예제 #1
0
        /// Method for remote registry query for logged on users - need to make this so user can input their own options
        public static void RegQuery(string nekoFolder, string domainURL, string Username, string Password)
        {
            //Confirm that user has appropriate creds and is able to query registry remotely.
            Console.WriteLine("This process typically requires domain admin privileges and remote registry enabled. Conintue? Enter 'y' or 'n':");
            string userDecision = Console.ReadLine();

            while (userDecision != "y" && userDecision != "")
            {
                Console.WriteLine("Invalid Selection.\r\nThis process typically requires domain admin privileges and remote registry enabled. Conintue? Enter 'y' or 'n':");
            }
            if (userDecision == "y")
            {
                //Need to turn this into list from previous results
                Console.WriteLine("Enter '1' to use results from LDAP recon or '2' to specify target computer name:");
                userDecision = Console.ReadLine();
                while (userDecision != "1" && userDecision != "2")
                {
                    Console.WriteLine("Invalid selection.\r\nEnter '1' to use results from LDAP recon or '2' to specify target computer name:");
                }

                if (userDecision == "2")
                {
                    //Declare computer name
                    string computerName = "";
                    //Get computer name
                    Console.WriteLine("Specify target computer name:");
                    computerName = Console.ReadLine();

                    //Open remote key
                    try
                    {
                        //Specifiy key
                        RegistryKey registryKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, computerName, RegistryView.Registry64);

                        var key = registryKey.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI");
                        if (key == null)
                        {
                        }
                        //Create objects for values
                        object lastUser        = key.GetValue("LastLoggedOnUser");
                        object lastDisplayName = key.GetValue("LastLoggedOnDisplayName");

                        //Display information
                        Console.WriteLine(lastUser.ToString(), lastDisplayName.ToString());

                        //Write out results
                        File.AppendAllText(nekoFolder + "\\User Locations.txt", "Last user: "******"Display Name: " + lastDisplayName.ToString() + Environment.NewLine
                                           + "Computer Name: " + computerName + Environment.NewLine);
                    }
                    catch (UnauthorizedAccessException)
                    {
                        Console.WriteLine("Access Denied. Insuficient privileges.");
                    }
                    catch (Exception e)
                    {
                        Console.WriteLine(e);
                    }
                }
                else
                {
                    //ComputerName from list
                    //Access list class from LDAP recon, need to make this so user can specify their own list if they want.
                    Console.WriteLine("Have you run LDAP recon to generate machine name list? Enter 'y' or 'n'");
                    string userChoice = Console.ReadLine();
                    while (userChoice != "y" && userChoice != "n")
                    {
                        Console.WriteLine("Invalid selection. Have you run LDAP computer recon to generate machine name list? Enter 'y' or 'n'");
                        //Set input
                        userChoice = Console.ReadLine();
                    }
                    //Run ldap comnputer recon
                    if (userChoice == "n")
                    {
                        try
                        {
                            var computerList = Neko.ADComputer.GetADComputers(domainURL, Username, Password);
                            Console.WriteLine("\r\nFound computers:");

                            //Get unique file to prevent overwriting
                            string writePath = UniqueFileCheck.UniqueFile(nekoFolder + "\\LDAP Computer Recon.txt");

                            //Start stream writer for writing results
                            using (var writer = new StreamWriter(writePath, append: true))
                            {
                                foreach (var computer in computerList)
                                {
                                    Console.WriteLine(computer.ComputerInfo);
                                    Console.WriteLine(computer.LastLogon);
                                    Console.WriteLine(computer.ComputerType);

                                    //Write out results
                                    writer.WriteLine(Environment.NewLine + "Computer Name: " + computer.ComputerInfo + Environment.NewLine + "Last Logon: " + computer.LastLogon
                                                     + Environment.NewLine + "Computer type " + computer.ComputerType);
                                    writer.Flush();
                                }
                            }
                        }
                        catch (Exception e)
                        {
                            Console.WriteLine(e);
                        }
                    }
                    // Run remote registry recon for all machines in list.
                    else
                    {
                        var computerList = ADComputer.GetADComputers(domainURL, Username, Password);

