
Commit bd51740

authored
Add files via upload
1 parent 018eec2 commit bd51740

1 file changed

Lines changed: 198 additions & 0 deletions


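--- a/windows_collect.py
+++ b/windows_collect.py
@@ -0,0 +1,198 @@
+import os
+
+def collect():
+xj=open('save.txt','w')
+xj.close()
+
+print('[+]什么是操作系统和架构?它缺少任何补丁吗?')
+systeminfo=os.popen('systeminfo')
+wmic_qfe=os.popen('wmic qfe')
+for s in systeminfo:
+print(s,file=open('save.txt','a'))
+for c in wmic_qfe:
+print(c,file=open('save.txt','a'))
+
+print('[+]环境变量有什么有趣的吗?域控制器在LOGONSERVER?')
+set=os.popen('set')
+#Get_chiditem=os.popen('Get-ChildItem Env: | ft Key,Value')
+for e in set:
+print(e,file=open('save.txt','a'))
+#for t in Get_chiditem:
+#print(t,file=open('save.txt','a'))
+
+print('[+]还有其他连接的驱动器吗?')
+net_use=os.popen('net use')
+wmic_log=os.popen('wmic logicaldisk get caption,description,providername')
+#psd=os.popen('Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root')
+for ne in net_use:
+print(ne,file=open('save.txt','a'))
+for g in wmic_log:
+print(g,file=open('save.txt','a'))
+#for d in psd:
+#print(d,file=open('save.txt','a'))
+
+print('[+]你是谁?')
+whoami=os.popen('whoami')
+username=os.popen('echo %USERNAME%')
+for whoa in whoami:
+print(whoa,file=open('save.txt','a'))
+for m in username:
+print(m,file=open('save.txt','a'))
+
+print('[+]任何有趣的用户权限?注意:“状态”列并不表示用户具有或无权访问此权限。如果列出了该权限,则该用户拥有该权限。')
+priv=os.popen('whoami /priv')
+for i in priv:
+print(i,file=open('save.txt','a'))
+
+print('[+]用户在系统上有什么用途?任何未清理的旧用户配置文件?')
+ur=os.popen('net users')
+bw=os.popen('dir /b /ad "C:/Users/"')
+#bs=os.popen('dir /b /ad "C:/Documents and Settings/" # Windows XP and below')
+for r in ur:
+print(r,file=open('save.txt','a'))
+for w in bw:
+print(w,file=open('save.txt','a'))
+#for s in bs:
+#print(s,file=open('save.txt','a'))
+
+print('[+]还有其他人登录吗?')
+qwinsta=os.popen('qwinsta')
+for w in qwinsta:
+print(w,file=open('save.txt','a'))
+
+print('[+]系统上有哪些组?')
+net_localgroup=os.popen('net localgroup')
+for group in net_localgroup:
+print(group,file=open('save.txt','a'))
+
+print('[+]Administrators组中是否有任何用户?')
+net_localgroup_Administrators=os.popen('net localgroup Administrators')
+for administrator in net_localgroup_Administrators:
+print(administrator,file=open('save.txt','a'))
+
+print('[+]用户自动登录注册表中的任何内容?')
+reg_query=os.popen('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"')
+for v in reg_query:
+print(v,file=open('save.txt','a'))
+
+print('[+]在Credential Manager中有什么有趣的东西吗?')
+cmdkey_list=os.popen('cmdkey /list')
+for l in cmdkey_list:
+print(l,file=open('save.txt','a'))
+
+print('[+]cmdkey /list我们可以访问SAM和SYSTEM文件吗?')
+lg=['%SYSTEMROOT%/repair/SAM','%SYSTEMROOT%/System32/config/RegBack/SAM','%SYSTEMROOT%/System32/config/SAM','%SYSTEMROOT%/repair/system','%SYSTEMROOT%/System32/config/SYSTEM','%SYSTEMROOT%/System32/config/RegBack/system']
+for k in lg:
+system=os.popen(k)
+for q in system:
+print(q,file=open('save.txt','a'))
+
+print('[+]安装了什么软件?')
+rj=['dir /a "C:\Program Files"','dir /a "C:\Program Files (x86)"','reg query HKEY_LOCAL_MACHINE\SOFTWARE']
+for j in rj:
+qw=os.popen(j)
+for w in qw:
+print(w,file=open('save.txt','a'))
+
+print('[+]程序文件夹中每个人或用户的完全权限?')
+icacls=['icacls "C:\Program Files\*" 2>nul','icacls "C:\Program Files (x86)\*" 2>nul','icacls "C:\Program Files\*" 2>nul ','icacls "C:\Program Files (x86)\*"']
+for aw in icacls:
+qdw=os.popen(aw)
+for rs in qdw:
+print(rs,file=open('save.txt','a'))
+
+
+print('[+]系统上正在运行的进程/服务是什么?内部服务没有暴露吗?如果是这样,我们可以打开它吗?')
+tasklist=['tasklist /svc','tasklist /v','net start','sc query',]
+for t in tasklist:
+wx=os.popen(t)
+for p in wx:
+print(p,file=open('save.txt','a'))
+
+print('[+]有没有不带引号的服务路径?')
+wmcs=os.popen('wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """')
+for m in wmcs:
+print(m,file=open('save.txt','a'))
+
+print('[+]那里有什么预定的任务?什么定制实施?')
+xw=os.popen('schtasks /query /fo LIST 2>nul | findstr TaskName')
+print(xw,file=open('save.txt','a'))
+
+print('[+]启动时跑了什么?')
+qz=['wmic startup get caption,command','reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run','reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce','reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run','reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce','dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"','dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"']
+for z in qz:
+xq=os.popen(z)
+for r in xq:
+print(r,file=open('save.txt','a'))
+
+print('[+]连接了哪些NIC?有多个网络吗?')
+ipconfig_all=os.popen('ipconfig /all')
+for all in ipconfig_all:
+print(all,file=open('save.txt','a'))
+
+print('[+]我们有什么路线?')
+xpo=os.popen('route print')
+for o in xpo:
+print(o,file=open('save.txt','a'))
+
+print('[+]ARP缓存中的任何内容?')
+arp=os.popen('arp -a')
+for p in arp:
+print(p,file=open('save.txt','a'))
+
+print('[+]是否有与其他主机的连接?')
+sw=os.popen('netstat -ano')
+for b in sw:
+print(b,file=open('save.txt','a'))
+
+print('[+]防火墙是否已打开?如果是这样配置的是什么?')
+fq=['netsh firewall show state','netsh firewall show config','netsh advfirewall firewall show rule name=all','netsh advfirewall export "firewall.txt"']
+for u in fq:
+fhq=os.popen(u)
+for f in fhq:
+print(f,file=open('save.txt','a'))
+
+print('[+]还有其他有趣的界面配置吗?')
+netsh_dump=os.popen('netsh dump')
+for ump in netsh_dump:
+print(ump,file=open('save.txt','a'))
+
+print('[+]注册表中的任何密码?')
+lv=['reg query HKCU /f password /t REG_SZ /s','reg query HKLM /f password /t REG_SZ /s ']
+for pasw in lv:
+passwd=os.popen(pasw)
+for pd in passwd:
+print(pd,file=open('save.txt','a'))
+
+print('[+]是否有可用的sysprep或无人值守文件?')
+zi=os.popen('dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul')
+for nb in zi:
+print(nb,file=open('save.txt','a'))
+
+print('[+]有待观察的有趣文件吗?可能在用户目录(桌面,文档等)中?')
+sl=os.popen('dir /s *pass* == *vnc* == *.config* 2>nul')
+for lw in sl:
+print(lw,file=open('save.txt','a'))
+print('')
+print('')
+
+print('[*]判断是否存在以下路径')
+lss=[]
+if os.path.exists('list.txt'):
+print('[+]存在list.txt')
+else:
+print('[-]不存在list.txt')
+exit()
+
+dk=open('list.txt','r')
+for r in dk.readlines():
+qk="".join(r.split('\n'))
+lss.append(qk)
+
+for g in lss:
+if os.path.exists(g):
+print('[+]存在 {}'.format(g))
+else:
+print('[-]不存在{}'.format(g))
+
+collect()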
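Review bot: `system=os.popen(k)` in the `for k in lg` loop (file line 86) hands each entry of `lg` — which holds file paths, not commands — to the shell to execute, so that section never reports whether the file is readable, and `print(xw,file=open('save.txt','a'))` at line 119 writes the repr of the popen object instead of iterating it, so the scheduled-task section logs nothing useful either. Every other section calls `open('save.txt','a')` once per output line and never closes the handle (nor `dk` at line 187), which leaks hundreds of descriptors and relies on the GC to flush; opening the log once and draining each command through one small helper fixes that, and while there it is easy to drop the `set`/`all` builtin shadowing (lines 16 and 130) and replace the `exit()` inside `collect()` at line 185 with `return`. The registry, `dir` and `icacls` command strings are non-raw literals containing `\S`, `\W`, `\P`, `\*` and similar sequences, which are invalid escapes that current CPython warns on (SyntaxWarning since 3.12); mark them `r'...'`, keeping in mind that the `"C:\Windows\\"` fragment at line 113 currently relies on `\\` collapsing to one backslash and must be rewritten as `r'...C:\Windows\ ...'`-style with a single backslash. Also note each popen line already ends in `'\n'`, so `print()` double-spaces the log; the helper below writes lines verbatim.
```python
def _capture(out, cmd):
    """Run one shell command and append its stdout to the already-open log file."""
    with os.popen(cmd) as proc:
        for line in proc:
            out.write(line)  # lines keep their own '\n'; print() was adding a second one


def collect():
    with open('save.txt', 'w') as out:
        print('[+]什么是操作系统和架构?它缺少任何补丁吗?')
        _capture(out, 'systeminfo')
        _capture(out, 'wmic qfe')
        # … unchanged: remaining sections, each `for x in os.popen(c): print(x, file=open(...))` pair becomes `_capture(out, c)` …
```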
