feat: merge both unconstrainted delegation controls in one

Mazars-Tech · Oct 27, 2023 · 60f62d7 · 60f62d7
1 parent f79a689
commit 60f62d7
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 68 deletions.
diff --git a/ad_miner/sources/html/templates/main_header.html b/ad_miner/sources/html/templates/main_header.html
@@ -926,44 +926,14 @@ <h2 class="accordion-header" id="headingThree">
                               <input
                                 class="form-check-input"
                                 type="checkbox"
-                                value="dc_with_unconstrained_delegations"
-                                id="checkbox_dc_with_unconstrained_delegations"
+                                value="non-dc_with_unconstrained_delegations"
+                                id="checkbox_non-dc_with_unconstrained_delegations"
                               />
                               <label
                                 class="form-check-label"
-                                for="checkbox_dc_with_unconstrained_delegations"
+                                for="checkbox_non-dc_with_unconstrained_delegations"
                               >
-                                Non-DC with unconstrained delegations
-                              </label>
-                            </div>
-
-                            <div class="form-check">
-                              <input
-                                class="form-check-input"
-                                type="checkbox"
-                                value="non-dc_users_with_unconstrained_delegations"
-                                id="checkbox_non-dc_users_with_unconstrained_delegations"
-                              />
-                              <label
-                                class="form-check-label"
-                                for="checkbox_non-dc_users_with_unconstrained_delegations"
-                              >
-                                Non-DC with unconstrained delegations
-                              </label>
-                            </div>
-
-                            <div class="form-check">
-                              <input
-                                class="form-check-input"
-                                type="checkbox"
-                                value="non-dc_users_with_unconstrained_delegations"
-                                id="checkbox_non-dc_users_with_unconstrained_delegations"
-                              />
-                              <label
-                                class="form-check-label"
-                                for="checkbox_non-dc_users_with_unconstrained_delegations"
-                              >
-                                Users with unconstrained delegations
+                                Non-DC accounts with unconstrained delegations
                               </label>
                             </div>
 

diff --git a/ad_miner/sources/modules/computers.py b/ad_miner/sources/modules/computers.py
@@ -94,7 +94,6 @@ def __init__(self, arguments, neo4j, domain):
         self.generateADCSListPage()
         self.genObsoleteOSPage()
         self.genNonDCWithUnconstrainedPage()
-        self.genDCUsersWithUnconstrainedPage()
         self.genUsersConstrainedPage()
         self.genComputersAdminOfPages()
         self.genComputersWithMostAdminsPage()
@@ -233,7 +232,7 @@ def genObsoleteOSPage(self):
         page.render()
         self.list_computers_os_obsolete = cleaned_data
 
-    # Non DC computers with unconstrained delegations
+    # Non DC computers and users with unconstrained delegations
     def genNonDCWithUnconstrainedPage(self):
         if self.list_computers_unconstrained_delegations is None:
             return
@@ -248,32 +247,14 @@ def genNonDCWithUnconstrainedPage(self):
         for d in self.computers_non_dc_unconstrained_delegations:
             d["domain"] = '<i class="bi bi-globe2"></i> ' + d["domain"]
             d["name"] = '<i class="bi bi-pc-display"></i> ' + d["name"]
-        grid.setData(self.computers_non_dc_unconstrained_delegations)
-        page.addComponent(grid)
-        page.render()
-
-    # Non DC users with unconstrained delegations
-    def genDCUsersWithUnconstrainedPage(self):
-        if (
-            self.list_users_unconstrained_delegations is None
-            or self.users_non_dc_unconstrained_delegations is None
-        ):
-            return
-        page = Page(
-            self.arguments.cache_prefix,
-            "non-dc_users_with_unconstrained_delegations",
-            "Non-DC users with unconstrained delegations",
-            "non-dc_users_with_unconstrained_delegations",
-        )
-        grid = Grid("Non-DC users with unconstrained delegations")
-        grid.setheaders(["domain", "name"])
         for d in self.users_non_dc_unconstrained_delegations:
             d["domain"] = '<i class="bi bi-globe2"></i> ' + d["domain"]
             d["name"] = '<i class="bi bi-person-fill"></i> ' + d["name"]
-        grid.setData(self.users_non_dc_unconstrained_delegations)
+        grid.setData(self.computers_non_dc_unconstrained_delegations + self.users_non_dc_unconstrained_delegations)
         page.addComponent(grid)
         page.render()
 
+
     # Users with constrained delegations
     def genUsersConstrainedPage(self):
         if self.users_constrained_delegations is None:

diff --git a/ad_miner/sources/modules/description.json b/ad_miner/sources/modules/description.json
@@ -215,26 +215,26 @@
   "non-dc_with_unconstrained_delegations": {
     "title": "Accounts with unconstrained delegations",
     "description": "These accounts are allowed to connect to any service with the identity of another user who connected to them.",
-    "risk": "These computers can impersonate any domain and eventually lead to full compromise of the infrastructure. Optimally, this list should be empty as delegation should be set up with constrained delegation.",
+    "risk": "These accounts can impersonate any domain and eventually lead to full compromise of the infrastructure. Optimally, this list should be empty as delegation should be set up with constrained delegation.",
     "poa": "Unless necessary, switch to constrained delegation for a safer infrastructure."
   },
 
