Adding Additional Locations for compstatus.csv Logging (#214)

* Add TODO Comments Highlighting Possible SMB calls

* feat: Add ComputerStatusEvent when ResolveHostToSid Succeeds, Add Event ot LdapPropertyProcessor and SPNProcessors

* chore: Remove Todos, Add Logs, Clean up ComputerName with Helper Function

* test: Add tests for sending computer status event

* test: Fixed Unit Test for Build

* test: Move ComputerStatus to ReadUserProperties TrustedToAuthTest

Author: Michael Cuomo

src/CommonLib/LdapUtils.cs

@@ -589,6 +589,7 @@ public bool GetDomain(out Domain domain) {
             if (await GetWorkstationInfo(strippedHost) is (true, var workstationInfo)) {
                 var tempName = workstationInfo.ComputerName;
                 var tempDomain = workstationInfo.LanGroup;
+                _log.LogTrace("Get workstation info for {HostName} succeeded. Workstation {ComputerName} found.", host, tempName);
 
                 if (string.IsNullOrWhiteSpace(tempDomain)) {
                     tempDomain = domain;
@@ -673,7 +674,10 @@ public bool GetDomain(out Domain domain) {
         /// <returns></returns>
         private async Task<(bool Success, NetAPIStructs.WorkstationInfo100 Info)> GetWorkstationInfo(string hostname) {
             if (!await _portScanner.CheckPort(hostname))
+            {
+                _log.LogTrace("CheckPort returned false for {HostName}.", hostname);
                 return (false, default);
+            }
 
             var result = _nativeMethods.CallNetWkstaGetInfo(hostname);
             if (result.IsSuccess) return (true, result.Value);

src/CommonLib/Processors/ComputerSessionProcessor.cs

@@ -137,8 +137,16 @@ await SendComputerStatus(new CSVComputerStatus {
                 if (computerSessionName is "[::1]" or "127.0.0.1")
                     resolvedComputerSID = computerSid;
                 else if (await _utils.ResolveHostToSid(computerSessionName, computerDomain) is (true, var tempSid))
+                {
                     //Attempt to resolve the host name to a SID
                     resolvedComputerSID = tempSid;
+                    await SendComputerStatus(new CSVComputerStatus {
+                        Status = CSVComputerStatus.StatusSuccess,
+                        Task = "NetSessionEnum",
+                        ComputerName = computerSessionName,
+                    });
+                }
+                    
 
                 //Throw out this data if we couldn't resolve it successfully. 
                 if (resolvedComputerSID == null || !resolvedComputerSID.StartsWith("S-1")) {
@@ -153,10 +161,17 @@ await SendComputerStatus(new CSVComputerStatus {
                 else {
                     var res = await _utils.ResolveAccountName(username, computerDomain);
                     if (res.Success)
+                    {
+                        await SendComputerStatus(new CSVComputerStatus {
+                            Status = CSVComputerStatus.StatusSuccess,
+                            Task = "NetSessionEnum",
+                            ComputerName = computerSessionName,
+                        });
                         results.Add(new Session {
                             ComputerSID = resolvedComputerSID,
                             UserSID = res.Principal.ObjectIdentifier
                         });
+                    }
                 }
             }
 

src/CommonLib/Processors/LdapPropertyProcessor.cs

@@ -17,6 +17,8 @@
 namespace SharpHoundCommonLib.Processors {
     public class LdapPropertyProcessor {
         private static readonly HashSet<string> ReservedAttributes = new();
+        public delegate Task ComputerStatusDelegate(CSVComputerStatus status);
+        public event ComputerStatusDelegate ComputerStatusEvent;
 
         static LdapPropertyProcessor() {
             ReservedAttributes.UnionWith(CommonProperties.TypeResolutionProps);
@@ -249,10 +251,17 @@ public async Task<UserProperties> ReadUserProperties(IDirectoryObject entry, str
 
                     var resolvedHost = await _utils.ResolveHostToSid(d, domain);
                     if (resolvedHost.Success && resolvedHost.SecurityIdentifier.Contains("S-1"))
+                    {
+                        await SendComputerStatus(new CSVComputerStatus {
+                            Status = CSVComputerStatus.StatusSuccess,
+                            Task = nameof(ReadUserProperties),
+                            ComputerName = Helpers.StripServicePrincipalName(d).ToUpper().TrimEnd('$'),
+                        });
                         comps.Add(new TypedPrincipal {
                             ObjectIdentifier = resolvedHost.SecurityIdentifier,
                             ObjectType = Label.Computer
                         });
+                    }
                 }
             }
 
