Add files via upload

Scripts/ConfigParsers/parser-sssd.conf.ps1

@@ -0,0 +1,133 @@
+# Author: Scott Sutherland, NetSPI (@_nullbind / nullbind)
+
+function Get-ConfigCredentials {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true)]
+        [string]$FilePath
+    )
+
+    # Initialize a hashtable to store extracted values
+    $configData = @{
+        Domain   = $null
+        Server   = $null
+        Username = $null
+        Password = $null
+    }
+
+    # Check if the file exists
+    if (-Not (Test-Path -Path $FilePath)) {
+        Write-Error "File not found: $FilePath"
+        return
+    }
+
+    # Read the configuration file
+    $configFile = Get-Content -Path $FilePath
+
+    # Parse the configuration file line by line
+    foreach ($line in $configFile) {
+        # Ignore comment lines and empty lines
+        if ($line -match '^\s*#' -or $line -match '^\s*$') {
+            continue
+        }
+
+        # Extract the domain (e.g., ad_domain or similar)
+        if ($line -match 'ad_domain\s*=\s*(.+)') {
+            $configData.Domain = $matches[1].Trim()
+        }
+
+        # Extract the server (e.g., krb5_server or similar)
+        if ($line -match 'krb5_server\s*=\s*(.+)') {
+            $configData.Server = $matches[1].Trim()
+        }
+
+        # Extract the username (e.g., ldap_default_bind_dn or similar)
+        if ($line -match 'ldap_default_bind_dn\s*=\s*(.+)') {
+            $configData.Username = $matches[1].Trim()
+        }
+
+        # Extract the password (e.g., ldap_default_authtok or similar)
+        if ($line -match 'ldap_default_authtok\s*=\s*(.+)') {
+            $configData.Password = $matches[1].Trim()
+        }
+    }
+
+    # Output the extracted configuration as a PowerShell object
+    [PSCustomObject]@{
+        Domain   = $configData.Domain
+        Server   = $configData.Server
+        Username = $configData.Username
+        Password = $configData.Password
+    }
+}
+
+# Example usage:
+$config = Get-ConfigCredentials -FilePath "c:\temp\configs\sssd.conf"
+$config | Format-List
+
+
+<# sssd.conf - used to support kerberos authentication in Linux
+
+
+[sssd]
+config_file_version = 2
+services = nss, pam, ssh, sudo
+domains = example.com
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+offline_credentials_expiration = 2
+offline_failed_login_attempts = 3
+offline_failed_login_delay = 5
+
+[domain/example.com]
+# Basic configuration for connecting to Active Directory
+id_provider = ad
+auth_provider = ad
+access_provider = ad
+
+# Enable Kerberos for authentication
+krb5_realm = EXAMPLE.COM
+krb5_server = ad.example.com
+krb5_kpasswd = ad.example.com
+
+# Active Directory server information
+ad_domain = example.com
+ad_server = ad.example.com
+ad_hostname = linuxclient.example.com
+
+# INSECURE PRACTICE: Hardcoding AD username and password in sssd.conf
+# These values will expose the username and password in plaintext
+ldap_default_bind_dn = cn=admin,cn=users,dc=example,dc=com
+ldap_default_authtok = P@ssw0rd123
+
+# Using the above configuration exposes credentials to anyone who can read this file
+
+# User and group filtering (optional)
+ldap_id_mapping = true
+
+# Performance optimizations
+cache_credentials = true
+enumerate = false
+use_fully_qualified_names = false
+
+# Access Control (Optional: limit login to users in AD group 'LinuxAdmins')
+access_provider = simple
+simple_allow_groups = LinuxAdmins
+
+# Security settings
+min_id = 1000
+fallback_homedir = /home/%u
+
+# Timeout and retry settings for better AD stability
+ldap_search_timeout = 10
+ldap_connection_expire_timeout = 60
+
+# Debugging options (uncomment for troubleshooting)
+# debug_level = 9
+
+
+#>