 def dump(self):
     """Print the parsed VAULT_VPOL header to stdout, then the nested Blob.

     Version, Size and KeySize are shown in hex and decimal, the three GUID
     fields go through bin_to_string, Description is decoded from UTF-16LE,
     and ``self['Blob'].dump()`` is called for the embedded blob.
     """
     def show(label, text):
         # every label in this record is padded to 13 columns
         print(f"{label:<13}: {text}")

     print("[VAULT_VPOL]")
     version = self['Version']
     show("Version", f"{version:8x} ({version:d})")
     show("Guid", bin_to_string(self['Guid']))
     show("Description", self['Description'].decode('utf-16le'))
     size = self['Size']
     show("Size", f"0x{size:08x} ({size:d})")
     show("Guid2", bin_to_string(self['Guid2']))
     show("Guid3", bin_to_string(self['Guid3']))
     key_size = self['KeySize']
     show("KeySize", f"0x{key_size:08x} ({key_size:d})")
     self['Blob'].dump()
     print()
def can_add_member(ace):
    """Return whether *ace* grants WRITE_PROP in a way that allows adding group members.

    A non-object ACE, or an object ACE with no ObjectType, is not scoped to a
    single property, so the WRITE_PROP bit of the mask alone decides.  An
    object ACE that names a property only counts when that property is
    ``member`` (schema GUID bf9679c0-0de6-11d0-a285-00aa003049e2).

    NOTE(review): the "no ObjectType" test compares the field with ``''``
    (str); confirm the parsed field really is ``''`` rather than ``b''`` on
    Python 3, since bytes never compare equal to str and the guard would then
    never trigger.
    """
    member_attribute_guid = 'bf9679c0-0de6-11d0-a285-00aa003049e2'
    has_write_prop = ace['Ace']['Mask'].hasPriv(
        ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_WRITE_PROP)
    is_object_ace = ace['AceType'] == ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE
    if not is_object_ace or ace['Ace']['ObjectType'] == '':
        # Not scoped to a property: the mask bit is the whole answer
        return has_write_prop
    target_property = bin_to_string(ace['Ace']['ObjectType']).lower()
    return has_write_prop and target_property == member_attribute_guid
def can_create_users(ace):
    """Return whether *ace* grants CREATE_CHILD scoped to the ``user`` class.

    Only an object ACE whose ObjectType is the ``user`` class schema GUID
    (bf967aba-0de6-11d0-a285-00aa003049e2) is accepted; a non-object ACE or
    an object ACE without an ObjectType yields False even when the
    CREATE_CHILD bit is set (unlike can_add_member, which falls back to the
    bare mask bit in that case).

    NOTE(review): the "no ObjectType" test compares the field with ``''``
    (str); confirm the parsed field really is ``''`` rather than ``b''`` on
    Python 3, since bytes never compare equal to str.
    """
    user_class_guid = 'bf967aba-0de6-11d0-a285-00aa003049e2'
    has_create_child = ace['Ace']['Mask'].hasPriv(
        ACCESS_ALLOWED_OBJECT_ACE.ADS_RIGHT_DS_CREATE_CHILD)
    is_object_ace = ace['AceType'] == ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE
    if not is_object_ace or ace['Ace']['ObjectType'] == '':
        # Unscoped CREATE_CHILD is deliberately not counted here
        return False
    target_class = bin_to_string(ace['Ace']['ObjectType']).lower()
    return has_create_child and target_class == user_class_guid
 def dump(self):
     """Print the parsed DOMAINKEY record to stdout.

     Version, SecretLen and AccessCheckLen are shown in hex and decimal,
     Guid through bin_to_string, and SecretData / AccessCheck are hexlified
     verbatim, so the raw secret bytes appear unredacted in the output.
     """
     def show(label, text):
         # labels in this record are padded to 14 columns
         print(f"{label:<14}: {text}")

     print("[DOMAINKEY]")
     version = self['Version']
     show("Version", f"{version:8x} ({version:d})")
     show("Guid", bin_to_string(self['Guid']))
     secret_len = self['SecretLen']
     show("SecretLen", f"{secret_len:8x} ({secret_len:d})")
     check_len = self['AccessCheckLen']
     show("AccessCheckLen", f"{check_len:08x} ({check_len:d})")
     show("SecretData", hexlify(self['SecretData']))
     show("AccessCheck", hexlify(self['AccessCheck']))
     print()
 def dump(self):
     """Print the parsed VCRD (vault credential) record to stdout.

