Simplify AV enumeration code

bug/bundler_fix
Jon Hart 2015-12-04 10:27:14 -08:00
parent 28ee056c32
commit 1968a76863
No known key found for this signature in database
GPG Key ID: 2FA9F0A3AFA8E9D3
1 changed files with 12 additions and 32 deletions


@ -28,43 +28,23 @@ class Metasploit3 < Msf::Post
register_options( register_options(
[ [
OptBool.new('DEFENDER', [true, 'Enumerate exclusions for Microsoft Defener', true]), OptBool.new('DEFENDER', [true, 'Enumerate exclusions for Microsoft Defener', true]),
OptBool.new('ESSENTIALS', [true, 'Enumerate exclusions for Microsoft Security Essentials', true]), OptBool.new('ESSENTIALS', [true, 'Enumerate exclusions for Microsoft Security Essentials/Antimalware', true]),
OptBool.new('SEP', [true, 'Enumerate exclusions for Symantec Endpoint Protection (SEP)', true]) OptBool.new('SEP', [true, 'Enumerate exclusions for Symantec Endpoint Protection (SEP)', true])
] ]
) )
end end
def enum_mssec DEFENDER_BASE_KEY = 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender'
if registry_enumkeys("HKLM\\SOFTWARE\\Microsoft").include?("Microsoft Antimalware") ESSENTIALS_BASE_KEY = 'HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware'
print_status "MS Security Essentials Identified" SEP_BASE_KEY = 'HKLM\\SOFTWARE\\Symantec\\Symantec Endpoint Protection'
return true
else
return false
end
rescue
return false
end
def enum_defender def av_installed?(base_key, product)
if registry_enumkeys("HKLM\\SOFTWARE\\Microsoft").include?("Windows Defender") if registry_key_exist?(base_key)
print_status "Windows Defender Identified" print_status("Found #{product}")
return true true
else else
return false false
end end
rescue
return false
end
def enum_sep
if registry_enumkeys("HKLM\\SOFTWARE\\Symantec").include?("Symantec Endpoint Protection")
print_status "SEP Identified"
return true
else
return false
end
rescue
return false
end end
def excluded_sep def excluded_sep
@ -130,15 +110,15 @@ class Metasploit3 < Msf::Post
print_status("Enumerating Excluded Paths for AV on #{sysinfo['Computer']}") print_status("Enumerating Excluded Paths for AV on #{sysinfo['Computer']}")
found = false found = false
if datastore['DEFENDER'] && enum_defender if datastore['DEFENDER'] && av_installed?(DEFENDER_BASE_KEY, 'Microsoft Defender')
found = true found = true
excluded_defender excluded_defender
end end
if datastore['ESSENTIALS'] && enum_mssec if datastore['ESSENTIALS'] && av_installed?(ESSENTIALS_BASE_KEY, 'Microsoft Security Essentials / Antimalware')
found = true found = true
excluded_mssec excluded_mssec
end end
if datastore['SEP'] && enum_sep if datastore['SEP'] && av_installed?(SEP_BASE_KEY, 'Symantec Endpoint Protection')
found = true found = true
excluded_sep excluded_sep
end end
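Review bot: The new `av_installed?` in the first hunk drops the `rescue` that each of the three removed `enum_*` helpers had, so if `registry_key_exist?` raises rather than returning false (for a session type without registry access, or an access-denied key), the exception now propagates out of `run` at the `datastore['DEFENDER']`, `datastore['ESSENTIALS']` and `datastore['SEP']` checks instead of being treated as "not installed"; I cannot see `registry_key_exist?`'s implementation, so this is inferred. The old bare `return false` also hid the failure entirely, so rather than restoring it verbatim I would log and return false: add `rescue => e`, `vprint_error("Registry check for #{product} failed: #{e.message}")`, `false` before the method's final `end`. The unchanged context line for the DEFENDER option still reads `'Enumerate exclusions for Microsoft Defener'`, which could be corrected to `Defender` while this file is being touched. The `run` method whose body the second hunk edits starts and ends outside the hunk.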