sloshnmosh Posted March 6, 2015 Share Posted March 6, 2015 I found a visual basic script embedded in the C:\Windows\System32 folder of Windows 7 called "GatherNetworkInfo.vbs" When I right clicked on this script with the "edit" option and read the code I thought it was a virus! But it existed on another laptop running Windows 7 Ultimate. (I think it is part of netsh tracing function) Anyway, I copied and pasted this script to my desktop and then opened a command terminal in my Desktop path and ran the strange script with: "wscript GatherNetworkInfo.vbs" and lo-and-behold a folder magically appeared on my Desktop called "config" and inside this folder it listed my admin username, my machine name, intimate details about my network card and settings, details about my router and neighboring routers, my current firewall settings, my installed Microsoft security updates and a plethora of other juicy security details. I think this script can be used to do information gathering during a pen-test and could probably be made to pipe the "config" folder on to a rubber ducky. Anyways I felt the script a little too dangerous to have just sitting there ready to be executed because the info gathered would be all anyone would need to remote access your box especially if one or more security patches were found not to be installed. I deleted this script from my working box for security with a live linux disk but kept a copy of it for my USB Rubber Ducky to use as reconnaissance . The script is completely portable and uses embedded systems such as netsh to gather all its info so I think it is a shoe-in for a pen-testers toolbox. Quote Link to comment Share on other sites More sharing options...
sud0nick Posted March 6, 2015 Share Posted March 6, 2015 (edited) Could you post the code, please? I'm interested in this but your story does nothing for anyone without the code. Edit: I actually just found it on my work computer too. I'll post the code for those that don't have Windows machines. Dim FSO, shell, xslProcessor Sub RunCmd(CommandString, OutputFile) cmd = "cmd /c " + CommandString + " >> " + OutputFile shell.Run cmd, 0, True End Sub Sub GetOSInfo(outputFileName) On Error Resume Next strComputer = "." HKEY_LOCAL_MACHINE = &H80000002 Dim objReg, outputFile Dim buildDetailNames, buildDetailRegValNames buildDetailNames = Array("Product Name", "Version", "Build Lab", "Type") buildDetailRegValNames = Array("ProductName", "CurrentVersion", "BuildLabEx", "CurrentType") Set outputFile = FSO.OpenTextFile(outputFileName, 2, True) Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_ strComputer & "\root\default:StdRegProv") outputFile.WriteLine("[Architecture/Processor Information]") outputFile.WriteLine() outputFile.Close cmd = "cmd /c set processor >> " & outputFileName shell.Run cmd, 0, True Set outputFile = FSO.OpenTextFile(outputFileName, 8, True) outputFile.WriteLine() outputFile.WriteLine("[Operating System Information]") outputFile.WriteLine() strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion" for I = 0 to UBound(buildDetailNames) objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, buildDetailRegValNames(I), info outputFile.WriteLine(buildDetailNames(I) + " = " + info) Next outputFile.WriteLine() strKeyPath = "SYSTEM\SETUP" objReg.GetDWordValue HKEY_LOCAL_MACHINE, strKeyPath, "Upgrade", upgradeInfo if IsNull(upgradeInfo) Then outputFile.WriteLine("This is a clean installed system") Else outputFile.WriteLine("This is an upgraded system") End If outputFile.WriteLine(buildDetailNames(I) + " = " + info) outputFile.WriteLine() outputFile.WriteLine("[File versions]") outputFile.WriteLine() Set shell = WScript.CreateObject( "WScript.Shell" ) windir = shell.ExpandEnvironmentStrings("%windir%\system32\") Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Dim FileSet FileSet = Array("onex.dll", "l2nacp.dll", "wlanapi.dll", "wlancfg.dll", "wlanconn.dll", "wlandlg.dll", "wlanext.exe", "wlangpui.dll", "wlanhc.dll", "wlanhlp.dll", "wlaninst.dll", "wlanmm.dll", "wlanmmhc.dll", "wlanmsm.dll", "wlanpref.dll", "wlansec.dll", "wlansvc.dll", "wlanui.dll") For Each file in FileSet filename = windir + file strQuery = "Select * from CIM_Datafile Where Name = '" + Replace(filename, "\", "\\") + "'" Set fileProp = objWMIService.ExecQuery _ (strQuery) For Each objFile in fileProp outputFile.WriteLine(file + " " + objFile.Version) Next Next Dim Dot3FileSet Dot3FileSet = Array("onex.dll", "dot3api.dll", "dot3cfg.dll", "dot3dlg.dll", "dot3gpclnt.dll", "dot3gpui.dll", "dot3msm.dll", "dot3svc.dll", "dot3ui.dll") For Each file in Dot3FileSet filename = windir + file strQuery = "Select * from CIM_Datafile Where Name = '" + Replace(filename, "\", "\\") + "'" Set fileProp = objWMIService.ExecQuery _ (strQuery) For Each objFile in fileProp outputFile.WriteLine(file + " " + objFile.Version) Next Next call GetBatteryInfo(outputFile) outputFile.Close Set outputFile = FSO.OpenTextFile(outputFileName, 8, True) outputFile.WriteLine("") outputFile.WriteLine("[System Information]") outputFile.WriteLine("") outputFile.Close 'Comments: Dumping System Information using "systeminfo" command cmd = "cmd /c systeminfo >> " & outputFileName shell.Run cmd, 0, True Set outputFile = FSO.OpenTextFile(outputFileName, 8, True) outputFile.WriteLine("") outputFile.WriteLine("[User Information]") outputFile.WriteLine("") outputFile.Close cmd = "cmd /c set u >> " & outputFileName shell.Run cmd, 0, True End Sub Sub GetBatteryInfo(outputFile) On Error Resume Next strComputer = "." outputFile.WriteLine() outputFile.WriteLine("[Power Information]") outputFile.WriteLine() Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Set colItems = objWMIService.ExecQuery("Select * from Win32_Battery") if colItems.Count = 0 Then outputFile.WriteLine("It is a Desktop running on AC") Else For Each objItem in colItems if objItem.Availability = 2 Then outputFile.WriteLine("Machine is running on AC Adapter") Else if objitem.Availability = 3 Then outputFile.WriteLine("Machine is running on Battery") End If End If Next End If End Sub Sub GetWcnInfo(outputFileName) On Error Resume Next Dim WcnInfoFile Set WcnInfoFile= FSO.OpenTextFile(outputFileName, 8, True) WcnInfoFile.WriteLine("-------------------------------------") WcnInfoFile.WriteLine("---------+ WCN Information +---------") WcnInfoFile.WriteLine("-------------------------------------") WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("-----------------") WcnInfoFile.WriteLine("+ Services Status") WcnInfoFile.WriteLine("-----------------") WcnInfoFile.WriteLine("") WcnInfoFile.Close Set objShell = WScript.CreateObject( "WScript.Shell" ) cmd = "cmd /c sc query wcncsvc >> " & outputFileName objShell.Run cmd, 0, True cmd = "cmd /c sc query wlansvc >> " & outputFileName objShell.Run cmd, 0, True cmd = "cmd /c sc query eaphost >> " & outputFileName objShell.Run cmd, 0, True cmd = "cmd /c sc query fdrespub >> " & outputFileName objShell.Run cmd, 0, True cmd = "cmd /c sc query upnphost >> " & outputFileName objShell.Run cmd, 0, True cmd = "cmd /c sc query eaphost >> " & outputFileName objShell.Run cmd, 0, True Set WcnInfoFile= FSO.OpenTextFile(outputFileName, 8, True) WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("-----------------------") WcnInfoFile.WriteLine("+ WCN Files Information ") WcnInfoFile.WriteLine("-----------------------") WcnInfoFile.WriteLine("") strComputer = "." Set shell = WScript.CreateObject( "WScript.Shell" ) windir = shell.ExpandEnvironmentStrings("%windir%\system32\") Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Dim FileSet FileSet = Array("wcncsvc.dll", "wcnapi.dll", "fdwcn.dll", "wcneapauthproxy.dll", "wcneappeerproxy.dll", "wcnwiz.dll", "wcnnetsh.dll", "wczdlg.dll") For Each file in FileSet filename = windir + file strQuery = "Select * from CIM_Datafile Where Name = '" + Replace(filename, "\", "\\") + "'" Set fileProp = objWMIService.ExecQuery _ (strQuery) For Each objFile in fileProp WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("---------------------") WcnInfoFile.WriteLine(file) WcnInfoFile.WriteLine("---------------------") WcnInfoFile.WriteLine(" - Version : " + objFile.Version ) WcnInfoFile.WriteLine(" - Creation Date : " + objFile.CreationDate ) WcnInfoFile.WriteLine(" - Description : " + objFile.Description ) WcnInfoFile.WriteLine(" - Installation Date : " + objFile.InstallDate ) WcnInfoFile.WriteLine(" - In Use Count : " + objFile.InUseCount ) WcnInfoFile.WriteLine(" - Last Accessed : " + objFile.LastAccessed ) WcnInfoFile.WriteLine(" - Last Modified : " + objFile.LastModified ) WcnInfoFile.WriteLine(" - Status : " + objFile.Status ) Next Next WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("-------------------------------") WcnInfoFile.WriteLine("+ Network Adapters Information ") WcnInfoFile.WriteLine("-------------------------------") WcnInfoFile.WriteLine("") strQuery = "Select * from Win32_NetworkAdapter " Set AdapterProp = objWMIService.ExecQuery _ (strQuery) For Each objFile in AdapterProp WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("---------------------") WcnInfoFile.WriteLine("DeviceID : " + objFile.DeviceID ) WcnInfoFile.WriteLine("---------------------") WcnInfoFile.WriteLine(" - Adapter Type : " + objFile.AdapterType ) WcnInfoFile.WriteLine(" - Auto Sense : " + objFile.AutoSense ) WcnInfoFile.WriteLine(" - Description : " + objFile.Description ) WcnInfoFile.WriteLine(" - NetConnectionID : " + objFile.NetConnectionID ) WcnInfoFile.WriteLine(" - GUID : " + objFile.GUID ) WcnInfoFile.WriteLine(" - MACAddress : " + objFile.MACAddress ) WcnInfoFile.WriteLine(" - Manufacturer : " + objFile.Manufacturer ) WcnInfoFile.WriteLine(" - MaxSpeed : " + objFile.MaxSpeed ) WcnInfoFile.WriteLine(" - Speed : " + objFile.Speed ) WcnInfoFile.WriteLine(" - Name : " + objFile.Name ) Select Case objFile.NetConnectionStatus Case 0 strAvail= "Disconnected" Case 1 strAvail= "Connecting" Case 2 strAvail= "Connected" Case 3 strAvail= "Disconnecting" Case 4 strAvail= "Hardware not present" Case 5 strAvail= "Hardware disabled" Case 6 strAvail= "Hardware malfunction" Case 7 strAvail= "Media disconnected" Case 8 strAvail= "Authenticating" Case 9 strAvail= "Authentication succeeded" Case 10 strAvail= "Authentication failed" Case 11 strAvail= "Invalid address" Case 12 strAvail= "Credentials required" End Select WcnInfoFile.WriteLine(" - NetConnectionStatus : " + strAvail ) WcnInfoFile.WriteLine(" - NetEnabled : " + objFile.NetEnabled ) WcnInfoFile.WriteLine(" - NetworkAddresses : " + objFile.NetworkAddresses ) WcnInfoFile.WriteLine(" - PermanentAddress : " + objFile.PermanentAddress ) WcnInfoFile.WriteLine(" - PhysicalAdapter : " + objFile.PhysicalAdapter ) WcnInfoFile.WriteLine(" - PNPDeviceID : " + objFile.PNPDeviceID ) WcnInfoFile.WriteLine(" - ProductName : " + objFile.ProductName ) WcnInfoFile.WriteLine(" - ServiceName : " + objFile.ServiceName ) WcnInfoFile.WriteLine(" - SystemName : " + objFile.SystemName ) WcnInfoFile.WriteLine(" - TimeOfLastReset : " + objFile.TimeOfLastReset ) WcnInfoFile.WriteLine(" - Status : " + objFile.Status ) Select Case objFile.StatusInfo Case 1 strAvail= "Other" Case 2 strAvail= "Unknown" Case 3 strAvail= "Enabled" Case 4 strAvail= "Disabled" Case 5 strAvail= "Not Applicable" End Select WcnInfoFile.WriteLine(" - StatusInfo : " + strAvail ) Select Case objFile.Availability Case 1 strAvail= "Other" Case 2 strAvail= "Unknown" Case 3 strAvail= "Running or Full Power" Case 4 strAvail= "Warning" Case 5 strAvail= "In test" Case 6 strAvail= "Not Applicable" Case 7 strAvail= "Power Off" Case 8 strAvail= "Off Line" Case 9 strAvail= "Off Duty" Case 10 strAvail= "Degraded" Case 11 strAvail= "Not Installed" Case 12 strAvail= "Install Error" Case 13 strAvail= "Power Save - Unknown" Case 14 strAvail= "Power Save - Low Power Mode" Case 15 strAvail= "Power Save - Standby" Case 16 strAvail= "Power Cycle" Case 17 strAvail= "Power Save - Warning" End Select WcnInfoFile.WriteLine(" - Availability : " + strAvail ) WcnInfoFile.WriteLine(" - Caption : " + objFile.Caption ) Select Case objFile.ConfigManagerErrorCode Case 0 strAvail= "Device is working properly" Case 1 strAvail= "Device is not configured correctly" Case 2 strAvail= "Windows cannot load the driver for this device" Case 3 strAvail= "Driver for this device might be corrupted, or the system may be low on memory or other resources" Case 4 strAvail= "Device is not working properly. One of its drivers or the registry might be corrupted." Case 5 strAvail= "Driver for the device requires a resource that Windows cannot manage." Case 6 strAvail= "Boot configuration for the device conflicts with other devices" Case 7 strAvail= "Cannot filter" Case 8 strAvail= "Driver loader for the device is missing" Case 9 strAvail= "Device is not working properly. The controlling firmware is incorrectly reporting the resources for the device" Case 10 strAvail= "Device cannot start" Case 11 strAvail= "Device failed" Case 12 strAvail= "Device cannot find enough free resources to use" Case 13 strAvail= "Windows cannot verify the device's resources" Case 14 strAvail= "Device cannot work properly until the computer is restarted" Case 15 strAvail= "Device is not working properly due to a possible re-enumeration problem" Case 16 strAvail= "Windows cannot identify all of the resources that the device uses" Case 17 strAvail= "Device is requesting an unknown resource type." Case 18 strAvail= "Device drivers must be reinstalled" Case 19 strAvail= "Failure using the VxD loader" Case 20 strAvail= "Registry might be corrupted." Case 21 strAvail= "System failure. If changing the device driver is ineffective, see the hardware documentation. Windows is removing the device" Case 22 strAvail= "Device is disabled" Case 23 strAvail= "System failure. If changing the device driver is ineffective, see the hardware documentation" Case 24 strAvail= "Device is not present, not working properly, or does not have all of its drivers installed." Case 25 strAvail= "Windows is still setting up the device" Case 27 strAvail= "Device does not have valid log configuration." Case 28 strAvail= "Device drivers are not installed." Case 29 strAvail= "Device is disabled. The device firmware did not provide the