     Shows the schema GUID, LastWritten (converted with getUnixTime and
     rendered as a naive UTC datetime), the UTF-16LE FriendlyName, then each
     map entry followed by the attribute at the same index, and finally the
     unparsed trailing bytes in ``self['Data']``.  The index lookup fails if
     ``self.attributes`` is shorter than ``self.mapEntries``.
     """
     def show(label, text):
         # labels in this record are padded to 12 columns
         print(f"{label:<12}: {text}")

     print("[VCRD]")
     show("SchemaGuid", bin_to_string(self['SchemaGuid']))
     # utcfromtimestamp is deprecated since Python 3.12 but kept so the
     # printed value stays identical (naive datetime, no tz suffix)
     written = datetime.utcfromtimestamp(getUnixTime(self['LastWritten']))
     show("LastWritten", written)
     show("FriendlyName", self['FriendlyName'].decode('utf-16le'))
     print()
     for idx, map_entry in enumerate(self.mapEntries):
         map_entry.dump()
         self.attributes[idx].dump()
     print()
     show("Remaining", hexlify(self['Data']))
     print()
 def dump(self):
     """Print every field of the parsed DPAPI BLOB to stdout.

     Integer fields are shown in hex and decimal, GUIDs through
     bin_to_string, Flags additionally through getFlags(FLAGS, ...), and
     CryptAlgo / HashAlgo additionally as their ALGORITHMS name.  Salt,
     HMacKey, HMac, Data and Sign are hexlified verbatim, so the blob's raw
     material (including the HMacKey field) is printed unredacted.
     """
     def show(label, text):
         # labels in this record are padded to 17 columns
         print(f"{label:<17}: {text}")

     print("[BLOB]")
     version = self['Version']
     show("Version", f"{version:8x} ({version:d})")
     show("Guid Credential", bin_to_string(self['GuidCredential']))
     mk_version = self['MasterKeyVersion']
     show("MasterKeyVersion", f"{mk_version:8x} ({mk_version:d})")
     show("Guid MasterKey", bin_to_string(self['GuidMasterKey']))
     flags = self['Flags']
     show("Flags", f"{flags:8x} ({getFlags(FLAGS, flags)})")
     show("Description", self['Description'].decode('utf-16le'))
     crypt_algo = self['CryptAlgo']
     show("CryptAlgo",
          f"{crypt_algo:08x} ({crypt_algo:d}) ({ALGORITHMS(crypt_algo).name})")
     for field in ('Salt', 'HMacKey'):
         show(field, hexlify(self[field]))
     hash_algo = self['HashAlgo']
     show("HashAlgo",
          f"{hash_algo:08x} ({hash_algo:d}) ({ALGORITHMS(hash_algo).name})")
     for field in ('HMac', 'Data', 'Sign'):
         show(field, hexlify(self[field]))
     print()
 def dump(self):
     """Print the CREDHIST header (Version in hex and decimal, Guid) to stdout."""
     print("[CREDHIST]")
     version = self['Version']
     print(f"Version       : {version:8x} ({version:d})")
     print(f"Guid          : {bin_to_string(self['Guid'])}")
     print()
 def checkSecurityDescriptors(self, entries, privs, membersids, sidmapping,
                              domainDumper):
     """Scan the DACL of each LDAP entry and record which rights the given SIDs hold.

     Walks *entries* (only those with ``entry['type'] == 'searchResEntry'``),
     parses each ``nTSecurityDescriptor`` with
     ``ldaptypes.SR_SECURITY_DESCRIPTOR`` and, for every allow ACE whose SID
     is in *membersids*, updates *privs* in place.  Only ACCESS_ALLOWED_ACE
     and ACCESS_ALLOWED_OBJECT_ACE entries are examined; deny ACEs are
     skipped, so nothing recorded here is checked against a possible
     ACCESS_DENIED ACE on the same object.

     Args:
         entries: search result dicts carrying 'type', 'dn' and
             'raw_attributes' (with 'nTSecurityDescriptor' and 'objectClass').
         privs: dict mutated in place; may set 'create', 'createIn',
             'escalateViaGroup', 'escalateGroup', 'aclEscalate' and
             'aclEscalateIn'.  'createIn' is read before it is written here,
             so the caller is expected to have initialised it.
         membersids: container of canonical SID strings tested with ``in``.
         sidmapping: maps a canonical SID to the name used in log messages;
             assumed to contain every SID in *membersids*.
         domainDumper: object whose ``root`` attribute is used to build the
             default 'CN=Users,<root>' container DN.

