Code Cleanup

godylockz 2022-12-23 00:45:23 -05:00
parent e5b9b67786
commit 3cc49b5b9a
134 changed files with 16675 additions and 16731 deletions


@ -1,5 +1,4 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following


@ -11,8 +11,8 @@ namespace winPEAS.Tests
{
try
{
string[] args = new string[] {
"systeminfo", "servicesinfo", "processinfo", "applicationsinfo", "browserinfo", "debug"
string[] args = new string[] {
"systeminfo", "servicesinfo", "processinfo", "applicationsinfo", "browserinfo", "debug"
};
Program.Main(args);
}


@ -27,8 +27,8 @@ namespace winPEAS.Checks
{
Beaprint.MainPrint("Current Active Window Application");
string title = ApplicationInfoHelper.GetActiveWindowTitle();
List<string> permsFile = PermissionsHelper.GetPermissionsFile(title, winPEAS.Checks.Checks.CurrentUserSiDs);
List<string> permsFolder = PermissionsHelper.GetPermissionsFolder(title, winPEAS.Checks.Checks.CurrentUserSiDs);
List<string> permsFile = PermissionsHelper.GetPermissionsFile(title, Checks.CurrentUserSiDs);
List<string> permsFolder = PermissionsHelper.GetPermissionsFolder(title, Checks.CurrentUserSiDs);
if (permsFile.Count > 0)
{
Beaprint.BadPrint(" " + title);
@ -188,8 +188,8 @@ namespace winPEAS.Checks
foreach (Dictionary<string, string> sapp in scheduled_apps)
{
List<string> fileRights = PermissionsHelper.GetPermissionsFile(sapp["Action"], winPEAS.Checks.Checks.CurrentUserSiDs);
List<string> dirRights = PermissionsHelper.GetPermissionsFolder(sapp["Action"], winPEAS.Checks.Checks.CurrentUserSiDs);
List<string> fileRights = PermissionsHelper.GetPermissionsFile(sapp["Action"], Checks.CurrentUserSiDs);
List<string> dirRights = PermissionsHelper.GetPermissionsFolder(sapp["Action"], Checks.CurrentUserSiDs);
string formString = " ({0}) {1}: {2}";
if (fileRights.Count > 0)
@ -238,8 +238,8 @@ namespace winPEAS.Checks
foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft())
{
string pathDriver = driver.Key;
List<string> fileRights = PermissionsHelper.GetPermissionsFile(pathDriver, winPEAS.Checks.Checks.CurrentUserSiDs);
List<string> dirRights = PermissionsHelper.GetPermissionsFolder(pathDriver, winPEAS.Checks.Checks.CurrentUserSiDs);
List<string> fileRights = PermissionsHelper.GetPermissionsFile(pathDriver, Checks.CurrentUserSiDs);
List<string> dirRights = PermissionsHelper.GetPermissionsFolder(pathDriver, Checks.CurrentUserSiDs);
Dictionary<string, string> colorsD = new Dictionary<string, string>()
{


@ -169,7 +169,7 @@ namespace winPEAS.Checks
{
MaxRegexFileSize = Int32.Parse(parts[1]);
}
}
if (string.Equals(arg, "-lolbas", StringComparison.CurrentCultureIgnoreCase))
@ -363,8 +363,8 @@ namespace winPEAS.Checks
try
{
Beaprint.GrayPrint(" - Creating disabled users list...");
Checks.PaintDisabledUsers = string.Join("|", User.GetMachineUsers(false, true, false, false, false));
PaintDisabledUsersNoAdministrator = Checks.PaintDisabledUsers.Replace("|Administrator", "").Replace("Administrator|", "").Replace("Administrator", "");
PaintDisabledUsers = string.Join("|", User.GetMachineUsers(false, true, false, false, false));
PaintDisabledUsersNoAdministrator = PaintDisabledUsers.Replace("|Administrator", "").Replace("Administrator|", "").Replace("Administrator", "");
}
catch (Exception ex)
{
@ -411,7 +411,7 @@ namespace winPEAS.Checks
try
{
if (RegistryHelper.GetRegValue("HKCU", "CONSOLE", "VirtualTerminalLevel") == "" && RegistryHelper.GetRegValue("HKCU", "CONSOLE", "VirtualTerminalLevel") == "")
System.Console.WriteLine(@"ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
Console.WriteLine(@"ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
}
catch (Exception ex)
{
@ -425,7 +425,7 @@ namespace winPEAS.Checks
{
if (RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\FileSystem", "LongPathsEnabled") != "1")
{
System.Console.WriteLine(@"Long paths are disabled, so the maximum length of a path supported is 260chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
Console.WriteLine(@"Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
IsLongPath = false;
}
else
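Review bot: The reworded long-path hint still tells the user to run `REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel ...`, but the check just above reads `LongPathsEnabled`, so following the advice would not enable long paths. The value name in the message should be `/v LongPathsEnabled`. In the hunk before it, the ANSI check evaluates the identical `RegistryHelper.GetRegValue("HKCU", "CONSOLE", "VirtualTerminalLevel") == ""` expression on both sides of `&&`. One side is redundant, or was presumably meant to read a different location. Both enclosing blocks continue outside the hunks.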


@ -10,7 +10,7 @@ using winPEAS.Info.EventsInfo.ProcessCreation;
namespace winPEAS.Checks
{
internal class EventsInfo : ISystemCheck
{
{
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Interesting Events information");
@ -23,7 +23,7 @@ namespace winPEAS.Checks
PrintPowerShellEvents,
PowerOnEvents,
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
}
private static void PrintPowerShellEvents()
{
@ -91,7 +91,7 @@ namespace winPEAS.Checks
}
var logonInfos = Logon.GetLogonInfos(lastDays);
foreach (var info in logonInfos.LogonEventInfos)
{
Beaprint.BadPrint($" Subject User Name : {info.SubjectUserName}\n" +
@ -102,13 +102,13 @@ namespace winPEAS.Checks
$" Lm Package : {info.LmPackage}\n" +
$" Logon Type : {info.LogonType}\n" +
$" Target User Name : {info.TargetUserName}\n" +
$" Target Domain Name : {info.TargetDomainName}\n" +
$" Target Domain Name : {info.TargetDomainName}\n" +
$" Target Outbound User Name : {info.TargetOutboundUserName}\n" +
$" Target Outbound Domain Name : {info.TargetOutboundDomainName}\n");
Beaprint.PrintLineSeparator();
}
if (logonInfos.NTLMv1LoggedUsersSet.Count > 0 || logonInfos.NTLMv2LoggedUsersSet.Count > 0)
{
Beaprint.BadPrint(" NTLM relay might be possible - other users authenticate to this machine using NTLM!");
@ -151,7 +151,7 @@ namespace winPEAS.Checks
{
var lastDays = 30;
Beaprint.MainPrint($"Printing Explicit Credential Events (4648) for last {lastDays} days - A process logged on using plaintext credentials\n");
Beaprint.MainPrint($"Printing Explicit Credential Events (4648) for last {lastDays} days - A process logged on using plaintext credentials\n");
if (!MyUtils.IsHighIntegrity())
{


@ -27,7 +27,7 @@ namespace winPEAS.Checks
}.ForEach(action => CheckRunner.Run(action, isDebug));
}
private static List<CustomFileInfo> InitializeFileSearch(bool useProgramFiles=true)
private static List<CustomFileInfo> InitializeFileSearch(bool useProgramFiles = true)
{
var files = new List<CustomFileInfo>();
var systemDrive = $"{SearchHelper.SystemDrive}\\";
@ -101,7 +101,7 @@ namespace winPEAS.Checks
isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase);
if (isFileFound) break;
}
}
}
}
else
{
@ -118,7 +118,8 @@ namespace winPEAS.Checks
if (isFileFound)
{
if (!somethingFound) {
if (!somethingFound)
{
Beaprint.MainPrint($"Found {searchName} Files");
somethingFound = true;
}
@ -132,7 +133,7 @@ namespace winPEAS.Checks
}
}
// there are inner sections
else
else
{
foreach (var innerFileToSearch in fileSettings.files)
{
@ -143,7 +144,7 @@ namespace winPEAS.Checks
}
}
return new bool[] { false, somethingFound };
}
@ -177,7 +178,7 @@ namespace winPEAS.Checks
}
return foundMatches;
}
if (!is_re_match)
{
return foundMatches;
@ -187,10 +188,10 @@ namespace winPEAS.Checks
foreach (Match match in rgx.Matches(text))
{
if (cont > 10) break;
if (match.Value.Length < 400 && match.Value.Trim().Length > 2)
foundMatches.Add(match.Value);
cont++;
}
}
@ -348,12 +349,12 @@ namespace winPEAS.Checks
{
timer.Start();
}
try
{
string text = System.IO.File.ReadAllText(f.FullPath);
string text = File.ReadAllText(f.FullPath);
results = SearchContent(text, regex.regex, (bool)regex.caseinsensitive);
if (results.Count > 0)
{
@ -429,7 +430,7 @@ namespace winPEAS.Checks
// . -> \.
// * -> .*
// add $ at the end to avoid false positives
var pattern = str.Replace(".", @"\.")
.Replace("*", @".*");
@ -447,11 +448,11 @@ namespace winPEAS.Checks
resultsCount++;
if (resultsCount > ListFileLimit) return false;
// If contains undesireable string, stop processing
if (fileSettings.remove_path != null && fileSettings.remove_path.Length > 0)
{
foreach(var rem_path in fileSettings.remove_path.Split('|'))
foreach (var rem_path in fileSettings.remove_path.Split('|'))
{
if (fileInfo.FullPath.ToLower().Contains(rem_path.ToLower()))
return false;
@ -460,19 +461,23 @@ namespace winPEAS.Checks
if (fileSettings.type == "f")
{
var colors = new Dictionary<string, string>();
colors.Add(fileInfo.Filename, Beaprint.ansi_color_bad);
var colors = new Dictionary<string, string>
{
{ fileInfo.Filename, Beaprint.ansi_color_bad }
};
Beaprint.AnsiPrint($"File: {fileInfo.FullPath}", colors);
if (!(bool)fileSettings.just_list_file)
if (!(bool)fileSettings.just_list_file)
{
GrepResult(fileInfo, fileSettings);
}
}
else if (fileSettings.type == "d")
{
var colors = new Dictionary<string, string>();
colors.Add(fileInfo.Filename, Beaprint.ansi_color_bad);
var colors = new Dictionary<string, string>
{
{ fileInfo.Filename, Beaprint.ansi_color_bad }
};
Beaprint.AnsiPrint($"Folder: {fileInfo.FullPath}", colors);
// just list the directory
@ -487,7 +492,7 @@ namespace winPEAS.Checks
}
else
{
// should not happen
// should not happen
}
}
@ -531,11 +536,11 @@ namespace winPEAS.Checks
{
lineGrep = SanitizeLineGrep(fileSettings.line_grep);
}
fileContent = fileContent.Where(line => (!string.IsNullOrWhiteSpace(fileSettings.good_regex) && Regex.IsMatch(line, fileSettings.good_regex, RegexOptions.IgnoreCase)) ||
(!string.IsNullOrWhiteSpace(fileSettings.bad_regex) && Regex.IsMatch(line, fileSettings.bad_regex, RegexOptions.IgnoreCase)) ||
(!string.IsNullOrWhiteSpace(lineGrep) && Regex.IsMatch(line, lineGrep, RegexOptions.IgnoreCase)));
}
}
var content = string.Join(Environment.NewLine, fileContent);
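Review bot: In the `remove_path` loop, `fileSettings.remove_path.Split('|')` can yield an empty segment (a trailing or doubled `|`), and `Contains("")` is always true, so every file for that entry would be dropped silently. Skipping empty segments and dropping the two `ToLower()` copies avoids that: `if (rem_path.Length > 0 && fileInfo.FullPath.IndexOf(rem_path, StringComparison.OrdinalIgnoreCase) >= 0) return false;`. Whether any shipped definition carries such a value is not visible here. The enclosing method starts and ends outside the hunk.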


@ -21,7 +21,7 @@ namespace winPEAS.Checks
internal class FilesInfo : ISystemCheck
{
static readonly string _patternsFileCredsColor = @"RDCMan.settings|.rdg|_history|httpd.conf|.htpasswd|.gitconfig|.git-credentials|Dockerfile|docker-compose.ymlaccess_tokens.db|accessTokens.json|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|\.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|security|software|SECURITY|SOFTWARE|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|my.ini|my.cnf|access.log|error.log|server.xml|setupinfo|pagefile.sys|NetSetup.log|iis6.log|AppEvent.Evt|SecEvent.Evt|default.sav|security.sav|software.sav|system.sav|ntuser.dat|index.dat|bash.exe|wsl.exe";
// static readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak";
// static readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak";
private static readonly IList<string> patternsFileCreds = new List<string>()
{
@ -159,7 +159,7 @@ namespace winPEAS.Checks
{
string formString = " {0} ({1})\n Accessed:{2} -- Size:{3}";
Beaprint.BadPrint(string.Format(formString, cc["file"], cc["Description"], cc["Accessed"], cc["Size"]));
System.Console.WriteLine("");
Console.WriteLine("");
}
}
else
@ -182,7 +182,7 @@ namespace winPEAS.Checks
{
List<string> pwds = Unattended.ExtractUnattendedPwd(path);
Beaprint.BadPrint(" " + path);
System.Console.WriteLine(string.Join("\n", pwds));
Console.WriteLine(string.Join("\n", pwds));
}
}
catch (Exception ex)
@ -233,11 +233,11 @@ namespace winPEAS.Checks
foreach (var site in sitelistFilesInfo.Sites)
{
Beaprint.NoColorPrint($" Share Name : {site.ShareName}");
PrintColored( $" User Name : {site.UserName}", !string.IsNullOrWhiteSpace(site.UserName));
PrintColored( $" Server : {site.Server}", !string.IsNullOrWhiteSpace(site.Server));
PrintColored( $" Encrypted Password : {site.EncPassword}", !string.IsNullOrWhiteSpace(site.EncPassword));
PrintColored( $" Decrypted Password : {site.DecPassword}", !string.IsNullOrWhiteSpace(site.DecPassword));
Beaprint.NoColorPrint( $" Domain Name : {site.DomainName}\n" +
PrintColored($" User Name : {site.UserName}", !string.IsNullOrWhiteSpace(site.UserName));
PrintColored($" Server : {site.Server}", !string.IsNullOrWhiteSpace(site.Server));
PrintColored($" Encrypted Password : {site.EncPassword}", !string.IsNullOrWhiteSpace(site.EncPassword));
PrintColored($" Decrypted Password : {site.DecPassword}", !string.IsNullOrWhiteSpace(site.DecPassword));
Beaprint.NoColorPrint($" Domain Name : {site.DomainName}\n" +
$" Name : {site.Name}\n" +
$" Type : {site.Type}\n" +
$" Relative Path : {site.RelativePath}\n");
@ -291,7 +291,7 @@ namespace winPEAS.Checks
const string rootDirectory = "Root directory";
const string runWith = "Run command";
var colors = new Dictionary<string, string>();
var colors = new Dictionary<string, string>();
new List<string>
{
linpeas,
@ -410,7 +410,7 @@ namespace winPEAS.Checks
{
try
{
string pattern_color = "[cC][rR][eE][dD][eE][nN][tT][iI][aA][lL]|[pP][aA][sS][sS][wW][oO][rR][dD]";
string pattern_color = "[cC][rR][eE][dD][eE][nN][tT][iI][aA][lL]|[pP][aA][sS][sS][wW][oO][rR][dD]";
var validExtensions = new HashSet<string>
{
".cnf",
@ -431,7 +431,7 @@ namespace winPEAS.Checks
};
Beaprint.MainPrint("Looking for possible password files in users homes");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
var fileInfos = SearchHelper.SearchUserCredsFiles();
foreach (var fileInfo in fileInfos)
@ -463,7 +463,7 @@ namespace winPEAS.Checks
{
//string pattern_bin = _patternsFileCreds + ";*password*;*credential*";
string pattern_bin = string.Join(";", patternsFileCreds) + ";*password*;*credential*";
Dictionary<string, string> colorF = new Dictionary<string, string>()
{
{ _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad },
@ -472,7 +472,7 @@ namespace winPEAS.Checks
Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
foreach (Dictionary<string, string> rec_file in recy_files)
{
foreach (string pattern in pattern_bin.Split(';'))
@ -480,7 +480,7 @@ namespace winPEAS.Checks
if (Regex.Match(rec_file["Name"], pattern.Replace("*", ".*"), RegexOptions.IgnoreCase).Success)
{
Beaprint.DictPrint(rec_file, colorF, true);
System.Console.WriteLine();
Console.WriteLine();
}
}
}
@ -507,7 +507,7 @@ namespace winPEAS.Checks
Beaprint.MainPrint("Searching known files that can contain creds in home");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
var files = SearchHelper.SearchUsersInterestingFiles();
Beaprint.AnsiPrint(" " + string.Join("\n ", files), colorF);
@ -567,7 +567,7 @@ namespace winPEAS.Checks
try
{
Beaprint.MainPrint("Searching interesting files in other users home directories (can be slow)\n");
// check if admin already, if yes, print a message, if not, try to enumerate all files
if (MyUtils.IsHighIntegrity())
{
@ -751,7 +751,7 @@ namespace winPEAS.Checks
".cmd"
};
var files = SearchHelper.GetFilesFast(systemDrive, "*", excludedDirs);
var files = SearchHelper.GetFilesFast(systemDrive, "*", excludedDirs);
foreach (var file in files)
{
@ -825,14 +825,14 @@ namespace winPEAS.Checks
foreach (var certificateInfo in certificateInfos)
{
Beaprint.NoColorPrint($" Issuer : {certificateInfo.Issuer}\n" +
$" Subject : {certificateInfo.Subject}\n" +
$" ValidDate : {certificateInfo.ValidDate}\n" +
$" ValidDate : {certificateInfo.ValidDate}\n" +
$" ExpiryDate : {certificateInfo.ExpiryDate}\n" +
$" HasPrivateKey : {certificateInfo.HasPrivateKey}\n" +
$" StoreLocation : {certificateInfo.StoreLocation}\n" +
$" KeyExportable : {certificateInfo.KeyExportable}\n" +
$" HasPrivateKey : {certificateInfo.HasPrivateKey}\n" +
$" StoreLocation : {certificateInfo.StoreLocation}\n" +
$" KeyExportable : {certificateInfo.KeyExportable}\n" +
$" Thumbprint : {certificateInfo.Thumbprint}\n");
if (!string.IsNullOrEmpty(certificateInfo.Template))
@ -885,7 +885,7 @@ namespace winPEAS.Checks
}
catch (Exception e)
{
}
}
}
}
catch (Exception ex)
@ -1033,7 +1033,7 @@ namespace winPEAS.Checks
//@"c:\windows.old",
rootUsersSearchPath,
documentsAndSettings
};
};
var files = SearchHelper.GetFilesFast(systemDrive, "*", excludedDirs);
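Review bot: `_patternsFileCredsColor` contains `docker-compose.ymlaccess_tokens.db`, with the `|` between `docker-compose.yml` and `access_tokens.db` missing, so that alternative only matches the two names run together. The commented-out `_patternsFileCreds` beside it lists them separately. The same string leaves most dots unescaped (only `\.der` is escaped), so entries such as `.key` or `.crt` match any character before the extension and colour more output than intended. Further down, the inner `catch (Exception e) { }` is empty and hides failures in that block. A debug-gated `Beaprint.PrintException(e.Message)` would keep them visible.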


@ -26,8 +26,8 @@ namespace winPEAS.Checks
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Network Information");
Beaprint.GreatPrint("Network Information");
new List<Action>
{
PrintNetShares,
@ -81,7 +81,7 @@ namespace winPEAS.Checks
{
if (line.Length > 0 && line[0] != '#')
{
System.Console.WriteLine(" " + line.Replace("\t", " "));
Console.WriteLine(" " + line.Replace("\t", " "));
}
}
}
@ -304,8 +304,8 @@ namespace winPEAS.Checks
Beaprint.GrayPrint(" DENY rules:");
foreach (Dictionary<string, string> rule in Firewall.GetFirewallRules())
{
string filePerms = string.Join(", ", PermissionsHelper.GetPermissionsFile(rule["AppName"], winPEAS.Checks.Checks.CurrentUserSiDs));
string folderPerms = string.Join(", ", PermissionsHelper.GetPermissionsFolder(rule["AppName"], winPEAS.Checks.Checks.CurrentUserSiDs));
string filePerms = string.Join(", ", PermissionsHelper.GetPermissionsFile(rule["AppName"], Checks.CurrentUserSiDs));
string folderPerms = string.Join(", ", PermissionsHelper.GetPermissionsFolder(rule["AppName"], Checks.CurrentUserSiDs));
string formString = " ({0}){1}[{2}]: {3} {4} {5} from {6} --> {7}";
if (filePerms.Length > 0)
formString += "\n File Permissions: {8}";
@ -389,8 +389,8 @@ namespace winPEAS.Checks
var info = InternetSettings.GetInternetSettingsInfo();
Beaprint.ColorPrint(" General Settings", Beaprint.LBLUE);
Beaprint.NoColorPrint($" {"Hive",-10} {"Key",-40} {"Value"}");
Beaprint.NoColorPrint($" {"Hive",-10} {"Key",-40} {"Value"}");
foreach (var i in info.GeneralSettings)
{
Beaprint.NoColorPrint($" {i.Hive,-10} {i.ValueName,-40} {i.Value}");
@ -410,9 +410,9 @@ namespace winPEAS.Checks
{
Beaprint.NoColorPrint($" {i.Hive,-10} {i.ValueName,-40} {i.Interpretation}");
}
}
Beaprint.ColorPrint("\n Zone Auth Settings", Beaprint.LBLUE);
}
Beaprint.ColorPrint("\n Zone Auth Settings", Beaprint.LBLUE);
if (info.ZoneAuthSettings.Count == 0)
{
Beaprint.NoColorPrint(" No Zone Auth Settings");
@ -423,7 +423,7 @@ namespace winPEAS.Checks
{
Beaprint.NoColorPrint($" {i.Interpretation}");
}
}
}
}
catch (Exception ex)
{


@ -10,7 +10,7 @@ namespace winPEAS.Checks
{
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Processes Information");
Beaprint.GreatPrint("Processes Information");
new List<Action>
{
@ -101,7 +101,7 @@ namespace winPEAS.Checks
Beaprint.DictPrint(vulnHandlers, colors, true);
}
}
}
}


@ -20,7 +20,7 @@ namespace winPEAS.Checks
{
CheckRunner.Run(() =>
{
modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs);
modifiableServices = ServicesInfoHelper.GetModifiableServices(Checks.CurrentUserSiDs);
}, isDebug);
}
catch (Exception ex)
@ -53,12 +53,12 @@ namespace winPEAS.Checks
foreach (Dictionary<string, string> serviceInfo in services_info)
{
List<string> fileRights = PermissionsHelper.GetPermissionsFile(serviceInfo["FilteredPath"], winPEAS.Checks.Checks.CurrentUserSiDs);
List<string> fileRights = PermissionsHelper.GetPermissionsFile(serviceInfo["FilteredPath"], Checks.CurrentUserSiDs);
List<string> dirRights = new List<string>();
if (serviceInfo["FilteredPath"] != null && serviceInfo["FilteredPath"] != "")
{
dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(serviceInfo["FilteredPath"]), winPEAS.Checks.Checks.CurrentUserSiDs);
dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(serviceInfo["FilteredPath"]), Checks.CurrentUserSiDs);
}
bool noQuotesAndSpace = MyUtils.CheckQuoteAndSpace(serviceInfo["PathName"]);
@ -159,7 +159,7 @@ namespace winPEAS.Checks
{
Beaprint.MainPrint("Looking if you can modify any service registry");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
List<Dictionary<string, string>> regPerms = ServicesInfoHelper.GetWriteServiceRegs(winPEAS.Checks.Checks.CurrentUserSiDs);
List<Dictionary<string, string>> regPerms = ServicesInfoHelper.GetWriteServiceRegs(Checks.CurrentUserSiDs);
Dictionary<string, string> colorsWR = new Dictionary<string, string>()
{
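Review bot: `fileRights` is computed from `serviceInfo["FilteredPath"]` before the null/empty test that guards the folder lookup two lines later, so the file lookup still runs for a missing path. Whether `GetPermissionsFile` tolerates null or an empty string is not visible in this hunk. Putting both lookups under one `if (!string.IsNullOrEmpty(serviceInfo["FilteredPath"]))` would make the intent explicit and replace the `!= null && != ""` pair. The loop body continues outside the hunk.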


@ -5,21 +5,21 @@ using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;
using winPEAS._3rdParty.Watson;
using winPEAS.Helpers;
using winPEAS.Helpers.AppLocker;
using winPEAS._3rdParty.Watson;
using winPEAS.Info.SystemInfo.Printers;
using winPEAS.Info.SystemInfo.NamedPipes;
using winPEAS.Info.SystemInfo;
using winPEAS.Info.SystemInfo.SysMon;
using winPEAS.Helpers.Extensions;
using winPEAS.Helpers.Registry;
using winPEAS.Info.SystemInfo;
using winPEAS.Info.SystemInfo.AuditPolicies;
using winPEAS.Info.SystemInfo.DotNet;
using winPEAS.Info.SystemInfo.GroupPolicy;
using winPEAS.Info.SystemInfo.WindowsDefender;
using winPEAS.Info.SystemInfo.PowerShell;
using winPEAS.Info.SystemInfo.NamedPipes;
using winPEAS.Info.SystemInfo.Ntlm;
using winPEAS.Info.SystemInfo.PowerShell;
using winPEAS.Info.SystemInfo.Printers;
using winPEAS.Info.SystemInfo.SysMon;
using winPEAS.Info.SystemInfo.WindowsDefender;
using winPEAS.Native.Enums;
namespace winPEAS.Checks
@ -47,13 +47,13 @@ namespace winPEAS.Checks
{ "3b576869-a4ec-4529-8536-b80a7769e899" , "Block Office applications from creating executable content "},
{ "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" , "Block Office applications from injecting code into other processes"},
{ "d3e037e1-3eb8-44c8-a917-57927947596d" , "Block JavaScript or VBScript from launching downloaded executable content"},
{ "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" , "Block executable content from email client and webmail"},
{ "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" , "Block executable content from email client and webmail"},
};
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("System Information");
new List<Action>
{
PrintBasicSystemInfo,
@ -107,7 +107,7 @@ namespace winPEAS.Checks
{ Globals.StrTrue, Beaprint.ansi_color_bad },
};
Beaprint.DictPrint(basicDictSystem, colorsSI, false);
System.Console.WriteLine();
Console.WriteLine();
Watson.FindVulns();
//To update Watson, update the CVEs and add the new ones and update the main function so it uses new CVEs (becausfull with the Beaprints inside the FindVulns function)
@ -200,7 +200,7 @@ namespace winPEAS.Checks
Beaprint.MainPrint("PS default transcripts history");
Beaprint.InfoPrint("Read the PS history inside these files (if any)");
string drive = Path.GetPathRoot(Environment.SystemDirectory);
string transcriptsPath = drive + @"transcripts\";
string transcriptsPath = drive + @"transcripts\";
string usersPath = $"{drive}users";
var users = Directory.EnumerateDirectories(usersPath, "*", SearchOption.TopDirectoryOnly);
@ -210,7 +210,7 @@ namespace winPEAS.Checks
{
{ "^.*", Beaprint.ansi_color_bad },
};
var results = new List<string>();
var dict = new Dictionary<string, string>()
@ -218,7 +218,7 @@ namespace winPEAS.Checks
// check \\transcripts\ folder
{transcriptsPath, "*"},
};
foreach (var user in users)
{
// check the users directories
@ -290,12 +290,12 @@ namespace winPEAS.Checks
Beaprint.NoColorPrint($" Domain : {policy.Domain}\n" +
$" GPO : {policy.GPO}\n" +
$" Type : {policy.Type}\n");
foreach (var entry in policy.Settings)
{
Beaprint.NoColorPrint($" {entry.Subcategory,50} : {entry.AuditType}");
}
Beaprint.PrintLineSeparator();
}
}
@ -366,15 +366,15 @@ namespace winPEAS.Checks
Beaprint.MainPrint("Credentials Guard");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags");
if (lsaCfgFlags == "1")
{
System.Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
Beaprint.GoodPrint(" CredentialGuard is active with UEFI lock");
}
else if (lsaCfgFlags == "2")
{
System.Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
Console.WriteLine(" Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
Beaprint.GoodPrint(" CredentialGuard is active without UEFI lock");
}
else
@ -572,7 +572,7 @@ namespace winPEAS.Checks
else if (using_HKLM_WSUS == "0")
Beaprint.GoodPrint(" But UseWUServer is equals to 0, so it is not vulnerable!");
else
System.Console.WriteLine(" But UseWUServer is equals to " + using_HKLM_WSUS + ", so it may work or not");
Console.WriteLine(" But UseWUServer is equals to " + using_HKLM_WSUS + ", so it may work or not");
}
else
{
@ -643,9 +643,9 @@ namespace winPEAS.Checks
string path = "Software\\Policies\\Microsoft\\Windows\\Installer";
string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated");
string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated");
if (HKLM_AIE == "1")
{
{
Beaprint.BadPrint(" AlwaysInstallElevated set to 1 in HKLM!");
}
@ -672,7 +672,7 @@ namespace winPEAS.Checks
try
{
var info = Ntlm.GetNtlmSettingsInfo();
string lmCompatibilityLevelColor = info.LanmanCompatibilityLevel >= 3 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
Beaprint.ColorPrint($" LanmanCompatibilityLevel : {info.LanmanCompatibilityLevel} ({info.LanmanCompatibilityLevelString})\n", lmCompatibilityLevelColor);
@ -683,12 +683,12 @@ namespace winPEAS.Checks
{ "No signing", Beaprint.ansi_color_bad},
{ "null", Beaprint.ansi_color_bad},
{ "Require Signing", Beaprint.ansi_color_good},
{ "Negotiate signing", Beaprint.ansi_color_yellow},
{ "Negotiate signing", Beaprint.ansi_color_yellow},
{ "Unknown", Beaprint.ansi_color_bad},
};
Beaprint.ColorPrint("\n NTLM Signing Settings", Beaprint.LBLUE);
Beaprint.AnsiPrint($" ClientRequireSigning : {info.ClientRequireSigning}\n" +
Beaprint.AnsiPrint($" ClientRequireSigning : {info.ClientRequireSigning}\n" +
$" ClientNegotiateSigning : {info.ClientNegotiateSigning}\n" +
$" ServerRequireSigning : {info.ServerRequireSigning}\n" +
$" ServerNegotiateSigning : {info.ServerNegotiateSigning}\n" +
@ -727,13 +727,13 @@ namespace winPEAS.Checks
}
}
var ntlmOutboundRestrictionsColor = info.OutboundRestrictions == 2 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
var ntlmOutboundRestrictionsColor = info.OutboundRestrictions == 2 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
Beaprint.ColorPrint("\n NTLM Auditing and Restrictions", Beaprint.LBLUE);
Beaprint.NoColorPrint($" InboundRestrictions : {info.InboundRestrictions} ({info.InboundRestrictionsString})");
Beaprint.ColorPrint($" OutboundRestrictions : {info.OutboundRestrictions} ({info.OutboundRestrictionsString})", ntlmOutboundRestrictionsColor);
Beaprint.NoColorPrint($" InboundAuditing : {info.InboundAuditing} ({info.InboundRestrictionsString})");
Beaprint.NoColorPrint($" OutboundExceptions : {info.OutboundExceptions}");
Beaprint.NoColorPrint($" OutboundExceptions : {info.OutboundExceptions}");
}
catch (Exception ex)
{
@ -783,7 +783,7 @@ namespace winPEAS.Checks
Beaprint.AnsiPrint(string.Format(formatString, namedPipe.Name, namedPipe.CurrentUserPerms, namedPipe.Sddl), colors);
}
}
catch (Exception ex)
catch (Exception ex)
{
//Beaprint.PrintException(ex.Message);
}
@ -816,8 +816,8 @@ namespace winPEAS.Checks
{
PrintSysmonConfiguration();
PrintSysmonEventLogs();
}
}
private void PrintSysmonConfiguration()
{
Beaprint.MainPrint("Enumerating Sysmon configuration");
@ -1070,7 +1070,7 @@ namespace winPEAS.Checks
}
else if (kvp.Value.GetType().IsArray && (kvp.Value.GetType().GetElementType().ToString() == "System.Byte"))
{
val = System.BitConverter.ToString((byte[])kvp.Value);
val = BitConverter.ToString((byte[])kvp.Value);
}
else
{
@ -1086,12 +1086,12 @@ namespace winPEAS.Checks
Beaprint.BadPrint(" [!] WDigest is enabled - plaintext password extraction is possible!");
}
if (key.Equals("RunAsPPL", System.StringComparison.InvariantCultureIgnoreCase) && val == "1")
if (key.Equals("RunAsPPL", StringComparison.InvariantCultureIgnoreCase) && val == "1")
{
Beaprint.BadPrint(" [!] LSASS Protected Mode is enabled! You will not be able to access lsass.exe's memory easily.");
}
if (key.Equals("DisableRestrictedAdmin", System.StringComparison.InvariantCultureIgnoreCase) && val == "0")
if (key.Equals("DisableRestrictedAdmin", StringComparison.InvariantCultureIgnoreCase) && val == "0")
{
Beaprint.BadPrint(" [!] RDP Restricted Admin Mode is enabled! You can use pass-the-hash to access RDP on this system.");
}
@ -1107,7 +1107,7 @@ namespace winPEAS.Checks
{
try
{
Beaprint.MainPrint("Display Local Group Policy settings - local users/machine" );
Beaprint.MainPrint("Display Local Group Policy settings - local users/machine");
var infos = GroupPolicy.GetLocalGroupPolicyInfos();


@ -1,8 +1,6 @@
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Principal;
using winPEAS.Helpers;
using winPEAS.Helpers.Extensions;
@ -39,7 +37,7 @@ namespace winPEAS.Checks
public void PrintInfo(bool isDebug)
{
Beaprint.GreatPrint("Users Information");
new List<Action>
{
PrintCU,
@ -158,7 +156,7 @@ namespace winPEAS.Checks
try
{
Beaprint.MainPrint("RDP Sessions");
List<Dictionary<string, string>> rdp_sessions = Info.UserInfo.UserInfoHelper.GetRDPSessions();
List<Dictionary<string, string>> rdp_sessions = UserInfoHelper.GetRDPSessions();
if (rdp_sessions.Count > 0)
{
string format = " {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}";
@ -263,7 +261,7 @@ namespace winPEAS.Checks
{
Beaprint.MainPrint("Password Policies");
Beaprint.LinkPrint("", "Check for a possible brute-force");
List<Dictionary<string, string>> PPy = Info.UserInfo.UserInfoHelper.GetPasswordPolicy();
List<Dictionary<string, string>> PPy = UserInfoHelper.GetPasswordPolicy();
Beaprint.DictPrint(PPy, ColorsU(), false);
}
catch (Exception ex)
@ -282,7 +280,7 @@ namespace winPEAS.Checks
foreach (var logonSession in logonSessions)
{
Beaprint.NoColorPrint ($" Method: {logonSession.Method}\n" +
Beaprint.NoColorPrint($" Method: {logonSession.Method}\n" +
$" Logon Server: {logonSession.LogonServer}\n" +
$" Logon Server Dns Domain: {logonSession.LogonServerDnsDomain}\n" +
$" Logon Id: {logonSession.LogonId}\n" +
@ -317,7 +315,7 @@ namespace winPEAS.Checks
if (User32.GetLastInputInfo(ref lastInputInfo))
{
var currentUser = WindowsIdentity.GetCurrent().Name;
var idleTimeMiliSeconds = (uint) Environment.TickCount - lastInputInfo.Time;
var idleTimeMiliSeconds = (uint)Environment.TickCount - lastInputInfo.Time;
var timeSpan = TimeSpan.FromMilliseconds(idleTimeMiliSeconds);
var idleTimeString = $"{timeSpan.Hours:D2}h:{timeSpan.Minutes:D2}m:{timeSpan.Seconds:D2}s:{timeSpan.Milliseconds:D3}ms";
@ -364,7 +362,7 @@ namespace winPEAS.Checks
lastLogon = lastLogon.AddSeconds(localUser.last_logon).ToLocalTime();
}
Beaprint.AnsiPrint( $" Computer Name : {computerName}\n" +
Beaprint.AnsiPrint($" Computer Name : {computerName}\n" +
$" User Name : {localUser.name}\n" +
$" User Id : {localUser.user_id}\n" +
$" Is Enabled : {enabled}\n" +


@ -7,9 +7,9 @@ using System.Runtime.InteropServices;
namespace winPEAS.Helpers.AppLocker
{
internal static class AppLockerHelper
{
{
private static readonly HashSet<string> _appLockerByPassDirectoriesSet = new HashSet<string>
{
{
@"C:\Windows\Temp",
@"C:\Windows\System32\spool\drivers\color",
@"C:\Windows\Tasks",
@ -88,7 +88,7 @@ namespace winPEAS.Helpers.AppLocker
PrintFilePathRules(rule);
PrintFilePublisherRules(rule);
}
}
}
}
catch (COMException)
{
@ -116,7 +116,7 @@ namespace winPEAS.Helpers.AppLocker
var color = GetColorBySid(filePublisherRule.UserOrGroupSid);
Beaprint.ColorPrint( $" User Or Group Sid: {filePublisherRule.UserOrGroupSid}\n", color);
Beaprint.ColorPrint($" User Or Group Sid: {filePublisherRule.UserOrGroupSid}\n", color);
Beaprint.GoodPrint($" Conditions");
@ -150,10 +150,10 @@ namespace winPEAS.Helpers.AppLocker
$" Translated Name: {normalizedName}\n" +
$" Description: {filePathRule.Description}\n" +
$" Action: {filePathRule.Action}");
var color = GetColorBySid(filePathRule.UserOrGroupSid);
Beaprint.ColorPrint( $" User Or Group Sid: {filePathRule.UserOrGroupSid}\n", color);
Beaprint.ColorPrint($" User Or Group Sid: {filePathRule.UserOrGroupSid}\n", color);
Beaprint.GoodPrint($" Conditions");
@ -241,7 +241,7 @@ namespace winPEAS.Helpers.AppLocker
Beaprint.ColorPrint($" No potential bypass found while recursively checking files/subfolders " +
$"for write or equivalent permissions with depth: {FolderCheckMaxDepth}\n" +
$" Check permissions manually.", Beaprint.YELLOW);
}
}
}
}
}
@ -328,39 +328,42 @@ namespace winPEAS.Helpers.AppLocker
try
{
var subfolders = Directory.EnumerateDirectories(path);
var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);
ruleType = ruleType.ToLower();
if (!_appLockerFileExtensionsByType.ContainsKey(ruleType))
if (Directory.Exists(path))
{
throw new ArgumentException(nameof(ruleType));
}
var filteredFiles =
(from file in files
let extension = Path.GetExtension(file)?.ToLower() ?? string.Empty
where _appLockerFileExtensionsByType[ruleType].Contains(extension)
select file).ToList();
var subfolders = Directory.EnumerateDirectories(path);
var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);
// first check write access for files
if (filteredFiles.Any(CheckFileWriteAccess))
{
return true;
}
ruleType = ruleType.ToLower();
// if we have not found any writable file,
// check subfolders for write access
if (subfolders.Any(subfolder => CheckDirectoryWriteAccess(subfolder, out bool _, isGoodPrint: false)))
{
return true;
}
if (!_appLockerFileExtensionsByType.ContainsKey(ruleType))
{
throw new ArgumentException(nameof(ruleType));
}
// check recursively all the subfolders for files/sub-subfolders
if (subfolders.Any(subfolder => CheckFilesAndSubfolders(subfolder, ruleType, depth + 1)))
{
return true;
var filteredFiles =
(from file in files
let extension = Path.GetExtension(file)?.ToLower() ?? string.Empty
where _appLockerFileExtensionsByType[ruleType].Contains(extension)
select file).ToList();
// first check write access for files
if (filteredFiles.Any(CheckFileWriteAccess))
{
return true;
}
// if we have not found any writable file,
// check subfolders for write access
if (subfolders.Any(subfolder => CheckDirectoryWriteAccess(subfolder, out bool _, isGoodPrint: false)))
{
return true;
}
// check recursively all the subfolders for files/sub-subfolders
if (subfolders.Any(subfolder => CheckFilesAndSubfolders(subfolder, ruleType, depth + 1)))
{
return true;
}
}
}
catch (Exception)
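Review bot: In the `CheckFilesAndSubfolders` hunk the `ruleType` validation now sits inside the new `if (Directory.Exists(path))` guard and inside the `try`, so an unknown rule type is only detected when the folder exists, and the `ArgumentException` is then caught by the `catch (Exception)` that follows (its body is outside the hunk, so how it is handled cannot be seen here). For a check that reports writable AppLocker paths this presumably turns a caller error into a silent "nothing writable" answer. I would normalise and validate before the `try`, with a real message: `ruleType = ruleType.ToLowerInvariant();` followed by `if (!_appLockerFileExtensionsByType.ContainsKey(ruleType)) throw new ArgumentException("Unknown AppLocker rule type", nameof(ruleType));`. The culture-sensitive `ToLower()` on `ruleType` and on the file extension should likewise become `ToLowerInvariant()`, so the lookup does not change under locales such as Turkish. The method signature and any depth limit lie outside the hunk.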


@ -5,79 +5,79 @@ using System.Runtime.InteropServices;
namespace winPEAS.Helpers.AppLocker
{
[Guid("B6FEA19E-32DD-4367-B5B7-2F5DA140E87D")]
[TypeLibType(TypeLibTypeFlags.FDual | TypeLibTypeFlags.FNonExtensible | TypeLibTypeFlags.FDispatchable)]
[ComImport]
public interface IAppIdPolicyHandler
{
// Token: 0x06000001 RID: 1
[DispId(1)]
[MethodImpl(MethodImplOptions.InternalCall)]
void SetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath, [MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy);
[TypeLibType(TypeLibTypeFlags.FDual | TypeLibTypeFlags.FNonExtensible | TypeLibTypeFlags.FDispatchable)]
[ComImport]
public interface IAppIdPolicyHandler
{
// Token: 0x06000001 RID: 1
[DispId(1)]
[MethodImpl(MethodImplOptions.InternalCall)]
void SetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath, [MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy);
// Token: 0x06000002 RID: 2
[DispId(2)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
string GetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath);
// Token: 0x06000002 RID: 2
[DispId(2)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
string GetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath);
// Token: 0x06000003 RID: 3
[DispId(3)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
string GetEffectivePolicy();
// Token: 0x06000003 RID: 3
[DispId(3)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
string GetEffectivePolicy();
// Token: 0x06000004 RID: 4
[DispId(4)]
[MethodImpl(MethodImplOptions.InternalCall)]
int IsFileAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrFilePath, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
// Token: 0x06000004 RID: 4
[DispId(4)]
[MethodImpl(MethodImplOptions.InternalCall)]
int IsFileAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrFilePath, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
// Token: 0x06000005 RID: 5
[DispId(5)]
[MethodImpl(MethodImplOptions.InternalCall)]
int IsPackageAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrPublisherName, [MarshalAs(UnmanagedType.BStr)][In] string bstrPackageName, [In] ulong ullPackageVersion, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
}
// Token: 0x06000005 RID: 5
[DispId(5)]
[MethodImpl(MethodImplOptions.InternalCall)]
int IsPackageAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrPublisherName, [MarshalAs(UnmanagedType.BStr)][In] string bstrPackageName, [In] ulong ullPackageVersion, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
}
// Token: 0x02000003 RID: 3
[CoClass(typeof(AppIdPolicyHandlerClass))]
[Guid("B6FEA19E-32DD-4367-B5B7-2F5DA140E87D")]
[ComImport]
public interface AppIdPolicyHandler : IAppIdPolicyHandler
{
}
// Token: 0x02000003 RID: 3
[CoClass(typeof(AppIdPolicyHandlerClass))]
[Guid("B6FEA19E-32DD-4367-B5B7-2F5DA140E87D")]
[ComImport]
public interface AppIdPolicyHandler : IAppIdPolicyHandler
{
}
// Token: 0x02000004 RID: 4
[Guid("F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3")]
[ClassInterface(ClassInterfaceType.None)]
[TypeLibType(TypeLibTypeFlags.FCanCreate)]
[ComImport]
public class AppIdPolicyHandlerClass : IAppIdPolicyHandler, AppIdPolicyHandler
{
// Token: 0x02000004 RID: 4
[Guid("F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3")]
[ClassInterface(ClassInterfaceType.None)]
[TypeLibType(TypeLibTypeFlags.FCanCreate)]
[ComImport]
public class AppIdPolicyHandlerClass : IAppIdPolicyHandler, AppIdPolicyHandler
{
// Token: 0x06000007 RID: 7
[DispId(1)]
[MethodImpl(MethodImplOptions.InternalCall)]
public virtual extern void SetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath, [MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy);
// Token: 0x06000007 RID: 7
[DispId(1)]
[MethodImpl(MethodImplOptions.InternalCall)]
public virtual extern void SetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath, [MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy);
// Token: 0x06000008 RID: 8
[DispId(2)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
public virtual extern string GetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath);
// Token: 0x06000008 RID: 8
[DispId(2)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
public virtual extern string GetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath);
// Token: 0x06000009 RID: 9
[DispId(3)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
public virtual extern string GetEffectivePolicy();
// Token: 0x06000009 RID: 9
[DispId(3)]
[MethodImpl(MethodImplOptions.InternalCall)]
[return: MarshalAs(UnmanagedType.BStr)]
public virtual extern string GetEffectivePolicy();
// Token: 0x0600000A RID: 10
[DispId(4)]
[MethodImpl(MethodImplOptions.InternalCall)]
public virtual extern int IsFileAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrFilePath, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
// Token: 0x0600000A RID: 10
[DispId(4)]
[MethodImpl(MethodImplOptions.InternalCall)]
public virtual extern int IsFileAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrFilePath, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
// Token: 0x0600000B RID: 11
[DispId(5)]
[MethodImpl(MethodImplOptions.InternalCall)]
public virtual extern int IsPackageAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrPublisherName, [MarshalAs(UnmanagedType.BStr)][In] string bstrPackageName, [In] ulong ullPackageVersion, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
}
// Token: 0x0600000B RID: 11
[DispId(5)]
[MethodImpl(MethodImplOptions.InternalCall)]
public virtual extern int IsPackageAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrPublisherName, [MarshalAs(UnmanagedType.BStr)][In] string bstrPackageName, [In] ulong ullPackageVersion, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
}
}


@ -1,7 +1,6 @@
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Threading;
namespace winPEAS.Helpers
{
@ -105,7 +104,7 @@ namespace winPEAS.Helpers
PrintLegend();
Console.WriteLine();
Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: "+YELLOW+"https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation");
Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: " + YELLOW + "https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation");
}
static void PrintLegend()
@ -142,7 +141,7 @@ namespace winPEAS.Helpers
Console.WriteLine(LCYAN + " debug" + GRAY + " Display debugging information - memory usage, method execution time" + NOCOLOR);
Console.WriteLine(LCYAN + " log[=logfile]" + GRAY + $" Log all output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR);
Console.WriteLine(LCYAN + " max-regex-file-size=1000000" + GRAY + $" Max file size (in Bytes) to search regex in. Default: {Checks.Checks.MaxRegexFileSize}B" + NOCOLOR);
Console.WriteLine();
Console.WriteLine(GREEN + " Additional checks (slower):");
Console.WriteLine(LCYAN + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR);


@ -4,7 +4,6 @@ using System.Linq;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Text;
using winPEAS.Native;
using winPEAS.Native.Enums;
@ -394,6 +393,6 @@ namespace winPEAS.Helpers.CredentialManager
PersistenceType = (PersistenceType)credential.Persist;
Description = credential.Comment;
LastWriteTimeUtc = DateTime.FromFileTimeUtc(credential.LastWritten);
}
}
}
}

View File

@ -1,4 +1,4 @@
namespace winPEAS.Helpers.CredentialManager
{
}


@ -1,9 +1,9 @@
using System;
using Microsoft.Win32.SafeHandles;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
using winPEAS.Native;
namespace winPEAS.Helpers.CredentialManager
@ -18,7 +18,7 @@ namespace winPEAS.Helpers.CredentialManager
/// </summary>
public class NativeMethods
{
/// <summary>
/// The CREDENTIAL structure contains an individual credential.
///


@ -1,5 +1,4 @@
using System;
using System.Runtime.InteropServices;
using winPEAS.Native;
using winPEAS.Native.Enums;
@ -15,9 +14,9 @@ namespace winPEAS.Helpers
{
internal class Win32
{
public const int ErrorSuccess = 0;
public const int ErrorSuccess = 0;
}
public static string IsDomainJoined()

View File

@ -1,11 +1,9 @@
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
using System.Threading.Tasks;
namespace winPEAS.Helpers
{
@ -244,7 +242,7 @@ namespace winPEAS.Helpers
{
string perm = PermissionsHelper.PermInt2Str((int)h.GrantedAccess, PermissionType.WRITEABLE_OR_EQUIVALENT);
if (perm != null && perm.Length> 0)
if (perm != null && perm.Length > 0)
{
vulnHandler.isVuln = true;
vulnHandler.reason = perm;
@ -438,9 +436,11 @@ namespace winPEAS.Helpers
// Get the owner of a process given the PID
public static Dictionary<string, string> GetProcU(Process p)
{
Dictionary<string, string> data = new Dictionary<string, string>();
data["name"] = "";
data["sid"] = "";
Dictionary<string, string> data = new Dictionary<string, string>
{
["name"] = "",
["sid"] = ""
};
IntPtr pHandle = IntPtr.Zero;
try
{
@ -471,7 +471,7 @@ namespace winPEAS.Helpers
PT_RELEVANT_INFO pri = new PT_RELEVANT_INFO();
Process proc = Process.GetProcessById(pid);
Dictionary<string,string> user = GetProcU(proc);
Dictionary<string, string> user = GetProcU(proc);
StringBuilder fileName = new StringBuilder(2000);
Native.Psapi.GetProcessImageFileName(proc.Handle, fileName, 2000);
@ -586,7 +586,7 @@ namespace winPEAS.Helpers
{ // This shouldn't be needed
if (path.StartsWith("\\"))
path = path.Substring(1);
hive = Helpers.Registry.RegistryHelper.CheckIfExists(path);
hive = Registry.RegistryHelper.CheckIfExists(path);
}
if (path.StartsWith("\\"))


@ -1,5 +1,4 @@
using System;
using System.Diagnostics;
using System.Diagnostics;
namespace winPEAS.Helpers
{


@ -76,7 +76,7 @@ namespace winPEAS.Helpers
}
//Check if rundll32
string[] binaryPathdll32 = binaryPath.Split(new string[] {"Rundll32.exe"}, StringSplitOptions.None);
string[] binaryPathdll32 = binaryPath.Split(new string[] { "Rundll32.exe" }, StringSplitOptions.None);
if (binaryPathdll32.Length > 1)
{
@ -224,7 +224,7 @@ namespace winPEAS.Helpers
return strOutput;
}
private static string[] suffixes = new[] {" B", " KB", " MB", " GB", " TB", " PB"};
private static string[] suffixes = new[] { " B", " KB", " MB", " GB", " TB", " PB" };
public static string ConvertBytesToHumanReadable(double number, int precision = 2)
{


@ -1,11 +1,11 @@
using System;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text.RegularExpressions;
using Microsoft.Win32;
namespace winPEAS.Helpers
{
@ -354,14 +354,17 @@ namespace winPEAS.Helpers
results[path] = String.Join(", ", GetPermissionsFolder(path, Checks.Checks.CurrentUserSiDs));
if (string.IsNullOrEmpty(results[path]))
{
foreach (string d in Directory.EnumerateDirectories(path))
if (Directory.Exists(path))
{
foreach (string f in Directory.EnumerateFiles(d))
foreach (string d in Directory.EnumerateDirectories(path))
{
results[f] = String.Join(", ", GetPermissionsFile(f, Checks.Checks.CurrentUserSiDs));
foreach (string f in Directory.EnumerateFiles(d))
{
results[f] = String.Join(", ", GetPermissionsFile(f, Checks.Checks.CurrentUserSiDs));
}
cont += 1;
results.Concat(GetRecursivePrivs(d, cont)).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
}
cont += 1;
results.Concat(GetRecursivePrivs(d, cont)).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
}
}
}
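Review bot: The recursive call in this hunk discards its result: `results.Concat(GetRecursivePrivs(d, cont)).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);` builds a new dictionary that is never assigned, so whatever the recursion finds never reaches `results`, and the new `Directory.Exists` guard does not change that. A permissions audit that silently drops findings under-reports writable paths. Merging in place fixes it: `foreach (var kvp in GetRecursivePrivs(d, cont + 1)) { results[kvp.Key] = kvp.Value; }`, which also replaces the `cont += 1` inside the loop that makes each later sibling directory count as one level deeper than the previous one. The function's signature, its depth check and its return statement lie outside the hunk, so the intended depth semantics should be confirmed there.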


@ -4,85 +4,85 @@ using System.Threading;
namespace winPEAS.Helpers
{
internal class ProgressBar : IDisposable, IProgress<double>
{
private const int blockCount = 10;
private readonly TimeSpan animationInterval = TimeSpan.FromSeconds(1.0 / 8);
private const string animation = @"|/-\";
internal class ProgressBar : IDisposable, IProgress<double>
{
private const int blockCount = 10;
private readonly TimeSpan animationInterval = TimeSpan.FromSeconds(1.0 / 8);
private const string animation = @"|/-\";
private readonly Timer timer;
private readonly Timer timer;
private double currentProgress = 0;
private string currentText = string.Empty;
private bool disposed = false;
private int animationIndex = 0;
private double currentProgress = 0;
private string currentText = string.Empty;
private bool disposed = false;
private int animationIndex = 0;
public ProgressBar()
{
timer = new Timer(TimerHandler, new object(), animationInterval, animationInterval);
}
public ProgressBar()
{
timer = new Timer(TimerHandler, new object(), animationInterval, animationInterval);
}
public void Report(double value)
{
// Make sure value is in [0..1] range
value = Math.Max(0, Math.Min(1, value));
Interlocked.Exchange(ref currentProgress, value);
}
public void Report(double value)
{
// Make sure value is in [0..1] range
value = Math.Max(0, Math.Min(1, value));
Interlocked.Exchange(ref currentProgress, value);
}
private void TimerHandler(object state)
{
lock (timer)
{
if (disposed) return;
private void TimerHandler(object state)
{
lock (timer)
{
if (disposed) return;
int progressBlockCount = (int)(currentProgress * blockCount);
int percent = (int)(currentProgress * 100);
string text = string.Format("[{0}{1}] {2,3}% {3}",
new string('#', progressBlockCount), new string('-', blockCount - progressBlockCount),
percent,
animation[animationIndex++ % animation.Length]);
UpdateText(text);
}
}
int progressBlockCount = (int)(currentProgress * blockCount);
int percent = (int)(currentProgress * 100);
string text = string.Format("[{0}{1}] {2,3}% {3}",
new string('#', progressBlockCount), new string('-', blockCount - progressBlockCount),
percent,
animation[animationIndex++ % animation.Length]);
UpdateText(text);
}
}
private void UpdateText(string text)
{
// Get length of common portion
int commonPrefixLength = 0;
int commonLength = Math.Min(currentText.Length, text.Length);
while (commonPrefixLength < commonLength && text[commonPrefixLength] == currentText[commonPrefixLength])
{
commonPrefixLength++;
}
private void UpdateText(string text)
{
// Get length of common portion
int commonPrefixLength = 0;
int commonLength = Math.Min(currentText.Length, text.Length);
while (commonPrefixLength < commonLength && text[commonPrefixLength] == currentText[commonPrefixLength])
{
commonPrefixLength++;
}
// Backtrack to the first differing character
StringBuilder outputBuilder = new StringBuilder();
outputBuilder.Append('\b', currentText.Length - commonPrefixLength);
// Backtrack to the first differing character
StringBuilder outputBuilder = new StringBuilder();
outputBuilder.Append('\b', currentText.Length - commonPrefixLength);
// Output new suffix
outputBuilder.Append(text.Substring(commonPrefixLength));
// Output new suffix
outputBuilder.Append(text.Substring(commonPrefixLength));
// If the new text is shorter than the old one: delete overlapping characters
int overlapCount = currentText.Length - text.Length;
if (overlapCount > 0)
{
outputBuilder.Append(' ', overlapCount);
outputBuilder.Append('\b', overlapCount);
}
// If the new text is shorter than the old one: delete overlapping characters
int overlapCount = currentText.Length - text.Length;
if (overlapCount > 0)
{
outputBuilder.Append(' ', overlapCount);
outputBuilder.Append('\b', overlapCount);
}
Console.Write(outputBuilder);
currentText = text;
}
Console.Write(outputBuilder);
currentText = text;
}
public void Dispose()
{
lock (timer)
{
disposed = true;
UpdateText(string.Empty);
timer.Dispose();
}
}
public void Dispose()
{
lock (timer)
{
disposed = true;
UpdateText(string.Empty);
timer.Dispose();
}
}
}
}
}


@ -1,7 +1,7 @@
using System;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Win32;
namespace winPEAS.Helpers.Registry
{
@ -177,7 +177,7 @@ namespace winPEAS.Helpers.Registry
internal static uint? GetDwordValue(string hive, string key, string val)
{
string strValue = RegistryHelper.GetRegValue(hive, key, val);
string strValue = GetRegValue(hive, key, val);
if (uint.TryParse(strValue, out uint res))
{


@ -3,7 +3,7 @@
namespace winPEAS.Helpers.Search
{
static class Patterns
{
{
public static readonly HashSet<string> WhitelistExtensions = new HashSet<string>()
{
".cer",
@ -11,7 +11,7 @@ namespace winPEAS.Helpers.Search
".der",
".p12",
};
public static readonly HashSet<string> WhiteListExactfilenamesWithExtensions = new HashSet<string>()
{
"docker-compose.yml",
@ -21,6 +21,6 @@ namespace winPEAS.Helpers.Search
public static readonly IList<string> WhiteListRegexp = new List<string>()
{
"config.*\\.php$",
};
};
}
}


@ -92,13 +92,13 @@ namespace winPEAS.Helpers.Search
Beaprint.LongPathWarning(f.FullName);
}
}
) ;
);
});
});
return files.ToList();
}
}
private static List<FileInfo> GetFiles(string folder, string pattern = "*")
{
DirectoryInfo dirInfo;
@ -221,43 +221,43 @@ namespace winPEAS.Helpers.Search
{
// c:\users
string rootUsersSearchPath = $"{SystemDrive}\\Users\\";
SearchHelper.RootDirUsers = SearchHelper.GetFilesFast(rootUsersSearchPath, GlobalPattern, isFoldersIncluded: true);
RootDirUsers = GetFilesFast(rootUsersSearchPath, GlobalPattern, isFoldersIncluded: true);
// c:\users\current_user
string rootCurrentUserSearchPath = Environment.GetEnvironmentVariable("USERPROFILE");
SearchHelper.RootDirCurrentUser = SearchHelper.GetFilesFast(rootCurrentUserSearchPath, GlobalPattern, isFoldersIncluded: true);
RootDirCurrentUser = GetFilesFast(rootCurrentUserSearchPath, GlobalPattern, isFoldersIncluded: true);
// c:\Program Files\
string rootProgramFiles = $"{SystemDrive}\\Program Files\\";
SearchHelper.ProgramFiles = SearchHelper.GetFilesFast(rootProgramFiles, GlobalPattern, isFoldersIncluded: true);
ProgramFiles = GetFilesFast(rootProgramFiles, GlobalPattern, isFoldersIncluded: true);
// c:\Program Files (x86)\
string rootProgramFilesX86 = $"{SystemDrive}\\Program Files (x86)\\";
SearchHelper.ProgramFilesX86 = SearchHelper.GetFilesFast(rootProgramFilesX86, GlobalPattern, isFoldersIncluded: true);
ProgramFilesX86 = GetFilesFast(rootProgramFilesX86, GlobalPattern, isFoldersIncluded: true);
// c:\Documents and Settings\
string documentsAndSettings = $"{SystemDrive}\\Documents and Settings\\";
SearchHelper.DocumentsAndSettings = SearchHelper.GetFilesFast(documentsAndSettings, GlobalPattern, isFoldersIncluded: true);
DocumentsAndSettings = GetFilesFast(documentsAndSettings, GlobalPattern, isFoldersIncluded: true);
// c:\ProgramData\Microsoft\Group Policy\History
string groupPolicyHistory = $"{SystemDrive}\\ProgramData\\Microsoft\\Group Policy\\History";
SearchHelper.GroupPolicyHistory = SearchHelper.GetFilesFast(groupPolicyHistory, GlobalPattern, isFoldersIncluded: true);
GroupPolicyHistory = GetFilesFast(groupPolicyHistory, GlobalPattern, isFoldersIncluded: true);
// c:\Documents and Settings\All Users\Application Data\\Microsoft\\Group Policy\\History
string groupPolicyHistoryLegacy = $"{documentsAndSettings}\\All Users\\Application Data\\Microsoft\\Group Policy\\History";
//SearchHelper.GroupPolicyHistoryLegacy = SearchHelper.GetFilesFast(groupPolicyHistoryLegacy, globalPattern);
var groupPolicyHistoryLegacyFiles = SearchHelper.GetFilesFast(groupPolicyHistoryLegacy, GlobalPattern, isFoldersIncluded: true);
SearchHelper.GroupPolicyHistory.AddRange(groupPolicyHistoryLegacyFiles);
var groupPolicyHistoryLegacyFiles = GetFilesFast(groupPolicyHistoryLegacy, GlobalPattern, isFoldersIncluded: true);
GroupPolicyHistory.AddRange(groupPolicyHistoryLegacyFiles);
}
internal static void CleanLists()
{
SearchHelper.RootDirUsers = null;
SearchHelper.RootDirCurrentUser = null;
SearchHelper.ProgramFiles = null;
SearchHelper.ProgramFilesX86 = null;
SearchHelper.DocumentsAndSettings = null;
SearchHelper.GroupPolicyHistory = null;
RootDirUsers = null;
RootDirCurrentUser = null;
ProgramFiles = null;
ProgramFilesX86 = null;
DocumentsAndSettings = null;
GroupPolicyHistory = null;
GC.Collect();
}
@ -270,10 +270,10 @@ namespace winPEAS.Helpers.Search
".*password.*"
};
foreach (var file in SearchHelper.RootDirUsers)
{
//string extLower = file.Extension.ToLower();
foreach (var file in RootDirUsers)
{
//string extLower = file.Extension.ToLower();
if (!file.IsDirectory)
{
string nameLower = file.Filename.ToLower();
@ -297,7 +297,7 @@ namespace winPEAS.Helpers.Search
{
var result = new List<string>();
foreach (var file in SearchHelper.RootDirCurrentUser)
foreach (var file in RootDirCurrentUser)
{
if (!file.IsDirectory)
{
@ -322,7 +322,7 @@ namespace winPEAS.Helpers.Search
}
}
}
}
}
return result;
@ -337,7 +337,7 @@ namespace winPEAS.Helpers.Search
".xml"
};
foreach (var file in SearchHelper.GroupPolicyHistory)
foreach (var file in GroupPolicyHistory)
{
if (!file.IsDirectory)
{
@ -361,14 +361,14 @@ namespace winPEAS.Helpers.Search
};
string programDataPath = $"{SystemDrive}\\ProgramData\\";
var programData = SearchHelper.GetFilesFast(programDataPath, GlobalPattern);
var programData = GetFilesFast(programDataPath, GlobalPattern);
var searchFiles = new List<CustomFileInfo>();
searchFiles.AddRange(SearchHelper.ProgramFiles);
searchFiles.AddRange(SearchHelper.ProgramFilesX86);
searchFiles.AddRange(ProgramFiles);
searchFiles.AddRange(ProgramFilesX86);
searchFiles.AddRange(programData);
searchFiles.AddRange(SearchHelper.DocumentsAndSettings);
searchFiles.AddRange(SearchHelper.RootDirUsers);
searchFiles.AddRange(DocumentsAndSettings);
searchFiles.AddRange(RootDirUsers);
foreach (var file in searchFiles)
{
@ -403,7 +403,7 @@ namespace winPEAS.Helpers.Search
".pdf",
};
foreach (var file in SearchHelper.RootDirCurrentUser)
foreach (var file in RootDirCurrentUser)
{
if (!file.IsDirectory)
{
@ -426,7 +426,7 @@ namespace winPEAS.Helpers.Search
}
}
}
}
}
}
return result;
@ -451,7 +451,7 @@ namespace winPEAS.Helpers.Search
".pdf",
};
foreach (var file in SearchHelper.RootDirUsers)
foreach (var file in RootDirUsers)
{
if (!file.IsDirectory)
{
@ -474,7 +474,7 @@ namespace winPEAS.Helpers.Search
}
}
}
}
}
}
return result;


@ -8,12 +8,13 @@ namespace winPEAS.Helpers.YamlConfig
{
public string name { get; set; }
public RegularExpression[] regexes { get; set; }
public class RegularExpression {
public class RegularExpression
{
public string name { get; set; }
public string regex { get; set; }
public bool caseinsensitive { get; set; }
public string disable { get; set; }
}
}
@ -25,65 +26,65 @@ namespace winPEAS.Helpers.YamlConfig
public class FileParam
{
public string name { get; set; }
public FileSettings value { get; set; }
}
public string name { get; set; }
public FileSettings value { get; set; }
}
public class SearchParameters
{
{
public class FileSettings
{
public string bad_regex { get; set; }
{
public string bad_regex { get; set; }
// public string check_extra_path { get; set; } // not used in Winpeas
public string good_regex { get; set; }
public bool? just_list_file { get; set; }
public string line_grep { get; set; }
public bool? only_bad_lines { get; set; }
public bool? remove_empty_lines { get; set; }
public string good_regex { get; set; }
public bool? just_list_file { get; set; }
public string line_grep { get; set; }
public bool? only_bad_lines { get; set; }
public bool? remove_empty_lines { get; set; }
// public string remove_path { get; set; } // not used in Winpeas
public string remove_regex { get; set; }
public string remove_regex { get; set; }
public string remove_path { get; set; }
// public string[] search_in { get; set; } // not used in Winpeas
public string type { get; set; }
public FileParam[] files { get; set; }
public string type { get; set; }
public FileParam[] files { get; set; }
}
public class FileParameters
{
public string file { get; set; }
public FileSettings options { get; set; }
public string file { get; set; }
public FileSettings options { get; set; }
}
public class Config
{
public bool auto_check { get; set; }
public bool auto_check { get; set; }
}
public Config config { get; set; }
public string[] disable { get; set; } // disabled scripts - linpeas/winpeas
public FileParam[] files { get; set; }
public Config config { get; set; }
public string[] disable { get; set; } // disabled scripts - linpeas/winpeas
public FileParam[] files { get; set; }
}
public class SearchParams
{
public string name { get; set; }
public SearchParameters value { get; set; }
public string name { get; set; }
public SearchParameters value { get; set; }
}
public class Defaults
{
public bool auto_check { get; set; }
public string bad_regex { get; set; }
public bool auto_check { get; set; }
public string bad_regex { get; set; }
//public string check_extra_path { get; set; } not used in winpeas
public string good_regex { get; set; }
public bool just_list_file { get; set; }
public string line_grep { get; set; }
public bool only_bad_lines { get; set; }
public bool remove_empty_lines { get; set; }
public string remove_path { get; set; }
public string remove_regex { get; set; }
public string[] search_in { get; set; }
public string type { get; set; }
public string good_regex { get; set; }
public bool just_list_file { get; set; }
public string line_grep { get; set; }
public bool only_bad_lines { get; set; }
public bool remove_empty_lines { get; set; }
public string remove_path { get; set; }
public string remove_regex { get; set; }
public string[] search_in { get; set; }
public string type { get; set; }
}
public class Variable
@ -92,9 +93,9 @@ namespace winPEAS.Helpers.YamlConfig
public string value { get; set; }
}
public SearchParams[] search { get; set; }
public Defaults defaults { get; set; }
public SearchParams[] search { get; set; }
public Defaults defaults { get; set; }
public Variable[] variables { get; set; }
}


@ -1,10 +1,9 @@
using System.Collections.Generic;
using System.Yaml.Serialization;
using System.IO;
using System.Reflection;
using System.Linq;
using System.Reflection;
using System.Yaml.Serialization;
using static winPEAS.Helpers.YamlConfig.YamlConfig;
using static winPEAS.Helpers.YamlConfig.YamlRegexConfig;
namespace winPEAS.Helpers.YamlConfig
@ -30,7 +29,7 @@ namespace winPEAS.Helpers.YamlConfig
YamlRegexConfig yamlConfig = (YamlRegexConfig)yamlSerializer.Deserialize(configFileContent, typeof(YamlRegexConfig))[0];
// check
if (yamlConfig.regular_expresions == null || yamlConfig.regular_expresions.Length == 0)
if (yamlConfig.regular_expresions == null || yamlConfig.regular_expresions.Length == 0)
{
throw new System.Exception("No configuration was read");
}
@ -79,7 +78,7 @@ namespace winPEAS.Helpers.YamlConfig
// apply the defaults e.g. for filesearch
foreach (var searchItem in yamlConfig.search)
{
{
SetDefaultOptions(searchItem, yamlConfig.defaults);
}
@ -91,7 +90,7 @@ namespace winPEAS.Helpers.YamlConfig
Beaprint.PrintException($"An exception occured while parsing sensitive_files.yaml configuration file: {e.Message}");
throw;
}
}
}
private static void SetDefaultOptions(SearchParams searchItem, Defaults defaults)
@ -106,7 +105,7 @@ namespace winPEAS.Helpers.YamlConfig
foreach (var fileParam in fileParams)
{
var value = fileParam.value;
value.bad_regex = GetValueOrDefault(value.bad_regex, defaults.bad_regex);
value.good_regex = GetValueOrDefault(value.good_regex, defaults.good_regex);
value.just_list_file = GetValueOrDefault(value.just_list_file, defaults.just_list_file);
@ -135,7 +134,7 @@ namespace winPEAS.Helpers.YamlConfig
private static T GetValueOrDefault<T>(T val, T defaultValue)
{
return val == null ? defaultValue : val;
return val == null ? defaultValue : val;
}
private static T GetValueOrDefault<T>(Dictionary<object, object> dict, string key, T defaultValue)


@ -1,6 +1,5 @@
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
using winPEAS.Helpers;
using winPEAS.Native;
@ -10,7 +9,7 @@ namespace winPEAS.Info.ApplicationInfo
{
internal class ApplicationInfoHelper
{
public static string GetActiveWindowTitle()
{
const int nChars = 256;
@ -46,7 +45,7 @@ namespace winPEAS.Info.ApplicationInfo
{
try
{
if (t.Enabled &&
if (t.Enabled &&
!string.IsNullOrEmpty(t.Path) && !t.Path.Contains("Microsoft") &&
!string.IsNullOrEmpty(t.Definition.RegistrationInfo.Author) &&
!t.Definition.RegistrationInfo.Author.Contains("Microsoft"))


@ -1,10 +1,10 @@
using System;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
using System.Text.RegularExpressions;
using Microsoft.Win32;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
@ -204,7 +204,7 @@ namespace winPEAS.Info.ApplicationInfo
{
autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name, autorunLocationKey[2]
}
: new List<string> {autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name});
: new List<string> { autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name });
}
}
@ -243,10 +243,10 @@ namespace winPEAS.Info.ApplicationInfo
string folder = Path.GetDirectoryName(filepath_cleaned);
try
{
{
//If the path doesn't exist, pass
if (File.GetAttributes(filepath_cleaned).HasFlag(FileAttributes.Directory))
{
{
//If the path is already a folder, change the values of the params
orig_filepath = "";
folder = filepath_cleaned;
@ -336,7 +336,7 @@ namespace winPEAS.Info.ApplicationInfo
var systemDrive = Environment.GetEnvironmentVariable("SystemDrive");
var autorunLocations = new List<string>
{
Environment.ExpandEnvironmentVariables(@"%programdata%\Microsoft\Windows\Start Menu\Programs\Startup"),
Environment.ExpandEnvironmentVariables(@"%programdata%\Microsoft\Windows\Start Menu\Programs\Startup"),
};
string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE"));
@ -344,15 +344,18 @@ namespace winPEAS.Info.ApplicationInfo
try
{
var userDirs = Directory.EnumerateDirectories(usersPath);
foreach (var userDir in userDirs)
if (Directory.Exists(usersPath))
{
string startupPath = $@"{userDir}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup";
var userDirs = Directory.EnumerateDirectories(usersPath);
if (Directory.Exists(startupPath))
foreach (var userDir in userDirs)
{
autorunLocations.Add(startupPath);
string startupPath = $@"{userDir}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup";
if (Directory.Exists(startupPath))
{
autorunLocations.Add(startupPath);
}
}
}
}
@ -364,22 +367,25 @@ namespace winPEAS.Info.ApplicationInfo
{
try
{
var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);
foreach (string filepath in files)
if (Directory.Exists(path))
{
string folder = Path.GetDirectoryName(filepath);
results.Add(new Dictionary<string, string>() {
{ "Reg", "" },
{ "RegKey", "" },
{ "RegPermissions", "" },
{ "Folder", folder },
{ "File", filepath },
{ "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
});
var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);
foreach (string filepath in files)
{
string folder = Path.GetDirectoryName(filepath);
results.Add(new Dictionary<string, string>() {
{ "Reg", "" },
{ "RegKey", "" },
{ "RegPermissions", "" },
{ "Folder", folder },
{ "File", filepath },
{ "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))},
{ "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
});
}
}
}
catch (Exception)
@ -477,7 +483,7 @@ namespace winPEAS.Info.ApplicationInfo
private static IEnumerable<Dictionary<string, string>> GetAutoRunsFiles()
{
var results = new List<Dictionary<string, string>>();
var results = new List<Dictionary<string, string>>();
var systemDrive = Environment.GetEnvironmentVariable("SystemDrive");
var autostartFiles = new HashSet<string>
{
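Review bot: `Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE"))` on the context line just above the `-344,15 +344,18` hunk sits before the `try`, so the `Directory.Exists(usersPath)` guard added there does not protect it: if the variable is unset, the single-argument `Path.Combine` throws `ArgumentNullException` before the guard runs. Dropping the `Path.Combine` wrapper is enough, because `Directory.Exists(null)` returns false: `string usersPath = Environment.GetEnvironmentVariable("USERPROFILE");`. The name `usersPath` also suggests the folder that holds all profiles, whereas `%USERPROFILE%` is the current user's own folder, so the per-user Startup paths built in the loop may never exist; it is worth confirming which was meant. The enclosing method starts and ends outside the visible hunks.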


@ -8,7 +8,7 @@ using winPEAS.Helpers.Registry;
namespace winPEAS.Info.ApplicationInfo
{
internal static class InstalledApps
{
{
public static SortedDictionary<string, Dictionary<string, string>> GetInstalledAppsPerms()
{
//Get from Program Files
@ -71,16 +71,19 @@ namespace winPEAS.Info.ApplicationInfo
var results = new SortedDictionary<string, Dictionary<string, string>>();
try
{
foreach (string f in Directory.EnumerateFiles(fpath))
if (Directory.Exists(fpath))
{
results[f] = new Dictionary<string, string>
foreach (string f in Directory.EnumerateFiles(fpath))
{
results[f] = new Dictionary<string, string>
{
{ f, string.Join(", ", PermissionsHelper.GetPermissionsFile(f, Checks.Checks.CurrentUserSiDs)) }
};
}
foreach (string d in Directory.EnumerateDirectories(fpath))
{
results[d] = PermissionsHelper.GetRecursivePrivs(d);
}
foreach (string d in Directory.EnumerateDirectories(fpath))
{
results[d] = PermissionsHelper.GetRecursivePrivs(d);
}
}
}
catch (Exception ex)


@ -18,12 +18,12 @@ namespace winPEAS.Info.EventsInfo.Logon
var kerberosLoggedUsersSet = new HashSet<string>();
string userRegex = null;
var startTime = DateTime.Now.AddDays(-lastDays);
var endTime = DateTime.Now;
var query = $@"*[System/EventID=4624] and *[System[TimeCreated[@SystemTime >= '{startTime.ToUniversalTime():o}']]] and *[System[TimeCreated[@SystemTime <= '{endTime.ToUniversalTime():o}']]]";
var logReader = MyUtils.GetEventLogReader("Security", query);
var logReader = MyUtils.GetEventLogReader("Security", query);
// read the event log
for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
@ -127,14 +127,14 @@ namespace winPEAS.Info.EventsInfo.Logon
result.NTLMv2LoggedUsersSet = NTLMv2LoggedUsersSet;
result.LogonEventInfos = logonEventInfos;
return result;
return result;
}
public static IEnumerable<ExplicitLogonEventInfo> GetExplicitLogonEventsInfos(int lastDays)
{
const string eventId = "4648";
string userFilterRegex = null;
var startTime = DateTime.Now.AddDays(-lastDays);
var endTime = DateTime.Now;
@ -143,7 +143,7 @@ namespace winPEAS.Info.EventsInfo.Logon
var logReader = MyUtils.GetEventLogReader("Security", query);
for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
{
{
//string subjectUserSid = eventDetail.GetPropertyValue(0);
var subjectUserName = eventDetail.GetPropertyValue(1);
var subjectDomainName = eventDetail.GetPropertyValue(2);


@ -40,6 +40,6 @@ namespace winPEAS.Info.EventsInfo.Logon
LmPackage = lmPackage;
TargetOutboundUserName = targetOutboundUserName;
TargetOutboundDomainName = targetOutboundDomainName;
}
}
}
}


@ -16,7 +16,7 @@ namespace winPEAS.Info.EventsInfo.PowerShell
string[] powerShellLogs = { "Microsoft-Windows-PowerShell/Operational", "Windows PowerShell" };
// Get our "sensitive" cmdline regexes from a common helper function.
var powerShellRegex = Common.GetInterestingProcessArgsRegex();
var powerShellRegex = Common.GetInterestingProcessArgsRegex();
foreach (var logName in powerShellLogs)
{


@ -1,15 +1,14 @@
using System.Collections.Generic;
using winPEAS.Helpers;
using winPEAS.Info.EventsInfo.PowerShell;
namespace winPEAS.Info.EventsInfo.ProcessCreation
{
internal class ProcessCreation
{
public static IEnumerable<ProcessCreationEventInfo> GetProcessCreationEventInfos()
{
{
// Get our "sensitive" cmdline regexes from a common helper function.
var processCmdLineRegex = Common.GetInterestingProcessArgsRegex();
var processCmdLineRegex = Common.GetInterestingProcessArgsRegex();
var query = $"*[System/EventID=4688]";
var logReader = MyUtils.GetEventLogReader("Security", query);
@ -33,6 +32,6 @@ namespace winPEAS.Info.EventsInfo.ProcessCreation
}
}
}
}
}
}
}


@ -19,6 +19,6 @@ namespace winPEAS.Info.EventsInfo.ProcessCreation
EventId = eventId;
User = user;
Match = match;
}
}
}
}


@ -3,7 +3,7 @@ using System.Collections.Generic;
namespace winPEAS.Info.FilesInfo.Certificates
{
internal class CertificateInfo
internal class CertificateInfo
{
public string StoreLocation { get; set; }
public string Issuer { get; set; }


@ -34,19 +34,19 @@ namespace winPEAS.Info.FilesInfo.Certificates
switch (ext.Oid.FriendlyName)
{
case "Enhanced Key Usage":
{
var extUsages = ((X509EnhancedKeyUsageExtension)ext).EnhancedKeyUsages;
if (extUsages.Count == 0)
continue;
foreach (var extUsage in extUsages)
{
enhancedKeyUsages.Add(extUsage.FriendlyName);
}
var extUsages = ((X509EnhancedKeyUsageExtension)ext).EnhancedKeyUsages;
break;
}
if (extUsages.Count == 0)
continue;
foreach (var extUsage in extUsages)
{
enhancedKeyUsages.Add(extUsage.FriendlyName);
}
break;
}
case "Certificate Template Name":
case "Certificate Template Information":
template = ext.Format(false);


@ -127,7 +127,7 @@ namespace winPEAS.Info.FilesInfo.McAfee
byte[] XORKey = { 0x12, 0x15, 0x0F, 0x10, 0x11, 0x1C, 0x1A, 0x06, 0x0A, 0x1F, 0x1B, 0x18, 0x17, 0x16, 0x05, 0x19 };
// xor the input b64 string with the static XOR key
var passwordBytes = System.Convert.FromBase64String(base64password);
var passwordBytes = Convert.FromBase64String(base64password);
for (var i = 0; i < passwordBytes.Length; i++)
{
passwordBytes[i] = (byte)(passwordBytes[i] ^ XORKey[i % XORKey.Length]);
@ -137,7 +137,7 @@ namespace winPEAS.Info.FilesInfo.McAfee
//var tDESKey = MyUtils.CombineArrays(crypto.ComputeHash(System.Text.Encoding.ASCII.GetBytes("<!@#$%^>")), new byte[] { 0x00, 0x00, 0x00, 0x00 });
byte[] tDESKey = { 62, 241, 54, 184, 179, 59, 239, 188, 52, 38, 167, 181, 78, 196, 26, 55, 124, 211, 25, 155, 0, 0, 0, 0 };
// set the options we need
var tDESalg = new TripleDESCryptoServiceProvider();
tDESalg.Mode = CipherMode.ECB;


@ -1,9 +1,9 @@
using System;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Text.RegularExpressions;
using Microsoft.Win32;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
using winPEAS.Info.FilesInfo.Office.OneDrive;


@ -1,6 +1,5 @@
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Runtime.InteropServices;
using winPEAS.Helpers;
@ -25,7 +24,7 @@ namespace winPEAS.Info.NetworkInfo
Type firewall = Type.GetTypeFromCLSID(new Guid("E2B3C97F-6AE1-41AC-817A-F6F92166D7DD"));
object firewallObj = Activator.CreateInstance(firewall);
object types = ReflectionHelper.InvokeMemberProperty(firewallObj, "CurrentProfileTypes");
result = $"{(FirewallProfiles) int.Parse(types.ToString())}";
result = $"{(FirewallProfiles)int.Parse(types.ToString())}";
}
catch (Exception ex)
{

View File

@ -33,7 +33,7 @@ namespace winPEAS.Info.NetworkInfo.InternetSettings
string zoneMapKey = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey";
AddSettings("HKCU", zoneMapKey, result.ZoneMaps, zoneMapKeys);
AddSettings("HKLM", zoneMapKey, result.ZoneMaps, zoneMapKeys);
// List Zones settings with automatic logons
/**
@ -72,14 +72,14 @@ namespace winPEAS.Info.NetworkInfo.InternetSettings
authSetting.ToString(),
$"{zone} : {authSettingStr}"
));
}
}
}
return result;
}
private static void AddSettings(string hive, string keyPath, IList<InternetSettingsKey> internetSettingsList, IDictionary<string, string> zoneMapKeys = null)
{
{
var proxySettings = (RegistryHelper.GetRegValues(hive, keyPath) ?? new Dictionary<string, object>());
if (proxySettings != null)
{


@ -19,7 +19,7 @@
Value = value;
Interpretation = interpretation;
Hive = hive;
Path = path;
Path = path;
}
}
}

View File

@ -17,8 +17,8 @@ namespace winPEAS.Info.NetworkInfo
{
// https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket
private const int AF_INET = 2;
private const int AF_INET6 = 23;
private const int AF_INET6 = 23;
[StructLayout(LayoutKind.Sequential)]
internal struct MIB_IPNETROW
{
@ -191,12 +191,12 @@ namespace winPEAS.Info.NetworkInfo
foreach (var listener in props.GetActiveTcpListeners())
{
bool repeated = false;
foreach(List<string> inside_entry in results)
foreach (List<string> inside_entry in results)
{
if (inside_entry.SequenceEqual(new List<string>() { "TCP", listener.ToString(), "", "Listening" }))
repeated = true;
}
if (! repeated)
if (!repeated)
results.Add(new List<string>() { "TCP", listener.ToString(), "", "Listening" });
}
@ -218,12 +218,12 @@ namespace winPEAS.Info.NetworkInfo
}
return results;
}
// https://stackoverflow.com/questions/3567063/get-a-list-of-all-unc-shared-folders-on-a-local-network-server
// v2: https://stackoverflow.com/questions/6227892/reading-share-permissions-in-c-sharp
}
// https://stackoverflow.com/questions/3567063/get-a-list-of-all-unc-shared-folders-on-a-local-network-server
// v2: https://stackoverflow.com/questions/6227892/reading-share-permissions-in-c-sharp
public static List<Dictionary<string, string>> GetNetworkShares(string pcname)
{
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
@ -297,8 +297,8 @@ namespace winPEAS.Info.NetworkInfo
Beaprint.PrintException(ex.Message);
}
return results;
}
}
public static List<TcpConnectionInfo> GetTcpConnections(IPVersion ipVersion, Dictionary<int, Process> processesByPid = null)
{
int bufferSize = 0;
@ -325,8 +325,8 @@ namespace winPEAS.Info.NetworkInfo
// If not zero, the call failed.
if (result != 0)
{
return new List<TcpConnectionInfo>();
{
return new List<TcpConnectionInfo>();
}
// Marshals data fron an unmanaged block of memory to the
@ -337,7 +337,7 @@ namespace winPEAS.Info.NetworkInfo
// Determine if IPv4 or IPv6.
if (ipVersion == IPVersion.IPv4)
{
MIB_TCPTABLE_OWNER_PID tcpRecordsTable = (MIB_TCPTABLE_OWNER_PID) Marshal.PtrToStructure(tcpTableRecordsPtr, typeof(MIB_TCPTABLE_OWNER_PID));
MIB_TCPTABLE_OWNER_PID tcpRecordsTable = (MIB_TCPTABLE_OWNER_PID)Marshal.PtrToStructure(tcpTableRecordsPtr, typeof(MIB_TCPTABLE_OWNER_PID));
IntPtr tableRowPtr = (IntPtr)((long)tcpTableRecordsPtr + Marshal.SizeOf(tcpRecordsTable.dwNumEntries));
@ -373,7 +373,7 @@ namespace winPEAS.Info.NetworkInfo
}
else if (ipVersion == IPVersion.IPv6)
{
MIB_TCP6TABLE_OWNER_PID tcpRecordsTable = (MIB_TCP6TABLE_OWNER_PID) Marshal.PtrToStructure(tcpTableRecordsPtr, typeof(MIB_TCP6TABLE_OWNER_PID));
MIB_TCP6TABLE_OWNER_PID tcpRecordsTable = (MIB_TCP6TABLE_OWNER_PID)Marshal.PtrToStructure(tcpTableRecordsPtr, typeof(MIB_TCP6TABLE_OWNER_PID));
IntPtr tableRowPtr = (IntPtr)((long)tcpTableRecordsPtr + Marshal.SizeOf(tcpRecordsTable.dwNumEntries));
@ -461,14 +461,14 @@ namespace winPEAS.Info.NetworkInfo
// Determine if IPv4 or IPv6.
if (ipVersion == IPVersion.IPv4)
{
MIB_UDPTABLE_OWNER_PID udpRecordsTable = (MIB_UDPTABLE_OWNER_PID) Marshal.PtrToStructure(udpTableRecordsPtr, typeof(MIB_UDPTABLE_OWNER_PID));
MIB_UDPTABLE_OWNER_PID udpRecordsTable = (MIB_UDPTABLE_OWNER_PID)Marshal.PtrToStructure(udpTableRecordsPtr, typeof(MIB_UDPTABLE_OWNER_PID));
IntPtr tableRowPtr = (IntPtr)((long)udpTableRecordsPtr + Marshal.SizeOf(udpRecordsTable.dwNumEntries));
// Read and parse the UDP records from the table and store them in list
// 'UdpConnection' structure type objects.
for (int i = 0; i < udpRecordsTable.dwNumEntries; i++)
{
MIB_UDPROW_OWNER_PID udpRow = (MIB_UDPROW_OWNER_PID) Marshal.PtrToStructure(tableRowPtr, typeof(MIB_UDPROW_OWNER_PID));
MIB_UDPROW_OWNER_PID udpRow = (MIB_UDPROW_OWNER_PID)Marshal.PtrToStructure(tableRowPtr, typeof(MIB_UDPROW_OWNER_PID));
udpTableRecords.Add(new UdpConnectionInfo(
Protocol.UDP,
new IPAddress(udpRow.localAddr),


@ -6,7 +6,7 @@ namespace winPEAS.Info.NetworkInfo.Structs
public struct MIB_UDP6TABLE_OWNER_PID
{
public uint dwNumEntries;
[MarshalAs(UnmanagedType.ByValArray, ArraySubType = UnmanagedType.Struct,SizeConst = 1)]
[MarshalAs(UnmanagedType.ByValArray, ArraySubType = UnmanagedType.Struct, SizeConst = 1)]
public MIB_UDP6ROW_OWNER_PID[] table;
}
}


@ -6,7 +6,7 @@ namespace winPEAS.Info.NetworkInfo.Structs
public struct MIB_UDPTABLE_OWNER_PID
{
public uint dwNumEntries;
[MarshalAs(UnmanagedType.ByValArray, ArraySubType = UnmanagedType.Struct,SizeConst = 1)]
[MarshalAs(UnmanagedType.ByValArray, ArraySubType = UnmanagedType.Struct, SizeConst = 1)]
public MIB_UDPROW_OWNER_PID[] table;
}
}


@ -6,7 +6,6 @@ using System.Linq;
using System.Management;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using winPEAS.Helpers;
@ -33,7 +32,7 @@ namespace winPEAS.Info.ProcessInfo
Proc = p,
Pth = (string)mo["ExecutablePath"],
CommLine = (string)mo["CommandLine"],
Owner = Helpers.HandlesHelper.GetProcU(p)["name"], //Needed inside the next foreach
Owner = HandlesHelper.GetProcU(p)["name"], //Needed inside the next foreach
};
foreach (var itm in queRy)
@ -54,14 +53,16 @@ namespace winPEAS.Info.ProcessInfo
}
if ((string.IsNullOrEmpty(companyName)) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
{
Dictionary<string, string> to_add = new Dictionary<string, string>();
to_add["Name"] = itm.Proc.ProcessName;
to_add["ProcessID"] = itm.Proc.Id.ToString();
to_add["ExecutablePath"] = itm.Pth;
to_add["Product"] = companyName;
to_add["Owner"] = itm.Owner == null ? "" : itm.Owner;
to_add["isDotNet"] = isDotNet;
to_add["CommandLine"] = itm.CommLine;
Dictionary<string, string> to_add = new Dictionary<string, string>
{
["Name"] = itm.Proc.ProcessName,
["ProcessID"] = itm.Proc.Id.ToString(),
["ExecutablePath"] = itm.Pth,
["Product"] = companyName,
["Owner"] = itm.Owner == null ? "" : itm.Owner,
["isDotNet"] = isDotNet,
["CommandLine"] = itm.CommLine
};
f_results.Add(to_add);
}
}
@ -123,11 +124,13 @@ namespace winPEAS.Info.ProcessInfo
string hName = HandlesHelper.GetObjectName(dupHandle);
Dictionary<string, string> to_add = new Dictionary<string, string>();
to_add["Handle Name"] = hName;
to_add["Handle"] = h.HandleValue.ToString() + "(" + typeName + ")";
to_add["Handle Owner"] = "Pid is " + h.UniqueProcessId.ToString() + "(" + origProcInfo.name + ") with owner: " + origProcInfo.userName;
to_add["Reason"] = handlerExp.reason;
Dictionary<string, string> to_add = new Dictionary<string, string>
{
["Handle Name"] = hName,
["Handle"] = h.HandleValue.ToString() + "(" + typeName + ")",
["Handle Owner"] = "Pid is " + h.UniqueProcessId.ToString() + "(" + origProcInfo.name + ") with owner: " + origProcInfo.userName,
["Reason"] = handlerExp.reason
};
if (typeName == "process" || typeName == "thread")
{
@ -177,7 +180,7 @@ namespace winPEAS.Info.ProcessInfo
string sFilePath = fni.FileName;
if (sFilePath.Length == 0)
continue;
List<string> permsFile = PermissionsHelper.GetPermissionsFile(sFilePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
try
{
@ -208,13 +211,13 @@ namespace winPEAS.Info.ProcessInfo
else if (typeName == "key")
{
HandlesHelper.KEY_RELEVANT_INFO kri = HandlesHelper.getKeyHandlerInfo(dupHandle);
if (kri.path.Length == 0 && kri.hive != null && kri.hive.Length> 0)
if (kri.path.Length == 0 && kri.hive != null && kri.hive.Length > 0)
continue;
RegistryKey regKey = Helpers.Registry.RegistryHelper.GetReg(kri.hive, kri.path);
if (regKey == null)
continue;
List<string> permsReg = PermissionsHelper.GetMyPermissionsR(regKey, Checks.Checks.CurrentUserSiDs);
// If current user already have permissions over that reg, handle not interesting to elevate privs
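Review bot: In the new `to_add` initializer of the `-54,14 +53,16` hunk only `Owner` is guarded against null (`itm.Owner == null ? "" : itm.Owner`), while `ExecutablePath` and `CommandLine` are stored exactly as they came out of the `(string)mo["ExecutablePath"]` and `(string)mo["CommandLine"]` casts in the preceding hunk. If WMI leaves those properties null (presumably for processes the caller cannot query), consumers of the dictionary get null for two keys and an empty string for the third. Treating all three the same keeps the result uniform: `["ExecutablePath"] = itm.Pth ?? "",`, `["Owner"] = itm.Owner ?? "",` and `["CommandLine"] = itm.CommLine ?? ""`. The code that reads these values is outside the hunk, so confirm nothing relies on a null there before changing it.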


@ -1,4 +1,5 @@
using System;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
@ -8,10 +9,8 @@ using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.ServiceProcess;
using System.Text.RegularExpressions;
using Microsoft.Win32;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
using winPEAS.KnownFileCreds;
using winPEAS.Native;
namespace winPEAS.Info.ServicesInfo
@ -51,17 +50,18 @@ namespace winPEAS.Info.ServicesInfo
if (string.IsNullOrEmpty(companyName) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
{
Dictionary<string, string> toadd = new Dictionary<string, string>();
toadd["Name"] = GetStringOrEmpty(result["Name"]);
toadd["DisplayName"] = GetStringOrEmpty(result["DisplayName"]);
toadd["CompanyName"] = companyName;
toadd["State"] = GetStringOrEmpty(result["State"]);
toadd["StartMode"] = GetStringOrEmpty(result["StartMode"]);
toadd["PathName"] = GetStringOrEmpty(result["PathName"]);
toadd["FilteredPath"] = binaryPath;
toadd["isDotNet"] = isDotNet;
toadd["Description"] = GetStringOrEmpty(result["Description"]);
Dictionary<string, string> toadd = new Dictionary<string, string>
{
["Name"] = GetStringOrEmpty(result["Name"]),
["DisplayName"] = GetStringOrEmpty(result["DisplayName"]),
["CompanyName"] = companyName,
["State"] = GetStringOrEmpty(result["State"]),
["StartMode"] = GetStringOrEmpty(result["StartMode"]),
["PathName"] = GetStringOrEmpty(result["PathName"]),
["FilteredPath"] = binaryPath,
["isDotNet"] = isDotNet,
["Description"] = GetStringOrEmpty(result["Description"])
};
results.Add(toadd);
}
@ -166,7 +166,7 @@ namespace winPEAS.Info.ServicesInfo
}
return results;
}
public static Dictionary<string, string> GetModifiableServices(Dictionary<string, string> SIDs)
{
Dictionary<string, string> results = new Dictionary<string, string>();
@ -222,7 +222,7 @@ namespace winPEAS.Info.ServicesInfo
{ //https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.commonace?view=net-6.0
int serviceRights = ace.AccessMask;
string current_perm_str = PermissionsHelper.PermInt2Str(serviceRights, PermissionType.WRITEABLE_OR_EQUIVALENT_SVC);
if (!string.IsNullOrEmpty(current_perm_str) && !permissions.Contains(current_perm_str))
permissions.Add(current_perm_str);
}
@ -232,7 +232,7 @@ namespace winPEAS.Info.ServicesInfo
if (permissions.Count > 0)
{
string perms = String.Join(", ", permissions);
if (perms.Replace("Start", "").Replace("Stop","").Length > 3) //Check if any other permissions appart from Start and Stop
if (perms.Replace("Start", "").Replace("Stop", "").Length > 3) //Check if any other permissions appart from Start and Stop
results.Add(sc.ServiceName, perms);
}
@ -249,9 +249,9 @@ namespace winPEAS.Info.ServicesInfo
/////// Find Write reg. Services ////////
//////////////////////////////////////////
/// Find Services which Reg you have write or equivalent access
public static List<Dictionary<string, string>> GetWriteServiceRegs(Dictionary<string,string> NtAccountNames)
public static List<Dictionary<string, string>> GetWriteServiceRegs(Dictionary<string, string> NtAccountNames)
{
List<Dictionary<string,string>> results = new List<Dictionary<string, string>>();
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
try
{
RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services");
@ -275,7 +275,7 @@ namespace winPEAS.Info.ServicesInfo
return results;
}
//////////////////////////////////////
//////// PATH DLL Hijacking /////////
//////////////////////////////////////
@ -294,7 +294,7 @@ namespace winPEAS.Info.ServicesInfo
foreach (string folder in folders)
results[folder] = String.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs));
}
catch (Exception ex)
{
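Review bot: The test `perms.Replace("Start", "").Replace("Stop", "").Length > 3` in the `-232,7 +232,7` hunk decides whether a service grants anything beyond Start and Stop by measuring the leftover length of the joined string, which depends on the `", "` separator and on no other right name containing either substring. Checking the list itself states the intent directly and does not break if the separator or the names change: `if (permissions.Any(p => p != "Start" && p != "Stop"))`. That assumes each entry of `permissions` is a single right name; the output format of `PermInt2Str` is not visible here, so confirm it first. `System.Linq` is already imported at the top of this file section, and the enclosing method starts and ends outside the hunk.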


@ -35,7 +35,7 @@ namespace winPEAS.Info.SystemInfo
{
var configCheck = (int[])result.GetPropertyValue("SecurityServicesConfigured");
var serviceCheck = (int[])result.GetPropertyValue("SecurityServicesRunning");
var configured = false;
var running = false;
@ -56,7 +56,7 @@ namespace winPEAS.Info.SystemInfo
$" Configured: {configured}\n" +
$" Running: {running}",
colors);
}
}
}
@ -68,7 +68,7 @@ namespace winPEAS.Info.SystemInfo
catch (Exception ex)
{
//Beaprint.PrintException(ex.Message);
}
}
}
private static string GetVbsSettingString(uint? vbs)


@ -38,7 +38,7 @@ namespace winPEAS.Info.SystemInfo.DotNet
private static string GetOSVersion()
{
try
{
using (var wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT Version FROM Win32_OperatingSystem"))


@ -1,5 +1,5 @@
using System.Collections.Generic;
using Microsoft.Win32;
using Microsoft.Win32;
using System.Collections.Generic;
using winPEAS.Helpers.Registry;
using winPEAS.Native.Enums;
@ -14,7 +14,7 @@ namespace winPEAS.Info.SystemInfo.GroupPolicy
// local machine GPOs
var basePath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0";
var machineIDs = RegistryHelper.GetRegSubkeys("HKLM", basePath) ?? new string[] { };
foreach (var id in machineIDs)
{
var settings = RegistryHelper.GetRegValues("HKLM", $"{basePath}\\{id}");


@ -3,7 +3,6 @@ using System.IO;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using winPEAS.Native;
using System.Security.Principal;
namespace winPEAS.Info.SystemInfo.NamedPipes
@ -51,7 +50,7 @@ namespace winPEAS.Info.SystemInfo.NamedPipes
{
var security = File.GetAccessControl($"\\\\.\\pipe\\{namedPipe}");
sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
List<string> currentUserPermsList = winPEAS.Helpers.PermissionsHelper.GetMyPermissionsF(security, winPEAS.Checks.Checks.CurrentUserSiDs);
List<string> currentUserPermsList = Helpers.PermissionsHelper.GetMyPermissionsF(security, Checks.Checks.CurrentUserSiDs);
currentUserPerms = string.Join(", ", currentUserPermsList);
}
catch

View File

@ -5,7 +5,7 @@
public uint? LanmanCompatibilityLevel { get; set; }
public string LanmanCompatibilityLevelString
{
{
get
{
switch (LanmanCompatibilityLevel)
@ -25,11 +25,11 @@
public bool ClientRequireSigning { get; set; }
public bool ClientNegotiateSigning { get; set; }
public bool ServerRequireSigning { get; set; }
public bool ServerNegotiateSigning { get; set; }
public bool ServerNegotiateSigning { get; set; }
public uint? LdapSigning { get; set; }
public string LdapSigningString
{
{
get
{
switch (LdapSigning)
@ -44,7 +44,7 @@
}
public uint? NTLMMinClientSec { get; set; }
public uint? NTLMMinServerSec { get; set; }
public uint? NTLMMinServerSec { get; set; }
public uint? InboundRestrictions { get; internal set; }
public string InboundRestrictionsString


@ -8,7 +8,7 @@ namespace winPEAS.Info.SystemInfo.PowerShell
internal class PowerShell
{
public static IEnumerable<PowerShellSessionSettingsInfo> GetPowerShellSessionSettingsInfos()
{
{
var plugins = new[] { "Microsoft.PowerShell", "Microsoft.PowerShell.Workflow", "Microsoft.PowerShell32" };
foreach (var plugin in plugins)
@ -49,6 +49,6 @@ namespace winPEAS.Info.SystemInfo.PowerShell
yield return new PowerShellSessionSettingsInfo(plugin, access);
}
}
}
}
}


@ -11,6 +11,6 @@ namespace winPEAS.Info.SystemInfo.PowerShell
{
Plugin = plugin;
Permissions = permissions;
}
}
}
}


@ -10,14 +10,14 @@ using winPEAS.Native.Enums;
namespace winPEAS.Info.SystemInfo.Printers
{
internal class Printers
{
{
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_INFOS
{
public string Owner;
public RawSecurityDescriptor SecurityDescriptor;
public string SDDL;
}
}
public static IEnumerable<PrinterInfo> GetPrinterWMIInfos()
{

View File

@ -2,7 +2,6 @@
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Text.RegularExpressions;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
@ -14,7 +13,7 @@ namespace winPEAS.Info.SystemInfo.SysMon
public static IEnumerable<SysmonInfo> GetSysMonInfos()
{
var paramsKey = @"SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters";
var paramsKey = @"SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters";
uint? regHashAlg = GetUintNullableFromString(RegistryHelper.GetRegValue("HKLM", paramsKey, "HashingAlgorithm"));
uint? regOptions = GetUintNullableFromString(RegistryHelper.GetRegValue("HKLM", paramsKey, "Options"));
byte[] regSysmonRules = GetBinaryValueFromRegistry(Registry.LocalMachine, paramsKey, "Rules");


@ -13,6 +13,6 @@
HashingAlgorithm = hashingAlgorithm;
Options = options;
Rules = rules;
}
}
}
}


@ -9,7 +9,6 @@ using System.Net.NetworkInformation;
using System.Windows.Forms;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
using winPEAS.KnownFileCreds;
namespace winPEAS.Info.SystemInfo
{
@ -160,7 +159,7 @@ namespace winPEAS.Info.SystemInfo
{
Dictionary<string, string> results = new Dictionary<string, string>();
string whitelistpaths = "";
try
{
var keys = RegistryHelper.GetRegValues("HKLM", @"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths");
@ -188,7 +187,7 @@ namespace winPEAS.Info.SystemInfo
{
results["whitelistpaths"] = " " + whitelistpaths; //Add this info the last
}
return results;
}
@ -342,7 +341,7 @@ namespace winPEAS.Info.SystemInfo
{
var keys = RegistryHelper.GetRegSubkeys("HKLM", @"SOFTWARE\Microsoft\PowerShellCore\InstalledVersions\") ?? new string[] { };
return keys.Select(key =>
return keys.Select(key =>
RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\PowerShellCore\InstalledVersions\" + key, "SemanticVersion"))
.Where(version => version != null).ToList();
}
@ -461,7 +460,7 @@ namespace winPEAS.Info.SystemInfo
if ((settings != null) && (settings.Count != 0))
{
foreach (KeyValuePair<string, object> kvp in settings)
{
{
result[kvp.Key] = (string)kvp.Value;
}
}
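Review bot: The cast `(string)kvp.Value` in the last hunk (the `foreach` over `settings`) throws InvalidCastException for any value that is not a string, and the loop variable is declared as `KeyValuePair<string, object>`. If these values are read from the registry, which the surrounding file suggests but the hunk does not show, a DWORD or binary value would abort the loop and drop the remaining entries. Converting instead of casting, `result[kvp.Key] = string.Format("{0}", kvp.Value);`, keeps every entry and matches the formatting style used elsewhere in this commit. The enclosing method starts and ends outside the hunk.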


@ -1,7 +1,5 @@
using System;
using System.Collections.Generic;
using Microsoft.Win32;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
namespace winPEAS.Info.SystemInfo.WindowsDefender
@ -17,14 +15,14 @@ namespace winPEAS.Info.SystemInfo.WindowsDefender
public WindowsDefenderSettings(string defenderBaseKeyPath)
{
PathExclusions = new List<string>();
var pathExclusionData = RegistryHelper.GetRegValues("HKLM", $"{ defenderBaseKeyPath}\\Exclusions\\Paths");
var pathExclusionData = RegistryHelper.GetRegValues("HKLM", $"{defenderBaseKeyPath}\\Exclusions\\Paths");
if (pathExclusionData != null)
{
foreach (var kvp in pathExclusionData)
{
PathExclusions.Add(kvp.Key);
}
}
}
PolicyManagerPathExclusions = new List<string>();
var excludedPaths = RegistryHelper.GetRegValue("HKLM", $"{defenderBaseKeyPath}\\Policy Manager", "ExcludedPaths");
@ -54,7 +52,7 @@ namespace winPEAS.Info.SystemInfo.WindowsDefender
{
ExtensionExclusions.Add(kvp.Key);
}
}
}
var asrKeyPath = $"{defenderBaseKeyPath}\\Windows Defender Exploit Guard\\ASR";
var asrEnabled = RegistryHelper.GetRegValue("HKLM", asrKeyPath, "ExploitGuard_ASR_Rules");
@ -82,7 +80,7 @@ namespace winPEAS.Info.SystemInfo.WindowsDefender
{
AsrSettings.Exclusions.Add(value.Key);
}
}
}
}
}
}


@ -1,10 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace winPEAS.Info.SystemInfo.WindowsDefender
namespace winPEAS.Info.SystemInfo.WindowsDefender
{
class WindowsDefenderSettingsInfo
{


@ -184,5 +184,5 @@ namespace winPEAS.Info.UserInfo.LogonSessions
}
}
}
}
}
}


@ -43,6 +43,6 @@ namespace winPEAS.Info.UserInfo.LogonSessions
LogonServerDnsDomain = logonServerDnsDomain;
UserPrincipalName = userPrincipalName;
UserSID = userSid;
}
}
}
}


@ -2,7 +2,6 @@
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using winPEAS.Helpers;
using winPEAS.Native;
using winPEAS.Native.Classes;
@ -99,9 +98,9 @@ namespace winPEAS.Info.UserInfo.SAM
yield return us.ToString();
us.Buffer = IntPtr.Zero; // we don't own this one
}
}
}
private static void Check(NTSTATUS err)
{


@ -2,7 +2,6 @@
using System.Collections.Generic;
using System.Net.NetworkInformation;
using System.Security.Principal;
using System.Text.RegularExpressions;
using winPEAS.Helpers;
namespace winPEAS.Info.UserInfo


@ -3,7 +3,6 @@ using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using winPEAS.Helpers;
using winPEAS.Native;
using winPEAS.Native.Structs;


@ -1,7 +1,7 @@
using System;
namespace winPEAS.Info.UserInfo.Token
{
{
[Flags]
public enum LuidAttributes : uint
{


@ -10,7 +10,7 @@ using winPEAS.Native.Enums;
namespace winPEAS.Info.UserInfo.Token
{
internal static class Token
{
{
public static Dictionary<string, string> GetTokenGroupPrivs()
{
// Returns all privileges that the current process/user possesses
@ -36,7 +36,7 @@ namespace winPEAS.Info.UserInfo.Token
Advapi32.LookupPrivilegeName(null, luidPointer, null, ref luidNameLen);
strBuilder.EnsureCapacity(luidNameLen + 1);
if (Advapi32.LookupPrivilegeName(null, luidPointer, strBuilder, ref luidNameLen))
results[strBuilder.ToString()] = $"{(LuidAttributes) laa.Attributes}";
results[strBuilder.ToString()] = $"{(LuidAttributes)laa.Attributes}";
Marshal.FreeHGlobal(luidPointer);
}
}


@ -7,7 +7,6 @@ using System.Management;
using System.Runtime.InteropServices;
using System.Security.Principal;
using winPEAS.Helpers;
using winPEAS.KnownFileCreds;
using winPEAS.Native;
using winPEAS.Native.Structs;
@ -18,7 +17,7 @@ namespace winPEAS.Info.UserInfo
public static List<string> GetMachineUsers(bool onlyActive, bool onlyDisabled, bool onlyLockout, bool onlyAdmins, bool fullInfo)
{
List<string> retList = new List<string>();
try
{
foreach (ManagementObject user in Checks.Checks.Win32Users)
@ -107,7 +106,7 @@ namespace winPEAS.Info.UserInfo
}
}
catch
{
{
//If error, then some error ocurred trying to find a user inside an unexistant domain, check if local user
user = GetUserLocal(sUserName);
}


@ -6,7 +6,6 @@ using System.Windows.Forms;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
using winPEAS.Info.UserInfo.SAM;
using winPEAS.KnownFileCreds;
using winPEAS.Native;
using winPEAS.Native.Enums;
@ -14,12 +13,12 @@ using winPEAS.Native.Enums;
//I have also created the folder Costura32 and Costura64 with the respective Dlls of Colorful.Console
namespace winPEAS.Info.UserInfo
{
{
class UserInfoHelper
{
// https://stackoverflow.com/questions/5247798/get-list-of-local-computer-usernames-in-windows
public static string SID2GroupName(string SID)
{
//Frist, look in well-known SIDs
@ -84,13 +83,13 @@ namespace winPEAS.Info.UserInfo
Beaprint.PrintException(ex.Message);
}
return groupName;
}
}
public static PrincipalContext GetPrincipalContext()
{
PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Machine);
return oPrincipalContext;
}
}
//From Seatbelt
public enum WTS_CONNECTSTATE_CLASS
@ -106,7 +105,7 @@ namespace winPEAS.Info.UserInfo
Down,
Init
}
public static void CloseServer(IntPtr ServerHandle)
{
Wtsapi32.WTSCloseServer(ServerHandle);
@ -145,7 +144,7 @@ namespace winPEAS.Info.UserInfo
[MarshalAs(UnmanagedType.LPStr)]
public String pFarmName;
}
public static IntPtr OpenServer(String Name)
{
IntPtr server = Wtsapi32.WTSOpenServer(Name);
@ -215,7 +214,7 @@ namespace winPEAS.Info.UserInfo
}
return results;
}
// https://stackoverflow.com/questions/31464835/how-to-programmatically-check-the-password-must-meet-complexity-requirements-g
public static List<Dictionary<string, string>> GetPasswordPolicy()
{
@ -247,18 +246,19 @@ namespace winPEAS.Info.UserInfo
Beaprint.GrayPrint(string.Format(" [X] Exception: {0}", ex));
}
return results;
}
}
public static Dictionary<string, string> GetAutoLogon()
{
Dictionary<string, string> results = new Dictionary<string, string>();
results["DefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultDomainName");
results["DefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultUserName");
results["DefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultPassword");
results["AltDefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultDomainName");
results["AltDefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultUserName");
results["AltDefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultPassword");
Dictionary<string, string> results = new Dictionary<string, string>
{
["DefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultDomainName"),
["DefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultUserName"),
["DefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultPassword"),
["AltDefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultDomainName"),
["AltDefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultUserName"),
["AltDefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultPassword")
};
return results;
}
@ -281,7 +281,7 @@ namespace winPEAS.Info.UserInfo
c = $"{Clipboard.GetFileDropList()}";
//else if (Clipboard.ContainsImage()) //No system.Drwing import
//c = string.Format("{0}", Clipboard.GetImage());
//c = string.Format("{0}", Clipboard.GetImage());
}
catch (Exception ex)
{
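Review bot: In `GetAutoLogon` the Winlogon key path is repeated in all six entries of the new collection initializer, which makes the lines long and lets one copy drift from the others unnoticed. Hoisting it into a local, `const string winlogonKey = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon";`, and passing `winlogonKey` to each `RegistryHelper.GetRegValue` call keeps the initializer readable. A one-line comment on the method noting that `DefaultPassword` and `AltDefaultPassword` are returned as read from the registry would also tell callers that the dictionary may hold a clear-text secret.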


@ -29,6 +29,6 @@
AllowSmartCardRedirection = allowSmartCardRedirection;
BlockPnPDeviceRedirection = blockPnPDeviceRedirection;
BlockPrinterRedirection = blockPrinterRedirection;
}
}
}
}


@ -15,7 +15,7 @@ namespace winPEAS.InterestingFiles
try
{
string allUsers = System.Environment.GetEnvironmentVariable("ALLUSERSPROFILE");
string allUsers = Environment.GetEnvironmentVariable("ALLUSERSPROFILE");
if (!allUsers.Contains("ProgramData"))
{
@ -225,11 +225,13 @@ namespace winPEAS.InterestingFiles
Changed = "[BLANK]";
}
results[file] = new Dictionary<string, string>();
results[file]["UserName"] = UserName;
results[file]["NewName"] = NewName;
results[file]["cPassword"] = cPassword;
results[file]["Changed"] = Changed;
results[file] = new Dictionary<string, string>
{
["UserName"] = UserName,
["NewName"] = NewName,
["cPassword"] = cPassword,
["Changed"] = Changed
};
}
}
catch (Exception ex)


@ -9,9 +9,9 @@ using winPEAS.Helpers.Search;
namespace winPEAS.InterestingFiles
{
internal static class InterestingFiles
{
{
public static List<string> GetSAMBackups()
{
{
//From SharpUP
var results = new List<string>();
@ -28,7 +28,7 @@ namespace winPEAS.InterestingFiles
$@"{systemRoot}\System32\config\RegBack\SYSTEM",
};
results.AddRange(searchLocations.Where(searchLocation => System.IO.File.Exists(searchLocation)));
results.AddRange(searchLocations.Where(searchLocation => File.Exists(searchLocation)));
}
catch (Exception ex)
{
@ -40,7 +40,7 @@ namespace winPEAS.InterestingFiles
public static List<string> GetLinuxShells()
{
var results = new List<string>();
try
{
string drive = Environment.GetEnvironmentVariable("SystemDrive");
@ -90,7 +90,7 @@ namespace winPEAS.InterestingFiles
Beaprint.GrayPrint("Error: " + ex);
}
return results;
}
}
public static List<Dictionary<string, string>> GetRecycleBin()
{
@ -102,7 +102,7 @@ namespace winPEAS.InterestingFiles
// Reference: https://stackoverflow.com/questions/18071412/list-filenames-in-the-recyclebin-with-c-sharp-without-using-any-external-files
int lastDays = 30;
var startTime = System.DateTime.Now.AddDays(-lastDays);
var startTime = DateTime.Now.AddDays(-lastDays);
// Shell COM object GUID
Type shell = Type.GetTypeFromCLSID(new Guid("13709620-C279-11CE-A49E-444553540000"));


@ -40,7 +40,7 @@ namespace winPEAS.InterestingFiles
try
{
var winDir = System.Environment.GetEnvironmentVariable("windir");
var winDir = Environment.GetEnvironmentVariable("windir");
string[] searchLocations =
{
$"{winDir}\\sysprep\\sysprep.xml",
@ -56,7 +56,7 @@ namespace winPEAS.InterestingFiles
$"{winDir}\\..\\unattend.inf",
};
results.AddRange(searchLocations.Where(System.IO.File.Exists));
results.AddRange(searchLocations.Where(File.Exists));
}
catch (Exception ex)
{


@ -10,7 +10,7 @@ namespace winPEAS.KnownFileCreds.Browsers
public abstract string Name { get; }
public abstract IEnumerable<CredentialModel> GetSavedCredentials();
public abstract void PrintInfo();
public virtual void PrintSavedCredentials()
{


@ -9,9 +9,9 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
/// Firefox helper class
/// </summary>
static class FFDecryptor
{
{
static IntPtr NSS3;
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate long DLLFunctionDelegate(string configdir);


@ -1,10 +1,4 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace winPEAS.KnownFileCreds.Browsers.Firefox
namespace winPEAS.KnownFileCreds.Browsers.Firefox
{
class FFLogins
{


@ -5,7 +5,7 @@ namespace winPEAS.KnownFileCreds.Browsers
{
internal interface IBrowser
{
string Name { get; }
string Name { get; }
void PrintInfo();
IEnumerable<CredentialModel> GetSavedCredentials();
}


@ -1,7 +1,7 @@
using System;
namespace winPEAS.KnownFileCreds.Kerberos
{
{
public enum KERB_ENCRYPTION_TYPE : UInt32
{
reserved0 = 0,


@ -29,7 +29,7 @@ namespace winPEAS.KnownFileCreds.Kerberos
}
catch (Exception e)
{
}
}
return lsaHandle;
}
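Review bot: The `catch (Exception e)` block before `return lsaHandle;` is empty, so any failure while obtaining the handle is discarded and the caller receives whatever `lsaHandle` held at that point. The exception should at least be reported, for example `Beaprint.PrintException(e.Message);` as other files in this commit do (this assumes `winPEAS.Helpers` is imported in this file). A comment stating which value callers get on failure would help as well. The method starts outside the hunk, so the initial value of `lsaHandle` is not visible here.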


@ -1,4 +1,5 @@
using System;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
@ -6,14 +7,13 @@ using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.Win32;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
namespace winPEAS.KnownFileCreds
{
static class KnownFileCredsInfo
{
{
public static Dictionary<string, object> GetRecentRunCommands()
{
Dictionary<string, object> results = new Dictionary<string, object>();
@ -34,7 +34,7 @@ namespace winPEAS.KnownFileCreds
results = RegistryHelper.GetRegValues("HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU");
}
return results;
}
}
public static List<Dictionary<string, string>> ListCloudCreds()
{
@ -76,7 +76,7 @@ namespace winPEAS.KnownFileCreds
else
{
var currentUserDir = Environment.GetEnvironmentVariable("USERPROFILE");
userDirs = new List<string>{ currentUserDir };
userDirs = new List<string> { currentUserDir };
}
foreach (var userDir in userDirs)
@ -107,7 +107,7 @@ namespace winPEAS.KnownFileCreds
DateTime lastModified = File.GetLastWriteTime(filePath);
long size = new FileInfo(filePath).Length;
results?.Add(new Dictionary<string, string>
results?.Add(new Dictionary<string, string>
{
{ "file", filePath },
{ "Description", description },
@ -123,7 +123,7 @@ namespace winPEAS.KnownFileCreds
// parses recent file shortcuts via COM
List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
int lastDays = 7;
DateTime startTime = System.DateTime.Now.AddDays(-lastDays);
DateTime startTime = DateTime.Now.AddDays(-lastDays);
try
{
@ -145,31 +145,34 @@ namespace winPEAS.KnownFileCreds
string recentPath = string.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\", dir);
try
{
string[] recentFiles = Directory.EnumerateFiles(recentPath, "*.lnk", SearchOption.AllDirectories).ToArray();
if (recentFiles.Length != 0)
if (Directory.Exists(recentPath))
{
Console.WriteLine(" {0} :\r\n", userName);
foreach (string recentFile in recentFiles)
string[] recentFiles = Directory.EnumerateFiles(recentPath, "*.lnk", SearchOption.AllDirectories).ToArray();
if (recentFiles.Length != 0)
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(recentFile);
if (lastAccessed > startTime)
Console.WriteLine(" {0} :\r\n", userName);
foreach (string recentFile in recentFiles)
{
// invoke the WshShell com object, creating a shortcut to then extract the TargetPath from
Object shortcut = shellObj.GetType().InvokeMember("CreateShortcut", BindingFlags.InvokeMethod, null, shellObj, new object[] { recentFile });
Object TargetPath = shortcut.GetType().InvokeMember("TargetPath", BindingFlags.GetProperty, null, shortcut, new object[] { });
DateTime lastAccessed = File.GetLastAccessTime(recentFile);
if (TargetPath.ToString().Trim() != "")
if (lastAccessed > startTime)
{
results.Add(new Dictionary<string, string>()
// invoke the WshShell com object, creating a shortcut to then extract the TargetPath from
Object shortcut = shellObj.GetType().InvokeMember("CreateShortcut", BindingFlags.InvokeMethod, null, shellObj, new object[] { recentFile });
Object TargetPath = shortcut.GetType().InvokeMember("TargetPath", BindingFlags.GetProperty, null, shortcut, new object[] { });
if (TargetPath.ToString().Trim() != "")
{
results.Add(new Dictionary<string, string>()
{
{ "Target", TargetPath.ToString() },
{ "Accessed", string.Format("{0}", lastAccessed) }
});
}
Marshal.ReleaseComObject(shortcut);
shortcut = null;
}
Marshal.ReleaseComObject(shortcut);
shortcut = null;
}
}
}
@ -180,33 +183,35 @@ namespace winPEAS.KnownFileCreds
}
else
{
string recentPath = string.Format("{0}\\Microsoft\\Windows\\Recent\\", System.Environment.GetEnvironmentVariable("APPDATA"));
var recentFiles = Directory.EnumerateFiles(recentPath, "*.lnk", SearchOption.AllDirectories);
foreach (string recentFile in recentFiles)
string recentPath = string.Format("{0}\\Microsoft\\Windows\\Recent\\", Environment.GetEnvironmentVariable("APPDATA"));
if (Directory.Exists(recentPath))
{
// old method (needed interop dll)
//WshShell shell = new WshShell();
//IWshShortcut shortcut = (IWshShortcut)shell.CreateShortcut(recentFile);
var recentFiles = Directory.EnumerateFiles(recentPath, "*.lnk", SearchOption.AllDirectories);
DateTime lastAccessed = System.IO.File.GetLastAccessTime(recentFile);
if (lastAccessed > startTime)
foreach (string recentFile in recentFiles)
{
// invoke the WshShell com object, creating a shortcut to then extract the TargetPath from
Object shortcut = shellObj.GetType().InvokeMember("CreateShortcut", BindingFlags.InvokeMethod, null, shellObj, new object[] { recentFile });
Object TargetPath = shortcut.GetType().InvokeMember("TargetPath", BindingFlags.GetProperty, null, shortcut, new object[] { });
if (TargetPath.ToString().Trim() != "")
// old method (needed interop dll)
//WshShell shell = new WshShell();
//IWshShortcut shortcut = (IWshShortcut)shell.CreateShortcut(recentFile);
DateTime lastAccessed = File.GetLastAccessTime(recentFile);
if (lastAccessed > startTime)
{
results.Add(new Dictionary<string, string>()
// invoke the WshShell com object, creating a shortcut to then extract the TargetPath from
Object shortcut = shellObj.GetType().InvokeMember("CreateShortcut", BindingFlags.InvokeMethod, null, shellObj, new object[] { recentFile });
Object TargetPath = shortcut.GetType().InvokeMember("TargetPath", BindingFlags.GetProperty, null, shortcut, new object[] { });
if (TargetPath.ToString().Trim() != "")
{
results.Add(new Dictionary<string, string>()
{
{ "Target", TargetPath.ToString() },
{ "Accessed", string.Format("{0}", lastAccessed) }
});
}
Marshal.ReleaseComObject(shortcut);
shortcut = null;
}
Marshal.ReleaseComObject(shortcut);
shortcut = null;
}
}
}
@ -237,13 +242,15 @@ namespace winPEAS.KnownFileCreds
string userName = parts[parts.Length - 1];
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{
List<string> userDPAPIBasePaths = new List<string>();
userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
List<string> userDPAPIBasePaths = new List<string>
{
string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE")),
string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE"))
};
foreach (string userDPAPIBasePath in userDPAPIBasePaths)
{
if (System.IO.Directory.Exists(userDPAPIBasePath))
if (Directory.Exists(userDPAPIBasePath))
{
var directories = Directory.EnumerateDirectories(userDPAPIBasePath);
foreach (string directory in directories)
@ -254,9 +261,9 @@ namespace winPEAS.KnownFileCreds
{
if (Regex.IsMatch(file, @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}"))
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
string fileName = System.IO.Path.GetFileName(file);
DateTime lastAccessed = File.GetLastAccessTime(file);
DateTime lastModified = File.GetLastWriteTime(file);
string fileName = Path.GetFileName(file);
results.Add(new Dictionary<string, string>()
{
{ "MasterKey", file },
@ -274,13 +281,15 @@ namespace winPEAS.KnownFileCreds
else
{
string userName = Environment.GetEnvironmentVariable("USERNAME");
List<string> userDPAPIBasePaths = new List<string>();
userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
foreach (string userDPAPIBasePath in userDPAPIBasePaths)
List<string> userDPAPIBasePaths = new List<string>
{
if (System.IO.Directory.Exists(userDPAPIBasePath))
string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE")),
string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE"))
};
foreach (string userDPAPIBasePath in userDPAPIBasePaths)
{
if (Directory.Exists(userDPAPIBasePath))
{
var directories = Directory.EnumerateDirectories(userDPAPIBasePath);
foreach (string directory in directories)
@ -291,9 +300,9 @@ namespace winPEAS.KnownFileCreds
{
if (Regex.IsMatch(file, @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}"))
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
string fileName = System.IO.Path.GetFileName(file);
DateTime lastAccessed = File.GetLastAccessTime(file);
DateTime lastModified = File.GetLastWriteTime(file);
string fileName = Path.GetFileName(file);
results.Add(new Dictionary<string, string>()
{
{ "MasterKey", file },
@ -331,23 +340,25 @@ namespace winPEAS.KnownFileCreds
string userName = parts[parts.Length - 1];
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{
List<string> userCredFilePaths = new List<string>();
userCredFilePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", dir));
userCredFilePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", dir));
List<string> userCredFilePaths = new List<string>
{
string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", dir),
string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", dir)
};
foreach (string userCredFilePath in userCredFilePaths)
{
if (System.IO.Directory.Exists(userCredFilePath))
if (Directory.Exists(userCredFilePath))
{
var systemFiles = Directory.EnumerateFiles(userCredFilePath);
if ((systemFiles != null))
{
foreach (string file in systemFiles)
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
long size = new System.IO.FileInfo(file).Length;
string fileName = System.IO.Path.GetFileName(file);
DateTime lastAccessed = File.GetLastAccessTime(file);
DateTime lastModified = File.GetLastWriteTime(file);
long size = new FileInfo(file).Length;
string fileName = Path.GetFileName(file);
// jankily parse the bytes to extract the credential type and master key GUID
// reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
@ -381,49 +392,54 @@ namespace winPEAS.KnownFileCreds
}
string systemFolder = string.Format("{0}\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials", Environment.GetEnvironmentVariable("SystemRoot"));
var files = Directory.EnumerateFiles(systemFolder);
if ((files != null))
if (Directory.Exists(systemFolder))
{
foreach (string file in files)
var files = Directory.EnumerateFiles(systemFolder);
if ((files != null))
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
long size = new System.IO.FileInfo(file).Length;
string fileName = System.IO.Path.GetFileName(file);
// jankily parse the bytes to extract the credential type and master key GUID
// reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
byte[] credentialArray = File.ReadAllBytes(file);
byte[] guidMasterKeyArray = new byte[16];
Array.Copy(credentialArray, 36, guidMasterKeyArray, 0, 16);
Guid guidMasterKey = new Guid(guidMasterKeyArray);
byte[] stringLenArray = new byte[16];
Array.Copy(credentialArray, 56, stringLenArray, 0, 4);
int descLen = BitConverter.ToInt32(stringLenArray, 0);
byte[] descBytes = new byte[descLen];
Array.Copy(credentialArray, 60, descBytes, 0, descLen - 4);
string desc = Encoding.Unicode.GetString(descBytes);
results.Add(new Dictionary<string, string>()
foreach (string file in files)
{
{ "CredFile", file },
{ "Description", desc },
{ "MasterKey", string.Format("{0}", guidMasterKey) },
{ "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", string.Format("{0}", lastModified) },
{ "Size", string.Format("{0}", size) },
});
DateTime lastAccessed = File.GetLastAccessTime(file);
DateTime lastModified = File.GetLastWriteTime(file);
long size = new System.IO.FileInfo(file).Length;
string fileName = Path.GetFileName(file);
// jankily parse the bytes to extract the credential type and master key GUID
// reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
byte[] credentialArray = File.ReadAllBytes(file);
byte[] guidMasterKeyArray = new byte[16];
Array.Copy(credentialArray, 36, guidMasterKeyArray, 0, 16);
Guid guidMasterKey = new Guid(guidMasterKeyArray);
byte[] stringLenArray = new byte[16];
Array.Copy(credentialArray, 56, stringLenArray, 0, 4);
int descLen = BitConverter.ToInt32(stringLenArray, 0);
byte[] descBytes = new byte[descLen];
Array.Copy(credentialArray, 60, descBytes, 0, descLen - 4);
string desc = Encoding.Unicode.GetString(descBytes);
results.Add(new Dictionary<string, string>()
{
{ "CredFile", file },
{ "Description", desc },
{ "MasterKey", string.Format("{0}", guidMasterKey) },
{ "Accessed", string.Format("{0}", lastAccessed) },
{ "Modified", string.Format("{0}", lastModified) },
{ "Size", string.Format("{0}", size) },
});
}
}
}
}
else
{
string userName = Environment.GetEnvironmentVariable("USERNAME");
List<string> userCredFilePaths = new List<string>();
userCredFilePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
userCredFilePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
List<string> userCredFilePaths = new List<string>
{
string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", Environment.GetEnvironmentVariable("USERPROFILE")),
string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", Environment.GetEnvironmentVariable("USERPROFILE"))
};
foreach (string userCredFilePath in userCredFilePaths)
{
@ -433,10 +449,10 @@ namespace winPEAS.KnownFileCreds
foreach (string file in files)
{
DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
DateTime lastModified = System.IO.File.GetLastWriteTime(file);
DateTime lastAccessed = File.GetLastAccessTime(file);
DateTime lastModified = File.GetLastWriteTime(file);
long size = new System.IO.FileInfo(file).Length;
string fileName = System.IO.Path.GetFileName(file);
string fileName = Path.GetFileName(file);
// jankily parse the bytes to extract the credential type and master key GUID
// reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
@ -472,6 +488,6 @@ namespace winPEAS.KnownFileCreds
Beaprint.PrintException(ex.Message);
}
return results;
}
}
}
}
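Review bot: The credential-file parsing that this commit re-indents under `if (Directory.Exists(systemFolder))` trusts lengths read from the file: `Array.Copy(credentialArray, 36, ...)` and the copy at offset 56 assume at least 60 bytes, and `descLen` from `BitConverter.ToInt32` sizes `new byte[descLen]` and the final copy with no range check. A truncated or malformed file therefore throws inside the `foreach`, and the only handler visible is the one at the end of the method, so the remaining files would be skipped. Two guards would contain this: `if (credentialArray.Length < 60) { continue; }` after `File.ReadAllBytes`, and `if (descLen < 4 || descLen - 4 > credentialArray.Length - 60) { continue; }` before allocating `descBytes`. The per-user branches carry the same "jankily parse the bytes" comment, and their parsing code lies outside the hunks, so they likely need the same checks.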


@ -1,6 +1,6 @@
using System;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using Microsoft.Win32;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
@ -20,7 +20,7 @@ namespace winPEAS.KnownFileCreds
try
{
Beaprint.MainPrint("Putty Sessions");
List<Dictionary<string, string>> putty_sess = Putty.GetPuttySessions();
List<Dictionary<string, string>> putty_sess = GetPuttySessions();
Dictionary<string, string> colorF = new Dictionary<string, string>()
{
@ -39,7 +39,7 @@ namespace winPEAS.KnownFileCreds
try
{
Beaprint.MainPrint("Putty SSH Host keys");
List<Dictionary<string, string>> putty_sess = Putty.ListPuttySSHHostKeys();
List<Dictionary<string, string>> putty_sess = ListPuttySSHHostKeys();
Dictionary<string, string> colorF = new Dictionary<string, string>()
{
{ ".*", Beaprint.ansi_color_bad },
@ -182,8 +182,10 @@ namespace winPEAS.KnownFileCreds
Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\", SID));
if ((hostKeys != null) && (hostKeys.Count != 0))
{
Dictionary<string, string> putty_ssh = new Dictionary<string, string>();
putty_ssh["UserSID"] = SID;
Dictionary<string, string> putty_ssh = new Dictionary<string, string>
{
["UserSID"] = SID
};
foreach (KeyValuePair<string, object> kvp in hostKeys)
{
putty_ssh[kvp.Key] = ""; //Looks like only matters the key name, not the value


@ -1,8 +1,8 @@
using System;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using Microsoft.Win32;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
@ -77,7 +77,7 @@ namespace winPEAS.KnownFileCreds
if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
{
string userRDManFile = string.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", dir);
if (System.IO.File.Exists(userRDManFile))
if (File.Exists(userRDManFile))
{
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(userRDManFile);
@ -87,8 +87,8 @@ namespace winPEAS.KnownFileCreds
XmlNodeList items = filesToOpen[0].ChildNodes;
XmlNode node = items[0];
DateTime lastAccessed = System.IO.File.GetLastAccessTime(userRDManFile);
DateTime lastModified = System.IO.File.GetLastWriteTime(userRDManFile);
DateTime lastAccessed = File.GetLastAccessTime(userRDManFile);
DateTime lastModified = File.GetLastWriteTime(userRDManFile);
Dictionary<string, string> rdg = new Dictionary<string, string>(){
{ "RDCManFile", userRDManFile },
{ "Accessed", string.Format("{0}", lastAccessed) },
@ -107,9 +107,9 @@ namespace winPEAS.KnownFileCreds
else
{
string userName = Environment.GetEnvironmentVariable("USERNAME");
string userRDManFile = string.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", System.Environment.GetEnvironmentVariable("USERPROFILE"));
string userRDManFile = string.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", Environment.GetEnvironmentVariable("USERPROFILE"));
if (System.IO.File.Exists(userRDManFile))
if (File.Exists(userRDManFile))
{
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.Load(userRDManFile);
@ -119,8 +119,8 @@ namespace winPEAS.KnownFileCreds
XmlNodeList items = filesToOpen[0].ChildNodes;
XmlNode node = items[0];
DateTime lastAccessed = System.IO.File.GetLastAccessTime(userRDManFile);
DateTime lastModified = System.IO.File.GetLastWriteTime(userRDManFile);
DateTime lastAccessed = File.GetLastAccessTime(userRDManFile);
DateTime lastModified = File.GetLastWriteTime(userRDManFile);
Dictionary<string, string> rdg = new Dictionary<string, string>(){
{ "RDCManFile", userRDManFile },
{ "Accessed", string.Format("{0}", lastAccessed) },
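Review bot: `xmlDoc.Load(userRDManFile)` parses a settings file taken from a user profile with a default-constructed `XmlDocument`, and nothing in these hunks disables DTD processing. On .NET Framework targets older than 4.5.2 the default resolver follows external entities, so the parser's behaviour depends on the build target while the file's content is controlled by whichever user owns that profile. Setting `xmlDoc.XmlResolver = null;` before both `Load` calls makes the safe behaviour explicit. `filesToOpen[0]` and `items[0]` are also indexed without a count check that is visible here; the methods start outside the hunks, so that check may exist above.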


@ -9,6 +9,6 @@
{
Version = version;
Hash = hash;
}
}
}
}


@ -2,7 +2,7 @@
using System.Runtime.InteropServices;
namespace winPEAS.KnownFileCreds.SecurityPackages
{
{
[StructLayout(LayoutKind.Sequential)]
public struct SecBuffer : IDisposable
{


@ -8,7 +8,7 @@ using winPEAS.Native;
namespace winPEAS.KnownFileCreds.SecurityPackages
{
internal class SecurityPackages
{
{
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_INTEGER
{
@ -30,7 +30,7 @@ namespace winPEAS.KnownFileCreds.SecurityPackages
if (cred != null)
{
yield return cred;
}
}
}
private static NtlmHashInfo GetNtlmCredentialsInternal(string challenge, bool disableESS)
@ -142,7 +142,7 @@ namespace winPEAS.KnownFileCreds.SecurityPackages
return ParseNTResponse(clientTokenBytes, challenge);
}
else if (result == SEC_E_NO_CREDENTIALS)
{
{
return null;
}
else if (disableESS)
@ -209,7 +209,7 @@ namespace winPEAS.KnownFileCreds.SecurityPackages
{
return new NtlmHashInfo(
"NetNTLMv2",
FormatNetNtlmV2Hash(challenge, user, domain, SubArray(nt_resp, 0, 16), SubArray(nt_resp,16, nt_resp.Length - 16))
FormatNetNtlmV2Hash(challenge, user, domain, SubArray(nt_resp, 0, 16), SubArray(nt_resp, 16, nt_resp.Length - 16))
);
}
else
@ -253,7 +253,7 @@ namespace winPEAS.KnownFileCreds.SecurityPackages
private static string ByteArrayToString(byte[] ba)
{
var hex = new StringBuilder(ba.Length * 2);
foreach (var b in ba)
{
hex.AppendFormat("{0:x2}", b);


@ -15,7 +15,7 @@ namespace winPEAS.KnownFileCreds.SuperPutty
private static void PrintConfigurationFiles()
{
Beaprint.MainPrint("SuperPutty configuration files");
var dirs = User.GetUsersFolders();
var filter = "sessions*.xml";
@ -24,11 +24,14 @@ namespace winPEAS.KnownFileCreds.SuperPutty
try
{
var path = $"{dir}\\Documents\\SuperPuTTY\\";
var files = Directory.EnumerateFiles(path, filter, SearchOption.TopDirectoryOnly);
foreach (var file in files)
if (Directory.Exists(path))
{
Beaprint.BadPrint($" {file}");
var files = Directory.EnumerateFiles(path, filter, SearchOption.TopDirectoryOnly);
foreach (var file in files)
{
Beaprint.BadPrint($" {file}");
}
}
}
catch (Exception)
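Review bot: `Directory.Exists(path)` returns false both when the SuperPuTTY folder is absent and when the current user cannot read it, so with this guard an unreadable profile is skipped without reaching the `catch` at all. If that is intended, a comment above the guard would make it explicit, e.g. `// Exists() is also false on access denied; such profiles are skipped silently`. The path is still built by interpolation; `Path.Combine(dir, "Documents", "SuperPuTTY")` avoids depending on how `dir` is terminated. The `try` block and its `catch (Exception)` handler continue outside the hunk, so what the handler does with other failures is not visible here.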


@ -45,16 +45,18 @@ namespace winPEAS.KnownFileCreds.Vault
// Create dictionary to translate Guids to human readable elements
IntPtr guidAddress = vaultGuidPtr;
Dictionary<Guid, string> vaultSchema = new Dictionary<Guid, string>();
vaultSchema.Add(new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note");
vaultSchema.Add(new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential");
vaultSchema.Add(new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector");
vaultSchema.Add(new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials");
vaultSchema.Add(new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials");
vaultSchema.Add(new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential");
vaultSchema.Add(new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential");
vaultSchema.Add(new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential");
vaultSchema.Add(new Guid("00000000-0000-0000-0000-000000000000"), null);
Dictionary<Guid, string> vaultSchema = new Dictionary<Guid, string>
{
{ new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note" },
{ new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential" },
{ new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector" },
{ new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials" },
{ new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials" },
{ new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential" },
{ new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential" },
{ new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential" },
{ new Guid("00000000-0000-0000-0000-000000000000"), null }
};
for (int i = 0; i < vaultCount; i++)
{
@ -167,7 +169,7 @@ namespace winPEAS.KnownFileCreds.Vault
vault_cred["PacakgeSid"] = string.Format("{0}", packageSid);
}
vault_cred["Credential"] = string.Format("{0}", cred);
vault_cred["Last Modified"] = string.Format("{0}", System.DateTime.FromFileTimeUtc((long)lastModified));
vault_cred["Last Modified"] = string.Format("{0}", DateTime.FromFileTimeUtc((long)lastModified));
results.Add(vault_cred);
}
}
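Review bot: The unchanged line in the second hunk writes the key `"PacakgeSid"`, which looks like a misspelling of `PackageSid`, and a cleanup pass is a natural place to correct it: `vault_cred["PackageSid"] = string.Format("{0}", packageSid);`. Whether any printer or consumer reads that key by name is not visible here, so check that before renaming. In the first hunk the all-zero entry can be written `{ Guid.Empty, null }`, and since the schema table is constant it could be a `static readonly` field rather than being rebuilt on each call. The enclosing method starts and ends outside both hunks.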


@ -1,15 +1,14 @@
using System;
using System.Runtime.InteropServices;
using winPEAS.Native.Enums;
using winPEAS.TaskScheduler.TaskEditor.Native;
namespace winPEAS.Native.Classes
{
public partial class SafeTokenHandle : Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid
{
private const Int32 ERROR_NO_TOKEN = 0x000003F0;
private const Int32 ERROR_INSUFFICIENT_BUFFER = 122;
private static SafeTokenHandle currentProcessToken = null;
public partial class SafeTokenHandle : Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid
{
private const Int32 ERROR_NO_TOKEN = 0x000003F0;
private const Int32 ERROR_INSUFFICIENT_BUFFER = 122;
private static SafeTokenHandle currentProcessToken = null;
private SafeTokenHandle() : base(true) { }
@ -20,102 +19,102 @@ namespace winPEAS.Native.Classes
protected override bool ReleaseHandle() => Kernel32.CloseHandle(handle);
public T GetInfo<T>(TOKEN_INFORMATION_CLASS type)
{
int cbSize = Marshal.SizeOf(typeof(T));
IntPtr pType = Marshal.AllocHGlobal(cbSize);
public T GetInfo<T>(TOKEN_INFORMATION_CLASS type)
{
int cbSize = Marshal.SizeOf(typeof(T));
IntPtr pType = Marshal.AllocHGlobal(cbSize);
try
{
// Retrieve token information.
if (!Advapi32.GetTokenInformation(this, type, pType, cbSize, out cbSize))
throw new System.ComponentModel.Win32Exception();
try
{
// Retrieve token information.
if (!Advapi32.GetTokenInformation(this, type, pType, cbSize, out cbSize))
throw new System.ComponentModel.Win32Exception();
// Marshal from native to .NET.
switch (type)
{
case TOKEN_INFORMATION_CLASS.TokenType:
case TOKEN_INFORMATION_CLASS.TokenImpersonationLevel:
case TOKEN_INFORMATION_CLASS.TokenSessionId:
case TOKEN_INFORMATION_CLASS.TokenSandBoxInert:
case TOKEN_INFORMATION_CLASS.TokenOrigin:
case TOKEN_INFORMATION_CLASS.TokenElevationType:
case TOKEN_INFORMATION_CLASS.TokenHasRestrictions:
case TOKEN_INFORMATION_CLASS.TokenUIAccess:
case TOKEN_INFORMATION_CLASS.TokenVirtualizationAllowed:
case TOKEN_INFORMATION_CLASS.TokenVirtualizationEnabled:
return (T)Convert.ChangeType(Marshal.ReadInt32(pType), typeof(T));
// Marshal from native to .NET.
switch (type)
{
case TOKEN_INFORMATION_CLASS.TokenType:
case TOKEN_INFORMATION_CLASS.TokenImpersonationLevel:
case TOKEN_INFORMATION_CLASS.TokenSessionId:
case TOKEN_INFORMATION_CLASS.TokenSandBoxInert:
case TOKEN_INFORMATION_CLASS.TokenOrigin:
case TOKEN_INFORMATION_CLASS.TokenElevationType:
case TOKEN_INFORMATION_CLASS.TokenHasRestrictions:
case TOKEN_INFORMATION_CLASS.TokenUIAccess:
case TOKEN_INFORMATION_CLASS.TokenVirtualizationAllowed:
case TOKEN_INFORMATION_CLASS.TokenVirtualizationEnabled:
return (T)Convert.ChangeType(Marshal.ReadInt32(pType), typeof(T));
case TOKEN_INFORMATION_CLASS.TokenLinkedToken:
return (T)Convert.ChangeType(Marshal.ReadIntPtr(pType), typeof(T));
case TOKEN_INFORMATION_CLASS.TokenLinkedToken:
return (T)Convert.ChangeType(Marshal.ReadIntPtr(pType), typeof(T));
case TOKEN_INFORMATION_CLASS.TokenUser:
case TOKEN_INFORMATION_CLASS.TokenGroups:
case TOKEN_INFORMATION_CLASS.TokenPrivileges:
case TOKEN_INFORMATION_CLASS.TokenOwner:
case TOKEN_INFORMATION_CLASS.TokenPrimaryGroup:
case TOKEN_INFORMATION_CLASS.TokenDefaultDacl:
case TOKEN_INFORMATION_CLASS.TokenSource:
case TOKEN_INFORMATION_CLASS.TokenStatistics:
case TOKEN_INFORMATION_CLASS.TokenRestrictedSids:
case TOKEN_INFORMATION_CLASS.TokenGroupsAndPrivileges:
case TOKEN_INFORMATION_CLASS.TokenElevation:
case TOKEN_INFORMATION_CLASS.TokenAccessInformation:
case TOKEN_INFORMATION_CLASS.TokenIntegrityLevel:
case TOKEN_INFORMATION_CLASS.TokenMandatoryPolicy:
case TOKEN_INFORMATION_CLASS.TokenLogonSid:
return (T)Marshal.PtrToStructure(pType, typeof(T));
case TOKEN_INFORMATION_CLASS.TokenUser:
case TOKEN_INFORMATION_CLASS.TokenGroups:
case TOKEN_INFORMATION_CLASS.TokenPrivileges:
case TOKEN_INFORMATION_CLASS.TokenOwner:
case TOKEN_INFORMATION_CLASS.TokenPrimaryGroup:
case TOKEN_INFORMATION_CLASS.TokenDefaultDacl:
case TOKEN_INFORMATION_CLASS.TokenSource:
case TOKEN_INFORMATION_CLASS.TokenStatistics:
case TOKEN_INFORMATION_CLASS.TokenRestrictedSids:
case TOKEN_INFORMATION_CLASS.TokenGroupsAndPrivileges:
case TOKEN_INFORMATION_CLASS.TokenElevation:
case TOKEN_INFORMATION_CLASS.TokenAccessInformation:
case TOKEN_INFORMATION_CLASS.TokenIntegrityLevel:
case TOKEN_INFORMATION_CLASS.TokenMandatoryPolicy:
case TOKEN_INFORMATION_CLASS.TokenLogonSid:
return (T)Marshal.PtrToStructure(pType, typeof(T));
case TOKEN_INFORMATION_CLASS.TokenSessionReference:
case TOKEN_INFORMATION_CLASS.TokenAuditPolicy:
default:
return default(T);
}
}
finally
{
Marshal.FreeHGlobal(pType);
}
}
case TOKEN_INFORMATION_CLASS.TokenSessionReference:
case TOKEN_INFORMATION_CLASS.TokenAuditPolicy:
default:
return default(T);
}
}
finally
{
Marshal.FreeHGlobal(pType);
}
}
public static SafeTokenHandle FromCurrentProcess(AccessTypes desiredAccess = AccessTypes.TokenDuplicate)
{
lock (currentProcessToken)
{
if (currentProcessToken == null)
currentProcessToken = FromProcess(Kernel32.GetCurrentProcess(), desiredAccess);
return currentProcessToken;
}
}
public static SafeTokenHandle FromCurrentProcess(AccessTypes desiredAccess = AccessTypes.TokenDuplicate)
{
lock (currentProcessToken)
{
if (currentProcessToken == null)
currentProcessToken = FromProcess(Kernel32.GetCurrentProcess(), desiredAccess);
return currentProcessToken;
}
}
public static SafeTokenHandle FromCurrentThread(AccessTypes desiredAccess = AccessTypes.TokenDuplicate, bool openAsSelf = true)
public static SafeTokenHandle FromCurrentThread(AccessTypes desiredAccess = AccessTypes.TokenDuplicate, bool openAsSelf = true)
=> FromThread(Kernel32.GetCurrentThread(), desiredAccess, openAsSelf);
public static SafeTokenHandle FromProcess(IntPtr hProcess, AccessTypes desiredAccess = AccessTypes.TokenDuplicate)
{
SafeTokenHandle val;
if (!Advapi32.OpenProcessToken(hProcess, desiredAccess, out val))
throw new System.ComponentModel.Win32Exception();
return val;
}
public static SafeTokenHandle FromProcess(IntPtr hProcess, AccessTypes desiredAccess = AccessTypes.TokenDuplicate)
{
SafeTokenHandle val;
if (!Advapi32.OpenProcessToken(hProcess, desiredAccess, out val))
throw new System.ComponentModel.Win32Exception();
return val;
}
public static SafeTokenHandle FromThread(IntPtr hThread, AccessTypes desiredAccess = AccessTypes.TokenDuplicate, bool openAsSelf = true)
{
SafeTokenHandle val;
if (!Advapi32.OpenThreadToken(hThread, desiredAccess, openAsSelf, out val))
{
if (Marshal.GetLastWin32Error() == ERROR_NO_TOKEN)
{
SafeTokenHandle pval = FromCurrentProcess();
if (!Advapi32.DuplicateTokenEx(pval, AccessTypes.TokenImpersonate | desiredAccess, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.Impersonation, TokenType.TokenImpersonation, ref val))
throw new System.ComponentModel.Win32Exception();
if (!Advapi32.SetThreadToken(IntPtr.Zero, val))
throw new System.ComponentModel.Win32Exception();
}
else
throw new System.ComponentModel.Win32Exception();
}
return val;
}
}
public static SafeTokenHandle FromThread(IntPtr hThread, AccessTypes desiredAccess = AccessTypes.TokenDuplicate, bool openAsSelf = true)
{
SafeTokenHandle val;
if (!Advapi32.OpenThreadToken(hThread, desiredAccess, openAsSelf, out val))
{
if (Marshal.GetLastWin32Error() == ERROR_NO_TOKEN)
{
SafeTokenHandle pval = FromCurrentProcess();
if (!Advapi32.DuplicateTokenEx(pval, AccessTypes.TokenImpersonate | desiredAccess, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.Impersonation, TokenType.TokenImpersonation, ref val))
throw new System.ComponentModel.Win32Exception();
if (!Advapi32.SetThreadToken(IntPtr.Zero, val))
throw new System.ComponentModel.Win32Exception();
}
else
throw new System.ComponentModel.Win32Exception();
}
return val;
}
}
}
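Review bot: `FromCurrentProcess` takes `lock (currentProcessToken)`, but the field is declared as `private static SafeTokenHandle currentProcessToken = null;`, so unless another part of this partial class assigns it first, the first call throws `ArgumentNullException` from the `lock` before the null check runs. Lock on a dedicated object instead: add `private static readonly object currentProcessTokenLock = new object();` and use `lock (currentProcessTokenLock)`. The re-indentation carries this over unchanged. Separately, the cached handle is returned regardless of the `desiredAccess` a later caller passes, which deserves a comment on the method.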


@ -1,38 +1,38 @@
namespace winPEAS.Native.Enums
{
/// <summary>
/// Provides formats to use for input and output names for the DsCrackNames function.
/// </summary>
public enum DS_NAME_FORMAT
{
///<summary>Indicates the name is using an unknown name type. This format can impact performance because it forces the server to attempt to match all possible formats. Only use this value if the input format is unknown.</summary>
DS_UNKNOWN_NAME = 0,
/// <summary>
/// Provides formats to use for input and output names for the DsCrackNames function.
/// </summary>
public enum DS_NAME_FORMAT
{
///<summary>Indicates the name is using an unknown name type. This format can impact performance because it forces the server to attempt to match all possible formats. Only use this value if the input format is unknown.</summary>
DS_UNKNOWN_NAME = 0,
///<summary>Indicates that the fully qualified distinguished name is used. For example: "CN = someone, OU = Users, DC = Engineering, DC = Fabrikam, DC = Com"</summary>
DS_FQDN_1779_NAME = 1,
///<summary>Indicates that the fully qualified distinguished name is used. For example: "CN = someone, OU = Users, DC = Engineering, DC = Fabrikam, DC = Com"</summary>
DS_FQDN_1779_NAME = 1,
///<summary>Indicates a Windows NT 4.0 account name. For example: "Engineering\someone" The domain-only version includes two trailing backslashes (\\).</summary>
DS_NT4_ACCOUNT_NAME = 2,
///<summary>Indicates a Windows NT 4.0 account name. For example: "Engineering\someone" The domain-only version includes two trailing backslashes (\\).</summary>
DS_NT4_ACCOUNT_NAME = 2,
///<summary>Indicates a user-friendly display name, for example, Jeff Smith. The display name is not necessarily the same as relative distinguished name (RDN).</summary>
DS_DISPLAY_NAME = 3,
///<summary>Indicates a user-friendly display name, for example, Jeff Smith. The display name is not necessarily the same as relative distinguished name (RDN).</summary>
DS_DISPLAY_NAME = 3,
///<summary>Indicates a GUID string that the IIDFromString function returns. For example: "{4fa050f0-f561-11cf-bdd9-00aa003a77b6}"</summary>
DS_UNIQUE_ID_NAME = 6,
///<summary>Indicates a GUID string that the IIDFromString function returns. For example: "{4fa050f0-f561-11cf-bdd9-00aa003a77b6}"</summary>
DS_UNIQUE_ID_NAME = 6,
///<summary>Indicates a complete canonical name. For example: "engineering.fabrikam.com/software/someone" The domain-only version includes a trailing forward slash (/).</summary>
DS_CANONICAL_NAME = 7,
///<summary>Indicates a complete canonical name. For example: "engineering.fabrikam.com/software/someone" The domain-only version includes a trailing forward slash (/).</summary>
DS_CANONICAL_NAME = 7,
///<summary>Indicates that it is using the user principal name (UPN). For example: "someone@engineering.fabrikam.com"</summary>
DS_USER_PRINCIPAL_NAME = 8,
///<summary>Indicates that it is using the user principal name (UPN). For example: "someone@engineering.fabrikam.com"</summary>
DS_USER_PRINCIPAL_NAME = 8,
///<summary>This element is the same as DS_CANONICAL_NAME except that the rightmost forward slash (/) is replaced with a newline character (\n), even in a domain-only case. For example: "engineering.fabrikam.com/software\nsomeone"</summary>
DS_CANONICAL_NAME_EX = 9,
///<summary>This element is the same as DS_CANONICAL_NAME except that the rightmost forward slash (/) is replaced with a newline character (\n), even in a domain-only case. For example: "engineering.fabrikam.com/software\nsomeone"</summary>
DS_CANONICAL_NAME_EX = 9,
///<summary>Indicates it is using a generalized service principal name. For example: "www/www.fabrikam.com@fabrikam.com"</summary>
DS_SERVICE_PRINCIPAL_NAME = 10,
///<summary>Indicates it is using a generalized service principal name. For example: "www/www.fabrikam.com@fabrikam.com"</summary>
DS_SERVICE_PRINCIPAL_NAME = 10,
///<summary>Indicates a Security Identifier (SID) for the object. This can be either the current SID or a SID from the object SID history. The SID string can use either the standard string representation of a SID, or one of the string constants defined in Sddl.h. For more information about converting a binary SID into a SID string, see SID Strings. The following is an example of a SID string: "S-1-5-21-397955417-626881126-188441444-501"</summary>
DS_SID_OR_SID_HISTORY_NAME = 11,
}
///<summary>Indicates a Security Identifier (SID) for the object. This can be either the current SID or a SID from the object SID history. The SID string can use either the standard string representation of a SID, or one of the string constants defined in Sddl.h. For more information about converting a binary SID into a SID string, see SID Strings. The following is an example of a SID string: "S-1-5-21-397955417-626881126-188441444-501"</summary>
DS_SID_OR_SID_HISTORY_NAME = 11,
}
}


@ -1,6 +1,6 @@
namespace winPEAS.Native.Enums
{
public enum SECURITY_IMPERSONATION_LEVEL
public enum SECURITY_IMPERSONATION_LEVEL
{
Anonymous,
Identification,


@ -2,7 +2,7 @@
namespace winPEAS.Native.Enums
{
[Flags]
[Flags]
public enum ServerTypes : uint
{
Workstation = 0x00000001,


@ -1,6 +1,6 @@
namespace winPEAS.Native.Enums
{
public enum TOKEN_ELEVATION_TYPE
public enum TOKEN_ELEVATION_TYPE
{
Default = 1,
Full,


@ -1,6 +1,6 @@
namespace winPEAS.Native.Enums
{
public enum TOKEN_INFORMATION_CLASS
public enum TOKEN_INFORMATION_CLASS
{
TokenUser = 1,
TokenGroups,


@ -1,7 +1,5 @@
using System;
using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using winPEAS.Info.SystemInfo.NamedPipes;
namespace winPEAS.Native
{


@ -27,5 +27,5 @@ namespace winPEAS.Native
[DllImport("ntdsapi.dll", CharSet = CharSet.Auto)]
internal static extern uint DsUnBind(ref IntPtr phDS);
}
}
}


@ -2,7 +2,7 @@
namespace winPEAS.Native.Structs
{
[StructLayout(LayoutKind.Sequential, Pack = 1)]
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct LUID
{
public uint LowPart;


@ -3,7 +3,7 @@ using System.Runtime.InteropServices;
namespace winPEAS.Native.Structs
{
[StructLayout(LayoutKind.Sequential)]
[StructLayout(LayoutKind.Sequential)]
public struct SID_AND_ATTRIBUTES
{
public IntPtr Sid;


@ -3,7 +3,7 @@ using System.Runtime.InteropServices;
namespace winPEAS.Native.Structs
{
[StructLayout(LayoutKind.Sequential)]
[StructLayout(LayoutKind.Sequential)]
public struct TOKEN_ELEVATION
{
public Int32 TokenIsElevated;
