winpeasexe-domain
This commit is contained in:
parent
64b9062daa
commit
1f5e5a6508
@ -16,6 +16,31 @@ namespace winPEAS
|
||||
{
|
||||
class MyUtils
|
||||
{
|
||||
public static bool IsDomainJoined()
|
||||
{
|
||||
// returns true if the system is likely a virtual machine
|
||||
// Adapted from RobSiklos' code from https://stackoverflow.com/questions/498371/how-to-detect-if-my-application-is-running-in-a-virtual-machine/11145280#11145280
|
||||
try
|
||||
{
|
||||
using (var searcher = new System.Management.ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
|
||||
{
|
||||
using (var items = searcher.Get())
|
||||
{
|
||||
foreach (var item in items)
|
||||
{
|
||||
return (bool)item["PartOfDomain"];
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
System.Console.WriteLine(ex);
|
||||
}
|
||||
//By default tru, because this way wiill check domain and local, but never should get here the code
|
||||
return true;
|
||||
}
|
||||
|
||||
public static Dictionary<string, string> RemoveEmptyKeys(Dictionary<string, string> dic_in)
|
||||
{
|
||||
Dictionary<string, string> results = new Dictionary<string, string>();
|
||||
|
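Review bot: The header comment of IsDomainJoined, `// returns true if the system is likely a virtual machine`, was carried over from the VM-detection snippet the method was adapted from and describes the wrong method; it should read `// returns true if Win32_ComputerSystem.PartOfDomain is set; on any failure returns true so callers try the domain lookup first and fall back to local`. The fallback comment `//By default tru, because this way wiill check domain and local, but never should get here the code` states the same intent and could be shortened to `// reached only if the WMI query failed or returned no rows`. Note that the `return true;` is also reached when the query succeeds with zero rows, since the foreach body then never executes, so the comment should not claim the line is unreachable.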
@ -20,7 +20,7 @@ namespace winPEAS
|
||||
// Static blacklists
|
||||
static string strTrue = "True";
|
||||
static string strFalse = "False";
|
||||
static string badgroups = "docker|Remote";
|
||||
static string badgroups = "docker|Remote|Admins";
|
||||
static string badpasswd = "NotChange|NotExpi";
|
||||
static string badPrivileges = "Enabled|ENABLED|SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege";
|
||||
static string goodSoft = "Windows Phone Kits|Windows Kits|Windows Defender|Windows Mail|Windows Media Player|Windows Multimedia Platform|windows nt|Windows Photo Viewer|Windows Portable Devices|Windows Security|Windows Sidebar|WindowsApps|WindowsPowerShell|Microsoft|WOW6432Node|internet explorer|Internet Explorer|Common Files";
|
||||
@ -47,10 +47,11 @@ namespace winPEAS
|
||||
static StyleSheet onlyKeyStyleSheet = new StyleSheet(color_key);
|
||||
|
||||
// Create Dynamic blacklists
|
||||
public static bool partofdomain = MyUtils.IsDomainJoined();
|
||||
static string currentUserName = Environment.UserName;
|
||||
static string currentDomainName = Environment.UserDomainName;
|
||||
static List<string> currentUserGroups = UserInfo.GetUserGroups(currentUserName);
|
||||
public static List<string> interestingUsersGroups = new List<string> { "Everyone", "Users", "Todos" , currentUserName }; //Authenticated Users (Authenticated left behin to avoid repetitions)
|
||||
static List<string> currentUserGroups = UserInfo.GetUserGroups(currentUserName, currentDomainName);
|
||||
public static List<string> interestingUsersGroups = new List<string> { "Everyone", "Users", "Todos", currentUserName }; //Authenticated Users (Authenticated left behin to avoid repetitions)
|
||||
static string paint_interestingUserGroups = String.Join("|", currentUserGroups);
|
||||
static string paint_activeUsers = String.Join("|", UserInfo.GetMachineUsers(true, false, false, false, false));
|
||||
static string paint_disabledUsers = String.Join("|", UserInfo.GetMachineUsers(false, true, false, false, false));
|
||||
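Review bot: `public static bool partofdomain = MyUtils.IsDomainJoined();` is read by UserInfo.GetUser while Program's static initializers are still running, because the `currentUserGroups` initializer a few lines below calls UserInfo.GetUserGroups; this works only because C# runs static field initializers in textual order, so moving the field below currentUserGroups would silently make GetUser observe `false`. Nothing visible in the diff assigns it after initialization, so declare it `public static readonly bool partofdomain = MyUtils.IsDomainJoined(); // keep above currentUserGroups: UserInfo.GetUser reads it during this type's initialization` so the ordering dependency is documented and the flag cannot be flipped from another class. The enclosing class body continues outside the hunk.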
@ -314,7 +315,8 @@ namespace winPEAS
|
||||
|
||||
void PrintUACInfo()
|
||||
{
|
||||
try {
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("UAC Status", "T1012");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
|
||||
Dictionary<string, string> uacDict = SystemInfo.GetUACSystemPolicies();
|
||||
@ -388,7 +390,7 @@ namespace winPEAS
|
||||
* MediumPurple:
|
||||
* ---- Disabled users
|
||||
*/
|
||||
|
||||
|
||||
StyleSheet CreateUsersSS()
|
||||
{
|
||||
StyleSheet styleSheetUsers = new StyleSheet(color_default);
|
||||
@ -483,7 +485,8 @@ namespace winPEAS
|
||||
{
|
||||
if (exec_cmd)
|
||||
Beaprint.BadPrint(" " + MyUtils.ExecCMD("powershell -command Get-Clipboard"));
|
||||
else {
|
||||
else
|
||||
{
|
||||
Beaprint.NotFoundPrint();
|
||||
Beaprint.InfoPrint(" This C# implementation to capture the clipboard is not trustable in every Windows version");
|
||||
Beaprint.InfoPrint(" If you want to see what is inside the clipboard execute 'powershell -command \"Get - Clipboard\"'");
|
||||
@ -523,12 +526,14 @@ namespace winPEAS
|
||||
{
|
||||
string format = " {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}";
|
||||
string header = String.Format(format, "SessID", "pSessionName", "pUserName", "pDomainName", "State", "SourceIP");
|
||||
if (using_ansi) {
|
||||
if (using_ansi)
|
||||
{
|
||||
System.Console.WriteLine(header);
|
||||
foreach (Dictionary<string, string> rdp_ses in rdp_sessions)
|
||||
Beaprint.AnsiPrint(String.Format(format, rdp_ses["SessionID"], rdp_ses["pSessionName"], rdp_ses["pUserName"], rdp_ses["pDomainName"], rdp_ses["State"], rdp_ses["SourceIP"]), colorsU());
|
||||
}
|
||||
else {
|
||||
else
|
||||
{
|
||||
Colorful.Console.WriteLineStyled(header, onlyKeyStyleSheet);
|
||||
foreach (Dictionary<string, string> rdp_ses in rdp_sessions)
|
||||
Colorful.Console.WriteLineStyled(String.Format(format, rdp_ses["SessionID"], rdp_ses["pSessionName"], rdp_ses["pUserName"], rdp_ses["pDomainName"], rdp_ses["State"], rdp_ses["SourceIP"]), CreateUsersSS());
|
||||
@ -567,7 +572,8 @@ namespace winPEAS
|
||||
Beaprint.MainPrint("Looking for AutoLogon credentials", "T1012");
|
||||
bool ban = false;
|
||||
Dictionary<string, string> autologon = UserInfo.GetAutoLogon();
|
||||
if (autologon.Count > 0) {
|
||||
if (autologon.Count > 0)
|
||||
{
|
||||
foreach (KeyValuePair<string, string> entry in autologon)
|
||||
{
|
||||
if (!String.IsNullOrEmpty(entry.Value))
|
||||
@ -601,7 +607,7 @@ namespace winPEAS
|
||||
{
|
||||
Beaprint.MainPrint("Home folders found", "T1087&T1083&T1033");
|
||||
List<string> user_folders = UserInfo.GetUsersFolders();
|
||||
foreach(string ufold in user_folders)
|
||||
foreach (string ufold in user_folders)
|
||||
{
|
||||
string perms = String.Join(", ", MyUtils.GetPermissionsFolder(ufold, interestingUsersGroups));
|
||||
if (perms.Length > 0)
|
||||
@ -708,7 +714,7 @@ namespace winPEAS
|
||||
if (proc_info["CommandLine"].Length > 1)
|
||||
formString += "\n {8}";
|
||||
|
||||
if (using_ansi)
|
||||
if (using_ansi)
|
||||
{
|
||||
Dictionary<string, string> colorsP = new Dictionary<string, string>()
|
||||
{
|
||||
@ -1308,7 +1314,8 @@ namespace winPEAS
|
||||
formString += "\n Folder Permissions: {9}";
|
||||
formString += "\n {10}";
|
||||
|
||||
if (using_ansi) {
|
||||
if (using_ansi)
|
||||
{
|
||||
Dictionary<string, string> colorsN = new Dictionary<string, string>()
|
||||
{
|
||||
{ strFalse, ansi_color_bad },
|
||||
@ -1316,7 +1323,7 @@ namespace winPEAS
|
||||
{ "File Permissions.*|Folder Permissions.*", ansi_color_bad },
|
||||
{ rule["AppName"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?"), (file_perms.Length > 0 || folder_perms.Length > 0) ? ansi_color_bad : ansi_color_good },
|
||||
};
|
||||
Beaprint.AnsiPrint(String.Format(formString, rule["Profiles"], rule["Name"], rule["AppName"], rule["Action"], rule["Protocol"], rule["Direction"], rule["Direction"] == "IN" ? rule["Local"] : rule["Remote"], rule["Direction"] == "IN" ? rule["Remote"] : rule["Local"], file_perms, folder_perms, rule["Description"]), colorsN);
|
||||
Beaprint.AnsiPrint(String.Format(formString, rule["Profiles"], rule["Name"], rule["AppName"], rule["Action"], rule["Protocol"], rule["Direction"], rule["Direction"] == "IN" ? rule["Local"] : rule["Remote"], rule["Direction"] == "IN" ? rule["Remote"] : rule["Local"], file_perms, folder_perms, rule["Description"]), colorsN);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -1522,7 +1529,7 @@ namespace winPEAS
|
||||
List<Dictionary<string, string>> cred_files = KnownFileCredsInfo.GetCredFiles();
|
||||
Beaprint.DictPrint(cred_files, false);
|
||||
if (cred_files.Count != 0)
|
||||
Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the creds file");
|
||||
Beaprint.InfoPrint("Follow the provided link for further instructions in how to decrypt the creds file");
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
@ -1982,7 +1989,7 @@ namespace winPEAS
|
||||
{
|
||||
StyleSheet styleSheetPS = new StyleSheet(color_default);
|
||||
styleSheetPS.AddStyle("ProxyPassword.*", color_bad);
|
||||
|
||||
|
||||
Beaprint.DictPrint(putty_sess, styleSheetPS, true);
|
||||
}
|
||||
}
|
||||
|
@ -96,6 +96,7 @@ namespace winPEAS
|
||||
results.Add("IsVirtualMachine", isVM.ToString());
|
||||
results.Add("Current Time", now.ToString());
|
||||
results.Add("HighIntegrity", isHighIntegrity.ToString());
|
||||
results.Add("PartOfDomain", Program.partofdomain.ToString());
|
||||
results.Add("Hotfixes", hotfixes);
|
||||
}
|
||||
catch (Exception ex)
|
||||
|
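Review bot: `results.Add("PartOfDomain", Program.partofdomain.ToString());` makes the system-information collector depend on the entry-point class for a value that MyUtils computes, and UserInfo.GetUser in this same commit takes the identical dependency on `Program.partofdomain`; utility classes reaching into Program inverts the layering and means neither can run without Program's whole type initializer executing first. Caching the flag where it is computed, `public static readonly bool PartOfDomain = IsDomainJoined();` in MyUtils, and reading `MyUtils.PartOfDomain` from both call sites keeps the single WMI query while removing the dependency. The enclosing method starts and ends outside the hunk.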
@ -292,18 +292,20 @@ namespace winPEAS
|
||||
else if (onlyLockout && (bool)user["Lockout"]) retList.Add((string)user["Name"]);
|
||||
else if (onlyAdmins)
|
||||
{
|
||||
if ((string.Join(",", GetUserGroups((string)user["Name"])).Contains("Admin"))) retList.Add((string)user["Name"]);
|
||||
string domain = (string)user["Domain"];
|
||||
if (string.Join(",", GetUserGroups((string)user["Name"], domain)).Contains("Admin")) retList.Add((string)user["Name"]);
|
||||
}
|
||||
else if (fullInfo)
|
||||
{
|
||||
string domain = (string)user["Domain"];
|
||||
string userLine = user["Caption"] + ((bool)user["Disabled"] ? "(Disabled)" : "") + ((bool)user["Lockout"] ? "(Lockout)" : "") + ((string)user["Fullname"] != "false" ? "" : "(" + user["Fullname"] + ")") + (((string)user["Description"]).Length > 1 ? ": " + user["Description"] : "");
|
||||
List<string> user_groups = GetUserGroups((string)user["Name"]);
|
||||
List<string> user_groups = GetUserGroups((string)user["Name"], domain);
|
||||
string groupsLine = "";
|
||||
if (user_groups.Count > 0)
|
||||
{
|
||||
groupsLine = "\n\t|->Groups: " + string.Join(",", user_groups);
|
||||
}
|
||||
string passLine = "\n\t|->Password: " + ((bool)user["PasswordChangeable"] ? "CanChange" : "NotChange") + "-" + ((bool)user["PasswordExpires"] ? "Expi" : "NotExpi") + "-" + ((bool)user["PasswordRequired"] ? "Req" : "NotReq");
|
||||
string passLine = "\n\t|->Password: " + ((bool)user["PasswordChangeable"] ? "CanChange" : "NotChange") + "-" + ((bool)user["PasswordExpires"] ? "Expi" : "NotExpi") + "-" + ((bool)user["PasswordRequired"] ? "Req" : "NotReq") + "\n";
|
||||
retList.Add(userLine + groupsLine + passLine);
|
||||
}
|
||||
}
|
||||
@ -316,12 +318,12 @@ namespace winPEAS
|
||||
}
|
||||
|
||||
// https://stackoverflow.com/questions/3679579/check-for-groups-a-local-user-is-a-member-of/3681442#3681442
|
||||
public static List<string> GetUserGroups(string sUserName)
|
||||
public static List<string> GetUserGroups(string sUserName, string domain)
|
||||
{
|
||||
List<string> myItems = new List<string>();
|
||||
try
|
||||
{
|
||||
UserPrincipal oUserPrincipal = GetUser(sUserName);
|
||||
UserPrincipal oUserPrincipal = GetUser(sUserName, domain);
|
||||
PrincipalSearchResult<Principal> oPrincipalSearchResult = oUserPrincipal.GetGroups();
|
||||
foreach (Principal oResult in oPrincipalSearchResult)
|
||||
{
|
||||
@ -335,27 +337,45 @@ namespace winPEAS
|
||||
return myItems;
|
||||
}
|
||||
|
||||
public static UserPrincipal GetUser(string sUserName)
|
||||
public static UserPrincipal GetUser(string sUserName, string domain)
|
||||
{
|
||||
UserPrincipal user = null;
|
||||
try
|
||||
{
|
||||
// Extract local user information
|
||||
//https://stackoverflow.com/questions/14594545/query-local-administrator-group
|
||||
var context = new PrincipalContext(ContextType.Machine);
|
||||
var user = new UserPrincipal(context);
|
||||
user.SamAccountName = sUserName;
|
||||
var searcher = new PrincipalSearcher(user);
|
||||
user = searcher.FindOne() as UserPrincipal;
|
||||
return user;
|
||||
if (Program.partofdomain) //Check if partof domain
|
||||
{
|
||||
user = GetUserDomain(sUserName, domain);
|
||||
if (user == null) //If part of domain but null, then user is local
|
||||
user = GetUserLocal(sUserName);
|
||||
}
|
||||
else //If not part of a domain, thn user is local
|
||||
user = GetUserLocal(sUserName);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
//if not local, try to extract domain user information
|
||||
//https://stackoverflow.com/questions/12710355/check-if-user-is-a-domain-user-or-local-user/12710452
|
||||
var domainContext = new PrincipalContext(ContextType.Domain, Environment.UserDomainName);
|
||||
UserPrincipal domainuser = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, sUserName);
|
||||
return domainuser;
|
||||
catch
|
||||
{ //If error, then some error ocurred trying to find a user inside an unexistant domain, check if local user
|
||||
user = GetUserLocal(sUserName);
|
||||
}
|
||||
return user;
|
||||
}
|
||||
public static UserPrincipal GetUserLocal(string sUserName)
|
||||
{
|
||||
// Extract local user information
|
||||
//https://stackoverflow.com/questions/14594545/query-local-administrator-group
|
||||
var context = new PrincipalContext(ContextType.Machine);
|
||||
var user = new UserPrincipal(context);
|
||||
user.SamAccountName = sUserName;
|
||||
var searcher = new PrincipalSearcher(user);
|
||||
user = searcher.FindOne() as UserPrincipal;
|
||||
return user;
|
||||
}
|
||||
public static UserPrincipal GetUserDomain(string sUserName, string domain)
|
||||
{
|
||||
//if not local, try to extract domain user information
|
||||
//https://stackoverflow.com/questions/12710355/check-if-user-is-a-domain-user-or-local-user/12710452
|
||||
//var domainContext = new PrincipalContext(ContextType.Domain, Environment.UserDomainName);
|
||||
var domainContext = new PrincipalContext(ContextType.Domain, domain);
|
||||
UserPrincipal domainuser = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, sUserName);
|
||||
return domainuser;
|
||||
}
|
||||
|
||||
public static PrincipalContext GetPrincipalContext()
|
||||
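Review bot: In GetUser, `if (Program.partofdomain)` routes every lookup through GetUserDomain first, including local accounts whose `domain` argument is the machine name (if, as the property names in GetMachineUsers suggest, these rows come from Win32_UserAccount), so on a domain-joined host each local user pays for a PrincipalContext against a non-existent domain that only fails into the `catch`; guarding with `if (Program.partofdomain && !string.Equals(domain, Environment.MachineName, StringComparison.OrdinalIgnoreCase))` skips the probe where it cannot succeed. The bare `catch` also re-calls GetUserLocal, so a failure raised by GetUserLocal inside the try is retried once and then escapes GetUser unhandled, relying on the try in GetUserGroups to absorb it; a `catch (Exception ex)` that logs the reason would make the fallback diagnosable. The PrincipalContext and PrincipalSearcher created in GetUserLocal and GetUserDomain are never disposed, and since the returned UserPrincipal still needs its context for GetGroups, disposal belongs in the caller after the groups are enumerated rather than inside these helpers.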
@ -594,15 +614,15 @@ namespace winPEAS
|
||||
var pi = server.GetDomainPasswordInformation(sid);
|
||||
|
||||
results.Add(new Dictionary<string, string>()
|
||||
{
|
||||
{ "Domain", domain },
|
||||
{ "SID", String.Format("{0}", sid) },
|
||||
{ "MaxPasswordAge", String.Format("{0}", pi.MaxPasswordAge) },
|
||||
{ "MinPasswordAge", String.Format("{0}", pi.MinPasswordAge) },
|
||||
{ "MinPasswordLength", String.Format("{0}", pi.MinPasswordLength) },
|
||||
{ "PasswordHistoryLength", String.Format("{0}", pi.PasswordHistoryLength) },
|
||||
{ "PasswordProperties", String.Format("{0}", pi.PasswordProperties) },
|
||||
});
|
||||
{
|
||||
{ "Domain", domain },
|
||||
{ "SID", String.Format("{0}", sid) },
|
||||
{ "MaxPasswordAge", String.Format("{0}", pi.MaxPasswordAge) },
|
||||
{ "MinPasswordAge", String.Format("{0}", pi.MinPasswordAge) },
|
||||
{ "MinPasswordLength", String.Format("{0}", pi.MinPasswordLength) },
|
||||
{ "PasswordHistoryLength", String.Format("{0}", pi.PasswordHistoryLength) },
|
||||
{ "PasswordProperties", String.Format("{0}", pi.PasswordProperties) },
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
|
0
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.CopyComplete
0
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.CopyComplete
9
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.FileListAbsolute.txt
9
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.FileListAbsolute.txt
@ -0,0 +1,9 @@
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\winPEAS.exe.config
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\winPEAS.exe
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\winPEAS.pdb
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\Microsoft.Win32.TaskScheduler.xml
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csprojAssemblyReference.cache
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csproj.Fody.CopyLocal.cache
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csproj.CopyComplete
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.exe
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.pdb
|
1
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.Fody.CopyLocal.cache
1
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.Fody.CopyLocal.cache
@ -0,0 +1 @@
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\packages\TaskScheduler.2.8.16\lib\net40\Microsoft.Win32.TaskScheduler.xml
|
BIN
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.exe
BIN
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.exe
BIN
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.pdb
BIN
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.pdb
@ -14,4 +14,3 @@ D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\o
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.csproj.CopyComplete
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.exe
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.pdb
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.csprojAssemblyReference.cache
|
||||
|