SnaffCon · alexlee820 · Feb 23, 2026 · Feb 23, 2026
diff --git a/SnaffCore/ADObject.cs b/SnaffCore/ADObject.cs
@@ -0,0 +1,76 @@
+using DSInternals.Common.Data;
+using System;
+using System.Collections.Generic;
+using System.DirectoryServices;
+using System.Globalization;
+using System.Linq;
+using System.Net.NetworkInformation;
+using System.Security.Cryptography.X509Certificates;
+using System.Security.Principal;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace SnaffCore.ADWS
+{
+    public class ADObject
+    {
+        public string Class { get; set; }
+        public int AdminCount { get; set; }
+        public X509Certificate2Collection CACertificate { get; set; }
+        public string[] CertificateTemplates { get; set; }
+        public string Description { get; set; }
+        public string DisplayName { get; set; }
+        public string DistinguishedName { get; set; }
+        public string DNSHostName { get; set; }
+        public string Cn { get; set; }
+        public byte[] DnsRecord { get; set; }
+        public int DSMachineAccountQuota { get; set; }
+        public string GPCFileSysPath { get; set; }
+        public string IsDeleted { get; set; }
+        public string GPLink { get; set; }
+        public int GPOptions { get; set; }
+        public DateTime LastLogon { get; set; }
+        public DateTime LastLogonTimestamp { get; set; }
+        public string[] Member { get; set; }
+        public ActiveDirectorySecurity MsDSAllowedToActOnBehalfOfOtherIdentity { get; set; }
+        public KeyCredential[] MsDSKeyCredentialLink { get; set; }
+        public string[] MsDSAllowedToDelegateTo { get; set; }
+        public int FunctionalLevel { get; set; }
+        public long MsMCSAdmPwdExpirationTime { get; set; }
+        public int MsPKICertificateNameFlag { get; set; }
+        public int MsPKIMinimalKeySize { get; set; }
+        public int MsPKIEnrollmentFlag { get; set; }
+        public int MsPKIPrivateKeyFlag { get; set; }
+        public string Name { get; set; }
+        public ActiveDirectorySecurity NTSecurityDescriptor { get; set; }
+        public Guid ObjectGUID { get; set; }
+        public SecurityIdentifier ObjectSid { get; set; }
+        public string OperatingSystem { get; set; }
+        public string[] PKIExtendedKeyUsage { get; set; }
+        public int PrimaryGroupID { get; set; }
+        public DateTime PwdLastSet { get; set; }
+        public string SAMAccountName { get; set; }
+        public string ScriptPath { get; set; }
+        public SecurityIdentifier SecurityIdentifier { get; set; }
+        public string[] ServicePrincipalName { get; set; }
+        public SecurityIdentifier[] SIDHistory { get; set; }
+        public int TrustAttributes { get; set; }
+        public int TrustDirection { get; set; }
+        public int UserAccountControl { get; set; }
+        public DateTime WhenCreated { get; set; }
+        public string Email { get; set; }
+        public string Title { get; set; }
+        public string HomeDirectory { get; set; }
+        public string UserPassword { get; set; }
+        public string UnixUserPassword { get; set; }
+        public string UnicodePassword { get; set; }
+        public string MsSFU30Password { get; set; }
+        public byte[] PKIExpirationPeriod { get; set; }
+        public byte[] PKIOverlapPeriod { get; set; }
+        public ADObject()
+        {
+        }
+    }
+
+
+}
diff --git a/SnaffCore/ADWS/ADWSConnection.cs b/SnaffCore/ADWS/ADWSConnection.cs
@@ -0,0 +1,70 @@
+using System.ServiceModel;
+using System.ServiceModel.Channels;
+using System.Xml.Serialization;
+using System.Xml;
+using System.Xml.Linq;
+using System.ServiceModel.Description;
+using System.Globalization;
+using System.Security.Principal;
+using System.DirectoryServices;
+using System;
+using System.Linq;
+using System.Collections.Generic;
+using System.IO;
+using System.Threading.Tasks;
+using System.Net;
+using System.Security.Cryptography.X509Certificates;
+using System.Text.RegularExpressions;
+using SnaffCore.ADWS;
+
+namespace SnaffCore.ADWS
+{
+    internal class ADWSConnection
+    {
+        public string BaseUri { get; set; }
+        public string Instance { get; set; }
+        public string DomainName { get; set; }
+        public string DefaultNamingContext { get; set; }
+        public NetworkCredential Credentials { get; set; }
+
+        public NetTcpBinding Binding { get; set; }
+        public MessageVersion Version { get; set; }
+        public ADWSConnection(string domainName, string instance, NetworkCredential credentials)
+        {
+            this.DomainName = domainName;
+            UriBuilder uriBuilder = new UriBuilder();
+            uriBuilder.Scheme = "net.tcp";
+            uriBuilder.Host = domainName;
+            uriBuilder.Port = 9389;
+            this.BaseUri = uriBuilder.ToString();
+
+            this.Instance = instance;
+
+            this.Binding = new NetTcpBinding();
+
+            this.Binding.OpenTimeout = new TimeSpan(0, 10, 0);
+            this.Binding.CloseTimeout = new TimeSpan(0, 10, 0);
+            this.Binding.SendTimeout = new TimeSpan(0, 10, 0);
+            this.Binding.ReceiveTimeout = new TimeSpan(0, 10, 0);
+            this.Binding.MaxBufferSize = 1073741824;
+            this.Binding.MaxReceivedMessageSize = 1073741824;
+            this.Binding.ReaderQuotas.MaxDepth = 64;
+            this.Binding.ReaderQuotas.MaxArrayLength = 2147483647;
+            this.Binding.ReaderQuotas.MaxStringContentLength = 2147483647;
+            this.Binding.ReaderQuotas.MaxNameTableCharCount = 2147483647;
+            this.Binding.ReaderQuotas.MaxBytesPerRead = 2147483647;
+            EnvelopeVersion envelopeVersion = EnvelopeVersion.Soap12;
+            AddressingVersion addressingVersion = AddressingVersion.WSAddressing10;
+            this.Version = MessageVersion.CreateVersion(envelopeVersion, addressingVersion);
+            this.Credentials = credentials;
+
+            foreach (String DC in domainName.Split('.'))
