Exploit template enhancement

README.md

@@ -57,7 +57,7 @@ Can be deployed on victim machines to scan the intranet.
 - dnsserver.py: Create a temporary dns server responding dynamically to basic DNS requests (in-memory)
 - sshserver.py: Create a temporary ssh server to intercept credentials (TODO: relay) (in-memory)
 - smtpserver.py: Create a temporary smtp server (in-memory)
-- ftpserver.py: Create a temporary ftp server (in-memory, thanks to @thanks to [@benzammour](https://github.com/benzammour))
+- ftpserver.py: Create a temporary ftp server (in-memory, thanks to [@benzammour](https://github.com/benzammour))
 - template.py: Creates a template for web exploits, similar to pwnlib's template
 - pcap_file_extract.py: Lists and extracts files from http connections found in pcap files
 - find_git_commit.py: Compares a local repository (e.g. downloaded from a remote server) with another git repository to guess the commit hash. Useful to find used versions

git-dumper.py

@@ -530,7 +530,7 @@ if __name__ == '__main__':
                                      description='Dump a git repository from a website.')
     parser.add_argument('url', metavar='URL',
                         help='url')
-    parser.add_argument('directory', metavar='DIR',
+    parser.add_argument('--directory', metavar='DIR', default=None, type=str,
                         help='output directory')
     parser.add_argument('--proxy',
                         help='use the specified proxy')
@@ -577,6 +577,13 @@ if __name__ == '__main__':
             parser.error('invalid proxy')
 
     # output directory
+    if args.directory is None:
+        parsed_url = urllib.parse.urlparse(args.url)
+        if not parsed_url or not parsed_url.hostname:
+            parser.error('no output directory given and cannot derive from URL')
+        else:
+            args.directory = parsed_url.hostname
+
     if not os.path.exists(args.directory):
         os.makedirs(args.directory)
 

sqli.py

@@ -5,12 +5,14 @@ import string
 class SQLi(ABC):
 
     @staticmethod
-    def build_query(column: str|list, table=None, condition=None, offset=None):
-        column = column if isinstance(column, str) else ",".join(column)
-        condition = "" if not condition else f" WHERE {condition}"
-        offset = "" if offset is None else f" OFFSET {offset}"
-        table = "" if not table else f" FROM {table}"
-        return f"SELECT {column}{table}{condition} LIMIT 1{offset}"
+    def build_query(column: str|list, table=None, condition=None, offset=None, limit=1):
+        query = "SELECT "
+        query += column if isinstance(column, str) else ",".join(column)
+        query += "" if not table else f" FROM {table}"
+        query += "" if not condition else f" WHERE {condition}"
+        query += "" if limit is None else f" LIMIT {limit}"
+        query += "" if offset is None or limit is None else f" OFFSET {offset}"
+        return query
 
     def extract_multiple_ints(self, column: str, table=None, condition=None, verbose=False):
         row_count = self.extract_int(f"COUNT({column})", table=table, condition=condition, verbose=verbose)
@@ -34,9 +36,11 @@ class SQLi(ABC):
 
         return rows
 
-    @abstractmethod
-    def ascii(self):
-        pass
+    def substring(self, what, offset: int, size: int):
+        return f"substr({what},{offset},{size})"
+
+    def ascii(self, what):
+        return f"ascii({what})"
 
     @abstractmethod
     def extract_int(self, column: str, table=None, condition=None, 
@@ -153,6 +157,25 @@ class ReflectedSQLi(SQLi, ABC):
 
         return rows
 
+    @classmethod
+    def guess_reflected_columns(cls, callback):
+        data = None
+        column_count = 1
+        while data is None:
+            query_columns = list(map(lambda c: f"'column-{c}-sqli'", range(column_count)))
+            query_str = cls.build_query(query_columns)
+            data = callback(query_str) # should return some kind of text for a given query
+            if not data:
+                column_count += 1
+                continue
+
+        reflected_columns = []
+        for c in range(column_count):
+            column_name = f"'column-{c}-sqli'"
+            reflected_columns.append(str if column_name in data else None) # how to guess the type (str/int)?
+
+        return reflected_columns
+
     # todo: extract_multiple with columns as dict (name -> type), e.g. extract_multiple({"id": int, "name": str})
 
