anssi-fr / ad-control-paths Goto Github PK

Hi,

Thanks for the tool which looks very promissing.

I'm trying to export data from a very large resource active directory (> 100 000 users).
The AD is not near my area so the connection is slow.
I've tried 3 different exports which is failing everytime for the same reason: the object has been deleted since the export started.
The failure occurs in ldapdump.c line 909.

I've tried as an alternative a ntds.dit export but dsamain seems unable to mount it (with a message about the corruption of second level indexes). Same problem when trying to mount it with an AD LDS.

Is it possible to fix the case where the object has been deleted since the beginning of the export ?
I would have it done my self but there is a lot of impacts in the calling functions.

* Command: .\Bin\LdapDump.exe -x 'INFO' -f 'C:\Users\alpha\Documents\AD-control-paths-master\Dump\\logs\tatayoyo.ldpdmp.log' -a 'C:\Users\alpha\Documents\AD-control-paths-master\Dump\\dumps\tatayoyo.ace.ldpdmp.tsv' -o 'C:\Users\alpha\Documents\AD-control-paths-master\Dump\\dumps\tatayoyo.obj.ldpdmp.tsv' -c 'C:\Users\alpha\Documents\AD-contr ol-paths-master\Dump\\dumps\tatayoyo.sch.ldpdmp.tsv' -s '10.10.10.10'
[07:59:31] [+] Start
[07:59:31] [.] -- Setting log level to <INFO>
[07:59:31] [.] -- Setting log file to <C:\Users\alpha\Documents\AD-control-paths-master\Dump\\logs\tatayoyo.ldpdmp.log>
[07:59:31] [.] -- LDAP server <10.10.10.10:389>
[07:59:31] [.] -- LDAP implicit authentication with username <alpha>
[07:59:31] [.] -- Dumping <ace:C:\Users\alpha\Documents\AD-control-paths-master\Dump\\dumps\tatayoyo.ace.ldpdmp.tsv> <obj:C:\Users\alpha\Documents\AD-control-paths-master\Dump\\dumps\tatayoyo.obj.ldpdmp.tsv> <sch:C:\Users\alpha\Documents\AD-control-paths-master\Dump\\dumps\tatayoyo.sch.ldpdmp.tsv>
[07:59:31] [.] -- Dumping data on default NC (domain/config/schema)
[07:59:31] [+] Connecting to LDAP server...
[07:59:31] [.] -- Domain NC: <DC=tatayoyo,DC=LOCAL>
[07:59:31] [.] -- Config NC: <CN=Configuration,DC=tatayoyo,DC=LOCAL>
[07:59:31] [.] -- Schema NC: <CN=Schema,CN=Configuration,DC=tatayoyo,DC=LOCAL>
[07:59:31] [+] Dumping ACEs into <C:\Users\alpha\Documents\AD-control-paths-master\Dump\\dumps\tatayoyo.ace.ldpdmp.tsv>
[09:11:30] [.] -- Count: <288278>
[09:11:30] [+] Dumping Object list into <C:\Users\alpha\Documents\AD-control-paths-master\Dump\\dumps\tatayoyo.obj.ldpdmp.tsv>
[11:37:42] [-] Unknown DN <CN=XXXXXXX,OU= XXX,OU=XXXX,OU=tatayoyo,DC=tatayoyo,DC=LOCAL>

LDapDump warnings prevent build:

Severity    Code    Description Project File    Line    Suppression State
Warning C4311   'type cast': pointer truncation from 'char *' to 'DWORD'    LdapDump    C:\git\AD-control-paths\Dump\Src\LdapDump\LdapDump\Ldap.c   795 
Warning C4311   'type cast': pointer truncation from 'PTCHAR' to 'DWORD'    LdapDump    C:\git\AD-control-paths\Dump\Src\LdapDump\LdapDump\Ldap.c   795 

Removing the DWORD casts and defining DWORD64 dwStrSize = 0, dnsDomainLen = 0; fixes the issue.

