drop

Gumdrop.exe was created to quickly gather useful information about a Windows host. This tool can be leveraged offensively or defensively during a cyber competition to learn more about the host.

You invoke gumdrop.exe with -w <fileName>, and it will create a text file containing information about the host.

The tool is basically running various OS commands to gather information about the host. The code snippet below uses the Python module _winreg to query the Windows registry key HKLM\...\CurrentVersion\Run. This is a very common AutoStart Extensibility Point (ASEP): every value stored under it is executed when a user logs on to the OS. The output of the query is written to a file object that was created in the main() function:

The next snippet of code contains many of the OS commands that are executed.  The tool executes:

  • “ipconfig /all”
  • “dir /b %TEMP%”
  • “arp -a”
  • “netstat -ano | findstr ESTABLISHED”
  • “netstat -ano | findstr LISTENING”
  • “tasklist”
  • “set”

The Python subprocess module is used to store each command's output in a variable, which is then written to the report file object. With the subprocess module you put the command into an array, so “ipconfig /all” becomes [“ipconfig”, “/all”]. Then we set the output to PIPE so it can be stored in a variable. Executing a command with os.system(“<command>”) would send STDOUT to the console (opening a terminal window if the tool has none), which doesn’t work for our report. We could have solved this problem by using os.system(“command >> reportName.txt”), but using the subprocess module is a more Pythonic solution. You can take a look at the code below and follow the same logic to append additional commands for your own usage:
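The following is an added example written for this post, not Gumdrop's own source, showing the two techniques described above together: enumerating the Run ASEP with the registry module (named winreg in Python 3, _winreg in Python 2) and capturing command output through subprocess so it can be written to a report file. It assumes the full key path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the function names collect_sections and write_report are my own. Two caveats the list of commands hides are handled here: `dir` and `set` are cmd.exe built-ins rather than executables, so they have to be run through `cmd /c`, and the `| findstr` pipelines are replaced by filtering the netstat output in Python, which keeps shell=True out of the picture.

```python
"""Host-survey reporter in the style the post describes (illustrative code,
not the Gumdrop tool's own source). Assumes Python 3; the Windows-only parts
degrade gracefully elsewhere so the module can be imported and tested anywhere.
"""
import os
import subprocess
import sys
from typing import List, Optional, Tuple

# Assumed full path of the ASEP the post refers to as HKLM\...\CurrentVersion\Run.
RUN_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def enumerate_run_key(path: str = RUN_KEY_PATH) -> List[Tuple[str, str]]:
    """Return (value_name, command) pairs stored under HKLM\\<path>.

    On a non-Windows host the winreg module does not exist, so an empty list
    is returned instead of aborting the whole report.
    """
    try:
        import winreg  # Python 3 name of the _winreg module used in the post
    except ImportError:
        return []
    entries: List[Tuple[str, str]] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, value, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values to read
                break
            entries.append((name, str(value)))
            index += 1
    return entries


def run_and_capture(argv: List[str]) -> str:
    """Run argv without a shell and return its output as text.

    subprocess.run(capture_output=True) is the modern spelling of the
    Popen(..., stdout=PIPE) pattern from the post. stderr is captured as well
    so a failing command still leaves a trace in the report.
    """
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout + result.stderr


def filter_lines(text: str, needle: str) -> List[str]:
    """Keep only the lines containing needle, i.e. what '| findstr needle' did."""
    return [line for line in text.splitlines() if needle in line]


# (section title, argv, optional substring filter). Constructed to mirror the
# post's command list; built-ins go through cmd /c, pipes become filters.
SURVEY_COMMANDS: List[Tuple[str, List[str], Optional[str]]] = [
    ("ipconfig /all", ["ipconfig", "/all"], None),
    ("dir /b %TEMP%", ["cmd", "/c", "dir", "/b", os.environ.get("TEMP", ".")], None),
    ("arp -a", ["arp", "-a"], None),
    ("netstat -ano (ESTABLISHED)", ["netstat", "-ano"], "ESTABLISHED"),
    ("netstat -ano (LISTENING)", ["netstat", "-ano"], "LISTENING"),
    ("tasklist", ["tasklist"], None),
    ("set", ["cmd", "/c", "set"], None),
]


def collect_sections(commands) -> List[Tuple[str, str]]:
    """Run each survey command and return (title, body) pairs for the report."""
    sections = []
    for title, argv, needle in commands:
        body = run_and_capture(argv)
        if needle is not None:
            body = "\n".join(filter_lines(body, needle))
        sections.append((title, body))
    return sections


def write_report(path: str, sections: List[Tuple[str, str]]) -> int:
    """Write the sections to path in a simple text layout; returns bytes written."""
    written = 0
    with open(path, "w", encoding="utf-8") as report:
        for title, body in sections:
            chunk = f"===== {title} =====\n{body.rstrip()}\n\n"
            written += report.write(chunk)
    return written


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "gumdrop_report.txt"
    asep = "\n".join(f"{name} = {cmd}" for name, cmd in enumerate_run_key())
    report_sections = [("HKLM Run key", asep or "(unavailable on this platform)")]
    report_sections += collect_sections(SURVEY_COMMANDS)
    print(f"wrote {write_report(out, report_sections)} characters to {out}")
```

On the defensive side the interesting section is the Run key: comparing its entries against a known-good baseline of the host is the quickest way to spot a persistence mechanism planted during a competition, and the netstat filters give you the listening ports and established connections to go with it.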