Detects named pipes and installed services remotely as an unprivileged user. Heavily based on tothi/servicedetector.
a) With pipx.
pipx install git+https://github.com/dadevel/servicedetector.git@main
b) With pip.
pip3 install git+https://github.com/dadevel/servicedetector.git@main
Scan computers for WebClient and other NTLM coercion opportunities.
servicedetector -c coercion -u jdoe -p 'passw0rd' ws01.corp.local ws02.corp.local ws03.corp.local
Scan computers for installed AV/EDR products.
servicedetector -c epp -u jdoe -p 'passw0rd' srv01.corp.local srv02.corp.local srv03.corp.local
You can check for all known software by leaving out the -c option.
Running this script connects to the target over SMB and ...
- performs the LsarLookupNames() RPC call to check whether a given service is installed. This does not reveal whether the service is running or stopped, and it cannot enumerate services: only the names of known services can be queried.
- lists named pipes through the IPC$ share. This allows inferring which services are running, as long as the respective process creates a named pipe.
- prints additional info about the target, like NetExec does.
Service names and named pipe paths are defined in indicators.csv.
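How the two signals (name lookup vs. pipe listing) combine into a verdict, as an added illustration rather than the project's own code. It assumes, as I understand the upstream tool's approach, that the names handed to LsarLookupNames are the NT SERVICE\<name> virtual accounts, whose SIDs Windows derives deterministically; the indicator rows, column layout and scan results are constructed.

```python
import hashlib
import struct

def service_account_sid(service_name: str) -> str:
    """SID of the NT SERVICE\\<name> virtual account (what `sc.exe showsid` prints).

    Windows derives it deterministically: S-1-5-80 followed by the five 32-bit
    words of SHA-1(UTF-16LE(upper-cased name)), each read as little-endian.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(w) for w in struct.unpack("<5I", digest))

# Constructed indicator rows standing in for indicators.csv (column layout assumed):
# (service name, named pipe its process creates or None, category as used by -c)
INDICATORS = [
    ("WebClient", None, "coercion"),
    ("ExampleEDR", "example-edr-ctl", "epp"),      # hypothetical product
    ("OtherAV", "otherav-scan", "epp"),            # hypothetical product
]

# Constructed scan results for one host (not a real target).
SAMPLE_LOOKUP = {                                  # LsarLookupNames("NT SERVICE\\<name>")
    "WebClient": service_account_sid("WebClient"), # resolved: installed
    "ExampleEDR": service_account_sid("ExampleEDR"),
    "OtherAV": None,                               # unresolved: not installed
}
SAMPLE_PIPES = {"srvsvc", "lsass", "example-edr-ctl"}  # names listed on IPC$

def classify(indicators, lookup_results, pipes, category=None):
    """Combine the two signals the README describes into a per-service state.

    A resolved name proves installation but says nothing about whether the
    service is running; a matching named pipe proves the process is running
    right now. `category` mirrors the -c option (None checks every row).
    """
    states = {}
    for service, pipe, cat in indicators:
        if category is not None and cat != category:
            continue
        if pipe is not None and pipe in pipes:
            states[service] = "running"
        elif lookup_results.get(service) is not None:
            states[service] = "installed (running or stopped)"
        else:
            states[service] = "not detected"
    return states

if __name__ == "__main__":
    for svc, state in classify(INDICATORS, SAMPLE_LOOKUP, SAMPLE_PIPES).items():
        print(f"{svc:12} {state}")
```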