##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
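# Post module: enumerate antivirus exclusions from the registry of a
# compromised Windows host.
#
# Paths, processes and extensions an AV product has been told to skip are
# exactly the places an operator can stage tooling without it being scanned,
# so this is reconnaissance for later payload placement. Everything is read
# from HKLM\SOFTWARE via the session's registry API; nothing is written.
class Metasploit3 < Msf::Post
  include Msf::Post::Windows::Registry

  # Display name and HKLM base key per supported product. Existence of the
  # base key is the only "installed" test performed (see av_installed?), so a
  # key left behind by an uninstalled product will still be reported.
  DEFENDER = 'Windows Defender'.freeze
  DEFENDER_BASE_KEY = 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender'.freeze
  ESSENTIALS = 'Microsoft Security Essentials / Antimalware'.freeze
  ESSENTIALS_BASE_KEY = 'HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware'.freeze
  SEP = 'Symantec Endpoint Protection (SEP)'.freeze
  SEP_BASE_KEY = 'HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection'.freeze

  # Exclusion categories shared by Defender and MSE/Antimalware, mapped from
  # the label used in output to the subkey under <base>\Exclusions. Each
  # exclusion is stored as a value *name* under that subkey, so enumerating
  # value names yields the exclusion list.
  MICROSOFT_EXCLUSION_SUBKEYS = {
    'extension' => 'Extensions',
    'path' => 'Paths',
    'process' => 'Processes'
  }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Antivirus Exclusions Enumeration',
        'Description' => %q(
          This module will enumerate the file, directory, process and
          extension-based exclusions from supported AV products, which
          currently includes Microsoft Defender, Microsoft Security
          Essentials/Antimalware, and Symantec Endpoint Protection.
        ),
        'License' => MSF_LICENSE,
        'Author' => [
          'Andrew Smith', # original metasploit module
          'Jon Hart <jon_hart[at]rapid7.com>' # improved metasploit module
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ]
      )
    )

    # One switch per product; setup rejects the configuration where all three
    # are false.
    register_options(
      [
        OptBool.new('DEFENDER', [true, 'Enumerate exclusions for Microsoft Defender', true]),
        OptBool.new('ESSENTIALS', [true, 'Enumerate exclusions for Microsoft Security Essentials/Antimalware', true]),
        OptBool.new('SEP', [true, 'Enumerate exclusions for Symantec Endpoint Protection (SEP)', true])
      ]
    )
  end

  # True when +base_key+ exists, in which case +product+ is reported as found.
  #
  # @param base_key [String] HKLM key whose presence indicates the product
  # @param product [String] display name used in the "Found ..." message
  # @return [Boolean]
  def av_installed?(base_key, product)
    return false unless registry_key_exist?(base_key)

    print_good("Found #{product}")
    true
  end

  # Enumerate SEP directory exclusions.
  #
  # SEP keeps each excluded directory as its own subkey, carrying a
  # DirectoryName value, under two branches: ...\Directory\Admin and
  # ...\Directory\Client. Both are walked and every path is tagged with the
  # branch it came from. (The Admin/Client split presumably separates
  # centrally managed from locally configured exclusions -- confirm against
  # SEP documentation before relying on that reading.)
  #
  # Fix: the original assigned the Client key to admin_exclusion_key a second
  # time and then referenced an undefined client_exclusion_key, so the Admin
  # branch was silently replaced by Client and the Client loop raised
  # NameError.
  def excluded_sep
    base_exclusion_key = "#{SEP_BASE_KEY}\\Exclusions\\ScanningEngines\\Directory"
    branches = {
      'admin' => "#{base_exclusion_key}\\Admin",
      'client' => "#{base_exclusion_key}\\Client"
    }

    paths = branches.flat_map { |origin, key| sep_directory_exclusions(key, origin) }
    print_exclusions_table(SEP, 'path', paths)
  end

  # Collect "<DirectoryName> (<origin>)" for every subkey under +key+.
  #
  # registry_enumkeys returns nil when the key is missing or unreadable; that
  # is treated as "no entries". Subkeys whose DirectoryName is missing or
  # empty are skipped rather than raising on nil concatenation.
  #
  # @param key [String] Admin or Client branch key
  # @param origin [String] label appended to each path
  # @return [Array<String>]
  def sep_directory_exclusions(key, origin)
    subkeys = registry_enumkeys(key) || []
    subkeys.each_with_object([]) do |subkey, paths|
      directory = registry_getvaldata("#{key}\\#{subkey}", 'DirectoryName')
      paths << "#{directory} (#{origin})" unless directory.blank?
    end
  end

  # Enumerate extension, path and process exclusions for Windows Defender.
  def excluded_defender
    excluded_microsoft(DEFENDER, DEFENDER_BASE_KEY)
  end

  # Enumerate extension, path and process exclusions for Microsoft Security
  # Essentials / Antimalware.
  def excluded_mssec
    excluded_microsoft(ESSENTIALS, ESSENTIALS_BASE_KEY)
  end

  # Shared walker for the two Microsoft products, which use the same
  # <base>\Exclusions\{Extensions,Paths,Processes} layout. Tables are printed
  # in the order given by MICROSOFT_EXCLUSION_SUBKEYS.
  #
  # NOTE(review): only the product's own key is read. Exclusions pushed by
  # policy may live under a separate Policies key and would not show up here;
  # confirm before treating an empty table as "no exclusions".
  #
  # @param product [String] display name
  # @param base_key [String] product base key under HKLM
  def excluded_microsoft(product, base_key)
    MICROSOFT_EXCLUSION_SUBKEYS.each do |exclusion_type, subkey|
      exclusions = registry_enumvals("#{base_key}\\Exclusions\\#{subkey}")
      print_exclusions_table(product, exclusion_type, exclusions)
    end
  end

  # Print one table of exclusions, or a status line when there are none.
  #
  # A nil +exclusions+ (key absent, or read denied by the session's
  # privileges) is indistinguishable from an empty list here, so "No ...
  # exclusions" can be a false negative when the key simply could not be read.
  #
  # @param product [String] display name used in the header
  # @param exclusion_type [String] singular label ('path', 'process', ...)
  # @param exclusions [Array<String>, nil] raw entries; nils and blanks dropped
  def print_exclusions_table(product, exclusion_type, exclusions)
    entries = (exclusions || []).compact.reject { |e| e.blank? }
    if entries.empty?
      print_status("No #{exclusion_type} exclusions for #{product}")
      return
    end

    table = Rex::Ui::Text::Table.new(
      'Header' => "#{product} excluded #{exclusion_type.pluralize}",
      'Indent' => 1,
      'Columns' => [ exclusion_type.capitalize ]
    )
    entries.each { |entry| table << [entry] }
    print_line(table.to_s)
  end

  # Validate the session and options before run.
  #
  # From a 32-bit process on 64-bit Windows, HKLM\SOFTWARE reads are subject
  # to WOW64 registry redirection and would miss the product keys queried
  # here, so the module refuses to run rather than report "no AV".
  def setup
    if sysinfo['Architecture'] =~ /WOW64/
      fail_with(Failure::BadConfig, 'You are running this module from a 32-bit process on a 64-bit machine. ' \
        'Migrate to a 64-bit process and try again')
    end

    unless datastore['DEFENDER'] || datastore['ESSENTIALS'] || datastore['SEP']
      fail_with(Failure::BadConfig, 'Must set one or more of DEFENDER, ESSENTIALS or SEP to true')
    end
  end

  # Entry point: for each enabled product whose base key exists, enumerate and
  # print its exclusions. Reports an error if nothing was found.
  def run
    print_status("Enumerating Excluded Paths for AV on #{sysinfo['Computer']}")

    products = [
      ['DEFENDER', DEFENDER_BASE_KEY, DEFENDER, :excluded_defender],
      ['ESSENTIALS', ESSENTIALS_BASE_KEY, ESSENTIALS, :excluded_mssec],
      ['SEP', SEP_BASE_KEY, SEP, :excluded_sep]
    ]

    found = false
    products.each do |option, base_key, product, enumerator|
      # av_installed? is only consulted when the option is on, so disabled
      # products are never reported as found.
      next unless datastore[option] && av_installed?(base_key, product)

      found = true
      send(enumerator)
    end

    print_error "No supported AV identified" unless found
  end
end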