@@ -369,10 +378,17 @@ public async Task<ComputerProperties> ReadComputerProperties(IDirectoryObject en
 
                     var resolvedHost = await _utils.ResolveHostToSid(d, domain);
                     if (resolvedHost.Success && resolvedHost.SecurityIdentifier.Contains("S-1"))
+                    {
+                        await SendComputerStatus(new CSVComputerStatus {
+                            Status = CSVComputerStatus.StatusSuccess,
+                            Task = nameof(ReadComputerProperties),
+                            ComputerName = d,
+                        });
                         comps.Add(new TypedPrincipal {
                             ObjectIdentifier = resolvedHost.SecurityIdentifier,
                             ObjectType = Label.Computer
                         });
+                    }
                 }
             }
 
@@ -917,6 +933,10 @@ private enum IsTextUnicodeFlags {
             IS_TEXT_UNICODE_NOT_UNICODE_MASK = 0x0F00,
             IS_TEXT_UNICODE_NOT_ASCII_MASK = 0xF000
         }
+        
+        private async Task SendComputerStatus(CSVComputerStatus status) {
+            if (ComputerStatusEvent is not null) await ComputerStatusEvent.Invoke(status);
+        }
     }
 
     public class ParsedCertificate {

src/CommonLib/Processors/PortScanner.cs

@@ -47,6 +47,7 @@ public virtual async Task<bool> CheckPort(string hostname, int port = 445, int t
                         PortScanCache.TryAdd(key, false);
                         return false;
                     }
+                    _log.LogTrace("CheckPort Succeeded for {HostName}:{Port}", hostname, port);
 
                     PortScanCache.TryAdd(key, true);
                     return true;

src/CommonLib/Processors/SPNProcessors.cs

@@ -1,5 +1,6 @@
 using System.Collections.Generic;
 using System.Linq;
+using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
 using SharpHoundCommonLib.Enums;
 using SharpHoundCommonLib.OutputTypes;
@@ -9,6 +10,8 @@ public class SPNProcessors {
         private const string MSSQLSPNString = "mssqlsvc";
         private readonly ILogger _log;
         private readonly ILdapUtils _utils;
+        public delegate Task ComputerStatusDelegate(CSVComputerStatus status);
+        public event ComputerStatusDelegate ComputerStatusEvent;
 
         public SPNProcessors(ILdapUtils utils, ILogger log = null) {
             _utils = utils;
@@ -52,6 +55,11 @@ public async IAsyncEnumerable<SPNPrivilege> ReadSPNTargets(string[] servicePrinc
 
                     if (await _utils.ResolveHostToSid(spn, domainName) is (true, var host) && host.StartsWith("S-1")) {
                         _log.LogTrace("Resolved {SPN} to {Hostname}", spn, host);
+                        await SendComputerStatus(new CSVComputerStatus {
+                            Status = CSVComputerStatus.StatusSuccess,
+                            Task = nameof(ReadSPNTargets),
+                            ComputerName = Helpers.StripServicePrincipalName(spn).ToUpper().TrimEnd('$'),
+                        });
                         yield return new SPNPrivilege {
                             ComputerSID = host,
                             Port = port,
@@ -61,5 +69,9 @@ public async IAsyncEnumerable<SPNPrivilege> ReadSPNTargets(string[] servicePrinc
                 }
             }
         }
+        
+        private async Task SendComputerStatus(CSVComputerStatus status) {
+            if (ComputerStatusEvent is not null) await ComputerStatusEvent.Invoke(status);
+        }
     }
 }

test/unit/ComputerSessionProcessorTest.cs

@@ -257,5 +257,37 @@ public async Task ComputerSessionProcessor_TestTimeoutPrivileged() {
             var status = receivedStatus[0];
             Assert.Equal("Timeout", status.Status);
         }
+
+        [Fact]
+        public async Task ComputerSessionProcessor_ReadUserSessionSendsComputerStatus()
+        {
+            var nativeMethods = new Mock<NativeMethods>();
+            nativeMethods.Setup(x => x.NetWkstaUserEnum(It.IsAny<string>())).Returns(() => {
+                Task.Delay(1000).Wait();
+                return Array.Empty<NetWkstaUserEnumResults>();
+            });
+            var receivedStatus = new List<CSVComputerStatus>();
+            var mockNativeMethods = new Mock<NativeMethods>();
+            var apiResult = new NetSessionEnumResults[] {
+                new("admin", "\\\\127.0.0.1")
+            };
+            mockNativeMethods.Setup(x => x.NetSessionEnum(It.IsAny<string>())).Returns(apiResult);
+
+            var expected = new Session[] {
+                new() {
+                    ComputerSID = _computerSid,
+                    UserSID = "S-1-5-21-3130019616-2776909439-2417379446-2116"
+                }
+            };
+
+            var processor = new ComputerSessionProcessor(new MockLdapUtils(), mockNativeMethods.Object,null, "dfm");
+            processor.ComputerStatusEvent += async status => { receivedStatus.Add(status); };
+            var result = await processor.ReadUserSessions("win10", _computerSid, _computerDomain);
+            Assert.True(result.Collected);
+            Assert.Equal(expected, result.Results); 
+            Assert.Single(receivedStatus);
+            var status = receivedStatus[0];
+            Assert.Equal("Success", status.Status);
+        }
     }
 }

