// the host enumeration block we're using to enumerate all servers
private static IEnumerable <FoundFile> _Find_InterestingDomainShareFile(string[] ComputerName, string[] Include, string[] ExcludedShares, bool OfficeDocs, bool ExcludeHidden, bool FreshEXEs, bool CheckWriteAccess, DateTime?LastAccessTime, DateTime?LastWriteTime, DateTime?CreationTime, IntPtr TokenHandle)
{
var LogonToken = IntPtr.Zero;
if (TokenHandle != IntPtr.Zero)
{
// impersonate the the token produced by LogonUser()/Invoke-UserImpersonation
LogonToken = InvokeUserImpersonation.Invoke_UserImpersonation(new Args_Invoke_UserImpersonation
{
TokenHandle = TokenHandle,
Quiet = true
});
}
var FoundFiles = new List <FoundFile>();
foreach (var TargetComputer in ComputerName)
{
var SearchShares = new List <string>();
if (TargetComputer.StartsWith(@"\\"))
{
// if a share is passed as the server
SearchShares.Add(TargetComputer);
}
else
{
var Up = TestConnection.Ping(TargetComputer, 1);
if (Up)
{
// get the shares for this host and check what we find
var Shares = GetNetShare.Get_NetShare(new Args_Get_NetShare
{
ComputerName = new[] { TargetComputer }
});
foreach (var Share in Shares)
{
var ShareName = Share.Name;
var Path = @"\\" + TargetComputer + @"\" + ShareName;
// make sure we get a real share name back
if ((!string.IsNullOrEmpty(ShareName)) && (ShareName.Trim() != ""))
{
// skip this share if it's in the exclude list
if (!ExcludedShares.ContainsNoCase(ShareName))
{
// check if the user has access to this path
try
{
Directory.GetFiles(Path);
SearchShares.Add(Path);
}
catch
{
Logger.Write_Verbose($@"[!] No access to {Path}");
}
}
}
}
}
}
foreach (var Share in SearchShares)
{
Logger.Write_Verbose($@"Searching share: {Share}");
var SearchArgs = new Args_Find_InterestingFile
{
Path = new[] { Share },
Include = Include
};
if (OfficeDocs)
{
SearchArgs.OfficeDocs = OfficeDocs;
}
if (FreshEXEs)
{
SearchArgs.FreshEXEs = FreshEXEs;
}
if (LastAccessTime != null)
{
SearchArgs.LastAccessTime = LastAccessTime;
}
if (LastWriteTime != null)
{
SearchArgs.LastWriteTime = LastWriteTime;
}
if (CreationTime != null)
{
SearchArgs.CreationTime = CreationTime;
}
if (CheckWriteAccess)
{
SearchArgs.CheckWriteAccess = CheckWriteAccess;
}
FoundFiles.AddRange(Find_InterestingFile(SearchArgs));
}
}
if (TokenHandle != IntPtr.Zero)
{
InvokeRevertToSelf.Invoke_RevertToSelf(LogonToken);
}
return(FoundFiles);
}
public static IEnumerable <FoundFile> Find_InterestingFile(Args_Find_InterestingFile args = null)
{
if (args == null)
{
args = new Args_Find_InterestingFile();
}
if (args.OfficeDocs)
{
args.Include = new[] { ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx" };
}
else if (args.FreshEXEs)
{
// find .exe's accessed within the last 7 days
args.LastAccessTime = DateTime.Now.Date.AddDays(-7);
args.Include = new[] { ".exe" };
}
var FoundFiles = new List <FoundFile>();
var MappedComputers = new Dictionary <string, bool>();
foreach (var TargetPath in args.Path)
{
if ((TargetPath.IsRegexMatch(@"\\\\.*\\.*")) && (args.Credential != null))
{
var HostComputer = new System.Uri(TargetPath).Host;
if (!MappedComputers[HostComputer])
{
// map IPC$ to this computer if it's not already
AddRemoteConnection.Add_RemoteConnection(new Args_Add_RemoteConnection {
ComputerName = new[] { HostComputer }, Credential = args.Credential
});
MappedComputers[HostComputer] = true;
}
}
var files = PathExtension.GetDirectoryFiles(TargetPath, args.Include, SearchOption.AllDirectories);
//var files = Directory.EnumerateFiles(TargetPath, "*.*", SearchOption.AllDirectories)
// .Where(x => args.Include.EndsWith(x, StringComparison.OrdinalIgnoreCase));
foreach (var file in files)
{
var Continue = true;
// check if we're excluding hidden files
if (args.ExcludeHidden)
{
Continue = !File.GetAttributes(file).HasFlag(FileAttributes.Hidden);
}
// check if we're excluding folders
if (args.ExcludeFolders && Directory.Exists(file))
{
Logger.Write_Verbose($@"Excluding: {file}");
Continue = false;
}
if (args.LastAccessTime != null && (File.GetLastAccessTime(file) < args.LastAccessTime.Value))
{
Continue = false;
}
if (args.LastWriteTime != null && (File.GetLastWriteTime(file) < args.LastWriteTime.Value))
{
Continue = false;
}
if (args.CreationTime != null && (File.GetCreationTime(file) < args.CreationTime.Value))
{
Continue = false;
}
if (args.CheckWriteAccess && !Test_Write(file))
{
Continue = false;
}
if (Continue)
{
String owner;
try
{
owner = File.GetAccessControl(file).GetOwner(typeof(SecurityIdentifier)).Translate(typeof(System.Security.Principal.NTAccount)).Value;
}
catch {
owner = "Access was Denied";
}
DateTime lastAccessTime;
try
{
lastAccessTime = File.GetLastAccessTime(file);
}
catch { lastAccessTime = new DateTime(); }
DateTime lastWriteTime;
try
{
lastWriteTime = File.GetLastWriteTime(file);
} catch { lastWriteTime = new DateTime(); }
DateTime creationTime;
try
{
creationTime = File.GetCreationTime(file);
} catch { creationTime = new DateTime(); }
long length;
try
{
length = new FileInfo(file).Length;
}catch { length = 0; }
var FoundFile = new FoundFile
{
Path = file,
Owner = owner,
LastAccessTime = lastAccessTime,
LastWriteTime = lastWriteTime,
CreationTime = creationTime,
Length = length
};
FoundFiles.Add(FoundFile);
}
}
}
// remove the IPC$ mappings
foreach (var key in MappedComputers.Keys)
{
RemoveRemoteConnection.Remove_RemoteConnection(new Args_Remove_RemoteConnection {
ComputerName = new[] { key }
});
}
return(FoundFiles);
}
public static IEnumerable <FoundFile> Find_InterestingFile(Args_Find_InterestingFile args = null)
{
return(FindInterestingFile.Find_InterestingFile(args));
}
