SpecterOps · rvazarkar · Dec 9, 2024 · Dec 9, 2024 · Dec 11, 2024 · Dec 16, 2024
diff --git a/src/CommonLib/Enums/CollectionMethod.cs b/src/CommonLib/Enums/CollectionMethod.cs
@@ -1,10 +1,8 @@
 using System;
 
-namespace SharpHoundCommonLib.Enums
-{
+namespace SharpHoundCommonLib.Enums {
     [Flags]
-    public enum CollectionMethod
-    {
+    public enum CollectionMethod {
         None = 0,
         Group = 1,
         LocalAdmin = 1 << 1,
@@ -25,10 +23,19 @@ public enum CollectionMethod
         CARegistry = 1 << 16,
         DCRegistry = 1 << 17,
         CertServices = 1 << 18,
+        LdapServices = 1 << 19,
+        WebClientService = 1 << 21,
+        SmbInfo = 1 << 22,
+        //TODO: Re-introduce this when we're ready for Event Log collection
+        //EventLogs = 1 << 23,
         LocalGroups = DCOM | RDP | LocalAdmin | PSRemote,
-        ComputerOnly = LocalGroups | Session | UserRights | CARegistry | DCRegistry,
-        DCOnly = ACL | Container | Group | ObjectProps | Trusts | GPOLocalGroup | CertServices,
-        Default = Group | Session | Trusts | ACL | ObjectProps | LocalGroups | SPNTargets | Container | CertServices,
-        All = Default | LoggedOn | GPOLocalGroup | UserRights | CARegistry | DCRegistry
+        ComputerOnly = LocalGroups | Session | UserRights | CARegistry | DCRegistry | WebClientService | SmbInfo,
+        DCOnly = ACL | Container | Group | ObjectProps | Trusts | GPOLocalGroup | CertServices | LdapServices | SmbInfo,
+
+        Default = Group | Session | Trusts | ACL | ObjectProps | LocalGroups | SPNTargets | Container | CertServices |
+                  LdapServices | SmbInfo,
+
+        All = Default | LoggedOn | GPOLocalGroup | UserRights | CARegistry | DCRegistry | WebClientService |
+              LdapServices
     }
 }
diff --git a/src/CommonLib/Enums/EventIds.cs b/src/CommonLib/Enums/EventIds.cs
@@ -0,0 +1,6 @@
+namespace SharpHoundCommonLib.Enums;
+
+public class EventIds {
+    public static int LogonEvent = 4624;
+    public static int ValidateCredentialsEvent = 4776;
+}
diff --git a/src/CommonLib/Enums/LdapErrorCodes.cs b/src/CommonLib/Enums/LdapErrorCodes.cs
@@ -1,12 +1,12 @@
-namespace SharpHoundCommonLib.Enums
-{
-    public enum LdapErrorCodes : int
-    {
+namespace SharpHoundCommonLib.Enums {
+    public enum LdapErrorCodes : int {
         Success = 0,
+        StrongAuthRequired = 8,
+        SaslBindInProgress = 14,
         InvalidCredentials = 49,
         Busy = 51,
         ServerDown = 81,
         LocalError = 82,
-        KerberosAuthType = 83
+        KerberosAuthType = 83,
     }
 }
diff --git a/src/CommonLib/Enums/LdapOption.cs b/src/CommonLib/Enums/LdapOption.cs
@@ -0,0 +1,12 @@
+namespace SharpHoundCommonLib.Enums {
+    public enum LdapOption : int {
+        Ssl = 0x0A,
+        ProtocolVersion = 0x11,
+        ResultCode = 0x31,
+        ServerError = 0x33,
+        ServerCertificate = 0x81,
+        Sign = 0x95,
+        Encrypt = 0x96,
+        Timeout = 0x5002,
+    }
+}
diff --git a/src/CommonLib/Enums/LdapOptionValue.cs b/src/CommonLib/Enums/LdapOptionValue.cs
@@ -0,0 +1,13 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace SharpHoundCommonLib.Enums {
+    public enum LdapOptionValue : int {
+        Off = 0,
+        On = 1,
+        Version3 = 3,
+    };
+}
diff --git a/src/CommonLib/Enums/LdapSupportedSaslMechanisms.cs b/src/CommonLib/Enums/LdapSupportedSaslMechanisms.cs
@@ -0,0 +1,14 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace SharpHoundCommonLib.Enums {
+    public static class LdapSupportedSaslMechanisms {
+        public const string GSSAPI = "GSSAPI";
+        public const string GSS_SPNEGO = "GSS-SPNEGO";
+        public const string EXTERNAL = "EXTERNAL";
+        public const string DIGEST_MD5 = "DIGEST_MD5";
+    }
+}
diff --git a/src/CommonLib/Extensions.cs b/src/CommonLib/Extensions.cs
@@ -186,7 +186,7 @@ public static string LdapValue(this Guid s)
         /// <param name="methods"></param>
         /// <returns></returns>
         public static bool IsComputerCollectionSet(this CollectionMethod methods) {
-            const CollectionMethod test = CollectionMethod.ComputerOnly | CollectionMethod.LoggedOn;
+            const CollectionMethod test = CollectionMethod.ComputerOnly | CollectionMethod.LoggedOn | CollectionMethod.SmbInfo | CollectionMethod.WebClientService;
             return (methods & test) != 0;
         }
 

