예제 #1
파일: ldap_mp.py 프로젝트: zimshk/jackdaw
    def enum_user(self, user_data):
        """Persist one LDAP user entry and queue its follow-up jobs.

        ``user_data`` is the raw LDAP entry. It is converted to an ``ADUser``
        row tagged with this enumerator's ``ad_id``, committed and refreshed
        (presumably so DB-generated columns are populated), and its
        constrained-delegation targets are stored as
        ``JackDawUserConstrainedDelegation`` children. Afterwards a
        MEMBERSHIPS job and an SDS job for the user are put on
        ``agent_in_q`` and ``member_ctr`` / ``sd_ctr`` are incremented.
        """
        ad_user = ADUser.from_aduser(MSADUser.from_ldap(user_data))
        ad_user.ad_id = self.ad_id

        session = self.session
        session.add(ad_user)
        session.commit()
        session.refresh(ad_user)

        # NOTE(review): the loop reads ``allowedtodelegateto`` via getattr and
        # appends to the attribute of the same name — confirm the two are
        # distinct collections (e.g. the relationship starts empty), otherwise
        # this would iterate over its own appends.
        delegation_targets = getattr(ad_user, 'allowedtodelegateto', [])
        for target_spn in delegation_targets:
            delegation = JackDawUserConstrainedDelegation()
            delegation.spn = target_spn
            delegation.targetaccount = LDAPEnumeratorManager.spn_to_account(target_spn)
            ad_user.allowedtodelegateto.append(delegation)

        session.commit()

        # Identity of the user as the MEMBERSHIPS worker expects it.
        membership_attr = {
            'dn': str(ad_user.dn),
            'cn': str(ad_user.cn),
            'guid': str(ad_user.objectGUID),
            'sid': str(ad_user.objectSid),
            'type': 'user',
        }
        self.member_ctr += 1
        self.agent_in_q.put(
            LDAPAgentJob(LDAPAgentCommand.MEMBERSHIPS, membership_attr))

        # Security-descriptor job: note 'dn' is passed as-is here, not str()'d.
        sd_attr = {'dn': ad_user.dn, 'obj_type': 'user'}
        self.sd_ctr += 1
        self.agent_in_q.put(LDAPAgentJob(LDAPAgentCommand.SDS, sd_attr))
예제 #2
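    async def get_all_users(self):
        """Stream every LDAP user to ``agent_out_q`` as USER messages.

        Each ``(user_data, err)`` pair from ``self.ldap.get_all_users()`` is
        converted to an ``ADUser`` and sent together with the ``JackDawSPN``
        objects built from its ``servicePrincipalName`` values (keyed by the
        user's objectSid). A conversion failure is reported as an EXCEPTION
        message and that user is skipped; an LDAP error (``err``) or any
        other failure is reported as an EXCEPTION message and ends the
        enumeration. USERS_FINISHED is always sent last.

        Only ``Exception`` subclasses are reported. ``asyncio.CancelledError``
        (a ``BaseException`` since Python 3.8) and ``KeyboardInterrupt`` must
        keep propagating; the previous bare ``except:`` swallowed them, so a
        cancelled task looked like a normally finished enumeration.
        """
        out_q = self.agent_out_q
        try:
            async for user_data, err in self.ldap.get_all_users():
                if err is not None:
                    raise err
                try:
                    user = ADUser.from_aduser(user_data)
                except Exception:
                    await out_q.put(
                        (LDAPAgentCommand.EXCEPTION, traceback.format_exc()))
                    continue

                # ``is not None`` is kept deliberately: any non-None value is
                # iterated, exactly as before.
                spns = []
                if user_data.servicePrincipalName is not None:
                    spns = [JackDawSPN.from_spn_str(spn, user.objectSid)
                            for spn in user_data.servicePrincipalName]

                await out_q.put((LDAPAgentCommand.USER, {
                    'user': user,
                    'spns': spns,
                }))
        except Exception:
            await out_q.put(
                (LDAPAgentCommand.EXCEPTION, traceback.format_exc()))
        finally:
            await out_q.put((LDAPAgentCommand.USERS_FINISHED, None))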
예제 #3
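 async def get_all_users(self):
     """Stream every LDAP user object to ``agent_out_q`` as USER messages.

     Each object from ``self.ldap.get_all_user_objects()`` is converted with
     ``ADUser.from_aduser`` and put on the queue via ``coro_put``. Any
     failure is reported once as an EXCEPTION message carrying the formatted
     traceback and ends the enumeration; USERS_FINISHED is always sent last.

     Only ``Exception`` subclasses are reported. ``asyncio.CancelledError``
     (a ``BaseException`` since Python 3.8) and ``KeyboardInterrupt`` must
     keep propagating; the previous bare ``except:`` swallowed them, so a
     cancelled task looked like a normally finished enumeration.
     """
     out_q = self.agent_out_q
     try:
         async for user_data in self.ldap.get_all_user_objects():
             user = ADUser.from_aduser(user_data)
             await out_q.coro_put((LDAPAgentCommand.USER, user))
     except Exception:
         await out_q.coro_put(
             (LDAPAgentCommand.EXCEPTION, traceback.format_exc()))
     finally:
         await out_q.coro_put((LDAPAgentCommand.USERS_FINISHED, None))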
예제 #4
    def import_users(self):
        """Load every record from the ``users`` file into the DB session.

        Each record becomes an ``ADUser`` whose ``ad_id`` is looked up in
        ``self.ads`` by the domain part of the object SID (everything before
        the last ``-``); ``name`` is the part of ``Name`` before ``@``.
        Missing keys raise ``KeyError`` for that record (no defaults are
        applied). One commit is issued after all rows are added.
        """
        print('Importing users!')
        records = self.get_file('users')['users']
        for record in records:
            props = record['Properties']
            sid = props['objectsid']

            row = ADUser()
            # rsplit keeps the whole SID as the key when it has no '-'.
            row.ad_id = self.ads[sid.rsplit('-', 1)[0]]
            row.name = record['Name'].split('@', 1)[0]
            row.objectSid = sid
            row.description = props['description']
            row.displayName = props['displayname']
            row.email = props['email']
            self.db_session.add(row)

        self.db_session.commit()
예제 #5
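    def import_users(self):
        """Import BloodHound user records into the DB session.

        Reads the ``users`` file once via ``get_file``; ``meta['count']``
        only sizes the progress bar. Each record becomes an ``ADUser`` row
        built by ``_user_from_bh_v2`` (``bloodhound_version == '2'``) or
        ``_user_from_bh_v3`` (any other version). High-value users get an
        ``ADObjProps`` 'HVT' marker, service principal names are stored
        '|'-joined on the row and collected in ``self.spns``, an
        ``EdgeLookup`` row is added and ``Aces`` are handed to
        ``insert_acl``. A record that raises is logged at debug level and
        skipped. The session is committed once at the end.
        """
        logger.debug('[BHIMPORT] Importing users')
        data = self.get_file('users')
        total = data['meta']['count']

        for user in tqdm(data['users'],
                         desc='Users   ',
                         total=total,
                         disable=self.disable_print_progress):
            try:
                if self.debug is True:
                    pretty(user)
                    input()

                if self.bloodhound_version == '2':
                    m = self._user_from_bh_v2(user)
                else:
                    m = self._user_from_bh_v3(user)
                props = user['Properties']

                if props.get('highvalue') is True:
                    hvt = ADObjProps(self.graphid, m.objectSid, 'HVT')
                    self.db_session.add(hvt)

                # A missing, None or empty SPN list is treated alike: no SPNs.
                spns = props.get('serviceprincipalnames')
                if spns:
                    m.servicePrincipalName = '|'.join(spns)
                    self.spns.append((m.objectSid, m.ad_id, spns))

                self.db_session.add(m)
                self.db_session.add(EdgeLookup(m.ad_id, m.objectSid, 'user'))

                if user['Aces'] is not None:
                    self.insert_acl(m.objectSid, 'user', user['Aces'], m.ad_id)

            except Exception as e:
                # Lazy %-args: the record is only rendered if debug is enabled.
                logger.debug(
                    '[BHIMPORT] Error while processing user %s Reason: %s',
                    user, e)
        self.db_session.commit()

    def _user_from_bh_v2(self, user):
        """Build an ``ADUser`` from a BloodHound v2 user record.

        v2 records key the SID as ``Properties.objectsid`` and carry the
        account name in the top-level ``Name`` (``user@domain``). Most other
        fields are optional and read with ``.get`` (None when absent).
        Raises ``KeyError`` when ``Properties``, ``objectsid`` or ``Name`` is
        missing, or when the SID's domain part is unknown to ``self.ads``.
        """
        props = user['Properties']
        m = ADUser()
        m.ad_id = self.ads[props['objectsid'].rsplit('-', 1)[0]]
        m.name = user['Name'].split('@', 1)[0]
        m.sAMAccountName = m.name
        m.objectSid = props['objectsid']
        m.canLogon = props.get('enabled')
        m.lastLogonTimestamp = convert_to_dt(props.get('lastlogontimestamp'))
        m.lastLogon = convert_to_dt(props.get('lastlogon'))
        m.pwdLastSet = convert_to_dt(props.get('pwdlastset'))
        m.displayName = props.get('displayname')
        m.email = props.get('email')
        m.description = props.get('description')
        m.UAC_DONT_REQUIRE_PREAUTH = props.get('dontreqpreauth')
        m.UAC_PASSWD_NOTREQD = props.get('passwordnotreqd')
        m.UAC_TRUSTED_FOR_DELEGATION = props.get('unconstraineddelegation')
        m.adminCount = props.get('admincount')
        # Deliberately not imported: [Properties][highvalue] (handled by the
        # caller), [hasspn], [title], [homedirectory], [userpassword],
        # [sensitive], [AllowedToDelegate], [SPNTargets].
        return m

    def _user_from_bh_v3(self, user):
        """Build an ``ADUser`` from a BloodHound user record of any version
        other than '2' (presumably the v3+ format).

        These records key the SID as ``Properties.objectid`` and carry the
        name and DN inside ``Properties``. All fields except
        ``pwdneverexpires`` are required and raise ``KeyError`` when absent.
        """
        props = user['Properties']
        m = ADUser()
        m.ad_id = self.ads[props['objectid'].rsplit('-', 1)[0]]
        m.dn = props['distinguishedname']
        m.name = props['name'].split('@', 1)[0]
        m.sAMAccountName = m.name
        m.objectSid = props['objectid']
        m.description = props['description']
        m.displayName = props['displayname']
        m.email = props['email']
        m.UAC_DONT_REQUIRE_PREAUTH = props['dontreqpreauth']
        m.UAC_PASSWD_NOTREQD = props['passwordnotreqd']
        m.UAC_TRUSTED_FOR_DELEGATION = props['unconstraineddelegation']
        m.canLogon = props['enabled']
        if 'pwdneverexpires' in props:
            m.UAC_DONT_EXPIRE_PASSWD = props['pwdneverexpires']
        m.adminCount = props['admincount']
        m.pwdLastSet = convert_to_dt(props['pwdlastset'])
        m.lastLogonTimestamp = convert_to_dt(props['lastlogontimestamp'])
        m.lastLogon = convert_to_dt(props['lastlogon'])
        # Deliberately not imported: [Properties][highvalue] (handled by the
        # caller), [hasspn], [sidhistory], [title], [homedirectory],
        # [userpassword], [sensitive], [HasSIDHistory], [AllowedToDelegate],
        # [SPNTargets].
        return m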
예제 #6
파일: ldap.py 프로젝트: zimshk/jackdaw
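	def get_all_users(self):
		"""Yield ``(raw_user, ADUser)`` pairs for every user object from LDAP.

		Every object from ``self.ldap.get_all_user_objects()`` is converted
		with ``ADUser.from_aduser`` and yielded next to the raw entry.
		Entries whose ``sAMAccountName`` ends in ``$`` are skipped —
		presumably computer accounts, which carry a trailing ``$``; confirm
		this is the intended filter. ``endswith`` is used instead of
		``name[-1]`` so an empty ``sAMAccountName`` no longer raises
		``IndexError`` and aborts the whole enumeration; such an entry is
		yielded like any other.
		"""
		for raw_user in self.ldap.get_all_user_objects():
			if raw_user.sAMAccountName.endswith("$"):
				continue
			yield (raw_user, ADUser.from_aduser(raw_user))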