required resources." Case 30 strAvail= "Device is using an IRQ resource that another device is using." Case 31 strAvail= "Device is not working properly. Windows cannot load the required device drivers." End Select WcnInfoFile.WriteLine(" - ConfigManagerErrorCode: " + strAvail ) WcnInfoFile.WriteLine(" - Error Cleared : " + objFile.ErrorCleared ) WcnInfoFile.WriteLine(" - Error Description : " + objFile.ErrorDescription) WcnInfoFile.WriteLine(" - LastErrorCode : " + objFile.LastErrorCode) WcnInfoFile.WriteLine(" - Index : " + objFile.Index) WcnInfoFile.WriteLine(" - Installed : " + objFile.Installed ) WcnInfoFile.WriteLine(" - Install Date : " + objFile.InstallDate ) WcnInfoFile.WriteLine(" - InterfaceIndex : " + objFile.InterfaceIndex ) Next WcnInfoFile.Close Set WcnInfoFile = FSO.OpenTextFile(outputFileName, 8, True) WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("-----------------------") WcnInfoFile.WriteLine("+ ipconfig information") WcnInfoFile.WriteLine("-----------------------") WcnInfoFile.WriteLine("") WcnInfoFile.Close cmd = "cmd /c ipconfig /all >> " & outputFileName objShell.Run cmd, 0, True Set WcnInfoFile = FSO.OpenTextFile(outputFileName, 8, True) WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("----------------------") WcnInfoFile.WriteLine("+ Softap Capabilities ") WcnInfoFile.WriteLine("----------------------") WcnInfoFile.WriteLine("") WcnInfoFile.Close cmd = "cmd /c netsh wlan show device >> " & outputFileName objShell.Run cmd, 0, True Set WcnInfoFile = FSO.OpenTextFile(outputFileName, 8, True) WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("----------------------") WcnInfoFile.WriteLine("+ Dump wcncsvc RegKey ") WcnInfoFile.WriteLine("----------------------") WcnInfoFile.WriteLine("") WcnInfoFile.Close cmd = "cmd /c reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc\Parameters >> " & outputFileName objShell.Run cmd, 0, True ' Set shell = WScript.CreateObject( "WScript.Shell" ) ' windir = shell.ExpandEnvironmentStrings("%windir%\system32\") ' filename = windir + "wcnwiz.dll" ' commandname = windir + "rundll32.exe" ' cmd = "cmd /c "& commandname &" "& filename &" , RunDumpWcnCache >> " & outputFileName ' objShell.Run cmd, 0, True Set WcnInfoFile = FSO.OpenTextFile(outputFileName, 8, True) WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("--------------------------------") WcnInfoFile.WriteLine("+ Network Discovery Information.") WcnInfoFile.WriteLine("--------------------------------") WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("------------------------------") WcnInfoFile.WriteLine("- Current Profile information") WcnInfoFile.WriteLine("------------------------------") WcnInfoFile.WriteLine("") ' Profile Type Const NET_FW_PROFILE2_DOMAIN = 1 Const NET_FW_PROFILE2_PRIVATE = 2 Const NET_FW_PROFILE2_PUBLIC = 4 ' Direction Const NET_FW_RULE_DIR_IN = 1 Const NET_FW_RULE_DIR_OUT = 2 ' Create the FwPolicy2 object. Dim fwPolicy2 Dim ProfileType ProfileType = Array("Domain", "Private", "Public") Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2") CurrentProfile = fwPolicy2.CurrentProfileTypes WcnInfoFile.WriteLine ("Current firewall profile is: ") '// The returned 'CurrentProfiles' bitmask can have more than 1 bit set if multiple profiles '// are active or current at the same time if ( CurrentProfile AND NET_FW_PROFILE2_DOMAIN ) then WcnInfoFile.WriteLine(ProfileType(0)) end if if ( CurrentProfile AND NET_FW_PROFILE2_PRIVATE ) then WcnInfoFile.WriteLine(ProfileType(1)) end if if ( CurrentProfile AND NET_FW_PROFILE2_PUBLIC ) then WcnInfoFile.WriteLine(ProfileType(2)) end if WcnInfoFile.Close cmd = "cmd /c netsh advfirewall show currentprofile >> " & outputFileName objShell.Run cmd, 0, True Set WcnInfoFile = FSO.OpenTextFile(outputFileName, 8, True) WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine("----------------------------------------------") WcnInfoFile.WriteLine("- Network discovery status for current profile") WcnInfoFile.WriteLine("----------------------------------------------") WcnInfoFile.WriteLine("") Dim rule ' Get the Rules object Dim RulesObject Set RulesObject = fwPolicy2.Rules For Each rule In Rulesobject if rule.Grouping = "@FirewallAPI.dll,-32752" then WcnInfoFile.WriteLine("") WcnInfoFile.WriteLine(" Rule Name: " & rule.Name) WcnInfoFile.WriteLine(" ----------------------------------------------") WcnInfoFile.WriteLine(" Enabled: " & rule.Enabled) WcnInfoFile.WriteLine(" Description: " & rule.Description) WcnInfoFile.WriteLine(" Application Name: " & rule.ApplicationName) WcnInfoFile.WriteLine(" Service Name: " & rule.ServiceName) Select Case rule.Direction Case NET_FW_RULE_DIR_IN WcnInfoFile.WriteLine(" Direction: In") Case NET_FW_RULE_DIR_OUT