                        foreach (var computerName in computerList)
                        {
                            // Open remote key
                            try
                            {
                                // Specifiy key
                                RegistryKey registryKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, computerName.ComputerInfo, RegistryView.Registry64);

                                var key = registryKey.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI");
                                if (key == null)
                                {
                                }
                                // Create objects for values
                                object lastUser        = key.GetValue("LastLoggedOnUser");
                                object lastDisplayName = key.GetValue("LastLoggedOnDisplayName");

                                // Display information
                                Console.WriteLine(lastUser.ToString(), lastDisplayName.ToString());

                                // Write out results
                                File.AppendAllText(nekoFolder + "\\User Locations.txt", "Last user: "******"Display Name: " + lastDisplayName.ToString() + Environment.NewLine
                                                   + "Computer Name: " + computerName + Environment.NewLine);
                            }
                            catch (Exception e)
                            {
                                Console.WriteLine(e);
                            }
                        }
                    }
                }
            }
        }
예제 #2
0
        public static void LocalMachine(string nekoFolder)
        {
            //Net commands
            try
            {
                //New array for commands
                string[] netDomain = new string[5];
                netDomain[0] = "accounts";
                netDomain[1] = "group \"domain admins\" /domain";
                netDomain[2] = "localgroup administrators";
                netDomain[3] = "group \"domain controllers\" /domain";
                netDomain[4] = "start";

                //Get unique file to prevent overwriting
                string writePath = UniqueFileCheck.UniqueFile(nekoFolder + "\\Local Account Information.txt");

                //Start stream writer for writing results
                using (var writer = new StreamWriter(writePath, append: true))
                {
                    foreach (string argument in netDomain)
                    {
                        //Start new process
                        Process netProcess = new Process();
                        //Configure process
                        ProcessStartInfo netConfig = new ProcessStartInfo();
                        netConfig.WindowStyle    = ProcessWindowStyle.Hidden;
                        netConfig.CreateNoWindow = true;
                        //Launch cmd
                        netConfig.FileName = "net.exe";
                        //Enable reading output
                        netConfig.RedirectStandardOutput = true;
                        netConfig.RedirectStandardError  = true;
                        netConfig.UseShellExecute        = false;
                        //Pass arguments
                        //netConfig.Arguments = netDomain;
                        netProcess.StartInfo = netConfig;
                        netConfig.Arguments  = argument;
                        netProcess.Start();
                        string netDomainResult = netProcess.StandardOutput.ReadToEnd();
                        string netErr          = netProcess.StandardError.ReadToEnd();
                        //Write results and clear buffer
                        writer.WriteLine(netDomainResult + netErr + Environment.NewLine);
                        writer.Flush();
                        Console.WriteLine(netDomainResult);
                    }
                }
            }
            catch (Exception)
            {
                Console.WriteLine("Command requires you are logged in with a domain account.");
            }
            //CMD commands
            try
            {
                //Array for commands
                string[] cmdArgs = new string[5];
                cmdArgs[0] = "/c arp -a";
                cmdArgs[1] = "/c route print";
                cmdArgs[2] = "/c netstat -ano | find /i \"listening\"";
                cmdArgs[3] = "/c ipconfig /all";
                cmdArgs[4] = "/c tasklist";


                //Get unique name
                //Get unique file to prevent overwriting
                string writePath = UniqueFileCheck.UniqueFile(nekoFolder + "\\Local Machine Network and Task Recon.txt");

                //Start stream writer for writing results
                using (var writer = new StreamWriter(writePath, append: true))
                {
                    foreach (string argument in cmdArgs)
                    {
                        //Start new process
                        Process cmdProcess = new Process();
                        //Configure process
                        ProcessStartInfo cmdConfig = new ProcessStartInfo();
                        cmdConfig.WindowStyle    = ProcessWindowStyle.Hidden;
                        cmdConfig.CreateNoWindow = true;
                        //Launch cmd
                        cmdConfig.FileName = "cmd.exe";
                        //Enable reading output
                        cmdConfig.RedirectStandardOutput = true;
                        cmdConfig.RedirectStandardError  = true;
                        cmdConfig.UseShellExecute        = false;
                        //Pass arguments
                        //netConfig.Arguments = netDomain;
                        cmdProcess.StartInfo = cmdConfig;
                        cmdConfig.Arguments  = argument;
                        cmdProcess.Start();
                        string cmdDomainResult = cmdProcess.StandardOutput.ReadToEnd();
                        string cmdErr          = cmdProcess.StandardError.ReadToEnd();
                        //Append local machine info to results
                        writer.WriteLine(cmdDomainResult + cmdErr + Environment.NewLine);
                        writer.Flush();

