From 80211420a66b7b4051fe7dea837e1517a3fcefce Mon Sep 17 00:00:00 2001 From: rvazarkar Date: Tue, 15 Aug 2023 09:30:35 -0400 Subject: [PATCH 1/7] fix: remove call to IsTextUnicode to allow CollectAllProperties to function properly --- .../Processors/LDAPPropertyProcessor.cs | 32 ++++++++----------- 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/src/CommonLib/Processors/LDAPPropertyProcessor.cs b/src/CommonLib/Processors/LDAPPropertyProcessor.cs index f5a667c6..6b4ebd80 100644 --- a/src/CommonLib/Processors/LDAPPropertyProcessor.cs +++ b/src/CommonLib/Processors/LDAPPropertyProcessor.cs @@ -7,25 +7,19 @@ using System.Security.Principal; using System.Threading.Tasks; using SharpHoundCommonLib.Enums; +using SharpHoundCommonLib.LDAPQueries; using SharpHoundCommonLib.OutputTypes; namespace SharpHoundCommonLib.Processors { public class LDAPPropertyProcessor { - private static readonly string[] ReservedAttributes = - { - "pwdlastset", "lastlogon", "lastlogontimestamp", "objectsid", - "sidhistory", "useraccountcontrol", "operatingsystem", - "operatingsystemservicepack", "serviceprincipalname", "displayname", "mail", "title", - "homedirectory", "description", "admincount", "userpassword", "gpcfilesyspath", "objectclass", - "msds-behavior-version", "objectguid", "name", "gpoptions", "msds-allowedtodelegateto", - "msDS-allowedtoactonbehalfofotheridentity", "displayname", - "sidhistory", "samaccountname", "samaccounttype", "objectsid", "objectguid", "objectclass", - "msds-groupmsamembership", - "distinguishedname", "memberof", "logonhours", "ntsecuritydescriptor", "dsasignature", "repluptodatevector", - "member", "whenCreated" - }; + private static readonly string[] ReservedAttributes = CommonProperties.TypeResolutionProps + .Concat(CommonProperties.BaseQueryProps).Concat(CommonProperties.GroupResolutionProps) + .Concat(CommonProperties.ComputerMethodProps).Concat(CommonProperties.ACLProps) + .Concat(CommonProperties.ObjectPropsProps).Concat(CommonProperties.ContainerProps) + .Concat(CommonProperties.SPNTargetProps).Concat(CommonProperties.DomainTrustProps) + .Concat(CommonProperties.GPOLocalGroupProps).ToArray(); private readonly ILDAPUtils _utils; @@ -404,12 +398,11 @@ public async Task ReadComputerProperties(ISearchResultEntry /// public Dictionary ParseAllProperties(ISearchResultEntry entry) { - var flag = IsTextUnicodeFlags.IS_TEXT_UNICODE_STATISTICS; var props = new Dictionary(); foreach (var property in entry.PropertyNames()) { - if (ReservedAttributes.Contains(property)) + if (ReservedAttributes.Contains(property, StringComparer.OrdinalIgnoreCase)) continue; var collCount = entry.PropCount(property); @@ -420,8 +413,7 @@ public Dictionary ParseAllProperties(ISearchResultEntry entry) { var testBytes = entry.GetByteProperty(property); - if (testBytes == null || testBytes.Length == 0 || - !IsTextUnicode(testBytes, testBytes.Length, ref flag)) continue; + if (testBytes == null || testBytes.Length == 0) continue; var testString = entry.GetProperty(property); @@ -434,7 +426,7 @@ public Dictionary ParseAllProperties(ISearchResultEntry entry) else { var arrBytes = entry.GetByteArrayProperty(property); - if (arrBytes.Length == 0 || !IsTextUnicode(arrBytes[0], arrBytes[0].Length, ref flag)) + if (arrBytes.Length == 0) continue; var arr = entry.GetArrayProperty(property); @@ -461,6 +453,10 @@ private static object BestGuessConvert(string property) //This string corresponds to the max int, and is usually set in accountexpires if (property == "9223372036854775807") return -1; + //Try parsing as an int + if (int.TryParse(property, out var num)) return num; + + //Just return the property as a string return property; } From 6fe3f3255dbc61ae48434eda114118ae9456fc05 Mon Sep 17 00:00:00 2001 From: spyr0 <78267628+spyr0-sec@users.noreply.github.com> Date: Tue, 15 Aug 2023 16:03:23 +0100 Subject: [PATCH 2/7] Added msLAPS-PasswordExpirationTime property (cherry picked from commit be5818e83993f723f7109257769d586a6785a0a7) --- src/CommonLib/LDAPProperties.cs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/CommonLib/LDAPProperties.cs b/src/CommonLib/LDAPProperties.cs index 491ab272..fe36196d 100644 --- a/src/CommonLib/LDAPProperties.cs +++ b/src/CommonLib/LDAPProperties.cs @@ -34,7 +34,8 @@ public class LDAPProperties public const string OperatingSystem = "operatingsystem"; public const string ServicePack = "operatingsystemservicepack"; public const string DNSHostName = "dnshostname"; - public const string LAPSExpirationTime = "ms-mcs-admpwdexpirationtime"; + public const string LAPSExpirationTime = "mslaps-passwordexpirationtime"; + public const string LegacyLAPSExpirationTime = "ms-mcs-admpwdexpirationtime"; public const string Members = "member"; public const string SecurityDescriptor = "ntsecuritydescriptor"; public const string SecurityIdentifier = "securityidentifier"; @@ -49,4 +50,4 @@ public class LDAPProperties public const string LdapAdminLimits = "ldapadminlimits"; public const string HostServiceAccount = "msds-hostserviceaccount"; } -} \ No newline at end of file +} From 8f2608ffac411cc4f60569e37b8440e8a8d98196 Mon Sep 17 00:00:00 2001 From: spyr0 <78267628+spyr0-sec@users.noreply.github.com> Date: Tue, 15 Aug 2023 16:12:12 +0100 Subject: [PATCH 3/7] Check for either LAPS attribute (cherry picked from commit 1f2089b2a0a11fd157fe88f357cd282d0198413a) --- src/CommonLib/SearchResultEntryWrapper.