darnellkeith/PEASS-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- sensitive_files.yaml updates - removed duplicates, updated windows files key

Browse Source 
- added registry search for CurrentPass
This commit is contained in:
makikvues 2021-06-22 19:39:53 +02:00
parent 15b769a298
commit 4cb1a48975
2 changed files with 42 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
build_lists/sensitive_files.yaml
View File

@ -139,12 +139,6 @@ search:
type: d type: d
search_in: search_in:
- /etc - /etc
? "system.d"
:
type: d
search_in:
- /etc
MySQL: MySQL:
config: config:
@ -1661,7 +1655,7 @@ search:
search_in: search_in:
- common - common
Windows Files: Windows_Files:
config: config:
auto_check: True auto_check: True

41
winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
View File

@ -69,6 +69,7 @@ namespace winPEAS.Checks
PrintLSAProtection, PrintLSAProtection,
PrintCredentialGuard, PrintCredentialGuard,
PrintCachedCreds, PrintCachedCreds,
PrintRegistryCreds,
PrintAVInfo, PrintAVInfo,
PrintWindowsDefenderInfo, PrintWindowsDefenderInfo,
PrintUACInfo, PrintUACInfo,
@ -1106,5 +1107,45 @@ namespace winPEAS.Checks
{ {
} }
} }
private static void PrintRegistryCreds()
{
try
{
Beaprint.MainPrint("Enumerating saved credentials in Registry (CurrentPass)");
string currentPass = "CurrentPass";
var hive = "HKLM";
var path = "System";
var controlSet = "ControlSet";
var colors = new Dictionary<string, string>
{
{ currentPass, Beaprint.ansi_color_bad }
};
var subkeys = RegistryHelper.GetRegSubkeys(hive, path);
foreach (var subkey in subkeys.Where(i => i.Contains(controlSet)))
{
try
{
var subPath = @$"{path}\{subkey}\Control";
var key = $@"{hive}\{subPath}\{currentPass}";
var value = RegistryHelper.GetRegValue(hive, subPath, currentPass);
if (!string.IsNullOrWhiteSpace(value))
{
Beaprint.AnsiPrint($@" {key,-60} : {value}", colors);
}
}
catch (Exception)
{
}
}
}
catch (Exception ex)
{
}
}
} }
} }