From 89bc4c527e6aaaf98d796c790ddc3b6fea06c035 Mon Sep 17 00:00:00 2001
From: carlospolop
Date: Wed, 2 Sep 2020 09:54:37 +0100
Subject: [PATCH] winpeas

---
 .../winPEASexe/winPEAS/InterestingFiles.cs | 17 ----
 winPEAS/winPEASexe/winPEAS/Program.cs | 28 +------
 winPEAS/winPEASexe/winPEAS/SystemInfo.cs | 76 +++++++++++++-----
 .../winPEAS.csprojAssemblyReference.cache | Bin 2550 -> 14706 bytes
 4 files changed, 59 insertions(+), 62 deletions(-)

diff --git a/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs b/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
index 16d96cd..38cb01c 100755
--- a/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
+++ b/winPEAS/winPEASexe/winPEAS/InterestingFiles.cs
@@ -438,23 +438,6 @@ namespace winPEAS
 return results;
 }
 
- public static string GetConsoleHostHistory()
- {
- string result = "";
- try
- {
-
- string searchLocation = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt", Environment.GetEnvironmentVariable("USERPROFILE"));
- if (System.IO.File.Exists(searchLocation))
- result = searchLocation;
- }
- catch (Exception ex)
- {
- Beaprint.GrayPrint("Error: " + ex);
- }
- return result;
- }
-
 public static List> GetRecycleBin()
 {
 List> results = new List>();
diff --git a/winPEAS/winPEASexe/winPEAS/Program.cs b/winPEAS/winPEASexe/winPEAS/Program.cs
index 354a732..4ce87b8 100755
--- a/winPEAS/winPEASexe/winPEAS/Program.cs
+++ b/winPEAS/winPEASexe/winPEAS/Program.cs
@@ -238,32 +238,7 @@ namespace winPEAS
 }
 }
 
- void PrintConsoleHostHistory()
- {
- try
- {
- Beaprint.MainPrint("Powershell Console Host History");
- string console_host_history = InterestingFiles.GetConsoleHostHistory();
- if (console_host_history != "")
- {
-
- string text = File.ReadAllText(console_host_history);
- List credStringsRegexPowershell = new List(credStringsRegex);
- credStringsRegexPowershell.Add("CONVERTTO-SECURESTRING");
-
- if (MyUtils.ContainsAnyRegex(text.ToUpper(), credStringsRegexPowershell))
- Beaprint.BadPrint(" " + console_host_history + " (Potential credentials found)");
- else
- System.Console.WriteLine(" " + console_host_history);
- }
- }
- catch (Exception ex)
- {
- Beaprint.GrayPrint(String.Format("{0}", ex));
- }
- }
-
- void PrintAuditInfo()
+ void PrintAuditInfo()
 {
 try
 {
@@ -589,7 +564,6 @@ namespace winPEAS
 PrintUACInfo();
 PrintPSInfo();
 PrintTranscriptPS();
- PrintConsoleHostHistory();
 PrintInetInfo();
 PrintDrivesInfo();
 PrintWSUS();
diff --git a/winPEAS/winPEASexe/winPEAS/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/SystemInfo.cs
index 1c9fdb2..a5409a9 100755
--- a/winPEAS/winPEASexe/winPEAS/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/SystemInfo.cs
@@ -233,43 +233,83 @@ namespace winPEAS
 results["PS history file"] = "";
 results["PS history size"] = "";
 
- Dictionary transcriptionSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription");
- if ((transcriptionSettings == null) || (transcriptionSettings.Count == 0))
- transcriptionSettings = MyUtils.GetRegValues("HKLM", @"HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription");
+ Dictionary transcriptionSettingsCU = MyUtils.GetRegValues("HKCU",
+ "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription");
+ if ((transcriptionSettingsCU == null) || (transcriptionSettingsCU.Count == 0))
+ transcriptionSettingsCU = MyUtils.GetRegValues("HKCU", @"HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription");
 
- if ((transcriptionSettings != null) && (transcriptionSettings.Count != 0))
+ if ((transcriptionSettingsCU != null) && (transcriptionSettingsCU.Count != 0))
 {
- foreach (KeyValuePair kvp in transcriptionSettings)
+ foreach (KeyValuePair kvp in transcriptionSettingsCU)
 {
- results["Transcription Settings"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
+ results["Transcription Settings CU"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
 }
 }
 
- Dictionary moduleLoggingSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging");
- if ((moduleLoggingSettings == null) || (moduleLoggingSettings.Count == 0))
- moduleLoggingSettings = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging");
+ Dictionary transcriptionSettingsLM = MyUtils.GetRegValues("HKLM",
+ "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription");
+ if ((transcriptionSettingsLM == null) || (transcriptionSettingsLM.Count == 0))
+ transcriptionSettingsLM = MyUtils.GetRegValues("HKLM", @"HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription");
 
- if 
((moduleLoggingSettings != null) && (moduleLoggingSettings.Count != 0))
+ if ((transcriptionSettingsLM != null) && (transcriptionSettingsLM.Count != 0))
 {
- foreach (KeyValuePair kvp in moduleLoggingSettings)
+ foreach (KeyValuePair kvp in transcriptionSettingsLM)
+ {
+ results["Transcription Settings LM"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
+ }
+ }
+
+ Dictionary moduleLoggingSettingsLM = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging");
+ if ((moduleLoggingSettingsLM == null) || (moduleLoggingSettingsLM.Count == 0))
+ moduleLoggingSettingsLM = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging");
+
+ if ((moduleLoggingSettingsLM != null) && (moduleLoggingSettingsLM.Count != 0))
+ {
+ foreach (KeyValuePair kvp in moduleLoggingSettingsLM)
 {
 results["Module Logging Settings"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
 }
 }
 
- Dictionary scriptBlockSettings = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging");
- if ((scriptBlockSettings == null) || (scriptBlockSettings.Count == 0))
- scriptBlockSettings = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging");
+ Dictionary moduleLoggingSettingsCU = MyUtils.GetRegValues("HKCU", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging");
+ if ((moduleLoggingSettingsCU == null) || (moduleLoggingSettingsCU.Count == 0))
+ moduleLoggingSettingsCU = MyUtils.GetRegValues("HKCU", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging");
 
- if ((scriptBlockSettings != null) && (scriptBlockSettings.Count != 0))
+ if ((moduleLoggingSettingsCU != null) && (moduleLoggingSettingsCU.Count != 0))
 {
- foreach (KeyValuePair kvp in scriptBlockSettings)
+ foreach (KeyValuePair kvp in moduleLoggingSettingsCU)
 {
- results["Scriptblock Logging Settings"] = 
String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
+ results["Module Logging Settings CU"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
 }
 }
- 
+
+ Dictionary scriptBlockSettingsLM = MyUtils.GetRegValues("HKLM", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging");
+ if ((scriptBlockSettingsLM == null) || (scriptBlockSettingsLM.Count == 0))
+ scriptBlockSettingsLM = MyUtils.GetRegValues("HKLM", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging");
+
+ if ((scriptBlockSettingsLM != null) && (scriptBlockSettingsLM.Count != 0))
+ {
+ foreach (KeyValuePair kvp in scriptBlockSettingsLM)
+ {
+ results["Scriptblock Logging Settings LM"] = String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
+ }
+ }
+
+ Dictionary scriptBlockSettingsCU = MyUtils.GetRegValues("HKCU", "SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging");
+ if ((scriptBlockSettingsCU == null) || (scriptBlockSettingsCU.Count == 0))
+ scriptBlockSettingsCU = MyUtils.GetRegValues("HKCU", @"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging");
+
+ if ((scriptBlockSettingsCU != null) && (scriptBlockSettingsCU.Count != 0))
+ {
+ foreach (KeyValuePair kvp in scriptBlockSettingsCU)
+ {
+ results["Scriptblock Logging Settings CU"] = String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);
+ }
+ }
+
 string ps_history_path = Environment.ExpandEnvironmentVariables(@"%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt");
+ string ps_history_path2 = String.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt", Environment.GetEnvironmentVariable("USERPROFILE"));
+ ps_history_path = File.Exists(ps_history_path) ? ps_history_path : ps_history_path2;
 if (File.Exists(ps_history_path))
 {
 FileInfo fi = new FileInfo(ps_history_path);
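Review bot: In the two new script-block loops, `results["Scriptblock Logging Settings LM"] = String.Format(...)` and its `CU` twin assign with `=` inside the foreach, so every registry value overwrites the previous one and only the last is reported, while the transcription and module-logging loops in the same hunk accumulate with `+=`; both lines should read `results["Scriptblock Logging Settings LM"] += String.Format(" {0,30} : {1}\r\n", kvp.Key, kvp.Value);` (and likewise for `CU`). The Wow6432Node fallback for transcription passes `@"HKLM\SOFTWARE\Wow6432Node\..."` — the hive name repeated inside the subkey — for both the new HKCU lookup and the HKLM one, whereas the module-logging and script-block fallbacks pass `@"SOFTWARE\Wow6432Node\..."`; unless `MyUtils.GetRegValues` strips a leading hive prefix (its implementation is not in this diff), that fallback never resolves, so `@"SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription"` is the consistent form for both. The hunk also appends with `+=` to new keys such as `"Transcription Settings CU"`, `"Transcription Settings LM"` and `"Module Logging Settings CU"`, but the initialisation lines above the hunk are not touched by this diff; if they still seed only the old `"Transcription Settings"` key, the first `+=` will throw `KeyNotFoundException` because the indexer read precedes the write, and whatever prints these keys in Program.cs will need the same rename. The enclosing method starts before and continues after this hunk.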
diff --git a/winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csprojAssemblyReference.cache b/winPEAS/winPEASexe/winPEAS/obj/Debug/winPEAS.csprojAssemblyReference.cache index d3d4a902270213f500b90abd5d60c60704a8f78b..40457ca50bfb002e4e5447ee580a4ee49eb4556f 100755 GIT binary patch literal 14706 zcmcJV3v3+48OQJJ^POiy9+#w$6q1HOc{Ju~lQ@9@O^o9-3B(E5gan+J_1)TDe6Q@D zotQ!)ydNnfKq!x@fEubo#X|)IR0UK(g{sgNDxfM<4X6YaPyv;o0s{K|cW);%p3iL) zSNj;5o zdz*U~^foo+nj7u8b{&Ep%E#y!_A5@IqhePas6?-ucY<%VhlD>-E%JFMTcIlWnPs-$ zU$J}g4r(oG$s}O@t29Xh>(r8+TWV)3B`;OIo^e#&)>5HtdyZERZijoGlc1A+a*drI zbo^MXHda?RuKvJkJyv-+w`k|3&wHmGw`do!MS{#XaZm??a0#3m#Sd3GuG{S^QscJT zz7vbbC&6(%{UuXmw!~W(cCGeGeV$#IwUnB}pLNvcrqpdyx|VV8*;ObpJ~ZvOM}JAO1o(H zIR&R!$>j3+WIfd*KX%nP)9J~yZLT;)bSyuJC@5mz7(|rqlWFbfx4m)@%%WgDV-PHA zWxHYramG=cfw7Bord!OFHu;&QC9e>+;sF$J{n!OW*FZn*9)l1CKU?zhZcor~6DUY! z41%aPXbIh=4yQ7rA5NsmW7zYn zxQml1)))>mJf4C$Qz(u-w%0^Ge-dVP^nNiF=4&tq!W;xM4Q4vb*I^EZIRs_~%uJYX zz|1032f&=YGn4wv4SQ(t1e}A(KRCi;p|()UCFpOU#x5puPT5cTcvkv#US-JfYI=*Y zSWO}skBR!sNHQiqCzq){HHO>iIU#%f+3WErjl;wapOW0^{-GXEC`%klR?H@oJPhCI zDbkpk+c>xB_*fj5j!V!T4yO|W&%xvoWHbjflj(3I9FBs+(IXwuq^85S;4lXc4I>@U z{HDV(aLB;n+an!tt4xPRI5ffG*pUvnt)|0VILw1X^GFAD0n=eV92UUgxRDO%E~dlr za99Y36Gl3qYncuw!r>%1d}pKsx}oW?2o8(MBwNU6Hx6CabU2yLidHx*8R;;KPM8jD zbXF`Sll(3jH9`vAEQTHzyf-!MOV>r870Y0j!>oWg1?E(km1NTBzbGkm&L9ltip0K$ zX(uf;k(e3uZmc2AFP`bI7DIY*11d6G1)k z2Du;gw8>5Mz+_=^WYQR7C@GAe0A5d@`vG^zP4vR_!SutpFz3Pyz~srKF+@>P7=J-P zi$3=wV1e8OO>8kyf+@pngz;c}mXF zQ1X4{OrS|&f(a_PpFQY8au*lDY=OC$Od9hQN(z%v0LLZl`_+p}$W2@da~aI#FjtUC zV}e6TVfOke)xVP5#Z@p@!(2lqjmZ!tg_-WFRDUbEiyy#T3v(UJHZtkOWKdEk!(uwy z&j#8~uHt%_8(?mP*+C|a=@uo`28#&$d4F#rSMfubn_+Gtlg8AHQn!rEK2463;ni>Z zE$xXSy;jte2Wra$m0Efusq4+#eSRui9<;q|KQyh&YqD;N4*Fa2eS##xQo2%~E#;gZ zS_!8HoZ+(VdUdwnQSnl)-+?z33!de{7J>-3P#6rB|Mi|zu*+p9M{h1EjPO`(ZB0!L zeb&TlCRE?@s|)@5`gnbF^;B!A*z5KUdN$Gt(F+kRqoc#&Wnt|~o?GcJocRBGRU?Jh zg`*BJLy;mEfx48>k|#5) z(xH{5Fa~pJAB!YM5pw z4BjEbFwfJG98NFL7x8;CQ3-KPDz1^ib&x*9y+}t<7o=KS;w3sE{uJ@(GekD1$T-3BGYXqjxkUd*vAIh-T 
zkThiPqNAuSg5mfEoe*!5iAso^p&}1qkY|!UM7~8wQFYNN_V$F`^ow{q0@G*6o~E)7 zV%Td*8nWM^qjA-yK$6N5@6s9Z9+{|w%qc2!GQ(U)`jGiP9Ysv!O)T*Noe>{KK>7@s z6IAAShItlAL*_?xG)bvvkod909y%>PCKHtqEL3nk1I7v|1b;$D(L;QRXK!+geU|u? zPKwVWCVht3go>?Yuw5h#v0uWk#PMlI!4d*7EHY6E zuVarI<0B?Uw~R5KoF}W-(MHp1W!MrEfSzceKTy%{Gw5?9dNMhWkI>Z$PXTqRL48-H zzQa&$Nj-?1m50hS0H+(k-74@c2G}Ekhmf;ARAzuV(_p@#GIue|tYjWa&T?{}4cuV{ z?sXOS8iUJ8+!5p~2goqJc)M9k90}}E2KH4I`wD|~Bz6utD^1w|;4ud9B^CH01MHQ+ zMsk*y-2~jR2JQtF_dJ6`t|9FI&E%}jG1x5z`w5l(IKw_yvX_wa#Oh#bA1u&IPnNiC z;4U?|kEz^88Sa4OE+^;dRW1#E$18iT??jWCB~~E9DMo~c)CdnU5%MxZJ2~s)YZaKQ z4d(qS^FD@IkjxHpR(ftHfM*!MdsN`v46rDHYsp!Tu;>xA4%o8{>|H8$Cxb0X?0RyJ z?plYF9i(L@O|2Wi?KZe~sNCBbZdr1B$XO1wEO0pkcbkg4mBDS4xIS_oPdmf3MO9tR zTB09R*Pz~{Qg<*^Pg3*bJjz%r0A4iU+g12B2JTDvMsn8X1`kNzKyFo$*D%P6L=KU2 zT0XDJ`O+}<$1Sl5&RK_Bin%7ZXk;)vcMoOl*k*&S!sYB0N!K(T@~2R056ijTgW-; z8sW?Ttzh0}Fmoz1%P_Y{=8wr)&JMQ&cZY%NR&g5`+{F_26LOBK7_KFDf_az0JWFM+ zW0;pn=FiAkX~(+(yvG2Zp#nP@;H46HFFDI=z7M$j4cuxKw~E1CCUL(Y=P1*ly(eUr z7yXKzryS3N2=b5-^=CY&_8( z2lfdA+oEC@GuSI7_SfXB+_r~*%5fLBT2Z^&8RxMzWT&cH2Daq}76)e`qR za{eDT?s)`x!3c7!8l;H{a*Yh~M{-W@-MU=Sk@eg%Jts0pI~HLl_zO8Jck49(UpIhMkJPFpx7<gp4EILK{hXY& zKJW#QUmD1miv03(Gn=wQBC(YdRdw&`rk2i%1evIW*^SQ#B{vy9WwDZVL@|Tl=o?@Wi zQ_=4-=vyTEKysE{>mcB!8MwDq+-?&$5nEaH^jGu9d0lI!&)aoX0{dFgL#DbZmY`F~ z?v?hrC67K_+TTug2mkOSx=(k8T>J+pDPr|hAXUr6JLsDhAbuyEK@dZVU7NPDtU#% zLBdLr?a--6eXvqwGIS}@8mtugh(Ibw0g@A}6xjuxic|wDMaDpm9M;c53 delta 244 zcmexV^i6ofT&Br|Y|&gUi6x18DLFZ8T$A&e3mCa4KVVK``_H1p$_L~nf_e2!?2{ANST@VD?qQrfmnmbiHTz;2CMHG(P7X#UpehCxVYVfi z=Q$XGOfD`iHpR)N9I7lphSKCT2t#@DbO=Lb@(Bn-b@ERLLv6AaCs?ui