winpeasexe-domain
This commit is contained in:
parent
64b9062daa
commit
1f5e5a6508
@ -16,6 +16,31 @@ namespace winPEAS
|
||||
{
|
||||
class MyUtils
|
||||
{
|
||||
public static bool IsDomainJoined()
|
||||
{
|
||||
// returns true if the system is likely a virtual machine
|
||||
// Adapted from RobSiklos' code from https://stackoverflow.com/questions/498371/how-to-detect-if-my-application-is-running-in-a-virtual-machine/11145280#11145280
|
||||
try
|
||||
{
|
||||
using (var searcher = new System.Management.ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
|
||||
{
|
||||
using (var items = searcher.Get())
|
||||
{
|
||||
foreach (var item in items)
|
||||
{
|
||||
return (bool)item["PartOfDomain"];
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
System.Console.WriteLine(ex);
|
||||
}
|
||||
//By default tru, because this way wiill check domain and local, but never should get here the code
|
||||
return true;
|
||||
}
|
||||
|
||||
public static Dictionary<string, string> RemoveEmptyKeys(Dictionary<string, string> dic_in)
|
||||
{
|
||||
Dictionary<string, string> results = new Dictionary<string, string>();
|
||||
|
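Review bot: The two header comments on the new IsDomainJoined() (the lines just above the try) still describe a virtual-machine check; they were evidently carried over from the IsVirtualMachine helper and now misdocument a method whose body reads Win32_ComputerSystem.PartOfDomain. Replace them with `// Returns Win32_ComputerSystem.PartOfDomain; on any WMI failure it deliberately returns true so callers (UserInfo.GetUser) try the domain lookup first and fall back to local.` The trailing comment `//By default tru, because this way wiill check domain and local, but never should get here the code` has typos and would read better as `// Default to true on error: callers then try the domain lookup and fall back to local.` Because the failure path yields True, anything that prints this value (the new "PartOfDomain" row in SystemInfo in this same commit) shows True even when WMI was unavailable, which is worth a word in the comment so the output is not read as a confirmed domain membership.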
@ -20,7 +20,7 @@ namespace winPEAS
|
||||
// Static blacklists
|
||||
static string strTrue = "True";
|
||||
static string strFalse = "False";
|
||||
static string badgroups = "docker|Remote";
|
||||
static string badgroups = "docker|Remote|Admins";
|
||||
static string badpasswd = "NotChange|NotExpi";
|
||||
static string badPrivileges = "Enabled|ENABLED|SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege";
|
||||
static string goodSoft = "Windows Phone Kits|Windows Kits|Windows Defender|Windows Mail|Windows Media Player|Windows Multimedia Platform|windows nt|Windows Photo Viewer|Windows Portable Devices|Windows Security|Windows Sidebar|WindowsApps|WindowsPowerShell|Microsoft|WOW6432Node|internet explorer|Internet Explorer|Common Files";
|
||||
@ -47,9 +47,10 @@ namespace winPEAS
|
||||
static StyleSheet onlyKeyStyleSheet = new StyleSheet(color_key);
|
||||
|
||||
// Create Dynamic blacklists
|
||||
public static bool partofdomain = MyUtils.IsDomainJoined();
|
||||
static string currentUserName = Environment.UserName;
|
||||
static string currentDomainName = Environment.UserDomainName;
|
||||
static List<string> currentUserGroups = UserInfo.GetUserGroups(currentUserName);
|
||||
static List<string> currentUserGroups = UserInfo.GetUserGroups(currentUserName, currentDomainName);
|
||||
public static List<string> interestingUsersGroups = new List<string> { "Everyone", "Users", "Todos", currentUserName }; //Authenticated Users (Authenticated left behin to avoid repetitions)
|
||||
static string paint_interestingUserGroups = String.Join("|", currentUserGroups);
|
||||
static string paint_activeUsers = String.Join("|", UserInfo.GetMachineUsers(true, false, false, false, false));
|
||||
@ -314,7 +315,8 @@ namespace winPEAS
|
||||
|
||||
void PrintUACInfo()
|
||||
{
|
||||
try {
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("UAC Status", "T1012");
|
||||
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access", "If you are in the Administrators group check how to bypass the UAC");
|
||||
Dictionary<string, string> uacDict = SystemInfo.GetUACSystemPolicies();
|
||||
@ -483,7 +485,8 @@ namespace winPEAS
|
||||
{
|
||||
if (exec_cmd)
|
||||
Beaprint.BadPrint(" " + MyUtils.ExecCMD("powershell -command Get-Clipboard"));
|
||||
else {
|
||||
else
|
||||
{
|
||||
Beaprint.NotFoundPrint();
|
||||
Beaprint.InfoPrint(" This C# implementation to capture the clipboard is not trustable in every Windows version");
|
||||
Beaprint.InfoPrint(" If you want to see what is inside the clipboard execute 'powershell -command \"Get - Clipboard\"'");
|
||||
@ -523,12 +526,14 @@ namespace winPEAS
|
||||
{
|
||||
string format = " {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}";
|
||||
string header = String.Format(format, "SessID", "pSessionName", "pUserName", "pDomainName", "State", "SourceIP");
|
||||
if (using_ansi) {
|
||||
if (using_ansi)
|
||||
{
|
||||
System.Console.WriteLine(header);
|
||||
foreach (Dictionary<string, string> rdp_ses in rdp_sessions)
|
||||
Beaprint.AnsiPrint(String.Format(format, rdp_ses["SessionID"], rdp_ses["pSessionName"], rdp_ses["pUserName"], rdp_ses["pDomainName"], rdp_ses["State"], rdp_ses["SourceIP"]), colorsU());
|
||||
}
|
||||
else {
|
||||
else
|
||||
{
|
||||
Colorful.Console.WriteLineStyled(header, onlyKeyStyleSheet);
|
||||
foreach (Dictionary<string, string> rdp_ses in rdp_sessions)
|
||||
Colorful.Console.WriteLineStyled(String.Format(format, rdp_ses["SessionID"], rdp_ses["pSessionName"], rdp_ses["pUserName"], rdp_ses["pDomainName"], rdp_ses["State"], rdp_ses["SourceIP"]), CreateUsersSS());
|
||||
@ -567,7 +572,8 @@ namespace winPEAS
|
||||
Beaprint.MainPrint("Looking for AutoLogon credentials", "T1012");
|
||||
bool ban = false;
|
||||
Dictionary<string, string> autologon = UserInfo.GetAutoLogon();
|
||||
if (autologon.Count > 0) {
|
||||
if (autologon.Count > 0)
|
||||
{
|
||||
foreach (KeyValuePair<string, string> entry in autologon)
|
||||
{
|
||||
if (!String.IsNullOrEmpty(entry.Value))
|
||||
@ -1308,7 +1314,8 @@ namespace winPEAS
|
||||
formString += "\n Folder Permissions: {9}";
|
||||
formString += "\n {10}";
|
||||
|
||||
if (using_ansi) {
|
||||
if (using_ansi)
|
||||
{
|
||||
Dictionary<string, string> colorsN = new Dictionary<string, string>()
|
||||
{
|
||||
{ strFalse, ansi_color_bad },
|
||||
|
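Review bot: In the hunk at `@ -47,9 +47,10`, the new `public static bool partofdomain = MyUtils.IsDomainJoined();` is a mutable public field, and the static initializer for `currentUserGroups` a few lines below depends on it indirectly (UserInfo.GetUserGroups calls GetUser, which reads Program.partofdomain in the UserInfo hunk at `@ -335,9`). C# runs static field initializers in textual order, so this only works while partofdomain stays declared above currentUserGroups, and nothing in the file says so. Suggest `public static readonly bool partofdomain = MyUtils.IsDomainJoined(); // keep above currentUserGroups: UserInfo.GetUser reads this during static init` so the value cannot be reassigned later and the ordering constraint is visible to the next person who reorders these fields. The other hunks in this file are brace placement and the `badgroups` pattern extension, on which I have nothing to raise.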
@ -96,6 +96,7 @@ namespace winPEAS
|
||||
results.Add("IsVirtualMachine", isVM.ToString());
|
||||
results.Add("Current Time", now.ToString());
|
||||
results.Add("HighIntegrity", isHighIntegrity.ToString());
|
||||
results.Add("PartOfDomain", Program.partofdomain.ToString());
|
||||
results.Add("Hotfixes", hotfixes);
|
||||
}
|
||||
catch (Exception ex)
|
||||
|
@ -292,18 +292,20 @@ namespace winPEAS
|
||||
else if (onlyLockout && (bool)user["Lockout"]) retList.Add((string)user["Name"]);
|
||||
else if (onlyAdmins)
|
||||
{
|
||||
if ((string.Join(",", GetUserGroups((string)user["Name"])).Contains("Admin"))) retList.Add((string)user["Name"]);
|
||||
string domain = (string)user["Domain"];
|
||||
if (string.Join(",", GetUserGroups((string)user["Name"], domain)).Contains("Admin")) retList.Add((string)user["Name"]);
|
||||
}
|
||||
else if (fullInfo)
|
||||
{
|
||||
string domain = (string)user["Domain"];
|
||||
string userLine = user["Caption"] + ((bool)user["Disabled"] ? "(Disabled)" : "") + ((bool)user["Lockout"] ? "(Lockout)" : "") + ((string)user["Fullname"] != "false" ? "" : "(" + user["Fullname"] + ")") + (((string)user["Description"]).Length > 1 ? ": " + user["Description"] : "");
|
||||
List<string> user_groups = GetUserGroups((string)user["Name"]);
|
||||
List<string> user_groups = GetUserGroups((string)user["Name"], domain);
|
||||
string groupsLine = "";
|
||||
if (user_groups.Count > 0)
|
||||
{
|
||||
groupsLine = "\n\t|->Groups: " + string.Join(",", user_groups);
|
||||
}
|
||||
string passLine = "\n\t|->Password: " + ((bool)user["PasswordChangeable"] ? "CanChange" : "NotChange") + "-" + ((bool)user["PasswordExpires"] ? "Expi" : "NotExpi") + "-" + ((bool)user["PasswordRequired"] ? "Req" : "NotReq");
|
||||
string passLine = "\n\t|->Password: " + ((bool)user["PasswordChangeable"] ? "CanChange" : "NotChange") + "-" + ((bool)user["PasswordExpires"] ? "Expi" : "NotExpi") + "-" + ((bool)user["PasswordRequired"] ? "Req" : "NotReq") + "\n";
|
||||
retList.Add(userLine + groupsLine + passLine);
|
||||
}
|
||||
}
|
||||
@ -316,12 +318,12 @@ namespace winPEAS
|
||||
}
|
||||
|
||||
// https://stackoverflow.com/questions/3679579/check-for-groups-a-local-user-is-a-member-of/3681442#3681442
|
||||
public static List<string> GetUserGroups(string sUserName)
|
||||
public static List<string> GetUserGroups(string sUserName, string domain)
|
||||
{
|
||||
List<string> myItems = new List<string>();
|
||||
try
|
||||
{
|
||||
UserPrincipal oUserPrincipal = GetUser(sUserName);
|
||||
UserPrincipal oUserPrincipal = GetUser(sUserName, domain);
|
||||
PrincipalSearchResult<Principal> oPrincipalSearchResult = oUserPrincipal.GetGroups();
|
||||
foreach (Principal oResult in oPrincipalSearchResult)
|
||||
{
|
||||
@ -335,9 +337,27 @@ namespace winPEAS
|
||||
return myItems;
|
||||
}
|
||||
|
||||
public static UserPrincipal GetUser(string sUserName)
|
||||
public static UserPrincipal GetUser(string sUserName, string domain)
|
||||
{
|
||||
UserPrincipal user = null;
|
||||
try
|
||||
{
|
||||
if (Program.partofdomain) //Check if partof domain
|
||||
{
|
||||
user = GetUserDomain(sUserName, domain);
|
||||
if (user == null) //If part of domain but null, then user is local
|
||||
user = GetUserLocal(sUserName);
|
||||
}
|
||||
else //If not part of a domain, thn user is local
|
||||
user = GetUserLocal(sUserName);
|
||||
}
|
||||
catch
|
||||
{ //If error, then some error ocurred trying to find a user inside an unexistant domain, check if local user
|
||||
user = GetUserLocal(sUserName);
|
||||
}
|
||||
return user;
|
||||
}
|
||||
public static UserPrincipal GetUserLocal(string sUserName)
|
||||
{
|
||||
// Extract local user information
|
||||
//https://stackoverflow.com/questions/14594545/query-local-administrator-group
|
||||
@ -348,15 +368,15 @@ namespace winPEAS
|
||||
user = searcher.FindOne() as UserPrincipal;
|
||||
return user;
|
||||
}
|
||||
catch (Exception ex)
|
||||
public static UserPrincipal GetUserDomain(string sUserName, string domain)
|
||||
{
|
||||
//if not local, try to extract domain user information
|
||||
//https://stackoverflow.com/questions/12710355/check-if-user-is-a-domain-user-or-local-user/12710452
|
||||
var domainContext = new PrincipalContext(ContextType.Domain, Environment.UserDomainName);
|
||||
//var domainContext = new PrincipalContext(ContextType.Domain, Environment.UserDomainName);
|
||||
var domainContext = new PrincipalContext(ContextType.Domain, domain);
|
||||
UserPrincipal domainuser = UserPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, sUserName);
|
||||
return domainuser;
|
||||
}
|
||||
}
|
||||
|
||||
public static PrincipalContext GetPrincipalContext()
|
||||
{
|
||||
|
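Review bot: In `GetUser` (hunk `@ -335,9 +337,27`) a domain-joined host routes every account, local ones included, through `GetUserDomain(sUserName, domain)` first, and `domain` is whatever `user["Domain"]` held in the `@ -292,18` hunk — presumably the computer name for local accounts (inferred; the query that fills `user` is outside these hunks), in which case `new PrincipalContext(ContextType.Domain, domain)` is expected to fail or time out before the bare `catch` falls back to `GetUserLocal`. That makes listing local users on a domain member pay a failed directory lookup per account and hides why it failed. Suggest guarding with `if (Program.partofdomain && !string.Equals(domain, Environment.MachineName, StringComparison.OrdinalIgnoreCase))` and changing the bare `catch` to `catch (Exception ex)` that prints `ex.GetType().Name`, so the fallback is visible in the output. Separately, the `PrincipalContext` built in `GetUserDomain` is never disposed; because the returned `UserPrincipal` is later used for `GetGroups()`, a comment such as `// context intentionally not disposed: the returned principal still needs it` would stop the next reader from wrapping it in a `using`. The comment typos in `GetUser` (`thn`, `ocurred`, `unexistant`) could be fixed at the same time.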
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
0
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.CopyComplete
Executable file
0
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.CopyComplete
Executable file
9
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.FileListAbsolute.txt
Executable file
9
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.FileListAbsolute.txt
Executable file
@ -0,0 +1,9 @@
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\winPEAS.exe.config
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\winPEAS.exe
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\winPEAS.pdb
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\bin\Debug\Microsoft.Win32.TaskScheduler.xml
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csprojAssemblyReference.cache
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csproj.Fody.CopyLocal.cache
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.csproj.CopyComplete
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.exe
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\Debug\winPEAS.pdb
|
1
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.Fody.CopyLocal.cache
Executable file
1
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csproj.Fody.CopyLocal.cache
Executable file
@ -0,0 +1 @@
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\packages\TaskScheduler.2.8.16\lib\net40\Microsoft.Win32.TaskScheduler.xml
|
Binary file not shown.
BIN
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.exe
Executable file
BIN
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.exe
Executable file
Binary file not shown.
BIN
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.pdb
Executable file
BIN
winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.pdb
Executable file
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -14,4 +14,3 @@ D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\o
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.csproj.CopyComplete
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.exe
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.pdb
|
||||
D:\shared\privilege-escalation-awesome-script-suite\winPEAS\winPEASexe\winPEAS\obj\x86\Release\winPEAS.csprojAssemblyReference.cache
|
||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.