diff --git a/payloads/library/recon/VulnerabilityScanner/VulnerabilityScanner.txt b/payloads/library/recon/VulnerabilityScanner/VulnerabilityScanner.txt new file mode 100644 index 0000000..f7893f6 --- /dev/null +++ b/payloads/library/recon/VulnerabilityScanner/VulnerabilityScanner.txt @@ -0,0 +1,629 @@ +REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +REM %%%%%%%%%%%%%% Title: VulnerabilityScanner %%%%%%%%%%%%%% +REM %%%%%%%%%%%%%% Author: Github.com/MarkCyber %%%%%%%%%%%%%% +REM %%%%%%%%%%%%%% Description: This script scans for vulnerabilities %%%%%%%%%%%%%% +REM %%%%%%%%%%%%%% Target: Windows machines with admin access %%%%%%%%%%%%%% +REM %%%%%%%%%%%%%% Category: Recon %%%%%%%%%%%%%% +REM %%%%%%%%%%%%%% This script requires a secondary USB named "MYUSB" to save credentials to %%%%%%%%%%%%%% +REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +DELAY 1000 +REM Open Start Menu +CONTROL ESCAPE +DELAY 2000 +STRING powershell +REM Navigate to the context menu to run PowerShell as an administrator +DELAY 500 +RIGHTARROW +DELAY 100 +DOWNARROW +DELAY 100 +ENTER +DELAY 3000 +ALT Y +DELAY 5000 +REM Set PowerShell Execution Policy to Bypass +DELAY 1000 +STRING set-executionpolicy bypass -scope process -force +DELAY 200 +ENTER +DELAY 200 +REM Create the PowerShell script in memory and execute it +DELAY 200 +STRING $usbName = "MYUSB" +DELAY 200 +ENTER +DELAY 200 +STRING $usbDrive = Get-WmiObject Win32_Volume | Where-Object { $_.Label -eq $usbName } | Select-Object -ExpandProperty DriveLetter +DELAY 200 +ENTER +DELAY 200 +STRING if ($usbDrive) { +DELAY 200 +ENTER +DELAY 200 +STRING $owner = (Get-WmiObject Win32_ComputerSystem).UserName +DELAY 200 +ENTER +DELAY 200 +STRING $directoryPath = Join-Path -Path $usbDrive -ChildPath $owner +DELAY 200 +ENTER +DELAY 200 +STRING New-Item -ItemType Directory -Path $directoryPath +DELAY 200 +ENTER +DELAY 200 +STRING $resultsFilePath = Join-Path -Path $directoryPath -ChildPath "results.txt" +DELAY 200 +ENTER +DELAY 200 +STRING "" > $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +STRING function check-passwordpolicy { +DELAY 200 +ENTER +DELAY 200 +STRING try { +DELAY 200 +ENTER +DELAY 200 +STRING net accounts +DELAY 200 +ENTER +DELAY 200 +STRING } catch { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error checking password policy: $_" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING function audit-services { +DELAY 200 +ENTER +DELAY 200 +STRING try { +DELAY 200 +ENTER +DELAY 200 +STRING get-service | select-object name, displayname, status, starttype +DELAY 200 +ENTER +DELAY 200 +STRING } catch { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error auditing services: $_" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING function check-networksettings { +DELAY 200 +ENTER +DELAY 200 +STRING try { +DELAY 200 +ENTER +DELAY 200 +STRING get-netipconfiguration +DELAY 200 +ENTER +DELAY 200 +STRING } catch { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error checking network settings: $_" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING function check-softwarevulnerabilities { +DELAY 200 +ENTER +DELAY 200 +STRING try { +DELAY 200 +ENTER +DELAY 200 +STRING get-itemproperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | select-object displayname, displayversion, publisher +DELAY 200 +ENTER +DELAY 200 +STRING } catch { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error checking software vulnerabilities: $_" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING function check-cve { +DELAY 200 +ENTER +DELAY 200 +STRING param ( +DELAY 200 +ENTER +DELAY 200 +STRING [string]$productname, +DELAY 200 +ENTER +DELAY 200 +STRING [string]$version +DELAY 200 +ENTER +DELAY 200 +STRING ) +DELAY 200 +ENTER +DELAY 200 +STRING $initialDelay = 2 +DELAY 200 +ENTER +DELAY 200 +STRING try { +DELAY 200 +ENTER +DELAY 200 +STRING $uri = "https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=$productname+$version" +DELAY 200 +ENTER +DELAY 200 +STRING start-sleep -seconds $initialDelay +DELAY 200 +ENTER +DELAY 200 +STRING $response = invoke-restmethod -uri $uri -method get +DELAY 200 +ENTER +DELAY 200 +STRING if ($response.totalresults -gt 0) { +DELAY 200 +ENTER +DELAY 200 +STRING foreach ($cve in $response.result.cve_items) { +DELAY 200 +ENTER +DELAY 200 +STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } else { +DELAY 200 +ENTER +DELAY 200 +STRING "no cves found for $productname $version" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } catch { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error checking CVEs: $_" +DELAY 200 +ENTER +DELAY 200 +STRING if ($_.Exception -match '403') { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "403 Forbidden error encountered. Retrying in 60 seconds..." +DELAY 200 +ENTER +DELAY 200 +STRING start-sleep -seconds 60 +DELAY 200 +ENTER +DELAY 200 +STRING $retryResponse = invoke-restmethod -uri $uri -method get +DELAY 200 +ENTER +DELAY 200 +STRING if ($retryResponse.totalresults -gt 0) { +DELAY 200 +ENTER +DELAY 200 +STRING foreach ($cve in $retryResponse.result.cve_items) { +DELAY 200 +ENTER +DELAY 200 +STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } else { +DELAY 200 +ENTER +DELAY 200 +STRING "no cves found for $productname $version" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING function analyze-logs { +DELAY 200 +ENTER +DELAY 200 +STRING try { +DELAY 200 +ENTER +DELAY 200 +STRING get-eventlog -logname system -newest 100 +DELAY 200 +ENTER +DELAY 200 +STRING } catch { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error analyzing logs: $_" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING function check-openports { +DELAY 200 +ENTER +DELAY 200 +STRING try { +DELAY 200 +ENTER +DELAY 200 +STRING netstat -an +DELAY 200 +ENTER +DELAY 200 +STRING } catch { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error checking open ports: $_" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING function check-missingupdates { +DELAY 200 +ENTER +DELAY 200 +STRING try { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Checking Windows Update logs..." +DELAY 200 +ENTER +DELAY 200 +STRING $updateLogPath = Join-Path -Path $directoryPath -ChildPath "WindowsUpdate.log" +DELAY 200 +ENTER +DELAY 200 +STRING Get-WindowsUpdateLog -LogPath $updateLogPath +DELAY 200 +ENTER +DELAY 200 +STRING write-output "WindowsUpdate.log written to $updateLogPath" +DELAY 200 +ENTER +DELAY 200 +STRING Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Temp\WindowsUpdateLog\*" -Recurse -Force +DELAY 200 +ENTER +DELAY 200 +STRING } catch { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error getting Windows Update log: $_" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING function check-firewallstatus { +DELAY 200 +ENTER +DELAY 200 +STRING try { +DELAY 200 +ENTER +DELAY 200 +STRING netsh advfirewall show allprofiles +DELAY 200 +ENTER +DELAY 200 +STRING } catch { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error checking firewall status: $_" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING function check-smbv1status { +DELAY 200 +ENTER +DELAY 200 +STRING try { +DELAY 200 +ENTER +DELAY 200 +STRING get-windowsoptionalfeature -online -featurename smb1protocol +DELAY 200 +ENTER +DELAY 200 +STRING } catch { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error checking SMBv1 status: $_" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING function check-antivirusstatus { +DELAY 200 +ENTER +DELAY 200 +STRING try { +DELAY 200 +ENTER +DELAY 200 +STRING get-mpcomputerstatus +DELAY 200 +ENTER +DELAY 200 +STRING } catch { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error checking antivirus status: $_" +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING check-passwordpolicy >> $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +STRING audit-services >> $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +STRING check-networksettings >> $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +STRING check-softwarevulnerabilities >> $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +STRING analyze-logs >> $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +STRING check-openports >> $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +STRING check-missingupdates >> $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +STRING check-firewallstatus >> $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +STRING check-smbv1status >> $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +STRING check-antivirusstatus >> $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +REM Dynamically identify critical software from running processes and scheduled tasks +STRING $runningSoftware = Get-Process | Select-Object Name | Sort-Object Name -Unique +DELAY 200 +ENTER +DELAY 200 +STRING $scheduledTasks = schtasks /query /fo CSV | ConvertFrom-Csv | Select-Object TaskName, TaskToRun | Sort-Object TaskToRun -Unique +DELAY 200 +ENTER +DELAY 200 +REM Combine running software and scheduled tasks +STRING $softwareList = @() +DELAY 200 +ENTER +DELAY 200 +STRING foreach ($process in $runningSoftware) { +DELAY 200 +ENTER +DELAY 200 +STRING $softwareList += $process.Name +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING foreach ($task in $scheduledTasks) { +DELAY 200 +ENTER +DELAY 200 +STRING $softwareList += [System.IO.Path]::GetFileNameWithoutExtension($task.TaskToRun) +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +REM Remove duplicates and empty entries +STRING $softwareList = $softwareList | Sort-Object -Unique | Where-Object { $_ -ne "" } +DELAY 200 +ENTER +DELAY 200 +REM Check CVEs for identified software +STRING foreach ($software in $softwareList) { +DELAY 200 +ENTER +DELAY 200 +STRING $version = (Get-ItemProperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | Where-Object { $_.DisplayName -eq $software }).DisplayVersion +DELAY 200 +ENTER +DELAY 200 +STRING if ($version) { +DELAY 200 +ENTER +DELAY 200 +STRING check-cve -productname $software -version $version >> $resultsFilePath +DELAY 200 +ENTER +DELAY 200 +STRING $initialDelay += (Get-Random -Minimum 5 -Maximum 10) +DELAY 200 +ENTER +DELAY 200 +STRING start-sleep -seconds $initialDelay +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Results saved to USB drive." +DELAY 200 +ENTER +DELAY 200 +STRING } else { +DELAY 200 +ENTER +DELAY 200 +STRING write-output "Error: USB drive MYUSB not found." +DELAY 200 +ENTER +DELAY 200 +STRING } +DELAY 200 +ENTER +DELAY 200 +STRING invoke-command -scriptblock $script +DELAY 200 +ENTER +DELAY 20000