2018-01-03 14:43:27 -05:00

81 lines
2.0 KiB
Perl

#-----------------------------------------------------------
# dcom.pl
# DCOM ports can be set, and in Matt Graeber's BlackHat 2015 paper,
# he recommends modifying the ports
#
# https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows
# -Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
#
#
# Change history
# 20151203 - created
#
# References
# http://blog.backslasher.net/setting-dynamic-rpc-port-ranges.html
#
# Copyright (c) 2015 QAR, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package dcom;
use strict;
# Declarations #
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
category => "system config",
version => 20151203);
my $VERSION = getVersion();
# Functions #
sub getConfig {return %config}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
sub getDescr {}
sub getShortDescr {
return "Check DCOM Ports";
}
sub getRefs {}
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching dcom v.".$VERSION);
::rptMsg("dcom v.".$VERSION);
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key;
my $ports;
my $key_path = "Microsoft\\Rpc\\Internet";
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
eval {
$ports = $key->get_value("Ports")->get_data();
::rptMsg("Ports value found: ".$ports);
};
eval {
$ports = $key->get_value("PortsInternetAvailable")->get_data();
::rptMsg("PortsInternetAvailable value found: ".$ports);
};
eval {
$ports = $key->get_value("UseInternetPorts")->get_data();
::rptMsg("UseInternetPorts value found: ".$ports);
};
}
else {
}
}
1;