
Info_Hack


48 replies to this topic

#26 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13745 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 08 June 2011 - 06:52 PM


:timestamp
rem split %TIME% (hh:mm:ss.cs) and the output of DATE /T into their parts;
rem both depend on the regional date/time format of the machine
for /F "tokens=1-4 delims=:., " %%a in ("%TIME%") do set tijd=%%a:%%b:%%c
for /F "tokens=1-4 delims=/- " %%A in ('date/T') do set datum=%%A-%%B-%%C-%%D
set timestamp=[%datum%][%tijd%]
goto :EOF


It's possible the timestamp needs some little work to make it international
It's also possible that I made some errors in the code, but I'm sure you will find the useful pieces to place in your batch
....

Just for the record, actual "international" Date/time support is quite complex.
Hints/links here:
http://reboot.pro/14431/page__st__38

But since it is just for a timestamp, there is no real *need* :dubbio: to parse the %TIME% and the %DATE% (instead of using the date /t command) variables, every user will have the log with his/her regional settings, or in other words, wouldn't this work all right? :unsure:

:timestamp
set timestamp=[%DATE%][%TIME%]
goto :EOF


:cheers:
Wonko

#27 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 10 June 2011 - 06:31 PM

Some suggestions:

Good stuff
I'm happy to announce that the next alpha will also include a full registry dump
I found an app that uses "Volume Shadow Service" to copy the registry files while Windows is using them
IOW it will be able to copy System, Sam, Security, Software and Ntuser.dat (of the current user)
This means that you can:
1. Backup the registry and load it with a PE registry app
2. Use a program like Cain & Abel to attempt a password recovery
The downside is that you will need to be an administrator user to get the dump
and you will probably need Visual C++ 2008 8.0 to run the app

#28 martin.be2

martin.be2

    Newbie

  • Members
  • 12 posts
  •  
    Netherlands

Posted 11 June 2011 - 11:25 AM

Good stuff
I'm happy to announce that the next alpha will also include a full registry dump
I found an app that uses "Volume Shadow Service" to copy the registry files while Windows is using them
IOW it will be able to copy System, Sam, Security, Software and Ntuser.dat (of the current user)
This means that you can:
1. Backup the registry and load it with a PE registry app
2. Use a program like Cain & Abel to attempt a password recovery
The downside is that you will need to be an administrator user to get the dump
and you will probably need Visual C++ 2008 8.0 to run the app



http://sourceforge.n...jects/hobocopy/

Also take a look at the software combofix

if you have restore point enabled you also can copy the restore point to get the system, sam, security, software and ntuser.dat
so hobocopy is only useful on win2000 or win2003/2008 servers
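Editor's note: the shadow-copy approach discussed in the two posts above, written out with built-in commands only (WMIC, MKLINK, VSSADMIN), so it needs neither HoboCopy nor a restore point. This is an added example, not Info_Hack's or HoboCopy's code. It assumes an elevated prompt on Vista/7 or later, a user profile on the system drive, and the file name hivecopy.cmd and the "hives" output folder are arbitrary choices for the example.

```batch
@echo off
setlocal
rem hivecopy.cmd - added example, not Info_Hack or HoboCopy code: copy the
rem registry hives out of a fresh shadow copy of the system drive with built-in
rem tools only. Needs an elevated prompt (Vista/7 and later, client or server).
rem "hives" as destination folder is an arbitrary choice for this example.
set "dest=%~dp0hives"
if not exist "%dest%" mkdir "%dest%"

rem 1. create a persistent, client-accessible shadow copy and capture its ID
rem    (WMIC prints  ShadowID = "{...}";  on success)
set "id="
for /f "tokens=2 delims==; " %%A in ('wmic shadowcopy call create Volume^=%SystemDrive%\ 2^>nul ^| find "ShadowID"') do set "id=%%~A"
if not defined id (echo Could not create a shadow copy - run this from an elevated prompt & goto :EOF)

rem 2. resolve its device object, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
rem    (usebackq so the single quotes of the WQL filter survive; the inner FOR
rem    strips the trailing CR that WMIC appends to every output line)
set "dev="
for /f "usebackq tokens=1,* delims==" %%A in (`wmic shadowcopy where "ID='%id%'" get DeviceObject /value 2^>nul`) do for /f "delims=" %%V in ("%%B") do set "dev=%%V"
if not defined dev (echo Shadow copy %id% not found & goto cleanup)

rem 3. expose the snapshot through a directory symlink; the trailing backslash is required
set "link=%TEMP%\shadow_%RANDOM%"
mklink /d "%link%" "%dev%\" >nul || goto cleanup

rem 4. copy the hives; the live files under System32\config are locked, the snapshot's are not.
rem    NTUSER.DAT assumes the current profile lives on the system drive.
for %%H in (SAM SYSTEM SECURITY SOFTWARE) do (
    copy /y "%link%\Windows\System32\config\%%H" "%dest%\" >nul && echo copied %%H
)
copy /y "%link%%USERPROFILE:~2%\NTUSER.DAT" "%dest%\" >nul && echo copied NTUSER.DAT

:cleanup
rem 5. rmdir removes only the link, then drop the shadow copy again
if defined link rmdir "%link%" 2>nul
if defined id vssadmin delete shadows /shadow=%id% /quiet >nul
echo Hives are in "%dest%" - load them offline with REG LOAD or a PE registry editor
endlocal
```

Two caveats. The hives come out exactly as they were at snapshot time, so load them read-only (REG LOAD from a PE environment, or an offline registry editor) rather than copying them back over a live system. And creating a shadow copy followed by a copy of SAM and SYSTEM is the same sequence credential-theft tooling uses, so expect antivirus or EDR to flag it; that is the "they will mark it as a Trojan" concern raised later in this thread.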

#29 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 11 June 2011 - 12:05 PM

if you have restore point enabled you also can copy the restore point to get the system, sam, security, software and ntuser.dat
so hobocopy is only useful on win2000 or win2003/2008 servers

I have tested hobocopy on Win7 64, Win7 32 and XP Pro SP3
it works, you just have to use the correct exe for it

I'm having some trouble with the logging script:
the code you gave me will take too long to write
and might not be the best choice, because the script is still in alpha
so I googled and came up with:

set LogFile=%Directory%\Log.txt
rem re-run this script with all its output redirected to the log file
if "%~1" == "NOWLOGGING" goto NowLogging
    %0 "NOWLOGGING" > "%LogFile%" 2>&1
    goto :EOF
:NowLogging

this code you add to the top just after all the "set" commands
the problem is that the log dumps everything into a txt file and does not
display a "live feed", I could add "type log.txt" but it won't be "live"
do you think you can help??

#30 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 11 June 2011 - 12:41 PM

The only thing I can come up with:
echo Infohack %ihver%              by DarkPhoeniX &(echo Infohack %ihver%              by DarkPhoeniX >> Log.txt)
add it to every "echo" line that echoes to the console
but it will take long to write....

#31 martin.be2

martin.be2

    Newbie

  • Members
  • 12 posts
  •  
    Netherlands

Posted 11 June 2011 - 04:12 PM

I'm having some trouble with the logging script:
the code you gave me will take too long to write
and might not be the best choice, because the script is still in alpha
....

display a "live feed", I could add "type log.txt" but it won't be "live"
do you think you can help??


hmm, it should work?
(probably I made some error)

I use it all the time and the reason I use it is because it will speed up my code, and not slow it down

I will try to write a simple batch and post it later on so you can copy/paste it and do some tests on it

#32 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13745 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 11 June 2011 - 06:15 PM

@darkphoenix
What you seem to need is a TEE command.
http://en.wikipedia....ki/Tee_(command)

There are several external .exe's and also ways to make one in batch, see here:
http://www.robvander...redirection.php
http://www.robvander...ixports.php#TEE

http://www.commandline.co.uk/mtee/
http://unxutils.sourceforge.net/
http://sourceforge.n...files/unxutils/

:ph34r:
Wonko

#33 martin.be2

martin.be2

    Newbie

  • Members
  • 12 posts
  •  
    Netherlands

Posted 11 June 2011 - 08:33 PM

The only thing I can come up with:

echo Infohack %ihver%              by DarkPhoeniX &(echo Infohack %ihver%              by DarkPhoeniX >> Log.txt)
add it to every "echo" line that echoes to the console
but it will take long to write....



can you please make 2 bat files

first file: name it func.bat and place it in a testdir

@echo off
if "%~1"=="" goto funcusage
if /i "%~1"=="help" goto funcusage
if /i "%~1"=="-help" goto funcusage
set function=%1
rem SHIFT also moves %0: after two shifts %0 holds the first word after the
rem function name, so %0..%9 below are the first ten words of the comment
shift
shift
set comment=%0 %1 %2 %3 %4 %5 %6 %7 %8 %9
if %function%==mac goto mac
if %function%==log goto log
if %function%==ouinum goto ouinum
goto funcend

:log
call :timestamp
if NOT "%log%"=="" if "%filelogging%"=="yes" echo %timestamp% %comment% >> %log%
echo %timestamp% %comment%
goto :EOF

:mac
rem first MAC address that NBTSTAT reports for this machine (needs NetBIOS over TCP/IP)
set MAC=
FOR /F "tokens=*" %%A IN ('NBTSTAT -a %COMPUTERNAME% 2^>NUL ^| FINDSTR /R /I /C:"[0-9A-F][0-9A-F]-*[0-9A-F][0-9A-F]-*[0-9A-F][0-9A-F]-*[0-9A-F][0-9A-F]-*[0-9A-F][0-9A-F]-*[0-9A-F][0-9A-F]"') DO FOR %%B IN (%%A) DO SET MAC=%%B
goto :EOF

:ouinum
rem after the two shifts %0 is the IP address given after "ouinum"; the trailing
rem space in FIND "%0 " keeps 192.168.20.1 from also matching 192.168.20.10
set ouinum=
set MAC=FF-FF-FF-00-00-00
FOR /F "tokens=2" %%A IN ('arp -a %1 2^>NUL ^| FIND "%0 "') do FOR %%B IN (%%A) DO SET MAC=%%B
for /f "Tokens=1-3 Delims=-" %%i in ('echo %MAC%') do set ouinum=%%i-%%j-%%k
goto :EOF

:timestamp
rem regional date/time format, fine for a log that stays on this machine
set timestamp=[%DATE%][%TIME%]
goto :EOF

:funcusage
echo use %0 {function} {parameter}
echo in this test i have included log, mac, ouinum
pause
goto :EOF

:funcend
goto :EOF

the second file: name it logdemo.bat and place it in the same testdir

@echo off
goto skipheader
*****************************************************************************************
*
* This is a sample how to use subroutines inside a batch
*
* It will demonstrate how to use a "function" to log comment to console and logfile
*
*******************************************************************************************************************
:skipheader

::some custom settings
set filelogging=yes

::some system settings
set curdir=%cd%
if not exist .\%COMPUTERNAME%\con mkdir .\%COMPUTERNAME%
set log=.\%COMPUTERNAME%\log.txt
set func=call func

%func% log This will log to file and console without using a
%func% log tee command.
%func% log But you can only log 10 "words"
%func% log "With quotes you can make a logline a lot longer so its not a real problem"

::i will call the mac function
%func%  mac
%func% log The MAC address is %mac%
%func% log But its not the right way to use this without
%func% log checking for the existence of an Ethernet device

::i will call the ouinum
%func% ouinum 192.168.20.1
%func% log the ouinum is %ouinum%
%func% log "This can be handy to find out what kind of ethernet device you are facing"
%func% log "(like a printer, and read the pagecounter with wget)"
%func% log "End of the demo, hope you can use some parts"
%func% log "Regards, Martinb"


If you make more batchfiles you will find it useful to create universal routines so you don’t have to reinvent the wheel on every batch you create

Edited by martin.be2, 11 June 2011 - 08:35 PM.


#34 gutnik

gutnik

    Member

  • Advanced user
  • 46 posts

Posted 12 June 2011 - 10:42 AM

All this is very interesting.
L.A.G.

#35 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 12 June 2011 - 01:42 PM

thanx martin.be2 & Wonko the Sane
but there is one problem: you both suggested an external "*.bat" file to start logging
this means that that bat file will need to be compressed in components.7z and the logging will start before the decompression
I could always add an external bat (non compressed) file but I would like to use internal commands...
I'm now working on a way to integrate the bat into infohack.bat
thanx a lot for all of your help!!!


ok I have it, I modified martin's code to "call :label" rather than "call func.bat"
I think this is what you implied when you first said to use subroutines

set logline=call log

should have been
set logline=call :log

sorry if I'm so stupid with .Bat scripting but I really learned a lot the past days...
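Editor's note: the in-script variant DarkPhoeniX arrives at above ("call :log" instead of an external func.bat), written out so it also answers the earlier question about getting a live console feed and a log file without a TEE program. This is an added example, not Info_Hack's code; logdemo2.cmd and the log file name are arbitrary choices for the example.

```batch
@echo off
setlocal
rem logdemo2.cmd - added example, not Info_Hack code: the :log subroutine kept
rem inside the script itself, so nothing has to be extracted from components.7z
rem before the first line is logged. Every line goes to the console and to %log%.
set "log=%~dp0log.txt"
set "filelogging=yes"
set "logline=call :log"

%logline% Info_Hack demo started
%logline% the subroutine takes the whole argument list, so a line is not limited to ten words
for /f "tokens=*" %%L in ('ver') do %logline% %%L
%logline% done
goto :EOF

:log
rem %* is everything after "call :log"; quotes in the message are passed through.
rem %DATE%/%TIME% follow the regional settings of the machine, which is fine for
rem a log that stays with that machine (see Wonko's post earlier in the thread).
set "stamp=[%DATE%][%TIME%]"
echo %stamp% %*
if /i "%filelogging%"=="yes" >>"%log%" echo %stamp% %*
goto :EOF
```

The one rule to keep in mind is the same one martin.be2 mentioned for his func.bat: a message that contains cmd metacharacters (&, |, <, >) has to be quoted, otherwise cmd interprets them before :log ever sees them.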

#36 martin.be2

martin.be2

    Newbie

  • Members
  • 12 posts
  •  
    Netherlands

Posted 12 June 2011 - 06:30 PM

..but I really learned a lot the past days...


That is exactly the thing I was talking about when I said

"it's better to share ideas than to share scripts"


Waiting for next beta.. :thumbsup:

#37 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 12 June 2011 - 07:31 PM

Waiting for next beta.. :thumbsup:

I just finished writing the log script (whoop)
I will have to add the "Volume Shadow Service" registry copy later
so Alpha8 will be delayed for a few days, sorry :cheers:

#38 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 15 June 2011 - 05:04 PM

Update to Info_hack 1a8
see first post..Here
as always:"if you have some suggestions ,ideas please share!!!"

#39 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 19 June 2011 - 06:49 PM

I would like to add a feature to detect if an antivirus is installed & up-to-date
does anyone know how to do this?
I read somewhere that you can do this by making a .vbs script that works in the same way that Windows Security Center finds an AV

and I need a .vbs script to hide windows (the cmd console)
I could use nircmd but it's going to be too slow to first extract it then run the command...
so the .bat is going to have to write the .vbs then execute it
thanx for the help....

#40 martin.be2

martin.be2

    Newbie

  • Members
  • 12 posts
  •  
    Netherlands

Posted 19 June 2011 - 07:53 PM

I would like to add a feature to detect if an antivirus is installed & up-to-date
does anyone know how to do this?
I read somewhere that you can do this by making a .vbs script that works in the same way that Windows Security Center finds an AV

and I need a .vbs script to hide windows (the cmd console)
I could use nircmd but it's going to be too slow to first extract it then run the command...
so the .bat is going to have to write the .vbs then execute it
thanx for the help....



please name this av.vbs

' Reads the legacy Security Center namespace root\SecurityCenter (Windows XP).
' Vista and later moved this data to root\SecurityCenter2, where the
' onAccessScanningEnabled/productUptoDate properties are replaced by productState.
On Error Resume Next

Const ForAppending = 2
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLogFile = objFSO.OpenTextFile("antivir.txt", ForAppending, True)
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter")

For Each av in oWMI.ExecQuery("Select * from AntiVirusProduct")
    If av.onAccessScanningEnabled = 0 Then enabled = " *On-access scanning disabled*" Else enabled = " *On-access scanning enabled*"
    If av.productUptoDate = 0 Then updated = " (Outdated)" Else updated = " (Updated)"
    objLogFile.Write("AV: " _
        & av.displayName _
        & enabled _
        & updated _
        & vbCrLf )
Next

For Each spy in oWMI.ExecQuery("Select * from AntiSpywareProduct")
    If spy.ProductEnabled = 0 Then enabled = " *disabled*" Else enabled = " *enabled*"
    If spy.productUptoDate = 0 Then updated = " (Outdated)" Else updated = " (Updated)"
    objLogFile.Write("SP: " _
        & spy.displayName _
        & enabled _
        & updated _
        & " " & spy.instanceGuid _
        & vbCrLf )
Next

For Each fw in oWMI.ExecQuery("Select * from FirewallProduct")
    If fw.Enabled = 0 Then enabled = " *disabled*" Else enabled = " *enabled*"
    objLogFile.Write("FW: " _
        & fw.displayName _
        & enabled _
        & vbCrLf )
Next

objLogFile.Close
wscript.quit

and just call this with

CSCRIPT //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs

to hide the active window you can use some external commands like

CMDOW Commandline Window Utility

you can also use some vbs like this

(its from robvanderwoude.com where you can find lots of info)

Option Explicit

Dim i, strArguments, wshShell

If WScript.Arguments.Count = 0 Then Syntax
If WScript.Arguments(0) = "/?" Then Syntax

strArguments = ""

For i = 0 To WScript.Arguments.Count - 1
	strArguments = strArguments & " " & WScript.Arguments(i)
Next

Set wshShell = CreateObject( "WScript.Shell" )
wshShell.Run Trim( strArguments ), 0, False
Set wshShell = Nothing


Sub Syntax
	Dim strMsg
	strMsg = "RunNHide.vbs,  Version 2.00" & vbCrLf _
	       & "Run a batch file or (console) command in a hidden window" & vbCrLf _
	       & vbCrLf _
	       & "Usage:  RUNNHIDE.VBS  some_command  [ some_arguments ]" & vbCrLf _
	       & vbCrLf _
	       & "Where:  ""some_command""    is the batch file or (console) command" & vbCrLf _
	       & "                          you want to run hidden" & vbCrLf _
	       & "        ""some_arguments""  are optional arguments for ""some_command""" & vbCrLf _
	       & vbCrLf _
	       & "Based on a ""one-liner"" by Alistair Johnson" & vbCrLf _
	       & "www.microsoft.com/technet/scriptcenter/csc/scripts/scripts/running/cscte009.mspx" _
	       & vbCrLf & vbCrLf _
	       & "Written by Rob van der Woude" & vbCrLf _
	       & "http://www.robvanderwoude.com"
	WScript.Echo strMsg
	WScript.Quit 1
End Sub


regards, Martinb

#41 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 19 June 2011 - 08:21 PM

thanx Martinb, I will start the testing.........

#42 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 21 June 2011 - 01:42 AM

I did some research and I won't be able to add a "check for Antivirus" script because Windows only gives an API to a respectable AV company for Windows 7 to check what the status of an AV is

Alejandro Campos Magencio
9 Feb 2009 4:22 AM

Hi,

This namespace is no longer available on Windows Vista SP1/2008 Server. That namespace is the legacy store for ISV products to register and report the status of their AV/AS/FW products.

We no longer support writing directly to the root\securitycenter WMI namespace, and instead vendors must use our API. This API is not published and is only made available for those vendors that meet the criteria. Contact info can be found here:

Implementing the Teredo Security Model

http://msdn.microsof.../bb190942(VS.85).aspx

"

The API utilized to register a firewall with the WSC can be obtained by contacting Microsoft at wscisv@microsoft.com. A Non-Disclosure Agreement (NDA) is required for the disclosure of this API due to security concerns.

"

I've only found this public info on the API:

Windows Security Center

http://msdn.microsof.../bb963845(VS.85).aspx

Regards,

Alex

More on this here

The script for "Spy-mode" (hidden mode) is done, it extracts and then runs Nircmd.exe to hide the CMD window (it's fast too)
I was thinking of adding an "installer" but I fear that this will make it too shady for an AV company to bear, they will probably mark it as a Trojan then

The idea of this script is mainly:

1. Test your computer's security
2. Help retrieve a lost password
3. Get information relevant to fixing a computer

It's not intended as spyware, that is why I'm hesitant to add the "Spy-mode" and especially the installer

but as always: "if you have some suggestions, ideas please share!!!" (I need some ideas for the next ver.)

#43 Mcasper

Mcasper
  • Members
  • 1 posts
  •  
    Italy

Posted 15 January 2012 - 03:39 PM

Hi, your sw is fantastic and very useful. When I try it on my W7 x64 I find an error in the row that invokes wirelesskey64

%SUBecho% -log "Dumping --- Wireless Keys for x64"
"%comp%WirelessKeyView.exe" /shtml %Directory%/html/Wireless_Keys64.html

I corrected it to wirelesskeyview64.exe and it shows me all wireless keys.

Sorry for my English.

Thank you for your work. :1st:

Edited by Mcasper, 15 January 2012 - 03:39 PM.


#44 crash

crash
  • Members
  • 6 posts
  •  
    Argentina

Posted 15 January 2012 - 04:20 PM

Thanks for sharing your work is fantastic and very easy to use :good:

#45 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 15 January 2012 - 10:08 PM

Thank you Mcasper, I will fix it in the next version
I found the same problem with "MyEventViewer64.exe"

I will start on the update next month and I'm researching a BIOS, shared folder and antivirus information dump
also I'm looking into creating a switch to not scan with autoruns, and a method of cutting autoruns's dump time

new topic location: http://reboot.pro/16...__fromsearch__1
download location: http://reboot.pro/fi...e/118-infohack/

#46 gutnik

gutnik

    Member

  • Advanced user
  • 46 posts

Posted 18 January 2012 - 09:33 PM

I agree that the new version is much better than the previous one. It is more penetrable.

L.A.G.

#47 darren rose

darren rose

    Frequent Member

  • Advanced user
  • 374 posts
  • Location:Norwich, Norfolk
  •  
    United Kingdom

Posted 18 April 2012 - 02:23 PM

I did some research and I won't be able to add a "check for Antivirus" script because Windows only gives an API to a respectable AV company for Windows 7 to check what the status of an AV is


For info, you can still use WMI on Windows Vista/7 to retrieve antivirus information - it is just in a different area

WMI namespace SecurityCenter2

It can retrieve the antivirusproduct, antispywareproduct and firewallproduct name

It also returns a productstate value that, when converted to hex, you can use to work out if the product is enabled/disabled and whether it is up-to-date or outdated

Hope this helps - just thought I would mention it as I am currently writing a VB.net app to show various bits of information including the above

Regards
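Editor's note: the SecurityCenter2 query darren rose describes, done from cmd so it fits a batch-only script like Info_Hack, with the productState decoding carried out in SET /A. This is an added example, not Info_Hack's or darren's VB.net code. The bit positions (0x1000 = enabled, 0x10 = out of date) are the reading used by scripting practice, not something Microsoft documents, so treat them as an assumption and check them against the product's own status page; av_state.cmd is an arbitrary file name.

```batch
@echo off
setlocal EnableDelayedExpansion
rem av_state.cmd - added example, not Info_Hack code: list the antivirus products
rem registered with Security Center and decode their productState.
rem root\SecurityCenter2 exists on Vista and later; XP only has root\SecurityCenter,
rem whose AntiVirusProduct class has no productState (see the av.vbs earlier).
rem WMIC is deprecated and absent from the newest Windows 11 builds; there the same
rem query is  Get-CimInstance -Namespace root/SecurityCenter2 AntiVirusProduct
set "digits=0123456789ABCDEF"
set "name="
rem /value prints one "property=value" line per property, displayName before productState
for /f "tokens=1,* delims==" %%A in ('wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName^,productState /value 2^>nul') do (
    rem the inner FOR strips the trailing CR that WMIC appends to every line
    for /f "delims=" %%V in ("%%B") do (
        if /i "%%A"=="displayName" set "name=%%V"
        if /i "%%A"=="productState" call :decode "!name!" %%V
    )
)
endlocal
goto :EOF

:decode
rem usage: call :decode "display name" productState
rem Bit layout as observed in practice; Microsoft does not document it, so treat
rem it as an assumption and check against the product's own UI:
rem   bit 0x1000 set -> real-time protection enabled
rem   bit 0x0010 set -> signatures out of date
set /a "on=(%~2 & 0x1000) >> 12"
set /a "stale=(%~2 & 0x10) >> 4"
set "status=disabled"
if %on%==1 set "status=enabled"
set "sig=up to date"
if %stale%==1 set "sig=OUT OF DATE"
call :tohex %~2
echo AV: %~1  productState=%~2 (0x%hex%)  %status%, signatures %sig%
goto :EOF

:tohex
rem usage: call :tohex decimal   -> sets %hex%
set "hex="
set /a n=%~1
:tohexloop
set /a "d=n & 15, n>>=4"
set "hex=!digits:~%d%,1!%hex%"
if %n% gtr 0 goto tohexloop
goto :EOF
```

Under this reading a productState of 0x61100 decodes to enabled and up to date, 0x60100 to disabled, and 0x61110 to enabled with stale signatures. The query itself needs no elevation, which is why it can run before the rest of an information dump that does.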

#48 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 26 May 2012 - 09:27 PM

Thanx Darren, I found a way to do this in cmd scripting, I just don't have a lot of time anymore...
I will try to get back into this as soon as I'm done updating my company's code

#49 z101891

z101891
  • Members
  • 9 posts
  •  
    United States

Posted 09 September 2015 - 12:19 AM

DarkPhoenix,

Have you updated this batch file?

The current version keeps faulting with Autoruns:





