Published 2024-01-24 (author:)

[Original] CLMI: a batch file that collects local machine information

Posted by 我非我 on 2005-08-21 20:10 [OP]

Author: wofeiwo [F.S.T] [S.4.T]

Source: Evil Octal Security Team ()

CLMI (Collect Local Machine Information) Ver 0.1

Normally, once you have successfully penetrated a host, the first thing to do, apart from editing the logs and planting a backdoor, is to collect the host's system information. That is usually a tedious, mechanical process, so I wrote a batch file for it that uses the common tools to collect the local machine's information. Here I have bundled it with WinRAR into a self-extracting exe. You can upload it to the target host and run it from cmd, or simply double-click it. It pops up a cmd window and extracts into a CLMI directory under the current directory. When it finishes (it takes a little while), it generates a ... in the CLMI directory. That is where you will find the results you want.

btw: I did not make the bat delete the programs after they have been used. Maybe there is something in there you want to use too, e.g. findpass :)

Please turn off your anti-virus software's file scanning protection when you use it; it may interfere.

File download

MD5: 8b66530d405261bdf4ad926c9908fd67

Below are the results I got from running it on one of my overseas zombie hosts (肉鸡):

Quote:

-------------------------------------------------------------------------------
Collect Local Machine Informationer Ver 0.1 2005.8.18
Start working at Thu 08/18/2005 22:19:
The following lines are the information
Script created by wofeiwo
-------------------------------------------------------------------------------

sysinfo report

Sysinfo Displayer V1.7 By Meteor (Slackbot)
Computer Name:         xxx
User Name:             xxx
Registered Organization: Friends Marketing Limited
Registered Owner:      Friends Marketing Limited
Source Path:           E:\I386
Cpu:                   Intel(R) Pentium(R) 4 CPU 3.00GHz
Ram:                   1006MB Total, 489MB Free
Os:                    2003 Server (Build 3790)
Uptime:                5 Day 17 Hour 11 Minute
System Directory:      C:\WINDOWS\system32
Number of Processors:  2
Current Display Mode:  1024x768 (16Bit) (42Hz)
Disk Information:
  Drive A: (REMOVABLE)
  Drive C: (FIXED)  Total Space: 20481M  --> 20.0G   Free Space: 15424M  --> 15.1G
  Drive D: (FIXED)  Total Space: 93981M  --> 91.8G   Free Space: 45876M  --> 44.8G
  Drive F: (FIXED)  Total Space: 114463M --> 111.8G  Free Space: 113919M --> 111.2G
NIC Informaton:
  #1 Interface Name:   Intel(R) PRO/100 VE Network Connection
     Mac Address:      00:0C:F1:B8:E1:AF
     GateWay Address:
     IP Address:
     SubNet Mask:
     DHCP Enabled:     No
     Primary Wins Server: N/A
     Dhcp Server:      N/A
-------------------------------------------------------------------------------

language report

Language Viewer V1.0 By WinEggDrop
The Default Language: English (United States)
-------------------------------------------------------------------------------

whoami report

xxx\wofeiwo
-------------------------------------------------------------------------------

User accounts for \\xxx

-------------------------------------------------------------------------------
uhh                      un-nun                   varietymagic
vector                   videoqq                  visualart
wailok                   wakhk                    wallmark
warehouse                wimkchannel              winglee-pool
winningrepublic          winnyefanho              wkpeople
wochetex                 workeat                  workmart
workout                  xemaxcorp                yanyuen
yogurtsky                zeroz
The command completed successfully.

Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
wofeiwo
The command completed successfully.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
-------------------------------------------------------------------------------

findpass report

To Find Password in the Winlogon process
Usage: findpass DomainName UserName PID-of-WinLogon
The debug privilege has been added to PasswordReminder.
.
PasswordReminder is unable to find the password in memory.
-------------------------------------------------------------------------------

query user report

 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>wofeiwo               rdp-tcp#5           1  Active          .  8/18/2005 10:18 PM
-------------------------------------------------------------------------------

query autorun report

AutoRun Viewer V1.0 By WinEggDrop
Registry:
-------------------------------------------------------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  C:,
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Scripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Scripts
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  PostBootReminder --> %SystemRoot%
  CDBurn           --> %SystemRoot%
  WebCheck         --> %SystemRoot%
  SysTray          --> C:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Command Processor\AutoRun
HKLM\SOFTWARE\Microsoft\Command Processor\Load
-------------------------------------------------------------------------------
None-Registry:
-------------------------------------------------------------------------------
C:\Documents and Settings\TsInternetUser\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

checksniff report

Anti-Sniffer V1.0 By WinEggDrop
About To Check 1 NIC
Checking On NIC #0 ->
No Sniffer Is Running On NIC #0 ->
Check Sniffer Completed
-------------------------------------------------------------------------------

net share report

Share name   Resource                        Remark

-------------------------------------------------------------------------------
D$           D:\                             Default share
F$           F:\                             Default share
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC
The command completed successfully.
-------------------------------------------------------------------------------

net start report

These Windows services are started:

   Apache
   Automatic Updates
   COM+ Event System
   Computer Browser
   Cryptographic Services
   DHCP Client
   Distributed File System
   Distributed Link Tracking Client
   Distributed Transaction Coordinator
   DNS Client
   Error Reporting Service
   Event Log
   FTP Publishing Service
   Help and Support
   HTTP SSL
   IIS Admin Service
   IPSEC Services
   Logical Disk Manager
   Merak Mail Server Control
   Network Connections
   Network Location Awareness (NLA)
   Plug and Play
   Protected Storage
   Remote Access Connection Manager
   Remote Procedure Call (RPC)
   Remote Server Manager
   Routing and Remote Access
   Secondary Logon
   Security Accounts Manager
   Server
   Shell Hardware Detection
   System Event Notification
   Task Scheduler
   TCP/IP NetBIOS Helper
   Telephony
   Terminal Services
   Web Element Manager
   Windows Management Instrumentation
   Windows Time
   WinHTTP Web Proxy Auto-Discovery Service
   Workstation
   World Wide Web Publishing Service

The command completed successfully.
-------------------------------------------------------------------------------

mport report

TCP/IP Process To Port Mapper V1.3 For NT/2K/XP/2003 By Meteor (Slackbot)
The System Is Server 2003
-------------------------------------------------------------------------------
Pid      Port    Proto  Path
1376-->  21      TCP    C:
3172-->  80      TCP    C:
2788-->  80      TCP    C:
736 -->  135     TCP    C:
4   -->  139     TCP
4   -->  445     TCP
556 -->  1025    TCP    C:
1008-->  1026    TCP    C:
1376-->  1027    TCP    C:
4   -->  1723    TCP
1376-->  1724    TCP    C:
784 -->  3389    TCP    C:
1824-->  4096    TCP    C:
1824-->  7810    TCP    C:
1448-->  32000   TCP    D:
1448-->  32001   TCP    D:
1448-->  123     UDP    D:
4   -->  123     UDP
1448-->  137     UDP    D:
1376-->  138     UDP    C:
1376-->  445     UDP    C:
2788-->  500     UDP    C:
784 -->  1030    UDP    C:
1824-->  1031    UDP    C:
736 -->  1034    UDP    C:
4   -->  1048    UDP
556 -->  1701    UDP    C:
1008-->  3456    UDP    C:
1376-->  4500    UDP    C:
-------------------------------------------------------------------------------
Port Mapper Completed
-------------------------------------------------------------------------------

gpresult report

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/18/2005 at 10:19:59 PM

RSOP data for xxx\wofeiwo on xxx : Logging Mode
-----------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Web Edition
OS Configuration:            Standalone Server
OS Version:                  5.2.3790
Terminal Server Mode:        Remote Administration
Site Name:                   N/A
Roaming Profile:
Local Profile:               C:\Documents and Settings\wofeiwo
Connected over a slow link?: Yes

COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 8/18/2005 at 9:21:40 PM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MSHK1
    Domain Type:

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        NT AUTHORITY\Authenticated Users

USER SETTINGS
--------------
    Last time Group Policy was applied: 8/18/2005 at 10:18:24 PM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        xxx
    Domain Type:

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        None
        Everyone
        BUILTIN\Administrators
        Remote Desktop Users
        BUILTIN\Users
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        NTLM Authentication
-------------------------------------------------------------------------------
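Added example, not the original CLMI script (whose contents are not on this page) and not any of the tools it bundled: a batch file that collects the same categories as the report above using only commands built into Windows, so nothing third-party has to be uploaded and there is nothing in it for anti-virus to flag. Assumptions, stated here and in the comments: it is run from an elevated cmd session on Windows XP Professional / Server 2003 or later, and the report file name clmi_report.txt is my own choice. The built-in coverage has the same version gaps the thread discusses: systeminfo and the -o (PID) column of netstat exist on XP/2003 but not on Windows 2000, which is exactly the gap fport and mport filled; whoami is built into Server 2003 and Vista and later but on 2000/XP came from the Support Tools, which is why CLMI carried its own; gpresult /r is the Vista-and-later syntax, on XP/2003 gpresult takes no argument. There is no built-in equivalent of findpass (reading the logon password out of winlogon's memory); that stays a separate tool.

```batch
@echo off
setlocal EnableExtensions
:: Added example, not the original CLMI script: gather the same categories
:: CLMI collected, using only commands that ship with Windows XP Pro /
:: Server 2003 and later. Assumes an elevated cmd session (a standard user
:: gets less output from some commands, not an error).
:: The report file name is this example's own choice.
set "OUT=%~dp0clmi_report.txt"
> "%OUT%" echo Collect Local Machine Information (built-in commands) - %DATE% %TIME%

:: Built-in stand-ins for the tools CLMI bundled:
::   sysinfo -> systeminfo + ipconfig /all    whoami -> whoami /all
::   mport   -> netstat -ano (its PID column joins against tasklist /svc)
call :run "sysinfo"          "systeminfo"
call :run "network config"   "ipconfig /all"
call :run "whoami"           "whoami /all"
call :run "user accounts"    "net user"
call :run "local admins"     "net localgroup administrators"
call :run "password policy"  "net accounts"
call :run "logon sessions"   "query user"
call :run "shares"           "net share"
call :run "started services" "net start"
call :run "processes"        "tasklist /svc"
call :run "ports to pids"    "netstat -ano"
call :run "gpresult"         "gpresult /r"

:: The autorun locations the AutoRun Viewer report walked, via reg query.
:: Missing keys (e.g. HKCU Command Processor) just log reg's error text.
call :header "autorun registry keys"
for %%K in (
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
    "HKLM\Software\Microsoft\Command Processor"
    "HKCU\Software\Microsoft\Command Processor"
) do (
    >>"%OUT%" echo [%%~K]
    reg query %%K >>"%OUT%" 2>&1
)

:: Startup folders: the XP/2003 layout first, then the Vista+ layout.
:: On XP %ProgramData% is undefined and those two paths simply do not exist.
call :header "startup folders"
for %%D in (
    "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
    "%USERPROFILE%\Start Menu\Programs\Startup"
    "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
    "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
) do if exist %%D (
    >>"%OUT%" echo [%%~D]
    dir /b %%D >>"%OUT%" 2>&1
)

echo Done. Report written to "%OUT%"
endlocal
goto :eof

:: :run <title> <command line> -- run one command, append stdout and stderr
:run
call :header "%~1 report"
%~2 >>"%OUT%" 2>&1
exit /b

:: :header <text> -- section banner in the same style as the CLMI report
:header
>>"%OUT%" echo.
>>"%OUT%" echo -------------------------------------------------------------------------------
>>"%OUT%" echo %~1
>>"%OUT%" echo -------------------------------------------------------------------------------
exit /b
```

Two things worth reading out of the output. From the net accounts section: the report above shows Lockout threshold: Never and Minimum password length: 0, which is what tells you online password guessing against this host will not trip a lockout. From the defender's side: this exact burst (systeminfo, whoami /all, net user, net localgroup administrators, net accounts, query user, net share, net start, tasklist, netstat -ano, reg query of the Run keys) launched within seconds from one parent cmd.exe is the textbook post-compromise discovery pattern, and it is straightforward to alert on with command-line process-creation logging (Security event 4688 with command-line auditing enabled, or Sysmon event 1).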

d0t, posted 2005-08-22 19:53 [#1]

Similar to CoolICE's code at /coolice/,

except that the OP mostly relies on existing programs, which makes it more portable than CoolICE's; after all, a batch file gives different results on different systems.

我非我, posted 2005-08-22 21:10 [#2]

Quote:

Quoting n3tl04d, posted 2005-08-22 19:42:

Show us the source code!

Just extract the original file and open it in Notepad. There is nothing interesting in there; it just runs the programs.

Also, replying to the post above: for part of the information I did borrow CoolICE's code too.

I have to admit CoolICE really is good. Kudos.

vikxeo, posted 2005-08-23 13:23 [#3]

This is a system-information checker built from a batch file plus WinRAR; it uses fport 2.0 for process-to-port mapping. When run it extracts itself into the %windir%\temp directory and deletes the extracted files when it finishes. Tested on Windows 2000 Server.

Features:

1. Display the system version: ver
2. Display the running processes
3. Display the autostart entries in the registry
4. Display the current network connections
5. Display the contents of the ... file
6. Display the contents of the ... file
7. Display system service information

Download: /tools/200410/

千寂孤城, posted 2005-08-23 14:06 [#4]

You can also get quite a lot of information directly with the built-in systeminfo command.

nop, posted 2005-08-23 14:36 [#5]

Quote:

Quoting 千寂孤城, posted 2005-08-23 14:06:

You can also get quite a lot of information directly with the built-in systeminfo command.

Pity it can only be used on Windows XP Pro and Windows 2003.

我非我, posted 2005-08-23 19:54 [#6]

Quote:

Quoting vikxeo, posted 2005-08-23 13:23:

This is a system-information checker built from a batch file plus WinRAR; it uses fport 2.0 for process-to-port mapping. When run it extracts itself into the %windir%\temp directory and deletes the extracted files when it finishes. Tested on Windows 2000 Server.

Features:

1. Display the system version: ver

.......

First of all, because it uses fport it cannot be used on 2003, which is why I used the somewhat better mport.

Second, I personally don't think items 5 and 6 (display the contents of the file) are much use. If the goal is only to determine the system version, sysinfo is enough.

Third, my batch file probably collects somewhat more complete information; it uses everything I could think of. Of course it certainly has gaps too. Everyone can modify it and add features to suit their own needs; it is easy enough anyway.

vikxeo, posted 2005-08-25 22:34 [#7]

Quote:

Quoting 我非我, posted 2005-08-23 19:54:

First of all, because it uses fport it cannot be used on 2003, which is why I used the somewhat better mport.

The OP is quite right! Haha, I think converting it into an exe file would be even better!

vikxeo, posted 2005-08-26 00:15 [#8]

Quote:

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\batfile]

[-HKEY_CLASSES_ROOT\cmdfile]

With this, batch commands are dead!

我非我, posted 2005-08-26 09:50 [#9]

Quote:

Quoting vikxeo, posted 2005-08-25 22:34:

The OP is quite right! Haha, I think converting it into an exe file would be even better!

Pity bat2exe is not very reliable; it often errors out. The one I converted did not run successfully.

(c) Copyleft 2003-2007, Evil Octal Security Team.
