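def check_target_is_user_by_name(self, user: str, domain: str) -> bool:
    """Return True when the target account lives under a ``Users`` container.

    The verdict is cached in redis under
    ``user + REDIS_KEY_USERNAME_IS_USERS_SUFFIX`` as the string ``"true"`` or
    ``"false"``.  A cache miss (no record, or an empty one) falls back to an
    LDAP lookup of the account's DN and refreshes the cache with
    ``ACCOUNT_INFO_REDIS_EXPIRE_TIME``.  An account that cannot be found in
    LDAP is cached and reported as ``False``.

    :param user: account name to look up.
    :param domain: domain the LDAP search runs against.
    """
    key = user + REDIS_KEY_USERNAME_IS_USERS_SUFFIX
    record = self.redis.get_str_value(key)
    # Cache hit: the stored value is the literal string "true" or "false".
    if record:
        return record == "true"

    # Cache miss: resolve the DN through LDAP, then cache the verdict.
    ldap = LDAPSearch(domain)
    user_entry = ldap.search_by_name(user=user, attributes=["cn"])
    is_in_users = False
    if user_entry:
        # Compare whole RDN components rather than substrings, so that a
        # container such as "OU=UsersArchive" or an account whose own RDN
        # starts with "CN=Users..." is not mistaken for the Users container.
        # NOTE(review): an escaped "\," inside an RDN value would be split
        # here too; plain account DNs are not expected to contain one — confirm.
        dn = str(user_entry.entry_dn)
        components = {part.strip().lower() for part in dn.split(",")}
        is_in_users = bool(components & {"ou=users", "cn=users"})

    self.redis.set_str_value(key,
                             "true" if is_in_users else "false",
                             expire=ACCOUNT_INFO_REDIS_EXPIRE_TIME)
    return is_in_users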
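def check_target_is_aes_support(self, name: str, domain: str) -> bool:
    """Return True when the account advertises an AES Kerberos encryption type.

    The verdict is cached in redis under
    ``name + REDIS_KEY_USERNAME_AES_SUPPORT_SUFFIX`` as ``"true"``/``"false"``.
    On a miss the account's ``msDS-SupportedEncryptionTypes`` attribute is
    read through LDAP; an account that is missing, has no value for the
    attribute, or carries an unparseable value is reported as ``False``
    without being cached.

    :param name: account name to look up.
    :param domain: domain the LDAP search runs against.
    """
    key = name + REDIS_KEY_USERNAME_AES_SUPPORT_SUFFIX
    # Cache first.
    is_support = self.redis.get_str_value(key)
    if is_support is not None:
        return is_support == "true"

    ldap = LDAPSearch(domain)
    user_entry = ldap.search_by_name(
        name, attributes=["msDS-SupportedEncryptionTypes"])
    if not user_entry:
        return False
    values = user_entry.entry_attributes_as_dict.get(
        "msDS-SupportedEncryptionTypes", [])
    if not values:
        return False

    # msDS-SupportedEncryptionTypes is a bit mask:
    # 0x08 = AES128-CTS-HMAC-SHA1-96, 0x10 = AES256-CTS-HMAC-SHA1-96.
    # Test the AES bits explicitly; the former ">= 8" also fired when only
    # higher, non-AES bits (e.g. the FAST-supported flag) were set.
    aes_mask = 0x08 | 0x10
    try:
        supported = (int(values[0]) & aes_mask) != 0
    except (TypeError, ValueError):
        # Unparseable attribute value: treat as unsupported, do not cache.
        return False

    # Expire the cached verdict like the other account lookups do, so that a
    # later change to the account's encryption types is picked up.
    self.redis.set_str_value(key,
                             "true" if supported else "false",
                             expire=ACCOUNT_INFO_REDIS_EXPIRE_TIME)
    return supported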
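def init_sensitive_groups(domain):
    """Resolve the default sensitive groups of *domain* and persist them.

    Groups from ``default_sensitive_groups`` that already carry a SID are kept
    as-is; the others are resolved through an LDAP ``objectSid`` lookup and
    dropped when the lookup yields nothing.  The resulting list is written to
    the ``sensitive_entry`` settings document in mongo (``value.group``,
    upserted) and mirrored into redis under
    ``"sensitive_entry" + REDIS_KEY_SUFFIX``.

    :param domain: domain name; normalised to its NetBIOS form first.
    """
    logger.info("init sensitive groups.")
    domain = get_netbios_domain(domain)
    ldap_search = LDAPSearch(domain)
    redis = RedisHelper()
    mongo = MongoHelper(uri=MongoConfig.uri,
                        db=MongoConfig.db,
                        collection=MongoConfig.settings_collection)

    sensitive_groups = []
    for item in default_sensitive_groups(domain):
        if item["sid"]:
            sensitive_groups.append(item)
            continue
        entry = ldap_search.search_by_name(item["name"],
                                           attributes=["objectSid"])
        sids = entry.entry_attributes_as_dict.get("objectSid", []) if entry else []
        if not sids:
            # Group unknown in this domain: skip it rather than store an empty SID.
            logger.info("sensitive group %s not found in %s", item["name"], domain)
            continue
        item["sid"] = sids[0]
        sensitive_groups.append(item)
    logger.info(",".join(item["name"] for item in sensitive_groups))

    # The settings document may not exist yet (the update below upserts it),
    # so do not index into a None result.
    doc = mongo.find_one({"name": "sensitive_entry"})
    sensitive_entry = (doc or {}).get("value") or {}
    sensitive_entry["group"] = sensitive_groups
    mongo.update_one({"name": "sensitive_entry"},
                     {"$set": {"value": sensitive_entry}},
                     upsert=True)
    redis.set_str_value("sensitive_entry" + REDIS_KEY_SUFFIX,
                        simplejson.dumps(sensitive_entry))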
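def get_user_info_by_name(self, user_name: str, domain: str) -> User:
    """Build a ``User`` for *user_name*, resolving its SID via cache or LDAP.

    The SID is cached in redis under
    ``user_name + REDIS_KEY_USERNAME_SID_SUFFIX`` with
    ``ACCOUNT_INFO_REDIS_EXPIRE_TIME``.  On a miss the ``objectSid`` attribute
    is read through LDAP.

    :param user_name: account name to look up.
    :param domain: domain the LDAP search runs against; also stored as
        ``domain_name`` on the result.
    :returns: a ``User`` with ``user_name``, ``user_sid``, an empty
        ``logon_id`` and ``domain_name``; ``None`` when the account cannot be
        found or carries no ``objectSid``.
    """
    key = user_name + REDIS_KEY_USERNAME_SID_SUFFIX
    # Cache first.
    user_sid = self.redis.get_str_value(key)
    # Cache miss: resolve through LDAP and refresh the cache.
    if not user_sid:
        ldap = LDAPSearch(domain)
        user_entry = ldap.search_by_name(user_name, attributes=["objectSid"])
        if not user_entry:
            return None
        sids = user_entry.entry_attributes_as_dict.get("objectSid", [])
        if not sids:
            # An entry without a SID is treated as not found rather than
            # raising IndexError on the empty list.
            return None
        user_sid = sids[0]
        self.redis.set_str_value(key, user_sid,
                                 expire=ACCOUNT_INFO_REDIS_EXPIRE_TIME)
    return User({
        "user_name": user_name,
        "user_sid": user_sid,
        "logon_id": "",
        "domain_name": domain,
    })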