diff --git a/winPEAS/winPEASexe/README.md b/winPEAS/winPEASexe/README.md
index ade9303..0b87c25 100755
--- a/winPEAS/winPEASexe/README.md
+++ b/winPEAS/winPEASexe/README.md
@@ -57,6 +57,7 @@ $wp.EntryPoint #Get the name of the ReflectedType, in obfuscated versions someti
 winpeas.exe #run all checks (except for additional slower checks - LOLBAS and linpeas.sh in WSL) (noisy - CTFs)
 winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed
 winpeas.exe notcolor #Do not color the output
+winpeas.exe domain #enumerate also domain information
 winpeas.exe wait #wait for user input between tests
 winpeas.exe debug #display additional debug information
 winpeas.exe log #log output to out.txt instead of standard output
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
index 6478fed..7187eaf 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
@@ -14,6 +14,7 @@ namespace winPEAS.Checks
 {
 public static class Checks
 {
+ public static bool IsDomainEnumeration = false;
 public static bool IsNoColor = false;
 public static bool Banner = true;
 public static bool IsDebug = false;
@@ -129,6 +130,11 @@ namespace winPEAS.Checks
 IsDebug = true;
 }
 
+ if (string.Equals(arg, "domain", StringComparison.CurrentCultureIgnoreCase))
+ {
+ IsDomainEnumeration = true;
+ }
+
 if (string.Equals(arg, "-lolbas", StringComparison.CurrentCultureIgnoreCase))
 {
 IsLolbas = true;
@@ -235,7 +241,14 @@ namespace winPEAS.Checks
 
 try
 {
 Beaprint.GrayPrint(" - Getting Win32_UserAccount info...");
- var query = new SelectQuery("Win32_UserAccount");
+
+ // by default only enumerate local users
+ SelectQuery query = new SelectQuery("Win32_UserAccount", "LocalAccount=true");
+ if (IsDomainEnumeration)
+ {
+ // include also domain users
+ query = new SelectQuery("Win32_UserAccount");
+ }
 using (var searcher = new ManagementObjectSearcher(query))
 {
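Review bot: The new `domain` switch is matched with `StringComparison.CurrentCultureIgnoreCase`, which makes a command-line token comparison depend on the process locale; for identifier-like input the intended comparison is `StringComparison.OrdinalIgnoreCase`. The neighbouring `-lolbas` branch (and presumably the rest of this parser) uses the same culture-sensitive form, so this is a file-wide style point rather than a regression introduced here, but a new flag is the natural place to start: `if (string.Equals(arg, "domain", StringComparison.OrdinalIgnoreCase))`. The enclosing argument loop starts and ends outside the hunk.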
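Review bot: The two new comments say what the branches do but not why the default changed, and every consumer of the list this query fills (User.cs in the same commit iterates `Checks.Checks.Win32Users`) now silently sees local accounts only unless `domain` was passed; that behaviour change deserves to be stated where it is made. I would replace the first comment with something like `// Win32_UserAccount with no filter also returns domain accounts, which on a domain-joined host is slow and chatty; Win32Users therefore holds local accounts only unless the "domain" switch widens it`. The declare-then-reassign shape can also be a single initialisation: `SelectQuery query = IsDomainEnumeration ? new SelectQuery("Win32_UserAccount") : new SelectQuery("Win32_UserAccount", "LocalAccount=true");`. The enclosing try block and method continue outside the hunk.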
@@ -275,7 +288,8 @@ namespace winPEAS.Checks try { - Beaprint.GrayPrint(" - Creating active users list..."); + var domainString = IsDomainEnumeration ? "(local + domain)" : "(local only)"; + Beaprint.GrayPrint($" - Creating active users list {domainString}..."); _paintActiveUsers = string.Join("|", User.GetMachineUsers(true, false, false, false, false)); PaintActiveUsersNoAdministrator = _paintActiveUsers.Replace("|Administrator", "").Replace("Administrator|", "").Replace("Administrator", ""); } diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs index be1082e..92b3726 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs @@ -200,8 +200,15 @@ namespace winPEAS.Checks Beaprint.MainPrint("Looking for common SAM & SYSTEM backups"); List sam_files = InterestingFiles.InterestingFiles.GetSAMBackups(); foreach (string path in sam_files) - Beaprint.BadPrint(" " + path); + { + var permissions = PermissionsHelper.GetPermissionsFile(path, Checks.CurrentUserSiDs); + if (permissions.Any()) + { + Beaprint.BadPrint(" " + path); + Beaprint.BadPrint(" File Permissions: " + string.Join(", ", permissions) + "\n"); + } + } } catch (Exception ex) { diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs index fa81fe8..ab85e22 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs @@ -635,7 +635,7 @@ namespace winPEAS.Checks { "null", Beaprint.ansi_color_bad}, { "Require Signing", Beaprint.ansi_color_good}, { "Negotiate signing", Beaprint.ansi_color_yellow}, - { "Unknown", Beaprint.ansi_color_bad}, + { "Unknown", Beaprint.ansi_color_bad}, }; Beaprint.ColorPrint("\n NTLM Signing Settings", Beaprint.LBLUE); diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs index 4ebd659..9a05937 100644 
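Review bot: In the FilesInfo.cs hunk the `permissions.Any()` guard now drops a located SAM/SYSTEM backup from the report entirely when the current user holds none of the tabulated rights on it, whereas the old loop always printed the path; the backup's existence is still worth reporting (it is a finding for whoever reviews the host, and the permission line is extra detail), so print the path unconditionally and only make the second line conditional, e.g. `Beaprint.BadPrint(" " + path); if (permissions.Any()) Beaprint.BadPrint(" File Permissions: " + string.Join(", ", permissions) + "\n");`. If hiding inaccessible backups is the intent, a one-line comment above the `if` should say so, because the silent filtering is otherwise easy to misread as "no backups found". `Any()` also needs `System.Linq` in scope, which the hunk does not show — presumably already imported in this file. The enclosing try block and method start outside the hunk.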
--- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
@@ -126,6 +126,7 @@ namespace winPEAS.Helpers
 Console.WriteLine(YELLOW + " [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR);
 Console.WriteLine(LBLUE + " quiet" + GRAY + " Do not print banner" + NOCOLOR);
 Console.WriteLine(LBLUE + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR);
+ Console.WriteLine(LBLUE + " domain" + GRAY + " Enumerate domain information" + NOCOLOR);
 Console.WriteLine(LBLUE + " systeminfo" + GRAY + " Search system information" + NOCOLOR);
 Console.WriteLine(LBLUE + " userinfo" + GRAY + " Search user information" + NOCOLOR);
 Console.WriteLine(LBLUE + " processinfo" + GRAY + " Search processes information" + NOCOLOR);
diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs
index 54b82e1..33ab902 100644
--- a/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs
@@ -27,7 +27,7 @@ namespace winPEAS.Helpers
 if (path == null || path == "")
 return results;
 
- Match reg_path = Regex.Match(path.ToString(), @"\W*([a-z]:\\.+?(\.[a-zA-Z0-9_-]+))\W*", RegexOptions.IgnoreCase);
+ Match reg_path = Regex.Match(path.ToString(), @"\W*([a-z]:\\[^.]+(\.[a-zA-Z0-9_-]+)?)\W*", RegexOptions.IgnoreCase);
 string binaryPath = reg_path.Groups[1].ToString();
 path = binaryPath;
 if (path == null || path == "")
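Review bot: The new pattern `[a-z]:\\[^.]+(\.[a-zA-Z0-9_-]+)?` stops at the first '.' anywhere in the path, not only at the extension, so a path with a dotted directory component (constructed example: `C:\Program Files\Vendor.Suite\bin\tool.exe`) is cut back to `C:\Program Files\Vendor.Suite` and the ACL check on the following lines is performed on a parent directory rather than the file, reporting rights that may not apply to the file at all; because `[^.]+` is also greedy, an extension-less path followed by arguments keeps the arguments as part of the path. The old lazy `.+?(\.[a-zA-Z0-9_-]+)` did not have the first problem but required an extension, which is presumably why it was changed (the SAM/SYSTEM backup paths checked in FilesInfo.cs have none). Rather than widening the regex, skip extraction when the input already names a real filesystem object, e.g. `string binaryPath = (File.Exists(path) || Directory.Exists(path)) ? path : reg_path.Groups[1].ToString();`, assuming `System.IO` is in scope in this file, and keep the regex for command-line strings only. The enclosing GetPermissionsFile method starts and ends outside the hunk.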
@@ -178,11 +178,17 @@ namespace winPEAS.Helpers { "GenericAll", 0x10000000}, { "FullControl", (int)FileSystemRights.FullControl }, { "TakeOwnership", (int)FileSystemRights.TakeOwnership }, + { "GenericWrite", 0x40000000 }, { "WriteData/CreateFiles", (int)FileSystemRights.WriteData }, { "Modify", (int)FileSystemRights.Modify }, { "Write", (int)FileSystemRights.Write }, + + { "Read", (int)FileSystemRights.Read }, + { "ReadData", (int)FileSystemRights.ReadData }, + { "ChangePermissions", (int)FileSystemRights.ChangePermissions }, + { "Delete", (int)FileSystemRights.Delete }, { "DeleteSubdirectoriesAndFiles", (int)FileSystemRights.DeleteSubdirectoriesAndFiles }, { "AppendData/CreateDirectories", (int)FileSystemRights.AppendData }, diff --git a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs index 0bfc743..67cd345 100644 --- a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs +++ b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs 
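Review bot: Adding `Read`, `ReadData`, `ChangePermissions`, `Delete` and `GenericWrite` to this rights table changes what every caller of the helper reports, not only the SAM backup check that motivated it: if this dictionary is the one walked to name a user's rights, plain read access — which ordinary files commonly grant to all users — will now show up wherever the helper is used and bury the write/modify findings the tool is mainly after. Whether that lookup is gated by a write-only mode cannot be seen from this hunk, so confirm it and state the intent above the new entries, e.g. `// read-class rights are listed so readable credential material (SAM/SYSTEM backups) is reported; callers interested in write access only must filter these out`. `GenericWrite` is given as the raw value `0x40000000` like `GenericAll` above it, so a short comment naming it as the generic-access bit would match that entry. The dictionary initializer starts and ends outside the hunk.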
@@ -207,25 +207,18 @@ namespace winPEAS.Info.UserInfo
 string currentUsername = Environment.UserName?.ToLower();
 var usersBaseDirectory = Path.Combine(Path.GetPathRoot(Environment.SystemDirectory), "Users");
 
- SelectQuery query = new SelectQuery("Win32_UserAccount");
- using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
+ foreach (ManagementObject envVar in Checks.Checks.Win32Users)
 {
- using (var data = searcher.Get())
+ string username = (string)envVar["Name"];
+ username = username?.ToLower();
+
+ if (currentUsername != username)
 {
- foreach (ManagementObject envVar in data)
+ string userDirectory = Path.Combine(usersBaseDirectory, username);
+
+ if (Directory.Exists(userDirectory))
 {
- string username = (string)envVar["Name"];
- username = username?.ToLower();
-
- if (currentUsername != username)
- {
- string userDirectory = Path.Combine(usersBaseDirectory, username);
-
- if (Directory.Exists(userDirectory))
- {
- result.Add(userDirectory.ToLower());
- }
- }
+ result.Add(userDirectory.ToLower());
 }
 }
 }
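Review bot: The rewritten loop iterates `Checks.Checks.Win32Users` directly and nothing in the hunk guards against it being unset: the WMI query that fills it (Checks.cs in this same commit) runs inside a try/catch, so a failed query would presumably leave the field null and this `foreach` would then throw, whereas the old self-contained query failed inside its own scope. A one-line guard before the loop keeps the helper safe, `if (Checks.Checks.Win32Users == null) return result;` (or iterate `Checks.Checks.Win32Users ?? Enumerable.Empty<ManagementObject>()` if LINQ is in scope), assuming the method returns `result` as its `Add` call suggests. The shared list now holds local accounts only unless `domain` was requested, which narrows what this method sees compared with the old unfiltered query; a comment on the loop, `// Win32Users is local accounts only unless the "domain" switch was given`, would save the next reader from re-discovering that. The loop variable `envVar` is carried over from the old WMI loop and no longer describes what it holds; `account` reads better. The enclosing method, including `result`, starts and ends outside the hunk.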