WcnInfoFile.WriteLine(" Direction: Out") End Select end if Next WcnInfoFile.Close End Sub Sub GetWirelessAdapterInfo(outputFile) On Error Resume Next Dim adapters, objReg Dim adapterDetailNames, adapterDetailRegValNames adapterDetailNames = Array("Driver Description", "Adapter Guid", "Hardware ID", "Driver Date", "Driver Version", "Driver Provider") adapterDetailRegValNames = Array("DriverDesc", "NetCfgInstanceId", "MatchingDeviceId", "DriverDate", "DriverVersion", "ProviderName") IHVDetailNames = Array("ExtensibilityDLL", "UIExtensibilityCLSID", "GroupName", "DiagnosticsID") IHVDetailRegValNames = Array("ExtensibilityDLL", "UIExtensibilityCLSID", "GroupName", "DiagnosticsID") HKEY_LOCAL_MACHINE = &H80000002 strComputer = "." Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_ strComputer & "\root\default:StdRegProv") strKeyPath = "SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\" objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, adapterSet For Each adapter In adapterSet If StrComp("Properties", adapter) Then fullstrKeyPath = strKeyPath + adapter objReg.GetDWORDValue HKEY_LOCAL_MACHINE, fullstrKeyPath, "*IfType", ifType If ifType = 71 Then for I = 0 to UBound(adapterDetailNames) objReg.GetStringValue HKEY_LOCAL_MACHINE, fullstrKeyPath, adapterDetailRegValNames(I), info outputFile.WriteLine(adapterDetailNames(I) + " = " + info) Next ihvKeyPath = fullstrKeyPath + "\Ndi\IHVExtensions" For J = 0 to UBound(IHVDetailNames) objReg.GetStringValue HKEY_LOCAL_MACHINE, ihvKeyPath, IHVDetailRegValNames(J), ihvInfo outputFile.WriteLine(IHVDetailNames(J) + " = " + ihvInfo) Next objReg.GetDWordValue HKEY_LOCAL_MACHINE, ihvKeyPath, "AdapterOUI", ihvInfo outputFile.WriteLine("AdapterOUI = " + CSTR(ihvInfo)) outputFile.WriteLine() End If End If Next Set objShell = WScript.CreateObject( "WScript.Shell" ) tempFile = "tempfile.txt" cmd = "cmd /c tasklist > " & tempFile objShell.Run cmd, 0, True Set objTextFile = FSO.OpenTextFile(tempFile, 1) strIHVOutput = objTextFile.ReadAll() Set regEx = New RegExp regEx.Pattern = "^wlanext.exe[\s|a-z|A-Z|\d]*" regEx.Multiline = True regEx.IgnoreCase = True regEx.Global = True Set Matches = regEx.Execute(strIHVOutput) For Each match in Matches outputFile.WriteLine(match.Value) Next End Sub Sub GetWirelessAutoconfigLog(logFileName) On Error Resume Next Set objShell = WScript.CreateObject( "WScript.Shell" ) 'Export the operational log cmd = "cmd /c wevtutil epl ""Microsoft-Windows-WLAN-AutoConfig/Operational"" " & logFileName objShell.Run cmd, 0, True 'Archive the log so that it can be read on different machines cmd = "cmd /c wevtutil al " & logFileName objShell.Run cmd, 0, True End Sub Sub GetWiredAdapterInfo(outputFile) On Error Resume Next Dim adapters, objReg Dim adapterDetailNames, adapterDetailRegValNames adapterDetailNames = Array("Driver Description", "Adapter Guid", "Hardware ID", "Driver Date", "Driver Version", "Driver Provider") adapterDetailRegValNames = Array("DriverDesc", "NetCfgInstanceId", "MatchingDeviceId", "DriverDate", "DriverVersion", "ProviderName") HKEY_LOCAL_MACHINE = &H80000002 strComputer = "." Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_ strComputer & "\root\default:StdRegProv") strKeyPath = "SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\" objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, adapterSet For Each adapter In adapterSet If StrComp("Properties", adapter) Then fullstrKeyPath = strKeyPath + adapter objReg.GetDWORDValue HKEY_LOCAL_MACHINE, fullstrKeyPath, "*IfType", ifType If ifType = 6 Then for I = 0 to UBound(adapterDetailNames) objReg.GetStringValue HKEY_LOCAL_MACHINE, fullstrKeyPath, adapterDetailRegValNames(I), info outputFile.WriteLine(adapterDetailNames(I) + " = " + info) Next outputFile.WriteLine() End If End If Next End Sub Sub GetEnvironmentInfo(outputFileName) On Error Resume Next Dim envInfoFile Set objShell = WScript.CreateObject( "WScript.Shell" ) cmd = "cmd /c netsh wlan show all > " & outputFileName objShell.Run cmd, 0, True cmd = "cmd /c netsh lan show interfaces >> " & outputFileName objShell.Run cmd, 0, True cmd = "cmd /c netsh lan show settings >> " & outputFileName objShell.Run cmd, 0, True cmd = "cmd /c netsh lan show profiles >> " & outputFileName objShell.Run cmd, 0, True cmd = "cmd /c ipconfig /all >> " & outputFileName objShell.Run cmd, 0, True RunCmd "echo.", outputFileName RunCmd "echo ROUTE PRINT:", outputFileName RunCmd "route print", outputFileName Set envInfoFile = FSO.OpenTextFile(outputFileName, 8, True) envInfoFile.WriteLine("") envInfoFile.WriteLine("Machine certificates...") envInfoFile.WriteLine("") envInfoFile.Close cmd = "cmd /c certutil -v -store -silent My >> " & outputFileName objShell.Run cmd, 0, True Set envInfoFile = FSO.OpenTextFile(outputFileName, 