diff --git a/StandIn/StandIn/Program.cs b/StandIn/StandIn/Program.cs
index 227a49f..4e8c1ee 100644
--- a/StandIn/StandIn/Program.cs
+++ b/StandIn/StandIn/Program.cs
@@ -15,10 +15,10 @@ namespace StandIn
 {
 class Program
 {
- public static void returnObject(String sObject, String sDomain = "", String sUser = "", String sPass = "", String sFilter = "")
+ public static void returnObject(String sObject, String sDomain = "", String sUser = "", String sPass = "", String sFilter = "", String sPath = "")
 {
 // Create searcher
- hStandIn.SearchObject so = hStandIn.createSearchObject(sDomain, sUser, sPass);
+ hStandIn.SearchObject so = hStandIn.createSearchObject(sDomain, sUser, sPass, sPath);
 if (!so.success)
 {
 Console.WriteLine("[!] Failed to create directory searcher..");
@@ -192,10 +192,10 @@ public static void returnObject(String sObject, String sDomain = "", String sUse
 }
 }
- public static void returnLDAP(String sLDAP, String sDomain = "", String sUser = "", String sPass = "", String sFilter = "", UInt32 iLimit = 0)
+ public static void returnLDAP(String sLDAP, String sDomain = "", String sUser = "", String sPass = "", String sPath = "", String sFilter = "", UInt32 iLimit = 0)
 {
 // Create searcher
- hStandIn.SearchObject so = hStandIn.createSearchObject(sDomain, sUser, sPass);
+ hStandIn.SearchObject so = hStandIn.createSearchObject(sDomain, sUser, sPass, sPath);
 if (!so.success)
 {
 Console.WriteLine("[!] Failed to create directory searcher..");
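Review bot: The new `sPath` parameter on `returnObject` only takes effect if `Main` forwards `ArgOptions.sPath` to it, and none of the Program.cs hunks in this diff touch the `returnObject` call site — only the `getObjectAccessPermissions` and `returnLDAP` calls are updated. If that call is indeed unchanged, `StandIn.exe --object ... --path ...` without `--access` silently ignores `--path` and searches the default naming context, while the help text advertises `--path` as a general option. Either wire `ArgOptions.sPath` through at that call site or say in the help string which modes honour it, e.g. `"--path ADSI search base (honoured by --access and --ldap)\n" +`. The body of `returnObject` continues outside the hunk.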
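Review bot: `sPath` is inserted into the middle of `returnLDAP`'s parameter list, ahead of `sFilter` and `iLimit`, whereas `returnObject` and `getObjectAccessPermissions` append it last. Because `sPath` and `sFilter` are both `String` with `""` defaults, a caller that passed the filter positionally as the fifth argument still compiles but now has its LDAP filter used as the search base and no filter applied; the one call site visible in this diff is updated, but the reordering is a silent trap for any other. Appending it instead — `String sFilter = "", UInt32 iLimit = 0, String sPath = "")` — keeps the three signatures consistent and backward compatible. The body of `returnLDAP` continues outside the hunk.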
@@ -1347,7 +1347,7 @@ public static void GPOObjectIncCounter(String sGPOName, String sTaskType, String
 public static void setAllowedToActOnBehalfOfOtherIdentity(String sMachineName, String sObjectSID, String sDomain = "", String sUser = "", String sPass = "")
 {
 // Create searcher
- hStandIn.SearchObject so = hStandIn.createSearchObject(sDomain, sUser, sPass, true);
+ hStandIn.SearchObject so = hStandIn.createSearchObject(sDomain, sUser, sPass, "", true);
 if (!so.success)
 {
 Console.WriteLine("[!] Failed to create directory searcher..");
@@ -1418,7 +1418,7 @@ public static void setAllowedToActOnBehalfOfOtherIdentity(String sMachineName, S
 public static void removeAllowedToActOnBehalfOfOtherIdentity(String sMachineName, String sDomain = "", String sUser = "", String sPass = "")
 {
 // Create searcher
- hStandIn.SearchObject so = hStandIn.createSearchObject(sDomain, sUser, sPass, true);
+ hStandIn.SearchObject so = hStandIn.createSearchObject(sDomain, sUser, sPass, "", true);
 if (!so.success)
 {
 Console.WriteLine("[!] Failed to create directory searcher..");
@@ -1709,10 +1709,10 @@ public static void deleteMachineAccount(String sMachineName, String sDomain = ""
 }
 }
- public static void getObjectAccessPermissions(String sObject, String sNTAccount = "", String sDomain = "", String sUser = "", String sPass = "")
+ public static void getObjectAccessPermissions(String sObject, String sNTAccount = "", String sDomain = "", String sUser = "", String sPass = "", String sPath = "")
 {
 // Create searcher
- hStandIn.SearchObject so = hStandIn.createSearchObject(sDomain, sUser, sPass);
+ hStandIn.SearchObject so = hStandIn.createSearchObject(sDomain, sUser, sPass, sPath);
 if (!so.success)
 {
 Console.WriteLine("[!] Failed to create directory searcher..");
@@ -3348,6 +3348,9 @@ class ArgOptions
 [Option(null, "pass")]
 public String sPass { get; set; }
+ [Option(null, "path")] public String sPath { get; set; }
+
 [Option(null, "grant")]
 public String sGrant { get; set; }
@@ -3511,7 +3514,7 @@ static void Main(string[] args)
 {
 if (ArgOptions.bAccess)
 {
- getObjectAccessPermissions(ArgOptions.sObject, ArgOptions.sNtaccount, ArgOptions.sDomain, ArgOptions.sUser, ArgOptions.sPass);
+ getObjectAccessPermissions(ArgOptions.sObject, ArgOptions.sNtaccount, ArgOptions.sDomain, ArgOptions.sUser, ArgOptions.sPass, ArgOptions.sPath);
 }
 else if (!String.IsNullOrEmpty(ArgOptions.sGrant))
 {
@@ -3591,7 +3594,7 @@ static void Main(string[] args)
 }
 else if (!String.IsNullOrEmpty(ArgOptions.sLdap))
 {
- returnLDAP(ArgOptions.sLdap, ArgOptions.sDomain, ArgOptions.sUser, ArgOptions.sPass, ArgOptions.sFilter, ArgOptions.iLimit);
+ returnLDAP(ArgOptions.sLdap, ArgOptions.sDomain, ArgOptions.sUser, ArgOptions.sPass, ArgOptions.sPath, ArgOptions.sFilter, ArgOptions.iLimit);
 }
 else if (ArgOptions.bGPO)
 {
diff --git a/StandIn/StandIn/hStandIn.cs b/StandIn/StandIn/hStandIn.cs
index 8c6496d..b295207 100644
--- a/StandIn/StandIn/hStandIn.cs
+++ b/StandIn/StandIn/hStandIn.cs
@@ -178,6 +178,7 @@ public static void getHelp()
 "--domain Domain name, e.g. REDHOOK\n" +
 "--user User name\n" +
 "--pass Password\n" +
+ "--path LDAP path / container to search in\n" +
 "--newpass New password to set for object\n" +
 "--gpo List group policy objects\n" +
 "--acl Show ACL's for returned GPO's\n" +
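Review bot: The new help line `--path LDAP path / container to search in` undersells what the value has to be: `createSearchObject` hands it straight to `new DirectoryEntry(sPath)`, which expects a provider-prefixed ADSI path, so a bare DN such as `CN=Configuration,DC=redhook,DC=local` is not what the tool wants, and the option is only forwarded by some modes (the `--access` and `--ldap` branches are the ones updated in this diff). Suggest making the format and scope explicit, e.g. `"--path ADSI search base, e.g. LDAP://CN=Configuration,DC=redhook,DC=local (honoured by --access/--ldap)\n" +`, adjusted to whichever modes actually forward it.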
@@ -228,7 +229,8 @@ public static void getHelp()
 "# Grant object access permissions\n" +
 "StandIn.exe --object \"distinguishedname=DC=redhook,DC=local\" --grant \"REDHOOK\\MBWillett\" --type DCSync\n" +
 "StandIn.exe --object \"distinguishedname=DC=redhook,DC=local\" --grant \"REDHOOK\\MBWillett\" --guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\n" +
- "StandIn.exe --object samaccountname=SomeTarget001$ --grant \"REDHOOK\\MBWillett\" --type GenericWrite --domain redhook --user RFludd --pass Cl4vi$Alchemi4e\n\n" +
+ "StandIn.exe --object samaccountname=SomeTarget001$ --grant \"REDHOOK\\MBWillett\" --type GenericWrite --domain redhook --user RFludd --pass Cl4vi$Alchemi4e\n" +
+ "StandIn.exe --object (&(objectClass=pKICertificateTemplate)(cn=User)) --path LDAP://CN=Configuration,DC=redhook,DC=local --access\n\n" +
 "# Set object password\n" +
 "StandIn.exe --object samaccountname=SomeTarget001$ --newpass \"Arkh4mW1tch!\"\n" +
@@ -357,14 +359,18 @@ public static String genAccountPass()
 return new string(sPass);
 }
- public static SearchObject createSearchObject(String sDomain = "", String sUser = "", String sPass = "", Boolean ActOnBehalf = false)
+ public static SearchObject createSearchObject(String sDomain = "", String sUser = "", String sPass = "", String sPath = "", Boolean ActOnBehalf = false)
 {
 DirectoryEntry de = null;
 DirectorySearcher ds = null;
 SearchObject resultObject = new SearchObject();
 try
 {
- de = new DirectoryEntry();
+ if (sPath == "")
+ de = new DirectoryEntry();
+ else
+ de = new DirectoryEntry(sPath);
+
 resultObject.sDC = de.Options.GetCurrentServerName();
 Console.WriteLine("\n[?] Using DC : " + de.Options.GetCurrentServerName());
 if (!String.IsNullOrEmpty(sDomain) && !String.IsNullOrEmpty(sUser) && !String.IsNullOrEmpty(sPass))
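Review bot: The new example passes `--object (&(objectClass=pKICertificateTemplate)(cn=User))` unquoted, but in cmd.exe `&`, `(` and `)` are shell metacharacters, so pasted as written the command is split at `&` and StandIn never sees the filter intact; the neighbouring examples do quote values that contain special characters. Suggest `"StandIn.exe --object \"(&(objectClass=pKICertificateTemplate)(cn=User))\" --path LDAP://CN=Configuration,DC=redhook,DC=local --access\n\n" +` so the example is copy-paste safe. It would also help to note on the same line that `--path` takes a full provider-prefixed ADSI path, since that is what `createSearchObject` passes to `DirectoryEntry` unchanged.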
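Review bot: The new branch tests `sPath == ""`, but `--path` is declared in `ArgOptions` as a plain `String` property with no default, so when the flag is omitted the call sites updated in this commit most likely pass `null`, not `""`, and execution falls into `new DirectoryEntry(sPath)` with a null path. `DirectoryEntry` appears to normalise a null path to the default entry, so this works by accident; `if (String.IsNullOrEmpty(sPath))`, mirroring the credential check three lines below, makes the intent explicit and stops relying on that behaviour. Separately, `sPath` is passed to `DirectoryEntry` unchanged, so the caller controls the ADSI provider as well as the container — a value without an `LDAP://`/`GC://` prefix binds through whatever provider it names (or fails with an opaque COM error), and the subsequent `Options.GetCurrentServerName()` call assumes an LDAP binding; consider rejecting paths that do not start with `LDAP://` or `GC://` before binding, with a `[!]` message naming the expected format.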