                        Console.WriteLine(cmdDomainResult);
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
            //Get service permissions
            try
            {
                //Command
                string  scArg     = "/c sc query";
                Process scProcess = new Process();
                //Configure process
                ProcessStartInfo scConfig = new ProcessStartInfo();
                scConfig.WindowStyle    = ProcessWindowStyle.Hidden;
                scConfig.CreateNoWindow = true;
                //Launch cmd
                scConfig.FileName = "cmd.exe";
                //Enable reading output
                scConfig.RedirectStandardOutput = true;
                scConfig.RedirectStandardError  = true;
                scConfig.UseShellExecute        = false;
                //Pass arguments
                //netConfig.Arguments = netDomain;
                scProcess.StartInfo = scConfig;
                scConfig.Arguments  = scArg;
                scProcess.Start();
                string scResult = scProcess.StandardOutput.ReadToEnd();
                string scErr    = scProcess.StandardError.ReadToEnd();
                //Append local machine info to results
                File.AppendAllText(nekoFolder + "\\Local Machine Services.txt", scResult + scErr + Environment.NewLine);
                Console.WriteLine(scResult);

                //Regex matching pattern for SERVICE_NAME:
                string pattern = @"(?<=\SERVICE_NAME:\s)(\w+)";

                //Create list for matched values
                List <string> serviceList = new List <string>();

                //Match regex pattern
                MatchCollection matches = Regex.Matches(scResult, pattern);
                for (int i = 0; i < matches.Count; i++)
                {
                    //Console.WriteLine(matches[i].ToString());
                    //serviceList.Add(matches[i].ToString());
                    string services = matches[i].ToString();
                    Console.WriteLine(services);
                    File.AppendAllText(nekoFolder + "\\Local Machine Services.txt", services + Environment.NewLine);
                    string  scSDSHOW    = "/c sc sdshow " + services;
                    Process scSdProcess = new Process();
                    //Configure process
                    ProcessStartInfo scSdConfig = new ProcessStartInfo();
                    scSdConfig.WindowStyle    = ProcessWindowStyle.Hidden;
                    scSdConfig.CreateNoWindow = true;
                    //Launch cmd
                    scSdConfig.FileName = "cmd.exe";
                    //Enable reading output
                    scSdConfig.RedirectStandardOutput = true;
                    scSdConfig.RedirectStandardError  = true;
                    scSdConfig.UseShellExecute        = false;
                    //Pass arguments
                    //netConfig.Arguments = netDomain;
                    scSdProcess.StartInfo = scSdConfig;
                    scSdConfig.Arguments  = scSDSHOW;
                    scSdProcess.Start();
                    string scSD    = scSdProcess.StandardOutput.ReadToEnd();
                    string scSdErr = scSdProcess.StandardError.ReadToEnd();
                    //Append local machine info to results
                    File.AppendAllText(nekoFolder + "\\Local Machine Services.txt", scSD + scSdErr + Environment.NewLine);
                    Console.WriteLine(scSD);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
            }
        }
예제 #3
0
        // Method for remote registry tampering
        public static void RegModification(string nekoFolder, string domainURL, string Username, string Password)
        {
            // Confirm that user has appropriate creds and is able to query registry remotely.
            Console.WriteLine("This process typically requires domain admin privileges and remote registry enabled. Conintue? Enter 'y' or 'n':");
            string userDecision = Console.ReadLine();

            while (userDecision != "y" && userDecision != "")
            {
                Console.WriteLine("Invalid Selection.\r\nThis process typically requires domain admin privileges and remote registry enabled. Conintue? Enter 'y' or 'n':");
            }
            if (userDecision == "y")
            {
                // Need to turn this into list from previous results
                Console.WriteLine("Enter '1' to use results from LDAP recon or '2' to specify target computer name:");
                userDecision = Console.ReadLine();
                while (userDecision != "1" && userDecision != "2")
                {
                    Console.WriteLine("Invalid selection.\r\nEnter '1' to use results from LDAP recon or '2' to specify target computer name:");
                    userDecision = Console.ReadLine();
                }

                if (userDecision == "2")
                {
                    // Declare computer name
                    string computerName = "";
                    //Get computer name
                    Console.WriteLine("Specify target computer name:");
                    computerName = Console.ReadLine();

                    // Get Hive name
                    Console.WriteLine("Specify hive:" +
                                      "\r\n\r\n1: Local Machine" +
                                      "\r\n\r\n2: Current User" +
                                      "\r\n\r\n3: Users" +
                                      "\r\n\r\n4: Classes Root");
                    string userChoice = Console.ReadLine();
                    // Loop to confirm correct input
                    while (userChoice != "1" && userChoice != "2" && userChoice != "3" && userChoice != "4")
                    {
                        Console.WriteLine("Invalid selection" +
                                          "\r\n\r\nSpecify hive:" +
                                          "\r\n\r\n1: LocalMachine" +
                                          "\r\n\r\n2: CurrentUser" +
                                          "\r\n\r\n3: Users" +
                                          "\r\n\r\n4: ClassesRoot");
                    }

                    // Declare registryhive
                    RegistryHive registryHive = RegistryHive.LocalMachine;
                    if (userChoice == "1")
                    {
                        // Do nothing since it was set to default of LocalMachine
                    }
                    // Set as CurrentUser hive
                    else if (userChoice == "2")
                    {
                        registryHive = RegistryHive.CurrentUser;
                    }
                    // Set as Users hive
                    else if (userChoice == "3")
                    {
                        registryHive = RegistryHive.Users;
                    }
                    // Set as ClassesRoot hive
                    else if (userChoice == "4")
                    {
                        registryHive = RegistryHive.ClassesRoot;
                    }

                    // Specify reg name
                    Console.WriteLine("Specify registry Name, e.g. 'DisableAntiSpyware':");
                    string name = Console.ReadLine();

                    // Get key choice
                    Console.WriteLine(@"Specify registry key, e.g. 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authenication\LogonUI':");
                    string regKey = @Console.ReadLine();

                    // Choose new value
                    Console.WriteLine("Specify new registry value, e.g. '0':");
                    string newValue = Console.ReadLine();

                    // Open remote key
                    try
                    {
                        // Open key
                        RegistryKey registryKey = RegistryKey.OpenRemoteBaseKey(registryHive, computerName, RegistryView.Registry64);

                        // open subkey
                        var key = registryKey.OpenSubKey(regKey);
                        if (key == null)
                        {
                        }
                        // Create objects for values
                        key.SetValue(name, newValue);

                        // Check that value was modified
                        object regValue = key.GetValue(name);

                        // Display information
                        Console.WriteLine(regValue.ToString());

                        // Write out results
                        File.AppendAllText(nekoFolder + "\\Registry modifications.txt", name + regValue.ToString() + Environment.NewLine + Environment.NewLine
                                           + "Computer Name: " + computerName + Environment.NewLine);
                    }
                    catch (UnauthorizedAccessException)
                    {
                        Console.WriteLine("Access Denied. Insuficient privileges.");
                    }
                    catch (Exception e)
                    {
                        Console.WriteLine(e);
                    }
                }
                else
                {
                    // ComputerName from list
                    // Access list class from LDAP recon, need to make this so user can specify their own list if they want.
                    Console.WriteLine("Have you run LDAP recon to generate machine name list? Enter 'y' or 'n'");
                    string userChoice = Console.ReadLine();
                    while (userChoice != "y" && userChoice != "n")
                    {
                        Console.WriteLine("Invalid selection. Have you run LDAP computer recon to generate machine name list? Enter 'y' or 'n'");
                    }
                    // Run ldap comnputer recon
                    if (userChoice == "n")
                    {
                        try
                        {
                            var computerList = Neko.ADComputer.GetADComputers(domainURL, Username, Password);
                            Console.WriteLine("\r\nFound computers:");