 class BlindSQLi(SQLi, ABC):
@@ -206,7 +229,7 @@ class BlindSQLi(SQLi, ABC):
         cur_str = ""
         while True:
             found = False
-            cur_column = self.ascii() + f"(substr({column},{len(cur_str) + 1},1))"
+            cur_column = self.ascii(self.substring(column, len(cur_str) + 1, 1))
             if charset:
                 query = self.build_query(cur_column, table, condition, offset)
                 for c in charset:
@@ -234,7 +257,6 @@ class BlindSQLi(SQLi, ABC):
 
         return cur_str
 
-
 class PostgreSQLi(SQLi, ABC):
     def get_database_version(self, verbose=False):
         return self.extract_string("VERSION()", verbose=verbose)
@@ -254,9 +276,6 @@ class PostgreSQLi(SQLi, ABC):
                                              f"table_schema='{schema}' AND table_name='{table}'",
                                              verbose=verbose)
 
-    def ascii(self):
-        return "ascii"
-
 class MySQLi(SQLi, ABC):
     def get_database_version(self, verbose=False):
         return self.extract_string("VERSION()", verbose=verbose)
@@ -276,10 +295,6 @@ class MySQLi(SQLi, ABC):
                                              f"table_schema='{schema}' AND table_name='{table}'",
                                              verbose=verbose)
 
-    def ascii(self):
-        return "ascii"
-
-
 class SQLitei(SQLi, ABC):
     def get_database_version(self, verbose=False):
         return self.extract_string("sqlite_version()", verbose=verbose)
@@ -298,5 +313,5 @@ class SQLitei(SQLi, ABC):
         # TODO: we could query the "sql" column and parse it using regex
         raise Exception("Not implemented!")
 
-    def ascii(self):
-        return "unicode"
+    def ascii(self, what):
+        return f"unicode({what})"

subdomainFuzz.sh

@@ -14,7 +14,7 @@ fi
 
 DOMAIN=$(echo $DOMAIN | sed -e 's|^[^/]*//||' -e 's|/.*$||')
 
-
+if [ $# -lt 2 ]; then
   echo "[ ] Resolving IP-Address…"
   output=$(resolveip $DOMAIN 2>&1)
   status=$(echo $?)
@@ -22,6 +22,12 @@ if ! [[ $status == 0 ]] ; then
     echo "[-] ${output}"
     exit
   fi
+  IP_ADDRESS=$(echo $output | head -n 1 |  awk '{print $NF}')
+  echo "[+] IP-Address: ${IP_ADDRESS}"
+else
+  IP_ADDRESS=$2
+  echo "[+] Using IP-Address: ${IP_ADDRESS}"
+fi
 
 function sni () {
   protocol=$1
@@ -37,14 +43,12 @@ function sni () {
   echo $sni
 }
 
-IP_ADDRESS=$(echo $output | head -n 1 |  awk '{print $NF}')
-echo "[+] IP-Address: ${IP_ADDRESS}"
 echo "[ ] Retrieving default site…"
 rnd=$(uuidgen)
 sni=$(sni ${PROTOCOL} ${rnd}.${DOMAIN})
-charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m)
 charcountIpAddress=$(curl -s "${PROTOCOL}://${IP_ADDRESS}" -k -m 5 | wc -m)
 charcountNonExistent=$(curl -s "${PROTOCOL}://${rnd}.${DOMAIN}" --resolve "${sni}:${IP_ADDRESS}" -k -m 5 | wc -m)
+charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m)
 echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}"
 echo "[ ] Fuzzing…"
 

template.py

@@ -1,23 +1,40 @@
 #!/usr/bin/env python
 
+import re
 import sys
 import json
+import argparse
 import urllib.parse
 
 def generate_template(base_url, features):
 