+            {
+                this.DefaultNamingContext += ",DC=" + DC;
+            }
+            this.DefaultNamingContext = this.DefaultNamingContext.TrimStart(',');
+        }
+
+
+    }
+}
diff --git a/SnaffCore/ADWS/Enumeration/EnumerateRequest.cs b/SnaffCore/ADWS/Enumeration/EnumerateRequest.cs
@@ -0,0 +1,79 @@
+using Microsoft.ActiveDirectory.Management.IMDA;
+using System;
+using System.Collections.Generic;
+using System.DirectoryServices.Protocols;
+using System.Linq;
+using System.Net;
+using System.ServiceModel.Channels;
+using System.ServiceModel.Description;
+using System.ServiceModel;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.ActiveDirectory.Management.WSE;
+using System.Xml.Linq;
+using System.Text.RegularExpressions;
+
+namespace SnaffCore.ADWS.Enumeration
+{
+    internal class EnumerateRequest
+    {
+        ADWSConnection adwsConnection = null;
+        string Instance { get; set; }
+        string BaseUri { get; set; }
+        NetworkCredential Credentials { get; set; }
+
+        NetTcpBinding Binding { get; set; }
+        MessageVersion Version { get; set; }
+
+        public EnumerateRequest(ADWSConnection adwsConnection)
+        {
+            this.adwsConnection = adwsConnection;
+            this.Instance = adwsConnection.Instance;
+            this.BaseUri = adwsConnection.BaseUri;
+            this.Binding = adwsConnection.Binding;
+            this.Credentials = adwsConnection.Credentials;
+        }
+
+        public List<ADObject> Enumerate(string filter, string searchBase, string searchScope, IList<string> attributeList)
+        {
+            var endpointAddress = new System.ServiceModel.EndpointAddress(this.BaseUri + "ActiveDirectoryWebServices/Windows/Enumeration");
+            var searchClient = new Microsoft.ActiveDirectory.WebServices.Proxy.SearchClient(this.Binding, endpointAddress);
+            UpdateCredentials(searchClient.ClientCredentials);
+
+            DirectoryControl[] controls = new DirectoryControl[2];
+            controls[0] = new PageResultRequestControl();
+            controls[1] = new SecurityDescriptorFlagControl(System.DirectoryServices.Protocols.SecurityMasks.Dacl);
+
+            ADEnumerateLdapRequest Request = new ADEnumerateLdapRequest(this.Instance, filter, searchBase, searchScope, attributeList);
+
+            Message resp = searchClient.Enumerate(Request);
+
+            var enumerateResponse = MessageToXDocument(resp);
+            string enumerationContext = enumerateResponse
+                .Descendants(XName.Get("EnumerationContext", "http://schemas.xmlsoap.org/ws/2004/09/enumeration"))
+                .FirstOrDefault()?
+                .Value;
+
+            PullRequest pullRequest = new PullRequest(adwsConnection);
+            return pullRequest.Pull(searchClient, enumerationContext);
+
+        }
+
+        public void UpdateCredentials(ClientCredentials c)
+        {
+            c.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
+            c.Windows.ClientCredential = this.Credentials;
+        }
+
+        static XDocument MessageToXDocument(Message message)
+        {
+            return XDocument.Parse(ReplaceHexadecimalSymbols(message.ToString()));
+        }
+
+        static string ReplaceHexadecimalSymbols(string txt)
+        {
+            string r = "[\x00-\x08\x0B\x0C\x0E-\x1F\x26]";
+            return Regex.Replace(txt, r, "", RegexOptions.Compiled);
+        }
+    }
+}