test/unit/LdapPropertyTests.cs

@@ -204,6 +204,8 @@ public async Task LDAPPropertyProcessor_ReadUserProperties_TestTrustedToAuth()
                 }, "S-1-5-21-3130019616-2776909439-2417379446-1101", "");
 
             var processor = new LdapPropertyProcessor(new MockLdapUtils());
+            var receivedStatus = new List<CSVComputerStatus>();
+            processor.ComputerStatusEvent += async status => { receivedStatus.Add(status); };
             var test = await processor.ReadUserProperties(mock, "testlab.local");
             var props = test.Props;
             var keys = props.Keys;
@@ -230,6 +232,13 @@ public async Task LDAPPropertyProcessor_ReadUserProperties_TestTrustedToAuth()
                 }
             };
             Assert.Equal(expected, atdr);
+            
+            // Send Computer Status
+            Assert.NotEmpty(receivedStatus);
+            foreach (var status in receivedStatus)
+            {
+                Assert.Equal("Success", status.Status);
+            }
         }
 
         [Fact]
@@ -444,6 +453,8 @@ public async Task LDAPPropertyProcessor_ReadComputerProperties_HappyPath()
                 }, "S-1-5-21-3130019616-2776909439-2417379446-1101","");
 
             var processor = new LdapPropertyProcessor(new MockLdapUtils());
+            var receivedStatus = new List<CSVComputerStatus>();
+            processor.ComputerStatusEvent += async status => { receivedStatus.Add(status); };
             var test = await processor.ReadComputerProperties(mock, "testlab.local");
             var props = test.Props;
             var keys = props.Keys;
@@ -497,6 +508,13 @@ public async Task LDAPPropertyProcessor_ReadComputerProperties_HappyPath()
                 ObjectIdentifier = "S-1-5-21-3130019616-2776909439-2417379446-1105",
                 ObjectType = Label.User
             }, test.SidHistory);
+            
+            // Send Computer Status
+            Assert.NotEmpty(receivedStatus);
+            foreach (var status in receivedStatus)
+            {
+                Assert.Equal("Success", status.Status);
+            }
         }
 
         [Fact]

test/unit/SPNProcessorsTest.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Threading.Tasks;
 using CommonLibTest.Facades;
 using SharpHoundCommonLib;
@@ -103,5 +104,32 @@ public async void ReadSPNTargets_SPNWithAddressSign_NotRead()
             await foreach (var spn in processor.ReadSPNTargets(servicePrincipalNames, distinguishedName))
                 Assert.Null(spn);
         }
+        
+        [Fact]
+        public async void ReadSPNTargets_SendComputerStatus()
+        {
+            var processor = new SPNProcessors(new MockLdapUtils());
+            string[] servicePrincipalNames = {"MSSQLSvc/PRIMARY.TESTLAB.LOCAL:2345"};
+            const string distinguishedName = "cn=policies,cn=system,DC=testlab,DC=local";
+            var receivedStatus = new List<CSVComputerStatus>();
+            processor.ComputerStatusEvent += async status => { receivedStatus.Add(status); };
+
+            var expected = new SPNPrivilege
+            {
+                ComputerSID = "S-1-5-21-3130019616-2776909439-2417379446-1001", Port = 2345,
+                Service = EdgeNames.SQLAdmin
+            };
+
+            var count = 0;
+            await foreach (var actual in processor.ReadSPNTargets(servicePrincipalNames, distinguishedName))
+            {
+                Assert.Equal(expected.ComputerSID, actual.ComputerSID);
+                Assert.Equal(expected.Port, actual.Port);
+                Assert.Equal(expected.Service, actual.Service);
+                count += 1;
+            }
+            Assert.NotEmpty(receivedStatus);
+            Assert.Equal(count, receivedStatus.Count);
+        }
     }
 }