diff --git a/src/CommonLib/Helpers.cs b/src/CommonLib/Helpers.cs
@@ -39,7 +39,7 @@ public static string RemoveDistinguishedNamePrefix(string distinguishedName) {
             //Start at the first instance of a comma, and continue to loop while we still have commas. If we get -1, it means we ran out of commas.
             //This allows us to cleanly iterate over all indexes of commas in our DNs and find the first non-escaped one
             for (var i = distinguishedName.IndexOf(','); i > -1; i = distinguishedName.IndexOf(',', i + 1)) {
-                //If theres a comma at the beginning of the DN, something screwy is going on. Just ignore it
+                //If there's a comma at the beginning of the DN, something screwy is going on. Just ignore it
                 if (i == 0) {
                     continue;
                 }
@@ -300,6 +300,16 @@ public static IRegistryKey OpenRemoteRegistry(string target) {
             CommonOids.ClientAuthentication,
             CommonOids.AnyPurpose
         };
+
+        public static string DumpDirectoryObject(this IDirectoryObject directoryObject) {
+            var builder = new StringBuilder();
+            builder.AppendLine("PropertyName : PropertyValue");
+            foreach (var prop in directoryObject.PropertyNames()) {
+                builder.AppendLine($"{prop} : {directoryObject.GetProperty(prop)}");
+            }
+
+            return builder.ToString();
+        }
     }
 
     public class ParsedGPLink {

diff --git a/src/CommonLib/IRegistryKey.cs b/src/CommonLib/IRegistryKey.cs
@@ -26,9 +26,9 @@ public object GetValue(string subkey, string name)
 
     public class MockRegistryKey : IRegistryKey
     {
-        public virtual object GetValue(string subkey, string name)
-        {
-            throw new System.NotImplementedException();
+        public virtual object GetValue(string subkey, string name) {
+            //Unimplemented
+            return default;
         }
     }
 }
diff --git a/src/CommonLib/Impersonate.cs b/src/CommonLib/Impersonate.cs
@@ -86,11 +86,11 @@ public class Impersonator : IDisposable {
         /// <summary>
         /// Begins impersonation with the given credentials, Logon type and Logon provider.
         /// </summary>
-        ///<param name = "userName" > Name of the user.</param>
-        ///<param name = "domainName" > Name of the domain.</param>
-        ///<param name = "password" > The password. <see cref = "System.String" /></ param >
-        ///< param name="logonType">Type of the logon.</param>
-        ///<param name = "logonProvider" > The logon provider. <see cref = "Mit.Sharepoint.WebParts.EventLogQuery.Network.LogonProvider" /></ param >
+        ///<param name="userName" > Name of the user.</param>
+        ///<param name="domainName" > Name of the domain.</param>
+        ///<param name="password" > The password.</param >
+        ///<param name="logonType">Type of the logon.</param>
+        ///<param name="logonProvider" > The logon provider. <see cref="Mit.Sharepoint.WebParts.EventLogQuery.Network.LogonProvider"/></param >
         public Impersonator(string userName, string domainName, string password, LogonType logonType,
             LogonProvider logonProvider) {
             Impersonate(userName, domainName, password, logonType, logonProvider);
@@ -125,10 +125,11 @@ public void Dispose() {
         /// </summary>
         ///<param name = "userName" > Name of the user.</param>
         ///<param name = "domainName" > Name of the domain.</param>
-        ///<param name = "password" > The password. <see cref = "System.String" /></ param >
-        ///< param name="logonType">Type of the logon.</param>
+        ///<param name = "password" > The password. <see cref = "System.String" /></param >
+        ///<param name="logonType">Type of the logon.</param>
         ///<param name = "logonProvider" > The logon provider. <see cref = "Mit.Sharepoint.WebParts.EventLogQuery.Network.LogonProvider" /></ param >
-        public void Impersonate(string userName, string domainName, string password, LogonType logonType = LogonType.LOGON32_LOGON_INTERACTIVE,
+        public void Impersonate(string userName, string domainName, string password,
+            LogonType logonType = LogonType.LOGON32_LOGON_INTERACTIVE,
             LogonProvider logonProvider = LogonProvider.LOGON32_PROVIDER_DEFAULT) {
             UndoImpersonation();
 
@@ -149,14 +150,11 @@ public void Impersonate(string userName, string domainName, string password, Log
                             ref logonTokenDuplicate) != 0) {
                         var wi = new WindowsIdentity(logonTokenDuplicate);
                         wi.Impersonate(); // discard the returned identity context (which is the context of the application pool)
-                    }
-                    else
+                    } else
                         throw new Win32Exception(Marshal.GetLastWin32Error());
-                }
-                else
+                } else
                     throw new Win32Exception(Marshal.GetLastWin32Error());
-            }
-            finally {
+            } finally {
                 if (logonToken != IntPtr.Zero)
                     Win32NativeMethods.CloseHandle(logonToken);