From 5877659e57368b967830214f44aed9a790c4df90 Mon Sep 17 00:00:00 2001
From: makikvues
Date: Sat, 27 Feb 2021 20:10:50 +0100
Subject: [PATCH 1/3] - updated EventsInfo.cs - removed throw
---
 winPEAS/winPEASexe/winPEAS/Checks/EventsInfo.cs | 1 -
 1 file changed, 1 deletion(-)
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/EventsInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/EventsInfo.cs
index 1c175d7..01c8946 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/EventsInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/EventsInfo.cs
@@ -210,7 +210,6 @@ namespace winPEAS.Checks
 catch (Exception e)
 {
 Console.WriteLine(e);
- throw;
 }
 }
 }
From d41684d66cbcda0d60bee1e5cc8c1c4ecdbf1184 Mon Sep 17 00:00:00 2001
From: makikvues
Date: Sun, 28 Feb 2021 12:26:52 +0100
Subject: [PATCH 2/3] - updated LanmanCompatibilityLevel
---
 winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
index 4bdc053..fa81fe8 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@@ -624,7 +624,7 @@ namespace winPEAS.Checks
 {
 var info = Ntlm.GetNtlmSettingsInfo();
- string lmCompatibilityLevelColor = info.LanmanCompatibilityLevel == 5 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
+ string lmCompatibilityLevelColor = info.LanmanCompatibilityLevel >= 3 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
 Beaprint.ColorPrint($" LanmanCompatibilityLevel : {info.LanmanCompatibilityLevel} ({info.LanmanCompatibilityLevelString})\n", lmCompatibilityLevelColor);
 var ntlmSettingsColors = new Dictionary
From 94f9bb72ac7c5bf9e8f55ae3ebf76a8fbf50ab95 Mon Sep 17 00:00:00 2001 
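Review bot: Dropping `throw;` turns this `catch (Exception e)` into a catch-all that still reports through `Console.WriteLine(e)` directly, so the message bypasses the Beaprint helpers the other checks use (`Beaprint.GrayPrint` in Checks.cs, for example), ignores whatever routing sits behind the `log`/`notcolor` options, and dumps a full stack trace on every run rather than only under `debug`. Keeping the check best-effort is reasonable for an enumeration tool, but the report should take the same path as the rest of the output, e.g. `Beaprint.GrayPrint(Checks.IsDebug ? e.ToString() : e.Message);` (`Checks.IsDebug` is the static flag declared in Checks.cs; this assumes Beaprint is already in scope in EventsInfo.cs). A one-line comment such as `// best-effort: a failing event query must not abort the remaining checks` would record why the rethrow went away. The method this catch belongs to starts before the hunk.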
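Review bot: `>= 3` paints LmCompatibilityLevel 3 and 4 as good, but those levels only restrict what this host sends as a client; when it authenticates others (as a server or DC) it still accepts NTLMv1 until level 5, so an NTLMv1 downgrade against this machine remains possible at 3 and 4. A three-way split keeps that distinction visible: `string lmCompatibilityLevelColor = info.LanmanCompatibilityLevel == 5 ? Beaprint.ansi_color_good : info.LanmanCompatibilityLevel >= 3 ? Beaprint.ansi_color_yellow : Beaprint.ansi_color_bad;` — `ansi_color_yellow` is already used a few lines below for the signing table. A short comment stating the tiers (`// 5: refuses LM/NTLMv1 as server; 3-4: sends NTLMv2 only but still accepts NTLMv1; <3: sends LM/NTLMv1`) would save the next reader the lookup. The enclosing method starts and ends outside the hunk.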
From: makikvues
Date: Tue, 2 Mar 2021 20:36:08 +0100
Subject: [PATCH 3/3] - added domain argument (to enable enumeration of domain users) - only local users enumerated by default - added permissions check for SAM backups - fixed GetPermissionsFile - did not process files without an extension - added Read / ReadData permission to PermInt2Str - updated WinPEAS.exe README.md
---
 winPEAS/winPEASexe/README.md | 1 +
 winPEAS/winPEASexe/winPEAS/Checks/Checks.cs | 18 +++++++++++--
 .../winPEASexe/winPEAS/Checks/FilesInfo.cs | 9 ++++++-
 .../winPEASexe/winPEAS/Checks/SystemInfo.cs | 2 +-
 .../winPEASexe/winPEAS/Helpers/Beaprint.cs | 1 +
 .../winPEAS/Helpers/PermissionsHelper.cs | 8 +++++-
 .../winPEASexe/winPEAS/Info/UserInfo/User.cs | 25 +++++++------------
 7 files changed, 43 insertions(+), 21 deletions(-)
diff --git a/winPEAS/winPEASexe/README.md b/winPEAS/winPEASexe/README.md
index 20cc31a..a81cd42 100755
--- a/winPEAS/winPEASexe/README.md
+++ b/winPEAS/winPEASexe/README.md
@@ -17,6 +17,7 @@ Download the **[latest obfuscated version from here](https://github.com/carlospo
 winpeas.exe #run all checks (except for additional slower checks - LOLBAS and linpeas.sh in WSL) (noisy - CTFs)
 winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed
 winpeas.exe notcolor #Do not color the output
+winpeas.exe domain #enumerate also domain information
 winpeas.exe wait #wait for user input between tests
 winpeas.exe debug #display additional debug information
 winpeas.exe log #log output to out.txt instead of standard output
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
index 6478fed..7187eaf 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs 
@@ -14,6 +14,7 @@ namespace winPEAS.Checks
 {
 public static class Checks
 {
+ public static bool IsDomainEnumeration = false;
 public static bool IsNoColor = false;
 public static bool Banner = true;
 public static bool IsDebug = false;
@@ -129,6 +130,11 @@ namespace winPEAS.Checks
 IsDebug = true;
 }
+ if (string.Equals(arg, "domain", StringComparison.CurrentCultureIgnoreCase))
+ {
+ IsDomainEnumeration = true;
+ }
+
 if (string.Equals(arg, "-lolbas", StringComparison.CurrentCultureIgnoreCase))
 {
 IsLolbas = true;
@@ -235,7 +241,14 @@ namespace winPEAS.Checks
 try
 {
 Beaprint.GrayPrint(" - Getting Win32_UserAccount info...");
- var query = new SelectQuery("Win32_UserAccount");
+
+ // by default only enumerate local users
+ SelectQuery query = new SelectQuery("Win32_UserAccount", "LocalAccount=true");
+ if (IsDomainEnumeration)
+ {
+ // include also domain users
+ query = new SelectQuery("Win32_UserAccount");
+ }
 using (var searcher = new ManagementObjectSearcher(query))
 {
@@ -275,7 +288,8 @@ namespace winPEAS.Checks
 try
 {
- Beaprint.GrayPrint(" - Creating active users list...");
+ var domainString = IsDomainEnumeration ? "(local + domain)" : "(local only)";
+ Beaprint.GrayPrint($" - Creating active users list {domainString}...");
 _paintActiveUsers = string.Join("|", User.GetMachineUsers(true, false, false, false, false));
 PaintActiveUsersNoAdministrator = _paintActiveUsers.Replace("|Administrator", "").Replace("Administrator|", "").Replace("Administrator", "");
 }
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
index be1082e..92b3726 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs 
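Review bot: The `domain` branch falls back to the unfiltered `Win32_UserAccount` query, which on a domain-joined host makes WMI walk every account in the directory through a domain controller — slow, and considerably more visible to monitoring than the `LocalAccount=true` default — yet neither the comment nor the help text says that this is the trade-off the flag opts into. Suggest letting the comment carry it: `// "domain" argument: the unfiltered query also pulls every domain account via the DC (slow, noisy)`. The `(local + domain)` / `(local only)` label in the last hunk is useful; the same wording in the README and `Beaprint` help lines would make the default explicit to the operator. The `using (var searcher …)` block that consumes `query` continues past the end of this hunk.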
@@ -200,8 +200,15 @@ namespace winPEAS.Checks
 Beaprint.MainPrint("Looking for common SAM & SYSTEM backups");
 List sam_files = InterestingFiles.InterestingFiles.GetSAMBackups();
 foreach (string path in sam_files)
- Beaprint.BadPrint(" " + path);
+ {
+ var permissions = PermissionsHelper.GetPermissionsFile(path, Checks.CurrentUserSiDs);
+ if (permissions.Any())
+ {
+ Beaprint.BadPrint(" " + path);
+ Beaprint.BadPrint(" File Permissions: " + string.Join(", ", permissions) + "\n");
+ }
+ }
 }
 catch (Exception ex)
 {
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
index fa81fe8..ab85e22 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@@ -635,7 +635,7 @@ namespace winPEAS.Checks
 { "null", Beaprint.ansi_color_bad},
 { "Require Signing", Beaprint.ansi_color_good},
 { "Negotiate signing", Beaprint.ansi_color_yellow},
- { "Unknown", Beaprint.ansi_color_bad},
+ { "Unknown", Beaprint.ansi_color_bad},
 };
 Beaprint.ColorPrint("\n NTLM Signing Settings", Beaprint.LBLUE);
diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
index 9bfe654..f3a8224 100644
--- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs 
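Review bot: `if (permissions.Any())` now gates the path itself, so a SAM/SYSTEM backup that exists but grants the current user none of the mapped rights vanishes from the output entirely, whereas before every hit was printed; the location is still worth reporting, since it becomes usable after any later privilege step or from another principal. Print the path unconditionally and gate only the permission line: keep `Beaprint.BadPrint(" " + path);` outside the `if`, and leave only `Beaprint.BadPrint(" File Permissions: " + string.Join(", ", permissions) + "\n");` inside it. `.Any()` requires `System.Linq`, and the hunk cannot show whether FilesInfo.cs already imports it. The enclosing method and its `catch` continue past the hunk.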
@@ -126,6 +126,7 @@ namespace winPEAS.Helpers
 Console.WriteLine(YELLOW + " [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR);
 Console.WriteLine(LBLUE + " quiet" + GRAY + " Do not print banner" + NOCOLOR);
 Console.WriteLine(LBLUE + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR);
+ Console.WriteLine(LBLUE + " domain" + GRAY + " Enumerate domain information" + NOCOLOR);
 Console.WriteLine(LBLUE + " systeminfo" + GRAY + " Search system information" + NOCOLOR);
 Console.WriteLine(LBLUE + " userinfo" + GRAY + " Search user information" + NOCOLOR);
 Console.WriteLine(LBLUE + " processinfo" + GRAY + " Search processes information" + NOCOLOR);
diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs
index 54b82e1..33ab902 100644
--- a/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs
@@ -27,7 +27,7 @@ namespace winPEAS.Helpers
 if (path == null || path == "")
 return results;
- Match reg_path = Regex.Match(path.ToString(), @"\W*([a-z]:\\.+?(\.[a-zA-Z0-9_-]+))\W*", RegexOptions.IgnoreCase);
+ Match reg_path = Regex.Match(path.ToString(), @"\W*([a-z]:\\[^.]+(\.[a-zA-Z0-9_-]+)?)\W*", RegexOptions.IgnoreCase);
 string binaryPath = reg_path.Groups[1].ToString();
 path = binaryPath;
 if (path == null || path == "") 
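Review bot: Replacing the lazy `.+?(\.ext)` with `[^.]+(\.ext)?` makes extension-less paths match, but it changes what a command line with arguments yields: for `C:\tools\app -arg value` the character class runs to the end of the string (it stops only at a dot), so the whole line including the arguments becomes `binaryPath`, where the old pattern stopped at the extension; a quoted path without an extension likewise drags in the closing quote and everything after it. Since the new caller (the SAM-backup check) already holds a clean file path, the cheapest guard is to skip the regex when the input is already a real file: `string binaryPath = File.Exists(path.ToString()) ? path.ToString() : reg_path.Groups[1].ToString();` (assuming `System.IO` is in scope in this file). A comment on the `Regex.Match` line saying that it is meant to carve a binary path out of an arbitrary command line would also tell the next reader what the pattern is allowed to get wrong. The method continues past the end of this hunk.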
@@ -178,11 +178,17 @@ namespace winPEAS.Helpers
 { "GenericAll", 0x10000000},
 { "FullControl", (int)FileSystemRights.FullControl },
 { "TakeOwnership", (int)FileSystemRights.TakeOwnership },
+ { "GenericWrite", 0x40000000 },
 { "WriteData/CreateFiles", (int)FileSystemRights.WriteData },
 { "Modify", (int)FileSystemRights.Modify },
 { "Write", (int)FileSystemRights.Write },
+
+ { "Read", (int)FileSystemRights.Read },
+ { "ReadData", (int)FileSystemRights.ReadData },
+ { "ChangePermissions", (int)FileSystemRights.ChangePermissions },
+ { "Delete", (int)FileSystemRights.Delete },
 { "DeleteSubdirectoriesAndFiles", (int)FileSystemRights.DeleteSubdirectoriesAndFiles },
 { "AppendData/CreateDirectories", (int)FileSystemRights.AppendData },
diff --git a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs
index 0bfc743..67cd345 100644
--- a/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs 
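Review bot: Adding `Read` and `ReadData` to this shared map makes the helper report rights that give no write primitive, so any caller that treats a non-empty result as "modifiable" (the writable file/service/registry checks, if they go through the same map — the hunk cannot show that) will start flagging every file the current user can merely read. If read access is only wanted for the SAM-backup check, keep it out of the shared map or put it behind an opt-in such as a `bool includeRead = false` parameter on the helper so existing callers keep their meaning. `FileSystemRights.Read` is itself a composite (ReadData | ReadExtendedAttributes | ReadAttributes | ReadPermissions | Synchronize), so whether the entry ever matches depends on the comparison performed below the hunk — a comment next to it, e.g. `// composite mask; only reported when every bit is granted`, should state which it is. `GenericWrite` is decoded now but `GenericRead` (0x80000000) and `GenericExecute` (0x20000000) are not; if that is intentional, a short note saying so would stop the next reader from "completing" the set. The dictionary starts and ends outside the hunk.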
@@ -207,25 +207,18 @@ namespace winPEAS.Info.UserInfo
 string currentUsername = Environment.UserName?.ToLower();
 var usersBaseDirectory = Path.Combine(Path.GetPathRoot(Environment.SystemDirectory), "Users");
- SelectQuery query = new SelectQuery("Win32_UserAccount");
- using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
+ foreach (ManagementObject envVar in Checks.Checks.Win32Users)
 {
- using (var data = searcher.Get())
+ string username = (string)envVar["Name"];
+ username = username?.ToLower();
+
+ if (currentUsername != username)
 {
- foreach (ManagementObject envVar in data)
+ string userDirectory = Path.Combine(usersBaseDirectory, username);
+
+ if (Directory.Exists(userDirectory))
 {
- string username = (string)envVar["Name"];
- username = username?.ToLower();
-
- if (currentUsername != username)
- {
- string userDirectory = Path.Combine(usersBaseDirectory, username);
-
- if (Directory.Exists(userDirectory))
- {
- result.Add(userDirectory.ToLower());
- }
- }
+ result.Add(userDirectory.ToLower());
 }
 }
 }
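Review bot: This method now reads `Checks.Checks.Win32Users`, which Checks.cs fills from a `LocalAccount=true` query unless `domain` was passed, so on a domain-joined host the profile folders that domain users left under `C:\Users` are silently skipped by default — even though the folder is local and `Directory.Exists` is the real test here — whereas the removed code ran its own unfiltered query. If the local-only default is intended, record it on the loop (`// scope follows Checks.Win32Users: local accounts only unless the "domain" argument was given`); otherwise enumerate `usersBaseDirectory` with `Directory.EnumerateDirectories` and compare the folder name with `currentUsername`, which needs no WMI at all. The shared list also needs a null guard: the query in Checks.cs sits in a `try` that swallows failures, so if the field is never assigned this `foreach` throws `NullReferenceException` instead of degrading — an early `if (Checks.Checks.Win32Users == null) return result;` keeps the check best-effort (assuming `result` is what the method returns, as the `result.Add` suggests). `(string)envVar["Name"]` can be null and `Path.Combine` then throws, which the old code shared; a `continue` on a null name would close that too. The method starts and ends outside the hunk.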