SharpGetUserLoginIPRPC.cs
using System;
using System.Diagnostics.Eventing.Reader;
using System.Xml;
using System.Security;
namespace SharpGetUserLoginIPRPC
{
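/// <summary>
/// Console tool that reads logon events (Event ID 4624) from the Security
/// event log, locally or from a remote host, and prints the target account
/// and source IP address recorded in each matching event.
/// </summary>
/// <remarks>
/// The remote target syntax carries the account password on the command line.
/// Command-line arguments are visible to process listings and to any
/// process-creation auditing on the host where this runs, and the value is held
/// in an ordinary managed string before it reaches <see cref="SecureString"/>,
/// so the SecureString wrapper gives little real protection here. The password
/// is therefore never written back to the console.
/// </remarks>
class Program
{
    // Positions of the fields this tool reads inside the event's <Data> elements.
    private const int TargetUserSidIndex = 4;
    private const int TargetUserNameIndex = 5;
    private const int TargetDomainNameIndex = 6;
    private const int IpAddressIndex = 18;

    // Smallest <Data> count for which every index above is valid.
    private const int MinDataCount = IpAddressIndex + 1;

    /// <summary>
    /// Prints the built-in help text (build commands, argument syntax, examples).
    /// </summary>
    static void ShowUsage()
    {
        String Usage = @"
SharpGetUserLoginIPRPC
Use RPC to get the login IP of domain users through the event log.
Support local and remote access
Complie:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SharpGetUserLoginIPRPC.cs
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpGetUserLoginIPRPC.cs
Usage:
SharpGetUserLoginIPRPC <target> <query>
target:
- localhost
- domain\username:password@server
query:
- all
- Event/System/TimeCreated/@SystemTime>='2022-01-01T00:00:00'
Eg:
SharpGetUserLoginIPRPC.exe localhost all
SharpGetUserLoginIPRPC.exe test.com\administrator:password@123@192.168.1.1 ""Event/System/TimeCreated/@SystemTime >= '2022-01-26T02:30:39' and Event/System/TimeCreated/@SystemTime <= '2022-01-26T02:31:00'""
";
        Console.WriteLine(Usage);
    }

    /// <summary>
    /// Parses a <c>domain\username:password@server</c> target and opens an
    /// authenticated event-log session to that server.
    /// </summary>
    /// <param name="target">The raw first command-line argument.</param>
    /// <returns>An open session; the caller is responsible for disposing it.</returns>
    /// <exception cref="ArgumentException">
    /// The target does not contain the separators in the expected order, or the
    /// server part is empty. The message never includes the target itself,
    /// because the target contains the password.
    /// </exception>
    private static EventLogSession OpenRemoteSession(string target)
    {
        int slashPos = target.IndexOf('\\');
        int colonPos = slashPos < 0 ? -1 : target.IndexOf(':', slashPos + 1);
        // Last '@' so that passwords containing '@' (as in the usage example) still parse.
        int atPos = target.LastIndexOf('@');

        if (slashPos < 0 || colonPos < 0 || atPos <= colonPos || atPos == target.Length - 1)
        {
            throw new ArgumentException(
                "Invalid target. Expected localhost or domain\\username:password@server");
        }

        string domain = target.Substring(0, slashPos);
        string username = target.Substring(slashPos + 1, colonPos - slashPos - 1);
        string password = target.Substring(colonPos + 1, atPos - colonPos - 1);
        string server = target.Substring(atPos + 1);

        Console.WriteLine("[*] Try to query remote eventlog");
        Console.WriteLine(" Domain : " + domain);
        Console.WriteLine(" Username : " + username);
        // Do not echo the credential: console output is routinely captured in
        // transcripts, redirected files and remote shells.
        Console.WriteLine(" Password : <redacted>");
        Console.WriteLine(" Server : " + server);

        SecureString securePwd = new SecureString();
        foreach (char c in password)
        {
            securePwd.AppendChar(c);
        }
        securePwd.MakeReadOnly();

        return new EventLogSession(server, domain, username, securePwd, SessionAuthentication.Negotiate);
    }

    /// <summary>
    /// Entry point. Expects exactly two arguments: the target (<c>localhost</c>
    /// or a remote credential string) and the query (<c>all</c> or an extra
    /// XPath condition that is AND-ed with the Event ID 4624 filter).
    /// </summary>
    /// <param name="args">Command-line arguments.</param>
    static void Main(String[] args)
    {
        if (args.Length != 2)
        {
            ShowUsage();
            System.Environment.Exit(0);
        }

        EventLogSession session = null;
        try
        {
            if (args[0] == "localhost")
            {
                Console.WriteLine("[*] Try to query local eventlog");
                session = new EventLogSession();
            }
            else
            {
                session = OpenRemoteSession(args[0]);
            }

            // The operator-supplied condition is appended verbatim; it is the
            // operator's own query, so no escaping is applied.
            string queryPath = "(Event/System/EventID=4624)";
            if (args[1] != "all")
            {
                queryPath += " and " + args[1];
            }
            Console.WriteLine("[*] Try to query: " + queryPath);

            EventLogQuery eventLogQuery = new EventLogQuery("Security", PathType.LogName, queryPath)
            {
                Session = session,
                TolerateQueryErrors = true,
                ReverseDirection = true
            };

            int flagTotal = 0;
            int flagExist = 0;
            using (EventLogReader eventLogReader = new EventLogReader(eventLogQuery))
            {
                eventLogReader.Seek(System.IO.SeekOrigin.Begin, 0);
                while (true)
                {
                    // 'using' releases the record handle even if parsing throws.
                    using (EventRecord eventData = eventLogReader.ReadEvent())
                    {
                        if (eventData == null)
                        {
                            break;
                        }
                        flagTotal++;

                        XmlDocument xmldoc = new XmlDocument();
                        xmldoc.LoadXml(eventData.ToXml());
                        XmlNodeList recordid = xmldoc.GetElementsByTagName("EventRecordID");
                        XmlNodeList data = xmldoc.GetElementsByTagName("Data");

                        // XmlNodeList returns null for an out-of-range index, so a
                        // record with an unexpected layout would otherwise abort the
                        // whole run with a NullReferenceException. Skip it instead.
                        if (data.Count < MinDataCount || recordid.Count == 0)
                        {
                            continue;
                        }

                        string targetUserSid = data[TargetUserSidIndex].InnerText;
                        string targetDomainName = data[TargetDomainNameIndex].InnerText;
                        string targetUserName = data[TargetUserNameIndex].InnerText;
                        string ipAddress = data[IpAddressIndex].InnerText;

                        // Length thresholds kept from the original; presumably they drop
                        // short well-known SIDs and empty/placeholder addresses such as "-".
                        if (targetUserSid.Length > 9 && ipAddress.Length > 8)
                        {
                            Console.WriteLine("[+] EventRecordID: " + recordid[0].InnerText);
                            Console.WriteLine(" TimeCreated : " + eventData.TimeCreated);
                            Console.WriteLine(" UserSid: " + targetUserSid);
                            Console.WriteLine(" DomainName: " + targetDomainName);
                            Console.WriteLine(" UserName: " + targetUserName);
                            Console.WriteLine(" IpAddress: " + ipAddress);
                            flagExist++;
                        }
                    }
                }
                Console.WriteLine("Total: " + flagTotal + ", Exist: " + flagExist);
            }
        }
        catch (Exception e)
        {
            Console.WriteLine("[!] ERROR: {0}", e);
        }
        finally
        {
            // Close the (possibly remote, authenticated) session on every path.
            if (session != null)
            {
                session.Dispose();
            }
        }
    }
}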
}