From 1274f2109794c2782a8862a39d4d31bd3b4e3702 Mon Sep 17 00:00:00 2001 From: carlospolop Date: Fri, 30 Sep 2022 19:47:38 +0200 Subject: [PATCH] debug regex searches --- winPEAS/README.md | 2 +- winPEAS/winPEASexe/README.md | 3 +- winPEAS/winPEASexe/winPEAS/Checks/Checks.cs | 21 ++++++-- .../winPEASexe/winPEAS/Checks/FileAnalysis.cs | 50 +++++++++++++++--- .../winPEASexe/winPEAS/Helpers/Beaprint.cs | 52 ++++++++++--------- .../winPEAS/Helpers/Search/SearchHelper.cs | 6 +-- .../winPEASexe/winPEAS/winPEAS.csproj.user | 2 +- 7 files changed, 94 insertions(+), 42 deletions(-) diff --git a/winPEAS/README.md b/winPEAS/README.md index 6635535..f46fbb8 100755 --- a/winPEAS/README.md +++ b/winPEAS/README.md @@ -22,4 +22,4 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. -By Polop(TM) +By Polop diff --git a/winPEAS/winPEASexe/README.md b/winPEAS/winPEASexe/README.md index 9f3511b..ce7327e 100755 --- a/winPEAS/winPEASexe/README.md +++ b/winPEAS/winPEASexe/README.md @@ -85,6 +85,7 @@ searchpf Search credentials via regex also in Program Files folders wait Wait for user input between checks debug Display debugging information - memory usage, method execution time log[=logfile] Log all output to file defined as logfile, or to "out.txt" if not specified +MaxRegexFileSize=1000000 Max file size (in Bytes) to search regex in. Default: 1000000B Additional checks (slower): -lolbas Run additional LOLBAS check 
@@ -285,4 +286,4 @@ If you find any issue, please report it using **[github issues](https://github.c All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. -By Polop(TM), makikvues (makikvues2[at]gmail[dot].com) +By Polop diff --git a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs index 67e4d8c..cf81d16 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs @@ -35,8 +35,9 @@ namespace winPEAS.Checks public static string PaintActiveUsersNoAdministrator = ""; public static string PaintDisabledUsers = ""; public static string PaintDisabledUsersNoAdministrator = ""; - public static bool is_long_path = false; - public static bool warning_is_long_path = false; + public static bool IsLongPath = false; + public static bool WarningIsLongPath = false; + public static int MaxRegexFileSize = 1000000; //static string paint_lockoutUsers = ""; public static string PaintAdminUsers = ""; public static YamlConfig YamlConfig; @@ -161,6 +162,16 @@ namespace winPEAS.Checks SearchProgramFiles = true; } + if (string.Equals(arg, "max-regex-file-size", StringComparison.CurrentCultureIgnoreCase)) + { + var parts = arg.Split('='); + if (parts.Length >= 2 && !string.IsNullOrEmpty(parts[1])) + { + MaxRegexFileSize = Int32.Parse(parts[1]); + } + + } + if (string.Equals(arg, "-lolbas", StringComparison.CurrentCultureIgnoreCase)) { IsLolbas = true; 
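Review bot: The new `max-regex-file-size` branch in the argument loop can never set the value. `string.Equals(arg, "max-regex-file-size", ...)` matches only the bare option, where `arg.Split('=')` yields a single part, and `max-regex-file-size=5000` fails the equality test. Match the prefix instead, `if (arg.StartsWith("max-regex-file-size=", StringComparison.OrdinalIgnoreCase))`, and replace `Int32.Parse(parts[1])` with `int.TryParse(parts[1], out var size) && size > 0`. That keeps a malformed value from throwing and a zero or negative one from excluding every file through the `f.Size < Checks.MaxRegexFileSize` filter. The README hunk in this commit documents the option as `MaxRegexFileSize=1000000` while the usage text prints `max-regex-file-size=1000000`; the two should agree. The enclosing method starts and ends outside the hunk.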
@@ -414,11 +425,11 @@ namespace winPEAS.Checks { if (RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\FileSystem", "LongPathsEnabled") != "1") { - System.Console.WriteLine(@"Long paths are disabled, so the maximum length of a path supported is 260chars(this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD"); - is_long_path = false; + System.Console.WriteLine(@"Long paths are disabled, so the maximum length of a path supported is 260chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD"); + IsLongPath = false; } else - is_long_path = true; + IsLongPath = true; } catch (Exception ex) { diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs b/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs index 4418797..7fd41b5 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs @@ -1,5 +1,6 @@ using System; using System.Collections.Generic; +using System.Diagnostics; using System.IO; using System.Linq; using System.Text.RegularExpressions; @@ -70,6 +71,9 @@ namespace winPEAS.Checks private static bool[] Search(List files, string fileName, FileSettings fileSettings, ref int resultsCount, string searchName, bool somethingFound) { + if (Checks.IsDebug) + Beaprint.PrintDebugLine($"Searching for {fileName}"); + bool isRegexSearch = fileName.Contains("*"); bool isFolder = fileSettings.files != null; string pattern = string.Empty; @@ -139,6 +143,7 @@ namespace winPEAS.Checks } } + return new bool[] { false, somethingFound }; } 
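Review bot: The warning printed when `LongPathsEnabled` is not `1` still tells the user to run `REG ADD ... /v VirtualTerminalLevel`, which is not the value this check reads. The hunk edits that string (it adds a space) but keeps the wrong value name. The advice should name the value being tested, `/v LongPathsEnabled /t REG_DWORD /d 1`. As written, following it leaves `IsLongPath` false, so the file search keeps skipping paths over 260 characters. The enclosing try block starts outside the hunk.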
@@ -232,7 +237,7 @@ namespace winPEAS.Checks ".txt", ".text", ".md", ".markdown", ".toml", ".rtf", // config - ".conf", ".config", ".json", ".yml", ".yaml", ".xml", ".xaml", + ".cnf", ".conf", ".config", ".json", ".yml", ".yaml", ".xml", ".xaml", // dev ".py", ".js", ".html", ".c", ".cpp", ".pl", ".rb", ".smali", ".java", ".php", ".bat", ".ps1", @@ -246,11 +251,30 @@ namespace winPEAS.Checks "eula.rtf", "changelog.md" }; - // No dirs, less thatn 1MB, only interesting extensions and not false positives files. - var files = InitializeFileSearch(Checks.SearchProgramFiles).Where(f => !f.IsDirectory && valid_extensions.Contains(f.Extension.ToLower()) && !invalid_names.Contains(f.Filename.ToLower()) && f.Size > 0 && f.Size < 1000000).ToList(); + if (Checks.IsDebug) + Beaprint.PrintDebugLine("Looking for secrets inside files via regexes"); + + // No dirs, less than 1MB, only interesting extensions and not false positives files. + var files = InitializeFileSearch(Checks.SearchProgramFiles).Where(f => !f.IsDirectory && valid_extensions.Contains(f.Extension.ToLower()) && !invalid_names.Contains(f.Filename.ToLower()) && f.Size > 0 && f.Size < Checks.MaxRegexFileSize).ToList(); var config = Checks.RegexesYamlConfig; // Get yaml info Dictionary>>> foundRegexes = new Dictionary>>> { }; + if (Checks.IsDebug) + { + Beaprint.PrintDebugLine($"Searching regexes in {files.Count} files"); + valid_extensions.ForEach(ext => + { + int cont = 0; + files.ForEach(f => + { + if (f.Extension.ToLower() == ext.ToLower()) + cont++; + }); + Beaprint.PrintDebugLine($"Found {cont} files with ext {ext}"); + }); + + } + /* * Useful for debbugging purposes to see the common file extensions found Dictionary dict_str = new Dictionary(); @@ -283,8 +307,7 @@ namespace winPEAS.Checks Parallel.ForEach(files, new ParallelOptions { MaxDegreeOfParallelism = num_threads }, f => { - //foreach (var f in files) - //{ + foreach (var regex_obj in config.regular_expresions) { foreach (var regex in regex_obj.regexes) 
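Review bot: The comment above the `files` query still says "less than 1MB", but the limit is now `Checks.MaxRegexFileSize`. Reword it to `// No dirs, smaller than Checks.MaxRegexFileSize bytes, only interesting extensions and no known false-positive files.` In the debug block, the nested `files.ForEach` counter walks the whole list once per extension and lower-cases with the current culture. `int cont = files.Count(f => string.Equals(f.Extension, ext, StringComparison.OrdinalIgnoreCase));` does the same in one line with an ordinal comparison. The enclosing method starts and ends outside the hunk.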
@@ -296,6 +319,13 @@ namespace winPEAS.Checks List results = new List { }; + var timer = new Stopwatch(); + if (Checks.IsDebug) + { + timer.Start(); + } + + try { string text = System.IO.File.ReadAllText(f.FullPath); @@ -313,12 +343,20 @@ namespace winPEAS.Checks { // Cannot read the file } + + if (Checks.IsDebug) + { + timer.Stop(); + + TimeSpan timeTaken = timer.Elapsed; + if (timeTaken.TotalMilliseconds > 1000) + Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}s in {f.FullPath}"); + } } } pb += (double)100 / files.Count; progress.Report(pb / 100); //Value must be in [0..1] range }); - //} }, Checks.IsDebug); } diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs index cd35496..105dc22 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs 
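Review bot: The debug message in the timing block prints `timeTaken.TotalMilliseconds` followed by `s`, so a 1500 ms match is reported as "1500s"; use `{timeTaken.TotalMilliseconds}ms` or `{timeTaken.TotalSeconds}s`. The timer started in the previous hunk also wraps `File.ReadAllText`, so the figure is read time plus match time, yet the message attributes it to the regex alone. The matching call itself is outside these hunks. If it runs without a `matchTimeout`, a pattern that backtracks heavily on one file is only reported after it finishes and is not bounded.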
@@ -122,29 +122,31 @@ namespace winPEAS.Helpers public static void PrintUsage() { Console.WriteLine(YELLOW + " [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR); - Console.WriteLine(LBLUE + " domain" + GRAY + " Enumerate domain information" + NOCOLOR); - Console.WriteLine(LBLUE + " systeminfo" + GRAY + " Search system information" + NOCOLOR); - Console.WriteLine(LBLUE + " userinfo" + GRAY + " Search user information" + NOCOLOR); - Console.WriteLine(LBLUE + " processinfo" + GRAY + " Search processes information" + NOCOLOR); - Console.WriteLine(LBLUE + " servicesinfo" + GRAY + " Search services information" + NOCOLOR); - Console.WriteLine(LBLUE + " applicationsinfo" + GRAY + " Search installed applications information" + NOCOLOR); - Console.WriteLine(LBLUE + " networkinfo" + GRAY + " Search network information" + NOCOLOR); - Console.WriteLine(LBLUE + " windowscreds" + GRAY + " Search windows credentials" + NOCOLOR); - Console.WriteLine(LBLUE + " browserinfo" + GRAY + " Search browser information" + NOCOLOR); - Console.WriteLine(LBLUE + " filesinfo" + GRAY + " Search generic files that can contains credentials" + NOCOLOR); - Console.WriteLine(LBLUE + " fileanalysis" + GRAY + " Search specific files that can contains credentials and for regexes inside files" + NOCOLOR); - Console.WriteLine(LBLUE + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR); + Console.WriteLine(LCYAN + " domain" + GRAY + " Enumerate domain information" + NOCOLOR); + Console.WriteLine(LCYAN + " systeminfo" + GRAY + " Search system information" + NOCOLOR); + Console.WriteLine(LCYAN + " userinfo" + GRAY + " Search user information" + NOCOLOR); + Console.WriteLine(LCYAN + " processinfo" + GRAY + " Search processes information" + NOCOLOR); + Console.WriteLine(LCYAN + " servicesinfo" + GRAY + " Search services information" + NOCOLOR); + Console.WriteLine(LCYAN + " applicationsinfo" + GRAY + " Search installed 
applications information" + NOCOLOR); + Console.WriteLine(LCYAN + " networkinfo" + GRAY + " Search network information" + NOCOLOR); + Console.WriteLine(LCYAN + " windowscreds" + GRAY + " Search windows credentials" + NOCOLOR); + Console.WriteLine(LCYAN + " browserinfo" + GRAY + " Search browser information" + NOCOLOR); + Console.WriteLine(LCYAN + " filesinfo" + GRAY + " Search generic files that can contains credentials" + NOCOLOR); + Console.WriteLine(LCYAN + " fileanalysis" + GRAY + " Search specific files that can contains credentials and for regexes inside files" + NOCOLOR); + Console.WriteLine(LCYAN + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR); Console.WriteLine(); - Console.WriteLine(LBLUE + " quiet" + GRAY + " Do not print banner" + NOCOLOR); - Console.WriteLine(LBLUE + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR); - Console.WriteLine(LBLUE + " searchpf" + GRAY + " Search credentials via regex also in Program Files folders" + NOCOLOR); - Console.WriteLine(LBLUE + " wait" + GRAY + " Wait for user input between checks" + NOCOLOR); - Console.WriteLine(LBLUE + " debug" + GRAY + " Display debugging information - memory usage, method execution time" + NOCOLOR); - Console.WriteLine(LBLUE + " log[=logfile]" + GRAY + $" Log all output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR); + Console.WriteLine(LCYAN + " quiet" + GRAY + " Do not print banner" + NOCOLOR); + Console.WriteLine(LCYAN + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR); + Console.WriteLine(LCYAN + " searchpf" + GRAY + " Search credentials via regex also in Program Files folders" + NOCOLOR); + Console.WriteLine(LCYAN + " wait" + GRAY + " Wait for user input between checks" + NOCOLOR); + Console.WriteLine(LCYAN + " debug" + GRAY + " Display debugging information - memory usage, method execution time" + NOCOLOR); + Console.WriteLine(LCYAN + " log[=logfile]" + GRAY + $" Log all 
output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR); + Console.WriteLine(LCYAN + " max-regex-file-size=1000000" + GRAY + $" Max file size (in Bytes) to search regex in. Default: {Checks.Checks.MaxRegexFileSize}B" + NOCOLOR); + Console.WriteLine(); - Console.WriteLine(LCYAN + " Additional checks (slower):"); - Console.WriteLine(LBLUE + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR); - Console.WriteLine(LBLUE + " -linpeas=[url]" + GRAY + $" Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" + + Console.WriteLine(GREEN + " Additional checks (slower):"); + Console.WriteLine(LCYAN + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR); + Console.WriteLine(LCYAN + " -linpeas=[url]" + GRAY + $" Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" + $" (default: {Checks.Checks.LinpeasUrl})" + NOCOLOR); } @@ -215,16 +217,16 @@ namespace winPEAS.Helpers public static void LongPathWarning(string path) { - if (!Checks.Checks.warning_is_long_path) + if (!Checks.Checks.WarningIsLongPath) { - GrayPrint($"The path {path} is too large, try to enable LongPathsin th registry (no more warning about this will be shown)"); - Checks.Checks.warning_is_long_path = true; + GrayPrint($"The path {path} is too large, try to enable LongPaths in the registry (no more warning about this will be shown)"); + Checks.Checks.WarningIsLongPath = true; } } internal static void PrintDebugLine(string log) { - Console.WriteLine(YELLOW + " [Debug] " + log + NOCOLOR); + Console.WriteLine(DGRAY + " [Debug] " + log + NOCOLOR); Console.WriteLine(); } diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs index d4415cf..3e1c52d 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs 
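Review bot: In the new `max-regex-file-size` usage line, the text after "Default:" interpolates `Checks.Checks.MaxRegexFileSize`, the mutable field that argument parsing is meant to overwrite. If `PrintUsage` runs after parsing (the call order is not visible here), the help would present a user-supplied value as the default, next to the hard-coded `=1000000` example. A constant such as `public const int DefaultMaxRegexFileSize = 1000000;`, used for the field initializer and for this line, keeps the two consistent. PrintUsage's body is fully inside the hunk.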
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs @@ -76,7 +76,7 @@ namespace winPEAS.Helpers.Search if (!StaticExtensions.Contains(f.Extension.ToLower())) { // It should always be lesss than 260, but some times it isn't so this will bypass that file - if (Checks.Checks.is_long_path || f.FullName.Length <= 260) + if (Checks.Checks.IsLongPath || f.FullName.Length <= 260) { CustomFileInfo file_info = new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false); files.Add(file_info); @@ -171,7 +171,7 @@ namespace winPEAS.Helpers.Search { foreach (var directory in directories) { - if (Checks.Checks.is_long_path || directory.FullName.Length <= 260) + if (Checks.Checks.IsLongPath || directory.FullName.Length <= 260) files.Add(new CustomFileInfo(directory.Name, null, directory.FullName, 0, true)); else if (directory.FullName.Length > 260) @@ -183,7 +183,7 @@ namespace winPEAS.Helpers.Search { if (!StaticExtensions.Contains(f.Extension.ToLower())) { - if (Checks.Checks.is_long_path || f.FullName.Length <= 260) + if (Checks.Checks.IsLongPath || f.FullName.Length <= 260) files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false)); else if (f.FullName.Length > 260) diff --git a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user index 7c81c6a..0ca5182 100755 --- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user +++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user @@ -5,7 +5,7 @@ - fileanalysis + fileanalysis debug debug