Results of tearing hair out all day, it's better but still not there …

…yet - DENY before ALLOW stuff
lkarlslund · Sep 7, 2022 · 81002e2 · 81002e2
1 parent 59a557d
commit 81002e2
Show file tree

Hide file tree

Showing 4 changed files with 163 additions and 110 deletions.
diff --git a/modules/engine/analyzeobjects.go b/modules/engine/analyzeobjects.go
@@ -8,7 +8,7 @@ import (
 
 var PwnMemberOfGroup = NewEdge("MemberOfGroup") // FIXME, this should be generalized to expand-anyway-priority somehoe
 
-var SortBy Attribute
+var SortBy Attribute = NonExistingAttribute
 
 type ProbabilityCalculatorFunction func(source, target *Object) Probability
 
@@ -239,32 +239,46 @@ func AnalyzeObjects(opts AnalyzeObjectsOptions) (pg Graph) {
 						}
 					}
 					ui.Debug().Msgf("Expansion limit compromise - added %v groups as they fit under the expansion limit %v", added, opts.MaxOutgoingConnections)
+				}
 
-					// Add some more to expansion limit hit objects if we know how
-					if SortBy != 0 {
+				// Add some more to expansion limit hit objects if we know how
+				if SortBy != NonExistingAttribute {
+					var additionaladded int
 
-						// Find the most important ones that are not groups
-						var notadded []ObjectPair
-						for pwnpair, _ := range newconnectionsmap {
-							if _, found := implicatedobjectsmap[pwnpair.Target]; !found {
-								notadded = append(notadded, pwnpair)
-							}
+					// Find the most important ones that are not groups
+					var notadded []GraphEdge
+					for pwnpair, detectedmethods := range newconnectionsmap {
+						if _, found := implicatedobjectsmap[pwnpair.Target]; !found {
+							notadded = append(notadded, GraphEdge{
+								Source:     pwnpair.Source,
+								Target:     pwnpair.Target,
+								EdgeBitmap: detectedmethods,
+							})
 						}
+					}
 
-						sort.Slice(notadded, func(i, j int) bool {
-							iv, _ := notadded[i].Target.AttrInt(SortBy)
-							jv, _ := notadded[j].Target.AttrInt(SortBy)
-							return iv > jv
-						})
-
-						for i := 0; i+added < opts.MaxOutgoingConnections && i < len(notadded); i++ {
+					sort.Slice(notadded, func(i, j int) bool {
+						iv, _ := notadded[i].Target.AttrInt(SortBy)
+						jv, _ := notadded[j].Target.AttrInt(SortBy)
+						return iv > jv
+					})
+
+					for i := 0; i+added < opts.MaxOutgoingConnections && i < len(notadded); i++ {
+						connectionsmap[ObjectPair{
+							Source: notadded[i].Source,
+							Target: notadded[i].Target,
+						}] = notadded[i].EdgeBitmap
+						if _, found := implicatedobjectsmap[notadded[i].Target]; !found {
 							newimplicatedobjects[notadded[i].Target] = struct{}{} // Add this as our best item
 						}
+						additionaladded++
 					}
 
-					ri.canexpand = len(newconnectionsmap) - added
+					ui.Debug().Msgf("Added additionally %v prioritized objects", additionaladded)
+					added += additionaladded
 				}
 
+				ri.canexpand = len(newconnectionsmap) - added
 			}
 
 			ri.processed = true
@@ -324,10 +338,13 @@ func AnalyzeObjects(opts AnalyzeObjectsOptions) (pg Graph) {
 			break
 		}
 
+		ui.Debug().Msgf("Post graph object filtering remove %v nodes", removed)
+
 		weremovedsomething = true
 	}
 
 	// PruneIslands
+	var prunedislands int
 	if opts.PruneIslands || weremovedsomething {
 		// Find island nodes
 		pointedto := make(map[*Object]struct{})
@@ -339,10 +356,16 @@ func AnalyzeObjects(opts AnalyzeObjectsOptions) (pg Graph) {
 			if _, found := pointedto[node]; !found {
 				if _, found := opts.IncludeObjects.FindByID(node.ID()); opts.PruneIslands || !found {
 					delete(implicatedobjectsmap, node)
+					prunedislands++
 				}
 			}
 		}
 	}
+	if prunedislands > 0 {
+		ui.Debug().Msgf("Pruning islands removed %v nodes", prunedislands)
+	}
+
+	ui.Info().Msgf("Graph query resulted in %v nodes", len(implicatedobjectsmap))
 
 	// Convert map to slice
 	pg.Connections = make([]GraphEdge, len(connectionsmap))

diff --git a/modules/engine/const.go b/modules/engine/const.go
@@ -24,7 +24,7 @@ const (
 	UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
 	UAC_PARTIAL_SECRETS_ACCOUNT        = 0x04000000
 
-	RIGHT_GENERIC_READ ACLPermissionMask = RIGHT_READ_CONTROL | RIGHT_DS_LIST_CONTENTS | RIGHT_DS_READ_PROPERTY | RIGHT_DS_LIST_OBJECT /*
+	RIGHT_GENERIC_READ Mask = RIGHT_READ_CONTROL | RIGHT_DS_LIST_CONTENTS | RIGHT_DS_READ_PROPERTY | RIGHT_DS_LIST_OBJECT /*
 		** Mask value is not stored in AD but deduced from mask bits combined **
 		RIGHT_GENERIC_READ = 0x80000000 /*
 			The right to read permissions and all properties of the object, and list the contents of the