Breaking ResolveHostToSid into two functions to handle DNS hostname r…

…esolution
SpecterOps · Mar 12, 2024 · dfbd537 · dfbd537
1 parent 1ccdb77
commit dfbd537
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 16 deletions.
diff --git a/src/CommonLib/ILDAPUtils.cs b/src/CommonLib/ILDAPUtils.cs
@@ -55,6 +55,14 @@ public interface ILDAPUtils
         /// <returns></returns>
         IEnumerable<string> DoRangedRetrieval(string distinguishedName, string attributeName);
 
+        /// <summary>
+        ///     Takes a host in most applicable forms from AD and attempts to resolve it into a SID, falling back to hostname if SID cannot be resolved.
+        /// </summary>
+        /// <param name="hostname"></param>
+        /// <param name="domain"></param>
+        /// <returns></returns>
+        Task<string> ResolveHostToSidWithHostnameFallback(string hostname, string domain);
+
         /// <summary>
         ///     Takes a host in most applicable forms from AD and attempts to resolve it into a SID.
         /// </summary>

diff --git a/src/CommonLib/LDAPUtils.cs b/src/CommonLib/LDAPUtils.cs
@@ -572,6 +572,38 @@ public IEnumerable<string> DoRangedRetrieval(string distinguishedName, string at
             }
         }
 
+        /// <summary>
+        /// Takes a host in most applicable forms from AD and attempts to resolve it into a SID, falling back to hostname if SID cannot be resolved.
+        /// </summary>
+        /// <param name="hostname"></param>
+        /// <param name="domain"></param>
+        /// <returns></returns>
+        public async Task<string> ResolveHostToSidWithHostnameFallback(string hostname, string domain)
+        {
+            var sid = await ResolveHostToSid(hostname, domain);
+            if (string.IsNullOrEmpty(sid))
+            {
+                //If we get here, everything has failed, and life is very sad.
+                var strippedHost = Helpers.StripServicePrincipalName(hostname).ToUpper().TrimEnd('$');
+                var normalDomain = NormalizeDomainName(domain);
+
+                var tempName = strippedHost;
+                var tempDomain = normalDomain;
+
+                if (tempName.Contains("."))
+                {
+                    _hostResolutionMap.TryAdd(strippedHost, tempName);
+                    return tempName;
+                }
+
+                tempName = $"{tempName}.{tempDomain}";
+                _hostResolutionMap.TryAdd(strippedHost, tempName);
+                return tempName;
+            }
+
+            return sid;
+        }
+
         /// <summary>
         ///     Takes a host in most applicable forms from AD and attempts to resolve it into a SID.
         /// </summary>
@@ -689,19 +721,8 @@ public async Task<string> ResolveHostToSid(string hostname, string domain)
                 }
             }
 
-            //If we get here, everything has failed, and life is very sad.
-            tempName = strippedHost;
-            tempDomain = normalDomain;
-
-            if (tempName.Contains("."))
-            {
-                _hostResolutionMap.TryAdd(strippedHost, tempName);
-                return tempName;
-            }
-
-            tempName = $"{tempName}.{tempDomain}";
-            _hostResolutionMap.TryAdd(strippedHost, tempName);
-            return tempName;
+            // Sad times
+            return null;
         }
 
         /// <summary>

diff --git a/src/CommonLib/Processors/LDAPPropertyProcessor.cs b/src/CommonLib/Processors/LDAPPropertyProcessor.cs
@@ -178,7 +178,7 @@ public async Task<UserProperties> ReadUserProperties(ISearchResultEntry entry)
                         continue;
 
                     var resolvedHost = await _utils.ResolveHostToSid(d, domain);
-                    if (resolvedHost != null && resolvedHost.Contains("S-1"))
+                    if (resolvedHost != null && resolvedHost.StartsWith("S-1"))
                         comps.Add(new TypedPrincipal
                         {
                             ObjectIdentifier = resolvedHost,
@@ -285,8 +285,8 @@ public async Task<ComputerProperties> ReadComputerProperties(ISearchResultEntry
                 {
                     var hname = d.Contains("/") ? d.Split('/')[1] : d;
                     hname = hname.Split(':')[0];
-                    var resolvedHost = await _utils.ResolveHostToSid(hname, domain);
-                    if (resolvedHost != null && (resolvedHost.Contains(".") || resolvedHost.Contains("S-1")))
+                    var resolvedHost = await _utils.ResolveHostToSidWithHostnameFallback(hname, domain);
+                    if (resolvedHost != null && (resolvedHost.Contains(".") || resolvedHost.StartsWith("S-1")))
                         comps.Add(new TypedPrincipal
                         {
                             ObjectIdentifier = resolvedHost,