原文:https://xz.aliyun.com/t/11667,无编译好的版本,代码有点问题,需要整合、修改并编译。
在域外我们需要指定ip地址,域用户账户和密码,三个参数。在主函数中用了NDesk.Options来处理获取的参数,先定义三个list:
// Raw values collected by the OptionSet callbacks; one entry per -d / -u / -p
// occurrence on the command line, in the order they were given.
List<string> domains = new List<string>(), users = new List<string>(), passes = new List<string>();
工具一般运行-h会提示使用信息,在主函数中定义一个bool变量,命名为show_help,初始值为false,当为true时,代表用户使用-h参数,获取帮助信息,并在主函数中new一个options来存放帮助信息。
// Flipped to true by the "-h" option; read after parsing to print usage and exit.
bool show_help = false;
// Option table (NDesk.Options). Every repeated -d / -u / -p appends to its list;
// note that -p puts the domain password on the command line, where it is
// captured by any process-creation / command-line auditing on the host.
var options = new OptionSet
{
    { "d|domain=", "the {IP} of the DC target", value => domains.Add(value) },
    { "u|user=", "the {user} of the DC target", value => users.Add(value) },
    { "p|pass=", "the {pass} of the DC target", value => passes.Add(value) },
    { "h|help", "show this message and exit", value => show_help = value != null },
};
再在主类中,主函数外,定义公共静态成员函数,用来输出帮助信息。
/// <summary>Writes the usage banner followed by the description of every registered option.</summary>
/// <param name="p">The option table whose descriptions are written to standard output.</param>
public static void ShowHelp(OptionSet p)
{
    TextWriter output = Console.Out;
    output.WriteLine("Usage:");
    p.WriteOptionDescriptions(output);
}
最后在主函数内,调用该函数。
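// Parse the command line. NDesk.Options raises OptionException for a
// malformed option (e.g. -d with no value); report it with the usage text
// instead of letting the program die with an unhandled-exception trace.
try
{
    options.Parse(args);
}
catch (OptionException e)
{
    Console.WriteLine("[-] " + e.Message);
    ShowHelp(options);
    return;
}
// -h was given: print usage and stop before any network activity.
if (show_help)
{
    ShowHelp(options);
    return;
}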
然后写了个GetArgsValue类来存储这些值。
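/// <summary>
/// Process-wide holder for the three command-line values (DC address, bind
/// user, bind password). Each Get*Value call keeps the last element of the
/// list it is given, so a repeated -d / -u / -p switch is "last one wins".
/// </summary>
/// <remarks>
/// <c>pass</c> holds the plaintext password in a static string for the whole
/// process lifetime, so it is recoverable from a memory dump of the process.
/// A null or empty list leaves the corresponding field unchanged (the original
/// dereferenced a null list and threw NullReferenceException).
/// </remarks>
public static class GetArgsValue
{
    /// <summary>DC address; Machine() builds "LDAP://" + this value. Empty until set.</summary>
    public static string domain = "";
    /// <summary>Account for an explicit LDAP bind; empty (with an empty pass) makes Machine() bind without credentials.</summary>
    public static string user = "";
    /// <summary>Password for <see cref="user"/>; see the remarks on this class.</summary>
    public static string pass = "";

    /// <summary>Stores the last entry of <paramref name="param1"/> in <see cref="domain"/>.</summary>
    /// <param name="param1">Values collected for -d; null or empty leaves <see cref="domain"/> unchanged.</param>
    public static void GetDomainValue(List<string> param1 = null)
    {
        domain = LastOrCurrent(param1, domain);
    }

    /// <summary>Stores the last entry of <paramref name="param2"/> in <see cref="user"/>.</summary>
    /// <param name="param2">Values collected for -u; null or empty leaves <see cref="user"/> unchanged.</param>
    public static void GetUserValue(List<string> param2 = null)
    {
        user = LastOrCurrent(param2, user);
    }

    /// <summary>Stores the last entry of <paramref name="param3"/> in <see cref="pass"/>.</summary>
    /// <param name="param3">Values collected for -p; null or empty leaves <see cref="pass"/> unchanged.</param>
    public static void GetPassValue(List<string> param3 = null)
    {
        pass = LastOrCurrent(param3, pass);
    }

    /// <summary>
    /// Returns the last element of <paramref name="values"/>, or
    /// <paramref name="current"/> when the list is null or empty.
    /// </summary>
    private static string LastOrCurrent(List<string> values, string current)
    {
        if (values == null || values.Count == 0)
        {
            return current;
        }
        return values[values.Count - 1];
    }
}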
思路:先进行LDAP连接,然后在搜索过滤器中指定过滤条件(&(objectclass=computer))获取机器。使用System.DirectoryServices命名空间连接LDAP目录,获取机器名,最后将机器名写入machine.txt文本中,供下面的函数调用。
/// <summary>Bound LDAP entry created by <see cref="Machine"/>; it is never disposed.</summary>
public static DirectoryEntry coon = null;
/// <summary>Searcher over <see cref="coon"/>; the result of its FindAll() is never disposed.</summary>
public static DirectorySearcher search = null;

/// <summary>
/// Binds to LDAP://{GetArgsValue.domain}, searches for every object matching
/// (&amp;(objectclass=computer)) and appends each object's cn to machine.txt
/// in the current directory, one name per line.
/// </summary>
/// <remarks>
/// machine.txt is opened in append mode, so names from earlier runs stay in
/// the file and are processed again by <see cref="C"/>. When both user and
/// pass are non-empty the plaintext password is handed to DirectoryEntry for
/// an explicit bind; the bind's authentication type is left at the
/// DirectoryEntry default (not set here). A full computer-object enumeration
/// from a single client is the kind of LDAP query a DC-side search log can
/// surface.
/// </remarks>
public static void Machine()
{
    string url = "LDAP://" + GetArgsValue.domain;
    bool explicitCredentials = GetArgsValue.user != "" && GetArgsValue.pass != "";
    // Outside the domain: bind with the supplied account.
    // Inside the domain: let DirectoryEntry use the caller's context.
    coon = explicitCredentials
        ? new DirectoryEntry(url, GetArgsValue.user, GetArgsValue.pass)
        : new DirectoryEntry(url);
    search = new DirectorySearcher(coon) { Filter = "(&(objectclass=computer))" };
    using (StreamWriter file = new StreamWriter(@"machine.txt", true))
    {
        foreach (SearchResult r in search.FindAll())
        {
            string computername = r.Properties["cn"][0].ToString();
            file.WriteLine(computername);
        }
    }
}
百度现成的代码,用的Ping类。
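/// <summary>
/// Sends one ICMP echo request to <paramref name="hostName"/> and reports
/// whether a successful reply arrived within the timeout.
/// </summary>
/// <param name="hostName">Host name or address to probe.</param>
/// <returns>
/// true only when the reply status is IPStatus.Success; false on timeout, on
/// any non-success status, and on any exception (including a null or empty
/// <paramref name="hostName"/>), so this method never throws.
/// </returns>
/// <remarks>
/// The payload is 32 'a' bytes, which is not the payload the Windows ping
/// utility sends (an alphabet sequence), so these probes are distinguishable
/// from ordinary pings in a packet capture.
/// </remarks>
public static bool IsMachineUp(string hostName)
{
    const int timeout = 120; // milliseconds; kept short so the host sweep stays fast
    try
    {
        // Ping is IDisposable (it owns an ICMP handle); release it per call.
        using (Ping pingSender = new Ping())
        {
            PingOptions options = new PingOptions { DontFragment = true };
            byte[] buffer = Encoding.ASCII.GetBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
            PingReply reply = pingSender.Send(hostName, timeout, buffer, options);
            return reply.Status == IPStatus.Success;
        }
    }
    catch (Exception)
    {
        // Best-effort liveness check: name-resolution, socket-permission and
        // argument errors are all reported as "down" rather than thrown.
        return false;
    }
}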
1. 先在同一目录下,创建CInfos文件夹。
2. 然后获取目标机器c:\users\目录,如果存在该目录创建机器名。
3. 再遍历users目录存在哪些用户,同理如果存在desktop目录创建用户名和desktop.txt。
4. 接下来就是遍历desktop目录所有文件以及文件夹内的文件。
/// <summary>
/// For every name in machine.txt that answers a ping, opens the \\name\c$
/// administrative share and records the full path and creation time of
/// every entry under it (files at the root, then every subtree except paths
/// containing "System Volume Information") to .\CInfos\name\cFiles.txt,
/// echoing each path to the console.
/// </summary>
/// <remarks>
/// Reaching \\name\c$ presumably requires local-administrator rights on each
/// target under the calling identity, and each visit is a remote SMB logon
/// plus share access on that host, once per listed machine. Error handling
/// is layered: a per-machine failure is printed in red and the while loop
/// moves on; a failure outside the loop (e.g. machine.txt missing) aborts
/// the method. The StreamReader is closed only on the success path. If no
/// machine was reachable, CFiles is still "" when the final message prints.
/// </remarks>
public static void C()
{
    try
    {
        string CFiles = "";
        // NOTE(review): not in a using block; it stays open if an exception
        // escapes the while loop below.
        StreamReader machine_name = new StreamReader(@"machine.txt");
        while (!machine_name.EndOfStream)
        {
            try
            {
                string machine = machine_name.ReadLine();
                if (IsMachineUp(machine))
                {
                    string currentpath = Directory.GetCurrentDirectory();
                    CFiles = currentpath + "\\CInfos";
                    Directory.CreateDirectory(CFiles);
                    Console.ForegroundColor = ConsoleColor.Yellow;
                    Console.WriteLine("[*]" + machine);
                    Console.ForegroundColor = ConsoleColor.White;
                    // Get the users directory (original comment) -- the path
                    // actually used is the root of the c$ administrative share.
                    string dpath = @"\\" + machine + @"\c$";
                    // d_list is never read. This call runs before the Exists
                    // check, so an unreachable share appears to fail here and
                    // is reported by the outer catch (Exception) below.
                    var d_list = Directory.EnumerateDirectories(dpath);
                    if (Directory.Exists(dpath))
                    {
                        // Create the machine-name folder.
                        string MachineFolder = CFiles + "\\" + machine;
                        Directory.CreateDirectory(MachineFolder);
                        // Create (truncate) the output text file.
                        string E_txt = MachineFolder + "\\cFiles.txt";
                        StreamWriter sw = File.CreateText(E_txt);
                        sw.Close();
                        try
                        {
                            // Files directly under the share root.
                            var files = Directory.GetFiles(dpath);
                            foreach (string file in files)
                            {
                                Console.WriteLine(file);
                                // Directory.GetCreationTime is applied to a file path here;
                                // ToString() without a format uses the current culture.
                                string create_time = Directory.GetCreationTime(file).ToString();
                                string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
                                // One open/append/close per entry.
                                File.AppendAllText(E_txt, writeFileTo);
                            }
                            var directorys = Directory.EnumerateDirectories(dpath);
                            foreach (string directory in directorys)
                            {
                                if (!directory.Contains("System Volume Information"))
                                {
                                    // Whole subtree, files and directories alike.
                                    string[] AllFiles = Directory.GetFileSystemEntries(directory, "*", SearchOption.AllDirectories);
                                    foreach (string file in AllFiles)
                                    {
                                        string create_time = Directory.GetCreationTime(file).ToString();
                                        Console.WriteLine(file);
                                        string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
                                        File.AppendAllText(E_txt, writeFileTo);
                                    }
                                }
                            }
                        }
                        catch (UnauthorizedAccessException ex)
                        {
                            // Access denied anywhere in this machine's walk abandons
                            // the rest of that machine; `continue` targets the while loop.
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine(ex.Message);
                            Console.ForegroundColor = ConsoleColor.White;
                            continue;
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                // Any other per-machine failure: report it and move to the next name.
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine(ex.Message);
                Console.ForegroundColor = ConsoleColor.White;
                continue;
            }
        }
        machine_name.Close();
        Console.WriteLine("[+]out put to:" + CFiles);
    }
    catch (Exception ex)
    {
        // Setup failure (e.g. machine.txt cannot be opened): report and give up.
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine("[-] error");
        Console.WriteLine("[-] Exception: " + ex.Message);
        Console.ForegroundColor = ConsoleColor.White;
        return;
    }
}
}
域内:
DomainInfo_Find.exe -d 192.168.52.138
域外:
DomainInfo_Find.exe -d 192.168.52.138 -u God\wangfly -p Wzh`password
Github地址:https://github.com/wangfly-me/DomainInfo_Find
原创投稿作者:[email protected]华东天勇战队