winpeasexe-domain

winPEAS/winPEASexe/winPEAS/MyUtils.cs

@@ -16,6 +16,31 @@ namespace winPEAS
 {
     class MyUtils
     {
+        public static bool IsDomainJoined()
+        {
+            // returns true if the system is likely a virtual machine
+            // Adapted from RobSiklos' code from https://stackoverflow.com/questions/498371/how-to-detect-if-my-application-is-running-in-a-virtual-machine/11145280#11145280
+            try
+            {
+                using (var searcher = new System.Management.ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
+                {
+                    using (var items = searcher.Get())
+                    {
+                        foreach (var item in items)
+                        {
+                            return (bool)item["PartOfDomain"];
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                System.Console.WriteLine(ex);
+            }
+            //By default tru, because this way wiill check domain and local, but never should get here the code
+            return true;
+        }
+
         public static Dictionary<string, string> RemoveEmptyKeys(Dictionary<string, string> dic_in)
         {
             Dictionary<string, string> results = new Dictionary<string, string>();

winPEAS/winPEASexe/winPEAS/Program.cs

@@ -20,7 +20,7 @@ namespace winPEAS
         // Static blacklists
         static string strTrue = "True";
         static string strFalse = "False";
-        static string badgroups = "docker|Remote";
+        static string badgroups = "docker|Remote|Admins";
         static string badpasswd = "NotChange|NotExpi";
         static string badPrivileges = "Enabled|ENABLED|SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege";
         static string goodSoft = "Windows Phone Kits|Windows Kits|Windows Defender|Windows Mail|Windows Media Player|Windows Multimedia Platform|windows nt|Windows Photo Viewer|Windows Portable Devices|Windows Security|Windows Sidebar|WindowsApps|WindowsPowerShell|Microsoft|WOW6432Node|internet explorer|Internet Explorer|Common Files";
@@ -47,10 +47,11 @@ namespace winPEAS
         static StyleSheet onlyKeyStyleSheet = new StyleSheet(color_key);
 
         // Create Dynamic blacklists
+        public static bool partofdomain = MyUtils.IsDomainJoined();
         static string currentUserName = Environment.UserName;
         static string currentDomainName = Environment.UserDomainName;
-        static List<string> currentUserGroups = UserInfo.GetUserGroups(currentUserName);
+        static List<string> currentUserGroups = UserInfo.GetUserGroups(currentUserName, currentDomainName);
-        public static List<string> interestingUsersGroups = new List<string> { "Everyone", "Users", "Todos" , currentUserName }; //Authenticated Users (Authenticated left behin to avoid repetitions)
+        public static List<string> interestingUsersGroups = new List<string> { "Everyone", "Users", "Todos", currentUserName }; //Authenticated Users (Authenticated left behin to avoid repetitions)
         static string paint_interestingUserGroups = String.Join("|", currentUserGroups);
         static string paint_activeUsers = String.Join("|", UserInfo.GetMachineUsers(true, false, false, false, false));
         static string paint_disabledUsers = String.Join("|", UserInfo.GetMachineUsers(false, true, false, false, false));
@@ -314,7 +315,8 @@ namespace winPEAS
 
