Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed LAPS attributes #167

Merged
merged 7 commits into from
Oct 18, 2024
Merged

Fixed LAPS attributes #167

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
553a596
Update LDAPProperties.cs
spyr0-sec Oct 2, 2024
7d16833
Update ACLProcessor.cs
spyr0-sec Oct 2, 2024
86224d8
Update ACLProcessor.cs
spyr0-sec Oct 2, 2024
57cedd1
Update LDAPProperties.cs
spyr0-sec Oct 2, 2024
b272381
Merge branch 'v4' into v4
rvazarkar Oct 15, 2024
33c75a3
Fixed ReadLAPSPassword Logic
spyr0-sec Oct 16, 2024
c444644
Merge branch 'v4' into v4
rvazarkar Oct 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion src/CommonLib/Enums/LDAPProperties.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,8 @@ public static class LDAPProperties
public const string ServicePack = "operatingsystemservicepack";
public const string DNSHostName = "dnshostname";
public const string LAPSExpirationTime = "mslaps-passwordexpirationtime";
public const string LAPSPassword = "mslaps-password";
public const string LAPSPlaintextPassword = "ms-laps-password";
public const string LAPSEncryptedPassword = "ms-laps-encryptedpassword";
public const string LegacyLAPSExpirationTime = "ms-mcs-admpwdexpirationtime";
public const string LegacyLAPSPassword = "ms-mcs-admpwd";
public const string Members = "member";
Expand Down
30 changes: 19 additions & 11 deletions src/CommonLib/Processors/ACLProcessor.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ private async Task BuildGuidCache(string domain) {
}

name = name.ToLower();

string guid;
try
{
Expand All @@ -74,7 +75,7 @@ private async Task BuildGuidCache(string domain) {
continue;
}

if (name is LDAPProperties.LAPSPassword or LDAPProperties.LegacyLAPSPassword) {
if (name is LDAPProperties.LAPSPlaintextPassword or LDAPProperties.LAPSEncryptedPassword or LDAPProperties.LegacyLAPSPassword) {
_log.LogInformation("Found GUID for ACL Right {Name}: {Guid} in domain {Domain}", name, guid, domain);
_guidMap.TryAdd(guid, name);
}
Expand Down Expand Up @@ -309,8 +310,6 @@ public async IAsyncEnumerable<ACE> ProcessACL(byte[] ntSecurityDescriptor, strin
aceInheritanceHash = CalculateInheritanceHash(ir, aceRights, aceType, ace.InheritedObjectType());
}

_guidMap.TryGetValue(aceType, out var mappedGuid);

_log.LogTrace("Processing ACE with rights {Rights} and guid {GUID} on object {Name}", aceRights,
aceType, objectName);

Expand Down Expand Up @@ -423,14 +422,23 @@ public async IAsyncEnumerable<ACE> ProcessACL(byte[] ntSecurityDescriptor, strin
RightName = EdgeNames.AllExtendedRights,
InheritanceHash = aceInheritanceHash
};
else if (mappedGuid is LDAPProperties.LegacyLAPSPassword or LDAPProperties.LAPSPassword)
yield return new ACE {
PrincipalType = resolvedPrincipal.ObjectType,
PrincipalSID = resolvedPrincipal.ObjectIdentifier,
IsInherited = inherited,
RightName = EdgeNames.ReadLAPSPassword,
InheritanceHash = aceInheritanceHash
};
else if (_guidMap.TryGetValue(aceType, out var lapsAttribute))
{
// Compare the retrieved attribute name against LDAPProperties values
if (lapsAttribute == LDAPProperties.LegacyLAPSPassword ||
lapsAttribute == LDAPProperties.LAPSPlaintextPassword ||
lapsAttribute == LDAPProperties.LAPSEncryptedPassword)
{
yield return new ACE
{
PrincipalType = resolvedPrincipal.ObjectType,
PrincipalSID = resolvedPrincipal.ObjectIdentifier,
IsInherited = inherited,
RightName = EdgeNames.ReadLAPSPassword,
InheritanceHash = aceInheritanceHash
};
}
}
}
} else if (objectType == Label.CertTemplate) {
if (aceType is ACEGuids.AllGuid or "")
Expand Down
Loading