diff --git a/linPEAS/linpeas.sh b/linPEAS/linpeas.sh
index b8ca240..f43d4b1 100755
--- a/linPEAS/linpeas.sh
+++ b/linPEAS/linpeas.sh
@@ -186,7 +186,7 @@ sidB="/apache2$%Read_root_passwd__apache2_-f_/etc/shadow\(CVE-2019-0211\)\
 sidVB='/aria2c$|/arp$|/ash$|/awk$|/base64$|/bash$|/busybox$|/cat$|/chmod$|/chown$|/cp$|/csh$|/curl$|/cut$|/dash$|/date$|/dd$|/diff$|/dmsetup$|/docker$|/ed$|/emacs$|/env$|/expand$|/expect$|/file$|/find$|/flock$|/fmt$|/fold$|/gdb$|/gimp$|/git$|/grep$|/head$|/ionice$|/ip$|/jjs$|/jq$|/jrunscript$|/ksh$|/ld.so$|/less$|/logsave$|/lua$|/make$|/more$|/mv$|/mysql$|/nano$|/nc$|/nice$|/nl$|/nmap$|/node$|/od$|/openssl$|/perl$|/pg$|/php$|/pic$|/pico$|/python$|/readelf$|/rlwrap$|/rpm$|/rpmquery$|/rsync$|/rvim$|/screen-4.5.0|/scp$|/sed$|/setarch$|/shuf$|/socat$|/sort$|/sqlite3$|/stdbuf$|/strace$|/systemctl$|/tail$|/tar$|/taskset$|/tclsh$|/tee$|/telnet$|/tftp$|/time$|/timeout$|/ul$|/unexpand$|/uniq$|/unshare$|/vim$|/watch$|/wget$|/xargs$|/xxd$|/zip$|/zsh$'
 sudoVB=" \*|env_keep\+=LD_PRELOAD|apt-get$|apt$|aria2c$|arp$|ash$|awk$|base64$|bash$|busybox$|cat$|chmod$|chown$|cp$|cpan$|cpulimit$|crontab$|csh$|curl$|cut$|dash$|date$|dd$|diff$|dmesg$|dmsetup$|dnf$|docker$|dpkg$|easy_install$|ed$|emacs$|env$|expand$|expect$|facter$|file$|find$|flock$|fmt$|fold$|ftp$|gdb$|gimp$|git$|grep$|head$|ionice$|ip$|irb$|jjs$|journalctl$|jq$|jrunscript$|ksh$|ld.so$|less$|logsave$|ltrace$|lua$|mail$|make$|man$|more$|mount$|mtr$|mv$|mysql$|nano$|nc$|nice$|nl$|nmap$|node$|od$|openssl$|perl$|pg$|php$|pic$|pico$|pip$|puppet$|python$|readelf$|red$|rlwrap$|rpm$|rpmquery$|rsync$|ruby$|run-mailcap$|run-parts$|rvim$|scp$|screen$|script$|sed$|service$|setarch$|sftp$|smbclient$|socat$|sort$|sqlite3$|ssh$|start-stop-daemon$|stdbuf$|strace$|systemctl$|tail$|tar$|taskset$|tclsh$|tcpdump$|tee$|telnet$|tftp$|time$|timeout$|tmux$|ul$|unexpand$|uniq$|unshare$|vi$|vim$|watch$|wget$|wish$|xargs$|xxd$|yum$|zip$|zsh$|zypper$"
-sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|NOPASSWD|/apache2|/cryptsetup|/mount"
+sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount"
 sudoG="NOEXEC"
sudocapsB="/apt-get|/apt|/aria2c|/arp|/ash|/awk|/base64|/bash|/busybox|/cat|/chmod|/chown|/cp|/cpan|/cpulimit|/crontab|/csh|/curl|/cut|/dash|/date|/dd|/diff|/dmesg|/dmsetup|/dnf|/docker|/dpkg|/easy_install|/ed|/emacs|/env|/expand|/expect|/facter|/file|/find|/flock|/fmt|/fold|/ftp|/gdb|/gimp|/git|/grep|/head|/ionice|/ip|/irb|/jjs|/journalctl|/jq|/jrunscript|/ksh|/ld.so|/less|/logsave|/ltrace|/lua|/mail|/make|/man|/more|/mount|/mtr|/mv|/mysql|/nano|/nc|/nice|/nl|/nmap|/node|/od|/openssl|/perl|/pg|/php|/pic|/pico|/pip|/puppet|/python|/readelf|/red|/rlwrap|/rpm|/rpmquery|/rsync|/ruby|/run-mailcap|/run-parts|/rvim|/scp|/screen|/script|/sed|/service|/setarch|/sftp|/smbclient|/socat|/sort|/sqlite3|/ssh|/start-stop-daemon|/stdbuf|/strace|/systemctl|/tail|/tar|/taskset|/tclsh|/tcpdump|/tee|/telnet|/tftp|/time|/timeout|/tmux|/ul|/unexpand|/uniq|/unshare|/vi|/vim|/watch|/wget|/wish|/xargs|/xxd|/yum|/zip|/zsh|/zypper"
diff --git a/winPEAS/winPEASexe/winPEAS/Program.cs b/winPEAS/winPEASexe/winPEAS/Program.cs
index 4ce87b8..fce782a 100755
--- a/winPEAS/winPEASexe/winPEAS/Program.cs
+++ b/winPEAS/winPEASexe/winPEAS/Program.cs
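Review bot: The new `SETENV` alternative in `sudoB` is an unanchored substring, so if this list is fed to the same ERE matcher as the neighbouring `sudoVB` (its `env_keep\+=` form suggests `-E` style regexes) it will also highlight the `NOSETENV:` tag, which has the opposite meaning and is not a weakness. Restricting it to the standalone tag avoids that false positive, e.g. `(^|[^O])SETENV`, or `\bSETENV` where GNU regex is guaranteed. How `sudoB` is actually applied is not visible in this hunk, so confirm the matcher before choosing the form.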
@@ -21,7 +21,7 @@ namespace winPEAS
 // Static blacklists
 static string strTrue = "True";
 static string strFalse = "False";
- static string badgroups = "docker|Remote |DNSAdmins|AD Recycle Bin|Azure Admins|Admins";//The space in Remote is important to not mix with SeShutdownRemotePrivilege
+ static string badgroups = "docker|Remote |DNSAdmins|AD Recycle Bin|Azure Admins|Admins|Server Operators";//The space in Remote is important to not mix with SeShutdownRemotePrivilege
 static string badpasswd = "NotChange|NotExpi";
 static string badPrivileges = "SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege";
 //static string goodSoft = "Windows Phone Kits|Windows Kits|Windows Defender|Windows Mail|Windows Media Player|Windows Multimedia Platform|windows nt|Windows Photo Viewer|Windows Portable Devices|Windows Security|Windows Sidebar|WindowsApps|WindowsPowerShell| Windows$|Microsoft|WOW6432Node|internet explorer|Internet Explorer|Common Files";
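Review bot: `Server Operators` is the English display name of the builtin group, so the new `badgroups` entry only fires on English installations; the name is localized on other system languages and the check silently misses it there. Where the membership check has the group SID available, matching the well-known BUILTIN SID `S-1-5-32-549` would work across locales; how `badgroups` is applied is outside this hunk, so treat that as a suggestion to confirm. At minimum the field deserves a comment next to the existing one, e.g. `// English display names only; localized builtin group names will not match`.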
@@ -1649,21 +1649,25 @@ namespace winPEAS
 {
 try
 {
- Beaprint.MainPrint("Looking saved Wifis");
+ Beaprint.MainPrint("Looking for saved Wifi credentials");
 if (exec_cmd)
 {
- Dictionary colorsC = new Dictionary()
+ Dictionary networkConnections = Wifi.Retrieve();
+ Dictionary ansi_colors_regexp = new Dictionary();
+
+ //Make sure the passwords are all flagged as ansi_color_bad.
+ foreach (var connection in networkConnections)
 {
- { ": .*", Beaprint.ansi_color_bad },
- };
- Beaprint.AnsiPrint(" " + MyUtils.ExecCMD("wlan show profile", "netsh.exe"), colorsC);
+ ansi_colors_regexp.Add(connection.Value, Beaprint.ansi_color_bad);
+ }
+ Beaprint.DictPrint(networkConnections, ansi_colors_regexp, false);
 }
 else
 {
 Beaprint.GrayPrint(" This function is not yet implemented.");
 Beaprint.InfoPrint("If you want to list saved Wifis connections you can list the using 'netsh wlan show profile'");
+ Beaprint.InfoPrint("If you want to get the clear-text password use 'netsh wlan show profile key=clear'");
 }
- Beaprint.InfoPrint("If you want to get the clear-text password use 'netsh wlan show profile key=clear'");
 }
 catch (Exception ex)
 {
@@ -2434,7 +2438,6 @@ namespace winPEAS
 /*
- * Wifi (passwords?)
 * Keylogger?
 * Input prompt ==> Better in PS
 * Cretae list of malicious drives that could allow to privesc?
diff --git a/winPEAS/winPEASexe/winPEAS/Wifi.cs b/winPEAS/winPEASexe/winPEAS/Wifi.cs
new file mode 100644
index 0000000..15c232f
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Wifi.cs
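Review bot: `ansi_colors_regexp.Add(connection.Value, Beaprint.ansi_color_bad)` in the `if (exec_cmd)` branch uses the password as the dictionary key, so two profiles that share a password — including several open networks, for which `Wifi.Retrieve()` yields an empty string — throw `ArgumentException` on the second `Add` and the outer `catch (Exception ex)` aborts the whole listing. The replaced `{ ": .*", Beaprint.ansi_color_bad }` entry and the name `ansi_colors_regexp` indicate the keys are regex patterns, so a password containing `(`, `[` or `*` would also fail or mis-highlight, and an empty pattern is a poor key. Suggest `if (!string.IsNullOrEmpty(connection.Value)) { ansi_colors_regexp[Regex.Escape(connection.Value)] = Beaprint.ansi_color_bad; }`, which needs `System.Text.RegularExpressions` in scope in Program.cs (not visible here). The enclosing method starts before and ends after this hunk.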
@@ -0,0 +1,55 @@
+using System.Collections.Generic;
+using System.Text.RegularExpressions;
+namespace winPEAS
+{
+ class Wifi
+ {
+ public static Dictionary Retrieve()
+ {
+ Dictionary connections = new Dictionary();
+ foreach (string ssid in GetSSIDs())
+ {
+ string password = GetPassword(ssid);
+ connections.Add(ssid, password);
+ }
+
+ return connections;
+ }
+
+ private static IEnumerable GetSSIDs()
+ {
+ string args = "wlan show profiles";
+ string result = MyUtils.ExecCMD(args, "netsh");
+ Regex regex = new Regex(@"\s+:\s+([^\r\n]+)", RegexOptions.Multiline);
+ MatchCollection matches = regex.Matches(result);
+ List ssids = new List();
+
+ for (int i = 0; i < matches.Count; i++)
+ {
+ if (matches[i].Groups.Count > 0 && !string.IsNullOrWhiteSpace(matches[i].Groups[1].Value))
+ {
+ ssids.Add(matches[i].Groups[1].Value);
+ }
+ }
+
+ return ssids;
+ }
+
+ private static string GetPassword(string ssid)
+ {
+ string args = $@" wlan show profile name=""{ssid}"" key=""clear""";
+ string result = MyUtils.ExecCMD(args, "netsh");
+ Regex regex = new Regex(@"Key Content\s+:\s+([^\r\n]+)", RegexOptions.Multiline);
+ MatchCollection matches = regex.Matches(result);
+ string password = string.Empty;
+
+ if (matches.Count > 0 && matches[0].Groups.Count > 1)
+ {
+ password = matches[0].Groups[1].Value;
+ }
+
+ return password;
+ }
+
+ }
+}
diff --git a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
index 4c7371b..3aa6459 100755
--- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
+++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
@@ -155,6 +155,7 @@
+
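Review bot: `GetPassword` builds the netsh command line by interpolating `ssid` into a quoted argument (`name=""{ssid}""`), and that value comes straight from the `netsh wlan show profiles` output, i.e. from whatever network names the machine has saved; a profile name containing a double quote breaks out of the quoting, and whether that reaches a shell depends on how `MyUtils.ExecCMD` (not in this diff) launches the process. Reject such names before formatting, `if (ssid.IndexOf('"') >= 0) { return string.Empty; }`, or quote the argument according to the launch mechanism. In `Retrieve`, `connections.Add(ssid, password)` throws `ArgumentException` when the same profile name is listed on two interfaces and aborts the whole collection, whereas `connections[ssid] = password;` keeps going. In `GetSSIDs` the guard `matches[i].Groups.Count > 0` is always true (group 0 always exists) and should be `> 1` to match `GetPassword`; both regexes also key on English netsh labels such as `Key Content`, so on localized systems the result is silently empty, which deserves a class comment like `// Parses English netsh output only; localized labels yield no SSIDs or passwords.`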