             void PrintUACInfo()
             {
-                try {
+                try
+                {
                     Beaprint.MainPrint("UAC Status", "T1012");
                     Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
                     Dictionary<string, string> uacDict = SystemInfo.GetUACSystemPolicies();
@@ -483,7 +485,8 @@ namespace winPEAS
                     {
                         if (exec_cmd)
                             Beaprint.BadPrint("    " + MyUtils.ExecCMD("powershell -command Get-Clipboard"));
-                        else {
+                        else
+                        {
                             Beaprint.NotFoundPrint();
                             Beaprint.InfoPrint("    This C# implementation to capture the clipboard is not trustable in every Windows version");
                             Beaprint.InfoPrint("    If you want to see what is inside the clipboard execute 'powershell -command \"Get - Clipboard\"'");
@@ -523,12 +526,14 @@ namespace winPEAS
                     {
                         string format = "    {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}";
                         string header = String.Format(format, "SessID", "pSessionName", "pUserName", "pDomainName", "State", "SourceIP");
-                        if (using_ansi) {
+                        if (using_ansi)
+                        {
                             System.Console.WriteLine(header);
                             foreach (Dictionary<string, string> rdp_ses in rdp_sessions)
                                 Beaprint.AnsiPrint(String.Format(format, rdp_ses["SessionID"], rdp_ses["pSessionName"], rdp_ses["pUserName"], rdp_ses["pDomainName"], rdp_ses["State"], rdp_ses["SourceIP"]), colorsU());
                         }
-                        else {
+                        else
+                        {
                             Colorful.Console.WriteLineStyled(header, onlyKeyStyleSheet);
                             foreach (Dictionary<string, string> rdp_ses in rdp_sessions)
                                 Colorful.Console.WriteLineStyled(String.Format(format, rdp_ses["SessionID"], rdp_ses["pSessionName"], rdp_ses["pUserName"], rdp_ses["pDomainName"], rdp_ses["State"], rdp_ses["SourceIP"]), CreateUsersSS());
@@ -567,7 +572,8 @@ namespace winPEAS
                     Beaprint.MainPrint("Looking for AutoLogon credentials", "T1012");
                     bool ban = false;
                     Dictionary<string, string> autologon = UserInfo.GetAutoLogon();
-                    if (autologon.Count > 0) {
+                    if (autologon.Count > 0)
+                    {
                         foreach (KeyValuePair<string, string> entry in autologon)
                         {
                             if (!String.IsNullOrEmpty(entry.Value))
@@ -601,7 +607,7 @@ namespace winPEAS
                 {
                     Beaprint.MainPrint("Home folders found", "T1087&T1083&T1033");
                     List<string> user_folders = UserInfo.GetUsersFolders();
-                    foreach(string ufold in user_folders)
+                    foreach (string ufold in user_folders)
                     {
                         string perms = String.Join(", ", MyUtils.GetPermissionsFolder(ufold, interestingUsersGroups));
                         if (perms.Length > 0)
@@ -1308,7 +1314,8 @@ namespace winPEAS
                             formString += "\n    Folder Permissions: {9}";
                         formString += "\n    {10}";
 
-                        if (using_ansi) {
+                        if (using_ansi)
+                        {
                             Dictionary<string, string> colorsN = new Dictionary<string, string>()
                             {
                                 { strFalse, ansi_color_bad },

winPEAS/winPEASexe/winPEAS/SystemInfo.cs

@@ -96,6 +96,7 @@ namespace winPEAS
                 results.Add("IsVirtualMachine", isVM.ToString());
                 results.Add("Current Time", now.ToString());
                 results.Add("HighIntegrity", isHighIntegrity.ToString());
+                results.Add("PartOfDomain", Program.partofdomain.ToString());
                 results.Add("Hotfixes", hotfixes);
             }
             catch (Exception ex)

winPEAS/winPEASexe/winPEAS/UserInfo.cs

@@ -292,18 +292,20 @@ namespace winPEAS
                     else if (onlyLockout && (bool)user["Lockout"]) retList.Add((string)user["Name"]);
                     else if (onlyAdmins)
                     {
-                        if ((string.Join(",", GetUserGroups((string)user["Name"])).Contains("Admin"))) retList.Add((string)user["Name"]);
+                        string domain = (string)user["Domain"];
+                        if (string.Join(",", GetUserGroups((string)user["Name"], domain)).Contains("Admin")) retList.Add((string)user["Name"]);
                     }
                     else if (fullInfo)
                     {
+                        string domain = (string)user["Domain"];
                         string userLine = user["Caption"] + ((bool)user["Disabled"] ? "(Disabled)" : "") + ((bool)user["Lockout"] ? "(Lockout)" : "") + ((string)user["Fullname"] != "false" ? "" : "(" + user["Fullname"] + ")") + (((string)user["Description"]).Length > 1 ? ": " + user["Description"] : "");
-                        List<string> user_groups = GetUserGroups((string)user["Name"]);
+                        List<string> user_groups = GetUserGroups((string)user["Name"], domain);
                         string groupsLine = "";
                         if (user_groups.Count > 0)
                         {
                             groupsLine = "\n\t|->Groups: " + string.Join(",", user_groups);
                         }
-                        string passLine = "\n\t|->Password: " + ((bool)user["PasswordChangeable"] ? "CanChange" : "NotChange") + "-" + ((bool)user["PasswordExpires"] ? "Expi" : "NotExpi") + "-" + ((bool)user["PasswordRequired"] ? "Req" : "NotReq");
+                        string passLine = "\n\t|->Password: " + ((bool)user["PasswordChangeable"] ? "CanChange" : "NotChange") + "-" + ((bool)user["PasswordExpires"] ? "Expi" : "NotExpi") + "-" + ((bool)user["PasswordRequired"] ? "Req" : "NotReq") + "\n";
                         retList.Add(userLine + groupsLine + passLine);
                     }
                 }
@@ -316,12 +318,12 @@ namespace winPEAS
         }
 