AceFilter gives the following error:

Severity    Code    Description Project File    Line    Suppression State
Error   LNK1104 cannot open file 'C:\git\AD-control-paths\Dump\Src\AceFilter\x64\Release\Loopback.dll'  Loopback (AceFilterPlugins\Importers\Loopback)  C:\git\AD-control-paths\Dump\Src\AceFilter\AceFilterPlugins\Importers\Loopback\LINK 1   

But compiles fine if you build it a second time...

ControlRelationsProviders gives:

Severity    Code    Description Project File    Line    Suppression State
Warning C4311   'type cast': pointer truncation from 'PTCHAR' to 'DWORD'    Control.Sysvol.Sd   c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\ldap.c 811 
Warning C6328   Size mismatch: 'unsigned int' passed as _Param_(4) when 'long long' is required in call to 'fprintf'.   Control.Ad.PrimaryGroup c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\utils.c    102 Active
Warning C6328   Size mismatch: 'unsigned int' passed as _Param_(4) when 'long long' is required in call to 'fprintf'.   Control.Ad.SidHistory   c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\utils.c    102 Active
Warning C4311   'type cast': pointer truncation from 'char *' to 'DWORD'    Control.Ad.Group    c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\ldap.c 811 
Warning C4311   'type cast': pointer truncation from 'char *' to 'DWORD'    Control.Ad.Gplink   c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\ldap.c 811 
Warning C4311   'type cast': pointer truncation from 'PTCHAR' to 'DWORD'    Control.Ad.Group    c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\ldap.c 811 
Warning C4311   'type cast': pointer truncation from 'char *' to 'DWORD'    Control.Ad.Sd   c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\ldap.c 811 
Warning C4311   'type cast': pointer truncation from 'PTCHAR' to 'DWORD'    Control.Ad.Gplink   c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\ldap.c 811 
Warning C4311   'type cast': pointer truncation from 'PTCHAR' to 'DWORD'    Control.Ad.Sd   c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\ldap.c 811 
Warning C4311   'type cast': pointer truncation from 'char *' to 'DWORD'    Control.Ad.Container    c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\ldap.c 811 
Warning C4311   'type cast': pointer truncation from 'PTCHAR' to 'DWORD'    Control.Ad.Container    c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\ldap.c 811 
Warning C4477   'fprintf' : format string '%llu' requires an argument of type 'unsigned __int64', but variadic argument 2 has type 'size_t' Control.Ad.SidHistory   c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\utils.c    102 
Warning C4477   'fprintf' : format string '%llu' requires an argument of type 'unsigned __int64', but variadic argument 2 has type 'size_t' Control.Ad.PrimaryGroup c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\utils.c    102 
Warning C4311   'type cast': pointer truncation from 'char *' to 'DWORD'    Control.Sysvol.Sd   c:\git\ad-control-paths\dump\src\controlrelationsproviders\utils\ldap.c 811 

Again it is fine without /WX

Should ldap.c be duplicated between the projects?

Having this architecture:

Root domain FQDN: B.cheval.com
Child domain FQDN: A.B.cheval.com

Running the Dump.ps1 on A.B.cheval.com outputs B_blabla.csv files instead of A_blabla.csv inducing failure on next steps which expects A_blabla.csv.

Is the Sysvol supposed to be filtered by ObjectType? With the filter I get 0 kept ACEs from the Sysvol.

As far as I can tell FileSystems dont have a concept of ObjectTypes?

This was introduced in 0c5d4f0

Hello,

When using Get-ADCPDump on a robocopy of the SYSVOL share, I have the following error message:

New-PSDrive : En cas d’utilisation du paramètre Persist, la racine doit correspondre à un emplacement sur le système de fichiers d’un ordinateur distant.
Au caractère Ligne:1 : 1
+ New-PSDrive -PSProvider FileSystem -Root C:\Users\xxx\Desktop\NTDS\20 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument : (D:PSDriveInfo) [New-PSDrive], NotSupportedException
    + FullyQualifiedErrorId : DriveRootNotNetworkPath,Microsoft.PowerShell.Commands.NewPSDriveCommand

Removing "-persist" from the New-PSDrive command fixes the issue.