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/CommonLib/SearchResultEntryWrapper.cs b/src/CommonLib/SearchResultEntryWrapper.cs index a29e38d6..81e4113f 100644 --- a/src/CommonLib/SearchResultEntryWrapper.cs +++ b/src/CommonLib/SearchResultEntryWrapper.cs @@ -246,7 +246,7 @@ public bool IsGMSA() public bool HasLAPS() { - return GetProperty(LDAPProperties.LAPSExpirationTime) != null; + return GetProperty(LDAPProperties.LAPSExpirationTime) != null || GetProperty(LDAPProperties.LegacyLAPSExpirationTime) != null; } public SearchResultEntry GetEntry() @@ -254,4 +254,4 @@ public SearchResultEntry GetEntry() return _entry; } } -} \ No newline at end of file +} From 355face6edac8031907da54a5b7472b48945cd48 Mon Sep 17 00:00:00 2001 From: rvazarkar Date: Wed, 16 Aug 2023 14:41:50 -0400 Subject: [PATCH 4/7] chore: bump verison --- src/CommonLib/SharpHoundCommonLib.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/CommonLib/SharpHoundCommonLib.csproj b/src/CommonLib/SharpHoundCommonLib.csproj index d0938a38..92ff866e 100644 --- a/src/CommonLib/SharpHoundCommonLib.csproj +++ b/src/CommonLib/SharpHoundCommonLib.csproj @@ -9,7 +9,7 @@ Common library for C# BloodHound enumeration tasks GPL-3.0-only https://github.com/BloodHoundAD/SharpHoundCommon - 3.0.6 + 3.0.7 SharpHoundCommonLib SharpHoundCommonLib From d8b71d2b735f0f815465487fd579cbf2279aa8e1 Mon Sep 17 00:00:00 2001 From: rvazarkar Date: Wed, 16 Aug 2023 14:46:10 -0400 Subject: [PATCH 5/7] feat: update publish.yml in v3 --- .github/workflows/publish.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index edb1dbd3..c587362e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -42,6 +42,12 @@ jobs: - name: Publish NuGet run: dotnet nuget push *.nupkg -s https://api.nuget.org/v3/index.json -k ${{ secrets.NUGET_TOKEN }} + + - name: Prep Packages + run: dotnet nuget add source --username {{github.actor}} --password ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text --name github "https://nuget.pkg.github.com/BloodHoundAD/index.json" + + - name: Publish to GitHub Packages + run: dotnet nuget push *.nupkg --api-key ${{ secrets.GITHUB_TOKEN }} --source "github" ghpages: name: ghpages From 936fdbff21cdc31bace8832d99b2e4fa3bd5b138 Mon Sep 17 00:00:00 2001 From: rvazarkar Date: Wed, 16 Aug 2023 15:19:33 -0400 Subject: [PATCH 6/7] chore: update publish.yml --- .github/workflows/publish.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index c587362e..92213363 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -39,9 +39,6 @@ jobs: - name: Pack run: dotnet pack --no-restore -c Release -p:PackageVersion=${{ steps.version.outputs.result }} -o . - - - name: Publish NuGet - run: dotnet nuget push *.nupkg -s https://api.nuget.org/v3/index.json -k ${{ secrets.NUGET_TOKEN }} - name: Prep Packages run: dotnet nuget add source --username {{github.actor}} --password ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text --name github "https://nuget.pkg.github.com/BloodHoundAD/index.json" @@ -49,6 +46,9 @@ jobs: - name: Publish to GitHub Packages run: dotnet nuget push *.nupkg --api-key ${{ secrets.GITHUB_TOKEN }} --source "github" + - name: Publish NuGet + run: dotnet nuget push *.nupkg -s https://api.nuget.org/v3/index.json -k ${{ secrets.NUGET_TOKEN }} --skip-duplicate + ghpages: name: ghpages needs: nuget From 485054c7b6b2eab56ab174cc41e4e9258065ecdf Mon Sep 17 00:00:00 2001 From: rvazarkar Date: Wed, 16 Aug 2023 15:33:18 -0400 Subject: [PATCH 7/7] fix: missing $ in publish --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 92213363..be378cd4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -41,7 +41,7 @@ jobs: run: dotnet pack --no-restore -c Release -p:PackageVersion=${{ steps.version.outputs.result }} -o . - name: Prep Packages - run: dotnet nuget add source --username {{github.actor}} --password ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text --name github "https://nuget.pkg.github.com/BloodHoundAD/index.json" + run: dotnet nuget add source --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text --name github "https://nuget.pkg.github.com/BloodHoundAD/index.json" - name: Publish to GitHub Packages run: dotnet nuget push *.nupkg --api-key ${{ secrets.GITHUB_TOKEN }} --source "github"