter.cs +++ b/src/CommonLib/LdapQueries/LdapFilter.cs @@ -1,13 +1,11 @@ using System.Collections.Generic; using System.Linq; -namespace SharpHoundCommonLib.LDAPQueries -{ +namespace SharpHoundCommonLib.LDAPQueries { /// /// A class used to more easily build LDAP filters based on the common filters used by SharpHound /// - public class LdapFilter - { + public class LdapFilter { private readonly List _filterParts = new(); private readonly List _mandatory = new(); @@ -16,13 +14,11 @@ public class LdapFilter /// /// /// - private static string[] CheckConditions(IEnumerable conditions) - { + private static string[] CheckConditions(IEnumerable conditions) { return conditions.Select(FixFilter).ToArray(); } - private static string FixFilter(string filter) - { + private static string FixFilter(string filter) { if (!filter.StartsWith("(")) filter = $"({filter}"; if (!filter.EndsWith(")")) filter = $"{filter})"; @@ -37,8 +33,7 @@ private static string FixFilter(string filter) /// /// /// - private static string BuildString(string baseFilter, params string[] conditions) - { + private static string BuildString(string baseFilter, params string[] conditions) { if (conditions.Length == 0) return baseFilter; return $"(&{baseFilter}{string.Join("", CheckConditions(conditions))})"; @@ -49,8 +44,7 @@ private static string BuildString(string baseFilter, params string[] conditions) /// /// /// - public LdapFilter AddAllObjects(params string[] conditions) - { + public LdapFilter AddAllObjects(params string[] conditions) { _filterParts.Add(BuildString("(objectclass=*)", conditions)); return this; @@ -61,8 +55,7 @@ public LdapFilter AddAllObjects(params string[] conditions) /// /// /// - public LdapFilter AddUsers(params string[] conditions) - { + public LdapFilter AddUsers(params string[] conditions) { _filterParts.Add(BuildString("(samaccounttype=805306368)", conditions)); return this; @@ -73,8 +66,7 @@ public LdapFilter AddUsers(params string[] conditions) /// /// /// - public LdapFilter AddGroups(params string[] conditions) - { + public LdapFilter AddGroups(params string[] conditions) { _filterParts.Add(BuildString( "(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(samaccounttype=536870913))", conditions)); @@ -87,8 +79,7 @@ public LdapFilter AddGroups(params string[] conditions) /// /// /// - public LdapFilter AddPrimaryGroups(params string[] conditions) - { + public LdapFilter AddPrimaryGroups(params string[] conditions) { _filterParts.Add(BuildString("(primarygroupid=*)", conditions)); return this; @@ -99,8 +90,7 @@ public LdapFilter AddPrimaryGroups(params string[] conditions) /// /// /// - public LdapFilter AddGPOs(params string[] conditions) - { + public LdapFilter AddGPOs(params string[] conditions) { _filterParts.Add(BuildString("(&(objectcategory=groupPolicyContainer)(flags=*))", conditions)); return this; @@ -111,8 +101,7 @@ public LdapFilter AddGPOs(params string[] conditions) /// /// /// - public LdapFilter AddOUs(params string[] conditions) - { + public LdapFilter AddOUs(params string[] conditions) { _filterParts.Add(BuildString("(objectcategory=organizationalUnit)", conditions)); return this; @@ -123,8 +112,7 @@ public LdapFilter AddOUs(params string[] conditions) /// /// /// - public LdapFilter AddDomains(params string[] conditions) - { + public LdapFilter AddDomains(params string[] conditions) { _filterParts.Add(BuildString("(objectclass=domain)", conditions)); return this; @@ -135,8 +123,7 @@ public LdapFilter AddDomains(params string[] conditions) /// /// /// - public LdapFilter AddContainers(params string[] conditions) - { + public LdapFilter AddContainers(params string[] conditions) { _filterParts.Add(BuildString("(objectClass=container)", conditions)); return this; @@ -147,8 +134,7 @@ public LdapFilter AddContainers(params string[] conditions) /// /// /// - public LdapFilter AddConfiguration(params string[] conditions) - { + public LdapFilter AddConfiguration(params string[] conditions) { _filterParts.Add(BuildString("(objectClass=configuration)", conditions)); return this; @@ -161,8 +147,7 @@ public LdapFilter AddConfiguration(params string[] conditions) /// /// /// - public LdapFilter AddComputers(params string[] conditions) - { + public LdapFilter AddComputers(params string[] conditions) { _filterParts.Add(BuildString("(samaccounttype=805306369)", conditions)); return this; } @@ -172,8 +157,7 @@ public