diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs index 92b3726..4699bea 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs @@ -201,7 +201,7 @@ namespace winPEAS.Checks List sam_files = InterestingFiles.InterestingFiles.GetSAMBackups(); foreach (string path in sam_files) { - var permissions = PermissionsHelper.GetPermissionsFile(path, Checks.CurrentUserSiDs); + var permissions = PermissionsHelper.GetPermissionsFile(path, Checks.CurrentUserSiDs, PermissionType.READABLE_OR_WRITABLE); if (permissions.Any()) { @@ -593,7 +593,7 @@ namespace winPEAS.Checks FileAttributes attr = File.GetAttributes(file.FullPath); if ((attr & FileAttributes.Directory) == FileAttributes.Directory) { - List dirRights = PermissionsHelper.GetPermissionsFolder(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); + List dirRights = PermissionsHelper.GetPermissionsFolder(file.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); if (dirRights.Count > 0) { @@ -602,7 +602,7 @@ namespace winPEAS.Checks } else { - List fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); + List fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); if (fileRights.Count > 0) { @@ -761,7 +761,7 @@ namespace winPEAS.Checks if (file.Extension != null && allowedExtensions.Contains(file.Extension.ToLower())) { // check the file permissions - List fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); + List fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); if (fileRights.Count > 0) { diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/AppLocker/AppLockerHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/AppLocker/AppLockerHelper.cs index c60afc7..ad98b46 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/AppLocker/AppLockerHelper.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/AppLocker/AppLockerHelper.cs @@ -200,7 +200,7 @@ namespace winPEAS.Helpers.AppLocker if (Directory.Exists(normalizedPath)) { // can we write to the directory ? - var folderPermissions = PermissionsHelper.GetPermissionsFolder(normalizedPath, Checks.Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); + var folderPermissions = PermissionsHelper.GetPermissionsFolder(normalizedPath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); // we can write if (folderPermissions.Count > 0) @@ -216,7 +216,7 @@ namespace winPEAS.Helpers.AppLocker // iterate over applocker bypass directories and check them foreach (var subfolders in _appLockerByPassDirectoriesByPath[normalizedPath]) { - var subfolderPermissions = PermissionsHelper.GetPermissionsFolder(subfolders, Checks.Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); + var subfolderPermissions = PermissionsHelper.GetPermissionsFolder(subfolders, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); // we can write if (subfolderPermissions.Count > 0) @@ -373,7 +373,7 @@ namespace winPEAS.Helpers.AppLocker if (File.Exists(path)) { - var filePermissions = PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); + var filePermissions = PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); if (filePermissions.Count > 0) { @@ -425,7 +425,7 @@ namespace winPEAS.Helpers.AppLocker } else { - var folderPermissions = PermissionsHelper.GetPermissionsFolder(directory, Checks.Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true); + var folderPermissions = PermissionsHelper.GetPermissionsFolder(directory, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT); if (folderPermissions.Count > 0) { diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs index 33ab902..e7626bb 100644 --- a/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs +++ b/winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs @@ -9,13 +9,21 @@ using Microsoft.Win32; namespace winPEAS.Helpers { + internal enum PermissionType + { + DEFAULT, + READABLE_OR_WRITABLE, + WRITEABLE_OR_EQUIVALENT + } + + /////////////////////////////////// //////// Check Permissions //////// /////////////////////////////////// /// Get interesting permissions from Files, Folders and Registry internal static class PermissionsHelper { - public static List GetPermissionsFile(string path, Dictionary SIDs, bool isOnlyWriteOrEquivalentCheck = false) + public static List GetPermissionsFile(string path, Dictionary SIDs, PermissionType permissionType = PermissionType.DEFAULT) { /*Permisos especiales para carpetas *https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask-format?redirectedfrom=MSDN @@ -36,7 +44,7 @@ namespace winPEAS.Helpers try { FileSecurity fSecurity = File.GetAccessControl(path); - results = GetMyPermissionsF(fSecurity, SIDs, isOnlyWriteOrEquivalentCheck); + results = GetMyPermissionsF(fSecurity, SIDs, permissionType); } catch { @@ -45,7 +53,7 @@ namespace winPEAS.Helpers return results; } - public static List