SecuLab

from smb.SMBConnection import SMBConnection

conn = SMBConnection(userid="", password="", client_machine_name="", servername="", 

                                domain="",use_ntlm_v2=True, is_direct_tcp=True)
conn.connect(serverip = "", 445)
shares = conn.listShares()

for share in shares:
      if not share.isSpecial and share.name not in ['NETLOGON', 'SYSVOL']:
            print("share name :" + share.name)
            sharedfiles = conn.listPath(share.name,'/')
            for sharedfile in sharedfiles:
                  print(sharedfile.filename)
                  conn.close()

import pymysql

ratency = 2
conn = pymysql.connect(host="", user="", password="", read_timeout=ratency, write_timeout=ratency)

if conn.open == True:

     curs = conn.cursor()
     command = "show databases"
     curs.execute(command)
     rows = curs.fetchall()
     print(rows)
     conn.close()
     
''' case of using Dict type
cursor = conn.cursor(pymysql.cursors.DictCursor)
sql = 'select * from some_talbe'
cursor.execute(sql)
result = cursor.fetchall()
print(result)
'''
     
else:
      print("can not connected")

import telnetlib

infile = open("list.txt", "r")
ips = []
delay_second = 2

account_tup = (("admin", "admin"),
               ("admin", "password"),
               ("root", "root"),
               ("root", "password"),
               ("root", ""),
               ("guest", ""),
               ("db2admin", "db2admin")
               ("db2inst1", "db2inst1")
               ("db2as", "db2as")
               ("db2fenc1", "db2fenc1")
               ("db2admin", "ibmdb2")
               ("db2inst1", "ibmdb2")
               ("db2as", "ibmdb2")
               ("db2fenc1", "ibmdb2")
              )

lines = infile.readlines()
for line in lines:
    ips.append(line)
infile.close()
total_count = (lines.__len__()) * (len(account_tup))
now_count = 1


def tryConnectTelnet(host, user, password):
    global now_count
    with telnetlib.Telnet(host) as con:
        con.read_until("Login:", delay_second)
        con.read_until(b"login:", delay_second)
        print("[Try Action] input account completed")
        con.write(user + b"\n")
        con.read_until("Password:", delay_second)
        print("[Try Action] input password completed")
        con.write(password + b"\n")
        now_count = now_count + 1
        if con.eof:
            return "Closed connection"
        # con.write(b"ls\n")
        # con.write(b"exit\n")
        # my_text = con.set_debuglevel(1000)
        return con.read_until(b".", delay_second)


def print_result(return_str):
    tag = b"[[[Return Result]]]"
    if len(return_str) <= 5:
        print((tag + b"enmpty").decode())
    else:
        print(len(return_str))
        print((tag + return_str).decode())


for ip in ips:
    host = ip.strip("\n")
    print("==========[" + ip + "]==========")
    for a_value in account_tup:
        print(r"====[" + str(now_count) + "/" + str(total_count) + " try to " + a_value[0] + "/" + a_value[1])
        return_value = tryConnectTelnet(host, a_value[0].encode(), a_value[1].encode())
        print_result(return_value)
        with open("output.txt", "a") as outfile:
            outfile.write(host + ":" + a_value[0] + ":" + a_value[1] + ":" +return_value.decode() + "\n")

@echo off

 

REM ===== Get administrator priviliege =====

>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"

IF '%errorlevel%' NEQ '0' (

   echo Ask for administrator priviliege ...

   goto UACPrompt

) else ( goto gotAdmin )

:UACPrompt

   echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"

   set params = %*:"=""

   echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs"

   "%temp%\getadmin.vbs"

   REM del "%temp%\getadmin.vbs"

   exit /B

:gotAdmin

 

REM ===== Move to current path =====

pushd "%CD%"

   CD /D "%~dp0"

 

setlocal

set CURPATH=%cd%

set SECUHOST=10.10.10.10

set SECUPORT=80

 

color 2f

 

echo ### ADV200006 Incident response Script by. security group ###

echo ### 1. Change filename atmfd.dll ###

 

systeminfo > systeminfo.txt

type systeminfo.txt | find /i "x64-based" 

if NOT ERRORLEVEL 1 goto x64-based

 

echo ######### windows 32bit check ##########

cd "%windir%\system32"

takeown.exe /f atmfd.dll

IF ERRORLEVEL 1 goto no-atmfd-in-system32-at-32bit

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F) 

rename atmfd.dll x-atmfd.dll

SET RESULT="Changed-atmfd.dll-in-32bit-system"

:no-atmfd-in-system32-at-32bit

SET RESULT="Not-exist-atmfd.dll-in-32bit-system"

goto end-change-atmfd

 

:x64-based

echo ######### windows 64bit check ##########

 

cd "%windir%\system32"

takeown.exe /f atmfd.dll

IF ERRORLEVEL 1 goto no-atmfd-in-system32-at-64bit 

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F) 

rename atmfd.dll x-atmfd.dll

SET RESULT="Changed-atmfd.dll-in-64bit-system"

:no-atmfd-in-system32-at-64bit

SET RESULT="Not-exist-atmfd.dll-in-64bit-system"

 

cd "%windir%\syswow64"

takeown.exe /f atmfd.dll

IF ERRORLEVEL 1 goto no-atmfd-in-syswow64-at-64bit

icacls.exe atmfd.dll /save atmfd.dll.acl

icacls.exe atmfd.dll /grant Administrators:(F) 

rename atmfd.dll x-atmfd.dll

SET RESULT="Changed-atmfd.dll-in-64bit-system"

:no-atmfd-in-syswow64-at-64bit

SET RESULT="Not-exist-atmfd.dll-in-64bit-system"

 

:end-change-atmfd

echo %RESULT%

 

echo ### 2. Disable WebClient Service ###

net stop WebClient

sc config WebClient start=disabled

 

echo ### 3. Disable icon preview option and Remove check-box field in folder option ###

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableThumbnails /t REG_DWORD /d 1 /f

REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableThumbnails /t REG_DWORD /d 1 /f

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v IconsOnly /t REG_DWORD /d 1 /f

echo ### Finished ADV200006 Incident response Script ###

 

PAUSE

::EXIT

 

:: [References]

::  https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006

:: https://portal.msrc.microsoft.com/ko-kr/security-guidance/advisory/adv200006

:: https://docs.microsoft.com/ko-kr/security-updates/securitybulletins/2015/ms15-077

:: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-077

:: https://blog.alyac.co.kr/381

:: https://blog.alyac.co.kr/2855

:: https://jxo21.tistory.com/14

:: https://www.maketecheasier.com/disable-image-preview-thumbnail-windows/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

#!/bin/bash
if [ $# -eq 0 ]
then
echo $'Usage:\n\tscan_vul_smb_v3.11.sh TARGET_IP_or_CIDR'
exit 1
fi
echo "Checking if there's SMB v3.11 in" $1 "..."
nmap -p445 --script smb-protocols -Pn -n $1 | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11' | tr '\n' ' ' | replace 'Nmap scan report for' '@' | tr "@" "\n" | grep 3.11 | tr '|' ' ' | tr '_' ' ' | grep -oP '\d+\.\d+\.\d+\.\d+'
if [[ $? != 0 ]]; then
echo "There's no SMB v3.11"
fi
####
# Credit: nikallass
####