Sometimes .csv produced by Dump.ps1 can be corrupted (Internet connection disabled, user forced to stop process, etc.). This corrupted files are only noticed when trying to import results in neo4j database as it raises an error.

Adding a check (or an extra option to Dump.ps1 to be able to verify if target .csv files are well-formed) would prevent user from restarting dump from the beginning (which can be very long).

Missing PLUGIN_DECLARE_REQUIREMENT(PLUGIN_REQUIRE_GUID_RESOLUTION);

Causes these plugins to fail if not run with other plugins.

Used to store the computer password when using LAPS (https://www.microsoft.com/en-us/download/details.aspx?id=46899)
If "all extended rights" is set on an OU, the group which has this permission can read the password.

Hi!
Is there any reason for ovali not to show any progress and not visualizing my report?
I tried the sample, it works - several seconds and vuala.
My json output file is about 15,2 MB, has some extra symbols (cyrillic) - structure is correct, if compare to sample json.
Though I can see my DB structure through Neoj4, i'd like to try ovali too.

Impressed by your work! Great!

ERROR ON QUERY THE GRAPH DATABASE:

[!]Neo4j returned an error:
Unable to deserialize request: Illegal unquoted character ((CTRL-CHAR, code 10)): has to be escaped using backslash to be included in string value
at [Source: HttpInputOverHTTP@3e538d5d[c=204,q=0,[0]=null,s=STREAM]; line: 1, column: 33]
Exiting

Hello,

I got this error everytime i'm trying to dump the ACEs of a big NTDS database. The error is occuring when I'm connected to a domain controller or a dsamain instance. The error is happening after a couple of hours (between 4 and 5 hours).

Hello,

when the following command is executed:
.\Bin\AceFilter.exe --loglvl='INFO' --logfile='XXX.acefilter.ldap.msr.log' --importer='LdapDump' --writer='MasterSlaveRelation' --filters='Inherited,ControlAd' -- msrout='XXX.acefilter.ldap.msr.tsv' ldpobj='XXX.obj.ldpdmp.tsv' ldpsch='XXX.sch.ldpdmp.tsv' ldpace='XXX.ace.ldpdmp.tsv'

I got the following error:
[10:06:41] [+] Constructing caches
[10:06:41] [.] -- Plugins require SID or DN resolution, constructing object cache
[10:06:42] [-] Wrong number of token : <5/4>

I have tried to execute the script on various machines and using LDAP Instance / Domain Controller.

Hello,

I am using the lastest version with Powershell, and I run into an issue when I try to launch a query on a specific instance port.

If I launch the following query: .\Query.ps1 -quick -neo4jPort '7475'

This error message is displayed:

Unable to deserialize request: Illegal unquoted character ((CTRL-CHAR, code 10)): has to be escaped using backslash to be included in string value at [Source: HttpInputOverHTTP@2c5ae8d3[c=204,q=0,[0]=null,s=STREAM]; line: 1, column: 33]

Hello, I try to test the script but I get some running error.

1. I downloaded AD-control-paths
2. I downloaded the 3 Prerequisites
3. I run the script: ".\Dump.ps1 -outputDir C:\TP\ -domainController dc1 domainDnsName testdomain.local"
4. I get the following error:
   C:\Users\Administrator\Desktop\AD-Control-Path\AD-control-paths-master\Dump\Dump.ps1 : Cannot process argument transformation on parameter 'ldapPort'. Cannot convert value "testdomain.local" to type "System.Int32". Error: "Input string was
   not in a correct format."
   At line:1 char:11

• .\Dump.ps1 <<<< -outputDir C:\TP\ -domainController dc1 domainDnsName testdomain.local
  • CategoryInfo : InvalidData: (:) [Dump.ps1], ParameterBindin...mationException
  • FullyQualifiedErrorId : ParameterArgumentTransformationError,Dump.ps1

After starting the Dump script, I receive this error:
"Current arguments:
outputDir -> C:\TP\20190127_testdomain.local
domainController -> dc1
domainDnsName -> testdomain.local
[+] Starting
[+] Using implicit authentication
[+] Dumping LDAP and SYSVOL data

• Command: .\Bin\directorycrawler.exe -w 'INFO' -f 'C:\TP\20190127_testdomain.local\Logs\BI.dircrwl.log' -j '.\Bin\ADng_ADCP.json' -o 'C:\TP' -s 'dc1' -c 'BI' -d 'testdomain.local'
• Time : 00:00:00.0057250
• Return : FAIL - The term '.\Bin\directorycrawler.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
  try again.
  [+] Done. Total time: 00:00:00.2438465"

I do not found the directorycrawler.exe binary in the downloaded package...
Where did I go wrong?