         // https://stackoverflow.com/questions/3679579/check-for-groups-a-local-user-is-a-member-of/3681442#3681442
-        public static List<string> GetUserGroups(string sUserName)
+        public static List<string> GetUserGroups(string sUserName, string domain)
         {
             List<string> myItems = new List<string>();
             try
             {
-                UserPrincipal oUserPrincipal = GetUser(sUserName);
+                UserPrincipal oUserPrincipal = GetUser(sUserName, domain);
                 PrincipalSearchResult<Principal> oPrincipalSearchResult = oUserPrincipal.GetGroups();
                 foreach (Principal oResult in oPrincipalSearchResult)
                 {
@@ -335,9 +337,27 @@ namespace winPEAS
             return myItems;
         }
 
-        public static UserPrincipal GetUser(string sUserName)
+        public static UserPrincipal GetUser(string sUserName, string domain)
         {
+            UserPrincipal user = null;
             try
+            {
+                if (Program.partofdomain) //Check if partof domain
+                {
+                    user = GetUserDomain(sUserName, domain);
+                    if (user == null) //If part of domain but null, then user is local
+                        user = GetUserLocal(sUserName);
+                }
+                else //If not part of a domain, thn user is local
+                    user = GetUserLocal(sUserName);
+            }
+            catch
+            { //If error, then some error ocurred trying to find a user inside an unexistant domain, check if local user
+                user = GetUserLocal(sUserName);
+            }
+            return user;
+        }
+        public static UserPrincipal GetUserLocal(string sUserName)
         {
             // Extract local user information
             //https://stackoverflow.com/questions/14594545/query-local-administrator-group
@@ -348,15 +368,15 @@ namespace winPEAS
             user = searcher.FindOne() as UserPrincipal;
             return user;
         }
-            catch (Exception ex)
+        public static UserPrincipal GetUserDomain(string sUserName, string domain)
         {
             //if not local, try to extract domain user information
             //https://stackoverflow.com/questions/12710355/check-if-user-is-a-domain-user-or-local-user/12710452
-                var domainContext = new PrincipalContext(ContextType.Domain, Environment.UserDomainName);
+            //var domainContext = new PrincipalContext(ContextType.Domain, Environment.UserDomainName);
+            var domainContext = new PrincipalContext(ContextType.Domain, domain);
             UserPrincipal domainuser = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, sUserName);
             return domainuser;
         }
-        }
 
         public static PrincipalContext GetPrincipalContext()
         {

winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.FileListAbsolute.txt

@@ -0,0 +1,9 @@
+D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\winPEAS.exe.config
+D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\winPEAS.exe
+D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\winPEAS.pdb
+D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\Microsoft.Win32.TaskScheduler.xml
+D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csprojAssemblyReference.cache
+D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csproj.Fody.CopyLocal.cache
+D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csproj.CopyComplete
+D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.exe
+D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.pdb

winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.Fody.CopyLocal.cache

@@ -0,0 +1 @@
+D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\packages\TaskScheduler.2.8.16\lib\net40\Microsoft.Win32.TaskScheduler.xml

winPEAS/winPEASexe/winPEAS/obj/x86/Release/winPEAS.csproj.FileListAbsolute.txt

@@ -14,4 +14,3 @@ D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\o
 D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.csproj.CopyComplete
 D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.exe
 D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.pdb
-D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.csprojAssemblyReference.cache