def add_user_properties(user, entry):
props = user['Properties']
# print entry
# Is user enabled? Checked by seeing if the UAC flag 2 (ACCOUNT_DISABLED) is not set
props['enabled'] = ADUtils.get_entry_property(
entry, 'userAccountControl', default=0) & 2 == 0
props['lastlogon'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry, 'lastLogon', default=0,
raw=True))
props['pwdlastset'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry,
'pwdLastSet',
default=0,
raw=True))
props['serviceprincipalnames'] = ADUtils.get_entry_property(
entry, 'servicePrincipalName', [])
props['hasspn'] = len(props['serviceprincipalnames']) > 0
props['displayname'] = ADUtils.get_entry_property(entry, 'displayName')
props['email'] = ADUtils.get_entry_property(entry, 'mail')
props['title'] = ADUtils.get_entry_property(entry, 'title')
props['homedirectory'] = ADUtils.get_entry_property(
entry, 'homeDirectory')
props['description'] = ADUtils.get_entry_property(entry, 'description')
props['userpassword'] = ADUtils.get_entry_property(
entry, 'userPassword')
props['admincount'] = ADUtils.get_entry_property(
entry, 'adminCount', 0) == 1
def get_bloodhound_data(self, entry, collect):
data = {
'Name': self.hostname.upper(),
'PrimaryGroup': self.primarygroup,
'LocalAdmins': self.admins,
'Properties': {
'objectsid': self.objectsid,
'domain': self.ad.domain,
'highvalue': False
},
"RemoteDesktopUsers": [],
"DcomUsers": [],
"AllowedToDelegate": []
}
props = data['Properties']
# via the TRUSTED_FOR_DELEGATION (0x00080000) flag in UAC
props['unconstraineddelegation'] = ADUtils.get_entry_property(entry, 'userAccountControl', default=0) & 0x00080000 == 0x00080000
if 'objectprops' in collect:
props['enabled'] = ADUtils.get_entry_property(entry, 'userAccountControl', default=0) & 2 == 0
props['lastlogon'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry, 'lastLogon', default=0, raw=True)
)
props['pwdlastset'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry, 'pwdLastSet', default=0, raw=True)
)
props['serviceprincipalnames'] = ADUtils.get_entry_property(entry, 'servicePrincipalName', [])
props['description'] = ADUtils.get_entry_property(entry, 'description')
props['operatingsystem'] = ADUtils.get_entry_property(entry, 'operatingSystem')
# Add SP to OS if specified
servicepack = ADUtils.get_entry_property(entry, 'operatingSystemServicePack')
if servicepack:
props['operatingsystem'] = '%s %s' % (props['operatingsystem'], servicepack)
# TODO: AllowedToDelegate
return data
def add_user_properties(user, entry):
"""
Resolve properties for user objects
"""
props = user['Properties']
# print entry
# Is user enabled? Checked by seeing if the UAC flag 2 (ACCOUNT_DISABLED) is not set
props['enabled'] = ADUtils.get_entry_property(
entry, 'userAccountControl', default=0) & 2 == 0
props['lastlogon'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry, 'lastLogon', default=0,
raw=True))
if props['lastlogon'] == 0:
props['lastlogon'] = -1
props['lastlogontimestamp'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry,
'lastlogontimestamp',
default=0,
raw=True))
if props['lastlogontimestamp'] == 0:
props['lastlogontimestamp'] = -1
props['pwdlastset'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry,
'pwdLastSet',
default=0,
raw=True))
props['dontreqpreauth'] = ADUtils.get_entry_property(
entry, 'userAccountControl', default=0) & 0x00400000 == 0x00400000
props['pwdneverexpires'] = ADUtils.get_entry_property(
entry, 'userAccountControl', default=0) & 0x00010000 == 0x00010000
props['sensitive'] = ADUtils.get_entry_property(
entry, 'userAccountControl', default=0) & 0x00100000 == 0x00100000
props['serviceprincipalnames'] = ADUtils.get_entry_property(
entry, 'servicePrincipalName', [])
props['hasspn'] = len(props['serviceprincipalnames']) > 0
props['displayname'] = ADUtils.get_entry_property(entry, 'displayName')
props['email'] = ADUtils.get_entry_property(entry, 'mail')
props['title'] = ADUtils.get_entry_property(entry, 'title')
props['homedirectory'] = ADUtils.get_entry_property(
entry, 'homeDirectory')