GetPermissionsFolder(string path, Dictionary SIDs, bool isOnlyWriteOrEquivalentCheck = false) + public static List GetPermissionsFolder(string path, Dictionary SIDs, PermissionType permissionType = PermissionType.DEFAULT) { List results = new List(); @@ -65,7 +73,7 @@ namespace winPEAS.Helpers } FileSecurity fSecurity = File.GetAccessControl(path); - results = GetMyPermissionsF(fSecurity, SIDs, isOnlyWriteOrEquivalentCheck); + results = GetMyPermissionsF(fSecurity, SIDs, permissionType); } catch { @@ -74,7 +82,7 @@ namespace winPEAS.Helpers return results; } - public static List GetMyPermissionsF(FileSecurity fSecurity, Dictionary SIDs, bool isOnlyWriteOrEquivalentCheck = false) + public static List GetMyPermissionsF(FileSecurity fSecurity, Dictionary SIDs, PermissionType permissionType = PermissionType.DEFAULT) { // Get interesting permissions in fSecurity (Only files and folders) List results = new List(); @@ -84,7 +92,7 @@ namespace winPEAS.Helpers { //First, check if the rule to check is interesting int current_perm = (int)rule.FileSystemRights; - string current_perm_str = PermInt2Str(current_perm, isOnlyWriteOrEquivalentCheck); + string current_perm_str = PermInt2Str(current_perm, permissionType); if (current_perm_str == "") { continue; @@ -133,7 +141,7 @@ namespace winPEAS.Helpers foreach (RegistryAccessRule rule in rSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier))) { int current_perm = (int)rule.RegistryRights; - string current_perm_str = PermInt2Str(current_perm, true); + string current_perm_str = PermInt2Str(current_perm, PermissionType.WRITEABLE_OR_EQUIVALENT); if (current_perm_str == "") continue; @@ -169,9 +177,38 @@ namespace winPEAS.Helpers return results; } - public static string PermInt2Str(int current_perm, bool only_write_or_equivalent = false, bool is_service = false) + public static string PermInt2Str(int current_perm, PermissionType permissionType = PermissionType.DEFAULT, bool is_service = false) { - Dictionary interesting_perms = new Dictionary() + Dictionary interesting_perms = new Dictionary(); + + if (permissionType == PermissionType.DEFAULT) + { + interesting_perms = new Dictionary() + { + // This isn't an exhaustive list of possible permissions. Just the interesting ones. + { "AllAccess", 0xf01ff}, + { "GenericAll", 0x10000000}, + { "FullControl", (int)FileSystemRights.FullControl }, + { "TakeOwnership", (int)FileSystemRights.TakeOwnership }, + + { "GenericWrite", 0x40000000 }, + { "WriteData/CreateFiles", (int)FileSystemRights.WriteData }, + { "Modify", (int)FileSystemRights.Modify }, + { "Write", (int)FileSystemRights.Write }, + + { "ChangePermissions", (int)FileSystemRights.ChangePermissions }, + + { "Delete", (int)FileSystemRights.Delete }, + { "DeleteSubdirectoriesAndFiles", (int)FileSystemRights.DeleteSubdirectoriesAndFiles }, + { "AppendData/CreateDirectories", (int)FileSystemRights.AppendData }, + { "WriteAttributes", (int)FileSystemRights.WriteAttributes }, + { "WriteExtendedAttributes", (int)FileSystemRights.WriteExtendedAttributes }, + }; + } + + else if (permissionType == PermissionType.READABLE_OR_WRITABLE) + { + interesting_perms = new Dictionary() { // This isn't an exhaustive list of possible permissions. Just the interesting ones. { "AllAccess", 0xf01ff}, @@ -195,8 +232,9 @@ namespace winPEAS.Helpers { "WriteAttributes", (int)FileSystemRights.WriteAttributes }, { "WriteExtendedAttributes", (int)FileSystemRights.WriteExtendedAttributes }, }; + } - if (only_write_or_equivalent) + else if (permissionType == PermissionType.WRITEABLE_OR_EQUIVALENT) { interesting_perms = new Dictionary() { diff --git a/winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/ServicesInfoHelper.cs b/winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/ServicesInfoHelper.cs index 98bfde4..a623680 100644 --- a/winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/ServicesInfoHelper.cs +++ b/winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/ServicesInfoHelper.cs @@ -219,7 +219,7 @@ namespace winPEAS.Info.ServicesInfo { int serviceRights = ace.AccessMask; - string current_perm_str = PermissionsHelper.PermInt2Str(serviceRights, true, true); + string current_perm_str = PermissionsHelper.PermInt2Str(serviceRights, PermissionType.WRITEABLE_OR_EQUIVALENT, true); if (!string.IsNullOrEmpty(current_perm_str) && !permissions.Contains(current_perm_str)) permissions.Add(current_perm_str); } diff --git a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj index c93f4e6..86f9f75 100755 --- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj +++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj @@ -40,6 +40,7 @@ 8.0 false MinimumRecommendedRules.ruleset + true true @@ -91,6 +92,7 @@ prompt MinimumRecommendedRules.ruleset false + true winPEAS.Program