Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86369593

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking

0x00 前言在域滲透中,獲得了域控制器權限後,需要獲得域用戶的登錄信息,包括域用戶登錄的IP地址和登錄時間。通常使用的方法是查看域控制器的登錄日誌(Eventid=4624)。然而,人工從登錄日誌(Eventid=4624)中篩選出域用戶登錄的IP地址和登錄時間需要耗費大量時間,不僅無效數據多,而且需要多次判斷,所以我們需要編寫程序來實現這個功能。

在實際使用過程中,為了能夠適配多種環境,還需要支持本地和多種協議的遠程登錄。於是本文將要分享我的實現方法,開源兩個工具,記錄細節。

0x01 簡介本文將要介紹以下內容:

通過EventLogSession實現

通過WMI實現

開源代碼

0x02 通過EventLogSession實現通過查詢資料發現,通過EventLogSession不僅支持解析本地日誌內容,還支持通過RPC遠程解析日誌,下面介紹關於EventLogSession的開發細節

1.輸出Eventid=4624的日誌內容C Sharp實現代碼:

usingSystem;

usingSystem.Diagnostics.Eventing.Reader;

namespaceTest1

{

classProgram

{

staticvoidMain(string[]args)

{

varsession=newEventLogSession();

stringLogName='Security';

stringXPathQuery='*[System/EventID=4624]';

EventLogQueryeventLogQuery=newEventLogQuery(LogName,PathType.LogName,XPathQuery)

{

Session=session,

TolerateQueryErrors=true,

ReverseDirection=true

};

using(EventLogReadereventLogReader=newEventLogReader(eventLogQuery))

{

eventLogReader.Seek(System.IO.SeekOrigin.Begin,0);

do

{

EventRecordeventData=eventLogReader.ReadEvent();

if(eventData==null)

break;

Console.WriteLine(eventData.FormatDescription());

eventData.Dispose();

}while(true);

}

}

}

}以上代碼能夠查詢本地日誌並輸出日誌的完整內容

2.xml格式解析為了便於提取內容,可以選擇將輸出內容轉換為xml格式

關鍵代碼:

Console.WriteLine(eventData.ToXml());輸出內容示例:

image.png

從xml格式中,可直接提取出EventRecordID,關鍵代碼:

XmlDocumentxmldoc=newXmlDocument();

xmldoc.LoadXml(eventData.ToXml());

XmlNodeListrecordid=xmldoc.GetElementsByTagName('EventRecordID');

Console.WriteLine(recordid[0].InnerText);提取TargetUserName需要先取出Data的內容,再做一個篩選,關鍵代碼:

XmlNodeListdata=xmldoc.GetElementsByTagName('Data');

foreach(XmlNodevalueindata)

{

if(value.OuterXml.Contains('TargetUserName'))

{

Console.WriteLine(value.InnerText);

}

}這裡我們一共需要篩選出以下屬性:

TargetUserSid

TargetDomainName

TargetUserName

IpAddress

在做字符匹配時,由於格式固定,所以我們可以從固定偏移位置得到對應的屬性,避免多次判斷,提高查詢效率

關鍵代碼:

XmlNodeListdata=xmldoc.GetElementsByTagName('Data');

StringtargetUserSid=data[4].InnerText;

StringtargetDomainName=data[6].InnerText;

StringtargetUserName=data[5].InnerText;

StringipAddress=data[18].InnerText;3.篩選判斷條件為了篩選出有效登錄信息,這裡對targetUserSid和ipAddress的長度做了判斷,targetUserSid長度需要大於9,ipAddress長度需要大於8

關鍵代碼:

XmlNodeListdata=xmldoc.GetElementsByTagName('Data');

StringtargetUserSid=data[4].InnerText;

StringtargetDomainName=data[6].InnerText;

StringtargetUserName=data[5].InnerText;

StringipAddress=data[18].InnerText;

if(targetUserSid.Length9ipAddress.Length8)

{

Console.WriteLine(targetUserSid);

Console.WriteLine(targetDomainName);

Console.WriteLine(targetUserName);

Console.WriteLine(ipAddress);

}4.支持篩選指定時間內的日誌可以通過修改搜索條件實現,關鍵代碼:

stringXPathQuery='(Event/System/EventID=4624)andEvent/System/TimeCreated/@SystemTime='2022-01-26T02:30:39'andEvent/System/TimeCreated/@SystemTime='2022-01-26T02:30:39'andEvent/System/TimeCreated/@SystemTime=20210526ANDTimeGenerated=20210526ANDTimeGenerated=20220426';

ManagementScopes=newManagementScope('root\\CIMV2');

SelectQueryq=newSelectQuery(queryString);

ManagementObjectSearchermos=newManagementObjectSearcher(s,q);

intflagTotal=0;

intflagExist=0;

foreach(ManagementObjectoinmos.Get())

{

flagTotal++;

StringMessage=o.GetPropertyValue('Message').ToString();

intpos1=Message.LastIndexOf('SecurityID');

intpos2=Message.LastIndexOf('AccountName');

intpos3=Message.LastIndexOf('AccountDomain');

intpos4=Message.LastIndexOf('LogonID');

intpos5=Message.LastIndexOf('SourceNetworkAddress');

intpos6=Message.LastIndexOf('SourcePort');

intlength1=pos2-pos1-16;

intlength2=pos4-pos3-20;

intlength3=pos3-pos2-17;

intlength4=pos6-pos5-27;

if(length10||length20||length30||length40)

continue;

StringtargetUserSid=Message.Substring(pos1+14,length1);

StringtargetDomainName=Message.Substring(pos3+17,length2);

StringtargetUserName=Message.Substring(pos2+15,length3);

StringipAddress=Message.Substring(pos5+24,length4);

{

Console.WriteLine('[+]EventRecordID:'+o.GetPropertyValue('RecordNumber'));

Console.WriteLine('TimeCreated:'+o.GetPropertyValue('TimeGenerated'));

Console.WriteLine('UserSid:'+targetUserSid);

Console.WriteLine('DomainName:'+targetDomainName);

Console.WriteLine('UserName:'+targetUserName);

Console.WriteLine('IpAddress:'+ipAddress);

flagExist++;

}

}

Console.WriteLine('Total:'+flagTotal+',Exist:'+flagExist);

}

}

}5.支持遠程登錄關鍵代碼:

varopt=newConnectionOptions();

opt.Username='TEST\\Administrator';

opt.Password='Password@123';

ManagementScopes=newManagementScope('\\\\192.168.1.1\\root\\CIMV2',opt);將以上代碼整合,得出最終代碼,代碼已上傳至github,地址如下:

https://github.com/3gstudent/Homework-of-C-Sharp/blob/master/SharpGetUserLoginIPWMI.cs

代碼支持以下功能:

可使用csc.exe進行編譯,支持3.5和4.0

支持本地和遠程日誌解析,遠程日誌解析使用WMI方式

支持判斷條件,可篩選指定日期

自動提取信息:EventRecordID、TimeCreated、UserSid、DomainName、UserName和IpAddress

0x04 小結本文介紹了獲得域用戶登錄信息的實現細節,開源兩個工具SharpGetUserLoginIPRPC.cs和SharpGetUserLoginIPWMI.cs,在通信效率上,RPC要快於WMI。