-    ip_address = "util.get_address()"
-    for feature in features:
-        if feature.lower().startswith("ip_address="):
-            ip_address = "'" + feature.split("=")[1] + "'"
+    # we could all need that
+    imports = [
+        "os", "io", "re", "sys",
+        "json", "time", "base64", "requests",
+        "subprocess", "urllib.parse"
+    ]
+
+    partial_imports = {
+        "bs4": ["BeautifulSoup"],
+        "hackingscripts": ["util", "rev_shell"],
+        "urllib3.exceptions": ["InsecureRequestWarning"]
+    }
+
+    main_code = []
+    methods = []
+    ip_address_arg = next(filter(lambda f: re.match(r"ip_address=(.*)", f), features), None)
+    ip_address = "util.get_address()" if not ip_address_arg else "'" + ip_address_arg[1] + "'"
 
     variables = {
         "IP_ADDRESS": ip_address, 
-        "BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"',
-        "PROXIES": json.dumps({"http":"http://127.0.0.1:8080", "https":"http://127.0.0.1:8080"})
+        "BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"'
     }
     
-    if "proxies" in features or "burp" in features:
+    proxy_arg = next(filter(lambda f: re.match(r"proxy=(.*)", f), features), None)
+    if proxy_arg or "burp" in features:
+        proxy_url = "http://127.0.0.1:8080" if not proxy_arg else proxy_arg[1]
+        variables["PROXIES"] = json.dumps({"http": proxy_url, "https": proxy_url})
         proxy = """
     if \"proxies\" not in kwargs:
         kwargs[\"proxies\"] = PROXIES
@@ -35,7 +52,7 @@ def generate_template(base_url, features):
         vhost_param = ""
         full_url = "BASE_URL + uri"
         
-    request_method = f"""def request(method, uri{vhost_param}, **kwargs):
+    methods.insert(0, f"""def request(method, uri{vhost_param}, **kwargs):
     if not uri.startswith("/") and uri != "":
         uri = "/" + uri
 
@@ -52,25 +69,12 @@ def generate_template(base_url, features):
     {proxy}
     url = {full_url}
     return client.request(method, url, **kwargs)
-"""
-
-    methods = [request_method]
-
-    if "login" in features or "account" in features:
-        variables["USERNAME"] = '"Blindhero"'
-        variables["PASSWORD"] = '"test1234"'
-        methods.append("""
-def login(username, password):
-    session = requests.Session()
-    res = request("POST", "/login", data={"username": username, "password": password}, session=session)
-    if res.status_code != 200:
-        print("[-] Error logging in")
-        exit()
-    
-    return session
 """)
 
     if "register" in features or "account" in features:
+        main_code.append("""if not register(USERNAME, PASSWORD):
+        exit(1)
+""")
         variables["USERNAME"] = '"Blindhero"'
         variables["PASSWORD"] = '"test1234"'
         methods.append("""
@@ -83,11 +87,71 @@ def register(username, password):
     return True
 """)
 