props['description'] = ADUtils.get_entry_property(entry, 'description')
props['userpassword'] = ADUtils.get_entry_property(
entry, 'userPassword')
props['admincount'] = ADUtils.get_entry_property(
entry, 'adminCount', 0) == 1
if len(
ADUtils.get_entry_property(entry, 'msDS-AllowedToDelegateTo',
[])) > 0:
props['allowedtodelegate'] = ADUtils.get_entry_property(
entry, 'msDS-AllowedToDelegateTo', [])
props['sidhistory'] = [
LDAP_SID(bsid).formatCanonical()
for bsid in ADUtils.get_entry_property(entry, 'sIDHistory', [])
]
def get_bloodhound_data(self, entry, collect, skip_acl=False):
data = {
'ObjectIdentifier':
self.objectsid,
'AllowedToAct': [],
'PrimaryGroupSID':
self.primarygroup,
'LocalAdmins': {
'Collected': 'localadmin' in collect
and not self.permanentfailure,
'FailureReason': None,
'Results': self.admins,
},
'PSRemoteUsers': {
'Collected': 'psremote' in collect
and not self.permanentfailure,
'FailureReason': None,
'Results': self.psremote
},
'Properties': {
'name':
self.hostname.upper(),
'domainsid':
self.ad.domain_object.sid,
'domain':
self.ad.domain.upper(),
'distinguishedname':
ADUtils.get_entry_property(entry, 'distinguishedName').upper()
},
'RemoteDesktopUsers': {
'Collected': 'rdp' in collect and not self.permanentfailure,
'FailureReason': None,
'Results': self.rdp
},
'DcomUsers': {
'Collected': 'dcom' in collect and not self.permanentfailure,
'FailureReason': None,
'Results': self.dcom
},
'AllowedToDelegate': [],
'Sessions': {
'Collected': 'session' in collect
and not self.permanentfailure,
'FailureReason': None,
'Results': self.sessions
},
'PrivilegedSessions': {
'Collected': 'loggedon' in collect
and not self.permanentfailure,
'FailureReason': None,
'Results': self.loggedon
},
# Unsupported for now
'RegistrySessions': {
'Collected': False,
'FailureReason': None,
'Results': []
},
'Aces': [],
'HasSIDHistory': [],
'IsDeleted':
ADUtils.get_entry_property(entry, 'isDeleted', default=False),
'Status':
None
}
props = data['Properties']
# via the TRUSTED_FOR_DELEGATION (0x00080000) flag in UAC
props['unconstraineddelegation'] = ADUtils.get_entry_property(
entry, 'userAccountControl', default=0) & 0x00080000 == 0x00080000
props['enabled'] = ADUtils.get_entry_property(
entry, 'userAccountControl', default=0) & 2 == 0
props['trustedtoauth'] = ADUtils.get_entry_property(
entry, 'userAccountControl', default=0) & 0x01000000 == 0x01000000
if 'objectprops' in collect or 'acl' in collect:
props['haslaps'] = ADUtils.get_entry_property(
entry, 'ms-mcs-admpwdexpirationtime', 0) != 0
if 'objectprops' in collect:
props['lastlogon'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry,
'lastlogon',
default=0,
raw=True))
props['lastlogontimestamp'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry,
'lastlogontimestamp',
default=0,
raw=True))
if props['lastlogontimestamp'] == 0:
props['lastlogontimestamp'] = -1
props['pwdlastset'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry,
'pwdLastSet',
default=0,
raw=True))
whencreated = ADUtils.get_entry_property(entry,
'whencreated',
default=0)
if not isinstance(whencreated, int):
whencreated = calendar.timegm(whencreated.timetuple())
props['whencreated'] = whencreated
props['serviceprincipalnames'] = ADUtils.get_entry_property(
entry, 'servicePrincipalName', [])
props['description'] = ADUtils.get_entry_property(
entry, 'description')
props['operatingsystem'] = ADUtils.get_entry_property(
entry, 'operatingSystem')
# Add SP to OS if specified
servicepack = ADUtils.get_entry_property(
entry, 'operatingSystemServicePack')
if servicepack:
props['operatingsystem'] = '%s %s' % (props['operatingsystem'],
servicepack)
props['sidhistory'] = [
LDAP_SID(bsid).formatCanonical()
for bsid in ADUtils.get_entry_property(entry, 'sIDHistory', [])
]
delegatehosts = ADUtils.get_entry_property(
entry, 'msDS-AllowedToDelegateTo', [])
for host in delegatehosts:
try:
target = host.split('/')[1]
except IndexError:
logging.warning('Invalid delegation target: %s', host)
continue
try:
sid = self.ad.computersidcache.get(target.lower())
