- added Brave browser credentials extraction

- added PowerOnEvents
- added PrintOutlookDownloads
- added PrintAuditPoliciesInfo
- added search keywords for keepass
This commit is contained in:
makikvues 2021-02-08 22:50:58 +01:00
parent 343b8bb96b
commit 647fe190ef
19 changed files with 497 additions and 136 deletions


@ -1,6 +1,7 @@
using System.Collections.Generic; using System.Collections.Generic;
using winPEAS.Helpers; using winPEAS.Helpers;
using winPEAS.KnownFileCreds.Browsers; using winPEAS.KnownFileCreds.Browsers;
using winPEAS.KnownFileCreds.Browsers.Brave;
using winPEAS.KnownFileCreds.Browsers.Chrome; using winPEAS.KnownFileCreds.Browsers.Chrome;
using winPEAS.KnownFileCreds.Browsers.Firefox; using winPEAS.KnownFileCreds.Browsers.Firefox;
using winPEAS.KnownFileCreds.Browsers.Opera; using winPEAS.KnownFileCreds.Browsers.Opera;
@ -18,6 +19,7 @@ namespace winPEAS.Checks
new Firefox(), new Firefox(),
new Chrome(), new Chrome(),
new Opera(), new Opera(),
new Brave(),
new InternetExplorer(), new InternetExplorer(),
}.ForEach(browser => CheckRunner.Run(browser.PrintInfo, isDebug)); }.ForEach(browser => CheckRunner.Run(browser.PrintInfo, isDebug));
} }


@ -3,6 +3,7 @@ using System.Collections.Generic;
using System.Linq; using System.Linq;
using winPEAS.Helpers; using winPEAS.Helpers;
using winPEAS.Info.EventsInfo.Logon; using winPEAS.Info.EventsInfo.Logon;
using winPEAS.Info.EventsInfo.Power;
using winPEAS.Info.EventsInfo.PowerShell; using winPEAS.Info.EventsInfo.PowerShell;
using winPEAS.Info.EventsInfo.ProcessCreation; using winPEAS.Info.EventsInfo.ProcessCreation;
@ -19,7 +20,8 @@ namespace winPEAS.Checks
PrintExplicitLogonEvents, PrintExplicitLogonEvents,
PrintLogonEvents, PrintLogonEvents,
PrintProcessCreationEvents, PrintProcessCreationEvents,
PrintPowerShellEvents PrintPowerShellEvents,
PowerOnEvents,
}.ForEach(action => CheckRunner.Run(action, isDebug)); }.ForEach(action => CheckRunner.Run(action, isDebug));
} }
@ -30,23 +32,13 @@ namespace winPEAS.Checks
Beaprint.MainPrint("PowerShell events - script block logs (EID 4104) - searching for sensitive data.\n"); Beaprint.MainPrint("PowerShell events - script block logs (EID 4104) - searching for sensitive data.\n");
var powerShellEventInfos = PowerShell.GetPowerShellEventInfos(); var powerShellEventInfos = PowerShell.GetPowerShellEventInfos();
// TODO
// add highlighting for interesting words
var colors = new Dictionary<string, string>()
{
{ "TODO", Beaprint.ansi_color_bad }
};
foreach (var info in powerShellEventInfos) foreach (var info in powerShellEventInfos)
{ {
// TODO Beaprint.NoColorPrint($" User Id : {info.UserId}\n" +
// formatting - try horizontal?
Beaprint.AnsiPrint($" User Id : {info.UserId}\n" +
$" Event Id : {info.EventId}\n" + $" Event Id : {info.EventId}\n" +
$" Context : {info.Context}\n" + $" Context : {info.Context}\n" +
$" Created At : {info.CreatedAt}\n" + $" Created At : {info.CreatedAt}\n" +
$" Command line : {info.Match}\n", $" Command line : {info.Match}\n");
colors);
Beaprint.PrintLineSeparator(); Beaprint.PrintLineSeparator();
} }
@ -69,9 +61,6 @@ namespace winPEAS.Checks
return; return;
} }
// TODO
// formatting / highlighting?
foreach (var eventInfo in ProcessCreation.GetProcessCreationEventInfos()) foreach (var eventInfo in ProcessCreation.GetProcessCreationEventInfos())
{ {
Beaprint.BadPrint($" Created (UTC) : {eventInfo.CreatedAtUtc}\n" + Beaprint.BadPrint($" Created (UTC) : {eventInfo.CreatedAtUtc}\n" +
@ -81,7 +70,6 @@ namespace winPEAS.Checks
Beaprint.PrintLineSeparator(); Beaprint.PrintLineSeparator();
} }
} }
catch (Exception ex) catch (Exception ex)
{ {
@ -203,5 +191,27 @@ namespace winPEAS.Checks
Beaprint.BadPrint($" {user}"); Beaprint.BadPrint($" {user}");
} }
} }
private void PowerOnEvents()
{
try
{
var lastDays = 5;
Beaprint.MainPrint($"Displaying Power off/on events for last {lastDays} days\n");
var infos = Power.GetPowerEventInfos(lastDays);
foreach (var info in infos)
{
Beaprint.NoColorPrint($" {info.DateUtc.ToLocalTime(),-23} : {info.Description}");
}
}
catch (Exception e)
{
Console.WriteLine(e);
throw;
}
}
} }
} }
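Review bot: `PowerOnEvents` reports failure differently from every other check in this class: its catch block writes the raw exception to stdout with `Console.WriteLine(e)` and then rethrows, whereas the sibling checks added in this commit report with `Beaprint.PrintException(ex.Message)` and return. The rethrow escapes the check method, and unless `CheckRunner.Run` catches it (not visible here) a host where the System log is unreadable would abort the remaining checks in the list. Replace the catch body with `Beaprint.PrintException(e.Message);` and drop the `throw;`. The hard-coded `lastDays = 5` would also read better as a named constant next to the other defaults, if the class has them.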


@ -129,6 +129,7 @@ namespace winPEAS.Checks
PrintUserCredsFiles, PrintUserCredsFiles,
PrintOracleSQLDeveloperConfigFiles, PrintOracleSQLDeveloperConfigFiles,
Slack.PrintInfo, Slack.PrintInfo,
PrintOutlookDownloads,
PrintMachineAndUserCertificateFiles, PrintMachineAndUserCertificateFiles,
PrintUsersInterestingFiles, PrintUsersInterestingFiles,
PrintUsersDocsKeys, PrintUsersDocsKeys,
@ -815,5 +816,39 @@ namespace winPEAS.Checks
{ {
} }
} }
private static void PrintOutlookDownloads()
{
Beaprint.MainPrint("Enumerating Outlook download files\n");
try
{
var userDirs = User.GetUsersFolders();
foreach (var userDir in userDirs)
{
try
{
var userOutlookBasePath = $"{userDir}\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\";
if (Directory.Exists(userOutlookBasePath))
{
var files = SearchHelper.GetFilesFast(userOutlookBasePath, "*");
foreach (var file in files)
{
Beaprint.BadPrint($" {file.FullPath}");
}
}
}
catch (Exception e)
{
}
}
}
catch (Exception ex)
{
}
}
} }
} }
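Review bot: Both catch blocks in `PrintOutlookDownloads` swallow every exception silently, so if `User.GetUsersFolders()` or the search fails the check prints its heading and nothing else, with no hint that it did not actually run; the `e` and `ex` variables are never read. Keep the per-user catch as best-effort (access to another user's profile is expected to fail for a low-privileged run) but report the outer one, `catch (Exception ex) { Beaprint.PrintException(ex.Message); }`. The path is built by string concatenation from `userDir`; `Path.Combine(userDir, @"AppData\Local\Microsoft\Windows\INetCache\Content.Outlook")` avoids a double or missing separator if a folder entry already ends in a backslash. A one-line comment saying why this folder matters (it is where Outlook caches opened attachments, hence the `BadPrint` highlighting) would help the next reader.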


@ -14,6 +14,7 @@ using winPEAS.Info.SystemInfo;
using winPEAS.Info.SystemInfo.SysMon; using winPEAS.Info.SystemInfo.SysMon;
using winPEAS.Helpers.Extensions; using winPEAS.Helpers.Extensions;
using winPEAS.Helpers.Registry; using winPEAS.Helpers.Registry;
using winPEAS.Info.SystemInfo.AuditPolicies;
using winPEAS.Info.SystemInfo.DotNet; using winPEAS.Info.SystemInfo.DotNet;
using winPEAS.Info.SystemInfo.WindowsDefender; using winPEAS.Info.SystemInfo.WindowsDefender;
@ -57,6 +58,7 @@ namespace winPEAS.Checks
PrintUserEV, PrintUserEV,
PrintSystemEV, PrintSystemEV,
PrintAuditInfo, PrintAuditInfo,
PrintAuditPoliciesInfo,
PrintWEFInfo, PrintWEFInfo,
PrintLAPSInfo, PrintLAPSInfo,
PrintWdigest, PrintWdigest,
@ -250,7 +252,7 @@ namespace winPEAS.Checks
} }
} }
static void PrintAuditInfo() private static void PrintAuditInfo()
{ {
try try
{ {
@ -265,6 +267,34 @@ namespace winPEAS.Checks
} }
} }
private static void PrintAuditPoliciesInfo()
{
try
{
Beaprint.MainPrint("Audit Policy Settings - Classic & Advanced");
var policies = AuditPolicies.GetAuditPoliciesInfos();
foreach (var policy in policies)
{
Beaprint.NoColorPrint($" Domain : {policy.Domain}\n" +
$" GPO : {policy.GPO}\n" +
$" Type : {policy.Type}\n");
foreach (var entry in policy.Settings)
{
Beaprint.NoColorPrint($" {entry.Subcategory,50} : {entry.AuditType}");
}
Beaprint.PrintLineSeparator();
}
}
catch (Exception ex)
{
Beaprint.PrintException(ex.Message);
}
}
static void PrintWEFInfo() static void PrintWEFInfo()
{ {
try try
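Review bot: `PrintAuditPoliciesInfo` prints `Domain`, `GPO` and `Type` but never `policy.Path`, even though `AuditPolicyGPOInfo` is constructed with the full path of the `GptTmpl.inf` or `audit.csv` it was parsed from; without it the reader cannot tell which file a block of settings came from, which matters when several GPOs overlap. Add `$" Path : {policy.Path}\n" +` as the first line of the `NoColorPrint` call. The `MainPrint` header also lacks the trailing `"\n"` the neighbouring checks use, so the first block runs straight into the heading.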


@ -48,6 +48,7 @@ namespace winPEAS.Helpers.Search
"iis6.log", "iis6.log",
"index.dat", "index.dat",
"keepass.config", "keepass.config",
"keepass.config.xml",
"my.cnf", "my.cnf",
"my.ini", "my.ini",
"netsetup.log", "netsetup.log",
@ -56,6 +57,7 @@ namespace winPEAS.Helpers.Search
"pagefile.sys", "pagefile.sys",
"php.ini", "php.ini",
"printers.xml", "printers.xml",
"protecteduserkey.bin",
"rdcman.settings", "rdcman.settings",
"recentservers.xml", "recentservers.xml",
"sam", "sam",


@ -60,7 +60,7 @@ namespace winPEAS.Helpers.Search
return files.ToList(); return files.ToList();
} }
public static List<FileInfo> GetFiles(string folder, string pattern = "*") private static List<FileInfo> GetFiles(string folder, string pattern = "*")
{ {
DirectoryInfo dirInfo; DirectoryInfo dirInfo;
DirectoryInfo[] directories; DirectoryInfo[] directories;


@ -0,0 +1,39 @@
using System;
using System.Collections.Generic;
using winPEAS.Helpers;
namespace winPEAS.Info.EventsInfo.Power
{
internal class Power
{
public static IEnumerable<PowerEventInfo> GetPowerEventInfos(int lastDays)
{
var startTime = DateTime.Now.AddDays(-lastDays);
var endTime = DateTime.Now;
// eventID 1 == sleep
var query = $@"((*[System[(EventID=12 or EventID=13) and Provider[@Name='Microsoft-Windows-Kernel-General']]] or *[System/EventID=42]) or (*[System/EventID=6008]) or (*[System/EventID=1] and *[System[Provider[@Name='Microsoft-Windows-Power-Troubleshooter']]])) and *[System[TimeCreated[@SystemTime >= '{startTime.ToUniversalTime():o}']]] and *[System[TimeCreated[@SystemTime <= '{endTime.ToUniversalTime():o}']]]";
var logReader = MyUtils.GetEventLogReader("System", query);
for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
{
var action = eventDetail.Id switch
{
1 => "Awake",
12 => "Startup",
13 => "Shutdown",
42 => "Sleep",
6008 => "Unexpected Shutdown",
_ => null
};
yield return new PowerEventInfo
{
DateUtc = (DateTime)eventDetail.TimeCreated?.ToUniversalTime(),
Description = action
};
}
}
}
}
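Review bot: The cast in `DateUtc = (DateTime)eventDetail.TimeCreated?.ToUniversalTime()` defeats the null-conditional: when `TimeCreated` is null the expression is a null `DateTime?`, and unboxing it throws `InvalidOperationException`, which the caller's catch turns into an abort of the whole check. The comment `// eventID 1 == sleep` also contradicts the mapping a few lines below (`1 => "Awake"`); EID 1 from Power-Troubleshooter is the resume event, so the comment should read `// EID 1 (Power-Troubleshooter) == resumed from sleep`. Neither the reader nor the records it yields are disposed; assuming `MyUtils.GetEventLogReader` returns an `EventLogReader` (not visible here), both are `IDisposable`. Suggested shape of the loop:
```csharp
using (var logReader = MyUtils.GetEventLogReader("System", query))
{
    for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
    {
        using (eventDetail)
        {
            var timeCreated = eventDetail.TimeCreated;
            if (timeCreated == null)
            {
                continue;   // nothing to date the event with; the old cast threw here
            }
            // … unchanged: Id switch → action …
            yield return new PowerEventInfo
            {
                DateUtc = timeCreated.Value.ToUniversalTime(),
                Description = action
            };
        }
    }
}
```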


@ -0,0 +1,10 @@
using System;
namespace winPEAS.Info.EventsInfo.Power
{
internal class PowerEventInfo
{
public DateTime DateUtc { get; set; }
public string Description { get; set; }
}
}


@ -0,0 +1,22 @@
namespace winPEAS.Info.SystemInfo.AuditPolicies
{
internal class AuditEntryInfo
{
public string Target { get; }
public string Subcategory { get; }
public string SubcategoryGuid { get; }
public AuditType AuditType { get; }
public AuditEntryInfo(
string target,
string subcategory,
string subcategoryGuid,
AuditType auditType)
{
Target = target;
Subcategory = subcategory;
SubcategoryGuid = subcategoryGuid;
AuditType = auditType;
}
}
}


@ -0,0 +1,191 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;
using winPEAS.Helpers.Search;
using winPEAS.Native;
namespace winPEAS.Info.SystemInfo.AuditPolicies
{
internal class AuditPolicies
{
private static readonly string SystemRoot = Environment.GetEnvironmentVariable("SystemRoot");
// https://code.msdn.microsoft.com/windowsdesktop/Reading-and-Writing-Values-85084b6a
private static int Capacity = 512;
public static IEnumerable<AuditPolicyGPOInfo> GetAuditPoliciesInfos()
{
var searchPath = $"{SystemRoot}\\System32\\GroupPolicy\\DataStore\\0\\sysvol\\";
var files = SearchHelper.GetFilesFast(searchPath, "audit.csv");
var classicFiles = SearchHelper.GetFilesFast(searchPath, "GptTmpl.inf");
foreach (var classicFilePath in classicFiles)
{
var fullFilePath = classicFilePath.FullPath;
var result = ParseGPOPath(fullFilePath);
var domain = result[0];
var gpo = result[1];
//ParseClassicPolicy
var sections = ReadSections(fullFilePath);
if (!sections.Contains("Event Audit"))
continue;
var settings = ParseClassicPolicy(fullFilePath);
yield return new AuditPolicyGPOInfo(
classicFilePath.FullPath,
domain,
gpo,
"classic",
settings
);
}
foreach (var filePath in files)
{
var result = ParseGPOPath(filePath.FullPath);
var domain = result[0];
var gpo = result[1];
var settings = ParseAdvancedPolicy(filePath.FullPath);
yield return new AuditPolicyGPOInfo(
filePath.FullPath,
domain,
gpo,
"advanced",
settings
);
}
}
private static string[] ParseGPOPath(string path)
{
// returns an array of the domain and GPO GUID from an audit.csv (or GptTmpl.inf) path
var searchPath = $"{Environment.GetEnvironmentVariable("SystemRoot")}\\System32\\GroupPolicy\\DataStore\\0\\sysvol\\";
var sysnativeSearchPath = $"{Environment.GetEnvironmentVariable("SystemRoot")}\\Sysnative\\GroupPolicy\\DataStore\\0\\sysvol\\";
var actualSearchPath = Regex.IsMatch(path, "System32") ? searchPath : sysnativeSearchPath;
var rest = path.Substring(actualSearchPath.Length, path.Length - actualSearchPath.Length);
var parts = rest.Split('\\');
string[] result = { parts[0], parts[2] };
return result;
}
private static string[] ReadSections(string filePath)
{
// first line will not recognize if ini file is saved in UTF-8 with BOM
while (true)
{
var chars = new char[Capacity];
var size = Kernel32.GetPrivateProfileString(null, null, "", chars, Capacity, filePath);
if (size == 0)
return new string[] { };
if (size < Capacity - 2)
{
var result = new string(chars, 0, size);
var sections = result.Split(new char[] { '\0' }, StringSplitOptions.RemoveEmptyEntries);
return sections;
}
Capacity *= 2;
}
}
private static List<AuditEntryInfo> ParseAdvancedPolicy(string path)
{
// parses a "advanced" auditing policy (audit.csv), returning a list of AuditEntries
var results = new List<AuditEntryInfo>();
using (var reader = new StreamReader(path))
{
while (!reader.EndOfStream)
{
var line = reader.ReadLine();
var values = line.Split(',');
if (values[0].Equals("Machine Name")) // skip the header
{
continue;
}
// CSV lines:
// Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
var target = values[1];
var subcategory = values[2];
var subcategoryGuid = values[3];
var auditType = (AuditType)int.Parse(values[6]);
results.Add(new AuditEntryInfo(
target,
subcategory,
subcategoryGuid,
auditType
));
}
}
return results;
}
private static List<AuditEntryInfo> ParseClassicPolicy(string path)
{
// parses a "classic" auditing policy (GptTmpl.inf), returning a list of AuditEntries
var results = new List<AuditEntryInfo>();
var settings = ReadKeyValuePairs("Event Audit", path);
foreach (var setting in settings)
{
var parts = setting.Split('=');
var result = new AuditEntryInfo(
string.Empty,
parts[0],
string.Empty,
(AuditType)Int32.Parse(parts[1])
);
results.Add(result);
}
return results;
}
private static string[] ReadKeyValuePairs(string section, string filePath)
{
while (true)
{
var returnedString = Marshal.AllocCoTaskMem(Capacity * sizeof(char));
var size = Kernel32.GetPrivateProfileSection(section, returnedString, Capacity, filePath);
if (size == 0)
{
Marshal.FreeCoTaskMem(returnedString);
return new string[] { };
}
if (size < Capacity - 2)
{
var result = Marshal.PtrToStringAuto(returnedString, size - 1);
Marshal.FreeCoTaskMem(returnedString);
var keyValuePairs = result.Split('\0');
return keyValuePairs;
}
Marshal.FreeCoTaskMem(returnedString);
Capacity *= 2;
}
}
}
}
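Review bot: `ParseAdvancedPolicy` indexes `values[1]` through `values[6]` on every non-header line, so a blank trailing line (an empty `line` splits to a single element) or a short row throws `IndexOutOfRangeException`; because `GetAuditPoliciesInfos` is a lazy iterator, that exception surfaces in the caller's `foreach` and drops the output for every GPO not yet yielded. `int.Parse(values[6])` has the same all-or-nothing effect on a single malformed value. Guard the row and use `TryParse` so one bad line costs one entry rather than the whole report. `ParseClassicPolicy` would benefit from `parts[0].Trim()` too: if the `key = value` lines in `GptTmpl.inf` carry spaces around `=`, as they commonly do, the subcategory name keeps a trailing space. Suggested loop body:
```csharp
while (!reader.EndOfStream)
{
    var line = reader.ReadLine();
    if (string.IsNullOrWhiteSpace(line))
    {
        continue;
    }
    var values = line.Split(',');
    // Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
    if (values.Length < 7 || values[0].Equals("Machine Name"))
    {
        continue;   // header or malformed row
    }
    if (!int.TryParse(values[6], out var rawSetting))
    {
        continue;   // keep the rest of the file readable instead of aborting the iterator
    }
    results.Add(new AuditEntryInfo(values[1], values[2], values[3], (AuditType)rawSetting));
}
```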


@ -0,0 +1,27 @@
using System.Collections.Generic;
namespace winPEAS.Info.SystemInfo.AuditPolicies
{
internal class AuditPolicyGPOInfo
{
public string Path { get; }
public string Domain { get; }
public string GPO { get; }
public string Type { get; }
public List<AuditEntryInfo> Settings { get; }
public AuditPolicyGPOInfo(
string path,
string domain,
string gpo,
string type,
List<AuditEntryInfo> settings)
{
Path = path;
Domain = domain;
GPO = gpo;
Type = type;
Settings = settings ?? new List<AuditEntryInfo>();
}
}
}


@ -0,0 +1,9 @@
namespace winPEAS.Info.SystemInfo.AuditPolicies
{
internal enum AuditType
{
Success = 1,
Failure = 2,
SuccessAndFailure = 3
}
}
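Review bot: `AuditType` has no member for `0`, yet both `ParseAdvancedPolicy` and `ParseClassicPolicy` in this commit cast the raw integer straight to the enum, so a subcategory whose setting is "no auditing" (value `0` in both `audit.csv` and the `[Event Audit]` section of `GptTmpl.inf`) is stored as an undefined value and printed as a bare `0`. For an attacker-oriented report that is the most interesting state, since it marks what the defenders are not logging. Add `None = 0,` as the first member so it prints as a word, and consider a comment noting the numeric values mirror the on-disk encoding.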


@ -0,0 +1,16 @@
using System.IO;
namespace winPEAS.KnownFileCreds.Browsers.Brave
{
internal class Brave : ChromiumBase, IBrowser
{
public override string Name => "Brave Browser";
public override string BaseAppDataPath => Path.Combine(AppDataPath, "..\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\");
public override void PrintInfo()
{
PrintSavedCredentials();
}
}
}
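Review bot: `BaseAppDataPath` reaches the Local profile folder by walking up from Roaming with `"..\\Local\\..."`; `Path.Combine` keeps the `..` segment, so this is only correct when Roaming and Local are siblings, which is the default layout but not guaranteed when a folder-redirection policy points `%APPDATA%` elsewhere (a UNC share, for example). Use the dedicated folder directly: `public override string BaseAppDataPath => Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), @"BraveSoftware\Brave-Browser\User Data\Default\");`. The same pattern is inherited from the existing Chrome entry, so this is a pre-existing habit rather than something introduced here. Only the `Default` profile is examined; a short comment saying so would save the next reader from assuming other profiles are covered.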


@ -1,22 +1,18 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.Data;
using System.IO; using System.IO;
using System.Text.RegularExpressions; using System.Text.RegularExpressions;
using System.Web.Script.Serialization; using System.Web.Script.Serialization;
using winPEAS.Checks; using winPEAS.Checks;
using winPEAS.Helpers; using winPEAS.Helpers;
using winPEAS.KnownFileCreds.Browsers.Decryptor;
using winPEAS.KnownFileCreds.Browsers.Models;
using winPEAS._3rdParty.SQLite;
namespace winPEAS.KnownFileCreds.Browsers.Chrome namespace winPEAS.KnownFileCreds.Browsers.Chrome
{ {
internal class Chrome : BrowserBase, IBrowser internal class Chrome : ChromiumBase, IBrowser
{ {
public override string Name => "Chrome"; public override string Name => "Chrome";
private const string LOGIN_DATA_PATH = "\\..\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"; public override string BaseAppDataPath => Path.Combine(AppDataPath, "..\\Local\\Google\\Chrome\\User Data\\Default\\");
public override void PrintInfo() public override void PrintInfo()
{ {
@ -274,47 +270,5 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
} }
return results; return results;
} }
public override IEnumerable<CredentialModel> GetSavedCredentials()
{
var result = new List<CredentialModel>();
var appdata = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);// APPDATA
var p = Path.GetFullPath(appdata + LOGIN_DATA_PATH);
if (File.Exists(p))
{
SQLiteDatabase database = new SQLiteDatabase(p);
string query = "SELECT action_url, username_value, password_value FROM logins";
DataTable resultantQuery = database.ExecuteQuery(query);
if (resultantQuery.Rows.Count > 0)
{
var key = GCDecryptor.GetChromeKey();
foreach (DataRow row in resultantQuery.Rows)
{
byte[] nonce, ciphertextTag;
byte[] encryptedData = Convert.FromBase64String((string)row["password_value"]);
GCDecryptor.Prepare(encryptedData, out nonce, out ciphertextTag);
var pass = GCDecryptor.Decrypt(ciphertextTag, key, nonce);
string actionUrl = row["action_url"] is System.DBNull ? string.Empty : (string)row["action_url"];
string usernameValue = row["username_value"] is System.DBNull ? string.Empty : (string)row["username_value"];
result.Add(new CredentialModel()
{
Url = actionUrl,
Username = usernameValue,
Password = pass
});
}
database.CloseDatabase();
}
}
return result;
}
} }
} }


@ -0,0 +1,58 @@
using System;
using System.Collections.Generic;
using System.Data;
using System.IO;
using winPEAS._3rdParty.SQLite;
using winPEAS.KnownFileCreds.Browsers.Decryptor;
using winPEAS.KnownFileCreds.Browsers.Models;
namespace winPEAS.KnownFileCreds.Browsers
{
internal abstract class ChromiumBase : BrowserBase
{
public static string AppDataPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
public abstract string BaseAppDataPath { get; }
public override IEnumerable<CredentialModel> GetSavedCredentials()
{
var result = new List<CredentialModel>();
var p = Path.Combine(BaseAppDataPath, "Login Data");
var keyPath = Path.Combine(BaseAppDataPath, "..\\Local State");
if (File.Exists(p))
{
SQLiteDatabase database = new SQLiteDatabase(p);
string query = "SELECT action_url, username_value, password_value FROM logins";
DataTable resultantQuery = database.ExecuteQuery(query);
if (resultantQuery.Rows.Count > 0)
{
var key = GCDecryptor.GetKey(keyPath);
foreach (DataRow row in resultantQuery.Rows)
{
byte[] encryptedData = Convert.FromBase64String((string)row["password_value"]);
GCDecryptor.Prepare(encryptedData, out var nonce, out var cipherTextTag);
var pass = GCDecryptor.Decrypt(cipherTextTag, key, nonce);
string actionUrl = row["action_url"] is System.DBNull ? string.Empty : (string)row["action_url"];
string usernameValue = row["username_value"] is System.DBNull ? string.Empty : (string)row["username_value"];
result.Add(new CredentialModel
{
Url = actionUrl,
Username = usernameValue,
Password = pass
});
}
database.CloseDatabase();
}
}
return result;
}
}
}
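Review bot: `keyPath` hard-codes the assumption that `Local State` sits one directory above `Login Data`, which holds for Chrome and Brave (`User Data\Default\` → `User Data\`) but not for Opera as wired up in this commit, whose `BaseAppDataPath` is `...\Opera Software\Opera Stable` with no profile subfolder, so `"..\\Local State"` resolves to `Opera Software\Local State` while the `GetOperaKey` removed from `GCDecryptor` read `Opera Stable\Local State`. Make the key location an overridable member so a browser can place it beside `Login Data`. Separately, `database.CloseDatabase()` is only reached when the query returns rows, so an empty `logins` table leaves the SQLite handle open; a `try/finally` fixes that, assuming `CloseDatabase` is safe to call after a query that returned nothing (not visible here). Suggested shape:
```csharp
// Chrome/Brave keep Local State one level above the profile; browsers that keep it next to Login Data override this.
public virtual string LocalStatePath => Path.Combine(BaseAppDataPath, "..\\Local State");

public override IEnumerable<CredentialModel> GetSavedCredentials()
{
    var result = new List<CredentialModel>();
    var p = Path.Combine(BaseAppDataPath, "Login Data");
    if (!File.Exists(p))
    {
        return result;
    }

    SQLiteDatabase database = new SQLiteDatabase(p);
    try
    {
        DataTable resultantQuery = database.ExecuteQuery("SELECT action_url, username_value, password_value FROM logins");
        if (resultantQuery.Rows.Count > 0)
        {
            var key = GCDecryptor.GetKey(LocalStatePath);
            // … unchanged: per-row decrypt and CredentialModel construction …
        }
    }
    finally
    {
        database.CloseDatabase();
    }
    return result;
}
```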


@ -12,21 +12,10 @@ namespace winPEAS.KnownFileCreds.Browsers.Decryptor
{ {
public static class GCDecryptor public static class GCDecryptor
{ {
public static byte[] GetChromeKey()
{
return GetKey("\\..\\Local\\Google\\Chrome\\User Data\\Local State");
}
public static byte[] GetOperaKey()
{
return GetKey("\\..\\Roaming\\Opera Software\\Opera Stable\\Local State");
}
public static byte[] GetKey(string localStatePath) public static byte[] GetKey(string localStatePath)
{ {
var sR = string.Empty; var sR = string.Empty;
var appdata = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);// APPDATA var path = Path.GetFullPath(localStatePath);
var path = Path.GetFullPath(appdata + localStatePath);
var v = File.ReadAllText(path); var v = File.ReadAllText(path);
var json = new JavaScriptSerializer().Deserialize<LocalState>(v); var json = new JavaScriptSerializer().Deserialize<LocalState>(v);


@ -1,64 +1,16 @@
using System; using System.IO;
using System.Collections.Generic;
using System.Data;
using System.IO;
using winPEAS.KnownFileCreds.Browsers.Decryptor;
using winPEAS.KnownFileCreds.Browsers.Models;
using winPEAS._3rdParty.SQLite;
namespace winPEAS.KnownFileCreds.Browsers.Opera namespace winPEAS.KnownFileCreds.Browsers.Opera
{ {
internal class Opera : BrowserBase, IBrowser internal class Opera : ChromiumBase, IBrowser
{ {
public override string Name => "Opera"; public override string Name => "Opera";
private const string LOGIN_DATA_PATH = "\\..\\Roaming\\Opera Software\\Opera Stable\\Login Data";
public override void PrintInfo() public override void PrintInfo()
{ {
PrintSavedCredentials(); PrintSavedCredentials();
} }
public override IEnumerable<CredentialModel> GetSavedCredentials() public override string BaseAppDataPath => Path.Combine(AppDataPath, "..\\Roaming\\Opera Software\\Opera Stable");
{
var result = new List<CredentialModel>();
var appdata = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);// APPDATA
var p = Path.GetFullPath(appdata + LOGIN_DATA_PATH);
if (File.Exists(p))
{
SQLiteDatabase database = new SQLiteDatabase(p);
string query = "SELECT action_url, username_value, password_value FROM logins";
DataTable resultantQuery = database.ExecuteQuery(query);
if (resultantQuery.Rows.Count > 0)
{
var key = GCDecryptor.GetOperaKey();
foreach (DataRow row in resultantQuery.Rows)
{
byte[] nonce, ciphertextTag;
byte[] encryptedData = Convert.FromBase64String((string)row["password_value"]);
GCDecryptor.Prepare(encryptedData, out nonce, out ciphertextTag);
var pass = GCDecryptor.Decrypt(ciphertextTag, key, nonce);
string actionUrl = row["action_url"] is System.DBNull ? string.Empty : (string)row["action_url"];
string usernameValue = row["username_value"] is System.DBNull ? string.Empty : (string)row["username_value"];
result.Add(new CredentialModel()
{
Url = actionUrl,
Username = usernameValue,
Password = pass
});
}
database.CloseDatabase();
}
}
return result;
}
} }
} }
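Review bot: After this refactor Opera's key file is looked up in the wrong directory: `ChromiumBase` builds the key path as `Path.Combine(BaseAppDataPath, "..\\Local State")`, and with `BaseAppDataPath` = `...\Opera Software\Opera Stable` that resolves to `Opera Software\Local State`, whereas the `GetOperaKey` this commit deletes from `GCDecryptor` read `Opera Stable\Local State`. Unless the base class gains an override point for the key location, Opera credential decryption will fail on the `File.ReadAllText` in `GetKey` even though `Login Data` is found. The `"..\\Roaming\\"` prefix is also redundant, since `AppDataPath` is already the Roaming folder: `public override string BaseAppDataPath => Path.Combine(AppDataPath, "Opera Software\\Opera Stable\\");`. Note the trailing separator, so `Path.Combine` with `".."` behaves the same as for the Chrome and Brave entries.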


@ -60,5 +60,12 @@ namespace winPEAS.Native
[DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] [DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)] [return: MarshalAs(UnmanagedType.Bool)]
internal static extern bool FreeLibrary(IntPtr lib); internal static extern bool FreeLibrary(IntPtr lib);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
internal static extern int GetPrivateProfileSection(string section, IntPtr keyValue, int size, string filePath);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
internal static extern int GetPrivateProfileString(string? section, string? key, string defaultValue, [In, Out] char[] value, int size, string filePath);
} }
} }
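Review bot: The new `GetPrivateProfileString` signature uses `string?` annotations, which only compile cleanly in a nullable context (`#nullable enable` or `<Nullable>enable</Nullable>`); the file header is outside this hunk, so if the project is not nullable-enabled this produces CS8632 warnings on every build, and the surrounding declarations in this file do not use the annotation. Either enable the context for the file or drop the `?` and keep the "null means enumerate all" contract as a comment. For consistency with `FreeLibrary` above, also add `SetLastError = true` to both new imports: `GetPrivateProfileString` returns `0` both for a missing file and for an empty section, and the callers in `AuditPolicies` currently cannot tell the two apart without `Marshal.GetLastWin32Error()`.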


@ -408,6 +408,8 @@
<Compile Include="Info\EventsInfo\PowerShell\PowerShell.cs" /> <Compile Include="Info\EventsInfo\PowerShell\PowerShell.cs" />
<Compile Include="Info\EventsInfo\PowerShell\PowerShellEventInfo.cs" /> <Compile Include="Info\EventsInfo\PowerShell\PowerShellEventInfo.cs" />
<Compile Include="Info\EventsInfo\Common.cs" /> <Compile Include="Info\EventsInfo\Common.cs" />
<Compile Include="Info\EventsInfo\Power\Power.cs" />
<Compile Include="Info\EventsInfo\Power\PoweredEventInfo.cs" />
<Compile Include="Info\EventsInfo\ProcessCreation\ProcessCreation.cs" /> <Compile Include="Info\EventsInfo\ProcessCreation\ProcessCreation.cs" />
<Compile Include="Info\EventsInfo\ProcessCreation\ProcessCreationEventInfo.cs" /> <Compile Include="Info\EventsInfo\ProcessCreation\ProcessCreationEventInfo.cs" />
<Compile Include="Info\FilesInfo\Certificates\CertificateInfo.cs" /> <Compile Include="Info\FilesInfo\Certificates\CertificateInfo.cs" />
@ -432,6 +434,10 @@
<Compile Include="Info\NetworkInfo\TcpConnectionInfo.cs" /> <Compile Include="Info\NetworkInfo\TcpConnectionInfo.cs" />
<Compile Include="Info\NetworkInfo\UdpConnectionInfo.cs" /> <Compile Include="Info\NetworkInfo\UdpConnectionInfo.cs" />
<Compile Include="Info\NetworkInfo\Win32Error.cs" /> <Compile Include="Info\NetworkInfo\Win32Error.cs" />
<Compile Include="Info\SystemInfo\AuditPolicies\AuditEntryInfo.cs" />
<Compile Include="Info\SystemInfo\AuditPolicies\AuditPolicies.cs" />
<Compile Include="Info\SystemInfo\AuditPolicies\AuditPolicyGPOInfo.cs" />
<Compile Include="Info\SystemInfo\AuditPolicies\AuditType.cs" />
<Compile Include="Info\SystemInfo\CredentialGuard.cs" /> <Compile Include="Info\SystemInfo\CredentialGuard.cs" />
<Compile Include="Info\SystemInfo\DotNet\DotNet.cs" /> <Compile Include="Info\SystemInfo\DotNet\DotNet.cs" />
<Compile Include="Info\SystemInfo\DotNet\DotNetInfo.cs" /> <Compile Include="Info\SystemInfo\DotNet\DotNetInfo.cs" />
@ -454,9 +460,11 @@
<Compile Include="InterestingFiles\GPP.cs" /> <Compile Include="InterestingFiles\GPP.cs" />
<Compile Include="InterestingFiles\InterestingFiles.cs" /> <Compile Include="InterestingFiles\InterestingFiles.cs" />
<Compile Include="InterestingFiles\Unattended.cs" /> <Compile Include="InterestingFiles\Unattended.cs" />
<Compile Include="KnownFileCreds\Browsers\Brave\Brave.cs" />
<Compile Include="KnownFileCreds\Browsers\Browser.cs" /> <Compile Include="KnownFileCreds\Browsers\Browser.cs" />
<Compile Include="KnownFileCreds\Browsers\BrowserBase.cs" /> <Compile Include="KnownFileCreds\Browsers\BrowserBase.cs" />
<Compile Include="KnownFileCreds\Browsers\Chrome\Chrome.cs" /> <Compile Include="KnownFileCreds\Browsers\Chrome\Chrome.cs" />
<Compile Include="KnownFileCreds\Browsers\ChromiumBase.cs" />
<Compile Include="KnownFileCreds\Browsers\Models\Login.cs" /> <Compile Include="KnownFileCreds\Browsers\Models\Login.cs" />
<Compile Include="KnownFileCreds\Browsers\Decryptor\GCDecryptor.cs" /> <Compile Include="KnownFileCreds\Browsers\Decryptor\GCDecryptor.cs" />
<Compile Include="KnownFileCreds\Browsers\Decryptor\LocalState.cs" /> <Compile Include="KnownFileCreds\Browsers\Decryptor\LocalState.cs" />
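Review bot: The new entry `Info\EventsInfo\Power\PoweredEventInfo.cs` does not match the class added in this commit, `PowerEventInfo`, and every neighbouring entry names the file after its class (`PowerShellEventInfo.cs`, `ProcessCreationEventInfo.cs`). The file name on disk is not visible here; if it is `PowerEventInfo.cs`, MSBuild will fail with a missing-source error for the old-style csproj. Change it to `<Compile Include="Info\EventsInfo\Power\PowerEventInfo.cs" />` or rename the file to match, whichever the repository actually has.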