-    main = """
+    if "login" in features or "account" in features:
+        main_code.append("""session = login(USERNAME, PASSWORD)
+    if not session:
+        exit(1)
+""")
+        variables["USERNAME"] = '"username"'
+        variables["PASSWORD"] = '"password"'
+        methods.append("""
+def login(username, password):
+    session = requests.Session()
+    res = request("POST", "/login", data={"username": username, "password": password}, session=session)
+    if res.status_code != 200:
+        print("[-] Error logging in")
+        exit()
+    
+    return session
+""")
+
+    if "sqli" in features:
+        partial_imports["hackingscripts.sqli"] = ["MySQLi", "PostgreSQLi", "BlindSQLi", "ReflectedSQLi"]
+        methods.append("""
+class ReflectedSQLiPoC(MySQLi, ReflectedSQLi):
+    def __init__(self):
+        # TODO: specify reflected columns with their types
+        super().__init__([None, str, int])
+    def reflected_sqli(self, columns: list, table=None, condition=None, offset=None, verbose=False):
+        # TODO: build query and extract columns from response
+        return None
+""")
+        methods.append("""
+class BlindSQLiPoC(MySQLi, BlindSQLi):
+    def blind_sqli(self, condition: str, verbose=False) -> bool:
+        # TODO: build query and evaluate condition
+        return False
+""")
+
+        main_code.append("""poc = ReflectedSQLiPoC()
+    print(poc.get_current_user())  
+""")
+
+    if "http-server" in features or "file-server" in features:
+        partial_imports["hackingscripts.fileserver"] = ["HttpFileServer"]
+        main_code.append("""file_server = HttpFileServer("0.0.0.0", 3000)
+    file_server.enableLogging()
+    file_server.addRoute("/dynamic", on_request)
+    file_server.addFile("/static", b"static-content")
+    file_server.startBackground()
+""")
+
+        methods.append("""
+def on_request(req):
+    # TODO: auto generated method stub
+    return 200, b"", { "X-Custom-Header": "1" }     
+""")
+
+    if len(main_code) == 0:
+        main_code = ["pass"]
+
+    main = f"""
 if __name__ == "__main__":
-    pass
+    {'\n    '.join(main_code)}
 """
 
+    imports = "\n".join(f"import {i}" for i in sorted(imports, key=len))
+    imports += "\n" + "\n".join(sorted(list(f"from {p} import {', '.join(i)}" for p, i in partial_imports.items()), key=len))
     variables = "\n".join(f"{k} = {v}" for k, v in variables.items())
     header = f"""#!/usr/bin/env python
 
@@ -96,21 +160,7 @@ if __name__ == "__main__":
 # For more information, visit: https://git.romanh.de/Roman/HackingScripts
 # 
 
-import os
-import io
-import re
-import sys
-import json
-import time
-import base64
-import requests
-import subprocess
-import urllib.parse
-from bs4 import BeautifulSoup
-from hackingscripts import util, rev_shell
-from hackingscripts.fileserver import HttpFileServer
-from hackingscripts.sqli import MySQLi, PostgreSQLi, BlindSQLi, ReflectedSQLi
-from urllib3.exceptions import InsecureRequestWarning
+{imports}
 requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 
 {variables}
@@ -121,14 +171,38 @@ requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
 
 if __name__ == "__main__":
 
-    if len(sys.argv) < 2:
-        print("Usage: %s <URL> [features]" % sys.argv[0])
-        exit()
+    parser = argparse.ArgumentParser(
+        description="Exploit Template for web attacks",
+        formatter_class=argparse.RawTextHelpFormatter
+    )
 
-    url = sys.argv[1]
+    available_features = [
+        "ip_address=[...]: Local IP-Address for reverse connections",
+        "burp|proxy=[...]: Tunnel traffic through a given proxy or Burp defaults",
+        "subdomain|vhost: Allow to specify a subdomain for outgoing requests",
+        "register|account: Generate an account registration method stub",
+        "login|account: Generate an account login method stub",
+        "sqli: Generate an template SQL-Injection class",
+        "http-server|file-server: Generate code for starting an in-memory http server"
+    ]
+
+    parser.add_argument("url", type=str, help="Target URL")
+    parser.add_argument(
+        "-f",
+        "--features",
+        nargs="*",
+        type=str,
+        default=[],
+        help="Optional list of features:\n- " + "\n- ".join(available_features)
+    )
+
+    args = parser.parse_args()
+
+    url = args.url
     if "://" not in url:
         url = "http://" + url
 
