linpeasv2.8.4
This commit is contained in:
carlospolop
commit
1f69e6399e
@ -186,7 +186,7 @@ sidB="/apache2$%Read_root_passwd__apache2_-f_/etc/shadow\(CVE-2019-0211\)\
|
||||
sidVB='/aria2c$|/arp$|/ash$|/awk$|/base64$|/bash$|/busybox$|/cat$|/chmod$|/chown$|/cp$|/csh$|/curl$|/cut$|/dash$|/date$|/dd$|/diff$|/dmsetup$|/docker$|/ed$|/emacs$|/env$|/expand$|/expect$|/file$|/find$|/flock$|/fmt$|/fold$|/gdb$|/gimp$|/git$|/grep$|/head$|/ionice$|/ip$|/jjs$|/jq$|/jrunscript$|/ksh$|/ld.so$|/less$|/logsave$|/lua$|/make$|/more$|/mv$|/mysql$|/nano$|/nc$|/nice$|/nl$|/nmap$|/node$|/od$|/openssl$|/perl$|/pg$|/php$|/pic$|/pico$|/python$|/readelf$|/rlwrap$|/rpm$|/rpmquery$|/rsync$|/rvim$|/screen-4.5.0|/scp$|/sed$|/setarch$|/shuf$|/socat$|/sort$|/sqlite3$|/stdbuf$|/strace$|/systemctl$|/tail$|/tar$|/taskset$|/tclsh$|/tee$|/telnet$|/tftp$|/time$|/timeout$|/ul$|/unexpand$|/uniq$|/unshare$|/vim$|/watch$|/wget$|/xargs$|/xxd$|/zip$|/zsh$'
|
||||
|
||||
sudoVB=" \*|env_keep\+=LD_PRELOAD|apt-get$|apt$|aria2c$|arp$|ash$|awk$|base64$|bash$|busybox$|cat$|chmod$|chown$|cp$|cpan$|cpulimit$|crontab$|csh$|curl$|cut$|dash$|date$|dd$|diff$|dmesg$|dmsetup$|dnf$|docker$|dpkg$|easy_install$|ed$|emacs$|env$|expand$|expect$|facter$|file$|find$|flock$|fmt$|fold$|ftp$|gdb$|gimp$|git$|grep$|head$|ionice$|ip$|irb$|jjs$|journalctl$|jq$|jrunscript$|ksh$|ld.so$|less$|logsave$|ltrace$|lua$|mail$|make$|man$|more$|mount$|mtr$|mv$|mysql$|nano$|nc$|nice$|nl$|nmap$|node$|od$|openssl$|perl$|pg$|php$|pic$|pico$|pip$|puppet$|python$|readelf$|red$|rlwrap$|rpm$|rpmquery$|rsync$|ruby$|run-mailcap$|run-parts$|rvim$|scp$|screen$|script$|sed$|service$|setarch$|sftp$|smbclient$|socat$|sort$|sqlite3$|ssh$|start-stop-daemon$|stdbuf$|strace$|systemctl$|tail$|tar$|taskset$|tclsh$|tcpdump$|tee$|telnet$|tftp$|time$|timeout$|tmux$|ul$|unexpand$|uniq$|unshare$|vi$|vim$|watch$|wget$|wish$|xargs$|xxd$|yum$|zip$|zsh$|zypper$"
|
||||
sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|NOPASSWD|/apache2|/cryptsetup|/mount"
|
||||
sudoB="$(whoami)|ALL:ALL|ALL : ALL|ALL|NOPASSWD|SETENV|/apache2|/cryptsetup|/mount"
|
||||
sudoG="NOEXEC"
|
||||
|
||||
sudocapsB="/apt-get|/apt|/aria2c|/arp|/ash|/awk|/base64|/bash|/busybox|/cat|/chmod|/chown|/cp|/cpan|/cpulimit|/crontab|/csh|/curl|/cut|/dash|/date|/dd|/diff|/dmesg|/dmsetup|/dnf|/docker|/dpkg|/easy_install|/ed|/emacs|/env|/expand|/expect|/facter|/file|/find|/flock|/fmt|/fold|/ftp|/gdb|/gimp|/git|/grep|/head|/ionice|/ip|/irb|/jjs|/journalctl|/jq|/jrunscript|/ksh|/ld.so|/less|/logsave|/ltrace|/lua|/mail|/make|/man|/more|/mount|/mtr|/mv|/mysql|/nano|/nc|/nice|/nl|/nmap|/node|/od|/openssl|/perl|/pg|/php|/pic|/pico|/pip|/puppet|/python|/readelf|/red|/rlwrap|/rpm|/rpmquery|/rsync|/ruby|/run-mailcap|/run-parts|/rvim|/scp|/screen|/script|/sed|/service|/setarch|/sftp|/smbclient|/socat|/sort|/sqlite3|/ssh|/start-stop-daemon|/stdbuf|/strace|/systemctl|/tail|/tar|/taskset|/tclsh|/tcpdump|/tee|/telnet|/tftp|/time|/timeout|/tmux|/ul|/unexpand|/uniq|/unshare|/vi|/vim|/watch|/wget|/wish|/xargs|/xxd|/yum|/zip|/zsh|/zypper"
|
||||
|
||||
@ -21,7 +21,7 @@ namespace winPEAS
|
||||
// Static blacklists
|
||||
static string strTrue = "True";
|
||||
static string strFalse = "False";
|
||||
static string badgroups = "docker|Remote |DNSAdmins|AD Recycle Bin|Azure Admins|Admins";//The space in Remote is important to not mix with SeShutdownRemotePrivilege
|
||||
static string badgroups = "docker|Remote |DNSAdmins|AD Recycle Bin|Azure Admins|Admins|Server Operators";//The space in Remote is important to not mix with SeShutdownRemotePrivilege
|
||||
static string badpasswd = "NotChange|NotExpi";
|
||||
static string badPrivileges = "SeImpersonatePrivilege|SeAssignPrimaryPrivilege|SeTcbPrivilege|SeBackupPrivilege|SeRestorePrivilege|SeCreateTokenPrivilege|SeLoadDriverPrivilege|SeTakeOwnershipPrivilege|SeDebugPrivilege";
|
||||
//static string goodSoft = "Windows Phone Kits|Windows Kits|Windows Defender|Windows Mail|Windows Media Player|Windows Multimedia Platform|windows nt|Windows Photo Viewer|Windows Portable Devices|Windows Security|Windows Sidebar|WindowsApps|WindowsPowerShell| Windows$|Microsoft|WOW6432Node|internet explorer|Internet Explorer|Common Files";
|
||||
@ -1649,22 +1649,26 @@ namespace winPEAS
|
||||
{
|
||||
try
|
||||
{
|
||||
Beaprint.MainPrint("Looking saved Wifis");
|
||||
Beaprint.MainPrint("Looking for saved Wifi credentials");
|
||||
if (exec_cmd)
|
||||
{
|
||||
Dictionary<string, string> colorsC = new Dictionary<string, string>()
|
||||
Dictionary<string, string> networkConnections = Wifi.Retrieve();
|
||||
Dictionary<string, string> ansi_colors_regexp = new Dictionary<string, string>();
|
||||
|
||||
//Make sure the passwords are all flagged as ansi_color_bad.