data['AllowedToDelegate'].append(sid)
except KeyError:
if '.' in target:
data['AllowedToDelegate'].append(target.upper())
if len(delegatehosts) > 0:
props['allowedtodelegate'] = delegatehosts
# Process resource-based constrained delegation
_, aces = parse_binary_acl(
data, 'computer',
ADUtils.get_entry_property(
entry,
'msDS-AllowedToActOnBehalfOfOtherIdentity',
raw=True), self.addc.objecttype_guid_map)
outdata = self.aceresolver.resolve_aces(aces)
for delegated in outdata:
if delegated['RightName'] == 'Owner':
continue
if delegated['RightName'] == 'GenericAll':
data['AllowedToAct'].append({
'ObjectIdentifier':
delegated['PrincipalSID'],
'ObjectType':
delegated['PrincipalType']
})
# Run ACL collection if this was not already done centrally
if 'acl' in collect and not skip_acl:
_, aces = parse_binary_acl(
data, 'computer',
ADUtils.get_entry_property(entry,
'nTSecurityDescriptor',
raw=True),
self.addc.objecttype_guid_map)
# Parse aces
data['Aces'] = self.aceresolver.resolve_aces(aces)
return data
def get_bloodhound_data(self, entry, collect, skip_acl=False):
data = {
'ObjectIdentifier': self.objectsid,
'AllowedToAct': [],
'PrimaryGroupSid': self.primarygroup,
'LocalAdmins': self.admins,
'PSRemoteUsers': self.psremote,
'Properties': {
'name': self.hostname.upper(),
'objectid': self.objectsid,
'domain': self.ad.domain.upper(),
'highvalue': False,
'distinguishedname': ADUtils.get_entry_property(entry, 'distinguishedName')
},
'RemoteDesktopUsers': self.rdp,
'DcomUsers': self.dcom,
'AllowedToDelegate': [],
'Sessions': self.sessions,
'Aces': []
}
props = data['Properties']
# via the TRUSTED_FOR_DELEGATION (0x00080000) flag in UAC
props['unconstraineddelegation'] = ADUtils.get_entry_property(entry, 'userAccountControl', default=0) & 0x00080000 == 0x00080000
props['enabled'] = ADUtils.get_entry_property(entry, 'userAccountControl', default=0) & 2 == 0
if 'objectprops' in collect or 'acl' in collect:
props['haslaps'] = ADUtils.get_entry_property(entry, 'ms-mcs-admpwdexpirationtime', 0) != 0
if 'objectprops' in collect:
props['lastlogontimestamp'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry, 'lastlogontimestamp', default=0, raw=True)
)
props['pwdlastset'] = ADUtils.win_timestamp_to_unix(
ADUtils.get_entry_property(entry, 'pwdLastSet', default=0, raw=True)
)
props['serviceprincipalnames'] = ADUtils.get_entry_property(entry, 'servicePrincipalName', [])
props['description'] = ADUtils.get_entry_property(entry, 'description')
props['operatingsystem'] = ADUtils.get_entry_property(entry, 'operatingSystem')
# Add SP to OS if specified
servicepack = ADUtils.get_entry_property(entry, 'operatingSystemServicePack')
if servicepack:
props['operatingsystem'] = '%s %s' % (props['operatingsystem'], servicepack)
delegatehosts = ADUtils.get_entry_property(entry, 'msDS-AllowedToDelegateTo', [])
for host in delegatehosts:
try:
target = host.split('/')[1]
except IndexError:
logging.warning('Invalid delegation target: %s', host)
continue
try:
sid = self.ad.computersidcache.get(target.lower())
data['AllowedToDelegate'].append(sid)
except KeyError:
if '.' in target:
data['AllowedToDelegate'].append(target.upper())
if len(delegatehosts) > 0:
props['allowedtodelegate'] = delegatehosts
# Process resource-based constrained delegation
_, aces = parse_binary_acl(data,
'computer',
ADUtils.get_entry_property(entry,
'msDS-AllowedToActOnBehalfOfOtherIdentity',
raw=True),
self.addc.objecttype_guid_map)
outdata = self.aceresolver.resolve_aces(aces)
for delegated in outdata:
if delegated['RightName'] == 'Owner':
continue
if delegated['RightName'] == 'GenericAll':
data['AllowedToAct'].append({'MemberId': delegated['PrincipalSID'], 'MemberType': delegated['PrincipalType']})
# Run ACL collection if this was not already done centrally
if 'acl' in collect and not skip_acl:
_, aces = parse_binary_acl(data,
'computer',
ADUtils.get_entry_property(entry,
'nTSecurityDescriptor',
raw=True),
self.addc.objecttype_guid_map)
# Parse aces
data['Aces'] = self.aceresolver.resolve_aces(aces)
return data