LdapFilter AddComputers(params string[] conditions) /// /// /// - public LdapFilter AddCertificateTemplates(params string[] conditions) - { + public LdapFilter AddCertificateTemplates(params string[] conditions) { _filterParts.Add(BuildString("(objectclass=pKICertificateTemplate)", conditions)); return this; } @@ -183,9 +167,8 @@ public LdapFilter AddCertificateTemplates(params string[] conditions) /// /// /// - public LdapFilter AddCertificateAuthorities(params string[] conditions) - { - _filterParts.Add(BuildString("(|(objectClass=certificationAuthority)(objectClass=pkiEnrollmentService))", + public LdapFilter AddCertificateAuthorities(params string[] conditions) { + _filterParts.Add(BuildString("(objectClass=certificationAuthority)", conditions)); return this; } @@ -195,8 +178,7 @@ public LdapFilter AddCertificateAuthorities(params string[] conditions) /// /// /// - public LdapFilter AddEnterpriseCertificationAuthorities(params string[] conditions) - { + public LdapFilter AddEnterpriseCertificationAuthorities(params string[] conditions) { _filterParts.Add(BuildString("(objectCategory=pKIEnrollmentService)", conditions)); return this; } @@ -206,8 +188,7 @@ public LdapFilter AddEnterpriseCertificationAuthorities(params string[] conditio /// /// /// - public LdapFilter AddIssuancePolicies(params string[] conditions) - { + public LdapFilter AddIssuancePolicies(params string[] conditions) { _filterParts.Add(BuildString("(objectClass=msPKI-Enterprise-Oid)", conditions)); return this; } @@ -217,8 +198,7 @@ public LdapFilter AddIssuancePolicies(params string[] conditions) /// /// /// - public LdapFilter AddSchemaID(params string[] conditions) - { + public LdapFilter AddSchemaID(params string[] conditions) { _filterParts.Add(BuildString("(schemaidguid=*)", conditions)); return this; } @@ -228,9 +208,10 @@ public LdapFilter AddSchemaID(params string[] conditions) /// /// /// - public LdapFilter AddComputersNoMSAs(params string[] conditions) - { - _filterParts.Add(BuildString("(&(samaccounttype=805306369)(!(objectclass=msDS-GroupManagedServiceAccount))(!(objectclass=msDS-ManagedServiceAccount)))", conditions)); + public LdapFilter AddComputersNoMSAs(params string[] conditions) { + _filterParts.Add(BuildString( + "(&(samaccounttype=805306369)(!(objectclass=msDS-GroupManagedServiceAccount))(!(objectclass=msDS-ManagedServiceAccount)))", + conditions)); return this; } @@ -240,8 +221,7 @@ public LdapFilter AddComputersNoMSAs(params string[] conditions) /// LDAP Filter to add to query /// If true, filter will be AND otherwise OR /// - public LdapFilter AddFilter(string filter, bool enforce) - { + public LdapFilter AddFilter(string filter, bool enforce) { if (enforce) _mandatory.Add(FixFilter(filter)); else @@ -254,9 +234,7 @@ public LdapFilter AddFilter(string filter, bool enforce) /// Combines all the specified parts of the LDAP filter and merges them into a single string /// /// - public string GetFilter() - { - + public string GetFilter() { var filterPartList = _filterParts.ToArray().Distinct(); var mandatoryList = _mandatory.ToArray().Distinct(); @@ -270,13 +248,14 @@ public string GetFilter() else if (filterPartsExceptMandatory.Count > 1) filterPartsDistinct = $"(|{filterPartsDistinct})"; - filterPartsDistinct = _mandatory.Count > 0 ? $"(&{filterPartsDistinct}{mandatoryDistinct})" : filterPartsDistinct; + filterPartsDistinct = _mandatory.Count > 0 + ? $"(&{filterPartsDistinct}{mandatoryDistinct})" + : filterPartsDistinct; return filterPartsDistinct; } - public IEnumerable GetFilterList() - { + public IEnumerable GetFilterList() { return _filterParts.Distinct(); } } diff --git a/src/CommonLib/LdapUtils.cs b/src/CommonLib/LdapUtils.cs index a7e0bf63..bc087b69 100644 --- a/src/CommonLib/LdapUtils.cs +++ b/src/CommonLib/LdapUtils.cs @@ -704,10 +704,10 @@ private bool CreateSearchRequest(LdapQueryParameters queryParameters, }; connectionWrapper.SaveContext(queryParameters.NamingContext, basePath); - - if (!string.IsNullOrWhiteSpace(queryParameters.RelativeSearchBase)) { - basePath = $"{queryParameters.RelativeSearchBase},{basePath}"; - } + } + + if (string.IsNullOrWhiteSpace(queryParameters.SearchBase) && !string.IsNullOrWhiteSpace(queryParameters.RelativeSearchBase)) { + basePath = $"{queryParameters.RelativeSearchBase},{basePath}"; } searchRequest = new SearchRequest(basePath, queryParameters.LDAPFilter, queryParameters.SearchScope,