I'm trying to run query.rb --quick but a timeout error occurs. I've dumped the AD to Desktop\AD-control-paths\Dump. Here is the full log:
ruby : C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/socket.rb:267:in `select_with_timeout':
connect_write timeout reached (Excon::Error::Timeout)
At line:1 char:1

• ruby query.rb --quick --color 2> log.txt

•   + CategoryInfo          : NotSpecified: (C:/Ruby24-x64/l...Error::Timeout):String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
  
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/socket.rb:131:in `rescue in block in connect'
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/socket.rb:112:in `block in connect'
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/socket.rb:103:in `each'
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/socket.rb:103:in `connect'
  
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/socket.rb:29:in `initialize'
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/connection.rb:405:in `new'
  
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/connection.rb:405:in `socket'
  
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/connection.rb:100:in `request_call'
  
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/middlewares/mock.rb:48:in `request_call'
  
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/middlewares/instrumentor.rb:26:in `request_call'
  
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/middlewares/base.rb:16:in `request_call'
  
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/middlewares/base.rb:16:in `request_call'
  
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/middlewares/base.rb:16:in `request_call'
  
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/excon-0.57.1/lib/excon/connection.rb:249:in `request'
  
    from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/neography-1.8.0/lib/neography/connection.rb:75:in `block (3 levels) in 
  

class:Connection'

from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/neography-1.8.0/lib/neography/connection.rb:89:in `log'

from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/neography-1.8.0/lib/neography/connection.rb:67:in `block (2 levels) in 

class:Connection'

from C:/Ruby24-x64/lib/ruby/gems/2.4.0/gems/neography-1.8.0/lib/neography/rest/cypher.rb:15:in `execute_query'

from C:/Users/psandhu/Desktop/AD-control-paths/Query/lib/neowrapper.rb:79:in `search'

from query.rb:205:in `block in <main>'

from query.rb:200:in `each'

from query.rb:200:in `<main>'

The executables as part of the Prepare step Prepare-ADCPDump will throw an Access Violation error if the "Relations" folder does not exist.

This is noted in the readme, but a validation check, more descriptive error, or creation of missing folder may be beneficial.

I wasn't able to grab dmps.

You should currently use implicit authentication or skip the sysvol part of the dump with -ldapOnly.

Build Error : 'UtilsLib.h' : No such file or directory

Hello,
Firstly, thanks for the tools !

I have an issue when I try to import the csv files into Neo4j.
I've got the following error :

Error in input data
Caused by: Extra column not present in header on line 0 in ....\Ldap\OP_LDAp_obj.csv with value gPLink

This is the command line i ran :
".\bin\neo4j-import --into data/databses/adcp.db --id-type string --nodes $((dir PATH\Ldap\*.csv) -join ',') --relationships $((dir PATH\Relations*.csv -exclude *.deny.csv) -join ',') ` --input-encoding UTF-16LE --multile-fields=true --legacy-style-quoting=false"

I must precise that I'm working with a VM.

Have you any idea what's wrong with the import ?

Hi,

I'm looking about LdapDump (Dump\Src\LdapDump) to be able to quickly export the extended permissions which were set on the AD.
Indeed, you've made an amazing work and using the ldap interface, you are using the quickest path I know.

But it is running very slow on my big AD & on a workstation and I wanted to understand why (#1). I plan to run it very often to catch if somebody did modify some permissions.
I've put a break and found out that the results are not pagged (only one result per page).

