Created
May 28, 2020 12:51
-
-
Save RCStep/304ba63dae58d9d09e5f9b6b63ace260 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.DirectoryServices.ActiveDirectory; | |
| using System.Text.RegularExpressions; | |
| namespace SharpSniper | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { | |
| if (args.Length != 3 && args.Length != 1) | |
| { | |
| System.Console.WriteLine("\r\n\r\nSniper: Find hostname and IP address of specific user (CEO etc) in Domain (requires Domain Admin Rights or remote " + | |
| "DC event logs must be readable by your user."); | |
| System.Console.WriteLine("Usage:"); | |
| System.Console.WriteLine("Credentialed Auth: Sniper.exe TARGET_USERNAME DAUSER DAPASSWORD"); | |
| System.Console.WriteLine("Process Token Auth: Sniper.exe TARGET_USERNAME"); | |
| System.Environment.Exit(1); | |
| } | |
| string targetusername = String.Empty; | |
| string dauser = String.Empty; | |
| string dapass = String.Empty; | |
| bool credentialed = false; | |
| targetusername = args[0]; | |
| if (args.Length == 3) | |
| { | |
| credentialed = true; | |
| dauser = args[1]; | |
| dapass = args[2]; | |
| } | |
| string domain_name = DomainInformation.GetDomainOrWorkgroup(); | |
| try | |
| { | |
| Domain domain = Domain.GetCurrentDomain(); | |
| if (domain != null) | |
| { | |
| System.Console.WriteLine("Domain: " + domain_name + "\n"); | |
| } | |
| else | |
| { | |
| System.Console.WriteLine("Not Domain Joined"); | |
| } | |
| //System.Console.WriteLine("Domain: " + domain_name + "\n"); | |
| //Finds all of the discoverable domain controllers in this domain. | |
| List<string> dclist = new List<string>(); | |
| foreach (DomainController dc in domain.FindAllDiscoverableDomainControllers()) | |
| { | |
| dclist.Add(dc.Name); | |
| } | |
| if (dclist.Count != 0) | |
| { | |
| System.Console.WriteLine("DC Found: "); | |
| foreach (string dc in dclist) | |
| { | |
| System.Console.WriteLine(dc + ""); | |
| } | |
| } | |
| else | |
| { | |
| System.Console.WriteLine("No DCs Found"); | |
| } | |
| // Loop through domain controllers and find IP of targetuser logon | |
| foreach (string dcfound in dclist) | |
| { | |
| string target_hostname = string.Empty; | |
| System.Console.WriteLine("\nSearching DC: " + dcfound + "\n"); | |
| target_hostname = credentialed ? | |
| QueryDC.QueryRemoteComputer(targetusername, domain_name, dcfound, dauser, dapass) : | |
| QueryDC.QueryRemoteComputer(targetusername, domain_name, dcfound); | |
| Regex ip = new Regex(@"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"); | |
| MatchCollection result = ip.Matches(target_hostname); | |
| { | |
| if (result.Count != 0) | |
| { | |
| System.Console.WriteLine("Logon Events Found: "); | |
| Console.WriteLine("User: " + targetusername + " - " + "IP Address: " + result[0]); | |
| // Console.WriteLine("Data: " + target_hostname); | |
| } | |
| else | |
| { | |
| System.Console.WriteLine("No logon events found for User: " + targetusername); | |
| } | |
| } | |
| } | |
| System.Console.WriteLine("Done."); | |
| System.Environment.Exit(0); | |
| } | |
| catch (Exception ex) | |
| { | |
| System.Console.WriteLine(ex.ToString()); | |
| System.Environment.Exit(1); | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment