As I’ve started learning what the most common misconfigurations are on a Windows machine I decided that I should start creating a script to automate the searching for them. I have started an initial script to search for some common things that I do every time I try to escalate a Windows machine and will continue to update and improve on it.
Description
This is a python script that will collect some important information about the Windows system regarding patching, permission issues, and potentially leaked credentials in files and/or the registry. The intent is to continue adding to the script as I find more things to search for.
Right now it is a single file and the intial intent was to have just one file to copy around. However, I believe to make it more modular and feature rich it will need to be split up and become more of a python module or library where the intent would be to alway compile it with PyInstaller before deploying to a Windows machine.
At any rate, this is the initial script that I’m running against a Windows system and will continue to tweak and add to.
Goals
To create a single script that I can run against a Windows machine to collect targeted information. Among the information is:
- System information and currently installed patches
- Poorly permissioned Windows Services and Scheduled tasks (looks at both binpath file as well as directory permissions)
- Passwords/credentials leaked in files on disk
- unattended install files
- Passwords/credentials in the registry
Usage
- The script can run on its own via python3+PyWin32 if it is installed on the Windows machine
- If not, you can use pyinstaller to turn it into an executable and move the executable to the windows machine
- NOTE: pyinstaller supports python 3.3-3.5 (not the latest 3.6 at the time of this writing) so if you are going to use pyinstaller make sure you are targeting python 3.5 instead
Pre-requisites
- Python3 (specifically 3.5 if you are going to use pyinstaller)
- PyInstaller
- PyWin32
- accesschk.exe / accesschk64.exe
Create the self-contained Windows executable
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
c:\Users\sengen\Desktop>pyinstaller --onefile WinEnum.py
78 INFO: PyInstaller: 3.2.1
78 INFO: Python: 3.5.3
78 INFO: Platform: Windows-7-6.1.7601-SP1
78 INFO: wrote c:\Users\sengen\Desktop\WinEnum.spec
78 INFO: UPX is not available.
78 INFO: Extending PYTHONPATH with paths
['c:\\Users\\sengen\\Desktop', 'c:\\Users\\sengen\\Desktop']
78 INFO: checking Analysis
78 INFO: Building Analysis because out00-Analysis.toc is non existent
78 INFO: Initializing module dependency graph...
78 INFO: Initializing module graph hooks...
78 INFO: Analyzing base_library.zip ...
2140 INFO: running Analysis out00-Analysis.toc
2156 INFO: Adding Microsoft.Windows.Common-Controls to dependent assemblies of f
inal executable
required by c:\program files\python35\python.exe
2453 INFO: Caching module hooks...
2468 INFO: Analyzing c:\Users\sengen\Desktop\WinEnum.py
2468 INFO: Loading module hooks...
2468 INFO: Loading module hook "hook-pydoc.py"...
2468 INFO: Loading module hook "hook-encodings.py"...
2546 INFO: Loading module hook "hook-xml.py"...
2718 INFO: Looking for ctypes DLLs
2718 INFO: Analyzing run-time hooks ...
2718 INFO: Looking for dynamic libraries
2812 INFO: Looking for eggs
2812 INFO: Using Python library c:\program files\python35\python35.dll
2812 INFO: Found binding redirects:
[]
2812 INFO: Warnings written to c:\Users\sengen\Desktop\build\WinEnum\warnWinEnum
.txt
2812 INFO: checking PYZ
2812 INFO: Building PYZ because out00-PYZ.toc is non existent
2812 INFO: Building PYZ (ZlibArchive) c:\Users\sengen\Desktop\build\WinEnum\out0
0-PYZ.pyz
3250 INFO: Building PYZ (ZlibArchive) c:\Users\sengen\Desktop\build\WinEnum\out0
0-PYZ.pyz completed successfully.
3265 INFO: checking PKG
3265 INFO: Building PKG because out00-PKG.toc is non existent
3265 INFO: Building PKG (CArchive) out00-PKG.pkg
4890 INFO: Building PKG (CArchive) out00-PKG.pkg completed successfully.
4890 INFO: Bootloader c:\program files\python35\lib\site-packages\PyInstaller\bo
otloader\Windows-64bit\run.exe
4890 INFO: checking EXE
4890 INFO: Building EXE because out00-EXE.toc is non existent
4890 INFO: Building EXE from out00-EXE.toc
4890 INFO: Appending archive to EXE c:\Users\sengen\Desktop\dist\WinEnum.exe
4890 INFO: Building EXE from out00-EXE.toc completed successfully.
The repository with the script
All the future Windows enumeration and data collection script will be in the following repository (including this first one, WinEnum.py)
https://github.com/tdmathison/WindowsEnumeration