Skip to content

Commit

Permalink
Merge remote-tracking branch 'origin/main' into v3
Browse files Browse the repository at this point in the history
# Conflicts:
#	src/CommonLib/LDAPUtils.cs
#	src/CommonLib/Processors/ComputerAvailability.cs
#	src/CommonLib/SharpHoundCommonLib.csproj
  • Loading branch information
rvazarkar committed Feb 10, 2023
2 parents 24e749e + abd79e8 commit b76682e
Show file tree
Hide file tree
Showing 5 changed files with 60 additions and 8 deletions.
23 changes: 23 additions & 0 deletions .github/workflows/cla.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
name: "CLA Assistant"
on:
issue_comment:
types: [created]
pull_request_target:
types: [opened,closed,synchronize]

jobs:
CLAssistant:
runs-on: ubuntu-latest
steps:
- name: "CLA Assistant"
if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
uses: contributor-assistant/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PERSONAL_ACCESS_TOKEN : ${{ secrets.REPO_SCOPE }}
with:
path-to-signatures: 'signatures.json'
path-to-document: 'https://github.com/BloodHoundAD/CLA/blob/main/ICLA.md'
branch: 'main'
remote-organization-name: BloodHoundAD
remote-repository-name: CLA
2 changes: 2 additions & 0 deletions src/CommonLib/EdgeNames.cs
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ public static class EdgeNames
public const string AddSelf = "AddSelf";
public const string GetChanges = "GetChanges";
public const string GetChangesAll = "GetChangesAll";
public const string GetChangesInFilteredSet = "GetChangesInFilteredSet";
public const string AllExtendedRights = "AllExtendedRights";
public const string ForceChangePassword = "ForceChangePassword";
public const string AddAllowedToAct = "AddAllowedToAct";
Expand All @@ -19,5 +20,6 @@ public static class EdgeNames
public const string WriteSPN = "WriteSPN";
public const string AddKeyCredentialLink = "AddKeyCredentialLink";
public const string SQLAdmin = "SQLAdmin";
public const string WriteAccountRestrictions = "WriteAccountRestrictions";
}
}
25 changes: 17 additions & 8 deletions src/CommonLib/LDAPUtils.cs
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ private static readonly ConcurrentDictionary<string, ResolvedWellKnownPrincipal>

private readonly ConcurrentDictionary<string, Domain> _domainCache = new();
private readonly ConcurrentDictionary<string, string> _domainControllerCache = new();
private readonly ConcurrentDictionary<string, string> _gcControllerCache = new();

private readonly ConcurrentDictionary<string, LdapConnection> _globalCatalogConnections = new();
private readonly ConcurrentDictionary<string, string> _hostResolutionMap = new();
Expand Down Expand Up @@ -884,12 +885,14 @@ public bool TestLDAPConfig(string domain)
{
var filter = new LDAPFilter();
filter.AddDomains();

var resDomain = GetDomain(domain)?.Name ?? domain;
_log.LogTrace("Testing LDAP connection for domain {Domain}", resDomain);

var result = QueryLDAP(filter.GetFilter(), SearchScope.Subtree, CommonProperties.ObjectID, resDomain)
.DefaultIfEmpty(null).FirstOrDefault();

_log.LogTrace("Result object from LDAP connection test is {DN}", result?.DistinguishedName ?? "null");

_log.LogTrace("Result object from LDAP connection test is {DN}", result?.DistinguishedName ?? "null");

Expand Down Expand Up @@ -1301,12 +1304,18 @@ private async Task<LdapConnection> CreateLDAPConnection(string domainName = null

private async Task<string> GetUsableDomainController(Domain domain, bool gc = false)
{
if (gc && _gcControllerCache.TryGetValue(domain.Name.ToUpper(), out var dc))
return dc;

if (!gc && _domainControllerCache.TryGetValue(domain.Name.ToUpper(), out dc))
return dc;

var port = gc ? 3268 : _ldapConfig.GetPort();
var pdc = domain.PdcRoleOwner.Name;
if (await _portScanner.CheckPort(pdc, port))
{
_domainControllerCache.TryAdd(domain.Name, pdc);
_log.LogDebug("Found usable Domain Controller for {Domain} : {PDC}", domain.Name, pdc);
_domainControllerCache.TryAdd(domain.Name.ToUpper(), pdc);
_log.LogInformation("Found usable Domain Controller for {Domain} : {PDC}", domain.Name, pdc);
return pdc;
}

