Merge pull request #110 from makikvues/master

bugfixes, enumeration of local/domain users
2021-03-02 21:27:09 +00:00 · 2021-03-02 21:27:09 +00:00 · 30aea9f980
commit 30aea9f980
parent 5b1be925c7 94f9bb72ac
7 changed files with 43 additions and 21 deletions
--- a/winPEAS/winPEASexe/README.md
+++ b/winPEAS/winPEASexe/README.md
@ -57,6 +57,7 @@ $wp.EntryPoint #Get the name of the ReflectedType, in obfuscated versions someti
 winpeas.exe #run all checks (except for additional slower checks - LOLBAS and linpeas.sh in WSL) (noisy - CTFs)
 winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed
 winpeas.exe notcolor #Do not color the output
+winpeas.exe domain #enumerate also domain information
 winpeas.exe wait #wait for user input between tests
 winpeas.exe debug #display additional debug information
 winpeas.exe log #log output to out.txt instead of standard output
--- a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
@ -14,6 +14,7 @@ namespace winPEAS.Checks
 {
    public static class Checks
    {
+        public static bool IsDomainEnumeration = false;
        public static bool IsNoColor = false;
        public static bool Banner = true;
        public static bool IsDebug = false;
@ -129,6 +130,11 @@ namespace winPEAS.Checks
                    IsDebug = true;
                }

+                if (string.Equals(arg, "domain", StringComparison.CurrentCultureIgnoreCase))
+                {
+                    IsDomainEnumeration = true;
+                }
+
                if (string.Equals(arg, "-lolbas", StringComparison.CurrentCultureIgnoreCase))
                {
                    IsLolbas = true;
@ -235,7 +241,14 @@ namespace winPEAS.Checks
            try
            {
                Beaprint.GrayPrint("   - Getting Win32_UserAccount info...");
-                var query = new SelectQuery("Win32_UserAccount");
+                
+                // by default only enumerate local users
+                SelectQuery query = new SelectQuery("Win32_UserAccount", "LocalAccount=true");
+                if (IsDomainEnumeration)
+                {
+                    // include also domain users
+                    query = new SelectQuery("Win32_UserAccount");
+                }

                using (var searcher = new ManagementObjectSearcher(query))
                {
@ -275,7 +288,8 @@ namespace winPEAS.Checks

            try
            {
-                Beaprint.GrayPrint("   - Creating active users list...");
+                var domainString = IsDomainEnumeration ? "(local + domain)" : "(local only)";
+                Beaprint.GrayPrint($"   - Creating active users list {domainString}...");
                _paintActiveUsers = string.Join("|", User.GetMachineUsers(true, false, false, false, false));
                PaintActiveUsersNoAdministrator = _paintActiveUsers.Replace("|Administrator", "").Replace("Administrator|", "").Replace("Administrator", "");
            }
--- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
@ -200,8 +200,15 @@ namespace winPEAS.Checks
                Beaprint.MainPrint("Looking for common SAM & SYSTEM backups");
                List<string> sam_files = InterestingFiles.InterestingFiles.GetSAMBackups();
                foreach (string path in sam_files)
-                    Beaprint.BadPrint("    " + path);
+                {
+                    var permissions = PermissionsHelper.GetPermissionsFile(path, Checks.CurrentUserSiDs);

+                    if (permissions.Any())
+                    {
+                        Beaprint.BadPrint("    " + path);
+                        Beaprint.BadPrint("    File Permissions: " + string.Join(", ", permissions) + "\n");
+                    }
+                }
            }
            catch (Exception ex)
            {
--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@ -635,7 +635,7 @@ namespace winPEAS.Checks
                    { "null", Beaprint.ansi_color_bad},
                    { "Require Signing", Beaprint.ansi_color_good},
                    { "Negotiate signing", Beaprint.ansi_color_yellow},                    
-                    { "Unknown", Beaprint.ansi_color_bad},                     
+                    { "Unknown", Beaprint.ansi_color_bad},
                };