   "graph_path_objects_to_unconstrained_delegation": {
     "description": "Path to accounts that are allowed to connect to any service with the identity of another user who connected to them.",
-    "risk": "These computers can impersonate any domain and eventually lead to full compromise of the infrastructure. Optimally, this list should be empty as delegation should be set up with constrained delegation.",
+    "risk": "These accounts can impersonate any domain and eventually lead to full compromise of the infrastructure. Optimally, this list should be empty as delegation should be set up with constrained delegation.",
     "poa": "Unless necessary, switch to constrained delegation for a safer infrastructure."
   },
 
   "non-dc_users_with_unconstrained_delegations": {
     "title": "Users with unconstrained delegations",
     "description": "These user accounts are allowed to connect to any service with the identity of another user who connected to them. It only concerns users that are not sensitive.",
-    "risk": "These computers can impersonate any domain and eventually lead to full compromise of the infrastructure. Optimally, this list should be empty as delegation should be set up with constrained delegation.",
+    "risk": "These accounts can impersonate any domain and eventually lead to full compromise of the infrastructure. Optimally, this list should be empty as delegation should be set up with constrained delegation.",
     "poa": "Unless necessary, switch to constrained delegation for a safer infrastructure."
   },
 
   "graph_path_objects_to_unconstrained_delegation_users": {
     "description": "Path to user accounts that are allowed to connect to any service with the identity of another user who connected to them.",
-    "risk": "These computers can impersonate any domain and eventually lead to full compromise of the infrastructure. Optimally, this list should be empty as delegation should be set up with constrained delegation.",
+    "risk": "These accounts can impersonate any domain and eventually lead to full compromise of the infrastructure. Optimally, this list should be empty as delegation should be set up with constrained delegation.",
     "poa": "Unless necessary, switch to constrained delegation for a safer infrastructure."
   },
 

diff --git a/ad_miner/sources/modules/main_page.py b/ad_miner/sources/modules/main_page.py
@@ -181,9 +181,6 @@ def create_dico_data(
         "non-dc_with_unconstrained_delegations": len(
             computers.computers_non_dc_unconstrained_delegations
         ) if computers.computers_non_dc_unconstrained_delegations else 0,
-        "non-dc_users_with_unconstrained_delegations": len(
-            computers.users_non_dc_unconstrained_delegations
-        ) if computers.users_non_dc_unconstrained_delegations else 0,
         "users_constrained_delegations": len(computers.users_constrained_delegations) if computers.users_constrained_delegations else 0,
         "krb_last_change": max(
             [dict["pass_last_change"] for dict in users.users_krb_pwd_last_set]
@@ -316,7 +313,6 @@ def render(
         "kerberoastables": f"{dico_data['value']['kerberoastables']} kerberoastable accounts",
         "as_rep": f"{dico_data['value']['as_rep']} accounts are AS-REP-roastable",
         "non-dc_with_unconstrained_delegations": f"{dico_data['value']['non-dc_with_unconstrained_delegations']} non-DC with unconstrained delegations",
-        "non-dc_users_with_unconstrained_delegations": f"{dico_data['value']['non-dc_users_with_unconstrained_delegations']} users with unconstrained delegations",
         "users_constrained_delegations": f"{dico_data['value']['users_constrained_delegations']} users with constrained delegations",
         "krb_last_change": f"krbtgt not updated in > {dico_data['value']['krb_last_change']} days",
         "users_admin_of_computers": f"{dico_data['value']['users_admin_of_computers']} users with admin privs.",

diff --git a/ad_miner/sources/modules/rating.py b/ad_miner/sources/modules/rating.py
@@ -33,9 +33,6 @@ def rating(users, domains, computers, objects, arguments):
     d[
         presence_of(computers.list_computers_unconstrained_delegations, criticity=2)
     ].append("non-dc_with_unconstrained_delegations")
-    d[presence_of(computers.list_users_unconstrained_delegations, criticity=2)].append(
-        "non-dc_users_with_unconstrained_delegations"
-    )
     d[constrainedDelegation(computers.users_constrained_delegations)].append(
         "users_constrained_delegations"
     )

diff --git a/ad_miner/sources/modules/smolcard_class.py b/ad_miner/sources/modules/smolcard_class.py
@@ -26,7 +26,6 @@
         "kerberoastables",
         "as_rep",
         "non-dc_with_unconstrained_delegations",
-        "non-dc_users_with_unconstrained_delegations",
         "users_constrained_delegations",
         "krb_last_change",
         "graph_list_objects_rbcd",