|
||||
foreach (var connection in networkConnections)
|
||||
{
|
||||
{ ": .*", Beaprint.ansi_color_bad },
|
||||
};
|
||||
Beaprint.AnsiPrint(" " + MyUtils.ExecCMD("wlan show profile", "netsh.exe"), colorsC);
|
||||
ansi_colors_regexp.Add(connection.Value, Beaprint.ansi_color_bad);
|
||||
}
|
||||
Beaprint.DictPrint(networkConnections, ansi_colors_regexp, false);
|
||||
}
|
||||
else
|
||||
{
|
||||
Beaprint.GrayPrint(" This function is not yet implemented.");
|
||||
Beaprint.InfoPrint("If you want to list saved Wifis connections you can list the using 'netsh wlan show profile'");
|
||||
}
|
||||
Beaprint.InfoPrint("If you want to get the clear-text password use 'netsh wlan show profile <SSID> key=clear'");
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
Beaprint.GrayPrint(String.Format("{0}", ex));
|
||||
@ -2434,7 +2438,6 @@ namespace winPEAS
|
||||
|
||||
|
||||
/*
|
||||
* Wifi (passwords?)
|
||||
* Keylogger?
|
||||
* Input prompt ==> Better in PS
|
||||
* Cretae list of malicious drives that could allow to privesc?
|
||||
|
||||
55
winPEAS/winPEASexe/winPEAS/Wifi.cs
Normal file
55
winPEAS/winPEASexe/winPEAS/Wifi.cs
Normal file
@ -0,0 +1,55 @@
|
||||
using System.Collections.Generic;
|
||||
using System.Text.RegularExpressions;
|
||||
namespace winPEAS
|
||||
{
|
||||
class Wifi
|
||||
{
|
||||
public static Dictionary<string, string> Retrieve()
|
||||
{
|
||||
Dictionary<string, string> connections = new Dictionary<string, string>();
|
||||
foreach (string ssid in GetSSIDs())
|
||||
{
|
||||
string password = GetPassword(ssid);
|
||||
connections.Add(ssid, password);
|
||||
}
|
||||
|
||||
return connections;
|
||||
}
|
||||
|
||||
private static IEnumerable<string> GetSSIDs()
|
||||
{
|
||||
string args = "wlan show profiles";
|
||||
string result = MyUtils.ExecCMD(args, "netsh");
|
||||
Regex regex = new Regex(@"\s+:\s+([^\r\n]+)", RegexOptions.Multiline);
|
||||
MatchCollection matches = regex.Matches(result);
|
||||
List<string> ssids = new List<string>();
|
||||
|
||||
for (int i = 0; i < matches.Count; i++)
|
||||
{
|
||||
if (matches[i].Groups.Count > 0 && !string.IsNullOrWhiteSpace(matches[i].Groups[1].Value))
|
||||
{
|
||||
ssids.Add(matches[i].Groups[1].Value);
|
||||
}
|
||||
}
|
||||
|
||||
return ssids;
|
||||
}
|
||||
|
||||
private static string GetPassword(string ssid)
|
||||
{
|
||||
string args = $@" wlan show profile name=""{ssid}"" key=""clear""";
|
||||
string result = MyUtils.ExecCMD(args, "netsh");
|
||||
Regex regex = new Regex(@"Key Content\s+:\s+([^\r\n]+)", RegexOptions.Multiline);
|
||||
MatchCollection matches = regex.Matches(result);
|
||||
string password = string.Empty;
|
||||
|
||||
if (matches.Count > 0 && matches[0].Groups.Count > 1)
|
||||
{
|
||||
password = matches[0].Groups[1].Value;
|
||||
}
|
||||
|
||||
return password;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
@ -155,6 +155,7 @@
|
||||
<Compile Include="TaskScheduler\XmlSerializationHelper.cs" />
|
||||
<Compile Include="UserInfo.cs" />
|
||||
<Compile Include="Watson.cs" />
|
||||
<Compile Include="Wifi.cs" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<None Include="App.config" />
|
||||
|
||||
Loading…
Reference in New Issue
Block a user