-    features = [] if len(sys.argv) < 3 else sys.argv[2].split(",")
+    features = args.features
     template = generate_template(url, features)
     print(template)
+

util.py

@@ -135,6 +135,9 @@ def assert_json_path(res, path, value, err=None):
 
     json_data = json.loads(res.text)
     for key in filter(None, path.split(".")):
+        match = re.match(r"\[([0-9]+)\]", key)
+        if match:
+            key = int(match[1])
         json_data = json_data[key]
 
     if json_data == value:

win/winPEAS.bat

@@ -69,57 +69,62 @@ ECHO.
 CALL :T_Progress 2
 
 :ListHotFixes
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
     wmic qfe get Caption,Description,HotFixID,InstalledOn | more
+) else (
+    powershell -command "Get-HotFix | Format-Table -AutoSize"
+)
 set expl=no
 for /f "tokens=3-9" %%a in ('systeminfo') do (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i "2000 XP 2003 2008 vista" && set expl=yes) & (ECHO."%%a %%b %%c %%d %%e %%f %%g" | findstr /i /C:"windows 7" && set expl=yes)
 IF "%expl%" == "yes" ECHO.   [i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2592799" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2592799" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-080 patch is NOT installed! (Vulns: XP/SP3,2K3/SP3-afd.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3143141" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3143141" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-032 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2393802" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB982799" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB982799" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979683" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB979683" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-21 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2305420" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2305420" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-092 patch is NOT installed! (Vulns: 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB981957" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB981957" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-073 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4013081" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB4013081" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS17-017 patch is NOT installed! (Vulns: 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB977165" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB977165" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS10-015 patch is NOT installed! (Vulns: 2K,XP,2K3,2K8,Vista,7-User Mode to Ring)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB941693" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB941693" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS08-025 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB920958" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB920958" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-049 patch is NOT installed! (Vulns: 2K/SP4-ZwQuerySysInfo)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB914389" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB914389" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS06-030 patch is NOT installed! (Vulns: 2K,XP/SP2-Mrxsmb.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB908523" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB908523" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-055 patch is NOT installed! (Vulns: 2K/SP4-APC Data-Free)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB890859" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB890859" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS05-018 patch is NOT installed! (Vulns: 2K/SP3/4,XP/SP1/2-CSRSS)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB842526" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB842526" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-019 patch is NOT installed! (Vulns: 2K/SP2/3/4-Utility Manager)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB835732" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB835732" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-011 patch is NOT installed! (Vulns: 2K/SP2/3/4,XP/SP0/1-LSASS service BoF)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB841872" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB841872" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS04-020 patch is NOT installed! (Vulns: 2K/SP4-POSIX)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2975684" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2975684" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-040 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3136041" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS16-016 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3057191" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB3057191" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS15-051 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2989935" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2989935" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS14-070 patch is NOT installed! (Vulns: 2K3/SP2-TCP/IP)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2778930" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2778930" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-005 patch is NOT installed! (Vulns: Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2850851" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2850851" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-053 patch is NOT installed! (Vulns: 7SP0/SP1_x86-schlamperei)
-IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2870008" 1>NUL
+IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn 2>nul | findstr /C:"KB2870008" 1>NUL
 IF "%expl%" == "yes" IF errorlevel 1 ECHO.MS13-081 patch is NOT installed! (Vulns: 7SP0/SP1_x86-track_popup_menu)
 ECHO.
 CALL :T_Progress 2
@@ -197,7 +202,12 @@ CALL :T_Progress 1
 
 :AVSettings
 CALL :ColorLine " %E%33m[+]%E%97m Registered Anti-Virus(AV)"
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
     WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
+) else (
+    powershell -command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
+) 
 ECHO.Checking for defender whitelisted PATHS
 reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" 2>nul
 CALL :T_Progress 1
@@ -226,7 +236,12 @@ CALL :T_Progress 3
 :MountedDisks
 CALL :ColorLine " %E%33m[+]%E%97m MOUNTED DISKS"
 ECHO.   [i] Maybe you find something interesting
-(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
+    wmic logicaldisk get caption | more
+) else (
+    fsutil fsinfo drives
+)
 ECHO.
 CALL :T_Progress 1
 
