// Well-known relative identifiers (RIDs) of built-in domain accounts and
// groups. A RID is the last sub-authority of a SID; appended to a domain's SID
// it names the same principal in every domain, and the alias RIDs below are
// the trailing component of the S-1-5-32-* SIDs used elsewhere in this package.
// Values are written in decimal; they are identical to the hexadecimal
// constants documented by Microsoft (e.g. 500 == 0x1F4).
const (
	// Built-in user accounts.
	DOMAIN_USER_RID_ADMIN  = 500 // Built-in Administrator account
	DOMAIN_USER_RID_KRBTGT = 502 // krbtgt account

	// Domain-global groups.
	DOMAIN_GROUP_RID_ADMINS               = 512 // Domain Admins group
	DOMAIN_GROUP_RID_USERS                = 513 // Domain Users group
	DOMAIN_GROUP_RID_CONTROLLERS          = 516 // Domain Controllers group
	DOMAIN_GROUP_RID_SCHEMA_ADMINS        = 518 // Schema Admins group
	DOMAIN_GROUP_RID_ENTERPRISE_ADMINS    = 519 // Enterprise Admins group
	DOMAIN_GROUP_RID_READONLY_CONTROLLERS = 521 // Read-only Domain Controllers group

	// Built-in local (alias) groups, i.e. S-1-5-32-<RID>.
	DOMAIN_ALIAS_RID_ADMINS      = 544 // Administrators group
	DOMAIN_ALIAS_RID_ACCOUNT_OPS = 548 // Account Operators group
	DOMAIN_ALIAS_RID_SYSTEM_OPS  = 549 // Server Operators group
	DOMAIN_ALIAS_RID_PRINT_OPS   = 550 // Print Operators group
	DOMAIN_ALIAS_RID_BACKUP_OPS  = 551 // Backup Operators group
	DOMAIN_ALIAS_RID_REPLICATOR  = 552 // Replicator group
)

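// Well-known Active Directory identifiers (control access rights, attribute
// and object-class GUIDs, built-in SIDs) and the engine attributes, object
// types and edges this package registers.
//
// Every parse error from uuid.FromString and windowssecurity.ParseStringSID is
// discarded with "_", so a malformed literal does not fail at start-up: the
// variable silently keeps the zero UUID/SID, and whatever is later compared
// against it (presumably ACE object types and object classes) will not match
// the intended value. Keep each literal well-formed. The ObjectGuid* strings
// below previously lacked their closing "}", which most UUID parsers reject.
// A fail-fast alternative is wrapping the call in uuid.Must.
var (
	// Control access rights (extended rights). DSReplicationSyncronize keeps
	// its misspelt name because it is part of the exported API.
	ResetPwd, _                             = uuid.FromString("{00299570-246d-11d0-a768-00aa006e0529}")
	DSReplicationGetChanges                 = uuid.UUID{0x11, 0x31, 0xf6, 0xaa, 0x9c, 0x07, 0x11, 0xd1, 0xf7, 0x9f, 0x00, 0xc0, 0x4f, 0xc2, 0xdc, 0xd2}
	DSReplicationGetChangesAll              = uuid.UUID{0x11, 0x31, 0xf6, 0xad, 0x9c, 0x07, 0x11, 0xd1, 0xf7, 0x9f, 0x00, 0xc0, 0x4f, 0xc2, 0xdc, 0xd2}
	DSReplicationSyncronize                 = uuid.UUID{0x11, 0x31, 0xf6, 0xab, 0x9c, 0x07, 0x11, 0xd1, 0xf7, 0x9f, 0x00, 0xc0, 0x4f, 0xc2, 0xdc, 0xd2}
	DSReplicationGetChangesInFilteredSet, _ = uuid.FromString("{89e95b76-444d-4c62-991a-0facbeda640c}")

	// Attribute and property-set GUIDs for group membership and SID history.
	AttributeMember                = uuid.UUID{0xbf, 0x96, 0x79, 0xc0, 0x0d, 0xe6, 0x11, 0xd0, 0xa2, 0x85, 0x00, 0xaa, 0x00, 0x30, 0x49, 0xe2}
	AttributeSetGroupMembership, _ = uuid.FromString("{BC0AC240-79A9-11D0-9020-00C04FC2D4CF}")
	AttributeSIDHistory            = uuid.UUID{0x17, 0xeb, 0x42, 0x78, 0xd1, 0x67, 0x11, 0xd0, 0xb0, 0x02, 0x00, 0x00, 0xf8, 0x03, 0x67, 0xc1}

	// Delegation-related attribute GUIDs.
	AttributeAllowedToActOnBehalfOfOtherIdentity, _ = uuid.FromString("{3F78C3E5-F79A-46BD-A0B8-9D18116DDC79}")
	AttributeAllowedToDelegateTo, _                 = uuid.FromString("{800d94d7-b7a1-42a1-b14d-7cae1423d07f}")

	// Further attribute GUIDs that influence who can act as, or log on as, an object.
	AttributeMSDSGroupMSAMembership       = uuid.UUID{0x88, 0x8e, 0xed, 0xd6, 0xce, 0x04, 0xdf, 0x40, 0xb4, 0x62, 0xb8, 0xa5, 0x0e, 0x41, 0xba, 0x38}
	AttributeGPLink, _                    = uuid.FromString("{F30E3BBE-9FF0-11D1-B603-0000F80367C1}")
	AttributeMSDSKeyCredentialLink, _     = uuid.FromString("{5B47D60F-6090-40B2-9F37-2A4DE88F3063}")
	AttributeSecurityGUIDGUID, _          = uuid.FromString("{bf967924-0de6-11d0-a285-00aa003049e2}")
	AttributeAltSecurityIdentitiesGUID, _ = uuid.FromString("{00FBF30C-91FE-11D1-AEBC-0000F80367C1}")
	AttributeProfilePathGUID, _           = uuid.FromString("{bf967a05-0de6-11d0-a285-00aa003049e2}")
	AttributeScriptPathGUID, _            = uuid.FromString("{bf9679a8-0de6-11d0-a285-00aa003049e2}")
	AttributeMSDSManagedPasswordId, _     = uuid.FromString("{0e78295a-c6d3-0a40-b491-d62251ffa0a6}")
	AttributeUserAccountControlGUID, _    = uuid.FromString("{bf967a68-0de6-11d0-a285-00aa003049e2}")
	AttributePwdLastSetGUID, _            = uuid.FromString("{bf967a0a-0de6-11d0-a285-00aa003049e2}")

	// Certificate enrollment extended rights (AD CS).
	ExtendedRightCertificateEnroll, _     = uuid.FromString("{0e10c968-78fb-11d2-90d4-00c04f79dc55}")
	ExtendedRightCertificateAutoEnroll, _ = uuid.FromString("{a05b8cc2-17bc-4802-a710-e7c15ab866a2}")

	// Validated writes. ValidateWriteSelfMembership shares its GUID with
	// AttributeMember above.
	ValidateWriteSelfMembership, _ = uuid.FromString("{bf9679c0-0de6-11d0-a285-00aa003049e2}")
	ValidateWriteSPN, _            = uuid.FromString("{f3a64788-5306-11d1-a9c5-0000f80367c1}")

	// Object-class (schemaIDGUID) GUIDs. Each braced literal must carry both
	// braces; see the note on discarded errors above.
	ObjectGuidUser, _            = uuid.FromString("{bf967aba-0de6-11d0-a285-00aa003049e2}")
	ObjectGuidComputer, _        = uuid.FromString("{bf967a86-0de6-11d0-a285-00aa003049e2}")
	ObjectGuidGroup, _           = uuid.FromString("{bf967a9c-0de6-11d0-a285-00aa003049e2}")
	ObjectGuidDomain, _          = uuid.FromString("{19195a5a-6da0-11d0-afd3-00c04fd930c9}")
	ObjectGuidDNSZone, _         = uuid.FromString("{e0fa1e8b-9b45-11d0-afdd-00c04fd930c9}")
	ObjectGuidDNSNode, _         = uuid.FromString("{e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}")
	ObjectGuidGPO, _             = uuid.FromString("{f30e3bc2-9ff0-11d1-b603-0000f80367c1}")
	ObjectGuidOU, _              = uuid.FromString("{bf967aa5-0de6-11d0-a285-00aa003049e2}")
	ObjectGuidAttributeSchema, _ = uuid.FromString("{BF967A80-0DE6-11D0-A285-00AA003049E2}")

	// Well-known SIDs. The trailing component of the S-1-5-32-* SIDs is the
	// matching DOMAIN_ALIAS_RID_* constant.
	AdministratorsSID, _           = windowssecurity.ParseStringSID("S-1-5-32-544")
	BackupOperatorsSID, _          = windowssecurity.ParseStringSID("S-1-5-32-551")
	PrintOperatorsSID, _           = windowssecurity.ParseStringSID("S-1-5-32-550")
	ServerOperatorsSID, _          = windowssecurity.ParseStringSID("S-1-5-32-549")
	EnterpriseDomainControllers, _ = windowssecurity.ParseStringSID("S-1-5-9")

	// Engine attributes, object types and edges registered by this package.
	// Declaration order is kept as-is in case the engine assigns identifiers
	// sequentially (unverified).
	GPLinkCache = engine.NewAttribute("gpLinkCache")

	NetBIOSName = engine.NewAttribute("nETBIOSName")
	NCName      = engine.NewAttribute("nCName")
	DNSRoot     = engine.NewAttribute("dnsRoot")

	MemberOfIndirect = engine.NewAttribute("memberOfIndirect")

	ObjectTypeMachine    = engine.NewObjectType("Machine", "Machine")
	DomainJoinedSID      = engine.NewAttribute("domainJoinedSid").Merge()
	DnsHostName          = engine.NewAttribute("dnsHostName")
	EdgeAuthenticatesAs  = engine.NewEdge("AuthenticatesAs")
	EdgeInheritsSecurity = engine.NewEdge("InheritsSecurity").SetDefault(true, true, false)

	CertificateTemplates   = engine.NewAttribute("certificateTemplates")
	PublishedBy            = engine.NewAttribute("publishedBy")
	PublishedByDnsHostName = engine.NewAttribute("publishedByDnsHostName")

	MetaPasswordAge  = engine.NewAttribute("passwordAge")
	MetaLastLoginAge = engine.NewAttribute("lastLoginAge")

	// The probability calculator always yields -1; how the engine treats a
	// negative probability is defined in engine, not here.
	EdgeMachineAccount = engine.NewEdge("MachineAccount").RegisterProbabilityCalculator(func(source, target *engine.Object) engine.Probability {
		return -1
	}).Describe("Indicates this is the domain joined computer account belonging to the machine")
)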

Interesting permissions on AD

View Source
// Attributes and edges attached to files that are part of a GPO (see
// EdgeFSPartOfGPO): where the file is, its size, whether it exposes a
// password, and which file-system rights a principal holds on it.
var (
	// Single-valued file metadata.
	AbsolutePath    = engine.NewAttribute("absolutePath").Single()
	RelativePath    = engine.NewAttribute("relativePath").Single()
	BinarySize      = engine.NewAttribute("binarySize").Single()
	ExposedPassword = engine.NewAttribute("exposedPassword")

	// Edges. Three of them carry the "Pivot" tag; what the tag means is
	// defined in engine — confirm before relying on it.
	EdgeExposesPassword       = engine.NewEdge("ExposesPassword").Tag("Pivot")
	EdgeContainsSensitiveData = engine.NewEdge("ContainsSensitiveData")
	EdgeReadSensitiveData     = engine.NewEdge("ReadSensitiveData")
	EdgeOwns                  = engine.NewEdge("Owns")
	EdgeFSPartOfGPO           = engine.NewEdge("FSPartOfGPO")
	EdgeFileCreate            = engine.NewEdge("FileCreate")
	EdgeDirCreate             = engine.NewEdge("DirCreate")
	EdgeFileWrite             = engine.NewEdge("FileWrite")
	EdgeTakeOwnership         = engine.NewEdge("FileTakeOwnership").Tag("Pivot")
	EdgeModifyDACL            = engine.NewEdge("FileModifyDACL").Tag("Pivot")
)
// GLoader registers GPOLoader with the engine at package initialisation and
// holds whatever engine.AddLoader returns for it.
var (
	GLoader = engine.AddLoader(func() engine.Loader { return (&GPOLoader{}) })
)
// LoaderID registers ADLoader with the engine at package initialisation and
// holds whatever engine.AddLoader returns for it.
var (
	LoaderID = engine.AddLoader(func() engine.Loader { return (&ADLoader{}) })
)


func FindDomain

func FindDomain(ao *engine.Objects) (domaincontext, netbiosname, dnssuffix string, domainsid windowssecurity.SID, err error)

func FindWellKnown

func FindWellKnown(ao *engine.Objects, s windowssecurity.SID) *engine.Object

func GPOparseScheduledTasks

func GPOparseScheduledTasks(rawxml string) []string

func GetDomainInfo

func GetDomainInfo(domain *engine.Object, ao *engine.Objects) (domaincontext, netbiosname, dnssuffix string, domainsid windowssecurity.SID, err error)

func ImportGPOInfo

func ImportGPOInfo(ginfo activedirectory.GPOdump, ao *engine.Objects) error

func TranslateLocalizedNameToSID

func TranslateLocalizedNameToSID(name string) (windowssecurity.SID, error)


type ADLoader

// ADLoader is the engine.Loader registered through LoaderID; its Init, Load,
// Close and Name methods implement that interface. Its fields are not shown
// in this listing.
type ADLoader struct {
	// contains filtered or unexported fields
}

func (*ADLoader) Close

func (ld *ADLoader) Close() ([]*engine.Objects, error)

func (*ADLoader) Init

func (ld *ADLoader) Init() error

func (*ADLoader) Load

func (ld *ADLoader) Load(path string, cb engine.ProgressCallbackFunc) error

func (*ADLoader) Name

func (ld *ADLoader) Name() string

type Action

// Action is one <Exec> action of a scheduled task as found in the task XML:
// the program to run and its command-line arguments.
type Action struct {
	Command   string `xml:"Exec>Command"`
	Arguments string `xml:"Exec>Arguments"`
}

type GPOLoader

// GPOLoader is the engine.Loader registered through GLoader; its Init, Load,
// Close and Name methods implement that interface. Its fields are not shown
// in this listing.
type GPOLoader struct {
	// contains filtered or unexported fields
}

func (*GPOLoader) Close

func (ld *GPOLoader) Close() ([]*engine.Objects, error)

func (*GPOLoader) Init

func (ld *GPOLoader) Init() error

func (*GPOLoader) Load

func (ld *GPOLoader) Load(path string, cb engine.ProgressCallbackFunc) error

func (*GPOLoader) Name

func (ld *GPOLoader) Name() string

type Group

// Group is one <Group> element of a Group Policy XML file; presumably the
// input of GPOparseGroups. Name is the element's name attribute and
// Properties the <Properties> children describing the configured changes.
type Group struct {
	XMLName    xml.Name `xml:"Group"`
	Name       string   `xml:"name,attr"`
	Properties []Properties
}

type Groups

// Groups is the <Groups> root element wrapping the <Group> entries.
type Groups struct {
	XMLName xml.Name `xml:"Groups"`
	Group   []Group
}

type Member

// Member is one <Member> element: a principal added to or removed from a
// group (Action), identified by name and/or SID. Either identifier may be
// empty in the XML, so consumers should not assume both are set.
type Member struct {
	// XMLName xml.Name `xml:"Member"`
	Action string `xml:"action,attr"`
	Name   string `xml:"name,attr"`
	SID    string `xml:"sid,attr"`
}

type Members

// Members is the <Members> container holding the <Member> entries of a
// Properties element.
type Members struct {
	Member []Member
}

type Properties

// Properties is the <Properties> element of a Group entry: the action applied
// to the group identified by groupSid/groupName, and the members affected.
type Properties struct {
	Action  string `xml:"action,attr"`
	SID     string `xml:"groupSid,attr"`
	Name    string `xml:"groupName,attr"`
	Members Members
}

type SIDpair

// SIDpair links a group to one of its members as extracted from a GPO; it is
// the element type returned by GPOparseGptTmplInf and GPOparseGroups. Names
// and SIDs are kept as the raw strings found in the policy files.
type SIDpair struct {
	GroupSID   string
	GroupName  string
	MemberSID  string
	MemberName string
}

func GPOparseGptTmplInf

func GPOparseGptTmplInf(rawini string) []SIDpair

func GPOparseGroups

func GPOparseGroups(rawxml string) []SIDpair

type ScheduledTasks

// ScheduledTasks is the root of a scheduled-tasks XML file; each <TaskV2>
// child is decoded into a TaskV2.
type ScheduledTasks struct {
	Tasks []TaskV2 `xml:"TaskV2"`
}

type TaskV2

// TaskV2 is one <TaskV2> scheduled task. UserID is the principal the task
// runs as and RunLevel the privilege level requested for it (both from the
// task's Principal element); Actions lists what is executed.
type TaskV2 struct {
	UserID   string   `xml:"Properties>Task>Principals>Principal>UserId"`
	RunLevel string   `xml:"Properties>Task>Principals>Principal>RunLevel"`
	Actions  []Action `xml:"Properties>Task>Actions"`
}

type TrustDirection

// TrustDirection is the direction of a domain trust. Disabled is the zero
// value, so an unset TrustInfo reports a disabled trust.
type TrustDirection byte

// The numeric values are fixed (0..3) and must not be reordered.
const (
	Disabled      TrustDirection = 0
	Incoming      TrustDirection = 1
	Outgoing      TrustDirection = 2
	Bidirectional TrustDirection = 3
)

type TrustInfo

// TrustInfo describes one domain trust: its direction and the raw trust
// attribute flags. The meaning of the Attributes bits is not defined in this
// listing — presumably the AD trustAttributes value; confirm against the
// loader that fills it.
type TrustInfo struct {
	Direction  TrustDirection
	Attributes int
}

type TrustPair

// TrustPair identifies a trust from a source domain to a target domain by the
// source's naming context, DNS root, NetBIOS name and SID, and the target's
// DNS root. All fields are plain strings as read from the directory.
type TrustPair struct {
	SourceNCName  string // Naming Context (dc=contoso,dc=com)
	SourceDNSRoot string // DNS root (contoso.com)
	SourceNetbios string // NETBIOS translation for above (CONTOSO)
	SourceSID     string // Domain SID (s-1-5-21-1111111111-1111111111-111111111-1111111)
	TargetDNSRoot string // Target DNS root (factory.contoso.com)
}
