shadowbrokers-exploits/windows/Resources/Ep/Scripts/mapport.eps

287 lines
6.5 KiB
PostScript
Raw Normal View History

#--------------------------------------------------------
# File: mapport.eps
#
# portmap using available data from ps and netstat
# does not work on Win2k. Only checks TCP connections
#
# Version 1 - 2008, 20 Oct
#--------------------------------------------------------
@include "_GenericFunctions.epm";
@include "_GetSystemPaths.epm";
@include "_GetDirectory.epm";
@case-sensitive off;
@echo off;
#-----------------------------------------------------
# Variable Init
#-----------------------------------------------------
bool $do_query = false;
if ($argc > 2) {
showusage();
}
else {
if ($argc == 2) {
if ($argv[1] == "-detail") {
$do_query = true;
}
else {
showusage();
return true;
}
}
#-------- Check to see if it is XP or 2003 ------------
@echo off;
@record on;
ifnot (`machineinfo`) {
echo "machineinfo command failed.";
return false;
}
else {
string $os_version = GetCmdData("os_version");
@record off;
if ($os_version != "5.1" && $os_version != "5.2") {
echo "This only runs on WinXP or Win2k3";
echo "This is Windows $os_version";
return false;
}
string $scriptsDir;
_GetEPScriptsPath($scriptsDir);
string $rootDir;
string $systemDir;
_GetSystemPaths($rootDir, $systemDir);
# -------- Define where the text file is for the queries ---------------
string $dir = GetCmdData("dir");
string $macFile = "tcp_ports.txt";
string $fileDir = "$dir\\$macFile";
int $numLines;
string $line_broken;
string $port_query;
bool $retVal;
int $todo = 0;
int $i= 0;
int $sizeofi = 0;
int $n = 0;
int $portline = $i;
int $portoffset = 1;
int $pidline = $i;
int $pidoffset = 4;
string $listenportarray;
string $pidarray = "pid";
string $portarray = "port";
string $temp = "";
# -------------- run netstat amd record it ------------
@echo off;
@record on;
$retVal = `run -command "netstat -anop tcp" -redirect`;
@record off;
if ($retVal == false ) {
echo "ERROR: netstat -anop tcp failed to run";
echo "Exiting...";
return false;
}
# ------ "output" is magic word to get raw output from this command.
# This is because there is no XML description for how to read the data
string $netstatoutput = GetCmdData("output");
# ----------- Break apart netstat into pieces -----------
# The entire output is broken by spaces, which mean more processing later.
string $linebroken = Split(" ", $netstatoutput);
string $lines;
string $cleanbreak;
$i= 0;
$sizeofi = 0;
#----------- Sort thru the pieces, cutting out the blank ones ----
foreach $lines ($linebroken) {
if ($lines != "") {
# echo "$i : $lines";
$cleanbreak[$i] = $lines;
$i++;
}
$sizeofi = $i;
}
echo " ";
echo "PROCESS | PORT | PID";
echo "----------------------------------------";
# After the output is read in from the netstat command, we need to convert it
# to useful info, this next loop cuts the listen port out of the netstat output
# This is where the real data starts, element 9, so start the index there
$i = 9;
while ($i < $sizeofi) {
# -------- EP makes me do each math operation seperatly... ------
$portline = $i;
$portline += $portoffset;
$pidline = $i;
$pidline += $pidoffset;
$listenportarray = Split(":", $cleanbreak[$portline]);
# ------- Create the arrays with a common index, n
$pidarray[$n] = $cleanbreak[$pidline];
$portarray[$n] = $listenportarray[1];
$n++;
# ------- netstat gives us 5 columns each prog, so jump to the next set
$i += 5;
}
# ---- Next, we grab the process list -----------
@record on;
$retVal = `processlist`;
@record off;
@echo on;
# ---- processlist has real XML already, so no need to do hacky breakout of raw data
string $processnames = GetCmdData("name");
int $processpids = GetCmdData("id");
int $pidlines;
string $tempint;
string $tempstring;
$sizeofi = sizeof($processpids);
$i = 0;
int $search_num = 0;
bool $querystatus;
while ($i < $sizeofi) {
$search_num = 0;
while ($search_num < $n) {
# ----- each pid has a newline at the end, so I have to split it and take the first part ---
$tempstring = Split("\n", $pidarray[$search_num]);
$tempint = $tempstring[0];
if ($processpids[$i] == <int>$tempint) {
echo "$processnames[$i] \tTCP:$portarray[$search_num] \t (PID $processpids[$i])";
if ($do_query == true) {
$querystatus = showportquery( <string>$portarray[$search_num] );
if ($querystatus == false) {
$do_query = false;
}
echo "";
}
}
$search_num++;
}
$i++;
}
return true;
}
}
sub showusage ()
{
echo "Map Port:";
echo "------------------------------------------------------- ";
echo " Attempts to associate a Process - Port - PID, like the program portmap ";
echo " Works on Windows XP or 2003.";
echo " -detail provides information about the nature of why a port may be open";
echo "";
echo "Usage: mapport [no file arguments]";
echo " or mapport -detail";
echo " ";
return true;
}
sub showportquery (IN string $port_query)
{
string $scriptsDir;
_GetEPScriptsPath($scriptsDir);
string $rootDir;
string $systemDir;
_GetSystemPaths($rootDir, $systemDir);
string $dir = GetCmdData("dir");
string $macFile = "tcp_ports.txt";
string $fileDir = "$dir\\$macFile";
int $numLines;
string $line_broken;
int $portquery_loop = 0;
string $lines;
if(ReadFile($fileDir, $lines)){
int $foundsomething = 0;
string $line;
foreach $line ($lines) {
$line_broken = Split("\t", $line);
# ------ Line broken columns -------------------
# line_broken[0] = port
# line_broken[1] = protocol
# line_broken[2] = known program
# line_broken[3] = description
# line_broken[4] = confidence
if ($line_broken[0] == $port_query) {
echo " $port_query:$line_broken[3]";
$foundsomething++;
}
}
if($foundsomething == 0) {
#---------This is to display a error instead of no results ----------
echo " $port_query: Nothing matched";
return true;
}
}
else {
# -----If the file doesn't open, give a useful error -------
echo "ERROR: Port list file not found";
echo "File: $macFile";
echo "File Directory is: $fileDir";
echo "File expected to be at D:\\OPSDisk\\Resources\\EP\\Scripts\\tcp_ports.txt";
return false;
}
return true;
}