     Returns:
         None; findings are reported through *privs* and LOG.debug.
     """
     # Masks matched exactly (whole value, not a bit test) further below
     standardrights = [
         self.GENERIC_ALL, self.GENERIC_WRITE, self.GENERIC_READ,
         ACCESS_MASK.WRITE_DACL
     ]
     for entry in entries:
         if entry['type'] != 'searchResEntry':
             continue
         dn = entry['dn']
         try:
             sdData = entry['raw_attributes']['nTSecurityDescriptor'][0]
         except IndexError:
             # We don't have the privileges to read this security descriptor
             # NOTE(review): only an empty attribute list is handled here; a
             # missing 'nTSecurityDescriptor' key would raise KeyError instead
             continue
         # Tracked per entry; once set it stays set for the remaining ACEs
         hasFullControl = False
         secDesc = ldaptypes.SR_SECURITY_DESCRIPTOR()
         secDesc.fromString(sdData)
         # Owning the object counts as full control
         if secDesc['OwnerSid'] != '' and secDesc[
                 'OwnerSid'].formatCanonical() in membersids:
             sid = secDesc['OwnerSid'].formatCanonical()
             LOG.debug(
                 'Permission found: Full Control on %s; Reason: Owner via %s'
                 % (dn, sidmapping[sid]))
             hasFullControl = True
         # Iterate over all the ACEs
         for ace in secDesc['Dacl'].aces:
             sid = ace['Ace']['Sid'].formatCanonical()
             # Only allow ACEs are considered; every other type (including
             # deny ACEs) is dropped here
             if ace['AceType'] != ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE and ace[
                     'AceType'] != ACCESS_ALLOWED_ACE.ACE_TYPE:
                 continue
             if not ace.hasFlag(ACE.INHERITED_ACE) and ace.hasFlag(
                     ACE.INHERIT_ONLY_ACE):
                 # ACE is set on this object, but only inherited, so not applicable to us
                 continue
             # Check if the ACE has restrictions on object type
             # (objectClass[-1] is presumably the entry's most specific class)
             if ace['AceType'] == ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE \
                 and ace.hasFlag(ACE.INHERITED_ACE) \
                 and ace['Ace'].hasFlag(ACCESS_ALLOWED_OBJECT_ACE.ACE_INHERITED_OBJECT_TYPE_PRESENT):
                 # Verify if the ACE applies to this object type
                 inheritedObjectType = bin_to_string(
                     ace['Ace']['InheritedObjectType']).lower()
                 if not self.aceApplies(
                         inheritedObjectType,
                         entry['raw_attributes']['objectClass'][-1]):
                     continue
             # Check for non-extended rights that may not apply to us
             # (exact match of the whole mask against standardrights, or the
             # WRITE_DACL bit)
             if ace['Ace']['Mask']['Mask'] in standardrights or ace['Ace'][
                     'Mask'].hasPriv(ACCESS_MASK.WRITE_DACL):
                 # Check if this applies to our objecttype
                 if ace['AceType'] == ACCESS_ALLOWED_OBJECT_ACE.ACE_TYPE and ace[
                         'Ace'].hasFlag(ACCESS_ALLOWED_OBJECT_ACE.
                                        ACE_OBJECT_TYPE_PRESENT):
                     objectType = bin_to_string(
                         ace['Ace']['ObjectType']).lower()
                     if not self.aceApplies(
                             objectType,
                             entry['raw_attributes']['objectClass'][-1]):
                         # LOG.debug('ACE does not apply, only to %s', objectType)
                         continue
             if sid in membersids:
                 # Generic all
                 if ace['Ace']['Mask'].hasPriv(self.GENERIC_ALL):
                     # NOTE(review): this prints the ACE to stdout, whereas
                     # every other finding only goes to LOG.debug
                     ace.dump()
                     LOG.debug(
                         'Permission found: Full Control on %s; Reason: GENERIC_ALL via %s'
                         % (dn, sidmapping[sid]))
                     hasFullControl = True
                 if can_create_users(ace) or hasFullControl:
                     if not hasFullControl:
                         LOG.debug(
                             'Permission found: Create users in %s; Reason: Granted to %s'
                             % (dn, sidmapping[sid]))
                     if dn == 'CN=Users,%s' % domainDumper.root:
                         # We can create users in the default container, this is preferred
                         privs['create'] = True
                         privs['createIn'] = dn
                     else:
                         # Could be a different OU where we have access
                         # store it until we find a better place
                         # (an OU never replaces the default container once
                         # recorded, but a later OU does replace an earlier one)
                         if privs[
                                 'createIn'] != 'CN=Users,%s' % domainDumper.root and 'organizationalUnit' in entry[
                                     'raw_attributes']['objectClass']:
                             privs['create'] = True
                             privs['createIn'] = dn
                 if can_add_member(ace) or hasFullControl:
                     if 'group' in entry['raw_attributes']['objectClass']:
                         # We can add members to a group
                         # (each matching group overwrites the previous one)
                         if not hasFullControl:
                             LOG.debug(
                                 'Permission found: Add member to %s; Reason: Granted to %s'
                                 % (dn, sidmapping[sid]))
                         privs['escalateViaGroup'] = True
                         privs['escalateGroup'] = dn
                 if ace['Ace']['Mask'].hasPriv(
                         ACCESS_MASK.WRITE_DACL) or hasFullControl:
                     if not hasFullControl:
                         LOG.debug(
                             'Permission found: Write Dacl of %s; Reason: Granted to %s'
                             % (dn, sidmapping[sid]))
                     # We can modify the domain Dacl
                     # (only recorded for entries whose objectClass includes 'domain')
                     if 'domain' in entry['raw_attributes']['objectClass']:
                         privs['aclEscalate'] = True
                         privs['aclEscalateIn'] = dn