@@ -273,16 +288,30 @@ tasklist /SVC
 ECHO.
 CALL :T_Progress 2
 ECHO.   [i] Checking file permissions of running processes (File backdooring - maybe the same files start automatically when Administrator logs in)
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
 	for /f "tokens=2 delims='='" %%x in ('wmic process list full ^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
 		for /f eol^=^"^ delims^=^" %%z in ('ECHO.%%x') do (
 			icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
 		)
 	)
+) else (
+	for /f "tokens=*" %%x in ('powershell -command "Get-Process | Where-Object {$_.Path -and $_.Path -notlike '*system32*'} | Select-Object -ExpandProperty Path -Unique"') do (
+		icacls "%%x" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+	)
+)
 ECHO.
 ECHO.   [i] Checking directory permissions of running processes (DLL injection)
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
 	for /f "tokens=2 delims='='" %%x in ('wmic process list full ^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('ECHO.%%x') do (
 		icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
 	)
+) else (
+	for /f "tokens=*" %%x in ('powershell -command "Get-Process | Where-Object {$_.Path -and $_.Path -notlike '*system32*'} | Select-Object -ExpandProperty Path -Unique"') do (
+		for /f "delims=" %%d in ("%%~dpx") do icacls "%%d" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && ECHO.
+	)
+)
 ECHO.
 CALL :T_Progress 3
 
@@ -452,9 +481,20 @@ ECHO.
 :ServiceBinaryPermissions
 CALL :ColorLine " %E%33m[+]%E%97m SERVICE BINARY PERMISSIONS WITH WMIC and ICACLS"
 ECHO.   [?] https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#services
+where wmic >nul 2>&1
+if %errorlevel% equ 0 (
 	for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do (
 		for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
 	)
+) else (
+	for /f "tokens=*" %%a in ('powershell -command "Get-CimInstance -ClassName Win32_Service | Where-Object {$_.PathName -and $_.PathName -notlike '*system32*'} | Select-Object -ExpandProperty PathName"') do (
+		for /f "tokens=1 delims= " %%b in ("%%a") do (
+			set "svcpath=%%b"
+			set "svcpath=!svcpath:~1,-1!"
+			if exist "!svcpath!" icacls "!svcpath!" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && ECHO.
+		)
+	)
+)
 ECHO.
 CALL :T_Progress 1
 
@@ -628,6 +668,8 @@ if "%long%" == "true" (
 	ECHO.
 	ECHO.   [i] Iterating through the drives
 	ECHO.
+	where wmic >nul 2>&1
+	if !errorlevel! equ 0 (
 		for /f %%x in ('wmic logicaldisk get name ^| more') do (
 			set tdrive=%%x
 			if "!tdrive:~1,2!" == ":" (
@@ -640,6 +682,17 @@ if "%long%" == "true" (
 				ECHO.
 			)
 		)
+	) else (
+		for /f %%x in ('powershell -command "Get-PSDrive -PSProvider FileSystem | Where-Object {$_.Root -match ':'} | Select-Object -ExpandProperty Name"') do (
+			%%x:
+			CALL :ColorLine " %E%33m[+]%E%97m FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config"
+			findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul
+			ECHO.
+			CALL :ColorLine " %E%33m[+]%E%97m FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\"
+			dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\"
+			ECHO.
+		)
+	)
 	CALL :T_Progress 2
 ) ELSE (
 	CALL :T_Progress 2
@@ -654,7 +707,8 @@ EXIT /B
 
 :SetOnce
 REM :: ANSI escape character is set once below - for ColorLine Subroutine
-SET "E=0x1B["
+for /F %%a in ('echo prompt $E ^| cmd') do set "ESC=%%a"
+SET "E=%ESC%["
 SET "PercentageTrack=0"
 EXIT /B
 
@@ -666,5 +720,5 @@ EXIT /B
 
 :ColorLine
 SET "CurrentLine=%~1"
-FOR /F "delims=" %%A IN ('FORFILES.EXE /P %~dp0 /M %~nx0 /C "CMD /C ECHO.!CurrentLine!"') DO ECHO.%%A
+ECHO.!CurrentLine!
 EXIT /B