- fixed wlan enumeration - if wlanapi.dll is unsupported, try to use netsh

- added support to log to file
- updated check for modifiable services
- updated documentation
This commit is contained in:
makikvues 2021-09-21 21:02:52 +02:00
parent aa8091e504
commit 1eb12a5852
6 changed files with 96 additions and 41 deletions


@ -81,7 +81,7 @@ filesinfo Search files that can contains credentials
eventsinfo Display interesting events information
wait Wait for user input between checks
debug Display debugging information - memory usage, method execution time
log Log all output to file "out.txt"
log=[logfile] Log all output to file defined as logfile, or to "out.txt" if not specified
Additional checks (slower):
-lolbas Run additional LOLBAS check


@ -44,7 +44,7 @@ namespace winPEAS.Checks
// github url for Linpeas.sh
public static string LinpeasUrl = "https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh";
public const string LogFile = "out.txt";
public const string DefaultLogFile = "out.txt";
class SystemCheck
@ -96,20 +96,34 @@ namespace winPEAS.Checks
return;
}
if (string.Equals(arg, "log", StringComparison.CurrentCultureIgnoreCase))
if (arg.StartsWith("log", StringComparison.CurrentCultureIgnoreCase))
{
// get logfile argument if present
string logFile = DefaultLogFile;
var parts = arg.Split('=');
if (parts.Length == 2)
{
logFile = parts[1];
if (string.IsNullOrWhiteSpace(logFile))
{
Beaprint.PrintException("Please specify a valid log file.");
return;
}
}
try
{
fileStream = new FileStream(LogFile, FileMode.OpenOrCreate, FileAccess.Write);
fileStream = new FileStream(logFile, FileMode.OpenOrCreate, FileAccess.Write);
fileWriter = new StreamWriter(fileStream);
}
catch (Exception ex)
{
Beaprint.PrintException($"Cannot open \"{LogFile}\" for writing:\n {ex.Message}");
Beaprint.PrintException($"Cannot open \"{logFile}\" for writing:\n {ex.Message}");
return;
}
Beaprint.ColorPrint($"\"log\" argument present, redirecting output to file \"{LogFile}\"", Beaprint.ansi_color_good);
Beaprint.ColorPrint($"\"log\" argument present, redirecting output to file \"{logFile}\"", Beaprint.ansi_color_good);
Console.SetOut(fileWriter);
}
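Review bot: The new `fileStream = new FileStream(logFile, FileMode.OpenOrCreate, FileAccess.Write);` does not truncate an existing file, so when the chosen log file already exists and is longer than this run's output, the tail of the previous content survives after the new text; `FileMode.Create` (overwrite) or `FileMode.Append` states the intent and avoids a mixed file. Two smaller points in the same branch: `arg.StartsWith("log", ...)` now also claims any argument that merely begins with "log", and `arg.Split('=')` with `parts.Length == 2` silently falls back to the default for a path that itself contains '='; `string.Equals(arg, "log", cmp) || arg.StartsWith("log=", cmp)` and `arg.Split(new[] { '=' }, 2)` keep both exact. Argument names are not user-facing text, so `StringComparison.OrdinalIgnoreCase` is the safer comparison here than CurrentCultureIgnoreCase, which depends on the process locale. The surrounding method starts and ends outside the hunk.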


@ -124,10 +124,22 @@ namespace winPEAS.Checks
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services", "Check if you can modify any service");
if (modifiableServices.Count > 0)
{
Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY SOME SERVICE/s:");
Beaprint.BadPrint(" LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:");
Dictionary<string, string> colorsMS = new Dictionary<string, string>()
{
{ ".*", Beaprint.ansi_color_bad },
// modify
{ "AllAccess", Beaprint.ansi_color_bad },
{ "ChangeConfig", Beaprint.ansi_color_bad },
{ "WriteDac", Beaprint.ansi_color_bad },
{ "WriteOwner", Beaprint.ansi_color_bad },
{ "AccessSystemSecurity", Beaprint.ansi_color_bad },
{ "GenericAll", Beaprint.ansi_color_bad },
{ "GenericWrite (ChangeConfig)", Beaprint.ansi_color_bad },
// start/stop
{ "GenericExecute (Start/Stop)", Beaprint.ansi_color_yellow },
{ "Start", Beaprint.ansi_color_yellow },
{ "Stop", Beaprint.ansi_color_yellow },
};
Beaprint.DictPrint(modifiableServices, colorsMS, false, true);
}
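Review bot: The two new keys `"GenericWrite (ChangeConfig)"` and `"GenericExecute (Start/Stop)"` contain unescaped parentheses; if DictPrint treats the keys of this dictionary as regular expressions, as the `ansi_colors_regexp` naming of the same argument elsewhere in this commit suggests, the parentheses form a capture group and the pattern matches `GenericWrite ChangeConfig` rather than the text actually printed, so these rights would only get whatever colour the `.*` entry resolves to. Escaping them as verbatim strings, `{ @"GenericWrite \(ChangeConfig\)", Beaprint.ansi_color_bad }` and `{ @"GenericExecute \(Start/Stop\)", Beaprint.ansi_color_yellow }`, keeps the highlight tied to the literal right names. Whether the `.*` entry or the specific entries win when several match depends on the order DictPrint applies them, which is worth a one-line comment above the dictionary if the result is intentional. The enclosing method opens and closes outside the hunk.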


@ -252,6 +252,9 @@ namespace winPEAS.Checks
try
{
Beaprint.MainPrint("Looking for saved Wifi credentials");
WlanClient wlanClient = new WlanClient();
foreach (var @interface in new WlanClient().Interfaces)
{
foreach (var profile in @interface.GetProfiles())
@ -276,6 +279,26 @@ namespace winPEAS.Checks
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
// revert to old way
Beaprint.NoColorPrint("Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'");
Dictionary<string, string> networkConnections = Wifi.Wifi.Retrieve();
Dictionary<string, string> ansi_colors_regexp = new Dictionary<string, string>();
if (networkConnections.Count > 0)
{
//Make sure the passwords are all flagged as ansi_color_bad.
foreach (var connection in networkConnections)
{
ansi_colors_regexp.Add(connection.Value, Beaprint.ansi_color_bad);
}
Beaprint.DictPrint(networkConnections, ansi_colors_regexp, false);
}
else
{
Beaprint.NoColorPrint("No saved Wifi credentials found");
}
}
}
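Review bot: In the new fallback, `ansi_colors_regexp.Add(connection.Value, Beaprint.ansi_color_bad);` uses the recovered password as the dictionary key, so two profiles that share a password throw an ArgumentException from Dictionary.Add inside the catch handler, and a password containing regex metacharacters becomes an invalid or wrong pattern if DictPrint interprets the keys as regular expressions, as the variable name suggests; `ansi_colors_regexp[Regex.Escape(connection.Value)] = Beaprint.ansi_color_bad;` addresses both (System.Text.RegularExpressions must be in scope). Because the netsh path runs inside the catch block, any failure of `Wifi.Wifi.Retrieve()` now escapes the method uncaught, which is worse than the previous single-path behaviour; wrapping the fallback in its own try/catch keeps the check best-effort. The `Beaprint.PrintException(ex.Message)` that precedes the fallback is now emitted for an expected condition (wlanapi.dll unavailable), so a warning or debug-level line would read better than an exception banner. Separately, the `WlanClient wlanClient = new WlanClient();` added in the first hunk is never used, since the foreach still constructs its own instance. The try block opens in the earlier hunk and the method continues past this one.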


@ -43,7 +43,7 @@ namespace winPEAS.Helpers
/////////////////////////////////
public static void PrintBanner()
{
Console.WriteLine(BLUE + string.Format(@"
Console.WriteLine(BLUE + string.Format(@"
{0}*((,.,/((((((((((((((((((((/, */
{0},/*,..*((((((((((((((((((((((((((((((((((,
{0},*/((((((((((((((((((/, .*//((//**, .*(((((((*
@ -71,9 +71,9 @@ namespace winPEAS.Helpers
{0}(((((((((/,. ,*//////*,. ./(((((((((((((((.
{0}(((((((((((((((((((((((((((((/", LGREEN, GREEN, BLUE, NOCOLOR) + NOCOLOR);
Console.WriteLine();
Console.WriteLine(LYELLOW + "ADVISORY: " + BLUE + Advisory);
Console.WriteLine();
Console.WriteLine();
Console.WriteLine(LYELLOW + "ADVISORY: " + BLUE + Advisory);
Console.WriteLine();
}
public static void PrintMarketingBanner()
@ -140,7 +140,7 @@ namespace winPEAS.Helpers
Console.WriteLine(LBLUE + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR);
Console.WriteLine(LBLUE + " wait" + GRAY + " Wait for user input between checks" + NOCOLOR);
Console.WriteLine(LBLUE + " debug" + GRAY + " Display debugging information - memory usage, method execution time" + NOCOLOR);
Console.WriteLine(LBLUE + " log" + GRAY +$" Log all output to file \"{Checks.Checks.LogFile}\"" + NOCOLOR);
Console.WriteLine(LBLUE + " log[=logfile]" + GRAY + $" Log all output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR);
Console.WriteLine();
Console.WriteLine(LCYAN + " Additional checks (slower):");
Console.WriteLine(LBLUE + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR);
@ -215,7 +215,7 @@ namespace winPEAS.Helpers
internal static void PrintDebugLine(string log)
{
Console.WriteLine(YELLOW + " [Debug] " + log + NOCOLOR);
Console.WriteLine(YELLOW + " [Debug] " + log + NOCOLOR);
Console.WriteLine();
}


@ -84,7 +84,7 @@ namespace winPEAS.Helpers
return results;
}
public static List<string> GetMyPermissionsF(FileSecurity fSecurity, Dictionary<string, string> SIDs, PermissionType permissionType = PermissionType.DEFAULT)
public static List<string> GetMyPermissionsF(FileSecurity fSecurity, Dictionary<string, string> SIDs, PermissionType permissionType = PermissionType.DEFAULT)
{
// Get interesting permissions in fSecurity (Only files and folders)
List<string> results = new List<string>();
@ -271,11 +271,15 @@ namespace winPEAS.Helpers
else if (permissionType == PermissionType.WRITEABLE_OR_EQUIVALENT_SVC)
{
// docs:
// https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights
// https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/grant-users-rights-manage-services
interesting_perms = new Dictionary<string, int>()
{
{ "AllAccess", 0xf01ff},
{ "AllAccess", 0xf01ff}, // full control
//{"QueryConfig" , 1}, //Grants permission to query the service's configuration.
//{"ChangeConfig" , 2}, //Grants permission to change the service's permission.
{"ChangeConfig" , 2}, //Grants permission to change the service's permission.
//{"QueryStatus" , 4}, //Grants permission to query the service's status.
//{"EnumerateDependents" , 8}, //Grants permissionto enumerate the service's dependent services.
//{"PauseContinue" , 64}, //Grants permission to pause/continue the service.
@ -283,15 +287,17 @@ namespace winPEAS.Helpers
//{"UserDefinedControl" , 256}, //Grants permission to run the service's user-defined control.
//{"Delete" , 65536}, //Grants permission to delete the service.
//{"ReadControl" , 131072}, //Grants permission to query the service's security descriptor.
{"WriteDac" , 262144}, //Grants permission to set the service's discretionary access list.
{"WriteOwner" , 524288}, //Grants permission to modify the group and owner of a service.
{"WriteDac" , 0x40000}, //Grants permission to set the service's discretionary access list.
{"WriteOwner" , 0x80000}, //Grants permission to modify the group and owner of a service.
//{"Synchronize" , 1048576},
{"AccessSystemSecurity" , 16777216}, //The right to get or set the SACL in the object security descriptor.
{"GenericAll" , 268435456},
{"GenericWrite" , 1073741824},
{"GenericExecute" , 536870912},
{"Start" , 16}, //Grants permission to start the service.
{"Stop" , 32}, //Grants permission to stop the service.
{"GenericAll" , 0x1000_0000},
//{"GenericWrite" , 0x4000_0000},
//{"GenericExecute" , 0x2000_0000},
{"GenericWrite (ChangeConfig)" , 0x2_0002},
{"GenericExecute (Start/Stop)" , 0x2_01F0},
{"Start" , 0x0010}, //Grants permission to start the service.
{"Stop" , 0x0020}, //Grants permission to stop the service.
//{"GenericRead" , 2147483648}
};
}
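Review bot: The new `{"GenericExecute (Start/Stop)" , 0x2_01F0}` mask includes bit 0x80, which is SERVICE_INTERROGATE; per the service-security-and-access-rights page linked in the first hunk of this file, GENERIC_EXECUTE on a service object maps to STANDARD_RIGHTS_EXECUTE, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE and SERVICE_USER_DEFINED_CONTROL, i.e. `0x2_0170`, while SERVICE_INTERROGATE is part of GENERIC_READ. How much this matters depends on the comparison done later in the method (an exact or contains-all check would miss genuine GENERIC_EXECUTE ACEs, an any-bit check only over-includes), but the constant should mirror the documented mapping either way, and a comment naming the components, e.g. `// STANDARD_RIGHTS_EXECUTE | START | STOP | PAUSE_CONTINUE | USER_DEFINED_CONTROL`, would let the next reader verify it. The table now mixes the new hex literals with the untouched decimal `16777216` for AccessSystemSecurity; writing it as `0x100_0000` keeps the dictionary uniform. The interesting_perms initializer and the enclosing method begin before this hunk and end after it.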