Is this problem related to the DC (configuration, ...) or something related to the program itself ?
(said otherwise: can you reproduce this problem ?)

regards,
Vincent

I know this is on roadmap but just to keep a track of it (also I have some suggestions) :)

So, it would be awesome to provide Dump.ps1 a file containing all required information to proceed dump on multiple domains.

Such a file could have this structure:
domainFQDNorIP:SYSVOLpath:DomainName:User:Password

Good practice is to have users being able to log on domains they only have to (meaning all users shouldn't be able to log on every existing domain), if so providing User:Password on per domain would guarantee Dump.ps1 working as expected.

Sometimes users of a specific domain have special rights on other domains/forest (like in Administrative forest or just not well hardened AD), so it would be awesome to be able to add to control paths these kind of users (thus proceeding control paths on cross domain users).

Moreover, as doing a pentest you don't always have a valid user per domain straightaway, it would be nice to be able to re-compute control paths once you obtained such user. This could be done by adding a new feature where you can provide domains you want to look for.

https://msdn.microsoft.com/en-us/library/ms684372(v=vs.85).aspx

This propertyset applies to User, and inetOrgPerson classes, and allows access to Is-Member-Of-DL and Member. https://technet.microsoft.com/en-us/library/cc755430(v=ws.10).aspx

Is-Member-Of-DL is a computed attribute, and cannot be modified by users. If you attempt to change it via the GUI you are actually writing to Member on the target group and need the correct positions on the target group.

Member only applies to groups, and not User or InetOrgPerson? https://msdn.microsoft.com/en-us/library/ms677097(v=vs.85).aspx

I have tried setting this permission in test environment (Win2k8R2), but only get errors when I try and add users to groups saying I dont have permissions on the target group. Am I missing something? Does it work in different functional levels?

While dumping, it can happen that Dump.ps1 produces some errors (like denied access to some SYSVOL files). It could be interesting to display at the end of every dump step how many errors are critical and need to be fixed in order to have a consistent final result (involving restarting the dump-step after finding what is wrong) and how many are not.

This amount of errors could be logged in per-dumping step log files with such colors very wow.

Hello,

I try to test the script but I get some running error.

1. downloaded AD-control-paths
2. downloaded the 3 Prerequisites
3. run the script: "..\Dump.ps1 -outputDir .\test -ldapOnly -domainController 127.0.0.1 -domainDnsName my.lab"
4. get the following error:

error popup;

Debug Error!
Program:
..\AD-control-paths-master\Dump\Bin\Control.Ad.PrimaryGroup.exe
Modules:
..\AD-control-paths-master\Dump\Bin\Control.Ad.PrimaryGroup.exe
Files:

Run-Time Check Failure #0 - The value of ESP was not propery saved across a function call. this is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.

error into prompt:

---

• Command: .\Bin\Control.Ad.PrimaryGroup.exe -D 'INFO' -L '.\test\20190409_my.lab\Logs\CS.control.ad.primarygroup.log' -I '.\test\20190409_my.lab\Ldap\CS_LDAP_obj.csv' -O '.\test\20190409_my.lab\Relations\CS.control.ad.primarygroup.csv'

[13:00:17] [+] Starting
[13:00:17] [.] Opening outfile <.\test\20190409_my.lab\Relations\CS.control.ad.primarygroup.csv>
[13:00:17] [.] Opening infile(s) <.\test\20190409_my.lab\Ldap\CS_LDAP_obj.csv>
*

• Time : 00:00:54.4988414
• Return : FAIL - return code out-of-range (255)
  [+] Done. Total time: 00:01:00.1918790

Have you an idea ?

thank you

Hi ,

I´m trying to deploy this project , but  i recieved some  "exe not found" .... 

Return : FAIL - The term '.\Bin\Control.Ad.Container.exe' is not recognized as the name .....

Anybody knows where can i find all the exe files that i need ?? T

Thanks for your support :)

Hi,

I run into an error when I try to compile the code in VS.

I retargeted the solution with the right version of the SDK.
But when I build the solution: I have the following error :
- wpp : error : (FindFileOnPath)File defaultwpp.ini not found

Any ideas about the issue?