Expand All @@ -1315,14 +1324,14 @@ private async Task<string> GetUsableDomainController(Domain domain, bool gc = fa
{
var name = domainController.Name;
if (!await _portScanner.CheckPort(name, port)) continue;
_log.LogDebug("Found usable Domain Controller for {Domain} : {PDC}", domain.Name, name);
_domainControllerCache.TryAdd(domain.Name, name);
_log.LogInformation("Found usable Domain Controller for {Domain} : {PDC}", domain.Name, name);
_domainControllerCache.TryAdd(domain.Name.ToUpper(), name);
return name;
}

//If we get here, somehow we didn't get any usable DCs. Save it off as null
_domainControllerCache.TryAdd(domain.Name, null);
_log.LogDebug("Unable to find usable domain controller for {Domain}", domain.Name);
_domainControllerCache.TryAdd(domain.Name.ToUpper(), null);
_log.LogWarning("Unable to find usable domain controller for {Domain}", domain.Name);
return null;
}

Expand Down Expand Up @@ -1383,4 +1392,4 @@ private class ResolvedWellKnownPrincipal
public string WkpId { get; set; }
}
}
}
}
2 changes: 2 additions & 0 deletions src/CommonLib/Processors/ACEGuids.cs
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,13 @@ public class ACEGuids
{
public const string DSReplicationGetChanges = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2";
public const string DSReplicationGetChangesAll = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2";
public const string DSReplicationGetChangesInFilteredSet = "89e95b76-444d-4c62-991a-0facbeda640c";
public const string UserForceChangePassword = "00299570-246d-11d0-a768-00aa006e0529";
public const string AllGuid = "00000000-0000-0000-0000-000000000000";
public const string WriteMember = "bf9679c0-0de6-11d0-a285-00aa003049e2";
public const string WriteAllowedToAct = "3f78c3e5-f79a-46bd-a0b8-9d18116ddc79";
public const string WriteSPN = "f3a64788-5306-11d1-a9c5-0000f80367c1";
public const string AddKeyPrincipal = "5b47d60f-6090-40b2-9f37-2a4de88f3063";
public const string UserAccountRestrictions = "4c164200-20c0-11d0-a768-00aa006e0529";
}
}
16 changes: 16 additions & 0 deletions src/CommonLib/Processors/ACLProcessor.cs
Original file line number Diff line number Diff line change
Expand Up @@ -284,6 +284,14 @@ public IEnumerable<ACE> ProcessACL(byte[] ntSecurityDescriptor, string objectDom
IsInherited = inherited,
RightName = EdgeNames.GetChangesAll
};
else if (aceType == ACEGuids.DSReplicationGetChangesInFilteredSet)
yield return new ACE
{
PrincipalType = resolvedPrincipal.ObjectType,
PrincipalSID = resolvedPrincipal.ObjectIdentifier,
IsInherited = inherited,
RightName = EdgeNames.GetChangesInFilteredSet
};
else if (aceType is ACEGuids.AllGuid or "")
yield return new ACE
{
Expand Down Expand Up @@ -367,6 +375,14 @@ public IEnumerable<ACE> ProcessACL(byte[] ntSecurityDescriptor, string objectDom
IsInherited = inherited,
RightName = EdgeNames.AddAllowedToAct
};
else if (objectType == Label.Computer && aceType == ACEGuids.UserAccountRestrictions && !resolvedPrincipal.ObjectIdentifier.EndsWith("-512"))
yield return new ACE
{
PrincipalType = resolvedPrincipal.ObjectType,
PrincipalSID = resolvedPrincipal.ObjectIdentifier,
IsInherited = inherited,
RightName = EdgeNames.WriteAccountRestrictions
};
else if (objectType == Label.Group && aceType == ACEGuids.WriteMember)
yield return new ACE
{
Expand Down

0 comments on commit b76682e

Please sign in to comment.