8, True) envInfoFile.WriteLine("") envInfoFile.WriteLine("User certificates...") envInfoFile.WriteLine("") envInfoFile.Close cmd = "cmd /c certutil -v -store -silent -user My >> " & outputFileName objShell.Run cmd, 0, True End Sub 'Comments: Function to dump a tree under a registry path into a file Sub DumpRegKey(outputFileName,regpath) On Error Resume Next Dim cmd Set objShell = WScript.CreateObject( "WScript.Shell" ) cmd = "cmd /c reg export " & regpath & " " & outputFileName & " /y" objShell.Run cmd, 0, True End Sub Sub DumpAllKeys On Error Resume Next Dim NotifRegFile, RegFolder, Key RegFolder = "Reg" if Not FSO.FolderExists(RegFolder) Then FSO.CreateFolder RegFolder End If ' Dump WLAN registry keys AllCredRegFile = RegFolder + "\AllCred.reg.txt" AllCredFilterFile = RegFolder + "\AllCredFilter.reg.txt" CredRegFileA = RegFolder + "\{07AA0886-CC8D-4e19-A410-1C75AF686E62}.reg.txt" CredRegFileB = RegFolder + "\{33c86cd6-705f-4ba1-9adb-67070b837775}.reg.txt" CredRegFileC = RegFolder + "\{edd749de-2ef1-4a80-98d1-81f20e6df58e}.reg.txt" APIPermRegFile = RegFolder + "\APIPerm.reg.txt" NotifRegFile = RegFolder + "\Notif.reg.txt" GPTRegFile = RegFolder + "\GPT.reg.txt" CUWlanSvcRegFile = RegFolder + "\HKCUWlanSvc.reg.txt" LMWlanSvcRegFile = RegFolder + "\HKLMWlanSvc.reg.txt" NidRegFile = RegFolder + "\NetworkProfiles.reg.txt" call DumpRegKey(NotifRegFile ,"""HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications""") call DumpRegKey(AllCredRegFile ,"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers""") call DumpRegKey(AllCredFilterFile,"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters""") call DumpRegKey(CredRegFileA ,"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{07AA0886-CC8D-4e19-A410-1C75AF686E62}""") call DumpRegKey(CredRegFileB ,"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{33c86cd6-705f-4ba1-9adb-67070b837775}""") call DumpRegKey(CredRegFileC ,"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{edd749de-2ef1-4a80-98d1-81f20e6df58e}""") call DumpRegKey(APIPermRegFile ,"""HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc\Parameters\WlanAPIPermissions""") call DumpRegKey(GPTRegFile , """HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless\GPTWirelessPolicy""") call DumpRegKey(CUWlanSvcRegFile ,"""HKCU\SOFTWARE\Microsoft\Wlansvc""") call DumpRegKey(LMWlanSvcRegFile ,"""HKLM\SOFTWARE\Microsoft\Wlansvc""") ' Dump Dot3 registry keys LMDot3SvcRegFile = RegFolder + "\HKLMDot3Svc.reg.txt" CUDot3SvcRegFile = RegFolder + "\HKCUDot3Svc.reg.txt" LGPPolicyFile = RegFolder + "\L2GP.reg.txt" call DumpRegKey(LMDot3SvcRegFile ,"""HKLM\SOFTWARE\Microsoft\dot3svc""") call DumpRegKey(CUDot3SvcRegFile ,"""HKCU\SOFTWARE\Microsoft\dot3svc""") call DumpRegKey(LGPPolicyFile ,"""HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy""") call DumpRegKey(NidRegFile ,"""HKLM\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\NetworkList""") End Sub ' Dump Winsock LSP catalog Sub DumpWinsockCatalog(outputFileName) On Error Resume Next Dim envInfoFile Set objShell = WScript.CreateObject( "WScript.Shell" ) cmd = "cmd /c netsh winsock show catalog > " & outputFileName objShell.Run cmd, 0, True End Sub ' Dump the Windows Firewall Configuration Sub GetWindowsFirewallInfo(configFileName, logFileName, effectiveRulesFileName, consecLogFileName, logFileNameVerbose, consecLogFileNameVerbose) On Error Resume Next Dim envInfoFile Set objShell = WScript.CreateObject( "WScript.Shell" ) cmd = "cmd /c echo Current Profiles: > " & configFileName objShell.Run cmd, 0, True cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & configFileName objShell.Run cmd, 0, True 'Dump the current profiles cmd = "cmd /c netsh advfirewall monitor show currentprofile >> " & configFileName objShell.Run cmd, 0, True cmd = "cmd /c echo Firewall Configuration: >> " & configFileName objShell.Run cmd, 0, True cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & configFileName objShell.Run cmd, 0, True ' Dump the firewall configuration cmd = "cmd /c netsh advfirewall monitor show firewall >> " & configFileName objShell.Run cmd, 0, True cmd = "cmd /c echo Connection Security Configuration: >> " & configFileName objShell.Run cmd, 0, True cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & configFileName objShell.Run cmd, 0, True 'Dump the connection security configuration cmd = "cmd /c netsh advfirewall monitor show consec >> " & configFileName objShell.Run cmd, 0, True cmd = "cmd /c echo Firewall Rules : >> " & configFileName objShell.Run cmd, 0, True cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & configFileName objShell.Run cmd, 0, True 'Dump the firewall rules cmd = "cmd /c netsh advfirewall firewall show rule name=all verbose >> " & configFileName objShell.Run cmd, 0, True cmd = "cmd /c echo Connection Security Rules : >> " & configFileName objShell.Run cmd, 0, True cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & configFileName objShell.Run cmd, 0, True 'Dump the connection security rules cmd = "cmd /c netsh advfirewall consec show rule name=all verbose >> " & configFileName objShell.Run cmd, 0, True 'Dump the firewall rules from Dynamic Store cmd = "cmd /c echo Firewall Rules currently enforced : > " & effectiveRulesFileName objShell.Run cmd, 0, True cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & effectiveRulesFileName objShell.Run cmd, 0, True cmd = "cmd /c netsh advfirewall monitor show firewall rule name=all >> " & effectiveRulesFileName objShell.Run cmd, 0, True 'Dump the connection security rules from Dynamic Store cmd = "cmd /c echo Connection Security Rules currently enforced : >> " & effectiveRulesFileName objShell.Run cmd, 0, True cmd = "cmd /c echo ------------------------------------------------------------------------ >> " & effectiveRulesFileName objShell.Run cmd, 0, True cmd = "cmd /c netsh advfirewall monitor show consec rule name=all >> " & effectiveRulesFileName objShell.Run cmd, 0, True 'Export the operational log cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"" " & logFileName objShell.Run cmd, 0, True 'Archive the log so that it could be read on different machines cmd = "cmd /c wevtutil al " & logFileName objShell.Run cmd, 0, True 'Export the operational log cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"" " & consecLogFileName objShell.Run cmd, 0, True 'Archive the log so that it could be read on different machines cmd = "cmd /c wevtutil al " & consecLogFileName objShell.Run cmd, 0, True 'Export the operational log cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"" " & logFileNameVerbose objShell.Run cmd, 0, True 'Archive the log so that it could be read on different machines cmd = "cmd /c wevtutil al " & logFileNameVerbose objShell.Run cmd, 0, True 'Export the operational log cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"" " & consecLogFileNameVerbose objShell.Run cmd, 0, True 'Archive the log so that it could be read on different machines cmd = "cmd /c wevtutil al " & consecLogFileNameVerbose objShell.Run cmd, 0, True End Sub Sub GetWfpInfo(outputFileName, logFileName) On Error Resume Next Set objShell = WScript.CreateObject( "WScript.Shell" ) cmd = "cmd /c netsh wfp show filters file=" & outputFileName & " > " & logFileName objShell.Run cmd, 0, True End Sub ' Dump Netio State Sub GetNetioInfo(outputFileName) On Error Resume Next Set objShell = WScript.CreateObject( "WScript.Shell" ) cmd = "cmd /c netsh interface teredo show state > " & outputFileName objShell.Run cmd, 0, True cmd = "cmd /c netsh interface httpstunnel show interface >> " & outputFileName objShell.Run cmd, 0, True cmd = "cmd /c netsh interface httpstunnel show statistics >> " & outputFileName objShell.Run cmd, 0, True End Sub Sub GetDnsInfo(logFileName) On Error Resume Next Set objShell = WScript.CreateObject( "WScript.Shell" ) RunCmd "echo IPCONFIG /DISPLAYDNS: ", logFileName RunCmd "ipconfig /displaydns", logFileName RunCmd "echo. ", logFileName RunCmd "echo NETSH NAMESPACE SHOW EFFECTIVE:", logFileName RunCmd "netsh namespace show effective", logFileName RunCmd "echo.", logFileName RunCmd "echo NETSH NAMESPACE SHOW POLICY:", logFileName RunCmd "netsh namespace show policy", logFileName End Sub Sub GetNeighborInfo(logFileName) On Error Resume Next Set objShell = WScript.CreateObject( "WScript.Shell" ) RunCmd "echo ARP -A:", logFileName RunCmd "arp -a", logFileName RunCmd "echo.", logFileName RunCmd "echo NETSH INT IPV6 SHOW NEIGHBORS:", logFileName RunCmd "netsh int ipv6 show neigh", logFileName End Sub Sub GetFileSharingInfo(logFileName) On Error Resume Next Set objShell = WScript.CreateObject( "WScript.Shell" ) RunCmd "echo NBTSTAT -N:", logFileName RunCmd "nbtstat -n", logFileName RunCmd "echo.", logFileName RunCmd "echo NBTSTAT -C:", logFileName RunCmd "nbtstat -c", logFileName RunCmd "echo.", logFileName RunCmd "echo NET CONFIG RDR:", logFileName RunCmd "net config rdr", logFileName RunCmd "echo.", logFileName RunCmd "echo NET CONFIG SRV:", logFileName RunCmd "net config srv", logFileName RunCmd "echo.", logFileName RunCmd "echo NET SHARE:", logFileName RunCmd "net share", logFileName End Sub Sub GetGPResultInfo(logFileName) On Error Resume Next Set objShell = WScript.CreateObject( "WScript.Shell" ) cmd = "cmd /c gpresult /scope:computer /v 1> " & logFileName & " 2>&1" objShell.Run cmd, 0, True End Sub Sub GetNetEventsInfo(outputFileName, logFileName) On Error Resume Next Set objShell = WScript.CreateObject( "WScript.Shell" ) cmd = "cmd /c netsh wfp show netevents file=" & outputFileName & " 1> " & logFileName & " 2>&1" objShell.Run cmd, 0, True End Sub Sub GetShowStateInfo(outputFileName, logFileName) On Error Resume Next Set objShell = WScript.CreateObject( "WScript.Shell" ) cmd = "cmd /c netsh wfp show state file=" & outputFileName & " 1> " & logFileName & " 2>&1" objShell.Run cmd, 0, True End Sub Sub GetSysPortsInfo(outputFileName, logFileName) On Error Resume Next Set objShell = WScript.CreateObject( "WScript.Shell" ) cmd = "cmd /c netsh wfp show sysports file=" & outputFileName & " 1> " & logFileName & " 2>&1" objShell.Run cmd, 0, True End Sub On Error Resume Next Dim adapterInfoFile, netInfoFile, WcnInfoFile Set FSO = CreateObject("Scripting.FileSystemObject") Set shell = WScript.CreateObject( "WScript.Shell" ) sysdrive = shell.ExpandEnvironmentStrings("%SystemDrive%\") configFolder = "config" osinfoFileName = configFolder + "\osinfo.txt" adapterinfoFileName = configFolder + "\adapterinfo.txt" envinfoFileName = configFolder + "\envinfo.txt" wirelessAutoconfigLogFileName = configFolder + "\WLANAutoConfigLog.evtx" wscatFileName = configFolder + "\WinsockCatalog.txt" wcnFileName = configFolder + "\WcnInfo.txt" wcncachedumpFile= sysdrive + "\wcncachedump.txt" windowsFirewallConfigFileName = configFolder + "\WindowsFirewallConfig.txt" windowsFirewallEffectiveRulesFileName = configFolder + "\WindowsFirewallEffectiveRules.txt" windowsFirewallLogFileName = configFolder + "\WindowsFirewallLog.evtx" windowsFirewallConsecLogFileName = configFolder + "\WindowsFirewallConsecLog.evtx" windowsFirewallVerboseLogFileName = configFolder + "\WindowsFirewallLogVerbose.evtx" windowsFirewallConsecVerboseLogFileName = configFolder + "\WindowsFirewallConsecLogVerbose.evtx" wfpfiltersfilename=configFolder + "\wfpfilters.xml" wfplogfilename=configFolder + "\wfplog.log" netioStateFilename=configFolder + "\netiostate.txt" dnsInfoFileName = configFolder + "\Dns.txt" neighborsFileName = configFolder + "\Neighbors.txt" filesharingFileName = configFolder + "\FileSharing.txt" gpresultFileName = configFolder + "\gpresult.txt" neteventsFileName = configFolder + "\netevents.xml" neteventsFileLog = configFolder + "\neteventslog.txt" showstateFileName = configFolder + "\wfpstate.xml" showstateFileLog = configFolder + "\wfpstatelog.txt" sysportsFileName = configFolder + "\sysports.xml" sysportsFileLog = configFolder + "\sysportslog.txt" if Not FSO.FolderExists(configFolder) Then FSO.CreateFolder configFolder End If call DumpAllKeys call GetOSInfo(osinfoFileName) Set adapterInfoFile = FSO.OpenTextFile(adapterInfoFileName, 2, True) call GetWirelessAdapterInfo(adapterInfoFile) call GetWiredAdapterInfo(adapterInfoFile) adapterInfoFile.Close call GetWirelessAutoconfigLog(wirelessAutoConfigLogFileName) call GetEnvironmentInfo(envinfoFileName) call DumpWinsockCatalog(wscatFileName) call GetWindowsFirewallInfo(windowsFirewallConfigFileName, windowsFirewallLogFileName, windowsFirewallEffectiveRulesFileName,windowsFirewallConsecLogFileName, windowsFirewallVerboseLogFileName, windowsFirewallConsecVerboseLogFileName) call GetWcnInfo(wcnFileName) call GetWfpInfo(wfpfiltersfilename, wfplogfilename) call GetNetioInfo(netioStateFilename) call GetDnsInfo(dnsInfoFileName) call GetNeighborInfo(neighborsFileName) call GetFileSharingInfo(filesharingFileName) call GetGPResultInfo(gpresultFileName) call GetNetEventsInfo(neteventsFileName, neteventsFileLog) call GetShowStateInfo(showstateFileName, showstateFileLog) call GetSysPortsInfo(sysportsFileName, sysportsFileLog) Edited March 6, 2015 by sud0nick Quote Link to comment Share on other sites More sharing options...
sud0nick Posted March 6, 2015 Share Posted March 6, 2015 (edited) It won't let me edit my previous post because of all the text and possibly the garbage network I'm using at work. I ran the script on my computer and it actually created 2 folders for me: config/ and Reg/. config/ contains these files: adapterinfo.txt Dns.txt envinfo.txt FileSharing.txt gpresult.txt Neighbors.txt neteventslog.txt netiostate.txt osinfo.txt sysportslog.txt WcnInfo.txt wfplog.log wfpstatelog.txt WindowsFirewallConfig.txt WindowsFirewallEffectiveRules.txt WindowsFirewallLog.evtx WindowsFirewallLogVerbose.evtx WinsockCatalog.txt WLANAutoConfigLog.evtx The Reg/ folder contains: AllCred.reg.txt AllCredFilter.reg.txt APIPerm.reg.txt HKLMWlanSvc.reg.txt Notif.reg.txt Some of the processes require elevation in order to populate the files with info but there is still a lot that can be gathered with a regular user account. This is definitely a good find and can be useful for quickly gathering information from a PC. Edited March 6, 2015 by sud0nick Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.