                Beaprint.ColorPrint("\n  NTLM Signing Settings", Beaprint.LBLUE);
--- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
@ -126,6 +126,7 @@ namespace winPEAS.Helpers
            Console.WriteLine(YELLOW + "  [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR);
            Console.WriteLine(LBLUE + "        quiet" + GRAY + "                Do not print banner" + NOCOLOR);
            Console.WriteLine(LBLUE + "        notcolor" + GRAY + "             Don't use ansi colors (all white)" + NOCOLOR);
+            Console.WriteLine(LBLUE + "        domain" + GRAY + "               Enumerate domain information" + NOCOLOR);
            Console.WriteLine(LBLUE + "        systeminfo" + GRAY + "           Search system information" + NOCOLOR);
            Console.WriteLine(LBLUE + "        userinfo" + GRAY + "             Search user information" + NOCOLOR);
            Console.WriteLine(LBLUE + "        processinfo" + GRAY + "          Search processes information" + NOCOLOR);
--- a/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs
@ -27,7 +27,7 @@ namespace winPEAS.Helpers
            if (path == null || path == "")
                return results;

-            Match reg_path = Regex.Match(path.ToString(), @"\W*([a-z]:\\.+?(\.[a-zA-Z0-9_-]+))\W*", RegexOptions.IgnoreCase);
+            Match reg_path = Regex.Match(path.ToString(), @"\W*([a-z]:\\[^.]+(\.[a-zA-Z0-9_-]+)?)\W*", RegexOptions.IgnoreCase);
            string binaryPath = reg_path.Groups[1].ToString();
            path = binaryPath;
            if (path == null || path == "")
@ -178,11 +178,17 @@ namespace winPEAS.Helpers
                    { "GenericAll", 0x10000000},
                    { "FullControl", (int)FileSystemRights.FullControl },
                    { "TakeOwnership", (int)FileSystemRights.TakeOwnership },
+
                    { "GenericWrite", 0x40000000 },
                    { "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
                    { "Modify", (int)FileSystemRights.Modify },
                    { "Write", (int)FileSystemRights.Write },
+
+                    { "Read", (int)FileSystemRights.Read },
+                    { "ReadData", (int)FileSystemRights.ReadData },
+
                    { "ChangePermissions", (int)FileSystemRights.ChangePermissions },
+
                    { "Delete", (int)FileSystemRights.Delete },
                    { "DeleteSubdirectoriesAndFiles", (int)FileSystemRights.DeleteSubdirectoriesAndFiles },
                    { "AppendData/CreateDirectories", (int)FileSystemRights.AppendData },
--- a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs
@ -207,25 +207,18 @@ namespace winPEAS.Info.UserInfo
            string currentUsername = Environment.UserName?.ToLower();
            var usersBaseDirectory = Path.Combine(Path.GetPathRoot(Environment.SystemDirectory), "Users");

-            SelectQuery query = new SelectQuery("Win32_UserAccount");
-            using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
+            foreach (ManagementObject envVar in Checks.Checks.Win32Users)
            {
-                using (var data = searcher.Get())
+                string username = (string)envVar["Name"];
+                username = username?.ToLower();
+
+                if (currentUsername != username)
                {
-                    foreach (ManagementObject envVar in data)
+                    string userDirectory = Path.Combine(usersBaseDirectory, username);
+
+                    if (Directory.Exists(userDirectory))
                    {
-                        string username = (string)envVar["Name"];
-                        username = username?.ToLower();
-
-                        if (currentUsername != username)
-                        {
-                            string userDirectory = Path.Combine(usersBaseDirectory, username);
-
-                            if (Directory.Exists(userDirectory))
-                            {
-                                result.Add(userDirectory.ToLower());
-                            }
-                        }
+                        result.Add(userDirectory.ToLower());
                    }
                }
            }