                            // Get unique file to prevent overwriting
                            string writePath = UniqueFileCheck.UniqueFile(nekoFolder + "\\LDAP Computer Recon.txt");

                            // Start stream writer for writing results
                            using (var writer = new StreamWriter(writePath, append: true))
                            {
                                foreach (var computer in computerList)
                                {
                                    Console.WriteLine(computer.ComputerInfo);
                                    Console.WriteLine(computer.LastLogon);
                                    Console.WriteLine(computer.ComputerType);

                                    // Write out results
                                    writer.WriteLine(Environment.NewLine + "Computer Name: " + computer.ComputerInfo + Environment.NewLine + "Last Logon: " + computer.LastLogon
                                                     + Environment.NewLine + "Computer type " + computer.ComputerType);
                                    writer.Flush();
                                }
                            }
                        }
                        catch (UnauthorizedAccessException)
                        {
                            Console.WriteLine("Access Denied. Insuficient privileges.");
                        }
                        catch (Exception e)
                        {
                            Console.WriteLine(e);
                        }
                    }
                    // Run remote registry recon for all machines in list.
                    else
                    {
                        var computerList = ADComputer.GetADComputers(domainURL, Username, Password);

                        foreach (var computerName in computerList)
                        {
                            //Get Hive name
                            Console.WriteLine("Specify hive:" +
                                              "\r\n\r\n1: Local Machine" +
                                              "\r\n\r\n2: Current User" +
                                              "\r\n\r\n3: Users" +
                                              "\r\n\r\n4: Classes Root");
                            userChoice = Console.ReadLine();
                            // Loop to confirm correct input
                            while (userChoice != "1" && userChoice != "2" && userChoice != "3" && userChoice != "4")
                            {
                                Console.WriteLine("Invalid selection" +
                                                  "\r\n\r\nSpecify hive:" +
                                                  "\r\n\r\n1: LocalMachine" +
                                                  "\r\n\r\n2: CurrentUser" +
                                                  "\r\n\r\n3: Users" +
                                                  "\r\n\r\n4: ClassesRoot");
                            }

                            // Declare registryhive
                            RegistryHive registryHive = RegistryHive.LocalMachine;
                            if (userChoice == "1")
                            {
                                // Do nothing since it was set to default of LocalMachine
                            }
                            // Set as CurrentUser hive
                            else if (userChoice == "2")
                            {
                                registryHive = RegistryHive.CurrentUser;
                            }
                            // Set as Users hive
                            else if (userChoice == "3")
                            {
                                registryHive = RegistryHive.Users;
                            }
                            //Set as ClassesRoot hive
                            else if (userChoice == "4")
                            {
                                registryHive = RegistryHive.ClassesRoot;
                            }

                            // Specify reg name
                            Console.WriteLine("Specify registry Name, e.g. 'DisableAntiSpyware':");
                            string name = Console.ReadLine();

                            // Get key choice
                            Console.WriteLine(@"Specify registry key, e.g. 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authenication\LogonUI':");
                            string regKey = @Console.ReadLine();

                            // Choose new value
                            Console.WriteLine("Specify new registry value, e.g. '0':");
                            string newValue = Console.ReadLine();

                            // Open remote key
                            try
                            {
                                //Open key
                                RegistryKey registryKey = RegistryKey.OpenRemoteBaseKey(registryHive, computerName.ComputerInfo, RegistryView.Registry64);

                                //open subkey
                                var key = registryKey.OpenSubKey(regKey);
                                if (key == null)
                                {
                                }
                                //Create objects for values
                                key.SetValue(name, newValue);

                                //Check that value was modified
                                object regValue = key.GetValue(name);

                                //Display information
                                Console.WriteLine(regValue.ToString());

                                //Write out results
                                File.AppendAllText(nekoFolder + "\\Registry modifications.txt", name + regValue.ToString() + Environment.NewLine + Environment.NewLine
                                                   + "Computer Name: " + computerName + Environment.NewLine);
                            }
                            catch (UnauthorizedAccessException)
                            {
                                Console.WriteLine("Access Denied. Insuficient privileges.");
                            }
                            catch (Exception e)
                            {
                                Console.WriteLine(e);
                            }
                        }
                    }
                }
            }
        }