- fixed wlan enumeration - if wlanapi.dll is unsupported, try to use netsh
- added support to log to file - updated check for modifiable services - updated documentation
This commit is contained in:
parent
aa8091e504
commit
1eb12a5852
@ -81,7 +81,7 @@ filesinfo Search files that can contains credentials
|
|||||||
eventsinfo Display interesting events information
|
eventsinfo Display interesting events information
|
||||||
wait Wait for user input between checks
|
wait Wait for user input between checks
|
||||||
debug Display debugging information - memory usage, method execution time
|
debug Display debugging information - memory usage, method execution time
|
||||||
log Log all output to file "out.txt"
|
log=[logfile] Log all output to file defined as logfile, or to "out.txt" if not specified
|
||||||
|
|
||||||
Additional checks (slower):
|
Additional checks (slower):
|
||||||
-lolbas Run additional LOLBAS check
|
-lolbas Run additional LOLBAS check
|
||||||
|
@ -44,7 +44,7 @@ namespace winPEAS.Checks
|
|||||||
// github url for Linpeas.sh
|
// github url for Linpeas.sh
|
||||||
public static string LinpeasUrl = "https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh";
|
public static string LinpeasUrl = "https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh";
|
||||||
|
|
||||||
public const string LogFile = "out.txt";
|
public const string DefaultLogFile = "out.txt";
|
||||||
|
|
||||||
|
|
||||||
class SystemCheck
|
class SystemCheck
|
||||||
@ -96,20 +96,34 @@ namespace winPEAS.Checks
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (string.Equals(arg, "log", StringComparison.CurrentCultureIgnoreCase))
|
if (arg.StartsWith("log", StringComparison.CurrentCultureIgnoreCase))
|
||||||
{
|
{
|
||||||
|
// get logfile argument if present
|
||||||
|
string logFile = DefaultLogFile;
|
||||||
|
var parts = arg.Split('=');
|
||||||
|
if (parts.Length == 2)
|
||||||
|
{
|
||||||
|
logFile = parts[1];
|
||||||
|
|
||||||
|
if (string.IsNullOrWhiteSpace(logFile))
|
||||||
|
{
|
||||||
|
Beaprint.PrintException("Please specify a valid log file.");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
fileStream = new FileStream(LogFile, FileMode.OpenOrCreate, FileAccess.Write);
|
fileStream = new FileStream(logFile, FileMode.OpenOrCreate, FileAccess.Write);
|
||||||
fileWriter = new StreamWriter(fileStream);
|
fileWriter = new StreamWriter(fileStream);
|
||||||
}
|
}
|
||||||
catch (Exception ex)
|
catch (Exception ex)
|
||||||
{
|
{
|
||||||
Beaprint.PrintException($"Cannot open \"{LogFile}\" for writing:\n {ex.Message}");
|
Beaprint.PrintException($"Cannot open \"{logFile}\" for writing:\n {ex.Message}");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
Beaprint.ColorPrint($"\"log\" argument present, redirecting output to file \"{LogFile}\"", Beaprint.ansi_color_good);
|
Beaprint.ColorPrint($"\"log\" argument present, redirecting output to file \"{logFile}\"", Beaprint.ansi_color_good);
|
||||||
Console.SetOut(fileWriter);
|
Console.SetOut(fileWriter);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
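Review bot: The prefix test on the `arg.StartsWith("log", StringComparison.CurrentCultureIgnoreCase)` line accepts any argument that begins with "log" (for example `logs` or `log=a=b`) and silently logs to `out.txt` for it, because only `parts.Length == 2` assigns the file name. Restrict the match to the two documented forms and split on the first `=` only, so a path containing `=` still works: `if (string.Equals(arg, "log", StringComparison.OrdinalIgnoreCase) || arg.StartsWith("log=", StringComparison.OrdinalIgnoreCase))` and `var parts = arg.Split(new[] { '=' }, 2);`. Ordinal comparison is also the right choice for a command-line switch, since CurrentCultureIgnoreCase depends on the process locale. The argument loop that encloses this block starts before the hunk.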
@ -124,10 +124,22 @@ namespace winPEAS.Checks
|
|||||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can modify any service");
|
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can modify any service");
|
||||||
if (modifiableServices.Count > 0)
|
if (modifiableServices.Count > 0)
|
||||||
{
|
{
|
||||||
Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:");
|
Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");
|
||||||
Dictionary<string, string> colorsMS = new Dictionary<string, string>()
|
Dictionary<string, string> colorsMS = new Dictionary<string, string>()
|
||||||
{
|
{
|
||||||
{ ".*", Beaprint.ansi_color_bad },
|
// modify
|
||||||
|
{ "AllAccess", Beaprint.ansi_color_bad },
|
||||||
|
{ "ChangeConfig", Beaprint.ansi_color_bad },
|
||||||
|
{ "WriteDac", Beaprint.ansi_color_bad },
|
||||||
|
{ "WriteOwner", Beaprint.ansi_color_bad },
|
||||||
|
{ "AccessSystemSecurity", Beaprint.ansi_color_bad },
|
||||||
|
{ "GenericAll", Beaprint.ansi_color_bad },
|
||||||
|
{ "GenericWrite (ChangeConfig)", Beaprint.ansi_color_bad },
|
||||||
|
|
||||||
|
// start/stop
|
||||||
|
{ "GenericExecute (Start/Stop)", Beaprint.ansi_color_yellow },
|
||||||
|
{ "Start", Beaprint.ansi_color_yellow },
|
||||||
|
{ "Stop", Beaprint.ansi_color_yellow },
|
||||||
};
|
};
|
||||||
Beaprint.DictPrint(modifiableServices, colorsMS, false, true);
|
Beaprint.DictPrint(modifiableServices, colorsMS, false, true);
|
||||||
}
|
}
|
||||||
|
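Review bot: The two new keys `GenericWrite (ChangeConfig)` and `GenericExecute (Start/Stop)` contain parentheses, which are regex group syntax; if `DictPrint` treats the keys as patterns — which the replaced `.*` key and the `ansi_colors_regexp` name used elsewhere in this commit suggest — they match `GenericWrite ChangeConfig` rather than the literal text now emitted by `interesting_perms`, so those rows would print uncolored. Escape them, e.g. `{ @"GenericWrite \(ChangeConfig\)", Beaprint.ansi_color_bad }` and `{ @"GenericExecute \(Start/Stop\)", Beaprint.ansi_color_yellow }`, or build the keys with `Regex.Escape`. Note also that the bare `Start` and `Stop` patterns match inside `GenericExecute (Start/Stop)`, so the colour of that row depends on the order in which DictPrint applies the entries; confirm against its implementation.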
@ -252,6 +252,9 @@ namespace winPEAS.Checks
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
Beaprint.MainPrint("Looking for saved Wifi credentials");
|
Beaprint.MainPrint("Looking for saved Wifi credentials");
|
||||||
|
|
||||||
|
WlanClient wlanClient = new WlanClient();
|
||||||
|
|
||||||
foreach (var @interface in new WlanClient().Interfaces)
|
foreach (var @interface in new WlanClient().Interfaces)
|
||||||
{
|
{
|
||||||
foreach (var profile in @interface.GetProfiles())
|
foreach (var profile in @interface.GetProfiles())
|
||||||
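Review bot: The new local `WlanClient wlanClient = new WlanClient();` is never used; the `foreach` below it still builds a second client through `new WlanClient().Interfaces`. Either iterate the named instance, `foreach (var @interface in wlanClient.Interfaces)`, or drop the new line. Since WlanClient wraps wlanapi.dll (per the commit message), it presumably holds a native handle, so constructing it twice doubles that cost and it should likely be disposed when it implements IDisposable — verify. The enclosing try block and method start before the hunk and continue past it.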
@ -276,6 +279,26 @@ namespace winPEAS.Checks
|
|||||||
catch (Exception ex)
|
catch (Exception ex)
|
||||||
{
|
{
|
||||||
Beaprint.PrintException(ex.Message);
|
Beaprint.PrintException(ex.Message);
|
||||||
|
|
||||||
|
// revert to old way
|
||||||
|
Beaprint.NoColorPrint("Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'");
|
||||||
|
|
||||||
|
Dictionary<string, string> networkConnections = Wifi.Wifi.Retrieve();
|
||||||
|
Dictionary<string, string> ansi_colors_regexp = new Dictionary<string, string>();
|
||||||
|
|
||||||
|
if (networkConnections.Count > 0)
|
||||||
|
{
|
||||||
|
//Make sure the passwords are all flagged as ansi_color_bad.
|
||||||
|
foreach (var connection in networkConnections)
|
||||||
|
{
|
||||||
|
ansi_colors_regexp.Add(connection.Value, Beaprint.ansi_color_bad);
|
||||||
|
}
|
||||||
|
Beaprint.DictPrint(networkConnections, ansi_colors_regexp, false);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Beaprint.NoColorPrint("No saved Wifi credentials found");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
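Review bot: The fallback loop inserts `connection.Value` as a dictionary key with `Add`, so two networks that share the same password raise `ArgumentException` from inside the `catch` block, and that exception propagates out of the catch with nothing printed. Use the indexer, `ansi_colors_regexp[connection.Value] = Beaprint.ansi_color_bad;`, and, if DictPrint treats keys as regex patterns as the variable name suggests, wrap the value in `Regex.Escape` so a password containing `(`, `*` or `\` does not break the pattern. Separately, the `catch` wraps the whole wlanapi path including the per-profile printing, so a failure that occurs after some profiles were already printed re-prints them via netsh; narrowing the try to the client construction and interface enumeration, or recording whether anything was printed before falling back, would avoid the duplicate output. The opening of the enclosing method is outside the hunk.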
@ -140,7 +140,7 @@ namespace winPEAS.Helpers
|
|||||||
Console.WriteLine(LBLUE + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR);
|
Console.WriteLine(LBLUE + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR);
|
||||||
Console.WriteLine(LBLUE + " wait" + GRAY + " Wait for user input between checks" + NOCOLOR);
|
Console.WriteLine(LBLUE + " wait" + GRAY + " Wait for user input between checks" + NOCOLOR);
|
||||||
Console.WriteLine(LBLUE + " debug" + GRAY + " Display debugging information - memory usage, method execution time" + NOCOLOR);
|
Console.WriteLine(LBLUE + " debug" + GRAY + " Display debugging information - memory usage, method execution time" + NOCOLOR);
|
||||||
Console.WriteLine(LBLUE + " log" + GRAY +$" Log all output to file \"{Checks.Checks.LogFile}\"" + NOCOLOR);
|
Console.WriteLine(LBLUE + " log[=logfile]" + GRAY + $" Log all output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR);
|
||||||
Console.WriteLine();
|
Console.WriteLine();
|
||||||
Console.WriteLine(LCYAN + " Additional checks (slower):");
|
Console.WriteLine(LCYAN + " Additional checks (slower):");
|
||||||
Console.WriteLine(LBLUE + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR);
|
Console.WriteLine(LBLUE + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR);
|
||||||
|
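Review bot: The help text on the new `log[=logfile]` line and the README entry in this same commit (`log=[logfile]`) spell the switch differently; the parsing code accepts `log` alone or `log=<path>`, so `log[=logfile]` is the accurate form and the README line should be changed to match. Showing the option consistently matters because a user who follows the README literally and types `log=` with no value is now rejected with "Please specify a valid log file."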
@ -271,11 +271,15 @@ namespace winPEAS.Helpers
|
|||||||
|
|
||||||
else if (permissionType == PermissionType.WRITEABLE_OR_EQUIVALENT_SVC)
|
else if (permissionType == PermissionType.WRITEABLE_OR_EQUIVALENT_SVC)
|
||||||
{
|
{
|
||||||
|
// docs:
|
||||||
|
// https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights
|
||||||
|
// https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/grant-users-rights-manage-services
|
||||||
|
|
||||||
interesting_perms = new Dictionary<string, int>()
|
interesting_perms = new Dictionary<string, int>()
|
||||||
{
|
{
|
||||||
{ "AllAccess", 0xf01ff},
|
{ "AllAccess", 0xf01ff}, // full control
|
||||||
//{"QueryConfig" , 1}, //Grants permission to query the service's configuration.
|
//{"QueryConfig" , 1}, //Grants permission to query the service's configuration.
|
||||||
//{"ChangeConfig" , 2}, //Grants permission to change the service's permission.
|
{"ChangeConfig" , 2}, //Grants permission to change the service's permission.
|
||||||
//{"QueryStatus" , 4}, //Grants permission to query the service's status.
|
//{"QueryStatus" , 4}, //Grants permission to query the service's status.
|
||||||
//{"EnumerateDependents" , 8}, //Grants permissionto enumerate the service's dependent services.
|
//{"EnumerateDependents" , 8}, //Grants permissionto enumerate the service's dependent services.
|
||||||
//{"PauseContinue" , 64}, //Grants permission to pause/continue the service.
|
//{"PauseContinue" , 64}, //Grants permission to pause/continue the service.
|
||||||
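Review bot: The newly enabled `{"ChangeConfig" , 2}` row keeps a comment that says it grants permission to change the service's "permission"; SERVICE_CHANGE_CONFIG is the right to change the service's configuration (binary path, start type, account), which is exactly why it belongs in the modifiable set, so the comment should read `{"ChangeConfig" , 2}, // SERVICE_CHANGE_CONFIG: change the service's configuration (binPath, start type, account)`. The dictionary literal continues into the next hunk and the enclosing method starts before this one.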
@ -283,15 +287,17 @@ namespace winPEAS.Helpers
|
|||||||
//{"UserDefinedControl" , 256}, //Grants permission to run the service's user-defined control.
|
//{"UserDefinedControl" , 256}, //Grants permission to run the service's user-defined control.
|
||||||
//{"Delete" , 65536}, //Grants permission to delete the service.
|
//{"Delete" , 65536}, //Grants permission to delete the service.
|
||||||
//{"ReadControl" , 131072}, //Grants permission to query the service's security descriptor.
|
//{"ReadControl" , 131072}, //Grants permission to query the service's security descriptor.
|
||||||
{"WriteDac" , 262144}, //Grants permission to set the service's discretionary access list.
|
{"WriteDac" , 0x40000}, //Grants permission to set the service's discretionary access list.
|
||||||
{"WriteOwner" , 524288}, //Grants permission to modify the group and owner of a service.
|
{"WriteOwner" , 0x80000}, //Grants permission to modify the group and owner of a service.
|
||||||
//{"Synchronize" , 1048576},
|
//{"Synchronize" , 1048576},
|
||||||
{"AccessSystemSecurity" , 16777216}, //The right to get or set the SACL in the object security descriptor.
|
{"AccessSystemSecurity" , 16777216}, //The right to get or set the SACL in the object security descriptor.
|
||||||
{"GenericAll" , 268435456},
|
{"GenericAll" , 0x1000_0000},
|
||||||
{"GenericWrite" , 1073741824},
|
//{"GenericWrite" , 0x4000_0000},
|
||||||
{"GenericExecute" , 536870912},
|
//{"GenericExecute" , 0x2000_0000},
|
||||||
{"Start" , 16}, //Grants permission to start the service.
|
{"GenericWrite (ChangeConfig)" , 0x2_0002},
|
||||||
{"Stop" , 32}, //Grants permission to stop the service.
|
{"GenericExecute (Start/Stop)" , 0x2_01F0},
|
||||||
|
{"Start" , 0x0010}, //Grants permission to start the service.
|
||||||
|
{"Stop" , 0x0020}, //Grants permission to stop the service.
|
||||||
//{"GenericRead" , 2147483648}
|
//{"GenericRead" , 2147483648}
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
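Review bot: Commenting out the `GenericWrite` (0x4000_0000) and `GenericExecute` (0x2000_0000) rows means an ACE that still carries the raw generic bit — which a DACL can hold when the rights were never translated through the service's generic mapping — no longer matches anything, because the new `0x2_0002` and `0x2_01F0` rows test only the standard and specific bits. If the matcher outside this hunk compares with `(mask & value) == value`, keeping both forms is the safe choice: leave `{"GenericWrite" , 0x4000_0000},` and `{"GenericExecute" , 0x2000_0000},` in alongside the new mapped rows. As written the pairs are also treated inconsistently, since `GenericAll` stays as the raw 0x1000_0000 bit while `AllAccess` is the mapped 0xf01ff. The comparison logic and the end of the enclosing method are outside the hunk.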