- fixed wlan enumeration - if wlanapi.dll is unsupported, try to use netsh

- added support to log to file
- updated check for modifiable services
- updated documentation
This commit is contained in:
makikvues 2021-09-21 21:02:52 +02:00
parent aa8091e504
commit 1eb12a5852
6 changed files with 96 additions and 41 deletions


@ -81,7 +81,7 @@ filesinfo Search files that can contains credentials
eventsinfo Display interesting events information eventsinfo Display interesting events information
wait Wait for user input between checks wait Wait for user input between checks
debug Display debugging information - memory usage, method execution time debug Display debugging information - memory usage, method execution time
log Log all output to file "out.txt" log=[logfile] Log all output to file defined as logfile, or to "out.txt" if not specified
Additional checks (slower): Additional checks (slower):
-lolbas Run additional LOLBAS check -lolbas Run additional LOLBAS check


@ -44,11 +44,11 @@ namespace winPEAS.Checks
// github url for Linpeas.sh // github url for Linpeas.sh
public static string LinpeasUrl = "https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh"; public static string LinpeasUrl = "https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh";
public const string LogFile = "out.txt"; public const string DefaultLogFile = "out.txt";
class SystemCheck class SystemCheck
{ {
public string Key { get; } public string Key { get; }
public ISystemCheck Check { get; } public ISystemCheck Check { get; }
@ -96,20 +96,34 @@ namespace winPEAS.Checks
return; return;
} }
if (string.Equals(arg, "log", StringComparison.CurrentCultureIgnoreCase)) if (arg.StartsWith("log", StringComparison.CurrentCultureIgnoreCase))
{ {
// get logfile argument if present
string logFile = DefaultLogFile;
var parts = arg.Split('=');
if (parts.Length == 2)
{
logFile = parts[1];
if (string.IsNullOrWhiteSpace(logFile))
{
Beaprint.PrintException("Please specify a valid log file.");
return;
}
}
try try
{ {
fileStream = new FileStream(LogFile, FileMode.OpenOrCreate, FileAccess.Write); fileStream = new FileStream(logFile, FileMode.OpenOrCreate, FileAccess.Write);
fileWriter = new StreamWriter(fileStream); fileWriter = new StreamWriter(fileStream);
} }
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.PrintException($"Cannot open \"{LogFile}\" for writing:\n {ex.Message}"); Beaprint.PrintException($"Cannot open \"{logFile}\" for writing:\n {ex.Message}");
return; return;
} }
Beaprint.ColorPrint($"\"log\" argument present, redirecting output to file \"{LogFile}\"", Beaprint.ansi_color_good); Beaprint.ColorPrint($"\"log\" argument present, redirecting output to file \"{logFile}\"", Beaprint.ansi_color_good);
Console.SetOut(fileWriter); Console.SetOut(fileWriter);
} }
@ -257,7 +271,7 @@ namespace winPEAS.Checks
try try
{ {
Beaprint.GrayPrint(" - Getting Win32_UserAccount info..."); Beaprint.GrayPrint(" - Getting Win32_UserAccount info...");
// by default only enumerate local users // by default only enumerate local users
SelectQuery query = new SelectQuery("Win32_UserAccount", "LocalAccount=true"); SelectQuery query = new SelectQuery("Win32_UserAccount", "LocalAccount=true");
if (IsDomainEnumeration) if (IsDomainEnumeration)
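Review bot: `arg.StartsWith("log", StringComparison.CurrentCultureIgnoreCase)` in the second hunk (`@ -96,20 +96,34 @@`) accepts any argument that merely begins with "log", and `arg.Split('=')` combined with the `parts.Length == 2` test silently falls back to `DefaultLogFile` when the path itself contains `=` (three parts), so a mistyped `logs` or an unusual path quietly writes to `out.txt`. Matching the option name exactly and splitting only on the first `=` avoids both: `var parts = arg.Split(new[] { '=' }, 2);`, `if (string.Equals(parts[0], "log", StringComparison.OrdinalIgnoreCase))`, `string logFile = parts.Length == 2 ? parts[1] : DefaultLogFile;` (the empty-path check stays as written). Separately, `FileMode.OpenOrCreate` with `FileAccess.Write` does not truncate an existing file, so a shorter run leaves the tail of a previous log in place and the file no longer reflects this run; `FileMode.Create` (or `FileMode.Append`, if accumulation is wanted) fixes that. The enclosing argument-parsing method starts and ends outside the hunk.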


@ -15,13 +15,13 @@ namespace winPEAS.Checks
Beaprint.GreatPrint("Services Information"); Beaprint.GreatPrint("Services Information");
/// Start finding Modifiable services so any function could use them /// Start finding Modifiable services so any function could use them
try try
{ {
CheckRunner.Run(() => CheckRunner.Run(() =>
{ {
modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs); modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs);
}, isDebug); }, isDebug);
} }
catch (Exception ex) catch (Exception ex)
{ {
@ -34,7 +34,7 @@ namespace winPEAS.Checks
PrintModifiableServices, PrintModifiableServices,
PrintWritableRegServices, PrintWritableRegServices,
PrintPathDllHijacking, PrintPathDllHijacking,
}.ForEach(action => CheckRunner.Run(action, isDebug)); }.ForEach(action => CheckRunner.Run(action, isDebug));
} }
void PrintInterestingServices() void PrintInterestingServices()
@ -124,10 +124,22 @@ namespace winPEAS.Checks
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can modify any service"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can modify any service");
if (modifiableServices.Count > 0) if (modifiableServices.Count > 0)
{ {
Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:"); Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");
Dictionary<string, string> colorsMS = new Dictionary<string, string>() Dictionary<string, string> colorsMS = new Dictionary<string, string>()
{ {
{ ".*", Beaprint.ansi_color_bad }, // modify
{ "AllAccess", Beaprint.ansi_color_bad },
{ "ChangeConfig", Beaprint.ansi_color_bad },
{ "WriteDac", Beaprint.ansi_color_bad },
{ "WriteOwner", Beaprint.ansi_color_bad },
{ "AccessSystemSecurity", Beaprint.ansi_color_bad },
{ "GenericAll", Beaprint.ansi_color_bad },
{ "GenericWrite (ChangeConfig)", Beaprint.ansi_color_bad },
// start/stop
{ "GenericExecute (Start/Stop)", Beaprint.ansi_color_yellow },
{ "Start", Beaprint.ansi_color_yellow },
{ "Stop", Beaprint.ansi_color_yellow },
}; };
Beaprint.DictPrint(modifiableServices, colorsMS, false, true); Beaprint.DictPrint(modifiableServices, colorsMS, false, true);
} }
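Review bot: The new `colorsMS` keys are passed to `Beaprint.DictPrint` as colour patterns, and if they are applied as regular expressions (the sibling `AnsiPrint` takes a `Dictionary<string, string> ansi_colors_regexp`), the parentheses in `"GenericWrite (ChangeConfig)"` and `"GenericExecute (Start/Stop)"` are grouping metacharacters, so those two patterns never match the literal permission names they are meant to highlight and only the shorter `ChangeConfig`/`Start`/`Stop` entries colour a fragment of them. Escaping the keys fixes it: `{ @"GenericWrite \(ChangeConfig\)", Beaprint.ansi_color_bad },` and `{ @"GenericExecute \(Start/Stop\)", Beaprint.ansi_color_yellow },`, or build them with `Regex.Escape`. The previous catch-all `".*"` entry is no longer visible on the new side, so a right that is not in this list prints uncoloured; if that is intended, a one-line comment saying so would save the next reader a check. The enclosing method (presumably `PrintModifiableServices`) starts and ends outside the hunk.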


@ -22,7 +22,7 @@ namespace winPEAS.Checks
public void PrintInfo(bool isDebug) public void PrintInfo(bool isDebug)
{ {
Beaprint.GreatPrint("Windows Credentials"); Beaprint.GreatPrint("Windows Credentials");
new List<Action> new List<Action>
{ {
PrintVaultCreds, PrintVaultCreds,
@ -184,7 +184,7 @@ namespace winPEAS.Checks
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi");
var credFiles = KnownFileCredsInfo.GetCredFiles(); var credFiles = KnownFileCredsInfo.GetCredFiles();
Beaprint.DictPrint(credFiles, false); Beaprint.DictPrint(credFiles, false);
if (credFiles.Count != 0) if (credFiles.Count != 0)
{ {
Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the creds file"); Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the creds file");
@ -201,11 +201,11 @@ namespace winPEAS.Checks
try try
{ {
Beaprint.MainPrint("Checking for RDCMan Settings Files"); Beaprint.MainPrint("Checking for RDCMan Settings Files");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager", Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager",
"Dump credentials from Remote Desktop Connection Manager"); "Dump credentials from Remote Desktop Connection Manager");
var rdcFiles = RemoteDesktop.GetRDCManFiles(); var rdcFiles = RemoteDesktop.GetRDCManFiles();
Beaprint.DictPrint(rdcFiles, false); Beaprint.DictPrint(rdcFiles, false);
if (rdcFiles.Count != 0) if (rdcFiles.Count != 0)
{ {
Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the .rdg file"); Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the .rdg file");
@ -252,6 +252,9 @@ namespace winPEAS.Checks
try try
{ {
Beaprint.MainPrint("Looking for saved Wifi credentials"); Beaprint.MainPrint("Looking for saved Wifi credentials");
WlanClient wlanClient = new WlanClient();
foreach (var @interface in new WlanClient().Interfaces) foreach (var @interface in new WlanClient().Interfaces)
{ {
foreach (var profile in @interface.GetProfiles()) foreach (var profile in @interface.GetProfiles())
@ -276,6 +279,26 @@ namespace winPEAS.Checks
catch (Exception ex) catch (Exception ex)
{ {
Beaprint.PrintException(ex.Message); Beaprint.PrintException(ex.Message);
// revert to old way
Beaprint.NoColorPrint("Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'");
Dictionary<string, string> networkConnections = Wifi.Wifi.Retrieve();
Dictionary<string, string> ansi_colors_regexp = new Dictionary<string, string>();
if (networkConnections.Count > 0)
{
//Make sure the passwords are all flagged as ansi_color_bad.
foreach (var connection in networkConnections)
{
ansi_colors_regexp.Add(connection.Value, Beaprint.ansi_color_bad);
}
Beaprint.DictPrint(networkConnections, ansi_colors_regexp, false);
}
else
{
Beaprint.NoColorPrint("No saved Wifi credentials found");
}
} }
} }
@ -302,7 +325,7 @@ namespace winPEAS.Checks
Beaprint.NoColorPrint(" You must be an administrator to run this check"); Beaprint.NoColorPrint(" You must be an administrator to run this check");
return; return;
} }
var script = AppCmd.GetExtractAppCmdCredsPowerShellScript(); var script = AppCmd.GetExtractAppCmdCredsPowerShellScript();
string args = @$" {script}"; string args = @$" {script}";
@ -346,7 +369,7 @@ namespace winPEAS.Checks
{ {
Beaprint.MainPrint("Looking SSClient.exe"); Beaprint.MainPrint("Looking SSClient.exe");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm"); Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#scclient-sccm");
if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe"))) if (File.Exists(Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe")))
{ {
Beaprint.BadPrint(" SCClient.exe was found in " + Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe DLL Side loading?")); Beaprint.BadPrint(" SCClient.exe was found in " + Environment.ExpandEnvironmentVariables(@"%systemroot%\Windows\CCM\SCClient.exe DLL Side loading?"));
@ -470,7 +493,7 @@ namespace winPEAS.Checks
{ 2, "Require Remote Credential Guard" }, { 2, "Require Remote Credential Guard" },
{ 3, "Require Restricted Admin or Remote Credential Guard" }, { 3, "Require Restricted Admin or Remote Credential Guard" },
}; };
var str = $"{type} - Unknown"; var str = $"{type} - Unknown";
if (types.ContainsKey(type.Value)) if (types.ContainsKey(type.Value))
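Review bot: In the `netsh` fallback (hunk `@ -276,6 +279,26 @@`), `ansi_colors_regexp.Add(connection.Value, Beaprint.ansi_color_bad)` throws `ArgumentException` as soon as two saved profiles share a password, and because this code runs inside the `catch`, that exception — like any failure in `Wifi.Wifi.Retrieve()` itself — escapes the block instead of being reported. Use the indexer, `ansi_colors_regexp[connection.Value] = Beaprint.ansi_color_bad;`, and, if `DictPrint` treats the keys as regular expressions as the parameter name suggests, `Regex.Escape(connection.Value)`, since a password containing `(`, `[` or `\` would otherwise be an invalid pattern; wrapping the fallback in its own try/catch that calls `Beaprint.PrintException` keeps a broken `netsh` path from aborting the check. The fallback also runs after any exception from the wlanapi path, not only a missing `wlanapi.dll`, so profiles already printed by the first loop can be listed a second time; the message should say the output may be partial. In the earlier hunk (`@ -252,6 +252,9 @@`) the new `WlanClient wlanClient = new WlanClient();` is never used — the `foreach` still constructs its own `new WlanClient()` — so either iterate `wlanClient.Interfaces` or drop the line. The enclosing method starts and ends outside both hunks.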


@ -31,7 +31,7 @@ namespace winPEAS.Helpers
public static string ansi_users_disabled = BLUE; public static string ansi_users_disabled = BLUE;
public static string ansi_current_user = MAGENTA; public static string ansi_current_user = MAGENTA;
private static string Advisory = private static string Advisory =
"winpeas should be used for authorized penetration testing and/or educational purposes only." + "winpeas should be used for authorized penetration testing and/or educational purposes only." +
"Any misuse of this software will not be the responsibility of the author or of any other collaborator. " + "Any misuse of this software will not be the responsibility of the author or of any other collaborator. " +
"Use it at your own networks and/or with the network owner's permission."; "Use it at your own networks and/or with the network owner's permission.";
@ -43,7 +43,7 @@ namespace winPEAS.Helpers
///////////////////////////////// /////////////////////////////////
public static void PrintBanner() public static void PrintBanner()
{ {
Console.WriteLine(BLUE + string.Format(@" Console.WriteLine(BLUE + string.Format(@"
{0}*((,.,/((((((((((((((((((((/, */ {0}*((,.,/((((((((((((((((((((/, */
{0},/*,..*((((((((((((((((((((((((((((((((((, {0},/*,..*((((((((((((((((((((((((((((((((((,
{0},*/((((((((((((((((((/, .*//((//**, .*(((((((* {0},*/((((((((((((((((((/, .*//((//**, .*(((((((*
@ -71,9 +71,9 @@ namespace winPEAS.Helpers
{0}(((((((((/,. ,*//////*,. ./(((((((((((((((. {0}(((((((((/,. ,*//////*,. ./(((((((((((((((.
{0}(((((((((((((((((((((((((((((/", LGREEN, GREEN, BLUE, NOCOLOR) + NOCOLOR); {0}(((((((((((((((((((((((((((((/", LGREEN, GREEN, BLUE, NOCOLOR) + NOCOLOR);
Console.WriteLine(); Console.WriteLine();
Console.WriteLine(LYELLOW + "ADVISORY: " + BLUE + Advisory); Console.WriteLine(LYELLOW + "ADVISORY: " + BLUE + Advisory);
Console.WriteLine(); Console.WriteLine();
} }
public static void PrintMarketingBanner() public static void PrintMarketingBanner()
@ -140,13 +140,13 @@ namespace winPEAS.Helpers
Console.WriteLine(LBLUE + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR); Console.WriteLine(LBLUE + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR);
Console.WriteLine(LBLUE + " wait" + GRAY + " Wait for user input between checks" + NOCOLOR); Console.WriteLine(LBLUE + " wait" + GRAY + " Wait for user input between checks" + NOCOLOR);
Console.WriteLine(LBLUE + " debug" + GRAY + " Display debugging information - memory usage, method execution time" + NOCOLOR); Console.WriteLine(LBLUE + " debug" + GRAY + " Display debugging information - memory usage, method execution time" + NOCOLOR);
Console.WriteLine(LBLUE + " log" + GRAY +$" Log all output to file \"{Checks.Checks.LogFile}\"" + NOCOLOR); Console.WriteLine(LBLUE + " log[=logfile]" + GRAY + $" Log all output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR);
Console.WriteLine(); Console.WriteLine();
Console.WriteLine(LCYAN + " Additional checks (slower):"); Console.WriteLine(LCYAN + " Additional checks (slower):");
Console.WriteLine(LBLUE + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR); Console.WriteLine(LBLUE + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR);
Console.WriteLine(LBLUE + " -linpeas=[url]" + GRAY + $" Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" + Console.WriteLine(LBLUE + " -linpeas=[url]" + GRAY + $" Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" +
$" (default: {Checks.Checks.LinpeasUrl})" + NOCOLOR); $" (default: {Checks.Checks.LinpeasUrl})" + NOCOLOR);
} }
@ -215,7 +215,7 @@ namespace winPEAS.Helpers
internal static void PrintDebugLine(string log) internal static void PrintDebugLine(string log)
{ {
Console.WriteLine(YELLOW + " [Debug] " + log + NOCOLOR); Console.WriteLine(YELLOW + " [Debug] " + log + NOCOLOR);
Console.WriteLine(); Console.WriteLine();
} }
@ -228,7 +228,7 @@ namespace winPEAS.Helpers
public static void PrintException(string message) public static void PrintException(string message)
{ {
GrayPrint($" [X] Exception: {message}"); GrayPrint($" [X] Exception: {message}");
} }
public static void AnsiPrint(string to_print, Dictionary<string, string> ansi_colors_regexp) public static void AnsiPrint(string to_print, Dictionary<string, string> ansi_colors_regexp)
{ {


@ -84,7 +84,7 @@ namespace winPEAS.Helpers
return results; return results;
} }
public static List<string> GetMyPermissionsF(FileSecurity fSecurity, Dictionary<string, string> SIDs, PermissionType permissionType = PermissionType.DEFAULT) public static List<string> GetMyPermissionsF(FileSecurity fSecurity, Dictionary<string, string> SIDs, PermissionType permissionType = PermissionType.DEFAULT)
{ {
// Get interesting permissions in fSecurity (Only files and folders) // Get interesting permissions in fSecurity (Only files and folders)
List<string> results = new List<string>(); List<string> results = new List<string>();
@ -271,11 +271,15 @@ namespace winPEAS.Helpers
else if (permissionType == PermissionType.WRITEABLE_OR_EQUIVALENT_SVC) else if (permissionType == PermissionType.WRITEABLE_OR_EQUIVALENT_SVC)
{ {
// docs:
// https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights
// https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/grant-users-rights-manage-services
interesting_perms = new Dictionary<string, int>() interesting_perms = new Dictionary<string, int>()
{ {
{ "AllAccess", 0xf01ff}, { "AllAccess", 0xf01ff}, // full control
//{"QueryConfig" , 1}, //Grants permission to query the service's configuration. //{"QueryConfig" , 1}, //Grants permission to query the service's configuration.
//{"ChangeConfig" , 2}, //Grants permission to change the service's permission. {"ChangeConfig" , 2}, //Grants permission to change the service's permission.
//{"QueryStatus" , 4}, //Grants permission to query the service's status. //{"QueryStatus" , 4}, //Grants permission to query the service's status.
//{"EnumerateDependents" , 8}, //Grants permissionto enumerate the service's dependent services. //{"EnumerateDependents" , 8}, //Grants permissionto enumerate the service's dependent services.
//{"PauseContinue" , 64}, //Grants permission to pause/continue the service. //{"PauseContinue" , 64}, //Grants permission to pause/continue the service.
@ -283,15 +287,17 @@ namespace winPEAS.Helpers
//{"UserDefinedControl" , 256}, //Grants permission to run the service's user-defined control. //{"UserDefinedControl" , 256}, //Grants permission to run the service's user-defined control.
//{"Delete" , 65536}, //Grants permission to delete the service. //{"Delete" , 65536}, //Grants permission to delete the service.
//{"ReadControl" , 131072}, //Grants permission to query the service's security descriptor. //{"ReadControl" , 131072}, //Grants permission to query the service's security descriptor.
{"WriteDac" , 262144}, //Grants permission to set the service's discretionary access list. {"WriteDac" , 0x40000}, //Grants permission to set the service's discretionary access list.
{"WriteOwner" , 524288}, //Grants permission to modify the group and owner of a service. {"WriteOwner" , 0x80000}, //Grants permission to modify the group and owner of a service.
//{"Synchronize" , 1048576}, //{"Synchronize" , 1048576},
{"AccessSystemSecurity" , 16777216}, //The right to get or set the SACL in the object security descriptor. {"AccessSystemSecurity" , 16777216}, //The right to get or set the SACL in the object security descriptor.
{"GenericAll" , 268435456}, {"GenericAll" , 0x1000_0000},
{"GenericWrite" , 1073741824}, //{"GenericWrite" , 0x4000_0000},
{"GenericExecute" , 536870912}, //{"GenericExecute" , 0x2000_0000},
{"Start" , 16}, //Grants permission to start the service. {"GenericWrite (ChangeConfig)" , 0x2_0002},
{"Stop" , 32}, //Grants permission to stop the service. {"GenericExecute (Start/Stop)" , 0x2_01F0},
{"Start" , 0x0010}, //Grants permission to start the service.
{"Stop" , 0x0020}, //Grants permission to stop the service.
//{"GenericRead" , 2147483648} //{"GenericRead" , 2147483648}
}; };
} }
@ -302,8 +308,8 @@ namespace winPEAS.Helpers
foreach (KeyValuePair<string, int> entry in interesting_perms) foreach (KeyValuePair<string, int> entry in interesting_perms)
{ {
if ((entry.Value & current_perm) == entry.Value) if ((entry.Value & current_perm) == entry.Value)
{ {
return entry.Key; return entry.Key;
} }
} }
} }
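Review bot: `{"GenericWrite (ChangeConfig)" , 0x2_0002}` can never be returned: the lookup loop in the last hunk returns the first entry whose bits are all set in `current_perm`, a `Dictionary` with no removals enumerates in insertion order in practice, and `{"ChangeConfig" , 2}` comes earlier with a subset of those bits, so any mask satisfying `0x2_0002` has already matched `ChangeConfig`. Either drop that entry or order the table from most to least specific (`AllAccess`, `GenericAll`, `GenericWrite (ChangeConfig)`, `ChangeConfig`, …) so the most descriptive label wins; `GenericExecute (Start/Stop)` is only reachable because it happens to precede `Start` and `Stop`. Commenting out `GenericWrite` (0x4000_0000) and `GenericExecute` (0x2000_0000) also means an ACE that still carries the unmapped generic bits, rather than the service-specific rights they map to, now matches nothing, which would silently hide a modifiable service if such ACEs occur on real systems; unless that was verified, keeping those two entries costs nothing. The `ChangeConfig` comment should read `//Grants permission to change the service's configuration.`. The enclosing method starts and ends outside these hunks.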